Junos® Space Edge Services Director User Guide

Release 1.0
Modified: 2016-06-28
Copyright © 2016, Juniper Networks, Inc.
Juniper Networks, Inc.
1133 Innovation Way
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net
Copyright © 2016, Juniper Networks, Inc. All rights reserved.
Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United
States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other
trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify,
transfer, or otherwise revise this publication without notice.
The information in this document is current as of the date on the title page.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the
year 2038. However, the NTP application is known to have some difficulty in the year 2036.
END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks
software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at
http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions of
that EULA.
Table of Contents
About the Documentation
Documentation and Release Notes
Supported Platforms
Documentation Conventions
Documentation Feedback
Requesting Technical Support
Self-Help Online Tools and Resources
Opening a Case with JTAC

Part 1: Overview

Chapter 1: Edge Services Director Overview
Understanding the Need for Edge Services Director
Understanding the Edge Services Director User Interface
View Pane
Displaying Devices in Various Network Views
Expanding or Collapsing Nodes in the Network Tree
Searching the Network Tree
Tasks Pane
Alarms
Main Window or Workspace
Tables in Edge Services Director
Moving and Resizing Columns
Navigating Pages
Displaying the Column Drop-Down Menu
Sorting on a Column
Hiding and Exposing Columns
Searching Table Contents
Filtering Table Contents
Understanding Edge Services Director and the Management Lifecycle Modes
Service Delivery Gateway Overview
Carrier-Grade NAT
Firewalls and Intrusion Prevention System
Traffic Direct
Load Balancing and Adaptive Services
Edge Services Director Overview

Chapter 2: Getting Started
Understanding How to Use the Edge Services Director Interface to View System Information
Getting Started Assistant in Junos Space Platform Overview
Changing Your Password for Edge Services Director
Logging In to Edge Services Director
Logging Out of Edge Services Director
Quickly Accessing Important Monitoring and Troubleshooting Details

Chapter 3: Tasks Pane
Understanding the Build Mode Tasks Pane
Understanding the Deploy Mode Tasks Pane
Understanding the Fault Mode Tasks Pane
Understanding the Monitor Mode Tasks Pane
Understanding the Report Mode Tasks Pane

Chapter 4: System Administration
Handling Administrative Tasks
Understanding Edge Services Director User Administration
Viewing Audit Logs From Edge Services Director
Managing Jobs
Collecting Logs for Troubleshooting

Chapter 5: Dashboard
Understanding the Dashboard
Working with the Dashboard
SDG Views
Service Delivery Gateway Alarms
Filters
Specifying KPI Template and Alarm Filters
Service Delivery Gateways Count by Severity
Service Gateway Ticker Updates
Service Delivery Gateway Health Status Trend
Using Dashboard Widgets
Alarm Severities and States Overview
Alarm Severity
Alarm State
Viewing the Detailed Status of KPI Templates Applied to Devices

Part 2: Gateway View of Build Mode

Chapter 6: About Gateway View of Build Mode
Understanding Build Mode in Gateway View of Edge Services Director
Discovering Devices
Configuring Devices
Deploying Device Configurations
Importing Device Configurations
Out-of-Band Configuration Changes
Viewing the Devices Inventory
Service Delivery Gateway Groups
KPI Templates
Understanding Resynchronization of Device Configuration
The Resynchronize Device Configuration Task
How Resynchronization Works in NSOR Mode
How Resynchronization Works in SSOR Mode
How Edge Services Director Resynchronizes the Build Mode Configuration
Importing Devices
Device Discovery Overview
Unmanaged Devices Overview
Working With Managed Devices
Working With Unmanaged Devices
Working With Discovered Devices
Managing Jobs

Chapter 7: Managing Service Delivery Gateways and Groups
Discovering Devices
Preparing MX Series Devices for Discovery
Specifying a Discovery Profile and the Target Devices
Specifying SNMP Probes
Specifying Credentials
Comparing Configuration Settings of Devices
Exporting Managed Device Details to a CSV File
Changing an Unmanaged Device to a Managed Device
Modifying the SDG Group and KPI Templates for a Device
Scheduling the Discovery of Devices
Creating Service Gateway Groups
Managing Service Gateway Groups
Viewing the Service Gateway Details
Searching Unmanaged Devices
Viewing the List of Discovered, Managed, and Unmanaged Devices
Changing a Managed Device to an Unmanaged Device
Modifying Discovery Profiles
Deleting Discovery Profiles
Systems of Record in Junos Space Overview
Systems of Record
Implications on device management
Resynchronizing Managed SDGs with the Network

Chapter 8: Managing KPI Templates
Understanding Measurement Points, Key Performance Indicators, and Baseline Values
Measurement Points
Basic Key Performance Indicators
Setting Baselines
Cloning a KPI Template
Deleting KPI Templates
Managing KPI Templates
Viewing KPI Templates
Modifying a KPI Template Associated with a Service Gateway

Chapter 9: Viewing the Device Inventory
Viewing the Device Inventory Page
Viewing Device Statistics
Viewing the Number of Devices by Platform
Viewing Connection Status for Devices
Viewing Devices by Junos OS Release
Viewing Configuration Details of Services on Devices
Viewing Discovery Logs
Viewing Discovery Profiles

Part 3: Location and Device Views of Build Mode

Chapter 10: Location View Configuration
Understanding Build Mode in Location and Device Views of Edge Services Director
Discovering Devices
Building the Location and Custom Views
Configuring Devices
Deploying Device Configurations
Importing Device Configurations
Out-of-Band Configuration Changes
Managing Devices
Understanding the Location View
Assigning and Unassigning Devices to a Location
How to Assign or Unassign Devices
Assigning Devices
Changing the Location of a Device
How to Move a Device to a New Location
Changing the Location of a Device
Configuring Buildings
How to Add or Edit a Building
Adding or Editing a Building for a Location
Configuring Floors
How to Add or Edit a Floor
Adding or Editing a Building Floor for a Location
Configuring Outdoor Areas
How to Configure an Outdoor Area
Configuring an Outdoor Area
Creating a Site
How to Add or Edit a Location Site
Creating or Editing a Site
Deleting Sites, Buildings, Floors, Wiring Closets, and Devices
How to Delete a Location Object
Deleting Sites
Deleting Buildings
Deleting Floors
Deleting Closets
Deleting Devices
Setting Up Closets
How to Add or Edit a Closet
Adding or Editing a Wiring Closet
Setting Up the Location View

Chapter 11: Device Management
Accessing a Device’s CLI from Edge Services Director
Deleting Devices from Edge Services Director
Rebooting Devices from Edge Services Director
Viewing the Device Inventory Page in Device View of Edge Services Director
Viewing the Physical Inventory of Devices
Viewing a Device's Current Configuration from Edge Services Director
Viewing Licenses With Edge Services Director

Part 4: Service View of Build Mode

Chapter 12: About Build Mode in Service View
Understanding Build Mode in Service View of Edge Services Director
Service Designer
Services Inventory
Object Builder

Chapter 13: Using the Service Designer
Object Builder Overview
Service Templates Overview
Filtering Service Templates
Viewing Service Templates
Viewing the Services Inventory Page
Using the Actions Menu on the Service Template and Service Edit Pages
Publishing a Service Template
Unpublishing a Service Template
Exporting a Service to a CSV File
Cloning a Service Template
Creating a Deploy Plan and Provisioning Services Immediately
Viewing a Graphical Statistic of Service Templates
Creating and Managing ADC Service Templates
Creating an ADC Service Template
Importing an ADC Service Template
Creating a Deployment Plan
Creating a Real Server
Creating a Group for Real Servers
Load-Balancing Methods for Real-Server Groups
Creating a Client-Facing Interface and Routing Instance
Creating a Server-Facing Interface and Routing Instance
Creating a Services PIC for an ADC Service Template
Creating a Health Check for an ADC Service Template
Creating a Custom Health Check for an ADC Instance
Creating a Virtual Service for an ADC Service Template
Creating a Virtual Server for an ADC Service Template
Creating a Firewall Rule for an ADC Service Template
Modifying ADC Service Templates
Creating and Managing CGNAT Service Templates
Creating a CGNAT Service Template
Modifying CGNAT Service Templates
Creating a Deployment Plan
Importing a CGNAT Service Template
Creating a Service Set
Creating a Syslog
Creating a Rule
Creating a Rule Set
Creating a Pool
Creating and Managing SFW Service Templates
Creating an SFW Service Template
Modifying SFW Service Templates
Creating a Deployment Plan
Importing an SFW Service Template
Creating a Service Set
Creating an Application
Creating an Application Set
Creating a Syslog
Creating a Rule
Creating a Rule Set
Creating a Services PIC for an SFW Service Template
Creating and Managing TLB Service Templates
Creating a TLB Service Template
Creating a Deployment Plan
Modifying TLB Service Templates
Importing a TLB Service Template
Creating a Real Server
Creating a Group for Real Servers
Creating a Services PIC for a TLB Service Template
Creating a Network Monitor Profile for a TLB Service Template
Creating a Command for Script-Based Health Checks
Creating a Server Bypass Filter
Creating a Virtual Service for a TLB Service Template
Creating a Client-Facing Interface and Routing Instance
Creating a Server-Facing Interface and Routing Instance
Modifying Individual Service Instances and Deploying to Devices
Modifying Service Instances
Creating a Deployment Plan

Chapter 14: Using the Object Builder
Understanding the Object Builder
Importing All Types of Objects
Importing SFW Rule Sets
Importing SFW Rules
Importing Real Server Settings
Importing CGNAT Rule Sets
Importing CGNAT Rules
Importing CGNAT Pools
Importing Applications
Importing Application Sets

Chapter 15: Managing Packet Analyzers
Packet Analyzer Overview
Pre-Service Filtering of Traffic for Service Processing
Postservice Filtering of Returning Service Traffic
Creating and Viewing Service Analyzers
Configuring the Traffic Analyzer Filter
Managing Service Analyzer Filter Instances
Viewing Service Analyzer Instance Details
Viewing the Service Analyzer Statistics in Grid Format and Graph

Part 5: Deploy Mode

Chapter 16: About Deploy Mode
Understanding Deploy Mode in Gateway and Service Views of Edge Services Director
Deploying Configuration Changes
Transactions
Modify the Association of SDG Details and Rule Terms for a Policy Filters
View Service Object Statistics
Service Edit
Policy and Filter Management
Understanding Deploy Mode in Location and Device Views of Edge Services Director
Managing Software Images
Managing Devices
Managing Device Configuration Files

Chapter 17: Device Management
Viewing the Device Inventory Page in Device View of Edge Services Director
Resynchronizing Device Configuration
The Resynchronize Device Configuration List of Devices
Resynchronizing Devices When Junos Space Is in NSOR Mode
Resynchronizing Devices When Junos Space Is in SSOR Mode
Resynchronizing Devices in Manual Approval Mode
Viewing the Network Changes
Viewing Resynchronization Job Status

Chapter 18: Configuration File Management
Managing Device Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
Selecting Device Configuration File Management Options . . . . . . . . . . . . . . 327
Backing Up Device Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328
Restoring Device Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
Viewing Device Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
Comparing Device Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
Deleting Device Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330
Managing Device Configuration File Management Jobs . . . . . . . . . . . . . . . . 330
Managing Jobs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330
Chapter 19
Software Image Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
Managing Software Images . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
Selecting Software Image Management Options . . . . . . . . . . . . . . . . . . . . . 333
Adding Software Images to the Repository . . . . . . . . . . . . . . . . . . . . . . . . . . 334
Using the Device Image Upload Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
Viewing Software Image Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
Using the Device Image Summary Window . . . . . . . . . . . . . . . . . . . . . . . . . . 335
Deleting Software Images . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
Deploying Software Images . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
Specifying Software Deployment Job Options . . . . . . . . . . . . . . . . . . . . . . . 336
Selecting Software Images To Deploy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
Selecting Options for Software Deployment . . . . . . . . . . . . . . . . . . . . . . . . . 337
Summary of Software Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
Managing Software Image Deployment Jobs . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
Selecting Software Image Management Options . . . . . . . . . . . . . . . . . . . . . 339
Viewing Software Image Job Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
Using the Device Image Staging Window . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
Canceling Software Image Jobs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
Chapter 20
Viewing and Editing Service Instances and Packet Filters Across All
Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
Viewing Service Object Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
Modifying Service Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
Modifying Packet Filter Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
Chapter 21
Enhanced Editing of Services and Packet Filters . . . . . . . . . . . . . . . . . . . . . 349
Enhanced Editing of Service Policies and Policy Filters Overview . . . . . . . . . . . . 349
Modifying the Association of SDG Details and Service Components for a Packet
Filter Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
Modifying the Association of SDG Details and Service Components for a Service
Policy Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352
Chapter 22
Managing Service Instance and Policy Rule Definitions . . . . . . . . . . . . . . . 355
Policy and Filter Management Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355
States and Transitions of Policies or Filters . . . . . . . . . . . . . . . . . . . . . . . . . . 356
User Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
Packet and Service Filters Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
Filtering Traffic Before Accepting Packets for Service Processing . . . . . . . . 359
Postservice Filtering of Returning Service Traffic . . . . . . . . . . . . . . . . . . . . . 360
Searching for CGNAT Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
Searching for Packet Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
Searching for SFW Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366
Managing Service and Policy Locks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
Unlocking Locked Services and Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368
Viewing Policy and Filter Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
Creating and Managing CGNAT Policy and Filter Instances . . . . . . . . . . . . . . . . . 375
Creating a NAT Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376
Creating a Service Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
Creating a Syslog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
Creating a Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
Creating a Rule Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
Creating Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
Creating Address Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388
Address and Address Groups Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388
Creating a NAT Rule Term . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
Associating an Application and Application Set with a NAT Rule . . . . . . . . 393
Creating a NAT Pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
Associating Service Sets and Rule Sets With a NAT Rule . . . . . . . . . . . . . . . 394
Modifying NAT Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
Creating a Deployment Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
Creating and Managing Packet Filter Policy Instances . . . . . . . . . . . . . . . . . . . . . 397
Creating a Packet Filter Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
Creating Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
Creating Address Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
Address and Address Groups Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
Creating a Packet Filter Rule Term . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
Creating an Application and Application Set . . . . . . . . . . . . . . . . . . . . . . . . 406
Associating Interfaces With a Packet Filter Rule . . . . . . . . . . . . . . . . . . . . . . 406
Modifying Packet Filter Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
Creating a Deployment Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
Creating and Managing SFW Policy and Filter Instances . . . . . . . . . . . . . . . . . . 409
Creating an SFW Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410
Creating a Service Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
Creating a Syslog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417
Creating a Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
Creating a Rule Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420
Creating Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
Creating Address Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423
Address and Address Groups Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423
Creating an SFW Rule Term . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423
Creating an Application and Application Set . . . . . . . . . . . . . . . . . . . . . . . . 426
Associating Service Sets and Rule Sets With an SFW Rule . . . . . . . . . . . . . 426
Modifying SFW Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
Creating a Deployment Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428
Viewing CGNAT Service Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 430
Viewing SFW Service Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431
Viewing and Modifying ADC Service Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . 432
Viewing ADC Service Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433
Modifying ADC Service Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
Creating a Deploy Plan and Provisioning Services Immediately . . . . . . . . . . 436
Filtering ADC Service Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438
Managing ADC Service Instance Locks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439
Unlocking Locked ADC Service Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
Viewing and Modifying TLB Service Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
Viewing TLB Service Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444
Modifying TLB Service Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
Creating a Deploy Plan and Provisioning Services Immediately . . . . . . . . . . 447
Filtering TLB Service Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 449
Managing TLB Service Instance Locks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451
Unlocking Locked TLB Service Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . 452
Using the Actions Menu on the Service Policy and Packet Filter Pages . . . . . . . 454
Creating a Deployment Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 454
Discarding Changes Made to a Service Policy or Packet Filter Policy . . . . . . 455
Tagging Junos Space Network Management Platform Objects . . . . . . . . . . . . . 456
Creating a Tag . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456
Tagging an Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460
Untagging an Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460
Chapter 23
Deploying Configurations to Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463
Planning and Deployment of Service Templates Overview . . . . . . . . . . . . . . . . . 463
Planning Workflow for Service Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . 463
Deployment Workflow for Service Templates . . . . . . . . . . . . . . . . . . . . . . . . 464
Viewing Deployment Plans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
Creating and Assigning a Deployment Plan to Devices . . . . . . . . . . . . . . . . . . . . 469
Creating a Deployment Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470
Publishing a Deploy Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473
Viewing Deploy Plans and Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473
Approving a Deploy Plan and Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474
Unpublishing a Deploy Plan and Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475
Deploying a Deploy Plan and Policies Immediately . . . . . . . . . . . . . . . . . . . . 475
Scheduling Deployment of Services and Policies . . . . . . . . . . . . . . . . . . . . . 476
Rejecting a Deploy Plan and Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477
Changing a Deploy Plan Action or Decommissioning a Deploy Plan . . . . . . 478
Discarding a Deploy Plan and Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478
Chapter 24
Viewing Transactions Associated with Deployment Jobs . . . . . . . . . . . . . . 481
Transactions Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481
Viewing Transactions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482
Part 6
Monitor Mode
Chapter 25
About Monitor Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 489
Understanding Monitor Mode in Edge Services Director . . . . . . . . . . . . . . . . . . . 489
General Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 489
Packet Analyzer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490
Fault Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490
Performance Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490
Chapter 26
Using Performance Management Utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . 491
Performance Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491
The Need and Benefits of Performance Manager . . . . . . . . . . . . . . . . . . . . . 491
Performance Manager View After a Context-Switch from the Monitoring
Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
Chapter 27
General Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497
Monitoring Capabilities Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497
Viewing the Monitoring Page in Gateway View . . . . . . . . . . . . . . . . . . . . . . . . . . 498
Viewing the ADC Service Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503
Viewing the TLB Service Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505
Viewing the CGNAT Service Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 508
Viewing the SFW Service Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 510
Part 7
Fault Mode
Chapter 28
About Fault Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517
Understanding Fault Mode in Edge Services Director . . . . . . . . . . . . . . . . . . . . . . 517
What Are Events and Alarms? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517
Alarm Severity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 518
Alarm State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 518
Threshold Alarms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 518
Understanding the Fault Mode Tasks Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 518
Chapter 29
Viewing and Managing Alarms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521
Changing Alarm State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521
Searching Alarms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521
Chapter 30
Alarm Monitor Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523
Alarms by State Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523
Alarms by Severity Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523
Current Active Alarms Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 524
Alarms by Service Type Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525
Alarm Detail Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525
Finding Specific Alarms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 526
Sorting Alarms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527
Reading Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527
Investigating Event Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 528
Changing the Alarm State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 528
Part 8
Report Mode
Chapter 31
About Report Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531
Understanding Report Mode in Edge Services Director . . . . . . . . . . . . . . . . . . . . 532
Understanding the Types of Reports You Can Create . . . . . . . . . . . . . . . . . . . . . 533
Chapter 32
Creating and Managing Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 535
Managing Reports in Edge Services Director . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 535
How to Locate and Manage Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 535
Managing Report Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 536
Creating Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 536
How to Create a Report Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 537
Creating a Report Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 538
Selecting Report Types and Report Options . . . . . . . . . . . . . . . . . . . . . . . . . 540
Setting Report Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 540
Reviewing the Report Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 541
Changing a Report Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 541
Scheduling Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 542
How to Create or Manage Schedules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 542
Managing Schedules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 542
Creating New Schedules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543
Editing Schedules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 545
Deleting Schedules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 545
Managing Generated Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 545
Reviewing Generated Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 546
Viewing Report Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 546
Exporting Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 547
Deleting Generated Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 547
Retaining Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 547
Chapter 33
Report Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 549
SDG Host Logical and Physical Inventory Report . . . . . . . . . . . . . . . . . . . . . . . . . 549
SDG Service Inventory Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 556
SDG Service Inventory Report Header . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 556
SDG Service Inventory Table and Charts . . . . . . . . . . . . . . . . . . . . . . . . . . . . 556
Alarm History Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 557
Alarm History Header . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 557
Alarm History Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 558
Part 9
System Mode
Chapter 34
About System Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 563
Understanding the System Tasks Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 563
Audit Logs Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 563
Part 10
Appendix
Chapter 35
Services Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 567
Adaptive Services Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 567
Junos Address Aware Network Addressing Overview . . . . . . . . . . . . . . . . . . . . . 569
Packet Flow Through the Adaptive Services or Multiservices PIC . . . . . . . . . . . . 570
ADC Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 572
Service Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 573
Installing and Configuring the ADC Software . . . . . . . . . . . . . . . . . . . . . . . . 574
Application-Based Health Checks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 574
SSL Server Health Checks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 574
DNS Health Checks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 574
Ping Health Checks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 574
HTTP Health Checks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 574
Script-Based Health Checks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 575
Script Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 575
Sample IPv6 Transition Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 576
Example 1: IPv4 Depletion with a Non-IPv6 Access Network . . . . . . . . . . . . 577
Example 2: IPv4 Depletion with an IPv6 Access Network . . . . . . . . . . . . . . . 577
Example 3: IPv4 Depletion for Mobile Networks . . . . . . . . . . . . . . . . . . . . . . 578
Understanding Services PICs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 578
Adaptive services and Multiservices PICs . . . . . . . . . . . . . . . . . . . . . . . . . . . 579
Encryption Services (ES) PIC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 579
Multilink Services and Link Services PICs . . . . . . . . . . . . . . . . . . . . . . . . . . . 580
Monitoring Services PICs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 580
Tunnel Services PIC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 580
Multiservices MIC and Multiservices MPC . . . . . . . . . . . . . . . . . . . . . . . . . . . 580
TLB Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 581
TLB Application Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 581
TLB Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 582
TLB Key Characteristics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 582
TLB Application Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 583
Servers and Server Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 583
Server Health Monitoring — Single Health Check and Dual Health
Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 583
Virtual Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 584
TLB Configuration Limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 584
Installing and Configuring TLB Using the CLI Interface . . . . . . . . . . . . . . . . . . . . 584
Configuring a TLB Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 585
Configuring Interface and Routing Information . . . . . . . . . . . . . . . . . . . . . . . 585
Configuring Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 586
Configuring Network Monitoring Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . 587
Configuring Server Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 588
Configuring Virtual Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 589
Stateful Firewall Overview for Junos OS Extension-Provider Packages . . . . . . . 590
Stateful Firewall Support for Application Protocols . . . . . . . . . . . . . . . . . . . 591
Stateful Firewall Anomaly Checking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 592
Network Address Translation Configuration Overview . . . . . . . . . . . . . . . . . . . . . 593
Configuring Source and Destination Addresses Network Address Translation
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 593
Configuring Pools of Addresses and Ports for Network Address Translation
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 594
Configuring NAT Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 594
Preserve Range and Preserve Parity . . . . . . . . . . . . . . . . . . . . . . . . . . . . 595
Specifying Destination and Source Prefixes without Configuring a
Pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 596
Configuring Address Pools for Network Address Port Translation (NAPT)
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 596
Round-Robin Allocation for NAPT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 596
Sequential Allocation for NAPT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 597
Preserve Parity and Preserve Range for NAPT . . . . . . . . . . . . . . . . . . . . 598
Address Pooling and Endpoint Independent Mapping for NAPT . . . . . 598
Port Block Allocation for NAPT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 599
Deterministic Port Block Allocation for NAPT . . . . . . . . . . . . . . . . . . . . 599
Comparison of NAPT Implementation Methods . . . . . . . . . . . . . . . . . 603
Network Address Translation Rules Overview . . . . . . . . . . . . . . . . . . . . . . . 604
Configuring Match Direction for NAT Rules . . . . . . . . . . . . . . . . . . . . . . 605
Configuring Match Conditions in NAT Rules . . . . . . . . . . . . . . . . . . . . . 606
Configuring Actions in NAT Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 606
Configuring Translation Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 607
Configuring Service Sets for Network Address Translation . . . . . . . . . . . . . 609
Junos OS CGNAT Implementation Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 611
Network Address Translation Overview for MS-DPC, MS-MPC, and MS-MIC
Line Cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 612
Types of NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 612
Inline Network Address Translation Overview for MPC Types 1, 2, and 3 . . . 616
CGNAT Implementations Feature Comparison for Junos Address Aware by
Type of Interface Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 617
ALGs Available by Default for Junos OS Address Aware NAT . . . . . . . . . . . . 620
Service Redundancy Daemon Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 622
Introduction to the Service Redundancy Daemon . . . . . . . . . . . . . . . . . . . . . 622
Service Redundancy Daemon Components . . . . . . . . . . . . . . . . . . . . . . . . . 622
Service Redundancy Daemon Constraints . . . . . . . . . . . . . . . . . . . . . . . . . . 623
Service Redundancy Daemon Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . 624
Configuring the Service Redundancy Daemon . . . . . . . . . . . . . . . . . . . . . . . . . . . 624
Configuring Redundancy Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 625
Configuring Redundancy Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 626
Configuring Redundancy Set and Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . 628
Configuring Routing Policies Supporting Redundancy . . . . . . . . . . . . . . . . . 629
Configuring Service Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 629
Application Layer Gateways Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 630
Supported ALGs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 630
ALG Support Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 631
Basic TCP ALG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 632
Basic UDP ALG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 632
BOOTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 633
DCE RPC Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 633
DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 633
FTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 633
H323 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 634
ICMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 635
IIOP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 635
IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 635
NetBIOS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 635
NetShow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 636
ONC RPC Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 636
PPTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 636
RealAudio . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 636
Sun RPC and RPC Portmap Services . . . . . . . . . . . . . . . . . . . . . . . . . . . 637
RTSP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 638
SIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 639
SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 639
SQLNet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 639
TFTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 640
Traceroute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 640
UNIX Remote-Shell Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 640
Winframe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 641
Juniper Networks Defaults . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 641
Examples: Referencing the Preset Statement from the Junos Default
Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 651
List of Figures
Part 1
Overview
Chapter 1
Edge Services Director Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Figure 1: The Edge Services Director User Interface Components . . . . . . . . . . . . . . 5
Figure 2: Edge Services Director Banner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Figure 3: Performing Search on the View Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Figure 4: Column Drop-Down Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Chapter 3
Tasks Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Figure 5: Alarms Page in Fault Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Chapter 5
Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Figure 6: Dashboard Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Part 2
Gateway View of Build Mode
Chapter 7
Managing Service Delivery Gateways and Groups . . . . . . . . . . . . . . . . . . . . . 83
Figure 7: Compare Configuration View Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Figure 8: Service Gateway Groups Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Figure 9: Service Gateway Details Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Chapter 8
Managing KPI Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Figure 10: Network Entry Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Figure 11: Clone KPI Template Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Figure 12: KPI Templates Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Chapter 9
Viewing the Device Inventory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Figure 13: Device Inventory Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Figure 14: Device Count by Platform Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Figure 15: Device Status Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Figure 16: Device Count by OS Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Part 3
Location and Device Views of Build Mode
Chapter 11
Device Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Figure 17: Device Inventory Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Part 4
Service View of Build Mode
Chapter 13
Using the Service Designer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Figure 18: Services Inventory Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Figure 19: Service Template Statistics Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Figure 20: Create ADC Service Template Window . . . . . . . . . . . . . . . . . . . . . . . . 195
Figure 21: Select Reference Config Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Figure 22: Create CGNAT Service Template Window . . . . . . . . . . . . . . . . . . . . . . 223
Figure 23: Select Reference Config Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Figure 24: Create SFW Service Template Window . . . . . . . . . . . . . . . . . . . . . . . . 240
Figure 25: Select Reference Config Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
Figure 26: Create TLB Service Template Window . . . . . . . . . . . . . . . . . . . . . . . . . 261
Figure 27: Select Reference Config Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
Figure 28: Select Reference Config Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
Chapter 14
Using the Object Builder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
Figure 29: Object Builder Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
Figure 30: Add to Object Builder Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
Chapter 15
Managing Packet Analyzers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
Figure 31: Service Analyzer Instances Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
Part 5
Deploy Mode
Chapter 17
Device Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
Figure 32: Device Inventory Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
Chapter 20
Viewing and Editing Service Instances and Packet Filters Across All
Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
Figure 33: Service Edit Page with Pie Charts of Configured Service Types . . . . . 344
Chapter 21
Enhanced Editing of Services and Packet Filters . . . . . . . . . . . . . . . . . . . . . 349
Figure 34: Enhanced Edit Page for Packet Filters . . . . . . . . . . . . . . . . . . . . . . . . . . 351
Figure 35: Enhanced Edit Page for Service Policy Rules . . . . . . . . . . . . . . . . . . . . 353
Chapter 22
Managing Service Instance and Policy Rule Definitions . . . . . . . . . . . . . . . 355
Figure 36: CGNAT Services Listing Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
Figure 37: Stateful Firewall Services Listing Page . . . . . . . . . . . . . . . . . . . . . . . . . 374
Figure 38: Create a CGNAT Rule Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
Figure 39: Create a Packet Filter Rule Term Window . . . . . . . . . . . . . . . . . . . . . . 402
Figure 40: Create SFW Policy Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
Chapter 23
Deploying Configurations to Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463
Figure 41: Deployment Plans Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467
Figure 42: Create Deployment Plan Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
Chapter 24
Viewing Transactions Associated with Deployment Jobs . . . . . . . . . . . . . . 481
Figure 43: Transactions Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483
Part 6
Monitor Mode
Chapter 27
General Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497
Figure 44: Monitoring Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499
Figure 45: Monitoring Page for ADC Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 504
Figure 46: Monitoring Page for TLB Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 506
Figure 47: Monitoring Page for CGNAT Service . . . . . . . . . . . . . . . . . . . . . . . . . . . 508
Figure 48: Monitoring Page for SFW Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511
Part 7
Fault Mode
Chapter 28
About Fault Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517
Figure 49: Alarms Page in Fault Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519
Part 8
Report Mode
Chapter 31
About Report Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531
Figure 50: Examples of Edge Services Director Reports . . . . . . . . . . . . . . . . . . . . 532
Part 10
Appendix
Chapter 35
Services Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 567
Figure 51: Packet Flow Through the Adaptive Services or MultiServices PIC . . . . 571
Figure 52: IPv4 Depletion Solution - IPv4 Access Network . . . . . . . . . . . . . . . . . . 577
Figure 53: IPv4 Depletion Solution - IPv6 Access Network . . . . . . . . . . . . . . . . . 578
Figure 54: TLB Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 582
Figure 55: Dynamic NAT Flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 615
Figure 56: Stateful NAT64 Flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 615
Figure 57: Supported Inline NAT Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 617
List of Tables
About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxvii
Table 1: Notice Icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxviii
Table 2: Text and Syntax Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxviii
Part 1
Overview
Chapter 1
Edge Services Director Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Table 3: Numerical Sorts and Lexical Sorts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Chapter 3
Tasks Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Table 4: Device Discovery Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Table 5: Inventory Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Table 6: Service Gateway Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Table 7: Service Analyzer Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Table 8: Device Management Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Table 9: Location Management Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Table 10: Service Template Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Table 11: Object Builder Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Table 12: Configuration Deployment Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Table 13: Image Management Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Table 14: Device Management Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Table 15: Device Configuration File Management Tasks . . . . . . . . . . . . . . . . . . . . . 39
Table 16: Service Deployment Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Table 17: Service Edit Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Table 18: Policy and Filter Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Chapter 4
System Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Table 19: Audit Logs Page Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Table 20: Job Management Page Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Table 21: Log Files in the troubleshooting.zip File . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Part 2
Gateway View of Build Mode
Chapter 6
About Gateway View of Build Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Table 22: Job Management Page Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Chapter 7
Managing Service Delivery Gateways and Groups . . . . . . . . . . . . . . . . . . . . . 83
Table 23: Fields on the Service Gateway Details Page . . . . . . . . . . . . . . . . . . . . . 100
Table 24: Fields in the Last Execution Status Dialog Box . . . . . . . . . . . . . . . . . . . 104
Chapter 8
Managing KPI Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Table 25: ADC Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Table 26: TLB Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Table 27: CGNAT Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Table 28: SFW Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Table 29: Chassis Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Table 30: HA Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Table 31: KPI Templates View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Chapter 9
Viewing the Device Inventory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Table 32: Managed Status Pie Chart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Table 33: Fields Under the Gateway Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Table 34: Fields Under the Hardware Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Table 35: Fields Under the Interface Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Part 3
Location and Device Views of Build Mode
Chapter 10
Location View Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Table 36: Contents of Selected Device Details . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Table 37: Add or Edit Building Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Table 38: Floor Field Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Table 39: Outdoor Area Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Table 40: Site Creation Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Table 41: Devices that can be Assigned to each Location Component . . . . . . . . 163
Chapter 11
Device Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Table 42: Fields in the Device Inventory Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Table 43: Fields in the Device Physical Inventory Table . . . . . . . . . . . . . . . . . . . . . 172
Table 44: Viewing Licenses with Edge Services Director . . . . . . . . . . . . . . . . . . . . 173
Table 45: Additional Licensing Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Part 4
Service View of Build Mode
Chapter 13
Using the Service Designer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Table 46: Service Designer View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Table 47: Fields on the Services Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Table 48: Hash Keys Supported for AMS for Service Applications . . . . . . . . . . . . 232
Table 49: Hash Keys Supported for AMS for Service Applications . . . . . . . . . . . 249
Part 5
Deploy Mode
Chapter 17
Device Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
Table 50: Fields in the Device Inventory Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
Table 51: Resynchronize Device Configuration Fields . . . . . . . . . . . . . . . . . . . . . . 323
Chapter 18
Configuration File Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
Table 52: Manage Device Configuration Table . . . . . . . . . . . . . . . . . . . . . . . . . . . 328
Table 53: Job Management Page Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
Chapter 19
Software Image Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
Table 54: Device Image Repository Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
Table 55: Device Image Summary Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
Table 56: Select images for devices Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
Table 57: Image Management Job Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
Table 58: Image Deployment Jobs Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
Table 59: Device Image Staging Window Description . . . . . . . . . . . . . . . . . . . . . . 341
Chapter 21
Enhanced Editing of Services and Packet Filters . . . . . . . . . . . . . . . . . . . . . 349
Table 60: Service Edit > Packet Filter Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
Table 61: Services – CGNAT and SFW Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
Chapter 22
Managing Service Instance and Policy Rule Definitions . . . . . . . . . . . . . . . 355
Table 62: Service Edit > ADC Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
Table 63: TLB Service Edit Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
Table 64: CGNAT Policy and Filter Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
Table 65: Packet Filter Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
Table 66: SFW Policy and Filter Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
Table 67: Hash Keys Supported for AMS for Service Applications . . . . . . . . . . . . 381
Table 68: Hash Keys Supported for AMS for Service Applications . . . . . . . . . . . . 415
Table 69: CGNAT Service Edit Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 430
Table 70: SFW Service Edit Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 432
Table 71: ADC Service Edit Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
Table 72: Fields in the Manage Instance Locks Dialog Box . . . . . . . . . . . . . . . . . . 442
Table 73: TLB Service Edit Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
Table 74: Fields in the Manage Instance Locks Dialog Box . . . . . . . . . . . . . . . . . . 452
Part 7
Fault Mode
Chapter 29
Viewing and Managing Alarms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521
Table 75: Alarm Search Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 522
Chapter 30
Alarm Monitor Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523
Table 76: Current Active Alarms Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 524
Table 77: Alarm Detail Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 526
Table 78: Sort Options for Alarms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527
Table 79: Event Detail Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527
Part 8
Report Mode
Chapter 32
Creating and Managing Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 535
Table 80: Manage Report Definition Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 536
Table 81: Manage Report Definition Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 537
Table 82: Select Report Type Table Columns . . . . . . . . . . . . . . . . . . . . . . . . . . . . 539
Table 83: Report Type Options for Data Filtration . . . . . . . . . . . . . . . . . . . . . . . . 539
Table 84: Schedule Options for Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 541
Table 85: Manage Report Schedules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543
Table 86: One-Time Schedule Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 544
Table 87: Recurring Schedule Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 544
Table 88: Range of Recurrence Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 544
Table 89: Fields in the Generated Reports Page . . . . . . . . . . . . . . . . . . . . . . . . . 546
Table 90: Generated Report Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 546
Chapter 33
Report Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 549
Table 91: SDG Host Logical and Physical Inventory Report Header . . . . . . . . . . . 549
Table 92: Managed Status Pie Chart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 550
Table 93: Fields Under the SDG Host Details Table . . . . . . . . . . . . . . . . . . . . . . . 551
Table 94: Fields Under the Hardware Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 552
Table 95: Fields Under the Interface Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 555
Table 96: SDG Service Inventory Report Header . . . . . . . . . . . . . . . . . . . . . . . . . 556
Table 97: SDG Service Inventory Report Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . 557
Table 98: Alarm History Report Header . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 558
Table 99: Active Alarm Table Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 558
Part 9
System Mode
Chapter 34
About System Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 563
Table 100: System Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 563
Part 10
Appendix
Chapter 35
Services Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 567
Table 101: TLB Configuration Limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 584
Table 102: Deterministic Port Block Allocation Commit Constraints . . . . . . . . . . 603
Table 103: Comparison of NAPT Implementation Methods . . . . . . . . . . . . . . . . 604
Table 104: CGNAT Implementation—Feature Comparison by Platform . . . . . . . 618
Table 105: CGNAT Translation Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 619
Table 106: ALGs Available by Default . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 620
Table 107: ALGs Supported by Junos OS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 630
Table 108: RealAudio Product Port Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 636
Table 109: Supported RPC Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 637
About the Documentation
• Documentation and Release Notes on page xxvii
• Supported Platforms on page xxvii
• Documentation Conventions on page xxvii
• Documentation Feedback on page xxix
• Requesting Technical Support on page xxx
Documentation and Release Notes
To obtain the most current version of all Juniper Networks technical documentation,
see the product documentation page on the Juniper Networks website at
http://www.juniper.net/techpubs/.
If the information in the latest release notes differs from the information in the
documentation, follow the product Release Notes.
Juniper Networks Books publishes books by Juniper Networks engineers and subject
matter experts. These books go beyond the technical documentation to explore the
nuances of network architecture, deployment, and administration. The current list can
be viewed at http://www.juniper.net/books.
Supported Platforms
For the features described in this document, the following platforms are supported:
• JA2500
• MX960
• MX480
• MX240
Documentation Conventions
Table 1 on page xxviii defines notice icons used in this guide.
Table 1: Notice Icons

| Icon | Meaning | Description |
|------|---------|-------------|
| | Informational note | Indicates important features or instructions. |
| | Caution | Indicates a situation that might result in loss of data or hardware damage. |
| | Warning | Alerts you to the risk of personal injury or death. |
| | Laser warning | Alerts you to the risk of personal injury from a laser. |
| | Tip | Indicates helpful information. |
| | Best practice | Alerts you to a recommended use or implementation. |

Table 2 on page xxviii defines the text and syntax conventions used in this guide.
Table 2: Text and Syntax Conventions

Convention: Bold text like this
Description: Represents text that you type.
Examples: To enter configuration mode, type the configure command:
    user@host> configure

Convention: Fixed-width text like this
Description: Represents output that appears on the terminal screen.
Examples:
    user@host> show chassis alarms
    No alarms currently active

Convention: Italic text like this
Description:
• Introduces or emphasizes important new terms.
• Identifies guide names.
• Identifies RFC and Internet draft titles.
Examples:
• A policy term is a named structure that defines match conditions and actions.
• Junos OS CLI User Guide
• RFC 1997, BGP Communities Attribute

Convention: Italic text like this
Description: Represents variables (options for which you substitute a value) in
commands or configuration statements.
Examples: Configure the machine’s domain name:
    [edit]
    root@# set system domain-name domain-name

Convention: Text like this
Description: Represents names of configuration statements, commands, files, and
directories; configuration hierarchy levels; or labels on routing platform
components.
Examples:
• To configure a stub area, include the stub statement at the
  [edit protocols ospf area area-id] hierarchy level.
• The console port is labeled CONSOLE.

Convention: < > (angle brackets)
Description: Encloses optional keywords or variables.
Examples:
    stub <default-metric metric>;

Convention: | (pipe symbol)
Description: Indicates a choice between the mutually exclusive keywords or
variables on either side of the symbol. The set of choices is often enclosed in
parentheses for clarity.
Examples:
    broadcast | multicast
    (string1 | string2 | string3)

Convention: # (pound sign)
Description: Indicates a comment specified on the same line as the configuration
statement to which it applies.
Examples:
    rsvp { # Required for dynamic MPLS only

Convention: [ ] (square brackets)
Description: Encloses a variable for which you can substitute one or more values.
Examples:
    community name members [ community-ids ]

Convention: Indention and braces ( { } )
Description: Identifies a level in the configuration hierarchy.

Convention: ; (semicolon)
Description: Identifies a leaf statement at a configuration hierarchy level.

Examples (indention and braces; semicolon):
    [edit]
    routing-options {
        static {
            route default {
                nexthop address;
                retain;
            }
        }
    }

GUI Conventions

Convention: Bold text like this
Description: Represents graphical user interface (GUI) items you click or select.
Examples:
• In the Logical Interfaces box, select All Interfaces.
• To cancel the configuration, click Cancel.

Convention: > (bold right angle bracket)
Description: Separates levels in a hierarchy of menu selections.
Examples: In the configuration editor hierarchy, select Protocols>Ospf.

Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we can
improve the documentation. You can provide feedback by using either of the following
methods:
• Online feedback rating system—On any page of the Juniper Networks TechLibrary site
  at http://www.juniper.net/techpubs/index.html, simply click the stars to rate the content,
  and use the pop-up form to provide us with information about your experience.
  Alternately, you can use the online feedback form at
  http://www.juniper.net/techpubs/feedback/.
• E-mail—Send your comments to techpubs-comments@juniper.net. Include the document
  or topic name, URL or page number, and software version (if applicable).
Requesting Technical Support
Technical product support is available through the Juniper Networks Technical Assistance
Center (JTAC). If you are a customer with an active J-Care or Partner Support Service
support contract, or are covered under warranty, and need post-sales technical support,
you can access our tools and resources online or open a case with JTAC.
• JTAC policies—For a complete understanding of our JTAC procedures and policies,
  review the JTAC User Guide located at
  http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.
• Product warranties—For product warranty information, visit
  http://www.juniper.net/support/warranty/.
• JTAC hours of operation—The JTAC centers have resources available 24 hours a day,
  7 days a week, 365 days a year.
Self-Help Online Tools and Resources
For quick and easy problem resolution, Juniper Networks has designed an online
self-service portal called the Customer Support Center (CSC) that provides you with the
following features:
• Find CSC offerings: http://www.juniper.net/customers/support/
• Search for known bugs: http://www2.juniper.net/kb/
• Find product documentation: http://www.juniper.net/techpubs/
• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
• Download the latest versions of software and review release notes:
  http://www.juniper.net/customers/csc/software/
• Search technical bulletins for relevant hardware and software notifications:
  http://kb.juniper.net/InfoCenter/
• Join and participate in the Juniper Networks Community Forum:
  http://www.juniper.net/company/communities/
• Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/
To verify service entitlement by product serial number, use our Serial Number Entitlement
(SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/
Opening a Case with JTAC
You can open a case with JTAC on the Web or by telephone.
• Use the Case Management tool in the CSC at http://www.juniper.net/cm/.
• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).
For international or direct-dial options in countries without toll-free numbers, see
http://www.juniper.net/support/requesting-support.html.
PART 1
Overview
• Edge Services Director Overview
• Getting Started
• Tasks Pane
• System Administration
• Dashboard
CHAPTER 1
Edge Services Director Overview
• Understanding the Need for Edge Services Director
• Understanding the Edge Services Director User Interface
• Understanding Edge Services Director and the Management Lifecycle Modes
• Service Delivery Gateway Overview
• Edge Services Director Overview
Understanding the Need for Edge Services Director
The service delivery gateway (SDG) orchestration of services, by coordination of traffic
flows and service interaction based on policy and subscriber context, immensely simplifies
service deployment. In addition, the consolidation of the various components necessary
to deliver services at scale (such as carrier-grade NAT [CGNAT], stateful firewall,
deep-packet inspection, or stateful load balancing) allows for a simplified and reliable
services network architecture. An SDG management application is a key component for
simplifying and solving the major operational challenges of service delivery, which leads
to service innovation in the future.
The SDG management application called Edge Services Director is an operations tool
that is primarily used by the service provider operations team for comprehensive and
centralized service management across different regions, zones, and business units
catering to different types of customers. For enterprise, consumer, voice over Long
Term Evolution (VoLTE) mobile networks, and others, the SDG management application
is implemented on the Junos Space Network Management application and gives
service providers the capability to achieve faster IP service rollouts for business needs
and to reduce the overall operating expense (OPEX) of managing the service lifecycle.
Currently, SDG users need to plan, configure, and debug the entire SDG network using
the CLI.
Operators need extensive training in CLI commands and need to keep abreast of the
latest syntax and format changes in the CLI commands and configuration stanzas. The
CLI method of setup and administration is not well-suited for bulk management and
requires a longer time to test, deploy, and maintain large networks. Although SNMP may
provide some monitoring, it lacks a thorough management capability for service lifecycle
management. Service management is a well-understood concept in enterprise and
consumer domains. However, service management in operator and service provider
networks is a complex integration of element management systems,
operations support systems (OSS), and business support systems (BSS) in the backend.
Edge Services Director has a distinct, potent advantage over other management
applications available in the market because it is not vendor-specific and provides a
cohesive, seamless management capability. The service provider operations personnel
use role-based users and workflows to manage services.
The workflow supports deployment specific methods of operations. Edge Services
Director, which is the SDG management application, addresses the following business
and operational requirements:
• Cost and time to market for new service—Introduction of new value-added services
  in a faster and streamlined way to meet evolving business needs.
• Reliability of services and network—Proactive monitoring of SDG traffic flow and various
  components for root cause analysis and faster resolution.
• Flexibility of making changes—Configuration and reconfiguration of services in a much
  more controlled and isolated environment.
• OPEX savings—Reduction of OPEX cost related to deploying new services and the
  training required to operate the service.
You can employ SDG management in the following network scenarios:
• Simplified and scalable management of hundreds of SDGs
• Configuration and provisioning of SDG services
• Support for large brownfield deployments
• Greenfield deployment support by enabling service planning and configuration
  templates
  Edge Services Director currently supports only brownfield deployments or provisioning
  and not greenfield deployments. A greenfield deployment refers to the Junos OS base
  configurations and bootstrapping, core device settings such as routing instances,
  interfaces and IP addresses, and routing protocols to be available for configuration
  using the network management application. A brownfield deployment refers to the
  basic and mandatory device settings already being configured on the devices before
  they are imported or discovered for additional modifications, such as configuration of
  services, using the network management application.
• High availability (HA) support for active and standby systems
• Faster and easier issue resolution to isolate and identify problems, and debugging call
  flows for troubleshooting
• A searchable and sortable inventory of service instances, service components, and the
  underlying hardware
• Policy and filter management across service instances on the network
• Scalable video traffic monitoring, such as to monitor multicast or unicast video traffic
• Single pane of view for service monitoring with key performance indicators (KPIs) and
  threshold values
• Fault and performance management for scalable logging and data collection and
  correlation of different data sources
• System image and version management, and management of scripts
• Reporting of service usages
Related Documentation
• Understanding Edge Services Director User Administration
• Understanding the Edge Services Director User Interface
• Understanding Edge Services Director and the Management Lifecycle Modes
• Service Delivery Gateway Overview
• Edge Services Director Overview
Understanding the Edge Services Director User Interface
Junos Space Edge Services Director provides a simple-to-use, Web 2.0 user interface
that you can access through standard Web browsers. The user interface uses task-based
workflows to help you accomplish administrative tasks quickly and efficiently. It provides
you with the flexibility to work with single or multiple devices grouped by logical
relationship, location, or device type. You can filter, sort, and select columns in tables,
which makes it easy to find specific information.
Figure 1 illustrates the main components of the interface.
Use the Edge Services Director banner, shown in Figure 2, to select the working
mode. You can also use the Edge Services Director banner to perform other global tasks,
such as setting up your preferences or accessing Junos Space.
Figure 2: Edge Services Director Banner
The following are the functions of the banner:
• Accessing Junos Space Platform—Click to exit Edge Services Director and open the
  Junos Space Network Application Platform. You can switch back and forth between
  Edge Services Director and Junos Space without logging in again.
• View Selector—Select the network view that you want to work in. You can choose from
  one of the following views:
  • Dashboard View
  • Location View
  • Device View
  • Gateway View
  • Service View
• Mode Icons—Select the mode you want to work in.
  NOTE: You might not have access to all the Edge Services Director modes.
  What modes you have access to depends on your assigned user role.
• Login as—Displays the username using which you logged in to Edge Services Director.
  Click the down arrow next to the username and select the scope of the view, such as
  global.
• User Log out—Select this icon, which is the rightmost one in the banner, to log out of
  Edge Services Director and Junos Space.
• Product Information and Online Help—Click the down arrow next to System and
  select either of the following options:
  • Help—Enables you to open searchable Help. This Help icon is not context-sensitive—it
    always opens Help to the first page. From here, you can browse or search Help.
    Context-sensitive Help is available from the Help icon provided on each pane or
    page.
  • About—Displays information about Network Director, such as the currently running
    version.
• System Tasks and Jobs—Access the system tasks such as viewing audit logs and jobs
  and collecting troubleshooting logs.
In addition to this, Edge Services Director displays the date and time in the local time
zone in the bottom right corner.
View Pane
In the View pane, Edge Services Director provides you a unified, hierarchical view of your
wired, wireless, and data center networks in the form of a tree that is expandable
and collapsible. By selecting both a view and a node in the tree, you indicate the scope
over which you want an operation or task to occur. For example:
• By selecting the service delivery gateway (SDG) group in Gateway View, you indicate
  that the scope for a task is the routers in the SDG group.
• By selecting a floor node in Location View, you indicate that the scope for a task is all
  devices belonging to that floor.
• By selecting the MX240 node in Device View, you indicate that the scope for a task is
  all MX240 routers in your network.
You can perform the following actions in the View pane:
• Displaying Devices in Various Network Views
• Expanding or Collapsing Nodes in the Network Tree
• Searching the Network Tree
Displaying Devices in Various Network Views
Use the selection box in the Edge Services Director banner to choose one of the following
network views:
• Dashboard View—This is a customizable view that provides information about your
  network. You can select and add monitoring widgets to the Dashboard View based on
  your requirements. This is the default view that opens when you log in to Edge Services
  Director.
• Location View—Devices are organized by their physical locations. You build this view
  by creating sites, buildings, floors, aisles, racks, outdoor areas, and then assigning your
  routers to these locations.
• Device View—Devices are organized by device type, such as routers. Within each device
  type, devices are organized by device model. For example, all models of MX240 routers
  are grouped together under one node in the tree.
• Gateway View—Service delivery gateways (SDGs) are discovered by the SDG discovery
  workflow. The discovered SDGs are shown on the SDG inventory page. The discovered
  SDGs can be a part of a high availability (HA) pair or standalone SDGs. You create the
  network managed by Junos Space Edge Services Director by bringing devices under
  the administration of the network management application and retrieving the device
  settings to save in the Edge Services Director database. It provides you with the ability
  to use device discovery to bring devices under Edge Services Director management,
  to customize your view of the devices, to configure devices, and to perform some
  common device management tasks.
• Service View—You can create services, policies, and filters for devices that are managed
  by Edge Services Director. The service templates and attributes for services, policies,
  and filters help you classify and control the manner in which packets must be handled
  by the various services. You can also import objects, which are components or
  parameters used for creation of services, from the Service Delivery Gateways (SDGs)
  that are present in the Edge Services Director database or from external XML files.
Expanding or Collapsing Nodes in the Network Tree
To expand a node in the network tree, select the node and then click the Expand All icon:
The node you selected and any child nodes under the selected node are expanded to
show their contents.
Similarly, to collapse a node in the network tree, select the node and then click the
Collapse All icon (next to the Expand All icon). The node you selected is collapsed and
no nodes under it are shown.
Searching the Network Tree
To quickly find and select a device or device group, use the search function.
To perform a search, type three or more characters in the Search box and click the Search
icon, as shown in Figure 3.
Figure 3: Performing Search on the View Pane
Edge Services Director finds the first instance of a node whose name contains the
characters. To find the next instance, click the right arrow.
Searches are not case-sensitive: a search on wla115 and one on WLA115 return the same
results.
Tasks Pane
The Tasks pane is available in every mode and lists tasks specific to that mode. In addition
to changing according to the mode selected, tasks listed in the Tasks pane can change.
For example, some tasks are appropriate only at the device level and thus appear only
when you have selected an individual device. Clicking a task brings up task-specific
content in the main window. In general, to perform a task in Edge Services Director, you
navigate to the task.
Alarms
The Alarms bar that is displayed at the bottom of your browser window provides a quick
summary of how many critical, major, minor, and informational alarms are currently
active in the network and is visible in every mode.
To display more information about alarms, click the alarm count or the Alarms bar. You
are automatically placed in Fault mode and the Fault mode monitors are displayed.
Main Window or Workspace
The main window or workspace displays content relevant to the mode, scope, and task
you have selected. When you log in to Edge Services Director, the main window displays
the dashboard. The dashboard enables operators to quickly monitor the
health and status of the managed devices. The sections or frames on the dashboard
allow the operator to understand a device problem or fault at the macro level
(comprehensive and widespread network health and status) and the micro level
(individual device health and status). The health representation of the devices can be
customized based on the monitoring properties defined. You can view all the available
devices that are managed by Edge Services Director from the Device Inventory page. The
Device Inventory page is accessible in Device View of Build mode as the default landing
page.
Tables in Edge Services Director
Tables are used throughout Edge Services Director to display data. These tables share
common features. By becoming familiar with these features, you can navigate and
manipulate tabular data quickly and efficiently.
The following sections describe:
• Moving and Resizing Columns
• Navigating Pages
• Displaying the Column Drop-Down Menu
• Sorting on a Column
• Hiding and Exposing Columns
• Searching Table Contents
• Filtering Table Contents
Moving and Resizing Columns
You can reposition and resize columns in a table. To move a column, drag the column
head to the new location. Edge Services Director displays a green check mark when you
mouse over a valid column location. To resize a column, mouse over the edge of a column
until the cursor becomes two vertical lines with outward arrows. Drag the column width
to the new size.
Navigating Pages
Paging controls at the bottom of an applicable page allow you to navigate the entries
on the pages when the inventory is too large to fit on one page. Using these controls, you
can go to a specific page, navigate to the next or previous page, navigate to the first or
last page of the inventory, or refresh the inventory view.
Displaying the Column Drop-Down Menu
A drop-down menu is available from each column head, allowing you to perform additional
operations on columns. To display the column drop-down menu, mouse over the column
head. A down arrow appears. By clicking the arrow, you display the drop-down menu, as
shown in Figure 4.
Figure 4: Column Drop-Down Menu
Sorting on a Column
You can sort the table on a column by clicking the column head—each click changes the
direction of the sort. In addition, you can use the Sort Ascending and Sort Descending
options in the drop-down menu.
When you sort on a column, a small arrow appears next to the column name to indicate
that the table is being sorted by the column and the direction of the sort.
Edge Services Director uses a lexical sort for tabular data that is not strict numeric data,
which means that data such as IP addresses do not sort in numerical sequence, as shown
in Table 3.

Table 3: Numerical Sorts and Lexical Sorts

Numerical Sort     Lexical Sort
10.93.200.65       10.93.200.129
10.93.200.129      10.93.200.199
10.93.200.199      10.93.200.65
Hiding and Exposing Columns
You can customize your tables by hiding or exposing columns. This way, you can choose
to see only relevant information.
To hide or expose columns, display the drop-down menu for any column head and mouse
over the Columns option, as shown in Figure 4. Select the check box beside
a column in the drop-down menu to expose it. Clear the check box beside a column to
hide it.
As a general rule, Edge Services Director displays all columns in a table by default.
However, some tables have more columns than can fit easily within the page. In these
tables, some columns are hidden by default.
Searching Table Contents
You can search for specific data in large tables by using search criteria.
To search for an item in a table, enter the search term in the text box. Select ANY for
Edge Services Director to search for the term in all columns in the table. Every table has
a predefined default column that the system searches before it proceeds to search other
columns.
You can also choose to search a particular column for a term. Edge Services Director
displays a list of all the columns in a table. To search a particular column for a term,
select that column from the list.
NOTE: When you enter a search expression, note the following:
• You must add a backslash "\" if you want to use the following special
  characters in the search text:
  + ~ && || ! ( ) { } [ ] ^ " ~ * ? : \
• Field names are case-sensitive.
  For example, if you have a few systems running on Junos OS 12.3 Release
  4.5, then os: 12.3R4.5 returns search results, whereas OS: 12.3R4.5 does
  not return search results. This is because the field name that is indexed is
  os and not OS.
• If you want to search for a term that includes a space, enclose the term
  within double quotation marks.
  For example, to search for all devices that are synchronized (that is, In
  Sync), enter "In Sync" in the Search field.
• You must append "*" if you want to search using partial keywords.
  Otherwise, the search returns 0 (zero) matches or hits.
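The rules in the note above, applied to the text of a single search term, as an added example that is not part of the guide or of Edge Services Director. The function names are hypothetical, and placing one backslash in front of the two-character operators && and || (rather than one per character) is an assumption, since the guide says only that a backslash must be added.

```python
"""Prepare the text of one search term according to the note's rules.

Added example with hypothetical helper names; not Edge Services Director code.
Field names are case-sensitive, so a field prefix such as "os:" is typed
exactly as indexed and is not passed through these helpers.
"""
import re

# Special characters as listed in the note. "&&" and "||" are matched as
# two-character operators; a lone "&" or "|" is not on the list and is left
# alone. Assumption: each match gets a single leading backslash.
_SPECIAL = re.compile(r'&&|\|\||[+~!(){}\[\]^"*?:\\]')


def escape_term(text):
    """Return text with a backslash before every listed special sequence."""
    return _SPECIAL.sub(lambda match: "\\" + match.group(0), text)


def build_search_term(text, partial=False):
    """Build the string to type into the Search box for one term.

    - special characters are escaped with a backslash
    - a term that includes a space is enclosed in double quotation marks
    - partial=True appends "*" so that a partial keyword can match
    """
    if not text or not text.strip():
        raise ValueError("search term is empty")
    text = text.strip()
    has_space = any(ch.isspace() for ch in text)
    if has_space and partial:
        # The note does not say how a quoted phrase and "*" combine,
        # so this helper refuses to guess.
        raise ValueError("partial match on a term with spaces is not covered")
    escaped = escape_term(text)
    if has_space:
        return '"' + escaped + '"'
    return escaped + "*" if partial else escaped


if __name__ == "__main__":
    # Constructed inputs for illustration.
    for term, partial in [("In Sync", False), ("MX48", True), ("(1+1):2", False)]:
        print(repr(term), "->", build_search_term(term, partial))
```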
You can filter search results by specifying one or more search terms. Edge Services Director
uses the AND operator for each search term that you enter. Edge Services Director lists
the search results in the table, depending on the search criteria that you specified.
For example, perform the following steps to search for an MX480 router that is running
Junos OS Release 14.1:
1. Enter MX480 as the search term in the text box.
2. From the list that appears, select to search the Platform column.
   Edge Services Director lists all the MX480 routers in your network.
3. Enter 14.1 as the search term after the comma separator in the text box.
4. From the list, select to search from the OS Version column.
   Edge Services Director lists all the MX480 routers in your network that are running
   Junos OS Release 14.1.
Filtering Table Contents
For large tables, it is helpful to be able to filter data to show only relevant entries. When
you mouse over the Filters option in the column drop-down menu, a fill-in box appears
where you can type filter criteria. If you type a text string and click Go, entries that do not
contain the text string (filter criterion) are removed from the table. A red asterisk appears
on the column head to indicate that the column has been filtered. To restore all entries
to the table, clear the Filters option.
For example, to filter the Device Inventory page so that only devices in the 192.168.1.0
subnet are displayed:
1. Mouse over the right side of the IP Address column head to expose the down arrow.
2. Click the arrow to display the column drop-down menu.
3. Mouse over Filters to display the Filter field.
4. Type 192.168.1. in the field and click Go.
   Only the devices in the 192.168.1.0 subnet are shown.
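What handling addresses as text means for the sort order in Table 3 and for the filter in the steps above, as an added example that is not part of the guide or of Edge Services Director. The sample rows and function names are constructed, and reading the guide's "192.168.1.0 subnet" as 192.168.1.0/24 is an assumption.

```python
"""IP addresses compared as text versus as addresses.

Added example. SAMPLE_ROWS is constructed data standing in for an exported
IP Address column; it is not output from Edge Services Director.
"""
import ipaddress

# Constructed sample rows: (hypothetical device name, IP address).
SAMPLE_ROWS = [
    ("sdg-a", "10.93.200.199"),
    ("sdg-b", "10.93.200.65"),
    ("sdg-c", "10.93.200.129"),
    ("sdg-d", "192.168.1.20"),
    ("sdg-e", "192.168.10.7"),
    ("sdg-f", "10.192.168.1"),
    ("sdg-g", "192.168.1.3"),
]


def lexical_sort(addresses):
    """Order addresses character by character, the way a text column sorts."""
    return sorted(addresses)


def numerical_sort(addresses):
    """Order addresses by numeric value, octet by octet."""
    return sorted(addresses, key=ipaddress.ip_address)


def text_filter(rows, needle):
    """Keep rows whose address contains needle (a plain substring test)."""
    return [row for row in rows if needle in row[1]]


def subnet_filter(rows, cidr):
    """Keep rows whose address is a member of the network given as CIDR."""
    network = ipaddress.ip_network(cidr)
    return [row for row in rows if ipaddress.ip_address(row[1]) in network]


def filter_mismatches(rows, needle, cidr):
    """Rows on which the substring test and the subnet test disagree."""
    by_text = set(text_filter(rows, needle))
    by_subnet = set(subnet_filter(rows, cidr))
    return sorted(by_text ^ by_subnet)


if __name__ == "__main__":
    column = [address for _, address in SAMPLE_ROWS[:3]]
    print("lexical  :", lexical_sort(column))
    print("numerical:", numerical_sort(column))
    # With the trailing dot the substring matches exactly the /24 members.
    print("'192.168.1.' :", filter_mismatches(SAMPLE_ROWS, "192.168.1.", "192.168.1.0/24"))
    # Without it, 192.168.10.7 and 10.192.168.1 slip into the filtered view.
    print("'192.168.1'  :", filter_mismatches(SAMPLE_ROWS, "192.168.1", "192.168.1.0/24"))
```

The trailing dot typed in step 4 is what keeps the text filter aligned with the subnet; when reviewing an exported inventory for a security scope, membership is safer to compute with a real subnet test than with a substring.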
In addition to these functions, Connectivity Services Director displays the date and time
in the local time zone on the bottom right corner.
Related Documentation
• Understanding the Need for Edge Services Director
• Understanding Edge Services Director User Administration
• Understanding Edge Services Director and the Management Lifecycle Modes
• Service Delivery Gateway Overview
• Edge Services Director Overview
Understanding Edge Services Director and the Management Lifecycle Modes
Junos Space Edge Services Director is a Junos Space application for management of
services interfaces of MX Series routers, such as adaptive services interfaces and
multiservices interfaces, that provide specific capabilities for manipulating traffic before
it is delivered to its destination. Services interfaces enable you to add services to your
network incrementally. Providing full network lifecycle management, Edge Services
Director simplifies the discovery, configuration, visualization, monitoring, and
administration of large networks. Operators can quickly deploy a network by using it,
configure it optimally to improve network uptime and maximize resources, and respond
agilely to the needs of applications and users.
The Edge Services Director user interface is based on the network management lifecycle.
The interface provides five main working modes that are aligned to the network
management lifecycle, and a sixth mode for working with Edge Services Director itself.
Each mode provides access to different tasks:
• Build mode—In Build mode, you can create services, policies, and filters for devices that
  are managed by Edge Services Director. You can define service templates and attributes
  of different services. You can also specify policies and filters to classify and control
  the manner in which packets must be handled by the various services. Configuring a
  policy has a major impact on the flow of routing information or packets within and
  through the router.
  In Gateway view of Build mode, you create the network managed by Junos Space Edge
  Services Director by bringing devices under the administration of the network
  management application and retrieving the device settings to save in the Edge Services
  Director database. It provides you with the ability to use device discovery to bring
  devices under Edge Services Director management, to customize your view of the
  devices, to configure devices, and to perform some common device management
  tasks. In Device view of Build mode, you can perform software upgrades to devices
  and perform several device management and configuration file management tasks.
  You can also back up the Edge Services Director database that contains all the
  configuration parameters of devices, settings that enable monitoring and management
  of devices and services, and reports that contain statistics and graphs of the tracked
  system states. You can restore the data backed up to a different server that runs the
  Edge Services Director application.
• Deploy mode—Deploy mode enables you to deploy configuration changes to devices.
  You can create a deployment plan for each of the service planning templates, such as
  the ones defined for ADC or stateful firewall (SFW) services, and the policy or filter
  templates, such as the packet filter or SFW policy, that you have created. A deployment
  plan contains details about the settings and configuration parameters that must be
  propagated and provisioned on the SDGs managed by Edge Services Director. You can
  also create, update, display, publish, and commission packet filters, stateful firewall
  policies, and CGNAT policies present on discovered and managed SDGs.
• Monitor mode—Monitor mode in Edge Services Director provides visibility into the
  behavior and performance of your network. Edge Services Director monitors its managed
  devices and maintains the information it collects from the devices in a database.
  Monitor mode displays this information in easy-to-understand graphs and in tables
  that you can sort and filter, allowing you to quickly visualize the state of your network,
  spot trends developing over time, and find important details.
• Fault mode—Fault mode shows you information about the health of your network and
  changing conditions of your equipment. Use Fault mode to identify problems with
  equipment, pinpoint security attacks, or analyze trends and categories of errors. Edge
  Services Director correlates traps, which describe a condition, into an alarm. Alarms
  are ranked by their impact on the network.
• Report mode—Use Report mode to generate reports from the data that Edge Services
  Director stores about network performance, status, and activity. In Report mode, you
  can create standardized reports from the monitoring and fault data collected by
  Network Director. An essential part of the network management lifecycle, reporting
  provides administrators and management insight into the network for maintenance,
  troubleshooting, and trend and capacity analysis, and generates records that can be
  archived for compliance requirements.
• View pane—On the View pane, Edge Services Director provides you with a unified,
  hierarchical view of your wired, wireless, and virtual networks in the form of a
  tree that is expandable and collapsible. You can choose from five views, or perspectives,
  of your network—Dashboard view, Location view, Device view, Gateway view, and
  Service view. By selecting both a view and a node from the tree, you indicate the scope
  over which you want an operation or task to occur. The Dashboard view provides a
  summary, encompassing a pictorial representation of the health and performance of
  devices and services in your network, which enables you to analyze and troubleshoot
  the parameters that are causing traffic-handling errors.
System-level tasks include viewing the Edge Services Director user and system audit
trail, managing jobs, and gathering logs for troubleshooting. The dashboard enables
operators to quickly monitor the health and status of the managed service
delivery gateways (SDGs) through several widgets and monitors. The sections or frames
on the dashboard allow the operator to understand a device problem or fault from the macro
level (comprehensive and widespread network health and status) to the micro level (individual
SDG health and status). The health representation of the SDGs can be customized based
on the monitoring properties defined in SDG templates.
Related Documentation
• Understanding the Need for Edge Services Director
• Understanding Edge Services Director User Administration
• Understanding the Edge Services Director User Interface
• Service Delivery Gateway Overview
• Edge Services Director Overview
Service Delivery Gateway Overview
The service delivery gateway (running on the MX Series 3D Universal Edge router)
consolidates a variety of best-in-class Gi (“i” for Internet or IP network) network services
onto a single platform to reduce cost, increase network resiliency, and increase
performance. The Gi interface is the connection between a GGSN and the Internet or
destination networks connected to a public land mobile network (PLMN). Costs are
reduced by using less rack space, less hardware, reduced power and cooling, less cabling,
and simplified network management. Resiliency is increased by leveraging the redundancy
features of the MX Series 3D routers and by limiting the number of different boxes and
OS types that must be managed. Performance is increased by taking advantage of the
ability of the MX Series 3D Universal Edge routers to perform many services at line rate
in hardware.
The MX Series routers provide industry-leading packet forwarding performance along
with a very compelling set of value added services that include carrier grade NAT, firewall,
intrusion prevention service, video optimization, server load balancing, MPLS VPN, IPsec
VPN and much more. Many of these services can be performed at line rate by leveraging
the Trio chipset on the Packet Forwarding Engines. This makes the MX Series routers an
ideal and robust platform upon which to host the service delivery gateway.
The following sections describe some of the services that are required on the service
delivery gateways:
•
Carrier-Grade NAT
•
Firewalls and Intrusion Prevention System
•
Traffic Direct
•
Load Balancing and Adaptive Services
Carrier-Grade NAT
Carrier-grade NAT (CGN) is rapidly increasing in importance now that the Internet
Assigned Numbers Authority (IANA) has run out of IPv4 addresses. Some operators
are already moving to IPv6, but this does not solve the IPv4 exhaustion problem because
most of the Internet is still only reachable via an IPv4 address. The answer for many
mobile operators that are faced with rapid smartphone growth is carrier-grade NAT.
Juniper Networks provides a complete implementation of CGN on the service delivery
gateway. In the mobile operator’s domain, the IPv4 address exhaustion problem is more
severe than in the wireline world because there is exponential growth, and because of
the move to always-on connectivity with smartphones. Always-on connectivity indicates
that the subscriber has a session and an IP address even when the device is idle. The two
approaches that have received the most attention in the mobile world are dual stack
and IPv6-only. Dual stack allows the mobile device to access content that is either IPv6
or IPv4 addressable. To make this work in a seamless fashion, the mobile device must
have both an IPv4 and an IPv6 session up and active at the same time. This is possible
beginning in 3GPP Release 8. The other approach that is receiving a lot of attention is
IPv6-only. In this implementation, the mobile device establishes a single IPv6 session,
and traffic headed for the IPv4 Internet is translated using NAT64. The drawback is that
the mobile device must use IPv6 native applications. Problems during roaming might
also occur, and the device does not work on most Wi-Fi networks, which can be mitigated
by using IPv4 when connecting to Wi-Fi.
Firewalls and Intrusion Prevention System
Firewalls are an essential part of any mobile Gi network that connects to the Internet. In
many cases, firewalls are also tightly linked with the CGN function. Some operators
require a dedicated security device, and Juniper Networks SRX Series Services Gateways
provide rich firewall services with industry-leading performance and scale. The service
delivery gateway, in combination with the SRX Series, allows Juniper Networks to address
a wide variety of deployment scenarios. Intrusion prevention system (IPS) takes the
firewall concept one step further by analyzing traffic using deep packet inspection (DPI)
to identify threat signatures. Juniper’s library of threat signatures is constantly upgraded
to handle the latest security vulnerabilities. The primary focus of a firewall and IPS function
on the Gi network is to prevent attacks from being launched against the mobile network
and mobile users from hosts out on the Internet.
Traffic Direct
An essential part of any mobile packet core design is the method by which data traffic
is steered as it moves from the mobile device through to the correct GGSN, and from
there to the correct Gi network. Access point nodes (APNs) are the traditional solution
to the problem, but they can be administratively complex. Not only must mobile devices
be configured with the correct APN, but so must the network infrastructure (SGSNs, DNS,
and GGSNs). Juniper Networks has developed Traffic Direct as an alternative to APNs.
This is a much simpler solution to the challenge of making sure that users get where they
need to go. The Traffic Direct feature sits on a service delivery gateway and can steer
traffic from the GGSN to the correct Gi network. There are several instantiations of Traffic
Direct, of which the most popular is Static Bypass Traffic Direct. This feature makes use
of the service delivery gateway’s policy routing feature. The service delivery gateway is
capable of routing on any of the elements of the IP header which include the source and
destination IP addresses, source and destination port numbers, and protocol type.
Forwarding is handled in hardware at line rate by the Juniper Networks Junos Trio chipset.
This approach is a simple way of guaranteeing that all users get to the correct Gi network.
Load Balancing and Adaptive Services
The service delivery gateway services umbrella leverages the Multiservices-Dense Port
Concentrator (MS-DPC), in-house Junos services, the Junos Software Development Kit
(SDK) and external third-party platforms and applications. Offered services can run in
standalone mode or can be consolidated (chaining with next hop routing), as long as
the chained combination is meaningful, to concurrently run in the same chassis or blade.
Scaling is achieved by adding MS-DPC blades in the chassis. The combination of
consolidated services also dictates the number of MS-DPC blades to be used. Needed
services that are not directly hosted by the service delivery gateway are collocated with
the service delivery gateway within the different service complexes to provide specific
value-added services. As an example, such service complexes include the user equipment
(UE) DNS service complex and Juniper Networks Mobile Video Optimization service
complex.
Some of these service complex functions can be integrated by leveraging Junos SDK
capabilities. Service complexes and packet gateways (such as GGSN and PGW) attach
to active or standby service delivery gateways in VRRP groups leveraging MC-LAG. The
service delivery gateway pair connects to the core routers using LAG. The service delivery
gateway can be deployed to act as a CE or a PE router, with BFD enabled. Server load
balancing (SLB) towards service complexes is performed using ECMP. RPM probes are
configured to provide server status updates in the complex. An event script or an
operational script can be leveraged to take appropriate action upon detection of a status
change.
Leveraging adaptive delivery controllers (ADCs) from MS-DPC is another possible avenue.
ADCs for the MX Series 3D Universal Edge Router offer advanced router-integrated ADC
functions that enable service providers and enterprises to efficiently scale service
capacity and increase service performance.
Configuring load balancing requires an aggregated Multiservices (AMS) system. AMS
involves grouping several Multiservices PICs together. An AMS configuration eliminates
the need for separate routers within a system. The primary benefit of having an AMS
configuration is the ability to support load balancing of traffic across multiple services
PICs.
Related Documentation
•
Understanding the Need for Edge Services Director on page 3
•
Understanding Edge Services Director User Administration on page 45
•
Understanding the Edge Services Director User Interface on page 5
•
Understanding Edge Services Director and the Management Lifecycle Modes on page 14
•
Edge Services Director Overview on page 18
Edge Services Director Overview
Service providers are increasingly using IP Layer 3 through Layer 7 services to differentiate
themselves from third-party, external, over-the-top (OTT) providers and provide better
customer experience. These IP services are used to provide better end user experience
by managing traffic flow per application type, better security, better video quality and
other enhanced IP applications. OTT providers are consuming service provider resources
and therefore, value-added IP service is the way to optimize and offer the best returns for
network investment.
Juniper Networks service delivery gateway (SDG) is a next-generation services solution
framework to address this set of converging, simultaneous challenges that mobile and
wireline operators currently face in delivering services. The SDG primarily is a service
orchestration solution, which is based on subscriber and service policy contexts to
coordinate the traffic flow between services in on-the-box or off-the-box scenarios and
also with Juniper Networks devices or third-party devices. In addition, SDG consolidates
the common elements necessary to deliver services at scale, such as carrier-grade NAT
(CGN), stateful firewall, deep-packet inspection, or stateful load balancing. This
mechanism simplifies and accelerates delivery and introduction of new service offerings
while keeping changes to network and other services at a minimum.
The SDG is equipped to be positioned upstream from a broadband gateway, cable modem
termination system (CMTS), or any other aggregation point such as Packet Data Network
Gateway (P-GW) on the Gi interface in the network where centralized services can be
applied via an IP address or subscriber database. These services on Juniper service cards
are configured in a service chain for a specific packet flow to meet a customer’s business
and network requirements. In addition, policies and filters associated with these services
are modified and updated as business evolves and requirements change. In the future,
the service chain of service instances on different service cards becomes a necessity
because packet flow within a single platform depends on services configured in the platform.
Also, tethered services on virtual instances attached to MX Series routers and other
Juniper Networks platforms can be complicated.
Over time, as the number of services and the corresponding configuration increase,
deployment and management of IP services become dynamic, complex,
and unmanageable. Configuration and deployment using configuration files and
statements through the CLI are prone to human error. Therefore, a robust and
comprehensive GUI-based service management application is required to automate
management and monitoring tasks. Amazon Web Services (AWS) enables the
simplification of compute, storage, and network management; using an easy-to-use web
application increases customer acquisition and adoption of management apps. SDG
reduces operational (OPEX) costs by abstracting and simplifying complex low-level CLI
commands and scripts. The services management system called Edge Services Director
enables faster time to market and better customer experience. Edge Services Director
simplifies and enables dynamic SDG service planning, configuration, and provisioning
of settings on MX Series routers so that users can respond to market conditions faster
with lower OPEX and overhead costs.
Related Documentation
•
Understanding the Need for Edge Services Director on page 3
•
Understanding Edge Services Director User Administration on page 45
•
Understanding the Edge Services Director User Interface on page 5
•
Understanding Edge Services Director and the Management Lifecycle Modes on page 14
•
Service Delivery Gateway Overview on page 16
CHAPTER 2
Getting Started
•
Understanding How to Use the Edge Services Director Interface to View System
Information
•
Getting Started Assistant in Junos Space Platform Overview
•
Changing Your Password for Edge Services Director
•
Logging In to Edge Services Director
•
Logging Out of Edge Services Director
•
Quickly Accessing Important Monitoring and Troubleshooting Details
Understanding How to Use the Edge Services Director Interface to View System Information
When you log in to the Edge Services Director application, the initial default page that is
displayed is the Dashboard page. The dashboard functionality allows operators to
quickly identify, understand, and monitor the health and status of the service delivery
gateways (SDGs). The SDG network management application, Edge Services Director,
tries to simplify the complexity involved in monitoring the health and status of SDGs
deployed across networks through the following components and visual representations. The
dashboard gadget enables you to understand an issue from the macro level (overall network
health and status) to the micro level (an individual SDG's health and status). The health
representation of the SDGs can be customized based on the monitoring properties defined
in SDG templates.
The SDG service Dashboard and Monitoring pages in the Edge Services Director GUI
provide a proactive account of the SDG health status and working efficiency of service
delivery gateway (SDG) devices in a bird's eye, comprehensive, and intuitive format at
the network level, SDG instance, and service levels. A single pane of glass (SPOG) view
helps the operator to view various alarms and quickly identify and isolate issues. The
dashboard and monitoring feature aggregates and correlates data from different sources
such as SNMP and system event logs. The defined key performance indicators (KPIs)
and threshold values enable operators to specify monitoring criteria critical for service
operations and administration. The performance management view also highlights the
top or first three non-conforming SDGs and provides a historical context with time graph
and additional data from the logging system.
The following are the salient capabilities and benefits of the dashboard view of SDGs:
•
A single pane of glass (SPOG) view of entire SDG deployment
•
Configuration of KPI templates to enable the monitoring of health status
•
Display of service name, service status, alarm status, and heat map
•
A summary of a list of object counts by types
•
Chassis view with service status overlay
•
Logical view of selected service with component data, such as ingress and egress
direction
•
High-priority log tickers
•
Proactive SNMP traps and alarms, syslogs, and KPI thresholds
•
Near real-time CPU and memory usage graph per core and service
•
Customized Dashboard view for user roles and profiles
•
Performance view with top three non-conforming SDGs' CPU, memory, and service
status
•
Performance view with selected KPI filters
•
Comparison graph view between operator-selected SDGs
•
The total count for alarm type, status and others
•
System health status at SDG instance and component level
•
Hardware details and hardware status within an SDG
Related Documentation
•
Getting Started Assistant in Junos Space Platform Overview on page 23
•
Changing Your Password for Edge Services Director on page 24
•
Logging In to Edge Services Director on page 25
•
Logging Out of Edge Services Director on page 26
•
Quickly Accessing Important Monitoring and Troubleshooting Details on page 27
Getting Started Assistant in Junos Space Platform Overview
In the Junos Space Platform user interface, the Getting Started assistant is a section in
the sidebar that shows you how to perform common tasks. The tasks in the Getting
Started assistant are workspace specific. The tasks displayed in this section vary according
to the workspace. The Getting Started assistant provides instructions on how to perform
tasks related to a device, service template, or a policy and filter template configuration.
The Getting Started topics are context-sensitive per application. Getting Started displays
all the steps of a task. From a step in a task, you can jump to that point in the user interface
to actually complete it. If the Show Getting Started on Startup check box is selected, the
Getting Started assistant automatically displays the tasks when you log in. If this check box
is not selected, click the Help icon and click Getting Started from the resulting sidebar.
To use a Getting Started assistant:
1. Select an application from the Applications list above the task tree.
2. In the sidebar, expand Getting Started.
A main Getting Started topic link appears on the sidebar.
If the sidebar is not displayed, select the Help icon at the right side of the Junos
Space header. The sidebar appears.
3. Select a main topic.
For example, if you are in the Network Management Platform application user interface,
click the Increase Space Capacity link. A list of required steps appears in the sidebar.
Each step contains a task link and a link to Help.
4. Perform a specific step by clicking the link.
You jump to that point in the user interface. The assistant remains visible on the sidebar
to aid navigation to subsequent tasks.
5. Access help for a specific step by clicking the Help icon next to that step.
Related Documentation
•
Understanding How to Use the Edge Services Director Interface to View System
Information on page 22
•
Changing Your Password for Edge Services Director on page 24
•
Logging In to Edge Services Director on page 25
•
Logging Out of Edge Services Director on page 26
•
Quickly Accessing Important Monitoring and Troubleshooting Details on page 27
Changing Your Password for Edge Services Director
Any user, regardless of user role, can change his or her password.
Your username and password are the same in Junos Space and Edge Services Director.
To change your password:
1. From the Edge Services Director user interface, click the Junos Space icon on the Edge
Services Director banner.
The Junos Space Platform user interface is displayed.
2. Click the User Settings icon on the Junos Space banner.
The Change User Settings dialog box appears.
3. In the Old Password text box, enter your old password.
NOTE: Mouse over the information icon (small blue i) next to the New
Password text box to view the rules for password creation. For more
information about the password rules, see Modifying Junos Space Network
Management Platform Settings.
4. In the New Password text box, enter your new password. The minimum value for this
field is 6 (the default) and the maximum value is 999. The password can include
alphanumeric and special characters, but not control characters.
5. In the Confirm Password text box, enter your new password again to confirm it.
NOTE: The fields on the X.509 Certificate tab are applicable when you
want to use certificate-based authentication. If you are using
password-based authentication, you can ignore these fields. For more
information about certificate-based authentication, see the Certificate
Management Overview topic in the Junos Space Network Management
Platform Workspaces Feature Guide.
6. (Optional) Select the Manage objects from all assigned domains check box on the
Object Visibility tab to view and manage objects from all the domains to which you
are assigned.
7. Click OK.
You are logged out of the system. To log in to Junos Space again, you must use your
new password. Other sessions logged in with the same username are unaffected until
the next login.
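The password rules in step 4, as an added example that is not part of the original guide or Juniper's own code: it assumes the 6 and 999 bounds are lengths in characters, treats Unicode category Cc as the control characters, and additionally rejects the default password that this guide lists under Logging In to Edge Services Director. The function names are hypothetical.

```python
import unicodedata

# Values taken from this guide; how they are applied is an assumption.
MIN_LENGTH_DEFAULT = 6           # "minimum value for this field is 6 (the default)"
MAX_LENGTH = 999                 # "the maximum value is 999"
DEFAULT_PASSWORD = "juniper123"  # default listed under "Logging In to Edge Services Director"


def control_characters(password):
    """Return (index, code point) for every control character (Unicode category Cc).

    Category Cc covers C0 controls (tab, newline, ...), DEL (U+007F) and the
    C1 range U+0080-U+009F, which are easy to paste in without noticing.
    """
    return [
        (i, f"U+{ord(ch):04X}")
        for i, ch in enumerate(password)
        if unicodedata.category(ch) == "Cc"
    ]


def check_new_password(password, min_length=MIN_LENGTH_DEFAULT):
    """Return a list of rule violations; an empty list means the password passes."""
    findings = []
    if len(password) < min_length:
        findings.append(f"shorter than {min_length} characters")
    if len(password) > MAX_LENGTH:
        findings.append(f"longer than {MAX_LENGTH} characters")
    bad = control_characters(password)
    if bad:
        where = ", ".join(f"{cp} at index {i}" for i, cp in bad)
        findings.append(f"contains control characters: {where}")
    # Case-insensitive comparison so trivial case variants of the default
    # are flagged as well.
    if password.casefold() == DEFAULT_PASSWORD:
        findings.append("matches the documented default password")
    return findings


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    samples = ["juniper123", "abc", "Tr4ffic-Direct!\t", "Gi-N3twork#Edge"]
    for candidate in samples:
        print(repr(candidate), check_new_password(candidate) or "ok")
```
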
Related Documentation
•
Logging In to Edge Services Director on page 25
•
Logging Out of Edge Services Director on page 26
Logging In to Edge Services Director
You connect to Edge Services Director using your Web browser. The following Web
browsers are supported: Internet Explorer 9.0 and 10.0, Mozilla Firefox 3.6 or later, and
Google Chrome 17 and later. The minimum screen resolution is 1280 x 1024.
You can connect to Edge Services Director in either of the following ways:
•
Log in to Edge Services Director directly by using the following URL:
https://<n.n.n.n>/mainui/?appName=SGD
where n.n.n.n is the IP address of the Junos Space Web interface. You can bookmark
the login page for future use.
Enter the login credentials. After successful login, the Dashboard page of Edge Services
Director is displayed.
•
Log in to Junos Space first by using the following URL:
https://<n.n.n.n>/mainui
where n.n.n.n is the IP address of the Junos Space Web interface.
The Junos Space Platform login page is displayed.
To enter the login credentials and open the Junos Space Platform page:
1. From the Junos Space Platform login page, in the Username text box, enter your
username. For information about how to change your username, consult your system
administrator.
2. In the Password text box, enter your password. For information about how to change
your password, see “Changing Your Password for Edge Services Director” on page 24.
3. (Optional) If the remote authentication server is configured for Challenge/Response,
you are presented with the challenge questions. Provide valid responses to the
challenge questions you are asked, to log in successfully.
4. Click Log In.
The Junos Space home page appears. If the home page is not set, the Junos Space
Dashboard page is displayed. If the home page is inaccessible due to role or domain
restrictions, a warning message is displayed and the Junos Space Dashboard page
is loaded.
NOTE: If you are a user with access to more than one domain, then an
informational message about switching domains is displayed in a dialog
box.
Do one of the following:
•
To prevent the informational message from appearing again, ensure
that the Don’t show again check box is selected and click OK. The Don’t
show again check box is selected by default.
•
To allow the informational message to continue appearing, clear the
Don’t show again check box and click OK.
You can then switch to the Edge Services Director interface by selecting Edge Services
Director from the Applications list in the left pane of the Junos Space user interface.
The default username and password are the same for both Junos Space and Edge Services
Director:
•
Username—super
•
Password—juniper123
Related Documentation
•
Changing Your Password for Edge Services Director on page 24
•
Logging Out of Edge Services Director on page 26
Logging Out of Edge Services Director
After you finish using Edge Services Director, log out to prevent unauthorized access. You
can log out manually or set an automatic logout period for Edge Services Director to
automatically log you out.
Logging out manually—To log out of Edge Services Director manually, click the down
arrow next to the username on the Edge Services Director banner and select Logout from
the list.
Logging out automatically—Edge Services Director automatically logs you out if you have
not performed any action on it, such as by using keystrokes or mouse-clicks, for a set
period of time. This automatic logout conserves server resources and protects the system
from unauthorized access. By default, automatic logout occurs if a session has been idle
for 60 minutes. You can change the setting on the Applications inventory page. Select
Administration > Applications > Network Management Platform > Modify Application
Settings (from the Actions menu) > User.
Edge Services Director uses the same automatic logout period as Junos Space.
To change the automatic logout period:
1. Click the System Platform icon on the Edge Services Director banner.
The logout page appears.
2. Click the Click here to log in again link on the logout page to log in to the system again.
3. Navigate to Administration > Applications.
The Applications page is displayed.
4. Right-click Network Management Platform and select Modify Application Settings.
The Modify Application Settings page appears.
5. In the Modify Network Management Settings page, select User.
The User page is displayed.
6. In the Automatic logout after inactivity (minutes) field, move the slider to modify the
automatic logout setting.
The logout setting is modified.
7. Click Modify to save the setting.
You are returned to the Modify Applications page.
Related Documentation
•
Changing Your Password for Edge Services Director on page 24
•
Logging In to Edge Services Director on page 25
Quickly Accessing Important Monitoring and Troubleshooting Details
In the task pane, the top part of the navigation tree enables you to select the options
corresponding to different activities that you can perform on the devices and services
that are managed by Edge Services Director, and configuration settings you can specify.
The bottom bar of the GUI enables you to view critical, salient information about the
configured devices and services in an intuitive, easily navigable format. The summarized
way in which you can view statistical details enables you to examine the health and
operating efficiency of devices, and the performance of services. It provides a bird's eye,
high-level view of parameters that enables effective and simplified troubleshooting and
administration. For example, if you find that a particular Service Delivery Gateway (SDG)
or an SDG group has recorded a large number of critical or major alarms, you can then
navigate to the Monitoring page or the appropriate device settings page to correct and
modify the attributes or diagnose the problems that might be generating the alarms.
You can view the following types of details from the quick-access facility that is displayed
at the bottom left corner of the Edge Services Director GUI pages in all lifecycle modes
and views:
•
Service analyzer details
•
Status of deployment plans
•
Alarms recorded on the devices
To view alarm details:
1. From the bottom left corner of the screen, click the down arrow and select the Alarms
option from the shortcut menu. By default, the Alarms option is selected.
The Network Alarms table is displayed. A list of alarms classified by severity levels is
displayed. The following list describes the alarms displayed:
•
Critical (Red)—A critical condition exists; immediate action is necessary.
•
Major (Orange)—A major error has occurred; escalate or notify as necessary.
•
Minor (Yellow)—A minor error has occurred; notify or monitor the condition.
To view the status of deploy plans:
1. From the bottom left corner of the screen, click the down arrow and select the
Deployment option from the shortcut menu.
The Deployment Plan Status table is displayed. The following describes the deploy
plan states that are displayed:
•
Number of deploy plans for which approval is pending
•
Number of deploy plans in approved state
•
Number of deploy plans in rejected state
•
Number of deploy plans currently being provisioned on devices
•
Number of deploy plans that have been successfully propagated and applied on
devices
•
Number of deploy plans scheduled for deployment at a future time
•
Number of deploy plans for which deployment failed
To view the service or packet analyzer details:
1. From the bottom left corner of the screen, click the down arrow and select the Service
Analyzer option from the shortcut menu.
The Service Analyzer table is displayed. The following details are displayed:
•
Active—Number of service instances that are currently running
•
Completed—Number of service instances that have successfully completed
•
Stopped—Number of service instances that were halted
Related Documentation
•
Understanding How to Use the Edge Services Director Interface to View System
Information on page 22
•
Getting Started Assistant in Junos Space Platform Overview on page 23
•
Changing Your Password for Edge Services Director on page 24
•
Logging In to Edge Services Director on page 25
•
Logging Out of Edge Services Director on page 26
CHAPTER 3
Tasks Pane
•
Understanding the Build Mode Tasks Pane
•
Understanding the Deploy Mode Tasks Pane
•
Understanding the Fault Mode Tasks Pane
•
Understanding the Monitor Mode Tasks Pane
•
Understanding the Report Mode Tasks Pane
Understanding the Build Mode Tasks Pane
The Tasks pane in Build mode contains all the tasks you can do in Build mode. Click a
specific task to begin that task.
The tasks listed in the Tasks pane depend on the scope you select in the View pane—that
is, what view (Location, Device, Gateway, or Service) you have selected and what object
you have selected. Not all tasks are available in all scopes. As you change your selections
in the View pane, the contents of the Tasks pane also change.
Build mode tasks are divided into the following categories in the Tasks pane.
Edge Services Director enables you to perform the following tasks for devices in your
physical network:
•
Device Discovery—Before your devices can be managed by Edge Services Director, you
must use device discovery to discover them. As Edge Services Director discovers devices,
it adds them to your network view in the View pane. Table 4 on page 33 describes the
device discovery tasks.
•
Inventory—The Device Inventory page lists devices managed by Edge Services Director
and provides basic information about the devices, such as IP address and current
operating status, and configured services, such as server load balancing (SLB) and
carrier grade NAT (CGNAT). The Device Inventory page is available in Build mode.
Table 5 on page 33 describes the inventory tasks.
•
Service Gateway—The service delivery gateway (SDG) devices that are administered,
maintained, and monitored from the Edge Services Director application are called
managed devices. The service delivery gateway (SDG) devices that are not managed
and monitored from the Edge Services Director application are called unmanaged
devices. A service delivery gateway (SDG) device can be combined into a group of
devices for easier and streamlined administration. You can create an SDG group for a
particular domain or zone in your network, or for any logical bundling that is needed.
Templates contain the KPI parameters that evaluate the health of an SDG device. A
system-created default KPI template is available. This system-created KPI template
cannot be edited or deleted. Table 6 on page 33 describes the service gateway tasks.
•
Service Analyzer—You can configure and provision filters for packet analysis, configure
filters for CGNAT, ADC, and TLB services. Also, you can start and stop the configured
filters. Table 7 on page 33 describes the service analyzer tasks.
•
Device Management—After devices have been discovered, you can perform
administrative tasks on them, such as viewing a list of the device’s physical components,
connecting to a device using SSH, deleting a device, or rebooting a device.
Table 8 on page 34 describes the device management tasks.
•
Location Management—You can build your Location view of the network by creating
sites, buildings, floors, closets, and outdoor areas and assigning devices to these
locations. Table 9 on page 34 describes the location management tasks.
•
Service Template—You use the service templates to configure the following attributes
and settings for the following four types of services: stateful firewall (SFW),
carrier-grade network addressing (CGNAT), traffic load balancer (TLB), and application
delivery controller (ADC). The service planning functionality enables you to use the
Service Designer page to create service templates, which can be used on multiple
devices. The Service Designer page lists all service components used to create service
templates. According to the business needs, you can configure generic properties in a
template and enable the editing of deployment-specific parameters.
Table 10 on page 36 describes the connectivity tasks.
•
Service Inventory—The Services Inventory page lists the services configured in the Edge
Services Director database and provides basic information about the configured
services, such as adaptive delivery controller (ADC), stateful firewall (SFW), server
load balancing (SLB), and carrier grade NAT (CGNAT). The Services Inventory page
is available in Build mode and under Service view.
•
Object Builder—The objects are the constituents or building blocks that are used to
create service definitions and policy or filter templates. You can use the Object Builder
page to retrieve and transfer the objects or components that have been previously
created on the SDGs or devices.. Table 11 on page 36 describes the profile and
configuration management tasks.
•
Key Tasks—Edge Services Director enables you to group the tasks that you perform
frequently and create a list of key tasks. You can add any task from the Tasks pane to
the Key Tasks list by selecting a task and clicking the plus (+) sign that appears adjacent
to the task. For some modes, you can see that Edge Services Director has predefined
some key tasks for you. You can modify this set of tasks to suit your requirements. This
feature is available in Task pane irrespective of your current mode, scope, or view.
For more information about Build mode features, see “Understanding Build Mode in
Gateway View of Edge Services Director” on page 63 and “Understanding Build Mode in
Service View of Edge Services Director” on page 179.
Table 4 on page 33 through Table 11 on page 36 describe the tasks that you can perform
in the physical network category, including the scope in the View pane that you must
select to access the task.
Table 4: Device Discovery Tasks
| Task | Description | Scope |
|---|---|---|
| Discover Devices | Discovers supported devices, such as routers, in the network and brings them under Edge Services Director management. | Any |
Table 5: Inventory Tasks
| Task | Description | Scope |
|---|---|---|
| View Device Inventory | Displays three pie charts that summarize the status of the devices and services in your network environment. You can remove or restore a category (segment) from the pie chart by clicking that segment in the chart. | Any |
| View Service Inventory | Displays the services configured in the Edge Services Director database and provides basic information about the configured services, such as adaptive delivery controller (ADC), stateful firewall (SFW), server load balancing (SLB), and carrier grade NAT (CGNAT). The Services Inventory page is available in Build mode and under Service view. | Any |
Table 6: Service Gateway Tasks
| Task | Description | Scope |
|---|---|---|
| Discover Gateway | Discovers and synchronizes physical devices such as MX Series routers that function as service delivery gateways in your network that are managed by Edge Services Director. | Any |
| Unmanaged Gateway | Changes an unmanaged device to a managed device, and modifies managed device and KPI associations. | Any |
| Managed Gateway | Changes a managed device to an unmanaged device, and modifies managed device and KPI associations. | Any |
| Groups | Creates and manages a cluster or group of SDGs for easy and effective administration of service and policy definitions. | Any |
| KPI Templates | Clones, modifies, or deletes KPI templates to be associated with standalone SDGs or a high-availability pair of SDGs. | Any |
Table 7: Service Analyzer Tasks
| Task | Description | Scope |
|---|---|---|
| ADC Filter | Configures filters for ADC services. Also, starts and stops the service analyzer filters. | Any |
| TLB Filter | Configures filters for TLB services. Also, starts and stops the service analyzer filters. | Any |
| CGNAT Filter | Configures filters for CGNAT services. Also, starts and stops the service analyzer filters. | Any |
Table 8: Device Management Tasks
| Task | Description | Scope |
|---|---|---|
| Change Location of Device | Changes where a device is located in Location view. | View: All; Object: Individual router |
| Delete Devices | Deletes a switch or a wireless LAN controller as a managed device from Edge Services Director. If you select a scope that contains more than one switch or controller, you can choose which devices are deleted. | View: All; Object: All, except access points |
| Reboot Devices | Reboots devices. If you select a scope that contains more than one switch or controller, you can choose which devices get deleted. | View: All; Object: All |
| Show Current Configuration | Shows the running configuration on a switch or a wireless LAN controller. | View: All; Object: Individual router |
| SSH to Device | Launches an SSH connection to the selected device. | View: All; Object: Individual router |
| Validate Pending Configuration | Validates configuration changes that have not yet been deployed on devices. | View: All; Object: All |
| View Inventory | Displays information about all the devices in the currently selected object and all its child objects. | View: All; Object: All |
| View License Information | View the licenses installed on the device and their status. | View: All; Object: Individual router |
| View Physical Inventory | Displays information about the selected device’s hardware components. | View: All; Object: Individual router |
Table 9: Location Management Tasks
| Task | Description | Scope |
|---|---|---|
| Add Building | Creates a new building in the selected site. NOTE: Use this task only to create the building. Floors and closets in the building must be created separately. | View: Location; Object: A site |
| Add Closet | Creates a new closet in the selected floor. | View: Location; Object: A floor |
| Add Floor | Creates a new floor in the selected building. NOTE: Use this task only to create the floor. Closets in the building must be created separately. | View: Location; Object: A building |
| Add Outdoor Area | Creates a new outdoor area in the selected site. | View: Location; Object: A site |
| Add Site | Creates a new site in Location view. NOTE: Use this task only to create the site object. Buildings, floors, closets, and outdoor areas in the site must be created separately. | View: Location; Object: My Network only |
| Delete Building/Edit Building | Deletes or modifies the selected building. | View: Location; Object: A building |
| Delete Closet/Edit Closet | Deletes or modifies the selected closet. | View: Location; Object: A closet |
| Delete Floor/Edit Floor | Deletes or modifies the selected floor. | View: Location; Object: A floor |
| Delete Outdoor Area/Edit Outdoor Area | Deletes or modifies the selected outdoor area. | View: Location; Object: An outdoor area |
| Delete Site/Edit Site | Deletes or modifies the selected site. | View: Location; Object: A site |
| Assign Devices to Building | Assigns routers to a building. You cannot assign access points to a building. | View: Location; Object: A building |
| Assign Devices to Closet | Assigns routers to a closet. You cannot assign access points to a closet. | View: Location; Object: A closet |
| Assign Devices to Floor | Assigns routers to a floor. | View: Location; Object: A floor |
| Assign Devices to Outdoor Area | Assigns routers to an outdoor area. | View: Location; Object: An outdoor area |
| Setup Locations | Opens the page from which you can create an entire site—that is, define buildings, floors, closets, and outdoor areas and assign devices to these locations. NOTE: Use this task only to create a site. Do not use it to modify an existing site. | View: Location; Object: My Network and any location node within an existing site. |
Table 10: Service Template Tasks
| Task | Description | Scope |
|---|---|---|
| Manage ADC Service Templates | Creates, modifies, or deletes an ADC service template with attributes and settings for load balancing operations. | View: Service; Object: Individual SDG or router |
| Manage CGNAT Service Templates | Creates, modifies, or deletes a CGNAT service template with attributes and settings for load balancing operations. | View: Service; Object: Individual SDG or router |
| Manage SFW Service Templates | Creates, modifies, or deletes a stateful firewall service template with attributes and settings for load balancing operations. | View: Service; Object: Individual SDG or router |
| Manage TLB Service Templates | Creates, modifies, or deletes a traffic load-balancer (TLB) service template with attributes and settings for load balancing operations. | View: Service; Object: Individual SDG or router |
Table 11: Object Builder Tasks
| Task | Description | Scope |
|---|---|---|
| Import Objects | Retrieves and adds all of the object types that are supported for different services in a single, one-step operation from SDGs or an XML configuration file. You can select an SDG from which you want to import all of the objects contained in it. The supported or applicable objects of CGNAT pools, CGNAT rules, CGNAT rule sets, SFW rules, SFW rule sets, applications, application sets, and real servers can be imported in a bulk manner from a device. | Object: All services |
| Real Servers | Imports real servers, which are application servers used for traffic or server load balancing. The ADC software monitors the servers in the real-server group and the load-balanced applications running on them. | ADC services |
| SFW Rules | Imports firewall rules for use in stateful firewall policy creation. | SFW services |
| SFW Rule Sets | Imports firewall rule sets, which is a collection of rules, for use in stateful firewall policy creation. | SFW services |
| CGNAT Rules | Imports NAT rules for use in carrier-grade NAT policy creation. | CGNAT services |
| CGNAT Rule Sets | Imports NAT rule sets, which is a collection of rules for use in carrier-grade NAT policy creation. | CGNAT services |
| CGNAT Pools | Imports NAT pools for use in carrier-grade NAT policy creation. | CGNAT services |
| Applications | Defines application protocols for the stateful firewall and Network Address Translation (NAT) services to use in match condition rules. | SFW and CGNAT services |
| Application Sets | Imports application sets for use in match conditions or criteria of stateful firewall and NAT rule terms. | SFW and CGNAT services |
Understanding the Deploy Mode Tasks Pane
The Tasks pane in Deploy mode lists the available tasks. The Deploy mode tasks that
are available depend on the scope selected in the View pane.
Deploy mode tasks are divided into the following categories:
• Configuration Deployment—These tasks enable you to deploy configuration changes
to devices and manage configuration deployment jobs. Table 12 on page 38 describes
the configuration deployment tasks.
• Image Management—These tasks enable you to manage software images on devices.
Table 13 on page 39 describes the image management tasks.
• Device Management—These tasks enable you to view the device inventory, resynchronize
the configuration of out-of-sync devices, and see extensive configuration settings that
are present on a device. Table 14 on page 39 describes the device management tasks.
• Device Configuration File Management—These tasks enable you to manage configuration
files on managed devices. Table 15 on page 39 describes the device configuration file
management tasks.
• Deploy Service—These tasks enable you to create a deployment plan that contains
details about the settings and configuration parameters to be propagated and
provisioned on the SDGs managed by Edge Services Director. For each approved deploy
plan, a transaction is automatically created by the Edge Services Director application.
Table 16 on page 39 describes the service deployment tasks.
• Service Edit—This task enables you to view the list of CGNAT, SFW, and packet policy
or filter templates as pie charts, whose segments display service policy filters in various
states. Table 17 on page 40 describes the task associated with the viewing of service
object statistical details.
• Policy & Filters—These tasks enable you to create, update, display, publish, and
commission packet filters, stateful firewall policies, and NAT policies present on discovered
and managed SDGs. Table 18 on page 40 describes the service deployment tasks.
• Key Tasks—Edge Services Director enables you to group the tasks that you perform
frequently and create a list of key tasks. You can add any task from the Tasks pane to
the Key Tasks list by selecting a task and clicking the plus (+) sign that appears adjacent
to the task. For some modes, you can see that Edge Services Director has predefined
some key tasks for you. You can modify this set of tasks to suit your requirements. This
feature is available in the Tasks pane irrespective of your current mode, scope, or view.
Table 12 on page 38 through Table 15 on page 39 describe the tasks in each task category.
Table 12: Configuration Deployment Tasks
| Task | Description |
|---|---|
| Deploy Configuration Changes | Deploys pending configuration changes to devices. |
| Approve Change Requests | Enables a configuration approver to approve or reject a change request, which has been submitted for approval by an operator. |
| Set SNMP Trap Configuration | Enables SNMP traps on network devices so that Edge Services Director can collect and manage event and error information from these devices. |
| View Deployment Jobs | Manages configuration deployment jobs. |
Table 13: Image Management Tasks
| Task | Description |
|---|---|
| Manage Image Repository | Manages the software images repository on the server. |
| Deploy Images to Devices | Deploys software images from the repository to devices. |
| View Image Deployment Jobs | Manages software image deployment jobs. |
Table 14: Device Management Tasks
| Task | Description |
|---|---|
| Resynchronize Device Configuration | Resynchronizes the device configuration maintained in Build mode with the running configuration on the devices. |
| Show Current Configuration | Shows the selected device’s current configuration. |
| View Inventory | Displays the device inventory of the selected node. |
Table 15: Device Configuration File Management Tasks
| Task | Description |
|---|---|
| Manage Device Configuration Files | Manages backup device configuration files. |
| View Configuration File Mgmt Jobs | Manages device configuration file management jobs. |
Table 16: Service Deployment Tasks
| Task | Description |
|---|---|
| Manage Deployment Plans | Enables you to create deployment plans, which contain the configuration settings and attributes of services that must be propagated to SDGs. You can provision the deploy plans to transfer the configuration to devices immediately or schedule the deployment at a later specified time. |
| Transactions | Displays all of the transactions generated by the system for approved deploy plans. You can delete a transaction, which causes the transaction to be removed from listing, but does not delete the deployment plan associated with it. In addition, you can view the XML API format of configurations that exist on the device. |
Table 17: Service Edit Tasks
| Task | Description |
|---|---|
| View Statistics | Displays a set of five pie charts when you select Service Edit from the task pane. The pie charts are displayed for the different policy and service filters, such as ADC, TLB, CGNAT, stateful firewall, and packet filter templates, in various configuration states, such as in-synchronization, out-of-synchronization, and synchronization-in-progress. |
Table 18: Policy and Filter Tasks
| Task | Description |
|---|---|
| CGNAT | Enables you to create, update, and delete CGNAT policies on selected SDGs. |
| SFW | Enables you to create, update, and delete stateful firewall policies on selected SDGs. |
| Packet Filter | Enables you to create, update, and delete packet and service filter policies on selected SDGs. |
Understanding the Fault Mode Tasks Pane
The Tasks pane in Fault mode provides you with a set of tools for effectively managing
alarms on your system.
From the Tasks pane, you can filter known alarms to locate a specific alarm or error
condition by clicking Search Alarms. Use this task to isolate alarms that occurred during
a known time frame or that have annotations associated with them. Although each of
the Fault mode monitors can sort the alarms, Search Alarms enables you to submit multiple
search and sort arguments as part of your search query.
In addition, Edge Services Director enables you to group the tasks that you perform
frequently and create a list of key tasks. You can add any task from the Tasks pane to
the Key Tasks list by selecting a task and clicking the plus (+) sign that appears adjacent
to the task. For some modes, you can see that Edge Services Director has predefined
some key tasks for you. You can modify this set of tasks to suit your requirements. This
feature is available in Task pane irrespective of your current mode, scope, or view.
Figure 5: Alarms Page in Fault Mode
Understanding the Monitor Mode Tasks Pane
The Tasks pane in Monitor mode displays a list of tasks that are available for the currently
selected Monitor tab. These tasks provide monitoring functions in addition to the monitors
available under each tab. The Monitor icon on the Edge Services Director is available or
accessible only when you select Gateway View and Service View from the View selector.
Monitor mode in Edge Services Director provides you visibility into your network status
and performance. Edge Services Director monitors its managed devices and maintains
the information it collects from the devices in a database. Monitor mode displays this
information in easy-to-understand graphs and in tables that you can sort and filter,
allowing you to quickly visualize the state of your network, spot trends developing over
time, and find important details.
The main purpose and benefit of monitoring functionalities is to allow the operators to
quickly monitor the health (working condition), operating efficiency, traffic-handling
capacity, and performance status of the managed SDGs and configured services such
as ADC, TLB, CGNAT and SFW. The SDG monitoring mechanism is an extensive and
ingrained tool; it allows the operator to understand the network health and status by
drilling down to all the components of SDG. The SDG status is marked as Green, Red,
Orange or Gray, based on the health, availability, performance and other important KPI
indicators. Red denotes an emergency condition, which is a system panic or other
conditions that cause the routing platform to stop functioning. It also indicates that the
device is offline or turned down. Orange denotes an alert, which can be conditions that
must be corrected immediately, such as a corrupted system database. Green indicates
a notice, which signifies conditions that are not error conditions but are of interest or
might warrant special handling. It can also include a severity level equivalent to
informational or debugging messages. Gray signifies an unknown or an unconnected
device that is out of synchronization.
The Monitoring page is refreshed automatically every 3 minutes. Static polling occurs to
obtain and display data, and asynchronous collection is not used.
The Master and Standby tabs display information about the primary or master, and
standby or secondary SDGs in an SDG pair. The Service Wait tab is displayed if the standby
device is not fully active after a switchover.
Understanding the Report Mode Tasks Pane
Edge Services Director has built-in reporting features to create standardized reports from
your network data. You can schedule these reports to run either in real time or in batch
to gain insight into the network for ensuring compliance, performing maintenance, or
troubleshooting.
The Report mode analyzes data from different perspectives and filters the data based
on the node selected in the network tree.
For example, if you want to view inventory reports on only your wireless controllers, you
can select the Device view and the Routers > MX960 node in the network tree to provide
granular information on just those devices. After selecting the view and node in the
network tree, create a report definition. In this definition file you select from a number of
preconfigured reports and set the time frame, schedule, and output options.
From the Reports Tasks pane, you can:
• Set up a new report or change how an existing report is run by clicking Report Definition.
From this page, you can launch a wizard that guides you through the process of defining
a report or changing a report definition file. The report definition file is based on the
report content on the view and the node you select in the network tree. The Filter option
in the View pane does not affect the report content.
• View the summary details of the last run of a report, export a report, or delete a
report output by clicking Manage Generated Reports. This page is also the default
Reports page. After a report definition is created and a report is generated from that
definition, it is shown in the Generated Reports page.
Reports are stored on the application server on which Edge Services Director is running.
However, because reports can be large, the report is delivered in a compressed or
zipped format and can be stored offline.
• Create or change a schedule that is used by one or more reports by clicking Manage
Schedules. Unless you want to run the report immediately, you need to create a
schedule and associate it with the report definition file. Create the schedule before
you create the report definition file.
For example, you might want to run several reports that run on the weekend and are
available first thing on Monday morning. You could create a single schedule that runs
at midnight on Saturday and is delivered to you through e-mail.
• Add frequently performed tasks to the Key Tasks list. You can add any task from the Tasks
pane to the Key Tasks list by selecting a task and clicking the plus (+) sign that appears
adjacent to the task. For some modes, you can see that Edge Services Director has
predefined some key tasks for you. You can modify this set of tasks to suit your
requirements. This feature is available in the Tasks pane irrespective of your current mode,
scope, or view.
CHAPTER 4
System Administration
• Handling Administrative Tasks
Handling Administrative Tasks
• Understanding Edge Services Director User Administration
• Viewing Audit Logs From Edge Services Director
• Managing Jobs
• Collecting Logs for Troubleshooting
Understanding Edge Services Director User Administration
Edge Services Director uses the user administration features of the Junos Space platform
on which it runs. Using these features, you can add, delete, and edit user accounts and
roles and change user passwords. Refer to the Junos Space Network Application Platform
User Guide for more information about user administration.
When Edge Services Director is installed, some additional user administration options
are available in Junos Space, which are specific to Edge Services Director.
In addition to the Super Administrator role, the following predefined roles are available
to Edge Services Director users:
• Edge Services Director - Administrator—Has complete access to all the Edge Services
Director modes and user preferences.
• Edge Services Director - Operator—Has access to all modes except the Build mode.
Has access to windows and capabilities, such as fault management, performance
management, dashboard and monitoring. You can create custom roles to grant users
different access rights to the Edge Services Director modes.
• Edge Services Director - Designer—Has access to the Build mode for handling device
and service configuration operations such as creation of services and KPI templates.
You can also create custom roles to grant users different access rights to the Connectivity
Services Director modes. The Edge Services Director modes (Build, Deploy, Monitor, Fault,
and Report) are available to assign to custom user roles in the list of application
workspaces and associated tasks.
NOTE: The tasks listed under the Edge Services Director modes do not have
any effect. Access is controlled at the mode level, so if you grant a role access
to a mode, the role has access to all tasks in that mode, regardless of which
tasks you select.
Related Documentation
• Understanding the Need for Edge Services Director
• Understanding the Edge Services Director User Interface
• Understanding Edge Services Director and the Management Lifecycle Modes
• Service Delivery Gateway Overview
• Edge Services Director Overview
Viewing Audit Logs From Edge Services Director
Audit logs are generated for login activity and tasks that are initiated from the Edge
Services Director application. The Audit Logs page displays the logs for all user-initiated
activities.
You can do the following on the Audit Logs page:
• Sort, filter, and search the log entries using the standard table manipulation features
in Edge Services Director.
• Obtain more information about a log entry by double-clicking the entry or by selecting
the entry and clicking Show Details. The Audit Log Details window is displayed.
• For a user-initiated task that runs as a job, you can obtain more information about the
job by clicking the job ID in the Job ID column.
To display the Audit Logs page:
1. Click System in the Edge Services Director banner.
2. Select View Audit Logs from the Tasks pane.
The Audit Logs page is displayed with the fields listed in Table 19 on page 46.
Table 19: Audit Logs Page Fields
| Field | Description |
|---|---|
| User Name | The login ID of the user that initiated the task |
| User IP | The IP address of the client computer from which the user initiated the task |
| Task | The name of the task that triggered the audit log |
| Time | The date and time when the user initiated the task |
| Result | The execution result of the task that triggered the audit log: Success—Job completed successfully; Failure—Job failed and was terminated; Job Scheduled—Job is scheduled but has not yet started |
| Description | A description of the audit log |
| Job ID | The job ID for any task that runs as a job |
Managing Jobs
Edge Services Director enables you to view and manage jobs. You can view the status
of completed jobs and cancel the jobs that are scheduled to execute at a later time or
jobs that are in progress.
The Job Management page, accessible as a System task, enables you to view and manage
all jobs. In addition, Edge Services Director enables you to view special pre-filtered versions
of this page from various other tasks, such as View Discovery Status or View Image
Deployment Jobs. These pages contain the same fields (although some fields might be
hidden) and have the same functionality as the Job Management page, but they list only
those jobs relevant to particular tasks.
To display the Job Management page:
1. Click System on the Edge Services Director banner.
2. Select Manage Jobs from the Tasks pane. The Job Management page appears.
3. To view the details of a job, select a row and click Show Details or double-click a row.
4. To cancel a scheduled job, select a job that is scheduled for a later time or a job that
is in progress and click Cancel.
The fields in the Job Management page are described in Table 20 on page 47. To view
any hidden column, keep the mouse on any column heading and select the down arrow
and then click Columns. Select the check box to display the hidden columns.
NOTE: Details of jobs initiated from Edge Services Director will be available
only from Edge Services Director. These jobs will not be listed in the Job
Management pane in Junos Space platform and vice versa.
Table 20: Job Management Page Fields
| Field | Description |
|---|---|
| Job ID | The unique ID assigned to the job |
| Name | The name of the job |
| Percent | The percentage of completion of the job |
| State | The status of the job: Success—Job completed successfully; Failure—Job failed and was terminated; Job Scheduled—Job is scheduled but has not yet started; In progress—Job has started but has not completed; Cancelled—Job is cancelled |
| Job Type | The type of the job |
| Summary | Summary of the job scheduled and executed with status |
| Scheduled Start Time | The time when the job is scheduled to start |
| Actual Start Time | The actual time when the job started |
| End Time | The time when the job was completed |
| User | The login ID of the user that initiated the task |
| Recurrence | The recurrent time when the job will be restarted. |
Collecting Logs for Troubleshooting
Edge Services Director enables you to collect logs and other data from both Edge Services
Director and Junos Space that can assist in managing and monitoring Edge Services
Director servers.
Edge Services Director collects the logs and troubleshooting data into a compressed file
that you can download. This file is named troubleshoot_yyyy-mm-dd_hh-mm-ss.zip—for
example, troubleshoot_2012-12-21_11-25-12.zip. The date and time in the file name is the
server Coordinated Universal Time (UTC) date and time.
To retrieve troubleshooting data and log files, follow these steps:
1. Click System on the Edge Services Director banner.
2. From the Tasks pane, click Collect Logs for Troubleshooting. The Collect Logs for
Troubleshooting page appears.
3. Click the Download troubleshooting data and logs from Edge Services Director and
Junos Space link.
Edge Services Director begins collecting the logs and data. It can take a few minutes
for Edge Services Director to collect the information and create the zip file.
4. When the standard file download window for your browser opens, save the
troubleshoot_yyyy-mm-dd_hh-mm-ss.zip file.
5. When you contact the Juniper Technical Assistance Center, describe the problem you
encountered and provide the JTAC representative with the troubleshoot.zip file.
Table 21 on page 49 lists the files included in the
troubleshoot_yyyy-mm-dd_hh-mm-ss.zip file.
Table 21: Log Files in the troubleshooting.zip File
| Description | Location |
|---|---|
| Jboss log files | /var/log/jboss/servers/server1 |
| MSS OS adapter log files | /home/jmp/mssosadpater/var/errorLog/ |
| Daemon log files | /opt/opennms/logs/daemon/ |
| Platform log files | /var/log/platform |
| Access Log Files | /var/log/httpd |
| Log files for Apache, NMA, Webproxy | /var/log/httpd/ |
| Watchdog log file | /var/log/ |
CHAPTER 5
Dashboard
• Understanding the Dashboard on page 51
• Working with the Dashboard on page 51
• Using Dashboard Widgets on page 56
• Alarm Severities and States Overview on page 57
• Viewing the Detailed Status of KPI Templates Applied to Devices on page 58
Understanding the Dashboard
The Dashboard is a customizable page to view information about the network, and is
the default page that opens when you log in. You select monitoring widgets to display
on the Dashboard that show various information about the network. The Dashboard is
a view. To open a different view, select a view from the Views list in the Edge Services
Director banner.
Related Documentation
• Working with the Dashboard on page 51
Working with the Dashboard
When you log in to the Edge Services Director interface, the first page that is displayed
is the Dashboard page. After the deployment of the Edge Services Director application,
if you have not discovered any SDGs, you are prompted to proceed to the next step of discovering
devices. The link to the Service Gateways page, which is accessible by clicking the Build
icon in the banner, is provided only for users with administrator privileges. The Dashboard
page contains several monitors or frames. The following monitors are displayed on the
Dashboard page:
Figure 6: Dashboard Page
• SDG Views on page 52
• Service Delivery Gateway Alarms on page 53
• Filters on page 53
• Specifying KPI Template and Alarm Filters on page 54
• Service Delivery Gateways Count by Severity on page 55
• Service Gateway Ticker Updates on page 56
• Service Delivery Gateway Health Status Trend on page 56
SDG Views
The default dashboard view is the tile view. In tile view, a high-level, graphical view of the
chassis is shown. It indicates the state of the interfaces. When the administrative and
operational status of the interface is up, it is displayed in green. If the administrative
status is down, the interface is displayed in grey. If the administrative status is up
and the operational status is down, the interface is displayed in amber. The image is a replica
of the SDG. If you are connected to a virtual chassis, the image includes all the member
switches of the virtual chassis.
The purpose of the view is to provide a comprehensive monitoring view of the
health and status of deployed SDGs across the network. In this view, all the managed
SDGs are shown with their appropriate status and health based on the KPI template
applied. This view lets the operator see the health and status across the network at a
macro level, analyze the information provided, and quickly navigate to individual
SDGs to take any corrective measure required. In tiled view, SDGs are by default
sorted based on Red, Orange and Green. Consider a scenario in which an operator deploys
n SDGs in a network. If the operator finds it difficult to monitor the status
and health of the entire network, you can organize the dashboard with a tiled view to
give the operator a macro-level view of the network health.
You can change the view format to be tile view, group view, or band view. To change the
view format, click the Maximize icon in the Service Gateway Health Status widget. The
Service Gateway Health Status widget is popped out as a separate dialog box. You can
click the Tile View, Group View, or Band View icons in the dialog box to organize the view
appropriately in the Dashboard page. SDGs are deployed in the network as zones, and
the group view, which is a cluster of SDGs typically in a particular zone, helps operators
quickly reach a particular zone and find the status and health of the deployed SDGs
in that zone. By default, it includes all the SDGs across the network. The operator can
view the SDGs based on a particular zone. In Tile view, the Gateways/page box enables
you to customize the number of SDGs displayed per page. You can display 25, 30, 35, or
40 SDGs per page. In Group view, the Groups/page box enables you to customize the
number of SDG groups displayed per page. You can display 2, 4, 6, or 8 groups per page.
The SDG groups are displayed in quadrants on the page.
Click the Maximum button at the upper right corner of each of the group boxes to expand
and display the particular group in a separate window. SDGs span across the network
based on zones. In this group view, all the managed SDGs are grouped based on the
zones. The corresponding SDG status and health is shown based on the KPI template
applied.
Operators can quickly narrow down network discrepancies and failures based on a
particular zone. Assume that in a particular zone, the KPI indication of SDGs in that group
is not satisfactory. Using the group view, the operator can identify the particular zone in
an efficient, optimal, and faster manner to view the status and health and analyze further.
Logical grouping of SDGs, mostly based on zones, avoids the difficulty in monitoring the
status and health of the entire network because the specific zone or group can be
determined to investigate and drill down to the exact SDG that needs to be rectified.
A band view is also provided. In this view, each of the SDGs in a band is displayed
spanning across the frame that shows the views. The bands are displayed one below
the other. It provides a graphical display of the chassis in the network based on the bands,
which are the different system severities or health conditions, such as red, orange, green,
and gray. Double-clicking any of the SDGs in any of the views navigates you to the
Monitoring page under Monitor mode for more detailed, in-depth diagnosis and debugging.
Service Delivery Gateway Alarms
Alarms are displayed below the health status line graph of the SDGs. Critical, major, and
minor alarms are displayed in a pie chart with percentage values of each type of alarm.
When you move the mouse over the segments of the pie chart, the total number of alarms
of each type is displayed.
Filters
The SDG dashboard filter consists of two types, namely alarms and KPI templates, and
favorite SDGs. The filters enable you to quickly and easily sort and segregate the
appropriate SDGs that correspond to the KPI templates defined or alarms. The filter
capability makes it easier for you to focus on only the SDGs that are of relevance or
interest to you. The SDG status and health are colored based on the KPIs set by the operator.
The dashboard filter operates in a logical OR format. If either of the filter conditions is
satisfied, the display is modified to match the filter condition.
Assume that the CPU threshold value of one of the SDGs is set as 40 percent in a
template. If the particular SDG exceeds that threshold, it needs to be displayed as red.
When an operator logs into the dashboard and views the tiled pattern of display, all the
SDGs are shown across the network. The operator is also viewing the critical SDGs and
can decide to filter the SDGs based on the template. Based on the filter chosen, the SDGs
are displayed in the dashboard view.
Select Favorite SDGs from the Filters box to display only the SDGs that you are interested
in or are involved with managing in the entire network.
Select Alarms | KPIs from the Filters box to display SDGs that match with the criteria
specified in the templates.
Click Clear Filters to remove the applied filters. You are prompted to confirm the deletion
in such a case. A graphical representation of the components such as ADC and SFW that
are defined in the KPI templates are displayed to the right of the Filters box on the
Dashboard page.
To configure a filter, see Specifying KPI Template and Alarm Filters.
Specifying KPI Template and Alarm Filters
To specify KPI template and alarm filters for sorting the dashboard devices according
to your needs:
1. From the Dashboard page, select Alarms | KPIs from the Filter box. If you have already
configured a filter, it is applied to determine the match criterion for displaying SDGs.
The Filters window is displayed only if you cleared a previously configured filter or are
configuring a filter for the first time.
2. Select the Critical, Major, or Minor check boxes next to the Alarms field to filter SDGs
based on the critical, major, or minor alarms generated for the devices.
3. For the ADC, CGNAT, TLB, SFW, or HA sections, select the check boxes under the R,
G, or O columns for the respective fields to cause SDGs that map with the settings
defined in the KPI templates to be displayed in the dashboard view.
R refers to SDGs with red status or catastrophic problems, G refers to SDGs with green
status or fully functional condition, and O refers to SDGs with orange status or
moderately critical problems.
For the ADC section, you can choose the following:
• CPU Status—Working state of the CPU for ADC
• Service Pic Status—Operating status of the services PIC for ADC
• VIP Status—Virtual IP address state used by virtual servers for ADC
• Real Servers—Real servers used by ADC instances
For the CGNAT section, you can choose the following:
• CPU Status—Working state of the CPU
• Service Pic Status—Operating status of the services PIC for CGNAT
• Memory Status—Utilization of memory for CGNAT services
• CPU Utilization—Usage of CPU for CGNAT operations
For the TLB section, you can choose the following:
• CPU Status—Working state of the CPU
• Service Pic Status—Working status of the services PIC for TLB
• Real Server Status—Status of real servers for TLB
For the SFW section, you can choose the following:
• CPU Status—Working state of the CPU
• Service Pic Status—Status of services PIC for stateful firewall
For the HA section, you can choose the following:
• VRRP Status—Status of VRRP
• CGNAT SFW HA—Inter-chassis high availability for CGNAT and firewalls.
4. Click Apply to save the settings. Click Close to close the Filters window and return to
the dashboard.
Service Delivery Gateways Count by Severity
A set of four boxes is displayed beneath the pane that shows the view of SDGs. These
boxes are indicators for the overall set of SDGs that have been deployed. The boxes are
colored as orange, red, green, or grey to indicate the health and performance of the SDGs
based on the applied KPI templates. Red denotes an emergency condition, which is a
system panic or other conditions that cause the routing platform to stop functioning. It
also indicates that the device is offline or turned down. Orange denotes an alert, which
can be conditions that must be corrected immediately, such as a corrupted system
database. Green indicates a notice, which signifies conditions that are not error conditions
but are of interest or might warrant special handling. It can also include a severity level
equivalent to informational or debugging messages. Gray signifies an unknown or an
unconnected device that is out of synchronization.
The configuration state of a device is shown as In Sync when the configuration information
in all three repositories matches (settings made using the device’s CLI, Edge Services Director
in Build mode, or Junos Space Network Management Platform). If there is a conflict
between the configuration information in one or more of the repositories, the device
configuration state is Out of Sync. An Out of Sync state is usually the result of out-of-band
configuration changes—that is, configuration changes made to a device using a
management tool other than Edge Services Director. You can resynchronize such devices
to bring them back to be in synchronization. A number is displayed overlaying each of
the boxes to specify the number of SDGs in each of the states or health conditions.
The paging controls appear at the bottom of the SDG icons that are shown. You can
use these controls to browse the SDGs when the inventory of SDGs is too large to fit on
one page. The Page box lets you jump to a specific page of managed objects. Type the
page number in the Page box and press Enter to jump to that page. The SDGs per page
box enables you to customize the number of objects displayed per page. You can also
navigate to the specific page of the dashboard view by typing the page number, if the
SDGs span across several pages. Otherwise, you can use the first, previous, next, and last
page buttons to traverse across pages. The Refresh icon enables you to revise the display
and show updated information.
Service Gateway Ticker Updates
The SDG dashboard ticker constantly updates with events, messages, and logs. This
view can be added or removed from the Dashboard View by clicking the Add Widgets
button or the cross mark (X) icon respectively. For a displayed syslog message, if you
want to further analyze it for troubleshooting and diagnosing the cause of the error, you
can use the options under the Monitor mode. At any given point in time, the latest ten
messages are displayed and the older messages are flushed out. If you want to view
historical messages, you can view the Fault Management, Performance Management,
or Monitoring pages. By default, the standard Junos OS format for messages specifies
the month, date, hour, minute, and second when the message was logged. Also, the event
category and description are displayed.
Service Delivery Gateway Health Status Trend
The line chart displays the number of SDGs in each of the severity states. The severity is
determined by the memory utilized on the routing engine, temperature, CPU load, and
fan status. A fan running at normal speed is displayed in green. If the fan is running at
maximum speed or not running at all, it is displayed in red. For a virtual chassis the status
of the fans for the selected member is displayed. The SDG health status displays the
operating condition and working efficiency in a color-coded form based on the configured
KPI template for each of the individual SDGs.
A line graph is displayed with the horizontal axis showing the number of SDGs. The vertical
axis shows the time in 24-hour clock format at which alarms have been raised or cleared
for the SDGs. The green line denotes active SDGs, the orange line denotes warning
messages, and the red line denotes critical problems with SDGs. Mouse over the dots on
the graph to view details about the number of alarms at a particular point in time. Time
is shown in increments of two hours on the horizontal axis, ending with the current time
of the local clock on the system. You can expand or collapse the SDG Health Status pane
by clicking the double right or double left arrows on the top-right corner of the pane.
Related Documentation
• Quickly Accessing Important Monitoring and Troubleshooting Details on page 27
Using Dashboard Widgets
The Dashboard is a customizable page for viewing information about the network. You
select monitoring widgets to display on the Dashboard that show various information
about the network. The Dashboard is the default view that opens when you log in. When
a different view is selected, select Dashboard View from the Select View list in the Edge
Services Director banner to open the Dashboard.
To select what appears on the Dashboard:
1. To add a monitor to the Dashboard:
a. Select Add Widgets. Thumbnails of the available widgets appear.
b. To add a widget to the Dashboard, mouse over the widget’s thumbnail, then click
the Add button that appears on the widgets.
c. When you are finished adding widgets, click Done. The new widgets appear on the
Home page.
2. To refresh a widget’s data, click the Refresh button in its title bar.
3. To see additional information for a widget, click the Maximize button in the widget’s
title bar.
4. To remove a widget from the Dashboard, click the Close button (X) in its title bar.
5. To open online help for a widget, click the Help button (?) in its title bar.
6. To move a widget, click its title bar and drag it to the new location.
Related Documentation
• Working with the Dashboard on page 51
Alarm Severities and States Overview
By default, the Junos Space Network Management Platform is monitored using a built-in
SNMP manager. The Junos Space Network Management Platform node is listed in the
node list (Network Monitoring > Node List), and is referred to as the Junos Space Network
Management Platform node.
Alarm Severity
Alarms are ranked by their impact to the network. The following list shows the ranking
of alarms in Edge Services Director from alarms that have the most impact to alarms
that have the least impact on the network. It also shows the color scheme associated
with each level of severity that is reflected in related graphs.
Critical (Red)—A critical condition exists; immediate action is necessary.
Major (Orange)—A major error has occurred; escalate or notify as necessary.
Minor (Yellow)—A minor error has occurred; notify or monitor the condition.
Indeterminate (Blue)—An informational message; no action is necessary. Informational
alarms do not necessarily indicate an error. It could indicate that a device or entity
has changed state.
Administrators can override the default severity of an alarm and set the severity to match
their in-house guidelines.
Alarm State
Once an alarm is active, it has one of these states:
• Active—Alarms that are current and not yet acknowledged or cleared.
• Cleared—Alarms that are resolved and the device or entity has returned to normal
operation.
Some alarm states go directly from active to cleared state and require little to no
administrative effort. However, other alarms with a high severity should be acknowledged
and investigated.
In addition to acknowledging and clearing an alarm, you can assign an alarm to someone
and you can append a note or annotation to an alarm. Annotations are helpful for
documenting the resolution of an alarm or time estimates for a fix. Changes to an alarm’s
state are made through the Alarm State monitor in Fault mode.
Related Documentation
• Events and Alarms Overview
• Understanding Monitor Mode in Edge Services Director on page 489
Viewing the Detailed Status of KPI Templates Applied to Devices
In a network environment, it is essential for a network administrator or a
supervisor to quickly and easily assess the device performance and operating efficiency to
be able to take corrective action and restoration measures for any device alarms,
overloaded conditions, or traffic drops observed.
From the Dashboard page (see “Dashboard” on page 51), you can view the KPI templates
applied to the SDG devices in an in-depth, granular way before you navigate to the KPI
Templates page or the Service Designer page to modify the metrics of KPI settings or
service settings respectively. You can view detailed, extensive information about the KPI
settings for SDGs displayed in tile view, group view, or band view.
To view detailed status information of the KPI templates associated with a particular
SDG device:
1. From the Dashboard page, right-click an SDG device and select Status Details. The
Service Gateway KPI Status Details window appears.
The name of the SDG device is displayed at the top of the page. The same color-coding
format that is used to display the SDG in the Dashboard page is used in this window.
For example, if the SDG is shown in the tile view or band view in red, the host name is
shown in red in the KPI Status Details window.
2. Click the right arrow next to each of the KPI sections or components that are displayed.
Only the KPI components applied to the specified SDG are displayed. When you
expand each of the KPI components, the attributes or parameters that apply for the
KPI are shown. A colored box is displayed for each of the KPI attributes to signify the
health and efficiency of the device for the corresponding KPI setting. For example, for
ADC, CPU Status, Service Pic Status, VIP Status, and Real Servers might be displayed.
3. Click Close after you finish viewing the settings to return to the Dashboard
page.
Related Documentation
• Working with the Dashboard on page 51
PART 2
Gateway View of Build Mode
• About Gateway View of Build Mode on page 63
• Managing Service Delivery Gateways and Groups on page 83
• Managing KPI Templates on page 115
• Viewing the Device Inventory on page 129
CHAPTER 6
About Gateway View of Build Mode
• Understanding Build Mode in Gateway View of Edge Services Director on page 63
• Understanding Resynchronization of Device Configuration on page 67
• Importing Devices on page 72
• Device Discovery Overview on page 74
• Unmanaged Devices Overview on page 76
• Working With Managed Devices on page 77
• Working With Unmanaged Devices on page 78
• Working With Discovered Devices on page 78
• Managing Jobs on page 79
Understanding Build Mode in Gateway View of Edge Services Director
In Gateway view of Build mode, you create the network managed by Junos Space Edge
Services Director by bringing devices under the administration of the network management
application and retrieving the device settings to save in the Edge Services Director
database. It provides you with the ability to use device discovery to bring devices under
Edge Services Director management, to customize your view of the devices, to configure
devices, and to perform some common device management tasks.
This topic describes:
• Discovering Devices on page 63
• Configuring Devices on page 64
• Viewing the Devices Inventory on page 65
• Service Delivery Gateway Groups on page 66
• KPI Templates on page 66
Discovering Devices
Device discovery finds your network devices and brings them under Edge Services Director
management. You provide Edge Services Director with identifying information about the
devices you want Edge Services Director to manage—an IP address or hostname, an IP
address range, an IP subnetwork, or a CSV file that contains this information. Edge Services
Director uses the information to probe the devices by using either ping or SNMP get
requests. If a device probe is successful, Edge Services Director then attempts to make
an SSH connection to the device using the login credentials you supply. If the connection
is successful and the device is a supported device, Edge Services Director adds the device
to its database of managed devices. Edge Services Director uses the Juniper Networks Device
Management Interface (DMI), which is an extension to the NETCONF network
configuration protocol, to connect to and configure its managed devices.
You can also discover devices using the device discovery feature provided by the Junos
Space Network Management Platform. Devices you discover using Junos Space device
discovery are brought under Edge Services Director management if they are supported
by Edge Services Director.
Besides bringing your devices under Edge Services Director management, device discovery:
• Reads the device configuration and saves it in the Junos Space configuration database.
Edge Services Director uses this record of the device configuration to determine what
configuration commands it needs to send to a device when you deploy the configuration
on the device. For this reason, it is important for the Junos Space configuration record
to match, or be in sync with, the device configuration.
• Imports the device configuration into the Gateway view of Build mode configuration.
For more information about importing device configurations, see “Importing Device
Configurations” on page 65.
Configuring Devices
In Gateway view of Build mode, you can define the configuration of network devices in
your Physical network. To support rapid, large-scale deployment of devices, you can
define much of your Gateway view of Build mode configuration in a set of profiles.
NOTE: This section does not apply to virtual devices that Edge Services
Director manages.
Deploying Device Configurations
After you build your device configurations in Gateway view of Build mode, you need to
deploy the configurations on the devices. None of the configurations you create in Gateway
view of Build mode affect your devices until the configurations are actually deployed on
the devices.
To deploy the configuration on devices, use Deploy mode. When you change a device’s
configuration in Gateway view of Build mode, the device becomes available in Deploy
mode for configuration deployment.
For more information about deploying configuration changes, see Understanding Deploy
Mode in Edge Services Director.
Importing Device Configurations
As part of device discovery, Edge Services Director analyzes the configuration of a newly
discovered device and automatically imports the configuration into the Gateway view
of Build mode configuration for that device.
As it imports the device configuration, Edge Services Director automatically creates
discovery profiles to match the configuration. It first determines whether any existing
profiles match the configuration, and if so, assigns those profiles to the device. It then
creates and assigns new profiles as needed. For example, if an access switch has some
ports that match the configuration of an existing Port profile, Edge Services Director
assigns the existing Port profile to those ports. For the other ports, Edge Services Director
creates as many Port profiles as needed to match the port configurations and assigns
them to the ports.
You can manage the profiles that Edge Services Director creates as part of device
discovery in the same way that you manage user-created profiles—that is, you can modify,
delete, or assign them to other devices.
Out-of-Band Configuration Changes
Out-of-band configuration changes are configuration changes made to a device outside
of Edge Services Director. Examples include changes made by:
• Using the device CLI.
• Using the device Web-based management interface (the J-Web interface or Web
View).
• Using the Junos Space Network Management Platform configuration editor.
• Using RingMaster software.
• Restoring or replacing device configuration files.
When an out-of-band change is made, the device configuration no longer matches the
Gateway view of Build mode configuration, and the device configuration state changes
to out of sync. You cannot deploy configuration on a device that is out of sync. Edge
Services Director resolves out-of-band configuration changes and synchronizes the
Gateway view of Build mode configuration with the device configuration by using the
resynchronization of devices functionality.
TIP: Before you make configuration changes in Gateway view of Build mode,
make sure that devices that will be affected are in sync. Resynchronizing the
device configuration can result in losing pending Gateway view of Build mode
configuration changes for that device.
Viewing the Devices Inventory
This inventory page lists all the SDG hardware and inventory of the chassis components.
A graphical representation is provided of the types of services, connection status of the
SDGs or devices, and the configuration status of managed SDGs. A pie chart is displayed
to signify these details. Also, you can view full-blown information on the chassis, line
cards, and associated hardware components of an SDG and the interface attributes. All
of the SDGs that are created are displayed in a tree structure on the left pane of the
Inventory page.
NOTE: From Service view in Build mode, you can select View Inventory from
the tasks pane and also view comprehensive, consolidated information on each
of the services, such as load balancing or CGNAT, from the Inventory page
by clicking the plus (+) sign that appears adjacent to each service on the
page.
Service Delivery Gateway Groups
Service delivery gateways (SDGs) are discovered by the SDG discovery workflow. The
discovered SDGs are shown in the SDG inventory page. The discovered SDGs can be
part of a high availability (HA) pair or standalone SDGs. In case of SDG HA pairs, all the
actions from SDG management are at the SDG HA pair level; you cannot perform an action on
only the master SDG or only the standby SDG. SDGs can be grouped as zones or domains.
The SDG groups contain one or more SDGs. Each SDG can be part of just one group. Users
can create, edit, or delete SDG groups.
KPI Templates
Templates contain the KPI parameters that evaluate the health of an SDG device. A
system-created default KPI template is available. This system-created KPI template
cannot be edited or deleted. However, an SDG administrator can clone a new template
based on this default template. An administrator-created KPI template can be edited
or deleted. During the SDG discovery process, a copy of one of the KPI templates is
associated with each SDG. The KPI parameters from the KPI template are part of the SDG
settings and are used to compute the statuses and condition of services of SDGs as
green, orange, or red.
Related Documentation
• Working with the Dashboard on page 51
Understanding Resynchronization of Device Configuration
In a network managed by Edge Services Director, three separate repositories about device
configuration are maintained:
• The configuration information on the devices themselves. Each switch and wireless
LAN controller maintains its own configuration record.
• The configuration information maintained by the Junos Space Network Management
Platform. When a device is discovered, either by Junos Space or Edge Services Director,
Junos Space stores a record of the configuration on that device.
Edge Services Director uses the configuration record maintained by Junos Space to
determine what configuration commands need to be sent to the device when you
deploy configuration on the device in Deploy mode.
• The configuration information maintained by Edge Services Director in Build mode.
This information takes the form of the profiles assigned to the device, plus the additional
configuration, such as LAG and access point configuration, that you can do under device
management.
In Edge Services Director, the configuration state of a device is shown as In Sync when
the configuration information in all three repositories matches. If there is a conflict between
the configuration information in one or more of the repositories, Edge Services Director
shows the device configuration state as Out of Sync.
An Out of Sync state is usually the result of out-of-band configuration changes—that is,
configuration changes made to a device using a management tool other than Edge
Services Director. Examples of such changes include changes made by:
• Using the device CLI.
• Using the device Web-based management interface (the J-Web interface or Web
View).
• Using the Junos Space Network Management Platform configuration editor.
• Using RingMaster software.
• Restoring or replacing device configuration files.
You cannot deploy configuration on a device when the device configuration state is Out
of Sync.
This topic describes how Edge Services Director enables you to resynchronize the device
configuration state. It covers:
• The Resynchronize Device Configuration Task
• How Resynchronization Works in NSOR Mode
• How Resynchronization Works in SSOR Mode
• How Edge Services Director Resynchronizes the Build Mode Configuration
The Resynchronize Device Configuration Task
Edge Services Director provides a task in Deploy mode that enables you to resynchronize
the repositories of configuration information. When an out-of-band configuration change
is made, you can use this task to resynchronize both the Junos Space configuration record
and the Build mode configuration with the configuration on the device.
How Edge Services Director performs resynchronization depends on the system of record
(SOR) mode set for the Junos Space Network Management Platform. There are two
possible modes:
• Network as system of record (NSOR). This is the default mode.
• Junos Space as system of record (SSOR).
You set the mode in Junos Space under Administration > Applications > Network
Management Platform > Modify Application Settings.
How Resynchronization Works in NSOR Mode
In NSOR mode, the network device is considered the system of record for device
configuration, which means the configuration maintained by the device takes precedence
over the configuration maintained by Junos Space and Edge Services Director. Thus when
you perform a resynchronization, the Junos Space configuration record and the Edge
Services Director Build mode configuration are updated to match the device configuration.
When an out-of-band change is made on a managed device while Junos Space is in
NSOR mode:
1. Junos Space detects that a configuration change has occurred on the device and
informs Edge Services Director about the change.
2. Both Junos Space and Edge Services Director set the device configuration state to
Out of Sync.
3. Junos Space automatically resynchronizes its configuration record to match the device
configuration and sets the device configuration state to In Sync when the
synchronization completes.
4. If the configuration change does not affect configuration that you can perform in Build
mode (for example, routing configuration), Edge Services Director also sets the device
configuration state to In Sync after the Junos Space resynchronization completes. All
three configuration repositories are now in sync.
If the configuration change affects configuration that you can perform in Build mode,
Edge Services Director does not set the device configuration state to In Sync. Instead,
it continues to show the device configuration state as Out of Sync because the Build
mode configuration does not match the device configuration.
5. To resolve the Out of Sync state in Edge Services Director, use the Resynchronize
Device Configuration task in Deploy mode. Edge Services Director updates the Build
mode configuration to match the out-of-band changes.
6. Edge Services Director sets the device configuration state to In Sync.
NOTE: Automatic resynchronization, as described in Step 3 above, is a default
setting for the Junos Space Network Management Platform. If automatic
resynchronization is disabled, you must manually resynchronize the Junos
Space configuration with the device configuration. You can do so in two ways:
• Use the Resynchronize with Network action in Junos Space. The Junos
Space configuration is synchronized with the device configuration. However,
the Build mode configuration is not synchronized, so the device state in
Edge Services Director remains Out of Sync. You must use the
Resynchronize Device Configuration task in Deploy mode to resynchronize
the Build mode configuration.
• Use the Resynchronize Device Configuration task in Deploy mode. In this
case, Edge Services Director resynchronizes both the Junos Space
configuration and the Build mode configuration with the device
configuration.
How Resynchronization Works in SSOR Mode
When Junos Space is in SSOR mode, Junos Space is considered the system of record for
device configuration. In this mode, when an out-of-band configuration change occurs
on a device, you can choose whether to accept the change or to overwrite the change
with the configuration maintained by Junos Space.
When an out-of-band change is made on a managed device while Junos Space is in
SSOR mode:
1. Junos Space detects that a configuration change has occurred on the device and
informs Edge Services Director about the change.
2. Junos Space sets the device configuration state to Device Changed, and Edge Services
Director sets the device configuration state to Out of Sync.
Edge Services Director sets the device configuration state to Out of Sync even if the
configuration change does not affect configuration you can perform in Build mode.
This allows you to resolve the Device Changed configuration state for Junos Space
from Edge Services Director.
3. In Edge Services Director, use the Resynchronize Device Configuration task to accept
or reject the out-of-band changes:
• If you accept the out-of-band changes, both the Junos Space configuration record
and the Edge Services Director Build mode configuration are resynchronized to
reflect the out-of-band configuration changes.
• If you reject the out-of-band changes, the configuration on the device is overwritten
by the configuration record maintained by Junos Space. The Edge Services Director
Build mode configuration remains unchanged.
4. Both Junos Space and Edge Services Director set the device configuration state to In
Sync.
The above process differs somewhat when out-of-band configuration changes are made
through the Junos Space configuration editor. In this case:
1. Junos Space sets the device configuration state to Space Changed after the
configuration change is saved.
At this point, the changes have been made only in the Junos Space configuration
record and the changes have not yet been deployed to the device. Edge Services
Director shows the device configuration state as In Sync.
NOTE: Because the device configuration state is In Sync in Edge Services
Director, you can deploy configuration on the device from Edge Services
Director at this point. If you do so, the Edge Services Director changes are
deployed on the device, but the Junos Space changes are not. The device
state in Junos Space remains Space Changed.
2. When the changes are deployed to the device from Junos Space, Junos Space changes
the device state to In Sync, while Edge Services Director changes the device state to
Out of Sync.
3. In Edge Services Director, use the Resynchronize Device Configuration task to resolve
the Out of Sync state. In this case, because the Junos Space configuration record and
the device configuration are in sync, you cannot reject the changes. When you
resynchronize the device in Edge Services Director, the Build mode configuration is
updated to reflect the configuration changes.
4. Edge Services Director sets the device configuration state to In Sync.
If you use Junos Space instead of Edge Services Director to resolve out-of-band
configuration changes in SSOR mode, note the following:
• If you reject an out-of-band change, the device state becomes In Sync in both Edge
Services Director and Junos Space.
• If you accept an out-of-band change that does not affect the Build mode configuration,
the device state becomes In Sync in both Edge Services Director and Junos Space.
• If you accept an out-of-band change that affects the Build mode configuration, the
device state becomes In Sync in Junos Space but remains Out of Sync in Edge Services
Director. You must use the Resynchronize Device Configuration task to resolve the Out
of Sync state.
NOTE: When Junos Space is in SSOR mode, we recommend that you do not
make out-of-band changes to the cluster configuration on the secondary
seeds and member controllers of a mobility domain, such as disabling the
cluster on these devices. Use Edge Services Director to modify the cluster
configuration on these devices.
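The NSOR and SSOR handling of an out-of-band change made on the device can be traced with a small model of the three repositories. This is an added illustration, not Juniper code: the class, its method names, and the configuration keys are hypothetical, and it covers only changes made on the device itself (not changes saved in the Junos Space configuration editor).

```python
# Added illustration: a toy model of the three configuration repositories.
# Config keys and values are constructed, not taken from a real device.
BASE_CONFIG = {
    "routing: ospf area": "0.0.0.0",   # routing is not Build mode configuration
    "lag: ae0 lacp": "active",         # LAG settings are Build mode configuration
}
BUILD_KEYS = {"lag: ae0 lacp"}         # assumption: the keys Build mode manages


class ManagedDevice:
    def __init__(self, config, build_keys, mode="NSOR"):
        if mode not in ("NSOR", "SSOR"):
            raise ValueError("mode must be NSOR or SSOR")
        self.mode = mode
        self.build_keys = set(build_keys)
        self.device = dict(config)          # repository 1: the device itself
        self.space = dict(config)           # repository 2: Junos Space record
        self.build = self._project(config)  # repository 3: Build mode config
        self.space_state = "In Sync"
        self.esd_state = "In Sync"

    def _project(self, config):
        """Return the part of a configuration that Build mode manages."""
        return {k: v for k, v in config.items() if k in self.build_keys}

    def out_of_band_change(self, key, value):
        """A change made on the device outside Edge Services Director."""
        self.device[key] = value
        self.space_state = "Out of Sync" if self.mode == "NSOR" else "Device Changed"
        # In SSOR mode the Director shows Out of Sync even for non-Build changes.
        self.esd_state = "Out of Sync"

    def space_auto_resync(self):
        """NSOR step 3: Junos Space updates its record from the device."""
        if self.mode != "NSOR":
            raise ValueError("automatic resynchronization is modelled for NSOR only")
        self.space = dict(self.device)
        self.space_state = "In Sync"
        # NSOR step 4: the Director follows only if Build mode config still matches.
        if self.build == self._project(self.device):
            self.esd_state = "In Sync"

    def esd_resynchronize(self, accept=True):
        """The Resynchronize Device Configuration task in Deploy mode."""
        if self.mode == "SSOR" and not accept:
            # Reject: the Junos Space record overwrites the device; Build mode
            # configuration stays as it was.
            self.device = dict(self.space)
        else:
            # NSOR, or SSOR accept: both records are updated from the device.
            self.space = dict(self.device)
            self.build = self._project(self.device)
        self.space_state = self.esd_state = "In Sync"

    def can_deploy(self):
        """Deployment is blocked while the Director shows Out of Sync."""
        return self.esd_state == "In Sync"

    def states(self):
        return (self.space_state, self.esd_state)


if __name__ == "__main__":
    dev = ManagedDevice(BASE_CONFIG, BUILD_KEYS, "NSOR")
    dev.out_of_band_change("lag: ae0 lacp", "passive")
    dev.space_auto_resync()
    print("after auto resync:", dev.states(), "deploy allowed:", dev.can_deploy())
    dev.esd_resynchronize()
    print("after Director resync:", dev.states())
```
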
How Edge Services Director Resynchronizes the Build Mode Configuration
A network managed by Edge Services Director has three repositories of information about
the configuration of a network device—the configuration stored on the device itself, the
device configuration record maintained by Junos Space, and the Build mode configuration
maintained by Edge Services Director.
When the configuration contained in all three repositories matches, the device configuration
state is shown as In Sync in Edge Services Director. When the repositories do not match,
the configuration state is shown as Out of Sync. A common cause for this state is
out-of-band configuration changes—that is, configuration changes made to a device
outside of Edge Services Director.
• When Junos Space is in network as system of record (NSOR) mode, the device is
considered the system of record for configuration. When you resynchronize a device
while Junos Space is in NSOR mode, both the Junos Space configuration record and
the Edge Services Director Build mode configuration are updated to reflect the device
configuration—in other words, the out-of-band configuration changes are incorporated
into both the Junos Space and the Edge Services Director configuration repositories.
• When Junos Space is in Junos Space as system of record (SSOR) mode, you can choose
whether to accept or reject the out-of-band changes reflected in the device configuration.
If you accept the changes, both the Junos Space configuration record and the Edge
Services Director Build mode configuration are updated to reflect the device
configuration. If you reject the changes, the out-of-band changes are rolled back on
the device so that the device configuration matches the Junos Space configuration
record and the Edge Services Director Build mode configuration.
When a commit operation is performed on a managed device under NSOR, Junos Space
Network Management Platform, by default, schedules a resynchronization job to run 20
seconds after the commit operation is received. However, if Junos Space Network
Management Platform receives another commit notification within 20 seconds of the
previous commit notification, no additional resynchronization jobs are scheduled because
Junos Space Network Management Platform resynchronizes both commit operations in
one job. This damping feature of automatic resynchronization provides a window of time
during which multiple commit operations can be executed on the device, but only one
or a few resynchronization jobs are required to resynchronize the Junos Space Network
Management Platform database after multiple configuration changes are executed on
the device.
You can change the default value of 20 seconds to any other duration by specifying the
value in seconds in the Administration > Applications > Network Management Platform >
Modify Application Settings > Device > Max auto resync waiting time secs field. For example,
if you set the value of this field to 120 seconds, then Junos Space Network Management
Platform automatically schedules a resynchronization job to run 120 seconds after the
first commit operation is received. If Junos Space Network Management Platform receives
any other commit notification within these 120 seconds, it resynchronizes both commit
operations in one job.
When Junos Space Network Management Platform receives the device commit
notification, the device status is “Out of Sync”. When the resynchronization job begins
on the device, the Managed Status for the device displays “Synchronizing” and then “In
Sync” after the resynchronization job has completed, unless a pending device commit
operation causes the device to display “Out of Sync” while it was synchronizing.
For details about resynchronizing devices, see Resynchronizing Managed Devices with the
Network.
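The damping window and the resulting Managed Status sequence can be worked through on a list of commit times. This is an added example, not Junos Space code; it assumes the window is counted from the first commit of a batch (as in the 120-second example above), that a commit arriving while a job runs is not covered by that job, and a hypothetical job duration `job_secs`, which the guide does not state.

```python
# Added illustration of automatic-resynchronization damping under NSOR.
# Times are in seconds; job_secs is a hypothetical job duration.

def plan_resync(commit_times, wait_secs=20, job_secs=5):
    """Group commit notifications into resynchronization jobs."""
    jobs = []
    for t in sorted(commit_times):
        last = jobs[-1] if jobs else None
        if last and t < last["start"]:
            # Arrived inside the waiting window: handled by the pending job.
            last["commits"].append(t)
            continue
        start = t + wait_secs
        if last:
            # A new job does not start before the previous one has finished.
            start = max(start, last["end"])
        jobs.append({"start": start, "end": start + job_secs, "commits": [t]})
    return jobs


def managed_status_timeline(commit_times, wait_secs=20, job_secs=5):
    """Return the (time, status) transitions shown for the device."""
    jobs = plan_resync(commit_times, wait_secs, job_secs)
    # At equal timestamps: a job end is processed first, then a job start,
    # then a commit, so a commit at the start time counts as "during the job".
    events = [(t, 2, "commit") for t in commit_times]
    for job in jobs:
        events.append((job["start"], 1, "start"))
        events.append((job["end"], 0, "end"))

    timeline, status, dirty = [], "In Sync", False
    for when, _, kind in sorted(events):
        if kind == "commit":
            if status == "Synchronizing":
                dirty = True          # pending commit seen while synchronizing
                continue
            new = "Out of Sync"
        elif kind == "start":
            new, dirty = "Synchronizing", False
        else:
            new = "Out of Sync" if dirty else "In Sync"
        if new != status:
            timeline.append((when, new))
            status = new
    return timeline


if __name__ == "__main__":
    commits = [0, 5, 12, 100]         # constructed commit notification times
    for wait in (20, 120):
        print(wait, len(plan_resync(commits, wait)),
              managed_status_timeline(commits, wait))
```

With the constructed commit times, the default 20-second window produces two jobs and a 120-second window produces one; the device is shown as Out of Sync for the whole waiting window in each case.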
Related Documentation
• Understanding Build Mode in Gateway View of Edge Services Director
Importing Devices
You can import device configurations from MX Series devices running Junos OS into the
Edge Services Director database.
When importing from a device, the management system connects to the device and
imports Data Model (DM) information that contains details of the device configuration.
The connection is secured using Secure Server Protocol (SSP), a proprietary encryption
method; an always-on connection exists between the management system and the
device.
To import a single device, you must have the following:
• A management interface (fxp0) with the IP address of the device
• A user with full administrative privileges for the NSM administrator
• Device connection information (IP address, connection method) and the device
administrator's name and password
NOTE: All passwords handled by NSM are case-sensitive.
• A physical connection to your network with access to network resources
• Connectivity to the NSM Device Server, which can be with a static IP address
• A Telnet or SSHv2 connection, and a NETCONF over SSH connection
NOTE: After importing a device configuration, log entries from that device
begin to appear in the Log Viewer. However, until you update the device from
NSM, the following log fields display 0 (or unknown):
• domain
• rulebase
• policy
• rule number
• source zone
• destination zone
After you update the imported device configuration using NSM, the
appropriate values are displayed for log entries from the device.
When you import a device configuration, the Log Viewer displays the
appropriate values for the device's log entries. This feature eliminates the
need to update the device after importing it.
To add devices in bulk:
1. From the View selector, select Gateway View or Device View. The workspaces that
are available in this view are displayed. The Gateway view displays the service delivery
gateway (SDG) groups and the SDGs that are part of the high availability pair in an
SDG group. The Device view displays the SDGs based on the device type, and within
the device type, the devices are organized by the device model. For example, all models
of MX960 routers are grouped together under one node in the tree.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the View pane, select the All Network item in Gateway view. If you are in Device
view, click the plus sign (+) beside the My Network item in the View pane to expand
the tree and select the device node you want.
4. Perform either of the following:
• If you are in Gateway View, select Services Gateways from the task pane.
The Service Gateways page is displayed.
• If you are in Device View, select Device Discovery from the task pane.
The Service Gateways page is displayed.
5. Under Device Discovery, select the Discover Devices option from the task pane.
Alternatively, under Services gateways, select the Discover Gateway option from the
task pane.
The Service Gateways—Discovered Devices view is displayed.
You need not click this button if you are launching the Service Gateways page by
navigating from another page or another mode, such as Deploy or Monitor. It is
displayed by default. You must click this button only if you are viewing unmanaged
or managed SDGs or devices.
6. Click the Add icon.
The Discovery Profile window appears.
You can add devices using either the CSV Upload button or the Add icon, or both
together. This button is available in the IP Details, User Details, and SNMP Details
sections of the Discovery Profile window.
7. Click the CSV Upload button to add your own CSV files.
NOTE: The format of the CSV file that you are uploading should exactly
match the format of the sample CSV file.
A dialog box appears.
8. Click Browse.
The CSV File Upload dialog box appears.
9. Navigate to the desired CSV file, select it, and then click Open.
The CSV File Upload dialog box reappears, this time displaying the name of the
selected file.
10. Click Upload to upload the selected CSV file.
Related Documentation
• Understanding Build Mode in Gateway View of Edge Services Director
• Understanding Resynchronization of Device Configuration
Device Discovery Overview
You use device discovery to add devices to Junos Space Edge Services Director application.
Discovery is the process of finding a device and then synchronizing the device inventory
and configuration with the Junos Space Edge Services Director application database. To
use device discovery, Junos Space Edge Services Director application must be able to
connect to the device.
To discover network devices, Junos Space Edge Services Director application uses the
SSH and SNMP protocols. Device authentication initially is handled through administrator
login SSH v2 credentials and SNMP v1/v2c or v3 settings, which are part of the device
discovery configuration. You can continue to use credentials for these devices thereafter,
or you can create and upload RSA keys to devices to allow Junos Space Edge Services
Director application to authenticate itself to them automatically during later discoveries.
You can specify a single IP address, a DNS hostname, an IP range, or an IP subnet to
discover devices on a network. During discovery, Junos Space Edge Services Director
application connects to the physical device and retrieves the running configuration and
the status information of the device. To connect with and configure devices, Junos Space
Edge Services Director application uses Juniper Networks' Device Management Interface
(DMI), which is an extension to the NETCONF network configuration protocol.
When discovery succeeds, Junos Space Edge Services Director application creates an
object in the Junos Space Edge Services Director application database to represent the
physical device and maintains a connection between the object and the physical device
so their information is linked.
Junos Space can manage devices in either of the following ways:
• Junos Space initiates and maintains a connection to the device.
• The device initiates and maintains a connection to Junos Space.
By default, Junos Space manages devices by initiating and maintaining a connection to
the device. When Junos Space initiates the connection to the device, you can discover
and manage devices provided that the management system is behind Network Address
Translation (NAT), as Junos Space establishes the SSH tunnel directly to the device. For
WW Junos devices, Junos Space uses SSH with an adapter to manage the devices.
If device-initiated connection to Junos Space is enabled, the DMI channel and port 7804
are used and the following (sample) configuration is added on the device to establish
the connection to Junos Space:
set system services outbound-ssh client 00111DOCEFAC device-id 7CE5FE
set system services outbound-ssh client 00111DOCEFAC secret "$ABC123"
set system services outbound-ssh client 00111DOCEFAC services netconf
set system services outbound-ssh client 00111DOCEFAC 172.22.199.10 port 7804
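Because this stanza makes the device open a management session outward, it is worth checking on each device that every outbound-ssh client points only at the intended server and port. The following is an added example, not Juniper tooling: the function names are hypothetical, the second stanza in the sample is constructed, and treating a missing secret as a finding is a policy assumption.

```python
# Added illustration: audit outbound-ssh stanzas in "set"-format configuration.
import shlex

# Constructed sample: the four sample lines from the guide plus a second,
# made-up client that points at a different address and port.
SAMPLE_CONFIG = '''
set system services outbound-ssh client 00111DOCEFAC device-id 7CE5FE
set system services outbound-ssh client 00111DOCEFAC secret "$ABC123"
set system services outbound-ssh client 00111DOCEFAC services netconf
set system services outbound-ssh client 00111DOCEFAC 172.22.199.10 port 7804
set system services outbound-ssh client lab-test device-id 0A0B0C
set system services outbound-ssh client lab-test services netconf
set system services outbound-ssh client lab-test 192.0.2.50 port 2222
'''

PREFIX = ["set", "system", "services", "outbound-ssh", "client"]


def parse_outbound_ssh(config_text):
    """Collect outbound-ssh client settings keyed by client name."""
    clients = {}
    for line in config_text.splitlines():
        try:
            tokens = shlex.split(line)      # handles the quoted secret value
        except ValueError:
            continue                        # unbalanced quotes: skip the line
        if tokens[:5] != PREFIX or len(tokens) < 8:
            continue
        name, key, rest = tokens[5], tokens[6], tokens[7:]
        entry = clients.setdefault(name, {
            "device_id": None, "secret": False,
            "services": set(), "targets": [],
        })
        if key == "device-id":
            entry["device_id"] = rest[0]
        elif key == "secret":
            entry["secret"] = True          # record presence only, never the value
        elif key == "services":
            entry["services"].update(rest)
        elif len(rest) >= 2 and rest[0] == "port" and rest[1].isdigit():
            entry["targets"].append((key, int(rest[1])))   # <address> port <n>
    return clients


def audit(clients, expected_server, expected_port=7804):
    """Return (client, finding) pairs for stanzas that deviate from policy."""
    findings = []
    for name, c in sorted(clients.items()):
        if not c["secret"]:
            findings.append((name, "no shared secret configured"))
        if c["services"] != {"netconf"}:
            findings.append((name, "services are not netconf only: %s"
                             % sorted(c["services"])))
        if not c["targets"]:
            findings.append((name, "no target address"))
        for addr, port in c["targets"]:
            if (addr, port) != (expected_server, expected_port):
                findings.append((name, "unexpected target %s:%d" % (addr, port)))
    return findings


if __name__ == "__main__":
    for client, finding in audit(parse_outbound_ssh(SAMPLE_CONFIG), "172.22.199.10"):
        print(client, "-", finding)
```
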
When configuration changes are made in Junos Space Edge Services Director application,
for example, when you deploy service orders to activate a service on your network devices,
the configuration is pushed to the physical device.
If the network is the system of record (NSOR), when configuration changes are made on
the physical device (out-of-band CLI commits and change-request updates), Junos
Space Edge Services Director application automatically resynchronizes with the device
so that the device inventory information in the Junos Space Edge Services Director
application database matches the current device inventory and configuration information.
If Junos Space Edge Services Director application is the system of record (SSOR), this
resynchronization does not occur and the database is unchanged.
The following device inventory and configuration data is captured and stored in relational
tables in the Junos Space Edge Services Director application database:
• Devices—hostname, IP address, credentials
• Physical Inventory—chassis, FPM board, Power Entry Module (PEM), Routing Engine,
Control Board (CB), Flexible PIC Concentrator (FPC), CPU, Physical Interface Card
(PIC), transceiver (Xcvr), fan tray
Junos Space Edge Services Director application displays the model number, part
number, serial number, and description for each inventory component, when applicable.
• Logical Inventory—subinterfaces, encapsulation (link-level), type, speed, maximum
transmission unit (MTU), VLAN ID
• License information:
  • License usage summary—license feature name, feature description, licensed count,
  used count, given count, needed count
  • Licensed feature information—original time allowed, time remaining
  • License SKU information—start date, end date, and time remaining
• Loopback interface
Other device configuration data is stored in the Junos Space Edge Services Director
application database as binary large objects, and is available only to northbound interface
(NBI) users.
Related Documentation
• Understanding Build Mode in Gateway View of Edge Services Director
• Understanding Resynchronization of Device Configuration
Unmanaged Devices Overview
Unmanaged devices are non-DMI devices made by vendors other than Juniper Networks,
Inc. You can add such devices to Junos Space Edge Services Director manually, or by
importing multiple devices simultaneously from a CSV file. You need to provide the IP
address or the host name of the unmanaged device, name of the vendor, username of
the device, password for the device, SNMP credentials, loopback address details, and
key-values that are needed for the device driver to operate. The currently supported
SNMP versions are SNMP V1, SNMP V2C, and SNMP V3. You or any other user may need
to enter the key and the value for the device driver to operate. You can add multiple
key-value pairs for an unmanaged device. The key-value pairs supported are plain-text
string or password. If Junos Space Network Management Platform can communicate
with the device using SNMP, the information gathered via SNMP overrides the information
that you enter.
When you have added the unmanaged device and installed the appropriate device drivers,
the inventory data is fetched from the device. Physical interface and logical interface
details can be fetched for an unmanaged device. You can resynchronize the device with
the network both in SSOR and NSOR mode. This action will resynchronize the inventory
data for the device based on the capabilities supported by the device. Junos Space
Network Management Platform does not monitor the connection status of the unmanaged
device for which the device driver is installed in Junos Space Network Management
Platform. The Device Management table lists NA in the Connection Status column for
unmanaged devices.
You need to package the driver code into a JAR file and add it to the JBoss 7 shared module
directory. Junos Space Network Management Platform accesses the driver class using
module-based class loading. You also need to make an entry in the driver registration
XML file. Junos Space Network Management Platform reads this XML file when JBoss
starts and populates this XML file into the database. The XML file should include the
following parameters:
| Parameter | Description |
|---|---|
| Name | Name of the device driver. |
| Vendor | Vendor of the device. |
| DeviceFamily | The family of the device. |
| Platform | The platform of the device. |
| DriverClassName | The full class name of the class which extends the driver class from the device platform. |
| MgtAttrColl | Holds a collection of key-value pairs that are populated in the Advanced Properties section when creating an unmanaged device. This can be omitted if you want to enter the key-value pairs when creating an unmanaged device. |
| IsDefaultForVendor | When set to true, the driver is used as a default driver for devices of another device family or platform, but from the same vendor. |
| IsDefaultForFamily | When set to true, the driver is used as a default driver for devices of a different platform, but from the same vendor and device family. |
Creating an unmanaged device from a vendor other than Juniper Networks also creates
a tag for that vendor (for example, CISCO) and assigns that tag to the device. If you have
successfully installed the device driver on Junos Space Network Management Platform,
you will be able to fetch the information related to physical and logical interface, manually
resynchronize inventory data, and edit the unmanaged device configuration using the
Junos Space applications. You can view the changes in the unmanaged device
configuration using the View Configuration Change Log action.
Related Documentation
• Importing Devices
• Device Discovery Overview
• Working With Managed Devices
• Working With Unmanaged Devices
• Working With Discovered Devices
Working With Managed Devices
The service delivery gateway (SDG) devices that are administered, maintained, and
monitored from the Edge Services Director application are called managed devices. For
such devices, you can monitor alarms and events, create service templates and assign
them to the devices, and modify assigned KPI templates. You can perform the following tasks
with managed devices from the Service Gateways—Managed Service Gateways page
under the Build mode of the GUI interface:
• Remove the managed SDG devices and mark them unmanaged.
• Modify the SDG association with the SDG group and KPI template.
• Modify KPI templates for the SDGs.
• View configuration and compare the configurations of up to four SDGs.
• Export the managed device details to a CSV file.
Related Documentation
• Importing Devices
• Device Discovery Overview
• Unmanaged Devices Overview
• Working With Unmanaged Devices
• Working With Discovered Devices
Working With Unmanaged Devices
The service delivery gateway (SDG) devices that are not managed and monitored from
the Edge Services Director application are called unmanaged devices. In certain network
topologies, you might require certain devices to be configured individually before they
are added to the management application. You can perform the following tasks with
unmanaged devices from the Service Gateways—Managed Service Gateways page under
the Build mode of the GUI interface:
• Bring the unmanaged devices back into the administration of Edge Services Director.
• View discovery log details.
• Search and filter unmanaged devices.
• Modify KPI templates for the SDGs.
Related Documentation
• Importing Devices
• Device Discovery Overview
• Unmanaged Devices Overview
• Working With Managed Devices
• Working With Discovered Devices
Working With Discovered Devices
You can create discovery profiles to specify the parameters to be used for a discovery
job, schedule the discovery of devices, modify discovery profiles, and view profile details.
You can perform the following tasks with discovered devices from the Service
Gateways—Discovered Devices page under the Build mode:
• Create and modify discovery profiles.
• Delete previously created discovery profiles.
• View discovery profile details.
• Schedule the discovery of devices.
Related Documentation
• Importing Devices
• Device Discovery Overview
• Unmanaged Devices Overview
• Working With Managed Devices
• Working With Unmanaged Devices
Managing Jobs
Edge Services Director enables you to view and manage jobs. You can view the status
of completed jobs and cancel the jobs that are scheduled to execute at a later time or
jobs that are in progress.
The Job Management page, accessible as a System task, enables you to view and manage
all jobs. In addition, Edge Services Director enables you to view special pre-filtered versions
of this page from various other tasks, such as View Discovery Status or View Image
Deployment Jobs. These pages contain the same fields (although some fields might be
hidden) and have the same functionality as the Job Management page, but they list only
those jobs relevant to particular tasks.
To display the Job Management page:
1. Click the My Jobs icon located on the top right of the Edge Services Director banner.
The My Jobs report appears. The My Jobs report displays your 25 most recent jobs.
The jobs displayed in the My Jobs report provide information about the status of the
job, percentage completion of the job, the name of the job, and the job ID. The date
and time represents the date and time when the job failed (in case the job failed) and
the date and time when the job succeeded (in case the job succeeded).
2. You can also click a job in the My Jobs report to view the job on the Job Management
page. Clicking the job ID filters the Job Management page to display only that job. To
view job details, click Manage Jobs. The Job Management page appears.
3. Click Close to exit the My Jobs page.
To view the job details:
1. In the My Jobs page, select a row and click Show Details or double-click a row.
2. To cancel a scheduled job, select a job that is scheduled for a later time or a job that
is in progress and click Cancel.
The fields in the Job Management page are described in Table 20 on page 47.
Table 22: Job Management Page Fields
| Field | Description |
|---|---|
| Job ID | The unique ID assigned to the job |
| Name | The name of the job |
| Percent | The percentage of completion of the job |
| State | The status of the job: Success—Job completed successfully; Failure—Job failed and was terminated; Job Scheduled—Job is scheduled but has not yet started; In progress—Job has started but has not completed; Cancelled—Job is cancelled |
| Job Type | The type of the job |
| Summary | Summary of the job scheduled and executed with status |
| Scheduled Start Time | The time when the job is scheduled to start |
| Actual Start Time | The actual time when the job started |
| End Time | The time when the job was completed |
| User | The login ID of the user that initiated the task |
| Recurrence | The recurrent time when the job will be restarted. |
You can clear your jobs from a list of your jobs when these jobs are no longer of interest
to you.
To remove the jobs that you have initiated:
1. In the banner of the Junos Space user interface, click the My Jobs icon located at the
top right.
The My Jobs report appears. The My Jobs report displays your 25 most recent jobs.
The jobs displayed in the My Jobs report provide information about the status of the
job, percentage completion of the job, the name of the job, and the job ID. The date
and time represent the date and time when the job failed (in case the job failed) and
the date and time when the job succeeded (in case the job succeeded).
2. Perform one of the following actions:
• Click the Clear Job icon that appears to the right of the job to remove a job.
• Click Clear All My Jobs at the top of the My Jobs report to clear all your jobs displayed
on the My Jobs list.
NOTE: Clearing a job from the My Jobs report does not affect the job itself,
but only updates the My Jobs view.
3. Click Close to exit the My Jobs page.
Related Documentation
• Importing Devices on page 72
• Device Discovery Overview on page 74
• Unmanaged Devices Overview on page 76
• Working With Managed Devices on page 77
• Working With Unmanaged Devices on page 78
• Working With Discovered Devices on page 78
CHAPTER 7
Managing Service Delivery Gateways and Groups
• Discovering Devices on page 83
• Comparing Configuration Settings of Devices on page 89
• Exporting Managed Device Details to a CSV File on page 92
• Changing an Unmanaged Device to a Managed Device on page 93
• Modifying the SDG Group and KPI Templates for a Device on page 94
• Scheduling the Discovery of Devices on page 95
• Creating Service Gateway Groups on page 96
• Managing Service Gateway Groups on page 97
• Viewing the Service Gateway Details on page 99
• Searching Unmanaged Devices on page 101
• Viewing the List of Discovered, Managed, and Unmanaged Devices on page 102
• Changing a Managed Device to an Unmanaged Device on page 109
• Modifying Discovery Profiles on page 110
• Deleting Discovery Profiles on page 111
• Systems of Record in Junos Space Overview on page 112
• Resynchronizing Managed SDGs with the Network on page 113
Discovering Devices
You can discover and synchronize physical devices such as MX Series routers that function
as service delivery gateways in your network that are managed by Edge Services Director.
NOTE: On MX Series routers, Edge Services Director connects to port 22 (the
default port) on the Junos Space JA2500 Appliance or the Junos Space Virtual
Appliance by using SSH. You can configure port 22 on the Junos Space
appliances through Administration > Applications in the Junos Space Platform
page. Select Network Application Platform and click Actions > Modify
Application Settings. Set the SSH port for device connection field to 22.
Device discovery is a three-step process in which you specify the target devices, the
discovery options, and the schedule options.
While in Build mode, from the Tasks pane, select Service Gateways. The Service Gateways
page is displayed. Click Discover Devices to create a discovery profile or a job, and to view
the previously created discovery profiles.
This topic describes:
• Preparing MX Series Devices for Discovery on page 84
• Specifying a Discovery Profile and the Target Devices on page 85
• Specifying SNMP Probes on page 86
• Specifying Credentials on page 89
Preparing MX Series Devices for Discovery
Juniper Networks MX Series 3D Universal Edge Routers—MX240, MX480, and
MX960—include all standard Ethernet capabilities as well as enhanced mechanisms for
service providers to provision and support large numbers of Ethernet services in addition
to all Layer 3 services. You can discover these routers and manage them as switching
devices from Edge Services Director. However, before discovering these MX devices from
Edge Services Director, you must ensure that the Junos OS running on the device is at
the required level and that the network service mode is set to LAN.
To prepare an MX Series device for discovery:
1. Log in to the MX Series device by using the CLI.
2. Ensure that the device is running a version of Junos OS that is compatible with Edge
Services Director. Use the operational mode command show version to determine the
Junos OS software release.
3. Commit your changes.
The MX Series device is now discoverable from Edge Services Director.
Specifying a Discovery Profile and the Target Devices
You can add devices to Edge Services Director for device discovery by using the Add icon
on the Service Gateways page. This creates a discovery profile, which is a discovery job
that contains the list of devices and their properties to be retrieved and added to the Edge
Services Director database.
NOTE: If you want to discover and manage MX Series devices—MX240,
MX480, and MX960—from Edge Services Director, you must first make these
devices discoverable. For more details see “Preparing MX Series Devices for
Discovery” on page 84.
To specify a discovery profile and the target devices that you want Edge Services Director
to discover:
1. From the View selector, select Gateway View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the View selector, select Gateway View or Device View. The workspaces that
are available in this view are displayed. The Gateway view displays the service delivery
gateway (SDG) groups and the SDGs that are part of the high availability pair in an
SDG group. The Device view displays the SDGs based on the device type, and within
the device type, the devices are organized by the device model. For example, all models
of MX960 routers are grouped together under one node in the tree.
4. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
5. From the View pane, select the All Network item in Gateway view. If you are in Device
view, click the plus sign (+) beside the My Network item in the View pane to expand
the tree and select the device node you want.
6. From the task pane in Gateway view, select Services Gateways.
The Service Gateways page is displayed.
NOTE: Alternatively, you can select Device View from the View selector,
click the Build icon on the banner, and select Discover Devices from the
task pane to open the Discovery Profiles window to discover and manage
devices.
7. From the task pane, select the Discover Gateway option. You need not click this button
if you are launching the Service Gateways page by navigating from another page or
another mode, such as Deploy or Monitor. It is displayed by default. You must click
this button only if you are viewing unmanaged or managed SDGs or devices.
8. Click the Add icon. The Discovery Profile window appears.
9. In the Name field, enter a name for the device discovery job. No name is shown by
default. A job or profile name cannot exceed 128 characters and can contain only
letters, numbers, spaces, and some special characters. The special characters allowed
are hyphen (-), underscore (_), period (.), at (@), single quote (’), forward slash (/),
and ampersand (&).
10. (Optional) In the Description field, type a user-defined description (a minimum of 2
characters and a maximum limit of 255 characters). The description cannot exceed
256 characters and cannot contain hyphens. The operators who use the profile rely
on the description for information on the discovery job.
11. To add individual devices by specifying the IP address credentials, click Add in the IP
Details table.
The IP Details dialog box appears.
12. Choose one of the following options to specify the target devices:
• Select the IP Address option and enter the IP address of the device.
• Select the IP-Range option and enter a range of IP addresses for the devices. The
maximum number of IP addresses for an IP range target is 1024.
• Select the IP-Subnet option and enter an IP subnet for the devices.
• Select the HostName option and enter the hostname of the device.
• Click Save to save the target devices that you specified. When you have added all
target devices that you want Edge Services Director to discover, click Save in the
Discovery Profile window.
The IP Details section displays the addresses of the configured target devices.
13.
• To edit a target device, select the box that displays with an icon for each added
device in the IP Details section and click Edit. Make the required changes and click
Add to display the IP addresses in the Device Targets table.
• To delete a target device, select the box that displays with an icon for each added
device in the IP Details section and click Delete.
• To view and download a sample CSV file, click CSV Sample. The Opening
Device_Discovery_CSV.csv file dialog box is displayed. You can open the sample
CSV file or save the sample CSV file.
14. (Optional) You can proceed to specify the SNMP probes and credentials for the added
devices.
Specifying SNMP Probes
You can specify an SNMP probe to connect to and discover the devices in a network.
To add a probe:
1. From the View selector, select Gateway View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the task pane, select Services Gateways. The Service Gateways page is displayed.
4. Select the Discover Gateway option.
5. Click the Add icon. The Discovery Profile window appears.
6. Click the Add icon in the SNMP Details table. The SNMP Details dialog box is displayed.
7. Select one of the following options and enter the appropriate value in the field provided.
• Select SNMP V1/V2C and specify the community string in the Community field.
The SNMP v1/v2c community string public is available by default. The SNMP v1/v2c
community string is based on the community string configured on the devices in
your network.
• Select SNMP V3 and enter the information in the fields provided.
a. Enter the SNMP V3 username in the Username field.
b. Select the privacy protocol (the encryption standard for the SNMP user) from
the Privacy type list.
The available options are AES128, DES, and None.
c. Enter the password used to generate the key used for encryption in the Privacy
password field.
The password must be at least eight characters long. You can include all
character classes in a password (alphabetic, numeric, and special characters)
except control characters.
d. Select the authentication type for the SNMP user from the Privacy type drop-down
list.
The available options are MD5, SHA1, and none.
e. Enter the password used to generate the key used for authentication in the
Authentication password field.
The password must be at least eight characters long. You can include all
character classes in a password (alphabetic, numeric, and special characters)
except control characters.
8. Click Save to close the SNMP Details dialog box and add the SNMP probe to the SNMP
Settings list.
The SNMP Details section of the Discovery Profile page displays the configured SNMP
settings.
You can also click Cancel to close the SNMP Details dialog box without adding any
SNMP probes.
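The limits stated in the target-device and SNMP probe steps above (profile name length and characters, 1024 addresses per IP range, SNMP V3 passwords of at least eight characters with no control characters) can be checked before a profile is entered. The following Python code is an added example, not part of this guide or of Edge Services Director; the function names, the ASCII reading of "letters" and of the single quote, the empty-name check, and the hardening warnings are assumptions of the example.

```python
import ipaddress
import re
import unicodedata

# Limits taken from the Discovery Profile and SNMP Details steps in this guide.
MAX_NAME_LEN = 128
MAX_RANGE_ADDRESSES = 1024
MIN_V3_PASSWORD_LEN = 8
# Assumption: "letters" means ASCII letters and the single quote is ASCII '.
NAME_RE = re.compile(r"[A-Za-z0-9 \-_.@'/&]+")
PRIVACY_TYPES = ("aes128", "des", "none")
AUTH_TYPES = ("md5", "sha1", "none")


def check_profile_name(name):
    """Return a list of problems with a discovery profile name."""
    if not name:
        return ["name is empty"]  # assumption: a name is required
    problems = []
    if len(name) > MAX_NAME_LEN:
        problems.append(f"name is {len(name)} characters; limit is {MAX_NAME_LEN}")
    if not NAME_RE.fullmatch(name):
        bad = sorted({c for c in name if not NAME_RE.fullmatch(c)})
        problems.append("name contains disallowed characters: " + " ".join(map(repr, bad)))
    return problems


def check_ip_range(first, last):
    """Return problems with an IP-Range target given its first and last address."""
    try:
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    except ValueError as exc:
        return [f"invalid address: {exc}"]
    if lo.version != hi.version:
        return ["range mixes IPv4 and IPv6 addresses"]
    if hi < lo:
        return ["range end is lower than range start"]
    size = int(hi) - int(lo) + 1
    if size > MAX_RANGE_ADDRESSES:
        return [f"range holds {size} addresses; limit is {MAX_RANGE_ADDRESSES}"]
    return []


def _password_problems(label, password):
    """Apply the guide's SNMP V3 password rule to one password field."""
    problems = []
    if len(password) < MIN_V3_PASSWORD_LEN:
        problems.append(f"{label} password is shorter than {MIN_V3_PASSWORD_LEN} characters")
    if any(unicodedata.category(c) == "Cc" for c in password):
        problems.append(f"{label} password contains a control character")
    return problems


def check_snmp_v3(username, privacy_type, privacy_password, auth_type, auth_password):
    """Return (problems, warnings) for one SNMP V3 probe."""
    problems, warnings = [], []
    priv, auth = privacy_type.lower(), auth_type.lower()
    if not username:
        problems.append("username is empty")
    if priv not in PRIVACY_TYPES:
        problems.append(f"unknown privacy type {privacy_type!r}")
    if auth not in AUTH_TYPES:
        problems.append(f"unknown authentication type {auth_type!r}")
    if priv in ("aes128", "des"):
        problems += _password_problems("privacy", privacy_password)
    if auth in ("md5", "sha1"):
        problems += _password_problems("authentication", auth_password)
    # Hardening notes added by this example; they are not rules from the guide.
    if priv == "none":
        warnings.append("privacy None: SNMP payloads are sent unencrypted")
    elif priv == "des":
        warnings.append("DES is a legacy 56-bit cipher; prefer AES128")
    if auth == "none":
        warnings.append("authentication none: messages are not authenticated")
        if priv in ("aes128", "des"):
            warnings.append("SNMPv3 USM defines no privacy-without-authentication level")
    elif auth == "md5":
        warnings.append("MD5 is a legacy digest; prefer SHA1 of the two offered")
    return problems, warnings


def check_community(community):
    """Return warnings for an SNMP V1/V2C community string."""
    warnings = ["SNMP v1/v2c sends the community string in cleartext"]
    if community.lower() in ("public", "private"):
        warnings.append(f"{community!r} is a well-known community string")
    return warnings


if __name__ == "__main__":
    # Constructed sample values (documentation address space, made-up names).
    print(check_profile_name("core-sdg_01 @lab/a&b"))
    print(check_ip_range("192.0.2.0", "192.0.6.0"))
    print(check_snmp_v3("ops", "DES", "short", "none", ""))
    print(check_community("public"))
```
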
To edit an SNMP probe:
1. Select the SNMP probe that you want to edit and click the Modify icon [slanted pencil]
to open the SNMP Details dialog box.
2. Select one of the following options and enter the appropriate value in the field provided.
You can choose to edit the existing values in the selected SNMP version, or you can
select a different SNMP version and enter the desired values.
• Select SNMP V1/V2C and specify the community string in the Community field.
You can enter “public”, “private”, or a predefined string.
• Select SNMP V3 and enter the information in the fields provided.
a. Enter the SNMP version 3 username in the Username field.
b. Select the privacy protocol (that is, the encryption standard for the SNMP
user) from the Privacy type list.
The available options are AES128, DES, and None.
c. Enter the password used to generate the key used for encryption in the Privacy
password field.
The password must be at least eight characters long. You can include all
character classes in a password (that is, alphabetic, numeric, and special
characters) except control characters.
d. Select the authentication type for the SNMP user from the Privacy type drop-down
list.
The available options are MD5, SHA1, and none.
e. Enter the password used to generate the key used for authentication in the
Authentication password field.
The password must be at least eight characters long. You can include all
character classes in a password (that is, alphabetic, numeric, and special
characters) except control characters.
3. Click Modify to save your changes and close the SNMP Details dialog box.
The SNMP Details section displays the configured SNMP settings.
Alternatively, click Cancel to close the dialog box without editing any SNMP probes.
To delete an SNMP probe:
1. Select the SNMP probe that you want to delete in the SNMP Details section and click
the Delete icon [X].
2. The SNMP probe is removed from the SNMP Details section.
Specifying Credentials
Optionally, specify an administrator name and password to establish the SSH connection
for each target device that you configured. If you are using key-based authentication, you
do not need to do this step. To specify the credentials:
NOTE: Alternatively, you can select Device View from the View selector, click
the Build icon on the banner, and select Discover Devices from the task pane
to open the Discovery Profiles window to discover and manage devices.
1. From the View selector, select Gateway View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the task pane, select Services Gateways.
The Service Gateways page is displayed.
4. Select the Discover Gateway option.
5. Click the Add icon. The Discovery Profile window appears.
6. Click the Add icon in the User Details table. The User Details dialog box is displayed.
7. Specify the administrator username and password, and confirm the password. The
name and password must match the name and password configured on the device.
Save the user name and password that you specified by selecting Save.
The User Details section of the Discovery Profile window displays the administrator
user names that you configured.
Related Documentation
• Importing Devices on page 72
• Device Discovery Overview on page 74
• Unmanaged Devices Overview on page 76
• Working With Managed Devices on page 77
• Working With Unmanaged Devices on page 78
• Working With Discovered Devices on page 78
Comparing Configuration Settings of Devices
You can compare the configuration of an SDG with any other SDG that is discovered. You
can contrast and view the configuration settings of a master device with another master
device in two SDG high availability pairs, of a standby device with another standby device,
or of a master and a standby device in the same SDG pair. You can compare the settings
of up to four devices simultaneously. After you select the desired device and initiate the
comparison operation, you can also add more devices until the maximum limit of four
devices is reached for comparison.
The services are displayed and the objects or components of each service instance are
also shown. You can filter and view a specified service component or the components
of all services. A red minus mark denotes that the particular parameter or element is not
available or configured on the specified device. A green tick mark denotes that the
particular parameter is available on the corresponding device. For attributes that can
contain values, the associated values are shown for the appropriate device. Otherwise,
for attributes that can either be disabled or enabled, the red minus icon or green tick icon
provides a graphical indication.
To compare the configuration settings of two or more devices:
1. From the View selector, select Gateway View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the task pane, select Services Gateways.
The Service Gateways page is displayed.
4. From the task pane, select the Managed Gateway option.
The list of managed SDGs appears.
5. Perform the following from the View pane:
a. Click the All Network item. The list of discovered SDG groups that contain devices
is displayed.
b. Click the + sign to expand the tree beside the SDG groups. At least two discovered
devices must be present for which you want to compare the services configured.
You must select the pair of devices within the SDG group.
c. Select the SDG device pair. The list of managed devices is displayed.
NOTE: You must select a minimum of two devices, if the SDG is not a
high availability pair of devices.
6. Select the Compare Configuration option from the task pane that displays the
configuration settings contrasted between the two devices you selected. The Compare
Configuration View page is displayed.
The list of service types is displayed in the leftmost column of the table.
Figure 7: Compare Configuration View Page
7. From the View drop-down list, select one of the following options:
• All Configs—Causes all of the services configurations to be displayed.
• ADC—Causes the application delivery service components to be displayed.
• TLB—Causes the traffic load balancer service components to be displayed.
• SFW—Causes the stateful firewall service components to be displayed.
• CGNAT—Causes the carrier-grade NAT service components to be displayed.
8. From the Select Devices list, select more devices up to the maximum limit of four
devices. Click the cross mark beside each selected device if you want to remove it
from the list, and select a different device instead.
9. Click the Compare Configuration icon adjacent to the Select Devices drop-down list.
The devices you select cause their configurations to be displayed on the page.
10. Click Refresh to refresh the displayed configuration. This action reads the device
configuration of the selected device, performs the comparison, and updates the display
to highlight the differences between the devices.
11. Click Close after you finish viewing the configuration comparison and to return to the
page that lists the devices.
Related Documentation
• Discovering Devices on page 83
• Exporting Managed Device Details to a CSV File on page 92
• Changing an Unmanaged Device to a Managed Device on page 93
• Modifying the SDG Group and KPI Templates for a Device on page 94
• Scheduling the Discovery of Devices on page 95
Exporting Managed Device Details to a CSV File
The Service Gateways—Managed Service Gateways page lists all of the devices that are
currently being controlled and provisioned by the Edge Services Director application. You
can export Service Now device data to CSV and Excel file formats. A CSV file is a plaintext
file that stores each data record separated by a comma. Choose this format if you want
to export the report data to a spreadsheet or other business application. The
Comma-Separated Values (CSV) format takes the raw data from the devices listing and
delineates the fields with commas so that it imports into popular spreadsheet programs.
To export the device data in CSV format:
1. From the View selector, select Gateway View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the View pane, select the All Network item in Gateway view.
4. Select Services Gateways from the task pane.
The Service Gateways page is displayed.
5. Select the Manage Service Gateways option.
The Service Gateways—Managed Service Gateways page appears with the list of
managed SDGs. If the SDGs are configured in a high availability pair, the details of
both the devices in the pair are exported.
6. Select the check box next to the managed SDG or SDG pair that you want to export
to a CSV file.
7. Click the Export Service Gateway Details icon.
The Export SDG dialog box is displayed.
8. Export the device inventory information to the CSV file. You can export information
about selected devices or export information about all of the devices managed by
Junos Space. Click either the Export Selected button or the Export All button to begin
creating the CSV file.
9. Download the resulting CSV file. Now that you have the CSV report, you can import
that CSV file into other applications such as those you use for asset management.
Related Documentation
• Discovering Devices on page 83
• Comparing Configuration Settings of Devices on page 89
• Changing an Unmanaged Device to a Managed Device on page 93
• Modifying the SDG Group and KPI Templates for a Device on page 94
• Scheduling the Discovery of Devices on page 95
Changing an Unmanaged Device to a Managed Device
The Service Gateways—Unmanaged Devices page lists all of the devices that are currently
not being controlled and provisioned by the Edge Services Director application. You can
enable management of such devices from Edge Services Director.
To convert an unmanaged device to a managed device:
1. From the View selector, select Gateway View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the View pane, select the All Network item in Gateway view.
4. Select Services Gateways from the task pane.
The Service Gateways page is displayed.
5. Select the Unmanaged Gateway option.
The list of unmanaged SDGs appears.
6. Select the check box next to the unmanaged SDG that you want to bring under Edge
Services Director administration.
7. Click the Manage Service Gateways icon.
The Manage Service Gateway dialog box is displayed, with the SDG name and
description of the SDG displayed in the respective fields.
8. From the Service Gateway Group list, select the SDG group with which you want to
associate the SDG to be managed. Alternatively, click the green plus sign (+) beside
the list to create a new SDG group. For more information, see “Creating Service
Gateway Groups” on page 96.
9. From the KPI list, select the KPI template to be associated with the selected SDG.
Alternatively, click the green plus sign (+) beside the list to create a new KPI template
by modeling it on an existing, system-defined KPI template. For more information,
see “Cloning a KPI Template” on page 117.
10. Click the Apply button to save the settings.
An informational message is displayed stating that the settings are successfully
applied to the selected device.
11. Click the Manage button to classify the device as a managed device.
The Manage Status dialog box is displayed with the name of the SDG device and the
status.
The device becomes a managed device and is removed from the unmanaged devices
listing. The device is added to the list of managed devices.
12. Select the Auto Refresh check box at the bottom of the Service Gateways—Unmanaged
Devices page to indicate that the page needs to be refreshed
automatically. The default value is three seconds. When you deselect this check box,
the page is not refreshed periodically by itself; instead you can click the Refresh icon
to update the page contents for viewing. Also, when you deselect the auto-refresh
functionality, a message is displayed to denote that auto-refresh is turned off and of
the number of updates that have not been viewed since the last refresh operation.
The date and time at which the page was last updated is shown.
Related Documentation
• Discovering Devices on page 83
• Comparing Configuration Settings of Devices on page 89
• Exporting Managed Device Details to a CSV File on page 92
• Modifying the SDG Group and KPI Templates for a Device on page 94
• Scheduling the Discovery of Devices on page 95
Modifying the SDG Group and KPI Templates for a Device
The Service Gateways—Managed Service Gateways page lists all of the devices that are
currently being controlled and provisioned by the Edge Services Director application. You
can modify the KPI template and the SDG group that are mapped to the standalone SDG
or the high availability pair of SDGs.
To modify the SDG details:
1. From the View selector, select Gateway View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the View pane, select the All Network item in Gateway view. You can also click
the plus sign (+) beside the All Network item in the View pane to expand the tree and
select the device node you want.
4. From the task pane, select Services Gateways.
The Service Gateways page is displayed.
5. Select the Manage Service Gateways option.
The list of managed SDGs appears. If the SDGs are configured in a high availability
pair, the details of both the devices in the pair are exported.
6. Select the check box next to the managed SDG or SDG pair that you want to modify.
The SDG is available for modification.
7. Click the down arrow in the Modify button at the top of the table of managed SDGs
that are listed, and select Service Gateway.
The Modify Service Gateway dialog box is displayed.
8. In the Description field, edit the user-defined comment or description as needed.
9. From the SDG Group and KPI Template lists, select the SDG group and KPI template
you want to associate the SDGs with.
10. Click Modify to save the edited settings.
Related Documentation
• Discovering Devices on page 83
• Comparing Configuration Settings of Devices on page 89
• Exporting Managed Device Details to a CSV File on page 92
• Changing an Unmanaged Device to a Managed Device on page 93
• Scheduling the Discovery of Devices on page 95
Scheduling the Discovery of Devices
The Discovery Profiles page displays the discovery jobs that you have previously created.
After you specify a discovery profile that contains the list of devices or SDG hosts that
need to be retrieved and added to the Edge Services Director database to facilitate easier
administration, you must configure the discovery operation. You can choose to discover
the devices immediately or to plan for the discovery to happen at a specified future time.
To specify the scheduling details for discovering devices:
1. From the View selector, select Gateway View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the View pane, select the All Network item in Gateway view.
4. From the task pane, select Services Gateways.
The Service Gateways page is displayed.
5. Select the Discover Gateway option.
The list of discovery profiles appears.
6. Select the check box next to the discovery profile that you want to schedule for
discovering devices.
7. Click Discover Device(s) Now above the table of displayed profiles if you want to
discover the devices immediately. A dialog box confirming that discovery has been
initiated is displayed.
8. Alternatively, click Discover Device(s) Later if you want to schedule the device discovery
for a future time. If you select schedule at a later time, specify the date and time to
run the device discovery. The calendar picker and the drop-down list for selection of
time are displayed beside the Discover Device(s) Later button.
Select a date from the calendar and the time from the list. The time is shown in
increments of 15 minutes from 12:00 AM - 11:45 PM.
NOTE: The selected time in the scheduler corresponds to Junos Space
server time but is mapped to the local time zone of the client computer.
9. Click the Schedule button. The discovery process occurs at the designated time on
the specified day.
After you have configured the device discovery options, you can view the device
discovery status from the Service Gateways page with the Discover Devices view.
Related Documentation
• Discovering Devices on page 83
• Comparing Configuration Settings of Devices on page 89
• Exporting Managed Device Details to a CSV File on page 92
• Changing an Unmanaged Device to a Managed Device on page 93
• Modifying the SDG Group and KPI Templates for a Device on page 94
Creating Service Gateway Groups
A service delivery gateway (SDG) device can be combined into a group of devices for
easier and streamlined administration. You can create an SDG group for a particular
domain or zone in your network, or for any logical bundling that is needed.
The Service Gateway Groups page displays all of the created SDG groups.
To create an SDG group:
1. From the View selector, select Gateway View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the View pane, select the All Network item in Gateway view.
4. Select Services Gateway > Groups from the task pane.
The Service Gateway Groups page is displayed.
Figure 8: Service Gateway Groups Page
5. Click the Add icon.
The Create SDG Group dialog box appears.
6. In the Name field, enter a unique name for the template (limit of 63 alphanumeric
characters without spaces).
7. (Optional) Enter a description of the template in the Description field (limit of 255
characters).
8. Click Create to save the SDG group and return to the page that displays all the
configured groups.
Related Documentation
• Managing Service Gateway Groups on page 97
• Searching Unmanaged Devices on page 101
• Viewing the List of Discovered, Managed, and Unmanaged Devices on page 102
• Changing a Managed Device to an Unmanaged Device on page 109
• Modifying Discovery Profiles on page 110
• Deleting Discovery Profiles on page 111
Managing Service Gateway Groups
A service delivery gateway (SDG) device can be combined into a group of devices for
easier and streamlined administration. You can create an SDG group for a particular
domain or zone in your network, or for any logical bundling that is needed. When you
modify the details of a managed device, you can change the SDG group that is assigned
to it. The listing of SDG groups provides you with an agglomerative view of all the SDGs
present in a particular group at a point in time.
The Service Gateway Groups page displays all of the created SDG groups. You can
perform the following tasks on this page:
• Create SDG groups
• Delete SDG groups (You cannot delete the default group named Default-Group.)
• Search SDG groups
To view the configured SDG groups:
1. From the View selector, select Gateway View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the View pane, select the All Network item in Gateway view.
4. Select Services Gateway > Groups from the task pane.
The Service Gateway Groups page is displayed.
The top half of the page displays a bar chart. The SDG names are displayed on the
horizontal axis and the count of SDGs is displayed on the vertical axis. A color-coding
format is used to represent the bars on the chart. Mouse over each bar in the chart to
highlight and display the SDG name.
The following fields are displayed in the lower half of the page:
Field: Description
Name: Unique name of the SDG group.
Description: User-defined description of the SDG group.
Created By: Name of the user that created the SDG group.
Created Time: Date and time at which the SDG group was created.
Modified Time: Date and time at which the SDG group was last updated.
Related Documentation
• Creating Service Gateway Groups on page 96
• Searching Unmanaged Devices on page 101
• Viewing the List of Discovered, Managed, and Unmanaged Devices on page 102
• Changing a Managed Device to an Unmanaged Device on page 109
• Modifying Discovery Profiles on page 110
• Deleting Discovery Profiles on page 111
Viewing the Service Gateway Details
You can view the details of managed SDGs, such as the Junos OS version running on the
device and the model number of the device, and the names and types of different services,
such as ADC, TLB, stateful firewall, and CGNAT, on the managed SDGs. The high-level
view you can obtain enables you to examine the existing system configuration and services
on a device and modify them according to your topology needs by navigating to the
gateway and service workspaces.
To view the details of managed service gateways:
1. From the View selector, select Gateway View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the View pane, select the All Network item. Expand the tree to select the SDG
in an SDG group.
4. From the task pane, select Services Gateways.
The Service Gateways page is displayed.
5. From the task pane, select the Managed Gateway option.
The list of managed SDGs appears.
6. In the main window, click the plus sign (+) next to the SDG pairs to expand the tree
and view the pair of devices in the SDG group or pair. Select the check box next to the
individual SDG for which you want to view the device details.
The Service Gateway Details page is displayed.
Figure 9: Service Gateway Details Page
Table 23 on page 100 describes the fields displayed on the Service Gateway Details
page.
Table 23: Fields on the Service Gateway Details Page
Field: Description
Name: Hostnames of the SDGs in the SDG group.
Description: User-defined description of the SDG group.
Service Gateway Group: Name of the SDG group.
KPI Template: Name of the KPI template associated with the SDG.
Host Name: Hostname of the device.
Version: Software version the device is running.
IP Address: IP address configured for the device.
Platform: Model number of the device.
Connection Status: Device’s state:
• UP—Edge Services Director can communicate with the device.
• DOWN—Edge Services Director cannot communicate with the device.
Services: Displays the details of configured services.
Name: Name of the service configured on the SDG.
Type: Type of the service configured on the SDG, such as ADC, TLB,
stateful firewall, or CGNAT.
Service Pic: Services PIC and interface details, such as multiservices PIC or
adaptive services PIC with the FPC slot, PIC, and port attributes.
7. Click Close after you finish viewing the gateway details.
Related Documentation
• Discovering Devices on page 83
• Exporting Managed Device Details to a CSV File on page 92
• Changing an Unmanaged Device to a Managed Device on page 93
• Modifying the SDG Group and KPI Templates for a Device on page 94
• Scheduling the Discovery of Devices on page 95
Searching Unmanaged Devices
The Service Gateways—Unmanaged Devices page lists all of the devices that are not
currently being controlled and provisioned by the Edge Services Director application. Use
the search mechanism to filter and isolate information about a specific device. Use this
facility to specify complex sorting and filtering criteria for all devices.
The search functionality helps you find a discovered device in the available list,
based on criteria such as Node Name, IP Address, Service available, and HA State.
The search utility also supports wildcards. For example, you can
search and sort devices of the same platform type or OS version.
To search and filter discovered devices:
1. From the View selector, select Gateway View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the View pane, select the All Network item in Gateway view.
4. Select Services Gateways from the task pane.
The Service Gateways page is displayed.
5. Click the Unmanaged Devices button.
The list of unmanaged SDGs that have been discovered appears.
6. Click the double right arrow icon to the far right of the screen in the line of toolbar
icons.
The Search drop-down list and Name field are displayed.
7. Enter the search criteria by selecting the parameter that you want to use to filter in
the Search list. You can select one of the following values:
• Host Name
• IP Address
• Platform Type
• Version
• HA State
Enter the value for the search parameter you selected in the text field adjacent to the
drop-down list, and click the magnifying glass icon.
The page refreshes to display the devices that match the specified criterion.
8. To save the search criterion you specified for future purposes, enter a name for the
search in the Name drop-down list and click the Save icon (floppy drive icon) to save
the search filter.
You can also edit or delete the search filters by selecting them from the Name
drop-down list and clicking the Edit or Delete icons respectively.
Related Documentation
• Creating Service Gateway Groups on page 96
• Managing Service Gateway Groups on page 97
• Viewing the List of Discovered, Managed, and Unmanaged Devices on page 102
• Changing a Managed Device to an Unmanaged Device on page 109
• Modifying Discovery Profiles on page 110
• Deleting Discovery Profiles on page 111
Viewing the List of Discovered, Managed, and Unmanaged Devices
There are three types of views displayed on the Service Gateways page, depending on
whether you select the Discover Devices, Unmanaged Devices, or Manage Service Gateways
button. These views enable you to examine the discovery profiles, devices managed by
Edge Services Director, and SDGs that are not currently managed.
To view the list of discovered, managed, and unmanaged devices:
1. From the View selector, select Gateway View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the View pane, select the All Network item in Gateway view.
4. Select Services Gateways from the task pane. The Service Gateways page is displayed.
5. Select the Discover Gateway option.
The Service Gateways—Discovered Devices view is displayed. The following table
describes the fields in this view:
Field: Description
Discovery Profile: Unique name of the discovery profile.
Description: User-defined description of the profile.
Created By: Name of the user that created the profile.
Created Time: Date and time at which the profile was first created.
Modified Time: Date and time at which the profile was last updated.
Last Execution Status: Status of the last discovery process performed for a profile. This column
indicates whether the discovery was completed or aborted.
Click the link in this column to view extensive details about a discovery profile.
The DiscoveryProfileName: Last Execution Status window appears. The
Discovery Profile -- Last Execution Status window is divided into two panes.
The top half of the page displays a bar chart that denotes the number of
devices in each of the states during their discovery and process of addition to
the Edge Services Manager database. The x-axis displays the different states
of the devices during the discovery process and the y-axis denotes the number
of devices corresponding to each state. Mouse over the different segments of
the bar chart to highlight and view the total number of devices in each state.
Click any of the states in the color-coding legend box to show only the details
pertaining to that state in the table beneath the graph. The
following color-coding legend denotes the devices in the different states:
• Dark green—Denotes the devices that are already added and managed by
Edge Services Director.
• Light green—Denotes the devices for which discovery succeeded.
• Yellow—Denotes the devices for which discovery is in progress.
• Red—Denotes the devices for which discovery failed.
• Dark orange—Denotes the devices for which synchronization failed.
• Light orange–Denotes the devices for which a timeout has occurred in the
connection from Edge Services Director.
• Pink—Denotes the devices for which discovery is skipped.
See Table 24 on page 104 for a description of the fields shown in the table of
this dialog box.
In Progress: Indicates whether a discovery job is currently running.
Scheduled: Indicates whether a discovery is scheduled for a future time.
Table 24: Fields in the Last Execution Status Dialog Box
Field: Description
Host Name: Device name
IP Address: IP address
Description: User-defined description of the profile
Status: Indicates whether the device’s configuration is in sync with Edge Services
Director’s version:
• Already Added—Denotes that the device has been discovered and is
currently being managed.
• Succeeded—Denotes the devices for which discovery succeeded.
• Discovered—Denotes the devices that have been discovered and retrieved.
• Failed—Denotes the devices for which discovery failed.
• Sync Failed—Denotes devices for which synchronization of the device
configuration with the Edge Services Director database failed.
• Timedout—Denotes devices for which the establishment of connection from
Edge Services Director to the devices failed because a timeout occurred.
• Skipped—Denotes devices that were not discovered and were skipped from
being brought into Edge Services Director again because no configuration
setting changes were observed on such devices.
6. Select the Unmanaged Devices option beneath Service Gateways in the task pane.
The Service Gateways—Unmanaged devices view is displayed. The following fields
are displayed in this view:
Field: Description
Host Name: Host name of the device.
Version: Software version the device is running.
IP Address: IP address configured for the device.
Device Family: Device family to which the device belongs. Hardware family such as Junos
OS is displayed.
Platform: Model number of the device.
Current HA Status: Present high availability status that indicates if the SDGs are configured in
a redundancy pair. It denotes whether the device is a master or a standby
device.
NOTE: Not applicable for devices that are not in a high availability pair.
Deployment HA Status: High availability status after deployment that indicates if the SDGs are
configured in a redundancy pair. It denotes whether the device is a master
or a standby device.
NOTE: Not applicable for devices that are not in a high availability pair.
Connection Status: Device’s state:
• UP—Edge Services Director can communicate with the device.
• DOWN—Edge Services Director cannot communicate with the device.
Peer IP: IP address of the peer device in a redundancy group.
ADC: Whether the ADC service is configured. A tick mark indicates the service is
configured, and a gray minus sign indicates the service is unavailable.
TLB: Whether the TLB service is configured. A tick mark indicates the service is
configured, and a gray minus sign indicates the service is unavailable.
CGNAT: Whether the CGNAT service is configured. A tick mark indicates the service
is configured, and a gray minus sign indicates the service is unavailable.
SFW: Whether the stateful firewall service is configured. A tick mark indicates the
service is configured, and a gray minus sign indicates the service is
unavailable.
Routing Instance: Whether the routing instance is configured. A tick mark indicates the service
is configured, and a gray minus sign indicates the service is unavailable.
Managed Status: Indicates whether the device’s configuration is in sync with Edge Services
Director’s version:
• Connecting—The device is being contacted to establish a connection.
• In Sync—The configuration on the device is in sync with the Edge Services
Director configuration for the device.
• Out Of Sync—The configuration on the device does not match the Edge
Services Director configuration for the device. This state is usually the
result of the device configuration being altered outside of Edge Services
Director.
You cannot deploy configuration on a device when the device is Out Of
Sync. To resolve this state, use the Resynchronize Device Configuration
task in Deploy mode.
• Synchronizing—The device configuration is in the process of being
resynchronized.
• Sync failed—An attempt to resynchronize an Out Of Sync device failed.
Select the Auto Refresh check box at the bottom of the Service Gateways—Unmanaged
devices page to indicate that the page needs to be refreshed
automatically. The default value is three seconds. When you deselect this check box,
the page is not refreshed periodically by itself; instead you can click the Refresh icon
to update the page contents for viewing. Also, when you deselect the auto-refresh
functionality, a message is displayed to denote that auto-refresh is turned off and to
show the number of updates that have not been viewed since the last refresh operation.
The date and time at which the page was last updated is shown.
7. Select the Managed Service Gateways option beneath Service Gateways from the
task pane.
The Service Gateways—Managed Service Gateways view is displayed. The following
fields are displayed in this view:
Field: Description
Name: Host names of the devices in an SDG high availability pair or the standalone
SDG device.
Service Gateway Group: Name of the SDG group associated with the device.
KPI Template: Name of the KPI template associated with the SDG.
Host Name: Host name of the device.
Version: Software version the device is running.
IP Address: IP address configured for the device.
Platform: Model number of the device.
Current HA Status: High availability status that indicates if the SDGs are configured in a
redundancy pair. It denotes whether the device is a master or a standby device.
NOTE: Not applicable for devices that are not in a high availability pair.
PM Status: Whether the performance management utility is running and statistical
counters are being computed. If this field indicates Managed, it denotes that
performance management is successfully operating on the device.
NOTE: If the PM Status field denotes a value that is other than Managed, you
might need to examine the device and services settings to take the required
corrective action for performance management to work properly. For example,
you might need to change the device to unmanaged and perform
troubleshooting.
PM Job Status: Whether the jobs to retrieve counters and values from devices to display
performance management statistics are running. If this field indicates a value
other than Running, you might need to stop the PM collection utility, rectify
the settings, and restart the PM collection utility.
ADC: Whether the ADC service is configured. A tick mark indicates the service is
configured, and a gray minus sign indicates the service is unavailable.
TLB: Whether the TLB service is configured. A tick mark indicates the service is
configured, and a gray minus sign indicates the service is unavailable.
CGNAT: Whether the CGNAT service is configured. A tick mark indicates the service
is configured, and a gray minus sign indicates the service is unavailable.
SFW: Whether the stateful firewall service is configured. A tick mark indicates the
service is configured, and a gray minus sign indicates the service is unavailable.
Connection Status: Device’s state:
• UP—Edge Services Director can communicate with the device.
• DOWN—Edge Services Director cannot communicate with the device.
Managed Status: Indicates whether the device’s configuration is in sync with Edge Services
Director’s version:
• Connecting—The device is being contacted to establish a connection.
• In Sync—The configuration on the device is in sync with the Edge Services
Director configuration for the device.
• Out Of Sync—The configuration on the device does not match the Edge
Services Director configuration for the device. This state is usually the result
of the device configuration being altered outside of Edge Services Director.
You cannot deploy configuration on a device when the device is Out Of
Sync. To resolve this state, use the Resynchronize Device Configuration
task in Deploy mode.
• Synchronizing—The device configuration is in the process of being
resynchronized.
• Sync failed—An attempt to resynchronize an Out Of Sync device failed.
NOTE: After you bring a device under the control and provisioning of Edge
Services Director, you might need to define services and policy filters, and
modify certain configuration settings of the managed devices, before you
start the collection of performance management (PM) statistics
and counters. You can select a device or the high availability pair of SDGs,
and select Start PM Collection. An information message is displayed to
indicate that the retrieval of monitoring details started successfully.
Otherwise, an error message denotes a failure in the attempt to
start collection of monitoring information. By default, retrieval and
computation of statistics is enabled. You can terminate the collection of
PM statistics at any time by selecting a device or pair of devices, and
selecting Stop PM Collection. The option to start and stop collection of
monitoring statistics is a toggle button. Alternatively, to change a managed
device to be unmanaged and remove it from the administration and
monitoring of Edge Services Director, you can also right-click a device or
a high availability pair of SDGs in the list of devices that are displayed in
the Managed Service Gateways page, and select Stop Managing.
Related Documentation
• Creating Service Gateway Groups on page 96
• Managing Service Gateway Groups on page 97
• Searching Unmanaged Devices on page 101
• Changing a Managed Device to an Unmanaged Device on page 109
• Modifying Discovery Profiles on page 110
• Deleting Discovery Profiles on page 111
Changing a Managed Device to an Unmanaged Device
The Service Gateways—Managed Service Gateways page lists all of the devices that are
currently being controlled and provisioned by the Edge Services Director application. You
can remove the management of such devices from Edge Services Director. For example,
in a certain deployment, you might require certain device characteristics to be separately
configured without a bulk application of settings. In such a case, you can mark the device
as unmanaged, perform the configurations manually using the device CLI interface, and
later decide to add it to the managed devices.
To convert a managed device to an unmanaged device:
1. From the View selector, select Gateway View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the View pane, select the All Network item in Gateway view.
4. Click the Manage Service Gateways button.
The list of managed SDGs appears. If the SDGs are configured in a high availability
pair, an attempt to unmanage such SDGs causes both the master and standby devices
in the redundancy group to become unmanaged.
NOTE: After you bring a device under the control and provisioning of Edge
Services Director, you might need to define services and policy filters, and
modify certain configuration settings of the managed devices, before you
start the collection of performance management (PM) statistics
and counters. You can right-click a device or the high availability pair of
SDGs, and select Start PM Collection. An information message is displayed
to indicate that the retrieval of monitoring details started successfully.
Otherwise, an error message denotes a failure in the attempt to
start collection of monitoring information. By default, retrieval and
computation of statistics is enabled. You can terminate the collection of
PM statistics at any time by right-clicking a device or pair of devices, and
selecting Stop PM Collection. The option to start and stop collection of
monitoring statistics is a toggle button. Alternatively, to change a managed
device to be unmanaged and remove it from the administration and
monitoring of Edge Services Director, you can also right-click a device or
a high availability pair of SDGs in the list of devices that are displayed in
the Managed Service Gateways page, and select Stop Managing.
5. Select the check box next to the managed SDG or SDG pair that you want to remove
from Edge Services Director administration.
6. Click the Unmanage Service Gateway icon.
The device becomes an unmanaged device and is removed from the managed devices
listing. The device is added to the list of unmanaged devices.
Related Documentation
• Creating Service Gateway Groups on page 96
• Managing Service Gateway Groups on page 97
• Searching Unmanaged Devices on page 101
• Viewing the List of Discovered, Managed, and Unmanaged Devices on page 102
• Modifying Discovery Profiles on page 110
• Deleting Discovery Profiles on page 111
Modifying Discovery Profiles
The Discovery Profiles page displays the discovery jobs that you have previously created.
You can edit the properties of a discovery profile, such as adding more devices into a job
or updating the SNMP settings.
To modify a configured discovery profile:
1. From the View selector, select Gateway View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the View selector, select Gateway View or Device View. The workspaces that
are available in this view are displayed. The Gateway view displays the service delivery
gateway (SDG) groups and the SDGs that are part of the high availability pair in an
SDG group. The Device view displays the SDGs based on the device type, and within
the device type, the devices are organized by the device model. For example, all models
of MX960 routers are grouped together under one node in the tree.
4. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
5. From the View pane, select the All Network item in Gateway view. If you are in Device
view, click the plus sign (+) beside the My Network item in the View pane to expand
the tree and select the device node you want.
6. From the task pane in Gateway view, select Services Gateways.
The Service Gateways page is displayed.
NOTE: Alternatively, you can select Device View from the View selector,
click the Build icon on the banner, and select Discover Devices from the
task pane to open the Discovery Profiles window to discover and manage
devices.
7. Select the Discover Gateway option in Gateway view. Alternatively, in Device view,
select the Discover Devices option from the task pane.
8. Select the check box next to the discovery profile that you want to modify.
9. Click the pencil icon above the table of discovery profiles to modify the selected profile.
The Discovery Profile window appears.
10. Modify or add the discovery profile properties by clicking the plus sign or the pencil
icon in the IP Details, SNMP Details, and User Details tables.
11. After you finish modifying all the necessary settings, click Save to save the modified
profile in the database.
Related Documentation
• Creating Service Gateway Groups on page 96
• Managing Service Gateway Groups on page 97
• Searching Unmanaged Devices on page 101
• Viewing the List of Discovered, Managed, and Unmanaged Devices on page 102
• Changing a Managed Device to an Unmanaged Device on page 109
• Deleting Discovery Profiles on page 111
Deleting Discovery Profiles
The Discovery Profiles page displays the discovery jobs that you have previously created.
You can delete a discovery profile if you do not need it for discovering devices.
To delete a configured discovery profile:
1. From the View selector, select Gateway View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. Select Services Gateways from the task pane in Gateway view. Alternatively, select
Device Discovery from the task pane in Device view.
The Service Gateways page is displayed.
4. Select the Discover Gateway option in Gateway view. Else, select the Discover Devices
option in Device view.
The list of discovery profiles is displayed.
5. Select the check box next to the discovery profile that you want to delete.
6. Click the red minus (-) icon above the table of listed templates. You are prompted to
confirm the deletion.
7. Click OK to confirm the deletion. The corresponding profile is removed.
Related Documentation
• Creating Service Gateway Groups on page 96
• Managing Service Gateway Groups on page 97
• Searching Unmanaged Devices on page 101
• Viewing the List of Discovered, Managed, and Unmanaged Devices on page 102
• Changing a Managed Device to an Unmanaged Device on page 109
• Modifying Discovery Profiles on page 110
Systems of Record in Junos Space Overview
Although by default the Junos Space network you are administering is the system of
record (SOR)—each device defines its own official state—you may prefer to have the
Junos Space Network Management Platform database contain the official state of the
network, enabling you to restore that official state if unwanted out-of-band changes are
made to a device. This feature enables you to designate Junos Space Network
Management Platform as the SOR if you prefer.
• Systems of Record on page 112
• Implications on device management on page 113
Systems of Record
A network managed by Junos Space Network Management Platform contains two
repositories of information about the devices in the network: the devices themselves
(each device defines and reports its official state) and the Junos Space Network
Management Platform database (which contains information that is reported by the
device during device discovery). One of these repositories must have precedence over
the other as the accepted desirable state. By default, the network itself is the system of
record (NSOR).
In NSOR, when a local user commits a change in the configuration of a network device,
the commit operation triggers a report via system log to Junos Space Network
Management Platform. The values in the Junos Space Network Management Platform
database are automatically changed to match the new device values, and the timestamps
are synchronized. Thus the devices control the contents of the database.
As of version 12.2, you can designate the Junos Space Network Management Platform
database values as having precedence over any values configured locally at a device. In
this scenario, Junos Space Network Management Platform (database) is the system of
record (SSOR). It contains the configurations that the Junos Space administrator considers
best for the network devices. If an out-of-band commit operation is executed on a network
device, Junos Space Network Management Platform receives a system log message, but
the values in the Junos Space Network Management Platform database are not
automatically changed or synchronized. Instead, the administrator can choose whether
or not to overwrite the device's local changes by pushing the accepted configuration to
the device from the Junos Space Network Management Platform database.
The choice of pushing the Junos Space Network Management Platform configuration is
left to the administrator because the local device changes may, for example, be part of
a temporary test that the administrator would not want to interrupt. However, if the
tester forgets to reset the configuration at the end of the test, the administrator might
then push the SSOR configuration to the device.
Implications on device management
The basic difference between NSOR and SSOR lies in whether or not the Junos Space
Network Management Platform database is automatically synchronized when changes
are made to a network device, and which set of values has precedence.
Setting the Junos Space Network Management Platform database as the system of
record does not protect your network from local changes. The device notifies Junos Space
Network Management Platform via system log when the changes occur, and it does not
resynchronize, so you still have the previous configuration and you can reset the remote
device quickly if you need to do so. In an NSOR scenario, Junos Space Network
Management Platform is also notified via system log. You can still push a more desirable
configuration to the device, but this process is less efficient.
In the NSOR scenario, you can disable automatic resynchronization. When
automatic resynchronization is turned off, the server continues to receive notifications and
goes into the out-of-sync state; however, automatic resynchronization does not run on the
device. You can manually resynchronize a device in such a case.
NSOR with automatic resynchronization disabled is not equivalent to SSOR: manually
resynchronizing under NSOR updates the values in the Junos Space Network Management
Platform database to reflect those on the device. This never happens under SSOR, where
the Junos Space Network Management Platform database values have precedence over
the device values, and synchronizing them involves pushing the database values to the
device, effectively resetting the device’s out-of-band changes.
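The reactions to an out-of-band commit described above, modelled as a small state machine. This is an added illustration, not Junos Space code: the class and method names, the device name, and the configuration keys and values are all assumptions; only the NSOR and SSOR behaviour follows the text.

```python
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    NSOR = "network is the system of record"
    SSOR = "Junos Space database is the system of record"


@dataclass
class ManagedDevice:
    name: str
    device_config: dict                      # values committed on the device
    db_config: dict                          # values held in the platform database
    in_sync: bool = True
    audit: list = field(default_factory=list)


class Platform:
    """Hypothetical stand-in for the platform's reaction to device commits."""

    def __init__(self, mode, auto_resync=True):
        self.mode = mode
        # Automatic resynchronization only exists in the NSOR scenario.
        self.auto_resync = auto_resync and mode is Mode.NSOR

    def on_commit_syslog(self, dev, changes):
        """Local commit on the device; the syslog report arrives in both modes."""
        dev.device_config.update(changes)
        dev.audit.append(("syslog: out-of-band commit", sorted(changes)))
        if self.auto_resync:
            self._copy_device_to_db(dev, "automatic resynchronization")
        else:
            dev.in_sync = False              # database keeps the previous values

    def drift(self, dev):
        """Keys whose device value differs from the database: {key: (db, device)}."""
        keys = set(dev.db_config) | set(dev.device_config)
        return {k: (dev.db_config.get(k), dev.device_config.get(k))
                for k in sorted(keys)
                if dev.db_config.get(k) != dev.device_config.get(k)}

    def resynchronize(self, dev):
        """Manual resync: the database takes the device values (never under SSOR)."""
        if self.mode is Mode.SSOR:
            raise PermissionError("resynchronization is not available under SSOR")
        self._copy_device_to_db(dev, "manual resynchronization")

    def push_accepted_config(self, dev):
        """Administrator's choice: overwrite the device with the database values."""
        dev.device_config = dict(dev.db_config)
        dev.in_sync = True
        dev.audit.append(("push from database", []))

    def _copy_device_to_db(self, dev, reason):
        dev.db_config = dict(dev.device_config)
        dev.in_sync = True
        dev.audit.append((reason, []))


# Constructed sample values, not taken from any real device.
ACCEPTED = {"ntp-server": "192.0.2.10", "telnet": "disabled"}
LOCAL_CHANGE = {"telnet": "enabled"}


def run(mode, auto_resync=True):
    """Apply one out-of-band commit and return the platform and device state."""
    platform = Platform(mode, auto_resync)
    dev = ManagedDevice("sdg-1", dict(ACCEPTED), dict(ACCEPTED))
    platform.on_commit_syslog(dev, dict(LOCAL_CHANGE))
    return platform, dev


if __name__ == "__main__":
    for mode, auto in [(Mode.NSOR, True), (Mode.NSOR, False), (Mode.SSOR, True)]:
        platform, dev = run(mode, auto)
        print(mode.name, "auto-resync" if platform.auto_resync else "no auto-resync",
              "in_sync =", dev.in_sync, "drift =", platform.drift(dev))
```

Only in the two cases where the database is not overwritten does `drift()` still show what the local commit changed, which is what lets the administrator review it before deciding to resynchronize or push.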
Related Documentation
• Resynchronizing Managed SDGs with the Network on page 113
Resynchronizing Managed SDGs with the Network
If the network is the system of record, you can resynchronize a managed device at any
time. For example, when a managed device is updated by a device administrator from
the device's native GUI or CLI, you can resynchronize the device configuration in the Junos
Space Network Management Platform database with the physical device. (If Junos Space
Network Management Platform is the system of record, this capability is not available.)
To resynchronize a device:
1. From the View selector, select Gateway View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. Do either of the following:
• Select Services Gateways > Unmanaged Gateway from the task pane. The
Unmanaged Devices page is displayed.
• Select Services Gateways > Managed Gateway from the task pane. The Managed
Devices page is displayed.
4. Select the devices you want to resynchronize and click the Re-synch Hosts button above
the table of listed service delivery gateways (SDGs) or SDG pairs.
The Resynchronize Devices pop-up window is displayed.
5. Click Confirm.
When a resynchronization job is scheduled to run but another resynchronization job
on the same device is in progress, Junos Space Network Management Platform delays
the scheduled resynchronization job. The time delay is determined by the damper
interval that you set from the application workspace. By default the time delay is 20
seconds. The scheduled job is delayed as long as the other resynchronization job to
the same device is in progress. When the job that is currently running finishes, the
scheduled resynchronization job starts.
NOTE: You can check whether a managed device was resynchronized with
the network, from the Job Details page. To go to the Job Details page,
double-click the ID of the resynchronization job on the Job Management page.
The Description column on this page specifies whether the managed device
was resynchronized with the network. If the managed device was not
resynchronized with the network, the column lists the reason for failure.
Related Documentation
• Viewing the Device Inventory Page in Device View of Edge Services Director on page 170
• Resynchronizing Device Configuration on page 322
• Systems of Record in Junos Space Overview on page 112
CHAPTER 8
Managing KPI Templates
• Understanding Measurement Points, Key Performance Indicators, and Baseline Values on page 115
• Cloning a KPI Template on page 117
• Deleting KPI Templates on page 124
• Managing KPI Templates on page 125
• Viewing KPI Templates on page 126
• Modifying a KPI Template Associated with a Service Gateway on page 127
Understanding Measurement Points, Key Performance Indicators, and Baseline Values
This chapter topic provides guidelines for monitoring the service quality of an IP network.
It describes how service providers and network administrators can use information
provided by Juniper Networks routers to monitor network performance and capacity. You
should have a thorough understanding of the SNMP and the associated MIB supported
by Junos OS.
NOTE: For a good introduction to the process of monitoring an IP network,
see RFC 2330, Framework for IP Performance Metrics.
This topic contains the following sections:
• Measurement Points on page 115
• Basic Key Performance Indicators on page 116
• Setting Baselines on page 116
Measurement Points
Defining the measurement points where metrics are measured is as important
as defining the metrics themselves. This section describes measurement points within
the context of this chapter and helps identify where measurements can be taken from
a service provider network. It is important to understand exactly where a measurement
point is. Measurement points are vital to understanding the implication of what the actual
measurement means.
An IP network consists of a collection of routers connected by physical links that are all
running the Internet Protocol. You can view the network as a collection of routers with
an ingress (entry) point and an egress (exit) point. See Figure 10 on page 116.
• Network-centric measurements are taken at measurement points that most closely
map to the ingress and egress points for the network itself. For example, to measure
delay across the provider network from Site A to Site B, the measurement points should
be the ingress point to the provider network at Site A and the egress point at Site B.
• Router-centric measurements are taken directly from the routers themselves, but be
careful to ensure that the correct router subcomponents have been identified in
advance.
Figure 10: Network Entry Points
NOTE: Figure 10 on page 116 does not show the client networks at customer
premises, but they would be located on either side of the ingress and egress
points. Although this chapter does not discuss how to measure network
services as perceived by these client networks, you can use measurements
taken for the service provider network as input into such calculations.
Basic Key Performance Indicators
For example, you could monitor a service provider network for three basic key performance
indicators (KPIs):
• Availability measures the “reachability” of one measurement point from another
measurement point at the network layer (for example, using ICMP ping). The underlying
routing and transport infrastructure of the provider network will support the availability
measurements, with failures highlighted as unavailability.
• Health measures the number and type of errors that are occurring on the provider
network, and can consist of both router-centric and network-centric measurements,
such as hardware failures or packet loss.
• Performance of the provider network measures how well it can support IP services (for
example, in terms of delay or utilization).
Setting Baselines
How well is the provider network performing? We recommend an initial three-month
period of monitoring to identify a network’s normal operational parameters. With this
information, you can recognize exceptions and identify abnormal behavior. You should
continue baseline monitoring for the lifetime of each measured metric. Over time, you
must be able to recognize performance trends and growth patterns.
Within the context of this chapter, many of the metrics identified do not have an allowable
operational range associated with them. In most cases, you cannot identify the allowable
operational range until you have determined a baseline for the actual variable on a specific
network.
Related Documentation
• Cloning a KPI Template on page 117
• Deleting KPI Templates on page 124
• Managing KPI Templates on page 125
• Viewing KPI Templates on page 126
Cloning a KPI Template
You clone a template definition to quickly create a new template definition with a new
name but the same properties. To modify a template definition without disabling templates
based upon that definition, first clone the definition, then modify the clone.
1. From the View selector, select Gateway View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the View pane, select the All Network item in Gateway view.
4. From the task pane, select KPI Templates.
The KPI Templates page is displayed.
NOTE: You can search for a specific template by entering the search
criteria in the search field, in the table above the list of displayed templates.
You can also search the templates based on the SDG, host, or SDG group.
5. Select the template you want to clone.
The Clone KPI Template dialog box is displayed.
Figure 11: Clone KPI Template Window
6. In the Name field, type a user-defined template definition name. A template definition
name cannot exceed 128 characters and can contain only letters, numbers, spaces,
and some special characters. The special characters allowed are hyphen (-),
underscore (_), period (.), at (@), single quote (’), forward slash (/), and ampersand
(&).
7. (Optional) In the Description field, type a user-defined description (limit of 255
characters). The description cannot exceed 256 characters. The operators who use
the template definition to create templates rely on the description for information on
the template definition.
8. Click Save to save the template.
The dialog box closes and the KPI Template window appears.
9. On the ADC tab, define the KPI settings for the adaptive delivery controller (ADC)
service. Fill in the fields under this tab as indicated in the following table:
Table 25: ADC Tab
| Field | Description |
|---|---|
| ADC KPIs | Select to enable configuration of KPIs for the adaptive delivery controller (ADC). |
| VIP Status | Select to configure virtual IP address status. Red is displayed for any failure in the virtual IP status, and green is displayed if there is no virtual IP failure. |
| Real Servers Up(%) | Select to configure real servers. Red denotes 0-30 percent of real servers are up and active, yellow denotes 31-60 percent of real servers are up, and green denotes 61-100 percent of total real servers are up. |
| Connection Table Count(K) | Select to configure connection table utilization. The connection table contains the online information on the current open connections that are handled by the ADC software. Red denotes 81-100 kilobytes of the table are utilized, yellow denotes 61-80 kilobytes of utilization, and green denotes 0-60 kilobytes of utilization. |
| CPU Status Control | Select to configure CPU utilization for control packets as a status indicator. Red denotes CPU utilization of 81-100 percent, yellow is for 41-80 percent, and green is for 0-40 percent. |
| CPU Status (Data) | Select to configure CPU utilization for data packets as a status indicator. Red denotes CPU utilization of 96-100 percent, yellow is for 70-95 percent, and green is for 0-69 percent. |
| CPU Status (DataCores) | Select to configure CPU utilization for data cores as a status indicator. Red denotes CPU utilization of 1-5 cores, yellow is for 6-9 cores, and green is for 10-21 cores. NOTE: A core represents a single CPU unit, and multiple cores on a chip often share a memory bus or I/O bus. A virtual processor (VP) is a way to optimize the use of a core by permitting more threads to execute on the same core while one thread is awaiting a memory or bus operation. Cores are an accurate metric of actual performance, as the VP’s optimization is not constant, but depends on the workload. |
| NPU Allocation Failure | Select to configure network processing unit (NPU) allocation failures as a health status indicator. Red represents a failure, and green represents no failures. |
| DP Allocation Failure | Select to configure allocation failures in data plane as a health status marker in the template. Red represents a failure, and green represents no failures. |
| Service PIC Status | Select to configure the status of services PICs, such as adaptive or multiservices PICs. Red represents a failure, and green represents no failures. |
| Egress Interface Status | Select to configure the status of egress interfaces for services applications. Red represents a failure, and green represents no failures. |
10. On the TLB tab, define the KPI settings for the adaptive delivery controller (ADC)
service. Fill in the fields under this tab as indicated in the following table:
Table 26: TLB Tab
| Field | Description |
|---|---|
| TLB KPIs | Select to enable configuration of KPIs for traffic load balancer (TLB). |
| RI Composite Next Hop Status | Select to configure the TLB routing instance composite next-hop status. Red is displayed if next-hop is not available, and green is displayed if next-hop is available. |
| Real Servers Status | Select to configure status of real servers. Red denotes 31-100 percent of real servers are used, yellow denotes 5-30 percent of real servers are utilized, and green denotes 0-4 percent of total real servers are utilized. Servers are configured to be available for hash-based, next-hop session distribution. |
| CPU Status(%) | Select to configure CPU status as a status indicator. Red denotes CPU status of 91-100 percent, yellow is for 60-90 percent, and green is for 0-59 percent. |
| Service PIC Status | Select to configure the status of services PICs, such as adaptive or multiservices PICs. Red represents a failure, and green represents no failures. |
| Egress Interface Status | Select to configure the status of egress interfaces for services applications. Red represents a failure, and green represents no failures. |
11. On the CGNAT tab, define the KPI settings for the adaptive delivery controller (ADC)
service. Fill in the fields under this tab as indicated in the following table:
Table 27: CGNAT Tab
| Field | Description |
|---|---|
| CGNAT KPIs | Select to enable configuration of KPIs for carrier-grade NAT (CGNAT) services. |
| CPU Status(%) | Select to configure CPU status as a status indicator. Red denotes CPU status of 81-100 percent, yellow is for 60-80 percent, and green is for 0-59 percent. |
| Packet Drop Status | Select to configure packet drop probability. Red denotes one or more packets are dropped, and green denotes no packet drops. |
| Memory Status(%) | Select to configure the working status of memory. Red denotes 0-30 percent of efficiency, yellow denotes 31-60 percent of efficiency, and green denotes 61-100 percent of efficiency. |
| NAT Pool Status(%) | Select to configure utilization of NAT address pools. Red denotes 96-100 percent of utilization, yellow denotes 85-95 percent of utilization, and green denotes 0-84 percent of utilization. |
| Service PIC Status | Select to configure the status of services PICs, such as adaptive or multiservices PICs. Red represents a failure, and green represents no failures. |
| CPU Utilization(%) | Select to configure CPU utilization for control packets as a status indicator. Red denotes CPU utilization of 30-00 percent, yellow is for 20-29 percent, and green is for 0-10 percent. |
12. On the SFW tab, define the KPI settings for the adaptive delivery controller (ADC)
service. Fill in the fields under this tab as indicated in the following table:
Table 28: SFW Tab
| Field | Description |
|---|---|
| SFW KPIs | Select to enable configuration of KPIs for stateful firewall services. |
| CPU Status(%) | Select to configure CPU status as a status indicator. Red denotes CPU status of 81-100 percent, yellow is for 60-80 percent, and green is for 0-59 percent. |
| Packet Drop Status | Select to configure packet drop probability. Red denotes one or more packets are dropped, and green denotes no packet drops. |
| Memory Status(%) | Select to configure the working status of memory. Red denotes 0-30 percent of efficiency, yellow denotes 31-60 percent of efficiency, and green denotes 61-100 percent of efficiency. |
| NAT Pool Status(%) | Select to configure utilization of NAT address pools. Red denotes 96-100 percent of utilization, yellow denotes 85-95 percent of utilization, and green denotes 0-84 percent of utilization. |
| Service PIC Status | Select to configure the status of services PICs, such as adaptive or multiservices PICs. Red represents a failure, and green represents no failures. |
13. On the Chassis tab, define the KPI settings for the adaptive delivery controller (ADC)
service. Fill in the fields under this tab as indicated in the following table:
Table 29: Chassis Tab
| Field | Description |
|---|---|
| Chassis KPIs | Select to enable configuration of KPIs for chassis operations. |
| Chassis Level KPIs | Select to enable configuration of KPIs for chassis-level processes and parameters. |
| Power Supply Failure | Select to configure failure of power supplies as a status marker. Red denotes a failure, and green denotes no failure. |
| Fan Failure | Select to configure failure of fans as a status marker. Red denotes a failure, and green denotes no failure. |
| FRU Failure | Select to configure failure of FRUs as a status marker. Red denotes a failure, and green denotes no failure. |
| Over Temperature | Select to configure temperature of chassis as a metric. Red denotes 95-100 percent of over temperature condition, yellow denotes 80-94 percent, and green denotes 0-70 percent. |
| CPU Utilization(%) | Select to configure CPU utilization of the chassis as a metric. Red denotes 95-100 percent of CPU usage, yellow denotes 80-94 percent, and green denotes 0-70 percent. |
| Memory Status(%) | Select to configure the percentage of memory used by the entire chassis. If this number exceeds 80 percent, you might experience a software problem (memory leak). Red denotes 95-100 percent of usage, yellow denotes 80-94 percent, and green denotes 0-70 percent. |
| Slot Level KPIs | Select to enable configuration of KPIs for slot-based processes and parameters. |
| RE Tab | |
| RE | Select to configure Routing Engine characteristics. |
| Temperature | Select to configure temperature of Routing Engines as a metric. Red denotes 95-100 percent of over temperature condition, yellow denotes 80-94 percent, and green denotes 0-70 percent. |
| CPU Utilization(%) | Select to configure CPU utilization of Routing Engines as a metric. Red denotes 95-100 percent of CPU usage, yellow denotes 80-94 percent, and green denotes 0-70 percent. |
| Memory(Heap) | Select to configure the percentage of heap space (dynamic memory) being used by the Routing Engine. If this number exceeds 80 percent, you might experience a software problem (memory leak). Red denotes 95-100 percent of usage, yellow denotes 80-94 percent, and green denotes 0-70 percent. |
| Buffer | Select to configure the percentage of buffer memory space being used by the Routing Engine processor for buffering internal messages. Red denotes 95-100 percent of usage, yellow denotes 80-94 percent, and green denotes 0-70 percent. |
| Service PIC Tab | |
| Service PIC (MS-DPC) | Select to configure service PIC characteristics. |
| Temperature | Select to configure temperature of service PIC as a metric. Red denotes 95-100 percent of over temperature condition, yellow denotes 80-94 percent, and green denotes 0-70 percent. |
| CPU Utilization(%) | Select to configure CPU utilization of services PICs as a metric. Red denotes 95-100 percent of CPU usage, yellow denotes 80-94 percent, and green denotes 0-70 percent. |
| Memory(Heap) | Select to configure the percentage of heap space (dynamic memory) being used by the services PICs. If this number exceeds 80 percent, you might experience a software problem (memory leak). Red denotes 95-100 percent of usage, yellow denotes 80-94 percent, and green denotes 0-70 percent. |
| Buffer | Select to configure the percentage of buffer memory space being used by the service PICs for buffering internal messages. Red denotes 95-100 percent of usage, yellow denotes 80-94 percent, and green denotes 0-70 percent. |
| Packet Drop Status | Select to configure packet drop probability. Red denotes one or more packets are dropped, and green denotes no packet drops. |
| FPC Tab | |
| FPC | Select to configure FPC characteristics. |
| Temperature | Select to configure temperature of the FPC as a metric. Red denotes 95-100 percent of over temperature condition, yellow denotes 80-94 percent, and green denotes 0-70 percent. |
| CPU Utilization(%) | Select to configure CPU utilization of FPCs as a metric. Red denotes 95-100 percent of CPU usage, yellow denotes 80-94 percent, and green denotes 0-70 percent. |
| Memory(Heap) | Select to configure the percentage of heap space (dynamic memory) being used by the FPCs. If this number exceeds 80 percent, you might experience a software problem (memory leak). Red denotes 95-100 percent of usage, yellow denotes 80-94 percent, and green denotes 0-70 percent. |
| Buffer | Select to configure the percentage of buffer memory space being used by the FPCs for buffering internal messages. Red denotes 95-100 percent of usage, yellow denotes 80-94 percent, and green denotes 0-70 percent. |
14. On the HA tab, define the KPI settings for the high availability service. Fill in the fields
under this tab as indicated in the following table:
Table 30: HA Tab
| Field | Description |
|---|---|
| HA KPIs | Select to enable configuration of KPIs for high availability services. |
| SDG Status | Select to specify the status of SDGs. Red denotes a failure, and green indicates no failure. |
| BGP Advertising | Select to configure packet drops during BGP advertisements. Red denotes a packet drop, and green denotes no packet drops. |
| VRRP Status | Select to configure the status of Virtual Router Redundancy Protocol (VRRP). Red denotes a failure, and green indicates no failure. |
| CGNAT SFW HA Status | Select to configure inter-chassis high availability status of carrier-grade NAT. Red denotes a failure, and green indicates no failure. |
| CGNAT Route Status | Select to configure the status of routes in CGNAT. Red denotes a failure, and green indicates no failure. |
| ADC VIP Route Status | Select to configure the status of routes in the ADC virtual server. Red denotes a failure, and green indicates no failure. |
| TLB RI Route Status | Select to configure the route status in a TLB routing instance. Red denotes a failure, and green indicates no failure. |
15. Click Save to save the template definition for the different service types.
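The color bands in the tables above can be treated as data and checked for coverage before a template is relied on for alerting. The following added example is not Juniper code: the dictionary layout, function names and sample readings are assumptions. It transcribes four rows from the ADC and Chassis tables, classifies constructed readings, and reports any value range that no documented color covers.

```python
# Bands transcribed from Table 25 (ADC) and Table 29 (Chassis): (low, high), inclusive.
# Assumption: readings are whole-number percentages between 0 and 100.
BANDS = {
    "ADC / CPU Status Control": {"red": (81, 100), "yellow": (41, 80), "green": (0, 40)},
    "ADC / CPU Status (Data)": {"red": (96, 100), "yellow": (70, 95), "green": (0, 69)},
    "ADC / Real Servers Up(%)": {"red": (0, 30), "yellow": (31, 60), "green": (61, 100)},
    "Chassis / CPU Utilization(%)": {"red": (95, 100), "yellow": (80, 94), "green": (0, 70)},
}


def classify(kpi, value):
    """Return the color whose band contains value, or 'undefined' if none does."""
    for color, (low, high) in BANDS[kpi].items():
        if low <= value <= high:
            return color
    return "undefined"


def audit_bands(kpi, low=0, high=100):
    """Report ranges in [low, high] that no band covers, and bands that overlap."""
    gaps, overlaps, cursor, prev = [], [], low, None
    # Walk the bands in ascending order of their lower bound.
    for color, (b_low, b_high) in sorted(BANDS[kpi].items(), key=lambda kv: kv[1]):
        if b_low > cursor:
            gaps.append((cursor, b_low - 1))       # nothing covers cursor..b_low-1
        elif prev is not None and b_low < cursor:
            overlaps.append((prev, color))         # two colors claim the same value
        cursor, prev = max(cursor, b_high + 1), color
    if cursor <= high:
        gaps.append((cursor, high))
    return {"gaps": gaps, "overlaps": overlaps}


# Constructed readings, not measurements from a real SDG.
SAMPLE_READINGS = [
    ("Chassis / CPU Utilization(%)", 75),
    ("ADC / CPU Status Control", 75),
    ("ADC / Real Servers Up(%)", 25),
    ("ADC / CPU Status (Data)", 69),
]


def report(readings):
    """Classify each (kpi, value) reading and return (kpi, value, color) tuples."""
    return [(kpi, value, classify(kpi, value)) for kpi, value in readings]


if __name__ == "__main__":
    for kpi in BANDS:
        print(kpi, audit_bands(kpi))
    for row in report(SAMPLE_READINGS):
        print(row)
```

For the chassis CPU row as documented, values of 71-79 percent fall in no band; the guide does not say how Edge Services Director colors them.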
Related Documentation
• Understanding Measurement Points, Key Performance Indicators, and Baseline Values on page 115
Deleting KPI Templates
The KPI Templates page displays the definitions you created to configure KPIs for the
different services in your service delivery gateway (SDG) devices. The templates are
sorted by name. You can delete a KPI template that is not referenced by an SDG.
To delete the configured KPI templates:
1. From the View selector, select Gateway View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the task pane, select KPI Templates.
The KPI Templates page is displayed.
4. Select the template you want to delete.
5. Click the red minus (-) icon above the table of listed templates. You are prompted to
confirm whether you want to delete the selected template. Click OK to confirm the
deletion.
The corresponding template is removed from the database.
Related Documentation
• Understanding Measurement Points, Key Performance Indicators, and Baseline Values on page 115
• Cloning a KPI Template on page 117
• Managing KPI Templates on page 125
• Viewing KPI Templates on page 126
Managing KPI Templates
The KPI Templates page displays the definitions you created to configure KPIs for the
different services in your service delivery gateway (SDG) devices. The templates are
sorted by name.
The KPI Templates page provides the metrics that are used in evaluating the health and
operating efficiency of an SDG. A preconfigured, system-supplied KPI template is available
and it is not editable. You can create a copy of the predefined, system template and edit
it for your needs. During a discovery of an SDG, all the KPI templates in the system are
displayed and you can associate the appropriate KPI template with the SDG. During KPI
template association, a copy of the selected KPI template is associated with the SDG.
This behavior indicates that the base KPI template has no link to the KPI details on the
SDG after association. As a result, any changes performed to the base template are not
propagated to the SDG. Instead, you must modify the KPI template for each SDG. The
KPI Templates page enables you to edit the KPI details of a selected SDG.
You can perform the following tasks from this page under Build mode:
• View KPI templates
• Clone a KPI template
• Delete a KPI template
• Modify a KPI Template
Related Documentation
• Understanding Measurement Points, Key Performance Indicators, and Baseline Values on page 115
• Deleting KPI Templates on page 124
• Viewing KPI Templates on page 126
Viewing KPI Templates
The KPI Templates page displays the definitions you created to configure KPIs for the
different services in your service delivery gateway (SDG) devices. The templates are
sorted by name.
To view the configured KPI templates:
1. From the View selector, select Gateway View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the View pane, select the All Network item in Gateway view.
4. From the task pane, select KPI Templates.
The KPI Templates page is displayed. The page is divided into two halves. The top
part of the page displays two graphs, while the bottom part of the page displays all
the configured KPI templates.
Figure 12: KPI Templates Page
Of the two graphs, one of them is the Associated KPI Template Count graph. This pie
graph illustrates the percentage of templates, out of the total number of templates, that
are associated with SDGs. The Used type denotes the templates associated with SDGs,
while the Unused type denotes the templates that are not mapped to any SDG. The other
graph is a bar chart. The Enabled KPIs Status bar chart shows the different service types
on the x-axis and the number of KPIs that are defined for each service type on the y-axis.
For example, a count of 5 for the TLB service type signifies that five KPI templates contain
TLB service attributes.
The lower half of the Templates page displays the following fields in a tabular view:
Table 31: KPI Templates View
| Field | Description |
|---|---|
| Name | Name of the KPI template. |
| Description | User-defined description of the template. |
| Created By | Name of the user that created the template. |
| Created Time | Time and date when the KPI template was created. The displayed timezone depends on the server timezone. |
| Modified Time | Time and date when the KPI template was last updated. The displayed timezone depends on the server timezone. |
Related Documentation
• Understanding Measurement Points, Key Performance Indicators, and Baseline Values on page 115
• Cloning a KPI Template on page 117
• Deleting KPI Templates on page 124
• Managing KPI Templates on page 125
Modifying a KPI Template Associated with a Service Gateway
You can modify the KPI template characteristics for the different services. You can select
a managed device with which a KPI template is associated and change the KPI settings
to specify monitoring criteria critical for service operations and administration. On the
dashboard, the SDGs are colored as orange, red, green, or grey to indicate the health and
performance of the SDGs based on the applied KPI templates.
To modify the KPI template associated with a managed service gateway:
1. From the View selector, select Gateway View.
The workspaces that are applicable to this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the View pane, select the All Network item in Gateway view. You can also click
the plus sign (+) beside the All Network item in the View pane to expand the tree and
select the device node you want.
4. From the task pane, select Services Gateways.
The Service Gateways page is displayed.
5. Select the Manage Service Gateways option.
The list of managed SDGs appears. If the SDGs are configured in a high availability
pair, the details of both the devices in the pair are exported.
6. In the main window, click the plus sign (+) next to the SDG pairs to expand the tree
and view the pair of devices in the SDG group or pair. Select the check box next to the
individual SDG for which you want to view the device details.
The SDG for which you want to modify KPI template details is selected.
7. Click the down arrow in the Modify button at the top of the table of managed SDGs
that are listed, and select KPI Details.
The Edit KPI Details for Service Gateway dialog box is displayed.
8. Modify the settings as described in “Cloning a KPI Template” on page 117.
9. Click Save to save the template definition for the different service types.
You are returned to the Managed Service Gateways page.
Related Documentation
• Discovering Devices on page 83
• Exporting Managed Device Details to a CSV File on page 92
• Changing an Unmanaged Device to a Managed Device on page 93
• Modifying the SDG Group and KPI Templates for a Device on page 94
• Scheduling the Discovery of Devices on page 95
CHAPTER 9
Viewing the Device Inventory
• Viewing the Device Inventory Page on page 129
• Viewing Device Statistics on page 137
• Viewing Configuration Details of Services on Devices on page 140
• Viewing Discovery Logs on page 142
• Viewing Discovery Profiles on page 143
Viewing the Device Inventory Page
The Device Inventory page lists devices managed by Edge Services Director and provides
basic information about the devices, such as IP address and current operating status,
and configured services, such as server load balancing (SLB) and carrier grade NAT
(CGNAT). The Device Inventory page is available in Build mode.
Hardware inventory information shows the slots that are available for a device and
provides information about power supplies, chassis cards, fans, part numbers, and so
forth. Edge Services Director displays hardware inventory by device name, based on data
retrieved both from the device during discovery and resynchronization operations, and
from the data stored in the hardware catalog. For each managed device, the hardware
catalog provides descriptions for field replaceable units (FRUs), part numbers, model
numbers, and the pluggable locations from which empty slots are determined.
The Device Inventory page provides two pie charts that summarize the status of the
devices and services in your network environment. You can remove or restore a category
(segment) from the pie chart by clicking that segment in the chart.
To view the device inventory page:
1. From the View selector, select Gateway View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the View pane, select the All Network item in Gateway view. You can also click
the plus sign (+) beside the All Network item in the View pane to expand the tree and
select the device node you want.
4. From the task pane in Gateway view, select Inventory > View Inventory.
The Device Inventory page for the entire network, the SDG group, or the particular
SDG is displayed, depending on the view or perspective you selected.
Figure 13: Device Inventory Page
The following charts are displayed in the top half of the page:
• Connection State—Shows the proportion of devices that are up or down. In this chart,
  Virtual Chassis count as one device. The possible connection states are:
  • UP—Device is connected to Edge Services Director.
  • DOWN—Device is not connected to Edge Services Director.
  • N/A—Device connection state is not available.
• Managed Status—Shows the proportion of devices in each configuration state. See
  Table 32 on page 130 for definitions of the configuration states.
Table 32: Managed Status Pie Chart
Field
    Description
In Sync
    The configuration on the device is in sync with the Edge Services Director
    configuration for the device.
Out Of Sync
    The configuration on the device does not match the Edge Services Director
    configuration for the device. This state is usually the result of the device
    configuration being altered outside of Edge Services Director.
    You cannot deploy configuration on a device from Edge Services Director
    when the device is Out Of Sync. To resolve this state, use the Resynchronize
    Device Configuration task in Deploy mode.
Sync failed
    An attempt to resynchronize an Out Of Sync device failed.
Synchronizing
    The device configuration is in the process of being resynchronized.
N/A
    The device is down or is an access point.
Mouse over a pie segment to view the actual number of devices and the percentage
represented by that pie segment.
In the left pane, which displays all the configured SDGs in a tree format, the All Service
Gateways option is selected by default. The pie charts in the right pane, and the
tabular details of services, hardware, and interfaces in the bottom part of the right
pane, correspond to the All Service Gateways selection. When you select a specific SDG
in the left pane, the right pane shows the details for that SDG.
The lower half of the Inventory page contains three tabs—Gateway, Hardware, and
Interface. These tabs are displayed only if you expand the All Network item in the View
pane and select a device node or SDG. Otherwise, only the fields under the Gateway tab
are displayed.
Table 23 on page 100 describes the fields under the Gateway tab of the Device Inventory
table.
Table 33: Fields Under the Gateway Tab
Field
    Description
Host Name
    Hostname of the device.
Version
    Software version the device is running.
IP Address
    IP address configured for the device.
Device Family
    Device family to which the device belongs. Hardware family such as Junos
    OS is displayed.
Platform
    Model number of the device.
Connection Status
    Device’s state:
    • UP—Edge Services Director can communicate with the device.
    • DOWN—Edge Services Director cannot communicate with the device.
Managed Status
    Indicates whether the device’s configuration is in sync with Edge Services
    Director’s version:
    • Connecting—The device is being contacted to establish a connection.
    • In Sync—The configuration on the device is in sync with the Edge
      Services Director configuration for the device.
    • Out Of Sync—The configuration on the device does not match the Edge
      Services Director configuration for the device. This state is usually the
      result of the device configuration being altered outside of Edge Services
      Director.
      You cannot deploy configuration on a device when the device is Out
      Of Sync. To resolve this state, use the Resynchronize Device
      Configuration task in Deploy mode.
    • Synchronizing—The device configuration is in the process of being
      resynchronized.
    • Sync failed—An attempt to resynchronize an Out Of Sync device failed.
Service Gateway
    Name of the service delivery gateway.
Service Gateway Group
    Name of the group to which the SDG is assigned.
Table 34 on page 132 describes the fields under the Hardware tab of the Device Inventory
table.
Table 34: Fields Under the Hardware Tab
Field
    Description
Module
    Name of the SDG and the platform type, such as MX240 or MX480. Click the plus
    sign (+) to expand the tree to display the components of the device, such as chassis,
    PIC, CPU, and PIC parameters. Information about the chassis, midplane, craft
    interface (FPM), power midplane (PMP), Power Supply Modules (PSMs), Power
    Distribution Modules (PDMs), Routing Engines, Control Boards (CBs) and Switch
    Processor Mezzanine Boards (SPMBs), Switch Fabric Boards (SFBs), Flexible PIC
    Concentrators (FPCs), PICs, adapter cards (ADCs) and fan trays is displayed.
Model Number
    Model number of the FRU hardware component.
Model
    Model of the FRU component.
Part Number
    Part number of the chassis component.
Serial Number
    Serial number of the chassis component. The serial number of the backplane is
    also the serial number of the router chassis. Use this serial number when you need
    to contact Juniper Networks Customer Support about the router or switch chassis.
Description
    Brief description of the hardware item:
    • Type of power supply.
    • Type of PIC. If the PIC type is not supported on the current software release, the
      output states Hardware Not Supported.
    • Type of FPC: FPC Type 1, FPC Type 2, FPC Type 3, FPC Type 4, or FPC TypeOC192.
      On EX Series switches, a brief description of the FPC.
      On the J Series routers, the FPC type corresponds to the Physical Interface Module
      (PIM). The following list shows the PIM abbreviation in the output and the
      corresponding PIM name.
      • 2x FE—Either two built-in Fast Ethernet interfaces (fixed PIM) or dual-port
        Fast Ethernet PIM
      • 4x FE—4-port Fast Ethernet ePIM
      • 1x GE Copper—Copper Gigabit Ethernet ePIM (one 10-Mbps, 100-Mbps, or
        1000-Mbps port)
      • 1x GE SFP—SFP Gigabit Ethernet ePIM (one fiber port)
      • 4x GE Base PIC—Four built-in Gigabit Ethernet ports on a J4350 or J6350
        chassis (fixed PIM)
      • 2x Serial—Dual-port serial PIM
      • 2x T1—Dual-port T1 PIM
      • 2x E1—Dual-port E1 PIM
      • 2x CT1E1—Dual-port channelized T1/E1 PIM
      • 1x T3—T3 PIM (one port)
      • 1x E3—E3 PIM (one port)
      • 4x BRI S/T—4-port ISDN BRI S/T PIM
      • 4x BRI U—4-port ISDN BRI U PIM
      • 1x ADSL Annex A—ADSL 2/2+ Annex A PIM (one port, for POTS)
      • 1x ADSL Annex B—ADSL 2/2+ Annex B PIM (one port, for ISDN)
      • 2x SHDSL (ATM)—G SHDSL PIM (2-port two-wire module or 1-port four-wire
        module)
      • 1x TGM550—TGM550 Telephony Gateway Module (Avaya VoIP gateway
        module with one console port, two analog LINE ports, and two analog TRUNK
        ports)
      • 1x DS1 TIM510—TIM510 E1/T1 Telephony Interface Module (Avaya VoIP media
        module with one E1 or T1 trunk termination port and ISDN PRI backup)
      • 4x FXS, 4xFX0, TIM514—TIM514 Analog Telephony Interface Module (Avaya
        VoIP media module with four analog LINE ports and four analog TRUNK ports)
      • 4x BRI TIM521—TIM521 BRI Telephony Interface Module (Avaya VoIP media
        module with four ISDN BRI ports)
      • Crypto Accelerator Module—For enhanced performance of cryptographic
        algorithms used in IP Security (IPsec) services
      • MPC M 16x 10GE—16-port 10-Gigabit Module Port Concentrator that supports
        SFP+ optical transceivers. (Not on EX Series switches.)
    • For hosts, the Routing Engine type.
    • For small form-factor pluggable transceiver (SFP) modules, the type of fiber:
      LX, SX, LH, or T.
    • LCD description for EX Series switches (except EX2200 switches).
    • MPC2—1-port MPC2 that supports two separate slots for MICs.
    • MPC3E—1-port MPC3E that supports two separate slots for MICs
      (MIC-3D-1X100GE-CFP and MIC-3D-20GE-SFP) on MX960, MX480, and MX240
      routers. The MPC3E maps one MIC to one PIC (1 MIC, 1 PIC), which differs from
      the mapping of legacy MPCs.
      • 100GBASE-LR4, pluggable CFP optics
      • Supports the Enhanced MX Switch Control Board with fabric redundancy and
        existing SCBs without fabric redundancy.
      • Interoperates with existing MX Series line cards, including Flexible Port
        Concentrators (FPC), Dense Port Concentrators (DPCs), and Modular Port
        Concentrators (MPCs).
    • MPC4E—Fixed configuration MPC4E that is available in two flavors:
      MPC4E-3D-32XGE-SFPP and MPC4E-3D-2CGE-8XGE on MX2020, MX960,
      MX480, and MX240 routers.
    • LCD description for MX Series routers
Table 35 on page 136 describes the fields under the Interface tab of the Device Inventory
table.
Table 35: Fields Under the Interface Tab
Field
    Description
Host Name
    Hostname of the SDG.
Physical Interface Name
    Name of the physical interface.
IP Address
    IP address configured on the interface.
MAC Address
    MAC address configured on the interface.
Operation Status
    Operational status of the physical interface: Up, Down.
Admin Status
    Administrative state of the interface: Enabled or Disabled. If the
    interface is disabled, it can provide network connectivity, but it
    cannot provide power to connected devices.
Link Level Type
    Encapsulation type configured on the interface.
Link Type
    Data transmission type.
Speed
    Speed at which the interface is running.
MTU
    Maximum transmission unit size on the physical interface.
Description
    Configured textual description of the interface.
To view configuration and run-time information for devices:
1. Sort the table by mousing over the column header for the data you want to sort by
and clicking the down arrow. Select Sort Ascending or Sort Descending.
2. Show columns not in the default table view, or hide columns, as follows:
   1. Mouse over any column header and click the down arrow.
   2. Select Columns from the menu.
   3. Select the check boxes for columns that you want to view. Clear the check boxes
      for columns that you want to hide.
3. View information about devices as follows:
   • To restrict the display of devices, enter a search criterion of one or more characters
     in the Search bar and press Enter.
     All devices that match the search criterion are shown in the main display area.
Related Documentation
• Viewing Device Statistics
• Viewing Configuration Details of Services on Devices
• Viewing Discovery Logs
• Viewing Discovery Profiles
Viewing Device Statistics
The Devices statistics page provides three types of data for managed devices:
• Device Count by Platform—The number of Juniper Networks devices organized by type
• Device Status—The connection status of managed devices on the network
• Device Count by OS—The number of devices running a particular Junos OS release
To view device statistics, from the Junos Space Network Management Platform user
interface, select Devices. The Devices landing page is displayed. This page displays the
charts related to devices.
This topic includes the following tasks:
• Viewing the Number of Devices by Platform
• Viewing Connection Status for Devices
• Viewing Devices by Junos OS Release
Viewing the Number of Devices by Platform
Figure 14 on page 138 shows the Device Count by Platform report. The bar chart shows
the number of discovered Juniper Networks devices (the y-axis) by platform type
(the x-axis). Each vertical bar in the chart displays the number of managed devices for a
platform.
Figure 14: Device Count by Platform Report
To view more detailed information about devices per platform:
• Click a bar in the bar graph. The Device Management inventory page appears filtered
  by the device type you selected. See Viewing Managed Devices.
To save the bar chart as an image or to print for presentations or reporting:
• Right-click the bar chart and use the menu to save or print the image.
Viewing Connection Status for Devices
Figure 15 on page 139 shows the Device Status report. The pie chart displays the percentage
and number of devices that are connected and disconnected on the network. The up or
down status is expressed as a percentage of the total number of devices.
Figure 15: Device Status Report
To view more detailed device status information:
• Click a slice in the pie chart. The Device Management inventory page appears filtered
  by the devices that are up or down. See Viewing Managed Devices.
To save the pie chart as an image or to print for presentations or reporting:
• Right-click the pie chart and use the menu to save or print the image.
Viewing Devices by Junos OS Release
Figure 16 on page 140 shows the Device Count by OS report. The bar chart shows the
number of Juniper Networks devices on the network (the y-axis) categorized by the
Junos OS release they are running (the x-axis).
Figure 16: Device Count by OS Report
To view more detailed information about devices running a particular Junos OS release:
• Click a bar in the chart. The Device Management inventory page appears. See Viewing
  Managed Devices in the Junos Space Network Application Platform User Guide for details.
To save the bar chart as an image or to print for presentations or reporting:
• Right-click the bar chart and use the menu to save or print the image.
Related Documentation
• Viewing the Device Inventory Page
• Viewing Configuration Details of Services on Devices
• Viewing Discovery Logs
• Viewing Discovery Profiles
Viewing Configuration Details of Services on Devices
The view configuration capability enables you to see the comprehensive
configuration settings of a device. The settings of each configured service, such as ADC
or TLB, and the options or substatements for each service, such as service PICs and
client-facing interfaces, are displayed. For each service instance configured on a device,
you can view granular information on each attribute of the service instance.
The configuration details are displayed in property view and configuration view. The
property view is useful if you want a GUI, tree-based display structure. In this view, you
can drill down the tree and view data about each of the service attributes. Property view
is a simple view of the configuration as key-value pairs. The dynamic fields in form view are
defined using parameters. The configuration view is beneficial if you are familiar with the
CLI structure and want to view service attributes in the form of configuration
stanzas and hierarchy levels. This display is similar to the output of the show command
that you can use at a certain [edit] hierarchy level to view the defined settings. Each level
in the hierarchy is indented to indicate each statement's relative position in the hierarchy.
To view the configuration details of services on a device:
1. From the View selector, select Gateway View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the View pane, select the All Network item in Gateway view. You can also click
the plus sign (+) beside the All Network item in the View pane to expand the tree and
select the device node you want.
4. Select Services Gateways from the task pane. The Service Gateways page is displayed.
5. Select the check box next to the discovered device for which you want to view the
services configured.
The device for which you want to view the configuration of services is selected.
6. Click the View Configuration icon above the table of displayed devices. The View
Service page is displayed.
The page is divided into three panes. The left pane displays a tree of all configured
services. Click the plus sign (+) for each service to expand and view the service
instances contained in a service. The middle pane displays the components or
attributes of the selected service instance. The rightmost pane displays the attributes
of the service instance in property or config view.
7. Click the Service Details option from the left pane. The list of services corresponding
to the selected SDG pair is displayed.
8. Mouse over the middle pane that lists the service instance components to highlight
the component and view its name.
9. Select the service instance from the left pane. Drill down until you locate the instance
you need. The graphical representation of the components of the service instance is
shown in the middle pane. The categories and the elements of the components are
shown.
When you click a different component or attribute of the service instance, the property
or config view is refreshed accordingly.
10. Select the Property View tab if you want to view the parameters in a tree-based,
key-value pair structure. Select the Config View tab if you want to view the parameters in
a CLI structure.
Related Documentation
• Viewing the Device Inventory Page
• Viewing Device Statistics
• Viewing Discovery Logs
• Viewing Discovery Profiles
Viewing Discovery Logs
Discovery logs are prepared and stored at each stage of the SDG discovery. All these
discovery logs are stored in the discovery audit log database. When you initiate the request
to view the system event logging messages, the logs for the selected device are retrieved
and displayed with the timestamp of the recording.
To view the details of a discovery log:
1. From the View selector, select Gateway View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the View pane, select the All Network item in Gateway view. You can also click
the plus sign (+) beside the All Network item in the View pane to expand the tree and
select the device node you want.
4. Select Services Gateways from the task pane. The Service Gateways page is displayed.
5. Select the Unmanaged Devices option. The list of discovered devices is displayed.
6. Select the check box next to the discovered device for which you want to view the
logs.
7. Click the View Discovery Logs icon above the table of displayed devices. The Discovery
Log window is displayed.
The timestamp is the UTC time in the database, mapped to the local time zone of the
client computer. The description of the log is displayed in color-coded format. Red
indicates error severity, orange indicates warning severity, and black indicates
an informational message.
8. In the Service Delivery Host Discovery Log window, you can sort and view the log
messages that pertain to a severity level to quickly identify and separate
only the logs that are relevant to you. To filter the logs based on a severity level,
select the check boxes next to the severity levels, such as Error, Warning, or Info, and
click the search icon to display the logs that match the criterion. Click the red cross (x)
icon to clear the applied filter and display the logs corresponding to all severity levels.
If you rediscover a device, the logs display a cumulative, consolidated list of all of the
messages generated during all of the discovery attempts.
9. Click Refresh if you want updated snapshots of the logs to be displayed. The refresh
process sends a request to the device and retrieves the latest logs.
10. After you finish viewing the profile settings, click Close to return to the page that
displays all the discovery profiles.
Related Documentation
• Viewing the Device Inventory Page
• Viewing Device Statistics
• Viewing Configuration Details of Services on Devices
• Viewing Discovery Profiles
Viewing Discovery Profiles
The Discovery Profiles page displays the discovery jobs that you have previously created.
You can examine the parameters contained in a discovery profile before you modify it
or create a new profile. All of the discovery details, such as the device attributes
and the credentials for connecting to the device, are shown.
To view the details of a configured discovery profile:
1. From the View selector, select Gateway View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the View pane, select the All Network item in Gateway view. You can also click
the plus sign (+) beside the All Network item in the View pane to expand the tree and
select the device node you want.
4. Select Services Gateways from the task pane. The Service Gateways page is displayed.
5. Select the Discover Devices option.
6. Select the check box next to the discovery profile that you want to view.
7. Click the View Discovery Profile Details icon above the table of displayed profiles. The
View Discovery Profile Details window is displayed.
The following fields are displayed in this window:
Field
    Description
Name
    Unique name of the discovery profile.
Description
    User-defined description of the profile.
Discover Targets
    Type
        Indicates whether hostname or IP address of the devices in the
        profile are configured.
    Value
        Hostname or IP address of the devices in the profile.
Credentials
    UserName
        Name of the user to connect to the devices in the discovery profile.
    Password
        Password for authentication to the devices in the profile, displayed
        as a set of asterisks.
Protocol Details
    SNMP Version
        Version of SNMP, such as SNMPv1, v2C, or v3.
    Details
        Parameters such as the privacy and authentication details for
        SNMP.
8. After you finish viewing the profile settings, click Close to return to the page that
displays all the discovery profiles.
Related Documentation
• Viewing the Device Inventory Page
• Viewing Device Statistics
• Viewing Configuration Details of Services on Devices
• Viewing Discovery Logs
PART 3
Location and Device Views of Build Mode
• Location View Configuration
• Device Management
CHAPTER 10
Location View Configuration
• Understanding Build Mode in Location and Device Views of Edge Services Director
• Understanding the Location View
• Assigning and Unassigning Devices to a Location
• Changing the Location of a Device
• Configuring Buildings
• Configuring Floors
• Configuring Outdoor Areas
• Creating a Site
• Deleting Sites, Buildings, Floors, Wiring Closets, and Devices
• Setting Up Closets
• Setting Up the Location View
Understanding Build Mode in Location and Device Views of Edge Services Director
In Build mode, you build the network managed by Junos Space Edge Services Director.
It provides you with the ability to use device discovery to bring devices under Edge Services
Director management, to customize your view of the devices, to configure devices, and
to perform some common device management tasks.
This topic describes:
• Discovering Devices
• Building the Location and Custom Views
• Configuring Devices
• Managing Devices
Discovering Devices
Device discovery finds your network devices and brings them under Edge Services Director
management. You provide Edge Services Director with identifying information about the
devices you want Edge Services Director to manage—an IP address or hostname, an IP
address range, an IP subnetwork, or a CSV file that contains this information. Edge Services
Director uses the information to probe the devices by using either ping or SNMP get
requests. If a device probe is successful, Edge Services Director then attempts to make
an SSH connection to the device using the login credentials you supply. If the connection
is successful and the device is a supported device, Edge Services Director adds the device
to its database of managed devices. Edge Services Director uses the Juniper Networks Device
Management Interface (DMI), which is an extension to the NETCONF network
configuration protocol, to connect to and configure its managed devices.
You can also discover devices using the device discovery feature provided by the Junos
Space Network Management Platform. Devices you discover using Junos Space device
discovery are brought under Edge Services Director management if they are supported
by Edge Services Director.
Besides bringing your devices under Edge Services Director management, device discovery:
• Reads the device configuration and saves it in the Junos Space configuration database.
  Edge Services Director uses this record of the device configuration to determine what
  configuration commands it needs to send to a device when you deploy the configuration
  on the device. For this reason, it is important for the Junos Space configuration record
  to match, or be in sync with, the device configuration. For more information about how
  the Junos Space configuration record and device configuration are kept in sync, see
  “Understanding Resynchronization of Device Configuration” on page 67.
• Imports the device configuration into the Build mode configuration. For more information
  about importing device configurations, see “Importing Device Configurations” on
  page 65.
Building the Location and Custom Views
When a device is discovered in the physical network mode, it is added to the network
tree in the View pane.
In Location View, all discovered devices are added to the Unassigned node. You can use
Build mode to create the Location View—that is, create the sites, buildings, floors, closets,
and outdoor areas that reflect the physical location of your network devices—and to
assign the discovered devices to these locations.
The Custom Group View displays only the top level—My Network—until you create one
or more custom groups. A custom group is another way of grouping your devices based
on your business needs. You can create custom groups and add devices to each custom
group. You can manually add devices to a custom group, or you can define rules that add
devices matching the rule condition to the custom group once they are discovered by
Edge Services Director. You can view the custom groups and the devices that are assigned
to each group in the Custom Group view.
NOTE: This section does not apply to virtual devices that Edge Services
Director manages.
Configuring Devices
In Build mode, you can define the configuration of network devices in your Physical
network. To support rapid, large-scale deployment of devices, you can define much of
your Build mode configuration in a set of profiles. You can reference profiles in other
profiles or apply them to multiple objects in your network—devices, ports, radios, logical
entities. For example, you can create a class-of-service (CoS) profile that contains settings
that are appropriate for point-to-point, Layer 3 VPN, and VPLS services that you can
manage, provision, and monitor in Service View of Edge Services Director.
In addition to creating configuration profiles, in Build mode you can configure Link
Aggregation Groups (LAGs) on routers.
Deploying Device Configurations
After you build your device configurations in Build mode, you need to deploy the
configurations on the devices. None of the configurations you create in Build mode affect
your devices until the configurations are actually deployed on the devices.
To deploy the configuration on devices, use Deploy mode. When you change a device’s
configuration in Build mode, the device becomes available in Deploy mode for
configuration deployment.
Importing Device Configurations
As part of device discovery, Edge Services Director analyzes the configuration of a newly
discovered device and automatically imports the configuration into the Build mode
configuration for that device. For example, as part of the discovery of a wireless LAN
controller, Edge Services Director imports the configurations of wireless access points
from the controller and makes them available for viewing and modification under the
Manage Access Point task for that controller.
As it imports the device configuration, Edge Services Director automatically creates
profiles to match the configuration. It first determines whether any existing profiles match
the configuration, and if so, assigns those profiles to the device. It then creates and assigns
new profiles as needed. For example, if an access switch has some ports that match the
configuration of an existing Port profile, Edge Services Director assigns the existing Port
profile to those ports. For the other ports, Edge Services Director creates as many Port
profiles as needed to match the port configurations and assigns them to the ports.
You can manage the profiles that Edge Services Director creates as part of device
discovery in the same way that you manage user-created profiles—that is, you can modify,
delete, or assign them to other devices.
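The match-then-create import described above, as an added Python sketch (illustrative only, not Edge Services Director code). The names `PortProfile`, `canonical`, `import_port_configs` and `ports_by_profile`, the port settings, and the interface names are all constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PortProfile:
    """Hypothetical profile: a name plus a canonical form of its settings."""
    name: str
    settings: tuple


def canonical(settings: dict) -> tuple:
    # Order-independent form, so two ports with the same settings
    # compare equal regardless of the order the keys were read in.
    return tuple(sorted(settings.items()))


def import_port_configs(port_configs: dict, existing_profiles: list):
    """Assign an existing profile where one matches; otherwise create one.

    Returns (assignments, created): a port -> profile-name mapping and the
    list of profiles that had to be created during the import.
    """
    by_settings = {p.settings: p for p in existing_profiles}
    taken = {p.name for p in existing_profiles}
    assignments, created = {}, []
    counter = 0
    for port in sorted(port_configs):          # deterministic naming order
        key = canonical(port_configs[port])
        profile = by_settings.get(key)
        if profile is None:
            counter += 1
            while f"imported-port-{counter}" in taken:
                counter += 1                   # never reuse an existing name
            profile = PortProfile(f"imported-port-{counter}", key)
            by_settings[key] = profile         # later ports can reuse it
            taken.add(profile.name)
            created.append(profile)
        assignments[port] = profile.name
    return assignments, created


def ports_by_profile(assignments: dict) -> dict:
    """Invert the assignment map so each auto-created profile can be reviewed."""
    result = {}
    for port, name in assignments.items():
        result.setdefault(name, []).append(port)
    return result


# Constructed sample input: one pre-existing profile and five discovered ports.
SAMPLE_EXISTING = [
    PortProfile("access-port", canonical({"mode": "access", "vlan": 10, "mtu": 1500})),
]
SAMPLE_PORTS = {
    "ge-0/0/0": {"mode": "access", "vlan": 10, "mtu": 1500},
    "ge-0/0/1": {"vlan": 10, "mtu": 1500, "mode": "access"},   # same settings, different key order
    "ge-0/0/2": {"mode": "trunk", "vlan": 20, "mtu": 9000},
    "ge-0/0/3": {"mode": "trunk", "vlan": 20, "mtu": 9000},
    "ge-0/0/4": {"mode": "access", "vlan": 30, "mtu": 1500},
}

if __name__ == "__main__":
    assigned, new_profiles = import_port_configs(SAMPLE_PORTS, SAMPLE_EXISTING)
    for name, ports in ports_by_profile(assigned).items():
        print(name, ports)
    print("created during import:", [p.name for p in new_profiles])
```

Listing the profiles created during import gives a reviewer a short set of configurations that matched no existing profile and are worth checking before they are assigned to other devices.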
Out-of-Band Configuration Changes
Out-of-band configuration changes are configuration changes made to a device outside
of Edge Services Director. Examples include changes made by:
• Using the device CLI.
• Using the device Web-based management interface (the J-Web interface or Web View).
• Using the Junos Space Network Management Platform configuration editor.
• Using RingMaster software.
• Restoring or replacing device configuration files.
When an out-of-band change is made, the device configuration no longer matches the
Build mode configuration, and the device configuration state changes to out of sync. You
cannot deploy configuration on a device that is out of sync. Use the Resynchronize Device
Configuration task in Deploy mode to resynchronize the device configuration. For more
information about how Edge Services Director resolves out-of-band configuration changes
and synchronizes the Build mode configuration with the device configuration, see
“Understanding Resynchronization of Device Configuration” on page 67.
TIP: Before you make configuration changes in Build mode, make sure that
devices that will be affected are in sync. Resynchronizing the device
configuration can result in losing pending Build mode configuration changes
for that device.
Managing Devices
In addition to the tasks that allow you to build your network, Build mode provides a
number of tasks for day-to-day device management. For example, you can:
• View a device’s hardware component inventory or its installed licenses
• Reboot a device or groups of devices
• Connect to a device’s CLI through SSH or to its web-based management interface
• View the profiles assigned to a device
Related Documentation
• Working with the Dashboard on page 51
Understanding the Location View
The Location View is one of the perspectives from which Edge Services Director enables you to
view and analyze your network. Using this view, you can view devices and data based on
their physical location and proximity in the network. By physical location, we mean the
buildings, floors, aisles, racks, wiring closets, and outdoor areas where the devices reside.
After these locations are defined and devices assigned, the Location View gives you a
visual representation of your devices based on where they reside.
You can define the physical location where the devices in the network are deployed in a
hierarchical way, and define location entities from a site down to the wiring closet. When
in the Location View, the network tree shows the network in terms of buildings, floors,
aisles, racks, wiring closets, and outdoor areas nested beneath the building. The hierarchy
of the locations is:
• Site—Your campus or data center; the highest node in your location.
• Building—One entry for every building at your site. Buildings are listed in alphabetical order, not by address or the order in which you identified them to the system.
• Floors—One entry for each floor within the building; floors are nested within the building.
• Aisles—One entry for each aisle in a floor. Aisles are nested within the floor.
• Racks—One entry for each rack in an aisle. Racks are nested within the aisle.
• Outdoor Area—One entry for each named area; outdoor areas are associated with buildings.
• Devices—Most are assigned to buildings, floors, outdoor areas, or racks. Access points can be assigned only to outdoor areas and floors. Devices are not assigned at the site level; those devices are considered unassigned.
The hierarchical model enables you to define a location by using either of these methods:
• Using the Location Setup wizard to set up a location in a single process, starting at the site level and progressing to the racks and outdoor areas. The wizard also provides an option to create part of the location, such as defining the site and building, then to use the individual procedures to create floors and wiring closets for the building you created.
• Using separate tasks to create location entities in sequence in a top-to-bottom order. You can create the higher level entities such as a site or building first and save them. Later, you can add floors and wiring closets when information about them becomes available.
Related Documentation
• Assigning and Unassigning Devices to a Location on page 151
• Changing the Location of a Device on page 153
• Configuring Buildings on page 154
• Configuring Floors on page 156
• Configuring Outdoor Areas on page 157
• Creating a Site on page 158
• Deleting Sites, Buildings, Floors, Wiring Closets, and Devices on page 159
• Setting Up Closets on page 161
• Setting Up the Location View on page 163
Assigning and Unassigning Devices to a Location
You can assign devices or remove assignments from devices by their location. Your
choices for device assignment are dependent upon the type of device and your position
in the site. For example, you cannot assign access points to buildings or closets. However,
you can assign access points to floors or outdoor areas. For details on which devices can
be assigned to a location node, see the “Devices that can be Assigned to each Location
Component” table in “Setting Up the Location View” on page 163.
This topic describes:
• How to Assign or Unassign Devices on page 152
• Assigning Devices on page 152
How to Assign or Unassign Devices
To assign devices to a specific location while in Build mode:
1. Select Location View from the list in the View pane.
The network tree displays discovered devices under the physical locations already
defined in Edge Services Director. The root node (for example, My Network) is selected
by default. The devices that are assigned to the locations are displayed under the
nodes for respective locations, such as buildings and floors. All devices that are not
assigned to any location are displayed under the Unassigned node.
2. Navigate the network tree to the location where you want to add a device.
Both the Tasks pane and Device Inventory page update to reflect the location’s current
configuration.
3. Select one of the following tasks in the pane to open Add/Remove Devices for Selected
Location.
• Assign Devices to Building
• Assign Device to a Floor
• Assign Devices to a Wiring Closet
• Assign Devices to an Outdoor Location
4. Navigate the tree to find an available device under Unassigned in the left portion of
the page.
5. Select the device and click the double right arrows to assign it to the target location
on the right. To unassign a device, select the device in the Assigned Devices to Selected
Location column and click the double left arrows. Repeat this step until you have
finished assigning and unassigning devices.
6. Click OK at the bottom of the page to save the assignment. The network tree refreshes
to display the device in the new location.
Assigning Devices
Use the Add/Remove Devices for Selected Location to find a device and assign it to a
location within a site. Locate the device in the Available Devices column and assign it by
clicking the double right arrows. Use the same method to unassign a device by selecting
it in the Assigned Devices to Selected Location column and double clicking the double
left arrows.
You can assign a standalone service delivery gateway (SDG), a high-availability pair of
SDGs that contains a master and a standby SDG, or MX Virtual Chassis devices to buildings,
floors, aisles, and closets.
While assigning MX Series devices to a location within a site, you can assign either the logical
device (the Virtual Chassis) as a single device or one or more member devices that belong
to these logical devices, but not both.
NOTE: Edge Services Director displays the Virtual Chassis systems in the
Location view network tree only if the following conditions are met:
• MX Series Virtual Chassis is assigned to a location.
• At least one of their member devices is not assigned to any location entity.
If all the member devices are assigned to location entities, then the Virtual
Chassis systems are not displayed in the network tree.
Related Documentation
• Changing the Location of a Device on page 153
• Configuring Buildings on page 154
• Configuring Floors on page 156
• Configuring Outdoor Areas on page 157
• Creating a Site on page 158
• Deleting Sites, Buildings, Floors, Wiring Closets, and Devices on page 159
• Setting Up Closets on page 161
• Setting Up the Location View on page 163
Changing the Location of a Device
The Change Location of Device task is an easy way to move a device address to another
building, floor, or wiring closet location within the site. You can move an access point to
another floor or to another outdoor area. However, you cannot move an access point to
a building or wiring closet. The Change Location of Device task is available whenever you
select an assigned device in the Location or Logical views.
This topic describes:
• How to Move a Device to a New Location on page 154
• Changing the Location of a Device on page 154
How to Move a Device to a New Location
To move a device address to another location:
1. Select a device in the network tree that is currently assigned to a building, floor, or
closet.
2. Click Change Location of Device to open the Change Location of Device page.
3. Using the Location View, navigate the tree and select the new location for the device.
You can move an access point only to another floor or outdoor area.
4. Click OK to move the device assignment and to save the new configuration.
Changing the Location of a Device
The Change Location of Device page consists of two components: Selected Device
Details and Location View. Use the Selected Device Details portion of the page to review
information about the device and its current location. The fields in Selected Device Details
are described in Table 36 on page 154.
Table 36: Contents of Selected Device Details
Field | Description
Device Name | Hostname
Device IP | Device Address
Device Family | Hardware family of products, for example, Junos-MX.
Location | Gives the current location of the device in the format of site/building/floor/cabinet
Location View is a copy of the network tree for you to navigate and designate the new
location for the device.
Related Documentation
• Understanding the Location View on page 150
• Assigning and Unassigning Devices to a Location on page 151
• Configuring Buildings on page 154
• Configuring Floors on page 156
• Configuring Outdoor Areas on page 157
• Creating a Site on page 158
Configuring Buildings
At any time after you create a site, you can grow your location by adding buildings. You
add a building to a site either from within the Location wizard or independently from the
Add Building page.
This topic describes:
• How to Add or Edit a Building on page 155
• Adding or Editing a Building for a Location on page 155
How to Add or Edit a Building
To add or change a building definition:
1. Ensure you are in the Build mode and Location view. Click Build in the Edge Services
Director banner to enter Build mode; select Location View from the list in the View
pane.
2. If you want to add a building to a site:
a. Select the site in the Tasks pane, for example, Main Campus.
The Tasks pane refreshes to show your selected site and the tasks available at the
site node.
b. Click Add Building in the Tasks pane to open the Add Building page.
3. If you want to edit an existing building definition:
a. Select the building within the site, for example, Headquarters Building.
The Tasks pane refreshes to show your selected building and the available tasks
that you can perform at the building node.
b. Click Edit Building in the Tasks pane to open the Edit Building page.
4. Fill in the fields and click Done to submit the information and to refresh the network
tree.
Adding or Editing a Building for a Location
Table 37 on page 155 describes the fields needed to establish a building.
Table 37: Add or Edit Building Fields
Field | Description
Building Name | Type a representative name for the building. The Building Name is a required field.
Address | Type an address. The address can be the street address, building number, or any other identification that helps distinguish it from other buildings.
Done | Click to submit the information. Your view updates to reflect the building change under the site name in the network tree.
Cancel | Click to close the window without changes.
Related Documentation
• Understanding the Location View on page 150
• Assigning and Unassigning Devices to a Location on page 151
• Changing the Location of a Device on page 153
• Configuring Floors on page 156
• Configuring Outdoor Areas on page 157
• Creating a Site on page 158
Configuring Floors
You can refine a building location and designate floors within the building. Use the
Add Floor page to:
• Name a floor
• Note the floor level
• Upload a floor plan for viewing
• View an uploaded floor plan
This topic describes:
• How to Add or Edit a Floor on page 156
• Adding or Editing a Building Floor for a Location on page 157
How to Add or Edit a Floor
Within each building you can define the number of floors and attach the floor plan for
online viewing.
1. Click the Build Mode icon in the Edge Services Director banner.
2. Select Location View from the list in the View pane.
3. If you want to add a floor to a building:
a. Select the building in the network tree to which you want to add floors, for example,
Headquarters.
The Tasks pane refreshes to show your selected building and the available tasks
for the building.
b. Click Add Floor in the Tasks pane to add a new floor to the building.
4. If you want to edit an existing floor definition:
a. Select the floor within the building, for example, Lobby-Floor 1.
The Tasks pane refreshes to display the selected building floor and the available
tasks that you can perform at the floor node.
b. Click Edit Floor in the Tasks pane to open the Edit Floor page.
5. Fill in the fields for the floor name and level.
6. (Optional) Upload an image of the floor plan.
7. (Optional) View the floor plan, if available.
8. Click Done to submit the information and to refresh the network tree.
Adding or Editing a Building Floor for a Location
To add or change information about a building floor, use the fields in Table 38 on page 157.
Table 38: Floor Field Descriptions
Field | Description
Floor Name | Type the name of the floor. This field is required.
Floor Level | Use the arrow keys to set the floor number.
Add/Update | Upload an image of the floor plan.
View | View an existing floor plan.
Done | Saves the floor configuration information, and returns you to Device Inventory page in the default view.
Cancel | Discards any configuration changes.
Related Documentation
• Understanding the Location View on page 150
• Assigning and Unassigning Devices to a Location on page 151
• Changing the Location of a Device on page 153
• Configuring Buildings on page 154
• Configuring Outdoor Areas on page 157
• Creating a Site on page 158
Configuring Outdoor Areas
You can associate an outdoor area to a site or a building for wireless coverage and upload
an image or map of that area. After you designate an outdoor area, you can edit or view
the map using the Edit Outdoor Area task.
This topic describes:
• How to Configure an Outdoor Area on page 157
• Configuring an Outdoor Area on page 158
How to Configure an Outdoor Area
To create an outdoor area without using the wizard:
• Ensure you are in Build mode and Location view. Click Build in the Edge Services Director banner to enter Build mode; select Location View from the list in the View pane.
• Click Add Outdoor Area in the Tasks pane. The Add Outdoor Area page opens.
• Fill in the name and upload the optional map.
• Click Done to save the data and to return to the default view.
Configuring an Outdoor Area
Table 39 on page 158 describes the fields and buttons necessary to create or change an
outdoor area.
Table 39: Outdoor Area Fields
Field | Description
Outdoor Area Name | Type the name of the outdoor area. Edge Services Director associates the outdoor area with the building.
Upload | Optional step to upload an image of the outdoor area. Use the Upload Map window to navigate to the image file location.
Done | Click to save the configuration. The network tree is updated to reflect the change.
Add/Update | Click to add a map or overlay an existing map of the area.
Related Documentation
• Understanding the Location View on page 150
• Assigning and Unassigning Devices to a Location on page 151
• Changing the Location of a Device on page 153
• Configuring Buildings on page 154
• Configuring Floors on page 156
• Creating a Site on page 158
Creating a Site
A site is the cornerstone of the location-based view of your network. Until you define a
site, the default view of your network tree merely shows you a list of your unassigned
devices. After you define a location site, you can build a tree structure of buildings, floors,
wiring closets, and outdoor areas that can each be assigned devices. You are able to
view the devices in the network by expanding and collapsing these location nodes. To
set up a location in Edge Services Director, the first step is to create a site.
This topic describes:
• How to Add or Edit a Location Site on page 159
• Creating or Editing a Site on page 159
How to Add or Edit a Location Site
1. Click the Build Mode icon in the Edge Services Director banner.
2. Select Location View from the list in the View pane.
3. Click Add Site to add a new site or click Edit Site in the Tasks pane.
4. Fill in or change the fields on the page that opens.
5. Click Done to define the site and to save the configuration.
Creating or Editing a Site
Only a few fields are required to establish a site as shown in Table 40 on page 159.
Table 40: Site Creation Fields
Site Name | A descriptive name for the site. This field is mandatory.
City | The city where the site is located.
State | The state where the site is located.
Country | The country where the site is located. Select the country from the list. This field is mandatory because it sets the regulatory country code for wireless devices. Edge Services Director validates the country code against the country codes in the network’s controllers and access points. If the codes do not match, a warning message is sent.
Related Documentation
• Understanding the Location View on page 150
• Assigning and Unassigning Devices to a Location on page 151
• Changing the Location of a Device on page 153
• Configuring Buildings on page 154
• Configuring Floors on page 156
• Configuring Outdoor Areas on page 157
Deleting Sites, Buildings, Floors, Wiring Closets, and Devices
From the Build mode Tasks pane, you can delete any sites, buildings, floors, wiring closets
and their associated devices. When you delete one of these objects, it removes not only
that item but all child objects within the node. All associations related to the node and
below are also removed. Devices are moved to the Unassigned node in the network tree.
Be sure you understand what is being deleted on the node when you choose to delete a
node.
For example, if you delete a building, it deletes the building, all floors, and all wiring closets
in that building. All of the devices in the building are moved to Unassigned in the network
tree. When you delete a building, the site and any other buildings and their associations
remain.
• How to Delete a Location Object on page 160
• Deleting Sites on page 160
• Deleting Buildings on page 160
• Deleting Floors on page 160
• Deleting Closets on page 161
• Deleting Devices on page 161
How to Delete a Location Object
1. Ensure you are in the Build mode and Location view. Click Build in the Edge Services
Director banner to enter Build mode; select Location View from the list in the View
pane.
2. Select any object within the site. The option to delete the object appears in the Tasks
pane.
3. Confirm the deletion of the object.
Deleting Sites
There is only one method of deleting a site: select the site in the Tasks pane and click
Delete Site. Use caution with this selection. When you click Delete Site you are given the
opportunity to confirm or cancel the deletion. If you confirm the deletion, you remove
the site and everything in the site. All devices become unassigned and are not associated
with any buildings, floors, or wiring closets.
Deleting Buildings
When you delete a building, it removes the building, all floors, and all wiring closets within
that building. All devices become unassigned and are not associated with the building,
its floors, or its wiring closets. Only one building can be deleted at a time. To delete a
building, select the building in the network tree and click Delete Building. Confirm the
deletion to remove the objects and to disassociate the devices. If a site is deleted, all of
the buildings within the site are also deleted.
Deleting Floors
When you delete a floor, it removes the selected floor and all wiring closets on that floor.
All devices assigned to the floor or to the closets on that floor become unassigned and
become available for reassignment. To delete a floor, select the floor in the network tree
and click Delete Floor. Confirm the deletion to remove the objects and to disassociate
the devices. If a site or building is deleted, the floors are also deleted.
Deleting Closets
When you delete a closet, it removes the selected closet and unassigns the devices in
the closet. Those devices then become available for reassignment. To delete a closet,
select the closet in the network tree and click Delete Closet. Confirm the deletion to
remove the objects and to disassociate the devices. If a site, building, or floor is deleted,
the associated closets are also deleted.
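The cascade rules for deleting sites, buildings, floors, and closets, modeled as an added Python sketch (illustrative only, not Edge Services Director code). `Node`, `preview_delete`, `delete_node`, `build_sample` and the device names are constructed assumptions; the preview step lists every child node and device a deletion would touch before it is confirmed.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(eq=False)               # identity comparison: nodes are unique objects
class Node:
    """Hypothetical location node: a site, building, floor, or closet."""
    kind: str
    name: str
    devices: List[str] = field(default_factory=list)
    children: List["Node"] = field(default_factory=list)
    parent: Optional["Node"] = field(default=None, repr=False)

    def add(self, child: "Node") -> "Node":
        child.parent = self
        self.children.append(child)
        return child


def walk(node: Node):
    """Yield the node and every node nested beneath it, parents first."""
    yield node
    for child in node.children:
        yield from walk(child)


def preview_delete(node: Node):
    """Dry run: which nodes disappear and which devices become unassigned."""
    nodes = [f"{n.kind}:{n.name}" for n in walk(node)]
    devices = [d for n in walk(node) for d in n.devices]
    return nodes, devices


def delete_node(node: Node, unassigned: List[str]):
    """Remove the node and all child objects; devices move to Unassigned."""
    nodes, devices = preview_delete(node)
    unassigned.extend(devices)             # devices are kept, only unassigned
    if node.parent is not None:
        node.parent.children.remove(node)  # siblings and the parent remain
        node.parent = None
    return nodes, devices


def build_sample():
    """Constructed sample tree: one site, two buildings, floors and a closet."""
    site = Node("site", "Main Campus")
    hq = site.add(Node("building", "Headquarters", devices=["mx-hq-core"]))
    floor1 = hq.add(Node("floor", "Floor 1", devices=["mx-f1"]))
    floor1.add(Node("closet", "Closet A", devices=["mx-ca-1", "mx-ca-2"]))
    hq.add(Node("floor", "Floor 2"))
    annex = site.add(Node("building", "Annex", devices=["mx-annex"]))
    return site, hq, annex, []


if __name__ == "__main__":
    site, hq, annex, unassigned = build_sample()
    print("would delete:", preview_delete(hq))
    delete_node(hq, unassigned)
    print("unassigned:", unassigned)
    print("remaining buildings:", [c.name for c in site.children])
```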
Deleting Devices
At every node in the network tree, you can choose to delete devices directly.
BEST PRACTICE: However, it is usually best to select the node directly above
the device so that you do not accidentally unassign more devices than desired.
• Select the node (site, building, floor, or closet) directly above the device.
• Click Delete Devices to open the Delete Devices page.
• Click the plus signs to expand the node until you locate the device.
• Click one or more boxes to select the devices. If you do not navigate down to the device level and select a node at a higher level (such as a closet or floor), the system selects all devices at and below the node.
• Click OK and confirm your selection to remove the assignment. The devices are moved to the Unassigned node of the network tree.
Related Documentation
• Understanding the Location View on page 150
• Assigning and Unassigning Devices to a Location on page 151
• Changing the Location of a Device on page 153
• Configuring Buildings on page 154
• Configuring Floors on page 156
• Configuring Outdoor Areas on page 157
• Creating a Site on page 158
Setting Up Closets
Use the Add Closet or Edit Closet tasks to create or change the name of a wiring closet.
These tasks are visible only from a floor node in a building.
This topic describes:
• How to Add or Edit a Closet on page 162
• Adding or Editing a Wiring Closet on page 162
How to Add or Edit a Closet
To add or change a wiring closet:
1. Click the Build Mode icon in the Edge Services Director banner.
2. Select Location View from the list in the View pane.
3. Navigate to the building and floor where you are adding or changing the closet.
4. If you are adding a wiring closet:
a. Select a building floor in the network tree to which you want to add a wiring closet.
The Tasks pane refreshes to show your selected floor and the available tasks for
the floor.
b. Click Add Closet in the Tasks pane.
5. If you are changing a wiring closet, click Edit Closet in the Tasks pane.
6. Type the closet name and click Done to save the configuration.
The closet appears with the change in the network tree.
Adding or Editing a Wiring Closet
The Add Wiring Closet or Edit Wiring Closet pages allow you to name a wiring closet.
Simply type the name of the new or changed wiring closet and click Done to submit the
information to the system. Your network tree refreshes to show the wiring closet.
Related Documentation
• Understanding the Location View on page 150
• Assigning and Unassigning Devices to a Location on page 151
• Changing the Location of a Device on page 153
• Configuring Buildings on page 154
• Configuring Floors on page 156
• Configuring Outdoor Areas on page 157
• Creating a Site on page 158
Setting Up the Location View
You can build a new location site by defining the individual nodes, or you can use the Location
Setup page. The wizard guides you through the top-down process from the site node
down to the assignment of devices.
NOTE: Use the Location Setup page only to design new sites; it is not meant
for editing existing sites. If you enter data for an existing site, it is rejected
when you attempt to commit the data.
A site is the cornerstone of the location-based view of your network. Until you define a
site, the default view of your network tree only shows you a list of your unassigned devices.
After you define a site, you can build a tree structure of buildings, floors, wiring closets,
aisles, and outdoor areas. As you define your network, you can assign devices to the
various components of your network. Table 41 on page 163 describes the devices that you
can assign to each location component.
Table 41: Devices that can be Assigned to each Location Component
Component | Devices that can be assigned
Site | None
Building | MX Series routers
Floor | MX Series routers
Closet | MX Series routers
Aisle | None
Rack | MX Series routers
Outdoor Area | MX Series routers
The Location Setup page displays the network tree as you add components to your
network. Use the buttons on this page to add various components—such as, buildings,
outdoor areas, floors, aisles, racks—to your network. These buttons change depending
on the component that you select in the network tree.
After the location is set up, you can view the devices in the network by expanding and
collapsing these location nodes in the Location view.
To set up your Location view:
1. Ensure you are in the Build mode and Location or Topology view. Click Build in the
Edge Services Director banner to enter Build mode; select Location view or Topology
view from the View selector.
2. If you are accessing the Location Setup page from the Location view, select the root
node (for example, My Network) in the View pane.
3. Do one of the following depending on the view you are in:
• From the Tasks pane in the Location view, select Location Management > Setup Locations.
• From the Tasks pane in the Topology view, select Location > Setup Locations.
The Location Setup page opens.
4. Click Add Site to add a new site.
Edge Services Director adds a new site under the root node and names it as Site-1.
5. Select the new site and perform any of the following actions:
• Click Edit Site to modify the name of the site and specify the site address. The Edit Site window opens.
Topology view uses this address to place the devices assigned to this site on the
topology map. For more details on editing a site, see “Creating a Site” on page 158.
• Click Add Building to add a building to your site.
Edge Services Director adds a new building under the site and names it as Building-1.
• Click Outdoor Area to add an outdoor area to your site. Edge Services Director adds a new outdoor area under the site and names it as Outdoor Area-1. You can associate an outdoor area to a site or a building for wireless coverage and upload an image or map of that area. After you designate an outdoor area, you can edit or view the map using the Edit Outdoor Area task.
• Click Delete to delete the site.
6. If you added a building, select the building and perform any of the following actions
to continue building your network:
• Click Add Floor to add floors to the building.
• Click Assign Device to assign devices to the selected building. The Associate Devices to Building window opens displaying all the unassigned devices in your network. Select the devices that you want to add to the building and click Add.
Edge Services Director adds the selected devices to the network tree.
• Click Edit Building to edit the name and address of the building. For more details on editing a building, see “Configuring Buildings” on page 154.
• Click Delete to delete the building.
7. If you added an outdoor area, select the outdoor area and perform any of the following
actions to continue building your network:
• Click Assign Device to assign devices to the selected outdoor area. The Associate Devices to Outdoor window opens displaying all the unassigned devices in your network. Select the devices that you want to add to the building and click Add.
• Click Edit Outdoor Area to edit the name of the outdoor area and to upload the image of the outdoor area. For more details on editing an outdoor area, see “Configuring Outdoor Areas” on page 157.
• Click Delete to delete the building.
8. If you added a floor to the building, select the floor and perform any of the following
actions to continue building your network:
NOTE: You can add aisles and racks to a floor only from the Location view.
However, you can view aisles, racks, and devices that you have assigned
to these components from the Topology view.
• Click Add Closet to add a wiring closet to the floor.
• Click Add Aisle to add an aisle to the floor.
• Click Assign Device to assign devices to the selected floor. The Associate Devices to Floor window opens displaying all the unassigned devices in your network. Select the devices that you want to add to the floor and click Add.
• Click Edit Floor to modify the name of the floor, floor level and upload the floor plan. For more details on editing a floor, see “Configuring Floors” on page 156.
• Click Delete to delete the floor.
9. If you added a wiring closet, select the wiring closet and perform any of the following
actions:
• Click Assign Device to assign devices to the selected closet. The Associate Devices to Closet window opens displaying all the unassigned devices in your network. Select the devices that you want to add to the closet and click Add.
• Click Edit Closet to modify the name of the wiring closet. In the Edit Closet window, modify the wiring closet name and click Done.
• Click Delete to delete the wiring closet.
10. If you added an aisle, select the aisle and perform any of the following actions:
NOTE: You can add aisles and racks to a floor only from the Location view.
However, you can view aisles, racks, and devices that you have assigned
to these components from the Topology view.
• Click Add Rack to add a rack to the aisle.
• Click Edit Aisle to modify the name of the aisle. In the Edit Aisle window, modify the
name and click Done.
• Click Delete to delete the aisle.
11. If you added a rack, select the rack and perform any of the following actions:
NOTE: You can add aisles and racks to a floor only from the Location view.
However, you can view aisles, racks, and devices that you have assigned
to these components from the Topology view.
• Click Assign Device to assign devices to the selected rack. The Associate Devices
to Rack window opens displaying all the unassigned devices in your network. Select
the devices that you want to add to the rack and click Add.
• Click Edit Closet to modify the name of the rack. In the Edit Rack window, modify
the name and click Done.
• Click Delete to delete the rack.
12. Click Done to save the location details.
Edge Services Director displays the location details along with the assigned devices
in Location view.
Related Documentation
• Understanding the Location View on page 150
• Assigning and Unassigning Devices to a Location on page 151
• Changing the Location of a Device on page 153
• Configuring Buildings on page 154
• Configuring Floors on page 156
• Configuring Outdoor Areas on page 157
• Creating a Site on page 158
CHAPTER 11
Device Management
• Accessing a Device’s CLI from Edge Services Director
• Deleting Devices from Edge Services Director
• Rebooting Devices from Edge Services Director
• Viewing the Device Inventory Page in Device View of Edge Services Director
• Viewing the Physical Inventory of Devices
• Viewing a Device's Current Configuration from Edge Services Director
• Viewing Licenses With Edge Services Director
Accessing a Device’s CLI from Edge Services Director
Edge Services Director enables you to connect to the CLI for devices in your network,
using SSH.
This topic describes the steps to connect to a router by using SSH (Secure Shell). SSH
is a cryptographic network protocol used for remote shell services or command execution.
SSH is one of the many access services that are supported on Juniper Networks
devices. All Juniper Networks devices have SSH enabled by default.
To connect to a device by using SSH:
1. Do one of the following:
• In the View pane, select the device to which you want to connect.
• In the Topology View, locate the device to which you want to connect.
2. Do one of the following:
• With the device selected in the View pane, select Build mode and select Tasks >
Device Management > SSH to Device.
• While in the Topology View, select the device to which you want to launch the SSH
connection and click Device Management > SSH To Device.
The SSH to Device dialog box appears.
3. Enter the username and password to connect to the selected device and click Connect.
NOTE: Ensure that you have removed Pop-Up blockers, if any, before you
click Connect.
The SSH console to the router or controller opens in a separate browser tab or window
depending on your browser settings. Refer to the MX Series documentation for more
information about using the CLI for MX Series routers.
NOTE: Any configuration changes that you make to a device by using the CLI qualify
as out-of-band changes in Edge Services Director. Out-of-band configuration
changes can cause the configuration state of a managed device to become
out of sync, which indicates that the device configuration no longer matches
the Build mode configuration for the device. Use the Resynchronize Device
Configuration task in Deploy mode to resynchronize the device configuration.
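This guide does not describe how Edge Services Director computes the configuration state. The following added example (not Juniper code) illustrates the kind of comparison that separates In Sync from Out Of Sync after an out-of-band CLI change: it flattens two curly-brace Junos configurations and lists the statements that differ. The hostnames, usernames, and configuration text are constructed sample data, and the function names are hypothetical.

```python
"""Illustrative drift check between a managed configuration and a device configuration."""

# Constructed sample: configuration as held by the management application.
MANAGED = """\
## Last commit: 2016-06-01 10:00:00 UTC by esd-admin
system {
    host-name mx-edge-1;
    services {
        ssh {
            root-login deny;
            protocol-version v2;
        }
    }
}
"""

# Constructed sample: configuration read from the device after a CLI session.
DEVICE = """\
## Last commit: 2016-06-20 23:14:05 UTC by operator1
system {
    host-name mx-edge-1;
    services {
        ssh {
            root-login allow;
            protocol-version v2;
        }
        telnet;
    }
}
"""


def flatten(config_text):
    """Turn hierarchical configuration text into flat 'path statement' strings.

    Blank lines and comment lines starting with '##' (such as the
    '## Last commit: ...' banner, which changes on every commit) are ignored,
    so only real configuration statements take part in the comparison.
    """
    stack = []        # names of the enclosing hierarchy levels
    statements = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("##"):
            continue
        if line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line == "}":
            if not stack:
                raise ValueError("unbalanced '}' in configuration text")
            stack.pop()
        else:
            statements.append(" ".join(stack + [line.rstrip(";").strip()]))
    if stack:
        raise ValueError("unclosed hierarchy level: " + " ".join(stack))
    return statements


def compare(managed_text, device_text):
    """Report the state and the statements that differ between the two configs."""
    managed = set(flatten(managed_text))
    device = set(flatten(device_text))
    added = sorted(device - managed)      # present only on the device
    removed = sorted(managed - device)    # present only in the managed copy
    state = "Out Of Sync" if added or removed else "In Sync"
    return {"state": state, "added_on_device": added, "removed_on_device": removed}


if __name__ == "__main__":
    report = compare(MANAGED, DEVICE)
    print("Config State:", report["state"])
    for stmt in report["added_on_device"]:
        print("  + " + stmt)
    for stmt in report["removed_on_device"]:
        print("  - " + stmt)
```

Reviewing the differing statements before resynchronizing shows which out-of-band changes would be accepted into the managed configuration.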
Related Documentation
• Understanding the Edge Services Director User Interface on page 5
Deleting Devices from Edge Services Director
You can delete devices that are no longer used from Edge Services Director. Deleting a
device removes all device configuration and device inventory information from the Junos
Space database. Once a device is deleted from the database, all the profile associations,
device configurations, and inventory information of the deleted device are also deleted.
However, the system maintains the audit logs and monitoring data for the device even
after the device is deleted.
Use the Delete Devices page to delete devices from Edge Services Director. While in Build
mode, click Delete Devices from the Tasks > Device Management menu. The Delete Devices
page appears.
The Delete Devices page displays the devices contextually depending on your selection
in the View pane. For example, if you select a site in Location view and click Delete Devices,
Edge Services Director displays all the devices that are assigned to the buildings or floors
in the selected site in the Delete Devices page. If you select a particular router family in
Device View and click Delete Devices, only routers that belong to that router family are
displayed.
To delete devices, complete the following tasks:
1. Select the check box adjacent to the router that you want to delete.
2. Click Done.
Edge Services Director prompts you to confirm the deletion. Click Yes to confirm the
deletion or No to go back and make changes to the selection.
Related Documentation
• Understanding the Edge Services Director User Interface on page 5
Rebooting Devices from Edge Services Director
Use the Reboot Devices task to immediately reboot the selected device. This task is
available in all scopes when in Build mode. To reboot one or more devices immediately:
1. Select the scope in the View pane that contains the devices you want to reboot.
2. Select Reboot Devices from the Tasks pane.
3. Expand the tree on the page as needed to locate the available devices.
4. Select the check box for one or more devices.
5. Click Done to start the reboot or click Cancel to return to the Device Inventory page.
The rebooting process triggers a Cold Start Alarm that can be seen in Fault mode.
Related Documentation
• Understanding the Edge Services Director User Interface on page 5
Viewing the Device Inventory Page in Device View of Edge Services Director
The Device Inventory page lists devices managed by Edge Services Director and provides
basic information about the devices, such as IP address and current operating status.
The Device Inventory page is available in Build and Deploy mode and is the default landing
page for Build mode.
The scope you have selected in the View pane and the network view that you have
selected from the View selector determines which devices are listed in the Device Inventory
page. For example:
• If you are in the Device View and select My Network, all devices managed by Edge
Services Director are listed.
• If you select a building in Location view, only those devices assigned to that building
(including the floors and closets in the building) are listed.
The Device Inventory page provides three pie charts that summarize the status of the
devices in your selected scope:
• Devices by Category—Indicates the proportion of devices in each device family.
• Connection State—Shows the proportion of devices that are up or down. In this chart,
Virtual Chassis count as one device.
• Configuration State—Shows the proportion of devices in each configuration state. See
the Config State entry in Table 32 on page 130 for definitions of the configuration states.
Figure 17: Device Inventory Page
Mouse over a pie segment to view the actual number of devices and the percentage
represented by that pie segment.
Table 32 on page 130 describes the fields in the Device Inventory table.
Table 42: Fields in the Device Inventory Table
Field | Description
Hostname | Configured name of the device or IP address if no hostname is configured.
IP Address | IP address of the device.
Serial Number | Serial number of device chassis.
Platform | Model number of the device.
OS Version | Operating system version running on the device.
Device Family | Device family of the device, such as JUNOS for MX Series routers.
Device Type | Type of the device:
• ROUTER—MX Series routers
• AP—Wireless LAN access point
• Fabric Member—QFabric member switch
• QFabric—QFabric system
• Switch—Standalone switch
• VC—Virtual Chassis master
• VC Member—Virtual Chassis member switch
Connection State | Connection status of the device in Edge Services Director:
• UP—Device is connected to Edge Services Director.
• DOWN—Device is not connected to Edge Services Director.
• N/A—Access point state is unavailable to Edge Services Director.
Config State | Displays the configuration status of the device:
• In Sync—The configuration on the device is in sync with the Edge Services
Director configuration for the device.
• Out Of Sync—The configuration on the device does not match the Edge
Services Director configuration for the device. This state is usually the
result of the device configuration being altered outside of Edge Services
Director.
You cannot deploy configuration on a device from Edge Services Director
when the device is Out Of Sync. To resolve this state, use the
Resynchronize Device Configuration task in Deploy mode.
• Sync failed—An attempt to resynchronize an Out Of Sync device failed.
• Synchronizing—The device configuration is in the process of being
resynchronized.
• N/A—The device is down or is an access point.
Manageability State | Displays if the device is directly manageable or not.
This is a hidden field. To display the Manageability State field, click any
column, click the down arrow to expand the list, select Columns from the
list, and then enable Manageability State.
Viewing the Physical Inventory of Devices
You can view the physical inventory of all the devices in your network in the Device Physical
Inventory page. The Device Physical Inventory page displays information about the slots
that are available for a device and provides information about power supplies, chassis
cards, fans, part numbers, and so on. Edge Services Director displays hardware inventory
by device name, based on data retrieved both from the device during discovery and
resynchronizing operations, and from the data stored in the hardware catalog. For each
managed device, the physical inventory page provides descriptions for field replaceable
units (FRUs), part numbers, model numbers, and the pluggable locations from which
empty slots are determined.
To view the Device Physical Inventory page, while in the Build mode, select an MX Series
router from the View pane and select Device Management > Physical Inventory from the
Tasks pane.
The physical inventory page displays the model number, part number, serial number, and
description for the following, depending on the device that you selected:
• For MX Series routers, the page displays details of the switch, the chassis, the Flexible
PIC Concentrator (FPC), the PIC slot, the PIC installed in the PIC slot, the power supply,
the fan tray, and the routing engine.
You can view the following details from the Device Physical Inventory page as described
in Table 43 on page 172.
Table 43: Fields in the Device Physical Inventory Table
Field | Description
Item | Name of the device and the components that are part of the device. By default, Edge Services
Director displays the device and components in an expanded tree structure. You can click
a device or component to collapse or expand the sub-components.
Model Number | Model number of the FRU hardware component.
Part Number | Part number of the MX Series router chassis component.
Serial Number | The hardware serial number of the device.
Description | The description about the component.
Related Documentation
• Understanding the Edge Services Director User Interface on page 5
Viewing a Device's Current Configuration from Edge Services Director
You can view a device’s current configuration from Edge Services Director. This is a
convenient way to view device configurations without leaving Edge Services Director.
To view a device's current configuration:
1. Click Build or Deploy in the Edge Services Director banner.
2. Select the device in the View pane.
3. Select Device Management > Show Current Configuration in the Tasks pane.
4. The device’s current configuration displays in the main window.
Related Documentation
• Understanding the Edge Services Director User Interface on page 5
Viewing Licenses With Edge Services Director
Juniper Networks devices require a license to operate some features. You can view the
licenses for devices connected to Edge Services Director.
To view the license for a Juniper Networks device on your network:
1. Select the Build icon in the Edge Services Director banner.
2. In the View pane, select a wireless or wired device.
3. In the Tasks pane, select View License Information.
The Licenses page for that object is displayed with the fields listed in
Table 44 on page 173.
Table 44: Viewing Licenses with Edge Services Director
Field | Description
Feature Name | Name of the licensed SKU or feature. It can be used to look up the license with
Juniper Networks. Not all devices support this.
License Count | Number of times an item has been licensed. This value can have contributions
from more than one licensed SKU or feature. Alternatively, it can be 1, no matter
how many times it has been licensed.
Used Count | Number of times the feature is used. For some types of licenses, the license count
will be 1, no matter how many times it is used. For capacity-based licensable
items, if infringement is supported, the license count can exceed the given count,
which has a corresponding effect on the need count.
Need Count | Number of times the feature is used without a license. Not all devices can provide
this information.
Given Count | Number of instances of the feature that are provided by default.
NOTE: If a device does not have a license, a blank page is displayed with
the message, No license is installed on this device. If you are sure the device
has a license, try resynchronizing the device before displaying the license
again.
4. Optionally, expand the license information by feature name to view the feature SKU
information. Table 45 on page 174 describes the additional fields that are displayed.
Table 45: Additional Licensing Information
Field | Description
Validity Type | Validity type can be Databased (license expires on end date), Permanent,
Countdown (license expires when time remaining is zero), or Trial. If the validity
type is either Databased or Countdown, more information is displayed—License
Name, License Version, License State, and Time Remaining. Additional
information can be added in the details grid based on the SKU type (SKU or
Feature)—Start Date, End Date, or Original Time Allowed.
License Name | If the validity type is either Databased or Countdown, the identifier associated
with a license key is displayed.
License Version | If the validity type is either Databased or Countdown, the version of a license is
displayed. The version indicates how the license is validated, the type of signature,
and the signer of the license key.
License State | If the validity type is either Databased or Countdown, the state of the license is
displayed—Valid, Invalid, or Expired.
Time Remaining | If the validity type is either Databased or Countdown, the remaining time left on
the license is displayed. For a trial license, the number of days remaining after
you installed the device is displayed. For a commercial license, the time remaining
is unlimited.
Start Date | Based on the SKU type, the start date of the license can be displayed in the
details grid.
End Date | Based on the SKU type, the end date of the license can be displayed in the details
grid.
Original Time Allowed | Based on the SKU type, the original license timeframe can be displayed here.
NOTE: If you apply a new license to an existing device, you must resynchronize
the device before the new license is seen in Edge Services Director. For
directions, see “Resynchronizing Device Configuration” on page 322.
Related Documentation
• Understanding the Edge Services Director User Interface on page 5
PART 4
Service View of Build Mode
• About Build Mode in Service View
• Using the Service Designer
• Using the Object Builder
• Managing Packet Analyzers
CHAPTER 12
About Build Mode in Service View
• Understanding Build Mode in Service View of Edge Services Director
Understanding Build Mode in Service View of Edge Services Director
In Build mode, you can create services, policies, and filters for devices that are managed
by Edge Services Director. The service templates and attributes for services, policies, and
filters help you classify and control the manner in which packets must be handled by the
various services.
Configuring a policy has a major impact on the flow of routing information or packets
within and through the router. For example, you can configure a routing policy that does
not allow routes associated with a particular customer to be placed in the routing table.
As a result of this routing policy, the customer routes are not used to forward data packets
to various destinations and the routes are not advertised by the routing protocol to
neighbors.
You can also import objects, which are components or parameters used for creation of
services, from the Service Delivery Gateways (SDGs) that are present in the Edge Services
Director database or from external XML files.
This topic contains the following sections that describe the different workspaces or
utilities that you can access from Build mode:
• Service Designer
• Services Inventory
• Object Builder
Service Designer
The service planning functionality enables you to use the Service Designer page to create
service templates, which can be used on multiple devices. The Service Designer page
lists all service components used to create service templates. According to the business
needs, you can configure generic properties in a template and enable the editing of
deployment-specific parameters. The operator can then easily and quickly configure the
service on a large number of devices. You can use the Service Designer page to define
and manage stateful firewall (SFW), carrier-grade NAT (CGNAT), application delivery
controller (ADC), and traffic load balancing (TLB) services.
NOTE: Edge Services Director currently supports only brownfield deployments
and not greenfield deployments. A greenfield deployment refers to the Junos
OS base configurations and bootstrapping, core device settings such as
routing instances, interfaces and IP addresses, and routing protocols to be
available for configuration using the network management application. A
brownfield deployment refers to the basic and mandatory device settings
already being configured on the devices before they are imported or
discovered for additional modifications, such as configuration of services,
using the network management application.
As a designer, you can also modify service parameters and definitions by
using the View Service page that you can open from the Service Gateways
-- Unmanaged devices page in the Build mode without using service templates
for updating services details. All the service components are listed on the
Service Designer page so that the designer can choose components and
create the new service template.
Services Inventory
The Services Inventory page lists the services configured in the Edge Services Director
database and provides basic information about the configured services, such as adaptive
delivery controller (ADC), stateful firewall (SFW), server load balancing (SLB), and carrier
grade NAT (CGNAT). The Services Inventory page is available in Build mode and under
Service view.
Object Builder
Objects are constituents or building blocks that are used to create service definitions and
policy or filter templates. You can use the Object Builder page to retrieve and transfer
the objects or components that have been previously created on the SDGs or devices.
The objects might reside on the managed SDGs or SDG groups if the objects were defined
using the appropriate configuration statements and parameters in the Junos CLI interface
of the respective SDGs. This mechanism of importing object settings enables you to
easily, quickly, and optimally use the object definitions when you create service and policy
templates.
Related Documentation
• Understanding Edge Services Director and the Management Lifecycle Modes on page 14
CHAPTER 13
Using the Service Designer
• Object Builder Overview
• Service Templates Overview
• Filtering Service Templates
• Viewing Service Templates
• Viewing the Services Inventory Page
• Using the Actions Menu on the Service Template and Service Edit Pages
• Viewing a Graphical Statistic of Service Templates
• Creating and Managing ADC Service Templates
• Creating and Managing CGNAT Service Templates
• Creating and Managing SFW Service Templates
• Creating and Managing TLB Service Templates
• Modifying Individual Service Instances and Deploying to Devices
Object Builder Overview
You can use the Object Builder workspace in Edge Services Director to create objects to
be used by firewall policies, VPNs, and NAT policies. These objects are stored in the Junos
Space database. You can reuse these objects with multiple security policies, VPNs, and
NAT policies.
You can use the Object Builder workspace to create, modify, clone, and delete the
following objects:
• Addresses and address groups
• Services and service groups
• Variables
You cannot delete any of the objects that you created in Object Builder (except Template
definition and Templates) if they are already used in a firewall policy, NAT policy, or any
other service definition.
Object Builder supports concurrent editing of its objects, with a save as option to save
your changes with a different name.
Concurrent editing is supported for the following objects:
• Addresses and address groups
• Application signatures
• Stateful firewall rules
• Stateful firewall rule sets
• CGNAT pools
• CGNAT rule sets
• CGNAT rules
• Real server settings
If you attempt to save your changes to an object that has been modified since you began
editing, you receive an error message.
Related Documentation
• Understanding the Object Builder on page 285
• Importing All Types of Objects on page 286
• Importing SFW Rule Sets on page 288
• Importing SFW Rules on page 290
• Importing Real Server Settings on page 291
• Importing CGNAT Rule Sets on page 293
• Importing CGNAT Rules on page 294
• Importing CGNAT Pools on page 296
• Importing Applications on page 297
• Importing Application Sets on page 298
Service Templates Overview
You use the service templates to configure the following attributes and settings for the
following four types of services:
• Stateful firewall (SFW)
• Carrier-Grade network addressing (CGNAT)
• Traffic load balancer (TLB)
• Application delivery controller (ADC)
After you create and publish the service templates, you can use these templates to create
service deployment plans. The deployment plans are defined with the SDGs on which
services need to be deployed. After the deployment plans are published and approved,
the services can be deployed to become effective on the relevant SDGs.
Related Documentation
• Planning and Deployment of Service Templates Overview on page 463
Filtering Service Templates
You can filter service templates to sort and identify the service definitions that are of
interest or necessary for your network needs. To filter service templates based on their
states:
1. From the View selector, select Service View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the task pane, select Service Template > Manage Service Templates. The Service
Templates page is displayed.
4. From the View pane, perform one of the following tasks:
• Click the ADC button.
The list of ADC service templates is displayed. You need not click this button if you
are launching the Service Designer page for the first time or are navigating to this
page from another mode or a different page. You need to click this button only if
you are viewing the other service templates, such as CGNAT or TLB.
• Click the SFW button.
The list of SFW templates is displayed.
• Click the TLB button.
The list of TLB templates is displayed.
• Click the CGNAT button.
The list of CGNAT templates is displayed.
5. To filter and sort the display of service templates, enter the name of the template as
a match criterion in the Search box and click the Search icon.
The page refreshes to display the service templates that match with the specified
criterion. You can use the paging controls to navigate across multiple pages of objects
as necessary.
Related Documentation
• Planning and Deployment of Service Templates Overview on page 463
Viewing Service Templates
On the Service Designer page, you can view the collection of service templates defined
for several applications, such as stateful firewall or CGNAT.
To view the list of service templates, such as ADC, SFW, CGNAT, or TLB templates:
1. From the View selector, select Service View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the task pane, select Service Template > View Statistics.
The Service Designer page displays a bar graph in the top pane of the page. The total
number of service templates of each type is displayed on the vertical axis and the
service type is shown on the horizontal axis. A color-coding format is used to represent
the bars on the graph. Published service templates are shown in olive green color and
unpublished service templates are shown in blue color. Mouse over each bar in the
chart to highlight and display the number of templates published or unpublished for
each type of service.
4. From the View pane, perform one of the following tasks:
• Click the All Services item to view all of the service types, such as ADC, TLB, SFW,
and CGNAT.
• Click the ADC button.
The list of ADC service templates is displayed. You need not click this button if you
are launching the Service Designer page for the first time or are navigating to this
page from another mode or a different page. You need to click this button only if
you are viewing the other service templates, such as CGNAT or TLB.
• Click the SFW button.
The list of SFW templates is displayed.
• Click the TLB button.
The list of TLB templates is displayed.
• Click the CGNAT button.
The list of CGNAT templates is displayed.
Table 46 on page 184 describes the fields displayed on the Service Designer page:
Table 46: Service Designer View
Field | Description
Name | Name of the service template.
Description | User-defined description of the template.
Created By | Name of the user who created the template.
Created Time | Time and date when the template was created. The server time zone
determines the time zone displayed on this page.
Modified Time | Time and date when the template was last updated. The server time
zone determines the time zone displayed on this page.
5. Click the Add icon above the list of templates to create a new template.
6. Click the Edit icon above the list of templates to modify an existing template.
7. Click the Delete icon above the list of templates to delete an existing template.
Related Documentation
• Service Templates Overview on page 182
• Filtering Service Templates on page 183
• Using the Actions Menu on the Service Template and Service Edit Pages on page 187
Viewing the Services Inventory Page
The Services Inventory page lists the services configured in the Edge Services Director
database and provides basic information about the configured services, such as adaptive
delivery controller (ADC), stateful firewall (SFW), server load balancing (SLB), and carrier
grade NAT (CGNAT). The Services Inventory page is available in Build mode and under
Service view.
To view the services inventory page:
1. From the View selector, select Service View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the task pane, select Inventory > View Inventory. The Services Inventory page is
displayed.
Figure 18: Services Inventory Page
4. From the View pane, do one of the following:
• Select ADC to open the Inventory > ADC page on the right pane.
• Select TLB to open the Inventory > TLB page on the right pane.
• Select CGNAT to open the Inventory > CGNAT page on the right pane.
• Select SFW to open the Inventory > SFW page on the right pane.
Table 47 on page 186 describes the fields on the Services page.
Table 47: Fields on the Services Page
Field | Description
Service Name | Name of the configured service, such as stateful firewall or CGNAT.
Click the plus sign (+) beside each service to view extensive
information on attributes configured for the service.
Service Gateway | Name of the service delivery gateway.
Host | Hostname of the device.
Service Type | Type of the service, such as ADC, SFW, CGNAT, or TLB.
Service Pic and Interface | Services PIC and interface details, such as multiservices PIC or
adaptive services PIC with the FPC slot, PIC, and port attributes.
SDG Group | Name of the group to which the SDG is assigned.
To view configuration and run-time information for services:
1. Sort the table by mousing over the column header for the data you want to sort by
and clicking the down arrow. Select Sort Ascending or Sort Descending.
2. Show columns not in the default table view, or hide columns, as follows:
   1. Mouse over any column header and click the down arrow.
   2. Select Columns from the menu.
   3. Select the check boxes for columns that you want to view. Clear the check boxes
   for columns that you want to hide.
3. View information about devices as follows:
• To restrict the display of devices, enter a search criterion of one or more characters
in the Search bar and press Enter.
All devices that match the search criterion are shown in the main display area.
Related Documentation
• Viewing Device Statistics
• Viewing Configuration Details of Services on Devices
• Viewing Discovery Logs
• Viewing Discovery Profiles
Using the Actions Menu on the Service Template and Service Edit Pages
You can use the Actions menu on the Service Template and Service Edit pages for ADC,
TLB, CGNAT, and SFW service instances to publish, unpublish, and clone the defined
service instances. You can also create a deployment plan for the service or discard the
changes made to the service.
• Publishing a Service Template
• Unpublishing a Service Template
• Exporting a Service to a CSV File
• Cloning a Service Template
• Creating a Deploy Plan and Provisioning Services Immediately
Publishing a Service Template
You need to publish a service template definition when you want to make it available to
create device templates from the template definition.
To publish a service template:
1. From the View selector, select Service View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the task pane, select Service Template > Manage Service Templates.
The Service Templates page is displayed in the right pane, listing all the previously
defined service instances.
4. From the View pane, perform one of the following tasks:
• Click the ADC button.
The list of ADC service instances is displayed. You need not click this button if you
are launching the Service Designer page for the first time or are navigating to this
page from another mode or a different page. You need to click this button only if
you are viewing the other service instances, such as CGNAT or TLB.
• Click the SFW button.
The list of SFW templates is displayed.
• Click the TLB button.
The list of TLB templates is displayed.
• Click the CGNAT button.
The list of CGNAT templates is displayed.
5. Select a template, and click the Publish button.
The filter status changes from “Draft” to “Published”. The Publish option is available
only if all selected filters are assigned the Draft status.
Unpublishing a Service Template
To make a template definition unavailable to operators, you must unpublish it. You must
also unpublish a definition before you can modify or delete it. If you unpublish a definition
that is already being used as the basis for templates, all templates based on that definition
are disabled. Republishing the definition alone is not enough to reenable the templates.
The templates must be reviewed before they can be reenabled.
To unpublish a service template:
1. From the View selector, select Service View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the task pane, select Service Template > Manage Service Templates.
The Service Templates page is displayed in the right pane, listing all the previously
defined service instances.
4. From the View pane, perform one of the following tasks:
• Click the ADC button.
The list of ADC service instances is displayed. You need not click this button if you
are launching the Service Designer page for the first time or are navigating to this
page from another mode or a different page. You need to click this button only if
you are viewing the other service instances, such as CGNAT or TLB.
• Click the SFW button.
The list of SFW templates is displayed.
• Click the TLB button.
The list of TLB templates is displayed.
• Click the CGNAT button.
The list of CGNAT templates is displayed.
5. Select a template, and click the Unpublish button above the table of listed templates.
The filter status changes from “Published” to “Draft”. The Unpublish option is available
only if all selected filters are assigned the Published status.
Exporting a Service to a CSV File
You can export the service template settings and parameters to a comma-separated
value (.csv) file, which you can open in a spreadsheet or any other business application on
your client computer.
To export a service template to a CSV file:
1. From the View selector, select Service View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the task pane, select Service Template > Manage Service Templates.
The Service Templates page is displayed in the right pane, listing all the previously
defined service instances.
4. From the View pane, perform one of the following tasks:
• Click the ADC button.
The list of ADC service instances is displayed. You need not click this button if you
are launching the Service Designer page for the first time or are navigating to this
page from another mode or a different page. You need to click this button only if
you are viewing the other service instances, such as CGNAT or TLB.
• Click the SFW button.
The list of SFW templates is displayed.
• Click the TLB button.
The list of TLB templates is displayed.
• Click the CGNAT button.
The list of CGNAT templates is displayed.
5. Click the Actions menu, and select Export to CSV from the drop-down menu.
The Export dialog box appears.
6. Export the policy information to the CSV file. You can export information about selected
devices or export information about all of the devices managed by Junos Space.
• Select the check box next to the managed SDG or SDG pair that you want to export
to a CSV file, and click the Export Selected button to export the policy information
about selected devices and begin creating the CSV file.
• Click the Export All button to export the policy information for all the devices and
begin creating the CSV file.
A progress bar is displayed to indicate the percentage of completion of the export job.
After the export job is completed, a download link is displayed that you can click to
download the CSV file.
Cloning a Service Template
You clone a template definition to quickly create a new template definition with a new
name but the same properties. To modify a template definition without disabling templates
based upon that definition, first clone the definition, then modify the clone.
To clone a service template:
1. From the View selector, select Service View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the task pane, select Service Template > Manage Service Templates.
The Service Templates page is displayed in the right pane, listing all the previously
defined service instances.
4. From the View pane, perform one of the following tasks:
• Click the ADC button.
The list of ADC service instances is displayed. You need not click this button if you
are launching the Service Designer page for the first time or are navigating to this
page from another mode or a different page. You need to click this button only if
you are viewing the other service instances, such as CGNAT or TLB.
• Click the SFW button.
The list of SFW templates is displayed.
• Click the TLB button.
The list of TLB templates is displayed.
• Click the CGNAT button.
The list of CGNAT templates is displayed.
5. Select the template you want to clone.
6. Click the Clone button above the table of displayed templates.
7. In the Name field, type a user-defined template definition name. A template definition
name cannot exceed 128 characters and can contain only letters, numbers, spaces,
and some special characters. The special characters allowed are hyphen (-),
underscore (_), period (.), at (@), single quote (’), forward slash (/), and ampersand
(&).
8. (Optional) In the Description field, type a user-defined description (limit of 255
characters). The description cannot exceed 256 characters. The operators who use
the template definition to create templates rely on the description for information on
the template definition.
9. Click Save to save the template. The dialog box closes and the Manage Service
Templates window appears.
Creating a Deploy Plan and Provisioning Services Immediately
To deploy a deployment plan and policies immediately:
1. From the View selector, select Gateway View or Service View. The workspaces that
are applicable to this view are displayed. In Gateway view, the devices in the entire
network are displayed, organized by the device types and the device models within
each device type. In Service View, the different types of services are displayed in the
View pane.
2. From the Junos Space user interface, click the Deploy icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the View pane, select the All Network item in Gateway view. Click the plus sign
(+) beside the All Network item in the View pane to expand the tree and select the
device node you want.
4. From the task pane, select Service Edit. The Service Instances page is displayed.
5. In the Service Edit page, from the tree that lists the SDGs, select All Service Gateways,
or the SDG or SDG pair for which you want to view the previously configured policy or
filter templates. This step is applicable only if you selected Gateway View.
The page is divided into two panes. The list of SDGs is displayed on the left pane.
You can drill down to the SDG or pair of SDGs for which you want to process policies
or filters. The policy and filter rules are displayed in the right pane.
6. Alternatively, if you are in Service view, from the View pane, perform one of the
following tasks:
• Click the ADC button.
The list of ADC service instances is displayed. You need not click this button if you
are launching the Service Designer page for the first time or are navigating to this
page from another mode or a different page. You need to click this button only if
you are viewing the other service instances, such as CGNAT or TLB.
• Click the SFW button.
The list of SFW templates is displayed.
• Click the TLB button.
The list of TLB templates is displayed.
• Click the CGNAT button.
The list of CGNAT templates is displayed.
7. From the task pane, select Service Edit. The Service Instances page is displayed.
8. In the Service Instances page, from the tree that lists the SDGs, select All Service
Gateways, or the SDG or SDG pair for which you want to view the previously configured
policy or filter templates.
You can drill down to the SDG or pair of SDGs for which you want to process policies
or filters. The service instances associated with each SDG in an SDG pair are displayed.
9. In the Service Instances page, select a service instance and click the Lock icon.
The corresponding service instance is locked and is available for modifications.
10. Click the Send for Deployment button.
• If you create a deployment plan from Gateway view of Deploy mode, the Deployment
Plan Summary dialog box appears, with the service name, type, and status listed.
Click Send to create a deployment plan.
• If you create a deployment plan from Service view of Deploy mode, the Edit Service
Instance page is displayed. You can modify the SDGs associated with the service
instance and also modify the service instance attributes as necessary by either
clicking the buttons corresponding to the various settings at the top of the wizard
page to directly traverse to the page you want to modify or clicking the navigation
buttons at the bottom of the wizard page to go to the different pages of the wizard.
Click Finish to create a deployment plan.
The configuration deployment job runs. To view the status or results of the deployment
job, you can view the Deployment Plans page. In the Deployment Plans page, the
Provision Status and Message columns are updated to indicate the progress of
commissioning. If the deployment succeeds, the status shows Commissioned. If the
deployment fails, the status changes to Commission Failed.
Alternatively, you can select Discard changes from the Actions menu to ignore the
modifications made to a policy or filter template.
Related Documentation
• Service Templates Overview
• Filtering Service Templates
• Viewing Service Templates
Viewing a Graphical Statistic of Service Templates
To view the total number of service templates that are previously configured in the Edge
Services Director database and are in the published or unpublished states:
1. From the View selector, select Service View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the task pane, select Service Template > View Statistics.
The Service Template Statistics page is displayed.
Figure 19: Service Template Statistics Page
The page displays a bar graph in the top pane of the page. The count of service
templates of each type is displayed on the vertical axis and the service type is shown
on the horizontal axis. A color-coding format is used to represent the bars on the graph.
Published service templates are shown in olive green color and unpublished service
templates are shown in blue color. Mouse over each bar in the chart to highlight and
display the number of templates published or unpublished for each type of service.
Related Documentation
• Creating and Managing ADC Service Templates
• Creating and Managing CGNAT Service Templates
• Creating and Managing SFW Service Templates
• Creating and Managing TLB Service Templates
Creating and Managing ADC Service Templates
You can configure the adaptive delivery controller (ADC) software within your router to
balance user session traffic among a group of available servers that provide shared
services. The ADC software uses Junos OS firewall filters, Junos OS routing instances of
type forwarding-instance, and Junos OS logical interfaces and interface address families
(units and addresses) defined on the Multiservices-DPCs running the ADC software.
You can perform the following tasks with the Service Designer page for ADC:
• Create an ADC service template with attributes and settings for load balancing
operations.
• Modify an existing ADC template to meet the network needs and deployment scenarios.
• Delete an existing template.

• Creating an ADC Service Template
• Importing an ADC Service Template
• Creating a Deployment Plan
• Creating a Real Server
• Creating a Group for Real Servers
• Load-Balancing Methods for Real-Server Groups
• Creating a Client-Facing Interface and Routing Instance
• Creating a Server-Facing Interface and Routing Instance
• Creating a Services PIC for an ADC Service Template
• Creating a Health Check for an ADC Service Template
• Creating a Custom Health Check for an ADC Instance
• Creating a Virtual Service for an ADC Service Template
• Creating a Virtual Server for an ADC Service Template
• Creating a Firewall Rule for an ADC Service Template
• Modifying ADC Service Templates
Creating an ADC Service Template
To configure a new ADC service template:
1. From the View selector, select Service View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the task pane, select Service Templates.
The Manage Service Templates page is displayed.
4. Click the ADC button.
The list of ADC service templates is displayed. You need not click this button if you
are launching the Service Designer page for the first time or are navigating to this page
from another mode or a different page. You need to click this button only if you are
viewing the other service templates, such as CGNAT or TLB.
The Service Designer page displays a bar graph in the top pane of the page. The total
number of service templates of each type is displayed on the vertical axis and the
service type is shown on the horizontal axis. A color-coding format is used to represent
the bars on the graph. Published service templates are shown in olive green color and
unpublished service templates are shown in blue color. Mouse over each bar in the
chart to highlight and display the number of templates published or unpublished for
each type of service.
5. Click the Add icon.
The Create an ADC Planning Template window appears.
Figure 20: Create ADC Service Template Window
6. In the Name field, enter a name for the service template or profile (limit of 63
alphanumeric characters without spaces).
7. In the ADC Instance Name field, enter a name for the service instance (limit of 63
alphanumeric characters without spaces). Each service instance that you define can
be applied to a single SDG or multiple SDGs.
8. (Optional) Alternatively, instead of creating a new template entirely, click the Import
button to clone an existing template by importing it. You can import the parameters
defined for a previous ADC service instance and customize only the settings that are
necessary.
Imported templates are created without any device assigned to them. To use these
templates, you must associate a device with the policy.
The Import Services dialog box is displayed. See Importing an ADC Service Template
for step-by-step details on importing an ADC service template.
9. The Create an ADC Planning Template window displays the individual elements or
components of the service with a graphical icon for each of the service elements and
the corresponding names in separate boxes. You can add, edit, or delete these service
elements in a template.
The Property View tab and the Config View tab are displayed on the right pane of the
template window. The Property View tab provides a tree-based structure of the
parameters defined in a service template. You can expand the tree and view details
of each component. A key value pair representation is shown. Each of the components
can be treated as categories of the service template shown in the property view.
The Config View tab displays the elements or components specified for a service
template in the form of configuration stanzas and hierarchy levels. This display is
similar to the show command that you can use at a certain [edit] hierarchy level to
view the defined settings. Each level in the hierarchy is indented to indicate each
statement's relative position in the hierarchy. Each level is generally set off with braces,
with an open brace ({) at the beginning of each hierarchy level and a closing brace
(}) at the end. If the statement at a hierarchy level is empty, the braces are not
displayed. Each leaf statement ends with a semicolon (;), as does the last statement
in the hierarchy.
a. Click the green tick mark (✓) displayed at the top-right corner of each of the service
element boxes to create a new element. If the green tick mark is not shown, it
indicates that the user role does not have the permission to create an element.
b. Click the red cross mark (x) displayed at the top-right corner of the icons of each
element if you want to delete the existing configuration. The user with designer
role has permissions to remove or edit elements.
c. If the red cross mark is not displayed beside a particular icon, it signifies that the
element cannot be deleted.
d. The diamond icon that contains an orange tick mark within it at the top-right corner
of the service component name denotes that the particular element can be
modified. The absence of this icon denotes that the user does not have permissions
to modify the attributes of the service component.
e. Double-click each icon pertaining to a service element to view or edit its settings.
If you do not possess the permission to modify the element, a view-only dialog box
with the attributes of the selected element is shown. Otherwise, an editable dialog
box enables you to modify the settings.
f. Click the Maximize icon displayed at the top-right corner of the rectangle or box
that shows all of the values or entities of a particular component of a service
template. The specified component or attribute is displayed as a separate dialog
box, listing all of the values of the particular component. You can add, modify, or
delete the listed values.
g. While creating the new service template, the designer can add or modify service
parameter values and also restrict the access level for each service parameter for
the operator. The designer can set the following access levels for each service
parameter for the operator in the planning template. Click the new icon (cascading files
icon) displayed at the top-left corner of each of the element boxes to open the
shortcut menu. You can click one of the following radio buttons:
• Read-only (the configuration parameter is read-only for the operator as part of
provisioning)
• Editable (the configuration parameter is editable as part of provisioning)
• Device-Specific (the configuration parameter value needs to be entered by the
operator for each device during deployment)
h. In the ADC Configuration Parameters box, do the following:
• Select the Failed Server Loyalty check box to enable failed server protection. If
any server in a server group fails, the remaining servers continue to provide access
to vital applications and data. The failed server can be brought back up without
interrupting access to services.
• Select the Clear on Tcp Reset check box to clear the adaptive load-balancing
mechanism when a Reset flag is received in a TCP packet.
i. Click Save to save the service template configuration. Otherwise, click Close to discard
the changes to the template.
j. Click Save & Publish to save and publish the service template configuration. The
designer must publish the service templates to the operator to use in the creation
of deployment plans. After a filter or policy is published, it goes for peer review and
approval. After approval, the filter or policy is deployed to the device.
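The brace-and-semicolon layout that the Config View tab uses (step 9) can be flattened to one line per leaf statement, which makes two versions of a template's configuration easy to compare during peer review and approval. The following Python code is an added example, not part of the Juniper documentation or product; the sample configuration text and the names flatten, review_diff, APPROVED, and PROPOSED are assumptions constructed for illustration.

```python
import re

# One token per match: quoted string, /* */ comment, # comment, a structural
# character, a bare word, or a stray quote (reported as an error below).
_TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|/\*.*?\*/|#[^\n]*|[{};]|[^\s{};"]+|"', re.S)


class ConfigSyntaxError(ValueError):
    """Raised when braces or semicolons do not form a valid hierarchy."""


def flatten(text):
    """Return one tuple of words per leaf statement, in document order."""
    levels = []   # words that opened each hierarchy level still in scope
    words = []    # words read since the last '{', ';' or '}'
    leaves = []
    for tok in _TOKEN.findall(text):
        is_block_comment = len(tok) >= 4 and tok.startswith('/*') and tok.endswith('*/')
        if is_block_comment or tok.startswith('#'):
            continue                      # annotations are not configuration
        if tok == '"':
            raise ConfigSyntaxError('unterminated quoted string')
        if tok == '{':                    # open brace: start of a hierarchy level
            if not words:
                raise ConfigSyntaxError("'{' with no statement name before it")
            levels.append(words)
            words = []
        elif tok == ';':                  # semicolon: end of a leaf statement
            if not words:
                raise ConfigSyntaxError("';' with no statement before it")
            prefix = [w for level in levels for w in level]
            leaves.append(tuple(prefix + words))
            words = []
        elif tok == '}':                  # closing brace: end of the level
            if words:
                raise ConfigSyntaxError("missing ';' after: " + ' '.join(words))
            if not levels:
                raise ConfigSyntaxError("'}' with no matching '{'")
            levels.pop()
        else:
            words.append(tok)
    if words:
        raise ConfigSyntaxError("missing ';' after: " + ' '.join(words))
    if levels:
        raise ConfigSyntaxError('unclosed level: ' + ' '.join(levels[-1]))
    return leaves


def review_diff(approved, proposed):
    """Leaf statements added to or removed from the approved configuration."""
    old, new = set(flatten(approved)), set(flatten(proposed))
    return {
        'added': sorted(' '.join(leaf) for leaf in new - old),
        'removed': sorted(' '.join(leaf) for leaf in old - new),
    }


# Constructed sample text (not taken from a real device or template).
APPROVED = """
/* constructed sample */
routing-instances {
    client-ri {
        instance-type forwarding;
    }
}
firewall {
    family inet {
        filter adc-in {
            term t1 {
                from {
                    destination-address {
                        192.0.2.10/32;
                    }
                }
                then accept;
            }
        }
    }
}
"""

# The proposed version widens the matched destination from a host to a /24.
PROPOSED = APPROVED.replace('192.0.2.10/32', '192.0.2.0/24')

if __name__ == '__main__':
    for kind, lines in review_diff(APPROVED, PROPOSED).items():
        for line in lines:
            print(kind, line)
```

A level whose braces are omitted because it is empty appears as an ordinary leaf statement, so it is compared like any other line.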
Importing an ADC Service Template
To create a clone of an existing ADC template by importing it:
1. From the View selector, select Service View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the task pane, select Service Templates. The Manage Service Templates page
is displayed.
4. Click the ADC button. The list of ADC service templates is displayed. You need not
click this button if you are launching the Service Designer page for the first time or are
navigating to this page from another mode or a different page. You need to click this
button only if you are viewing the other service templates, such as CGNAT or TLB.
5. Click the Add icon. The Create an ADC Planning Template window appears.
6. Enter the name of the template and the service instance in the respective fields.
7. Click the Import button. The Import Services dialog box appears.
You can import the service templates assigned to SDGs or choose from a list of all of
the predefined templates in the database. Also, you can either import all of the
components of a service or specific components.
8. Perform one of the following for the Import section:
• Select the From Existing Service Gateway radio button if you want to import the
CGNAT rule from SDGs that are present in the Edge Services Director database.
• Select the From XML radio button if you want to import the CGNAT rule from an
XML configuration file on an external system.
9. If you selected the option to import the object from SDGs, do the following:
• Click the Normal View tab to view the list of SDGs. You can search for specific SDGs
by entering a search item and clicking the Search icon.
Alternatively, click the Group View tab to view the list of SDG groups. You can search
for specific SDG groups by entering a search item and clicking the Search icon.
• Click the plus sign (+) next to the All Service Gateways item to expand the tree
structure that displays the list of SDGs or SDG groups. If the SDG pair is configured,
you can select one of the devices, master or standby, from which you want to import
the object.
Alternatively, if you selected the Group View tab, you can select an SDG from the
groups displayed from which you want to import the object.
• Click Import. The object is added to the database and can be used during
configuration of services or policies.
10. If you selected the option to import from an XML file, do the following:
• Click Browse beside the File Name field to navigate to the path where an XML file
is available to be imported.
• Click Upload. The service template is added to the database and can be used during
configuration of services or policies.
11. Do one of the following to import all components of a selected template or only a
particular component of a template. For the components that are not imported, you
need to specify the definitions of the components afresh.
• Select the check boxes next to all of the service instances that are displayed for the
selected SDG or SDG group, or for the XML file that you uploaded. In such a case,
all of the elements or parameters of the selected template or instance are imported.
• Alternatively, select the check box next to a particular service instance or group of
service instances to import only a specific component of the selected template.
For example, if the service instance you are importing contains Routing Interface
Details from the list of individual service components being retrieved to the service
template you are creating, you can import the client-facing and server-facing
interface and routing instances. The interface and routing instance where client
packets are received from the list of all the items that belong to the devices in the
inventory form the client-facing set. The interface and routing instance through
which packets traverse to servers from the list of all the items that belong to the
devices in the inventory form the server-facing set.
NOTE: Client-facing interfaces—The device interfaces where client
traffic is received. Traffic arriving on these interfaces is handled by the
ADC software and destined to be routed to the virtual IP addresses and
filter destination addresses configured in the instance. At least one
client-facing interface must be specified for each adc-instance. A
client-facing interface can be shared between instances.
Server-facing interfaces—The device interfaces where servers are
connected, usually through switches or routers. Traffic to the servers is
routed to these interfaces. At least one server-facing interface must be
specified for each load-balancing instance; a server-facing interface
can be shared between instances. The same device interface can be
used as a client-facing interface in one (or more) adc-instances, and as
a server-facing interface in other instances.
12. Similarly, you can select other components and import them to the template. Save
the imported components to add them to the template you are creating by using the
imported template as a base.
Creating a Deployment Plan
You must have previously defined service templates and policy or filter templates before
you can create a deployment plan.
To create a deployment plan and assign devices to it:
1. From the View selector, select Service View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Deploy icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the task pane, select Service Edit. The Manage Service Templates page is
displayed.
4. Click the ADC button. The list of ADC service templates is displayed. You need not
click this button if you are launching the Service Designer page for the first time or are
navigating to this page from another mode or a different page. You need to click this
button only if you are viewing the other service templates, such as CGNAT or TLB.
5. Select the check boxes next to the SDGs or SDG groups that you want to assign to
the plan. Based on your selection of a service or a policy template, the components
or attributes are shown for the corresponding device.
6. From the boxes that show the components of a service template, you can edit, delete,
or add elements to it. If you do not have permissions to update a template, the
corresponding icons are not shown.
7. Click the down arrow in the Actions menu and select Send for Deployment to create
a deployment plan for the particular service template and save the plan.
• If you create a deployment plan from Gateway view of Deploy mode, the Deployment
Plan Summary dialog box appears, with the service name, type, and status listed.
Click Send to create a deployment plan.
• If you create a deployment plan from Service view of Deploy mode, the Edit Service
Instance page is displayed. You can modify the SDGs associated with the service
instance and also modify the service instance attributes as necessary by either
clicking the buttons corresponding to the various settings at the top of the wizard
page to directly traverse to the page you want to modify or clicking the navigation
buttons at the bottom of the wizard page to go to the different pages of the wizard.
Click Finish to create a deployment plan.
A deploy plan is created for the service template with the devices that are assigned
to it when you view the Deployment Plans page.
8. Alternatively, you can select Discard changes from the Actions menu to ignore the
modifications made to a policy or filter template.
9. From the Deployment plans page, you can select Reject or Approve from the Actions
drop-down list to reject or approve the deployment plan and make it available for
commissioning to the devices.
Creating a Real Server
To create a real server as a component for the ADC template:
1. From the View selector, select Service View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the task pane, select Service Templates. The Manage Service Templates page
is displayed.
4. Click the ADC button. The list of ADC service templates is displayed.
5. Click the Add icon. The Create an ADC Planning Template window appears.
6. Enter the name of the template and the service instance in the respective fields.
7. Click the green plus sign in the Real Servers box. The Addition of Real Server dialog
box appears.
NOTE: For the service elements that you can configure using the Object
Builder workspace, such as applications and rules, when you click the
green plus sign (+) at the top-right corner of each of the service element
boxes, the shortcut menu is displayed. Click the Create New radio button
to create the service component afresh. Alternatively, click the Import from
Object Builder radio button to open a dialog box that enables you to select
from the list of service elements that are present in the database of Edge
Services Director and import them into the service template.
If a green tick mark is shown beside a field in the dialog box, it denotes
that you can add attributes for that component. A red cross mark shows
that you can delete that particular attribute for that component.
8. In the Name field, enter the name to identify the real server. Make sure the servers are
connected via a router interface that is defined as a server-facing interface for the
adc-instance. For each real server, you must assign a real-server name and specify
its actual IP address.
9. In the Address Family field, select IPv4 to specify an IPv4 address, or select IPv6 to
enter the IPv6 address of the real server.
10. In the IP Address field, specify the IP address of the real server.
11. In the Health check section, select the check box and specify the following:
• In the Interval field, specify the amount of time, in seconds, between polls of the
real server by the router.
NOTE: The ADC software monitors the servers in the real-server group
and the load-balanced applications running on them. If a router detects
that a server or application has failed, it does not direct any new
connection requests to that server. When a service fails, the ADC
software can remove the individual service from the load-balancing
algorithm without affecting other services provided by that server. By
default, the router checks the status of each service on each real server
every five (5) seconds. Sometimes, the real server can be too busy
processing connections to respond to health checks. If a service does
not respond to four consecutive health checks, the router, by default,
declares the service unavailable. You can modify both the health check
interval and the number of retries.
• In the Failure-retries field, specify the number of times the router attempts its check
on the real server before marking the server as unavailable. In the Recovery-retries
field, specify the number of times the router attempts to recover the real-server
connection.
• In the Recovery Retries field, set the number of recovery retries to attempt to
determine server recovery. The range is from 1 through 63.
12. In the Listing Ports section, click the plus sign to add as many ports as needed for the
real server. Enter the port number in the Port field. For example, you might require
ports for the common application ports and the applications that use them, such as
8080 for HTTP and 443 for HTTPS.
13. In the Content String section, click the plus sign to add as many content strings as
needed for the real server. Enter the string for matching traffic to be sent
to the real server in the String field. ADC software supports two content-string methods
(URL hashing and URL pattern matching) and all Layer 4 load-balancing methods. If
you do not add a defined string (or add the defined string any), the server handles any
request. Content string handling applies to the DNS, RTSP, HTTP services, and to
filters.
You can assign one or more content strings to each real server. When more than one
URL string is assigned to a real server, requests matching any string are redirected to
that real server. There is also a special string known as "any" that matches all content.
14. Click Save to save the service template configuration. Else, click Close to discard the
changes to the template.
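The polling behaviour described in step 11, as an added example (not Juniper's code): a small Python model of a per-service health monitor that uses the defaults stated above, a 5-second interval and four failure retries. The class, function and field names are hypothetical, and treating recovery retries as the number of consecutive answered checks needed before a server returns to rotation is an assumption, because the guide does not define it precisely.

```python
from dataclasses import dataclass, field


@dataclass
class HealthMonitor:
    """Per-service health-check state, modelled on the behaviour in the text.

    Hypothetical names. Defaults follow the guide: one poll every 5 seconds,
    service declared unavailable after 4 consecutive unanswered checks.
    ASSUMPTION: recovery_retries is the number of consecutive answered checks
    required before the server is put back in rotation.
    """
    interval: int = 5
    failure_retries: int = 4
    recovery_retries: int = 2
    available: bool = True
    transitions: list = field(default_factory=list)
    _misses: int = field(default=0, init=False, repr=False)
    _hits: int = field(default=0, init=False, repr=False)

    def __post_init__(self):
        # The guide gives 1 through 63 as the range for recovery retries.
        if not 1 <= self.recovery_retries <= 63:
            raise ValueError("recovery retries must be in the range 1-63")
        if self.interval < 1 or self.failure_retries < 1:
            raise ValueError("interval and failure retries must be positive")

    def detection_window(self):
        """Seconds from the last answered poll to the poll that declares the
        service unavailable (per-check timeouts are ignored)."""
        return self.interval * self.failure_retries

    def observe(self, t, responded):
        """Record the result of the poll made at time t (seconds)."""
        if responded:
            self._misses = 0          # only consecutive misses count
            if not self.available:
                self._hits += 1
                if self._hits >= self.recovery_retries:
                    self.available = True
                    self._hits = 0
                    self.transitions.append((t, "available"))
        else:
            self._hits = 0            # a miss restarts the recovery count
            if self.available:
                self._misses += 1
                if self._misses >= self.failure_retries:
                    self.available = False
                    self._misses = 0
                    self.transitions.append((t, "unavailable"))
        return self.available


def replay(monitor, results):
    """Feed one poll result per interval, starting at t=0; return transitions."""
    for k, responded in enumerate(results):
        monitor.observe(k * monitor.interval, responded)
    return monitor.transitions


# Constructed poll results: a busy server misses three checks and answers the
# fourth (stays in rotation), then misses four in a row (removed), then
# answers twice (restored).
SAMPLE = [True, False, False, False, True,
          False, False, False, False, True, True]

if __name__ == "__main__":
    m = HealthMonitor()
    for t, state in replay(m, SAMPLE):
        print(f"t={t:>3}s  service {state}")
    print("detection window:", m.detection_window(), "s")
```

Lowering the interval or the failure retries shortens the window in which new connections are still sent to a dead server, at the cost of removing servers that are only briefly too busy to answer.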
Creating a Group for Real Servers
Define the group and assign real servers to it. The real servers in any given group must
have an IP address accessible to the module that performs the SLB functions. This IP
routing is most easily accomplished by placing the servers on a network local to the
router. Routing to the server can be used as long as it does not violate the topology rules
outlined.
A group is a collection of multiple servers with the same content, so that client requests
can be load-balanced between them.
To create a group of real servers:
1. From the View selector, select Service View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the task pane, select Service Templates.
The Manage Service Templates page is displayed.
4. Click the ADC button.
The list of ADC service templates is displayed.
5. Click the Add icon.
The Create an ADC Planning Template window appears.
6. In the Template Name field, enter a name for the service template or profile (limit of
63 alphanumeric characters without spaces).
7. In the Instance Name field, enter a meaningful, easily-identifiable name for the service
instance (limit of 255 characters). Each service instance you define can be applied to
a single or multiple SDGs.
8. Click the green plus sign in the Server Groups box. The Addition of Group dialog box
appears.
NOTE: For the service elements that you can configure using the Object
Builder workspace, such as applications and rules, when you click the
green plus sign (+) at the top-right corner of each of the service element
boxes, the shortcut menu is displayed. Click the Create New radio button
to create the service component afresh. Alternatively, click the Import from
Object Builder radio button to open a dialog box that enables you to select
from the list of service elements that are present in the database of Edge
Services Director and import them into the service template.
If a green tick mark is shown beside a field in the dialog box, it denotes
that you can add attributes for that component. A red cross mark shows
that you can delete that particular attribute for that component.
9. In the Name field, enter the name for the real servers group.
10. In the Group Unit field, specify the unit on a group. In general, the unit is used when
the traffic is going out from the ADC software to the server. To support virtual routers
on the server side, each server is assigned a unit. When the traffic is going out from
the ADC software to this server, the traffic goes out from the matching
Multiservices-DPC NPU IFL (ms-x/y/z.#, where # is the unit). This allows you to attach
the relevant IFL to a virtual router and attach the server to this virtual router. If the unit
is not configured on the server, the unit is taken from the group configuration. If the
unit is not configured in the group, the unit is taken from the adc-instance configuration.
If no unit is configured, the ADC software uses the default unit (unit 0).
For example, if you specify the unit as 40, it sets all servers inside this group to use
unit 40, unless a unit is configured on a specific server inside the group.
11. From the Load Balance Method list, select the method of load balancing for the real
servers group. Load-balancing methods are used for selecting which real-server in a
group receives the next client connection. The available metrics include hash, least
connections, round-robin, response (response time), and bandwidth.
12. In the Real Servers section, assign the real servers to be part of the group. Select the
real servers from the Available column and click the right arrow to move the server to
the Selected column.
13. In the Health Check section, do one of the following:
The ADC software monitors the servers in the real-server group and the load-balanced
applications running on them. If a router detects that a server or application has failed,
it does not direct any new connection requests to that server. When a service fails,
the ADC software can remove the individual service from the load-balancing algorithm
without affecting other services provided by that server. By default, the router checks
the status of each service on each real server every five (5) seconds. Sometimes, the
real server can be too busy processing connections to respond to health checks. If a
service does not respond to four consecutive health checks, the router, by default,
declares the service unavailable. You can modify both the health check interval and
the number of retries.
• Select the DNS radio button to configure DNS health checking. Enter the hostname
for which health verification needs to be performed.
• Select the HTTP radio button to configure HTTP-based health check. HTTP-based
health checks can include the hostname for Host headers. The Host header and
health check URL are constructed from the Virtual server hostname, domain name,
and the server group health check field. Enter the URL for which health check is
needed and the HTTP header method, such as GET, PUT, POST, DELETE, and
PATCH. Select Use Head Method to have the HTTP HEAD method retrieve
HTTP headers only.
• Select the PING radio button to configure ping-based health checking. Ping health
checks verify if the real server is alive.
• Select the SSLHELLO radio button to set Secure Sockets Layer (SSL) hello
health-check parameters. SSL version 2 (SSLv2) is used for the SSL health check.
• Select the SCRIPT radio button to create a custom-based health check. From the
Custom Health Check field, specify tcp or udp as the protocol for the script to use
in a custom health check. A script is made up of one or more TCP or UDP command
containers. A script can contain any number of these containers, up to the allowable
number of characters that a script supports.
14. Click Save to save the service template configuration. Else, click Close to discard the
changes to the template.
Load-Balancing Methods for Real-Server Groups
The following methods for real server groups are supported:
• Hash—The hash load-balancing method uses IP address information in the client
request to select a server. For virtual-services, the client source IP address is used. All
requests from a specific client are sent to the same server. This is useful for applications
where client information must be retained between sessions. When selecting a server,
a mathematical hash of the relevant IP address information is used as an index into
the list of currently available servers. Any given IP address information always has the
same hash result, providing natural persistence, as long as the server list is stable.
When a configured server becomes unavailable, clients bound to operational servers
continue to be bound to the same servers for future sessions and clients bound to
unavailable servers are rehashed to select an operational server. Some services allow
you to hash using the client-ip and port. This is done using the source-port-inhash
parameter. There are more hash options in filters, which are set using the
load-balancing-hash parameter.
• Least Connections—With the least-connections load-balancing method, the number
of connections currently open on each real server is measured in real time. The server
with the fewest current connections is considered to be the best choice for the next
client connection request. This option is the most self-regulating, with the fastest
servers typically getting the most connections over time.
• Round-Robin—With the round-robin load-balancing method, new connections are
issued to each server in turn; that is, the first real server in the group gets the first
connection, the second real server gets the next connection, followed by the third real
server, and so on. When all the real servers in this group have received at least one
connection, the issuing process starts over with the first real server.
• Response Time—The response-time load-balancing method uses real-server response
time to assign sessions to servers. The response time between the servers and the
load-balancing module is used as the weighting factor. The router monitors and records
the amount of time it takes for each real server to reply to a health check to adjust the
real-server weights. The weights are adjusted so they are inversely proportional to a
moving average of response time. In such a scenario, a server with half the response
time as another server receives a weight twice as large. Note: The effects of the
response-time or bandwidth weighting apply directly to the real servers and are not
necessarily confined to the group. When response-time or bandwidth-metered real
servers are also used in other groups that use the least connections, round-robin, or
hash methods, the response-time or bandwidth weights are applied on top of the
method calculations for the affected real servers. Since the response-time or bandwidth
weight changes dynamically, this can produce fluctuations in traffic distribution for
the groups that use the least-connections, round-robin, or hash load-balancing
methods.
• Bandwidth—The bandwidth load-balancing method uses real-server octet counts to
assign sessions to a server. The load-balancing module monitors the number of octets
sent between the server and the module. Then, the real-server weights are adjusted
so they are inversely proportional to the number of octets that the real server processes
during the last interval. Servers that process more octets are considered to have less
available bandwidth than servers that have processed fewer octets. For example, the
server that processes half the amount of octets over the last interval receives twice
the weight of the other servers. The higher the bandwidth used, the smaller the weight
assigned to the server. Based on this weighting, the subsequent requests go to the
server with the highest amount of free bandwidth. These weights are automatically
assigned.
NOTE: The effects of the response-time or bandwidth weighting apply
directly to the real servers and are not necessarily confined to the group.
When response-time or bandwidth-metered real servers are also used in
other groups that use the least-connections, round-robin, or hash methods,
the response-time or bandwidth weights are applied on top of the method
calculations for the affected real servers. Since the response-time or
bandwidth weight changes dynamically, this can produce fluctuations in
traffic distribution for the groups that use the least-connections,
round-robin, or hash load-balancing methods.
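An added Python sketch (not Juniper's implementation) of two behaviours described above: hash selection that keeps clients on their server while it is operational and rehashes only the clients of an unavailable server, and weights inversely proportional to response time or octet count. The hash function (SHA-256 of the client IP), the two-stage lookup in pick_sticky, the server names and the client addresses are assumptions chosen for the illustration.

```python
import hashlib


def hash_index(client_ip, n):
    """Stable index in range(n) derived from the client source IP."""
    digest = hashlib.sha256(client_ip.encode("ascii")).digest()
    return int.from_bytes(digest[:8], "big") % n


def pick_naive(client_ip, configured, available):
    """Index straight into the list of currently available servers.

    Shown for contrast: when that list shrinks, the index of every later
    server shifts, so clients of healthy servers are moved as well.
    """
    operational = [s for s in configured if s in available]
    if not operational:
        raise RuntimeError("no operational real server in the group")
    return operational[hash_index(client_ip, len(operational))]


def pick_sticky(client_ip, configured, available):
    """Hash over the configured list first; rehash only if that server is down.

    ASSUMPTION: this two-stage lookup is one way to get the persistence the
    text describes (clients bound to operational servers stay bound, clients
    of an unavailable server are rehashed onto an operational one).
    """
    operational = [s for s in configured if s in available]
    if not operational:
        raise RuntimeError("no operational real server in the group")
    first = configured[hash_index(client_ip, len(configured))]
    if first in available:
        return first
    return operational[hash_index(client_ip, len(operational))]


def disrupted(picker, clients, configured, failed):
    """Count clients whose server stayed up but whose binding still changed."""
    up = set(configured) - {failed}
    count = 0
    for ip in clients:
        before = picker(ip, configured, set(configured))
        after = picker(ip, configured, up)
        if before != failed and after != before:
            count += 1
    return count


def inverse_weights(metric):
    """Weights inversely proportional to a per-server metric.

    metric maps server -> moving-average response time, or octets processed
    in the last interval. The worst server gets weight 1.0, so a server with
    half the metric gets weight 2.0. Values below 1 are floored at 1 to avoid
    division by zero for an idle server (an assumption of this sketch).
    """
    floored = {s: max(v, 1) for s, v in metric.items()}
    worst = max(floored.values())
    return {s: worst / v for s, v in floored.items()}


# Constructed inputs: three real servers and 200 client addresses taken from
# the 198.51.100.0/24 documentation range.
SERVERS = ["rs1", "rs2", "rs3"]
CLIENTS = [f"198.51.100.{i}" for i in range(1, 201)]

if __name__ == "__main__":
    print("healthy-server clients moved when rs2 fails:")
    print("  naive :", disrupted(pick_naive, CLIENTS, SERVERS, "rs2"))
    print("  sticky:", disrupted(pick_sticky, CLIENTS, SERVERS, "rs2"))
    print("response-time weights:", inverse_weights({"rs1": 20, "rs2": 40}))
```

Sessions that move to a different real server lose any state held only on the original server, which is why the number of healthy-server clients moved is the figure to watch when a server drops out.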
Creating a Client-Facing Interface and Routing Instance
Clients and servers can be connected through the same router port. Each port in use on
the router can be configured to process client requests, server traffic, or both:
Client-facing interfaces—Router ports through which client requests to the virtual server
are received.
Server-facing interfaces—Router ports to which servers are connected (directly or through
routing). Responses to clients are received on the router through these ports.
To assign a client-facing instance and interface to an ADC template:
1. From the View selector, select Service View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the task pane, select Service Templates.
The Manage Service Templates page is displayed.
4. Click the ADC button.
The list of ADC service templates is displayed.
5. Click the Add icon.
The Create an ADC Planning Template window appears.
6. In the Template Name field, enter a name for the service template or profile (limit of
63 alphanumeric characters without spaces).
7. In the Instance Name field, enter a meaningful, easily-identifiable name for the service
instance (limit of 255 characters). Each service instance you define can be applied to
a single or multiple SDGs.
8. Click the green plus sign in the Client-Facing box. The Client facing dialog box appears.
NOTE: For the service elements that you can configure using the Object
Builder workspace, such as applications and rules, when you click the
green plus sign (+) at the top-right corner of each of the service element
boxes, the shortcut menu is displayed. Click the Create New radio button
to create the service component afresh. Alternatively, click the Import from
Object Builder radio button to open a dialog box that enables you to select
from the list of service elements that are present in the database of Edge
Services Director and import them into the service template.
If a green tick mark is shown beside a field in the dialog box, it denotes
that you can add attributes for that component. A red cross mark shows
that you can delete that particular attribute for that component.
9. From the Service Gateway Name field, select the SDG group with which the service
element must be associated.
10. From the Host Name field, select the SDG in the SDG high-availability pair of active
and standby SDGs.
11. In the Device Inventory Routing Instances section, select the check box next to the
routing instance of the SDG that must be used for packets arriving from clients or
users. All the routing instances from the inventory of devices are listed.
12. In the Device Inventory Interfaces section, select the check box next to the interface
instance of the SDG that must be used for packets arriving from clients or users. All
of the interfaces from the inventory of devices are listed.
13. Click OK to save the settings. Else, click Cancel to discard the configuration.
Creating a Server-Facing Interface and Routing Instance
Clients and servers can be connected through the same router port. Each port in use on
the router can be configured to process client requests, server traffic, or both:
Client-facing interfaces—Router ports through which client requests to the virtual server
are received.
Server-facing interfaces—Router ports to which servers are connected (directly or through
routing). Responses to clients are received on the router through these ports.
To assign a server-facing instance and interface to an ADC template:
1. From the View selector, select Service View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the task pane, select Service Templates.
The Manage Service Templates page is displayed.
4. Click the ADC button.
The list of ADC service templates is displayed.
5. Click the Add icon.
The Create an ADC Planning Template window appears.
6. In the Template Name field, enter a name for the service template or profile (limit of
63 alphanumeric characters without spaces).
7. In the Instance Name field, enter a meaningful, easily-identifiable name for the service
instance (limit of 255 characters). Each service instance you define can be applied to
a single or multiple SDGs.
8. Click the green plus sign in the Client-Facing box. The Client facing dialog box appears.
NOTE: For the service elements that you can configure using the Object
Builder workspace, such as applications and rules, when you click the
green plus sign (+) at the top-right corner of each of the service element
boxes, the shortcut menu is displayed. Click the Create New radio button
to create the service component afresh. Alternatively, click the Import from
Object Builder radio button to open a dialog box that enables you to select
from the list of service elements that are present in the database of Edge
Services Director and import them into the service template.
If a green tick mark is shown beside a field in the dialog box, it denotes
that you can add attributes for that component. A red cross mark shows
that you can delete that particular attribute for that component.
9. From the Service Gateway Name field, select the SDG group with which the service
element must be associated.
10. From the Host Name field, select the SDG in the SDG high-availability pair of active
and standby SDGs.
11. In the Device Inventory Routing Instances section, select the check box next to the
routing instance of the SDG that must be used for packets traversing to the servers.
All the routing instances from the inventory of devices are listed.
12. In the Device Inventory Interfaces section, select the check box next to the interface
instance of the SDG that must be used for packets to be sent to the servers. All of the
interfaces from the inventory of devices are listed.
13. Click OK to save the settings. Else, click Cancel to discard the configuration.
Creating a Services PIC for an ADC Service Template
Multiservices (ms-) interfaces are the physical multiservices interfaces of a device that
are used to run the load-balancing instance application. The more multiservices interfaces
used for a load-balancing instance, the more capacity and processing power the instance
has. At least one MS interface must be specified for each adc-instance; up to eight
interfaces can run the same instance. A multiservices interface is associated exclusively
to a single load-balancing instance (it cannot be shared between instances).
To assign a services interface to an ADC template:
1. From the View selector, select Service View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the task pane, select Service Templates.
The Manage Service Templates page is displayed.
4. Click the ADC button.
The list of ADC service templates is displayed.
5. Click the Add icon.
The Create an ADC Planning Template window appears.
6. Enter the name of the template and the service instance in the respective fields.
7. Click the green plus sign in the Service Pic box. The Service Pic dialog box appears.
NOTE: For the service elements that you can configure using the Object
Builder workspace, such as applications and rules, when you click the
green plus sign (+) at the top-right corner of each of the service element
boxes, the shortcut menu is displayed. Click the Create New radio button
to create the service component afresh. Alternatively, click the Import from
Object Builder radio button to open a dialog box that enables you to select
from the list of service elements that are present in the database of Edge
Services Director and import them into the service template.
If a green tick mark is shown beside a field in the dialog box, it denotes
that you can add attributes for that component. A red cross mark shows
that you can delete that particular attribute for that component.
8. From the Service Gateway Name field, select the SDG group with which the service
element must be associated.
9. From the Host Name field, select the SDG in the SDG high-availability pair of active
and standby SDGs.
10. Select the check box next to the ms- interface of an SDG that must be assigned to
the ADC template.
11. Click OK to save the settings. Else, click Cancel to discard the configuration.
Creating a Health Check for an ADC Service Template
The ADC software does health checking on each defined server (see Health Checking,
page 183). In order for the traffic to get from the ADC software to the server, a source IP
with the same subunit as the server must be defined. Usually all subunits that are in use
in a certain adc-instance must have a matching IP address with the same subunit defined
in the instance.
The health check itself is defined at the group parameter. Select a health check based
on the application running on the real server in question. If the real server is an LDAP
server, for example, use the LDAP health check method. It is important to make sure that
the server can answer connections from the IP address configured. This source IP address
must be “routable” back to the router. Each server in the load-balancing instance has a
sub-unit attached to it. Before the ADC software sends a health check to a server, it
checks the sub-unit attached to the server, then chooses the source IP address to use
for this server health check according to the address configured under the same unit in
the health-check-source configuration. As a result, each sub-unit attached to a server
must have a matching address in the health-check-source configuration. This way the
ADC software can send health checks to servers using this sub-unit. When no health
check address is defined for the unit, all servers with this unit are in a failed status. Family
inet is the only supported family under the health-check-source configuration.
To configure a health check source for an ADC template:
1. From the View selector, select Service View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the task pane, select Service Templates.
The Manage Service Templates page is displayed.
4. Click the ADC button.
The list of ADC service templates is displayed.
5. Click the Add icon.
The Create an ADC Planning Template window appears.
6. In the Template Name field, enter a name for the service template or profile (limit of
63 alphanumeric characters without spaces).
7. In the Instance Name field, enter a meaningful, easily-identifiable name for the service
instance (limit of 255 characters). Each service instance you define can be applied to
a single or multiple SDGs.
8. Click the green plus sign in the Health Check box. The Addition of Health Check dialog
box appears.
NOTE: For the service elements that you can configure using the Object
Builder workspace, such as applications and rules, when you click the
green plus sign (+) at the top-right corner of each of the service element
boxes, the shortcut menu is displayed. Click the Create New radio button
to create the service component afresh. Alternatively, click the Import from
Object Builder radio button to open a dialog box that enables you to select
from the list of service elements that are present in the database of Edge
Services Director and import them into the service template.
If a green tick mark is shown beside a field in the dialog box, it denotes
that you can add attributes for that component. A red cross mark shows
that you can delete that particular attribute for that component.
9. Specify the unit of the health check source in the Unit field. As part of the
auto-configuration, the ADC software defines IFLs and IFAs (units and addresses) on
the Multiservices-DPC. These IFLs require a unique unit number that is used later in
auto-configured filters to direct traffic. By default, the units used by the ADC software
for automatic configuration are in the range of 10,000 to 11,032.
10. Select the IPv4 Family check box to specify IPv4 as the address protocol family.
11. Specify the IPv4 address of the source for health verification in the IP Address field.
12. Select the IPv6 Family check box to specify IPv6 as the address protocol family.
13. Specify the IPv6 address prefix of the source for health verification in the IP Address
field.
14. Click Save to save the settings. Else, click Cancel to discard the configuration.
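The unit fallback described under Creating a Group for Real Servers (server, then group, then adc-instance, then unit 0) and the health-check-source rule in this section can be checked offline before a template is sent for deployment. The following Python is an added example, not part of Edge Services Director; the dictionary layout, field names and addresses are constructed for the illustration.

```python
import ipaddress

DEFAULT_UNIT = 0  # the guide: if no unit is configured, unit 0 is used

MISSING = "no health-check source for this unit; server will be in failed status"
NOT_INET = "health-check source is not family inet"


def effective_unit(server, group, instance):
    """Resolve the unit a server uses: server, then group, then adc-instance."""
    for scope in (server, group, instance):
        unit = scope.get("unit")
        if unit is not None:          # unit 0 is a valid explicit value
            return unit
    return DEFAULT_UNIT


def lint_health_check_sources(instance):
    """Return (server, unit, reason) for every server whose health checks
    cannot be sourced.

    Rules taken from the text: each unit attached to a server needs a matching
    address under health-check-source, and family inet is the only family the
    text lists as supported there.
    """
    sources = instance.get("health_check_source", {})   # unit -> address
    findings = []
    for group in instance.get("groups", []):
        for server in group.get("servers", []):
            unit = effective_unit(server, group, instance)
            address = sources.get(unit)
            if address is None:
                findings.append((server["name"], unit, MISSING))
            elif ipaddress.ip_interface(address).version != 4:
                findings.append((server["name"], unit, NOT_INET))
    return findings


# Constructed template data (hypothetical layout, documentation addresses).
ADC_INSTANCE = {
    "name": "adc-example",
    "unit": 20,
    "health_check_source": {
        20: "192.0.2.1",
        40: "192.0.2.65",
        60: "2001:db8::1",
    },
    "groups": [
        {"name": "web", "unit": 40,
         "servers": [{"name": "rs1"},                 # inherits 40 from group
                     {"name": "rs2", "unit": 50}]},   # own unit, no source
        {"name": "dns",
         "servers": [{"name": "rs3"},                 # inherits 20 from instance
                     {"name": "rs4", "unit": 60}]},   # IPv6 source only
    ],
}

if __name__ == "__main__":
    for name, unit, reason in lint_health_check_sources(ADC_INSTANCE):
        print(f"{name} (unit {unit}): {reason}")
```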
Creating a Custom Health Check for an ADC Instance
You can configure the ADC software to send a series of health-check requests to real
servers or real-server groups and monitor the responses. Health checks are supported
for TCP and UDP protocols, using either binary or ASCII content.
Health check scripts dynamically verify application and content availability by executing
a sequence of tests based on send and expect commands. You can configure the ADC
software to send a series of health check requests to real servers or real-server groups
and monitor the responses. Both ASCII and binary-based scripts, for TCP and UDP
protocols, can be used to verify application and content availability.
To configure a custom health-check script for an ADC template:
1. From the View selector, select Service View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the task pane, select Service Templates.
The Manage Service Templates page is displayed.
4. Click the ADC button.
The list of ADC service templates is displayed.
5. Click the Add icon.
The Create an ADC Planning Template window appears.
6. In the Template Name field, enter a name for the service template or profile (limit of
63 alphanumeric characters without spaces).
7. In the Instance Name field, enter a meaningful, easily-identifiable name for the service
instance (limit of 255 characters). Each service instance you define can be applied to
a single or multiple SDGs.
8. Click the green plus sign in the Custom Health Check box. The Addition of Custom
Health Check dialog box appears.
NOTE: For the service elements that you can configure using the Object
Builder workspace, such as applications and rules, when you click the
green plus sign (+) at the top-right corner of each of the service element
boxes, the shortcut menu is displayed. Click the Create New radio button
to create the service component afresh. Alternatively, click the Import from
Object Builder radio button to open a dialog box that enables you to select
from the list of service elements that are present in the database of Edge
Services Director and import them into the service template.
If a green tick mark is shown beside a field in the dialog box, it denotes
that you can add attributes for that component. A red cross mark shows
that you can delete that particular attribute for that component.
9. Specify the name of the script to be used for health-check in the Script Name field.
A script is made up of one or more TCP or UDP command containers. A script can
contain any number of these containers, up to the allowable number of characters
that a script supports.
10. Select the type of protocol for custom health-check from the Command Type list. You
can select either TCP or UDP. Commands exist to open a connection to a specific TCP
or UDP port, send a request to the server, and expect an ASCII string or binary pattern.
Only one protocol can be configured per script.
11. Specify the name of the command for custom health-check in the Command Name
field.
The name of the TCP or UDP command for script-based health-check is a container
for one or more commands.
12. Click the Add icon to create a health-check command. The Health Check Command
dialog box is displayed.
You can also select the check boxes beside existing commands from the list of
previously configured commands from the Custom Health Check dialog box if you
want to assign them to the health-check script. Click Save to save the settings.
13. In the Health Check Command dialog box, enter the unique identifier for the command
to be used for diagnosing and monitoring the health of servers or URLs using
script-based checking in the Command ID field.
14. Select the type of command for script-based health monitoring from the Command
Type list.
The following are the currently available commands for building a script-based health
check:
• open—Specifies which destination real-server UDP port to use; for example, OPEN
9201. After entering the destination port, you are prompted to specify a protocol;
choose udp.
• send—Specifies the send content in raw hexadecimal format.
• binary-send (for binary content only)—Used to specify binary content (in
hexadecimal format) for the request packet.
• expect—Specifies the expected content in raw hexadecimal format.
• binary-expect (for binary content only)—Used to specify the binary content (in
hexadecimal format) to be expected from the server response packet.
• offset (for binary content only)—Specifies the offset from the beginning of the
binary data area to start matching the content specified in the binary-expect
command. The offset command is supported for both UDP and TCP-based health
checks. Specify the offset command after a binary-expect command if an offset is
desired. If this command is not present, an offset of zero is assumed.
• depth (for binary content only)—Specifies the number of bytes in the IP packet that
should be examined. If no offset value is specified, depth is specified from the
beginning of the packet. When depth is not specified, it is the length of the content.
This means that the content is expected exactly at the offset specified (or 0 when
the offset is not specified).
• wait—Specifies a wait interval before the expected response is returned. The wait
window begins when the send string is sent from the ADC. If the expected response
is received within the window, the wait step passes. Otherwise, the health check
fails. The wait window is in units of milliseconds. When the wait value is not specified,
the script waits according to the real server configured interval.
15. Enter a value corresponding to the command type selected in the Value field. You
can enter one of the following types of values based on the command type:
• binary-expect and binary-send hexadecimal-value—Specifies the content to expect
from the server response packet using hexadecimal format.
• depth number—Specifies the number of bytes in the IP packet that should be
examined. If no offset value is specified, depth is specified from the beginning of
the packet. Default: The default value is the length of the content.
• offset number—Specifies the offset from the beginning of the binary data area to
start matching the content specified in the binary-expect command. The offset
command is supported for both UDP-based and TCP-based health checks. If you
require an offset, specify the offset command after a binary-expect command.
Default: 0
• binary-expect, binary-send, and expect wait interval—Specifies a wait interval before
the expected response is returned. The wait interval begins when the send string is
sent from the ADC software. If the expected response is received within the interval,
the wait step passes. Otherwise, the health check fails. The wait interval is expressed
in units of milliseconds. When the wait interval is not specified, the script waits
according to the real server configured interval. Range: 0 through 65535
• send text—Specifies the send content in raw hexadecimal format.
• open port—Specifies which destination real-server UDP port to use; for example,
open 9201.
16. Click Save to save your settings in the Health Check Command dialog box. You are
returned to the Custom Health Check dialog box and the newly configured command
is added to the list shown.
17. Click OK to save the settings in the Custom Health Check dialog box. Else, click Cancel
to discard the configuration.
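The command rules in steps 14 and 15, as an added Python example that is not part of this guide or of the ADC software: validate_script checks one command container against the stated rules, and binary_expect_matches applies offset and depth to a response. The Command class, the function names, the sample bytes, the 0 through 65535 bound used for port, offset and depth, and the reading that depth is counted from the offset are assumptions.

```python
from dataclasses import dataclass


@dataclass
class Command:
    kind: str   # open, send, binary-send, expect, binary-expect, offset, depth or wait
    value: str  # text entered in the Value field


def parse_hex(value):
    """Return the bytes of a hexadecimal value, or None when it is empty or malformed."""
    try:
        return bytes.fromhex(value) or None
    except ValueError:
        return None


def parse_int(value, low, high):
    """Return value as an int within [low, high], or None."""
    if value.isascii() and value.isdigit() and low <= int(value) <= high:
        return int(value)
    return None


def validate_script(protocol, commands):
    """Return the problems found in one command container; an empty list means clean."""
    problems = []
    if protocol not in ("tcp", "udp"):
        problems.append("script: protocol must be tcp or udp (one protocol per script)")
    expect = None          # bytes of the binary-expect that offset/depth would modify
    after_expect = False   # True while offset/depth may appear
    for pos, cmd in enumerate(commands, 1):
        if cmd.kind == "open":
            after_expect = False
            if parse_int(cmd.value, 0, 65535) is None:
                problems.append(f"{pos}: open needs a destination port number")
        elif cmd.kind in ("binary-send", "binary-expect"):
            content = parse_hex(cmd.value)
            if content is None:
                problems.append(f"{pos}: {cmd.kind} value is not valid hexadecimal")
            after_expect, expect = cmd.kind == "binary-expect", content
        elif cmd.kind in ("send", "expect"):
            after_expect = False
            if not cmd.value:
                problems.append(f"{pos}: {cmd.kind} needs content")
        elif cmd.kind in ("offset", "depth"):
            number = parse_int(cmd.value, 0, 65535)  # upper bound is an assumption
            if number is None:
                problems.append(f"{pos}: {cmd.kind} needs a non-negative number")
            elif not after_expect:
                problems.append(f"{pos}: {cmd.kind} must follow a binary-expect command")
            elif cmd.kind == "depth" and expect and number < len(expect):
                problems.append(f"{pos}: depth {number} is shorter than the expected content")
        elif cmd.kind == "wait":
            if parse_int(cmd.value, 0, 65535) is None:
                problems.append(f"{pos}: wait must be 0 through 65535 milliseconds")
        else:
            problems.append(f"{pos}: unknown command type {cmd.kind!r}")
    return problems


def binary_expect_matches(response, content_hex, offset=0, depth=None):
    """Apply binary-expect with optional offset and depth to a server response."""
    content = bytes.fromhex(content_hex)
    if depth is None:
        depth = len(content)  # default: the content must sit exactly at the offset
    return content in response[offset:offset + depth]


# Constructed 12-byte binary response and two constructed scripts.
SAMPLE_RESPONSE = bytes.fromhex("1a2b81800001000100000000")
GOOD_SCRIPT = [
    Command("open", "9201"),
    Command("binary-send", "1a2b01000001000000000000"),
    Command("binary-expect", "8180"),
    Command("offset", "2"),
    Command("wait", "500"),
]
BAD_SCRIPT = [
    Command("open", "9201"),
    Command("offset", "2"),             # appears before any binary-expect
    Command("binary-expect", "81zz"),   # not hexadecimal
    Command("wait", "70000"),           # outside 0 through 65535
]

if __name__ == "__main__":
    print(validate_script("udp", GOOD_SCRIPT))
    for problem in validate_script("udp", BAD_SCRIPT):
        print(problem)
    print(binary_expect_matches(SAMPLE_RESPONSE, "8180", offset=2))
```

With the default depth, an expected pattern that sits at byte 2 does not match at offset 0; it matches only when offset is 2 or depth is widened to cover it.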
Creating a Virtual Service for an ADC Service Template
A virtual service is a service that is being load-balanced across the servers in the group;
for example, dns-virtual-service. The service belongs to a virtual server, which defines the
IP address through which the service is accessible to the client. The service is accessed
through one or more predefined application ports (TCP or UDP). The virtual server defines
the IP address to which client requests are sent. The virtual service defines a destination
port within the virtual-server IP address. The virtual service configuration includes
parameters relevant to the processing of client requests to this service. The service is
actually provided by the real servers in the group defined in the virtual service.
To configure a virtual service for an ADC template:
1. From the View selector, select Service View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the task pane, select Service Templates.
The Manage Service Templates page is displayed.
4. Click the ADC button.
The list of ADC service templates is displayed.
5. Click the Add icon.
The Create an ADC Planning Template window appears.
6. In the Template Name field, enter a name for the service template or profile (limit of
63 alphanumeric characters without spaces).
7. In the Instance Name field, enter a meaningful, easily-identifiable name for the service
instance (limit of 255 characters). Each service instance you define can be applied to
a single or multiple SDGs.
8. Click the green plus sign in the Virtual Service box. The Addition of Virtual Service
dialog box appears.
NOTE: If a green tick mark is shown beside a field in the dialog box, it
denotes that you can add attributes for that component. A red cross mark
shows that you can delete that particular attribute for that component.
9. In the Name field, specify the name of the virtual service (limit of 128 characters).
10. In the Address field, specify the IP address of the virtual server.
11. From the Service Type list, select DNS to set up the DNS service for the virtual server.
You can also select other service types such as plain, HTTP, or SSL.
IP server load balancing allows you to configure your ADC software for server load
balancing based on the client's IP address only. Typically, the client IP address is used
with the client port number to produce a session identifier. When the Layer 3 option
is enabled, the ADC software uses only the client IP address as the session identifier.
12. In the Server Listening Port field, specify the port number the server uses to listen or
receive connection requests. The range is from 0 through 65,534. You can change the
destination port of traffic to a specific port by using this field setting.
13. From the Protocol list, select TCP or UDP to specify the application type of virtual
service.
14. From the Group list, select the name of a real server group configured to be used for
this virtual service.
15. In the Service Timeout field, configure the service-timeout parameter to the amount
of time that idle connections should remain in the connection table before being
removed, in minutes (0 to 32768). The default, when the parameter is not set, is to
use the timeout configured for the real server, typically 10 minutes.
16. Select the Fast Load Balancing check box to specify that the connection table is to be
used for requests only.
Traffic to virtual services is managed using the connection table. Each connection is
recorded in the table. Usually, the connection table is used both for the request
processing and for reply processing. In request processing, the ADC software looks
for a corresponding entry to check persistency information, finds the appropriate
real-server address and listening port, and uses it to send the request to the server.
In reply processing, the ADC software looks for a corresponding entry to know how to
change the source address from a real-server address and listening port back to the
virtual-server address and service port. In some cases, faster traffic processing can be
achieved by not checking the connection table for the response path, but by using
another, more efficient, mechanism for the address and port translation.
17. Select the Send Traffic to VIP check box to redirect the packets to the virtual IP address
configured for the virtual server associated with the virtual service. When a certain
VIP is available, the route to this VIP exists in the routing-instance. This allows the
dynamic protocol to publish the VIP as owned by the router. When the virtual IP address
is not available (i.e., all the servers for this VIP are down), the route is redrawn using
the routing-instance. This causes the routing protocol to redraw the route to this IP
from its publications. In turn, traffic to this VIP is no longer routed to this specific
router.
18. Click Save to save the settings. Else, click Cancel to discard the configuration.
Creating a Virtual Server for an ADC Service Template
Each virtual server can be configured to support up to 8 service ports and is limited to a
total of 1023 services per router. If more than eight service ports are required for a virtual
address, you can define multiple virtual servers with the same address. The protocol
setting specifies whether this virtual service is a TCP or UDP application. The port setting
specifies the application port for this application.
To configure a virtual server for an ADC template:
1. From the View selector, select Service View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the task pane, select Service Templates.
The Manage Service Templates page is displayed.
4. Click the ADC button.
The list of ADC service templates is displayed.
5. Click the Add icon.
The Create an ADC Planning Template window appears.
6. In the Template Name field, enter a name for the service template or profile (limit of
63 alphanumeric characters without spaces).
7. In the Instance Name field, enter a meaningful, easily-identifiable name for the service
instance (limit of 255 characters). Each service instance you define can be applied to
a single or multiple SDGs.
8. Click the green plus sign in the Virtual Server box. The Addition of Virtual Server dialog
box appears.
NOTE: For the service elements that you can configure using the Object
Builder workspace, such as applications and rules, when you click the
green plus sign (+) at the top-right corner of each of the service element
boxes, the shortcut menu is displayed. Click the Create New radio button
to create the service component afresh. Alternatively, click the Import from
Object Builder radio button to open a dialog box that enables you to select
from the list of service elements that are present in the database of Edge
Services Director and import them into the service template.
If a green tick mark is shown beside a field in the dialog box, it denotes
that you can add attributes for that component. A red cross mark shows
that you can delete that particular attribute for that component.
9. In the Name field, enter the name of the virtual server. The virtual server defines the
IP address to which client requests are sent.
10. In the Address field, specify the IP address of the virtual server.
11. From the Type list, select DNS to set up the DNS service for the virtual server. You can
also select other service types such as LDAP, HTTP, or SNMP.
12. In the Virtual Services section, select a virtual service from the Available column and
click the right arrow to move the service to the Selected column.
13. Click Save to save the settings. Else, click Cancel to discard the configuration.
Creating a Firewall Rule for an ADC Service Template
ADC filter terms are an ordered list of terms. Each filter term is composed of a match
clause (ADC Filter Terms—“from” Clause) that defines the match criteria, and a then
clause (ADC Filter Terms—“then” Clause) that defines the action and behavior with traffic
that matches the term. An ADC filter term name can contain letters, numbers, and hyphens
(-) and can be up to 255 characters long. To include spaces in the name, enclose the
entire name in quotation marks (" "). Each term name must be unique within a filter. You
can specify multiple terms in the ADC filter, effectively chaining together a series of match
action operations to apply to the packets. You can also use the go-to action so that,
when a match condition is met, the evaluation continues from the go-to term, rather
than terminating. ADC filter terms are evaluated in the order in which you specify them
in the configuration. To reorder terms, use the configuration mode insert command. For
example, the command insert term up before term start places the term up before the
term start. Up to 2048 filter terms can be configured on the module. Descriptive names
can be used to define filter terms. Each filter can be set to perform from or then actions,
based on any combination of the filter options.
ADC Filter Terms—“from” Clause
In the from statement in the ADC filter term, you specify conditions that the packet must
match for the action in the then statement to be taken. All conditions in the from
statement must match for the action to be taken. The order in which you specify match
conditions is not important, because a packet must match all the conditions in a term
for a match to occur. If you specify no match conditions in a term, that term matches all
packets. In the from clause you can indicate Layer 4 information to match traffic:
• source-address—Source IP address or range.
• destination-address—Destination IP address or range (dip and dmask).
• protocol tcp | udp—Match using either TCP or UDP protocol. By default, both are
matched.
• source-port—TCP/UDP application or source port or source port range (such as 31000
to 33000). The service number specified on the module must match the service
specified on the server.
• destination-port—TCP/UDP application or destination port or destination port range
(such as 31000 to 33000).
NOTE: Advanced filtering options such as TCP flags are available. Using
these filter criteria, you could create a single filter that blocks external
Telnet traffic to your main server except from a trusted IP address. Another
filter could warn you if FTP access is attempted from a specific IP address.
Another filter could redirect all incoming e-mail traffic to a server where it
can be analyzed for spam. The options are nearly endless.
ADC Filter Terms—“then” Clause
A filter term then statement instructs the filter what to do once the filtering criteria are
matched. These actions are defined in the then clause of the filter term. You can specify
one of the following filter actions:
• accept—Allows the frame to pass (by default). It is processed according to its
destination: either handled by ADC virtual services or by the router and sent to its
destination.
• discard—Discards frames that fit this filter’s profile. They are not processed further.
• go-to term—Match to the specified term and continue classification from there. Note:
The target term must appear further down the list than the currently evaluated term.
• http-redirect—Allows you to specify a target term name that the filter search should
jump to when a match occurs. The http-redirect causes filter processing to jump to a
designated filter, effectively skipping over a block of filter terms. Filter searching then
continues from the designated filter term. To specify the new filter, use the http-redirect
command.
• load-balance—Redirects frames that fit this filter's profile, such as for web cache
redirection. In addition, Layer 4 processing must be used.
• content-term—Traffic is further matched against content strings. When matched, the
content term then clause is effective. When the content-term is not matched, there is
no further filter term matching.
• log—Generates system log messages when the filter term is hit. This option can be
used in conjunction with other term actions.
• per-packet-load-balancing—To improve efficiency, by default, filter processing is
performed only on the first frame in each session. Subsequent frames in the session
are assumed to match the same criteria and are automatically treated in the same
way as the initial frame. Sessions that match a filter term are logged in the connection
table for immediate processing of subsequent frames, rather than a full search to find
a matching term. Some types of filtering (such as TCP flag) require each frame in the
session to be filtered separately. To set this behavior, set per-packet-load-balancing
for the relevant filters.
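The ordered evaluation described above (all from conditions must match, an empty from clause matches every packet, go-to may only jump further down), as an added Python model that is not Juniper code: evaluate walks a term list for one packet and lint reports naming problems, backward go-to targets and terms that can never be reached. The Term class, the function names, the packet dictionary layout and the sample addresses are assumptions; only accept, discard, go-to and log are modelled, and the result when no term matches is reported as None because the text above does not define it.

```python
import ipaddress
import re
from dataclasses import dataclass, field

NAME_RE = re.compile(r"[A-Za-z0-9-]{1,255}")  # unquoted names; quoted names with spaces not modelled
MAX_TERMS = 2048


@dataclass
class Term:
    name: str
    match: dict = field(default_factory=dict)  # "from" clause; empty means match all packets
    action: str = "accept"                     # accept, discard or go-to
    goto: str = ""                             # target term name when action is go-to
    log: bool = False                          # log may accompany another action


def term_matches(term, pkt):
    """Every condition in the from clause must hold; their order does not matter."""
    m = term.match
    for key in ("source-address", "destination-address"):
        if key in m and ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(m[key]):
            return False
    if "protocol" in m and pkt["protocol"] != m["protocol"]:
        return False
    for key in ("source-port", "destination-port"):
        if key in m and not m[key][0] <= pkt[key] <= m[key][1]:
            return False
    return True


def evaluate(terms, pkt):
    """Return (action, names of terms hit); action is None when no term matched."""
    index = {t.name: i for i, t in enumerate(terms)}
    hits, i = [], 0
    while i < len(terms):
        term = terms[i]
        if not term_matches(term, pkt):
            i += 1
            continue
        hits.append(term.name)
        if term.action != "go-to":
            return term.action, hits
        target = index.get(term.goto, -1)
        if target <= i:  # go-to may only jump further down the list
            raise ValueError(f"{term.name}: go-to target {term.goto!r} is not further down")
        i = target       # classification continues from the target term
    return None, hits


def lint(terms):
    """Return human-readable problems for an ordered term list."""
    problems, index = [], {}
    if len(terms) > MAX_TERMS:
        problems.append(f"{len(terms)} terms exceeds the limit of {MAX_TERMS}")
    for i, t in enumerate(terms):
        if not NAME_RE.fullmatch(t.name):
            problems.append(f"{t.name!r}: name must be 1-255 letters, numbers or hyphens")
        if t.name in index:
            problems.append(f"{t.name}: duplicate term name")
        index.setdefault(t.name, i)
    reachable = [i == 0 for i in range(len(terms))]
    for i, t in enumerate(terms):
        target = index.get(t.goto, -1) if t.action == "go-to" else None
        if target is not None and target <= i:
            problems.append(f"{t.name}: go-to target must appear further down the list")
        if not reachable[i]:
            problems.append(f"{t.name}: unreachable, an earlier term always matches first")
            continue
        if target is not None and target > i:
            reachable[target] = True
        if t.match and i + 1 < len(terms):  # a term with conditions can fall through
            reachable[i + 1] = True
    return problems


def packet(src, dst, proto, dport, sport=40000):
    """Build a constructed packet summary with the five from-clause fields."""
    return {"source-address": src, "destination-address": dst, "protocol": proto,
            "source-port": sport, "destination-port": dport}


# Constructed sample: the Telnet case from the note above, with documentation-range addresses.
TELNET = {"protocol": "tcp", "destination-port": (23, 23)}
SAMPLE_FILTER = [
    Term("trusted-telnet", {**TELNET, "source-address": "192.0.2.10/32"}, "accept", log=True),
    Term("block-telnet", {**TELNET, "destination-address": "198.51.100.5/32"}, "discard", log=True),
    Term("allow-rest"),                                     # no from clause: matches everything
    Term("late-udp-drop", {"protocol": "udp"}, "discard"),  # placed after a match-all term
]
```

Running lint over SAMPLE_FILTER flags late-udp-drop, because the match-all term allow-rest above it ends evaluation for every packet that reaches it.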
To configure a firewall rule for an ADC template:
1. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
2. From the task pane, select Service Templates.
The Manage Service Templates page is displayed.
3. Click the ADC button.
The list of ADC service templates is displayed.
4. Click the Add icon.
The Create an ADC Planning Template window appears.
5. In the Template Name field, enter a name for the service template or profile (limit of
63 alphanumeric characters without spaces).
6. In the Instance Name field, enter a meaningful, easily-identifiable name for the service
instance (limit of 255 characters). Each service instance you define can be applied to
a single or multiple SDGs.
7. Click the green plus sign in the Firewall Rules box. The Addition of Firewall Rule dialog
box appears.
NOTE: If a green tick mark is shown beside a field in the dialog box, it
denotes that you can add attributes for that component. A red cross mark
shows that you can delete that particular attribute for that component.
8. Select the element for the from clause that specifies the match criterion or filter
condition.
9. Select the element for the then clause that specifies the action modifier to be
performed.
10. Click Save to save the settings. Else, click Cancel to discard the configuration.
Modifying ADC Service Templates
On the Service Designer page, you can view the collection of service templates defined
for several applications, such as stateful firewall or CGNAT.
To modify service template instances, such as ADC, SFW, CGNAT, or TLB templates:
1. From the View selector, select Service View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Deploy icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the task pane, select Deploy Service > Service Edit.
The Service Instances page is displayed in the right pane, listing all the previously
defined service templates.
4. From the View pane, perform one of the following tasks:
• Click the ADC button.
The list of ADC service templates is displayed. You need not click this button if you
are launching the Service Designer page for the first time or are navigating to this
page from another mode or a different page. You need to click this button only if
you are viewing the other service templates, such as CGNAT or TLB.
• Click the SFW button.
The list of SFW templates is displayed.
• Click the TLB button.
The list of TLB templates is displayed.
• Click the CGNAT button.
The list of CGNAT templates is displayed.
5. In the main window, click the plus sign (+) next to the SDG pairs to expand the tree
and view the pair of devices in the SDG group or pair. Select the check box next to the
SDG pair or individual SDG for which you want to modify settings. In an SDG pair, you
can select a single SDG or both the SDGs in the redundancy pair of devices.
NOTE: Alternatively, you can also modify service templates from Service
View in Build Mode by selecting the Service Templates > Manage Service
Templates from the task pane, selecting a service instance, and clicking
the Modify button. You can also modify ADC and TLB service templates
from Gateway View in Deploy mode by selecting the SDG pair or SDG from
the View pane, selecting Service Edit from the task pane, and selecting
the TLB service from the main window that displays all the previously
configured template instances to lock and modify it.
6. Click the Lock icon above the table of listed packet filters. The Select Reference Config
dialog box is displayed.
Figure 21: Select Reference Config Dialog Box
7. From the Service Gateway Name drop-down list, select the SDG group to which the
packet filter must be applied.
8. From the Host Name drop-down list, select the hostname of the SDG.
9. In the Select Common Components section, select the check boxes beside the service
modules or components, such as packet filters, SFW rules, or CGNAT rules, that are
displayed. The displayed components depend on the attributes that are previously
defined for that selected packet filter. For example, if the service policy is for stateful
firewall, SFW rules and SFW rule sets are shown. Select the check box beside Config
Category to select all the service components.
10. Click Save to save the modified association.
11. Select the check box beside the template you want to modify.
12. Open the Modify menu above the list of templates to modify an existing template,
and select the component or service attribute, such as application or rule, that you
want to edit.
13. Perform one of the following from the drop-down menu displayed for each component:
• To retrieve the service component and import into the database of Edge Services
Director, select Import Object. The Import Services dialog box appears. You can
import the service templates assigned to SDGs or choose from a list of all of the
predefined templates in the database. Also, you can either import all of the
components of a service or specific components.
• To create the component afresh, select Create New. The Create page corresponding
to the service component appears. You can define the attributes for the service
component in the same manner as you define the elements during the creation of
a service template.
Related Documentation
• Service Templates Overview on page 182
• Filtering Service Templates on page 183
• Viewing Service Templates on page 183
• Using the Actions Menu on the Service Template and Service Edit Pages on page 187
Creating and Managing CGNAT Service Templates
Each carrier-grade NAT rule consists of a set of terms, similar to a service filter. A term
consists of the following:
from statement—Specifies the match conditions and applications that are included and
excluded. The from statement is optional in NAT rules.
then statement—Specifies the actions and action modifiers to be performed by the router
software. The then statement is mandatory in NAT rules.
You can perform the following tasks with the Service Designer page for CGNAT:
• Create a CGNAT service template with attributes and settings for NAT operations.
• Modify an existing CGNAT template to meet the network needs and deployment
scenarios.
• Delete an existing template.
• Creating a CGNAT Service Template on page 222
• Modifying CGNAT Service Templates on page 225
• Creating a Deployment Plan on page 227
• Importing a CGNAT Service Template on page 228
• Creating a Service Set on page 230
• Creating a Syslog on page 234
• Creating a Rule on page 236
• Creating a Rule Set on page 237
• Creating a Pool on page 238
Creating a CGNAT Service Template
To configure a new CGNAT service template:
1. From the View selector, select Service View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the task pane, select Service Templates.
The Manage Service Templates page is displayed.
4. Click the CGNAT button. The list of CGNAT service templates is displayed.
The Service Designer page displays a bar graph in the top pane of the page. The count
of service templates of each type is displayed on the vertical axis and the service type
is shown on the horizontal axis. A color-coding format is used to represent the bars
on the graph. Published service templates are shown in olive green color and
unpublished service templates are shown in blue color. Mouse over each bar in the
chart to highlight and display the number of templates published or unpublished for
each type of service.
5. Click the Add icon. The Select Version dialog box appears.
6. Select Junos 12.1 if you want to create a template based on the Junos OS Release 12.1.
Alternatively, select Junos 14.1 if you want to create a template based on the Junos
OS Release 14.1.
NOTE: All the service template components described in this section can
be created for templates that are based on both the Junos OS Releases
12.1 and 14.1. The service elements or components that are additionally
available for configuration when you select the Junos OS 14.1 version are
explicitly mentioned in the relevant steps of the procedure.
The Create a CGNAT Planning Template window appears.
Figure 22: Create CGNAT Service Template Window
7. In the Name field, enter a name for the service template or profile (limit of 63
alphanumeric characters without spaces).
8. In the Description field, enter a meaningful, easily-identifiable name for the service
instance (limit of 255 alphanumeric characters). Each service instance you define can
be applied to a single or multiple SDGs.
9. Instead of creating a new template entirely, you can import the parameters defined
for a previous CGNAT service instance and customize only the settings that are
necessary. Imported templates are created without any device assigned to them. To
use these templates, you must associate a device with the policy. To clone an existing
template by importing it, click the Import button.
The Import Services dialog box is displayed. See Importing a CGNAT Service Template
for step-wise details on importing a CGNAT service template.
10. The Create a CGNAT Planning Template window displays the individual elements or
components of the service with a graphical icon for each of the service elements and
the corresponding names in separate boxes. You can add, edit, or delete these service
elements in a template.
The Property View tab and the Config View tab are displayed on the right pane of the
template window. The Property View tab provides a tree-based structure of the
parameters defined in a service template. You can expand the tree and view details
of each component. A key value pair representation is shown. Each of the components
can be treated as categories of the service template shown in the property view.
The Config View tab displays the elements or components specified for a service
template in the form of configuration stanzas and hierarchy levels. This display is
similar to the show command that you can use at a certain [edit] hierarchy level to
view the defined settings. Each level in the hierarchy is indented to indicate each
statement's relative position in the hierarchy. Each level is generally set off with braces,
with an open brace ({) at the beginning of each hierarchy level and a closing brace
(}) at the end. If the statement at a hierarchy level is empty, the braces are not
displayed. Each leaf statement ends with a semicolon (;), as does the last statement
in the hierarchy.
a. Click the green tick mark (✓) displayed at the top-right corner of each of the service
element boxes to create a new element. If the green tick mark is not shown, it
indicates that the user role does not have the permission to create an element.
b. Click the red cross mark (x) displayed at the top-right corner of the icons of each
element if you want to delete the existing configuration. The user with designer
role has permissions to remove or edit elements.
c. If the red cross mark is not displayed beside a particular icon, it signifies that the
element cannot be deleted.
d. The diamond icon that contains an orange tick mark within it at the top-right corner
of the service component name denotes that the particular element can be
modified. The absence of this icon denotes that the user does not have permissions
to modify the attributes of the service component.
e. Double-click each icon pertaining to a service element to view or edit its settings.
If you do not possess the permission to modify the element, a view-only dialog box
with the attributes of the selected element is shown. Otherwise, an editable dialog
box enables you to modify the settings.
f. Click Save to save the service template configuration. Else, click Close to discard
the changes to the template.
g. Click the Maximize icon displayed at the top-right corner of the rectangle or box
that shows all of the values or entities of a particular component of a service
template. The specified component or attribute is displayed as a separate dialog
box, listing all of the values of the particular component. You can add, modify, or
delete the listed values.
h. While creating the new service template, the designer can add or modify service
parameter values and also restrict the access level for each service parameter for
the operator. The designer can set the following access levels for each service
parameter for the operator in the planning template. Click the new icon (cascading files
icon) displayed at the top-left corner of each of the element boxes to open the
shortcut menu. You can click one of the following radio buttons:
• Read-only (the configuration parameter is read-only for the operator as part of
provisioning)
• Editable (the configuration parameter is editable as part of provisioning)
• Device-Specific (the configuration parameter value needs to be entered by the
operator for each device during deployment)
i. Click Save & Publish to save and publish the service template configuration. The
designer must publish the service templates to the operator to use in the creation
of deployment plans. After a filter or policy is published, it goes for peer review and
approval. After approval, the filter or policy is deployed to the device.
Modifying CGNAT Service Templates
On the Service Designer page, you can view the collection of service templates defined
for several applications, such as stateful firewall or CGNAT.
To modify service template instances, such as ADC, SFW, CGNAT, or TLB templates:
1. From the View selector, select Service View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Deploy icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the task pane, select Deploy Service > Service Edit.
The Service Instances page is displayed in the right pane, listing all the previously
defined service templates.
4. From the View pane, perform one of the following tasks:
• Click the ADC button.
The list of ADC service templates is displayed. You need not click this button if you
are launching the Service Designer page for the first time or are navigating to this
page from another mode or a different page. You need to click this button only if
you are viewing the other service templates, such as CGNAT or TLB.
• Click the SFW button.
The list of SFW templates is displayed.
• Click the TLB button.
The list of TLB templates is displayed.
• Click the CGNAT button.
The list of CGNAT templates is displayed.
5. In the main window, click the plus sign (+) next to the SDG pairs to expand the tree
and view the pair of devices in the SDG group or pair. Select the check box next to the
SDG pair or individual SDG for which you want to modify settings. In an SDG pair, you
can select a single SDG or both the SDGs in the redundancy pair of devices.
NOTE: Alternatively, you can modify service templates from Service
View in Build Mode by selecting Service Templates > Manage Service
Templates from the task pane, selecting a service instance, and clicking
the Modify button.
6. Click the Lock icon above the table of listed packet filters. The Select Reference Config
dialog box is displayed.
Figure 23: Select Reference Config Dialog Box
7. From the Service Gateway Name drop-down list, select the SDG group to which the
packet filter must be applied.
8. From the Host Name drop-down list, select the hostname of the SDG.
9. In the Select Common Components section, select the check boxes beside the service
modules or components, such as packet filters, SFW rules, or CGNAT rules, that are
displayed. The displayed components depend on the attributes that are previously
defined for that selected packet filter. For example, if the service policy is for stateful
firewall, SFW rules and SFW rule sets are shown. Select the check box beside Config
Category to select all the service components.
10. Click Save to save the modified association.
11. Select the check box beside the template you want to modify.
12. Open the Modify menu above the list of templates to modify an existing template,
and select the component or service attribute, such as application or rule, that you
want to edit.
13. Perform one of the following from the drop-down menu displayed for each component:
• To retrieve the service component and import into the database of Edge Services
Director, select Import Object. The Import Services dialog box appears. You can
import the service templates assigned to SDGs or choose from a list of all of the
predefined templates in the database. Also, you can either import all of the
components of a service or specific components.
• To create the component afresh, select Create New. The Create page corresponding
to the service component appears. You can define the attributes for the service
component in the same manner as you define the elements during the creation of
a service template.
Creating a Deployment Plan
You must have previously defined service templates and policy or filter templates before
you can create a deployment plan.
To create a deployment plan and assign devices to it:
1. From the View selector, select Service View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Deploy icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the task pane, select Service Edit.
The Manage Service Templates page is displayed.
4. Click the CGNAT button.
The list of CGNAT service templates is displayed.
5. Select the check boxes next to the SDGs or SDG groups that you want to assign to
the plan. Based on your selection of a service or a policy template, the components
or attributes are shown for the corresponding device.
6. From the boxes that show the components of a service template, you can edit, delete,
or add elements to it. If you do not have permissions to update a template, the
corresponding icons are not shown.
7. Click the down arrow in the Actions menu and select Send for Deployment to create
a deployment plan for the particular service template and save the plan.
If you create a deployment plan from Service view of Deploy mode, the Edit Service
Instance page is displayed. You can modify the SDGs associated with the service
instance and also modify the service instance attributes as necessary by either clicking
the buttons corresponding to the various settings at the top of the wizard page to
directly traverse to the page you want to modify or clicking the navigation buttons at
the bottom of the wizard page to go to the different pages of the wizard. Click Finish
to create a deployment plan.
A deployment plan is created for the service template with the devices that are assigned
to it; the plan is shown when you view the Deployment Plans page.
8. Alternatively, you can select Discard changes from the Actions menu to ignore the
modifications done to a policy or filter template.
9. From the Deployment plans page, you can select Reject or Approve from the Actions
drop-down list to reject or approve the deployment plan and make it available for
commissioning to the devices.
Importing a CGNAT Service Template
To create a clone of an existing CGNAT template by importing it:
1. From the View selector, select Service View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the task pane, select Service Templates.
The Manage Service Templates page is displayed.
4. Click the CGNAT button.
The list of CGNAT service templates is displayed. You need not click this button if you
are launching the Service Designer page for the first time or are navigating to this page
from another mode or a different page. You need to click this button only if you are
viewing the other service templates, such as ADC, SFW, or TLB.
5. Click the Add icon.
The Create a CGNAT Planning Template window appears.
6. In the Name field, enter a name for the service template or profile (limit of 63
alphanumeric characters without spaces).
7. In the Description field, enter a meaningful, easily-identifiable name for the service
instance (limit of 255 alphanumeric characters). Each service instance you define can
be applied to a single or multiple SDGs.
8. Click the Import button.
The Import Services dialog box appears.
You can import the service templates assigned to SDGs or choose from a list of all of
the predefined templates in the database. Also, you can either import all of the
components of a service or specific components.
9. Do one of the following for the Import section:
• Select the From Existing Service Gateway radio button if you want to import the
CGNAT rule from SDGs that are present in the Edge Services Director database.
• Select the From XML radio button if you want to import the CGNAT rule from an
XML configuration file on an external system.
10. If you selected the option to import the object from SDGs, do the following:
• Click the Normal View tab to view the list of SDGs. You can search for specific SDGs
by entering a search item and clicking the Search icon.
Alternatively, click the Group View tab to view the list of SDG groups. You can search
for specific SDG groups by entering a search item and clicking the Search icon.
• Click the plus sign (+) next to the All Service Gateways item to expand the tree
structure that displays the list of SDGs or SDG groups. If the SDG pair is configured,
you can select one of the devices, master or standby, from which you want to import
the object.
Alternatively, if you selected the Group View tab, you can select an SDG from the
groups displayed from which you want to import the object.
• Click Import. The object is added to the database and can be used during
configuration of services or policies.
11. If you selected the option to import from an XML file, do the following:
• Click Browse beside the File Name field to navigate to the path where an XML file
is available to be imported.
• Click Upload. The service template is added to the database and can be used during
configuration of services or policies.
12. Do one of the following to import all components of a selected template or only a
particular component of a template. For the components that are not imported, you
need to specify the definitions of the components afresh.
• Select the check boxes next to all of the service instances that are displayed for the
selected SDG or SDG group, or for the XML file that you uploaded. In such a case,
all of the elements or parameters of the selected template or instance are imported.
• Alternatively, select the check box next to a particular or group of service instances
to import only a specific component of the selected template.
13. Similarly, you can select other components and import them to the template. Save
the imported components to add them to the template you are creating by using the
imported template as a base.
Creating a Service Set
A service set is a collection of services to be performed by an Adaptive Services (AS) or
Multiservices PIC. To create a service set as a component for the CGNAT template:
1. From the View selector, select Service View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the task pane, select Service Templates.
The Manage Service Templates page is displayed.
4. Click the CGNAT button.
The list of CGNAT service templates is displayed.
5. Click the Add icon.
The Create a CGNAT Planning Template window appears.
6. In the Name field, enter a name for the service template or profile (limit of 63
alphanumeric characters without spaces).
7. In the Description field, enter a meaningful, easily-identifiable name for the service
instance (limit of 255 alphanumeric characters). Each service instance you define can
be applied to a single or multiple SDGs.
8. Click the green plus sign in the Service Set box.
The Addition of Service Set dialog box appears.
NOTE: For the service elements that you can configure using the Object
Builder workspace, such as applications and rules, when you click the
green plus sign (+) at the top-right corner of each of the service element
boxes, the shortcut menu is displayed. Click the Create New radio button
to create the service component afresh. Alternatively, click the Import from
Object Builder radio button to open a dialog box that enables you to select
from the list of service elements that are present in the database of Edge
Services Director and import them into the service template.
If a green tick mark is shown beside a field in the dialog box, it denotes
that you can add attributes for that component. A red cross mark shows
that you can delete that particular attribute for that component.
9. In the Name field, enter the name to identify the service set. Rules are combined into
rule sets, and are associated with a service set for each application such as firewall
or CGNAT.
10. In the Sampling Service Choices section, do one of the following:
• Click Interface Services to configure an interface-style service set. An interface
service set is used as an action modifier across an entire interface.
• In the Service Interfaces field, specify the name for the adaptive services interface
associated with an interface-wide service set.
When you have defined and grouped the service rules by configuring the service-set
definition, you can apply services to one or more interfaces installed on the router.
When you apply the service set to an interface, it automatically ensures that
packets are directed to the PIC.
• From the Load Balancing Options section, configure the high availability (HA)
options.
The following hash keys can be configured in the egress direction: destination-ip
(Use the destination IP address of the flow to compute the hash used in load
balancing.) and source-ip (Use the source IP address of the flow to compute the
hash used in load balancing.)
• Click the green tick mark beside the Egress Key element to configure the hash keys
to be used in the egress flow direction. The configuration is mandatory if you are
using AMS for Network Address Translation (NAT). This configuration is not
mandatory if you are using AMS for stateful firewall; if the hash keys are not
configured, then the defaults are chosen.
• Click the green tick mark beside the Ingress Key element to configure the hash
keys to be used in the ingress flow direction. The configuration is mandatory if
you are using AMS for Network Address Translation (NAT). This configuration is
not mandatory if you are using AMS for stateful firewall; if the hash keys are not
configured, then the defaults are chosen.
Configure the hash keys used for load balancing in aggregated multiservices (AMS)
for service applications (Network Address Translation [NAT], stateful firewall,
application-level gateway [ALG], HTTP header enrichment, and mobility). The hash
keys supported in the ingress and egress direction are the source IP address and
destination IP address.
Hash keys are used to define the load-balancing behavior among the various
members in the AMS group. For example, if hash-keys is configured as source-ip,
then the hashing would be performed based on the source IP address of the packet.
Therefore, all packets with the same source IP address land on the same member.
Hash keys must be configured with respect to the traffic direction: ingress or egress.
For example, if hash-keys is configured as source-ip in the ingress direction, then it
should be configured as destination-ip in the egress direction. This is required to
ensure that the packets of the same flow reach the same member of the AMS group.
The configuration of the ingress and egress hash keys is mandatory if you are using
AMS for NAT. This configuration is not mandatory if you are using AMS for stateful
firewall; if the hash keys are not configured, then the defaults are chosen. Refer to
Table 48 on page 232 for the supported hash keys.
The resource-triggered option enables anchor session PICs to use the load or
resource information from the anchor services PICs to select the AMS member that will
anchor the services for the subscriber for load balancing among AMS members. In
addition, for mobile subscriber-aware services (such as HTTP header enrichment),
you must configure the resource-triggered statement, which means that the load
balancing is not done using the ingress and egress keys.
Table 48: Hash Keys Supported for AMS for Service Applications
                                         Service Set at Ingress Interface                Service Set at Egress Interface
NAT Type                                 Ingress hash key        Egress hash key         Ingress hash key        Egress hash key
Hash Keys for NAT
source static                            Destination IP address  Source IP address       Source IP address       Destination IP address
source dynamic                           Source IP address       Destination IP address  Destination IP address  Source IP address
Network Address Port Translation (NAPT)  Source IP address       Destination IP address  Destination IP address  Source IP address
destination static                       Source IP address       Destination IP address  Destination IP address  Source IP address
Hash Keys for Stateful Firewall
Stateful Firewall                        Destination IP address  Source IP address       Destination IP address  Source IP address
Stateful Firewall                        Source IP address       Destination IP address  Source IP address       Destination IP address
NOTE: If NAT is used in the service set (along with stateful firewall and
ALG), then the hash keys should be based on the NAT type; otherwise,
the hash keys of the stateful firewall should be used.
• Click Next Hop Services to configure a next-hop style service set. A next-hop service
set is a route-based method of applying a particular service. Only packets destined
for a specific next hop are serviced by the creation of explicit static routes.
• In the Inside Interface list, specify the interface type of the service interface
associated with the service set applied inside the network. For inline IP reassembly,
set the interface type to local. Also, specify the name and logical unit number of
the service interface associated with the service set applied inside the network.
When a next-hop service is configured, the AS or Multiservices PIC is considered
to be a two-legged module with one leg configured to be the inside interface
(inside the network) and the other configured as the outside interface (outside
the network).
• In the Outside Interface list, specify the interface type of the service interface
associated with the service set applied outside the network. For inline IP
reassembly, set the interface type to local. Also, specify the name and logical unit
number of the service interface associated with the service set applied outside
the network.
• In the Service Interface Pool list, select the name of the pool of logical interfaces
configured at the [edit services service-interface-pools pool pool-name] hierarchy
level. You can configure a service interface pool only if the service set has a PGCP
rule configured. The service set cannot contain any other type of rule.
• Click Sampling Services to configure a sampling service set.
• In the Service Interface field, specify the service interface, which is the interface
the sampling is taken from. In the case of a sampling service set, the service
interface must be a Multiservices PIC interface with a subunit number of 0 (zero).
The subunit number defaults to 0. The reverse-flow statement is not mandatory.
All sampled traffic is considered to be forward traffic. If you set the reverse-flow
statement, it is ignored.
• Select the Replication Service check box to configure the services replication options
for inter-chassis high availability on MS-MIC and MS-MPC. This field is available
only if you selected the Junos OS 12.1 version.
• In the Replication Threshold field, specify the number of seconds for the replication
threshold. When a flow has been active for more than the number of seconds
specified as a threshold, flow state information is replicated to the backup device.
Make sure that the replication-threshold value is than the open-timeout value (the
timeout period for establishing a TCP connection). The default value of the
replication threshold is 180 seconds. This value is also the minimum.
• Select the Stateful Firewall check box to replicate stateful firewall state
information.
• Select the NAT check box to replicate NAPT44 information.
11. Select the Service Set Options check box to specify the service set options to apply
to a service set. This field is available only if you selected the Junos OS 14.1 version.
12. In the Redundancy Set ID field, specify a unique identifier in the range of 1 through 100
for the redundancy set. The redundancy group IDs that the service redundancy daemon
(srd) uses are associated with those configured for the ICCP daemon (iccpd) through
the existing ICCP configuration hierarchy by using the same redundancy group ID in
the configuration of the services redundancy group. This field is available only if you
selected the Junos OS 14.1 version.
The actions to be performed when configured redundancy events occur are defined
in redundancy policies. Redundancy policies are associated with redundancy sets;
they are analogous to rules associated with service sets. Redundancy sets are
associated with redundancy groups by redundancy group IDs. Redundancy group details
are defined by the underlying ICCPd configuration. Finally, service sets and redundancy
sets are associated through the redundancy-sets statement in service sets
configuration.
13. In the CGNAT Rule Sets section, select the rule set you want to associate with the
service set from the Available column and click the right arrow to move to the Selected
column.
14. In the CGNAT Rules section, select the rule you want to associate with the service set
from the Available column and click the right arrow to move to the Selected column.
15. In the CGNAT Syslogs section, select the syslog you want to associate with the service
set from the Available column and click the right arrow to move to the Selected
column.
16. Click Save to save the service template configuration. Else, click Close to discard the
changes to the template.
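The hash-key pairing from step 10 and Table 48, as an added example that is not part of the Juniper guide or of Edge Services Director: it checks a planned ingress/egress hash-key pair against Table 48 and simulates why a mismatched pair splits one flow across AMS members. The function names, the four-member group, the CRC32 stand-in hash, and the sample flows are assumptions of this example, and the simulation uses untranslated addresses (the stateful firewall case), so it does not model NAT address rewriting.

```python
import ipaddress
import zlib

SRC, DST = "source-ip", "destination-ip"

# Table 48 of this guide: (service type, interface where the service set is
# applied) -> supported (ingress hash key, egress hash key) pairs.
TABLE_48 = {
    ("source static", "ingress"): {(DST, SRC)},
    ("source static", "egress"): {(SRC, DST)},
    ("source dynamic", "ingress"): {(SRC, DST)},
    ("source dynamic", "egress"): {(DST, SRC)},
    ("napt", "ingress"): {(SRC, DST)},
    ("napt", "egress"): {(DST, SRC)},
    ("destination static", "ingress"): {(SRC, DST)},
    ("destination static", "egress"): {(DST, SRC)},
    ("stateful firewall", "ingress"): {(DST, SRC), (SRC, DST)},
    ("stateful firewall", "egress"): {(DST, SRC), (SRC, DST)},
}


def check_hash_keys(service_type, applied_at, ingress_key=None, egress_key=None):
    """Return a list of problems with a planned AMS hash-key setting."""
    allowed = TABLE_48[(service_type, applied_at)]
    if ingress_key is None and egress_key is None:
        if service_type == "stateful firewall":
            return []  # optional for stateful firewall: defaults are chosen
        return [f"{service_type}: ingress and egress hash keys are mandatory for NAT"]
    if (ingress_key, egress_key) not in allowed:
        pairs = ", ".join(f"{i}/{e}" for i, e in sorted(allowed))
        return [f"{service_type} at {applied_at} interface: got "
                f"{ingress_key}/{egress_key}, Table 48 lists {pairs}"]
    return []


def member_for(packet, direction, ingress_key, egress_key, members):
    """Pick the AMS member for one packet.

    packet is (source, destination). CRC32 modulo the member count is a
    stand-in hash chosen for this example, not the hash Junos OS uses.
    """
    key = ingress_key if direction == "ingress" else egress_key
    address = packet[0] if key == SRC else packet[1]
    return zlib.crc32(ipaddress.ip_address(address).packed) % members


def split_flows(flows, ingress_key, egress_key, members):
    """Count flows whose two directions are hashed to different members."""
    split = 0
    for client, server in flows:
        forward = member_for((client, server), "ingress", ingress_key, egress_key, members)
        reply = member_for((server, client), "egress", ingress_key, egress_key, members)
        split += forward != reply
    return split


# Constructed sample: 50 clients talking to one server, addresses untranslated.
FLOWS = [(f"10.0.0.{n}", "203.0.113.10") for n in range(1, 51)]

if __name__ == "__main__":
    print("source-ip / destination-ip:", split_flows(FLOWS, SRC, DST, 4), "split flows")
    print("source-ip / source-ip:     ", split_flows(FLOWS, SRC, SRC, 4), "split flows")
    print(check_hash_keys("napt", "ingress", DST, SRC))
    print(check_hash_keys("napt", "egress"))
```

A split flow matters for stateful services because the member that sees only the reply direction holds no session state for it.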
Creating a Syslog
You can enable system logging. The system log information from the Adaptive Services
or Multiservices PIC is passed to the kernel for logging in the /var/log directory. This setting
overrides any syslog statement setting included in the service set or interface default
configuration.
To create a syslog for the CGNAT template:
1. From the View selector, select Service View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the task pane, select Service Templates.
The Manage Service Templates page is displayed.
4. Click the CGNAT button.
The list of CGNAT service templates is displayed.
5. Click the Add icon.
The Create a CGNAT Planning Template window appears.
6. In the Name field, enter a name for the service template or profile (limit of 63
alphanumeric characters without spaces).
7. In the Description field, enter a meaningful, easily-identifiable name for the service
instance (limit of 255 alphanumeric characters). Each service instance you define can
be applied to a single or multiple SDGs.
8. Click the green plus sign in the Server Groups box.
The Addition of Group dialog box appears.
NOTE: For the service elements that you can configure using the Object
Builder workspace, such as applications and rules, when you click the
green plus sign (+) at the top-right corner of each of the service element
boxes, the shortcut menu is displayed. Click the Create New radio button
to create the service component afresh. Alternatively, click the Import from
Object Builder radio button to open a dialog box that enables you to select
from the list of service elements that are present in the database of Edge
Services Director and import them into the service template.
If a green tick mark is shown beside a field in the dialog box, it denotes
that you can add attributes for that component. A red cross mark shows
that you can delete that particular attribute for that component.
9. In the Name field, enter the name for the syslog component. Specify the fully qualified
domain name or IP address for the syslog server.
10. In the Services list, specify the system logging severity level. It assigns a severity level
to the facility. Valid entries include:
• alert—Conditions that should be corrected immediately.
• any—Matches any level.
• critical—Critical conditions.
• emergency—Panic conditions.
• error—Error conditions.
• info—Informational messages.
• notice—Conditions that require special handling.
• warning—Warning messages.
11. From the Facility Override list, select the override for the default facility for system
log reporting. Valid values include:
• authorization
• daemon
• ftp
• kernel
• local0 through local7
• user
12. In the Log Prefix field, set the system logging prefix value for all logging to the system
log host.
13. In the Port field, specify the port number to be used for connection with the remote
syslog server.
14. In the Class section, set the class of applications to be logged to the system log.
• alg-logs—Log application-level gateway events.
• ids-logs—Log intrusion detection system events.
• nat-logs—Log Network Address Translation events.
• packet-logs—Log general packet-related events.
• session-logs—Log session open and close events.
• session-logs open—Log session open events only.
• session-logs close—Log session close events.
• stateful-firewall-logs—Log stateful firewall events.
15. Click Save to save the service template configuration. Else, click Close to discard the
changes to the template.
Creating a Rule
To create a rule for the CGNAT template:
1. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
2. From the task pane, select Service Templates.
The Manage Service Templates page is displayed.
3. Click the CGNAT button.
The list of CGNAT service templates is displayed.
4. Click the Add icon.
The Create a CGNAT Planning Template window appears.
5. Enter the name of the template and the service instance in the respective fields.
6. Click the green plus sign in the Server Groups box. The Addition of Group dialog box
appears.
NOTE: If a green tick mark is shown beside a field in the dialog box, it
denotes that you can add attributes for that component. A red cross mark
shows that you can delete that particular attribute for that component.
7. From the Rule list, select one of the previously configured rules.
The rules that you configured in the Service Templates workspace for CGNAT, packet
filter, or CGNAT are displayed.
8. Click Save to save the service template configuration. Else, click Close to discard the
changes to the template.
Creating a Rule Set
The rule-set statement defines a collection of stateful firewall rules that determine what
actions the router software performs on packets in the data stream. You define each rule
by specifying a rule name and configuring terms. Then, you specify the order of the rules
by including the rule-set statement at the [edit services stateful-firewall] hierarchy level
with a rule statement for each rule.
The router software processes the rules in the order in which you specify them in the
configuration. If a term in a rule matches the packet, the router performs the corresponding
action and the rule processing stops. If no term in a rule matches the packet, processing
continues to the next rule in the rule set. If none of the rules matches the packet, the
packet is dropped by default.
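The processing order described above, as an added example that is not the router's implementation or code from this guide: a small evaluator that applies first-match semantics with a default drop, plus a check that reports terms an earlier term always pre-empts. The class and function names, the match fields (source, destination, application), the action strings, and the sample rules and packets are assumptions of this example; all sample addresses are IPv4.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Term:
    name: str
    then: str                          # mandatory action
    source: Optional[str] = None       # optional "from" conditions;
    destination: Optional[str] = None  # None means the field is not tested
    application: Optional[str] = None

    def matches(self, pkt):
        """True if every configured from condition matches the packet."""
        if self.source and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.source):
            return False
        if self.destination and ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(self.destination):
            return False
        return self.application in (None, pkt["app"])

    def covers(self, later):
        """True if every packet the later term matches is matched by this term."""
        for mine, theirs in ((self.source, later.source), (self.destination, later.destination)):
            if mine is None:
                continue
            if theirs is None or not ipaddress.ip_network(theirs).subnet_of(ipaddress.ip_network(mine)):
                return False
        return self.application in (None, later.application)


@dataclass(frozen=True)
class Rule:
    name: str
    terms: Tuple[Term, ...]


def evaluate(rule_set, pkt):
    """Return (action, matched_by) using the first-match order the guide describes."""
    for rule in rule_set:
        for term in rule.terms:
            if term.matches(pkt):
                return term.then, f"{rule.name}/{term.name}"  # processing stops
    return "discard", "default"  # no rule matched: dropped by default


def shadowed_terms(rule_set):
    """List (term, earlier term) pairs where the earlier term always wins."""
    seen, findings = [], []
    for rule in rule_set:
        for term in rule.terms:
            label = f"{rule.name}/{term.name}"
            for earlier_label, earlier in seen:
                if earlier.covers(term):
                    findings.append((label, earlier_label))
                    break
            seen.append((label, term))
    return findings


# Constructed sample rules and packets (documentation address ranges).
ALLOW_INSIDE = Rule("allow-inside", (Term("t1", "accept", source="10.0.0.0/8"),))
BLOCK_LAB = Rule("block-lab", (Term("t1", "discard", source="10.9.0.0/16", application="telnet"),))
RULE_SET = [ALLOW_INSIDE, BLOCK_LAB]    # broad accept listed first
REORDERED = [BLOCK_LAB, ALLOW_INSIDE]   # specific discard listed first
LAB_TELNET = {"src": "10.9.1.5", "dst": "198.51.100.20", "app": "telnet"}
OUTSIDE = {"src": "192.0.2.7", "dst": "198.51.100.20", "app": "http"}

if __name__ == "__main__":
    print(evaluate(RULE_SET, LAB_TELNET))   # broad accept wins
    print(evaluate(REORDERED, LAB_TELNET))  # specific discard wins
    print(evaluate(OUTSIDE and RULE_SET, OUTSIDE))
    print(shadowed_terms(RULE_SET))
```

Running the shadow check before moving rules into the Selected column shows whether the chosen order leaves any discard term unreachable.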
To create a rule set for the CGNAT template:
1. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
2. From the task pane, select Service Templates.
The Manage Service Templates page is displayed.
3. Click the CGNAT button.
The list of CGNAT service templates is displayed.
4. Click the Add icon.
The Create a CGNAT Planning Template window appears.
5. Enter the name of the template and the service instance in the respective fields.
6. Click the green plus sign in the Rule Sets box.
The Addition of Rule Sets dialog box appears.
NOTE: For the service elements that you can configure using the Object
Builder workspace, such as applications and rules, when you click the
green plus sign (+) at the top-right corner of each of the service element
boxes, the shortcut menu is displayed. Click the Create New radio button
to create the service component afresh. Alternatively, click the Import from
Object Builder radio button to open a dialog box that enables you to select
from the list of service elements that are present in the database of Edge
Services Director and import them into the service template.
If a green tick mark is shown beside a field in the dialog box, it denotes
that you can add attributes for that component. A red cross mark shows
that you can delete that particular attribute for that component.
7. Specify the rule set name the router uses when applying this service.
8. Select the rules that you want to group into a rule set from the Available column and
click the right arrow to move the rules to the Selected column.
9. Click Save to save the service template configuration. Else, click Close to discard the
changes to the template.
Creating a Pool
To create an address pool for the CGNAT template:
1. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
2. From the task pane, select Service Templates.
The Manage Service Templates page is displayed.
3. Click the CGNAT button.
The list of CGNAT service templates is displayed.
4. Click the Add icon.
The Create a CGNAT Planning Template window appears.
5. Enter the name of the template and the service instance in the respective fields.
6. Click the green plus sign in the NAT Pools box. The Addition of NAT Pool dialog box
appears.
NOTE: For the service elements that you can configure using the Object
Builder workspace, such as applications and rules, when you click the
green plus sign (+) at the top-right corner of each of the service element
boxes, the shortcut menu is displayed. Click the Create New radio button
to create the service component afresh. Alternatively, click the Import from
Object Builder radio button to open a dialog box that enables you to select
from the list of service elements that are present in the database of Edge
Services Director and import them into the service template.
If a green tick mark is shown beside a field in the dialog box, it denotes
that you can add attributes for that component. A red cross mark shows
that you can delete that particular attribute for that component.
7. From the Pool list, select one of the previously configured pools. The pools that you
configured in the Service Templates workspace for CGNAT are displayed.
8. Click Save to save the service template configuration. Otherwise, click Close to discard the
changes to the template.
Related Documentation
• Service Templates Overview on page 182
• Filtering Service Templates on page 183
• Viewing Service Templates on page 183
• Using the Actions Menu on the Service Template and Service Edit Pages on page 187
Creating and Managing SFW Service Templates
Each stateful firewall rule consists of a set of terms, similar to a service filter. A term
consists of the following:
from statement—Specifies the match conditions and applications that are included and
excluded. The from statement is optional in stateful firewall rules.
then statement—Specifies the actions and action modifiers to be performed by the router
software. The then statement is mandatory in stateful firewall rules.
You can perform the following tasks with the Service Designer page for SFW:
• Create an SFW service template with attributes and settings for stateful firewall
operations.
• Modify an existing SFW template to meet the network needs and deployment scenarios.
• Delete an existing template.

• Creating an SFW Service Template on page 239
• Modifying SFW Service Templates on page 242
• Creating a Deployment Plan on page 244
• Importing an SFW Service Template on page 245
• Creating a Service Set on page 247
• Creating an Application on page 250
• Creating an Application Set on page 253
• Creating a Syslog on page 254
• Creating a Rule on page 256
• Creating a Rule Set on page 257
• Creating a Services PIC for an SFW Service Template on page 258
Creating an SFW Service Template
To configure a new SFW service template:
1. From the View selector, select Service View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the task pane, select Service Templates.
The Manage Service Templates page is displayed.
4. Click the SFW button.
The list of SFW service templates is displayed.
The Service Designer page displays a bar graph in the top pane of the page. The count
of service templates of each type is displayed on the vertical axis and the service type
is shown on the horizontal axis. A color-coding format is used to represent the bars
on the graph. Published service templates are shown in olive green color and
unpublished service templates are shown in blue color. Mouse over each bar in the
chart to highlight and display the number of templates published or unpublished for
each type of service.
5. Click the Add icon. The Select Version dialog box appears.
6. Select Junos 12.1 if you want to create a template based on the Junos OS Release 12.1.
Alternatively, select Junos 14.1 if you want to create a template based on the Junos
OS Release 14.1.
NOTE: All the service template components described in this section can
be created for templates that are based on both the Junos OS Releases
12.1 and 14.1. The service elements or components that are additionally
available for configuration when you select the Junos OS 14.1 version are
explicitly mentioned in the relevant steps of the procedure.
The Create an SFW Planning Template window appears.
Figure 24: Create SFW Service Template Window
7. In the Template Name field, enter a name for the service template or profile (limit of
63 alphanumeric characters without spaces).
8. In the Description field, enter a meaningful, easily-identifiable name for the service
instance (limit of 255 characters). Each service instance you define can be applied to
a single or multiple SDGs.
9. Instead of creating a new template entirely, you can import the parameters defined
for a previous SFW service instance and customize only the settings that are necessary.
Imported templates are created without any device assigned to them. To use these
templates, you must associate a device with the policy. To clone an existing template
by importing it, click the Import button.
The Import Services dialog box is displayed. See Importing an SFW Service Template
for step-wise details on importing an SFW service template.
10. The Create an SFW Planning Template window displays the individual elements or
components of the service with a graphical icon for each of the service elements and
the corresponding names in separate boxes. You can add, edit, or delete these service
elements in a template.
NOTE: The Property View tab and the Config View tab are displayed on
the right pane of the template window. The Property View tab provides a
tree-based structure of the parameters defined in a service template. You
can expand the tree and view details of each component. A key value pair
representation is shown. Each of the components can be treated as
categories of the service template shown in the property view.
The Config View tab displays the elements or components specified for
a service template in the form of configuration stanzas and hierarchy
levels. This display is similar to the show command that you can use at a
certain [edit] hierarchy level to view the defined settings. Each level in the
hierarchy is indented to indicate each statement's relative position in the
hierarchy. Each level is generally set off with braces, with an open brace
({) at the beginning of each hierarchy level and a closing brace (}) at the
end. If the statement at a hierarchy level is empty, the braces are not
displayed. Each leaf statement ends with a semicolon (;), as does the last
statement in the hierarchy.
a. Click the green tick mark (✓) displayed at the top-right corner of each of the service
element boxes to create a new element. If the green tick mark is not shown, it
indicates that the user role does not have the permission to create an element.
b. Click the red cross mark (x) displayed at the top-right corner of the icons of each
element if you want to delete the existing configuration. The user with designer
role has permissions to remove or edit elements.
c. If the red cross mark is not displayed beside a particular icon, it signifies that the
element cannot be deleted.
d. The diamond icon that contains an orange tick mark within it at the top-right corner
of the service component name denotes that the particular element can be
modified. The absence of this icon denotes that the user does not have permissions
to modify the attributes of the service component.
e. Double-click each icon pertaining to a service element to view or edit its settings.
If you do not possess the permission to modify the element, a view-only dialog box
with the attributes of the selected element is shown. Otherwise, an editable dialog
box enables you to modify the settings.
f. Click Save to save the service template configuration. Otherwise, click Close to discard
the changes to the template.
g. Click the Maximize icon displayed at the top-right corner of the rectangle or box
that shows all of the values or entities of a particular component of a service
template. The specified component or attribute is displayed as a separate dialog
box, listing all of the values of the particular component. You can add, modify, or
delete the listed values.
h. While creating the new service template, the designer can add or modify service
parameter values and also restrict the access level of each service parameter for
the operator. The designer can set the following access levels for each service
parameter for the operator in the planning template. Click the new icon (cascading files
icon) displayed at the top-left corner of each of the element boxes to open the
shortcut menu. You can click one of the following radio buttons:
• Read-only (the configuration parameter is read-only for the operator as part of
provisioning)
• Editable (the configuration parameter is editable as part of provisioning)
• Device-Specific (the configuration parameter value needs to be entered by the
operator for each device during deployment)
i. Click Save & Publish to save and publish the service template configuration. The
designer must publish the service templates to the operator to use in the creation
of deployment plans. After a filter or policy is published, it goes for peer review and
approval. After approval, the filter or policy is deployed to the device.
Modifying SFW Service Templates
On the Service Designer page, you can view the collection of service templates defined
for several applications, such as stateful firewall or CGNAT.
To modify service template instances, such as ADC, SFW, CGNAT, or TLB templates:
1. From the View selector, select Service View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Deploy icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the task pane, select Deploy Service > Service Edit.
The Service Instances page is displayed in the right pane, listing all the previously
defined service templates.
4. From the View pane, perform one of the following tasks:
• Click the ADC button.
The list of ADC service templates is displayed. You need not click this button if you
are launching the Service Designer page for the first time or are navigating to this
page from another mode or a different page. You need to click this button only if
you are viewing the other service templates, such as CGNAT or TLB.
• Click the SFW button.
The list of SFW templates is displayed.
• Click the TLB button.
The list of TLB templates is displayed.
• Click the CGNAT button.
The list of CGNAT templates is displayed.
5. In the main window, click the plus sign (+) next to the SDG pairs to expand the tree
and view the pair of devices in the SDG group or pair. Select the check box next to the
SDG pair or individual SDG for which you want to modify settings. In an SDG pair, you
can select a single SDG or both the SDGs in the redundancy pair of devices.
NOTE: Alternatively, you can also modify service templates from Service
View in Build Mode by selecting the Service Templates > Manage Service
Templates from the task pane, selecting a service instance, and clicking
the Modify button.
6. Click the Lock icon above the table of listed packet filters. The Select Reference Config
dialog box is displayed.
Figure 25: Select Reference Config Dialog Box
7. From the Service Gateway Name drop-down list, select the SDG group to which the
packet filter must be applied.
8. From the Host Name drop-down list, select the hostname of the SDG.
9. In the Select Common Components section, select the check boxes beside the service
modules or components, such as packet filters, SFW rules, or CGNAT rules, that are
displayed. The displayed components depend on the attributes that are previously
defined for that selected packet filter. For example, if the service policy is for stateful
firewall, SFW rules and SFW rule sets are shown. Select the check box beside Config
Category to select all the service components.
10. Click Save to save the modified association.
11. Select the check box beside the template you want to modify.
12. Open the Modify menu above the list of templates to modify an existing template,
and select the component or service attribute, such as application or rule, that you
want to edit.
13. Perform one of the following from the drop-down menu displayed for each component:
• To retrieve the service component and import into the database of Edge Services
Director, select Import Object. The Import Services dialog box appears. You can
import the service templates assigned to SDGs or choose from a list of all of the
predefined templates in the database. Also, you can either import all of the
components of a service or specific components.
• To create the component afresh, select Create New. The Create page corresponding
to the service component appears. You can define the attributes for the service
component in the same manner as you define the elements during the creation of
a service template.
Creating a Deployment Plan
You must have previously defined service templates and policy or filter templates before
you can create a deployment plan.
To create a deployment plan and assign devices to it:
1. From the View selector, select Service View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Deploy icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the task pane, select Service Edit.
The Manage Service Templates page is displayed.
4. Click the SFW button.
The list of SFW service templates is displayed.
5. Select the check boxes next to the SDGs or SDG groups that you want to assign to
the plan. Based on your selection of a service or a policy template, the components
or attributes are shown for the corresponding device.
6. From the boxes that show the components of a service template, you can edit, delete,
or add elements to it. If you do not have permissions to update a template, the
corresponding icons are not shown.
7. Click the down arrow in the Actions menu and select Send for Deployment to create
a deployment plan for the particular service template and save the plan.
If you create a deployment plan from Service view of Deploy mode, the Edit Service
Instance page is displayed. You can modify the SDGs associated with the service
instance and also modify the service instance attributes as necessary by either clicking
the buttons corresponding to the various settings at the top of the wizard page to
directly traverse to the page you want to modify or clicking the navigation buttons at
the bottom of the wizard page to go to the different pages of the wizard. Click Finish
to create a deployment plan.
A deploy plan is created for the service template with the devices that are assigned
to it when you view the Deployment Plans page.
8. Alternatively, you can select Discard changes from the Actions menu to ignore the
modifications done to a policy or filter template.
9. From the Deployment plans page, you can select Reject or Approve from the Actions
drop-down list to reject or approve the deployment plan and make it available for
commissioning to the devices.
Importing an SFW Service Template
To create a clone of an existing SFW template by importing it:
1. From the View selector, select Service View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the task pane, select Service Templates.
The Manage Service Templates page is displayed.
4. Click the SFW button.
The list of SFW service templates is displayed.
You need not click this button if you are launching the Service Designer page for the
first time or are navigating to this page from another mode or a different page. You
need to click this button only if you are viewing the other service templates, such as
CGNAT or SFW.
5. Click the Add icon.
The Create an SFW Planning Template window appears.
6. In the Template Name field, enter a name for the service template or profile (limit of
63 alphanumeric characters without spaces).
7. In the Description field, enter a meaningful, easily-identifiable name for the service
instance (limit of 255 characters). Each service instance you define can be applied to
a single or multiple SDGs.
8. Click the Import button.
The Import Services dialog box appears.
You can import the service templates assigned to SDGs or choose from a list of all of
the predefined templates in the database. Also, you can either import all of the
components of a service or specific components.
9. Do one of the following for the Import section:
• Select the From Existing Service Gateway radio button if you want to import the
CGNAT rule from SDGs that are present in the Edge Services Director database.
• Select the From XML radio button if you want to import the CGNAT rule from an
XML configuration file on an external system.
10. If you selected the option to import the object from SDGs, do the following:
• Click the Normal View tab to view the list of SDGs. You can search for specific SDGs
by entering a search item and clicking the Search icon.
Alternatively, click the Group View tab to view the list of SDG groups. You can search
for specific SDG groups by entering a search item and clicking the Search icon.
• Click the plus sign (+) next to the All Service Gateways item to expand the tree
structure that displays the list of SDGs or SDG groups. If the SDG pair is configured,
you can select one of the devices, master or standby, from which you want to import
the object.
Alternatively, if you selected the Group View tab, you can select an SDG from the
groups displayed from which you want to import the object.
• Click Import. The object is added to the database and can be used during
configuration of services or policies.
11. If you selected the option to import from an XML file, do the following:
• Click Browse beside the File Name field to navigate to the path where an XML file
is available to be imported.
• Click Upload. The service template is added to the database and can be used during
configuration of services or policies.
12. Do one of the following to import all components of a selected template or only a
particular component of a template. For the components that are not imported, you
need to specify the definitions of the components afresh.
• Select the check boxes next to all of the service instances that are displayed for the
selected SDG or SDG group, or for the XML file that you uploaded. In such a case,
all of the elements or parameters of the selected template or instance are imported.
• Alternatively, select the check box next to a particular or group of service instances
to import only a specific component of the selected template.
13. Similarly, you can select other components and add them to the template. Save the
imported components to add them to the template you are creating by using the
imported template as a base.
Creating a Service Set
A service set is a collection of services to be performed by an Adaptive Services (AS) or
Multiservices PIC. To create a service set as a component for the SFW template:
1. From the View selector, select Service View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the task pane, select Service Templates.
The Manage Service Templates page is displayed.
4. Click the SFW button.
The list of SFW service templates is displayed.
5. Click the Add icon.
The Create an SFW Planning Template window appears.
6. Enter the name of the template and the service instance in the respective fields.
7. Click the green plus sign in the Service Set box.
The Addition of Service Set dialog box appears.
NOTE: For the service elements that you can configure using the Object
Builder workspace, such as applications and rules, when you click the
green plus sign (+) at the top-right corner of each of the service element
boxes, the shortcut menu is displayed. Click the Create New radio button
to create the service component afresh. Alternatively, click the Import from
Object Builder radio button to open a dialog box that enables you to select
from the list of service elements that are present in the database of Edge
Services Director and import them into the service template.
If a green tick mark is shown beside a field in the dialog box, it denotes
that you can add attributes for that component. A red cross mark shows
that you can delete that particular attribute for that component.
8. In the Name field, enter the name to identify the service set. Rules are combined into
rule sets, and are associated with a service set for each application such as firewall
or CGNAT.
9. In the Sampling Service Choices section, do one of the following:
• Click Interface Services to configure an interface-style service set. An interface
service set is used as an action modifier across an entire interface.
  • In the Service Interfaces field, specify the name for the adaptive services interface
    associated with an interface-wide service set.
    When you have defined and grouped the service rules by configuring the service-set
    definition, you can apply services to one or more interfaces installed on the router.
    When you apply the service set to an interface, it automatically ensures that
    packets are directed to the PIC.
  • From the Load Balancing Options section, configure the high availability (HA)
    options.
    The following hash keys can be configured in the egress direction: destination-ip
    (Use the destination IP address of the flow to compute the hash used in load
    balancing.) and source-ip (Use the source IP address of the flow to compute the
    hash used in load balancing.)
    • Click the green tick mark beside the Egress Key element to configure the hash keys
      to be used in the egress flow direction. The configuration is mandatory if you are
      using AMS for Network Address Translation (NAT). This configuration is not
      mandatory if you are using AMS for stateful firewall; if the hash keys are not
      configured, then the defaults are chosen.
    • Click the green tick mark beside the Ingress Key element to configure the hash
      keys to be used in the ingress flow direction. The configuration is mandatory if
      you are using AMS for Network Address Translation (NAT). This configuration is
      not mandatory if you are using AMS for stateful firewall; if the hash keys are not
      configured, then the defaults are chosen.
Configure the hash keys used for load balancing in aggregated multiservices (AMS)
for service applications (Network Address Translation [NAT], stateful firewall,
application-level gateway [ALG], HTTP header enrichment, and mobility). The hash
keys supported in the ingress and egress direction are the source IP address and
destination IP address.
Hash keys are used to define the load-balancing behavior among the various
members in the AMS group. For example, if hash-keys is configured as source-ip,
then the hashing would be performed based on the source IP address of the packet.
Therefore, all packets with the same source IP address land on the same member.
Hash keys must be configured with respect to the traffic direction: ingress or egress.
For example, if hash-keys is configured as source-ip in the ingress direction, then it
should be configured as destination-ip in the egress direction. This is required to
ensure that the packets of the same flow reach the same member of the AMS group.
The configuration of the ingress and egress hash keys is mandatory if you are using
AMS for NAT. This configuration is not mandatory if you are using AMS for stateful
firewall; if the hash keys are not configured, then the defaults are chosen. Refer to
Table 48 on page 232 for the supported hash keys.
The resource-triggered option enables anchor session PICs to use the load or
resource information from the anchor services PICs to select the AMS member that will
anchor the services for the subscriber for load balancing among AMS members. In
addition, for mobile subscriber-aware services (such as HTTP header enrichment),
you must configure the resource-triggered statement, which means that the load
balancing is not done using the ingress and egress keys.
Table 49: Hash Keys Supported for AMS for Service Applications

| NAT Type | Service Set at Ingress Interface: Ingress hash key | Service Set at Ingress Interface: Egress hash key | Service Set at Egress Interface: Ingress hash key | Service Set at Egress Interface: Egress hash key |
|---|---|---|---|---|
| Hash Keys for NAT | | | | |
| source static | Destination IP address | Source IP address | Source IP address | Destination IP address |
| source dynamic | Source IP address | Destination IP address | Destination IP address | Source IP address |
| Network Address Port Translation (NAPT) | Source IP address | Destination IP address | Destination IP address | Source IP address |
| destination static | Source IP address | Destination IP address | Destination IP address | Source IP address |
| Hash Keys for Stateful Firewall | | | | |
| Stateful Firewall | Destination IP address | Source IP address | Destination IP address | Source IP address |
| Stateful Firewall | Source IP address | Destination IP address | Source IP address | Destination IP address |

NOTE: If NAT is used in the service set (along with stateful firewall and
ALG), then the hash keys should be based on the NAT type; otherwise,
the hash keys of the stateful firewall should be used.
• Click Next Hop Services to configure a next-hop style service set. A next-hop service
set is a route-based method of applying a particular service. Only packets destined
for a specific next hop are serviced by the creation of explicit static routes.
  • In the Inside Interface list, specify the interface type of the service interface
    associated with the service set applied inside the network. For inline IP reassembly,
    set the interface type to local. Also, specify the name and logical unit number of
    the service interface associated with the service set applied inside the network.
    When a next-hop service is configured, the AS or Multiservices PIC is considered
    to be a two-legged module with one leg configured to be the inside interface
    (inside the network) and the other configured as the outside interface (outside
    the network).
  • In the Outside Interface list, specify the interface type of the service interface
    associated with the service set applied outside the network. For inline IP
    reassembly, set the interface type to local. Also, specify the name and logical unit
    number of the service interface associated with the service set applied outside
    the network.
  • In the Service Interface Pool list, select the name of the pool of logical interfaces
    configured at the [edit services service-interface-pools pool pool-name] hierarchy
    level. You can configure a service interface pool only if the service set has a PGCP
    rule configured. The service set cannot contain any other type of rule.
• Click Sampling Services to configure a sampling service set.
  • In the Service Interface field, specify the service interface, which is the interface
    the sampling is taken from. In the case of a sampling service set, the service
    interface must be a Multiservices PIC interface with a subunit number of 0 (zero).
    The subunit number defaults to 0. The reverse-flow statement is not mandatory.
    All sampled traffic is considered to be forward traffic. If you set the reverse-flow
    statement, it is ignored.
Select the Replication Service check box to configure the services replication options
for inter-chassis high availability on MS-MIC and MS-MPC.
• In the Replication Threshold field, specify the number of seconds for the replication
threshold. When a flow has been active for more than the number of seconds
specified as a threshold, flow state information is replicated to the backup device.
Make sure that the replication-threshold value is than the open-timeout value (the
timeout period for establishing a TCP connection). The default value of the
replication threshold is 180 seconds. This value is also the minimum.
• Select the Stateful Firewall check box to replicate stateful firewall state
information.
• Select the NAT check box to replicate NAPT44 information.
10. In the SFW Rule Sets section, select the rule set you want to associate with the service
set from the Available column and click the right arrow to move to the Selected
column.
11. In the SFW Rules section, select the rule you want to associate with the service set
from the Available column and click the right arrow to move to the Selected column.
12. In the SFW Syslogs section, select the syslog you want to associate with the service
set from the Available column and click the right arrow to move to the Selected
column.
13. Click Save to save the service template configuration. Otherwise, click Close to discard the
changes to the template.
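The hash-key rule described in step 9 (opposite keys in the ingress and egress directions keep both halves of a flow on one AMS member) can be checked with the following added Python simulation, which is not part of the Juniper guide or of Junos. The SHA-256 hash, the member names, and the sample addresses are assumptions constructed for illustration, and NAT address rewriting is not modeled.

```python
"""Simulation of AMS hash-key member selection (added example, not Junos code)."""
import hashlib
import ipaddress
from collections import namedtuple

# direction is "ingress" or "egress", matching the two hash-key settings.
Packet = namedtuple("Packet", "src dst direction")

# The two hash keys the guide lists, mapped to the packet field each one hashes.
HASH_FIELDS = {"source-ip": "src", "destination-ip": "dst"}

# Constructed sample data: four hypothetical AMS members and 200 flows.
MEMBERS = ["member-0", "member-1", "member-2", "member-3"]
FLOWS = [
    (f"10.0.{i // 250}.{i % 250 + 1}", f"198.51.100.{(i * 7) % 250 + 1}")
    for i in range(200)
]

SYMMETRIC_KEYS = {"ingress": "source-ip", "egress": "destination-ip"}
MISMATCHED_KEYS = {"ingress": "source-ip", "egress": "source-ip"}


def pick_member(packet, hash_keys, members):
    """Return the member that services `packet` for the given hash keys.

    Assumption: SHA-256 modulo the member count stands in for the router's
    hash function, which the guide does not describe.
    """
    field = HASH_FIELDS[hash_keys[packet.direction]]
    address = ipaddress.ip_address(getattr(packet, field))
    digest = hashlib.sha256(address.packed).digest()
    return members[int.from_bytes(digest[:4], "big") % len(members)]


def flow_packets(client, server):
    """Forward packet travels in the ingress direction, the reply in egress."""
    return (
        Packet(client, server, "ingress"),
        Packet(server, client, "egress"),
    )


def count_split_flows(hash_keys, members, flows):
    """Count flows whose forward and return packets land on different members."""
    split = 0
    for client, server in flows:
        forward, reply = flow_packets(client, server)
        if pick_member(forward, hash_keys, members) != pick_member(
            reply, hash_keys, members
        ):
            split += 1
    return split


def validate_hash_keys(hash_keys):
    """Return a list of problems with an ingress/egress hash-key pair.

    Encodes the guide's rule: source-ip in one direction requires
    destination-ip in the other.
    """
    problems = []
    for direction in ("ingress", "egress"):
        if hash_keys.get(direction) not in HASH_FIELDS:
            problems.append(f"{direction} key must be source-ip or destination-ip")
    if not problems and hash_keys["ingress"] == hash_keys["egress"]:
        problems.append("ingress and egress keys must be opposite fields")
    return problems


if __name__ == "__main__":
    for label, keys in (("symmetric", SYMMETRIC_KEYS), ("mismatched", MISMATCHED_KEYS)):
        split = count_split_flows(keys, MEMBERS, FLOWS)
        print(f"{label}: {split} of {len(FLOWS)} flows split across members; "
              f"problems: {validate_hash_keys(keys) or 'none'}")
```

A split flow matters for stateful services because the member that sees the reply has no session state for it.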
Creating an Application
You can define application protocols for the stateful firewall and Network Address
Translation (NAT) services to use in match condition rules. An application protocol, or
application layer gateway (ALG), defines application parameters using information from
network Layer 3 and above. Examples of such applications are FTP and H.323.
To create an application for an SFW rule term:
1. From the View selector, select Service View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the task pane, select Service Templates.
The Manage Service Templates page is displayed.
4. Click the SFW button.
The list of SFW service templates is displayed.
5. Click the Add icon.
The Create an SFW Planning Template window appears.
6. In the Name field, enter a name for the service template or profile (limit of 63
alphanumeric characters without spaces).
7. In the Description field, enter a meaningful, easily-identifiable name for the service
instance (limit of 255 alphanumeric characters). Each service instance you define can
be applied to a single or multiple SDGs.
8. Click the green plus sign in the Applications box.
The Create an Application dialog box appears.
NOTE: For the service elements that you can configure using the Object
Builder workspace, such as applications and rules, when you click the
green plus sign (+) at the top-right corner of each of the service element
boxes, the shortcut menu is displayed. Click the Create New radio button
to create the service component afresh. Alternatively, click the Import from
Object Builder radio button to open a dialog box that enables you to select
from the list of service elements that are present in the database of Edge
Services Director and import them into the service template.
If a green tick mark is shown beside a field in the dialog box, it denotes
that you can add attributes for that component. A red cross mark shows
that you can delete that particular attribute for that component.
9. In the Name field, enter the name to identify the application.
10. From the Protocol drop-down list, specify the networking protocol type or number to
match in an application definition. The following text values are supported: TCP, UDP,
ICMP, and GRE. Based on the selection, the dialog box refreshes to display additional
fields applicable for the protocol.
11. From the Application Protocol drop-down list, specify the application protocol name.
Application protocols are also called application layer gateways (ALGs). The
application-protocol setting allows you to specify which of the supported application
protocols (ALGs) to configure and include in an application set for service processing.
Valid entries include the following:
dns—Domain Name Service
icmp—ICMP
rtsp—Real Time Streaming Protocol
tftp—Trivial File Transfer Protocol
Based on the selection, the dialog box refreshes to display additional fields applicable
for the application protocol.
12. In the Inactivity Timeout (secs) field, specify the length of time, in seconds, for which
the application is inactive before it times out. The default is 30 seconds.
13. In the ICMP Type field, specify the Internet Control Message Protocol (ICMP) code
type. The ICMP code and type provide additional specification, in conjunction with
the network protocol, for packet matching in an application definition. Normally, you
specify this match in conjunction with the protocol match statement to determine
which protocol is being used on the port. The only value available in this field is
ECHO_REQUEST.
NOTE: From the Junos OS CLI, to configure ICMP settings, include the
icmp-code and icmp-type statements at the [edit applications application
application-name] hierarchy level:
In place of the numeric value, you can specify one of the following text
synonyms (the field values are also listed): echo-reply (0),
echo-request (8), info-reply (16), info-request (15), mask-request (17),
mask-reply (18), parameter-problem (12), redirect (5),
router-advertisement (9), router-solicit (10), source-quench (4),
time-exceeded (11), timestamp (13), timestamp-reply (14), or
unreachable (3).
14. From the Source Port type list, do one of the following:
• Select RANGE to configure a range of source ports for the application, and enter
the upper limit and lower limit of the range of ports in the Start Value and End Value
fields. You can specify a value in the range of 1 through 65,535.
• Select SINGLE to configure a single port number as the source port, and enter the
number in the Port Value field.
• Select NA if you do not want to specify a port number.
The TCP or UDP source and destination port provide additional specification, in
conjunction with the network protocol, for packet matching in an application definition.
To configure ports, you must define one source or destination port. Normally, you
specify this match in conjunction with the protocol match statement to determine
which protocol is being used on the port.
15. From the Destination Port type list, do one of the following:
• Select RANGE to configure a range of destination ports for the application, and
enter the upper limit and lower limit of the range of ports in the Start Value and End
Value fields. You can specify a value in the range of 1 through 65,535.
NOTE: If you specify a value of 0 as a destination port or beginning of
a destination port range, you will receive the following error: application
application-name' TCP Destination Port 0 Invalid error: configuration
check-out failed
• Select SINGLE to configure a single port number as the destination port, and enter
the number in the Port Value field.
• Select NA if you do not want to specify a port number.
16. Click Save to save the application.
Creating an Application Set
You can group the applications you have defined into a named object as an application
set.
To create an application set for an SFW rule term:
1. From the View selector, select Service View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the task pane, select Service Templates.
The Manage Service Templates page is displayed.
4. Click the SFW button.
The list of SFW service templates is displayed.
5. Click the Add icon.
The Create a SFW Planning Template window appears.
6. In the Name field, enter a name for the service template or profile (limit of 63
alphanumeric characters without spaces).
7. In the Description field, enter a meaningful, easily-identifiable name for the service
instance (limit of 255 alphanumeric characters). Each service instance you define can
be applied to a single or multiple SDGs.
8. Click the green plus sign in the Applications box.
The Create an Application dialog box appears.
NOTE: For the service elements that you can configure using the Object
Builder workspace, such as applications and rules, when you click the
green plus sign (+) at the top-right corner of each of the service element
boxes, the shortcut menu is displayed. Click the Create New radio button
to create the service component afresh. Alternatively, click the Import from
Object Builder radio button to open a dialog box that enables you to select
from the list of service elements that are present in the database of Edge
Services Director and import them into the service template.
If a green tick mark is shown beside a field in the dialog box, it denotes
that you can add attributes for that component. A red cross mark shows
that you can delete that particular attribute for that component.
9. In the Name field, enter the name to identify the application set.
10. In the Application section, the application set selector dialog box is displayed. Select
the applications or application sets that need to be added to the rule term from
the Available column and click the right arrow to move these applications or application
sets to the Selected column.
11. Click Save to save the application set.
Creating a Syslog
You can enable system logging. The system log information from the Adaptive Services
or Multiservices PIC is passed to the kernel for logging in the /var/log directory. This setting
overrides any syslog statement setting included in the service set or interface default
configuration.
To create a syslog for the SFW template:
1. From the View selector, select Service View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the task pane, select Service Templates.
The Manage Service Templates page is displayed.
4. Click the SFW button.
The list of SFW service templates is displayed.
5. Click the Add icon.
The Create an SFW Planning Template window appears.
6. In the Template Name field, enter a name for the service template or profile (limit of
63 alphanumeric characters without spaces).
7. In the Description field, enter a meaningful, easily-identifiable name for the service
instance (limit of 255 characters). Each service instance you define can be applied to
a single or multiple SDGs.
8. Click the green plus sign in the Server Groups box.
The Addition of Group dialog box appears.
NOTE: If a green tick mark is shown beside a field in the dialog box, it
denotes that you can add attributes for that component. A red cross mark
shows that you can delete that particular attribute for that component.
9. In the Name field, enter the name for the syslog component. Specify the fully qualified
domain name or IP address for the syslog server.
10. In the Services list, specify the system logging severity level. It assigns a severity level
to the facility. Valid entries include:
• alert—Conditions that should be corrected immediately.
• any—Matches any level.
• critical—Critical conditions.
• emergency—Panic conditions.
• error—Error conditions.
• info—Informational messages.
• notice—Conditions that require special handling.
• warning—Warning messages.
11. From the Facility Override list, select the override for the default facility for system
log reporting. Valid values include:
authorization
daemon
ftp
kernel
local0 through local7
user
12. In the Log Prefix field, set the system logging prefix value for all logging to the system
log host.
13. In the Port field, specify the port number to be used for connection with the remote
syslog server.
14. In the Class section, set the class of applications to be logged to the system log.
• alg-logs—Log application-level gateway events.
• ids-logs—Log intrusion detection system events.
• nat-logs—Log Network Address Translation events.
• packet-logs—Log general packet-related events.
• session-logs—Log session open and close events.
• session-logs open—Log session open events only.
• session-logs close—Log session close events.
• stateful-firewall-logs—Log stateful firewall events.
15. Click Save to save the service template configuration. Otherwise, click Close to discard
the changes to the template.
Creating a Rule
To create a rule for the SFW template:
1. From the View selector, select Service View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the task pane, select Service Templates.
The Manage Service Templates page is displayed.
4. Click the SFW button.
The list of SFW service templates is displayed.
5. Click the Add icon.
The Create an SFW Planning Template window appears.
6. In the Template Name field, enter a name for the service template or profile (limit of
63 alphanumeric characters without spaces).
7. In the Description field, enter a meaningful, easily-identifiable name for the service
instance (limit of 255 characters). Each service instance you define can be applied to
a single or multiple SDGs.
8. Click the green plus sign in the Server Groups box. The Addition of Group dialog box
appears.
NOTE: If a green tick mark is shown beside a field in the dialog box, it
denotes that you can add attributes for that component. A red cross mark
shows that you can delete that particular attribute for that component.
9. From the Rule list, select one of the previously configured rules. The rules that you
configured in the Service Templates workspace for SFW, packet filter, or CGNAT are
displayed.
10. Click Save to save the service template configuration. Otherwise, click Close to discard
the changes to the template.
Creating a Rule Set
The rule-set statement defines a collection of stateful firewall rules that determine what
actions the router software performs on packets in the data stream. You define each rule
by specifying a rule name and configuring terms. Then, you specify the order of the rules
by including the rule-set statement at the [edit services stateful-firewall] hierarchy level
with a rule statement for each rule.
The router software processes the rules in the order in which you specify them in the
configuration. If a term in a rule matches the packet, the router performs the corresponding
action and the rule processing stops. If no term in a rule matches the packet, processing
continues to the next rule in the rule set. If none of the rules matches the packet, the
packet is dropped by default.
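The ordering behavior described above, together with the application matching fields from the Create an Application dialog box, can be modeled in a few lines of Python. This is an added example, not Juniper code: the rule, term, and application names are hypothetical, the action names are illustrative, and the model matches on applications only (address matching is omitted).

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ICMP type synonyms taken from the NOTE in this guide (subset).
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "echo-request": 8, "time-exceeded": 11}


@dataclass(frozen=True)
class Application:
    """Application definition: protocol plus optional destination ports or ICMP type."""
    name: str
    protocol: str                                  # "tcp", "udp", "icmp" or "gre"
    dst_ports: Optional[Tuple[int, int]] = None    # inclusive (start, end)
    icmp_type: Optional[str] = None

    def __post_init__(self):
        if self.dst_ports is not None:
            lo, hi = self.dst_ports
            # The guide allows 1 through 65,535; a start value of 0 is rejected.
            if not 1 <= lo <= hi <= 65535:
                raise ValueError(f"{self.name}: invalid destination port range {lo}-{hi}")
        if self.icmp_type is not None and self.icmp_type not in ICMP_TYPES:
            raise ValueError(f"{self.name}: unknown ICMP type {self.icmp_type}")

    def matches(self, pkt: dict) -> bool:
        if pkt["protocol"] != self.protocol:
            return False
        if self.dst_ports is not None:
            port = pkt.get("dst_port")
            if port is None or not self.dst_ports[0] <= port <= self.dst_ports[1]:
                return False
        if self.icmp_type is not None and pkt.get("icmp_type") != ICMP_TYPES[self.icmp_type]:
            return False
        return True

    def covers(self, other: "Application") -> bool:
        """True if every packet matching `other` also matches this application."""
        if self.protocol != other.protocol:
            return False
        if self.dst_ports is not None:
            if other.dst_ports is None:
                return False
            (lo, hi), (olo, ohi) = self.dst_ports, other.dst_ports
            if not (lo <= olo and ohi <= hi):
                return False
        return self.icmp_type is None or self.icmp_type == other.icmp_type


@dataclass(frozen=True)
class Term:
    name: str
    applications: Tuple[Application, ...]   # term matches if any application matches
    action: str                             # "accept" or "discard" (illustrative)


@dataclass(frozen=True)
class Rule:
    name: str
    terms: Tuple[Term, ...]


def evaluate(rule_set: List[Rule], pkt: dict) -> Tuple[str, Optional[str], Optional[str]]:
    """Return (action, rule, term) for the first matching term; drop if none match."""
    for rule in rule_set:
        for term in rule.terms:
            if any(app.matches(pkt) for app in term.applications):
                return term.action, rule.name, term.name   # processing stops here
    return "default-drop", None, None


def shadowed_terms(rule_set: List[Rule]) -> List[Tuple[str, str]]:
    """List (rule, term) pairs that can never match because earlier terms cover them."""
    seen: List[Application] = []
    shadowed = []
    for rule in rule_set:
        for term in rule.terms:
            if all(any(prev.covers(app) for prev in seen) for app in term.applications):
                shadowed.append((rule.name, term.name))
            seen.extend(term.applications)
    return shadowed


# Constructed sample objects (all names are hypothetical).
HTTPS = Application("https", "tcp", dst_ports=(443, 443))
ANY_TCP = Application("any-tcp", "tcp", dst_ports=(1, 65535))
PING = Application("ping", "icmp", icmp_type="echo-request")
ALLOW_WEB = Rule("allow-web", (Term("t1", (HTTPS,), "accept"),))
ALLOW_PING = Rule("allow-ping", (Term("t1", (PING,), "accept"),))
BLOCK_TCP = Rule("block-tcp", (Term("t1", (ANY_TCP,), "discard"),))
GOOD_ORDER = [ALLOW_WEB, ALLOW_PING, BLOCK_TCP]
BAD_ORDER = [BLOCK_TCP, ALLOW_WEB, ALLOW_PING]

if __name__ == "__main__":
    pkt = {"protocol": "tcp", "dst_port": 443}
    print(evaluate(GOOD_ORDER, pkt), evaluate(BAD_ORDER, pkt))
    print(shadowed_terms(BAD_ORDER))
```

Running `shadowed_terms` over a planned rule order before you save the rule set flags rules that an earlier, broader rule makes unreachable.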
To create a rule set for the SFW template:
1. From the View selector, select Service View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the task pane, select Service Templates.
The Manage Service Templates page is displayed.
4. Click the SFW button.
The list of SFW service templates is displayed.
5. Click the Add icon.
The Create an SFW Planning Template window appears.
6. In the Template Name field, enter a name for the service template or profile (limit of
63 alphanumeric characters without spaces).
7. In the Description field, enter a meaningful, easily-identifiable name for the service
instance (limit of 255 characters). Each service instance you define can be applied to
a single or multiple SDGs.
8. Click the green plus sign in the Rule Sets box.
The Addition of Rule Sets dialog box appears.
NOTE: For the service elements that you can configure using the Object
Builder workspace, such as applications and rules, when you click the
green plus sign (+) at the top-right corner of each of the service element
boxes, the shortcut menu is displayed. Click the Create New radio button
to create the service component afresh. Alternatively, click the Import from
Object Builder radio button to open a dialog box that enables you to select
from the list of service elements that are present in the database of Edge
Services Director and import them into the service template.
If a green tick mark is shown beside a field in the dialog box, it denotes
that you can add attributes for that component. A red cross mark shows
that you can delete that particular attribute for that component.
9. Specify the rule set name the router uses when applying this service.
10. Select the rules that you want to group into a rule set from the Available column and
click the right arrow to move the rules to the Selected column.
11. Click Save to save the service template configuration. Otherwise, click Close to discard the
changes to the template.
Creating a Services PIC for an SFW Service Template
Multiservices (ms-) interfaces are the physical multiservices interfaces of a device that
are used to run the load-balancing instance application. The more multiservices interfaces
used for a load-balancing instance, the more capacity and processing power the instance
has. At least one MS interface must be specified for each adc-instance; up to eight
interfaces can run the same instance. A multiservices interface is associated exclusively
with a single load-balancing instance (it cannot be shared between instances).
To assign a services interface to an SFW template:
1. From the View selector, select Service View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the task pane, select Service Templates.
The Manage Service Templates page is displayed.
4. Click the SFW button.
The list of SFW service templates is displayed.
5. Click the Add icon.
The Create an SFW Planning Template window appears.
6. In the Template Name field, enter a name for the service template or profile (limit of
63 alphanumeric characters without spaces).
7. In the Description field, enter a meaningful, easily-identifiable name for the service
instance (limit of 255 characters). Each service instance you define can be applied to
a single or multiple SDGs.
8. Click the green plus sign in the Service Pic box.
The Service Pic dialog box appears.
NOTE: If a green tick mark is shown beside a field in the dialog box, it
denotes that you can add attributes for that component. A red cross mark
shows that you can delete that particular attribute for that component.
9. Select the check box next to the ms- interface of an SDG that must be assigned to
the SFW template.
10. Click OK to save the settings. Otherwise, click Cancel to discard the configuration.
Related Documentation
• Service Templates Overview on page 182
• Filtering Service Templates on page 183
• Viewing Service Templates on page 183
• Using the Actions Menu on the Service Template and Service Edit Pages on page 187
Creating and Managing TLB Service Templates
Before you configure the traffic load balancer (TLB) software, install the TLB application
package on the services PIC used for the server health monitoring function. Once you
have installed the application package, you can configure or re-configure TLB as needed.
To create a complete application, you must also define interfaces and routing information.
You can optionally define firewall filters and policy options in order to differentiate TLB
traffic.
You can perform the following tasks with the Service Designer page for TLB:
• Create a TLB service template with attributes and settings for load balancing operations.
• Modify an existing TLB template to meet the network needs and deployment scenarios.
• Delete an existing template.
• Creating a TLB Service Template
• Creating a Deployment Plan
• Modifying TLB Service Templates
• Importing a TLB Service Template
• Creating a Real Server
• Creating a Group for Real Servers
• Creating a Services PIC for a TLB Service Template
• Creating a Network Monitor Profile for a TLB Service Template
• Creating a Command for Script-Based Health Checks
• Creating a Server Bypass Filter
• Creating a Virtual Service for a TLB Service Template
• Creating a Client-Facing Interface and Routing Instance
• Creating a Server-Facing Interface and Routing Instance
Creating a TLB Service Template
To configure a new TLB service template:
1. From the View selector, select Service View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the task pane, select Service Templates. The Manage Service Templates page
is displayed.
4. Click the TLB button.
The list of TLB service templates is displayed.
The Service Designer page displays a bar graph in the top pane of the page. The count
of service templates of each type is displayed on the vertical axis and the service type
is shown on the horizontal axis. A color-coding format is used to represent the bars
on the graph. Published service templates are shown in olive green color and
unpublished service templates are shown in blue color. Mouse over each bar in the
chart to highlight and display the number of templates published or unpublished for
each type of service.
5. Click the Add icon. The Select Version dialog box is displayed.
6. Select Junos 12.1 if you want to create a template based on the Junos OS Release 12.1.
Alternatively, select Junos 14.1 if you want to create a template based on the Junos
OS Release 14.1.
NOTE: All the service template components described in this section can
be created for templates that are based on both the Junos OS Releases
12.1 and 14.1. The service elements or components that are additionally
available for configuration when you select the Junos OS 14.1 version are
explicitly mentioned in the relevant steps of the procedure.
The Create a TLB Planning Template window appears.
Figure 26: Create TLB Service Template Window
7. In the Template Name field, enter a name for the service template or profile (limit of
63 alphanumeric characters without spaces).
8. In the Instance Name field, enter a meaningful, easily-identifiable name for the service
instance (limit of 255 characters). Each service instance you define can be applied to
a single or multiple SDGs.
9. Instead of creating a new template entirely, you can import the parameters defined
for a previous TLB service instance and customize only the settings that are necessary.
Imported templates are created without any device assigned to them. To use these
templates, you must associate a device with the policy. To clone an existing template
by importing it, click the Import button.
The Import Services dialog box is displayed. See Importing a TLB Service Template for
step-wise details on importing a TLB service template.
10. The Create a TLB Planning Template window displays the individual elements or
components of the service with a graphical icon for each of the service elements and
the corresponding names in separate boxes. You can add, edit, or delete these service
elements in a template.
The Property View tab and the Config View tab are displayed on the right pane of the
template window. The Property View tab provides a tree-based structure of the
parameters defined in a service template. You can expand the tree and view details
of each component. A key value pair representation is shown. Each of the components
can be treated as categories of the service template shown in the property view.
The Config View tab displays the elements or components specified for a service
template in the form of configuration stanzas and hierarchy levels. This display is
similar to the show command that you can use at a certain [edit] hierarchy level to
view the defined settings. Each level in the hierarchy is indented to indicate each
statement's relative position in the hierarchy. Each level is generally set off with braces,
with an open brace ({) at the beginning of each hierarchy level and a closing brace
(}) at the end. If the statement at a hierarchy level is empty, the braces are not
displayed. Each leaf statement ends with a semicolon (;), as does the last statement
in the hierarchy.
a. Click the green tick mark (✓) displayed at the top-right corner of each of the service
element boxes to create a new element. If the green tick mark is not shown, it
indicates that the user role does not have the permission to create an element.
b. Click the red cross mark (x) displayed at the top-right corner of the icons of each
element if you want to delete the existing configuration. The user with designer
role has permissions to remove or edit elements.
c. If the red cross mark is not displayed beside a particular icon, it signifies that the
element cannot be deleted.
d. The diamond icon that contains an orange tick mark within it at the top-right corner
of the service component name denotes that the particular element can be
modified. The absence of this icon denotes that the user does not have permissions
to modify the attributes of the service component.
e. Double-click each icon pertaining to a service element to view or edit its settings.
If you do not possess the permission to modify the element, a view-only dialog box
with the attributes of the selected element is shown. Otherwise, an editable dialog
box enables you to modify the settings.
f. Click Save to save the service template configuration. Otherwise, click Close to discard
the changes to the template.
g. Click the Maximize icon displayed at the top-right corner of the rectangle or box
that shows all of the values or entities of a particular component of a service
template. The specified component or attribute is displayed as a separate dialog
box, listing all of the values of the particular component. You can add, modify, or
delete the listed values.
h. While creating the new service template, the designer can add or modify service
parameter values and also restrict the access level for each service parameter for
the operator. The designer can set the following access levels for the operator on
each service parameter in the planning template. Click the new icon (cascading files
icon) displayed at the top-left corner of each of the element boxes to open the
shortcut menu. You can click one of the following radio buttons:
• Read-only (the configuration parameter is read-only for the operator as part of
provisioning)
• Editable (the configuration parameter is editable as part of provisioning)
• Device-Specific (the configuration parameter value needs to be entered by the
operator for each device during deployment)
i. Click Save & Publish to save and publish the service template configuration. The
designer must publish the service templates for the operator to use in the creation
of deployment plans. After a filter or policy is published, it goes for peer review and
approval. After approval, the filter or policy is deployed to the device.
Creating a Deployment Plan
You must have previously defined service templates and policy or filter templates before
you can create a deployment plan.
To create a deployment plan and assign devices to it:
1. From the View selector, select Service View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Deploy icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the task pane, select Service Edit.
The Manage Service Templates page is displayed.
4. Click the TLB button.
The list of TLB service templates is displayed.
5. Select the check boxes next to the SDGs or SDG groups that you want to assign to
the plan. Based on your selection of a service or a policy template, the components
or attributes are shown for the corresponding device.
6. From the boxes that show the components of a service template, you can edit, delete,
or add elements to it. If you do not have permissions to update a template, the
corresponding icons are not shown.
7. Click the down arrow in the Actions menu and select Send for Deployment to create
a deployment plan for the particular service template and save the plan.
• If you create a deployment plan from Gateway view of Deploy mode, the Deployment
Plan Summary dialog box appears, with the service name, type, and status listed.
Click Send to create a deployment plan.
• If you create a deployment plan from Service view of Deploy mode, the Edit Service
Instance page is displayed. You can modify the SDGs associated with the service
instance and also modify the service instance attributes as necessary by either
clicking the buttons corresponding to the various settings at the top of the wizard
page to directly traverse to the page you want to modify or clicking the navigation
buttons at the bottom of the wizard page to go to the different pages of the wizard.
Click Finish to create a deployment plan.
A deployment plan is created for the service template with the devices that are assigned
to it when you view the Deployment Plans page.
8. Alternatively, you can select Discard changes from the Actions menu to ignore the
modifications done to a policy or filter template.
9. From the Deployment plans page, you can select Reject or Approve from the Actions
drop-down list to reject or approve the deployment plan and make it available for
commissioning to the devices.
Modifying TLB Service Templates
On the Service Designer page, you can view the collection of service templates defined
for several applications, such as stateful firewall or CGNAT.
To modify service template instances, such as ADC, SFW, CGNAT, or TLB templates:
1. From the View selector, select Service View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Deploy icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the task pane, select Deploy Service > Service Edit.
The Service Instances page is displayed in the right pane, listing all the previously
defined service templates.
4. From the View pane, perform one of the following tasks:
• Click the ADC button.
The list of ADC service templates is displayed. You need not click this button if you
are launching the Service Designer page for the first time or are navigating to this
page from another mode or a different page. You need to click this button only if
you are viewing the other service templates, such as CGNAT or TLB.
• Click the SFW button.
The list of SFW templates is displayed.
• Click the TLB button.
The list of TLB templates is displayed.
• Click the CGNAT button.
The list of CGNAT templates is displayed.
5. In the main window, click the plus sign (+) next to the SDG pairs to expand the tree
and view the pair of devices in the SDG group or pair. Select the check box next to the
SDG pair or individual SDG for which you want to modify settings. In an SDG pair, you
can select a single SDG or both the SDGs in the redundancy pair of devices.
NOTE: Alternatively, you can also modify service templates from Service
View in Build Mode by selecting the Service Templates > Manage Service
Templates from the task pane, selecting a service instance, and clicking
the Modify button. You can also modify ADC and TLB service templates
from Gateway View in Deploy mode by selecting the SDG pair or SDG from
the View pane, selecting Service Edit from the task pane, and selecting
the TLB service from the main window that displays all the previously
configured template instances to lock and modify it.
6. Click the Lock icon above the table of listed packet filters. The Select Reference Config
dialog box is displayed.
Figure 27: Select Reference Config Dialog Box
7. From the Service Gateway Name drop-down list, select the SDG group to which the
packet filter must be applied.
8. From the Host Name drop-down list, select the hostname of the SDG.
9. In the Select Common Components section, select the check boxes beside the service
modules or components, such as packet filters, SFW rules, or CGNAT rules, that are
displayed. The displayed components depend on the attributes that are previously
defined for that selected packet filter. For example, if the service policy is for stateful
firewall, SFW rules and SFW rule sets are shown. Select the check box beside Config
Category to select all the service components.
10. Click Save to save the modified association.
11. Select the check box beside the template you want to modify.
12. Open the Modify menu above the list of templates to modify an existing template,
and select the component or service attribute, such as application or rule, that you
want to edit.
13. Perform one of the following from the drop-down menu displayed for each component:
• To retrieve the service component and import into the database of Edge Services
Director, select Import Object. The Import Services dialog box appears. You can
import the service templates assigned to SDGs or choose from a list of all of the
predefined templates in the database. Also, you can either import all of the
components of a service or specific components.
• To create the component afresh, select Create New. The Create page corresponding
to the service component appears. You can define the attributes for the service
component in the same manner as you define the elements during the creation of
a service template.
Importing a TLB Service Template
To create a clone of an existing TLB template by importing it:
1. From the View selector, select Service View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the task pane, select Service Templates.
The Manage Service Templates page is displayed.
4. Click the TLB button.
The list of TLB service templates is displayed. You need not click this button if you
are launching the Service Designer page for the first time or are navigating to this page
from another mode or a different page. You need to click this button only if you are
viewing the other service templates, such as CGNAT or TLB.
5. Click the Add icon.
The Create a TLB Planning Template window appears.
6. In the Template Name field, enter a name for the service template or profile (limit of
63 alphanumeric characters without spaces).
7. In the Instance Name field, enter a meaningful, easily-identifiable name for the service
instance (limit of 255 characters). Each service instance you define can be applied to
a single or multiple SDGs.
8. Click the Import button. The Import Services dialog box appears.
You can import the service templates assigned to SDGs or choose from a list of all of
the predefined templates in the database. Also, you can either import all of the
components of a service or specific components.
9. Do one of the following for the Import section:
• Select the From Existing Service Gateway radio button if you want to import the
CGNAT rule from SDGs that are present in the Edge Services Director database.
• Select the From XML radio button if you want to import the CGNAT rule from an
XML configuration file on an external system.
10. If you selected the option to import the object from SDGs, do the following:
• Click the Normal View tab to view the list of SDGs. You can search for specific SDGs
by entering a search item and clicking the Search icon.
Alternatively, click the Group View tab to view the list of SDG groups. You can search
for specific SDG groups by entering a search item and clicking the Search icon.
• Click the plus sign (+) next to the All Service Gateways item to expand the tree
structure that displays the list of SDGs or SDG groups. If the SDG pair is configured,
you can select one of the devices, master or standby, from which you want to import
the object.
Alternatively, if you selected the Group View tab, you can select an SDG from the
groups displayed from which you want to import the object.
• Click Import. The object is added to the database and can be used during
configuration of services or policies.
11. If you selected the option to import from an XML file, do the following:
• Click Browse beside the File Name field to navigate to the path where an XML file
is available to be imported.
• Click Upload. The service template is added to the database and can be used during
configuration of services or policies.
12. Do one of the following to import all components of a selected template or only a
particular component of a template. For the components that are not imported, you
need to specify the definitions of the components afresh.
• Select the check boxes next to all of the service instances that are displayed for the
selected SDG or SDG group, or for the XML file that you uploaded. In such a case,
all of the elements or parameters of the selected template or instance are imported.
• Alternatively, select the check box next to a particular service instance or a group
of service instances to import only a specific component of the selected template.
13. Similarly, you can select other components and import them to the template. Save
the imported components to add them to the template you are creating by using the
imported template as a base.
Creating a Real Server
To create a real server as a component for the TLB template:
1. From the View selector, select Service View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the task pane, select Service Templates.
The Manage Service Templates page is displayed.
4. Click the TLB button.
The list of TLB service templates is displayed.
5. Click the Add icon.
The Create a TLB Planning Template window appears.
6. In the Template Name field, enter a name for the service template or profile (limit of
63 alphanumeric characters without spaces).
7. In the Instance Name field, enter a meaningful, easily-identifiable name for the service
instance (limit of 255 characters). Each service instance you define can be applied to
a single or multiple SDGs.
8. Click the green plus sign in the Real Servers box. The Addition of Real Server dialog
box appears.
NOTE: For the service elements that you can configure using the Object
Builder workspace, such as applications and rules, when you click the
green plus sign (+) at the top-right corner of each of the service element
boxes, the shortcut menu is displayed. Click the Create New radio button
to create the service component afresh. Alternatively, click the Import from
Object Builder radio button to open a dialog box that enables you to select
from the list of service elements that are present in the database of Edge
Services Director and import them into the service template.
If a green tick mark is shown beside a field in the dialog box, it denotes
that you can add attributes for that component. A red cross mark shows
that you can delete that particular attribute for that component.
9. In the Name field, enter the name to identify the real server. Make sure the servers are
connected via a router interface that is defined as a server-facing interface for the
adc-instance. For each real server, you must assign a real-server name and specify
its actual IP address.
10. In the Address Family field, select IPv4 to specify an IPv4 address, or select IPv6 to
enter the IPv6 address of the real server.
11. In the IP Address field, specify the IP address of the real server.
12. Click Save to save the service template configuration. Else, click Close to discard the
changes to the template.
Creating a Group for Real Servers
Define the group and assign real servers to it. The real servers in any given group must
have an IP address accessible to the module that performs the SLB functions. This IP
routing is most easily accomplished by placing the servers on a network local to the
router. Routing to the server can be used as long as it does not violate the topology rules
outlined.
A group is a collection of multiple servers with the same content, so that client requests
can be load-balanced between them.
To create a group of real servers:
1. From the View selector, select Service View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the task pane, select Service Templates.
The Manage Service Templates page is displayed.
4. Click the TLB button.
The list of TLB service templates is displayed.
5. Click the Add icon.
The Create a TLB Planning Template window appears.
6. In the Template Name field, enter a name for the service template or profile (limit of
63 alphanumeric characters without spaces).
7. In the Instance Name field, enter a meaningful, easily-identifiable name for the service
instance (limit of 255 characters). Each service instance you define can be applied to
a single or multiple SDGs.
8. Click the green plus sign in the Server Groups box. The Addition of Group dialog box
appears.
NOTE: For the service elements that you can configure using the Object
Builder workspace, such as applications and rules, when you click the
green plus sign (+) at the top-right corner of each of the service element
boxes, the shortcut menu is displayed. Click the Create New radio button
to create the service component afresh. Alternatively, click the Import from
Object Builder radio button to open a dialog box that enables you to select
from the list of service elements that are present in the database of Edge
Services Director and import them into the service template.
If a green tick mark is shown beside a field in the dialog box, it denotes
that you can add attributes for that component. A red cross mark shows
that you can delete that particular attribute for that component.
9. In the Name field, enter the name for the real servers group.
10. Do the following in the Routing Instance section:
a. Select the Routing Instance Selection check box to configure a routing instance for
TLB to steer traffic.
b. Click the green plus sign next to the Routing Instance field. The Routing Instances
dialog box appears.
c. From the Service Gateway Name field, select the SDG group with which the service
element must be associated.
d. From the Host Name field, select the SDG in the SDG high-availability pair of active
and standby SDGs.
e. In the MS Interfaces section, select the check box next to the routing instance of
the SDG that must be used for packets arriving from clients or users. All the routing
instances from the inventory of devices are listed.
11. Select the Real service rejoin options check box to allow a server to rejoin the group
automatically when it comes up. When a previously down server is returned to service,
all flows belonging to that server based on hashing return to it, impacting performance
for the returned flows. For this reason, the automatic rejoining of a server to an active
group can be disabled.
12. From the Health Check Interface Sub Unit list, select the subunit to be used for health
monitoring. Select the number of the unit to edit. A health-check source address must
be set for each unit on which real servers are configured, in order to allow sending
health checks to the servers. This field is applicable only for Junos OS 14.1 version.
13. From the Real Server IP Type field, select IPv4 or IPv6 to configure IPv4 or IPv6
addresses for real servers.
14. In the Real Servers section, assign the real servers to be part of the group. Select the
real servers from the Available column and click the right arrow to move the server to
the Selected column.
15. In the Network Monitoring Profiles section, select the profile from the Available column
and click the right arrow to move the profile to the Selected column.
16. Click Save to save the service template configuration. Else, click Close to discard the
changes to the template.
Creating a Services PIC for a TLB Service Template
Multiservices (ms-) interfaces are the physical multiservices interfaces of a device that
are used to run the load-balancing instance application. The more multiservices interfaces
used for a load-balancing instance, the more capacity and processing power the instance
has. At least one MS interface must be specified for each adc-instance; up to eight
interfaces can run the same instance. A multiservices interface is associated exclusively
with a single load-balancing instance (it cannot be shared between instances).
To assign a services interface to a TLB template:
1. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
2. From the task pane, select Service Templates.
The Manage Service Templates page is displayed.
3. Click the TLB button.
The list of TLB service templates is displayed.
4. Click the Add icon.
The Create a TLB Planning Template window appears.
5. In the Template Name field, enter a name for the service template or profile (limit of
63 alphanumeric characters without spaces).
6. In the Instance Name field, enter a meaningful, easily-identifiable name for the service
instance (limit of 255 characters). Each service instance you define can be applied to
a single or multiple SDGs.
7. Click the green plus sign in the Service Pics box.
The Service Pic dialog box appears.
NOTE: If a green tick mark is shown beside a field in the dialog box, it
denotes that you can add attributes for that component. A red cross mark
shows that you can delete that particular attribute for that component.
8. From the Service Gateway Name field, select the SDG group with which the service
element must be associated.
9. From the Host Name field, select the SDG in the SDG high-availability pair of active
and standby SDGs.
10. Select the check box next to the ms- interface of an SDG that must be assigned to
the TLB template.
11. Click OK to save the settings. Else, click Cancel to discard the configuration.
Creating a Network Monitor Profile for a TLB Service Template
To configure a network monitor profile to perform health and welfare validation of servers
for a TLB template:
1. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
2. From the task pane, select Service Templates.
The Manage Service Templates page is displayed.
3. Click the TLB button.
The list of TLB service templates is displayed.
4. Click the Add icon.
The Create a TLB Planning Template window appears.
5. In the Template Name field, enter a name for the service template or profile (limit of
63 alphanumeric characters without spaces).
6. In the Instance Name field, enter a meaningful, easily-identifiable name for the service
instance (limit of 255 characters). Each service instance you define can be applied to
a single or multiple SDGs.
7. Click the green plus sign in the Network Monitor Profile box. The Addition of Network
Monitor Profile dialog box appears.
NOTE: If a green tick mark is shown beside a field in the dialog box, it
denotes that you can add attributes for that component. A red cross mark
shows that you can delete that particular attribute for that component.
8. In the Name field, enter the name of the network monitor profile used to monitor the
health of servers in the group.
9. In the Probe Interval field, specify the amount of time, in seconds, between polls of
the real server by the router.
NOTE: The ADC software monitors the servers in the real-server group
and the load-balanced applications running on them. If a router detects
that a server or application has failed, it will not direct any new connection
requests to that server. When a service fails, the ADC software can remove
the individual service from the load-balancing algorithm without affecting
other services provided by that server. By default, the router checks the
status of each service on each real server every five (5) seconds.
Sometimes, the real server can be too busy processing connections to
respond to health checks. If a service does not respond to four consecutive
health checks, the router, by default, declares the service unavailable. You
can modify both the health check interval and the number of retries.
10. In the Failure Retries field, specify the number of times the router will attempt its check
on the real server before marking the server as unavailable.
11. In the Recover Retries field, specify the number of times the router will attempt to
recover the real-server connection.
12. In the TCP Choices drop-down list, select one of the supported health checking
protocols, such as TCP, HTTP, or ICMP.
13. In the TCP Choices section, do one of the following:
a. Select the HTTP radio button to select HTTP for health checks. Specify the name
of the host, HTTP method such as PUT, GET, OPTIONS, or POST, the URL for which
health check needs to be performed, and the port to be used for server health
monitoring.
b. Select the ICMP radio button to select ICMP for health check probes.
c. Select the TCP radio button to select TCP for health check probes. Specify the port
number to be used for monitoring the health and welfare of the server or URL using
the SSL-based health probes in the Port field. You can specify this value only if
you create the TLB service template based on the Junos OS 14.1 version.
d. Select the SSLHELLO radio button to set Secure Sockets Layer (SSL) hello
health-check parameters. SSL version 2 (SSLv2) is used for the SSL health check.
Specify the port number to be used for monitoring the health and welfare of the
server or URL using the SSL-based health probes in the Port field. You can specify
the SSL-hello health check setting only if you create the TLB service template
based on the Junos OS 14.1 version.
e. Select the CUSTOM radio button to create a custom-based health check. From
the Protocol field, specify tcp or udp as the protocol for the script to use in a custom
health check. A script is made up of one or more TCP or UDP command containers.
A script can contain any number of these containers, up to the allowable number
of characters that a script supports.
In the Command ID field, specify the command ID for the commands to be used.
Multiple command lines are usually required in order to specify a full script.
In the Port field, specify the port number to be used for custom-based health check
mechanism.
Health check scripts dynamically verify application and content availability by
executing a sequence of tests based on send and expect commands. See the
Creating a Command for Script-Based Health Checks section for detailed information.
14. Click Save to save the settings. Else, click Cancel to discard the configuration.
Creating a Command for Script-Based Health Checks
You can create commands for building a script-based health check. You can configure
this service element only if you create a TLB service template using the Junos OS 14.1
version.
To create a custom network monitoring profile command for script-based health checks:
1. In the Create Networking Profile dialog box, select the check box next to the SEND or
EXPECT row under the Command column of the table.
2. Click the pencil icon to specify the command attributes. The Create Custom Networking
Profile Command dialog box appears.
3. If you selected the SEND type, it is displayed in the Command Type field.
4. In the Send Type list, perform either of the following:
• Select BINARY to specify binary content (in hexadecimal format) for the request
packet.
• Select ASCII to specify ASCII content (in hexadecimal format) for the request packet.
5. In the Value field, specify the content to be sent in raw hexadecimal format or the
binary content to send using raw hexadecimal format for the request packet.
6. If you selected the EXPECT type, it is displayed in the Command Type field.
7. In the Send Type list, perform either of the following:
• Select BINARY to specify binary content (in hexadecimal format) to be expected
from the server response packet.
• Select ASCII to specify ASCII content (in hexadecimal format) to be expected from
the server response packet.
8. In the Value field, specify the content to be returned in the server response packet in
raw hexadecimal format or the binary content to receive using raw hexadecimal format
for the response packet.
9. For binary content only, in the Offset field, specify the offset from the beginning of
the binary data area to start matching the content specified in the binary-expect
command. The offset command is supported for both UDP and TCP-based health
checks. If this value is not present, an offset of zero is assumed.
10. For binary content only, in the Length field, specify the number of bytes in the IP packet
that should be examined. If no offset value is specified, depth is specified from the
beginning of the packet. When depth is not specified, it is the length of the content.
This means that the content is expected exactly at the offset specified (or 0 when
the offset is not specified).
11. Click Save to save the custom network monitor profile configuration. Else, click Close
to discard the changes to the custom health check profile.
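The EXPECT matching rules (Value, Offset, Length) and the Failure Retries and Recover Retries thresholds described above, modelled in Python as an added example; it is not Juniper code and the sample responses are constructed. Two points are assumptions: the expected content may start anywhere inside the offset/length window, and Recover Retries counts consecutive successful probes.

```python
"""Send/expect health-check model with failure and recovery thresholds.

Added illustration, not Juniper code. Sample responses are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Expect:
    """One EXPECT command: Value (hex), Offset and Length (depth) fields."""
    value_hex: str
    offset: int = 0                 # guide: zero is assumed when not present
    length: Optional[int] = None    # guide: defaults to the content length

    def __post_init__(self) -> None:
        content = bytes.fromhex(self.value_hex)   # ValueError on bad hex
        if not content:
            # An empty pattern is found in every response, so the check
            # could never fail; reject it instead of passing silently.
            raise ValueError("expect value must not be empty")
        if self.offset < 0:
            raise ValueError("offset must not be negative")
        if self.length is not None and self.length < len(content):
            raise ValueError("length is shorter than the expected content")

    def matches(self, response: bytes) -> bool:
        content = bytes.fromhex(self.value_hex)
        depth = len(content) if self.length is None else self.length
        window = response[self.offset:self.offset + depth]
        # Assumption: the content may start anywhere inside the window.
        # With no Length the window is exactly the content size, so the
        # content must sit exactly at the offset, as the guide states.
        return content in window


@dataclass
class ServiceHealth:
    """Tracks one service on one real server across probe intervals."""
    failure_retries: int = 4        # guide default: four missed checks
    recover_retries: int = 2        # constructed value, no default on the page
    up: bool = True
    fails: int = field(default=0, init=False)
    oks: int = field(default=0, init=False)

    def record(self, probe_ok: bool) -> bool:
        if probe_ok:
            self.fails, self.oks = 0, self.oks + 1
            # Assumption: recovery needs consecutive successful probes.
            if not self.up and self.oks >= self.recover_retries:
                self.up = True
        else:
            self.oks, self.fails = 0, self.fails + 1
            if self.up and self.fails >= self.failure_retries:
                self.up = False     # no new connections to this service
        return self.up


def run_probes(expect: Expect, responses: List[Optional[bytes]],
               health: ServiceHealth) -> List[bool]:
    """One response per probe interval; None models a probe with no reply."""
    return [health.record(r is not None and expect.matches(r))
            for r in responses]


def demo() -> List[bool]:
    # Constructed reply format: 2-byte header, then an ASCII status word.
    good = bytes.fromhex("0001") + b"OK\r\n"
    error = bytes.fromhex("0001") + b"ERR\r\n"
    expect_ok = Expect("4f4b", offset=2)          # "OK" exactly at offset 2
    responses = [good, None, error, None, good,   # three misses, then reset
                 None, error, None, error,        # four misses: marked down
                 good, good]                      # two successes: back up
    return run_probes(expect_ok, responses, ServiceHealth())


if __name__ == "__main__":
    print(demo())
```

A single good reply between misses resets the failure count, so a server that answers only every fourth probe is never marked down with the default of four retries.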
Creating a Server Bypass Filter
You can configure this service element only if you create a TLB service template using
the Junos OS 14.1 version.
To configure a virtual service for a TLB template:
1. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
2. From the task pane, select Service Templates.
The Manage Service Templates page is displayed.
3. Click the TLB button.
The list of TLB service templates is displayed.
4. Click the Add icon.
The Create a TLB Planning Template window appears.
5. In the Template Name field, enter a name for the service template or profile (limit of
63 alphanumeric characters without spaces).
6. In the Instance Name field, enter a meaningful, easily-identifiable name for the service
instance (limit of 255 characters). Each service instance you define can be applied to
a single or multiple SDGs.
7. Click the green plus sign in the Server Bypass Filters box. The Create Server Bypass
Filter dialog box appears.
NOTE: If a green tick mark is shown beside a field in the dialog box, it
denotes that you can add attributes for that component. A red cross mark
shows that you can delete that particular attribute for that component.
8. From the Service Gateway Name field, select the SDG group with which the service
element must be associated.
9. From the Host Name field, select the SDG in the SDG high-availability pair of active
and standby SDGs.
10. From the table, select the check boxes beside the filters to specify the filters used to
bypass health-check traffic from real servers.
11. Click Save to save the settings. Else, click Cancel to discard the configuration.
Creating a Virtual Service for a TLB Service Template
The virtual service provides an address that is associated with the group of servers to
which traffic is directed as determined by hash-based session distribution and server
health monitoring. You may optionally specify filters and routing instances to steer traffic
for TLB.
The virtual service configuration identifies:
• The group of servers to which sessions are distributed
• The session distribution hashing method
TLB doesn't require a specific virtual IP. VIPs 0.0.0.0 or 0::0 are acceptable.
To configure a virtual service for a TLB template:
1. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
2. From the task pane, select Service Templates.
The Manage Service Templates page is displayed.
3. Click the TLB button.
The list of TLB service templates is displayed.
4. Click the Add icon.
The Create a TLB Planning Template window appears.
5. In the Template Name field, enter a name for the service template or profile (limit of
63 alphanumeric characters without spaces).
6. In the Instance Name field, enter a meaningful, easily-identifiable name for the service
instance (limit of 255 characters). Each service instance you define can be applied to
a single or multiple SDGs.
7. Click the green plus sign in the Virtual Service box. The Addition of Virtual Service
dialog box appears.
NOTE: If a green tick mark is shown beside a field in the dialog box, it
denotes that you can add attributes for that component. A red cross mark
shows that you can delete that particular attribute for that component.
8. In the Name field, specify the name of the virtual service.
9. In the Address field, specify a non-zero address for the virtual service.
10. From the Mode field, select one of the following:
• translated—In complex network topologies, the TLB software functions can be
managed using a client Network Address Translation (NAT) IP address on the
server-facing interfaces traffic. When the client requests services from the TLB
software virtual server, the client sends its own IP address for use as a return address.
If a NAT IP address is configured for the Multiservices-DPC NPU, the TLB software
replaces the client's source IP address with the TLB software NAT IP address before
sending the request to the real server. This process is called client NAT. The real
server uses the NAT IP address as the destination address for any response.
Load-balancing traffic is forced to return through the TLB software and through
the same Multiservices-DPC NPU, regardless of alternate paths. Once the TLB
software receives the translated IP address, it puts the original client IP address
into the destination address and sends the packet to the client. This process is
transparent to the client.
• direct-server-return—Direct Server Return health checks are used to verify the
existence of a server-provided service where the server replies directly back to the
client without responding through the virtual-server IP address. In this configuration,
the server is configured with a real-server IP address and virtual-server IP address.
The virtual-server IP address is configured to be the same address as your
virtual-server IP address. When Direct Server Return health checks are used, the
specified health check is sent originating from the configured health check address.
It is destined for the virtual-server IP address with the MAC address that was acquired
from the real-server IP Address Resolution Protocol (ARP) entry. Direct Server
Return is configured at the group level. If a group is configured with
“direct-server-return”, the health check performed is sent to the virtual IP and not
to the actual server IPs. The TLB software lets you perform health checks for
Direct Server Return configurations (for more information, see Direct Server Return).
The router is able to verify that the server correctly responds to requests made to
the virtual-server IP address, as required in Direct Server Return configurations. To
perform this function, the real-server IP address is replaced with the virtual-server
IP address in the health check packets that are forwarded to the real servers for
health checking. With this feature enabled, the health check will fail if the real server
is not properly configured with the virtual-server IP address.
• layer2-direct-server-return—Use transparent mode processing with Layer 2 direct
server return (DSR). Some clients may need the Direct Server Return (DSR) feature,
which allows the server to respond directly to the client. This capability is useful for
sites where large amounts of data flow from servers to clients, such as with content
providers or portal sites that typically have asymmetric traffic patterns. DSR and
content-intelligent Layer 7 routing cannot be performed at the same time because
content-intelligent routing requires that all frames return to the router for connection
splicing. DSR requires that the server be set up to receive frames that have a
destination IP address that is equal to the virtual-server IP address.
11. From the Group list, select the name of a real server group configured to be used for
this virtual service.
12. Select the Routing Instance Selection check box to specify a routing instance to be
used for this application type of virtual service.
13. Do the following in the Routing Instance section:
a. Click the green plus sign next to the Routing Instance field. The Routing Instances
dialog box appears.
b. From the Service Gateway Name field, select the SDG group with which the service
element must be associated.
c. From the Host Name field, select the SDG in the SDG high-availability pair of active
and standby SDGs.
d. In the MS Interfaces section, select the check box next to the routing instance of
the SDG that must be used for packets arriving from clients or users. All the routing
instances from the inventory of devices are listed.
14. In the Rebalance threshold field, specify the limit for rebalancing of traffic. This field
is applicable only for Junos OS 12.1 version.
15. In the Route metric field, specify a routing metric for the virtual service. This field is
applicable only for Junos OS 12.1 version.
16. In the Server Protocol section, do the following. This section and the associated fields
are applicable only for Junos OS 14.1 version.
• In the Name field, specify a service name to denote the translated mode details for
the specified service. Packets destined to this virtual ip-address + virtual-port +
protocol are load balanced to the appropriate server. The destination IP address
and port are replaced by the real services IP address and the server-listening-port
(configured here).
• In the Virtual Port field, specify the virtual port number for the virtual service.
• In the Server Listening Port field, specify the port number the server uses to listen
or receive connection requests. The range is from 0 through 65,534. You can change
the destination port of traffic to a specific port by using this field setting.
• From the Protocol list, select TCP or UDP to specify the protocol type of virtual
service.
17. From the Server Interfaces section, select the interfaces from the Available column
and click the right arrow to move them to the Selected column.
18. From the Load balance method list, select the hash method used for enhanced ECMP
load balancing from the Available column and click the right arrow to move the hash
method to the Selected column. You can specify source-ip, destination-ip, or protocol:
• destination-ip—Hash based on destination IP address.
• protocol—Hash based on protocol.
• source-ip—Hash based on source IP address.
19. Click Save to save the settings. Else, click Cancel to discard the configuration.
Creating a Client-Facing Interface and Routing Instance
You can configure this service element only if you create a TLB service template using
the Junos OS 14.1 version.
Clients and servers can be connected through the same router port. Each port in use on
the router can be configured to process client requests, server traffic, or both:
Client-facing interfaces—Router ports through which client requests to the virtual server
are received.
Server-facing interfaces—Router ports to which servers are connected (directly or through
routing). Responses to clients are received on the router through these ports.
To assign a client-facing instance and interface to an ADC template:
1. From the View selector, select Service View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the task pane, select Service Templates.
The Manage Service Templates page is displayed.
4. Click the TLB button.
The list of ADC service templates is displayed.
5. Click the Add icon.
The Create an ADC Planning Template window appears.
6. In the Template Name field, enter a name for the service template or profile (limit of
63 alphanumeric characters without spaces).
7. In the Instance Name field, enter a meaningful, easily-identifiable name for the service
instance (limit of 255 characters). Each service instance you define can be applied to
a single or multiple SDGs.
8. Click the green plus sign in the Client-Facing box. The Client facing dialog box appears.
NOTE: If a green tick mark is shown beside a field in the dialog box, it
denotes that you can add attributes for that component. A red cross mark
shows that you can delete that particular attribute for that component.
9. From the Service Gateway Name field, select the SDG group with which the service
element must be associated.
10. From the Host Name field, select the SDG in the SDG high-availability pair of active
and standby SDGs.
11. In the Routing Instances section, select the check box next to the routing instance of
the SDG that must be used for packets arriving from clients or users. All the routing
instances from the inventory of devices are listed.
12. In the Interfaces section, select the check box next to the interface instance of the
SDG that must be used for packets arriving from clients or users. All of the interfaces
from the inventory of devices are listed.
13. Click OK to save the settings. Otherwise, click Cancel to discard the configuration.
Creating a Server-Facing Interface and Routing Instance
You can configure this service element only if you create a TLB service template using
the Junos OS 14.1 version.
Clients and servers can be connected through the same router port. Each port in use on
the router can be configured to process client requests, server traffic, or both:
Client-facing interfaces—Router ports through which client requests to the virtual server
are received.
Server-facing interfaces—Router ports to which servers are connected (directly or through
routing). Responses to clients are received on the router through these ports.
To assign a server-facing instance and interface to an ADC template:
1. From the View selector, select Service View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the task pane, select Service Templates.
The Manage Service Templates page is displayed.
4. Click the TLB button.
The list of TLB service templates is displayed.
5. Click the Add icon.
The Create an ADC Planning Template window appears.
6. In the Template Name field, enter a name for the service template or profile (limit of
63 alphanumeric characters without spaces).
7. In the Instance Name field, enter a meaningful, easily-identifiable name for the service
instance (limit of 255 characters). Each service instance you define can be applied to
a single or multiple SDGs.
8. Click the green plus sign in the Server-Facing box. The Server facing dialog box appears.
NOTE: If a green tick mark is shown beside a field in the dialog box, it
denotes that you can add attributes for that component. A red cross mark
shows that you can delete that particular attribute for that component.
9. From the Service Gateway Name field, select the SDG group with which the service
element must be associated.
10. From the Host Name field, select the SDG in the SDG high-availability pair of active
and standby SDGs.
11. In the Device Inventory Routing Instances section, select the check box next to the
routing instance of the SDG that must be used for packets traversing to the servers.
All the routing instances from the inventory of devices are listed.
12. In the Device Inventory Interfaces section, select the check box next to the interface
instance of the SDG that must be used for packets to be sent to the servers. All of the
interfaces from the inventory of devices are listed.
13. Click OK to save the settings. Otherwise, click Cancel to discard the configuration.
Related Documentation
• Service Templates Overview
• Filtering Service Templates
• Viewing Service Templates
• Using the Actions Menu on the Service Template and Service Edit Pages
Modifying Individual Service Instances and Deploying to Devices
You can modify individual service instances, such as ADC, TLB, CGNAT, or SFW services,
and create a deployment plan for such services using the Service Edit option in the task pane
in Gateway View of Deploy mode.
• Modifying Service Instances
• Creating a Deployment Plan
Modifying Service Instances
On the Service Designer page, you can view the collection of service templates defined
for several applications, such as stateful firewall or CGNAT.
To modify service template instances, such as ADC, SFW, CGNAT, or TLB templates:
1. From the View selector, select Gateway View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Deploy icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the task pane, select Deploy Service > Service Edit.
The Service Instances page is displayed in the right pane, listing all the previously
defined service templates.
4. From the View pane, perform one of the following tasks:
• Click the ADC button.
The list of ADC service templates is displayed. You need not click this button if you
are launching the Service Designer page for the first time or are navigating to this
page from another mode or a different page. You need to click this button only if
you are viewing the other service templates, such as CGNAT or TLB.
• Click the SFW button.
The list of SFW templates is displayed.
• Click the TLB button.
The list of TLB templates is displayed.
• Click the CGNAT button.
The list of CGNAT templates is displayed.
5. In the main window, click the plus sign (+) next to the SDG pairs to expand the tree
and view the pair of devices in the SDG group or pair. Select the check box next to the
SDG pair or individual SDG for which you want to modify settings. In an SDG pair, you
can select a single SDG or both the SDGs in the redundancy pair of devices.
NOTE: Alternatively, you can also modify service templates from Service
View in Build Mode by selecting the Service Templates > Manage Service
Templates from the task pane, selecting a service instance, and clicking
the Modify button.
6. Click the Lock icon above the table of listed packet filters. The Select Reference Config
dialog box is displayed.
Figure 28: Select Reference Config Dialog Box
7. Open the Modify menu above the list of templates to modify an existing template,
and select the component or service attribute, such as application or rule, that you
want to edit.
8. Modify the service attributes, as needed, and save the changes.
Creating a Deployment Plan
You must have previously defined service templates and policy or filter templates before
you can create a deployment plan.
To create a deployment plan and assign devices to it:
1. From the View selector, select Gateway View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Deploy icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the task pane, select Service Edit.
The Manage Service Templates page is displayed.
4. From the View pane, perform one of the following tasks:
• Click the ADC button.
The list of ADC service templates is displayed. You need not click this button if you
are launching the Service Designer page for the first time or are navigating to this
page from another mode or a different page. You need to click this button only if
you are viewing the other service templates, such as CGNAT or TLB.
• Click the SFW button.
The list of SFW templates is displayed.
• Click the TLB button.
The list of TLB templates is displayed.
• Click the CGNAT button.
The list of CGNAT templates is displayed.
5. In the main window, click the plus sign (+) next to the SDG pairs to expand the tree
and view the pair of devices in the SDG group or pair. Select the check box next to the
SDG pair or individual SDG for which you want to modify settings. In an SDG pair, you
can select a single SDG or both the SDGs in the redundancy pair of devices.
6. Click the down arrow in the Actions menu and select Send for Deployment to create
a deployment plan for the particular service template and save the plan.
The Deployment Plan Summary dialog box appears, with the service name, type, and
status listed.
Click Send to create a deployment plan.
A deploy plan is created for the service template with the devices that are assigned
to it when you view the Deployment Plans page.
7. Alternatively, you can select Discard changes from the Actions menu to ignore the
modifications done to a policy or filter template.
8. From the Deployment plans page, you can select Reject or Approve from the Actions
drop-down list to reject or approve the deployment plan and make it available for
commissioning to the devices.
Related Documentation
• Service Templates Overview
• Filtering Service Templates
• Viewing Service Templates
• Using the Actions Menu on the Service Template and Service Edit Pages
CHAPTER 14
Using the Object Builder
• Understanding the Object Builder
• Importing All Types of Objects
• Importing SFW Rule Sets
• Importing SFW Rules
• Importing Real Server Settings
• Importing CGNAT Rule Sets
• Importing CGNAT Rules
• Importing CGNAT Pools
• Importing Applications
• Importing Application Sets
Understanding the Object Builder
The objects are the constituents or building blocks that are used to create service
definitions and policy or filter templates. You can use the Object Builder page to retrieve
and transfer the objects or components that have been previously created on the SDGs
or devices. The objects might reside on the managed SDGs or SDG groups if they were
defined using the appropriate configuration statements and parameters in the Junos CLI
interface of the respective SDGs. Such a mechanism of importing object settings enables
you to easily, quickly, and optimally use the object definitions when you create service
and policy templates.
The objects that you can import from SDGs to the database of Edge Services Director
comprise the following:
• Real servers
• CGNAT rules and rule sets
• CGNAT pools
• Applications and application sets
• SFW rules and rule sets
For example, if you have created NAT pools on an SDG device and import those objects
into the Junos Space database, you can seamlessly import the pool settings during the
creation of a CGNAT service or a CGNAT policy and filter template. Also, you can use the
same object settings across multiple services and policies. For example, if you have
imported an application into Edge Services Director, you can use the application for
different services such as ADC or TLB.
You can import objects into the network management application database using two
methods. One method is to import the configuration attributes and settings directly from
the devices, and the other method is to import XML files that contain the configurations.
The Junos XML API is an XML representation of Junos configuration statements and
operational mode commands. Junos XML configuration tag elements are the content to
which the Junos XML protocol operations apply. Junos XML operational tag elements
are equivalent in function to operational mode commands in the CLI, which administrators
use to retrieve status information for a device. With both these techniques, you can quickly
obtain the objects from devices and propagate them to Edge Services Director.
Related Documentation
• Importing All Types of Objects
Importing All Types of Objects
Although you can import objects individually based on the services or applications you
are using in your deployment, you can also retrieve and add all of the object types that
are supported for different services in a single, one-step operation. You can select an
SDG from which you want to import all of the objects contained in it. The supported or
applicable objects of CGNAT pools, CGNAT rules, CGNAT rule sets, SFW rules, SFW rule
sets, applications, application sets, and real servers can be imported in a bulk manner
from a device. Similarly, you can also select an XML file that contains a collection of such
objects and import all object definitions to the Edge Services Director database.
To import all types of objects in a single operation:
1. From the View selector, select Service View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. Select Object Builder from the task pane.
The Object Builder page is displayed.
Figure 29: Object Builder Page
The Object Builder window displays the individual elements or components with a
graphical icon for each of the object elements and the corresponding names in separate
boxes. Beneath each of the icons that signify the object types, the number of objects
of each type already imported is also displayed.
4. Click the Import button.
The Add to Object Builder dialog box is displayed.
5. Do one of the following for the Import section:
• Select the From Existing Service Gateway radio button if you want to import the real
server from SDGs that are present in the Edge Services Director database.
• Select the From XML radio button if you want to import the real server from an XML
configuration file on an external system.
6. If you selected the option to import the object from SDGs, do the following:
• Click the Normal View tab to view the list of SDGs. You can search for specific SDGs
by entering a search item and clicking the Search icon.
Alternatively, click the Group View tab to view the list of SDG groups. You can search
for specific SDG groups by entering a search item and clicking the Search icon.
• Click the plus sign (+) next to the All Service Gateways item to expand the tree
structure that displays the list of SDGs or SDG groups. If the SDG pair is configured,
you can select one of the devices, master or standby, from which you want to import
the object.
Alternatively, if you selected the Group View tab, you can select an SDG from the
groups displayed from which you want to import the object.
• Click Import. The object is added to the database and can be used during
configuration of services or policies.
7. If you selected the option to import from an XML file, do the following:
• Click Browse beside the File Name field to navigate to the path where an XML file
is available to be imported.
• Click Import. The object is added to the database and can be used during
configuration of services or policies.
8. Click the Clear button at the bottom of the Object Builder page to delete all the object
definitions imported from SDGs to the database of Edge Services Director. You are
prompted to confirm the deletion. Click OK to confirm.
9. Click the links beneath the graphical icon of each of the configured object elements
to navigate directly to the Import page of that corresponding object.
Related Documentation
• Understanding the Object Builder
Importing SFW Rule Sets
The rule-set statement defines a collection of SFW rules that determine what actions
the router software performs on packets in the data stream. You define each rule by
specifying a rule name and configuring terms. Then, you specify the order of the rules by
including the rule-set statement at the [edit services stateful-firewall] hierarchy level with
a rule statement for each rule:
The router software processes the rules in the order in which you specify them in the
configuration. If a term in a rule matches the packet, the router performs the corresponding
action and the rule processing stops. If no term in a rule matches the packet, processing
continues to the next rule in the rule set. If none of the rules matches the packet, the
packet is dropped by default.
To import an SFW rule set:
1. From the View selector, select Service View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. Select Object Builder from the task pane.
The Object Builder page is displayed.
4. Click the plus sign (+) next to Object Builder in the task pane to expand the tree and
display the list of objects.
5. From the task pane, select SFW Rule Sets to open the SFW Rule Sets page on the
right pane. The list of previously imported objects is displayed.
To filter and sort the display of objects, enter the name of the object as a match
criterion in the Search box and click the Search icon. The page refreshes to display
only the object names that match with the search term. You can use the paging
controls to navigate across multiple pages of objects as necessary.
6. Click the Import icon.
The Add to Object Builder dialog box is displayed.
Figure 30: Add to Object Builder Dialog Box
7. Do one of the following for the Import section:
• Select the From Existing Service Gateway radio button if you want to import the
SFW rule set from SDGs that are present in the Edge Services Director database.
• Select the From XML radio button if you want to import the SFW rule set from an
XML configuration file on an external system.
8. If you selected the option to import the object from SDGs, do the following:
• Click the Normal View tab to view the list of SDGs. You can search for specific SDGs
by entering a search item and clicking the Search icon.
Alternatively, click the Group View tab to view the list of SDG groups. You can search
for specific SDG groups by entering a search item and clicking the Search icon.
• Click the plus sign (+) next to the All Service Gateways item to expand the tree
structure that displays the list of SDGs or SDG groups. If the SDG pair is configured,
you can select one of the devices, master or standby, from which you want to import
the object.
Alternatively, if you selected the Group View tab, you can select an SDG from the
groups displayed from which you want to import the object.
• Click Import. The object is added to the database and can be used during
configuration of services or policies.
9. If you selected the option to import from an XML file, do the following:
• Click Browse beside the File Name field to navigate to the path where an XML file
is available to be imported.
• Click Import. The object is added to the database and can be used during
configuration of services or policies.
Related Documentation
• Understanding the Object Builder
• Importing All Types of Objects
Importing SFW Rules
Each stateful firewall rule consists of a set of terms, similar to a filter configured at the
[edit firewall] hierarchy level. A term consists of the following:
• from statement—Specifies the match conditions and applications that are included
and excluded. The from statement is optional in stateful firewall rules.
• then statement—Specifies the actions and action modifiers to be performed by the
router software. The then statement is mandatory in stateful firewall rules.
To import an SFW rule:
1. From the View selector, select Service View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. Select Object Builder from the task pane.
The Object Builder page is displayed.
4. Click the plus sign (+) next to Object Builder in the task pane to expand the tree and
display the list of objects.
5. From the task pane, select SFW Rules to open the SFW Rules page on the right pane.
The list of previously imported objects is displayed.
To filter and sort the display of objects, enter the name of the object as a match
criterion in the Search box and click the Search icon. The page refreshes to display
only the object names that match with the search term. You can use the paging
controls to navigate across multiple pages of objects as necessary.
6. Click the Import icon.
The Add to Object Builder dialog box is displayed.
7. Do one of the following for the Import section:
• Select the From Existing Service Gateway radio button if you want to import the
SFW rule from SDGs that are present in the Edge Services Director database.
• Select the From XML radio button if you want to import the SFW rule from an XML
configuration file on an external system.
8. If you selected the option to import the object from SDGs, do the following:
• Click the Normal View tab to view the list of SDGs. You can search for specific SDGs
by entering a search item and clicking the Search icon.
Alternatively, click the Group View tab to view the list of SDG groups. You can search
for specific SDG groups by entering a search item and clicking the Search icon.
• Click the plus sign (+) next to the All Service Gateways item to expand the tree
structure that displays the list of SDGs or SDG groups. If the SDG pair is configured,
you can select one of the devices, master or standby, from which you want to import
the object.
Alternatively, if you selected the Group View tab, you can select an SDG from the
groups displayed from which you want to import the object.
• Click Import. The object is added to the database and can be used during
configuration of services or policies.
9. If you selected the option to import from an XML file, do the following:
• Click Browse beside the File Name field to navigate to the path where an XML file
is available to be imported.
• Click Import. The object is added to the database and can be used during
configuration of services or policies.
Related Documentation
• Understanding the Object Builder
• Importing All Types of Objects
Importing Real Server Settings
Real servers are application servers used for traffic or server load balancing. The ADC
software monitors the servers in the real-server group and the load-balanced applications
running on them. If a router detects that a server or application has failed, it will not direct
any new connection requests to that server. An adc-instance includes a complete set of
ADC definitions: real-servers, groups of servers, virtual servers using virtual IP addresses,
and virtual services accessed by clients.
Real servers are bound to real server groups. The criteria that you specify for real servers,
such as weight and maximum and minimum connection thresholds, apply to the server
load balancing algorithms that you specify for the real server groups. Server load balancing
(SLB) uses the algorithms as it determines which real servers are to be assigned client
requests. You also specify a ramp-up time, which is the period of time that it takes to
reach the maximum connection threshold for the real server.
To import a real server:
1. From the View selector, select Service View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. Select Object Builder from the task pane.
The Object Builder page is displayed.
4. Click the plus sign (+) next to Object Builder in the task pane to expand the tree and
display the list of objects.
5. From the task pane, select Real Servers to open the Real Servers page on the right
pane. The list of previously imported objects is displayed.
To filter and sort the display of objects, enter the name of the object as a match
criterion in the Search box and click the Search icon. The page refreshes to display
only the object names that match with the search term. You can use the paging
controls to navigate across multiple pages of objects as necessary.
6. Click the Import icon.
The Add to Object Builder dialog box is displayed.
7. Do one of the following for the Import section:
• Select the From Existing Service Gateway radio button if you want to import the real
server from SDGs that are present in the Edge Services Director database.
• Select the From XML radio button if you want to import the real server from an XML
configuration file on an external system.
8. If you selected the option to import the object from SDGs, do the following:
• Click the Normal View tab to view the list of SDGs. You can search for specific SDGs
by entering a search item and clicking the Search icon.
Alternatively, click the Group View tab to view the list of SDG groups. You can search
for specific SDG groups by entering a search item and clicking the Search icon.
• Click the plus sign (+) next to the All Service Gateways item to expand the tree
structure that displays the list of SDGs or SDG groups. If the SDG pair is configured,
you can select one of the devices, master or standby, from which you want to import
the object.
Alternatively, if you selected the Group View tab, you can select an SDG from the
groups displayed from which you want to import the object.
• Click Import. The object is added to the database and can be used during
configuration of services or policies.
9. If you selected the option to import from an XML file, do the following:
• Click Browse beside the File Name field to navigate to the path where an XML file
is available to be imported.
• Click Import. The object is added to the database and can be used during
configuration of services or policies.
Related Documentation
• Understanding the Object Builder
• Importing All Types of Objects
Importing CGNAT Rule Sets
The rule-set statement defines a collection of NAT rules that determine what actions
the router software performs on packets in the data stream. You define each rule by
specifying a rule name and configuring terms. Then, you specify the order of the rules by
including the rule-set statement at the [edit services nat] hierarchy level with a rule
statement for each rule:
The router software processes the rules in the order in which you specify them in the
configuration. If a term in a rule matches the packet, the router performs the corresponding
action and the rule processing stops. If no term in a rule matches the packet, processing
continues to the next rule in the rule set. If none of the rules matches the packet, no NAT
action is performed on the packet. If a packet is destined to a NAT pool address, it is
dropped.
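The evaluation order described here for CGNAT rule sets, and earlier for SFW rule sets and SFW rule terms, can be modelled directly. The following Python model is an added example, not Juniper code: the class names, action labels, and addresses are constructed, and applying the pool-address drop to packets that matched no rule is an assumption about how the last two sentences combine.

```python
"""Model of ordered rule-set evaluation (constructed example, not Junos code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Term:
    name: str
    then: str                       # mandatory: action label (illustrative strings)
    from_: Optional[dict] = None    # optional: None means the term matches every packet

    def matches(self, pkt: Packet) -> bool:
        cond = self.from_ or {}
        if "source" in cond and ip_address(pkt.src) not in ip_network(cond["source"]):
            return False
        if "destination" in cond and ip_address(pkt.dst) not in ip_network(cond["destination"]):
            return False
        if "dport" in cond and pkt.dport != cond["dport"]:
            return False
        return True


@dataclass(frozen=True)
class Rule:
    name: str
    terms: tuple


def first_match(rule_set, pkt):
    """Walk rules in configured order; the first matching term stops processing."""
    for rule in rule_set:
        for term in rule.terms:
            if term.matches(pkt):
                return rule.name, term.name, term.then
    return None


def sfw_verdict(rule_set, pkt):
    """SFW rule set: a packet that matches no rule is dropped by default."""
    hit = first_match(rule_set, pkt)
    return hit[2] if hit else "discard"


def nat_verdict(rule_set, pkt, pools):
    """CGNAT rule set: no match means no NAT action, except that a packet
    addressed to a NAT pool address is dropped (assumed to apply to unmatched packets)."""
    hit = first_match(rule_set, pkt)
    if hit:
        return hit[2]
    if any(ip_address(pkt.dst) in ip_network(pool) for pool in pools):
        return "discard"
    return "no-nat"


# Constructed sample rules using documentation address ranges.
ALLOW_WEB = Rule("allow-web", (Term("t1", "accept",
                 {"destination": "198.51.100.0/24", "dport": 443}),))
BLOCK_HOST = Rule("block-host", (Term("t1", "discard",
                  {"source": "192.0.2.66/32"}),))
SFW_AS_CONFIGURED = (ALLOW_WEB, BLOCK_HOST)   # broad accept listed first
SFW_REORDERED = (BLOCK_HOST, ALLOW_WEB)       # specific discard listed first

NAT_RULES = (Rule("nat-subscribers", (Term("t1", "translate",
             {"source": "100.64.0.0/10"}),)),)
NAT_POOLS = ("203.0.113.0/28",)

BLOCKED_HOST_PKT = Packet("192.0.2.66", "198.51.100.10", 443)

if __name__ == "__main__":
    # Same packet, same rules, different order: the verdict changes.
    print("as configured:", sfw_verdict(SFW_AS_CONFIGURED, BLOCKED_HOST_PKT))
    print("reordered:    ", sfw_verdict(SFW_REORDERED, BLOCKED_HOST_PKT))
    print("unmatched SFW:", sfw_verdict(SFW_AS_CONFIGURED, Packet("192.0.2.10", "203.0.113.5", 22)))
    print("to NAT pool:  ", nat_verdict(NAT_RULES, Packet("198.51.100.77", "203.0.113.3", 80), NAT_POOLS))
```

Because processing stops at the first matching term, the order of rules in an imported rule set is part of its security behaviour: in the sample data the discard rule for one host never takes effect while the broader accept rule precedes it.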
To import a CGNAT rule set:
1. From the View selector, select Service View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. Select Object Builder from the task pane. The Object Builder page is displayed.
4. Click the plus sign (+) next to Object Builder in the task pane to expand the tree and
display the list of objects.
5. From the task pane, select CGNAT Rule Sets to open the CGNAT Rule Sets page on
the right pane. The list of previously imported objects is displayed.
To filter and sort the display of objects, enter the name of the object as a match
criterion in the Search box and click the Search icon. The page refreshes to display
only the object names that match with the search term. You can use the paging
controls to navigate across multiple pages of objects as necessary.
6. Click the Import icon.
The Add to Object Builder dialog box is displayed.
7. Do one of the following for the Import section:
• Select the From Existing Service Gateway radio button if you want to import the
CGNAT rule set from SDGs that are present in the Edge Services Director database.
• Select the From XML radio button if you want to import the CGNAT rule set from
an XML configuration file on an external system.
8. If you selected the option to import the object from SDGs, do the following:
• Click the Normal View tab to view the list of SDGs. You can search for specific SDGs
by entering a search item and clicking the Search icon.
Alternatively, click the Group View tab to view the list of SDG groups. You can search
for specific SDG groups by entering a search item and clicking the Search icon.
• Click the plus sign (+) next to the All Service Gateways item to expand the tree
structure that displays the list of SDGs or SDG groups. If the SDG pair is configured,
you can select one of the devices, master or standby, from which you want to import
the object.
Alternatively, if you selected the Group View tab, you can select an SDG from the
groups displayed from which you want to import the object.
• Click Import. The object is added to the database and can be used during
configuration of services or policies.
9. If you selected the option to import from an XML file, do the following:
• Click Browse beside the File Name field to navigate to the path where an XML file
is available to be imported.
• Click Import. The object is added to the database and can be used during
configuration of services or policies.
Related Documentation
• Understanding the Object Builder
• Importing All Types of Objects
Importing CGNAT Rules
NAT processing centers on the evaluation of NAT rule sets and rules. A rule set determines
the overall direction of the traffic to be processed. For example, a rule set can select
traffic from a particular interface or to a specific zone. A rule set can contain multiple
rules. Once a rule set is found that matches specific traffic, each rule in the rule set is
evaluated for a match. Each rule in the rule set further specifies the traffic to be matched
and the action to be taken when traffic matches the rule.
To import a CGNAT rule:
1. From the View selector, select Service View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. Select Object Builder from the task pane. The Object Builder page is displayed.
4. Click the plus sign (+) next to Object Builder in the task pane to expand the tree and
display the list of objects.
5. From the task pane, select CGNAT Rules to open the CGNAT Rules page on the right
pane. The list of previously imported objects is displayed.
To filter and sort the display of objects, enter the name of the object as a match
criterion in the Search box and click the Search icon. The page refreshes to display
only the object names that match with the search term. You can use the paging
controls to navigate across multiple pages of objects as necessary.
6. Click the Import icon.
The Add to Object Builder dialog box is displayed.
7. Do one of the following for the Import section:
•
Select the From Existing Service Gateway radio button if you want to import the
CGNAT rule from SDGs that are present in the Edge Services Director database.
•
Select the From XML radio button if you want to import the CGNAT rule from an
XML configuration file on an external system.
8. If you selected the option to import the object from SDGs, do the following:
•
Click the Normal View tab to view the list of SDGs. You can search for specific SDGs
by entering a search item and clicking the Search icon.
Alternatively, click the Group View tab to view the list of SDG groups. You can search
for specific SDG groups by entering a search item and clicking the Search icon.
•
Click the plus sign (+) next to the All Service Gateways item to expand the tree
structure that displays the list of SDGs or SDG groups. If the SDG pair is configured,
you can select one of the devices, master or standby, from which you want to import
the object.
Alternatively, if you selected the Group View tab, you can select an SDG from the
groups displayed from which you want to import the object.
•
Click Import. The object is added to the database and can be used during
configuration of services or policies.
9. If you selected the option to import from an XML file, do the following:
•
Click Browse beside the File Name field to navigate to the path where an XML file
is available to be imported.
•
Click Import. The object is added to the database and can be used during
configuration of services or policies.
Related Documentation
•
Understanding the Object Builder on page 285
•
Importing All Types of Objects on page 286
Importing CGNAT Pools
A Network Address Translation (NAT) pool is a continuous range of IP addresses that
you can use to create a NAT policy. NAT policies perform address translation by translating
internal IP addresses to the addresses in these pools.
To import a CGNAT pool:
1. From the View selector, select Service View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. Select Object Builder from the task pane. The Object Builder page is displayed.
4. Click the plus sign (+) next to Object Builder in the task pane to expand the tree and
display the list of objects.
5. From the task pane, select CGNAT Pools to open the Real Servers page on the right
pane. The list of previously imported objects is displayed.
To filter and sort the display of objects, enter the name of the object as a match
criterion in the Search box and click the Search icon. The page refreshes to display
only the object names that match with the search term. You can use the paging
controls to navigate across multiple pages of objects as necessary.
6. Click the Import icon.
The Add to Object Builder dialog box is displayed.
7. Do one of the following for the Import section:
•
Select the From Existing Service Gateway radio button if you want to import the
CGNAT pool from SDGs that are present in the Edge Services Director database.
•
Select the From XML radio button if you want to import the CGNAT pool from an
XML configuration file on an external system.
8. If you selected the option to import the object from SDGs, do the following:
•
Click the Normal View tab to view the list of SDGs. You can search for specific SDGs
by entering a search item and clicking the Search icon.
Alternatively, click the Group View tab to view the list of SDG groups. You can search
for specific SDG groups by entering a search item and clicking the Search icon.
•
Click the plus sign (+) next to the All Service Gateways item to expand the tree
structure that displays the list of SDGs or SDG groups. If the SDG pair is configured,
you can select one of the devices, master or standby, from which you want to import
the object.
Alternatively, if you selected the Group View tab, you can select an SDG from the
groups displayed from which you want to import the object.
•
Click Import. The object is added to the database and can be used during
configuration of services or policies.
9. If you selected the option to import from an XML file, do the following:
•
Click Browse beside the File Name field to navigate to the path where an XML file
is available to be imported.
•
Click Import. The object is added to the database and can be used during
configuration of services or policies.
Related Documentation
•
Understanding the Object Builder on page 285
•
Importing All Types of Objects on page 286
Importing Applications
You can define application protocols for the stateful firewall and Network Address
Translation (NAT) services to use in match condition rules. An application protocol, or
application layer gateway (ALG), defines application parameters using information from
network Layer 3 and above. Examples of such applications are FTP and H.323. The
application-protocol allows you to specify which of the supported application protocols
(ALGs) to configure and include in an application set for service processing.
To import an application:
1. From the View selector, select Service View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. Select Object Builder from the task pane.
The Object Builder page is displayed.
4. Click the plus sign (+) next to Object Builder in the task pane to expand the tree and
display the list of objects.
5. From the task pane, select Applications to open the Applications page on the right
pane. The list of previously imported objects is displayed.
To filter and sort the display of objects, enter the name of the object as a match
criterion in the Search box and click the Search icon. The page refreshes to display
only the object names that match with the search term. You can use the paging
controls to navigate across multiple pages of objects as necessary.
6. Click the Import icon.
The Add to Object Builder dialog box is displayed.
7. Do one of the following for the Import section:
•
Select the From Existing Service Gateway radio button if you want to import the
application from SDGs that are present in the Edge Services Director database.
•
Select the From XML radio button if you want to import the application from an
XML configuration file on an external system.
8. If you selected the option to import the object from SDGs, do the following:
•
Click the Normal View tab to view the list of SDGs. You can search for specific SDGs
by entering a search item and clicking the Search icon.
Alternatively, click the Group View tab to view the list of SDG groups. You can search
for specific SDG groups by entering a search item and clicking the Search icon.
•
Click the plus sign (+) next to the All Service Gateways item to expand the tree
structure that displays the list of SDGs or SDG groups. If the SDG pair is configured,
you can select one of the devices, master or standby, from which you want to import
the object.
Alternatively, if you selected the Group View tab, you can select an SDG from the
groups displayed from which you want to import the object.
•
Click Import. The object is added to the database and can be used during
configuration of services or policies.
9. If you selected the option to import from an XML file, do the following:
•
Click Browse beside the File Name field to navigate to the path where an XML file
is available to be imported.
•
Click Import. The object is added to the database and can be used during
configuration of services or policies.
Related Documentation
•
Understanding the Object Builder on page 285
•
Importing All Types of Objects on page 286
Importing Application Sets
You can define application protocols for the stateful firewall and Network Address
Translation (NAT) services to use in match condition rules. You can group applications
into a bundle called an application set.
To import an application set:
1. From the View selector, select Service View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. Select Object Builder from the task pane.
The Object Builder page is displayed.
4. Click the plus sign (+) next to Object Builder in the task pane to expand the tree and
display the list of objects.
5. From the task pane, select Application Sets to open the Application Sets page on the
right pane.
The list of previously imported objects is displayed.
To filter and sort the display of objects, enter the name of the object as a match
criterion in the Search box and click the Search icon. The page refreshes to display
only the object names that match with the search term. You can use the paging
controls to navigate across multiple pages of objects as necessary.
6. Click the Import icon. The Add to Object Builder dialog box is displayed.
7. Do one of the following for the Import section:
•
Select the From Existing Service Gateway radio button if you want to import the
application set from SDGs that are present in the Edge Services Director database.
•
Select the From XML radio button if you want to import the application set from an
XML configuration file on an external system.
8. If you selected the option to import the object from SDGs, do the following:
•
Click the Normal View tab to view the list of SDGs. You can search for specific SDGs
by entering a search item and clicking the Search icon.
Alternatively, click the Group View tab to view the list of SDG groups. You can search
for specific SDG groups by entering a search item and clicking the Search icon.
•
Click the plus sign (+) next to the All Service Gateways item to expand the tree
structure that displays the list of SDGs or SDG groups. If the SDG pair is configured,
you can select one of the devices, master or standby, from which you want to import
the object.
Alternatively, if you selected the Group View tab, you can select an SDG from the
groups displayed from which you want to import the object.
•
Click Import. The object is added to the database and can be used during
configuration of services or policies.
9. If you selected the option to import from an XML file, do the following:
•
Click Browse beside the File Name field to navigate to the path where an XML file
is available to be imported.
•
Click Import. The object is added to the database and can be used during
configuration of services or policies.
Related Documentation
•
Understanding the Object Builder on page 285
•
Importing All Types of Objects on page 286
CHAPTER 15
Managing Packet Analyzers
•
Packet Analyzer Overview on page 301
•
Creating and Viewing Service Analyzers on page 303
Packet Analyzer Overview
Packet capture is a tool that helps you to analyze network traffic and troubleshoot
network problems. The packet capture tool captures real-time data packets traveling
over the network for monitoring and logging. This tool is a debugging and analysis utility
that you can use to identify the problematic area in a session path. A set of counters is
displayed for both forward and reverse flow for all the supported services on SDG devices.
Using these statistical details and values, you can obtain adequate and useful estimates
of the total byte count for each service at every hop and quickly and easily locate
the hop where packets might be dropped.
The packet analyzer is the endpoint to which the flow collector interface sends traffic
for analysis. You can process and export multiple cflowd records with a flow collector
interface. You create a flow collector interface on a Monitoring Services II or Multiservices
400 PIC. The flow collector interface combines multiple cflowd records into a compressed
ASCII data file and exports the file to an FTP server.
You can configure the packet analyzer filters to capture packet data flows based on a
match or classification criteria to collect statistics and information only about packets
that satisfy the criteria. You can define the data and control plane packet flow direction
and interface settings in the filter, and the interval at which devices must be polled. You
can also specify a timeout to apply a threshold on the amount of data to be collected.
You can then schedule the filter to be run for different services and view the statistics as
numerical values or as a graph.
Packets are captured as binary data, without modification. You can read the packet
information offline with a packet analyzer such as Ethereal or tcpdump. If you need to
quickly capture packets destined for, or originating from, the Routing Engine and analyze
them online, you can use the packet capture diagnostic tool.
Network administrators and security engineers use packet capture to perform the
following tasks:
•
Monitor network traffic and analyze traffic patterns.
•
Identify and troubleshoot network problems.
•
Detect security breaches in the network,
such as unauthorized intrusions, spyware activity, or ping scans.
Packet capture operates like traffic sampling on the device, except that it captures
entire packets.
Data packets are chunks of data that transit the router as they are being forwarded from
a source to a destination. When a router receives a data packet on an interface, it
determines where to forward the packet by looking in the forwarding table for the best
route to a destination. The router then forwards the data packet toward its destination
through the appropriate interface. The Packet Forwarding Engine, which is the central
processing element of the router’s forwarding plane, handles the flow of data packets
in and out of the router’s physical interfaces. Although the Packet Forwarding Engine
contains Layer 3 and Layer 4 header information, it does not contain the packet data
itself (the packet's payload).
You can also use the packet capture feature when you need to quickly capture and
analyze control traffic on a router. Control packets refer to health check packets that are
sent to examine the health and efficiency of specific URLs or paths. Health checking
allows you to verify content accessibility in large websites. As content grows and
information is distributed across different server farms, flexible, customizable content
health checks are critical to ensure end-to-end availability.
Pre-Service Filtering of Traffic for Service Processing
To filter IPv4 or IPv6 traffic before accepting packets for input or output service processing,
include the service-set service-set-name service-filter service-filter-name statement at one of the
following hierarchy levels:
•
[edit interfaces interface-name unit unit-number family (inet | inet6) service input]
•
[edit interfaces interface-name unit unit-number family (inet | inet6) service output]
For the service-set-name, specify a service set configured at the [edit services service-set]
hierarchy level.
The service set retains the input interface information even after services are applied, so
that functions such as filter-class forwarding and destination class usage (DCU) that
depend on input interface information continue to work.
The following requirements apply to filtering inbound or outbound traffic before accepting
packets for service processing:
•
You configure the same service set on the input and output sides of the interface.
•
If you include the service-set statement without an optional service-filter definition,
the Junos OS assumes the match condition is true and selects the service set for
processing automatically.
•
The service filter is applied only if a service set is configured and selected.
You can include more than one service set definition on each side of an interface. The
following guidelines apply:
•
If you include multiple service sets, the router (or switch) software evaluates them in
the order in which they appear in the configuration. The system executes the first service
set for which it finds a match in the service filter and ignores the subsequent definitions.
•
A maximum of six service sets can be applied to an interface.
•
When you apply multiple service sets to an interface, you must also configure and
apply a service filter to the interface.
Postservice Filtering of Returning Service Traffic
As an option to filtering of IPv4 or IPv6 input service traffic, you can apply a service filter
to IPv4 or IPv6 traffic that is returning to the services interface after the service set is
executed. To apply a service filter in this manner, include the post-service-filter
service-filter-name statement at the [edit interfaces interface-name unit unit-number family
(inet | inet6) service input] hierarchy level.
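The pre-service and post-service filter statements described in the two sections above, shown together as an added configuration example that is not taken from this guide. The interface name, service set names, filter names, and port values are assumptions, and both service sets are assumed to be defined already at the [edit services service-set] hierarchy level.

```junos
/* Added example. ge-1/0/0, sset-web, sset-other, and all filter names are assumptions. */
/* Both service sets are assumed to exist already under [edit services service-set].   */
firewall {
    family inet {
        /* Pre-service filter for sset-web: TCP traffic on ports 80 and 443.           */
        /* "port" matches source or destination port, so it fits both directions.      */
        service-filter sf-web {
            term web {
                from {
                    protocol tcp;
                    port [ 80 443 ];
                }
                then service;
            }
        }
        /* Pre-service filter for sset-other: TCP and UDP traffic not taken by sf-web. */
        service-filter sf-other {
            term l4 {
                from {
                    protocol [ tcp udp ];
                }
                then service;
            }
        }
        /* Post-service filter: evaluated on traffic returning to the interface        */
        /* after a service set has been executed.                                      */
        service-filter sf-post {
            term returning {
                from {
                    protocol tcp;
                }
                then skip;
            }
        }
    }
}
interfaces {
    ge-1/0/0 {
        unit 0 {
            family inet {
                service {
                    input {
                        /* Evaluated in configuration order; the first service set     */
                        /* whose service filter matches is executed.                   */
                        service-set sset-web service-filter sf-web;
                        service-set sset-other service-filter sf-other;
                        post-service-filter sf-post;
                    }
                    output {
                        /* The same service sets are configured on the output side.    */
                        service-set sset-web service-filter sf-web;
                        service-set sset-other service-filter sf-other;
                    }
                }
            }
        }
    }
}
```

Because two service sets are applied to the interface, each one carries a service filter, and the total stays under the six-service-set limit stated above.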
Related Documentation
•
Creating and Viewing Service Analyzers on page 303
Creating and Viewing Service Analyzers
The packet analyzer is the endpoint to which the flow collector interface sends traffic
for analysis. You can process and export multiple cflowd records with a flow collector
interface. You can perform the following tasks with the Service Analyzer page:
•
Configure and provision filters for packet analysis.
•
Configure filters for CGNAT, ADC, and TLB services.
•
Start and stop the configured filters.
•
View the packet analyzer details in statistical form or graphical form.
•
Configuring the Traffic Analyzer Filter on page 303
•
Managing Service Analyzer Filter Instances on page 306
•
Viewing Service Analyzer Instance Details on page 308
•
Viewing the Service Analyzer Statistics in Grid Format and Graph on page 310
Configuring the Traffic Analyzer Filter
To configure the traffic analyzer filter details on packet flows for the different services
and to schedule its running:
1. From the View selector, select Gateway View. The workspaces that are available in
this view are displayed. The Gateway view displays the service delivery gateway (SDG)
groups and the SDGs that are part of the high availability pair in an SDG group.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the View pane, select the All Network item in Gateway view. Click the plus sign
(+) beside the All Network item in the View pane to expand the tree and select the
device node you want.
4. From the task pane, do one of the following:
•
Select Service Analyzer > ADC Filter from the task pane. The Service Analyzer for
ADC Filter page is displayed. The service instances or templates that you previously
configured for the ADC service type are displayed. All the instances created in the
Service Templates workspace are shown.
•
Select Service Analyzer > TLB Filter from the task pane. The Service Analyzer for
TLB Filter page is displayed. The service instances or templates that you previously
configured for the TLB service type are displayed. All the instances created in the
Service Templates workspace are shown.
•
Select Service Analyzer > CGNAT Filter from the task pane. The Service Analyzer for
CGNAT Filter page is displayed. The service instances or templates that you previously
configured for the CGNAT service type are displayed. All the instances created in
the Service Templates workspace are shown.
The list of SDGs or SDG pairs in a high availability group is displayed, along with the
filter instances that were configured for the different services. The number of filter
instances that are currently in progress and the number of filter instances that are
scheduled or planned to be run at a later time are also displayed. For information on
running or clearing filter instances, see Managing Service Analyzer Filter Instances.
5. Select the SDGs or SDG pairs (you can select multiple rows to create and assign filters
to several SDGs simultaneously) for which you want to create packet analyzer filters
for services.
6. Click the plus sign (+) above the table of listed SDGs to create a new filter. The Update
Service Analyzer Filter Details page is displayed.
7. In the Data Forward Flow section, do the following. A forward flow refers to packets
that are sent in the forward or upward direction. A reverse flow refers to packets that
are sent in the returning or backward direction.
•
From the Egress list, select the egress interface on which the data packets that are
sent out in the forward flow must be monitored. Click Details beside the list to view
interface details.
•
From the Ingress list, select the input interface on which the data packets that are
received in the forward flow must be monitored. Click Details beside the list to view
interface details.
8. In the Data Reverse Flow section, do the following.
•
From the Egress list, select the egress interface on which the data packets that are
sent out in the reverse flow must be monitored. Click Details beside the list to view
interface details.
•
From the Ingress list, select the input interface on which the data packets that are
received in the reverse flow must be monitored. Click Details beside the list to view
interface details.
9. In the Control Forward Flow section, do the following. A forward flow refers to packets
that are sent in the forward or upward direction. A reverse flow refers to packets that
are sent in the returning or backward direction.
•
From the Egress list, select the egress interface on which the control packets that
are sent out in the forward flow must be monitored. Click Details beside the list to
view interface details.
•
From the Ingress list, select the input interface on which the control packets that
are received in the forward flow must be monitored. Click Details beside the list to
view interface details.
10. In the Data Reverse Flow section, do the following.
•
From the Egress list, select the egress interface on which the control packets that
are sent out in the reverse flow must be monitored. Click Details beside the list to
view interface details.
•
From the Ingress list, select the input interface on which the control packets that
are received in the reverse flow must be monitored. Click Details beside the list to
view interface details.
11. Click Apply to save the filter settings. Otherwise, click Cancel to discard the changes.
You are returned to the Service Analyzer page.
12. If you created a new filter, the filter instance is displayed under the corresponding
service type section, such as CGNAT or ADC. Such filters are provisioned filter instances.
This display signifies that the filter is configured, but it needs to be scheduled to be
run. Click the link that shows the number of instances under the column of the relevant
service type. The Service Analyzer Instances page is shown.
13. This page displays the names of the service instances for which filters are defined. The
actions you can perform are available as the Clear and Run buttons, above the table
of listed service instances, for each service instance with a filter.
14. Select the check box next to a service analyzer filter and click the Delete button to
remove a configured filter for an instance. You are prompted to confirm the deletion.
If you click OK, a popup dialog box denotes the successful deletion.
15. Select the check box next to a service analyzer filter instance, and click the Run button
to schedule the filter to be run. The Run Filter dialog box appears. The Run button is
grayed out if the particular service filter instance is already in progress.
16. From the Poll Interval list, select the interval in minutes at which the data must be
polled and collected. Values from 1 minute up to 59 minutes are shown in increments
of 2 minutes in the list.
17. In the Schedule Start Details section, click Run Now to start the filter immediately.
Alternatively, click the Run At radio button and select the date and time at which the
filter must be run.
18. In the Schedule End Details section, do one of the following:
•
Click the Stop At radio button and select the date and time at which the filter must
be stopped.
•
Click the Stop After radio button and specify a value for the number of polls after
which the filter must be ended.
•
Click the Run Until Stopped radio button to continue running the test until you
stop it manually.
19. Click Run to save the filter settings. Otherwise, click Cancel to discard the changes.
You are returned to the Prepared Service Analyzer Instances dialog box. Click Close
to return to the Service Analyzer page.
Managing Service Analyzer Filter Instances
To view, start, stop, or clear the configured analyzer filters:
1. From the View selector, select Gateway View. The workspaces that are available in
this view are displayed. The Gateway view displays the service delivery gateway (SDG)
groups and the SDGs that are part of the high availability pair in an SDG group.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the View pane, select the All Network item in Gateway view. Click the plus sign
(+) beside the All Network item in the View pane to expand the tree and select the
device node you want.
4. From the task pane, do one of the following:
•
Select Service Analyzer > ADC Filter from the task pane. The Service Analyzer for
ADC Filter page is displayed. The service instances or templates that you previously
configured for the ADC service type are displayed. All the instances created in the
Service Templates workspace are shown.
•
Select Service Analyzer > TLB Filter from the task pane. The Service Analyzer for
TLB Filter page is displayed. The service instances or templates that you previously
configured for the TLB service type are displayed. All the instances created in the
Service Templates workspace are shown.
•
Select Service Analyzer > CGNAT Filter from the task pane. The Service Analyzer for
CGNAT Filter page is displayed. The service instances or templates that you previously
configured for the CGNAT service type are displayed. All the instances created in
the Service Templates workspace are shown.
The list of SDGs or SDG pairs in a high availability group is displayed, along with the
filter instances that were configured for the different services. The number of filter
instances that are currently in progress and the number of filter instances that are
scheduled or planned to be run at a later time are also displayed. For information on
viewing filter instances, see Viewing the Traffic Analyzer Statistics and Graph.
5. For the SDG corresponding to a certain service, all of the previously configured service
analyzer filters are displayed in the Service Analyzer Instances page with the state of
the filter instance under the Status column of the relevant service type. View the
Status column for the current state of the filter.
Figure 31: Service Analyzer Instances Page
You can click the links under one of the following columns:
•
View—Click to display the traffic analyzer details on packet flows for the different
services configured. For information on viewing filter instances, see Viewing the
Service Analyzer Statistics and Graph.
•
Delete—Click to remove the configured filter for an instance. You are prompted to
confirm the deletion. If you click OK, a popup dialog box denotes the successful
deletion.
•
Run—Click to schedule a filter to be run. For information on scheduling a filter
instance to be run, see Configuring the Traffic Analyzer Filter.
•
Report—Click to view the collection statistics and information about packets that
are fetched. For information on viewing the details collected by a service analyzer,
see Viewing the Service Analyzer Collection Data.
•
Stop—Click to end a running filter. You are prompted to confirm whether you want
to stop the filter instance. If you click OK, a popup dialog box denotes the successful
termination of the filter instance.
•
Last Run Errors—Click to display any errors that occurred during the running of the
filter instance. The Last Run Status dialog box is displayed. It contains the
Provisioning Errors and Decommissioning Errors tabs that describe errors that might
have occurred during the initialization and start of the analyzer filters or with the
decommissioning and termination. The following fields are displayed in this dialog
box for both the tabs:
•
Host Name—Host name of the SDG device.
•
Severity—System logging severity level.
•
Path—Hierarchy level of the configuration statement corresponding to the setting
in the CLI interface.
•
Info—Informational message about the error that is generated.
•
Message—System event logging message generated that describes the error.
•
Graph—Click to display the packet analyzer details for monitoring as a pictorial form.
The Packet Flow Graph dialog box appears.
6. In the dialog box, the Configured Instances column displays the names of the service
instances for which filters are defined. The Actions column contains the Clear and
Run subcolumns for each service instance with a filter.
7. Click Delete to remove a configured filter for an instance. You are prompted to confirm
the deletion. If you click OK, a popup dialog box denotes the successful deletion.
8. Click Run beside the instance for which you want to schedule the filter to be run. The Run Filter
dialog box appears, in which you specify the schedule settings.
Viewing Service Analyzer Instance Details
To view the service analyzer instance details:
1. From the View selector, select Gateway View. The workspaces that are available in
this view are displayed. The Gateway view displays the service delivery gateway (SDG)
groups and the SDGs that are part of the high availability pair in an SDG group.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the View pane, select the All Network item in Gateway view. Click the plus sign
(+) beside the All Network item in the View pane to expand the tree and select the
device node you want.
4. From the task pane, do one of the following:
•
Select Service Analyzer > ADC Filter from the task pane. The Service Analyzer for
ADC Filter page is displayed. The service instance or template that you previously
configured for the ADC service type are displayed. All the instances created in the
Service Templates workspace are shown.
•
Select Service Analyzer > TLB Filter from the task pane. The Service Analyzer for
TLB Filter page is displayed. The service instance or template that you previously
configured for the TLB service type are displayed. All the instances created in the
Service Templates workspace are shown.
•
Select Service Analyzer > CGNAT Filter from the task pane. The Service Analyzer for
CGNAT Filter page is displayed. The service instance or template that you previously
Copyright © 2016, Juniper Networks, Inc.
Chapter 15: Managing Packet Analyzers
configured for the CGNAT service type are displayed. All the instances created in
the Service Templates workspace are shown.
The list of SDGs or SDG pairs in a high availability group is displayed, along with the
filter instances that were configured for the different services. The number of filter
instances that are currently in progress and the number of filter instances that are
scheduled or planned to be run at a later time are also displayed. For information on
running or clearing filter instances, see Managing Service Analyzer Filter Instances.
5. Select the SDGs or SDG pairs (you can select multiple rows to create and assign filters
to several SDGs simultaneously) for which you want to create packet analyzer filters
for services.
6. From the Service Analyzer page, for the SDG corresponding to a certain service, click
the link under the column of the relevant service type. The Prepared Service Analyzer
Instances dialog box is shown. Click View under the View column to view the traffic
analyzer for the particular service.
The View Service Instance Analyzer Details page is displayed.
The following fields are displayed in this page:
Field: Description
Name: Name of the SDG or pair of SDGs in a high availability group.
Type: Service type for which packets collected are shown. Values are CGNAT, ADC, or TLB.
Data Packets/Control Packets: Click the Data Packets tab to view data packet details for
the service analyzer filter. Alternatively, click the Control Packets tab to view control
packet details for the service analyzer filter. Indicates whether data or control packet
details are shown.
Forward Flow: Displays statistics for packets in forward flow direction.
Ingress: Number of packets that arrive in the ingress direction in forward flow.
Egress: Number of packets that are sent out in the egress direction in forward flow.
Reverse Flow: Displays statistics for packets in reverse flow direction. If a service set
is a sampling service set and the reverse-flow service order is not configured, all sampled
traffic is considered to be forward traffic.
Ingress: Number of packets that arrive in the ingress direction in reverse flow.
Egress: Number of packets that are sent out in the egress direction in reverse flow.
7. Click Close after viewing the analyzer filter details. You are returned to the Prepared
Service Analyzer Instances dialog box. Click Close to return to the Service Analyzer
Page.
Viewing the Service Analyzer Statistics in Grid Format and Graph
To view the traffic analyzer details on packet flows for the different services that match
the filter criteria:
1. From the View selector, select Gateway View. The workspaces that are available in
this view are displayed. The Gateway view displays the service delivery gateway (SDG)
groups and the SDGs that are part of the high availability pair in an SDG group.
2. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the View pane, select the All Network item in Gateway view. Click the plus sign
(+) beside the All Network item in the View pane to expand the tree and select the
device node you want.
4. From the task pane, do one of the following:
• Select Service Analyzer > ADC Filter from the task pane. The Service Analyzer for
ADC Filter page is displayed. The service instances or templates that you previously
configured for the ADC service type are displayed. All the instances created in the
Service Templates workspace are shown.
• Select Service Analyzer > TLB Filter from the task pane. The Service Analyzer for
TLB Filter page is displayed. The service instances or templates that you previously
configured for the TLB service type are displayed. All the instances created in the
Service Templates workspace are shown.
• Select Service Analyzer > CGNAT Filter from the task pane. The Service Analyzer for
CGNAT Filter page is displayed. The service instances or templates that you previously
configured for the CGNAT service type are displayed. All the instances created in
the Service Templates workspace are shown.
The list of SDGs or SDG pairs in a high availability group is displayed, along with the
filter instances that were configured for the different services. The number of filter
instances that are currently in progress and the number of filter instances that are
scheduled or planned to be run at a later time are also displayed. For information on
running or clearing filter instances, see Managing Service Analyzer Filter Instances.
5. Select the SDGs or SDG pairs (you can select multiple rows to create and assign filters
to several SDGs simultaneously) for which you want to create packet analyzer filters
for services.
6. From the Service Analyzer page, for the SDG corresponding to a certain service, click
the link under the column of the relevant service type. The Prepared Service Analyzer
Instances dialog box is shown. Click Report under the View Report column to view the
traffic analyzer for the particular service.
The Service Analyzer Collection Data — Grid View page is displayed.
At the top of the tabular display, select the criteria for which you want to sort and
segregate the packet analyzer information to be viewed. From the Criteria section, do
the following:
a. Select Control or Data from the first drop-down list to view control or data packets.
b. Select Forward or Reverse from the second drop-down list to view statistics for
packets in forward or reverse flows.
c. Select IPv4 or IPv6 from the second drop-down list to view IPv4 or IPv6 packets
for the filter instance.
d. Click the search icon to apply the filter conditions and display details matching the
specified criteria.
The following fields are displayed in this page:
Field: Description
Name: Name of the SDG or pair of SDGs in a high availability group.
Type: Service type for which packets collected are shown. Values are CGNAT, ADC, or TLB.
Collection Time: Date and time at which the packet details are collected.
Ingress: Number of packets that arrive in the ingress direction in forward and reverse flow.
PreService: Number of packets in the forward flow and reverse flow before the processing
of services. You can define the pre-service filter to be applied to traffic before it is
accepted for service processing.
Post Service: Number of packets in the forward flow and reverse flow after processing of
services. You can define the post-service filter to be applied to traffic after service
processing. The filter is applied only if a service set is configured and selected. You can
configure a postservice filter on the input side of the interface only. This setting is not
supported when the service interface is on an MS-MIC or MS-MPC.
Egress: Number of packets that are sent out in the egress direction in forward flow and
reverse flow.
Click Close after viewing the collection data in the tabular grid. You are returned to
the Prepared Service Analyzer Instances dialog box. Click Close to return to the Service
Analyzer Page.
7. Alternatively, you can view the service analyzer details in a graphical representation.
Click Graph under the View Report column to display the packet analyzer details for
monitoring in pictorial form. The Packet Flow Graph dialog box appears.
Line graphs are displayed for data forward flow, data reverse flow, control forward
flow, and control reverse flow. The number of packets is displayed on the y-axis and
time is displayed along the x-axis. The legends reference the egress, pre-service,
post-service, and ingress packets. Mouse over the points in the graph to highlight and
view the number of packets at a particular time instance.
At the top of the graph, select the criteria for which you want to sort and segregate
the packet analyzer information to be viewed. From the Criteria section, do the
following:
a. Select Control or Data from the first drop-down list to view control or data packets.
b. Select IPv4 or IPv6 from the second drop-down list to view IPv4 or IPv6 packets
for the filter instance.
c. Select the period for which the service analyzer details must be shown from the
third drop-down list. For example, you can select Last 10 Mins to display the service
analyzer packets collected over the last 10 minutes or the Last 1 Hr option to display
the service analyzer packets collected over the last one hour.
d. Click the search icon to apply the filter conditions and display details matching the
specified criteria.
8. Click Close after viewing the graph. You are returned to the Prepared Service Analyzer
Instances dialog box. Click Close to return to the Service Analyzer Page.
Related Documentation
• Packet Analyzer Overview
PART 5
Deploy Mode
• About Deploy Mode
• Device Management
• Configuration File Management
• Software Image Management
• Viewing and Editing Service Instances and Packet Filters Across All Gateways
• Enhanced Editing of Services and Packet Filters
• Managing Service Instance and Policy Rule Definitions
• Deploying Configurations to Devices
• Viewing Transactions Associated with Deployment Jobs
CHAPTER 16
About Deploy Mode
• Understanding Deploy Mode in Gateway and Service Views of Edge Services Director
• Understanding Deploy Mode in Location and Device Views of Edge Services Director
Understanding Deploy Mode in Gateway and Service Views of Edge Services Director
The Deploy mode in Gateway and Service views enables you to deploy configuration
changes to devices. You can create a deployment plan for each of the service planning
templates, such as the ones defined for ADC or SFW services, and the policy or filter
templates, such as the packet filter or SFW policy, that you have created. A deploy plan
contains details about the settings and configuration parameters that must be propagated
and provisioned on the SDGs managed by Edge Services Director. You can also create,
update, display, publish, and commission packet filters, stateful firewall policies, and
NAT policies present on discovered and managed SDGs.
This topic describes:
• Deploying Configuration Changes
• Transactions
• Modify the Association of SDG Details and Rule Terms for a Policy Filters
• View Service Object Statistics
• Service Edit
• Policy and Filter Management
Deploying Configuration Changes
When you make configuration changes in Build mode, the changes are not deployed to
devices automatically. You must manually deploy the changes to devices in Deploy mode.
Every time you make configuration changes in Build mode that affect a device, the device
is automatically added to the list of devices with pending changes. Configuration changes
are deployed to devices at the device level. When you deploy configuration changes to
a device, all pending configuration changes for that device are deployed.
You can do the following configuration deployment tasks on devices that have pending
changes:
• Run configuration deployment jobs immediately or schedule them for future times.
• Preview pending configuration changes before deploying.
• Validate that the pending changes are compatible with the device’s configuration.
• Manage configuration deployment jobs.
Configuration changes are validated for each device both in Edge Services Director and
on the device. If any part of a configuration change for a device fails validation, no
configuration changes are deployed to the device. You can see the results of each
validation phase separately.
Edge Services Director does not deploy configuration to a device with a configuration
that is out of sync (meaning that the device’s configuration differs from Edge Services
Director’s version of that device’s configuration), or to a device that has uncommitted
changes to its candidate configuration. Deployment to such devices will fail.
When you schedule a deployment job, that job and any profiles and devices assigned to
that job are locked within Edge Services Director. You cannot edit the job or any of its
assigned profiles until the job runs or gets cancelled. This locking feature prevents you
from deploying unintended configuration changes that could result from editing profiles
and devices that are already scheduled to deploy. To change any properties of a scheduled
job, cancel the job and create a new scheduled job with the desired properties. You cannot
edit the profile assignments of a device that has scheduled pending configuration changes.
The Service Deployment page provides the following functionalities:
• Approval Management—View the details of the filters, policies, and other service
deployment plans that are pending approval. Approve or reject deployment plans
made for an existing feature.
• Update Devices—View the details of approved filters, policies, and other service
deployment plans that are ready for commissioning. Commission or discard the
deployment plans accordingly.
Transactions
A transaction refers to an operation or a task that is performed on the service definitions,
configuration parameters, and policy settings that are created for provisioning on the
devices or Service Delivery Gateways (SDGs). When you create a deployment plan to
define the services and policy filters that must be applied and propagated on the devices,
the administrator can approve or reject a deploy plan. For each approved deploy plan, a
transaction is automatically created by the Edge Services Director application.
Modify the Association of SDG Details and Rule Terms for a Policy Filters
In Gateway view of Deploy mode, from the Policy & Filters page, which displays all the
previously configured CGNAT and SFW service policy filters, and packet filters, you can
modify the components or the parameter types that are associated with a particular
service filter. You must lock the packet filters for which you want to modify the attached
rule term components or attributes before you can update the settings. You can also
select a different SDG to which the packet filter must be applied.
View Service Object Statistics
In Service view of Deploy mode, you can view a graphical representation, in the form of
pie charts, of the configured ADC, TLB, CGNAT, SFW, and packet policies or filters.
Service Edit
In Gateway and Service views, you can select a previously configured service template
instance, such as a stateful firewall, carrier-grade NAT, traffic load balancer, or adaptive
delivery controller, and lock the service instance to select the attributes or components
of the service to be modified. You can publish or unpublish service template instances.
Policy and Filter Management
The Policy and Filter Management feature in the Junos Space Edge Services Director
application helps you create, update, display, publish, and commission packet filters,
stateful firewall policies, and NAT policies present on discovered and managed SDGs.
The Service Management workspace displays a bar graph of draft, published, and approved
filters or policies for the different options available under the workspace:
• Packet Filter: This option displays packet filters present on SDGs in tabular view. It also
provides the ability to create, update, and delete filters on selected SDGs.
• Stateful Firewall: This option displays stateful firewall policies present on SDGs in
tabular view. It also provides the ability to create, update and delete stateful firewall
policies on selected SDGs.
• CGNAT: This option displays CGNAT policies present on SDGs in tabular view. It also
provides the ability to create, update and delete CGNAT policies on selected SDGs.
A published filter or policy is sent for peer review and approval. After approval, the filter
or policy is deployed to devices.
Related Documentation
• Viewing Deployment Plans
• Creating and Assigning a Deployment Plan to Devices
• Transactions Overview
• Viewing Transactions
Understanding Deploy Mode in Location and Device Views of Edge Services Director
The Deploy mode enables you to deploy configuration changes and software upgrades
to devices and perform several device management and configuration file management
tasks.
This topic describes:
• Managing Software Images
• Managing Devices
• Managing Device Configuration Files
Managing Software Images
Edge Services Director can manage software images on the nodes it manages. You can
do the following software image management tasks:
• Deploy a software image stored in an image repository on the Edge Services Director
server to multiple devices with a single job.
• Track the status of software image management jobs.
• Stage and install software images as separate tasks.
• Schedule staging and installation to happen at independent future times.
• Perform several software image upgrade options, such as rebooting devices
automatically after the upgrade finishes.
NOTE: Using nonstop software upgrade (NSSU) to upgrade MX Series routers
is supported in Edge Services Director.
Managing Devices
In Deploy mode you can perform several device management tasks, including:
• View the device inventory.
• Show a device’s current configuration.
• Resynchronize the device configuration maintained in Build mode with the configuration
on the device.
Managing Device Configuration Files
You can back up device configuration files to the Edge Services Director server. You can
perform several actions on backed up configuration files, such as restoring configuration
files to devices, and viewing and comparing configuration files.
CHAPTER 17
Device Management
• Viewing the Device Inventory Page in Device View of Edge Services Director
• Resynchronizing Device Configuration
Viewing the Device Inventory Page in Device View of Edge Services Director
The Device Inventory page lists devices managed by Edge Services Director and provides
basic information about the devices, such as IP address and current operating status.
The Device Inventory page is available in Build and Deploy mode and is the default landing
page for Build mode.
The scope you have selected in the View pane and the network view that you have
selected from the View selector determine which devices are listed in the Device Inventory
page. For example:
• If you are in the Device View and select My Network, all devices managed by Edge
Services Director are listed.
• If you select a building in Location view, only those devices assigned to that building
(including the floors and closets in the building) are listed.
The Device Inventory page provides three pie charts that summarize the status of the
devices in your selected scope:
• Devices by Category—Indicates the proportion of devices in each device family.
• Connection State—Shows the proportion of devices that are up or down. In this chart,
Virtual Chassis count as one device.
• Configuration State—Shows the proportion of devices in each configuration state. See
the Config State entry in Table 32 on page 130 for definitions of the configuration states.
Figure 32: Device Inventory Page
Mouse over a pie segment to view the actual number of devices and the percentage
represented by that pie segment.
Table 32 on page 130 describes the fields in the Device Inventory table.
Table 50: Fields in the Device Inventory Table
Field: Description
Hostname: Configured name of the device or IP address if no hostname is configured.
IP Address: IP Address of the device.
Serial Number: Serial number of device chassis.
Platform: Model number of the device.
OS Version: Operating system version running on the device.
Device Family: Device family of the device, such as JUNOS for MX Series routers.
Device Type: Type of the device:
• ROUTER—MX Series routers
• AP—Wireless LAN access point
• Fabric Member—QFabric member switch
• QFabric—QFabric system
• Switch—Standalone switch
• VC—Virtual Chassis master
• VC Member—Virtual Chassis member switch
Connection State: Connection status of the device in Edge Services Director:
• UP—Device is connected to Edge Services Director.
• DOWN—Device is not connected to Edge Services Director.
• N/A—Access point state is unavailable to Edge Services Director.
Config State: Displays the configuration status of the device:
• In Sync—The configuration on the device is in sync with the Edge Services
Director configuration for the device.
• Out Of Sync—The configuration on the device does not match the Edge
Services Director configuration for the device. This state is usually the
result of the device configuration being altered outside of Edge Services
Director.
You cannot deploy configuration on a device from Edge Services Director
when the device is Out Of Sync. To resolve this state, use the
Resynchronize Device Configuration task in Deploy mode.
• Sync failed—An attempt to resynchronize an Out Of Sync device failed.
• Synchronizing—The device configuration is in the process of being
resynchronized.
• N/A—The device is down or is an access point.
Manageability State: Displays if the device is directly manageable or not.
This is a hidden field. To display the Manageability State field, click any
column, click the down arrow to expand the list, select Columns from the
list, and then enable Manageability State.
Resynchronizing Device Configuration
A network managed by Edge Services Director has three repositories of information about
the configuration of a network device—the configuration stored on the device itself, the
device configuration record maintained by Junos Space, and the Build mode configuration
maintained by Edge Services Director.
When the configurations contained in all three repositories match, the device configuration
state is shown as In Sync in Edge Services Director. When the repositories do not match,
the configuration state is shown as Out of Sync. A common cause for this state is
out-of-band configuration changes—that is, configuration changes made to a device
outside of Edge Services Director.
When a device state is Out of Sync, you cannot deploy configuration changes on the
device in Deploy mode. Use the Resynchronize Device Configuration task to resynchronize
the three configuration repositories and change the device configuration state back to
In Sync.
How the Resynchronize Device Configuration task performs the resynchronization depends
on the system of record (SOR) mode setting for the Junos Space Network Management
Platform:
• When Junos Space is in network as system of record (NSOR) mode, the device is
considered the system of record for configuration. When you resynchronize a device
when Junos Space is in NSOR mode, both the Junos Space configuration record and
the Edge Services Director Build mode configuration are updated to reflect the device
configuration—in other words, the out-of-band configuration changes are incorporated
into both the Junos Space and the Edge Services Director configuration repositories.
• When Junos Space is in Junos Space as system of record (SSOR) mode, you can choose
whether to accept or reject the out-of-band changes reflected in the device configuration.
If you accept the changes, both the Junos Space configuration record and the Edge
Services Director Build mode configuration are updated to reflect the device
configuration. If you reject the changes, the out-of-band changes are rolled back on
the device so that the device configuration matches the Junos Space configuration
record and the Edge Services Director Build mode configuration.
For more information about out-of-band configuration changes, Junos Space SOR modes,
and how Edge Services Director resynchronizes device configuration, see “Understanding
Resynchronization of Device Configuration” on page 67.
This topic covers:
• The Resynchronize Device Configuration List of Devices
• Resynchronizing Devices When Junos Space Is in NSOR Mode
• Resynchronizing Devices When Junos Space Is in SSOR Mode
• Resynchronizing Devices in Manual Approval Mode
• Viewing the Network Changes
• Viewing Resynchronization Job Status
The Resynchronize Device Configuration List of Devices
The Resynchronize Device Configuration page displays a list of all devices in the selected
scope whose configuration was successfully imported during device discovery and whose
configuration state is now Out Of Sync. You can select devices from this list and
resynchronize them.
Table 51 on page 323 describes the fields in the list of devices.
Table 51: Resynchronize Device Configuration Fields
Field: Description
Name: Device hostname or device IP address.
IP address: IP address of device.
Model: Model number of the device.
OS Version: Operating system version currently running on the device.
Connection State: Connection state:
• UP—Edge Services Director is connected to the device
• DOWN—Edge Services Director cannot connect to the device
Configuration State: Shows the configuration state of the device:
• Out Of Sync—The device configuration is out of sync with either the Edge Services Director Build
mode configuration or the Junos Space configuration record or both.
• Resynchronizing—The device configuration is in the process of being resynchronized.
• Sync Failed—The resynchronization attempt failed.
If the resynchronization is successful, the device is removed from the table.
Local Changes: Specifies whether configuration changes have been made in Build mode and are
pending deployment on the device.
• None—There are no configuration changes pending deployment.
• View—There are configuration changes that are pending deployment. Click View to view the changes.
These changes will be lost if you resynchronize the Build mode configuration to match the device
configuration.
NOTE: The Pending Changes window that appears when you click View allows you to see what profiles
have been added, modified, or changed. However, because the device is not in sync, you cannot view
the specific changes in CLI or XML format.
Network Changes: Indicates whether you can view the out-of-band changes:
• None—The out-of-band changes are not available for viewing. You cannot view out-of-band changes
in NSOR mode. In SSOR mode, you cannot view the out-of-band changes if they are already resolved
in Junos Space—that is, the device configuration state in Junos Space is In Sync.
• View—You can view the out-of-band changes made on the device. Click View to view the changes
presented in XML format.
Resynchronizing Devices When Junos Space Is in NSOR Mode
To resynchronize devices when the Junos Space Network Application Platform is in NSOR
mode:
1. On the Resynchronization Device Configuration page, select the device or devices that
you want to resynchronize.
2. (Optional) View any pending changes to a device’s configuration in Edge Services
Director by clicking View in the Local Changes column. These pending changes are
deleted when you resynchronize the device.
3. Click Resynchronize Configuration.
The Resynchronize Device Configuration Results window appears. This window will be
updated with the status of the resynchronization when the resynchronization completes.
Resynchronizing Devices When Junos Space Is in SSOR Mode
To resynchronize devices when the Junos Space Network Management Platform is in
SSOR mode:
1. On the Resynchronization Device Configuration page, select the device or devices that
you want to resynchronize.
2. (Optional) View any pending changes to a device’s configuration in Edge Services
Director by clicking View in the Local Changes column. These pending changes are
deleted if you accept the out-of-band changes when you resynchronize the device.
3. (Optional) View the out-of-band configuration changes by selecting View in the
Network Changes column. If you accept the out-of-band changes when you
resynchronize the device, these changes will be reflected in the Build mode
configuration. If you reject the out-of-band changes when you resynchronize the
devices, these changes will be deleted from the device. For more information about
viewing the out-of-band changes, see “Viewing the Network Changes” on page 325.
NOTE: Out-of-band changes that were made with the Junos Space
configuration editor or that were already accepted in Junos Space are not
shown. Such changes also cannot be rejected.
4. Click Resynchronize Configuration.
5. In the Confirm dialog box:
• Click Accept device changes if you want to accept the out-of-band changes.
• Click Reject device changes if you want to reject the out-of-band changes and
reinstate the configuration that existed on the device before the out-of-band
changes were made.
Click Submit.
The Resynchronize Device Configuration Results window appears. This window will be
updated with the status of the resynchronization when the resynchronization completes.
NOTE: Device changes made by the Junos Space configuration editor or
device changes that have been accepted in Junos Space cannot be rejected.
Even if you select Reject device changes, these changes will not be rejected
and instead will be incorporated into the Build mode configuration.
Resynchronizing Devices in Manual Approval Mode
When out-of-band changes exist, device resynchronization merges the changes done
by using the CLI with the local changes provided that there are no conflicts. If there are
conflicting changes, the changes made using the CLI take precedence over the local
changes. Therefore, configuration changes that are part of a change request might be
lost. The configuration change requests that are lost are marked as Cancelled against
the corresponding device. When device resynchronization is initiated for a device, a
message is displayed that lists the change requests that will be lost because of conflicting
CLI and local changes. All other changes remain unaffected.
Viewing the Network Changes
The Network Changes window shows the out-of-band configuration changes made to
a device when Junos Space is in SSOR mode.
Not all out-of-band configuration changes are shown in this window. Configuration
changes are shown only when the device configuration differs from the Junos Space
configuration record—that is, when the device configuration state in Junos Space is not
In Sync. For example, if the out-of-band changes were deployed from the Junos Space
configuration editor or if the out-of-band changes were already accepted in Junos Space,
the configuration changes will not appear in this window.
The configuration changes are shown in XML format. If there have been multiple
out-of-band changes—that is, there has been more than one configuration commit, or
save, on the device—the changes are grouped by each commit.
The following information is provided for each configuration commit:
• junos:commit-seconds—Specifies the time when the configuration was committed
as the number of seconds since midnight on 1 January 1970.
• junos:commit-localtime—Specifies the time when the configuration was committed
as the date and time in the device’s local time zone.
• xmlns:junos—Specifies the URL for the DTD that defines the XML namespace for the
tag elements.
• junos:commit-user—Specifies the username of the user who requested the commit
operation.
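The per-commit attributes listed above are enough to review out-of-band changes before accepting them. The following is an added example, not part of the original guide or of Junos Space: it reads change records copied from the Network Changes window and flags commits made by an unapproved user or outside a change window. The wrapper element, the namespace release string, the usernames, the approved-user list, and the window hours are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample, not captured from a device. The wrapper element, the
# release string in the namespace URL, the users and the changed stanzas
# are all assumptions made for this example.
SAMPLE = """\
<network-changes xmlns:junos="http://xml.juniper.net/junos/14.2R1/junos">
  <configuration junos:commit-seconds="1467108000"
                 junos:commit-localtime="2016-06-28 10:00:00 UTC"
                 junos:commit-user="netops">
    <system><host-name>sdg-1</host-name></system>
  </configuration>
  <configuration junos:commit-seconds="1467079200"
                 junos:commit-localtime="2016-06-28 02:00:00 UTC"
                 junos:commit-user="tempadmin">
    <firewall><filter><name>mgmt-in</name></filter></firewall>
  </configuration>
</network-changes>
"""


def _local(name):
    """Strip the '{namespace}' prefix ElementTree puts on qualified names.

    The junos namespace URL embeds the software release, so matching on the
    local attribute name keeps the parser release-independent.
    """
    return name.rsplit("}", 1)[-1]


def parse_commits(xml_text):
    """Return one record per element that carries junos:commit-* attributes."""
    # Refuse DTDs: change records need none, and rejecting them avoids
    # entity-expansion problems when the XML comes from an untrusted source.
    if "<!DOCTYPE" in xml_text.upper():
        raise ValueError("DOCTYPE not allowed in change records")
    commits = []
    for elem in ET.fromstring(xml_text).iter():
        attrs = {_local(k): v for k, v in elem.attrib.items()}
        if "commit-seconds" not in attrs or "commit-user" not in attrs:
            continue
        commits.append({
            "user": attrs["commit-user"],
            # commit-seconds is epoch time, so it is unambiguous across zones.
            "when_utc": datetime.fromtimestamp(
                int(attrs["commit-seconds"]), tz=timezone.utc),
            "localtime": attrs.get("commit-localtime", ""),
            # Top-level stanzas touched by this commit.
            "sections": [_local(child.tag) for child in elem],
        })
    return commits


def audit_commits(commits, approved_users, window_utc_hours):
    """Flag commits by unapproved users or outside [start, end) UTC hours."""
    start, end = window_utc_hours
    findings = []
    for commit in commits:
        reasons = []
        if commit["user"] not in approved_users:
            reasons.append("unapproved user")
        if not start <= commit["when_utc"].hour < end:
            reasons.append("outside change window")
        if reasons:
            findings.append({
                "user": commit["user"],
                "when_utc": commit["when_utc"].isoformat(),
                "sections": commit["sections"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in audit_commits(parse_commits(SAMPLE), {"netops"}, (8, 18)):
        print(finding["when_utc"], finding["user"],
              ",".join(finding["sections"]), "; ".join(finding["reasons"]))
```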
Viewing Resynchronization Job Status
The Resynchronize Device Configuration Results window appears after you start a
resynchronization job. This window is automatically updated with the resynchronization
status for each device when the job completes.
You can also view the status of the resynchronization jobs using the Manage Jobs task
in System mode. The following jobs are associated with resynchronization:
• Resynch Network Elements—This job runs in NSOR mode and resynchronizes the Junos
Space configuration record with the device configuration.
• Resolve OOB Changes—This job runs in SSOR mode and resolves the out-of-band
changes for Junos Space—either accepting the changes and updating the Junos Space
configuration or rejecting the changes and rolling back the changes on the device.
• Resynchronize devices—This job runs in both NSOR and SSOR mode and resynchronizes
the Build mode configuration with the device configuration.
Related Documentation
• Understanding Resynchronization of Device Configuration on page 67
• Understanding Deploy Mode in Gateway and Service Views of Edge Services Director
on page 315
CHAPTER 18
Configuration File Management
• Managing Device Configuration Files on page 327
• Managing Jobs on page 330
Managing Device Configuration Files
You can back up device configuration files to the Edge Services Director server. You can
perform several actions on backed up configuration files, such as restoring configuration
files to devices, and viewing and comparing configuration files.
To start managing device configuration files:
1. Click Deploy in the Edge Services Director banner.
2. In the Tasks pane, select Device Configuration Files > Manage Device Configuration
Files.
The Manage Device Configuration page opens in the main window. The table lists the
devices that have configuration files backed up.
This topic describes:
• Selecting Device Configuration File Management Options on page 327
• Backing Up Device Configuration Files on page 328
• Restoring Device Configuration Files on page 329
• Viewing Device Configuration Files on page 329
• Comparing Device Configuration Files on page 329
• Deleting Device Configuration Files on page 330
• Managing Device Configuration File Management Jobs on page 330
Selecting Device Configuration File Management Options
From the Manage Device Configuration page, you can:
• Back up device configuration files by clicking Backup. See “Backing Up Device
Configuration Files” on page 328 for more information.
• Restore backup device configuration files to devices by selecting devices and clicking
Restore. See “Restoring Device Configuration Files” on page 329 for more information.
• View backed up configuration files by selecting a device and clicking View Configuration
File. See “Viewing Device Configuration Files” on page 329 for more information.
• Compare backed up device configuration files by selecting devices and clicking Compare
Config Files. See “Comparing Device Configuration Files” on page 329 for more
information.
• Delete backup device configuration files by selecting devices and clicking Delete. See
“Deleting Device Configuration Files” on page 330 for more information.
Table 52 on page 328 describes the information provided in the Manage Device
Configuration table.
Table 52: Manage Device Configuration Table
Table Column | Description
Device Name | Device name.
Config File Version | Version number of the backup configuration file.
First Backup on | Date when the oldest version of the backup configuration file was created.
Most Recent Backup on | Date when the configuration file was backed up most recently.
Backing Up Device Configuration Files
To back up device configuration files:
1. Click Backup.
The Backup Devices Configuration page opens in the main window.
2. Select the devices to back up from the device tree.
3. To back up configuration files immediately, click Backup Now.
The backup job runs. When it finishes, the Manage Device Configuration table shows
updated information for the devices you backed up.
4. To schedule the backup to run later, click Schedule Backup.
The Schedule Backup window opens.
a. Select the Schedule at a later time check box.
b. Specify when the backup will run using the Date and Time fields.
c. Optionally, configure the backup job to repeat by selecting the Repeat check box,
then specifying the backup schedule using the provided fields.
Optionally, you can specify when repeated backups will stop by selecting the End
Time check box, then specifying the last date on which the repeated backup job
will run using the Date and Time fields.
d. Click Schedule Backup.
Restoring Device Configuration Files
You can restore a backed up configuration file to the device from which it was backed
up.
CAUTION: Restoring a configuration file to a device is considered an
out-of-band configuration change, which can cause some unexpected results.
For more information, see “Understanding Build Mode in Location and Device
Views of Edge Services Director” on page 147.
To restore backed up configuration files to devices:
1. Select the devices to restore from the Manage Device Configuration list.
2. Click Restore.
The Restore Device Configuration File(s) window opens.
3. To restore a configuration file that is older than the most recent version, click in the
Latest Version cell and select the version to restore.
4. Click Restore.
Viewing Device Configuration Files
To view the backed up configuration files for a device:
1. Select the device from the Manage Device Configuration list.
2. Click View Configuration File.
The Device Configuration Summary window opens, displaying the most recently
backed up configuration file.
3. To view an older stored configuration file version, select a version number from the
Config File Version list.
Comparing Device Configuration Files
To compare backed up device configuration files:
1. Select the configuration files to compare from the Manage Device Configuration list.
2. Click Compare Configuration Files.
The Compare Configuration Files window opens.
3. Select a source device from the Source Device list and a configuration file version from
the Config File Version list.
4. Select a target device from the Target Device list and a configuration file version from
the Config File Version list.
5. The configuration file versions you selected are displayed in the window. The file name
and version appear at the top of each file. The differences between the configuration
files are color-coded. The color-coding legend appears at the top of the window.
Deleting Device Configuration Files
When you delete a device’s backed up configuration, all of the configuration file versions
for the device are deleted.
To delete device configuration files:
1. Select the configuration files to delete from the Manage Device Configuration list.
2. Click Delete.
The Delete Device Configuration File(s) window opens.
3. Verify that the correct devices are listed, then click Delete.
Managing Device Configuration File Management Jobs
Each time you back up or restore device configuration files, a device configuration file
management job is created.
To manage device configuration file management jobs:
1. Click Deploy in the Edge Services Director banner.
2. In the Tasks pane, select Device Configuration Files > View Configuration File Mgmt
Jobs.
The Device Configuration Jobs page opens in the main window, listing the device
configuration file management jobs.
Managing these jobs is similar to managing other types of jobs using the System mode.
The advantage of accessing the jobs this way is that the jobs list shows only configuration
file management jobs.
Managing Jobs
Edge Services Director enables you to view and manage jobs. You can view the status
of completed jobs and cancel the jobs that are scheduled to execute at a later time or
jobs that are in progress.
The Job Management page, accessible as a System task, enables you to view and manage
all jobs. In addition, Edge Services Director enables you to view special pre-filtered versions
of this page from various other tasks, such as View Discovery Status or View Image
Deployment Jobs. These pages contain the same fields (although some fields might be
hidden) and have the same functionality as the Job Management page, but they list only
those jobs relevant to particular tasks.
To display the Job Management page:
1. Click System on the Edge Services Director banner.
2. Select Manage Jobs from the Tasks pane. The Job Management page appears.
3. To view the details of a job, select a row and click Show Details or double-click a row.
4. To cancel a scheduled job, select a job that is scheduled for a later time or a job that
is in progress and click Cancel.
The fields in the Job Management page are described in Table 20 on page 47. To view
any hidden column, hover over any column heading, select the down arrow,
and then click Columns. Select the check box to display the hidden columns.
NOTE: Details of jobs initiated from Edge Services Director will be available
only from Edge Services Director. These jobs will not be listed in the Job
Management pane in Junos Space platform and vice-versa.
Table 53: Job Management Page Fields
Field | Description
Job ID | The unique ID assigned to the job
Name | The name of the job
Percent | The percentage of completion of the job
State | The status of the job:
• Success—Job completed successfully
• Failure—Job failed and was terminated
• Job Scheduled—Job is scheduled but has not yet started
• In progress—Job has started, but not completed
• Cancelled—Job is cancelled
Job Type | The type of the job
Summary | Summary of the job scheduled and executed with status
Scheduled Start Time | The time when the job is scheduled to start
Actual Start Time | The actual time when the job started
End Time | The time when the job was completed
User | The login ID of the user that initiated the task
Recurrence | The recurrent time when the job will be restarted.
CHAPTER 19
Software Image Management
• Managing Software Images on page 333
• Deploying Software Images on page 335
• Managing Software Image Deployment Jobs on page 339
Managing Software Images
This topic describes how to manage software images for managed devices.
To start managing software images:
1. Click Deploy in the Edge Services Director banner.
2. In the Tasks pane, select Image Management > Manage Image Repository.
The Device Image Repository page opens in the main window. The table lists the
software images in the repository.
3. In the Tasks pane, select Device Configuration File Management > Manage Device
Configuration.
The Manage Device Configuration page opens in the main window. The table lists the
devices that have configuration files backed up software images in the repository.
This topic describes:
• Selecting Software Image Management Options on page 333
• Adding Software Images to the Repository on page 334
• Using the Device Image Upload Window on page 334
• Viewing Software Image Details on page 334
• Using the Device Image Summary Window on page 335
• Deleting Software Images on page 335
Selecting Software Image Management Options
From the Device Image Repository page, you can:
• Add a software image to the repository by clicking Add.
• View details about a software image by selecting it and clicking Details.
• Delete software images from the repository by selecting them and clicking Delete.
Table 54 on page 334 describes the information provided in the Device Image Repository
table.
Table 54: Device Image Repository Table
Table Column | Description
Check box | Select to perform an action on the software image in that row.
Name | Software image name.
Version | Software version.
Series | Device series that uses the software image.
Uploaded By | User who uploaded the software image.
Created On | Time when the software image was uploaded to the server.
Size(MB) | Size of the software image in megabytes.
Adding Software Images to the Repository
Software images are stored in a repository on the Edge Services Director server.
To add a software image to the repository:
1. Click Add.
The Device Image Upload window opens.
2. Use the Device Image Upload window to upload a device software image. See “Using
the Device Image Upload Window” on page 334 for a description of the window.
Using the Device Image Upload Window
To use the Device Image Upload window to add a software image to the repository:
1. Click Browse and browse to the software image file.
2. Click Upload to add the file to the repository.
Viewing Software Image Details
To view details about a software image:
1. Select the software image file in the table.
2. Click Details.
The Device Image Summary window opens. See “Using the Device Image Summary
Window” on page 335 for information about this window.
Using the Device Image Summary Window
Use the Device Image Summary window to view detailed information about a software
image. Table 55 on page 335 describes the fields in this window.
Table 55: Device Image Summary Window
Field | Description
Name | Software image filename.
Version | Software version (release number).
Series | Device series on which the software is supported.
Supported Platforms | Platforms on which the software is supported.
Uploaded By | User who uploaded the image to the server.
Created On | Date and time when the software image was uploaded.
Size (MB) | Size of the software image file, in megabytes.
OK | Click to close the window.
Deleting Software Images
To delete software image files:
1. Select the check box in the rows of the software image files that you want to delete.
2. Click Delete.
Related Documentation
• Understanding Deploy Mode in Gateway and Service Views of Edge Services Director
on page 315
Deploying Software Images
This topic describes how to deploy software images to managed devices. You must
upload software images to the Edge Services Director server before you can deploy them
to devices. See Managing Software Images for more information.
To start deploying software images:
1. Click Deploy in the Edge Services Director banner.
2. Select a node in the View pane that contains the devices to which you want to deploy
software images.
3. In the Tasks pane, select Image Management > Deploy Images to Devices.
The Select Devices page of the Deploy Images to Devices wizard opens in the main
window.
This topic describes:
• Specifying Software Deployment Job Options on page 336
• Selecting Software Images To Deploy on page 336
• Selecting Options for Software Deployment on page 337
• Summary of Software Deployment on page 339
Specifying Software Deployment Job Options
To specify software deployment job options in the Select Devices page:
1. In the Job name field, enter a job name.
2. From the Device and deployment options list, select an option:
• Select Staging only (Download image to the device) to download the software image
to the device but not install it.
• Select Upgrade only (Install previously staged image on device) to upgrade the device
to a software image that was previously staged on the device.
• Select Staging and Upgrade (Download and Install image on device) to download
the software image and install it on the device.
Devices are not automatically rebooted after upgrade to make the device begin running
the new software version. You can select the option to reboot the device automatically
after the upgrade in a later wizard page.
3. Click Next to continue to the next page.
The Select Images page opens. Select a software image as described in “Selecting
Software Images To Deploy” on page 336.
Selecting Software Images To Deploy
The Select Images page includes a table listing each device group and device that you
selected for deployment. See Table 56 on page 337 for a description of the table columns.
If you selected the Upgrade only (Install previously staged image on device) option, only
devices that contain a previously staged software image appear in the table. You cannot
select a different image to install on these devices.
To select the software images to deploy, perform the following steps on the table row
for each device group or individual device that you want to upgrade:
1. In the Proposed Image Version/Profile column, click Select Image/Profile.
The Select Image/Profile list is displayed.
2. From the Select Image/Profile list, select a software image.
TIP: To clear this field, select Select Image/Profile from the list.
3. After you finish selecting software images, click Next to continue to the next page.
The Select Options page opens.
TIP: A pop-up message notifies you if you do not select a software image
for all the listed devices. This is just for your information. No action will be
taken on devices for which you do not select a software image. In effect,
this removes those devices from the job.
Select options for software deployment as described in “Selecting Options for Software
Deployment” on page 337.
Table 56: Select images for devices Table
Table Column | Description
Device Family | Device family to which the device belongs. Devices are grouped by family. To display the devices within a device family, click the arrow next to the device family name.
Count | Number of devices contained within a device family.
IP Address | Device’s IP address.
Device Name | Device’s name.
State | Device’s state:
• UP—Edge Services Director can communicate with the device.
• DOWN—Edge Services Director cannot communicate with the device.
Running Image Version | Software version the device is running.
Proposed Image Version/Profile | Software version that will be installed on the device when the job runs successfully.
Selecting Options for Software Deployment
The options that you can configure in the Select Options page are described in
Table 57 on page 338. The options that are available depend on the job flow you chose in
the Select Images page.
After you finish selecting options, click Next to continue to the next page. The Summary
page opens. Review the job summary as described in “Summary of Software Deployment”
on page 339.
Table 57: Image Management Job Options
Option | Action
Select Options
All Device Types
Delete any existing image before download | Select to delete any existing software images on devices before downloading the new software image.
Reboot device after successful installation | Select to reboot the device after the software image is installed. A reboot is required to begin running the new software version on the device.
NOTE: This option might be disabled depending on the details that you specify in the remaining
fields. This indicates that, for the options that you specified, the system automatically
reboots the device as required during or after the image upgrade.
Wired Devices
Check compatibility with current configuration | Select to validate the software package or bundle against the current configuration as a prerequisite to adding the software package or bundle.
ISSU/NSSU | Select if you want to perform a nonstop software upgrade (NSSU) or in-service software upgrade (ISSU).
ISSU enables you to upgrade between two different Junos OS releases with minimal
disruption on the control plane and with minimal disruption of traffic.
NSSU enables you to upgrade the software running on an MX Series router with redundant
Routing Engines or on most EX Series Virtual Chassis by using a single command and with
minimal disruption to network traffic.
Archive data (Snapshot) | Select to take an archive snapshot of the files currently used to run the switch and copy them to an external USB storage device connected to the switch.
Copy to alternate slice | Select to copy the new Junos OS image into the alternate root partition. This ensures that the resilient dual-root partitions feature operates correctly.
This option is available only if you select Reboot device after successful installation.
Select Schedule
Stage now | Select Stage now to start staging software images to devices as soon as the job runs.
Stage later time | Select Stage later time to schedule the staging for a later time.
Staging Schedule | If you selected Stage later time, enter the date and time for staging to start.
Upgrade now | Select Upgrade now to start upgrading software images on devices as soon as staging finishes.
Upgrade later time | Select Upgrade later time to schedule the software upgrade for a later time.
Deployment Schedule | If you selected Upgrade later time, enter the date and time for upgrade to start.
If you scheduled staging, you must schedule the upgrade for at least 10 minutes after
staging, to ensure that staging completes before upgrade starts.
Summary of Software Deployment
On the Summary page, review the selections you made for the job. To change selections,
click Edit in the area that you want to change. You can also click the boxes in the process
flowchart above the wizard page to navigate between pages. When you are done making
selections, click Finish on the Summary page to save the job, and run it if you configured
the job to run immediately.
Related Documentation
• Understanding Deploy Mode in Gateway and Service Views of Edge Services Director
on page 315
Managing Software Image Deployment Jobs
This topic describes how to manage software image jobs. A software image job is created
each time you deploy software images to devices or schedule a software image
deployment. You can check the status of jobs, see job details, and cancel scheduled jobs.
To start managing software image jobs:
1. Click Deploy in the Edge Services Director banner.
2. In the Tasks pane, select Image Management > View Image Deployment Jobs.
The Image Deployment Jobs page opens in the main window.
This topic describes:
• Selecting Software Image Management Options on page 339
• Viewing Software Image Job Details on page 340
• Using the Device Image Staging Window on page 340
• Canceling Software Image Jobs on page 341
Selecting Software Image Management Options
From the Image Deployment Jobs page, you can:
• Show deployment job details by selecting a job and clicking Show Details. See “Viewing
Software Image Job Details” on page 340 for more information.
• Cancel a pending job by selecting the job and clicking Cancel Job. See “Canceling
Software Image Jobs” on page 341 for more information.
Table 58 on page 339 describes the information provided in the Image Deployment
Jobs table.
Table 58: Image Deployment Jobs Table
Table Column | Description
Job Id | An identifier assigned to the job.
Check box | Select to perform an action on the job in that row.
Job Name | Job name.
Percent | Percentage of the job that is complete.
Status | Job status. The possible states are:
• CANCELLED—The job was cancelled by a user.
• SCHEDULED—The job is scheduled but has not run yet.
• INPROGRESS—The job is running.
• SUCCESS—The job completed successfully. This state is applied if all of the devices in
the job completed successfully.
• FAILURE—The job failed. This state is applied if any of the devices in the job failed. But
some of the devices might have completed successfully. View the job details for the
status of each device.
Summary | Job summary.
Scheduled Start Time | Job’s scheduled start time.
Actual Start Time | Time when the job started.
End Time | Time when the job ended.
User | User who created the job.
Recurrence | This field is not used for software image management jobs.
Viewing Software Image Job Details
To view the details of a software image job:
1. Select the job in the table.
2. Click Show Details.
The Device Image Staging window opens. See “Using the Device Image Staging
Window” on page 340 for a description of the window.
Using the Device Image Staging Window
Use the Device Image Staging window to view information about software image jobs.
Table 59 on page 341 describes this window.
Table 59: Device Image Staging Window Description
Field | Description
Job Name | Job name.
Start Time | Job’s scheduled start time.
End Time | Time when the job ended.
% Complete | Percentage of the job that is complete.
Status | Job status. The possible statuses are:
• CANCELLED—The job was cancelled by a user.
• SCHEDULED—The job is scheduled but has not run yet.
• INPROGRESS—The job is running.
• SUCCESS—The job completed successfully.
• FAILURE—The job failed.
Host Name | Host name of device.
Status | Device status. The possible statuses are:
• INPROGRESS—The job is running.
• SUCCESS—The job completed successfully.
• FAILURE—The job failed.
% Complete | Percentage of the job that is complete on the device.
Start Time | Time when the job started on the device.
End Time | Time when the job ended on the device.
Description | Description of the job on the device. Can include error messages for failed devices.
Close | Click to close the window.
Canceling Software Image Jobs
To cancel a software image job:
1. Select the job in the table.
2. Click Cancel.
Related Documentation
• Understanding Deploy Mode in Gateway and Service Views of Edge Services Director
on page 315
CHAPTER 20
Viewing and Editing Service Instances and
Packet Filters Across All Gateways
• Viewing Service Object Statistics on page 343
• Modifying Service Instances on page 345
• Modifying Packet Filter Policies on page 347
Viewing Service Object Statistics
To view a graphical representation in the form of pie charts of the configured ADC, TLB,
CGNAT, SFW, and packet policies or filters:
1. From the View selector, select Gateway View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Deploy icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the View pane, select the All Network item in Gateway view. Click the plus sign
(+) beside the All Network item in the View pane to expand the tree and select the
device node you want.
4. From the task pane, select Service Edit. On the right pane, pie charts corresponding
to the configured services and policy filters are displayed if you view the page without
drilling-down the tree in the task pane to select a particular service or policy. The same
Service Object Statistics page is displayed when you select View Statistics from the
task pane.
5. In the View pane, from the tree that lists the SDGs, select All SDG, or the SDG or SDG
pair for which you want to view the previously configured policy or filter templates.
The page is divided into three panes. The list of SDGs are displayed on the left pane.
You can drill-down to the SDG or pair of SDGs for which you want to view the service
statistics.
Figure 33: Service Edit Page with Pie Charts of Configured Service Types
The Service Object Statistics page is displayed. A set of five pie charts are displayed
when you select Service Edit from the task pane, without expanding the tree and
selecting a policy and filter template. The pie charts are displayed for the different
policy and service filters, such as ADC, TLB, CGNAT, stateful firewall, and packet filter
templates. A color-code is used to denote different portions of the pie chart for the
service policy filters in various states. Mouse over each portion of the pie to view the
number corresponding to the percentage of each service policy filter in a particular
state. The following segments are displayed in the pie chart as a percentage of the
total number of service policy filters.
• In Sync—The configuration on the device is in sync with the Edge Services Director
configuration for the device.
• Out Of Sync—The configuration on the device does not match the Edge Services
Director configuration for the device. This state is usually the result of the device
configuration being altered outside of Edge Services Director. You cannot deploy
configuration on a device from Edge Services Director when the device is Out Of
Sync. To resolve this state, use the Resynchronize Device Configuration task in
Deploy mode.
• Sync failed—An attempt to resynchronize an Out Of Sync device failed.
• Synchronizing—The device configuration is in the process of being resynchronized.
• N/A—The device is down or is an access point.
Related Documentation
• Policy and Filter Management Overview on page 355
• Packet and Service Filters Overview on page 358
• Searching for CGNAT Policies on page 361
• Searching for Packet Filters on page 364
• Searching for SFW Policies on page 366
• Managing Service and Policy Locks on page 367
• Unlocking Locked Services and Policies on page 368
Modifying Service Instances
On the Service Designer page, you can view the collection of service templates defined
for several applications, such as stateful firewall or CGNAT.
To modify service template instances, such as ADC, SFW, CGNAT, or TLB templates:
1. From the View selector, select Service View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Deploy icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the task pane, select Service Edit.
The Service Instances page is displayed in the right pane, listing all the previously
defined service templates.
4. From the View pane, perform one of the following tasks:
• Click the ADC button.
The list of ADC service templates is displayed. You need not click this button if you
are launching the Service Designer page for the first time or are navigating to this
page from another mode or a different page. You need to click this button only if
you are viewing the other service templates, such as CGNAT or TLB.
• Click the SFW button.
The list of SFW templates is displayed.
• Click the TLB button.
The list of TLB templates is displayed.
• Click the CGNAT button.
The list of CGNAT templates is displayed.
5. Click the Lock icon above the table of listed packet filters. The Select Reference Config
dialog box is displayed.
6. From the Service Gateway Name drop-down list, select the SDG group to which the
packet filter must be applied.
7. From the Host Name drop-down list, select the hostname of the SDG.
8. In the Select Common Components section, select the check boxes beside the service
modules or components, such as packet filters, SFW rules, or CGNAT rules, that are
displayed. The displayed components depend on the attributes that are previously
defined for that selected packet filter. For example, if the service policy is for stateful
firewall, SFW rules and SFW rule sets are shown. Select the check box beside Config
Category to select all the service components.
9. Click Save to save the modified association.
10. Select the check box beside the template you want to modify.
11. Open the Modify menu above the list of templates to modify an existing template,
and select the component or service attribute, such as application or rule, that you
want to edit.
12. Perform one of the following from the drop-down menu displayed for each component:
• To retrieve the service component and import it into the database of Edge Services
Director, select Import Object. The Import Services dialog box appears. You can
import the service templates assigned to SDGs or choose from a list of all of the
predefined templates in the database. Also, you can import either all of the
components of a service or specific components.
• To create the component afresh, select Create New. The Create page corresponding
to the service component appears. You can define the attributes for the service
component in the same manner as you define the elements during the creation of
a service template.
13. Click the down arrow in the Actions menu and select Send for Deployment to create
a deployment plan for the particular service template and save the plan.
If you create a deployment plan from Service view of Deploy mode, the Edit Service
Instance page is displayed. You can modify the SDGs associated with the service
instance and also modify the service instance attributes as necessary by either clicking
the buttons corresponding to the various settings at the top of the wizard page to
directly traverse to the page you want to modify or clicking the navigation buttons at
the bottom of the wizard page to go to the different pages of the wizard. Click Finish
to create a deployment plan.
A deployment plan is created for the service template and the devices that are assigned
to it, and is listed when you view the Deployment Plans page.
From the Deployment Plans page, you can select Reject or Approve from the Actions
drop-down list to reject or approve the deployment plan and make it available for
commissioning to the devices.
14. Select Discard changes from the Actions menu to discard the modifications made to a
policy or filter template.
Related Documentation
• Service Templates Overview on page 182
• Filtering Service Templates on page 183
• Using the Actions Menu on the Service Template and Service Edit Pages on page 187
Modifying Packet Filter Policies
On the Packet Filter Policies page, you can view the collection of previously configured
packet filters and perform an enhanced edit to select a different SDG group and an SDG
host in the group to be associated with the packet filter.
To modify packet filter services and specify the SDG group, SDG host, and service
attributes to be associated with the packet filters:
1. From the View selector, select Service View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Deploy icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the View pane, click the plus sign (+) beside All Services to expand the tree and
select the type of service.
4. From the task pane, select Deploy Service > Packet Filter.
The Packet Filter Policies page is displayed on the right pane, listing all the previously
defined packet filters.
5. Click the Lock icon above the table of listed packet filters. The Select Reference Config
dialog box is displayed.
6. From the Service Gateway Name drop-down list, select the SDG group to which the
packet filter must be applied.
7. From the Host Name drop-down list, select the hostname of the SDG.
8. In the Select Common Components section, select the check boxes beside the service
modules or components, such as packet filters, that are displayed. The displayed
components depend on the attributes that are previously defined for that selected
packet filter. Select the check box beside Config Category to select all the service
components.
9. Click Save to save the modified association.
10. Select the check box beside the packet filter you want to modify.
11. Open the Modify menu above the list of templates to modify an existing packet filter.
The Modify Packet Filter window is displayed. Modify the attributes that are needed
and save the updated settings.
12. Click the down arrow in the Actions menu and select Send for Deployment to create
a deployment plan for the particular service template and save the plan.
• If you create a deployment plan from Gateway view of Deploy mode, the Deployment
Plan Summary dialog box appears, with the service name, type, and status listed.
Click Send to create a deployment plan.
• If you create a deployment plan from Service view of Deploy mode, the Edit Service
Instance page is displayed. You can modify the SDGs associated with the service
instance and also modify the service instance attributes as necessary by either
clicking the buttons corresponding to the various settings at the top of the wizard
page to directly traverse to the page you want to modify or clicking the navigation
buttons at the bottom of the wizard page to go to the different pages of the wizard.
Click Finish to create a deployment plan.
A deployment plan is created for the service template and the devices that are assigned
to it, and is listed when you view the Deployment Plans page.
From the Deployment Plans page, you can select Reject or Approve from the Actions
drop-down list to reject or approve the deployment plan and make it available for
commissioning to the devices.
13. Select Discard changes from the Actions menu to discard the modifications made to a
packet filter policy.
Related Documentation
• Service Templates Overview on page 182
• Filtering Service Templates on page 183
• Using the Actions Menu on the Service Template and Service Edit Pages on page 187
CHAPTER 21
Enhanced Editing of Services and Packet Filters
• Enhanced Editing of Service Policies and Policy Filters Overview on page 349
• Modifying the Association of SDG Details and Service Components for a Packet Filter
Policy on page 350
• Modifying the Association of SDG Details and Service Components for a Service Policy
Filter on page 352
Enhanced Editing of Service Policies and Policy Filters Overview
In Gateway View of Deploy mode, with All Network selected in the View pane and Policy &
Filters selected in the task pane, you can select a different SDG host from the Host Name
list, and a different rule term from the Term Name list from the page that lists all of the
previously defined service policies. This type of inline or embedded editing enables you
to quickly and optimally change the rule term in a service policy and the SDG with which
the policy must be associated.
Inline modification signifies the ability to perform changes to previously defined settings
in an easy and quick manner. Embedded editing is enabled, which causes the grids showing
the devices and interfaces to become modifiable directly without the need to perform
the process of highlighting, editing, and saving the changes every time you want to edit
a particular parameter. The page that displays the configured settings presents as a form
in which the fields or cells of the table are editable.
Instead of modifying an existing stateful firewall, NAT, or packet filter policy to associate
a different SDG host with the policy by using the Service Edit option in the task pane in
Service View of Deploy mode, you can easily and rapidly change the SDG host mapped
to a policy using the enhanced editing mechanism.
Related Documentation
• Modifying the Association of SDG Details and Service Components for a Packet Filter
Policy on page 350
• Modifying the Association of SDG Details and Service Components for a Service Policy
Filter on page 352
Modifying the Association of SDG Details and Service Components for a Packet Filter Policy
From the Policy & Filters page, which displays all the previously configured packet filters,
you can modify the components or the parameter types that are associated with a
particular service filter. You must lock the packet filters for which you want to modify the
attached rule term components or attributes before you can update the settings. You
can also select a different SDG to which the packet filter must be applied.
To modify the association of SDGs and the rule term component for a packet filter, such
as a stateless firewall filter:
1. From the View selector, select Service View. The workspaces that are applicable to
edge services are displayed.
2. Select All Network from the Service View pane. You can modify the association of
SDGs with service policies only if you select the All Network label in the View pane.
If you expand the All Network tree and select an SDG group or an SDG in a redundancy
pair, you cannot modify the association of service policies and rules with SDGs in a
single-shot, one-step operation.
3. From the Junos Space user interface, click the Deploy icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
4. From the View pane, select the All Network item in Gateway view. Click the plus sign
(+) beside the All Network item in the View pane to expand the tree and select the
device node you want.
5. Select Policy & Filters from the task pane.
The Services page is displayed.
6. Click the down arrow next to Policy & Filters to expand the tree in the task pane and
view the list of filter templates.
Select Packet Filter to open the Service Edit > Packet Filter page on the right pane.
Figure 34: Enhanced Edit Page for Packet Filters
The following fields are displayed on this page:
Table 60: Service Edit > Packet Filter Page

| Field | Description |
|---|---|
| Instance Name | Name of the configured service template instance |
| OS Version | Junos OS release number that represents a particular revision of the software that runs on a Juniper Networks routing platform, for example, Junos OS Release 8.5, 9.1, or 9.2. Each Junos OS release has certain new features that complement the software processes that support Internet routing protocols, control the device’s interfaces and the device chassis itself, and allow device system management. |
| Group Name | Name of the SDG group |
| Reference Host | Hostname of the SDG with which the service instance is associated. |
| Deployment Plans | Name of the deployment plan with which the service template is attached. |
7. From the Term Name drop-down list, select the rule term with which the packet filter
must be applied.
8. From the Host Name drop-down list, select the hostname of the SDG.
9. In the Select Common Components section, select the check boxes beside the service
modules or components, such as packet filters, SFW rules, or CGNAT rules, that are
displayed. The displayed components depend on the attributes that are previously
defined for that selected packet filter. For example, if the service policy is for stateful
firewall, SFW rules and SFW rule sets are shown. Select the check box beside Config
Category to select all the service components.
The modified association is saved.
You can use the Actions menu in the Service Template pages for packet filters to publish,
unpublish, export, and restore the defined policies or filters. For details, see Using the
Actions Menu in the Service Template Page.
Related Documentation
• Creating Service Gateway Groups on page 96
• Managing Service Gateway Groups on page 97
• Searching Unmanaged Devices on page 101
• Viewing the List of Discovered, Managed, and Unmanaged Devices on page 102
• Modifying Discovery Profiles on page 110
• Deleting Discovery Profiles on page 111
Modifying the Association of SDG Details and Service Components for a Service Policy Filter
From the Policy & Filters page, which displays all the previously configured service policy
filters, you can modify the components or the parameter types that are associated with
a particular service filter. You must lock the service policy filters for which you want to
modify the attached service components or attributes before you can update the settings.
You can also select a different SDG to which the service policy filter must be applied.
To modify the association of SDGs and service components for a service policy filter,
such as a stateful firewall service, or a carrier-grade NAT service policy:
1. From the View selector, select Service View. The workspaces that are applicable to
edge services are displayed.
2. Select All Network from the Service View pane. You can modify the association of
SDGs with service policies only if you select the All Network label in the View pane.
If you expand the All Network tree and select an SDG group or an SDG in a redundancy
pair, you cannot modify the association of service policies and rules with SDGs in a
single-shot, one-step operation.
3. From the Junos Space user interface, click the Deploy icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
4. From the View pane, select the All Network item in Gateway view. Click the plus sign
(+) beside the All Network item in the View pane to expand the tree and select the
device node you want.
5. Select Policy & Filters from the task pane.
The Service Edit page is displayed.
Figure 35: Enhanced Edit Page for Service Policy Rules
6. Click the plus sign (+) next to Policy & Filters to expand the tree in the task pane and
view the list of filter templates. Do one of the following:
• Select CGNAT to open the Service Edit > CGNAT page on the right pane.
• Select SFW to open the Service Edit > SFW page on the right pane.
The following fields are displayed on this page:
Table 61: Services – CGNAT and SFW Page

| Field | Description |
|---|---|
| Instance Name | Name of the configured service template instance |
| OS Version | Junos OS release number that represents a particular revision of the software that runs on a Juniper Networks routing platform, for example, Junos OS Release 8.5, 9.1, or 9.2. Each Junos OS release has certain new features that complement the software processes that support Internet routing protocols, control the device’s interfaces and the device chassis itself, and allow device system management. |
| Group Name | Name of the SDG group |
| Reference Host | Hostname of the SDG with which the service instance is associated. |
| Applications | Name of the application protocols created for the service template. |
| Application Sets | Name of the application sets created for the service template. |
| SFW Rules | Name of the stateful firewall rules created for the service instance. |
| SFW Rule Sets | Name of the stateful firewall rule sets created for the service template. |
| NAT Pools | Name of the CGNAT pool created for the service template. |
| NAT Rules | Name of the CGNAT rules created for the service instance. |
| NAT Rule Sets | Name of the CGNAT rule sets created for the service template. |
| Syslogs | Name of the syslog created for the service template. |
| Deployment Plans | Name of the deployment plan with which the service template is attached. |
7. From the Term Name drop-down list, select the rule term that must be assigned to
the service policy filter, such as CGNAT or stateful firewall service policies.
8. From the Host Name drop-down list, select the hostname of the SDG.
The modified association is saved.
You can use the Actions menu in the Service Template pages for CGNAT, SFW, and
packet filters to publish, unpublish, export, and restore the defined policies or filters. For
details, see Using the Actions Menu in the Service Template Page.
Related Documentation
• Creating Service Gateway Groups on page 96
• Managing Service Gateway Groups on page 97
• Searching Unmanaged Devices on page 101
• Viewing the List of Discovered, Managed, and Unmanaged Devices on page 102
• Modifying Discovery Profiles on page 110
• Deleting Discovery Profiles on page 111
CHAPTER 22
Managing Service Instance and Policy Rule Definitions
• Policy and Filter Management Overview on page 355
• Packet and Service Filters Overview on page 358
• Searching for CGNAT Policies on page 361
• Searching for Packet Filters on page 364
• Searching for SFW Policies on page 366
• Managing Service and Policy Locks on page 367
• Unlocking Locked Services and Policies on page 368
• Viewing Policy and Filter Instances on page 369
• Creating and Managing CGNAT Policy and Filter Instances on page 375
• Creating and Managing Packet Filter Policy Instances on page 397
• Creating and Managing SFW Policy and Filter Instances on page 409
• Viewing CGNAT Service Templates on page 430
• Viewing SFW Service Templates on page 431
• Viewing and Modifying ADC Service Instances on page 432
• Viewing and Modifying TLB Service Instances on page 443
• Using the Actions Menu on the Service Policy and Packet Filter Pages on page 454
• Tagging Junos Space Network Management Platform Objects on page 456
Policy and Filter Management Overview
The Policy and Filter Management feature in the Junos Space Edge Services Director
application handles the creation, update, display, publishing, and commissioning of packet
filters, stateful firewall policies, and NAT policies present on discovered and managed SDGs.
The Service Management workspace displays a bar graph of draft, published, and approved
filters or policies for the different options available under the workspace.
• Packet Filter: This option displays packet filters present on SDGs in a tabular layout.
It also provides the ability to create, update and delete filters on selected SDGs.
• Stateful Firewall: This option displays stateful firewall policies present on SDGs in a
tabular layout. It also provides the ability to create, update, and delete stateful firewall
policies on selected SDGs.
• CGNAT: This option displays CGNAT policies present on SDGs in a tabular layout. It
also provides the ability to create, update, and delete CGNAT policies on selected
SDGs.
After a filter or policy is published, it goes for peer review and approval. After
approval, the filter or policy is deployed to the device.
The Service Deployment page provides the following functionalities:
1. Approval Management – View the details of the filters or policies and other service
deployment plans that are pending approval. Approve or reject deployment plans
made for an existing feature.
2. Update Devices – View the details of approved filters or policies and other service
deployment plans that are ready for commissioning. Commission or discard the
deployment plans accordingly.
States and Transitions of Policies or Filters
A filter has the following states:
• New
• Updated
• Deleted
A user can carry out the following operations depending on the status of a filter:
• Add – Create a new filter for a Zone, SDG, or Host.
• Update – Update an existing filter on an SDG.
• Delete – Delete an existing filter on an SDG.
• Send for Deployment – Deploy the policy and filter instance on the associated
standalone SDG or SDGs in a high availability pair.
You can perform the following tasks with a deployment plan created for provisioning
a policy on SDGs:
• Publish – Publish a new, updated, or deleted filter for administrator or designer approval.
• Unpublish – Unpublish the published filter to make more changes. The filter returns to
the “Draft” status.
• Approve – An administrator or designer approves the published filter.
• Reject – An administrator or designer rejects the published filter.
• Commission – An administrator or designer pushes updates to the SDG.
• Discard – An administrator or designer discards an approved filter without pushing
updates to the SDG.
User Roles
An SDG operator is responsible for creating, modifying, and deleting a policy or filter and
publishes it for approval by the designer. An SDG operator can access the Service
Management workspace and all options under it.
A user with the SDG designer role is responsible for the review and approval of a published
policy or filter. The workflow for review and approval is part of another workspace called
Service Deployment. As a user with the SDG designer role, you can access both the Service
Management and Service Deployment workspaces.
An SDG administrator is responsible for commissioning an approved policy or filter to
managed SDGs. The workflow for commissioning is part of another workspace called
Service Deployment. An SDG designer can access both the Service Management and
Service Deployment workspaces.
• SDG Operator – An SDG operator is responsible for creating, modifying, and deleting
a policy or filter and publishes it for approval by the designer. An SDG operator can access
the Service Management workspace and all options under it.
• SDG Designer – An SDG designer is responsible for the review and approval of a published
policy or filter. The workflow for review and approval is part of another workspace
called Service Deployment. An SDG designer can access both the Service Management
and Service Deployment workspaces.
• SDG Administrator – An SDG administrator is responsible for commissioning an approved
policy or filter to managed SDGs. The workflow for commissioning is part of another
workspace called Service Deployment. An SDG designer can access both the Service
Management and Service Deployment workspaces.
Related Documentation
• Policy and Filter Management Overview on page 355
• Searching for CGNAT Policies on page 361
• Searching for Packet Filters on page 364
• Searching for SFW Policies on page 366
• Managing Service and Policy Locks on page 367
• Unlocking Locked Services and Policies on page 368
• Viewing Policy and Filter Instances on page 369
Packet and Service Filters Overview
The Adaptive Services Physical Interface Cards (PICs), Multiservices PICs, and
Multiservices Dense Port Concentrators (DPCs) provide adaptive services interfaces.
Adaptive services interfaces enable you to coordinate a special range of services on a
single PIC or DPC by configuring a set of services and applications.
A service set is an optional definition you can apply to the traffic at an adaptive services
interface. A service set enables you to configure combinations of directional rules and
default settings that control the behavior of each service in the service set. When you
apply a service set to the traffic at an adaptive services interface, you can optionally use
service filters to refine the target of the set of services and also to process traffic. Service
filters enable you to manipulate traffic by performing packet filtering to a defined set of
services on an adaptive services interface before the traffic is delivered to its destination.
You can apply a service filter to traffic before packets are accepted for input or output
service processing or after packets return from input service processing.
A service filter defines packet-filtering (a set of match conditions and a set of actions)
for IPv4 or IPv6 traffic. You can apply a service filter to the inbound or outbound traffic
at an adaptive services interface to perform packet filtering on traffic before it is accepted
for service processing. You can also apply a service filter to the traffic that is returning to
the services interface after service processing to perform postservice processing.
Service filters filter IPv4 and IPv6 traffic only and can be applied to logical interfaces on
Adaptive Services PICs, MultiServices PICs, and MultiServices DPCs only.
The Junos OS standard stateless firewall filters support a rich set of packet-matching
criteria that you can use to match on specific traffic and perform specific actions, such
as forwarding or dropping packets that match the criteria you specify. You can configure
firewall filters to protect the local router or to protect another device that is either directly
or indirectly connected to the local router. For example, you can use the filters to restrict
the local packets that pass from the router’s physical interfaces to the Routing Engine.
Such filters are useful in protecting the IP services that run on the Routing Engine, such
as Telnet, SSH, and BGP, from denial-of-service attacks.
NOTE: If you configured targeted broadcast for virtual routing and forwarding
(VRF) by including the forward-and-send-to-re statement, any firewall filter
that is configured on the Routing Engine loopback interface (lo0) cannot be
applied to the targeted broadcast packets that are forwarded to the Routing
Engine. This is because broadcast packets are forwarded as flood next hop
traffic and not as local next hop traffic, and you can only apply a firewall filter
to local next hop routes for traffic directed toward the Routing Engine.
You can configure service filters to filter IPv4 traffic (family inet) and IPv6 traffic (family
inet6) only. No other protocol families are supported for service filters.
Under the family inet or family inet6 statement, you can include service-filter
service-filter-name statements to create and name service filters. The filter name can
contain letters, numbers, and hyphens (-) and be up to 64 characters long. To include
spaces in the name, enclose the entire name in quotation marks (“ ”).
Under the service-filter service-filter-name statement, you can include term term-name
statements to create and name filter terms.
Service filter terms support only a subset of the IPv4 and IPv6 match conditions that are
supported for standard stateless firewall filters.
If you specify an IPv6 address in a match condition (the address, destination-address, or
source-address match conditions), use the syntax for text representations described in
RFC 4291, IP Version 6 Addressing Architecture.
When configuring a service filter term, you must specify one of the following
filter-terminating actions:
• service
• skip
NOTE: These actions are unique to service filters.
Service filter terms support only a subset of the IPv4 and IPv6 nonterminating actions
that are supported for standard stateless firewall filters:
• count counter-name
• log
• port-mirror
• sample
Service filters do not support the next action.
Filtering Traffic Before Accepting Packets for Service Processing
To filter IPv4 or IPv6 traffic before accepting packets for input or output service processing,
include the service-set service-set-name service-filter service-filter-name statement at one of
the following hierarchy levels:
• [edit interfaces interface-name unit unit-number family (inet | inet6) service input]
• [edit interfaces interface-name unit unit-number family (inet | inet6) service output]
For the service-set-name, specify a service set configured at the [edit services service-set]
hierarchy level.
The service set retains the input interface information even after services are applied, so
that functions such as filter-class forwarding and destination class usage (DCU) that
depend on input interface information continue to work.
The following requirements apply to filtering inbound or outbound traffic before accepting
packets for service processing:
• You configure the same service set on the input and output sides of the interface.
• If you include the service-set statement without an optional service-filter definition,
the Junos OS assumes the match condition is true and selects the service set for
processing automatically.
• The service filter is applied only if a service set is configured and selected.
You can include more than one service set definition on each side of an interface. The
following guidelines apply:
• If you include multiple service sets, the router (or switch) software evaluates them in
the order in which they appear in the configuration. The system executes the first service
set for which it finds a match in the service filter and ignores the subsequent definitions.
• A maximum of six service sets can be applied to an interface.
• When you apply multiple service sets to an interface, you must also configure and
apply a service filter to the interface.
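The following Junos configuration is an added example, not taken from this guide, that puts the service-filter rules above together: two service sets on one logical interface, each selected by its own service filter on the input and output sides. The filter, counter, service-set, and interface names and the 198.51.100.0/24 prefix are placeholders, and the service sets sset-sfw and sset-nat are assumed to already exist at the [edit services service-set] hierarchy level.

```junos
# Added example. All names and the prefix are placeholders; sset-sfw and
# sset-nat are assumed to be defined under [edit services service-set].
# Every term ends in service or skip, the terminating actions of service filters.
firewall {
    family inet {
        # Input side, first service set: web traffic from the subscriber prefix.
        service-filter sf-web-in {
            term web {
                from {
                    source-address {
                        198.51.100.0/24;
                    }
                    protocol tcp;
                    destination-port [ 80 443 ];
                }
                then {
                    # Nonterminating action followed by the terminating action.
                    count web-in;
                    service;
                }
            }
            term other {
                then skip;
            }
        }
        # Input side, second service set: any other traffic from the prefix.
        service-filter sf-rest-in {
            term subscribers {
                from {
                    source-address {
                        198.51.100.0/24;
                    }
                }
                then {
                    count rest-in;
                    service;
                }
            }
            term other {
                then skip;
            }
        }
        # Output side: traffic heading back toward the same prefix.
        service-filter sf-web-out {
            term web {
                from {
                    destination-address {
                        198.51.100.0/24;
                    }
                    protocol tcp;
                    source-port [ 80 443 ];
                }
                then service;
            }
            term other {
                then skip;
            }
        }
        service-filter sf-rest-out {
            term subscribers {
                from {
                    destination-address {
                        198.51.100.0/24;
                    }
                }
                then service;
            }
            term other {
                then skip;
            }
        }
    }
}
interfaces {
    ge-1/0/0 {
        unit 0 {
            family inet {
                service {
                    input {
                        # Evaluated in configuration order; the first match is executed.
                        service-set sset-sfw service-filter sf-web-in;
                        service-set sset-nat service-filter sf-rest-in;
                    }
                    output {
                        # The same service sets as on the input side.
                        service-set sset-sfw service-filter sf-web-out;
                        service-set sset-nat service-filter sf-rest-out;
                    }
                }
            }
        }
    }
}
```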
Postservice Filtering of Returning Service Traffic
As an option to filtering of IPv4 or IPv6 input service traffic, you can apply a service filter
to IPv4 or IPv6 traffic that is returning to the services interface after the service set is
executed. To apply a service filter in this manner, include the post-service-filter
service-filter-name statement at the [edit interfaces interface-name unit unit-number family
(inet | inet6) service input] hierarchy level.
Related Documentation
• Policy and Filter Management Overview on page 355
• Searching for CGNAT Policies on page 361
• Searching for Packet Filters on page 364
• Searching for SFW Policies on page 366
• Managing Service and Policy Locks on page 367
• Unlocking Locked Services and Policies on page 368
• Viewing Policy and Filter Instances on page 369
Searching for CGNAT Policies
You can use the enhanced search utility on the Service Templates page for CGNAT
policies and packet filters to quickly and effectively identify and isolate the policies and
filters of interest.
The Service Templates page provides advanced search options for the CGNAT policies.
Enter the term that you want to specify as the filter criterion in the search field and click
the Search icon.
You can perform advanced searches for the following fields:
• Policy Name
• Source Address
• Destination Port
• Destination Address
• Application
• Translation Type
• NAT Pool
• Description
• Custom column
The following advanced search criteria are available:
• Wildcard search for rule names using an asterisk (*) is allowed.
• Edge Services Director supports AND and OR operations between search items. The
default behavior is OR.
• For rule name search, only the OR operation is allowed, because a policy cannot have
multiple rule names.
• For zone search, only the OR operation is allowed. Wildcard search is supported.
• For service and address fields, OR and AND operations are allowed.
• Multiple groups can be grouped using parentheses. Grouping can be used during field
or keyword searches as well.
• The negate (-) symbol can be used to exclude objects that contain a specific term name.
• The plus (+) operator can be used to specify that the term after the + symbol must exist in
the field value to be filtered, along with the other searched items.
• Escaping of special characters is part of the search syntax. The supported special
characters are + - && || ! ( ) { } [ ] ^ " ~ * ? : \.
NOTE: Use the AND operator to find rules that match all values for a given
set of fields. Use the OR operator to find rules that match any of the values
for a given set of fields.
1. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
2. Select Service Edit > Policy and Filter from the task pane. The Policy and Filter page
is displayed.
3. Click the plus sign (+) next to the policy and filter template to expand the tree in the
task pane and view the list of filter templates.
4. From the task pane, select CGNAT Policy and Filter to open the CGNAT and Filter page
on the right pane.
5. Enter the term that you want to specify as the filter criterion in the Search field and
click the Search icon.
Related Documentation
• Policy and Filter Management Overview on page 355
• Packet and Service Filters Overview on page 358
• Searching for Packet Filters on page 364
• Searching for SFW Policies on page 366
• Managing Service and Policy Locks on page 367
• Unlocking Locked Services and Policies on page 368
• Viewing Policy and Filter Instances on page 369
Searching for Packet Filters
You can use the enhanced search utility on the Service Templates page for CGNAT
policies and packet filters to quickly and effectively identify and segregate the
policies and filters that are of interest.
The Service Templates page provides advanced search options for the packet filters.
Enter the term that you want to specify as the filter criterion in the Filter field and click
the Filter icon.
You can perform advanced searches for the following fields:
• Filter Name
• Source Port
• Source Address
• Destination Port
• Destination Address
• Action
• Description
• Custom column
The following advanced search criteria are available:
• Wildcard search for rule names using an asterisk (*) is allowed.
• Edge Services Director supports AND and OR operations between search items. The
default behavior is OR.
• For rule name search, only the OR operation is allowed, because a policy cannot have
multiple rule names.
• For zone search, only the OR operation is allowed. Wildcard search is supported.
• For service and address fields, OR and AND operations are allowed.
• Multiple groups can be grouped using parentheses. Grouping can be used during field
or keyword searches as well.
• The negate (-) symbol can be used to exclude objects that contain a specific term name.
• The plus (+) operator can be used to specify that the term after the + symbol must
exist in the field value being filtered, along with other searched items.
• Escaping of special characters is part of the search syntax. The supported special
characters are + - && || ! ( ) { } [ ] ^ " ~ * ? : \.
NOTE: Use the AND operator to find rules that match all values for a given
set of fields. Use the OR operator to find rules that match any of the values
for a given set of fields.
1. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
2. Select Service Edit > Policy and Filter from the task pane. The Policy and Filter page
is displayed.
3. Click the plus sign (+) next to Service Template to expand the tree in the task pane
and view the list of filter templates.
4. From the task pane, select Packet Filter to open the Packet Filter page on the right
pane.
5. Enter the term that you want to specify as the filter criterion in the Search field and
click the Search icon.
Related Documentation
• Policy and Filter Management Overview on page 355
• Packet and Service Filters Overview on page 358
• Searching for CGNAT Policies on page 361
• Searching for SFW Policies on page 366
• Managing Service and Policy Locks on page 367
• Unlocking Locked Services and Policies on page 368
• Viewing Policy and Filter Instances on page 369
Searching for SFW Policies
You can use the enhanced search utility on the Service Templates page for SFW policies
and packet filters to quickly and effectively identify and segregate the policies and
filters that are of interest.
The Service Templates page provides advanced search options for the SFW policies.
Enter the term that you want to specify as the filter criterion in the search field and click
the Search icon.
You can perform advanced searches for the following fields:
• Policy Name
• Source Address
• Destination Port
• Destination Address
• Application
• Action
• Description
• Custom column
The following advanced search criteria are available:
• Wildcard search for rule names using an asterisk (*) is allowed.
• Edge Services Director supports AND and OR operations between search items. The
default behavior is OR.
• For rule name search, only the OR operation is allowed, because a policy cannot have
multiple rule names.
• For zone search, only the OR operation is allowed. Wildcard search is supported.
• For service and address fields, OR and AND operations are allowed.
• Multiple groups can be grouped using parentheses. Grouping can be used during field
or keyword searches as well.
• The negate (-) symbol can be used to exclude objects that contain a specific term name.
• The plus (+) operator can be used to specify that the term after the + symbol must
exist in the field value being filtered, along with other searched items.
• Escaping of special characters is part of the search syntax. The supported special
characters are + - && || ! ( ) { } [ ] ^ " ~ * ? : \.
NOTE: Use the AND operator to find rules that match all values for a given
set of fields. Use the OR operator to find rules that match any of the values
for a given set of fields.
1. From the Junos Space user interface, click the Build icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
2. Select Service Edit > Policy and Filter from the task pane. The Policy and Filter page
is displayed.
3. Click the plus sign (+) next to Service Template to expand the tree in the task pane
and view the list of filter templates.
4. From the task pane, select SFW Policy and Filter to open the SFW and Filter page on
the right pane.
5. Enter the term that you want to specify as the filter criterion in the Search field and
click the Search icon.
Related Documentation
• Policy and Filter Management Overview on page 355
• Packet and Service Filters Overview on page 358
• Searching for CGNAT Policies on page 361
• Searching for Packet Filters on page 364
• Managing Service and Policy Locks on page 367
• Unlocking Locked Services and Policies on page 368
• Viewing Policy and Filter Instances on page 369
Managing Service and Policy Locks
All the locked policies can be viewed in a single page. You can display the list of SFW,
CGNAT, or packet filter templates that are locked by filtering them separately. Such a
page shows all the locks of users only if you have the unlock task assigned; otherwise,
you see only your locks.
To view the locked services and policies:
1. From the View selector, select Gateway View. The devices that are organized in the
entire network based on the SDG pairs and the devices in each SDG group or pair are
displayed.
2. Click the Deploy icon on the Edge Services Director banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. Select the All Network item in the task pane. The tree can be expanded to view all
the configured SDG groups and SDGs in a high-availability or redundancy group.
4. Select Service Edit from the task pane. The Services page is displayed for ADC and
TLB services and the Rules page is displayed for CGNAT, SFW, and packet filter policies.
5. Click the right arrow next to Service Edit to expand the tree in the task pane and view
the list of filter templates.
6. From the task pane, do one of the following:
• Select ADC to open the ADC Services page on the right pane.
• Select TLB to open the TLB Services page on the right pane.
• Select CGNAT to open the CGNAT and Filter page on the right pane.
• Select Packet Filter to open the Packet Filter page on the right pane.
• Select SFW Policy and Filters to open the SFW Policy and Filter page on the right
pane.
7. In the Services or Rules page, from the tree that lists the SDGs, select All Service
Gateways, or the SDG or SDG pair for which you want to lock the filter templates.
8. Select the check box next to the service or rule.
9. Click the Lock icon. You can select policies that are locked by you and unlock them.
To unlock your policies, you do not need any administrator privileges. To unlock policies
locked by other users, you must have the task LOCK assigned to you.
Related Documentation
• Policy and Filter Management Overview on page 355
• Packet and Service Filters Overview on page 358
• Searching for CGNAT Policies on page 361
• Searching for Packet Filters on page 364
• Searching for SFW Policies on page 366
• Unlocking Locked Services and Policies on page 368
• Viewing Policy and Filter Instances on page 369
Unlocking Locked Services and Policies
All the locked services and policies can be viewed in a single page. This page is available
for a user with Manage Policy Locks tasks assigned. This page shows all the locks only if the
user has the unlock task assigned; otherwise, the user sees only their locks.
To unlock the locked services and policies:
1. From the View selector, select Gateway View. The devices that are organized in the
entire network based on the SDG pairs and the devices in each SDG group or pair are
displayed.
2. Click the Deploy icon on the Edge Services Director banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. Select the All Network item in the task pane. The tree can be expanded to view all
the configured SDG groups and SDGs in a high-availability or redundancy group.
4. Select Service Edit from the task pane. The Rules page is displayed.
5. Click the right arrow next to Service Edit to expand the tree in the task pane and view
the list of service and policy filter templates.
6. From the task pane, do one of the following:
• Select ADC to open the ADC Services page on the right pane.
• Select TLB to open the TLB Services page on the right pane.
• Select CGNAT to open the CGNAT and Filter page on the right pane.
• Select Packet Filter to open the Packet Filter page on the right pane.
• Select SFW Policy and Filters to open the SFW Policy and Filter page on the right
pane.
7. In the Services and Rules pages, respectively, from the tree that lists the SDGs, select
All Service Gateways, or the SDG or SDG pair for which you want to view the locked
filter templates.
8. Select the policy instance you want to unlock, and click the Unlock icon at the top of
the dialog box. Click the Close icon to return to the services listing page. To unlock
your policies, you do not need any administrator privileges. To unlock policies locked
by other users, you must have the task LOCK assigned to you.
Related Documentation
• Policy and Filter Management Overview on page 355
• Packet and Service Filters Overview on page 358
• Searching for CGNAT Policies on page 361
• Searching for Packet Filters on page 364
• Searching for SFW Policies on page 366
• Managing Service and Policy Locks on page 367
• Viewing Policy and Filter Instances on page 369
Viewing Policy and Filter Instances
To view the list of CGNAT, SFW, and packet policy or filter instances:
1. From the View selector, select Gateway View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Deploy icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the task pane, select Service Edit. On the right pane, pie charts corresponding
to the configured services and policy filters are displayed if you view the page without
drilling down the tree in the task pane to select a particular service or policy.
4. Click the right arrow next to Service Edit to expand the tree in the task pane and view
the list of filter instances.
5. From the task pane, do one of the following:
• Select ADC to open the Service Edit > ADC page on the right pane.
• Select TLB to open the Service Edit > TLB page on the right pane.
• Select CGNAT Policy and Filter to open the CGNAT and Filter page on the right pane.
• Select Packet Filter to open the Packet Filter page on the right pane.
• Select SFW Policy and Filters to open the SFW Policy and Filter page on the right
pane.
6. In the Service Edit page, from the tree that lists the SDGs, select All Service Gateways,
or the SDG or SDG pair for which you want to view the previously configured policy or
filter instances.
The page is divided into three panes. The list of SDGs is displayed on the left pane.
You can drill down to the SDG or pair of SDGs for which you want to process policies
or filters. The policy and filter rules are displayed in the middle pane. The right pane
lists the rule and service set details. For each rule, the terms defined are shown in a
tree structure. The key value pair format can be expanded by clicking the + icon beside
each term.
The following fields are displayed on the Service Edit > ADC page:
Table 62: Service Edit > ADC Page
Field
SDG Host
Instance Name
OS Version
Group Name
Reference Host
Real Servers
Health Check Sources
Custom Health Checks
Groups
Virtual Servers
Deployment Plans
The following fields are displayed on the Service Edit > TLB page:
Table 63: TLB Service Edit Page
Field
SDG Host
Instance Name
OS Version
Group Name
Reference Host
Real Servers
Network Monitoring
Groups
Virtual Servers
Deployment Plans
The following fields are displayed on the Service Gateways—CGNAT Policy and Filter
page:
TIP: In Gateway View of Deploy mode, with All Network selected in the View
pane and Policy & Filters > CGNAT selected in the task pane, you can select
a different SDG host from the Host Name list, and a different rule term from
the Term Name list from the page that lists all of the previously defined service
policies. This type of inline or embedded editing enables you to quickly and
optimally change the rule term in a service policy and the SDG with which
the policy must be associated.
Table 64: CGNAT Policy and Filter Page
Field
Host Name
Group Name
Rule Name
Match Direction
Term Name
Source Address
Destination Address
Destination Port
Application
Translated Packet Source
Translated Packet Destination
Translation Type
Figure 36: CGNAT Services Listing Page
The following fields are displayed on the Service Gateways—Packet Filter page:
TIP: In Gateway view of Deploy mode, with All Network selected in the View
pane and Policy & Filters > Packet Filter selected in the task pane, you can
select a different SDG host from the Host Name list, and a different rule term
from the Term Name list from the page that lists all of the previously defined
service policies. This type of inline or embedded editing enables you to quickly
and optimally change the rule term in a service policy and the SDG with which
the policy must be associated.
Table 65: Packet Filter Page
Field
Host Name
Group Name
Filter Name
Term Name
Source Address
Destination Address
Destination Port
Source Port
Protocol
Forwarding Class
Action
Status
The following fields are displayed on the Service Gateways—SFW Policy and Filter page:
TIP: In Gateway view of Deploy mode, with All Network selected in the View
pane and Policy & Filters > SFW selected in the task pane, you can select a
different SDG host from the Host Name list, and a different rule term from
the Term Name list from the page that lists all of the previously defined service
policies. This type of inline or embedded editing enables you to quickly and
optimally change the rule term in a service policy and the SDG with which
the policy must be associated.
Table 66: SFW Policy and Filter Page
Field
Host Name
Group Name
Rule Name
Term Name
Source Address
Destination Address
Destination Port
Source Port
Application Sets
Filter Outcome
Figure 37: Stateful Firewall Services Listing Page
Select a policy or a filter and click the Expand All icon, and all rules corresponding to that
policy or filter are expanded.
Select a policy or filter and click the Collapse All icon to collapse all rules.
Related Documentation
• Policy and Filter Management Overview on page 355
• Packet and Service Filters Overview on page 358
• Searching for CGNAT Policies on page 361
• Searching for Packet Filters on page 364
• Searching for SFW Policies on page 366
• Managing Service and Policy Locks on page 367
• Unlocking Locked Services and Policies on page 368
Creating and Managing CGNAT Policy and Filter Instances
NAT processing centers on the evaluation of NAT rule sets and rules. A rule set determines
the overall direction of the traffic to be processed. For example, a rule set can select
traffic from a particular interface or to a specific zone. A rule set can contain multiple
rules. Once a rule set is found that matches specific traffic, each rule in the rule set is
evaluated for a match. Each rule in the rule set further specifies the traffic to be matched
and the action to be taken when traffic matches the rule.
NOTE: Before you create a policy and filter template for packet filters, SFW,
or CGNAT services, you must have previously configured the different
elements or attributes of the service, such as service sets, interface sets, rule
sets, and syslogs during the creation of the service template. The sections in
this procedural topic that describe the creation of such service elements
apply during the creation of the service template and not during the creation
of the service policy filters, such as CGNAT or SFW policies.
• Creating a NAT Policy on page 376
• Creating a Service Set on page 378
• Creating a Syslog on page 383
• Creating a Rule on page 385
• Creating a Rule Set on page 385
• Creating Addresses on page 387
• Creating Address Groups on page 388
• Address and Address Groups Overview on page 388
• Creating a NAT Rule Term on page 389
• Associating an Application and Application Set with a NAT Rule on page 393
• Creating a NAT Pool on page 393
• Associating Service Sets and Rule Sets With a NAT Rule on page 394
• Modifying NAT Policies on page 395
• Creating a Deployment Plan on page 396
Creating a NAT Policy
To configure a new CGNAT policy or filter rule:
1. From the View selector, select Gateway View. The View pane displays the devices in
the entire network organized by the device type and device models pertaining to each
device type.
2. From the View pane, select the All Network item. Expand the tree to select the device
type and device node, which denotes the SDGs in a high availability pair of SDGs or
an SDG group.
3. From the Junos Space user interface, click the Deploy icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
4. Select Service Edit > CGNAT from the task pane.
The CGNAT Policies page is displayed.
5. Click the plus sign (+) next to Policy and Filter to expand the tree in the task pane and
view the list of filter rules.
6. From the task pane, select CGNAT Policy and Filter to open the CGNAT and Filter page
on the right pane.
7. Click the Add icon above the table of listed rules. The Create Policy and Filter window
is displayed.
Figure 38: Create a CGNAT Rule Window
8. Enter the name of the group policy in the Name field (limit of 63 alphanumeric
characters).
9. Enter a description for the group policy rules in the Description field. Edge Services
Director sends the comments entered in this field to the device (limit of 255
alphanumeric characters).
10. In the Match Direction list, specify the direction in which the rule match is applied.
Select one of the following options:
• input—Apply the rule match on the input side of the interface.
• input-output—Apply the rule match bidirectionally.
• output—Apply the rule match on the output side of the interface.
11. In the SDG section, do the following:
• From the SDG drop-down list, select the devices with which the NAT policy must
be associated. Alternatively, you can select the high availability pair of SDG devices
with which the NAT policy must be associated. All of the devices in the different
SDG groups that were previously defined in the database are also listed in the
drop-down menu.
12. Create a NAT rule term that must be added to the NAT policy. For details on configuring
a NAT rule term, see Creating a NAT Rule Term.
13. The list of terms added, and the associated service sets and rule sets, are displayed
in a tabular format in the Create Policy and Filter page. Select the check box next to
the term you want to attach to the NAT policy.
14. Click Create to save the NAT policy.
15. Click Validate to perform validation checks on the configuration planned to be deployed
to examine and correct any syntax errors or incompatible settings. You can also
validate without deploying the configuration.
NOTE: In the Create Policy and Filter window, you can also do the following:
• Click the Create icon displayed beside the terms or attributes to add a new
attribute. You can then use the newly defined attribute to add to a policy
to cause the same selection for a particular term to be applied across all
SDGs or groups.
• Click the Edit icon displayed beside the terms or attributes to modify an
attribute. You can then use the modified attribute to add to a policy to
cause the same selection for a particular term to be applied across all SDGs
or groups.
• Select the check box beside the SDGs or SDG groups in the Create NAT
Term page to include the devices or the SDG groups in the NAT policy for
association. Deselect the check boxes beside the SDGs or groups to exclude
the devices in the NAT policy.
• Click the Copy to All Hosts button to apply the defined term at the system
or network level and not at a particular SDG or SDG group level.
Creating a Service Set
A service set is a collection of services to be performed by an Adaptive Services (AS) or
Multiservices PIC. To create a service set as a component for the CGNAT rule:
1. From the View selector, select Gateway View. The View pane displays the devices in
the entire network organized by the device type and device models pertaining to each
device type.
2. From the View pane, select the All Network item. Expand the tree to select the device
type and device node, which denotes the SDGs in a high availability pair of SDGs or
an SDG group.
3. From the Junos Space user interface, click the Deploy icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
4. Select Service Edit > CGNAT from the task pane.
The Service Edit > CGNAT Policies page is displayed.
5. Click the Add icon. The Create a CGNAT Policy and Filter Template window appears.
6. Enter the name of the rule, a description, and the direction in which the rule match
must be applied in the respective fields. Also, select the SDG or SDG pair for which
the syslog needs to be defined for the service set.
7. In the Create Policy and Filter page, click Associate Service Sets/Rule Sets. The
Associate Service Sets/Rule Sets section is displayed. The SDGs and SDG groups that
are part of the NAT policy filter rule term are shown in one column. Under the
Association column, either the Configure or Edit icon appears. If you already created
and mapped a service set with the particular SDG or group, the Edit icon shows.
8. Click the Configure or Edit icon. The Configure Service Sets/Rule Sets dialog box is
displayed.
9. From the Type drop-down list, select Service Set to map a service set with the policy
filter rule.
10. If you selected Service Set from the Type list, select a service set previously configured
in the Service Designer workspace from the Value list.
11. Click the green plus sign next to the Value drop-down list. The Addition of Service
Sets dialog box appears.
NOTE: If a green plus sign mark is shown beside a field in the dialog box,
it denotes that you can add attributes for that component. A red minus
mark shows that you can delete that particular attribute for that
component.
12. In the Name field, enter the name to identify the service set. Rules are combined into
rule sets, and are associated with a service set for each application such as firewall
or CGNAT.
13. In the Sampling Service Choices section, do one of the following:
• Click Interface Services to configure an interface-style service set. An interface
service set is used as an action modifier across an entire interface.
• In the Service Interfaces field, specify the name for the adaptive services interface
associated with an interface-wide service set.
When you have defined and grouped the service rules by configuring the service-set
definition, you can apply services to one or more interfaces installed on the router.
When you apply the service set to an interface, it automatically ensures that
packets are directed to the PIC.
• From the Load Balancing Options section, configure the high availability (HA)
options.
The following hash keys can be configured in the egress direction: destination-ip
(Use the destination IP address of the flow to compute the hash used in load
balancing.) and source-ip (Use the source IP address of the flow to compute the
hash used in load balancing.)
• Click the green tick mark beside the Egress Key element to configure the hash keys
to be used in the egress flow direction. The configuration is mandatory if you are
using AMS for Network Address Translation (NAT). This configuration is not
mandatory if you are using AMS for stateful firewall; if the hash keys are not
configured, then the defaults are chosen.
• Click the green tick mark beside the Ingress Key element to configure the hash
keys to be used in the ingress flow direction. The configuration is mandatory if
you are using AMS for Network Address Translation (NAT). This configuration is
not mandatory if you are using AMS for stateful firewall; if the hash keys are not
configured, then the defaults are chosen.
Configure the hash keys used for load balancing in aggregated multiservices (AMS)
for service applications (Network Address Translation [NAT], stateful firewall,
application-level gateway [ALG], HTTP header enrichment, and mobility). The hash
keys supported in the ingress and egress direction are the source IP address and
destination IP address.
Hash keys are used to define the load-balancing behavior among the various
members in the AMS group. For example, if hash-keys is configured as source-ip,
then the hashing would be performed based on the source IP address of the packet.
Therefore, all packets with the same source IP address land on the same member.
Hash keys must be configured with respect to the traffic direction: ingress or egress.
For example, if hash-keys is configured as source-ip in the ingress direction, then it
should be configured as destination-ip in the egress direction. This is required to
ensure that the packets of the same flow reach the same member of the AMS group.
The configuration of the ingress and egress hash keys is mandatory if you are using
AMS for NAT. This configuration is not mandatory if you are using AMS for stateful
firewall; if the hash keys are not configured, then the defaults are chosen. Refer to
Table 48 on page 232 for the supported hash keys.
The resource-triggered option enables anchor session PICs to use the load or
resource information from the anchor services PICs to select the AMS member that will
anchor the services for the subscriber for load balancing among AMS members. In
addition, for mobile subscriber-aware services (such as HTTP header enrichment),
you must configure the resource-triggered statement, which means that the load
balancing is not done using the ingress and egress keys.
Table 67: Hash Keys Supported for AMS for Service Applications

                                 Service Set at Ingress Interface                   Service Set at Egress Interface
NAT Type                         Ingress hash key         Egress hash key           Ingress hash key         Egress hash key

Hash Keys for NAT
source static                    Destination IP address   Source IP address         Source IP address        Destination IP address
source dynamic                   Source IP address        Destination IP address    Destination IP address   Source IP address
Network Address Port             Source IP address        Destination IP address    Destination IP address   Source IP address
Translation (NAPT)
destination static               Source IP address        Destination IP address    Destination IP address   Source IP address

Hash Keys for Stateful Firewall
Stateful Firewall                Destination IP address   Source IP address         Destination IP address   Source IP address
Stateful Firewall                Source IP address        Destination IP address    Source IP address        Destination IP address
NOTE: If NAT is used in the service set (along with stateful firewall and
ALG), then the hash keys should be based on the NAT type; otherwise,
the hash keys of the stateful firewall should be used.
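The pairing rule for ingress and egress hash keys described above, as an added Python example (not Juniper code and not part of the original guide). It assumes that an AMS member is chosen by CRC32 of the selected address modulo the member count, as a stand-in for the platform's real hash, that forward packets are hashed with the ingress key and return packets with the egress key, and it does not model address translation; all addresses are constructed samples.

```python
"""Model of AMS member selection by hash key (illustrative, not Junos code)."""
import ipaddress
import zlib

# Map the hash-key names used in the text to packet fields.
KEY_FIELD = {"source-ip": "src", "destination-ip": "dst"}


def member_for(packet, hash_key, members):
    """Return the index of the AMS member that receives `packet`.

    Assumption: CRC32 of the packed address modulo the member count stands in
    for the platform's real hash, which the guide does not describe.
    """
    if hash_key not in KEY_FIELD:
        raise ValueError(f"unsupported hash key: {hash_key!r}")
    if members < 1:
        raise ValueError("an AMS group needs at least one member")
    addr = ipaddress.ip_address(packet[KEY_FIELD[hash_key]])
    return zlib.crc32(addr.packed) % members


def flow_members(client, server, ingress_key, egress_key, members):
    """Members chosen for the forward and the return packet of one flow.

    Assumption: the forward packet (client -> server) is hashed with the
    ingress key and the return packet (server -> client) with the egress key.
    """
    forward = {"src": client, "dst": server}
    reverse = {"src": server, "dst": client}
    return (member_for(forward, ingress_key, members),
            member_for(reverse, egress_key, members))


def split_flows(flows, ingress_key, egress_key, members):
    """Return the flows whose two directions land on different members."""
    return [
        (client, server)
        for client, server in flows
        if len(set(flow_members(client, server,
                                ingress_key, egress_key, members))) > 1
    ]


# Constructed sample flows: 64 clients talking to one server
# (addresses taken from the documentation ranges).
SAMPLE_FLOWS = [(f"198.51.100.{host}", "203.0.113.10") for host in range(1, 65)]
AMS_MEMBERS = 4

if __name__ == "__main__":
    # First pair follows the rule in the text; second pair repeats the same
    # key in both directions and splits flows across members.
    for ingress_key, egress_key in (("source-ip", "destination-ip"),
                                    ("source-ip", "source-ip")):
        broken = split_flows(SAMPLE_FLOWS, ingress_key, egress_key, AMS_MEMBERS)
        print(f"ingress={ingress_key:<15} egress={egress_key:<15} "
              f"flows split across members: {len(broken)}/{len(SAMPLE_FLOWS)}")
```

With complementary keys both directions hash the same address, so no flow is split; with the same key in both directions the return packet hashes the server address instead, and a stateful service on the first member never sees the reply.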
• Click Next Hop Services to configure a next-hop style service set. A next-hop service
set is a route-based method of applying a particular service. Only packets destined
for a specific next hop are serviced by the creation of explicit static routes.
• In the Inside Interface list, specify the interface type of the service interface
associated with the service set applied inside the network. For inline IP reassembly,
set the interface type to local. Also, specify the name and logical unit number of
the service interface associated with the service set applied inside the network.
When a next-hop service is configured, the AS or Multiservices PIC is considered
to be a two-legged module with one leg configured to be the inside interface
(inside the network) and the other configured as the outside interface (outside
the network).
• In the Outside Interface list, specify the interface type of the service interface
associated with the service set applied outside the network. For inline IP
reassembly, set the interface type to local. Also, specify the name and logical unit
number of the service interface associated with the service set applied outside
the network.
• In the Service Interface Pool list, select the name of the pool of logical interfaces
configured at the [edit services service-interface-pools pool pool-name] hierarchy
level. You can configure a service interface pool only if the service set has a PGCP
rule configured. The service set cannot contain any other type of rule.
• Click Sampling Services to configure a sampling service set.
• In the Service Interface field, specify the service interface, which is the interface
the sampling is taken from. In the case of a sampling service set, the service
interface must be a Multiservices PIC interface with a subunit number of 0 (zero).
The subunit number defaults to 0. The reverse-flow statement is not mandatory.
All sampled traffic is considered to be forward traffic. If you set the reverse-flow
statement, it is ignored.
Select the Replication Service check box to configure the services replication options
for inter-chassis high availability on MS-MIC and MS-MPC.
•
In the Replication Threshold field, specify the number of seconds for the replication
threshold. When a flow has been active for more than the number of seconds
specified as a threshold, flow state information is replicated to the backup device.
Make sure that the replication-threshold value is than the open-timeout value(the
timeout period for establishing a TCP connection). The default value of the
replication threshold is 180 seconds. This value is also the minimum.
•
Select the Stateful Firewall check box to replicate stateful firewall state
information.
•
Select the NAT check box to replicate NAPT44 information.
14. In the CGNAT Rule Sets section, select the rule set you want to associate with the
service set from the Available column and click the right arrow to move to the Selected
column.
15. In the CGNAT Rules section, select the rule you want to associate with the service set
from the Available column and click the right arrow to move to the Selected column.
16. In the CGNAT Syslogs section, select the syslog you want to associate with the service
set from the Available column and click the right arrow to move to the Selected
column.
17. Click Save to save the service rule configuration. Otherwise, click Close to discard the
changes to the rule.
Creating a Syslog
You can enable system logging. The system log information from the Adaptive Services
or Multiservices PIC is passed to the kernel for logging in the /var/log directory. This setting
overrides any syslog statement setting included in the service set or interface default
configuration.
To create a syslog for the CGNAT rule:
1. From the View selector, select Gateway View. The View pane displays the devices in
the entire network organized by the device type and device models pertaining to each
device type.
2. From the View pane, select the All Network item. Expand the tree to select the device
type and device node, which denotes the SDGs in a high availability pair of SDGs or
an SDG group.
3. From the Junos Space user interface, click the Deploy icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
4. Select Service Edit > CGNAT from the task pane.
The Service Edit > CGNAT Policies page is displayed.
5. Click the Add icon. The Create a CGNAT Policy and Filter Template window appears.
6. Enter the name of the rule, a description, and the direction in which the rule match
must be applied in the respective fields. Also, select the SDG or SDG pair for which
the syslog needs to be defined for the service set.
7. In the Create Policy and Filter page, click Associate Service Sets/Rule Sets. The
Associate Service Sets/Rule Sets section is displayed. The SDGs and SDG groups that
are part of the NAT policy filter rule term are shown in one column. Under the
Association column, either the Configure or Edit icon appears. If you already created
and mapped a service set with the particular SDG or group, the Edit icon shows.
8. Click the Configure or Edit icon. The Configure Service Sets/Rule Sets dialog box is
displayed.
9. From the Type drop-down list, select Service Set to map a service set with the policy
filter rule.
10. If you selected Service Set from the Type list, select a service set previously configured
in the Service Designer workspace from the Value list.
11. Click the green plus sign next to the Value drop-down list. The Addition of Service
Sets dialog box appears.
NOTE: If a green plus sign is shown beside a field in the dialog box,
it denotes that you can add attributes for that component. A red minus
sign shows that you can delete that particular attribute for that
component.
12. Click the green plus sign next to the Syslog Settings field. The Addition of Service Sets
dialog box appears.
13. In the Name field, enter the name for the syslog component. Specify the fully qualified
domain name or IP address for the syslog server.
14. In the Services list, specify the system logging severity level. It assigns a severity level
to the facility. Valid entries include:
• alert—Conditions that should be corrected immediately.
• any—Matches any level.
• critical—Critical conditions.
• emergency—Panic conditions.
• error—Error conditions.
• info—Informational messages.
• notice—Conditions that require special handling.
• warning—Warning messages.
15. From the Facility Override list, select the override for the default facility for system
log reporting. Valid values include:
authorization
daemon
ftp
kernel
local0 through local7
user
16. In the Log Prefix field, set the system logging prefix value for all logging to the system
log host.
17. In the Port field, specify the port number to be used for connection with the remote
syslog server.
18. In the Class section, set the class of applications to be logged to the system log.
• alg-logs—Log application-level gateway events.
• ids-logs—Log intrusion detection system events.
• nat-logs—Log Network Address Translation events.
• packet-logs—Log general packet-related events.
• session-logs—Log session open and close events.
• session-logs open—Log session open events only.
• session-logs close—Log session close events.
• stateful-firewall-logs—Log stateful firewall events.
19. In the Source Address field, specify a source address to record in system log messages
that are directed to a remote machine specified in the hostname statement. The
supported interfaces are ms, rms, and mams interfaces. If you do not specify the
interface parameter, the command loops on all supported interfaces. This field is
available only if you selected the Junos OS 14.1 version.
20. Click Save to save the service rule configuration. Otherwise, click Close to discard the
changes to the rule.
Creating a Rule
To create a rule for the CGNAT service:
1. From the View selector, select Gateway View. The View pane displays the devices in
the entire network organized by the device type and device models pertaining to each
device type.
2. From the View pane, select the All Network item. Expand the tree to select the device
type and device node, which denotes the SDGs in a high availability pair of SDGs or
an SDG group.
3. From the Junos Space user interface, click the Deploy icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
4. From the task pane, select Service Edit. The Service Edit page is displayed.
5. Click the CGNAT button. The list of CGNAT policies is displayed.
6. Click the Add icon. The Create a CGNAT Policy window appears.
7. Enter the name of the template and the service instance in the respective fields.
8. Click the green plus sign in the Rules box. The Addition of Rules dialog box appears.
NOTE: If a green tick mark is shown beside a field in the dialog box, it
denotes that you can add attributes for that component. A red cross mark
shows that you can delete that particular attribute for that component.
9. From the Rule list, select one of the previously configured rules. The rules that you
configured in the Service Templates workspace for CGNAT, packet filter, or CGNAT
are displayed.
10. Click Save to save the service template configuration. Otherwise, click Close to discard
the changes to the template.
Creating a Rule Set
The rule-set statement defines a collection of stateful firewall rules that determine what
actions the router software performs on packets in the data stream. You define each rule
by specifying a rule name and configuring terms. Then, you specify the order of the rules
by including the rule-set statement at the [edit services stateful-firewall] hierarchy level
with a rule statement for each rule.
The router software processes the rules in the order in which you specify them in the
configuration. If a term in a rule matches the packet, the router performs the corresponding
action and the rule processing stops. If no term in a rule matches the packet, processing
continues to the next rule in the rule set. If none of the rules matches the packet, the
packet is dropped by default.
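The processing order described above (first matching term wins, default drop when nothing matches) means a broad rule placed early can silently disable a narrower rule placed after it. The following sketch is an added example, not Junos or Edge Services Director code: the class names, rule names, action labels, and addresses are constructed for illustration, and matching is limited to IPv4 source and destination prefixes.

```python
"""First-match rule-set evaluation with default drop (added illustration)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Term:
    name: str
    src: str     # source prefix this term matches (IPv4 in this sketch)
    dst: str     # destination prefix this term matches
    action: str  # illustrative action label: "accept" or "discard"

    def matches(self, src, dst):
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst))

    def covers(self, other):
        """True when every packet `other` can match is also matched by self."""
        return (ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dst).subnet_of(ip_network(self.dst)))


@dataclass(frozen=True)
class Rule:
    name: str
    terms: tuple


def evaluate(rule_set, src, dst):
    """Walk rules in configured order; the first matching term decides."""
    for rule in rule_set:
        for term in rule.terms:
            if term.matches(src, dst):
                return rule.name, term.name, term.action
    return None, None, "drop"  # no rule matched: dropped by default


def shadowed_terms(rule_set):
    """List terms that can never fire because an earlier term covers them."""
    earlier, findings = [], []
    for rule in rule_set:
        for term in rule.terms:
            for prev_rule, prev_term in earlier:
                if prev_term.covers(term):
                    findings.append((f"{rule.name}/{term.name}",
                                     f"{prev_rule}/{prev_term.name}"))
                    break
            earlier.append((rule.name, term))
    return findings


# Constructed sample: the broad accept is listed before the narrower discard.
MISORDERED = (
    Rule("allow-subscribers", (Term("t1", "10.0.0.0/8", "0.0.0.0/0", "accept"),)),
    Rule("block-quarantine", (Term("t1", "10.66.0.0/16", "0.0.0.0/0", "discard"),)),
)
REORDERED = (MISORDERED[1], MISORDERED[0])

if __name__ == "__main__":
    for label, rules in (("misordered", MISORDERED), ("reordered", REORDERED)):
        print(label, evaluate(rules, "10.66.1.5", "198.51.100.7"),
              "shadowed:", shadowed_terms(rules))
    print("unmatched", evaluate(MISORDERED, "192.0.2.9", "198.51.100.7"))
```

Running a check like `shadowed_terms` over a planned rule order before deployment flags discard terms that an earlier accept makes unreachable.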
To create a rule set for the CGNAT policy:
1. From the View selector, select Gateway View. The View pane displays the devices in
the entire network organized by the device type and device models pertaining to each
device type.
2. From the View pane, select the All Network item. Expand the tree to select the device
type and device node, which denotes the SDGs in a high availability pair of SDGs or
an SDG group.
3. From the Junos Space user interface, click the Deploy icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
4. Select Service Edit > CGNAT from the task pane.
The Service Edit > CGNAT Policies page is displayed.
5. Click the Add icon. The Create a CGNAT Policy and Filter Template window appears.
6. Enter the name of the rule, a description, and the direction in which the rule match
must be applied in the respective fields. Also, select the SDG or SDG pair for which
the syslog needs to be defined for the service set.
7. In the Create Policy and Filter page, click Associate Service Sets/Rule Sets. The
Associate Service Sets/Rule Sets section is displayed. The SDGs and SDG groups that
are part of the NAT policy filter rule term are shown in one column. Under the
Association column, either the Configure or Edit icon appears. If you already created
and mapped a service set with the particular SDG or group, the Edit icon shows.
8. Click the Configure or Edit icon. The Configure Service Sets/Rule Sets dialog box is
displayed.
9. From the Type drop-down list, select Service Set to map a service set with the policy
filter rule.
10. If you selected Service Set from the Type list, select a service set previously configured
in the Service Designer workspace from the Value list.
11. Click the green plus sign next to the Value drop-down list. The Addition of Service
Sets dialog box appears.
NOTE: If a green plus sign is shown beside a field in the dialog box,
it denotes that you can add attributes for that component. A red minus
sign shows that you can delete that particular attribute for that
component.
12. In the Name field, specify a name for the rule set the router uses when applying this
service.
13. In the Rules section, select the rules that need to be added to the rule set from
the Available column and click the right arrow to move these rules to the Selected
column. All the rules that you previously configured during the creation or modification
of the service rule are displayed.
14. Click Save to save the rule set configuration. Otherwise, click Close to discard the
changes to the rule.
Creating Addresses
To create an address:
1. In the Source and Destination Address Selector dialog box, click the plus sign (+)
to create a new address.
The Create Address page appears.
2. In the Object Type section, click the Address radio button to create an address.
3. In the Name field, enter a name for the new address.
4. In the Description field, enter a description for the new address.
5. Direct Edge Services Director to resolve an IP address to a hostname or resolve a
hostname to an IP address.
• To specify an IP address as the address type, select Host from the drop-down menu
and enter the IP address in the IP field.
• To specify a hostname as the address type, select Host from the drop-down menu
and enter the hostname in the Host Name field.
• To specify an IP address range, select Range from the drop-down menu and enter
the IP ranges in the Start IP and End IP fields.
• To specify a network as an address type, select Network from the drop-down menu
and enter the network address in the IP and Netmask fields.
• To specify an IP address with a wildcard mask, select Wildcard from the drop-down
menu and enter the IP address in the IP field and wildcard mask in the Wildcard
Mask fields.
• To specify a DNS name as an address type, select DNS Host from the drop-down
menu and enter the DNS name in the DNS Name field.
NOTE: You can resolve an IP address to a hostname and a hostname to
an IP address using the green arrows next to the IP and Host Name fields.
NOTE: The host and network address types support both IPv4 and IPv6
address types. These address types also support multicast addresses.
However, the range address type supports only IPv4 addresses. NAT and
IPsec VPNs do not support IPv6 addressing and wildcard addresses.
NOTE: Ensure that the first 8 bits of the address are not 0 and the highest
bit of the mask is 1 when you are using the wildcard address type.
6. Click Create to create an address.
The new address appears in the Manage Address page.
Creating Address Groups
To create an address group:
1. In the Source and Destination Address Selector dialog box, click the plus sign (+)
to create a new address group.
The Create Address Group page appears.
2. Select the Object Type as Address Group.
3. In the Name field, enter a name for the new address group.
4. In the Description field, enter a description for the new address group.
5. In the Addresses field, from the Available dialog box, select the address that you want
to group, and click the right arrow to add to the Selected column.
Click All to move all the addresses to the Selected column. The address you have
selected appears in the Selected section of the dialog box.
6. Click Create.
The address group appears on the Address page.
Address and Address Groups Overview
You can use the Address Creation Wizard to create an address object that specifies an
IP address or a hostname. You can specify a hostname and use the address resolution
option to resolve it to an IP address. You can also resolve an IP address to the
corresponding hostname.
You can group address objects to form an address group using the Address Group Creation
Wizard. Junos Space creates an object in the Junos Space database to represent an
address or an address group.
Creating a NAT Rule Term
To add rules to a NAT policy:
1. In the Create Policy and Filter window, the list of rule terms already added, if any, to
the NAT policy is displayed.
2. Next to the Terms field, click the + icon to add rules, and select the type of rule you
want to add.
3. In the Term Name field, specify the name of the rule.
The list of SDGs with which you associated the NAT policy in the Create Policy window
is displayed with the from and then sections or clauses. If you selected SDG groups
to associate with the NAT policy, the SDG group names are displayed.
NOTE:
• Click the Copy to All Hosts button to apply the defined term at the system
or network level and not at a particular SDG or SDG group level.
• When you create a rule or filter term, and define the name of the filter,
for SDGs that are part of a high availability pair of devices, the names
of the SDGs are displayed as tabs and check boxes beside the
hostnames of the SDGs are displayed. If you want the policy or filter
term definition to apply to both the SDGs, select the check boxes next
to the SDG names.
Otherwise, when you click the SDG name tab for the SDG for which you
did not select the check box, a blue highlight overlays the entire dialog
box to indicate the settings are not enabled for configuration for that
specific SDG.
4. In the From section, do the following to specify input conditions or match criteria for
the NAT term:
• In the Source Address field, click the down arrow in the list. The address selector
dialog box appears. Select the source addresses that need to be added to the NAT
policy from the Available column and click the right arrow to move these
devices to the Selected column.
Click OK to confirm the selection. Click Cancel to discard your changes and return
to the Create Policy and Filter window.
To create an address or address group from the address selector dialog box, see
Creating Addresses and Creating Address Groups.
• In the Destination Address field, click the down arrow in the list. The address selector
dialog box appears. Select the destination addresses that need to be added to the
NAT policy from the Available column and click the right arrow to move these
devices to the Selected column.
Click OK to confirm the selection. Click Cancel to discard your changes and return
to the Create Policy and Filter window.
To create an address or address group from the address selector dialog box, see
Creating Addresses and Creating Address Groups.
• Specify a destination port to match the rule in the Destination Port field. You can
configure a range of ports by specifying the upper limit and lower limit of the ports
in the Start Value and End Value fields.
• Select the application protocol or name to which the NAT services apply from the
Application drop-down menu. When you click the down arrow in the list, the
application selector dialog box appears. Select the application name that needs
to be added to the NAT policy.
To create a new application name or application set, see Creating Applications and
Application Sets.
• Select the name of the target application set from the Application Sets drop-down
menu.
5. In the To section, do the following to specify actions or modifiers to be performed for
the NAT term:
• In the Translation Type drop-down list, select the NAT translation type.
  • basic-nat44—Translate the source address statically (IPv4 to IPv4).
  • basic-nat66—Translate the source address statically (IPv6 to IPv6).
  • basic-nat-pt—Translate the addresses of IPv6 hosts as they originate sessions
    to the IPv4 hosts in the external domain. The basic-nat-pt option is always
    implemented with DNS ALG.
  • deterministic-napt44—Translate as napt-44, and use deterministic port block
    allocation for port translation.
  • dnat-44—Translate the destination address statically (IPv4 to IPv4).
  • dynamic-nat44—Translate only the source address by dynamically choosing the
    NAT address from the source address pool.
  • napt-44—Translate the transport identifier of the IPv4 private network to a single
    IPv4 external address.
  • napt-66—Translate the transport identifier of the IPv6 private network to a single
    IPv6 external address.
  • napt-pt—Bind addresses in an IPv6 network with addresses in an IPv4 network
    and vice versa to provide transparent routing for the datagrams traversing between
    the address realms.
  • stateful-nat64—Implement dynamic address and port translation for source IP
    addresses (IPv6-to-IPv4) and prefix removal translation for the destination IP
    addresses (IPv6-to-IPv4).
  • twice-basic-nat-44—Translate the source and destination addresses statically
    (IPv4 to IPv4).
  • twice-dynamic-nat-44—Translate the source address by dynamically choosing
    the NAT address from the source address pool. Translate the destination address
    statically.
  • twice-dynamic-napt-44—Translate the transport identifier of the IPv4 private
    network to a single IPv4 external address. Translate the destination address
    statically.
• In the Source Pool field, click the down arrow in the list. The NAT pool selector dialog
box appears. Select the source pools that need to be added to the NAT policy
from the Available column and click the right arrow to move these pools to the
Selected column.
Click OK to confirm the selection. Click Cancel to discard your changes and return
to the Create Policy and Filter window.
To create a NAT pool from the source and destination pool selector dialog box, see
Creating a NAT Pool.
• In the Destination Pool field, click the down arrow in the list. The NAT pool selector
dialog box appears. Select the destination pools that need to be added to the NAT
policy from the Available column and click the right arrow to move these
pools to the Selected column.
Click OK to confirm the selection. Click Cancel to discard your changes and return
to the Create Policy and Filter window.
To create a NAT pool from the source and destination pool selector dialog box, see
Creating a NAT Pool.
• Select the No Translation option to specify that traffic is not to be translated.
• Select the NAT address pooling behavior as Paired. Only paired address pooling is
supported. Address pooling, or address pooling paired (APP), ensures assignment
of the same external IP address for all sessions originating from the same internal
host. You can use this feature when assigning external IP addresses from a pool.
This option does not affect port utilization.
• In the Destination Prefix field, click the down arrow in the list to specify the destination
prefix for translated traffic. The address selector dialog box appears. Select the
destination addresses that need to be added to the NAT policy from the
Available column and click the right arrow to move these devices to the Selected
column.
Click OK to confirm the selection. Click Cancel to discard your changes and return
to the Create Policy and Filter window.
To create an address or address group from the address selector dialog box, see
Creating Addresses and Creating Address Groups.
• Specify the NAT pool for destination translation from the DNS ALG Pool list.
• Set the Domain Name System (DNS) application-level gateway (ALG) 96-bit prefix
for mapping IPv4 addresses to IPv6 addresses from the DNS ALG Prefix list.
• Select the Endpoint Independent check box for the Filtering Type field to specify the
NAT filtering behavior for sessions initiated from outside to inside as
endpoint-independent filtering (EIF).
• Select the Endpoint Independent check box for the Mapping Type field to specify
the source NAT mapping type.
• In the Source Prefix field, click the down arrow in the list to specify the destination
prefix for translated traffic. The address selector dialog box appears. Select the
source addresses that need to be added to the NAT policy from the Available
column and click the right arrow to move these devices to the Selected column.
Click OK to confirm the selection. Click Cancel to discard your changes and return
to the Create Policy and Filter window.
To create an address or address group from the address selector dialog box, see
Creating Addresses and Creating Address Groups.
• Select the Syslog check box to enable system logging. The system log information
from the Multiservices PIC is passed to the kernel for logging in the /var/log directory.
This field is available only if you selected the Junos OS 14.1 version to create the
service template.
6. Click Save to create the rule. Alternatively, click Validate in the Create Rule page to
perform validation checks on the configuration planned to be deployed to examine
and correct any syntax errors or incompatible settings.
7. A new rule is added in the last row depending on the type of rule you have added. The
newly added rules blink with a different color for a few seconds. The behavior is the same
if you add a new rule before or after a rule, clone a rule, or paste a rule.
The rule is assigned a serial number based on the number of rules already added to
the policy.
Associating an Application and Application Set with a NAT Rule
To associate an application and an application set for a NAT rule term:
1. In the Add Term page, in the Application or Application Set sections, the application
set selector dialog box is displayed. Select the applications or application sets that
need to be added to the NAT rule term from the Available column and click the
right arrow to move these applications or application sets to the Selected column.
Creating a NAT Pool
A Network Address Translation (NAT) pool is a continuous range of IP addresses that
you can use to create a NAT policy. NAT policies perform address translation by translating
internal IP addresses to the addresses in these pools.
To create a NAT pool:
1. In the Add Term page, click the down arrow of the Source Pool or Destination Pool
drop-down lists. The source and destination NAT pool selector dialog box is displayed.
2. Select a NAT pool to function as the source or destination pool from the Select NAT
Pool pop-up dialog box. Click OK to add the selected NAT pool to the source or
destination pool drop-down list in the Add Term page.
3. If a NAT address pool has not been previously created, click the plus sign (+) to create
a new NAT pool. The Create NAT Pool page appears.
4. Enter the name of the NAT pool in the Name field.
5. Select the type of NAT pool as source or destination from the Pool Type menu.
6. In the Pool Address field, do one of the following:
• Select the Range radio button and enter the network address in the Prefix and
Netmask fields for IPv4 or IPv6.
• Select the Address Prefix radio button and enter the IP ranges in the Start IP and
End IP fields.
7. Select the Round Robin check box beside the Address Allocation field if you want to
use round-robin technology. When you use round-robin allocation, one port is allocated
from each address in a range before repeating the process for each address in the
next range. After ports have been allocated for all addresses in the last range, the
allocation process wraps around and allocates the next unused port for addresses in
the first range.
8. In the Auto Port Allocation field, do one of the following to specify the NAT pool port
or range. You can configure an automatically assigned port or specify a range with
minimum and maximum values:
• Select the Automatic radio button to use a router-assigned port.
• Select the Random Allocation radio button to allocate ports within a specified range
randomly. Select the Range check box and specify the starting and ending values
for the port range in the Low and High fields.
9. Click Create to save the NAT address pool. The pool is now populated in the Select
NAT Pool dialog box in the drop-down list. You can select the created pool as the
source or destination address pool while creating a NAT rule term.
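A simplified model of the round-robin allocation described in step 7, with the Paired address pooling option from the NAT rule term settings layered on top, shows why consecutive sessions land on different external addresses unless pairing pins a host to one. This is an added example, not Junos code: the class and method names are hypothetical, the addresses are constructed documentation ranges, and the order in which a released port is reused is an assumption.

```python
"""Simplified model of round-robin NAT port allocation (added illustration)."""
from ipaddress import ip_address


class RoundRobinNatPool:
    """Hands out (external address, port) pairs, one port per address per pass."""

    def __init__(self, ranges, low, high, paired=False):
        # ranges: (start_ip, end_ip) pairs, inclusive, in configured order
        self.addrs = []
        for start, end in ranges:
            first, last = int(ip_address(start)), int(ip_address(end))
            if last < first:
                raise ValueError(f"range {start}-{end} is reversed")
            self.addrs += [str(ip_address(n)) for n in range(first, last + 1)]
        if not self.addrs or not 0 < low <= high <= 65535:
            raise ValueError("need at least one address and a valid port range")
        self.low, self.high, self.paired = low, high, paired
        self.cursor = 0                                  # next address to try
        self.in_use = {a: set() for a in self.addrs}     # allocated ports
        self.next_port = {a: low for a in self.addrs}    # per-address pointer
        self.pairing = {}                                # internal host -> index

    def _next_unused(self, addr):
        """Return the next unused port on addr, wrapping within the range."""
        span = self.high - self.low + 1
        start = self.next_port[addr] - self.low
        for i in range(span):
            port = self.low + (start + i) % span
            if port not in self.in_use[addr]:
                self.next_port[addr] = self.low + (start + i + 1) % span
                return port
        return None

    def allocate(self, internal_host):
        n = len(self.addrs)
        sticky = self.paired and internal_host in self.pairing
        if sticky:
            order = [self.pairing[internal_host]]        # stay on paired address
        else:
            order = [(self.cursor + i) % n for i in range(n)]
        for idx in order:
            addr = self.addrs[idx]
            port = self._next_unused(addr)
            if port is None:
                continue                                 # address is full
            self.in_use[addr].add(port)
            if not sticky:
                self.cursor = (idx + 1) % n              # move to next address
                if self.paired:
                    self.pairing[internal_host] = idx
            return addr, port
        raise RuntimeError(f"no free port for {internal_host}")

    def release(self, addr, port):
        self.in_use[addr].discard(port)


def demo(paired):
    """Two sessions from 10.0.0.1 with one from 10.0.0.2 in between."""
    pool = RoundRobinNatPool([("198.51.100.1", "198.51.100.3")], 1024, 1027, paired)
    return [pool.allocate(h) for h in ("10.0.0.1", "10.0.0.2", "10.0.0.1")]


if __name__ == "__main__":
    print("round-robin only :", demo(paired=False))
    print("round-robin + APP:", demo(paired=True))
```

Without pairing, the two sessions from 10.0.0.1 appear behind two different external addresses, which is why NAT session logs are needed to attribute external address and port pairs back to a subscriber.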
Associating Service Sets and Rule Sets With a NAT Rule
To associate a service set and a rule set with a NAT policy filter rule term:
1. In the Create Policy and Filter page, click Associate Service Sets/Rule Sets. The
Associate Service Sets/Rule Sets section is displayed. The SDGs and SDG groups that
are part of the NAT policy filter rule term are shown in one column. Under the
Association column, either the Configure or Edit icon appears. If you already created
and mapped a service set with the particular SDG or group, the Edit icon shows.
2. Click the Configure or Edit icon. The Configure Service Sets/Rule Sets dialog box is
displayed.
3. From the Type drop-down list, do either of the following:
• Select Service Set to map a service set with the policy filter rule.
• Select Rule Set to map a rule set with the policy filter rule.
Depending on the option selected in the Type list as service set or rule set for
association with the policy filter rule, the options that are displayed in the Value list
beneath the Type list vary.
4. If you selected Service Set from the Type list, select a service set previously configured
in the Service Designer workspace from the Value list. If you selected Rule Set from
the Type list, select a rule set previously configured in the Service Designer workspace
from the Value list. Click Add to map the service set or rule set with the NAT policy
filter rule.
5. Click Save to save the settings. Alternatively, click Cancel to abort the changes.
6. Click Copy to All Hosts in the Associate Service Sets dialog box to apply the defined
term at the system or network level and not at a particular SDG or SDG group level.
You are returned to the Add Term window.
Modifying NAT Policies
Before you can edit the policy, you must lock it by clicking the lock icon, which is available
in the policy tabular view. You can hold more than one policy lock at a given time. You
can unlock the policy by clicking the unlock icon next to the lock icon in the policy tabular
view. If you attempt to lock a policy that is already locked by another user, a message is
displayed stating that the lock is acquired by another user.
If the Edge Services Director administrator releases the lock, you will receive a warning
message stating that the lock has been released.
The Manage Policy Locks page appears showing only those locks that can be managed
by the current user. The page contains the following fields:
• Instance or Rule name
• User (IP Address)
• Lock acquired time
• Service Gateway
The policy is locked and released for the following policy operations. Also, these operations
are disabled for a policy, if the policy is locked by some other user.
• Modify
• Assign devices
• Rollback
• Delete
NOTE:
• You can unlock your policies even if they are not edited.
• If the browser crashes when the policy is still locked, the policy is unlocked
only after the timeout interval expires.
• Policy lock is not released in the following scenarios:
  • If you save or discard your changes to the locked policy.
  • If you do not make any changes to the locked policy and navigate to
    another policy.
To modify an existing CGNAT policy or filter rule:
1. From the View selector, select Gateway View. The View pane displays the devices in
the entire network organized by the device type and device models pertaining to each
device type.
2. From the View pane, select the All Network item. Expand the tree to select the device
type and device node, which denotes the SDGs in a high availability pair of SDGs or
an SDG group.
3. From the Junos Space user interface, click the Deploy icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
4. Select Service Edit from the task pane. The Service Templates page is displayed.
5. Click the plus sign (+) next to Policy and Filter to expand the tree in the task pane and
view the list of filter rules.
6. From the task pane, select CGNAT Policy and Filter to open the CGNAT and Filter page
on the right pane.
7. Select a policy, and click the Lock icon above the table of listed policies.
8. Click the Modify icon above the table of listed templates. The Modify Policy and Filter
window is displayed.
9. Modify the attributes that are needed and save the updated settings.
Creating a Deployment Plan
You must have previously defined service templates and policy or filter templates before
you can create a deployment plan.
To create a deployment plan and assign devices to it:
1. From the View selector, select Gateway View. The View pane displays the devices in
the entire network organized by the device type and device models pertaining to each
device type.
2. From the View pane, select the All Network item. Expand the tree to select the SDG
in an SDG group.
3. From the Junos Space user interface, click the Deploy icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
4. Select Service Edit from the task pane. The Service Edit page is displayed.
5. Click the right arrow next to Service Edit to expand the tree in the task pane and view
the list of filter instances.
6. From the task pane, select CGNAT Policy and Filter to open the SFW Policy and Filter
page on the right pane.
7. In the Service Edit page, from the tree that lists the SDGs, select All Service Gateways,
or the SDG or SDG pair for which you want to view the previously configured policy or
filter instances. This step is applicable only if you selected Gateway View. You can
drill-down to the SDG or pair of SDGs for which you want to process policies or filters.
8. Select a rule corresponding to an SDG, and click the Lock icon above the table of listed
policy filters.
9. Click the down arrow in the Actions menu and select Send for Deployment to create
a deployment plan for the particular service template and save the plan.
The Deployment Plan Summary dialog box appears, with the service name, type, and
status listed.
Click Send to create a deployment plan.
A deploy plan is created for the service template with the devices that are assigned
to it when you view the Deployment Plans page.
10. Alternatively, you can select Discard changes from the Actions menu to ignore the
modifications done to a policy or filter template.
11. From the Deployment plans page, you can select Reject or Approve from the Actions
drop-down list to reject or approve the deployment plan and make it available for
commissioning to the devices.
Related Documentation
• Policy and Filter Management Overview
• Packet and Service Filters Overview
• Searching for CGNAT Policies
• Searching for Packet Filters
• Searching for SFW Policies
• Managing Service and Policy Locks
• Unlocking Locked Services and Policies
• Viewing Policy and Filter Instances
Creating and Managing Packet Filter Policy Instances
You can optionally include filters associated with each service set to refine the target
and additionally process the traffic. If you include the service-set statement without a
service-filter definition, the router software assumes that the match condition is true and
selects the service set for processing automatically. To configure service filters, include
the firewall statement at the [edit] hierarchy level. You configure service filters in a similar
way to firewall filters.
If you configure match-direction input-output, sessions initiated from both directions
might match this rule.
The match direction is used with respect to the traffic flow through the AS or Multiservices
PIC. When a packet is sent to the PIC, direction information is carried along with it.
With an interface service set, packet direction is determined by whether a packet is
entering or leaving the interface on which the service set is applied.
With a next-hop service set, packet direction is determined by the interface used to route
the packet to the AS or Multiservices PIC. If the inside interface is used to route the packet,
the packet direction is input. If the outside interface is used to direct the packet to the
PIC, the packet direction is output.
On the PIC, a flow lookup is performed. If no flow is found, rule processing is performed.
Rules in this service set are considered in sequence until a match is found. During rule
processing, the packet direction is compared against rule directions. Only rules with
direction information that matches the packet direction are considered. Most packets
result in the creation of bidirectional flows.
• Creating a Packet Filter Policy
• Creating Addresses
• Creating Address Groups
• Address and Address Groups Overview
• Creating a Packet Filter Rule Term
• Creating an Application and Application Set
• Associating Interfaces With a Packet Filter Rule
• Modifying Packet Filter Policies
• Creating a Deployment Plan
Creating a Packet Filter Policy
To configure a new Packet Filter policy or filter instance:
1. From the View selector, select Gateway View. The View pane displays the devices in
the entire network organized by the device type and device models pertaining to each
device type.
2. From the View pane, select the All Network item. Expand the tree to select the device
type and device node, which denotes the SDGs in a high availability pair of SDGs or
an SDG group.
3. From the Junos Space user interface, click the Deploy icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
4. Click the right arrow beside Service Edit from the task pane to expand the tree and
view the types of service policy filters. The Rules page is displayed.
5. From the task pane, select Packet Filter Policy and Filter to open the Packet Filter
Policy and Filter page on the right pane.
6. Click the Add icon above the table of listed templates. The Create Policy and Filter
window is displayed.
7. Enter the name of the group policy in the Name field.
8. Enter a description for the group policy rules in the Description field. Edge Services
Director sends the comments entered in this field to the device.
9. In the Match Direction list, specify the direction in which the rule match is applied.
Select one of the following options:
• input—Apply the rule match on the input side of the interface.
• input-output—Apply the rule match bidirectionally.
• output—Apply the rule match on the output side of the interface.
10. In the SDG section, do the following:
• From the SDG drop-down list, select the devices with which the NAT policy must
be associated. Alternatively, you can select the high availability pair of SDG devices
with which the NAT policy must be associated. All of the devices in the different
SDG groups that were previously defined in the database are also listed in the
drop-down menu.
11. Create a Packet Filter rule term that must be added to the Packet Filter policy. For
details on configuring a Packet Filter rule term, see Creating a Packet Filter Rule Term.
12. The list of terms added, and the associated service sets and rule sets, are displayed
in a tabular format in the Create Policy and Filter page. Select the check box next to
the term you want to attach to the Packet Filter policy.
13. Click Create to save the Packet Filter policy.
14. Alternatively, click Validate in the Create Rule page to perform validation checks on
the configuration planned to be deployed to examine and correct any syntax errors
or incompatible settings.
NOTE: In the Create Policy and Filter window, you can also do the following:
• Click the Create icon displayed beside the terms or attributes to add a new
attribute. You can then use the newly defined attribute to add to a policy
to cause the same selection for a particular term to be applied across all
SDGs or groups.
• Click the Edit icon displayed beside the terms or attributes to modify an
attribute. You can then use the modified attribute to add to a policy to
cause the same selection for a particular term to be applied across all SDGs
or groups.
• Select the check box beside the SDGs or SDG groups in the Create Packet
Filter Term page to include the devices or the SDG groups in the Packet
Filter policy for association. Deselect the check boxes beside the SDGs or
groups to exclude the devices in the Packet Filter policy.
• Click the Copy to All Hosts button to apply the defined term at the system
or network level and not at a particular SDG or SDG group level.
Creating Addresses
To create an address:
1. In the Source and Destination Address Selector dialog box, to create a new address,
click the plus sign (+).
The Create Address page appears.
2. In the Object Type section, click the Address radio button to create an address.
3. In the Name field, enter a name for the new address.
4. In the Description field, enter a description for the new address.
5. Direct Edge Services Director to resolve an IP address to a hostname or resolve a
hostname to an IP address.
• To specify an IP address as the address type, select Host from the drop-down menu
and enter the IP address in the IP field.
• To specify a hostname as the address type, select Host from the drop-down menu
and enter the hostname in the Host Name field.
• To specify an IP address range, select Range from the drop-down menu and enter
the IP ranges in the Start IP and End IP fields.
• To specify a network as an address type, select Network from the drop-down menu
and enter the network address in the IP and Netmask fields.
• To specify an IP address with a wildcard mask, select Wildcard from the drop-down
menu and enter the IP address in the IP field and wildcard mask in the Wildcard
Mask field.
• To specify a DNS name as an address type, select DNS Host from the drop-down
menu and enter the DNS name in the DNS Name field.
NOTE: You can resolve an IP address to a hostname and a hostname to
an IP address using the green arrows next to the IP and Host Name fields.
NOTE: The host and network address types support both IPv4 and IPv6
address types. These address types also support multicast addresses.
However, the range address type supports only IPv4 addresses. Packet
Filter and IPsec VPNs do not support IPv6 addressing and wildcard
addresses.
NOTE: Ensure that the first 8 bits of the address are not 0 and the highest
bit of the mask is 1 when you are using the wildcard address type.
6. Click Create to create an address.
The new address appears in the Manage Address page.
Creating Address Groups
To create an address group:
1. In the Source and Destination Address Selector dialog box, to create a new address
group, click the plus sign (+).
The Create Address Group page appears.
2. Select the Object Type as Address Group.
3. In the Name field, enter a name for the new address group.
4. In the Description field, enter a description for the new address group.
5. In the Addresses field, from the Available dialog box, select the address that you want
to group, and click the right arrow to add to the Selected column.
Click All to move all the addresses to the Selected column. The address you have
selected appears in the Selected section of the dialog box.
6. Click Create.
The address group appears on the Address page.
Address and Address Groups Overview
You can use the Address Creation Wizard to create an address object that specifies an
IP address or a hostname. You can specify a hostname and use the address resolution
option to resolve it to an IP address. You can also resolve an IP address to the
corresponding hostname.
You can group address objects to form an address group using the Address Group Creation
Wizard. Junos Space creates an object in the Junos Space database to represent an
address or an address group.
Creating a Packet Filter Rule Term
To add rules to a Packet Filter policy:
1. In the Create Policy and Filter window, the list of rule terms already added, if any, to
the Packet Filter policy is displayed.
2. Next to the Terms field, click the + icon to add rules, and select the type of rule you
want to add.
Figure 39: Create a Packet Filter Rule Term Window
3. In the Term Name field, specify the name of the rule.
The list of SDGs with which you associated the Packet Filter policy in the Create Policy
window are displayed with the form and then sections or clauses. If you selected SDG
groups to associate with the Packet Filter policy, the SDG group names are displayed.
4. In the From section, do the following to specify input conditions or match criteria for
the Packet Filter term:
• In the Source Address field, click the down arrow in the list. The address selector
dialog box appears. Select the source addresses that need to be added to the Packet
Filter policy from the Available column and click the right arrow to move these
devices to the Selected column.
Click OK to confirm the selection. Click Cancel to discard your changes and return
to the Create Policy and Filter window.
To create an address or address group from the address selector dialog box, see
Creating Addresses and Creating Address Groups.
• In the Destination Address field, click the down arrow in the list. The address selector
dialog box appears. Select the destination addresses that need to be added to the
Packet Filter policy from the Available column and click the right arrow to move
these devices to the Selected column.
Click OK to confirm the selection. Click Cancel to discard your changes and return
to the Create Policy and Filter window.
To create an address or address group from the address selector dialog box, see
Creating Addresses and Creating Address Groups.
• Specify a destination port to match the rule in the Destination Port field.
• Specify a source port to match the rule in the Source Port field.
• In the Add Term page, in the Application or Application Set sections, the application
set selector dialog box is displayed. Select the applications or application sets that
need to be added to the packet filter policy rule term from the Available column
and click the right arrow to move these applications or application sets to the
Selected column.
To create a new application name or application set, see Creating Applications and
Application Sets.
• When you create a rule or filter term, and define the name of the filter, for SDGs
that are part of a high availability pair of devices, the names of the SDGs are
displayed as tabs and check boxes beside the hostnames of the SDGs are displayed.
If you want the policy or filter term definition to apply to both the SDGs, select the
check boxes next to the SDG names.
Otherwise, when you click the SDG name tab for the SDG for which you did not
select the check box, a blue highlight overlays the entire dialog box to indicate the
settings are not enabled for configuration for that specific SDG.
• Click the Copy to All Hosts button to apply the defined term at the system or network
level and not at a particular SDG or SDG group level.
• Select the name of the target application set from the Application Sets selector
dialog box. Select the application sets that need to be added from the Available
Column and click the right arrow to move the application sets to the Selected
column.
• In the Source Prefix field, click the down arrow in the list to specify the source prefix
for rule matching traffic. The address selector dialog box appears. Select the source
addresses that need to be added to the Packet Filter policy from the Available
column and click the right arrow to move these devices to the Selected column.
Click OK to confirm the selection. Click Cancel to discard your changes and return
to the Create Policy and Filter window.
To create an address or address group from the address selector dialog box, see
Creating Addresses and Creating Address Groups.
• In the Destination Prefix field, click the down arrow in the list to specify the destination
prefix for rule matching traffic. The address selector dialog box appears. Select the
source addresses that need to be added to the packet filter policy from the Available
column and click the right arrow to move these devices to the Selected column.
Click OK to confirm the selection. Click Cancel to discard your changes and return
to the Create Policy and Filter window.
To create an address or address group from the address selector dialog box, see
Creating Addresses and Creating Address Groups.
• Select the type of protocol from the Protocol drop-down menu. The Protocol selector
dialog box appears. Select the protocols you want to add from the Available column,
and click the right arrow to move them to the Selected column.
5. In the To section, do the following to specify actions or modifiers to be performed for
the Packet Filter term:
• In the Count field, specify a name for the counter that counts the matched packets.
• In the Forwarding Class list, select the name of the forwarding class that must be
used to classify the packet. Select one of the following options:
  • forwarding-class-name
  • assured-forwarding
  • best-effort
  • expedited-forwarding
  • network-control
• In the Actions field, click the down arrow in the list. Select one of the following
options:
  • accept—Accept the traffic and send it on to its destination.
  • discard—Do not accept traffic or process it further.
  • reject—Do not accept the traffic and return a rejection message. Rejected traffic
  can be logged or sampled.
  • count—Add the packet to a counter total.
  • log—Log the packet.
  • port-mirror—Port-mirror the packet.
  • sample—Sample the packet.
  • service—Forward the packet for service processing.
  • skip—Omit the packet from service processing.
• In the Protocol list, select the protocol for which packets must be classified.
• In the Routing Instance list, select the name of the configured routing instance for
the SDG or SDG group to enable the packets to be directed for processing.
• Click the Copy to All Hosts button to apply the defined term at the system or network
level and not at a particular SDG or SDG group level.
• When you create a rule or filter term, and define the name of the filter, for SDGs
that are part of a high availability pair of devices, the names of the SDGs are
displayed as tabs and check boxes beside the hostnames of the SDGs are displayed.
If you want the policy or filter term definition to apply to both the SDGs, select the
check boxes next to the SDG names.
Otherwise, when you click the SDG name tab for the SDG for which you did not
select the check box, a blue highlight overlays the entire dialog box to indicate the
settings are not enabled for configuration for that specific SDG.
• Select the Syslog check box to enable system logging. The system log information
from the Multiservices PIC is passed to the kernel for logging in the /var/log directory.
6. Click Save to create the rule. Alternatively, click Validate in the Create Rule page to
perform validation checks on the configuration planned to be deployed to examine
and correct any syntax errors or incompatible settings.
7. A new rule is added in the last row depending on the type of rule you have added. The
newly added rules blink with a different color for a few seconds. The behavior is the same
if you add a new rule before or after a rule, clone a rule, or paste a rule.
The rule is assigned a serial number based on the number of rules already added to
the policy.
Creating an Application and Application Set
To create an application and an application set for a Packet Filter rule term:
1. In the Add Term page, in the Application or Application Set sections, the application
set selector dialog box is displayed. Select the applications or application sets that
need to be added to the packet filter term from the Available column and click the
right arrow to move these application sets to the Selected column.
Associating Interfaces With a Packet Filter Rule
To associate a service set and a rule set with a Packet Filter rule term:
1. In the Create Policy and Filter page, click Associate Interfaces. The Associate Interfaces
dialog box is displayed. The SDGs and SDG groups that are part of the packet filter
rule term are shown in one column. Under the Association column, either the Configure
or Edit link appears. If you already created and mapped a service set with the particular
SDG or group, the Edit link shows.
2. Click the Configure or Edit link. The Associate Interfaces dialog box is displayed.
3. Select an interface previously configured in the Service Designer workspace from the
Interfaces list. Select the logical unit number of the interface from the Unit list. Click
Add to map the interface with the packet filter rule.
4. Click Done to save the settings. Alternatively, click Cancel to abort the changes.
5. Click Done in the Associate Interfaces dialog box. You are returned to the Add Term
window.
Modifying Packet Filter Policies
Before you can edit the policy, you must lock it by clicking the lock icon, which is available
in the policy tabular view. You can hold more than one policy lock at a given time. You
can unlock the policy by clicking the unlock icon next to the lock icon in the policy tabular
view. If you attempt to lock a policy that is already locked by another user, a message is
displayed stating that the lock is acquired by another user.
If the Edge Services Director administrator releases the lock, you will receive a warning
message stating that the lock has been released.
The Manage Policy Locks page appears showing only those locks that can be managed
by the current user. The page contains the following fields:
• Instance or Rule name
• User (IP Address)
• Lock acquired time
• Service Gateway
The policy is locked and released for the following policy operations. Also, these operations
are disabled for a policy, if the policy is locked by some other user.
• Modify
• Assign devices
• Rollback
• Delete
NOTE:
• You can unlock your policies even if they are not edited.
• If the browser crashes when the policy is still locked, the policy is unlocked
only after the timeout interval expires.
• Policy lock is not released under the following scenarios:
  • If you save or discard your changes to the locked policy.
  • If you do not make any changes to the locked policy and navigate to
  another policy.
To modify an existing Packet Filter policy or filter instance:
1. From the View selector, select Service View. The workspaces that are applicable to
this view are displayed.
2. From the Junos Space user interface, click the Deploy icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. Select Service Edit > Policy and Filter from the task pane. The Packet Filter Policies
page is displayed.
4. From the task pane, select Packet Filter Policy and Filter to open the Packet Filter and
Filter page on the right pane.
5. Select a policy, and click the Lock icon above the table of listed policies.
6. From the Service Gateway Name drop-down list, select the SDG group to which the
packet filter must be applied.
7. From the Host Name drop-down list, select the hostname of the SDG.
8. In the Select Common Components section, select the check boxes beside the service
modules or components, such as packet filters, SFW rules, or CGNAT rules, that are
displayed. The displayed components depend on the attributes that are previously
defined for that selected packet filter. For example, if the service policy is for stateful
firewall, SFW rules and SFW rule sets are shown. Select the check box beside Config
Category to select all the service components.
9. Click Save to save the modified association.
10. Select the check box beside the template you want to modify.
11. Click the Modify button above the table of listed templates. The Modify Policy and
Filter window is displayed.
12. Modify the attributes that are needed and save the updated settings.
Creating a Deployment Plan
You must have previously defined service instances and policy or filter instances before
you can create a deployment plan.
To create a deployment plan and assign devices to it:
1. From the View selector, select Gateway View or Service View. In Gateway view, the
devices in the entire network are displayed, organized by the device types and the
device models within each device type. In Service View, the different types of services
are displayed in the View pane, and the workspaces that are applicable to this view
are displayed.
2. From the Junos Space user interface, click the Deploy icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the View pane, select the All Network item in Gateway view. Click the plus sign
(+) beside the All Network item in the View pane to expand the tree and select the
device node you want. Alternatively, from the View pane, click the plus sign (+) beside
All Services to expand the tree and select the type of service.
4. From the task pane, select Service Edit. The Service Templates page is displayed.
5. If you are in Gateway view, click the plus sign (+) next to Service Edit to expand the
tree in the task pane and view the list of filter templates.
6. In the Service Edit page, from the tree that lists the SDGs, select All Service Gateways,
or the SDG or SDG pair for which you want to view the previously configured policy or
filter templates. This step is applicable only if you selected Gateway View.
The list of SDGs is displayed on the left pane. You can drill down to the SDG or pair
of SDGs for which you want to process policies or filters. The policy and filter rules are
displayed in the right pane.
7. If you are in Service View, from the View pane, select the All Services item. The Services
page is displayed.
8. From the task pane, select Deploy Service > Packet Filter. The Packet Filter Policies
page is displayed.
9. Select the check boxes next to the policy instances that you want to assign to the
plan.
10. Click the down arrow in the Actions menu and select Send for Deployment to create
a deployment plan for the particular service instance and save the plan.
• If you create a deployment plan from Gateway view of Deploy mode, the Deployment
Plan Summary dialog box appears, with the service name, type, and status listed.
Click Send to create a deployment plan.
• If you create a deployment plan from Service view of Deploy mode, the Edit Service
Instance page is displayed. You can modify the SDGs associated with the service
instance and also modify the service instance attributes as necessary by either
clicking the buttons corresponding to the various settings at the top of the wizard
page to directly traverse to the page you want to modify or clicking the navigation
buttons at the bottom of the wizard page to go to the different pages of the wizard.
Click Finish to create a deployment plan.
A deploy plan is created for the service instance with the devices that are assigned to
it when you view the Deployment Plans page.
11. From the Deployment plans page, you can select Reject or Approve from the Actions
drop-down list to reject or approve the deployment plan and make it available for
commissioning to the devices.
Related Documentation
• Policy and Filter Management Overview
• Packet and Service Filters Overview
• Searching for CGNAT Policies
• Searching for Packet Filters
• Searching for SFW Policies
• Managing Service and Policy Locks
• Unlocking Locked Services and Policies
• Viewing Policy and Filter Instances
Creating and Managing SFW Policy and Filter Instances
A stateless firewall filter, often called a firewall filter or access control list (ACL), statically
evaluates packet contents. In contrast, a stateful firewall filter, or stateful firewall policy,
uses connection state information derived from past communications and other
applications to make dynamic control decisions.
Each stateful firewall rule consists of a set of terms, similar to a filter configured at the
[edit firewall] hierarchy level. Each rule must include a match-direction statement that
specifies the direction in which the rule match is applied. To configure where the match
is applied, include the match-direction statement at the [edit services stateful-firewall
rule rule-name] hierarchy level:
[edit services stateful-firewall rule rule-name]
match-direction (input | output | input-output);
If you configure match-direction input-output, sessions initiated from both directions
might match this rule.
The match direction is used with respect to the traffic flow through the AS or Multiservices
PIC. When a packet is sent to the PIC, direction information is carried along with it.
With an interface service set, packet direction is determined by whether a packet is
entering or leaving the interface on which the service set is applied.
With a next-hop service set, packet direction is determined by the interface used to route
the packet to the AS or Multiservices PIC. If the inside interface is used to route the packet,
the packet direction is input. If the outside interface is used to direct the packet to the
PIC, the packet direction is output.
On the PIC, a flow lookup is performed. If no flow is found, rule processing is performed.
Rules in this service set are considered in sequence until a match is found. During rule
processing, the packet direction is compared against rule directions. Only rules with
direction information that matches the packet direction are considered. Most packets
result in the creation of bidirectional flows.
NOTE: Before you create a policy and filter template for packet filters, SFW,
or CGNAT services, you must have previously configured the different
elements or attributes of the service, such as service sets, interface sets, rule
sets, and syslogs during the creation of the service template. The sections in
this procedural topic that describe the creation of such service elements
apply during the creation of the service template and not during the creation
of the service policy filters, such as CGNAT or SFW policies.
• Creating an SFW Policy
• Creating a Service Set
• Creating a Syslog
• Creating a Rule
• Creating a Rule Set
• Creating Addresses
• Creating Address Groups
• Address and Address Groups Overview
• Creating an SFW Rule Term
• Creating an Application and Application Set
• Associating Service Sets and Rule Sets With an SFW Rule
• Modifying SFW Policies
• Creating a Deployment Plan
Creating an SFW Policy
To configure a new SFW policy or filter instance:
1. From the View selector, select Gateway View. The View pane displays the devices in
the entire network organized by the device type and device models pertaining to each
device type.
2. From the View pane, select the All Network item. Expand the tree to select the SDG
in an SDG group.
3. From the Junos Space user interface, click the Deploy icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
4. Select Service Edit from the task pane. The different service types are displayed in the
task pane.
5. Click the right arrow next to Service Edit in the task pane to expand the tree in the task
pane and view the list of filter instances.
6. From the task pane, select SFW Policy and Filter to open the SFW Policy and Filter
page on the right pane.
7. Click the Add icon above the table of listed templates. The Create Policy and Filter
window is displayed.
Figure 40: Create SFW Policy Window
8. Enter the name of the group policy in the Name field.
9. Enter a description for the group policy rules in the Description field. Edge Services
Director sends the comments entered in this field to the device.
10. In the Match Direction list, specify the direction in which the rule match is applied.
Select one of the following options:
• input—Apply the rule match on the input side of the interface.
• input-output—Apply the rule match bidirectionally.
• output—Apply the rule match on the output side of the interface.
11. In the SDG section, do the following:
• From the SDG drop-down list, select the devices with which the NAT policy must
be associated. Alternatively, you can select the high availability pair of SDG devices
with which the NAT policy must be associated. All of the devices in the different
SDG groups that were previously defined in the database are also listed in the
drop-down menu.
12. Create an SFW rule term that must be added to the SFW policy. For details on
configuring an SFW rule term, see Creating an SFW Rule Term.
13. The list of terms added, and the associated service sets and rule sets, are displayed
in a tabular format in the Create Policy and Filter page. Select the check box next to
the term you want to attach to the SFW policy.
14. Click Create to save the SFW policy.
15. Click Validate to perform validation checks on the configuration planned to be deployed
to examine and correct any syntax errors or incompatible settings. You can also
validate without deploying the configuration.
NOTE: In the Create Policy and Filter window, you can also do the following:
• Click the Create icon displayed beside the terms or attributes to add a new
attribute. You can then use the newly defined attribute to add to a policy
to cause the same selection for a particular term to be applied across all
SDGs or groups.
• Click the Edit icon displayed beside the terms or attributes to modify an
attribute. You can then use the modified attribute to add to a policy to
cause the same selection for a particular term to be applied across all SDGs
or groups.
• Select the check box beside the SDGs or SDG groups in the Create SFW
Term page to include the devices or the SDG groups in the SFW policy for
association. Deselect the check boxes beside the SDGs or groups to exclude
the devices in the SFW policy.
• Click the Copy to All Hosts button to apply the defined term at the system
or network level and not at a particular SDG or SDG group level.
Creating a Service Set
A service set is a collection of services to be performed by an Adaptive Services (AS) or
Multiservices PIC. To create a service set as a component for the SFW template:
1. From the View selector, select Gateway View. The View pane displays the devices in
the entire network organized by the device type and device models pertaining to each
device type.
2. From the View pane, select the All Network item. Expand the tree to select the SDG
in an SDG group.
3. From the Junos Space user interface, click the Deploy icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
4. Select Service Edit from the task pane. The different types of services are displayed
in the task pane.
5. Click the right arrow next to Service Edit to expand the tree in the task pane and view
the list of filter instances.
6. From the task pane, select SFW Policy and Filter to open the SFW and Filter page on
the right pane.
7. Click the Add icon. The Create an SFW Policy and Filter Template window appears.
8. Enter the name of the template, a description, and the direction in which the rule
match must be applied in the respective fields. Also, select the SDG or SDG pair for
which the syslog needs to be defined for the service set.
9. In the Create Policy and Filter page, click Associate Service Sets/Rule Sets. The
Associate Service Sets/Rule Sets section is displayed. The SDGs and SDG groups that
are part of the NAT policy filter rule term are shown in one column. Under the
Association column, either the Configure or Edit icon appears. If you already created
and mapped a service set with the particular SDG or group, the Edit icon shows.
10. Click the Configure or Edit icon. The Configure Service Sets/Rule Sets dialog box is
displayed.
11. From the Type drop-down list, select Service Set to map a service set with the policy
filter instance.
12. If you selected Service Set from the Type list, select a service set previously configured
in the Service Designer workspace from the Value list.
13. Click the green plus sign next to the Value drop-down list. The Addition of Service
Sets dialog box appears.
NOTE: If a green plus sign mark is shown beside a field in the dialog box,
it denotes that you can add attributes for that component. A red minus
mark shows that you can delete that particular attribute for that
component.
14. In the Name field, enter the name to identify the service set. Rules are combined into
rule sets, and are associated with a service set for each application such as firewall
or CGNAT.
15. In the Sampling Service Choices section, do one of the following:
• Click Interface Services to configure an interface-style service set. An interface
service set is used as an action modifier across an entire interface.
• In the Service Interfaces field, specify the name for the adaptive services interface
associated with an interface-wide service set.
When you have defined and grouped the service rules by configuring the service-set
definition, you can apply services to one or more interfaces installed on the router.
When you apply the service set to an interface, it automatically ensures that
packets are directed to the PIC.
• From the Load Balancing Options section, configure the high availability (HA)
options.
The following hash keys can be configured in the egress direction: destination-ip
(use the destination IP address of the flow to compute the hash used in load
balancing) and source-ip (use the source IP address of the flow to compute the
hash used in load balancing).
• Click the green tick mark beside the Egress Key element to configure the hash keys
to be used in the egress flow direction. The configuration is mandatory if you are
using AMS for Network Address Translation (NAT). This configuration is not
mandatory if you are using AMS for stateful firewall; if the hash keys are not
configured, then the defaults are chosen.
• Click the green tick mark beside the Ingress Key element to configure the hash
keys to be used in the ingress flow direction. The configuration is mandatory if
you are using AMS for Network Address Translation (NAT). This configuration is
not mandatory if you are using AMS for stateful firewall; if the hash keys are not
configured, then the defaults are chosen.
Configure the hash keys used for load balancing in aggregated multiservices (AMS)
for service applications (Network Address Translation [NAT], stateful firewall,
application-level gateway [ALG], HTTP header enrichment, and mobility). The hash
keys supported in the ingress and egress direction are the source IP address and
destination IP address.
Hash keys are used to define the load-balancing behavior among the various
members in the AMS group. For example, if hash-keys is configured as source-ip,
then the hashing would be performed based on the source IP address of the packet.
Therefore, all packets with the same source IP address land on the same member.
Hash keys must be configured with respect to the traffic direction: ingress or egress.
For example, if hash-keys is configured as source-ip in the ingress direction, then it
should be configured as destination-ip in the egress direction. This is required to
ensure that the packets of the same flow reach the same member of the AMS group.
The configuration of the ingress and egress hash keys is mandatory if you are using
AMS for NAT. This configuration is not mandatory if you are using AMS for stateful
firewall; if the hash keys are not configured, then the defaults are chosen. Refer to
Table 48 on page 232 for the supported hash keys.
The resource-triggered option enables anchor session PICs to use the load or
resource information from the anchor services PICs to select the AMS member that will
anchor the services for the subscriber for load balancing among AMS members. In
addition, for mobile subscriber-aware services (such as HTTP header enrichment),
you must configure the resource-triggered statement, which means that the load
balancing is not done using the ingress and egress keys.
Table 68: Hash Keys Supported for AMS for Service Applications

| NAT Type | Service Set at Ingress Interface: Ingress hash key | Service Set at Ingress Interface: Egress hash key | Service Set at Egress Interface: Ingress hash key | Service Set at Egress Interface: Egress hash key |
|---|---|---|---|---|
| Hash Keys for NAT | | | | |
| source static | Destination IP address | Source IP address | Source IP address | Destination IP address |
| source dynamic | Source IP address | Destination IP address | Destination IP address | Source IP address |
| Network Address Port Translation (NAPT) | Source IP address | Destination IP address | Destination IP address | Source IP address |
| destination static | Source IP address | Destination IP address | Destination IP address | Source IP address |
| Hash Keys for Stateful Firewall | | | | |
| Stateful Firewall | Destination IP address | Source IP address | Destination IP address | Source IP address |
| Stateful Firewall | Source IP address | Destination IP address | Source IP address | Destination IP address |

NOTE: If NAT is used in the service set (along with stateful firewall and
ALG), then the hash keys should be based on the NAT type; otherwise,
the hash keys of the stateful firewall should be used.
• Click Next Hop Services to configure a next-hop style service set. A next-hop service
set is a route-based method of applying a particular service. Only packets destined
for a specific next hop are serviced by the creation of explicit static routes.
• In the Inside Interface list, specify the interface type of the service interface
associated with the service set applied inside the network. For inline IP reassembly,
set the interface type to local. Also, specify the name and logical unit number of
the service interface associated with the service set applied inside the network.
When a next-hop service is configured, the AS or Multiservices PIC is considered
to be a two-legged module with one leg configured to be the inside interface
(inside the network) and the other configured as the outside interface (outside
the network).
• In the Outside Interface list, specify the interface type of the service interface
associated with the service set applied outside the network. For inline IP
reassembly, set the interface type to local. Also, specify the name and logical unit
number of the service interface associated with the service set applied outside
the network.
• In the Service Interface Pool list, select the name of the pool of logical interfaces
configured at the [edit services service-interface-pools pool pool-name] hierarchy
level. You can configure a service interface pool only if the service set has a PGCP
rule configured. The service set cannot contain any other type of rule.
• Click Sampling Services to configure a sampling service set.
• In the Service Interface field, specify the service interface, which is the interface
the sampling is taken from. In the case of a sampling service set, the service
interface must be a Multiservices PIC interface with a subunit number of 0 (zero).
The subunit number defaults to 0. The reverse-flow statement is not mandatory.
All sampled traffic is considered to be forward traffic. If you set the reverse-flow
statement, it is ignored.
Select the Replication Service check box to configure the services replication options
for inter-chassis high availability on MS-MIC and MS-MPC. This field is available
only if you selected the Junos OS 12.1 version.
• In the Replication Threshold field, specify the number of seconds for the replication
threshold. When a flow has been active for more than the number of seconds
specified as a threshold, flow state information is replicated to the backup device.
Make sure that the replication-threshold value is than the open-timeout value (the
timeout period for establishing a TCP connection). The default value of the
replication threshold is 180 seconds. This value is also the minimum.
• Select the Stateful Firewall check box to replicate stateful firewall state
information.
• Select the NAT check box to replicate NAPT44 information.
16. Select the Service Set Options check box to specify the service set options to apply
to a service set. This field is available only if you selected the Junos OS 14.1 version.
17. In the Redundancy Set ID field, specify a unique identifier in the range of 1 through 100
for the redundancy set. The redundancy group IDs that the service redundancy daemon
(srd) uses are associated with those configured for the ICCP daemon (iccpd) through
the existing ICCP configuration hierarchy by using the same redundancy group ID in
the configuration of the services redundancy group. This field is available only if you
selected the Junos OS 14.1 version.
The actions to be performed when configured redundancy events occur are defined
in redundancy policies. Redundancy policies are associated with redundancy sets;
they are analogous to rules associated with service sets. Redundancy sets are
associated to redundancy groups by redundancy group IDs. Redundancy group details
are defined by the underlying ICCPd configuration. Finally, service sets and redundancy
sets are associated through the redundancy-sets statement in service sets
configuration.
18. In the SFW Rule Sets section, select the rule set you want to associate with the service
set from the Available column and click the right arrow to move to the Selected
column.
19. In the SFW Rules section, select the rule you want to associate with the service set
from the Available column and click the right arrow to move to the Selected column.
20. In the SFW Syslogs section, select the syslog you want to associate with the service
set from the Available column and click the right arrow to move to the Selected
column.
21. Click Save to save the service instance configuration. Otherwise, click Close to discard the
changes to the template.
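The hash-key pairing rule from the load-balancing step above, as an added Python example (not Juniper code): it checks a hash-key configuration against the rules stated in this topic and simulates which AMS member each direction of a flow lands on. The modulo hash, the mapping of forward packets to the ingress direction, and the sample addresses are assumptions made for illustration; NAT is not modelled.

```python
import ipaddress

VALID_KEYS = ("source-ip", "destination-ip")

# Constructed sample flows (client, server) using documentation address ranges.
SAMPLE_FLOWS = [
    ("10.1.1.10", "203.0.113.7"),
    ("10.1.1.11", "203.0.113.7"),
    ("10.1.2.20", "198.51.100.25"),
]


def check_hash_keys(hash_keys, uses_nat):
    """Return a list of findings for an AMS hash-key configuration.

    hash_keys maps "ingress"/"egress" to "source-ip"/"destination-ip";
    a missing direction means the key is not configured.
    """
    findings = []
    for direction in ("ingress", "egress"):
        key = hash_keys.get(direction)
        if key is None:
            # Mandatory for NAT; for stateful firewall the defaults are chosen.
            if uses_nat:
                findings.append(
                    f"{direction} hash key is mandatory when AMS is used for NAT")
        elif key not in VALID_KEYS:
            findings.append(
                f"{direction} hash key {key!r} is not source-ip or destination-ip")
    ingress, egress = hash_keys.get("ingress"), hash_keys.get("egress")
    if ingress in VALID_KEYS and ingress == egress:
        findings.append(
            f"ingress and egress both hash on {ingress}; the two directions "
            "of a flow can land on different AMS members")
    return findings


def member_for(src, dst, direction, hash_keys, members):
    """Pick the AMS member index for one packet.

    Assumption: a plain modulo over the address stands in for the device's
    real hash function, which this guide does not describe.
    """
    addr = src if hash_keys[direction] == "source-ip" else dst
    return int(ipaddress.ip_address(addr)) % members


def split_flows(flows, hash_keys, members):
    """Return the flows whose forward and return packets hit different members.

    Assumption: forward packets (client to server) are seen in the ingress
    direction and return packets (server to client) in the egress direction.
    """
    split = []
    for client, server in flows:
        forward = member_for(client, server, "ingress", hash_keys, members)
        reverse = member_for(server, client, "egress", hash_keys, members)
        if forward != reverse:
            split.append((client, server))
    return split


if __name__ == "__main__":
    paired = {"ingress": "source-ip", "egress": "destination-ip"}
    same = {"ingress": "source-ip", "egress": "source-ip"}
    for label, keys in (("paired keys", paired), ("same key twice", same)):
        print(label)
        print("  findings:", check_hash_keys(keys, uses_nat=False))
        print("  split flows:", split_flows(SAMPLE_FLOWS, keys, 4))
```

With the paired keys no flow is split across members; with the same key in both directions, a flow stays on one member only when the two addresses happen to hash alike.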
Creating a Syslog
You can enable system logging. The system log information from the Adaptive Services
or Multiservices PIC is passed to the kernel for logging in the /var/log directory. This setting
overrides any syslog statement setting included in the service set or interface default
configuration.
To create a syslog for the SFW template:
1. From the View selector, select Gateway View. The View pane displays the devices in
the entire network organized by the device type and device models pertaining to each
device type.
2. From the View pane, select the All Network item. Expand the tree to select the SDG
in an SDG group.
3. From the Junos Space user interface, click the Deploy icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
4. Select Service Edit > Policy and Filter from the task pane. The Service Edit > Policy
and Filter page is displayed.
5. Click the plus sign (+) next to Policy and Filter to expand the tree in the task pane and
view the list of filter instances.
6. From the task pane, select SFW Policy and Filter to open the SFW and Filter page on
the right pane.
7. Click the Add icon. The Create an SFW Policy and Filter Template window appears.
8. Enter the name of the template, a description, and the direction in which the rule
match must be applied in the respective fields. Also, select the SDG or SDG pair for
which the syslog needs to be defined for the service set.
9. In the Create Policy and Filter page, click Associate Service Sets/Rule Sets. The
Associate Service Sets/Rule Sets section is displayed. The SDGs and SDG groups that
are part of the NAT policy filter rule term are shown in one column. Under the
Association column, either the Configure or Edit icon appears. If you already created
and mapped a service set with the particular SDG or group, the Edit icon shows.
10. Click the Configure or Edit icon. The Configure Service Sets/Rule Sets dialog box is
displayed.
11. From the Type drop-down list, select Service Set to map a service set with the policy
filter instance.
12. If you selected Service Set from the Type list, select a service set previously configured
in the Service Designer workspace from the Value list.
13. Click the green plus sign next to the Value drop-down list. The Addition of Service
Sets dialog box appears.
NOTE: If a green plus sign mark is shown beside a field in the dialog box,
it denotes that you can add attributes for that component. A red minus
mark shows that you can delete that particular attribute for that
component.
14. Click the green plus sign next to the Syslog Settings field. The Addition of Service Sets
dialog box appears.
15. In the Host field, enter the hostname for the syslog component. Specify the fully
qualified domain name or IP address for the syslog server.
16. In the Services list, specify the system logging severity level. It assigns a severity level
to the facility. Valid entries include:
• alert—Conditions that should be corrected immediately.
• any—Matches any level.
• critical—Critical conditions.
• emergency—Panic conditions.
• error—Error conditions.
• info—Informational messages.
• notice—Conditions that require special handling.
• warning—Warning messages.
17. From the Facility Override list, select the override for the default facility for system
log reporting. Valid values include:
authorization
daemon
ftp
kernel
local0 through local7
user
18. In the Log Prefix field, set the system logging prefix value for all logging to the system
log host.
19. In the Port field, specify the port number to be used for connection with the remote
syslog server.
20. In the Source Address field, specify a source address to record in system log messages
that are directed to a remote machine specified in the hostname statement. The
supported interfaces are ms, rms, and mams interfaces. If you do not specify the
interface parameter, the command loops on all supported interfaces. This field is
available only if you selected the Junos OS 14.1 version.
21. In the Class section, set the class of applications to be logged to the system log.
• alg-logs—Log application-level gateway events.
• ids-logs—Log intrusion detection system events.
• nat-logs—Log Network Address Translation events.
• packet-logs—Log general packet-related events.
• session-logs—Log session open and close events.
• session-logs open—Log session open events only.
• session-logs close—Log session close events.
• stateful-firewall-logs—Log stateful firewall events.
22. Click Save to save the service instance configuration. Otherwise, click Close to discard the
changes to the template.
Creating a Rule
To create a rule for the SFW template:
1. From the View selector, select Gateway View. The View pane displays the devices in
the entire network organized by the device type and device models pertaining to each
device type.
2. From the View pane, select the All Network item. Expand the tree to select the SDG
in an SDG group.
3. From the Junos Space user interface, click the Deploy icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
4. Select Service Edit from the task pane.
The Service Edit page is displayed.
5. Click the right arrow next to Service Edit to expand the tree in the task pane and view
the list of filter instances.
6. From the task pane, select SFW Policy and Filter to open the SFW and Filter page on
the right pane.
7. Click the Add icon.
The Create an SFW Policy and Filter Template window appears.
8. Enter the name of the template and the service instance in the respective fields.
9. Click the green plus sign in the Rules box. The Addition of Rules dialog box appears.
NOTE: If a green tick mark is shown beside a field in the dialog box, it
denotes that you can add attributes for that component. A red cross mark
shows that you can delete that particular attribute for that component.
10. From the Rule list, select one of the previously configured rules. The rules that you
configured in the Service Templates workspace for SFW, packet filter, or CGNAT are
displayed.
11. Click Save to save the service instance configuration. Otherwise, click Close to discard the
changes to the template.
Creating a Rule Set
The rule-set statement defines a collection of stateful firewall rules that determine what
actions the router software performs on packets in the data stream. You define each rule
by specifying a rule name and configuring terms. Then, you specify the order of the rules
by including the rule-set statement at the [edit services stateful-firewall] hierarchy level
with a rule statement for each rule.
The router software processes the rules in the order in which you specify them in the
configuration. If a term in a rule matches the packet, the router performs the corresponding
action and the rule processing stops. If no term in a rule matches the packet, processing
continues to the next rule in the rule set. If none of the rules matches the packet, the
packet is dropped by default.
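The processing order described here and in the match-direction discussion earlier in this topic, modelled as an added Python example (not Juniper's implementation): flow lookup first, then rules in configured order filtered by match direction, first matching term wins, and a default drop. The rule names, addresses, and the choice to install flows only for accepted packets are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Term:
    name: str
    action: str                 # "accept" or "discard"
    sources: tuple = ()         # networks; empty means any
    destinations: tuple = ()    # networks; empty means any
    dst_ports: tuple = ()       # (low, high) ranges; empty means any

    def matches(self, pkt):
        def within(addr, networks):
            ip = ipaddress.ip_address(addr)
            return not networks or any(
                ip in ipaddress.ip_network(n) for n in networks)

        port_ok = not self.dst_ports or any(
            low <= pkt.dport <= high for low, high in self.dst_ports)
        return (within(pkt.src, self.sources)
                and within(pkt.dst, self.destinations) and port_ok)


@dataclass
class Rule:
    name: str
    match_direction: str        # "input", "output" or "input-output"
    terms: list

    def applies_to(self, direction):
        return self.match_direction in (direction, "input-output")


class ServiceSet:
    def __init__(self, rule_set):
        self.rule_set = rule_set    # ordered list of Rule objects
        self.flows = set()          # established flows, both directions

    def process(self, pkt, direction):
        """Return (action, reason) for a packet with the given direction."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.flows:                   # flow lookup comes first
            return ("accept", "existing flow")
        for rule in self.rule_set:              # rules in configured order
            if not rule.applies_to(direction):  # skip rules for other direction
                continue
            for term in rule.terms:
                if term.matches(pkt):
                    if term.action == "accept":
                        # Bidirectional flow: install forward and reverse keys.
                        self.flows.add(key)
                        self.flows.add(
                            (pkt.dst, pkt.dport, pkt.src, pkt.sport))
                    return (term.action, f"{rule.name}/{term.name}")
        return ("discard", "default")           # no rule matched


def sample_rule_set():
    """Constructed rule set; names and addresses are hypothetical."""
    return [
        Rule("block-mgmt", "input", [
            Term("t1", "discard", destinations=("192.0.2.0/24",),
                 dst_ports=((22, 22),))]),
        Rule("allow-web", "input", [
            Term("t1", "accept", sources=("10.0.0.0/8",),
                 dst_ports=((80, 80), (443, 443)))]),
        Rule("allow-dns", "output", [
            Term("t1", "accept", dst_ports=((53, 53),))]),
    ]


if __name__ == "__main__":
    service_set = ServiceSet(sample_rule_set())
    web = Packet("10.1.1.10", 40000, "203.0.113.7", 443)
    reply = Packet("203.0.113.7", 443, "10.1.1.10", 40000)
    print(service_set.process(web, "input"))     # matched by allow-web/t1
    print(service_set.process(reply, "output"))  # matched by the installed flow
```

The reply packet matches no output rule on its own; it is accepted only because the forward packet created a bidirectional flow, which is why a rule's match direction describes session initiation rather than every packet of the session.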
To create a rule set for the SFW template:
1. From the View selector, select Gateway View. The View pane displays the devices in
the entire network organized by the device type and device models pertaining to each
device type.
2. From the View pane, select the All Network item. Expand the tree to select the SDG
in an SDG group.
3. From the Junos Space user interface, click the Deploy icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
4. Select Service Edit from the task pane. The Service Edit page is displayed.
5. Click the right arrow next to Service Edit to expand the tree in the task pane and view
the list of filter instances.
6. From the task pane, select SFW Policy and Filter to open the SFW and Filter page on
the right pane.
7. Click the Add icon. The Create an SFW Policy and Filter Template window appears.
8. Enter the name of the template, a description, and the direction in which the rule
match must be applied in the respective fields. Also, select the SDG or SDG pair for
which the syslog needs to be defined for the service set.
9. In the Create Policy and Filter page, click Associate Service Sets/Rule Sets. The
Associate Service Sets/Rule Sets section is displayed. The SDGs and SDG groups that
are part of the NAT policy filter rule term are shown in one column. Under the
Association column, either the Configure or Edit icon appears. If you already created
and mapped a service set with the particular SDG or group, the Edit icon shows.
10. Click the Configure or Edit icon. The Configure Service Sets/Rule Sets dialog box is
displayed.
11. From the Type drop-down list, select Service Set to map a service set with the policy
filter instance.
12. If you selected Service Set from the Type list, select a service set previously configured
in the Service Designer workspace from the Value list.
13. Click the green plus sign next to the Value drop-down list. The Addition of Service
Sets dialog box appears.
NOTE: If a green plus sign mark is shown beside a field in the dialog box,
it denotes that you can add attributes for that component. A red minus
mark shows that you can delete that particular attribute for that
component.
14. In the Name field, specify a name for the rule set the router uses when applying this
service.
15. In the Rules section, select the rules that need to be added to the rule set from the
Available column and click the right arrow to move these rules to the Selected column.
All the rules that you previously configured during the creation or modification of the
service instance are displayed.
16. Click Save to save the rule set configuration. Otherwise, click Close to discard the changes
to the template.
Creating Addresses
To create an address:
1. In the Source and Destination Address Selector dialog box, to create a new address,
click the plus sign (+).
The Create Address page appears.
2. In the Object Type section, click the Address radio button to create an address.
3. In the Name field, enter a name for the new address.
4. In the Description field, enter a description for the new address.
5. Direct Edge Services Director to resolve an IP address to a hostname or resolve a
hostname to an IP address.
• To specify an IP address as the address type, select Host from the drop-down menu
and enter the IP address in the IP field.
• To specify a hostname as the address type, select Host from the drop-down menu
and enter the hostname in the Host Name field.
• To specify an IP address range, select Range from the drop-down menu and enter
the IP ranges in the Start IP and End IP fields.
• To specify a network as an address type, select Network from the drop-down menu
and enter the network address in the IP and Netmask fields.
• To specify an IP address with a wildcard mask, select Wildcard from the drop-down
menu and enter the IP address in the IP field and wildcard mask in the Wildcard
Mask fields.
• To specify a DNS name as an address type, select DNS Host from the drop-down
menu and enter the DNS name in the DNS Name field.
NOTE: You can resolve an IP address to a hostname and a hostname to
an IP address using the green arrows next to the IP and Host Name fields.
NOTE: The host and network address types support both IPv4 and IPv6
address types. These address types also support multicast addresses.
However, the range address type supports only IPv4 addresses. NAT and
IPsec VPNs do not support IPv6 addressing and wildcard addresses.
NOTE: Ensure that the first 8 bits of the address are not 0 and the highest
bit of the mask is 1 when you are using the wildcard address type.
6. Click Create to create an address.
The new address appears in the Manage Address page.
Creating Address Groups
To create an address group:
1. In the Source and Destination Address Selector dialog box, to create a new address
group, click the plus sign (+).
The Create Address Group page appears.
2. Select the Object Type as Address Group.
3. In the Name field, enter a name for the new address group.
4. In the Description field, enter a description for the new address group.
5. In the Addresses field, from the Available dialog box, select the address that you want
to group, and click the right arrow to add to the Selected column.
Click All to move all the addresses to the Selected column. The address you have
selected appears in the Selected section of the dialog box.
6. Click Create.
The address group appears on the Address page.
Address and Address Groups Overview
You can use the Address Creation Wizard to create an address object that specifies an
IP address or a hostname. You can specify a hostname and use the address resolution
option to resolve it to an IP address. You can also resolve an IP address to the
corresponding hostname.
You can group address objects to form an address group using the Address Group Creation
Wizard. Junos Space creates an object in the Junos Space database to represent an
address or an address group.
Creating an SFW Rule Term
To add rules to an SFW policy:
1. In the Create Policy and Filter window, the list of rule terms already added to
the SFW policy, if any, is displayed.
2. Next to the Terms field, click the + icon to add rules, and select the type of rule you
want to add.
3. In the Term Name field, specify the name of the rule.
The list of SDGs with which you associated the SFW policy in the Create Policy window
is displayed with the from and then sections or clauses. If you selected SDG groups
to associate with the SFW policy, the SDG group names are displayed.
4. In the From section, do the following to specify input conditions or match criteria for
the SFW term:
• In the Source Address field, click the down arrow in the list. The address selector
dialog box appears. Select the source addresses that need to be added to the SFW
policy from the Available column and click the right arrow to move these devices
to the Selected column.
Click OK to confirm the selection. Click Cancel to discard your changes and return
to the Create Policy and Filter window.
To create an address or address group from the address selector dialog box, see
Creating Addresses and Creating Address Groups.
• In the Destination Address field, click the down arrow in the list. The address selector
dialog box appears. Select the destination addresses that need to be added to the
SFW policy from the Available column and click the right arrow to move these
devices to the Selected column.
Click OK to confirm the selection. Click Cancel to discard your changes and return
to the Create Policy and Filter window.
To create an address or address group from the address selector dialog box, see
Creating Addresses and Creating Address Groups.
• Specify a destination port to match the rule in the Destination Port field. You can
specify a range of ports by defining the upper limit and lower limit of the range in
the Start Value and End Value fields.
• In the Add Term page, in the Application or Application Set sections, the application
set selector dialog box is displayed. Select the applications or application sets that
need to be added to the SFW rule term from the Available column and click the
right arrow to move these applications or application sets to the Selected column.
To create a new application name or application set, see Creating Applications and
Application Sets.
• Click the Copy to All Hosts button to apply the defined term at the system or network
level and not at a particular SDG or SDG group level.
• When you create a rule or filter term, and define the name of the filter, for SDGs
that are part of a high availability pair of devices, the names of the SDGs are
displayed as tabs and check boxes beside the hostnames of the SDGs are displayed.
If you want the policy or filter term definition to apply to both the SDGs, select the
check boxes next to the SDG names.
Otherwise, when you click the SDG name tab for the SDG for which you did not
select the check box, a blue highlight overlays the entire dialog box to indicate the
settings are not enabled for configuration for that specific SDG.
• Select the name of the target application set from the Application Sets selector
dialog box. Select the application sets that need to be added from the Available
Column and click the right arrow to move the application sets to the Selected
column.
• In the Source Prefix field, click the down arrow in the list to specify the source prefix
for rule matching traffic. The address selector dialog box appears. Select the source
addresses that need to be added to the NAT policy from the Available column and
click the right arrow to move these devices to the Selected column.
Click OK to confirm the selection. Click Cancel to discard your changes and return
to the Create Policy and Filter window.
To create an address or address group from the address selector dialog box, see
Creating Addresses and Creating Address Groups.
• In the Destination Prefix field, click the down arrow in the list to specify the destination
prefix for rule matching traffic. The address selector dialog box appears. Select the
source addresses that need to be added to the NAT policy from the Available column
and click the right arrow to move these devices to the Selected column.
Click OK to confirm the selection. Click Cancel to discard your changes and return
to the Create Policy and Filter window.
To create an address or address group from the address selector dialog box, see
Creating Addresses and Creating Address Groups.
5. In the To section, do the following to specify actions or modifiers to be performed for
the SFW term:
• In the Actions field, click the down arrow in the list. Select one of the following
options:
accept—Accept the traffic and send it on to its destination.
discard—Do not accept traffic or process it further.
reject—Do not accept the traffic and return a rejection message. Rejected traffic
can be logged or sampled.
• Click the Copy to All Hosts button to apply the defined term at the system or network
level and not at a particular SDG or SDG group level.
• When you create a rule or filter term, and define the name of the filter, for SDGs
that are part of a high availability pair of devices, the names of the SDGs are
displayed as tabs and check boxes beside the hostnames of the SDGs are displayed.
If you want the policy or filter term definition to apply to both the SDGs, select the
check boxes next to the SDG names.
Otherwise, when you click the SDG name tab for the SDG for which you did not
select the check box, a blue highlight overlays the entire dialog box to indicate the
settings are not enabled for configuration for that specific SDG.
• Select the Syslog check box to enable system logging. The system log information
from the Multiservices PIC is passed to the kernel for logging in the /var/log directory.
This field is available only if you selected the Junos OS 14.1 version to create the
service instance.
6. A new rule is added in the last row depending on the type of rule you have added. The
newly added rules blink with a different color for a few seconds. The behavior is the same
if you add a new rule before or after a rule, clone a rule, or paste a rule.
The rule is assigned a serial number based on the number of rules already added to
the policy.
7. Click Save to create the rule. Alternatively, click Validate in the Create Rule page to
perform validation checks on the configuration planned to be deployed to examine
and correct any syntax errors or incompatible settings.
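For orientation, the fields in this procedure correspond to the from and then clauses of a Junos OS stateful firewall rule term. The following configuration is an added illustration, not output generated by Edge Services Director and not part of the original guide. The rule, term, application, and application-set names and all addresses are hypothetical, and the mapping of the Destination Port range to an application definition is an assumption.

```junos
/* Constructed example: all names and addresses are hypothetical. */
applications {
    /* Assumed mapping of the Destination Port field,
       Start Value 8080 and End Value 8090 */
    application app-web-mgmt {
        protocol tcp;
        destination-port 8080-8090;
    }
    /* Application set selected for the term */
    application-set appset-web {
        application app-web-mgmt;
    }
}
services {
    stateful-firewall {
        rule sfw-rule-example {
            match-direction input;
            term allow-web-mgmt {
                from {
                    /* Source Address field */
                    source-address {
                        198.51.100.0/24;
                    }
                    /* Destination Address field */
                    destination-address {
                        192.0.2.10/32;
                    }
                    /* Application Set selector */
                    application-sets appset-web;
                }
                then {
                    /* Actions field: accept, discard, or reject */
                    accept;
                    /* Syslog check box */
                    syslog;
                }
            }
        }
    }
}
```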
Creating an Application and Application Set
To create an application and an application set for an SFW rule term:
1. In the Add Term page, in the Application or Application Set sections, the application
set selector dialog box is displayed. Select the applications or application sets that
need to be added to the SFW rule term from the Available column and click the right
arrow to move these applications or application sets to the Selected column.
Associating Service Sets and Rule Sets With an SFW Rule
To associate a service set and a rule set with an SFW policy filter rule term:
1. In the Create Policy and Filter page, click Associate Service Sets/Rule Sets. The
Associate Service Sets/Rule Sets section is displayed. The SDGs and SDG groups that
are part of the SFW policy filter rule term are shown in one column. Under the
Association column, either the Configure or Edit icon appears. If you already created
and mapped a service set with the particular SDG or group, the Edit icon shows.
2. Click the Configure or Edit icon. The Configure Service Sets/Rule Sets dialog box is
displayed.
3. From the Type drop-down list, do either of the following:
• Select Service Set to map a service set with the policy filter instance.
• Select Rule Set to map a rule set with the policy filter instance.
Depending on whether you select service set or rule set in the Type list for
association with the policy filter instance, the options that are displayed in the Value
list beneath the Type list vary.
4. If you selected Service Set from the Type list, select a service set previously configured
in the Service Designer workspace from the Value list. If you selected Rule Set from
the Type list, select a rule set previously configured in the Service Designer workspace
from the Value list. Click Add to map the service set or rule set with the SFW policy
filter rule.
5. Click Save to save the settings. Alternatively, click Cancel to abort the changes.
6. Click Copy to All Hosts in the Associate Service Sets dialog box to apply the defined
term at the system or network level and not at a particular SDG or SDG group level.
You are returned to the Add Term window.
Modifying SFW Policies
Before you can edit the policy, you must lock it by clicking the lock icon, which is available
in the policy tabular view. You can hold more than one policy lock at a given time. You
can unlock the policy by clicking the unlock icon next to the lock icon in the policy tabular
view. If you attempt to lock a policy that is already locked by another user, a message is
displayed stating that the lock is acquired by another user.
If the Edge Services Director administrator releases the lock, you receive a warning
message stating that the lock has been released.
The Manage Policy Locks page appears showing only those locks that can be managed
by the current user. The page contains the following fields:
• Instance or Rule name
• User (IP Address)
• Lock acquired time
• Service Gateway
The policy is locked and released for the following policy operations. Also, these operations
are disabled for a policy, if the policy is locked by some other user.
• Modify
• Assign devices
• Rollback
• Delete
NOTE:
• You can unlock your policies even if they are not edited.
• If the browser crashes when the policy is still locked, the policy is unlocked
only after the timeout interval expires.
• Policy lock is not released under the following scenarios:
  • If you save or discard your changes to the locked policy.
  • If you do not make any changes to the locked policy and navigate to
  another policy.
To modify an existing SFW policy or filter instance:
1. From the View selector, select Gateway View. The workspaces that are applicable to
this view are displayed. In Gateway view, the devices in the entire network are displayed,
organized by the device types and the device models within each device type. In Service
View, the different types of services are displayed in the View pane.
2. From the Junos Space user interface, click the Deploy icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the View pane, select the All Network item in Gateway view. Click the plus sign
(+) beside the All Network item in the View pane to expand the tree and select the
device node you want.
Alternatively, from the View pane, click the plus sign (+) beside All Services to expand
the tree and select the type of service.
4. From the task pane, select Service Edit. The Service Templates page is displayed.
5. If you are in Gateway view, click the plus sign (+) next to Service Edit to expand the
tree in the task pane and view the list of filter instances.
6. From the task pane, select SFW Policy and Filter to open the SFW and Filter page on
the right pane.
7. In the Service Edit page, from the tree that lists the SDGs, select All Service Gateways,
or the SDG or SDG pair for which you want to view the previously configured policy or
filter instances. This step is applicable only if you selected Gateway View.
The page is divided into two panes. The list of SDGs is displayed in the left pane.
You can drill down to the SDG or pair of SDGs for which you want to process policies
or filters. The policy and filter rules are displayed in the right pane.
8. Select a policy, and click the Lock icon above the table of listed policies.
9. Click the Modify icon above the table of listed templates. The Modify Policy and Filter
window is displayed.
10. Modify the attributes that are needed and save the updated settings.
Creating a Deployment Plan
You must have previously defined service templates and policy or filter templates before
you can create a deployment plan.
To create a deployment plan and assign devices to it:
1. From the View selector, select Gateway View. The View pane displays the devices in
the entire network organized by the device type and device models pertaining to each
device type.
2. From the View pane, select the All Network item. Expand the tree to select the SDG
in an SDG group.
3. From the Junos Space user interface, click the Deploy icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
4. Select Service Edit from the task pane. The Service Edit page is displayed.
5. Click the right arrow next to Service Edit to expand the tree in the task pane and view
the list of filter instances.
6. From the task pane, select SFW Policy and Filter to open the SFW Policy and Filter
page on the right pane.
7. In the Service Edit page, from the tree that lists the SDGs, select All Service Gateways,
or the SDG or SDG pair for which you want to view the previously configured policy or
filter instances. This step is applicable only if you selected Gateway View. You can
drill down to the SDG or pair of SDGs for which you want to process policies or filters.
8. Select a rule corresponding to an SDG, and click the Lock icon above the table of listed
policy filters.
9. Click the down arrow in the Actions menu and select Send for Deployment to create
a deployment plan for the particular service template and save the plan.
The Deployment Plan Summary dialog box appears, with the service name, type, and
status listed.
Click Send to create a deployment plan.
A deploy plan is created for the service template with the devices that are assigned
to it when you view the Deployment Plans page.
10. Alternatively, you can select Discard changes from the Actions menu to ignore the
modifications done to a policy or filter template.
11. From the Deployment plans page, you can select Reject or Approve from the Actions
drop-down list to reject or approve the deployment plan and make it available for
commissioning to the devices.
Related Documentation
• Policy and Filter Management Overview
• Packet and Service Filters Overview
• Searching for CGNAT Policies
• Searching for Packet Filters
• Searching for SFW Policies
• Managing Service and Policy Locks
• Unlocking Locked Services and Policies
• Viewing Policy and Filter Instances
Viewing CGNAT Service Templates
To view the list of CGNAT service templates:
1. From the View selector, select Gateway View or Service View. The workspaces that
are applicable to this view are displayed. In Gateway view, the devices in the entire
network are displayed, organized by the device types and the device models within
each device type. In Service View, the different types of services are displayed in the
View pane.
2. From the Junos Space user interface, click the Deploy icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the View pane, select the All Network item in Gateway view. Click the plus sign
(+) beside the All Network item in the View pane to expand the tree and select the
device node you want.
Alternatively, from the View pane, click the plus sign (+) beside All Services to expand
the tree and select the type of service.
4. From the task pane, select Service Edit. The Service Templates page is displayed.
5. If you are in Gateway view, click the plus sign (+) next to Service Edit to expand the
tree in the task pane and view the list of filter templates.
6. If you are in Gateway View, from the task pane, select CGNAT to open the Service Edit
> CGNAT page on the right pane.
7. In the Service Edit page, from the tree that lists the SDGs, select All Service Gateways,
or the SDG or SDG pair for which you want to view the previously configured policy or
filter templates. This step is applicable only if you selected Gateway View.
The page is divided into two panes. The list of SDGs is displayed in the left pane.
You can drill down to the SDG or pair of SDGs for which you want to process policies
or filters. The policy and filter rules are displayed in the right pane.
The following fields are displayed on the Service Edit > CGNAT page:
Table 69: CGNAT Service Edit Page

| Field | Description |
|---|---|
| Instance Name | Name of the configured service template instance |
| OS Version | Junos OS release number that represents a particular revision of the software that runs on a Juniper Networks routing platform, for example, Junos OS Release 8.5, 9.1, or 9.2. Each Junos OS release has certain new features that complement the software processes that support Internet routing protocols, control the device’s interfaces and the device chassis itself, and allow device system management. |
| Group Name | Name of the SDG group |
| Reference Host | Hostname of the SDG with which the service instance is associated. |
| Applications | Name of the application protocols created for the service template. |
| Application Sets | Name of the application sets created for the service template. |
| NAT Pools | Name of the CGNAT pool created for the service template. |
| NAT Rules | Name of the CGNAT rules created for the service instance. |
| NAT Rule Sets | Name of the CGNAT rule sets created for the service template. |
| Syslogs | Name of the syslog created for the service template. |
| Deployment Plans | Name of the deployment plan with which the service template is attached. |
Viewing SFW Service Templates
To view the list of SFW service templates:
1. From the View selector, select Gateway View or Service View. The workspaces that
are applicable to this view are displayed. In Gateway view, the devices in the entire
network are displayed, organized by the device types and the device models within
each device type. In Service View, the different types of services are displayed in the
View pane.
2. From the Junos Space user interface, click the Deploy icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the View pane, select the All Network item in Gateway view. Click the plus sign
(+) beside the All Network item in the View pane to expand the tree and select the
device node you want.
Alternatively, from the View pane, click the plus sign (+) beside All Services to expand
the tree and select the type of service.
4. From the task pane, select Service Edit. The Service Templates page is displayed.
5. If you are in Gateway view, click the plus sign (+) next to Service Edit to expand the
tree in the task pane and view the list of filter templates.
6. If you are in Gateway View, from the task pane, select SFW to open the Service Edit
> SFW page on the right pane.
7. In the Service Edit page, from the tree that lists the SDGs, select All Service Gateways,
or the SDG or SDG pair for which you want to view the previously configured policy or
filter templates. This step is applicable only if you selected Gateway View.
The page is divided into two panes. The list of SDGs is displayed in the left pane.
You can drill down to the SDG or pair of SDGs for which you want to process policies
or filters. The policy and filter rules are displayed in the right pane.
The following fields are displayed on the Service Edit > SFW page:
Table 70: SFW Service Edit Page

| Field | Description |
|---|---|
| Instance Name | Name of the configured service template instance |
| OS Version | Junos OS release number that represents a particular revision of the software that runs on a Juniper Networks routing platform, for example, Junos OS Release 8.5, 9.1, or 9.2. Each Junos OS release has certain new features that complement the software processes that support Internet routing protocols, control the device’s interfaces and the device chassis itself, and allow device system management. |
| Group Name | Name of the SDG group |
| Reference Host | Hostname of the SDG with which the service instance is associated. |
| Applications | Name of the application protocols created for the service template. |
| Application Sets | Name of the application sets created for the service template. |
| SFW Rules | Name of the stateful firewall rules created for the service instance. |
| SFW Rule Sets | Name of the stateful firewall rule sets created for the service template. |
| Syslogs | Name of the syslog created for the service template. |
| Deployment Plans | Name of the deployment plan with which the service template is attached. |
Viewing and Modifying ADC Service Instances
After you create the adaptive delivery controller (ADC) software service instance to
balance user session traffic among a group of available servers that provide shared
services using the Service Designer workspace, you can view and modify the components
or elements of the service instance by using the Service Edit workspace.
You can perform the following tasks with the Service Edit page for ADC:
• View the list of configured ADC service instances.
• Modify an existing ADC service instance to meet the network needs and deployment
scenarios.
• Delete an existing template.
• Transfer the service instance for deployment on a device.
• Discard the changes made to a service instance.

• Viewing ADC Service Instances
• Modifying ADC Service Instances
• Creating a Deploy Plan and Provisioning Services Immediately
• Filtering ADC Service Instances
• Managing ADC Service Instance Locks
• Unlocking Locked ADC Service Instances
Viewing ADC Service Instances
To view the list of ADC service instances:
1. From the View selector, select Gateway View or Service View. The workspaces that
are applicable to this view are displayed. In Gateway view, the devices in the entire
network are displayed, organized by the device types and the device models within
each device type. In Service View, the different types of services are displayed in the
View pane.
2. From the Junos Space user interface, click the Deploy icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the View pane, select the All Network item in Gateway view. Click the plus sign
(+) beside the All Network item in the View pane to expand the tree and select the
device node you want.
Alternatively, from the View pane, click the plus sign (+) beside All Services to expand
the tree and select the type of service.
4. From the task pane, select Service Edit. The Service Instances page is displayed.
5. If you are in Gateway view, click the plus sign (+) next to Service Edit to expand the
tree in the task pane and view the list of filter templates.
6. If you are in Gateway View, from the task pane, select ADC to open the Service Edit >
ADC page on the right pane.
7. In the Service Edit page, from the tree that lists the SDGs, select All Service Gateways,
or the SDG or SDG pair for which you want to view the previously configured policy or
filter templates. This step is applicable only if you selected Gateway View.
The page is divided into two panes. The list of SDGs is displayed in the left pane.
You can drill down to the SDG or pair of SDGs for which you want to process policies
or filters. The policy and filter rules are displayed in the right pane.
The following fields are displayed on the Service Edit > ADC page:
Table 71: ADC Service Edit Page
Field
SDG Host
Instance Name
OS Version
Group Name
Reference Host
Real Servers
Health Check Sources
Custom Health Checks
Groups
Virtual Servers
Deployment Plans
Select a policy or a filter and click the Expand All icon, and all rules corresponding to that
policy or filter are expanded.
Select a policy or filter and click the Collapse All icon to collapse all rules.
Enter the term that you want to specify as the filter criterion in the Filter field and click
the Filter icon to sort and display only the services that are of interest.
Modifying ADC Service Instances
On the Service Designer page, you can view the collection of service instances defined
for several applications, such as stateful firewall or CGNAT.
To modify service instances, such as ADC, SFW, CGNAT, or TLB templates:
1. From the View selector, select Gateway View or Service View. The workspaces that
are applicable to this view are displayed. In Gateway view, the devices in the entire
network are displayed, organized by the device types and the device models within
each device type. In Service View, the different types of services are displayed in the
View pane.
2. From the Junos Space user interface, click the Deploy icon on the Edge Services Director
banner.
The functionalities that you can configure in this mode are displayed in the task pane.
3. From the View pane, select the All Network item in Gateway view. Click the plus sign
(+) beside the All Network item in the View pane to expand the tree and select the
device node you want.
Alternatively, from the View pane, click the plus sign (+) beside All Services to expand
the tree and select the type of service.
4. From the task pane, select Service Edit. The Service Instances page is displayed.
5. If you are in Gateway view, click the plus sign (+) next to Service Edit to expand the
tree in the task pane and view the list of filter templates.
6. In the Service Edit page, from the tree that lists the SDGs, select All Service Gateways,
or the SDG or SDG pair for which you want to view the previously configured policy or
filter templates. This step is applicable only if you selected Gateway View.
The page is divided into two panes. The list of SDGs is displayed in the left pane.
You can drill down to the SDG or pair of SDGs for which you want to process policies
or filters. The policy and filter rules are displayed in the right pane.
7. Alternatively, from the View selector, select Service View. The workspaces that are
applicable to this view are displayed. From the Junos Space user interface, click the
Build icon on the Edge Services Director banner.
The functionalities that you can configure in this mode are displayed in the task pane.
Click the plus sign in the View pane to expand the All Services tree and select the type
of service. From the task pane, select Manage Service Instances.
The Service Ins