config guide system basics

Junos ® OS System Basics Configuration Guide Release 11.2 Published: 2011-05-17 Copyright © 2011, Juniper Networks, Inc.

Upload: riley-clint-bauer

Post on 29-Nov-2014


Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net

This product includes the Envoy SNMP Engine, developed by Epilogue Technology, an Integrated Systems Company. Copyright 1986-1997, Epilogue Technology Corporation. All rights reserved. This program and its documentation were developed at private expense, and no part of them is in the public domain.

This product includes memory allocation software developed by Mark Moraes, copyright 1988, 1989, 1993, University of Toronto.

This product includes FreeBSD software developed by the University of California, Berkeley, and its contributors. All of the documentation and software included in the 4.4BSD and 4.4BSD-Lite Releases is copyrighted by the Regents of the University of California. Copyright 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994. The Regents of the University of California. All rights reserved.

GateD software copyright 1995, the Regents of the University. All rights reserved. Gate Daemon was originated and developed through release 3.0 by Cornell University and its collaborators. Gated is based on Kirton's EGP, UC Berkeley's routing daemon (routed), and DCN's HELLO routing protocol. Development of Gated has been supported in part by the National Science Foundation. Portions of the GateD software copyright 1988, Regents of the University of California. All rights reserved. Portions of the GateD software copyright 1991, D. L. S. Associates.

This product includes software developed by Maker Communications, Inc., copyright 1996, 1997, Maker Communications, Inc.

Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.

Junos OS System Basics Configuration Guide Release 11.2 Copyright 2011, Juniper Networks, Inc. All rights reserved.

Revision History

April 2011: R1 Junos OS 11.2

The information in this document is current as of the date listed in the revision history.

YEAR 2000 NOTICE

Juniper Networks hardware and software products are Year 2000 compliant. The Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.

END USER LICENSE AGREEMENT

READ THIS END USER LICENSE AGREEMENT ("AGREEMENT") BEFORE DOWNLOADING, INSTALLING, OR USING THE SOFTWARE. BY DOWNLOADING, INSTALLING, OR USING THE SOFTWARE OR OTHERWISE EXPRESSING YOUR AGREEMENT TO THE TERMS CONTAINED HEREIN, YOU (AS CUSTOMER OR IF YOU ARE NOT THE CUSTOMER, AS A REPRESENTATIVE/AGENT AUTHORIZED TO BIND THE CUSTOMER) CONSENT TO BE BOUND BY THIS AGREEMENT. IF YOU DO NOT OR CANNOT AGREE TO THE TERMS CONTAINED HEREIN, THEN (A) DO NOT DOWNLOAD, INSTALL, OR USE THE SOFTWARE, AND (B) YOU MAY CONTACT JUNIPER NETWORKS REGARDING LICENSE TERMS.

1. The Parties. The parties to this Agreement are (i) Juniper Networks, Inc. (if the Customer's principal office is located in the Americas) or Juniper Networks (Cayman) Limited (if the Customer's principal office is located outside the Americas) (such applicable entity being referred to herein as "Juniper"), and (ii) the person or organization that originally purchased from Juniper or an authorized Juniper reseller the applicable license(s) for use of the Software ("Customer") (collectively, the "Parties").

2. The Software. In this Agreement, "Software" means the program modules and features of the Juniper or Juniper-supplied software, for which Customer has paid the applicable license or support fees to Juniper or an authorized Juniper reseller, or which was embedded by Juniper in equipment which Customer purchased from Juniper or an authorized Juniper reseller. "Software" also includes updates, upgrades and new releases of such software. "Embedded Software" means Software which Juniper has embedded in or loaded onto the Juniper equipment and any updates, upgrades, additions or replacements which are subsequently embedded in or loaded onto the equipment.

3. License Grant. Subject to payment of the applicable fees and the limitations and restrictions set forth herein, Juniper grants to Customer a non-exclusive and non-transferable license, without right to sublicense, to use the Software, in executable form only, subject to the following use restrictions:

a. Customer shall use Embedded Software solely as embedded in, and for execution on, Juniper equipment originally purchased by Customer from Juniper or an authorized Juniper reseller.

b. Customer shall use the Software on a single hardware chassis having a single processing unit, or as many chassis or processing units for which Customer has paid the applicable license fees; provided, however, with respect to the Steel-Belted Radius or Odyssey Access Client software only, Customer shall use such Software on a single computer containing a single physical random access memory space and containing any number of processors. Use of the Steel-Belted Radius or IMS AAA software on multiple computers or virtual machines (e.g., Solaris zones) requires multiple licenses, regardless of whether such computers or virtualizations are physically contained on a single chassis.

c. Product purchase documents, paper or electronic user documentation, and/or the particular licenses purchased by Customer may specify limits to Customer's use of the Software. Such limits may restrict use to a maximum number of seats, registered endpoints, concurrent users, sessions, calls, connections, subscribers, clusters, nodes, realms, devices, links, ports or transactions, or require the purchase of separate licenses to use particular features, functionalities, services, applications, operations, or capabilities, or provide throughput, performance, configuration, bandwidth, interface, processing, temporal, or geographical limits. In addition, such limits may restrict the use of the Software to managing certain kinds of networks or require the Software to be used only in conjunction with other specific Software. Customer's use of the Software shall be subject to all such limitations and purchase of all applicable licenses.

d. For any trial copy of the Software, Customer's right to use the Software expires 30 days after download, installation or use of the Software. Customer may operate the Software after the 30-day trial period only if Customer pays for a license to do so. Customer may not extend or create an additional trial period by re-installing the Software after the 30-day trial period.

e. The Global Enterprise Edition of the Steel-Belted Radius software may be used by Customer only to manage access to Customer's enterprise network. Specifically, service provider customers are expressly prohibited from using the Global Enterprise Edition of the Steel-Belted Radius software to support any commercial network access services.

The foregoing license is not transferable or assignable by Customer. No license is granted herein to any user who did not originally purchase the applicable license(s) for the Software from Juniper or an authorized Juniper reseller.

4. Use Prohibitions. Notwithstanding the foregoing, the license provided herein does not permit the Customer to, and Customer agrees not to and shall not: (a) modify, unbundle, reverse engineer, or create derivative works based on the Software; (b) make unauthorized copies of the Software (except as necessary for backup purposes); (c) rent, sell, transfer, or grant any rights in and to any copy of the Software, in any form, to any third party; (d) remove any proprietary notices, labels, or marks on or in any copy of the Software or any product in which the Software is embedded; (e) distribute any copy of the Software to any third party, including as may be embedded in Juniper equipment sold in the secondhand market; (f) use any locked or key-restricted feature, function, service, application, operation, or capability without first purchasing the applicable license(s) and obtaining a valid key from Juniper, even if such feature, function, service, application, operation, or capability is enabled without a key; (g) distribute any key for the Software provided by Juniper to any third party; (h) use the Software in any manner that extends or is broader than the uses purchased by Customer from Juniper or an authorized Juniper reseller; (i) use Embedded Software on non-Juniper equipment; (j) use Embedded Software (or make it available for use) on Juniper equipment that the Customer did not originally purchase from Juniper or an authorized Juniper reseller; (k) disclose the results of testing or benchmarking of the Software to any third party without the prior written consent of Juniper; or (l) use the Software in any manner other than as expressly provided herein.

5. Audit. Customer shall maintain accurate records as necessary to verify compliance with this Agreement. Upon request by Juniper, Customer shall furnish such records to Juniper and certify its compliance with this Agreement.

6. Confidentiality. The Parties agree that aspects of the Software and associated documentation are the confidential property of Juniper. As such, Customer shall exercise all reasonable commercial efforts to maintain the Software and associated documentation in confidence, which at a minimum includes restricting access to the Software to Customer employees and contractors having a need to use the Software for Customer's internal business purposes.

7. Ownership. Juniper and Juniper's licensors, respectively, retain ownership of all right, title, and interest (including copyright) in and to the Software, associated documentation, and all copies of the Software. Nothing in this Agreement constitutes a transfer or conveyance of any right, title, or interest in the Software or associated documentation, or a sale of the Software, associated documentation, or copies of the Software.

8. Warranty, Limitation of Liability, Disclaimer of Warranty. The warranty applicable to the Software shall be as set forth in the warranty statement that accompanies the Software (the "Warranty Statement"). Nothing in this Agreement shall give rise to any obligation to support the Software. Support services may be purchased separately. Any such support shall be governed by a separate, written support services agreement. TO THE MAXIMUM EXTENT PERMITTED BY LAW, JUNIPER SHALL NOT BE LIABLE FOR ANY LOST PROFITS, LOSS OF DATA, OR COSTS OR PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR FOR ANY SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, THE SOFTWARE, OR ANY JUNIPER OR JUNIPER-SUPPLIED SOFTWARE. IN NO EVENT SHALL JUNIPER BE LIABLE FOR DAMAGES ARISING FROM UNAUTHORIZED OR IMPROPER USE OF ANY JUNIPER OR JUNIPER-SUPPLIED SOFTWARE. EXCEPT AS EXPRESSLY PROVIDED IN THE WARRANTY STATEMENT TO THE EXTENT PERMITTED BY LAW, JUNIPER DISCLAIMS ANY AND ALL WARRANTIES IN AND TO THE SOFTWARE (WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE), INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT DOES JUNIPER WARRANT THAT THE SOFTWARE, OR ANY EQUIPMENT OR NETWORK RUNNING THE SOFTWARE, WILL OPERATE WITHOUT ERROR OR INTERRUPTION, OR WILL BE FREE OF VULNERABILITY TO INTRUSION OR ATTACK. In no event shall Juniper's or its suppliers' or licensors' liability to Customer, whether in contract, tort (including negligence), breach of warranty, or otherwise, exceed the price paid by Customer for the Software that gave rise to the claim, or if the Software is embedded in another Juniper product, the price paid by Customer for such other product. Customer acknowledges and agrees that Juniper has set its prices and entered into this Agreement in reliance upon the disclaimers of warranty and the limitations of liability set forth herein, that the same reflect an allocation of risk between the Parties (including the risk that a contract remedy may fail of its essential purpose and cause consequential loss), and that the same form an essential basis of the bargain between the Parties.

9. Termination. Any breach of this Agreement or failure by Customer to pay any applicable fees due shall result in automatic termination of the license granted herein. Upon such termination, Customer shall destroy or return to Juniper all copies of the Software and related documentation in Customer's possession or control.

10. Taxes. All license fees payable under this agreement are exclusive of tax. Customer shall be responsible for paying Taxes arising from the purchase of the license, or importation or use of the Software. If applicable, valid exemption documentation for each taxing jurisdiction shall be provided to Juniper prior to invoicing, and Customer shall promptly notify Juniper if their exemption is revoked or modified. All payments made by Customer shall be net of any applicable withholding tax. Customer will provide reasonable assistance to Juniper in connection with such withholding taxes by promptly: providing Juniper with valid tax receipts and other required documentation showing Customer's payment of any withholding taxes; completing appropriate applications that would reduce the amount of withholding tax to be paid; and notifying and assisting Juniper in any audit or tax proceeding related to transactions hereunder. Customer shall comply with all applicable tax laws and regulations, and Customer will promptly pay or reimburse Juniper for all costs and damages related to any liability incurred by Juniper as a result of Customer's non-compliance or delay with its responsibilities herein. Customer's obligations under this Section shall survive termination or expiration of this Agreement.

11. Export. Customer agrees to comply with all applicable export laws and restrictions and regulations of any United States and any applicable foreign agency or authority, and not to export or re-export the Software or any direct product thereof in violation of any such restrictions, laws or regulations, or without all necessary approvals. Customer shall be liable for any such violations. The version of the Software supplied to Customer may contain encryption or other capabilities restricting Customer's ability to export the Software without an export license.

iv

Copyright 2011, Juniper Networks, Inc.

12. Commercial Computer Software. The Software is "commercial computer software" and is provided with restricted rights. Use, duplication, or disclosure by the United States government is subject to restrictions set forth in this Agreement and as provided in DFARS 227.7201 through 227.7202-4, FAR 12.212, FAR 27.405(b)(2), FAR 52.227-19, or FAR 52.227-14(ALT III) as applicable.

13. Interface Information. To the extent required by applicable law, and at Customer's written request, Juniper shall provide Customer with the interface information needed to achieve interoperability between the Software and another independently created program, on payment of applicable fee, if any. Customer shall observe strict obligations of confidentiality with respect to such information and shall use such information in compliance with any applicable terms and conditions upon which Juniper makes such information available.

14. Third Party Software. Any licensor of Juniper whose software is embedded in the Software and any supplier of Juniper whose products or technology are embedded in (or services are accessed by) the Software shall be a third party beneficiary with respect to this Agreement, and such licensor or vendor shall have the right to enforce this Agreement in its own name as if it were Juniper. In addition, certain third party software may be provided with the Software and is subject to the accompanying license(s), if any, of its respective owner(s). To the extent portions of the Software are distributed under and subject to open source licenses obligating Juniper to make the source code for such portions publicly available (such as the GNU General Public License ("GPL") or the GNU Library General Public License ("LGPL")), Juniper will make such source code portions (including Juniper modifications, as appropriate) available upon request for a period of up to three years from the date of distribution. Such request can be made in writing to Juniper Networks, Inc., 1194 N. Mathilda Ave., Sunnyvale, CA 94089, ATTN: General Counsel. You may obtain a copy of the GPL at http://www.gnu.org/licenses/gpl.html, and a copy of the LGPL at http://www.gnu.org/licenses/lgpl.html.

15. Miscellaneous. This Agreement shall be governed by the laws of the State of California without reference to its conflicts of laws principles. The provisions of the U.N. Convention for the International Sale of Goods shall not apply to this Agreement. For any disputes arising under this Agreement, the Parties hereby consent to the personal and exclusive jurisdiction of, and venue in, the state and federal courts within Santa Clara County, California. This Agreement constitutes the entire and sole agreement between Juniper and the Customer with respect to the Software, and supersedes all prior and contemporaneous agreements relating to the Software, whether oral or written (including any inconsistent terms contained in a purchase order), except that the terms of a separate written agreement executed by an authorized Juniper representative and Customer shall govern to the extent such terms are inconsistent or conflict with terms contained herein. No modification to this Agreement nor any waiver of any rights hereunder shall be effective unless expressly assented to in writing by the party to be charged. If any portion of this Agreement is held invalid, the Parties agree that such invalidity shall not affect the validity of the remainder of this Agreement. This Agreement and associated documentation has been written in the English language, and the Parties agree that the English version will govern. (For Canada: Les parties aux présentés confirment leur volonté que cette convention de même que tous les documents y compris tout avis qui s'y rattaché, soient redigés en langue anglaise. (Translation: The parties confirm that this Agreement and all related documentation is and will be in the English language)).

Copyright 2011, Juniper Networks, Inc.

v

vi

Copyright 2011, Juniper Networks, Inc.

Abbreviated Table of Contents

About This Guide

Part 1: Overview
Chapter 1: Introduction to Junos OS
Chapter 2: Junos Configuration Basics

Part 2: System Management
Chapter 3: System Management Overview
Chapter 4: System Management Configuration Statements
Chapter 5: Configuring Basic System Management
Chapter 6: Configuring User Access
Chapter 7: Configuring System Authentication
Chapter 8: Configuring Time
Chapter 9: Configuring System Log Messages
Chapter 10: Configuring System Services
Chapter 11: Configuring Miscellaneous System Management Features
Chapter 12: Security Configuration Example
Chapter 13: Summary of System Management Configuration Statements

Part 3: Access
Chapter 14: Configuring Access
Chapter 15: Summary of Access Configuration Statements

Part 4: Security Services
Chapter 16: Security Services Overview
Chapter 17: Security Services Configuration Guidelines
Chapter 18: Summary of Security Services Configuration Statements

Part 5: Router Chassis
Chapter 19: Router Chassis Configuration Guidelines
Chapter 20: Summary of Router Chassis Configuration Statements

Part 6: Index
Index
Index of Statements and Commands

Table of Contents

About This Guide
Junos OS Documentation and Release Notes
Objectives
Audience
Supported Platforms
Using the Indexes
Using the Examples in This Manual
Merging a Full Example
Merging a Snippet
Documentation Conventions
Documentation Feedback
Requesting Technical Support
Self-Help Online Tools and Resources
Opening a Case with JTAC

Part 1: Overview

Chapter 1: Introduction to Junos OS
Junos OS Overview
Junos OS Architecture Overview
Product Architecture
Routing Process Architecture
Packet Forwarding Engine
Routing Engine
Router Hardware Components
Junos OS Commit Model for Router or Switch Configuration
Junos OS Routing Engine Components and Processes
Routing Engine Kernel
Initialization Process
Management Process
Process Limits
Routing Protocol Process
Interface Process
Chassis Process
SNMP and MIB II Processes
Junos OS Support for IPv4 Routing Protocols
Junos OS Support for IPv6 Routing Protocols
Junos OS Routing and Forwarding Tables
Routing Policy Overview
Junos OS Support for VPNs

Chapter 2: Junos Configuration Basics
Junos OS Configuration Basics
Junos OS Configuration from External Devices
Methods for Configuring Junos OS
Junos OS Command-Line Interface (CLI)
ASCII File
J-Web Package
Junos XML Management Protocol Software
NETCONF XML Management Protocol Software
Configuration Commit Scripts
Configuring a Router for the First Time
Initial Router or Switch Configuration Using the Junos OS
Configuring the Junos OS for the First Time on a Router or Switch with a Single Routing Engine
Configuring the Junos OS the First Time on a Router with Dual Routing Engines
Junos OS Default Settings for Router Security
Junos OS Configuration Using the CLI
Activation of the Junos OS Candidate Configuration
Disk Space Management for Junos OS Installation
Junos OS Tools for Monitoring the Router
Junos OS Features for Router Security
Methods of Remote Access for Router Management
Junos OS Supported Protocols and Methods for User Authentication
Junos OS Plain-Text Password Requirements
Junos OS Support for Routing Protocol Security Features and IPsec
Junos OS Support for Firewall Filters
Junos OS Auditing Support for Security
Upgrading to 64-bit Junos OS

Part 2: System Management

Chapter 3: System Management Overview
Format for Specifying IP Addresses, Network Masks, and Prefixes in Junos OS Configuration Statements
Format for Specifying Filenames and URLs in Junos OS CLI Commands
Default Directories for Junos OS File Storage on the Router or Switch
Directories on the Logical System
Junos OS Tracing and Logging Operations
Junos OS Authentication Methods for Routing Protocols
Junos OS User Authentication Methods

Chapter 4: System Management Configuration Statements
System Management Configuration Statements

Chapter 5: Configuring Basic System Management
Configuring Basic Router or Switch Properties
Configuring the Hostname of the Router or Switch
Mapping the Name of the Router to IP Addresses
Configuring an ISO System Identifier for the Router
Example: Configuring the Name of the Router, IP Address, and System ID
Configuring the Domain Name for the Router or Switch
Example: Configuring the Domain Name for the Router or Switch
Configuring the Domains to Search When a Router or Switch Is Included in Multiple Domains
Configuring a DNS Name Server for Resolving a Hostname into Addresses
Configuring a Backup Router
Configuring a Backup Router Running IPv4
Configuring a Backup Router Running IPv6
Configuring Automatic Mirroring of the CompactFlash Card on the Hard Disk Drive
Configuring the Physical Location of the Router or Switch
Configuring the Root Password
Example: Configuring the Root Password
Example: Configuring a Plain-Text Password for Root Logins
Example: Configuring SSH Authentication for Root Logins
Special Requirements for Junos OS Plain-Text Passwords
Changing the Requirements for Junos OS Plain-Text Passwords
Example: Changing the Requirements for Junos OS Plain-Text Passwords
Configuring Multiple Routing Engines to Synchronize Committed Configurations Automatically
Compressing the Current Configuration File

Chapter 6

Configuring User Access

Junos OS Login Classes Overview
Defining Junos OS Login Classes
Junos OS User Accounts Overview
Configuring Junos OS User Accounts
Example: Configuring User Accounts
Limiting the Number of User Login Attempts for SSH and Telnet Sessions
Example: Limiting the Number of Login Attempts for SSH and Telnet Sessions
Configuring Time-Based User Access
Examples: Configuring Time-Based User Access
Junos-FIPS Crypto Officer and User Accounts Overview
Crypto Officer User Configuration
FIPS User Configuration
Junos OS Access Privilege Levels Overview
Junos OS Login Class Permission Flags
Allowing or Denying Individual Commands for Junos OS Login Classes
Configuring Access Privilege Levels
Example: Configuring Access Privilege Levels
Specifying Access Privileges for Junos OS Operational Mode Commands
Regular Expressions for Allowing and Denying Junos OS Operational Mode Commands
Example: Configuring Access Privileges for Operational Mode Commands

Specifying Access Privileges for Junos OS Configuration Mode Hierarchies
Example: Specifying Access Privileges Using Allow or Deny Configuration with Regular Expressions
Regular Expressions for Allowing and Denying Junos OS Configuration Mode Hierarchies
Configuring the Timeout Value for Idle Login Sessions
Configuring CLI Tips

Chapter 7

Configuring System Authentication

Configuring RADIUS Authentication
Configuring RADIUS Server Details
Configuring MS-CHAPv2 for Password-Change Support
Specifying a Source Address for the Junos OS to Access External RADIUS Servers
Juniper Networks Vendor-Specific RADIUS Attributes
Configuring TACACS+ Authentication
Configuring TACACS+ Server Details
Specifying a Source Address for the Junos OS to Access External TACACS+ Servers
Configuring the Same Authentication Service for Multiple TACACS+ Servers
Configuring Juniper Networks Vendor-Specific TACACS+ Attributes
Juniper Networks Vendor-Specific TACACS+ Attributes
Overview of Template Accounts for RADIUS and TACACS+ Authentication
Configuring Remote Template Accounts for User Authentication
Configuring Local User Template Accounts for User Authentication
Using Regular Expressions on a RADIUS or TACACS+ Server to Allow or Deny Access to Commands
Junos OS Authentication Order for RADIUS, TACACS+, and Password Authentication
Using RADIUS or TACACS+ Authentication
Using Local Password Authentication
Order of Authentication Attempts
Configuring the Junos OS Authentication Order for RADIUS, TACACS+, and Local Password Authentication
Example: Configuring System Authentication for RADIUS, TACACS+, and Password Authentication
Recovering the Root Password

Chapter 8

Configuring Time

Modifying the Default Time Zone for a Router or Switch Running Junos OS
NTP Overview
Synchronizing and Coordinating Time Distribution Using NTP
Configuring NTP
Configuring the NTP Boot Server
Specifying a Source Address for an NTP Server
NTP Time Server and Time Services Overview
Configuring the NTP Time Server and Time Services
Configuring the Router or Switch to Operate in Client Mode
Configuring the Router or Switch to Operate in Symmetric Active Mode

Configuring the Router or Switch to Operate in Broadcast Mode
Configuring the Router or Switch to Operate in Server Mode
Configuring NTP Authentication Keys
Configuring the Router or Switch to Listen for Broadcast Messages Using NTP
Configuring the Router or Switch to Listen for Multicast Messages Using NTP
Setting a Custom Time Zone on Routers or Switches Running Junos OS
Importing and Installing Time Zone Files
Configuring a Custom Time Zone

Chapter 9

Configuring System Log Messages

Junos OS System Log Configuration Overview
Junos OS System Log Configuration Statements
Junos OS Minimum and Default System Logging Configuration
Junos OS Minimum System Logging Configuration
Junos OS Default System Log Settings
Junos OS Platform-Specific Default System Log Messages
Single-Chassis System Logging Configuration
Single-Chassis System Logging Configuration Overview
Specifying the Facility and Severity of Messages to Include in the Log
Junos OS System Logging Facilities and Message Severity Levels
Directing System Log Messages to a Log File
Logging Messages in Structured-Data Format
Directing System Log Messages to a User Terminal
Directing System Log Messages to the Console
System Logging on a Remote Machine or the Other Routing Engine
Directing System Log Messages to a Remote Machine or the Other Routing Engine
Specifying an Alternative Source Address for System Log Messages
Changing the Alternative Facility Name for Remote System Log Messages
System Log Default Facilities for Messages Directed to a Remote Destination
Junos OS System Log Alternate Facilities for Remote Logging
Examples: Assigning an Alternative Facility
Adding a Text String to System Log Messages
Specifying Log File Size, Number, and Archiving Properties
Including Priority Information in System Log Messages
System Log Facility Codes and Numerical Codes Reported in Priority Information
Including the Year or Millisecond in Timestamps
Using Regular Expressions to Refine the Set of Logged Messages
Junos System Log Regular Expression Operators for the match Statement
Disabling the System Logging of a Facility
Examples: Configuring System Logging

System Logging Configuration for a TX Matrix Router
Configuring System Logging for a TX Matrix Router
Configuring Message Forwarding to the TX Matrix Router
Impact of Different Local and Forwarded Severity Levels on System Log Messages on a TX Matrix Router
Messages Logged When the Local and Forwarded Severity Levels Are the Same
Messages Logged When the Local Severity Level Is Lower
Messages Logged When the Local Severity Level Is Higher
Configuring Optional Features for Forwarded Messages on a TX Matrix Router
Including Priority Information in Forwarded Messages
Adding a Text String to Forwarded Messages
Using Regular Expressions to Refine the Set of Forwarded Messages
Directing Messages to a Remote Destination from the Routing Matrix Based on the TX Matrix Router
Configuring System Logging Differently on Each T640 Router in a Routing Matrix
System Logging Configuration for a TX Matrix Plus Router
Configuring System Logging for a TX Matrix Plus Router
Configuring Message Forwarding to the TX Matrix Plus Router
Impact of Different Local and Forwarded Severity Levels on System Log Messages on a TX Matrix Plus Router
Messages Logged When the Local and Forwarded Severity Levels Are the Same
Messages Logged When the Local Severity Level Is Lower
Messages Logged When the Local Severity Level Is Higher
Configuring Optional Features for Forwarded Messages on a TX Matrix Plus Router
Including Priority Information in Forwarded Messages
Adding a Text String to Forwarded Messages
Using Regular Expressions to Refine the Set of Forwarded Messages
Directing Messages to a Remote Destination from the Routing Matrix Based on a TX Matrix Plus Router
Configuring System Logging Differently on Each T1600 Router in a Routing Matrix

Chapter 10

Configuring System Services

System Services Overview
Configuring clear-text or SSL Service for Junos XML Protocol Client Applications
Configuring clear-text Service for Junos XML Protocol Client Applications
Configuring SSL Service for Junos XML Protocol Client Applications
Configuring the Router, Switch, or Interface to Act as a DHCP Server on J Series Services Routers and EX Series Ethernet Switches
DHCP Access Service Overview
Network Address Assignments (Allocating a New Address)
Network Address Assignments (Reusing a Previously Assigned Address)
Static and Dynamic Bindings
Compatibility with Autoinstallation
Conflict Detection and Resolution
DHCP Statement Hierarchy and Inheritance
Configuring Address Pools for DHCP Dynamic Bindings
Configuring Manual (Static) DHCP Bindings Between a Fixed IP Address and a Client MAC Address
Specifying DHCP Lease Times for IP Address Assignments
Configuring a DHCP Boot File and DHCP Boot Server
Configuring the Next DHCP Server to Contact After a Boot Client Establishes Initial Communication
Configuring a Static IP Address as DHCP Server Identifier
Configuring a Domain Name and Domain Search List for a DHCP Server Host
Configuring Routers Available to the DHCP Client
Creating User-Defined DHCP Options Not Included in the Default Junos Implementation of the DHCP Server
Example: Complete DHCP Server Configuration
Example: Viewing DHCP Bindings
Example: Viewing DHCP Address Pools
Example: Viewing and Clearing DHCP Conflicts
Configuring Tracing Operations for DHCP Processes
Configuring the DHCP Processes Log Filename
Configuring the Number and Size of DHCP Processes Log Files
Configuring Access to the DHCP Log File
Configuring a Regular Expression for Refining the Output of DHCP Logged Events
Configuring DHCP Trace Operation Events
DHCP Processes Tracing Flags
Configuring the Router as an Extended DHCP Local Server
Interaction Among the DHCP Client, Extended DHCP Local Server, and Address-Assignment Pools
Extended DHCP Local Server and Address-Assignment Pools
Methods Used by the Extended DHCP Local Server to Determine Which Address-Assignment Pool to Use
Matching the Client IP Address to the Address-Assignment Pool
Matching Option 82 Information to Named Address Ranges
Default Options Provided by the Extended DHCP Server for the DHCP Client

Using External AAA Authentication Services to Authenticate DHCP Clients
Configuring Authentication Support for an Extended DHCP Application
Grouping Interfaces with Common DHCP Configurations
Configuring Passwords for Usernames the DHCP Application Presents to the External AAA Authentication Service
Creating Unique Usernames the Extended DHCP Application Passes to the External AAA Authentication Service
Client Configuration Information Exchanged Between the External Authentication Server, DHCP Application, and DHCP Client
Tracing Extended DHCP Local Server Operations
Configuring the Filename of the Extended DHCP Local Server Processes Log
Configuring the Number and Size of Extended DHCP Local Server Processes Log Files
Configuring Access to the Log File
Configuring a Regular Expression for Lines to Be Logged
Configuring Trace Option Flags
Example: Configuring the Minimum Extended DHCP Local Server Configuration
Example: Extended DHCP Local Server Configuration with Optional Pool Matching
Verifying and Managing the DHCP Server Configuration
Configuring DTCP-over-SSH Service for the Flow-Tap Application
Configuring Finger Service for Remote Access to the Router
Configuring FTP Service for Remote Access to the Router or Switch
Configuring SSH Service for Remote Access to the Router or Switch
Configuring the Root Login Through SSH
Configuring the SSH Protocol Version
Configuring Outbound SSH Service
Configuring the Device Identifier for Outbound SSH Connections
Sending the Public SSH Host Key to the Outbound SSH Client
Configuring Keepalive Messages for Outbound SSH Connections
Configuring a New Outbound SSH Connection
Configuring the Outbound SSH Client to Accept NETCONF as an Available Service
Configuring Outbound SSH Clients
Configuring NETCONF-Over-SSH Connections on a Specified TCP Port
Configuring Telnet Service for Remote Access to a Router or Switch

Chapter 11

Configuring Miscellaneous System Management Features

Configuring the Junos OS to Set Console and Auxiliary Port Properties
Configuring the Junos OS to Disable Protocol Redirect Messages on the Router or Switch
Configuring the Junos OS to Select a Fixed Source Address for Locally Generated TCP/IP Packets
Configuring the Junos OS to Make the Router or Interface Act as a DHCP or BOOTP Relay Agent
Configuring the Junos OS to Disable the Routing Engine Response to Multicast Ping Packets

Configuring the Junos OS to Disable the Reporting of IP Address and Timestamps in Ping Responses
Configuring Password Authentication for Console Access to PICs
Configuring the Junos OS to Display a System Login Message
Configuring the Junos OS to Display a System Login Announcement
Disabling Junos OS Processes
Configuring Failover to Backup Media if a Junos OS Process Fails
Configuring Password Authentication for the Diagnostics Port
Viewing Core Files from Junos OS Processes
Saving Core Files from Junos OS Processes
Using Junos OS to Configure Logical System Administrators
Using Junos OS to Configure a Router or Switch to Transfer Its Configuration to an Archive Site
Configuring the Router or Switch to Transfer Its Currently Active Configuration to an Archive
Configuring the Transfer Interval for Periodic Transfer of the Active Configuration to an Archive Site
Configuring Transfer of the Current Active Configuration When a Configuration Is Committed
Configuring Archive Sites for Transfer of Active Configuration Files
Using Junos OS to Specify the Number of Configurations Stored on the CompactFlash Card
Configuring RADIUS System Accounting
Configuring Auditing of User Events on a RADIUS Server
Specifying RADIUS Server Accounting and Auditing Events
Configuring RADIUS Server Accounting
Example: Configuring RADIUS System Accounting
Configuring TACACS+ System Accounting
Specifying TACACS+ Auditing and Accounting Events
Configuring TACACS+ Server Accounting
Configuring TACACS+ Accounting on a TX Matrix Router
Configuring the Junos OS to Work with SRC Software
Configuring the Junos OS ICMPv4 Rate Limit for ICMPv4 Routing Engine Messages
Configuring the Junos OS ICMPv6 Rate Limit for ICMPv6 Routing Engine Messages
Configuring the Junos OS for IP-IP Path MTU Discovery on IP-IP Tunnel Connections
Configuring TCP MSS for Session Negotiation
Configuring TCP MSS on T Series and M Series Routers
Configuring TCP MSS on J Series Services Routers
Configuring the Junos OS for IPv6 Path MTU Discovery
Configuring the Junos OS for IPv6 Duplicate Address Detection Attempts
Configuring the Junos OS for Acceptance of IPv6 Packets with a Zero Hop Limit
Configuring the Junos OS to Enable Processing of IPv4-mapped IPv6 Addresses
Configuring the Junos OS for Path MTU Discovery on Outgoing GRE Tunnel Connections

Configuring the Junos OS for Path MTU Discovery on Outgoing TCP Connections
Configuring the Junos OS to Ignore ICMP Source Quench Messages
Configuring the Junos OS to Enable the Router or Switch to Drop Packets with the SYN and FIN Bits Set
Configuring the Junos OS to Disable TCP RFC 1323 Extensions
Configuring the Junos OS to Disable the TCP RFC 1323 PAWS Extension
Configuring the Junos OS to Extend the Default Port Address Range
Configuring the Junos OS ARP Learning and Aging Options for Mapping IPv4 Network Addresses to MAC Addresses
Configuring Passive ARP Learning for Backup VRRP Routers or Switches
Configuring a Delay in Gratuitous ARP Requests
Configuring a Gratuitous ARP Request When an Interface is Online
Configuring the Purging of ARP Entries
Adjusting the ARP Aging Timer
Disabling MAC Address Learning of Neighbors Through ARP or Neighbor Discovery for IPv4 and IPv6 Neighbors
Configuring System Alarms to Appear Automatically on J Series Routers, EX Series Ethernet Switches, and the QFX Series
System Alarms on J Series Routers

Chapter 12

Security Configuration Example

Example: Configuring a Router Name and Domain Name
Example: Configuring RADIUS Authentication
Example: Creating Login Classes
Example: Configuring User Login Accounts
Example: Configuring RADIUS Template Accounts
Example: Enabling SSH Connection Services
Example: Configuring System Logging
Example: Configuring NTP as a Single Time Source for Router and Switch Clock Synchronization
Example: Configuring ATM, SONET, Loopback, and Out-of-Band Management Interfaces
Example: Configuring SNMPv3
Examples: Configuring Protocol-Independent Routing Properties
Example: Configuring the Router ID and Autonomous System Number for BGP
Example: Configuring Martian Addresses
Example: Viewing Reserved IRI IP Addresses
Example: Configuring the BGP and IS-IS Routing Protocols
Configuring BGP
Configuring IS-IS
Configuring Firewall Policies and Filters
Example: Configuring Firewall Filters
Example: Configuring Firewall Policies
Example: Consolidated Security Configuration

Chapter 13

Summary of System Management Configuration Statements
accounting
access-end


access-start
accounting-port
allow-commands
allow-configuration-regexps
allow-v4mapped-packets
allowed-days
announcement
archival
archive (All System Log Files)
archive (Individual System Log File)
archive-sites (Configuration File)
arp
authentication (DHCP Local Server)
authentication (Login)
authentication-key
authentication-order
autoinstallation
auxiliary
backup-router
boot-file
boot-server (DHCP)
boot-server (NTP)
broadcast
broadcast-client
change-type
circuit-type
class (Assigning a Class to an Individual User)
class (Defining Login Classes)
client-identifier
commit synchronize
compress-configuration-files
configuration
configuration-servers
connection-limit
console (Physical Port)
console (System Logging)
default-address-selection
default-lease-time
delimiter (DHCP Local Server)
deny-commands
deny-configuration-regexps
destination
destination-override
dhcp
dhcpv6
dhcp-local-server
diag-port-authentication
domain-name (DHCP)
domain-name


domain-name (DHCP Local Server)
domain-search
dump-device
events
explicit-priority
facility-override
file (System Logging)
files
finger
flow-tap-dtcp
format
ftp
full-name
gratuitous-arp-on-ifup
gre-path-mtu-discovery
group (DHCP Local Server)
host
host-name
http
https
icmpv4-rate-limit
icmpv6-rate-limit
idle-timeout
inet6-backup-router
interfaces (ARP Aging Timer)
interface (DHCP Local Server)
interfaces
internet-options
ip-address-first
ipip-path-mtu-discovery
ipv6-duplicate-addr-detection-transmits
ipv6-path-mtu-discovery
ipv6-path-mtu-discovery-timeout
ipv6-reject-zero-hop-limit
load-key-file
local-certificate
location
log-prefix
logical-system-name (DHCP Local Server)
login
login-alarms
login-tip
mac-address (DHCP Local Server)
match
max-configurations-on-flash
maximum-lease-time
maximum-length
message
minimum-changes


minimum-length
mirror-flash-on-disk
multicast-client
name-server
next-server
no-compress-configuration-files
no-gre-path-mtu-discovery
no-ipip-path-mtu-discovery
no-ipv6-reject-zero-hop-limit
no-multicast-echo
no-path-mtu-discovery
no-ping-record-route
no-ping-time-stamp
no-redirects
no-remote-trace
no-saved-core-context
no-source-quench
no-tcp-rfc1323
no-tcp-rfc1323
ntp
option-60 (DHCP Local Server)
option-82 (DHCP Local Server Authentication)
option-82 (DHCP Local Server Pool Matching)
outbound-ssh
passive-learning
password (DHCP Local Server)
password (Login)
path-mtu-discovery
peer
permissions
pic-console-authentication
pool
pool-match-order
port
port (HTTP/HTTPS)
port (NETCONF Server)
port (RADIUS Server)
port (SRC Server)
port (TACACS+ Server)
ports
processes
protocol-version
radius
radius-options
radius-server
rate-limit
retry
retry-options
root-authentication


root-login
router
routing-instance-name (DHCP Local Server)
saved-core-context
saved-core-files
secret
server (NTP)
server (RADIUS Accounting)
server (TACACS+ Accounting)
server-identifier
servers
service-deployment
services
session
single-connection
size
source-address (NTP, RADIUS, System Logging, or TACACS+)
source-address (SRC Software)
source-port
source-quench
ssh
static-binding
static-host-mapping
structured-data
syslog
system
tacplus
tacplus-options
tacplus-server
tcp-drop-synfin-set
tcp-mss
telnet
time-format
timeout
time-zone
traceoptions (Address-Assignment Pool)
traceoptions (DHCP Local Server)
traceoptions (DHCP Server)
traceoptions (SBC Configuration Process)
tracing
transfer-interval (Configuration)
transfer-on-commit