User Access and Authentication User Guide
Junos OS
Published
2020-03-26
Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. in
the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks
are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right
to change, modify, transfer, or otherwise revise this publication without notice.
Junos OS User Access and Authentication User Guide
Copyright © 2020 Juniper Networks, Inc. All rights reserved.
The information in this document is current as of the date on the title page.
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related
limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with)
Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement
(“EULA”) posted at https://support.juniper.net/support/eula/. By downloading, installing or using such software, you
agree to the terms and conditions of that EULA.
Table of Contents
About the Documentation | xxix
Permission Bits | 38
Limiting the Number of User Login Attempts for SSH and Telnet Sessions | 50
2 User Accounts
Junos OS User Accounts | 57
Regular Expressions for Allowing and Denying Junos OS Operational Mode Commands,
Configuration Statements, and Hierarchies | 94
Example: Using Additive Logic With Regular Expressions to Specify Access Privileges | 108
Example: Configuring User Permissions with Access Privileges for Operational Mode
Commands | 111
Example: Configuring User Permissions with Access Privileges for Configuration Statements
and Hierarchies | 126
Using Trusted Platform Module to Bind Secrets on SRX Series Devices | 167
Limitations | 168
4 User Authentication
Junos OS User Authentication Overview | 172
Junos OS Authentication Order for RADIUS, TACACS+, and Password Authentication | 182
Configuring the Junos OS Authentication Order for RADIUS, TACACS+, and Local Password
Authentication | 189
Specifying a Source Address for the Junos OS to Access External RADIUS Servers | 211
Specifying a Source Address for the Junos OS to Access External TACACS+ Servers | 230
Configuring the Same Authentication Service for Multiple TACACS+ Servers | 231
Example: Configuring the Authentication Key for BGP and IS-IS Routing Protocols | 248
Configuring the Authentication Key Update Mechanism for BGP and LDP Routing
Protocols | 250
Configuring FTP Service for Remote Access to the Router or Switch | 256
Configuring SSH Service for Remote Access to the Router or Switch | 257
Sending the Public SSH Host Key to the Outbound SSH Client | 271
Configuring the Outbound SSH Client to Accept NETCONF as an Available Service | 273
Configuring Password Retry Limits for Telnet and SSH Access | 275
Generating SSL Certificates for Secure Web Access (SRX Series Devices) | 305
Generating SSL Certificates to Be Used for Secure Web Access (EX Series Switch) | 306
Applying a Locally Configured Firewall Filter from the RADIUS Server | 364
Example: Configuring 802.1X Authentication Options When the RADIUS Server Is Unavailable
to an EX Series Switch | 373
Example: Applying Firewall Filters to Multiple Supplicants on Interfaces Enabled for 802.1X
or MAC RADIUS Authentication | 428
Example: Applying Firewall Filters to Multiple Supplicants on Interfaces Enabled for 802.1X
or MAC RADIUS Authentication on EX Series Switches with ELS Support | 435
Configuring Static MAC Bypass of 802.1X and MAC RADIUS Authentication (CLI
Procedure) | 442
Example: Configuring Static MAC Bypass of 802.1X and MAC RADIUS Authentication on an
EX Series Switch | 443
Configuring Captive Portal Authentication (CLI Procedure) on an EX Series Switch with ELS
Support | 461
NAC Using Any RADIUS Server and Access Policies Defined on the Local Switch | 482
Configuring an EX Series Switch to Use Junos Pulse Access Control Service for Network Access
Control (CLI Procedure) | 484
OBSOLETE: Configuring the EX Series Switch for Captive Portal Authentication with Junos
Pulse Access Control Service (CLI Procedure) | 488
Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX Series Switch | 492
Example: Configuring VoIP on an EX Series Switch Without Including LLDP-MED Support | 501
Example: Configuring VoIP on an EX Series Switch Without Including LLDP-MED Support | 508
Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX Series Switch with ELS
Support | 522
Understanding 802.1X and VoIP on MX Series Routers in Enhanced LAN Mode | 548
Configuring 802.1X Interface Settings on MX Series Routers in Enhanced LAN Mode | 556
Configuring Server Fail Fallback on MX Series Routers in Enhanced LAN Mode | 564
Authentication Process Flow for MX Series Routers in Enhanced LAN Mode | 568
9 Device Discovery
Device Discovery Using LLDP and LLDP-MED on Switches | 615
Example: Configuring Secure Domains and Trusted Keys for DNSSEC | 638
11 Permission Flags
access | 652
access-control | 657
admin | 658
admin-control | 664
all-control | 665
clear | 666
configure | 767
control | 768
field | 769
firewall | 770
firewall-control | 775
floppy | 776
flow-tap | 777
flow-tap-control | 782
flow-tap-operation | 783
idp-profiler-operation | 784
interface | 784
interface-control | 790
maintenance | 791
network | 804
pgcp-session-mirroring | 807
pgcp-session-mirroring-control | 812
reset | 812
rollback | 814
routing | 814
routing-control | 825
secret | 831
secret-control | 837
security | 839
security-control | 849
shell | 854
snmp | 855
snmp-control | 860
system | 861
system-control | 869
trace | 871
trace-control | 883
view | 890
view-configuration | 1040
12 Configuration Statements
accounting (System) | 1048
accounting-order | 1050
accounting-server | 1052
address-protection | 1054
archival | 1057
authentication-key-chains | 1059
authentication-protocol | 1066
authentication-whitelist | 1068
authenticator | 1070
boot-loader-authentication | 1073
broadcast | 1078
broadcast | 1080
broadcast-client | 1081
broadcast-client | 1082
ca-type | 1083
captive-portal | 1085
civic-based | 1087
connection-limit | 1100
custom-options | 1102
detection-time | 1112
dlv | 1114
dot1x | 1115
eapol-block | 1118
enhanced-avs-max | 1120
events | 1121
failover-delay | 1122
finger | 1127
flow-tap-dtcp | 1128
ftp | 1129
hostkey-algorithm | 1132
interface-description-format | 1155
key-exchange | 1163
lldp | 1165
lldp-priority | 1175
local-certificate | 1176
login | 1181
mac-radius | 1186
master-password | 1188
method | 1190
multi-domain | 1192
multicast-client | 1194
multicast-client | 1195
nas-port-extended-format | 1196
ntp | 1202
outbound-ssh | 1206
password-options | 1215
profile | 1221
profilerd | 1223
proxy | 1225
radius-server | 1229
radius-server | 1231
radsec | 1234
radsec-destination | 1236
rate-limit | 1237
regex-additive-logic | 1239
remote-debug-permission | 1240
retry | 1241
retry-options | 1243
root-authentication | 1246
routing-engine-profile | 1248
routing-instance | 1249
servers | 1262
service-deployment | 1264
single-connection | 1267
sip-server | 1268
ssh-known-hosts | 1279
ssh-known-hosts | 1280
ssl-renegotiation | 1281
static-subscribers | 1285
statistics-service | 1286
subscriber-management-helper | 1287
tacplus | 1288
tacplus | 1289
tacplus-options | 1291
tacplus-server | 1294
telnet | 1296
tftp | 1297
tlv-filter | 1300
tlv-select | 1303
trusted-key | 1320
uac-policy | 1321
uac-service | 1322
uac-service | 1323
unattended-boot | 1324
usb-control | 1325
voip | 1329
watchdog | 1331
xnm-clear-text | 1337
xnm-ssl | 1338
13 Operational Commands
clear accounting server statistics archival-transfer | 1344
ssh | 1605
telnet | 1608
The Junos operating system (Junos OS) enables you to configure user access and authentication features
at the [edit system] hierarchy level of the CLI. Essential user access features include login classes, user
accounts, access privilege levels, and user authentication methods. Use the topics on this page to configure
essential user access features for your system.
To obtain the most current version of all Juniper Networks technical documentation, see the product
documentation page on the Juniper Networks website at https://www.juniper.net/documentation/.
If the information in the latest release notes differs from the information in the documentation, follow the
product Release Notes.
Juniper Networks Books publishes books by Juniper Networks engineers and subject matter experts.
These books go beyond the technical documentation to explore the nuances of network architecture,
deployment, and administration. The current list can be viewed at https://www.juniper.net/books.
If you want to use the examples in this manual, you can use the load merge or the load merge relative
command. These commands cause the software to merge the incoming configuration into the current
candidate configuration. The example does not become active until you commit the candidate configuration.
If the example configuration contains the top level of the hierarchy (or multiple hierarchies), the example
is a full example. In this case, use the load merge command.
If the example configuration does not start at the top level of the hierarchy, the example is a snippet. In
this case, use the load merge relative command. These procedures are described in the following sections.
1. From the HTML or PDF version of the manual, copy a configuration example into a text file, save the
file with a name, and copy the file to a directory on your routing platform.
For example, copy the following configuration to a file and name the file ex-script.conf. Copy the
ex-script.conf file to the /var/tmp directory on your routing platform.
system {
scripts {
commit {
file ex-script.xsl;
}
}
}
interfaces {
fxp0 {
disable;
unit 0 {
family inet {
address 10.0.0.1/24;
}
}
}
}
2. Merge the contents of the file into your routing platform configuration by issuing the load merge
configuration mode command:
[edit]
user@host# load merge /var/tmp/ex-script.conf
load complete
Merging a Snippet
1. From the HTML or PDF version of the manual, copy a configuration snippet into a text file, save the
file with a name, and copy the file to a directory on your routing platform.
For example, copy the following snippet to a file and name the file ex-script-snippet.conf. Copy the
ex-script-snippet.conf file to the /var/tmp directory on your routing platform.
commit {
file ex-script-snippet.xsl;
}
2. Move to the hierarchy level that is relevant for this snippet by issuing the following configuration mode
command:
[edit]
user@host# edit system scripts
[edit system scripts]
3. Merge the contents of the file into your routing platform configuration by issuing the load merge
relative configuration mode command:
For more information about the load command, see CLI Explorer.
Documentation Conventions
Laser warning Alerts you to the risk of personal injury from a laser.
Table 2 on page xxxii defines the text and syntax conventions used in this guide.
Convention | Description | Examples
Bold text like this | Represents text that you type. | To enter configuration mode, type the configure command: user@host> configure
Fixed-width text like this | Represents output that appears on the terminal screen. | user@host> show chassis alarms (output: No alarms currently active)
Italic text like this | • Introduces or emphasizes important new terms. • Identifies guide names. | • A policy term is a named structure that defines match conditions and actions.
Italic text like this | Represents variables (options for which you substitute a value) in commands or configuration statements. | Configure the machine’s domain name: [edit] root@# set system domain-name domain-name
Text like this | Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components. | • To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level. • The console port is labeled CONSOLE.
< > (angle brackets) | Encloses optional keywords or variables. | stub <default-metric metric>;
# (pound sign) | Indicates a comment specified on the same line as the configuration statement to which it applies. | rsvp { # Required for dynamic MPLS only
[ ] (square brackets) | Encloses a variable for which you can substitute one or more values. | community name members [ community-ids ]
GUI Conventions
Convention | Description | Examples
Bold text like this | Represents graphical user interface (GUI) items you click or select. | • In the Logical Interfaces box, select All Interfaces. • To cancel the configuration, click Cancel.
> (bold right angle bracket) | Separates levels in a hierarchy of menu selections. | In the configuration editor hierarchy, select Protocols>Ospf.
Documentation Feedback
We encourage you to provide feedback so that we can improve our documentation. You can use either
of the following methods:
• Online feedback system—Click TechLibrary Feedback, on the lower right of any page on the Juniper
Networks TechLibrary site, and do one of the following:
• Click the thumbs-up icon if the information on the page was helpful to you.
• Click the thumbs-down icon if the information on the page was not helpful to you or if you have
suggestions for improvement, and use the pop-up form to provide feedback.
Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC).
If you are a customer with an active Juniper Care or Partner Support Services support contract, or are
covered under warranty, and need post-sales technical support, you can access our tools and resources
online or open a case with JTAC.
• JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User
Guide located at https://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.
• JTAC hours of operation—The JTAC centers have resources available 24 hours a day, 7 days a week,
365 days a year.
For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called
the Customer Support Center (CSC) that provides you with the following features:
• Find solutions and answer questions using our Knowledge Base: https://kb.juniper.net/
• To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool:
https://entitlementsearch.juniper.net/entitlementsearch/
You can create a service request with JTAC on the Web or by telephone.
• Visit https://myjuniper.juniper.net.
Junos OS login classes allow you to define access privileges, permission for using CLI commands and
statements, and session idle time for each login class. You can apply a login class to an individual user
account, thereby specifying certain privileges and permissions to the user. Read this topic for more
information.
All users who can log in to the router or switch must be in a login class. With login classes, you define the
following:
• Access privileges that users have when they are logged in to the router or switch
• How long a login session can be idle before it times out and the user is logged out
You can define any number of login classes and then apply one login class to an individual user account.
The Junos operating system (Junos OS) contains a few predefined login classes, which are listed in
Table 3 on page 37. The predefined login classes cannot be modified.
Login Class | Permission Bits
read-only | view
unauthorized | None
NOTE:
• You cannot modify a predefined login class name. If you issue the set command on a predefined
class name, the Junos OS appends -local to the login class name. The following message also
appears:
• You cannot issue the rename or copy command on a predefined login class. Doing so results
in the following error message:
Permission Bits
Each top-level CLI command and each configuration statement has an access privilege level associated
with it. Users can execute only those commands and configure and view only those statements for which
they have access privileges. The access privileges for each login class are defined by one or more permission
bits (see Table 4 on page 38).
Two forms for the permissions control the individual parts of the configuration:
• "Plain" form—Provides read-only capability for that permission type. An example is interface.
• Form that ends in -control—Provides read and write capability for that permission type. An example is
interface-control.
Permission Bit | Description
admin | Can view user account information in configuration mode and with the show configuration command.
admin-control | Can view user accounts and configure them (at the [edit system login] hierarchy level).
access | Can view the access configuration in configuration mode and with the show configuration operational mode command.
access-control | Can view and configure access information (at the [edit access] hierarchy level).
clear | Can clear (delete) information learned from the network that is stored in various network databases (using the clear commands).
configure | Can enter configuration mode (using the configure command) and commit configurations (using the commit command).
control | Can perform all control-level operations (all operations configured with the -control permission bits).
firewall-control | Can view and configure firewall filter information (at the [edit firewall] hierarchy level).
interface | Can view the interface configuration in configuration mode and with the show configuration operational mode command.
interface-control | Can view chassis, class of service, groups, forwarding options, and interfaces configuration information. Can configure chassis, class of service, groups, forwarding options, and interfaces (at the [edit] hierarchy).
maintenance | Can perform system maintenance, including starting a local shell on the device and becoming the superuser in the shell (by issuing the su root command), and can halt and reboot the device (using the request system commands).
network | Can access the network by entering the ping, ssh, telnet, and traceroute commands.
reset | Can restart software processes using the restart command and can configure whether software processes are enabled or disabled (at the [edit system processes] hierarchy level).
rollback | Can use the rollback command to return to a previously committed configuration other than the most recently committed one.
routing | Can view general routing, routing protocol, and routing policy configuration information in configuration and operational modes.
routing-control | Can view general routing, routing protocol, and routing policy configuration information and configure general routing (at the [edit routing-options] hierarchy level), routing protocols (at the [edit protocols] hierarchy level), and routing policy (at the [edit policy-options] hierarchy level).
secret | Can view passwords and other authentication keys in the configuration.
secret-control | Can view passwords and other authentication keys in the configuration and can modify them in configuration mode.
security | Can view security configuration in configuration mode and with the show configuration operational mode command.
security-control | Can view and configure security information (at the [edit security] hierarchy level).
shell | Can start a local shell on the device by entering the start shell command.
snmp | Can view SNMP configuration information in configuration and operational modes.
snmp-control | Can view SNMP configuration information and configure SNMP (at the [edit snmp] hierarchy level).
system-control | Can view system-level configuration information and configure it (at the [edit system] hierarchy level).
trace | Can view trace file settings in configuration and operational modes.
trace-control | Can view trace file settings and configure trace file properties.
view | Can use various commands to display current system-wide, routing table, and protocol-specific values and statistics.
By default, all top-level CLI commands have associated access privilege levels. Users can execute only
those commands and view only those statements for which they have access privileges. For each login
class, you can explicitly deny or allow the use of operational and configuration mode commands that are
otherwise permitted or not allowed by a permission bit.
All users who can log in to the router or switch must be in a login class. Therefore, you must define a Junos
OS login class for each user or class of users. You can define any number of login classes depending on
the types of permissions the users need.
To define a login class and its access privileges, include the class statement at the [edit system login]
hierarchy level:
idle-timeout minutes;
logical-system logical-system-name;
login-alarms;
login-script filename;
login-tip;
no-scp-server;
no-sftp-server;
permissions [ permissions ];
satellite all;
security-role (audit-administrator | crypto-administrator | ids-administrator | security-administrator);
tenant tenant;
}
Login classes are used to assign certain permissions or restrictions to groups of users, ensuring that sensitive
commands are only accessible to the appropriate users. By default, Juniper Networks devices have four
types of login classes with preset permissions: operator, read-only, superuser or super-user, and
unauthorized.
You can create new custom login classes to make different combinations of permissions that are not found
in the default login classes. The following example shows how to create three custom login classes, each
with specific privileges and timers to disconnect the class members after a period of inactivity. Inactivity
timers help protect network security by disconnecting a user from the network if the user is away from
their computer for too long, preventing the security risks created by leaving an unattended account
logged in to a switch or router. The permissions and inactivity timers shown here are only examples and
should be customized to your organization.
The first class of users is called observation and they can only view statistics and configuration. They are
not allowed to modify any configuration. The second class of users is called operation and they can view
and modify the configuration. The third class of users is called engineering and they have unlimited access
and control. All three login classes use the same inactivity timer of 5 minutes.
[edit]
system {
login {
class observation {
idle-timeout 5;
permissions [ view ];
}
class operation {
idle-timeout 5;
permissions [ admin clear configure interface interface-control network
reset routing routing-control snmp snmp-control trace-control
firewall-control rollback ];
}
class engineering {
idle-timeout 5;
permissions all;
}
}
}
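As an added least-privilege check that is not part of this guide or of Junos OS, the following Python script parses the three classes above, expands their permissions the way Table 4 describes the bits ('all' grants everything, 'control' grants every -control bit, and a -control bit includes the read access of its plain form), and reports which classes hold bits that give a shell or expose secrets. The choice of which bits count as high-risk is this example's own, taken from the bit descriptions.

```python
"""Least-privilege review of Junos login classes, following Table 4 in this topic.

Added example, not Juniper code. Handles only the flat [edit system login]
class bodies shown in this topic (class, idle-timeout, permissions).
"""
import re

# Permission bits named in this guide (Table 4 plus the permission flag list).
PERMISSION_BITS = {
    "access", "access-control", "admin", "admin-control", "clear", "configure",
    "control", "firewall", "firewall-control", "interface", "interface-control",
    "maintenance", "network", "reset", "rollback", "routing", "routing-control",
    "secret", "secret-control", "security", "security-control", "shell", "snmp",
    "snmp-control", "system", "system-control", "trace", "trace-control", "view",
}

# Bits whose Table 4 description gives a root shell, exposes authentication
# secrets, or grants every write permission at once (this example's own list).
HIGH_RISK = {
    "maintenance": "local shell, su root, halt and reboot",
    "shell": "local shell on the device",
    "secret": "view passwords and authentication keys",
    "secret-control": "view and modify passwords and authentication keys",
    "control": "all -control (write) permissions",
}

CLASS_RE = re.compile(r"class\s+(\S+)\s*\{(.*?)\}", re.S)
PERMS_RE = re.compile(r"permissions\s+(?:\[\s*(.*?)\s*\]|(\S+?))\s*;", re.S)
IDLE_RE = re.compile(r"idle-timeout\s+(\d+)\s*;")


def parse_login_classes(snippet):
    """Return {class name: {"idle_timeout": minutes or None, "permissions": [...]}}."""
    classes = {}
    for name, body in CLASS_RE.findall(snippet):
        perms = PERMS_RE.search(body)
        idle = IDLE_RE.search(body)
        classes[name] = {
            "idle_timeout": int(idle.group(1)) if idle else None,
            "permissions": (perms.group(1) or perms.group(2)).split() if perms else [],
        }
    return classes


def effective_bits(configured):
    """Expand a configured permissions list into the bits the class actually holds."""
    if "all" in configured:
        return set(PERMISSION_BITS)
    bits = set(configured) & PERMISSION_BITS
    if "control" in bits:  # 'control' covers every -control bit
        bits |= {b for b in PERMISSION_BITS if b.endswith("-control")}
    # A -control bit is read and write for its area, so the plain form comes with it.
    bits |= {b[: -len("-control")] for b in bits if b.endswith("-control")}
    return bits & PERMISSION_BITS


def review(snippet):
    """Per class: write bits, high-risk bits, unrecognised names, idle timeout."""
    report = {}
    for name, info in parse_login_classes(snippet).items():
        bits = effective_bits(info["permissions"])
        report[name] = {
            "write_bits": sorted(b for b in bits if b.endswith("-control")),
            "high_risk": sorted(b for b in bits if b in HIGH_RISK),
            "unknown": sorted(set(info["permissions"]) - PERMISSION_BITS - {"all"}),
            "idle_timeout": info["idle_timeout"],
        }
    return report


# Constructed sample input: the three custom classes from this topic.
SAMPLE = """
system {
    login {
        class observation {
            idle-timeout 5;
            permissions [ view ];
        }
        class operation {
            idle-timeout 5;
            permissions [ admin clear configure interface interface-control network
                          reset routing routing-control snmp snmp-control trace-control
                          firewall-control rollback ];
        }
        class engineering {
            idle-timeout 5;
            permissions all;
        }
    }
}
"""

if __name__ == "__main__":
    for class_name, row in review(SAMPLE).items():
        print(class_name, row)
```

Run against a real `show configuration system login` dump, the same report shows which custom classes quietly inherit shell or secret access.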
Junos OS allows you to specify various settings for users after they have logged in. You can define
announcements to show users after they log in, display system alarms, provide login tips, specify
time-based user access, and limit the number of login attempts. Read this topic for more information.
Sometimes you want to make announcements only to authorized users after they have logged in. For
example, you might want to announce an upcoming maintenance event.
You can format the announcement using the following special characters:
• \n—New line
• \t—Horizontal tab
• \\—Backslash
For example:
system {
login {
announcement "\tJuly 27th 1:00 AM to 8:00\n\nPlanned Network Maintenance\n\nAFFECTED LOCATIONS: Sunnyvale\n\nPLANNED ACTIVITY: Upgrade all 6200 switch firmware to the Enterprise TAC recommended firmware version\n\nPURPOSE: This activity will help to minimize the impact of unplanned power outages as well as address known issues within our currently installed firmware version(s)\n\nWHAT TO EXPECT: During the maintenance window for your site, the office network will not be available.\n\n";
message "\n\n\n\tTP0 - M7i - iX Router Lab\n\n\tUNAUTHORIZED USE OF THIS ROUTER\n\tIS STRICTLY PROHIBITED!\n\n\tPlease contact \'[email protected]\' to gain\n\taccess to this equipment if you need authorization.\n\n\n";
}
}
3. Connect to the device in a new session to verify the presence of the new banner.
The preceding login message configuration example produces a login message similar to the following:
login: user
Password:
PLANNED ACTIVITY: Upgrade all 6200 switch firmware to the Enterprise TAC
recommended firmware version
PURPOSE: This activity will help to minimize the impact of unplanned power
outages as well as address known issues within our currently installed firmware
version(s)
WHAT TO EXPECT: During the maintenance window for your site, the office network
will not be available.
If the announcement text contains any spaces, enclose the text in quotation marks.
A system login announcement appears after the user logs in. A system login message appears before the
user logs in.
TIP: You can use the same special characters described above to format your system login
announcement.
You can configure Juniper Networks routers and switches to run the show system alarms command
whenever a user with the login class admin logs in to the router or switch. To do so, include the login-alarms
statement at the [edit system login class admin] hierarchy level.
For more information on the show system alarms command, see the CLI Explorer.
The Junos OS CLI provides the option of configuring login tips for the user. By default, the tip command
is not enabled when a user logs in.
• To enable tips, include the login-tip statement at the [edit system login class class-name] hierarchy level:
Adding this statement enables the tip command for the class specified, provided the user logs in using the
CLI.
The following example shows how to configure user access for the operator-round-the-clock-access login
class from Monday through Friday without any restriction on access time or duration of login:
[edit system]
login {
class operator-round-the-clock-access {
allowed-days [ monday tuesday wednesday thursday friday ];
}
}
The following example shows how to configure user access for the operator-day-shift login class on
Monday, Wednesday, and Friday from 8:30 AM to 4:30 PM:
[edit system]
login {
class operator-day-shift {
allowed-days [ monday wednesday friday ];
access-start 0830;
access-end 1630;
}
}
Alternatively, you can also specify the login start time and end time for the operator-day-shift login class
to be from 8:30 AM to 4:30 PM in the following format:
[edit system]
login {
class operator-day-shift {
allowed-days [ monday wednesday friday ];
access-start 08:30am;
access-end 04:30pm;
}
}
The following example shows how to configure user access for the operator-day-shift-all-days-of-the-week
login class to be on all days of the week from 8:30 AM to 4:30 PM:
[edit system]
login {
class operator-day-shift-all-days-of-the-week {
access-start 0830;
access-end 1630;
}
}
An idle login session is one in which the CLI operational mode prompt is displayed but there is no input
from the keyboard. By default, a login session remains established until a user logs out of the router or
switch, even if that session is idle. To close idle sessions automatically, you must configure a time limit for
each login class. If a session established by a user in that class remains idle for the configured time limit,
the session automatically closes. The idle-timeout can be configured only for user-defined classes; it
cannot be set for the system predefined classes operator, read-only, and super-user, whose values and
permissions are not editable.
To define the timeout value for idle login sessions, include the idle-timeout statement at the [edit system
login class class-name] hierarchy level:
Specify the number of minutes that a session can be idle before it is automatically closed.
If you have configured a timeout value, the CLI displays messages similar to the following when timing out
an idle user. It starts displaying these messages 5 minutes before timing out the user.
If you configure a timeout value, the session closes after the specified time has elapsed, unless the user
is running telnet or monitoring interfaces using the monitor interface or monitor traffic command.
The security administrator can configure the number of times a user can try to log in to the device with
invalid login credentials. The device can be locked after the specified number of unsuccessful authentication
attempts. This helps to protect the device from malicious users attempting to access the system by guessing
an account’s password. The security administrator can unlock the user account or define a time period for
the user account to remain locked.
The system lockout-period defines the amount of time the device can be locked for a user account after
a specified number of unsuccessful login attempts.
The security administrator can configure a period of time after which an inactive session will be locked
and require re-authentication to be unlocked. This helps to protect the device from being idle for a long
period before the session times out.
The system idle-timeout defines the length of time the CLI operational mode prompt remains active
before the session times out.
The security administrator can configure a banner with an advisory notice to be displayed before the
identification and authentication screen.
The system message defines the system login message. This message appears before a user logs in.
The number of reattempts the device allows is defined by the tries-before-disconnect option. The device
allows 3 unsuccessful attempts by default or as configured by the administrator. The device prevents
locked users from performing activities that require authentication until a security administrator manually
clears the lock or the defined lock period has elapsed. However, existing locks are ignored when the user
attempts to log in from the local console.
NOTE: To clear the console during an administrator-initiated logout, the administrator must configure set
system login message “message string” so that the message-string contains newline (\n) characters followed
by the login banner message.
To ensure that configuration information is cleared completely, the administrator can enter 50 or more \n
characters in the message-string of the command set system login message “message string”.
Limiting the Number of User Login Attempts for SSH and Telnet Sessions
You can limit the number of times a user can attempt to enter a password while logging in through SSH
or Telnet. The connection is terminated if a user fails to log in after the number of attempts specified. You
can also specify a delay, in seconds, before a user can try to enter a password after a failed attempt. In
addition, you can specify the threshold for the number of failed attempts before the user experiences a
delay in being able to enter a password again.
To specify the number of times a user can attempt to enter a password while logging in, include the
retry-options statement at the [edit system login] hierarchy level:
• tries-before-disconnect—Number of times a user can attempt to enter a password when logging in. The
connection closes if a user fails to log in after the number specified. The range is from 1 through 10, and
the default is 10.
• backoff-threshold—Threshold for the number of failed login attempts before the user experiences a
delay in being able to enter a password again. Use the backoff-factor option to specify the length of the
delay in seconds. The range is from 1 through 3, and the default is 2.
• backoff-factor—Length of time, in seconds, before a user can attempt to log in after a failed attempt.
The delay increases by the value specified for each subsequent attempt after the threshold. The range
is from 5 through 10, and the default is 5 seconds.
• maximum-time seconds—Maximum length of time, in seconds, that the connection remains open for the
user to enter a username and password to log in. If the user remains idle and does not enter a username
and password within the configured maximum-time, the connection is closed. The range is from 20
through 300 seconds, and the default is 120 seconds.
• minimum-time—Minimum length of time, in seconds, that a connection remains open while a user is
attempting to enter a correct password. The range is from 20 through 60, and the default is 40.
The following example shows how to limit the user to four attempts when the user enters a password
while logging in through SSH or Telnet:
Limiting the number of SSH and Telnet login attempts per user is one of the most effective methods of
stopping brute force attacks from compromising your network security. Brute force attackers execute a
large number of login attempts in a short period of time to illegitimately gain access to a private network.
By configuring the retry-options command, you can create an increasing delay after each failed login
attempt, eventually disconnecting any user who passes your set threshold of login attempts.
Set the backoff-threshold to 2, the backoff-factor to 5 seconds, and the minimum-time to 40 seconds.
The user experiences a delay of 5 seconds after the second attempt to enter a correct password fails. After
each subsequent failed attempt, the delay increases by 5 seconds. After the fourth and final failed attempt
to enter a correct password, the user experiences an additional 10-second delay, and the connection closes
after a total of 40 seconds.
The additional variables maximum-time and lockout-period are not set in this example.
[edit]
system {
login {
retry-options {
backoff-threshold 2;
backoff-factor 5;
minimum-time 40;
tries-before-disconnect 4;
}
password {
}
}
}
NOTE: This sample only shows the portion of the [edit system login] hierarchy level being
modified.
IN THIS SECTION
Requirements | 52
Overview | 52
Configuration | 54
Verification | 55
This example shows how to configure system retry options to protect the device from malicious users.
Requirements
Before you begin, you should understand “Login Retry Options” on page 49.
No special configuration beyond device initialization is required before configuring this feature.
Overview
Malicious users sometimes try to log in to a secure device by guessing an authorized user account’s
password. Locking out a user account after a number of failed authentication attempts helps protect the
device from malicious users.
Device lockout allows you to configure the number of failed attempts before the user account is locked
out of the device and configure the amount of time before the user can attempt to log in to the device
again. You can configure the amount of time in-between failed login attempts of a user account and can
manually lock and unlock user accounts.
NOTE: This example includes the following settings:
• backoff-factor — Sets the length of delay in seconds after each failed login attempt. When a
user incorrectly logs in to the device, the user must wait the configured amount of time before
attempting to log in to the device again. The length of delay increases by this value for each
subsequent login attempt after the value specified in the backoff-threshold statement. The
default value for this statement is five seconds, with a range of five to ten seconds.
• backoff-threshold — Sets the threshold for the number of failed login attempts on the device
before the user experiences a delay when attempting to reenter a password. When a user
incorrectly logs in to the device and hits the threshold of failed login attempts, the user
experiences a delay that is set in the backoff-factor statement before attempting to log in to
the device again. The default value for this statement is two, with a range of one through three.
• lockout-period — Sets the amount of time in minutes before the user can attempt to log in to
the device after being locked out due to the number of failed login attempts specified in the
tries-before-disconnect statement. When a user fails to log in correctly after the number of
allowed attempts specified by the tries-before-disconnect statement, the user must wait the
configured number of minutes before attempting to log in to the device again. The
lockout-period must be greater than zero. The range at which you can configure the
lockout-period is one through 43,200 minutes.
• tries-before-disconnect — Sets the maximum number of times the user is allowed to enter a
password to attempt to log in to the device through SSH or Telnet. When the user reaches
the maximum number of failed login attempts, the user is locked out of the device. The user
must wait the configured amount of minutes in the lockout-period statement before attempting
to log back in to the device. The tries-before-disconnect statement must be set when the
lockout-period statement is set; otherwise, the lockout-period statement is meaningless. The
default number of attempts is ten, with a range of one through ten attempts.
Once a user is locked out of the device, if you are the security administrator, you can manually
remove the user from this state using the clear system login lockout <username> command. You
can also use the show system login lockout command to view which users are currently locked
out, when the lockout period began for each user, and when the lockout period ends for each
user.
If the security administrator is locked out of the device, the administrator can log in to the device from
the console port, which ignores any user locks. This provides a way for the administrator to remove
the lock on their own user account.
In this example, the user waits for the backoff-threshold multiplied by the backoff-factor interval, in
seconds, to get the login prompt: the user must wait 5 seconds after the first failed login attempt and
10 seconds after the second failed login attempt. The user is disconnected 15 seconds after the third
failed attempt because the tries-before-disconnect option is configured as 3.
The user cannot attempt another login until 120 minutes have elapsed, unless a security administrator manually
clears the lock sooner.
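The delay and lockout sequence described above, as an added illustration that is not Juniper code: a small Python model of retry-options that reproduces the 5, 10 and 15 second waits and the lockout for this example's settings. The delay rule (no delay until backoff-threshold, then backoff-factor growing by backoff-factor per further failure) is taken from the text; the timestamps, the usernames and the choice to start the lockout clock at the final failure are constructed.

```python
"""Model of Junos OS login retry-options (added illustration, not Juniper code).

Delay rule from the text: no delay until backoff-threshold failures, then a
backoff-factor wait that grows by backoff-factor for each further failure.
After tries-before-disconnect failures the connection closes and, if
lockout-period is set, the username is locked for that many minutes.
Console logins ignore existing locks; an administrator can clear a lock.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class RetryOptions:
    backoff_threshold: int = 2            # failures before the first delay (default 2)
    backoff_factor: int = 5               # seconds; grows by this per extra failure
    tries_before_disconnect: int = 10     # failures before the connection closes
    lockout_period: Optional[int] = None  # minutes; None means no lockout


def delay_after_failure(opts: RetryOptions, failures: int) -> int:
    """Seconds the user waits after the n-th consecutive failed password."""
    if failures < opts.backoff_threshold:
        return 0
    return opts.backoff_factor * (failures - opts.backoff_threshold + 1)


@dataclass
class LoginLockoutState:
    """Per-username counters, roughly what 'show system login lockout' reports."""
    opts: RetryOptions
    failures: Dict[str, int] = field(default_factory=dict)        # consecutive failures
    locked_until: Dict[str, float] = field(default_factory=dict)  # unlock time, seconds

    def attempt(self, user: str, password_ok: bool, now: float,
                via_console: bool = False) -> Tuple[str, int]:
        """Process one password attempt at time 'now'.

        Returns (outcome, delay_seconds) with outcome one of
        'ok', 'retry', 'disconnect' or 'locked'.
        """
        end = self.locked_until.get(user)
        if end is not None and now < end and not via_console:
            return "locked", 0            # lock still in force; console bypasses it
        if password_ok:
            self.failures[user] = 0
            return "ok", 0
        n = self.failures.get(user, 0) + 1
        self.failures[user] = n
        delay = delay_after_failure(self.opts, n)
        if n >= self.opts.tries_before_disconnect:
            self.failures[user] = 0       # counter restarts with the next session
            if self.opts.lockout_period:
                # constructed choice: the lockout clock starts at the final failure
                self.locked_until[user] = now + self.opts.lockout_period * 60
                return "locked", delay
            return "disconnect", delay
        return "retry", delay

    def clear_lockout(self, user: str) -> None:
        """Equivalent of 'clear system login lockout <username>'."""
        self.locked_until.pop(user, None)
        self.failures.pop(user, None)

    def show_lockout(self, now: float) -> Dict[str, float]:
        """Usernames still locked at time 'now' and when each lock ends."""
        return {u: end for u, end in self.locked_until.items() if end > now}


def example_timeline():
    """Replay this example's settings: threshold 1, factor 5, tries 3, lockout 5 min.

    Three wrong passwords for the constructed username 'alice' starting at t=0.
    """
    state = LoginLockoutState(RetryOptions(1, 5, 3, 5))
    now, delays, outcomes = 0.0, [], []
    for _ in range(3):
        outcome, delay = state.attempt("alice", False, now)
        delays.append(delay)
        outcomes.append(outcome)
        now += delay
    return delays, outcomes, now, state


if __name__ == "__main__":
    d, o, t, s = example_timeline()
    print("delays:", d, "outcomes:", o, "elapsed:", t)  # [5, 10, 15] ... 30.0
    print("locked:", s.show_lockout(t))                 # {'alice': 315.0}
```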
Configuration
Step-by-Step Procedure
To configure system retry-options:
1. Configure the delay, in seconds, after each failed login attempt.
[edit]
user@host# set system login retry-options backoff-factor 5
2. Configure the number of failed login attempts before the delay applies.
[edit]
user@host# set system login retry-options backoff-threshold 1
3. Configure the amount of time the device stays locked after failed attempts.
[edit]
user@host# set system login retry-options lockout-period 5
4. Configure the number of unsuccessful attempts the device allows before it locks the user out.
[edit]
user@host# set system login retry-options tries-before-disconnect 3
Results
From configuration mode, confirm your configuration by entering the show system login retry-options
command. If the output does not display the intended configuration, repeat the configuration instructions
in this example to correct it.
[edit]
user@host# show system login retry-options
backoff-factor 5;
backoff-threshold 1;
lockout-period 5;
tries-before-disconnect 3;
If you are done configuring the device, enter commit from configuration mode.
Verification
Purpose
Verify that the login lockout configuration is enabled.
Action
Attempt three unsuccessful logins for a particular username. The device will be locked for that username;
then log in to the device with a different username. From operational mode, enter the show system login
lockout command.
Meaning
When you perform three unsuccessful login attempts with a particular username, the device is locked for
that user for five minutes, as configured in the example. You can verify that the device is locked for that
user by logging in to the device with a different username and entering the show system login lockout
command.
User Accounts
Junos OS allows you to create accounts for router, switch, and security users. All users also belong to one
of the system login classes.
Junos OS requires that all users have a predefined user account before they can log in to the device. For
each user account, you define the login name for the user and, optionally, information that identifies the
user. User accounts provide a way for users to access a router or switch or security device. Read this topic
for more information.
User accounts provide one way for users to access the device. (Users can access the device without
accounts if you configured RADIUS or TACACS+ servers, as described in “Junos OS User Authentication
Methods” on page 172.) For each account, you define the login name and password for the user and,
optionally, additional parameters and metadata for the user. After you have created an account, the
software creates a home directory for the user.
An account for the user root is always present in the configuration. You configure the password for root
using the root-authentication statement, as described in “Configuring the Root Password” on page 142.
It is a common practice to use remote authentication servers to centrally store information about users.
Even so, it is also a good practice to configure at least one non-root user directly on each device, in case
access to the remote authentication server is disrupted. This one non-root user commonly has a generic
name, such as admin.
• Username: Name that identifies the user. It must be unique within the device. Do not include spaces,
colons, or commas in the username. The username can be up to 64 characters long.
• User’s full name: (Optional) If the full name contains spaces, enclose it in quotation marks. Do not include
colons or commas.
• User identifier (UID): (Optional) Numeric identifier that is associated with the user account name. Typically
there is no need to set the UID because the software automatically assigns it when you commit the
configuration. However, if you manually configure the UID, it must be in the range from 100 through
64,000 and must be unique within the device.
You must ensure that the UID is unique. However, it is possible to assign the same UID to different
users. If you do this, the CLI displays a warning when you commit the configuration and then assigns
the duplicate UID.
• User’s access privilege: (Required) One of the login classes you defined in the class statement at the
[edit system login] hierarchy level, or one of the default classes listed in “Junos OS User Access Privileges”
on page 83.
• Authentication method or methods and passwords that the user can use to access the device—You can
use SSH or a Message Digest 5 (MD5) password, or you can enter a plain-text password that the Junos
OS encrypts using MD5-style encryption before entering it in the password database. For each method,
you can specify the user’s password. If you configure the plain-text-password option, you are prompted
to enter and confirm the password:
• You can include most character classes in a password (uppercase letters, lowercase letters, numbers,
punctuation marks, and other special characters). Control characters are not recommended.
• Valid passwords must contain at least one change of case or character class.
Junos-FIPS and Common Criteria have special password requirements. FIPS and Common Criteria
passwords must be between 10 and 20 characters in length. Passwords must use at least three of the
five defined character sets (uppercase letters, lowercase letters, digits, punctuation marks, and other
special characters). If Junos-FIPS is installed on the device, you cannot configure passwords unless they
meet this standard.
For SSH authentication, you can copy the contents of an SSH key file into the configuration or directly
configure SSH key information. Use the load-key-file URL filename command to load an SSH key file that
was previously generated, for example, by using ssh-keygen. The URL filename is the path to the file's location and
name. This command loads RSA (SSH version 1 and SSH version 2) and DSA (SSH version 2) public keys.
The contents of the SSH key file are copied into the configuration immediately after you enter the
load-key-file statement. Optionally, you can use the ssh-dsa public key <from hostname> and the ssh-rsa
public key <from hostname> statements to directly configure SSH keys.
The following TLS version and cipher suite combinations will fail when you use the specified type of host
key.
• TLS_1.0@DHE-RSA-AES128-SHA
• TLS_1.0@DHE-RSA-AES256-SHA
• TLS_1.0@DHE-DSS-AES128-SHA
• TLS_1.0@DHE-DSS-AES256-SHA
For each user account and for root logins, you can configure more than one public RSA or DSA key for
user authentication. When a user logs in using a user account or as root, the configured public keys are
referenced to determine whether the private key matches any of them.
To view the SSH key entries, use the configuration mode show command. For example:
Junos-FIPS defines a restricted set of user roles. Unlike the Junos OS, which enables a wide range of
capabilities to users, FIPS 140-2 defines specific types of users (Crypto Officer, User, and Maintenance).
Crypto Officers and FIPS Users perform all FIPS-related configuration tasks and issue all FIPS-related
commands. Crypto Officer and FIPS User configurations must follow FIPS 140-2 guidelines. Typically, no
user besides a Crypto Officer can perform FIPS-related tasks.
Junos-FIPS offers finer control of user permissions than those mandated by FIPS 140-2. For FIPS 140-2
conformance, any Junos-FIPS user with the secret, security, and maintenance permission bits set is a
Crypto Officer. In most cases, the super-user class should be reserved for a Crypto Officer. A FIPS User
can be defined as any Junos-FIPS user that does not have the secret, security, and maintenance bits set.
A Crypto Officer sets up FIPS Users. FIPS Users can be granted permissions normally reserved for a Crypto
Officer; for example, permission to zeroize the system and individual AS-II FIPS PICs.
The following example shows how to create accounts for four router or switch users, and create an account
for the template user remote. All users use one of the default system login classes. User alexander also
has two Digital Signature Algorithm (DSA) public keys configured for SSH authentication.
[edit]
system {
login {
user philip {
full-name "Philip of Macedonia";
uid 1001;
class super-user;
authentication {
encrypted-password "$ABC123";
}
}
user alexander {
full-name "Alexander the Great";
uid 1002;
class view;
authentication {
encrypted-password "$ABC123";
ssh-dsa "8924 37 5678 [email protected]";
ssh-dsa "6273 94 [email protected]";
}
}
user darius {
full-name "Darius King of Persia";
uid 1003;
class operator;
authentication {
ssh-rsa "1024 37 [email protected]";
}
}
user anonymous {
class unauthorized;
}
user remote {
full-name "All remote users";
uid 9999;
class read-only;
}
}
}
IN THIS SECTION
Requirements | 61
Overview | 62
Configuration | 62
Verification | 67
Requirements
No special configuration beyond device initialization is required before configuring this feature.
Overview
You can add new users to the device’s local database. For each account, you define a login name and
password for the user and specify a login class for access privileges. The login password must meet the
following criteria:
• You can include most character classes in a password (alphabetic, numeric, and special characters), but
not control characters.
• The password must contain at least one change of case or character class.
In this example, you create a login class named operator-and-boot and allow it to reboot the device. You
can define any number of login classes. You then allow the operator-and-boot login class to use commands
defined in the clear, network, reset, trace, and view permission bits.
Then you create user accounts. User accounts enable you to access the device. (You can access the device
without accounts if you configured RADIUS or TACACS+ servers.) You set the username as cmartin and
the login class as superuser. Finally, you define the encrypted password for the user.
Configuration
4. Click Add to add a new user. The Add User dialog box appears.
5. In the User name box, type a unique name for the user.
If the full name contains spaces, enclose it in quotation marks. Do not include colons or commas.
8. In the Password and Confirm Password boxes, enter a login password for the user and verify your
entry.
9. From the Login Class list, select the user’s access privilege:
• operator
• read-only
• unauthorized
10. Click OK in the Add User dialog box and Edit User Management dialog box.
12. If you are done configuring the device, click Commit Options>Commit.
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions
on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
1. Set the name of the login class and allow the use of the reboot command.
3. Set the username, login class, and encrypted password for the user.
Results
From configuration mode, confirm your configuration by entering the show system login command. If the
output does not display the intended configuration, repeat the configuration instructions in this example
to correct it.
[edit]
user@host# show system login
class operator-and-boot {
permissions [ clear network reset trace view ];
allow-commands "request system reboot";
}
user cmartin {
class superuser;
authentication {
encrypted-password "$1$ABC123";
}
}
If you are done configuring the device, enter commit from configuration mode.
NOTE: To completely set up RADIUS or TACACS+ authentication, you must configure at least
one RADIUS or TACACS+ server and specify a user template account. Do one of the following
tasks:
• Configure a RADIUS server. See “Example: Configuring a RADIUS Server for System
Authentication” on page 203.
• Configure a TACACS+ server. See “Example: Configuring a TACACS+ Server for System
Authentication” on page 232.
• Configure template accounts. See “Example: Creating Template Accounts” on page 176.
Verification
Purpose
Verify that the new users have been configured.
Action
From operational mode, enter the show system login command.
Because user accounts are configured on multiple devices, they are commonly configured inside of a
configuration group. As such, the examples shown here are in a configuration group called global. Using
a configuration group for your user accounts is optional.
1. Add a new user, using the user’s assigned account login name.
If the full name includes spaces, enclose the entire name in quotation marks.
For example:
As with UNIX systems, the UID enforces user permissions and file access. If you do not set the UID,
Junos OS assigns one for you. The format of the UID is a number in the range of 100 to 64000.
For example:
You can define your own login classes or assign one of the predefined Junos OS login classes.
• super-user—all permissions
• unauthorized—no permissions
For example:
• To enter a clear-text password that the system encrypts for you, use the following command to set
the user password:
As you enter the password in plain text, Junos OS encrypts it immediately. You do not have to
configure Junos OS to encrypt the password as in some other systems. Plain-text passwords are
therefore hidden and marked as ## SECRET-DATA in the configuration.
• To enter a password that is already encrypted, use the following command to set the user password:
• To load previously generated public keys from a named file at a specified URL location, use the
following command to set the user password:
• To enter an SSH public key string, use the following command to set the user password:
If you use a configuration group, you must apply it for it to take effect.
[edit]
user@host# set apply-groups global
user@host# commit
8. To verify the configuration, log out and log back in as the new user.
Junos OS allows you to define a system user to act as a particular kind of administrator for the system.
You can assign an administrative role to a user by configuring a login class to have the administrative role
attributes. You can assign one of the role attributes, such as audit-officer, crypto-officer, security-officer,
or ids-officer, to an administrative user. Read this topic for more information.
A system user can be a member of a class that allows the user to act as a particular kind of administrator
for the system. Requiring a specific role to view or modify an item restricts the extent of information a
user can obtain from the system. It also limits how much of the system is open to intentional or unintentional
modification or observation by a user. We recommend that you use the following guidelines when you
are designing administrative roles:
• Restrict each user to the smallest set of privileges needed to perform the user’s duties.
• Do not allow any user to belong to a login class containing the shell permission flag. The shell permission
flag allows users to run the start shell command from the CLI.
• Allow users to have rollback permissions. Rollback permissions allow users to undo an action performed
by an administrator but do not allow them to commit the changes.
You can assign an administrative role to a user by configuring a login class to have the privileges required
for that role. You can configure each class to allow or deny access to configuration statements and
commands by name. These specific restrictions override and take precedence over any permission flags
also configured in the class. You can assign one of the following role attributes to an administrative user.
• IDS-administrator—Allows the user to monitor and clear the intrusion detection service (IDS) security
logs.
• Cryptographic Administrator
• Audit Administrator
• Configures and deletes the audit review search and sort feature.
• Security Administrator
• Enables, disables, determines, and modifies the audit analysis and audit selection functions and
configures the device to automatically delete audit logs.
• Specifies the limits, network identifiers, and time periods for quotas on controlled connection-oriented
resources.
• Specifies the network addresses permitted to use Internet Control Message Protocol (ICMP) or Address
Resolution Protocol (ARP).
• Queries, modifies, deletes, and creates the information flow or access control rules and attributes for
the unauthenticated information flow security function policy (SFP), the authenticated information
flow SFP, the unauthenticated device services, and the discretionary access control policy.
• Specifies initial values that override default values when object information is created under
unauthenticated information flow SFP, the authenticated information flow SFP, the unauthenticated
target of evaluation (TOE) services, and the discretionary access control policy.
• Creates, deletes, or modifies the rules that control the address from which management sessions can
be established.
• Specifies and revokes security attributes associated with the users, subjects, and objects.
• Specifies the percentage of audit storage capacity at which the device alerts administrators.
• Handles authentication failures and modifies the number of failed authentication attempts through
SSH or from the CLI that can occur before progressive throttling is enforced for further authentication
attempts and before the connection is dropped.
• IDS Administrator—Specifies IDS security alarms, intrusion alarms, audit selections, and audit data.
You need to set the security-role attribute in the classes created for these administrative roles. This attribute
restricts which users can show and clear the security logs, actions that cannot be performed through
configuration alone.
For example, you need to set the security-role attribute in the ids-admin class created for the IDS
administrator role if you want to restrict clearing and showing IDS logs to the IDS administrator role.
Likewise, set security-role to one of the other admin values to restrict that class to clearing and
showing only non-IDS logs.
NOTE: When a user deletes an existing configuration, the configuration statements under the
hierarchy level of the deleted configuration (that is, the child objects that the user does not have
permission to modify) remain on the device.
IN THIS SECTION
Requirements | 74
Overview | 74
Configuration | 75
Verification | 81
This example shows how to configure individual administrative roles for a distinct, unique set of privileges
apart from all other administrative roles.
Requirements
No special configuration beyond device initialization is required before configuring this feature.
Overview
When a security-admin class is configured, the privileges for creating administrators are revoked from the
user who created the security-admin class. Creation of new users and logins is at the discretion of the
security-officer.
In this example, you create audit admin, crypto admin, security admin, and ids admin with permission flags
pertaining to this role. Then you allow or deny access to configuration statements and commands by name
for each administrative role. These specific restrictions take precedence over the permission flags also
configured in the class. For example, only the crypto-admin can run the request system set-encryption-key
command, which requires having the security permission flag to access it. Only the security-admin can
include the system time-zone statement in the configuration, which requires having the system-control
permission flag.
Configuration
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For information
about navigating the CLI, see Using the CLI Editor in Configuration Mode.
[edit]
user@host# set system login class audit-admin
[edit system login class audit-admin]
user@host# set permissions security
user@host# set permissions trace
user@host# set permissions maintenance
[edit]
user@host# set system login class crypto-admin
[edit]
user@host# set system login class security-admin
[edit]
user@host# set system login class ids-admin
[edit]
user@host# set system login
Results
From configuration mode, confirm your configuration by entering the show system command. If the output
does not display the intended configuration, repeat the instructions in this example to correct the
configuration.
[edit]
user@host# show system
system {
login {
class audit-admin {
permissions [ maintenance security trace ];
allow-commands "^clear (log|security log)";
deny-commands "^clear (security alarms|system login lockout)|^file (copy|delete|rename)|^request
(security|system set-encryption-key)|^rollback|^set date|^show security
(alarms|dynamic-policies|match-policies|policies)|^start shell";
security-role audit-administrator;
}
class crypto-admin {
permissions [ admin-control configure maintenance security-control system-control trace ];
allow-commands "^request (system set-encryption-key)";
deny-commands "^clear (log|security alarms|security log|system login lockout)|^file
(copy|delete|rename)|^rollback|^set date|^show security
(alarms|dynamic-policies|match-policies|policies)|^start shell";
allow-configuration-regexps "security (ike|ipsec) (policy|proposal)" "security ipsec ^vpn$ .* manual
(authentication|encryption|protocol|spi)" "system fips self-test after-key-generation";
security-role crypto-administrator;
}
class security-admin {
permissions [all];
deny-commands "^clear (log|security log)|^(clear|show) security alarms alarm-type idp|^request
(security|system set-encryption-key)|^rollback|^start shell";
deny-configuration-regexps "security alarms potential-violation idp" "security (ike|ipsec) (policy|proposal)"
"security ipsec ^vpn$ .* manual (authentication|encryption|protocol|spi)" "security log exclude .* event-id
IDP_.*" "system fips self-test after-key-generation";
security-role security-administrator;
}
class ids-admin {
permissions [ configure maintenance security-control trace ];
deny-commands "^clear log|^(clear|show) security alarms
(alarm-id|all|newer-than|older-than|process|severity)|^(clear|show) security alarms alarm-type
(authentication | cryptographic-self-test | decryption-failures | encryption-failures
| ike-phase1-failures | ike-phase2-failures|key-generation-self-test |
non-cryptographic-self-test |policy | replay-attacks) | ^file (copy|delete|rename)
|^request (security|system set-encryption-key) | ^rollback |
^set date | ^show security (dynamic-policies|match-policies|policies) |^start shell";
allow-configuration-regexps "security alarms potential-violation idp" "security log exclude .* event-id
IDP_.*";
deny-configuration-regexps "security alarms potential-violation
(authentication|cryptographic-self-test|decryption-failures|encryption-failures|ike-phase1-failures|
ike-phase2-failures|key-generation-self-test|non-cryptographic-self-test|policy|replay-attacks)";
security-role ids-administrator;
}
user audit-officer {
class audit-admin;
authentication {
encrypted-password "$1$ABC123"; ## SECRET-DATA
}
}
user crypto-officer {
class crypto-admin;
authentication {
encrypted-password "$1$ABC123."; ## SECRET-DATA
}
}
user security-officer {
class security-admin;
authentication {
encrypted-password "$1$ABC123."; ## SECRET-DATA
}
}
user ids-officer {
class ids-admin;
authentication {
encrypted-password "$1$ABC123/"; ## SECRET-DATA
}
}
}
}
If you are done configuring the device, enter commit from configuration mode.
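To check a class's allow-commands and deny-commands expressions before committing them, here is an added Python checker (not Juniper code) run against the audit-admin and security-admin patterns shown above. It assumes that Python's re is close enough to the extended regular expressions Junos evaluates for these patterns, and that a command matching both lists is treated as allowed (an assumption, not stated on this page; adjustable via allow_wins).

```python
"""Offline checker for allow-commands / deny-commands regular expressions.

Added illustration, not Juniper code. The patterns are copied from the
audit-admin and security-admin classes shown above (joined here where the
document wrapped them). Python's re stands in for the extended regular
expressions Junos evaluates; the precedence rule when a command matches
both lists is an assumption (see allow_wins), not taken from this page.
"""
import re
from typing import List

# audit-admin: may clear log and security log, but not alarms, lockouts, ...
AUDIT_ADMIN_ALLOW = "^clear (log|security log)"
AUDIT_ADMIN_DENY = (
    "^clear (security alarms|system login lockout)|^file (copy|delete|rename)|"
    "^request (security|system set-encryption-key)|^rollback|^set date|"
    "^show security (alarms|dynamic-policies|match-policies|policies)|^start shell"
)
# security-admin: everything via permissions [all] except these commands
SECURITY_ADMIN_DENY = (
    "^clear (log|security log)|^(clear|show) security alarms alarm-type idp|"
    "^request (security|system set-encryption-key)|^rollback|^start shell"
)


def authorize(command: str, allow: str = "", deny: str = "",
              allow_wins: bool = True) -> str:
    """Decide how a class's regexps treat one operational-mode command.

    Returns 'allow' or 'deny' when a regexp decides, or 'flags' when neither
    list matches and the class's permission flags decide instead.
    """
    cmd = " ".join(command.split())   # collapse repeated whitespace in the input
    allowed = bool(allow) and re.search(allow, cmd) is not None
    denied = bool(deny) and re.search(deny, cmd) is not None
    if allowed and denied:
        # Assumption (not stated on this page): allow-commands wins on overlap.
        return "allow" if allow_wins else "deny"
    if allowed:
        return "allow"
    if denied:
        return "deny"
    return "flags"


def top_level_alternatives(pattern: str) -> List[str]:
    """Split a pattern on '|' characters that are not inside parentheses."""
    parts, current, depth = [], [], 0
    for ch in pattern:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "|" and depth == 0:
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return parts


def unanchored_alternatives(pattern: str) -> List[str]:
    """Alternatives lacking a leading '^'.

    An unanchored alternative such as 'log' matches anywhere in the command
    ('show log', 'clear log', ...), which is rarely what a deny list means.
    """
    return [p for p in top_level_alternatives(pattern) if not p.startswith("^")]


def lint_class(name: str, allow: str = "", deny: str = "") -> List[str]:
    """Human-readable warnings for one class; an empty list means clean."""
    warnings = []
    for label, pattern in (("allow-commands", allow), ("deny-commands", deny)):
        if not pattern:
            continue
        for alt in unanchored_alternatives(pattern):
            warnings.append(f"{name}: {label} alternative '{alt}' is not anchored with ^")
        try:
            re.compile(pattern)
        except re.error as exc:
            warnings.append(f"{name}: {label} does not compile: {exc}")
    return warnings


if __name__ == "__main__":
    for cmd in ("clear log", "clear system login lockout", "show system login lockout"):
        print(f"audit-admin {cmd!r:32} -> {authorize(cmd, AUDIT_ADMIN_ALLOW, AUDIT_ADMIN_DENY)}")
    print(lint_class("audit-admin", AUDIT_ADMIN_ALLOW, AUDIT_ADMIN_DENY))  # []
    print(lint_class("example", deny="^clear log|rollback"))             # one warning
```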
Verification
Purpose
Verify the login permissions for the current user.
Action
From operational mode, enter the show cli authorization command.
The following example shows how to configure a password-protected local administration account called
admin with superuser privileges. Superuser privileges give a user permission to use any command on the
router and are generally reserved for a select few users such as system administrators. It is important to
protect the local administrator account with a password to prevent unauthorized users from gaining access
to superuser commands that can be used to alter the system configuration. Even when users are authenticated
with RADIUS, configure a local password: if RADIUS fails or becomes unreachable, the login process
falls back to password authentication against the local administrator account.
[edit]
system {
login {
user admin {
uid 1000;
class superuser;
authentication {
encrypted-password "<PASSWORD>"; ## SECRET-DATA
}
}
}
}
IN THIS SECTION
Regular Expressions for Allowing and Denying Junos OS Operational Mode Commands, Configuration
Statements, and Hierarchies | 94
Examples of Defining Access Privileges Using allow-configuration and deny-configuration Statements | 105
Example: Using Additive Logic With Regular Expressions to Specify Access Privileges | 108
Example: Configuring User Permissions with Access Privileges for Operational Mode Commands | 111
Example: Configuring User Permissions with Access Privileges for Configuration Statements and
Hierarchies | 126
Junos OS lets you grant access privileges for operational mode commands and for configuration hierarchy
levels and statements, so that users can execute only those commands and configure and view only
those statements for which they have privileges. You can use extended regular expressions to
specify which operational mode commands, configuration statements, and hierarchies are allowed or denied
for users. This prevents unauthorized users from executing or configuring sensitive commands and
statements that could damage the network. Read this topic for more information.
Each top-level CLI command and each configuration statement have an access privilege level associated
with them. Users can execute only those commands and configure and view only those statements for
which they have access privileges. The access privileges for each login class are defined by one or more
permission flags.
For each login class, you can explicitly deny or allow the use of operational and configuration mode
commands that would otherwise be permitted or not allowed by a privilege level specified in the permissions
statement.
Permission flags are used to grant a user access to operational mode commands and configuration hierarchy
levels and statements. By specifying a specific permission flag on the user's login class at the [edit system
login class] hierarchy level, you grant the user access to the corresponding commands and configuration
hierarchy levels and statements. To grant access to all commands and configuration statements, use the
all permissions flag.
NOTE: Each command listed represents that command and all subcommands with that command
as a prefix. Each configuration statement listed represents the top of the configuration hierarchy
to which that flag grants access.
The permissions statement specifies one or more of the permission flags listed in Table 5 on page 85.
Permission flags are not cumulative, so for each class you must list all the permission flags needed, including
view to display information and configure to enter configuration mode. Two forms of permissions control
for individual parts of the configuration are:
• "Plain” form—Provides read-only capability for that permission type. An example is interface.
• Form that ends in -control—Provides read and write capability for that permission type. An example is
interface-control.
For permission flags that grant access to configuration hierarchy levels and statements, the flags grant
read-only privilege to that configuration. For example, the interface permissions flag grants read-only
access to the [edit interfaces] hierarchy level. The -control form of the flag grants read-write access to
that configuration. Using the preceding example, interface-control grants read-write access to the [edit
interfaces] hierarchy level.
Table 5 on page 85 lists the Junos OS login class permission flags that you can configure by including the
permissions statement at the [edit system login class class-name] hierarchy level.
The permission flags grant a specific set of access privileges. Each permission flag is listed with the
operational mode commands and configuration hierarchy levels and statements for which that flag grants
access.
Table 5: Login Class Permission Flags (the page number after each flag refers to the statement description)

access (page 652): Can view the access configuration in configuration mode and with the show configuration operational mode command.
access-control (page 657): Can view and configure access information at the [edit access] hierarchy level.
admin (page 658): Can view user account information in configuration mode and with the show configuration operational mode command.
admin-control (page 664): Can view user account information and configure it at the [edit system] hierarchy level.
all-control (page 665): Can view user accounts and configure them at the [edit system login] hierarchy level.
all: Can access all operational mode commands and configuration mode commands. Can modify configuration in all the configuration hierarchy levels.
clear (page 666): Can clear (delete) information learned from the network that is stored in various network databases by using the clear commands.
configure (page 767): Can enter configuration mode by using the configure command.
control (page 768): Can perform all control-level operations, that is, all operations configured with the -control permission flags.
field (page 769): Can view field debug commands. Reserved for debugging support.
firewall (page 770): Can view the firewall filter configuration in configuration mode.
firewall-control (page 775): Can view and configure firewall filter information at the [edit firewall] hierarchy level.
floppy (page 776): Can read from and write to the removable media.
flow-tap (page 777): Can view the flow-tap configuration in configuration mode.
flow-tap-control (page 782): Can view the flow-tap configuration in configuration mode and can configure flow-tap configuration information at the [edit services flow-tap] hierarchy level.
flow-tap-operation (page 783): Can make flow-tap requests to the router or switch. For example, a Dynamic Tasking Control Protocol (DTCP) client must have flow-tap-operation permission to authenticate itself to the Junos OS as an administrative user.
interface (page 784): Can view the interface configuration in configuration mode and with the show configuration operational mode command.
interface-control (page 790): Can view chassis, class of service (CoS), groups, forwarding options, and interfaces configuration information. Can edit configuration at the following hierarchy levels:
• [edit chassis]
• [edit class-of-service]
• [edit groups]
• [edit forwarding-options]
• [edit interfaces]
maintenance (page 791): Can perform system maintenance, including starting a local shell on the router or switch and becoming the superuser in the shell by using the su root command, and can halt and reboot the router or switch by using the request system commands.
network (page 804): Can access the network by using the ping, ssh, telnet, and traceroute commands.
reset (page 812): Can restart software processes by using the restart command and can configure whether software processes are enabled or disabled at the [edit system processes] hierarchy level.
rollback (page 814): Can use the rollback command to return to a previously committed configuration other than the most recently committed one.
routing (page 814): Can view general routing, routing protocol, and routing policy configuration information in configuration and operational modes.
routing-control (page 825): Can view general routing, routing protocol, and routing policy configuration information and can configure general routing at the [edit routing-options] hierarchy level, routing protocols at the [edit protocols] hierarchy level, and routing policy at the [edit policy-options] hierarchy level.
secret (page 831): Can view passwords and other authentication keys in the configuration.
secret-control (page 837): Can view passwords and other authentication keys in the configuration and can modify them in configuration mode.
security (page 839): Can view security configuration in configuration mode and with the show configuration operational mode command.
security-control (page 849): Can view and configure security information at the [edit security] hierarchy level.
shell (page 854): Can start a local shell on the router or switch by using the start shell command.
snmp (page 855): Can view Simple Network Management Protocol (SNMP) configuration information in configuration and operational modes.
snmp-control (page 860): Can view SNMP configuration information and can modify SNMP configuration at the [edit snmp] hierarchy level.
system (page 861): Can view system-level information in configuration and operational modes.
system-control (page 869): Can view system-level configuration information and configure it at the [edit system] hierarchy level.
trace (page 871): Can view trace file settings and configure trace file properties.
trace-control (page 883): Can modify trace file settings and configure trace file properties.
view (page 890): Can use various commands to display current system-wide, routing table, and protocol-specific values and statistics. Cannot view the secret configuration.
view-configuration (page 1040): Can view all of the configuration excluding secrets, system scripts, and event options.

NOTE: Only users with the maintenance permission can view commit script, op script, or event script configuration.
By default, all top-level CLI commands have associated access privilege levels. Users can execute only
those commands and view only those statements for which they have access privileges. For each login
class, you can explicitly deny or allow the use of operational and configuration mode commands that would
otherwise be permitted or not allowed by a privilege level specified in the permissions statement.
Permission flags are used to grant a user access to operational mode commands and configuration hierarchy
levels and statements. By specifying a specific permission flag on the user's login class at the [edit system
login class] hierarchy level, you grant the user access to the corresponding commands and configuration
hierarchy levels and statements. To grant access to all commands and configuration statements, use the
all permissions flag. For permission flags that grant access to configuration hierarchy levels and statements,
the flags grant read-only privilege to that configuration. For example, the interface permissions flag grants
read-only access to the [edit interfaces] hierarchy level. The -control form of the flag grants read-write
access to that configuration. Using the preceding example, interface-control grants read-write access to
the [edit interfaces] hierarchy level.
• The all login class permission bits take precedence over extended regular expressions when a user issues
the rollback command with the rollback permission flag enabled.
• Expressions used to allow and deny commands for users on RADIUS and TACACS+ servers have been
simplified. Instead of a single, long expression with multiple commands (allow-commands=cmd1 cmd2
... cmdn), you can specify each command as a separate expression. This new syntax is valid for
allow-configuration, deny-configuration, allow-commands, deny-commands, and all user permission
bits.
• Users cannot issue the load override command when specifying an extended regular expression. Users
can only issue the merge, replace, and patch configuration commands.
• If you allow and deny the same commands, the allow-commands permissions take precedence over the
permissions specified by the deny-commands. For example, if you include allow-commands "request
system software add" and deny-commands "request system software add", the login class user is allowed
to install software using the request system software add command.
• Regular expressions for allow-commands and deny-commands can also include the commit, load,
rollback, save, status, and update commands.
• If you specify a regular expression for allow-commands and deny-commands with two different variants
of a command, the longest match is always executed.
For example, if you specify a regular expression for allow-commands with the commit-synchronize
command and a regular expression for deny-commands with the commit command, users assigned to
such a login class would be able to issue the commit synchronize command, but not the commit command.
This is because commit-synchronize is the longest match between commit and commit-synchronize
and it is specified for allow-commands.
Likewise, if you specify a regular expression for allow-commands with the commit command and a
regular expression for deny-commands with the commit-synchronize command, users assigned to such
a login class would be able to issue the commit command, but not the commit-synchronize command.
This is because commit-synchronize is the longest match between commit and commit-synchronize
and it is specified for deny-commands.
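The following login class is an added example, not one from the guide (the class name precedence-demo is assumed). It deliberately places the same command under both allow-commands and deny-commands, and pairs a short denied pattern with a longer allowed one, so that the allow-over-deny and longest-match rules above can be observed from the CLI:

```junos
/* Added example (not from the guide); the class name is assumed. */
system {
    login {
        class precedence-demo {
            /* maintenance is required for request system software add;
               configure and view let the user enter configuration mode and commit. */
            permissions [ configure maintenance view ];
            /* Rule 1: the identical string under allow and deny -> allow wins, so
               "request system software add" stays usable although it is also denied.
               Rule 2: longest match wins. "commit synchronize" (the command as typed
               at the CLI) matches the longer allowed pattern and is accepted, while the
               shorter denied pattern "^commit" still refuses a bare commit. */
            allow-commands "^request system software add|^commit synchronize";
            deny-commands "^request system software add|^commit";
        }
    }
}
```

Log in as a member of the class and try the three commands: commit synchronize and request system software add are accepted, a bare commit is refused. Swapping the two commit patterns (allow ^commit, deny ^commit synchronize) inverts the outcome exactly as the last bullet describes, because the longer pattern is now on the deny side.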
IN THIS SECTION
Requirements | 90
Overview | 90
Configuration | 91
Verification | 93
This example shows how to view permissions for a user account and configure the user permissions with
access privileges for a login class. This enables users to execute only those commands and configure and
view only those statements for which they have access privileges. This prevents unauthorized users from
executing or configuring sensitive commands and statements that could potentially cause damage to the
network.
Requirements
• Configure at least one user assigned to a login class on the Juniper Networks device. There can be more
than one login class, each with varying permission configurations, and more than one user on the device.
Overview
Each top-level command-line interface (CLI) command and each configuration statement in Junos OS has
an access privilege level associated with it. For each login class, you can explicitly deny or allow the use
of operational and configuration mode commands that would otherwise be permitted or not allowed by
a privilege level. Users can execute only those commands and configure and view only those statements
for which they have access privileges. To configure access privilege levels, include the permissions statement
at the [edit system login class class-name] hierarchy level.
The access privileges for each login class are defined by one or more permission flags specified in the
permissions statement. Permission flags are used to grant a user access to operational mode commands,
statements, and configuration hierarchies. Permission flags are not cumulative, so for each login class you
must list all the permission flags needed, including view to display information and configure to enter
configuration mode. By specifying a specific permission flag on the user's login class, you grant the user
access to the corresponding commands, statements, and configuration hierarchies. To grant access to all
commands and configuration statements, use the all permissions flag. The permission flags provide read-only
(“plain” form) and read and write (form that ends in -control) capability for a permission type.
NOTE: The all login class permission bits take precedence over extended regular expressions
when a user issues a rollback command with the rollback permission flag enabled.
You can view the permissions for a user account before configuring the access privileges for those
permissions, by entering ? at the operational mode prompt, as the procedure below shows.
All users who can log in to a device must be in a login class. For each login class, you can configure the
access privileges that the associated users can have when they are logged in to the device.
To configure access privilege levels for user permissions, include the permissions statement at the [edit
system login class class-name] hierarchy level, followed by the user permission, the permissions option,
and the required permission flags.
Configuration
Step-by-Step Procedure
To configure access privileges:
1. From the device, view the list of permissions available for the user account. In this example, the username
of the user account is host. Enter ? at the operational mode prompt:
user@host> ?
Possible completions:
clear Clear information in the system
configure Manipulate software configuration information
The output lists the permissions for the user host. Customized login classes can be created by configuring
different access privileges on these user permissions.
2. Configure a login class that lets user host configure and view SNMP parameters only.
In this example, this login class is called network-management. To build the network-management
login class, specify the configure permission flag (so the user can enter configuration mode) together
with the SNMP permission flags.
Here, the configured permission flags provide read (snmp) and read-and-write (snmp-control)
capability for SNMP, and this is the only access privilege the network-management login class grants.
In other words, all access privileges other than configuring and viewing SNMP parameters are denied.
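The class described in step 2, written out as an added example rather than the guide's own listing. The user name host follows the text; the password hash is a placeholder that you replace with a real one:

```junos
/* Added example (not from the guide). Replace the placeholder hash with a real one. */
system {
    login {
        class network-management {
            /* configure: may enter configuration mode.
               snmp: read access to [edit snmp]; snmp-control: read-write access.
               No other flag is listed, so every other hierarchy (interfaces,
               protocols, system, ...) is denied to this class. */
            permissions [ configure snmp snmp-control ];
        }
        user host {
            class network-management;
            authentication {
                encrypted-password "<PASSWORD>"; ## SECRET-DATA
            }
        }
    }
}
```

The same class in set form is: set system login class network-management permissions [ configure snmp snmp-control ]. After logging in as host, show cli authorization (operational mode) lists exactly these permissions, which is the check to run before handing the account over.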
Results
From configuration mode, confirm your configuration by entering the show system login command. If the
output does not display the intended configuration, repeat the instructions in this example to correct the
configuration.
Verification
Log in as the username assigned with the new login class, and confirm that the configuration is working
properly.
Purpose
Verify that SNMP configuration can be executed.
Action
From configuration mode, execute basic SNMP commands at the [edit snmp] hierarchy level.
[edit snmp]
user@host# set name device1
user@host# set description switch1
user@host# set location Lab1
user@host# set contact example.com
user@host# commit
Meaning
The user host assigned to the network-management login class is able to configure SNMP parameters, as
the permission flags specified for this class include both snmp (read capabilities) and snmp-control (read
and write capabilities) permission bits.
Purpose
Verify that non-SNMP configuration is denied for the network-management login class.
Action
From the configuration mode, execute any non-SNMP configuration, for example, interfaces configuration.
[edit]
user@host# edit interfaces
Syntax error, expecting <statement> or <identifier>.
You can use extended regular expressions to specify which operational mode commands, configuration
statements, and hierarchies are denied or allowed. You specify these regular expressions locally in the
allow-commands, deny-commands, allow-configuration, deny-configuration, allow-commands-regexps,
deny-commands-regexps, allow-configuration-regexps, and deny-configuration-regexps statements at the
[edit system login class class-name] hierarchy level, or remotely by specifying Juniper Networks
vendor-specific TACACS+ or RADIUS attributes in your authorization server's configuration.
The difference between a local and remote authorization configuration is the pattern in which the regular
expressions statements are executed. While it is possible to specify multiple regular expressions using
strings in the local authorization configuration, in a remote configuration, the regular expressions statements
need to be split and specified in individual strings. When the authorization parameters are configured both
remotely and locally, the regular expressions received during TACACS+ or RADIUS authorization get
merged with any regular expressions available on the local device.
When specifying multiple regular expressions in a local configuration using the allow-configuration,
deny-configuration, allow-commands, or deny-commands statements, regular expressions are configured
within parentheses and separated using the pipe symbol. The complete expression is enclosed in double
quotes. For example, you can specify multiple allow-commands parameters with the following syntax:
allow-commands "(cmd1)|(cmd2)|(cmdn)"
The same expression configured remotely on the authorization server uses the following syntax:
allow-commands1 = "cmd1"
allow-commands2 = "cmd2"
allow-commandsn = "cmdn"
When specifying multiple regular expressions in a local configuration using the allow-configuration-regexps,
deny-configuration-regexps, allow-commands-regexps, or deny-commands-regexps statements, each regular
expression is enclosed in double quotes, the expressions are separated by spaces, and the complete list is
enclosed in square brackets. For example, you can specify multiple allow-commands-regexps parameters
with the following syntax:
allow-commands-regexps [ "cmd1" "cmd2" "cmdn" ]
The same expression configured remotely on the authorization server uses the following syntax:
allow-commands-regexps1 = "cmd1"
allow-commands-regexps2 = "cmd2"
allow-commands-regexpsn = "cmdn"
Table 6 on page 96 differentiates the local and remote authorization configuration using regular expressions.
Table 6: Sample Local and Remote Authorization Configuration Using Regular Expressions
NOTE:
• You need to explicitly allow access to the NETCONF mode, either locally or remotely, by
issuing the following three commands: xml-mode, netconf, and need-trailer.
• When the deny-configuration = ".*" statement is used, every configuration hierarchy the user does
need must be allowed explicitly with the allow-configuration statement. This can run into the regular
expression buffer limit for the allow-configuration statement; when the limit is exceeded, the
allowed configuration might not work. This regular expression buffer size limit was
increased in Junos OS Release 14.1X53-D40, 15.1, and 16.1.
WARNING: When you specify regular expression for commands and configuration
statements, pay close attention to the following examples, as regular expression with
invalid syntax might not produce the desired results, even if the configuration is
committed without any error.
Regular expressions for commands and configuration statements should be specified in the same manner
as executing the complete command or statement. Table 7 on page 98 lists the regular expressions for
configuring access privileges for the [edit interfaces] and [edit vlans] statement hierarchies, and for the
delete interfaces command.
Table 7: Regular Expressions for the [edit interfaces] and [edit vlans] Hierarchies and the delete interfaces Command

[edit interfaces]
The set command for interfaces is executed as follows:
[edit]
user@host# set interfaces interface-name unit interface-unit-number
The set interfaces statement is incomplete by itself, and requires the unit option to execute the statement.
As a result, the regular expression required for denying the set interfaces configuration must specify the
entire executable string, with the .* operator in place of statement variables:
[edit system login class class-name]
user@host# set permissions configure
user@host# set deny-configuration "interfaces .* unit .*"
• The .* operator denotes everything from the specified point onward for that particular command or
statement. In this example, it denotes any interface name with any unit value.
• Specifying only the deny-configuration "interfaces .*" statement is incorrect and does not deny access
to the interfaces configuration for the specified login class.
• Other valid options can be included in the regular expression, for example:
[edit system login class class-name]
user@host# set permissions configure
user@host# set deny-configuration "interfaces .* description .*"

delete interfaces
The delete command for interfaces is executed as follows:
[edit]
user@host# delete interfaces interface-name
The delete interfaces statement can be executed by itself and does not require additional statements to be
complete. As a result, the regular expression required for denying the delete interfaces statement should
specify the following:
[edit system login class class-name]
user@host# set permissions configure
user@host# set allow-configuration "interfaces .*"
user@host# set deny-configuration "interfaces .*"
• The .* operator denotes everything from the specified point onward for that particular command or
statement. In this example, it denotes any interface name.
• For the deny-configuration "interfaces .*" regular expression to take effect, the specified login class
should allow configuration permissions for the interfaces hierarchy using the allow-configuration
"interfaces .*" regular expression.

[edit vlans]
The set command for VLANs is executed as follows:
Here, the set vlans statement is incomplete by itself, and requires the vlan-id option to execute the
statement.
• The .* operator denotes everything from the specified point onward for that particular command or
statement. In this example, it denotes any VLAN name with
Table 8 on page 100 lists common regular expression operators that you can use for allowing or denying
operational and configuration modes.
Command regular expressions implement the extended (modern) regular expressions, as defined in POSIX
1003.2.
With the above configuration, the users assigned to the test login class have
operator-level user permissions, and have access to configure interfaces within the
specified range of interface name and unit number (0 through 9).
With the above configuration, users assigned to the test login class whose login
username begins with m are denied configuration access.
NOTE:
• The *, +, and . operations can be achieved by using .*.
• The deny-commands .* and deny-configuration .* statements deny access to all
operational mode commands and configuration hierarchies, respectively.
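An added login class, not taken from the guide, that exercises the operators Table 8 covers (grouping and alternation, a bracket range, and the ^ anchor) inside allow-configuration and deny-configuration statements. The class name test, the interface naming, and the choice of flags (the operator-level set clear, network, reset, trace, view, plus configure and admin-control) are assumptions:

```junos
/* Added example (not from the guide); class name, flags and interface names are assumed. */
system {
    login {
        class test {
            /* Operator-level flags plus configure (enter configuration mode) and
               admin-control (edit [edit system], including user accounts). */
            permissions [ admin-control clear configure network reset trace view ];
            /* (ge|xe) is a grouped alternation, [0-9] a one-character range, and the
               trailing .* accepts whatever follows "unit <n>". Only ge-0/0/0 .. xe-0/0/9
               with unit 0 through 9 can be configured; ge-0/0/12 or unit 10 cannot. */
            allow-configuration "interfaces (ge|xe)-0/0/[0-9] unit [0-9] .*";
            /* ^ anchors the match at the start of the statement, so only user accounts
               whose name begins with m are withheld from this class; admin-control
               still lets it manage every other account under [edit system login]. */
            deny-configuration "^system login user m.*";
        }
    }
}
```

Because Junos matches the statement as typed (see the WARNING above), verify each pattern by logging in as a member of the class and issuing the exact set and delete commands it is meant to allow or refuse, rather than trusting that the commit succeeded.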
Table 9 on page 103 lists the regular expressions used to allow configuration options under two configuration
hierarchies—[edit system ntp server] and [edit protocols rip]—as an example for specifying regular
expressions.
NOTE: Table 9 on page 103 does not provide a comprehensive list of all regular expressions and
keywords for all configuration statements and hierarchies. The regular expressions listed in the
table are supported in Junos OS Release 16.1, and are validated only for the [edit system ntp
server] and [edit protocols rip] statement hierarchies.
You can define access privileges using a combination of the following types of statements:
• permission flags
• allow-configuration and deny-configuration statements
The permission flags define the larger boundaries of what a person or login class can access and control.
The allow-configuration and deny-configuration statements take precedence over permission flags and
give the administrator finer control over exactly what the user has access to.
This topic explains defining access privileges using allow-configuration and deny-configuration statements
by showing a series of examples of login class configuration using these statements. Examples 1 through
3 use both permission flags and deny-configuration statements to create login classes that allow users
access to all except something. Each allow-configuration or deny-configuration statement is configured
with one or more regular expressions to be allowed or denied.
Notice that permission bit and permission flag are used interchangeably.
Example 1
To create a login class that allows the user to configure everything except telnet parameters:
Example 2
To create a login class that allows the user to configure everything except anything within any login class
whose name begins with “m”:
Example 3
This example creates a login class with the all permission bit that nevertheless prevents the user from
editing the configuration or issuing commands (such as commit) at the [edit system login class] or [edit
system services] hierarchy levels. In other words, the user can configure everything except those two
hierarchy levels:
The next two examples show how to use the allow-configuration and deny-configuration statements to
determine permissions inverse to each other for the [edit system services] hierarchy level.
Example 4
To create a login class that allows the user to have full configuration privileges at the [edit system services]
hierarchy level and at only the [edit system services] hierarchy level:
Example 5
To create a login class that allows the user full permissions for all configuration mode hierarchies except
the [edit system services] hierarchy level:
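The five examples above written out as one listing. This is an added example, not the guide's own configuration: the class names are assumed, and the regular expressions follow the form the guide uses elsewhere (hierarchy path as typed, m.* for names beginning with m, parenthesised alternation for two hierarchies):

```junos
/* Added example (not from the guide); class names are assumed. */
system {
    login {
        /* Example 1: configure everything except telnet parameters. */
        class all-but-telnet {
            permissions all;
            deny-configuration "system services telnet";
        }
        /* Example 2: configure everything except login classes whose name begins with m. */
        class all-but-m-classes {
            permissions all;
            deny-configuration "system login class m.*";
        }
        /* Example 3: all permission bit, but no editing or commit at
           [edit system login class] or [edit system services]. */
        class all-but-login-class-and-services {
            permissions all;
            deny-configuration "(system login class)|(system services)";
        }
        /* Example 4: full privileges at [edit system services] and nowhere else.
           allow-configuration takes precedence over the bare configure flag. */
        class services-only {
            permissions configure;
            allow-configuration "system services";
        }
        /* Example 5: the inverse of Example 4: everything except [edit system services]. */
        class all-but-services {
            permissions all;
            deny-configuration "system services";
        }
    }
}
```

Only one allow-configuration and one deny-configuration statement is accepted per class, which is why Example 3 folds both hierarchies into a single alternation. As Table 7 warns, confirm each class by logging in and typing the set commands it should refuse; a pattern that does not match the statement string as executed commits without error and denies nothing.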
IN THIS SECTION
Requirements | 108
Overview | 108
Configuration | 109
Examples | 109
This example shows how to use additive logic when using regular expressions to set up configuration
access privileges.
Requirements
• There can be more than one login class, each with varying permission configurations, and more than
one user on the device.
Overview
To control who can make configuration changes to the system, and what specifically they can change, you
can create regular expressions that indicate specific portions of the configuration hierarchy that users in
a named user class are permitted to access. For example, you can create regular expressions that specify
a group of routing instances that users are allowed to modify, and prevent the users from making changes
to any other routing instances, or to any other configuration level.
By default, users in a login class can configure any hierarchy that their permission flags grant and that no
deny-configuration-regexps statement denies (allow all by default / deny some as specified). You can
optionally change this default behavior so that additive logic (deny all by default / allow some as specified)
is used in regular expressions. When additive logic is enabled, the behavior of existing regular expressions
changes so that all configuration hierarchies are denied unless they are included in an
allow-configuration-regexps statement for the named user class.
Configuration
1. To explicitly allow one or more individual configuration mode hierarchies, include the
allow-configuration-regexps statement at the [edit system login class class-name] hierarchy level,
configured with the regular expressions to be allowed.
2. Enable additive logic by including the regex-additive-logic statement at the [edit system] hierarchy level:
[edit system]
user@host# set regex-additive-logic
Users assigned this login class then have access to the configuration hierarchies included in the
allow-configuration-regexps statement, but no others.
Examples
Purpose
This section provides examples of regular expressions that use additive logic to give you ideas for creating
configurations appropriate for your system.
The following example login class includes a regular expression that allows configuration of routing instances
whose names start with CUST-VRF-; for example, CUST-VRF-1, CUST-VRF-25, CUST-VRF-100, and so
on:
If the following statement is included in the configuration, it prevents the user from configuring any other
routing instances and denies access to any non-routing instance configuration hierarchy:
[edit system]
user@host# set regex-additive-logic
The following example login class includes a regular expression that allows configuration of BGP peers:
If the following statement is included in the configuration, it prevents the user from making any other
changes, such as deleting or disabling BGP statements:
[edit system]
user@host# set regex-additive-logic
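Both additive-logic classes described above (the CUST-VRF- routing instances and the BGP peers), as one added listing that is not the guide's own. The class names, the exact regular expressions, and the view flags granted alongside configure are assumptions:

```junos
/* Added example (not from the guide); class names and regexps are assumed. */
system {
    /* Deny all by default: only hierarchies named in allow-configuration-regexps
       remain configurable for every class that uses those statements. */
    regex-additive-logic;
    login {
        class cust-vrf-admin {
            permissions [ configure view view-configuration ];
            /* CUST-VRF-1, CUST-VRF-25, CUST-VRF-100, ... and anything beneath them.
               Any other routing instance, and any non-routing-instance hierarchy,
               is denied because additive logic is on. */
            allow-configuration-regexps "routing-instances CUST-VRF-.*";
        }
        class bgp-peer-admin {
            permissions [ configure view view-configuration ];
            /* Only peer definitions under any BGP group may be changed; deleting or
               disabling the rest of the BGP configuration is not matched, so denied. */
            allow-configuration-regexps "protocols bgp group .* neighbor .*";
        }
    }
}
```

Note that regex-additive-logic sits at [edit system], not inside a class, so enabling it changes the meaning of every allow-configuration-regexps and deny-configuration-regexps statement on the device; audit the other classes before committing it.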
Verification
• You should be able to perform configuration changes to hierarchy levels and regular expressions that
have been allowed.
• Any allowed or denied expressions should take precedence over any permissions granted with the
permissions statement.
IN THIS SECTION
Requirements | 112
Configuration | 116
Verification | 122
This example shows how to configure custom login classes and assign access privileges for operational
mode commands. This enables users of the customized login class to execute only those operational
commands for which access privileges have been specified. This prevents unauthorized users from executing
sensitive commands that could potentially cause damage to the network.
Requirements
• Establish a TCP connection between the device and the TACACS+ server. In the case of the RADIUS
server, establish a UDP connection between the device and the RADIUS server.
• Configure at least one user assigned to a login class on the Juniper Networks device. There can be more
than one login class, each with varying permission configurations, and more than one user on the device.
Each top-level command-line interface (CLI) command and each configuration statement in Junos OS has
an access privilege level associated with it. For each login class, you can explicitly deny or allow the use
of operational and configuration mode commands that would otherwise be permitted or not allowed by
a privilege level. Users can execute only those commands and configure and view only those statements
for which they have access privileges. To configure access privilege levels, include the permissions statement
at the [edit system login class class-name] hierarchy level.
The access privileges for each login class are defined by one or more permission flags specified in the
permissions statement. In addition to this, you can specify extended regular expressions with the following
statements:
The above statements define a user’s access privileges to individual operational mode commands,
configuration statements, and hierarchies. These statements take precedence over the login class permissions
set for a user.
Configuration Notes
• You can include the allow/deny statement only once in each login class.
• If the exact same command is configured under both allow-commands and deny-commands statements,
or both allow-configuration and deny-configuration statements, then the allow operation takes
precedence over the deny statement.
For instance, with the following configuration, a user assigned to login class test is allowed to install
software using the request system software add command, although the deny-commands statement
also includes it:
For instance, with the following configuration, a user assigned to login class test is allowed to access the
[edit system services] configuration hierarchy, although the deny-configuration statement also includes
it:
• If you specify a regular expression for allow-commands and deny-commands statements with two
different variants of a command, the longest match is always executed.
For instance, for the following configuration, a user assigned to test login class is allowed to execute the
commit synchronize command and not the commit command. This is because commit-synchronize is
the longest match between commit and commit-synchronize, and it is specified for allow-commands.
• Regular expressions for allow-commands and deny-commands statements can also include the commit,
load, rollback, save, status, and update commands.
• Explicitly allowing configuration mode hierarchies or regular expressions using the allow-configuration
statement adds to the regular permissions set using the permissions statement. Likewise, explicitly
denying configuration mode hierarchies or regular expressions using the deny-configuration statement
removes permissions for the specified configuration mode hierarchy, from the default permissions
provided by the permissions statement.
For example, for the following configuration, the login class user can edit the configuration at the [edit
system services] hierarchy level and issue configuration mode commands (such as commit), in addition
to just entering the configuration mode using the configure command, which is the permission specified
by the configure permission flag:
Likewise, for the following configuration, the login class user can perform all operations allowed by the
all permissions flag, except issuing configuration mode commands (such as commit) or modifying the
configuration at the [edit system services] hierarchy level:
• To define access privileges to parts of the configuration hierarchy, specify the full paths in the extended
regular expressions with the allow-configuration and deny-configuration statements. Use parentheses
around an extended regular expression that connects two or more expressions with the pipe (|) symbol.
For example:
• If the regular expression contains any spaces, operators, or wildcard characters, enclose the expression
in quotation marks. Regular expressions are not case-sensitive; for example, allow-commands "show
interfaces".
• Modifiers such as set, log, and count are not supported within the regular expression string to be matched.
If a modifier is used, then nothing is matched.
Incorrect configuration:
Correct configuration:
• Anchors are required when specifying complex regular expressions with the allow-commands statement.
For example:
OR
user@host# set class test allow-commands "^(monitor | ping | show | exit)"
For example:
For example:
• You can use the * wildcard character when denoting regular expressions. However, it must be used as
a portion of a regular expression. You cannot use [ * ] or [ .* ] alone.
• You cannot configure the allow-configuration statement with the (interfaces (description (|.*)) regular
expression, as this evaluates to allow-configuration = .* regular expression.
• You can configure as many regular expressions as needed to be allowed or denied. Regular expressions
to be denied take precedence over configurations to be allowed.
Topology
Figure 1: Router R1 (a Juniper Networks device) connected to the TACACS+ server at 10.209.1.66/24 over a TCP connection
Figure 1 on page 116 illustrates a simple topology, where Router R1 is a Juniper Networks device and has
a TCP connection established with a TACACS+ server.
In this example, R1 is configured with three customized login classes—Class1, Class2, and Class3—for
specifying access privileges with extended regular expressions using the allow-commands and
deny-commands statements differently.
• Class1—Defines access privileges for the user with the allow-commands statement only. This login class
provides operator-level user permissions, and should provide authorization for only rebooting the device.
• Class2—Defines access privileges for the user with the deny-commands statement only. This login class
provides operator-level user permissions, and should deny access to set commands.
• Class3—Defines access privileges for the user with both the allow-commands and deny-commands
statements. This login class provides superuser-level user permissions, and should provide authorization
for accessing interfaces and viewing device information. It should also deny access to edit and configure
commands.
Router R1 has three different users, User1, User2, and User3, assigned to Class1, Class2, and Class3 login
classes, respectively.
Configuration
R1
Step-by-Step Procedure
The following example requires that you navigate various levels in the configuration hierarchy. For
information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
1. Configure the order in which authentication should take place for R1. In this example, TACACS+ server
authentication is first, followed by RADIUS server authentication, and then the local password.
[edit system]
user@R1# set authentication-order tacplus
user@R1# set authentication-order radius
user@R1# set authentication-order password
[edit system]
user@R1# set tacplus-server 10.209.1.66
user@R1# set tacplus-options enhanced-accounting
user@R1# set accounting destination tacplus server 10.209.1.66
[edit system]
user@R1# set radius-server 10.209.1.66 secret "$ABC123"
user@R1# set radius-options enhanced-accounting
[edit system]
user@R1# set accounting events login
user@R1# set accounting events change-log
user@R1# set accounting events interactive-commands
user@R1# set accounting traceoptions file auditlog
user@R1# set accounting traceoptions flag all
Step-by-Step Procedure
To specify regular expressions using the allow-commands statement only:
1. Configure Class1 custom login class and assign operator-level user permissions. For information on the
predefined system login classes, see the “Junos OS Login Classes Overview” on page 37.
Step-by-Step Procedure
To specify regular expressions using the deny-commands statement only:
1. Configure the Class2 custom login class and assign operator-level user permissions. For information
on the predefined system login classes, see the “Junos OS Login Classes Overview” on page 37.
Configuring Access Privileges with Both allow-commands and deny-commands Statements (Class3)
Step-by-Step Procedure
To specify regular expressions using both the allow-commands and deny-commands statements:
1. Configure the Class3 custom login class and assign superuser-level user permissions. For information
on the predefined system login classes, see the “Junos OS Login Classes Overview” on page 37.
2. Specify the commands to enable only configure commands in the allow-commands statement.
Results
From configuration mode, confirm your configuration by entering the show system command. If the output
does not display the intended configuration, repeat the instructions in this example to correct the
configuration.
authentication {
encrypted-password "$ABC123";
}
}
user User2 {
uid 2002;
class Class2;
authentication {
encrypted-password "$ABC123";
}
}
user User3 {
uid 2003;
class Class3;
authentication {
encrypted-password "$ABC123";
}
}
}
syslog {
file messages {
any any;
}
}
Verification
Log in as the username assigned with the new login class, and confirm that the configuration is working
properly.
Purpose
Verify that the permissions and commands allowed in the Class1 login class are working.
Action
Possible completions:
reboot Reboot the system
Meaning
The Class1 login class to which User1 is assigned has the operator-level user permissions, and is allowed
to execute the request system reboot command.
The predefined operator login class has the following permission flags specified:
• clear—Can clear (delete) information learned from the network that is stored in various network databases
by using the clear commands.
• network—Can access the network by using the ping, ssh, telnet, and traceroute commands.
• reset—Can restart software processes by using the restart command and can configure whether software
processes are enabled or disabled at the [edit system processes] hierarchy level.
• trace—Can view trace file settings and configure trace file properties.
• view—Can use various commands to display current system-wide, routing table, and protocol-specific
values and statistics. Cannot view the secret configuration.
For the Class1 login class, in addition to the above-mentioned user permissions, User1 can execute the
request system reboot command. The first output displays the view permissions as an operator, and the
second output shows that the only request command that User1 can execute as an operator is the request
system reboot command.
Purpose
Verify that the permissions and commands allowed for the Class2 login class are working.
Action
ping 10.209.1.66
PING 10.209.1.66 (10.209.1.66): 56 data bytes
64 bytes from 10.209.1.66: icmp_seq=0 ttl=52 time=212.521 ms
64 bytes from 10.209.1.66: icmp_seq=1 ttl=52 time=212.844 ms
64 bytes from 10.209.1.66: icmp_seq=2 ttl=52 time=211.304 ms
64 bytes from 10.209.1.66: icmp_seq=3 ttl=52 time=210.963 ms
^C
--- 10.209.1.66 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 210.963/211.908/212.844/0.792 ms
User2@R1> ?
Possible completions:
clear Clear information in the system
file Perform file operations
help Provide help information
load Load information from file
monitor Show real-time debugging information
mtrace Trace multicast path from source to receiver
op Invoke an operation script
ping Ping remote target
quit Exit the management session
request Make system-level requests
restart Restart software process
save Save information to file
show Show system information
ssh Start secure shell on another host
start Start shell
telnet Telnet to another host
User2@R1> set
^
unknown command.
Meaning
The Class2 login class to which User2 is assigned has the operator-level user permissions, and is denied
access to all set commands. This is displayed in the command outputs.
The permission flags specified for the predefined operator login class are the same as that of Class1.
Purpose
Verify that the permissions and commands allowed for the Class3 login class are working.
Action
User3@R1> ?
Possible completions:
configure Manipulate software configuration information
User3@R1> configure
[edit]
User3@R1#
Meaning
The Class3 login class to which User3 is assigned has the superuser (all) user permissions, but is allowed
to execute the configure command only, and is denied access to all other operational mode commands.
Because the regular expressions specified in the allow/deny-commands statements take precedence over
the user permissions, User3 on R1 has access only to configuration mode, and is denied access to all other
operational mode commands.
IN THIS SECTION
Requirements | 126
Configuration | 133
Verification | 138
This example shows how to configure custom login classes and assign access privileges to portions of the
configuration hierarchy. This enables users of the customized login class to execute only those configuration
statements and hierarchies for which access privileges have been specified. This prevents unauthorized
users from accessing device configurations that could potentially cause damage to the network.
Requirements
• Establish a TCP connection between the device and the TACACS+ server. In the case of the RADIUS
server, establish a UDP connection between the device and the RADIUS server.
• Configure at least one user assigned to a login class on the Juniper Networks device. There can be more
than one login class, each with varying permission configurations, and more than one user on the device.
Each top-level command-line interface (CLI) command and each configuration statement in Junos OS has
an access privilege level associated with it. For each login class, you can explicitly deny or allow the use
of operational and configuration mode commands that would otherwise be permitted or not allowed by
a privilege level. Users can execute only those commands and configure and view only those statements
for which they have access privileges. To configure access privilege levels, include the permissions statement
at the [edit system login class class-name] hierarchy level.
The access privileges for each login class are defined by one or more permission flags specified in the
permissions statement. In addition to this, you can specify extended regular expressions with the following
statements:
These statements perform slower matching, with more flexibility, especially in wildcard matching.
However, it can take a very long time to evaluate all of the possible statements if a great number of
full-path regular expressions or wildcard expressions are configured, possibly impacting performance.
The above statements define a user’s access privileges to individual operational mode commands,
configuration statements, and hierarchies. These statements take precedence over a login class permissions
bit set for a user.
The allow-configuration and deny-configuration statements were introduced before Junos OS Release
7.4. The allow-configuration-regexps and deny-configuration-regexps statements were introduced in
Junos OS Release 11.2. In Junos OS Release 11.4, the allow-configuration and deny-configuration
statements were deprecated, but because these statements were useful in executing simple configurations,
these statements were undeprecated in Junos OS Release 11.4R6, and starting with the 11.4R6 release,
both the allow/deny-configuration and the allow/deny-configuration-regexps statements are supported.
The allow/deny-configuration-regexps statements split up the regular expression into tokens and match
each piece against each part of the specified configuration’s full path, whereas the allow/deny-configuration
statements match against the full string. For allow/deny-configuration-regexps statements, you configure
a set of strings in which each string is a regular expression, with spaces between the terms of the string.
This provides very fast matching, but with less flexibility. For specifying wildcard expressions you must
set up wildcards for each token of the space-delimited string you want to match, and this makes it more
tedious to use wildcard expressions for these statements.
For example:
This example shows that options is the only matched expression against the first token of the statement.
[edit system]
login {
class test {
permissions configure;
allow-configuration-regexps .*options;
}
}
This example shows that ssh is the only matched expression against the third token of the statement.
[edit system]
login {
class test {
permissions configure;
allow-configuration-regexps ".* .* .*ssh";
}
}
In the above example, the three tokens include .*, .*, and .*ssh, respectively.
It is easier to restrict configuration access with the deny-configuration statement than with the
deny-configuration-regexps statement. Table 10 on page 129 illustrates the use of both the
deny-configuration and deny-configuration-regexps statements in different configurations to achieve the
same result of restricting access to a particular configuration.
Although the allow/deny-configuration statements are also useful when simple configuration is desired,
the allow/deny-configuration-regexps statements provide better performance and overcome the ambiguity
that existed when combining expressions set in the allow/deny-configuration statements.
Configuration Notes
• You can include one deny-configuration and one allow-configuration statement in each login class.
• Explicitly allowing configuration mode hierarchies or regular expressions using the allow-configuration
statement adds to the regular permissions set using the permissions statement. Likewise, explicitly
denying configuration mode hierarchies or regular expressions using the deny-configuration statement
removes permissions for the specified configuration mode hierarchy, from the default permissions
provided by the permissions statement.
For example, for the following configuration, the login class user can edit the configuration at the [edit
system services] hierarchy level and issue configuration mode commands (such as commit), in addition
to just entering the configuration mode using the configure command, which is the permission specified
by the configure permission flag:
Likewise, for the following configuration, the login class user can perform all operations allowed by the
all permissions flag, except issuing configuration mode commands (such as commit) or modifying the
configuration at the [edit system services] hierarchy level:
• To define access privileges to parts of the configuration hierarchy, specify the full paths in the extended
regular expressions with the allow-configuration and deny-configuration statements. Use parentheses
around an extended regular expression that connects two or more expressions with the pipe (|) symbol.
For example:
For example:
For example:
• If the exact same command is configured under both allow-configuration and deny-configuration
statements, then the allow operation takes precedence over the deny statement.
For instance, with the following configuration, a user assigned to login class test is allowed to access the
[edit system services] configuration hierarchy, although the deny-configuration statement also includes
it:
For instance, if a command or configuration hierarchy is already allowed, for example by the all permission
flag, you can use the deny-configuration statement to deny access to a particular hierarchy.
• Modifiers such as set, log, and count are not supported within the regular expression string to be matched.
If a modifier is used, then nothing is matched.
Incorrect configuration:
Correct configuration:
• You can use the * wildcard character when denoting regular expressions. However, it must be used as
a portion of a regular expression. You cannot use [ * ] or [ .* ] alone.
• You cannot configure the allow-configuration statement with the (interfaces (description (|.*)) regular
expression, as this evaluates to allow-configuration = .* regular expression.
• You can configure as many regular expressions as needed to be allowed or denied. Regular expressions
to be denied take precedence over configurations to be allowed.
Topology
Figure 2: Router R1 (a Juniper Networks device) connected to the TACACS+ server at 10.209.1.66/24 over a TCP connection
Figure 2 on page 132 illustrates a simple topology, where Router R1 is a Juniper Networks device and has
a TCP connection established with a TACACS+ server.
In this example, R1 is configured with two customized login classes—Class1 and Class2—for specifying
access privileges with extended regular expressions using the allow-configuration, deny-configuration,
allow-configuration-regexps, and deny-configuration-regexps statements differently.
• Class1—Defines access privileges for the user with the allow-configuration and deny-configuration
statements. This login class should provide access to the interfaces configuration hierarchy only, and deny all
other access on the device. To do this, the user permissions should include configure to provide
configuration access. In addition to this, the allow-configuration statement should allow interfaces
configuration, and the deny-configuration statement should deny access to all other configurations.
Because the allow statement takes precedence over the deny statement, the users assigned to the Class1
login class can access only the [edit interfaces] hierarchy level.
• Class2—Defines access privileges for the user with the allow-configuration-regexps and
deny-configuration-regexps statements. This login class provides superuser-level user permissions, and
in addition, explicitly allows configuration under multiple hierarchy levels for interfaces. It also denies
configuration access to the [edit system] and [edit protocols] hierarchy levels.
Router R1 has two users, User1 and User2, assigned to the Class1 and Class2 login classes, respectively.
Configuration
R1
Step-by-Step Procedure
The following example requires that you navigate various levels in the configuration hierarchy. For
information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
1. Configure the order in which authentication should take place for R1. In this example, TACACS+ server
authentication is first, followed by RADIUS server authentication, then the local password.
[edit system]
user@R1# set authentication-order tacplus
user@R1# set authentication-order radius
user@R1# set authentication-order password
[edit system]
user@R1# set tacplus-server 10.209.1.66
user@R1# set tacplus-options enhanced-accounting
user@R1# set accounting destination tacplus server 10.209.1.66
[edit system]
user@R1# set radius-server 10.209.1.66 secret "$ABC123"
user@R1# set radius-options enhanced-accounting
[edit system]
user@R1# set accounting events login
Step-by-Step Procedure
To specify regular expressions using the allow-configuration and deny-configuration statements:
1. Configure the Class1 custom login class and assign configuration user permissions.
2. Specify the regular expression in the allow-configuration statement to allow configuration at the [edit
interfaces] hierarchy level. To allow set commands at the [edit interfaces] hierarchy level, the regular
expression used is interfaces .* unit .*.
3. Specify the regular expression in the deny-configuration statement to disable all configuration access.
The regular expression used to deny all configuration access is .*.
Step-by-Step Procedure
1. Configure the Class2 custom login class and assign superuser (all) user permissions. For information on
the predefined system login classes, see “Junos OS Login Classes Overview” on page 37.
2. Specify the regular expression to allow access to multiple hierarchies under the [edit interfaces] hierarchy
level.
3. Specify the regular expression to deny configuration at the [edit system] and [edit protocols] hierarchy
levels.
Results
From configuration mode, confirm your configuration by entering the show system command. If the output
does not display the intended configuration, repeat the instructions in this example to correct the
configuration.
tacplus-server {
10.209.1.66;
}
radius-options {
enhanced-accounting;
}
tacplus-options {
enhanced-accounting;
}
accounting {
events [ login change-log interactive-commands ];
traceoptions {
file auditlog;
flag all;
}
destination {
tacplus {
server {
10.209.1.66;
}
}
}
}
login {
class Class1 {
permissions configure;
allow-configuration "interfaces .* unit .*";
deny-configuration .*;
}
class Class2 {
permissions all;
allow-configuration-regexps [ "interfaces .* description .*" "interfaces .* unit .* description .*" "interfaces .* unit .* family inet address .*" "interfaces.* disable" ];
deny-configuration-regexps [ "system" "protocols" ];
}
user User1 {
uid 2001;
class Class1;
authentication {
encrypted-password "$ABC123";
}
}
user User2 {
uid 2002;
class Class2;
authentication {
encrypted-password "$ABC123";
}
}
}
syslog {
file messages {
any any;
}
}
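As an added example (not code from this guide or from Junos OS), the following Python model implements the token-wise matching described earlier for allow/deny-configuration-regexps beside the full-string matching of allow/deny-configuration, and applies it to the Class1 and Class2 login classes shown in the Results above. The precedence order (explicit allow, then explicit deny, then the all permission flag), the start-anchored full-string match, and the rule that an expression with fewer tokens than the path matches the whole subtree are simplifying assumptions of the model; the sample paths are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


def regexps_match(regexp: str, path: List[str]) -> bool:
    """Token-wise matching as described for allow/deny-configuration-regexps:
    the expression is split on spaces and token i must match path element i in full.
    Assumption of this model: an expression with fewer tokens than the path matches
    the whole subtree, which is how a bare "system" denies everything under [edit system]."""
    tokens = regexp.split()
    if len(tokens) > len(path):
        return False
    return all(re.fullmatch(tok, part) is not None for tok, part in zip(tokens, path))


def configuration_match(regexp: str, path: List[str]) -> bool:
    """Full-string matching as described for allow/deny-configuration: one regex is
    applied to the whole path joined with spaces (assumption: anchored at the start
    only, so "interfaces .* unit .*" also covers statements below the unit)."""
    return re.match(regexp, " ".join(path)) is not None


@dataclass
class LoginClass:
    name: str
    permissions: Set[str]
    allow_configuration: Optional[str] = None
    deny_configuration: Optional[str] = None
    allow_configuration_regexps: List[str] = field(default_factory=list)
    deny_configuration_regexps: List[str] = field(default_factory=list)

    def can_configure(self, path: str) -> bool:
        """Decide whether this login class may edit the given full configuration path."""
        parts = path.split()
        # Explicit allows win over explicit denies (the guide: the allow operation
        # takes precedence when both statements cover the same hierarchy).
        if self.allow_configuration and configuration_match(self.allow_configuration, parts):
            return True
        if any(regexps_match(r, parts) for r in self.allow_configuration_regexps):
            return True
        # Explicit denies remove access that the permission flags would otherwise grant.
        if self.deny_configuration and configuration_match(self.deny_configuration, parts):
            return False
        if any(regexps_match(r, parts) for r in self.deny_configuration_regexps):
            return False
        # Otherwise only the all flag grants editing rights; configure on its own
        # only lets the user enter configuration mode.
        return "all" in self.permissions


# The two login classes from the Results section above (user accounts omitted).
CLASS1 = LoginClass(
    name="Class1",
    permissions={"configure"},
    allow_configuration="interfaces .* unit .*",
    deny_configuration=".*",
)
CLASS2 = LoginClass(
    name="Class2",
    permissions={"all"},
    allow_configuration_regexps=[
        "interfaces .* description .*",
        "interfaces .* unit .* description .*",
        "interfaces .* unit .* family inet address .*",
        "interfaces.* disable",
    ],
    deny_configuration_regexps=["system", "protocols"],
)

# Constructed sample paths (not from the guide): allowed, denied and unmentioned hierarchies.
SAMPLE_PATHS = [
    "interfaces ge-0/0/3 unit 0 family inet address 10.1.1.1/24",
    "system services ssh",
    "protocols bgp group ext",
    "routing-options static route 0.0.0.0/0",
]


def evaluate(cls: LoginClass, paths: List[str]) -> Dict[str, bool]:
    """Map each candidate path to the access decision for the class."""
    return {p: cls.can_configure(p) for p in paths}


if __name__ == "__main__":
    # The token examples from the text: ".*options" is tested against the first
    # token only; ".* .* .*ssh" needs three tokens, the third ending in "ssh".
    print(regexps_match(".*options", ["routing-options", "static"]))    # True
    print(regexps_match(".*options", ["system", "ntp"]))                # False
    print(regexps_match(".* .* .*ssh", ["system", "services", "ssh"]))  # True
    print(regexps_match(".* .* .*ssh", ["system", "ssh"]))              # False
    for cls in (CLASS1, CLASS2):
        for path, ok in evaluate(cls, SAMPLE_PATHS).items():
            print(f"{cls.name}: {'allow' if ok else 'deny'}  {path}")
```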
Verification
Log in as the username assigned with the new login class, and confirm that the configuration is working
properly.
Purpose
Verify that the permissions allowed in the Class1 login class are working.
Action
User1@R1> ?
Possible completions:
clear Clear information in the system
configure Manipulate software configuration information
file Perform file operations
help Provide help information
load Load information from file
op Invoke an operation script
User1@R1# edit ?
Possible completions:
> interfaces Interface configuration
Meaning
User1 has configure user permissions seen in the first output, and the only configuration access allowed
for User1 is at the interfaces hierarchy level. All other configuration is denied, as seen in the second output.
Purpose
Verify that the Class2 configuration is working.
Action
From the configuration mode, access the interfaces configuration.
[edit interfaces]
User2@R1# set ?
Possible completions:
<interface-name> Interface name
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
ge-0/0/3 Interface name
> interface-range Interface ranges configuration
> interface-set Logical interface set configuration
> traceoptions Interface trace options
From the configuration mode, access the system and protocols configuration hierarchies.
^
Syntax error, expecting <statement> or <identifier>.
^
Syntax error, expecting <statement> or <identifier>.
Meaning
User2 has permissions to configure interfaces of R1, but the [edit system] and [edit protocols] hierarchy
levels are denied access, as seen in the output.
SEE ALSO
Regular Expressions for Allowing and Denying Junos OS Operational Mode Commands, Configuration
Statements, and Hierarchies | 94
Root Password
When the router, switch, or security device is powered on for the first time, it is ready to be configured. Initially,
you log in as the user root with no password. Later, you must configure a plain-text password for the
root-level user (whose username is root). Configuring a plain-text password is one way to protect access
to the root level from unauthorized users. If you forget the root password for the router, you can use the
password recovery procedure to reset the root password. Read this topic for more information.
The Junos OS is preinstalled on the router or switch. When the router or switch is powered on, it is ready
to be configured. Initially, you log in as the user root with no password. The root directory of a UNIX device
is the entry point to all other folders and files on that device. As a result, access to the root directory is
restricted by default to a predefined user account known as the root user. The root user (also referred to
as superuser) has unrestricted access and full permissions within the system. The expression “log in as root”
is commonly used when an action requires the user to log into the device as the root user.
NOTE: If you configure a blank password using the encrypted-password statement at the [edit
system root-authentication] hierarchy level for root authentication, you can commit a
configuration but you cannot log in as the root user and gain root level access to the router or
switch.
After you log in, you should configure the root (superuser) password by including the root-authentication
statement at the [edit system] hierarchy level and configuring one of the password options:
[edit system]
root-authentication {
(encrypted-password "password"| plain-text-password);
load-key-file URL filename;
ssh-dsa "public-key" <from hostname>;
ssh-ecdsa "public-key" <from hostname>;
ssh-rsa "public-key" <from hostname>;
}
If you configure the plain-text-password option, you are prompted to enter and confirm the password:
[edit system]
user@host# set root-authentication plain-text-password
New password: type password here
Retype new password: retype password here
• You can include most character classes in a password (uppercase letters, lowercase letters, numbers,
punctuation marks, and other special characters). Control characters are not recommended.
• Valid passwords must contain at least one uppercase letter or one lowercase letter, or one character
class.
You can use the load-key-file URL filename statement to load an SSH key file that was previously generated
using ssh-keygen. The URL filename is the path to the file’s location and name. When using this option,
the contents of the key file are copied into the configuration immediately after entering the load-key-file
URL statement. This command loads RSA (SSH version 1 and SSH version 2) and DSA (SSH version 2)
public keys.
Starting in Junos OS Release 18.3R1, the ssh-dss and ssh-dsa hostkey algorithms are deprecated—rather
than immediately removed—to provide backward compatibility and a chance to bring your configuration
into compliance with the new configuration.
Optionally, you can use the ssh-dsa, ssh-ecdsa, or ssh-rsa statements to directly configure SSH RSA, DSA,
or ECDSA keys to authenticate root logins. You can configure more than one public key for SSH
authentication of root logins as well as for user accounts. When a user logs in as root, the public keys are
referenced to determine whether the private key matches any of them.
[edit system]
user@host# set root-authentication load-key-file my-host:.ssh/id_dsa.pub
.file.19692 | 0 KB | 0.3 kB/s | ETA: 00:00:00 | 100%
[edit system]
From configuration mode, you can confirm your SSH key entries by entering the show command. It should
look something like this:
[edit system]
user@host# show
root-authentication {
ssh-rsa "$ABC123"; ## SECRET-DATA
}
Junos-FIPS software has special password requirements. FIPS passwords must be between 10 and 20
characters in length. Passwords must use at least three of the five defined character sets (uppercase letters,
lowercase letters, digits, punctuation marks, and other special characters). If Junos-FIPS is installed on the
router or switch, you cannot configure passwords unless they meet this standard.
If you use the encrypted-password option, a null (empty) password is not permitted. You must
configure a password of 1 through 128 characters and enclose the password in quotation marks.
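As an added example (not code from this guide or from Junos OS), a small Python check that encodes the password rules stated above: the 1 through 128 character range for encrypted-password (an empty value would commit but leave root unable to log in, as the note earlier in this topic explains), the advice against control characters, and the Junos-FIPS rule of 10 to 20 characters drawn from at least three of the five character sets. How "punctuation marks" and "other special characters" are told apart is an assumption of this example.

```python
import string
from typing import List, Set


def character_sets(password: str) -> Set[str]:
    """Return which of the five character sets named in the guide the password uses.
    Assumption of this example: 'punctuation marks' means ASCII punctuation and
    'other special characters' means any remaining printable, non-alphanumeric,
    non-space character."""
    found = set()
    for ch in password:
        if ch.isupper():
            found.add("uppercase")
        elif ch.islower():
            found.add("lowercase")
        elif ch.isdigit():
            found.add("digit")
        elif ch in string.punctuation:
            found.add("punctuation")
        elif ch.isprintable() and not ch.isspace():
            found.add("special")
    return found


def check_root_password(password: str, fips: bool = False) -> List[str]:
    """Return the policy violations for a candidate root password.

    An empty list means the password is acceptable under the rules stated in the guide;
    fips=True applies the Junos-FIPS rules instead of the default encrypted-password rule."""
    problems: List[str] = []
    # Control characters (non-printable) are not recommended in either mode.
    if any(not ch.isprintable() for ch in password):
        problems.append("control characters are not recommended")
    if fips:
        # Junos-FIPS: 10 to 20 characters, at least three of the five character sets.
        if not 10 <= len(password) <= 20:
            problems.append("FIPS password must be 10 to 20 characters long")
        if len(character_sets(password)) < 3:
            problems.append("FIPS password must use at least three of the five character sets")
    else:
        # encrypted-password: an empty password is not permitted; 1 through 128 characters.
        if not 1 <= len(password) <= 128:
            problems.append("password must be 1 through 128 characters long")
    return problems
```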
IN THIS SECTION
Requirements | 145
Overview | 145
Configuration | 145
Verification | 146
This example shows how to configure a plain-text password for the root-level user (whose username is
root). Configuring a plain-text password is one way to protect access to the root level by unauthorized
users. You must prevent unauthorized users from gaining access to superuser commands that can be used
to alter your system configuration.
Requirements
No special configuration beyond device initialization is required before configuring this example.
Make sure that you understand the requirements for a valid plain-text password. For Junos OS, the default
requirements for a plain-text password are as follows:
• Can include most character classes (uppercase letters, lowercase letters, numbers, punctuation marks,
and other special characters). Control characters are not recommended.
Overview
Junos OS is preinstalled on the router. When the router is powered on, it is ready to be configured. Initially,
you log in as the root-level user with no password. To set the root password, you have several options.
This example shows how to enter a plain-text password that Junos OS then encrypts for you.
Configuration
Step-by-Step Procedure
To configure a plain-text password for the root-level user:
1. Type the set command for the plain-text password and press Enter.
[edit]
user@host# set system root-authentication plain-text-password
New password:
2. Type the new password next to the New password prompt and press Enter.
3. Retype the same password next to the Retype new password prompt and press Enter.
Results
From configuration mode, confirm your configuration by using the show command. It should look something
like this:
[edit]
user@host# show system
root-authentication {
encrypted-password "$ABC123"; ## SECRET-DATA
}
If the output does not display the intended configuration, repeat the instructions in this example to correct
the configuration.
After you have confirmed that the configuration is correct, enter commit from configuration mode.
Verification
Purpose
Verify the configuration of a plain-text password for the root-level user.
Action
From operational mode, confirm your configuration by entering the show configuration system command.
Meaning
If you use a clear-text password, Junos OS displays the password as an encrypted string so that users
viewing the configuration cannot see the unencrypted password. That is, as you enter the password in
plain text, Junos OS encrypts it immediately. You do not have to configure Junos OS to encrypt the
password as in some other systems. Plain-text passwords are hidden and marked as ## SECRET-DATA in
the configuration.
SEE ALSO
root-authentication | 1246
Changing the Requirements for Junos OS Plain-Text Passwords | 161
The following example shows how to configure two public DSA keys for SSH authentication of root logins:
[edit system]
root-authentication {
encrypted-password "$ABC123"; ## SECRET-DATA
ssh-dsa "2354 95 [email protected]";
ssh-dsa "0483 02 [email protected]";
}
Release | Description
18.3R1 | Starting in Junos OS Release 18.3R1, the ssh-dss and ssh-dsa hostkey algorithms are deprecated—rather than immediately removed—to provide backward compatibility and a chance to bring your configuration into compliance with the new configuration.
If you forget the root password for a device running Junos OS, you can use the password recovery procedure
to reset the root password. Read this topic to understand how to recover the root password.
If you forget the root password for the router, you can use the password recovery procedure to reset the
root password.
• This password recovery procedure does not apply to devices running Junos OS with Upgraded FreeBSD.
See “Recovering the Root Password on Junos OS with Upgraded FreeBSD” on page 151. For the list of
Junos OS devices with upgraded FreeBSD, see Junos kernel upgrade to FreeBSD 10+.
• For MX80 Series routers, try this procedure first, but if it does not work you can manually delete the
root-authentication settings from the Junos configuration file and reset the password, as explained here:
Recovering the Root Password for MX80
1. Power off the router by pressing the power button on the front panel.
2. Turn off the power to the management device, such as a PC or laptop computer, that you want to use
to access the CLI.
3. Plug one end of the Ethernet rollover cable supplied with the router into the RJ-45–to–DB-9 serial
port adapter supplied with the router.
4. Plug the RJ-45–to–DB-9 serial port adapter into the serial port on the management device.
5. Connect the other end of the Ethernet rollover cable to the console port on the router.
7. On the management device, start your asynchronous terminal emulation application (such as Microsoft
Windows Hyperterminal) and select the appropriate COM port to use (for example, COM1).
• Data bits: 8
• Parity: None
• Stop bits: 1
9. Power on the router by pressing the power button on the front panel.
Verify that the POWER LED on the front panel turns green.
The terminal emulation screen on your management device displays the router’s boot sequence.
10. When the following prompt appears, press the Spacebar to access the router’s bootstrap loader command
prompt:
Depending on your device hardware, the bootstrap loader might proceed quite quickly at this step
without pausing for input. Therefore, you might need to press the spacebar multiple times at the
beginning of the boot sequence.
11. At the following prompt, type boot -s to start the system in single-user mode.
ok boot -s
12. At the following prompt, type recovery to start the root password recovery procedure.
[edit]
user@host# set system root-authentication plain-text-password
When you configure a plain-text password, Junos OS encrypts the password for you.
15. At the following prompt, enter the new root password, for example:
17. After you have finished configuring the password, commit the configuration.
root@host# commit
commit complete
If you forget the root password for a device running Junos OS with Upgraded FreeBSD, you can use the
password recovery procedure to reset the root password.
For the list of Junos OS devices with upgraded FreeBSD, see Junos kernel upgrade to FreeBSD 10+
Video: How to Recover the Root Password in Junos OS with Upgraded FreeBSD
NOTE: This password recovery procedure only applies to devices running Junos OS with
Upgraded FreeBSD. For password recovery on Junos OS devices, see “Recovering the Root
Password on Routers” on page 148.
1. Power off the router by pressing the power button on the front panel.
2. Turn off the power to the management device, such as a PC or laptop computer, that you want to use
to access the CLI.
3. Plug one end of the Ethernet rollover cable supplied with the router into the RJ-45–to–DB-9 serial
port adapter supplied with the router.
4. Plug the RJ-45–to–DB-9 serial port adapter into the serial port on the management device.
5. Connect the other end of the Ethernet rollover cable to the console port on the router.
7. On the management device, start your asynchronous terminal emulation application (such as Microsoft
Windows Hyperterminal) and select the appropriate COM port to use (for example, COM1).
• Data bits: 8
• Parity: None
• Stop bits: 1
9. Power on the router by pressing the power button on the front panel.
Verify that the POWER LED on the front panel turns green.
The terminal emulation screen on your management device displays the router’s boot sequence.
• Prior to Junos OS Release 17.3, the Junos Main Menu appears for 3 seconds on startup before the
Junos volume boots automatically. Press any key within the 3-second window to stop the automatic
boot sequence and display the Junos Main Menu.
NOTE: The Junos Main Menu will appear every time you reboot the router while connected
to the console.
• Starting in Junos OS Release 17.3, press Ctrl+c at the following part in the reboot to bring up the
Junos Main Menu:
3. [R]eboot
4. [B]oot menu
5. [M]ore options
11. At the Junos Main Menu, press the M or 5 key to activate the 5. [M]ore options menu:
5. [B]oot prompt
6. [M]ain menu
12. Press the C or 2 key to access the 2. Recovery mode - [C]LI option. The router will reboot into CLI
recovery mode.
13. When prompted, press the Enter key to immediately boot the router, or press any other key to bring
up the command prompt.
root># configure
When you configure a plain-text password, Junos OS encrypts the password for you.
[edit]
root# set system root-authentication plain-text-password
16. At the following prompt, enter the new root password, for example:
This procedure resets the root password without resetting the device configuration to the factory default
configuration. Only the root password is reset to a value you enter. None of the other functions nor the
state of the device are affected.
The first task in the password reset operation is to connect to the serial port of the device.
1. Power off the router by pressing the power button on the front panel.
2. Turn off the power to the management device, such as a PC or laptop computer, that you want to use
to access the CLI.
3. Plug one end of the Ethernet rollover cable supplied with the router into the RJ-45–to–DB-9 serial
port adapter supplied with the router.
4. Plug the RJ-45–to–DB-9 serial port adapter into the serial port on the management device.
5. Connect the other end of the Ethernet rollover cable to the console port on the router.
7. On the management device, start your asynchronous terminal emulation application (such as Microsoft
Windows Hyperterminal) and select the appropriate COM port to use (for example, COM1).
• Data bits: 8
• Parity: None
• Stop bits: 1
9. Power on the router by pressing the power button on the front panel.
Verify that the POWER LED on the front panel turns green. The terminal emulation screen on your
management device displays the router’s boot sequence.
The password reset operation is triggered early in the boot process; the actual password reset is done in
the shell.
1. Do a hard reboot of the Routing Engine (that is, reboot a device that is not running).
+--------------------------------------------------------------------+
|*Primary ptx-fixed-19.1-16 |
| Primary [Recover password] |
| Primary-Rollback ptx-fixed-19.1-15 |
| Primary-Rollback [Recover password] |
| |
| |
| |
| |
| |
| |
| |
| |
+--------------------------------------------------------------------+
2. Use the arrow keys to scroll down to the Primary [Recover password] option and press Enter.
3. Enter the new password, and then retype the new password and press Enter.
New password:
Retype new password:
passwd: password updated successfully
Password recovery done
Welcome to Linux!
re0 login:
• You need physical access to the switch to recover the root password.
• This password recovery procedure does not apply to devices running Junos OS with Upgraded FreeBSD.
See “Recovering the Root Password on Junos OS with Upgraded FreeBSD” on page 151. For the list of
Junos OS devices with upgraded FreeBSD, see Junos kernel upgrade to FreeBSD 10+.
TIP: For a video on recovering the root password for routers, see “Recovering the Root Password
on Routers” on page 148. The procedure is similar for switches.
Solution
To recover the root password:
1. Power off your switch by unplugging the power cord or turning off the power at the wall switch.
2. Insert one end of the Ethernet cable into the serial port on the management device and connect the
other end to the console port on the back of the switch. See Figure 3 on page 159.
3. On the management device, start your asynchronous terminal emulation application (such as Microsoft
Windows Hyperterminal) and select the appropriate COM port to use (for example, COM1).
• Data bits: 8
• Parity: None
• Stop bits: 1
5. Power on your switch by plugging in the power cord or turning on the power at the wall switch.
6. When the following prompt appears, press the Spacebar to access the switch's bootstrap loader
command prompt:
NOTE: If the switch is in unattended mode for U-Boot, access to the bootstrap loader
command prompt is blocked. If the root password is lost, you must reset the switch to the
factory default configuration using the LCD panel. For more information, see Reverting to the
Default Factory Configuration for the EX Series Switch.
7. At the following prompt, type boot -s to start up the system in single-user mode:
loader> boot -s
8. At the following prompt, type recovery to start the root password recovery procedure:
Enter full path name of shell or 'recovery' for root password recovery or RETURN for /bin/sh: recovery
A series of messages describe consistency checks, mounting of filesystems, and initialization and
checkout of management services. Then the CLI prompt appears.
11. At the following prompt, enter the new root password. For example, juniper1:
user@switch# juniper1
13. If you are finished configuring the network, commit the configuration.
root@switch# commit
commit complete
Plain-Text Passwords
For plain-text password requirements, see Special Requirements for Junos OS Plain-Text Passwords.
To change the requirements for plain-text passwords, include the password statement at the [edit system
login] hierarchy level:
NOTE: These statements apply to plain-text passwords only, not encrypted passwords.
This example shows how to set various maximum and minimum requirements for plain-text passwords to
increase password strength.
Requirements
This example requires a device running Junos OS Release 12.2 or later. The minimum-length and
maximum-length password requirement statements are available in earlier releases; however, you must
have Junos OS Release 12.2 or later to configure minimum-lower-cases, minimum-numerics,
minimum-punctuations, or minimum-upper-cases.
Overview
You can use a variety of requirements to strengthen plain-text passwords for greater security. Junos OS
provides a number of possible configurations at the [edit system login password] hierarchy level that allow
you to require users to create plain-text passwords that conform to a particular set of requirements that
may include such things as length, number of changes, type of characters, numbers, or letter case.
Configuration
Step-by-Step Procedure
This example configures password requirements that require the user to create a password that has a
minimum length of 12 characters, a maximum length of 22 characters, and that includes at least one
lower-case letter, at least one upper-case letter, at least one punctuation character, and at least one numeric
character.
user@host> edit
[edit]
user@host# edit system login password
2. Set a minimum length requirement of 12 characters and a maximum length requirement of 22 characters
for user passwords.
3. Require users to set a password that has at least one lower-case letter and at least one upper-case
letter.
4. Require users to set a password that has at least one punctuation-class character and at least one
number.
Results
From configuration mode, confirm your configuration by entering the show command at the [edit system
login password] hierarchy level. If the output does not display the intended configuration, repeat the
instructions in this example to correct the configuration.
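To see how these statements combine when a candidate password is evaluated, here is an added Python checker (not Junos OS code) that enforces this example's policy by statement name and, separately, the Junos-FIPS rule from the root-password topic; the character-class membership it uses (ASCII letters, digits, string.punctuation, everything else as "other") is an assumption.

```python
"""Check candidate passwords against Junos OS plain-text password requirements.

Added example, not Junos OS code.  It mirrors the statements this example
configures under [edit system login password] (minimum-length, maximum-length,
minimum-lower-cases, minimum-upper-cases, minimum-punctuations,
minimum-numerics) and the Junos-FIPS rule from the root-password topic
(10 to 20 characters, at least three of the five character sets).
Assumption: character classes are ASCII letters, digits, string.punctuation,
and 'other' for anything else (space, control or non-ASCII characters).
"""
import string

# Policy configured in this example, keyed by the Junos statement names.
EXAMPLE_POLICY = {
    "minimum-length": 12,
    "maximum-length": 22,
    "minimum-lower-cases": 1,
    "minimum-upper-cases": 1,
    "minimum-punctuations": 1,
    "minimum-numerics": 1,
}


def classify(password):
    """Count characters per class; the five classes follow the FIPS wording."""
    counts = {"lower": 0, "upper": 0, "digit": 0, "punct": 0, "other": 0}
    for ch in password:
        if ch in string.ascii_lowercase:
            counts["lower"] += 1
        elif ch in string.ascii_uppercase:
            counts["upper"] += 1
        elif ch in string.digits:
            counts["digit"] += 1
        elif ch in string.punctuation:
            counts["punct"] += 1
        else:
            counts["other"] += 1
    return counts


def check_policy(password, policy=EXAMPLE_POLICY):
    """Return the names of the statements the password violates.

    An empty list means the password would be accepted under this policy.
    A statement absent from the policy dict is not enforced, as when it is
    left unconfigured on the device.
    """
    c = classify(password)
    n = len(password)
    checks = [
        ("minimum-length", n >= policy.get("minimum-length", 0)),
        ("maximum-length", n <= policy.get("maximum-length", n)),
        ("minimum-lower-cases", c["lower"] >= policy.get("minimum-lower-cases", 0)),
        ("minimum-upper-cases", c["upper"] >= policy.get("minimum-upper-cases", 0)),
        ("minimum-punctuations", c["punct"] >= policy.get("minimum-punctuations", 0)),
        ("minimum-numerics", c["digit"] >= policy.get("minimum-numerics", 0)),
    ]
    return [name for name, ok in checks if not ok]


def check_fips(password):
    """Junos-FIPS rule from the guide: 10 to 20 characters and at least three
    of the five character sets.  Returns a list of violation messages."""
    classes_used = sum(1 for n in classify(password).values() if n > 0)
    violations = []
    if not 10 <= len(password) <= 20:
        violations.append("length must be 10 to 20 characters")
    if classes_used < 3:
        violations.append("must use at least three of the five character sets")
    return violations


if __name__ == "__main__":
    # Constructed sample passwords, not values from the guide.
    for pw in ("Abcdefghij1!", "abcdefghijkl", "Ab1!"):
        print(repr(pw), "policy:", check_policy(pw), "fips:", check_fips(pw))
```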
Junos OS supports an encryption method for configuration secrets that uses a master password. The master
password derives an encryption key that is used with AES256-GCM to protect certain secrets, such as private
keys, system master passwords, and other sensitive data, by storing them in an AES256-encrypted format. For
more information, read this topic.
Existing shared secrets ($9$ format) in Junos OS currently use an obfuscation algorithm, which is not a
very strong encryption for configuration secrets. If you want a strong encryption for your configuration
secrets, you can configure a master password. The master password is used to derive an encryption key
that is used with AES256-GCM to encrypt configuration secrets. This new encryption method uses the
$8$ formatted strings.
Starting with Junos OS Release 15.1X49-D50, new CLI commands are introduced to configure a system
master password to provide stronger encryption for configuration secrets. The master password encrypts
secrets like the RADIUS password, IKE preshared keys, and other shared secrets in the Junos OS
management process (mgd) configuration. The master password itself is not saved as part of the
configuration. The password quality is evaluated for strength, and the device gives feedback if weak
passwords are used.
The master password is used as input to the password-based key derivation function (PBKDF2) to generate
an encryption key. The key is used as input to the Advanced Encryption Standard in Galois/Counter Mode
(AES256-GCM). The plain text that the user enters is processed by the encryption algorithm (with the key) to
produce the encrypted text (cipher text). See Figure 4 on page 165.
[Figure 4: Master Password -> PBKDF2 -> Key]
The $8$ configuration secrets can only be shared between devices using the same master password.
Format | Description
hash-algo | Hash (prf) algorithm to be used for the PBKDF2 key derivation.
iterations | The number of iterations to use for the PBKDF2 hash function. The current default iteration count is 100. A higher iteration count slows the hash computation, thus slowing attacker guesses.
salt | Sequence of ASCII64-encoded pseudorandom bytes generated during encryption that are used to salt (a random, but known, string) the password as input to the PBKDF2 key derivation.
The ASCII64 encoding is Base64 (RFC 4648) compatible, except no padding (character “=”) is used, to keep
the strings short. For example:
$8$aes256-gcm$hmac-sha2-256$100$y/4YMC4YDLU$fzYDI4jjN6YCyQsYLsaf8A$Ilu4jLcZarD9YnyD/Hejww$okhBlc0cGakSqYxKww
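An added Python example (not Junos OS code) that parses this $8$ string into the fields described above, decodes the ASCII64 fields, and runs the PBKDF2 key derivation with the prf, iteration count and salt the string carries; the meaning of the fields after the salt, the 32-byte key length, the UTF-8 password encoding and the prf-name mapping are assumptions, since the topic does not state them.

```python
"""Parse a Junos OS $8$ configuration secret and derive its key with PBKDF2.

Added example, not Junos OS code.  It follows only what this topic states:
a '$8$' prefix, the cipher (aes256-gcm), the PBKDF2 prf (hmac-sha2-256), the
iteration count, and an ASCII64 salt (Base64 without '=' padding).
Assumptions: the fields after the salt are left as opaque decoded blobs
because the topic does not name them; the derived key is 32 bytes (AES-256);
the master password is fed to PBKDF2 as UTF-8; and the prf-name-to-hashlib
mapping below is assumed.
"""
import base64
import hashlib

# The example string shown in this topic, used here as test input.
EXAMPLE_SECRET = ("$8$aes256-gcm$hmac-sha2-256$100$y/4YMC4YDLU"
                  "$fzYDI4jjN6YCyQsYLsaf8A$Ilu4jLcZarD9YnyD/Hejww"
                  "$okhBlc0cGakSqYxKww")

# prf name as written in the secret -> hashlib digest name (assumed mapping).
PRF_TO_HASHLIB = {"hmac-sha2-256": "sha256", "hmac-sha2-512": "sha512"}


def ascii64_decode(s):
    """Base64 (RFC 4648) with the stripped '=' padding restored before decoding."""
    pad = (-len(s)) % 4
    if pad == 3:                      # a length of 4n+1 is never valid base64
        raise ValueError("invalid ASCII64 length")
    return base64.b64decode(s + "=" * pad, validate=True)


def ascii64_encode(raw):
    """Inverse of ascii64_decode: standard base64 with the padding removed."""
    return base64.b64encode(raw).decode("ascii").rstrip("=")


def parse_junos8(secret):
    """Split a $8$ string into its fields and decode the ASCII64 ones."""
    parts = secret.split("$")
    # parts[0] is '' because the string starts with '$'; parts[1] is the marker.
    if len(parts) < 6 or parts[0] != "" or parts[1] != "8":
        raise ValueError("not a $8$ secret")
    cipher, prf, iterations, salt = parts[2], parts[3], int(parts[4]), parts[5]
    if cipher != "aes256-gcm":
        raise ValueError("unsupported cipher: " + cipher)
    if prf not in PRF_TO_HASHLIB:
        raise ValueError("unsupported prf: " + prf)
    if iterations < 1:
        raise ValueError("iteration count must be positive")
    return {
        "cipher": cipher,
        "prf": prf,
        "iterations": iterations,
        "salt": ascii64_decode(salt),
        # Fields after the salt are not documented in this topic; keep them raw.
        "blobs": [ascii64_decode(p) for p in parts[6:]],
    }


def derive_key(master_password, salt, iterations, prf="hmac-sha2-256", key_len=32):
    """PBKDF2 as this topic describes: master password + salt -> AES-256 key."""
    return hashlib.pbkdf2_hmac(PRF_TO_HASHLIB[prf], master_password.encode("utf-8"),
                               salt, iterations, dklen=key_len)


def key_from_secret(master_password, secret):
    """Re-derive the key for a stored secret from the parameters it carries.

    Only a device holding the same master password obtains the same key, which
    is why $8$ secrets can be shared only between devices configured with it.
    """
    f = parse_junos8(secret)
    return derive_key(master_password, f["salt"], f["iterations"], f["prf"])


if __name__ == "__main__":
    fields = parse_junos8(EXAMPLE_SECRET)
    print({k: v for k, v in fields.items() if k != "blobs"})
    # Constructed master password; the guide never shows a real one.
    print(key_from_secret("constructed-master-password", EXAMPLE_SECRET).hex())
```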
• For SRX Series devices, first configure the master password on each node, and then build the cluster.
The same master password should be configured on each node.
NOTE: A change in the master password would mean disruption in chassis clustering; therefore
you must change the password on both nodes independently.
By enabling the Trusted Platform Module (TPM) on the SRX Series devices, the software layer leverages
the underlying TPM chip. TPM is a specialized chip that protects certain secrets at rest, such as private
keys, system master passwords, and other sensitive data, by storing them in an AES256-encrypted format
(instead of storing sensitive data in clear text). The device also generates a new SHA256 hash of the
configuration each time the administrator commits the configuration. This hash is verified each time the
system boots up. If the configuration has been tampered with, the verification fails and the device will not
continue to boot. Both the encrypted data and the hash of the configuration are protected by the TPM
module using the master encryption password.
NOTE: Hash validation is performed during any commit operation by validating the configuration file
against the hash saved from previous commits. In a chassis cluster system, the hash is independently
generated on the backup system as part of the commit process. A commit from any mode, that is,
batch-config, dynamic-config, exclusive-config, or private config, generates the integrity hash.
NOTE: Hash is saved only for the current configuration and not for any rollback configurations.
Hash is not generated during reboot or shutdown of the device.
• device master-password
The TPM chip is available on the SRX300, SRX320, SRX340, SRX345, SRX5400, SRX5600, and SRX5800
devices. On SRX5400, SRX5600, and SRX5800 devices, TPM is supported only with the SRX5K-RE3-128G
Routing Engine (RE3). The TPM chip is enabled by default to make use of TPM functionality. You must
configure the master encryption password to encrypt PKI key-pairs and the configuration hash. To configure
the master encryption password, see “Configuring Master Encryption Password” on page 168.
Limitations
The following limitations and exceptions apply to the configuration file integrity feature using TPM:
• This feature is supported only on the SRX300, SRX320, SRX340, SRX345, SRX5400, SRX5600, and
SRX5800 devices. On SRX5400, SRX5600, and SRX5800 devices, TPM is supported only with RE3.
• The file integrity feature is not supported along with the configuration file encryption feature that uses
keys saved in EEPROM. You can enable only one function at a time.
• In a chassis cluster, both nodes must have the same TPM settings. That is, both nodes in the chassis
cluster must have TPM enabled, or both nodes must have TPM disabled. The chassis cluster must not
have one node with TPM enabled and the other node with TPM disabled.
NOTE: Before configuring the master encryption password, ensure that you have configured set
system master-password plain-text-password; otherwise, certain sensitive data will not be
protected by the TPM.
Set the master encryption password using the following CLI command:
You will be prompted to enter the master encryption password twice, to make sure that these passwords
match. The master encryption password is validated for required password strength.
After the master encryption password is set, the system proceeds to encrypt the sensitive data with the
master encryption password, which is itself encrypted by the Master Binding Key that is owned and protected
by the TPM chip.
NOTE: If there is any issue with setting the master encryption password, a critical ERROR
message is logged on the console and the process is aborted.
You can use the show security tpm status command to verify the status of the TPM. The following
information is displayed:
• TPM enabled/disabled
• TPM ownership
Starting with Junos OS Release 15.1X49-D120 and Junos OS Release 17.4R1, Trusted Platform Module
(TPM) firmware has been updated. The upgraded firmware version provides additional secure cryptography
and improves security. Updated TPM firmware is available along with the Junos OS package. For updating
TPM Firmware, see Upgrading TPM Firmware on SRX-Devices. To confirm the TPM firmware version, use
the show security tpm status command. TPM Family and TPM Firmware version output fields are
introduced.
To change the master encryption password, enter the following command from operational mode:
NOTE: It is recommended that no configuration changes are made while you are changing the
master encryption password.
The system checks whether the master encryption password is already configured. If the master encryption
password is configured, you are prompted to enter the current master encryption password.
The entered master encryption password is validated against the current master encryption password to
make sure these master encryption passwords match. If the validation succeeds, you will be prompted to
enter the new master encryption password as plain text. You will be asked to enter the key twice to validate
the password.
The system then proceeds to re-encrypt the sensitive data with the new master encryption password. You
must wait for this process of re-encryption to complete before attempting to change the master encryption
password again.
If, for some reason, the encrypted master encryption password file is lost or corrupted, the system will not
be able to decrypt the sensitive data. The system can only be recovered by re-importing the sensitive data
in clear text and re-encrypting it.
If the system is compromised, the administrator can recover the system using the following method:
• Clear the TPM ownership in u-boot and then install the image in boot loader using TFTP or USB (if USB
port is not restricted).
NOTE: If the installed software version is older than Junos OS Release 15.1X49-D110 and the
master encryption password is enabled, then installation of Junos OS Release 15.1X49-D110
will fail. You must back up the configuration, certificates, key-pairs, and other secrets and use
the TFTP/USB installation procedure.
Release | Description
17.4R1 | Starting with Junos OS Release 15.1X49-D120 and Junos OS Release 17.4R1, Trusted Platform Module (TPM) firmware has been updated. The upgraded firmware version provides additional secure cryptography and improves security. Updated TPM firmware is available along with the Junos OS package. For updating TPM Firmware, see Upgrading TPM Firmware on SRX-Devices. To confirm the TPM firmware version, use the show security tpm status command. TPM Family and TPM Firmware version output fields are introduced.
15.1X49-D50 | Starting with Junos OS Release 15.1X49-D50, new CLI commands are introduced to configure a system master password to provide stronger encryption for configuration secrets.
RELATED DOCUMENTATION
master-password | 1188
Root Password | 142
Plain-Text Passwords | 161
CHAPTER 4
User Authentication
Junos OS supports different methods such as local password authentication, RADIUS and TACACS+ to
control access to the network. Authentication methods are used for validating users who attempt to access
the router or switch using telnet. Authentication prevents unauthorized devices and users from gaining
access to your LAN. For more information, read this topic.
The Junos OS supports three methods of user authentication: local password authentication, Remote
Authentication Dial-In User Service (RADIUS), and Terminal Access Controller Access Control System Plus
(TACACS+).
With local password authentication, you configure a password for each user allowed to log in to the router
or switch.
RADIUS and TACACS+ are authentication methods for validating users who attempt to access the router
or switch using telnet. They are both distributed client-server systems—the RADIUS and TACACS+ clients
run on the router or switch, and the server runs on a remote network system.
You can configure the router or switch to be both a RADIUS and TACACS+ client, and you can also configure
authentication passwords in the Junos OS configuration file. You can prioritize the methods to configure
the order in which the software tries the different authentication methods when verifying user access.
You can control access to your network using several different authentication methods—media access
control (MAC) RADIUS, for example. Authentication prevents unauthorized devices and users from gaining
access to your LAN. For MAC RADIUS authentication, end devices must be authenticated before they
receive an IP address from a DHCP server.
• You can enable end devices to access the network without authenticating on the RADIUS
server by configuring the MAC address of the end device in the static MAC bypass list by
configuring the MAC address using the authentication-whitelist statement.
• You can configure one or more authentication methods on a single interface and thereby
enable fallback to the next method if the first or second method is unsuccessful.
• On a single interface you can configure one or a combination of several authentication methods.
• You can configure MAC RADIUS authentication on interfaces that are connected to end
devices.
• When you configure the mac-radius restrict option, the switch immediately attempts MAC RADIUS
authentication by sending a request to the RADIUS server for authentication of the MAC address of
the end device. If the MAC address of the end device is configured for RADIUS authentication, LAN
access between the two switches is created.
You use local user template accounts when you need different types of templates for authentication. Each
template can define a different set of permissions appropriate for the group of users who use that template.
These templates are defined locally on the router or switch and referenced by the TACACS+ and RADIUS
authentication servers.
When you configure local user templates and a user logs in, Junos OS issues a request to the authentication
server to authenticate the user’s login name. If a user is authenticated, the server returns the local username
to Junos OS, which then determines whether a local username is specified for that login name
(local-username for TACACS+, Juniper-Local-User for RADIUS). If so, Junos OS selects the appropriate
local user template locally configured on the router or switch. If a local user template does not exist for
the authenticated user, the router or switch defaults to the remote template.
To configure different access privileges for users who share the local user template account, include the
allow-commands and deny-commands commands in the authentication server configuration file.
To configure a local user template, include the user local-username statement at the [edit system login]
hierarchy level and specify the privileges you want to grant to the local users to whom the template applies:
This example configures the sales and engineering local user templates:
[edit]
system {
login {
user sales {
uid uid-value;
class class-name;
}
user engineering {
uid uid-value;
class class-name;
}
}
}
The corresponding TACACS+ server configuration file assigns each login user to one of these templates
and sets the per-user allow-commands and deny-commands:
user = simon {
...
service = junos-exec {
local-user-name = sales
allow-commands = "configure"
deny-commands = "shutdown"
}
}
user = rob {
...
service = junos-exec {
local-user-name = sales
allow-commands = "(request system) | (show rip neighbor)"
deny-commands = "clear"
}
}
user = harold {
...
service = junos-exec {
local-user-name = engineering
allow-commands = "monitor | help | show | ping | traceroute"
deny-commands = "configure"
}
}
user = jim {
...
service = junos-exec {
local-user-name = engineering
allow-commands = "show bgp neighbor"
deny-commands = "telnet | ssh"
}
}
When the login users Simon and Rob are authenticated, the router or switch applies the sales local user
template. When login users Harold and Jim are authenticated, the router or switch applies the engineering
local user template.
By default, the Junos OS uses remote template accounts for user authentication when:
• The authenticated user does not exist locally on the router or switch.
• The authenticated user’s record in the authentication server specifies local user, or the specified local
user does not exist locally on the router or switch.
To configure the remote template account, include the user remote statement at the [edit system login]
hierarchy level and specify the privileges you want to grant to remote users:
To configure different access privileges for users who share the remote template account, include the
allow-commands and deny-commands statements in the authentication server configuration file.
Requirements
No special configuration beyond device initialization is required before configuring this feature.
Overview
You can create template accounts that are shared by a set of users when you are using RADIUS or TACACS+
authentication. When a user is authenticated by a template account, the CLI username is the login name,
and the privileges, file ownership, and effective user ID are inherited from the template account.
• The authenticated user's record in the RADIUS or TACACS+ server specifies local user, or the specified
local user does not exist locally on the device.
In this example, you create a remote template account and set the username to remote and the login class
for the user as operator. You create a remote template that is applied to users authenticated by RADIUS
or TACACS+ that do not belong to a local template account.
You then create a local template account and set the username as admin and the login class as superuser.
You use local template accounts when you need different types of templates. Each template can define a
different set of permissions appropriate for the group of users who use that template.
Configuration
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions
on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
1. Set the username to remote and the login class to operator.
Results
From configuration mode, confirm your configuration by entering the show system login command. If the
output does not display the intended configuration, repeat the configuration instructions in this example
to correct it.
[edit]
user@host# show system login
user remote {
class operator;
}
If you are done configuring the device, enter commit from configuration mode.
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions
on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
1. Set the username to admin and the login class to super-user.
Results
From configuration mode, confirm your configuration by entering the show system login command. If the
output does not display the intended configuration, repeat the configuration instructions in this example
to correct it.
[edit]
user@host# show system login
user admin {
class super-user;
}
If you are done configuring the device, enter commit from configuration mode.
NOTE: To completely set up RADIUS or TACACS+ authentication, you must configure at least
one RADIUS or TACACS+ server and specify a system authentication order. Do one of the
following tasks:
• Configure a RADIUS server. See “Example: Configuring a RADIUS Server for System
Authentication” on page 203.
• Configure a TACACS+ server. See “Example: Configuring a TACACS+ Server for System
Authentication” on page 232.
Verification
Purpose
Verify that the template accounts have been created.
Action
From operational mode, enter the show system login command.
You probably already use a remote authentication server (or servers) in your network. It is a recommended best practice, because the servers allow you to centrally create a consistent set of user accounts for all devices in your network. There are many good reasons for implementing an authentication, authorization, and accounting (AAA) solution in your network, not the least of which is to make the management of user accounts easier.
There are two basic methods of remote authentication in use by most enterprises today: RADIUS and TACACS+. Junos OS supports both types and can be configured to query multiple remote authentication servers of both types. The idea behind a RADIUS or TACACS+ server is simple: a central authentication server that routers, switches, security devices, and even servers can use to authenticate users as they attempt to gain access to these systems. Think of the advantages that a central user directory brings for authentication, auditing, and access control in a client-server model, and you have your justification for RADIUS or TACACS+ in your network infrastructure.
Using a central server has multiple advantages over the alternative of creating local users on each device, a time-consuming and error-prone task. A central authentication system also simplifies the use of one-time password systems such as RSA SecurID, which offer protection against password sniffing and password replay attacks, in which someone uses a captured password to pose as a system administrator.
• RADIUS—Use RADIUS when your priorities are interoperability and performance.
• Performance—RADIUS is much lighter on your routers and switches, and for this reason network engineers generally prefer RADIUS over TACACS+.
• TACACS+—Use TACACS+ when your priorities are security and flexibility.
• Security—TACACS+ protects more of the exchange than RADIUS does. Not only is the full packet body obfuscated (RADIUS hides only the User-Password attribute), but authentication and authorization are separate steps, so a server can accept a login and still deny individual commands. Note that both protocols rely on an MD5 construction keyed with the shared secret rather than on modern encryption, so run either one over a trusted management network or an encrypted tunnel.
• Flexibility—TCP is a more flexible transport protocol than UDP. You can do more with it in more advanced networks. In addition, TACACS+ supports more of the enterprise protocols, such as NetBIOS or AppleTalk.
By default, Junos OS performs local authorization for locally authenticated users and remote authorization for users remotely authenticated on TACACS+ or RADIUS servers.
Starting in Release 19.3R1, Junos OS supports remote authorization on TACACS+ servers for locally authenticated users. After users have successfully authenticated and logged in locally, Junos OS fetches their remotely configured authorization parameters from the TACACS+ server and combines them with their locally configured parameters.
To enable the feature, include the tacplus-authorization option at the [edit system password-options] hierarchy level.
NOTE:
• In Junos OS Release 19.3R1, remote authorization on a TACACS+ server for locally authenticated users is supported on MX Series routers.
• The feature does not work in a local fallback scenario (a local login that happens only because the remote servers did not respond), because password is not configured under authentication-order in that case.
IN THIS SECTION
Junos OS Authentication Order for RADIUS, TACACS+, and Password Authentication | 182
Configuring the Junos OS Authentication Order for RADIUS, TACACS+, and Local Password
Authentication | 189
Example: Configuring System Authentication for RADIUS, TACACS+, and Password Authentication | 194
Junos OS supports different methods, such as local password authentication, RADIUS, and TACACS+, to control access to the device. Authentication methods validate users who attempt to access the router, switch, or security device, for example over SSH or Telnet. You can prioritize the methods to configure the order in which Junos OS tries them when verifying user access. For more information, read this topic.
Using the authentication-order statement, you can prioritize the order in which the Junos OS tries the
different authentication methods when verifying user access to a router or switch.
If RADIUS and/or TACACS+ servers are configured in the authentication order but there is no response
from them to a request, the Junos OS always defaults to trying local password authentication as a last
resort. If the authentication order is set to authentication-order password, that will be the only
authentication method attempted.
NOTE: There is no point in configuring local password authentication ahead of RADIUS or TACACS+ in the order, because the fallback described here depends on a method giving no response, and “no response” cannot happen for local password authentication. A local authentication request is always either accepted or rejected.
The handling of a rejected authentication request when RADIUS or TACACS+ are present is more
complicated.
• If password (local password authentication) is not in the authentication order, a RADIUS and/or TACACS+
rejection ends with the rejection.
• If password is included at the end of the authentication order and RADIUS and/or TACACS+ rejects the
authentication, the Junos OS tries for a local authentication check.
In other words, including password as a final authentication order option is a means by which you can
choose whether a RADIUS and/or TACACS+ rejection ends there or if the request is to be given one last
chance for authentication locally.
You can configure the Junos OS to be both a RADIUS and TACACS+ authentication client.
The RADIUS or TACACS+ server authentication might fail (that is, produce no response) for the following reasons:
• The authentication method is configured, but the corresponding authentication servers are not configured. For instance, the RADIUS and TACACS+ authentication methods are included in the authentication-order statement, but the corresponding RADIUS or TACACS+ servers are not configured at the respective [edit system radius-server] and [edit system tacplus-server] hierarchy levels.
• The RADIUS or TACACS+ server does not respond within the timeout period configured at the [edit system radius-server] or [edit system tacplus-server] hierarchy level.
The RADIUS or TACACS+ server authentication might return a reject response for the following reasons:
• The user profiles of users accessing the router or switch are not configured on the RADIUS or TACACS+ server.
• The user supplies an incorrect username or password.
You can explicitly configure the password authentication method or use this method as a fallback mechanism
when remote authentication servers fail. The password authentication method consults the local user
profiles configured at the [edit system login] hierarchy level. Users can log in to a router or switch using
their local username and password in the following scenarios:
• The password authentication method (password) is explicitly configured as one of the authentication methods in the authentication-order statement. In this case, the password authentication method is tried if no previous authentication method accepts the login credentials. This is true whether the previous authentication method fails to respond or returns a reject response because of an incorrect username or password.
• The password authentication method is not explicitly configured as one of the authentication methods in the authentication-order statement. In this case, the password authentication method is tried only if all configured authentication methods fail to respond. It is not consulted if any configured authentication method returns a reject response because of an incorrect username or password.
Table 12 on page 184 describes how the authentication-order statement at the [edit system] hierarchy
level determines the procedure that the Junos OS uses to authenticate users for access to a router or
switch.
NOTE: If SSH public keys are configured, SSH user authentication first tries to perform public
key authentication before using the authentication methods configured in the
authentication-order statement. If you want SSH logins to use the authentication methods
configured in the authentication-order statement without first trying to perform public key
authentication, do not configure SSH public keys.
In a routing matrix based on a TX Matrix router, the authentication order must be configured
only at the configuration groups re0 and re1. The authentication order must not be configured
at the [edit system] hierarchy. This is because the authentication order for the routing matrix is
controlled on the switch-card chassis (or TX Matrix router) or switch-fabric chassis (for TX Matrix
Plus router) only.
In Junos OS Release 10.0 and later, the superuser (a user belonging to the super-user login class) is also authenticated according to the authentication order configured for TACACS+, RADIUS, or password authentication with the authentication-order statement. For example, if the only configured authentication method is TACACS+, the superuser can be authenticated only by the TACACS+ server, and password authentication cannot be used as an alternative. In Junos OS Release 9.6 and earlier, however, the superuser can use password authentication to log in even if password authentication is not configured explicitly with the authentication-order statement.
SEE ALSO
Limiting the Number of User Login Attempts for SSH and Telnet Sessions | 50
Example: Configuring System Authentication for RADIUS, TACACS+, and Password Authentication | 194
Using the authentication-order statement, you can prioritize the order in which the Junos OS tries the
different authentication methods when verifying user access to a router or switch. If you do not set the
authentication order, by default users are verified based on their configured passwords.
When you configure a password in plain text and rely on Junos OS to encrypt it, the plain-text password still crosses the network to the device on whatever management connection you are using; if that connection is not itself encrypted (for example, Telnet rather than SSH), the password can be captured. Using pre-encrypted passwords is more secure because the plain text of the password never has to be transmitted. Also, a local password is tied to a single user account.
RADIUS and TACACS+, by contrast, keep the credentials on the central server, and both let you provision a set of users at a time instead of one by one. The two protocols differ in these respects:
• RADIUS hides only the password during transmission, whereas TACACS+ obfuscates the entire packet body. In both cases the protection is an MD5 construction keyed with the shared secret, not modern encryption, so carry either protocol over a trusted management network.
• RADIUS combines authentication and authorization in a single exchange, whereas TACACS+ separates authentication, authorization, and accounting.
In short, TACACS+ is the more secure of the two. However, RADIUS has better performance and is more interoperable. RADIUS is widely supported, whereas TACACS+ originated as a Cisco proprietary protocol and is not widely supported outside of Cisco equipment.
You can configure the authentication order based on your system, its restrictions, and your IT policy and
operational preferences.
To configure the authentication order, include the authentication-order statement at the [edit system]
hierarchy level:
[edit system]
authentication-order [ authentication-methods ];
For a list of hierarchy levels at which you can include this statement, see the statement summary section for this statement.
The authentication methods can be one or more of the following, listed in the order in which you want them tried:
• radius—Verify the user using RADIUS authentication services.
• tacplus—Verify the user using TACACS+ authentication services.
• password—Verify the user using the username and password configured locally by including the authentication statement at the [edit system login user] hierarchy level.
If RADIUS and/or TACACS+ servers are configured in the authentication order but there is no response
from them to a request, the Junos OS always defaults to trying local password authentication as a last
resort. If the authentication order is set to authentication-order password, that will be the only
authentication method attempted.
NOTE: There is no point in configuring local password authentication ahead of RADIUS or TACACS+ in the order, because the fallback described here depends on a method giving no response, and “no response” cannot happen for local password authentication. A local authentication request is always either accepted or rejected.
The handling of a rejected authentication request when RADIUS or TACACS+ are present is more
complicated.
• If password (local password authentication) is not in the authentication order, a RADIUS and/or TACACS+
rejection ends with the rejection.
• If password is included at the end of the authentication order and RADIUS and/or TACACS+ rejects the
authentication, the Junos OS tries for a local authentication check.
In other words, including password as a final authentication order option is a means by which you can
choose whether a RADIUS and/or TACACS+ rejection ends there or if the request is to be given one last
chance for authentication locally.
For more details, see “Junos OS Authentication Order for RADIUS, TACACS+, and Password Authentication”
on page 182.
The CHAP authentication sequence cannot take more than 30 seconds. If it takes longer to authenticate a client, the authentication is abandoned and a new sequence is initiated.
For example, if you configure three RADIUS servers so that the router or switch attempts to contact each server three times, and each attempt times out after 3 seconds, then the maximum time given to the RADIUS authentication method before CHAP considers it a failure is 27 seconds. If you add more RADIUS servers to this configuration, they might never be contacted, because the authentication process can be abandoned before these servers are tried.
Junos OS enforces a limit on the number of outstanding authentication server requests that CHAP authentication can have at one time. Thus, an authentication server method (RADIUS, for example) might fail to authenticate a client when this limit is exceeded. If it fails, the authentication sequence is reinitiated by the router or switch until authentication succeeds and the link is brought up. However, if the RADIUS servers are not available and additional authentication methods such as tacplus or password are configured along with radius, the next authentication method is tried.
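The fallback rules stated above (and in the earlier "Junos OS Authentication Order" topic) are easy to get wrong when reasoning about a specific configuration, so the following Python model encodes them and replays the cases the text describes. It is an added example, not Juniper code: the "servers" are constructed in-process stand-ins that answer accept, reject, or no response, and the worst-case timing helpers simply apply the 30-second CHAP budget from the text to a servers x attempts x timeout configuration. One assumption the page does not state is labelled in the module docstring.

```python
"""Model of the Junos OS authentication-order rules described on this page.

Added example, not Juniper code. The rules it encodes are the ones stated in
the text: methods are tried in the configured order; a remote method
(radius, tacplus) can answer accept, reject or no-response; local password
always answers accept or reject; when password is not listed it is consulted
only if every listed method gave no response, so a remote reject is final;
when password is listed it is tried in its position even after a reject.
Assumption (not stated on the page): a reject from a method that sits before
the end of an explicit order simply moves on to the next method.
"""
from enum import Enum
from typing import Callable, Dict, List


class Result(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    NO_RESPONSE = "no-response"


Backend = Callable[[str, str], Result]   # (username, password) -> Result


def make_backend(users: Dict[str, str], up: bool = True) -> Backend:
    """Constructed server: ACCEPT on a matching password, REJECT otherwise,
    NO_RESPONSE for every request while the server is down."""
    def backend(user: str, password: str) -> Result:
        if not up:
            return Result.NO_RESPONSE
        return Result.ACCEPT if users.get(user) == password else Result.REJECT
    return backend


def resolve_login(order: List[str], backends: Dict[str, Backend],
                  user: str, password: str) -> str:
    """Return the name of the method that accepted the login, or 'denied'.

    order:    the authentication-order list, e.g. ["radius", "password"]
    backends: method name -> backend; must include "password", because local
              authentication is always the last resort when servers are silent
    """
    explicit_password = "password" in order
    for method in order:
        result = backends[method](user, password)
        if result is Result.ACCEPT:
            return method
        if result is Result.REJECT and not explicit_password:
            return "denied"   # remote reject is final when password is not listed
        # no response, or a reject while password is listed: try the next method
    if not explicit_password:
        # every listed method stayed silent: local password as the last resort
        if backends["password"](user, password) is Result.ACCEPT:
            return "password"
    return "denied"


def worst_case_seconds(servers: int, attempts: int, timeout: int) -> int:
    """Longest time the RADIUS method can take before it counts as no response:
    every server tried `attempts` times, each attempt waiting `timeout` seconds
    (3 servers x 3 attempts x 3 s = 27 s in the text)."""
    return servers * attempts * timeout


CHAP_BUDGET_SECONDS = 30   # limit stated on this page


def servers_tried_within_budget(servers: int, attempts: int, timeout: int,
                                budget: int = CHAP_BUDGET_SECONDS) -> int:
    """How many configured servers can be contacted before the CHAP sequence
    is abandoned; servers beyond this count are never tried."""
    return min(servers, budget // (attempts * timeout))


# Constructed accounts: philip has a local account, roxane exists only on RADIUS.
LOCAL = make_backend({"philip": "local-pw"})
RADIUS_UP = make_backend({"philip": "radius-pw", "roxane": "roxane-pw"})
RADIUS_DOWN = make_backend({}, up=False)


def scenarios() -> Dict[str, str]:
    """The cases discussed in the text, each mapped to its outcome."""
    return {
        # authentication-order [ radius ]: RADIUS rejects philip's local
        # password; password is not listed, so the reject stands.
        "radius only, radius rejects": resolve_login(
            ["radius"], {"radius": RADIUS_UP, "password": LOCAL}, "philip", "local-pw"),
        # Same order, RADIUS silent: local password is consulted as last resort.
        "radius only, radius down": resolve_login(
            ["radius"], {"radius": RADIUS_DOWN, "password": LOCAL}, "philip", "local-pw"),
        # [ radius password ]: the reject gets one last local chance.
        "radius then password, radius rejects": resolve_login(
            ["radius", "password"], {"radius": RADIUS_UP, "password": LOCAL}, "philip", "local-pw"),
        # Silent RADIUS and no local account: nothing can accept roxane.
        "radius only, radius down, no local account": resolve_login(
            ["radius"], {"radius": RADIUS_DOWN, "password": LOCAL}, "roxane", "roxane-pw"),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name}: {outcome}")
    print("3 servers x 3 attempts x 3 s =", worst_case_seconds(3, 3, 3), "s")
    print("servers reachable inside the CHAP budget with 4 x 3 x 3 s:",
          servers_tried_within_budget(4, 3, 3))
```

The fourth scenario is the one to remember when reviewing an authentication-order of just [ radius ]: a silent server does not lock everyone out, but only users who also have a local account can get in, and they must use their local password, not the one stored on the server.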
The following example shows how to configure radius and password authentication:
[edit system]
user@switch# set authentication-order [ radius password ]
The following example shows how to delete the radius statement from the authentication order:
[edit system]
user@switch# delete authentication-order radius
The following example shows how to insert the tacplus statement after the radius statement:
[edit system]
user@switch# insert authentication-order tacplus after radius
SEE ALSO
Using Regular Expressions on a RADIUS or TACACS+ Server to Allow or Deny Access to Commands | 237
authentication-order (System) | 1061
Example: Configuring Authentication Order
IN THIS SECTION
Requirements | 192
Overview | 192
Configuration | 192
Verification | 194
Requirements
Before you begin, perform the initial device configuration. See the Getting Started Guide for your device.
Overview
You can configure the authentication methods that the device uses to verify that a user can gain access. For each login attempt, the device tries the authentication methods in order, starting with the first one, until one of them accepts the user's credentials. If you do not configure system authentication, users are verified based on their configured local passwords.
This example configures the device to attempt user authentication with the local password first, then with
the RADIUS server, and finally with the TACACS+ server.
When you use local password authentication, you must create a local user account for every user who
wants to access the system. However, when you are using RADIUS or TACACS+ authentication, you can
create single accounts (for authorization purposes) that are shared by a set of users. You create these
accounts using the remote and local user template accounts. When a user is using a template account, the
command-line interface (CLI) username is the login name; however, the privileges, file ownership, and
effective user ID are inherited from the template account.
Configuration
4. Under Available Methods, select the authentication method the device should use to authenticate
users, and use the arrow button to move the item to the Selected Methods list. Available methods
include:
• RADIUS
• TACACS+
• Local Password
If you want to use multiple methods to authenticate users, repeat this step to add the additional methods
to the Selected Methods list.
5. Under Selected Methods, use the Up Arrow and Down Arrow to specify the order in which the device
should execute the authentication methods.
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions
on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
[edit]
user@host# insert system authentication-order radius after password
[edit]
user@host# insert system authentication-order tacplus after radius
Results
From configuration mode, confirm your configuration by entering the show system authentication-order
command. If the output does not display the intended configuration, repeat the configuration instructions
in this example to correct it.
[edit]
user@host# show system authentication-order
authentication-order [ password radius tacplus ];
If you are done configuring the device, enter commit from configuration mode.
NOTE: To completely set up RADIUS or TACACS+ authentication, you must configure at least
one RADIUS or TACACS+ server and create user template accounts. Do one of the following
tasks:
• Configure a RADIUS server. See “Example: Configuring a RADIUS Server for System
Authentication” on page 203.
• Configure a TACACS+ server. See “Example: Configuring a TACACS+ Server for System
Authentication” on page 232.
• Configure template accounts. See “Example: Creating Template Accounts” on page 176.
Verification
Purpose
Verify that the authentication order has been configured.
Action
From operational mode, enter the show system authentication-order command.
Example: Configuring System Authentication for RADIUS, TACACS+, and Password Authentication
The following example shows how to configure system authentication for RADIUS, TACACS+, and password
authentication.
In this example, only the user Philip and users authenticated by a remote RADIUS server can log in. If a
user logs in and is not authenticated by the RADIUS server, the user is denied access to the router or
switch. If the RADIUS server is not available, the user is authenticated using the password authentication
method and allowed access to the router or switch. For more information about the password authentication
method, see “Junos OS Authentication Order for RADIUS, TACACS+, and Password Authentication” on
page 182.
When Philip tries to log in to the system, if the RADIUS server authenticates him, he is given access and
privileges for the super-user class. Local accounts are not configured for other users. When they log in to
the system and the RADIUS server authenticates them, they are given access using the same user ID (UID)
9999 and the privileges associated with the operator class.
[edit]
system {
authentication-order radius;
login {
user philip {
full-name "Philip";
uid 1001;
class super-user;
}
user remote {
full-name "All remote users";
uid 9999;
class operator;
}
}
}
NOTE: For authorization purposes, you can use a template account to create a single account
that can be shared by a set of users at the same time. For example, when you create a remote
template account, a set of remote users can concurrently share a single UID. For more information
about template accounts, see “Example: Configuring Authentication Order” on page 191.
When a user logs in to a device, the user's login name is sent to the RADIUS or TACACS+ server for authentication. If the authentication server accepts the user and the user is not configured at the [edit system login user] hierarchy level, the device uses the default remote template account for the user, provided a remote template account is configured at the [edit system login user remote] hierarchy level. The remote template account serves as the default template user account for all users that are authenticated by the authentication server but do not have a locally configured user account on the device. Such users share the same login class and UID.
To map a user to a different template, have the RADIUS server return the template's name in the Juniper-Local-User-Name vendor-specific attribute of its Access-Accept response (see “Juniper Networks Vendor-Specific RADIUS Attributes” on page 211). Not all RADIUS servers allow you to set this attribute. The following shows a sample Junos OS configuration:
[edit]
system {
authentication-order radius;
login {
user philip {
full-name "Philip";
uid 1001;
class super-user;
}
user operator {
full-name "All operators";
uid 9990;
class operator;
}
user remote {
full-name "All remote users";
uid 9999;
class read-only;
}
}
}
Philip would be given access as a superuser (super-user) because he has his own local user account.
Alexander and Darius share UID 9990 and have access as operators. Roxane has no template-user override,
so she shares access with all the other remote users, getting read-only access.
SEE ALSO
Configuring the Junos OS Authentication Order for RADIUS, TACACS+, and Local Password
Authentication | 189
RADIUS Authentication
Junos OS supports RADIUS for central authentication of users on multiple routers, switches, or security devices. To use RADIUS authentication on the device, you must configure information about one or more RADIUS servers on the network. You can also configure RADIUS accounting on the device to collect statistical data about the users logging in to or out from a LAN and send the data to a RADIUS accounting server. For more information, read this topic.
RADIUS authentication is a method of authenticating users who attempt to access the router or switch.
The Junos OS supports two protocols for central authentication of users on multiple routers: RADIUS and
TACACS+. We recommend RADIUS because it is a multivendor IETF standard, and its features are more
widely accepted than those of TACACS+ or other proprietary systems. In addition, we recommend using
a one-time-password system for increased security, and all vendors of these systems support RADIUS.
You should use RADIUS when your priorities are interoperability and performance:
• Performance—RADIUS is much lighter on your routers and switches and for this reason, network engineers
generally prefer RADIUS over TACACS+.
To use RADIUS authentication on the device, configure information about one or more RADIUS servers
on the network by including one radius-server statement at the [edit system] hierarchy level for each
RADIUS server.
NOTE: This feature is supported on SRX1500, SRX5400, SRX5600, and SRX5800 devices.
Source address is a valid IPv4 or IPv6 address configured on one of the router or switch interfaces. This sets a fixed address as the source address for locally generated IP packets.
Server address is a unique IPv4 or IPv6 address that is assigned to a particular server and used to route information to the server. If the Junos OS device has several interfaces that can reach the RADIUS server, assign an IP address that Junos OS can use for all its communication with the RADIUS server.
You must specify a password in the secret password statement. If the password contains spaces, enclose it in quotation marks. The secret password used by the local router or switch must match that used by the server. The secret is the shared key that the Junos OS device and the RADIUS server use to authenticate each other's packets.
NOTE: You can also specify an accounting port to send accounting packets with the
accounting-port statement. The default is 1813 (as specified in RFC 2866).
You must include the authentication-order statement in your remote authentication configuration.
The example assumes your network includes both RADIUS and TACACS+ servers. In this example,
whenever a user attempts to log in, Junos OS begins by querying the RADIUS server for authentication.
If it fails, it next attempts authentication with locally configured user accounts. Finally the TACACS+
server is tried.
You can assign different user templates and login classes to RADIUS-authenticated users. This allows
RADIUS-authenticated users to be granted different administrative permissions on the Junos OS device.
By default, RADIUS-authenticated users use the remote user template and are assigned to the associated
class, which is specified in the remote user template, if the remote user template is configured. The
username remote is a special case in Junos OS. It acts as a template for users who are authenticated
by a remote server, but do not have a locally configured user account on the device. In this method,
Junos OS applies the permissions of the remote template to those authenticated users without a locally
defined account. All users mapped to the remote template are of the same login class.
In the Junos OS configuration, a user template is configured in the same way as a regular local user
account, except that no local authentication password is configured because the authentication is
remotely performed on the RADIUS server.
• To have different login classes be used for different RADIUS-authenticated users, granting them different permissions, configure one user template per login class on the device and then:
b. Have the RADIUS server specify the name of the user template to be applied to the authenticated
user.
For a RADIUS server to indicate which user template is to be applied, it needs to include the
Juniper-Local-User-Name attribute (Vendor 2636, type 1, string) Juniper VSA (vendor-specific
attribute) in the RADIUS Access-Accept message. The string value in the Juniper-Local-User-Name
must correspond to the name of a configured user template on the device. For a list of relevant
Juniper RADIUS VSAs, see “Juniper Networks Vendor-Specific RADIUS Attributes” on page 211.
If the Juniper-Local-User-Name is not included in the Access-Accept message or the string contains
a user template name that does not exist on the device, the user is assigned to the remote user
template, if configured. If it is not configured, authentication fails for the user.
After logging in, the remotely authenticated user retains the same username that was used to log
in. However, the user inherits the user class from the assigned user template.
In a RADIUS server, users can be assigned a Juniper-Local-User-Name string, which indicates the
user template to be used in the Junos OS device. From the previous example, the string would
be RO, OP, or SU. Configuration of the RADIUS server depends on the server being used.
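The template-selection rules just described, together with the remote-template fallback explained in the authentication-order example earlier (Philip, Alexander, Darius, and Roxane), can be checked against real attribute bytes. The Python below is an added example, not Juniper code: it encodes a Juniper-Local-User-Name VSA (vendor ID 2636, vendor-type 1) in the RFC 2865 Vendor-Specific attribute layout, parses it back as a client would, and applies the page's rules to a constructed [edit system login] configuration. The attribute framing is the real wire format; the user names, templates, and device configuration are constructed for the example.

```python
"""Template selection for a RADIUS-authenticated login, as described above.

Added example, not Juniper code. It encodes the Juniper-Local-User-Name VSA
(vendor ID 2636, vendor-type 1, string) in the RFC 2865 Vendor-Specific
attribute layout, parses it back the way a client would, and applies the
rules stated in the text:
  1. a login name with its own account under [edit system login] keeps that
     account;
  2. otherwise the template named by Juniper-Local-User-Name is used, if a
     user of that name exists on the device;
  3. otherwise the remote template is used, if configured;
  4. otherwise the login fails.
Attribute contents and the device configuration are constructed for the
example; the attribute framing is the real wire format.
"""
import struct
from typing import Dict, List, Optional

ATTR_VENDOR_SPECIFIC = 26
JUNIPER_VENDOR_ID = 2636
JUNIPER_LOCAL_USER_NAME = 1


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """One Vendor-Specific attribute: type 26, length, 4-byte vendor id, then
    a vendor-type / vendor-length / value sub-attribute."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + sub
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def encode_juniper_local_user_name(template: str) -> bytes:
    return encode_vsa(JUNIPER_VENDOR_ID, JUNIPER_LOCAL_USER_NAME, template.encode())


def parse_attributes(blob: bytes) -> Dict[int, List[bytes]]:
    """Split a RADIUS attribute area into {type: [value, ...]}; rejects an
    attribute whose length field would run past the buffer."""
    out: Dict[int, List[bytes]] = {}
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("malformed attribute length")
        out.setdefault(atype, []).append(blob[i + 2:i + alen])
        i += alen
    return out


def juniper_local_user_name(attrs: Dict[int, List[bytes]]) -> Optional[str]:
    """Return the Juniper-Local-User-Name string, or None when absent.
    VSAs from other vendors and other Juniper sub-attributes are skipped."""
    for vsa in attrs.get(ATTR_VENDOR_SPECIFIC, []):
        if len(vsa) < 6 or struct.unpack("!I", vsa[:4])[0] != JUNIPER_VENDOR_ID:
            continue
        j = 4
        while j + 2 <= len(vsa):
            vtype, vlen = vsa[j], vsa[j + 1]
            if vlen < 2 or j + vlen > len(vsa):
                break                  # malformed sub-attribute: ignore this VSA
            if vtype == JUNIPER_LOCAL_USER_NAME:
                return vsa[j + 2:j + vlen].decode("utf-8", "replace")
            j += vlen
    return None


# Constructed [edit system login] contents: user name -> login class.
DEVICE_LOGIN = {"philip": "super-user", "operator": "operator", "remote": "read-only"}


def select_account(login_name: str, attrs: Dict[int, List[bytes]],
                   login_config: Dict[str, str]) -> Optional[str]:
    """Apply rules 1-4; returns the [edit system login] user whose class and
    UID the session inherits, or None when the login fails."""
    if login_name in login_config:
        return login_name
    template = juniper_local_user_name(attrs)
    if template is not None and template in login_config:
        return template
    if "remote" in login_config:
        return "remote"
    return None


def resolve(login_name: str, template_from_server: Optional[str],
            login_config: Dict[str, str] = DEVICE_LOGIN) -> Optional[str]:
    """Encode what the server would send, parse it back, select the account."""
    wire = encode_juniper_local_user_name(template_from_server) if template_from_server else b""
    return select_account(login_name, parse_attributes(wire), login_config)


if __name__ == "__main__":
    for name, tmpl in [("philip", "operator"), ("alexander", "operator"),
                       ("darius", "operator"), ("roxane", None)]:
        acct = resolve(name, tmpl)
        print(f"{name:<10} -> {acct} (class {DEVICE_LOGIN.get(acct)})")
```

Two details matter operationally: the CLI username stays the login name (Alexander is still "alexander" in the audit log even though he runs with the operator template's UID), and a misspelt or unconfigured template name in the server record silently falls back to the remote template, so the class granted by remote is the floor every RADIUS-authenticated user gets.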
By default, Junos OS routes authentication, authorization, and accounting packets for RADIUS through
the default routing instance. Starting in Junos OS Release 18.1R1, existing RADIUS behavior is enhanced
to support a management interface in a non-default VRF instance.
When the routing-instance mgmt_junos option is configured in both the radius-server server-ip-address
and the radius server server-ip-address statements, provided the management-instance statement is also
configured, RADIUS packets are routed through the management instance mgmt_junos.
[edit system]
radius-server server-address {
accounting-port port-number;
port number;
retry number;
routing-instance routing-instance-name; # use “mgmt_junos” for the routing instance name
secret password;
source-address source-address;
timeout seconds;
}
NOTE: The routing-instance mgmt_junos option must be configured in both the radius-server
and the radius server statements. If not, even if the management-instance statement is set,
RADIUS packets will still be sent using the default routing instance only.
Example: Configuring a RADIUS Server for System Authentication
IN THIS SECTION
Requirements | 203
Overview | 204
Configuration | 204
Verification | 206
This example shows how to configure a RADIUS server for system authentication.
Requirements
• Perform the initial device configuration. See the Getting Started Guide for your device.
• Configure at least one RADIUS server. For more details, see RADIUS Authentication and Accounting
Servers Configuration Overview.
Overview
In this example, you add a new RADIUS server with an IP address of 172.16.98.1 and specify the shared
secret password of the RADIUS server as Radiussecret1. The secret is stored as an encrypted value in the
configuration database. Finally, you specify the source address to be included in the RADIUS server requests
by the device. In most cases you can use the loopback address of the device, which in this example is
10.0.0.1.
Configuration
4. In the RADIUS section, click Add. The Add Radius Server dialog box appears.
6. In the Password and Confirm Password boxes, type the secret password for the server and verify your
entry.
8. In the Source Address box, type the source IP address that the device uses in its requests to the server (in this example, the loopback address 10.0.0.1).
9. In the Retry Attempts box, specify the number of times that the device should retry a request to the server before giving up.
10. In the Time Out box, specify the amount of time (in seconds) the device should wait for a response from the server.
12. If you are done configuring the device, click Commit Options>Commit.
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions
on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
[edit system]
user@host# set radius-server 172.16.98.1
[edit system]
user@host# set radius-server 172.16.98.1 secret Radiussecret1
[edit system]
user@host# set radius-server 172.16.98.1 source-address 10.0.0.1
Results
From configuration mode, confirm your configuration by entering the show system radius-server command.
If the output does not display the intended configuration, repeat the configuration instructions in this
example to correct it.
[edit]
user@host# show system radius-server
radius-server 172.16.98.1 {
secret Radiussecret1;
source-address 10.0.0.1;
}
If you are done configuring the device, enter commit from configuration mode.
NOTE: To completely set up RADIUS authentication, you must create user template accounts and specify a system authentication order. Do the following tasks:
• Configure local user template accounts. See “Example: Creating Template Accounts” on page 176.
• Specify the system authentication order. See “Configuring the Junos OS Authentication Order for RADIUS, TACACS+, and Local Password Authentication” on page 189.
Verification
Purpose
Verify that the RADIUS server has been configured for system authentication.
Action
From operational mode, enter the show system radius-server command.
The Junos OS supports two protocols for central authentication of users on multiple routers: RADIUS and
TACACS+. We recommend RADIUS because it is a multivendor IETF standard, and its features are more
widely accepted than those of TACACS+ or other proprietary systems. In addition, we recommend using
a one-time-password system for increased security, and all vendors of these systems support RADIUS.
The Junos OS uses one or more template accounts to perform user authentication. You create the template
account or accounts, and then configure the user access to use that account. If the RADIUS server is
unavailable, the fallback is for the login process to use the local account that is set up on the router or switch.
[edit]
system {
authentication-order [ radius password ];
root-authentication {
encrypted-password "$ABC123"; # SECRET-DATA
}
name-server {
10.1.1.1;
10.1.1.2;
}
}
The following example shows how to enable RADIUS authentication and define the shared secret between
the client and the server. The secret enables the client and server to determine that they are talking to
the trusted peer.
Define a timeout value for each server, so that if there is no response within the specified number of
seconds, the router can try either the next server or the next authentication mechanism.
[edit]
system {
radius-server {
10.1.2.1 {
secret "$ABC123"; # SECRET-DATA
timeout 5;
}
10.1.2.2 {
secret "$ABC123"; # SECRET-DATA
timeout 5;
}
}
}
The following example shows how to configure RADIUS template accounts for different users or groups
of users:
[edit]
system {
login {
user observation {
uid 1001;
class observation;
}
user operation {
uid 1002;
class operation;
}
user engineering {
uid 1003;
class engineering;
}
}
}
IN THIS SECTION
Specifying a Source Address for the Junos OS to Access External RADIUS Servers | 211
RADIUS authentication is a method of authenticating users who attempt to access the router or switch.
Tasks to configure RADIUS authentication are:
NOTE: The source-address statement is not supported at the [edit system radius-options] or
[edit system radius-server name] hierarchies on the QFabric system.
To use RADIUS authentication on the router or switch, configure information about one or more RADIUS
servers on the network by including one radius-server statement at the [edit system] hierarchy level for
each RADIUS server:
[edit system]
radius-server server-address {
accounting-port port-number;
port number;
retry number;
secret password;
source-address source-address;
timeout seconds;
}
You can specify a port on which to contact the RADIUS server. By default, port number 1812 is used (as
specified in RFC 2865). You can also specify an accounting port to send accounting packets. The default
is 1813 (as specified in RFC 2866).
You must specify a password in the secret password statement. If the password contains spaces, enclose
it in quotation marks. The secret used by the local router or switch must match that used by the server.
Optionally, you can specify the amount of time that the local router or switch waits to receive a response
from a RADIUS server (in the timeout statement) and the number of times that the router or switch
attempts to contact a RADIUS authentication server (in the retry statement). By default, the router or
switch waits 3 seconds. You can configure this to be a value from 1 through 90 seconds. By default, the
router or switch retries connecting to the server three times. You can configure this to be a value from 1
through 10 times.
You can use the source-address statement to specify a logical address for individual or multiple RADIUS
servers.
To configure a set of users that share a single account for authorization purposes, you create a template
user. To do this, include the user statement at the [edit system login] hierarchy level, as described in
“Example: Configuring Authentication Order” on page 191.
You can also configure RADIUS authentication at the [edit access] and [edit access profile] hierarchy level.
Junos OS uses the following search order to determine which set of servers are used for authentication:
You can configure the Microsoft implementation of the Challenge Handshake Authentication Protocol
version 2 (MS-CHAPv2) on the router or switch to support changing of passwords. This feature provides
users accessing a router or switch the option of changing the password when the password expires, is
reset, or is configured to be changed at the next login.
Before you configure MS-CHAPv2 for password-change support, ensure that you:
• Set the authentication-order to use the RADIUS server for the initial password attempt
To configure MS-CHAP-v2, include the following statements at the [edit system radius-options] hierarchy
level:
The following example shows statements for configuring the MS-CHAPv2 password protocol, password
authentication order, and user accounts:
[edit]
system {
authentication-order [ radius password ];
radius-server {
192.168.69.149 secret "$ABC123"; ## SECRET-DATA
}
radius-options {
password-protocol mschap-v2;
}
login {
user bob {
class operator;
}
}
}
Specifying a Source Address for the Junos OS to Access External RADIUS Servers
You can specify which source address Junos OS uses when accessing your network to contact an external
RADIUS server for authentication. You can also specify which source address Junos OS uses when contacting
a RADIUS server for sending accounting information.
To specify a source address for a RADIUS server, include the source-address statement at the [edit system
radius-server server-address] hierarchy level:
Junos OS supports the configuration of Juniper Networks RADIUS vendor-specific attributes (VSAs). These
VSAs are encapsulated in a RADIUS vendor-specific attribute with the vendor ID set to the Juniper Networks
ID number, 2636. Table 13 on page 212 lists the Juniper Networks VSAs you can configure.
For more information about the VSAs, see RFC 2138, Remote Authentication Dial In User Service (RADIUS).
Devices support the configuration of RADIUS server attributes specific to Juniper Networks. These
attributes are known as vendor-specific attributes (VSAs) and are described in RFC 2138, Remote
Authentication Dial In User Service (RADIUS).
Through VSAs, you can configure port-filtering attributes on the RADIUS server. VSAs are cleartext fields
sent from the RADIUS server to the device as a result of authentication success or failure. Authentication
prevents unauthorized user access by blocking a supplicant at the port until the device is authenticated
by the RADIUS server. The VSA attributes are interpreted by the device during authentication, and the
device takes appropriate actions. Implementing port-filtering attributes with authentication on the RADIUS
server provides a central location for controlling LAN access for supplicants.
These port-filtering attributes specific to Juniper Networks are encapsulated in a RADIUS server VSA with
the vendor ID set to the Juniper Networks ID number, 2636.
As well as configuring port-filtering attributes through VSAs, you can apply a port firewall filter that has
already been configured on the device directly to the RADIUS server. Like port-filtering attributes, the
filter is applied during the authentication process, and its actions are applied at the device port. Adding a
port firewall filter to a RADIUS server eliminates the need to add the filter to multiple ports and devices.
The Juniper-Switching-Filter VSA works in conjunction with 802.1X authentication to centrally control
access of supplicants to the network. You can use this VSA to configure filters on the RADIUS server,
which are sent to the switch and applied to users that have been authenticated using 802.1X authentication.
The Juniper-Switching-Filter VSA can contain one or more filter terms. Filter terms are configured using
one or more match conditions with a resulting action. Match conditions are the criteria that a packet must
meet for a configured action to be applied on it. The action is the action that the switch takes if a packet
meets the criteria in the match conditions. The action that the switch can take is either accept or deny a
packet.
The following guidelines apply when you specify match conditions and actions for VSAs:
• Any or all options can be included in each match and action statement.
• The AND operation is performed on fields that are of a different type, which are separated by commas.
Fields of the same type cannot be repeated.
• For the forwarding-class option to be applied, the forwarding class must be configured on the switch.
If the forwarding class is not configured on the switch, this option is ignored.
Table 14 on page 216 describes the match conditions that you can specify when you configure a VSA
attribute as a firewall filter by using the match command on the RADIUS server. The string that defines a
match condition is called a match statement.
Option Description
destination-mac mac-address
    Destination media access control (MAC) address of the packet.
source-dot1q-tag tag
    Tag value in the 802.1Q header, in the range 0 through 4095.
ip-protocol protocol-id
    IPv4 protocol value. In place of the numeric value, you can specify one of the following text
    synonyms: ah, egp (8), esp (50), gre (47), icmp (1), igmp (2), ipip (4), ipv6 (41), ospf (89),
    pim (103), rsvp (46), tcp (6), or udp (17).
source-port port
    TCP or User Datagram Protocol (UDP) source port field. Normally, you specify this match statement
    in conjunction with the ip-protocol match statement to determine which protocol is being used on
    the port. In place of the numeric field, you can specify one of the text options listed under
    destination-port.
destination-port port
    TCP or UDP destination port field. Normally, you specify this match statement in conjunction with
    the ip-protocol match statement to determine which protocol is being used on the port. In place of
    the numeric value, you can specify one of the following text synonyms (the port numbers are also
    listed):
    afs (1483), bgp (179), biff (512), bootpc (68), bootps (67), cvspserver (2401), cmd (514),
    dhcp (67), domain (53), eklogin (2105), ekshell (2106), exec (512), finger (79), ftp (21),
    ftp-data (20), http (80), https (443), ident (113), imap (143), kerberos-sec (88), klogin (543),
    kpasswd (761), krb-prop (754), krbupdate (760), kshell (544), ldap (389), login (513),
    mobileip-agent (434), mobilip-mn (435), msdp (639), netbios-dgm (138), netbios-ns (137),
    netbios-ssn (139), nfsd (2049), nntp (119), ntalk (518), ntp (123), pop3 (110), pptp (1723),
    printer (515), radacct (1813), radius (1812), rip (520), rkinit (2108), smtp (25), snmp (161),
    snmptrap (162), snpp (444), socks (1080), ssh (22), sunrpc (111), syslog (514), telnet (23),
    tacacs-ds (65), talk (517), tftp (69), timed (525), who (513), xdmcp (177), zephyr-clt (2103),
    zephyr-hm (2104)
When you define one or more terms that specify the filtering criteria, you also define the action to take
if the packet matches all criteria. Table 15 on page 217 shows the actions that you can specify in a term.
Option Description
(allow | deny)
    Accept a packet or discard a packet silently without sending an Internet Control Message Protocol
    (ICMP) message.
forwarding-class class-of-service
    (Optional) Classify the packet in one of the following forwarding classes:
    • assured-forwarding
    • best-effort
    • expedited-forwarding
    • network-control
loss-priority (low | medium | high)
    (Optional) Set the packet loss priority (PLP) to low, medium, or high. Specify both the forwarding
    class and the loss priority.
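The match conditions, actions and guidelines above can be checked before a filter term is pushed to the RADIUS server. The following validator is an added example, not Juniper's code: it takes a term as two lists of (option, value) pairs, an assumed representation rather than the exact VSA string syntax, and its synonym tables are a subset of those in the guide.

```python
"""Added example (not Juniper's code): checks one Juniper-Switching-Filter term
against the match options, actions and guidelines listed in the guide.  A term is
given as two lists of (option, value) pairs (assumed representation, not the exact
VSA string syntax); the synonym tables below are a subset of the guide's tables."""
import re

# Subset of the page's text synonyms; numeric values may be given instead.
IP_PROTOCOLS = {"icmp": 1, "igmp": 2, "tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ospf": 89}
PORTS = {"ssh": 22, "telnet": 23, "domain": 53, "http": 80, "https": 443,
         "ntp": 123, "snmp": 161, "syslog": 514, "radius": 1812, "radacct": 1813}
FORWARDING_CLASSES = {"assured-forwarding", "best-effort", "expedited-forwarding", "network-control"}
LOSS_PRIORITIES = {"low", "medium", "high"}
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)


class FilterTermError(ValueError):
    """Raised when a term violates the VSA syntax or the guidelines."""


def _number(value, synonyms, maximum, what):
    """Resolve a text synonym or a decimal string to an integer within range."""
    if value in synonyms:
        return synonyms[value]
    if value.isdigit() and int(value) <= maximum:
        return int(value)
    raise FilterTermError(f"invalid {what}: {value!r}")


def normalize_match(match):
    """Return the ANDed match fields; a repeated field type is an error (guideline 2)."""
    fields = {}
    for option, value in match:
        if option in fields:
            raise FilterTermError(f"match option repeated: {option}")
        if option == "destination-mac":
            if not MAC_RE.match(value):
                raise FilterTermError(f"invalid MAC address: {value!r}")
            fields[option] = value.lower()
        elif option == "source-dot1q-tag":
            fields[option] = _number(value, {}, 4095, "802.1Q tag")
        elif option == "ip-protocol":
            fields[option] = _number(value, IP_PROTOCOLS, 255, "IP protocol")
        elif option in ("source-port", "destination-port"):
            fields[option] = _number(value, PORTS, 65535, "port")
        else:
            raise FilterTermError(f"unknown match option: {option}")
    return fields


def normalize_action(action, configured_classes):
    """Return the action fields plus warnings.  allow/deny is mandatory; a forwarding
    class that is not configured on the switch is ignored, as the guide states."""
    fields, warnings, seen = {}, [], set()
    for option, value in action:
        if option in seen:
            raise FilterTermError(f"action option repeated: {option}")
        seen.add(option)
        if option in ("allow", "deny"):
            if "verdict" in fields:
                raise FilterTermError("a term takes either allow or deny, not both")
            fields["verdict"] = option
        elif option == "forwarding-class":
            if value not in FORWARDING_CLASSES:
                raise FilterTermError(f"unknown forwarding class: {value!r}")
            if value in configured_classes:
                fields[option] = value
            else:
                warnings.append(f"forwarding-class {value} is not configured on the switch; ignored")
        elif option == "loss-priority":
            if value not in LOSS_PRIORITIES:
                raise FilterTermError(f"invalid loss priority: {value!r}")
            fields[option] = value
        else:
            raise FilterTermError(f"unknown action option: {option}")
    if "verdict" not in fields:
        raise FilterTermError("a term must specify allow or deny")
    if "loss-priority" in seen and "forwarding-class" not in seen:
        raise FilterTermError("loss-priority must be specified together with forwarding-class")
    return fields, warnings


def validate_term(match, action, configured_classes=frozenset()):
    """Validate a whole term; returns normalized match/action fields and any warnings."""
    fields = normalize_match(match)
    warnings = []
    if ("source-port" in fields or "destination-port" in fields) and "ip-protocol" not in fields:
        warnings.append("port match without ip-protocol; the guide recommends using both")
    action_fields, action_warnings = normalize_action(action, configured_classes)
    return {"match": fields, "action": action_fields, "warnings": warnings + action_warnings}
```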
Devices support IETF RFC 2866, RADIUS Accounting. Configuring RADIUS accounting on the device
supports collecting statistical data about users logging in to or out from a LAN and sending the data to a
RADIUS accounting server. The statistical data gathered can be used for general network monitoring,
analyzing and tracking usage patterns, or billing a user based upon the amount of time or type of services
accessed.
To configure RADIUS accounting, specify one or more RADIUS accounting servers to receive the statistical
data from the device, and select the type of accounting data to be collected.
The RADIUS accounting server you specify can be the same server used for RADIUS authentication, or it
can be a separate RADIUS server. You can specify a list of RADIUS accounting servers. If the primary
server (the first one configured) is unavailable, each RADIUS server in the list is tried in the order in which
they are configured in the Junos OS.
The RADIUS accounting process between the device and a RADIUS server works like this:
1. A RADIUS accounting server listens for User Datagram Protocol (UDP) packets on a specific port. For
example, on FreeRADIUS, the default port is 1813.
2. The device forwards an accounting-request packet containing an event record to the accounting server.
The event record associated with this supplicant contains an Acct-Status-Type attribute whose value
indicates the beginning of user service for this supplicant. When the supplicant’s session ends, the
accounting request contains an Acct-Status-Type attribute value indicating the end of user service. The
RADIUS accounting server records this as a stop-accounting record containing session information and
the length of the session.
3. The RADIUS accounting server logs these events in a file as start-accounting or stop-accounting records.
On FreeRADIUS, the filename is the server’s address; for example, 192.0.2.0.
4. The accounting server sends an accounting-response packet back to the device confirming it has received
the accounting request.
5. If the device does not receive a response from the server, it continues to send accounting requests
until an accounting response is returned from the accounting server.
The statistics collected through this process can be displayed from the RADIUS server; to see those
statistics, the user accesses the log file configured to receive them.
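The exchange described in the steps above, built and checked at the packet level, as an added example that is not Juniper's code. The layout and authenticator formulas follow RFC 2865/2866; the user name, session ID and secret are constructed sample values, and no network traffic is sent.

```python
"""Added example (not Juniper's code): the RADIUS accounting Start/Stop exchange
at the packet level.  Header layout and authenticator formulas follow RFC 2865
and RFC 2866; user, session id and secret are constructed sample values.  The
MD5 authenticator only binds each packet to the shared secret, which is the
weakness RADSEC later addresses by carrying RADIUS inside TLS."""
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5            # RADIUS Code values
USER_NAME, ACCT_STATUS_TYPE, ACCT_SESSION_ID, ACCT_SESSION_TIME = 1, 40, 44, 46
STATUS_START, STATUS_STOP = 1, 2                          # Acct-Status-Type values
HEADER_LEN = 20                                           # Code(1) Id(1) Length(2) Authenticator(16)


def attribute(kind, value):
    """Encode one Type-Length-Value attribute (Length counts the 2-byte header)."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", kind, len(value) + 2) + value


def session_attributes(user, session_id, status, session_time=None):
    """Attributes the device sends: Start at login, Stop (with the duration) at logout."""
    attrs = (attribute(USER_NAME, user.encode())
             + attribute(ACCT_STATUS_TYPE, struct.pack("!I", status))
             + attribute(ACCT_SESSION_ID, session_id.encode()))
    if session_time is not None:
        attrs += attribute(ACCT_SESSION_TIME, struct.pack("!I", session_time))
    return attrs


def build_request(identifier, secret, attrs):
    """Accounting-Request: Authenticator = MD5(Code+Id+Length+16 zero octets+Attributes+Secret)."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, HEADER_LEN + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_request(packet, secret):
    """Server side: a request whose authenticator does not match the secret is silently dropped."""
    header, authenticator, attrs = packet[:4], packet[4:HEADER_LEN], packet[HEADER_LEN:]
    code, _, length = struct.unpack("!BBH", header)
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return hmac.compare_digest(authenticator, expected)


def build_response(request, secret, attrs=b""):
    """Accounting-Response: Authenticator = MD5(Code+Id+Length+RequestAuthenticator+Attributes+Secret)."""
    header = struct.pack("!BBH", ACCOUNTING_RESPONSE, request[1], HEADER_LEN + len(attrs))
    authenticator = hashlib.md5(header + request[4:HEADER_LEN] + attrs + secret).digest()
    return header + authenticator + attrs


def verify_response(response, request, secret):
    """Device side: the response must carry this request's Id and be keyed with the same
    secret; until such a response arrives the device keeps resending the request (step 5)."""
    header, authenticator, attrs = response[:4], response[4:HEADER_LEN], response[HEADER_LEN:]
    code, identifier, length = struct.unpack("!BBH", header)
    if code != ACCOUNTING_RESPONSE or identifier != request[1] or length != len(response):
        return False
    expected = hashlib.md5(header + request[4:HEADER_LEN] + attrs + secret).digest()
    return hmac.compare_digest(authenticator, expected)


def decode_attributes(packet):
    """Walk the attribute list after the header into a {type: value} dict."""
    attrs, pos = {}, HEADER_LEN
    while pos < len(packet):
        kind, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs[kind] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def accounting_session(secret, user, session_id, seconds):
    """Run the Start/Stop exchange for one session; returns the records the server would log."""
    records = []
    for identifier, status, duration in ((1, STATUS_START, None), (2, STATUS_STOP, seconds)):
        request = build_request(identifier, secret, session_attributes(user, session_id, status, duration))
        if not verify_request(request, secret):           # server drops unauthenticated requests
            continue
        fields = decode_attributes(request)
        kind = "start" if fields[ACCT_STATUS_TYPE] == struct.pack("!I", STATUS_START) else "stop"
        records.append((kind, fields[USER_NAME].decode(), fields[ACCT_SESSION_ID].decode()))
        if not verify_response(build_response(request, secret), request, secret):
            raise RuntimeError("device would retry: response failed verification")
    return records
```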
With RADIUS accounting enabled, Juniper Networks routers or switches, acting as RADIUS clients, can
notify the RADIUS server about user activities such as software logins, configuration changes, and interactive
commands. The framework for RADIUS accounting is described in RFC 2866.
To audit user events, include the following statements at the [edit system accounting] hierarchy level:
[edit system accounting]
events [ events ];
destination {
radius {
server {
server-address {
accounting-port port-number;
retry number;
routing-instance routing-instance;
secret password;
source-address address;
timeout seconds;
}
}
}
}
To specify the events you want to audit when using a RADIUS server for authentication, include the events
statement at the [edit system accounting] hierarchy level:
• login—Audit logins
To configure RADIUS server accounting, include the server statement at the [edit system accounting
destination radius] hierarchy level:
server {
server-address {
accounting-port port-number;
retry number;
routing-instance routing-instance;
secret password;
source-address address;
timeout seconds;
}
}
server-address specifies the address of the RADIUS server. To configure multiple RADIUS servers, include
multiple server statements.
NOTE: If no RADIUS servers are configured at the [edit system accounting destination radius]
statement hierarchy level, the Junos OS uses the RADIUS servers configured at the [edit system
radius-server] hierarchy level.
NOTE: If you enable RADIUS accounting at the [edit access profile profile-name accounting-order]
hierarchy level, accounting is triggered on the default port of 1813 even if you do not specify a
value for the accounting-port statement.
routing-instance routing-instance is the name of the non-default management instance. Use mgmt_junos
as the routing-instance name. See Management Interface in a Nondefault Instance.
You must specify a secret (password) that the local router or switch passes to the RADIUS client by including
the secret statement. If the password contains spaces, enclose the entire password in quotation marks
(" ").
In the source-address statement, specify a source address for the RADIUS server. Each RADIUS request
sent to a RADIUS server uses the specified source address. The source address is a valid IPv4 address (if
the radius-server address is IPv4) or IPv6 address (if the radius-server address is IPv6) configured on
one of the router or switch interfaces.
Optionally, you can specify the number of times that the router or switch attempts to contact a RADIUS
authentication server by including the retry statement. By default, the router or switch retries three times.
You can configure the router or switch to retry from 1 through 10 times.
Optionally, you can specify the length of time that the local router or switch waits to receive a response
from a RADIUS server by including the timeout statement. By default, the router or switch waits 3 seconds.
You can configure the timeout to be from 1 through 90 seconds.
Starting with Junos OS Release 14.1 and Junos OS Release 17.3R1, you can configure the
enhanced-accounting statement to view the attribute values of a logged in user. If you use the
enhanced-accounting statement at the [edit system radius-options] hierarchy level, the RADIUS attributes
such as access method, remote port, and access privileges can be audited. You can limit the number of
attribute values to be displayed for auditing by using the enhanced-avs-max <number> statement at the
[edit system accounting] hierarchy level.
When a Juniper Networks router or switch is configured with RADIUS accounting, it sends Accounting-Start
and Accounting-Stop messages to the RADIUS server. These messages contain information about user
activities such as software logins, configuration changes, and interactive commands. This information is
typically used for monitoring a network, collecting usage statistics, and ensuring that users are billed
properly.
The following example shows three servers (10.5.5.5, 10.6.6.6, and 10.7.7.7) configured for RADIUS
accounting:
system {
accounting {
events [ login change-log interactive-commands ];
destination {
radius {
server {
10.5.5.5 {
accounting-port 3333;
secret $ABC123;
source-address 10.1.1.1;
retry 3;
timeout 3;
}
10.6.6.6 secret $ABC123;
10.7.7.7 secret $ABC123;
}
}
}
}
}
Release Description
17.4R1 Starting in Junos OS Release 18.1R1, existing RADIUS behavior is enhanced to support a
management interface in a non-default VRF instance.
14.1 Starting with Junos OS Release 14.1 and Junos OS Release 17.3R1, you can configure the
enhanced-accounting statement to view the attribute values of a logged in user.
RADIUS over TLS is designed to provide secure communication of RADIUS requests using the Transport
Layer Security (TLS) protocol. RADIUS over TLS, also known as RADSEC, redirects regular RADIUS traffic
to remote RADIUS servers connected over TLS. RADSec allows RADIUS authentication, authorization and
accounting data to be passed safely across untrusted networks.
RADSEC uses TLS in combination with the Transmission Control Protocol (TCP). This transport profile
provides stronger security than the User Datagram Protocol (UDP) which was originally used for RADIUS
transmission. RADIUS over UDP encrypts the shared secret password using the MD5 algorithm, which is
vulnerable to attacks. RADSEC mitigates the risk of attacks on MD5 by exchanging RADIUS packet payloads
over an encrypted TLS tunnel.
NOTE: Due to limitations of the TCP protocol, RADSEC can have no more than 255 RADIUS
messages in flight.
RADSEC servers are represented by RADSEC destination objects. To configure RADSEC, you must define
the RADSEC server as a destination, and direct RADIUS traffic to that destination.
You define the RADSEC server as a destination using the radsec statement at the [edit access] hierarchy
level. RADSEC destinations are identified by a unique numeric ID. You can configure multiple RADSEC
destinations with different parameters pointing to the same RADSEC server.
To redirect traffic from a standard RADIUS server to a RADSEC server, associate the RADIUS server with
a RADSEC destination. For example, the RADIUS server 1.1.1.1 is associated with RADSEC destination
10:
access {
radius-server 1.1.1.1 {
secret zzz;
radsec-destination 10;
}
}
You can also associate the RADIUS server with a RADSEC destination inside an access profile. For example,
RADIUS server 2.2.2.2 in profile acc_profile is associated with RADSEC destination 10:
access {
profile acc_profile {
radius-server 2.2.2.2 {
secret zzz;
radsec-destination 10;
}
}
}
NOTE: You can redirect more than one RADIUS server to the same RADSEC destination.
To configure RADSEC:
[edit access]
user@host# radsec destination id-number address server-address
2. Configure the port of the RADSEC server. If no port is configured, the default RADSEC port 2083 is
used.
[edit access]
user@host# radius-server server-address radsec-destination id-number
The TLS connection provides encryption, authentication, and data integrity for the exchange of RADIUS
messages. TLS relies on certificates and private-public key exchange pairs to secure the transmission of
data between the RADSEC client and server. The RADSEC destination uses local certificates that are
dynamically acquired from the Junos PKI infrastructure.
To enable RADSEC, you must specify the name of the local certificate. For information on configuring the
local certificate and certificate authority (CA), see Configuring Digital Certificates.
1. Specify the name of the local certificate to be used for TLS communications.
[edit access]
user@host# radsec destination id-number tls-certificate certificate-name
[edit access]
user@host# radsec destination id-number tls-peer-name cert-server-name
[edit access]
user@host# radsec destination id-number tls-timeout seconds
The following example is a simple RADSEC configuration with one RADIUS server and one RADSEC
destination. RADIUS traffic is redirected from RADIUS server 1.1.1.1 to RADSEC destination 10.
access {
radius-server 1.1.1.1 {
secret zzz;
radsec-destination 10;
}
radsec {
destination 10 {
address 10.1.1.1;
max-tx-buffers 1000;
id-reuse-timeout 30;
port 1777;
source-address 1.1.1.2;
tls-certificate my_cert;
tls-force-ciphers { medium | low };
tls-min-version { v1.1 | v1.2 };
tls-peer-name x0.radsec.com;
tls-timeout 10;
}
}
}
Monitoring Certificates
To view information about the state and statistics of local certificate acquisition: show network-access
radsec local-certificate.
To view statistics for the RADSEC destinations: show network-access radsec statistics.
To view the state of the RADSEC destinations: show network-access radsec state.
TACACS+ Authentication
IN THIS SECTION
Using Regular Expressions on a RADIUS or TACACS+ Server to Allow or Deny Access to Commands | 237
The Junos OS supports TACACS+ for central authentication of users on multiple routers or switches or
security devices. To use TACACS+ authentication on the device, you must configure information about
one or more TACACS+ servers on the network. You can also configure TACACS+ accounting on the device
to collect statistical data about the users logging in to or out from a LAN and sending the data to a TACACS+
accounting server. For more information, read this topic.
IN THIS SECTION
Specifying a Source Address for the Junos OS to Access External TACACS+ Servers | 230
Configuring the Same Authentication Service for Multiple TACACS+ Servers | 231
TACACS+ authentication is a method of authenticating users who attempt to access the router or switch.
NOTE: Starting with Release 13.3, Junos OS supports IPv6 along with the existing IPv4 support
for user authentication using TACACS+ servers.
To use TACACS+ authentication on the router or switch, configure information about one or more TACACS+
servers on the network by including the tacplus-server statement at the [edit system] hierarchy level:
[edit system]
tacplus-server server-address {
port port-number;
routing-instance routing-instance;
secret password;
single-connection;
timeout seconds;
}
routing-instance routing-instance is the name of the routing instance used to send and receive TACACS+
packets. By default, Junos OS routes authentication, authorization, and accounting packets for TACACS+
through the default routing instance. Starting in Junos OS Release 17.4R1, existing TACACS+ behavior is
enhanced to support routing TACACS+ packets through a management interface in a non-default VRF
instance named mgmt_junos. For more information on this VRF management instance, see “Configuring
TACACS+ to Use the Management Instance” on page 230. Starting in Junos OS Release 18.2R1, you can
route TACACS+ traffic through any routing instance you configure in authentication.
You must specify a secret (password) that the local router or switch passes to the TACACS+ client by
including the secret statement. If the password includes spaces, enclose the password in quotation marks.
The secret used by the local router or switch must match that used by the server.
Optionally, you can specify the length of time that the local router or switch waits to receive a response
from a TACACS+ server by including the timeout statement. By default, the router or switch waits 3 seconds.
You can configure this to be a value in the range from 1 through 90 seconds.
Optionally, you can have the software maintain one open Transmission Control Protocol (TCP) connection
to the server for multiple requests, rather than opening a connection for each connection attempt by
including the single-connection statement.
NOTE: Early versions of the TACACS+ server do not support the single-connection option. If
you specify this option and the server does not support it, the Junos OS will be unable to
communicate with that TACACS+ server.
On a TX Matrix router, TACACS+ accounting should be configured only under the groups re0 and re1.
NOTE: Accounting should not be configured at the [edit system] hierarchy level; on a TX Matrix
router, control is done under the switch-card chassis only.
To configure a set of users that share a single account for authorization purposes, you create a template
user. To do this, include the user statement at the [edit system login] hierarchy level, as described in
“Example: Configuring Authentication Order” on page 191.
By default, Junos OS routes authentication, authorization, and accounting packets for TACACS+ through
the default routing instance. Starting in Junos OS Release 17.4R1, existing TACACS+ behavior is enhanced
to support a management interface in a non-default VRF instance.
[edit system]
tacplus-server server-address {
routing-instance routing-instance;
}
When the routing-instance mgmt_junos option is configured in both the tacplus-server server-address
and the tacplus server server-ip statements (see tacplus), provided the management-instance statement
is also configured, TACACS+ packets are routed through the management instance mgmt_junos.
NOTE: The routing-instance mgmt_junos option must be configured in both the tacplus-server
and the tacplus server statements. If not, even when the management-instance statement is
configured, TACACS+ packets use the default routing instance only.
Before Junos OS Release 17.4R1, there is no option for configuring a routing instance for
TACACS+. Therefore, even if management-instance is configured, there is no TACACS+ routing
instance functionality, until Junos OS Release 17.4R1.
Specifying a Source Address for the Junos OS to Access External TACACS+ Servers
You can specify which source address the Junos OS uses when accessing your network to contact an
external TACACS+ server for authentication. You can also specify which source address the Junos OS
uses when contacting a TACACS+ server for sending accounting information.
To specify a source address for a TACACS+ server for authentication, include the source-address statement
at the [edit system tacplus-server server-address] hierarchy level:
To specify a source address for a TACACS+ server for system accounting, include the source-address
statement at the [edit system accounting destination tacplus server server-address] hierarchy level:
To configure the same authentication service for multiple TACACS+ servers, include statements at the
[edit system tacplus-server] and [edit system tacplus-options] hierarchy levels. For information about
how to configure a TACACS+ server at the [edit system tacplus-server] hierarchy level, see “Configuring
TACACS+ Authentication” on page 228.
To assign the same authentication service to multiple TACACS+ servers, include the service-name statement
at the [edit system tacplus-options] hierarchy level:
service-name is the name of the authentication service. By default, the service name is set to junos-exec.
The following example shows how to configure the same authentication service for multiple TACACS+
servers:
[edit system]
tacplus-server {
10.2.2.2 secret "$ABC123"; ## SECRET-DATA
10.3.3.3 secret "$ABC123"; ## SECRET-DATA
}
tacplus-options {
service-name bob;
}
The Juniper Networks Vendor-Specific TACACS+ Attributes enable you to configure access privileges for
users on a TACACS+ server. They are specified in the TACACS+ server configuration file on a per-user
basis. The Junos OS retrieves these attributes through an authorization request of the TACACS+ server
after authenticating a user. You do not need to configure these attributes to run the Junos OS with
TACACS+.
To specify these attributes, include a service statement of the following form in the TACACS+ server
configuration file:
service = junos-exec {
local-user-name = <username-local-to-router>
allow-commands = "<allow-commands-regex>"
allow-configuration-regexps = "<allow-configuration-regex>"
deny-commands = "<deny-commands-regex>"
deny-configuration-regexps = "<deny-configuration-regex>"
}
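A TACACS+ administrator can sanity-check such a service block before it reaches the device: unknown or repeated attributes and regular expressions that do not compile are easy to catch offline. The parser below is an added example, not Juniper's code, and the sample user entry it reads is constructed for illustration.

```python
"""Added example (not Juniper's code): a line-based parser for the service block
shown above, as it appears in a TACACS+ server's user entry.  It reports unknown
or duplicated attributes and rejects regular expressions that do not compile.
The sample entry at the bottom is constructed for illustration."""
import re

KNOWN_ATTRIBUTES = {"local-user-name", "allow-commands", "allow-configuration-regexps",
                    "deny-commands", "deny-configuration-regexps"}
REGEX_ATTRIBUTES = KNOWN_ATTRIBUTES - {"local-user-name"}
SERVICE_RE = re.compile(r"^\s*service\s*=\s*([\w-]+)\s*\{\s*$")
ATTRIBUTE_RE = re.compile(r'^\s*([\w-]+)\s*=\s*(?:"(.*)"|(\S+))\s*$')


def parse_service_blocks(text):
    """Return {service-name: {attribute: value}} for every service block in the text."""
    services, current, attrs = {}, None, None
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if current is None:                         # outside a service block
            match = SERVICE_RE.match(line)
            if match:
                current, attrs = match.group(1), {}
            continue                                # other server syntax is ignored here
        if line == "}":
            services[current], current, attrs = attrs, None, None
            continue
        match = ATTRIBUTE_RE.match(line)
        if not match:
            raise ValueError(f"line {number}: cannot parse {line!r}")
        key = match.group(1)
        value = match.group(2) if match.group(2) is not None else match.group(3)
        if key in attrs:
            raise ValueError(f"line {number}: attribute {key} repeated")
        attrs[key] = value
    if current is not None:
        raise ValueError(f"service block {current} is not closed")
    return services


def check_junos_exec(services):
    """Validate the junos-exec block the device requests after authentication.
    Returns its attributes, or None when the server defines no junos-exec service
    (the attributes are optional, as the guide notes)."""
    attrs = services.get("junos-exec")
    if attrs is None:
        return None
    for key, value in attrs.items():
        if key not in KNOWN_ATTRIBUTES:
            raise ValueError(f"unknown Juniper attribute: {key}")
        if key in REGEX_ATTRIBUTES:
            try:
                re.compile(value)
            except re.error as exc:
                raise ValueError(f"{key} is not a valid regular expression: {exc}") from exc
    return attrs


# Constructed sample user entry in the style of a TACACS+ server configuration file.
SAMPLE_ENTRY = '''
user = alice {
    service = junos-exec {
        local-user-name = operators
        allow-commands = "(show .*)|(ping .*)"
        deny-commands = "(request system .*)|(file .*)"
        deny-configuration-regexps = "system login .*"
    }
}
'''
```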
IN THIS SECTION
Requirements | 232
Overview | 232
Configuration | 233
Verification | 235
This example shows how to configure a TACACS+ server for system authentication.
Requirements
• Perform the initial device configuration. See the Getting Started Guide for your device.
Overview
In this example, you set the IP address to 172.16.98.24 and the shared secret password of the TACACS+
server to Tacacssecret1. The secret password is stored as an encrypted value in the configuration database.
You then set the loopback source address as 10.0.0.1.
Configuration
4. In the TACACS section, click Add. The Add TACACS Server dialog box appears.
6. In the Password and Confirm Password boxes, type the secret password for the server and verify your
entry.
8. In the Source Address box, type the locally configured interface address, which is used as the source
address for TACACS+ packets.
NOTE: The Source Address box can accept either a hostname or an IP address.
9. In the Retry Attempts box, specify the number of times that the server should try to verify the user’s
credentials.
10. In the Time Out box, specify the amount of time (in seconds) the device should wait for a response
from the server.
12. If you are done configuring the device, click Commit Options>Commit.
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions
on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
[edit system]
user@host# set tacplus-server address 172.16.98.24
[edit system]
user@host# set tacplus-server 172.16.98.24 secret Tacacssecret1
[edit system]
user@host# set tacplus-server 172.16.98.24 source-address 10.0.0.1
Results
From configuration mode, confirm your configuration by entering the show system tacplus-server command.
If the output does not display the intended configuration, repeat the configuration instructions in this
example to correct it.
[edit]
user@host# show system tacplus-server
tacplus-server 172.16.98.24 {
secret Tacacssecret1;
source-address 10.0.0.1;
}
If you are done configuring the device, enter commit from configuration mode.
NOTE: To completely set up TACACS+ authentication, you must create user template accounts
and specify a system authentication order. Do one of the following tasks:
• Configure local user template accounts. See “Example: Creating Template Accounts” on page 176.
Verification
Purpose
Verify that the TACACS+ server has been configured for system authentication.
Action
From configuration mode, enter the show system tacplus-server command.
When you configure a Junos OS device to use a TACACS+ server for authentication, the device prompts
users for login information, which is verified by the TACACS+ server. After the user is successfully
authenticated, the Junos OS device sends an authorization request to the TACACS+ server to obtain the
authorization profile for the user. Authorization profiles specify the access permissions for authenticated
users or devices.
The TACACS+ server sends the authorization profile as part of an authorization response message. The
remote user configured on the TACACS+ server is mapped to a local user configured on the Junos OS
device. The Junos OS device combines the remote authorization profile with the locally-configured
authorization profile for the user, which is configured at the [edit system login class] hierarchy level.
By default, the exchange of authorization request and response messages occurs only once, after successful
authentication. You can configure the Junos OS device to periodically fetch the remote
authorization profile from the TACACS+ server and refresh the authorization profile stored locally. This
ensures that any change in the authorization parameters is reflected on the local device without the user
having to restart the authentication process.
To enable periodic refresh of the authorization profile, you must set the time interval at which the Junos
OS device checks the authorization profile configured remotely on the TACACS+ server. If there is a change
in the remote authorization profile, the device fetches the authorization profile from the TACACS+ server
and the authorization profile configured under the login class hierarchy. The device refreshes the
authorization profile stored locally by combining the remote and locally-configured authorization profiles.
The time interval can be configured directly on the TACACS+ server or locally on the Junos OS device
using the CLI. The time interval is configured in minutes, in the range of 15 to 1440 minutes.
• To configure periodic refresh of the authorization profile on the local device using the CLI, include the
authorization-time-interval statement at the [edit system tacplus-options] hierarchy level:
• To configure the time interval for periodic refresh on the TACACS+ server, add the time interval as a
parameter in the authorization profile using the following syntax:
refresh-time-interval=minutes
Use the following guidelines to determine which time interval configuration takes precedence:
• If there is no refresh time interval configured on the TACACS+ server for periodic refresh, the Junos OS
device does not receive the time interval value in the authorization response. In this case, the value
configured locally on the Junos OS device will take effect.
• If the refresh time interval is configured on the TACACS+ server and there is no refresh time interval
configured locally on the Junos OS device, the value configured on the TACACS+ server will take effect.
• If a refresh time interval is configured on the TACACS+ server and also locally on the Junos OS device,
the value configured on the TACACS+ server will take precedence.
• If there is no refresh time interval configured on the TACACS+ server and there is no refresh time interval
configured on the Junos OS device, there will be no periodic refresh.
• If the refresh time interval configured on the TACACS+ server is out of range or invalid, the refresh time
interval value configured locally will take effect.
• If the refresh time interval configured on the TACACS+ server is out of range or invalid and there is no
refresh time interval configured locally, there will be no periodic refresh.
After the periodic refresh time interval is set, if the user changes the refresh interval before the authorization
request is sent from the Junos OS device, the updated refresh interval takes effect after the next immediate
periodic refresh.
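The precedence rules above, modelled as an added example (not Junos OS code): the server-side value arrives as the refresh-time-interval attribute of the authorization response, the local value stands for the authorization-time-interval statement, and the function returns the interval that takes effect or None when there is no periodic refresh. The dict-of-attributes form of the response is a constructed stand-in for the real TACACS+ message.

```python
"""Effective TACACS+ authorization refresh interval (added example, not Junos OS code).

Models the precedence rules for the periodic authorization-profile refresh:
a valid server value wins, otherwise the local value, otherwise no refresh.
Both values are minutes in the documented range 15 through 1440.
"""
from typing import Optional

MIN_MINUTES = 15
MAX_MINUTES = 1440


def is_valid_interval(minutes: Optional[int]) -> bool:
    """True when the value is an integer inside the documented range."""
    return isinstance(minutes, int) and MIN_MINUTES <= minutes <= MAX_MINUTES


def server_interval(authorization_response: dict) -> Optional[int]:
    """Extract refresh-time-interval from an authorization response.

    The response is modelled as a dict of TACACS+ attribute-value pairs
    (a constructed stand-in for the protocol message). Returns None when the
    attribute is absent or cannot be parsed as an integer; the guide treats
    an invalid value the same way as an out-of-range one.
    """
    raw = authorization_response.get("refresh-time-interval")
    if raw is None:
        return None
    try:
        return int(raw)
    except (TypeError, ValueError):
        return None


def effective_refresh_interval(server: Optional[int],
                               local: Optional[int]) -> Optional[int]:
    """Apply the precedence rules.

    - a valid server value always wins, even when a local value exists;
    - an absent, out-of-range or invalid server value falls back to local;
    - with neither value available there is no periodic refresh (None).
    """
    if is_valid_interval(server):
        return server
    if is_valid_interval(local):
        return local
    return None


def refresh_decision(authorization_response: dict,
                     local: Optional[int]) -> Optional[int]:
    """Parse the response, then apply the precedence rules."""
    return effective_refresh_interval(server_interval(authorization_response), local)
```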
Use regular expressions to specify which operational or configuration mode commands are allowed or
denied when you use a RADIUS or TACACS+ server for user authentication. You can specify the regular
expressions using the appropriate Juniper Networks vendor-specific RADIUS or TACACS+ attributes in
your authentication server configuration.
The following attributes are supported for configuring authorizations on RADIUS and TACACS+ servers:
• user-permissions
• allow-configuration
• deny-configuration
• allow-commands
• deny-commands
• allow-configuration-regexp
• deny-configuration-regexp
On a RADIUS or TACACS+ server, you can also use a simplified version for regular expressions where you
specify each individual expression on a separate line. The simplified version is valid for allow-commands,
deny-commands, allow-configuration, deny-configuration, and permissions vendor-specific attributes.
For a RADIUS server, specify the individual regular expressions using the following syntax:
Juniper-Allow-Commands+="cmd1"
Juniper-Allow-Commands+="cmd2"
Juniper-Allow-Commands+="cmdn"
Juniper-Deny-Commands+="cmd1"
Juniper-Deny-Commands+="cmd2"
Juniper-Deny-Commands+="cmdn"
Juniper-Allow-Configuration+="regex1"
Juniper-Allow-Configuration+="regex2"
Juniper-Allow-Configuration+="regexn"
Juniper-Deny-Configuration+="regex1"
Juniper-Deny-Configuration+="regex2"
Juniper-Deny-Configuration+="regexn"
Juniper-User-Permissions+="permission-flag1"
Juniper-User-Permissions+="permission-flag2"
Juniper-User-Permissions+="permission-flagn"
For a TACACS+ server, specify the individual regular expressions using the following syntax:
allow-commands1="cmd1"
allow-commands2="cmd2"
allow-commandsn="cmdn"
deny-commands1="cmd1"
deny-commands2="cmd2"
deny-commandsn="cmdn"
allow-configuration1="regex1"
allow-configuration2="regex2"
allow-configurationn="regexn"
deny-configuration1="regex1"
deny-configuration2="regex2"
deny-configurationn="regexn"
user-permissions1="permission-flag1"
user-permissions2="permission-flag2"
user-permissionsn="permission-flagn"
NOTE:
• Numeric values 1 to n in the syntax (for TACACS+ server) must be unique but need not be
sequential. For example, the following syntax is valid:
allow-commands1="cmd1"
allow-commands3="cmd3"
allow-commands2="cmd2"
deny-commands3="cmd3"
deny-commands2="cmd2"
deny-commands1="cmd1"
• The limit on the number of lines of individual regular expressions is imposed by the TACACS+
or RADIUS server.
• When you issue the show cli authorization command, the command output displays the regular
expression in a single line, even if you specify each individual expression on a separate line.
For more information about Juniper Networks vendor-specific RADIUS and TACACS+ attributes, see
“Juniper Networks Vendor-Specific RADIUS Attributes” on page 211 and “Juniper Networks Vendor-Specific
TACACS+ Attributes” on page 240.
NOTE: When RADIUS or TACACS+ authentication is configured for a router, regular expressions
configured on the RADIUS or TACACS+ server merge with any regular expressions configured
on the local router at the [edit system login class] hierarchy level using the allow-commands,
deny-commands, allow-configuration, deny-configuration, or permissions statements. If the
final expression has a syntax error, the overall result is an invalid regular expression.
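The per-line TACACS+ syntax and the merge note above, as an added example (not Junos OS code): it parses numbered attribute lines, rejects a duplicated suffix, joins each attribute's expressions in suffix order, merges them with the login-class expressions of the local device and reports whether the final expression still compiles. Two assumptions: the combined expression is modelled as a "|" alternation, and Python's re module is only a stand-in syntax check for the device's own regular-expression engine.

```python
"""Merge per-line TACACS+ authorization attributes into single expressions.

Added example, not Junos OS code. Handles the simplified syntax
allow-commands1="...", deny-configuration2="...", user-permissions1="...",
where the numeric suffixes must be unique but need not be sequential.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

REGEX_ATTRIBUTES = ("allow-commands", "deny-commands",
                    "allow-configuration", "deny-configuration")
FLAG_ATTRIBUTE = "user-permissions"
# attribute name, numeric suffix, then ="value" (quotes as in the guide's syntax)
_LINE = re.compile(r'^\s*([a-z-]+?)(\d+)\s*=\s*"(.*)"\s*$')


def parse_numbered_attributes(lines: List[str]) -> Dict[str, List[Tuple[int, str]]]:
    """Group attribute lines by base name as (suffix, value) pairs.

    Raises ValueError on a malformed line, an unsupported attribute, or a
    duplicated suffix, which the guide says must be unique.
    """
    grouped: Dict[str, List[Tuple[int, str]]] = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"malformed attribute line: {line!r}")
        name, index, value = m.group(1), int(m.group(2)), m.group(3)
        if name not in REGEX_ATTRIBUTES and name != FLAG_ATTRIBUTE:
            raise ValueError(f"unsupported attribute: {name}")
        if any(i == index for i, _ in grouped[name]):
            raise ValueError(f"duplicate suffix {name}{index}")
        grouped[name].append((index, value))
    return dict(grouped)


def rejects(lines: List[str]) -> bool:
    """True when the attribute lines would be refused by the parser."""
    try:
        parse_numbered_attributes(lines)
        return False
    except ValueError:
        return True


def combine(grouped: Dict[str, List[Tuple[int, str]]], attribute: str) -> str:
    """Join one attribute's expressions, in suffix order, into a single line.

    Assumption: the single-line form shown by show cli authorization is an
    alternation of the individual expressions.
    """
    return "|".join(v for _, v in sorted(grouped.get(attribute, [])))


def merge_with_local(remote: str, local: str) -> str:
    """Server-side and login-class expressions merge into one expression."""
    return "|".join(p for p in (local, remote) if p)


def is_valid_expression(expression: str) -> bool:
    """Syntax check: one error anywhere makes the whole expression invalid."""
    try:
        re.compile(expression)
        return True
    except re.error:
        return False


def effective_authorization(server_lines: List[str],
                            local_class: Dict[str, str]) -> Dict[str, object]:
    """Build the merged per-attribute result and flag invalid expressions."""
    grouped = parse_numbered_attributes(server_lines)
    result: Dict[str, object] = {}
    for attribute in REGEX_ATTRIBUTES:
        merged = merge_with_local(combine(grouped, attribute),
                                  local_class.get(attribute, ""))
        result[attribute] = {"regex": merged, "valid": is_valid_expression(merged)}
    # permission flags are plain names, not regular expressions
    result[FLAG_ATTRIBUTE] = [v for _, v in sorted(grouped.get(FLAG_ATTRIBUTE, []))]
    return result
```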
SEE ALSO
Junos OS Authentication Order for RADIUS, TACACS+, and Password Authentication | 182
Junos OS supports the configuration of Juniper Networks TACACS+ vendor-specific attributes (VSAs).
These VSAs are encapsulated in a TACACS+ vendor-specific attribute with the vendor ID set to the Juniper
Networks ID number, 2636. Table 16 on page 240 lists the Juniper Networks VSAs you can configure.
Table 16: Juniper Networks Vendor-Specific TACACS+ Attributes

Attribute Name: local-user-name
Description: Indicates the name of the user template used by this user when logging in to a device.
Length: ≥3
String: One or more octets containing printable ASCII characters.

Attribute Name: user-permissions
Description: Contains information the server uses to specify user permissions.
Length: ≥3
String: One or more octets containing printable ASCII characters. See “Understanding Junos OS Access Privilege Levels” on page 84.

NOTE: When the user-permissions attribute is configured to grant the Junos OS maintenance or all
permissions on an IPv4 or IPv6 TACACS+ server, the UNIX wheel group membership is not automatically
added to a user’s list of group memberships. Some operations, such as running the su root command
from a local shell, require wheel group membership permissions. However, when a user is configured
locally with the permissions maintenance or all, the user is automatically granted membership to the
UNIX wheel group. Therefore, we recommend that you create a template user account with the required
permissions and associate individual user accounts with the template user account.
You can use TACACS+ to track and log software logins, configuration changes, and interactive commands.
To audit these events, include the following statements at the [edit system accounting] hierarchy level:
destination {
    tacplus {
        server {
            server-address {
                port port-number;
                routing-instance routing-instance;
                secret password;
                single-connection;
                timeout seconds;
            }
        }
    }
}
To specify the events you want to audit when using a TACACS+ server for authentication, include the
events statement at the [edit system accounting] hierarchy level:
• login—Audit logins
To configure TACACS+ server accounting, include the server statement at the [edit system accounting
destination tacplus] hierarchy level:
server {
    server-address {
        port port-number;
        routing-instance routing-instance;
        secret password;
        single-connection;
        timeout seconds;
    }
}
server-address specifies the address of the TACACS+ server. To configure multiple TACACS+ servers,
include multiple server statements.
NOTE: If no TACACS+ servers are configured at the [edit system accounting destination tacplus]
statement hierarchy level, the Junos OS uses the TACACS+ servers configured at the [edit system
tacplus-server] hierarchy level.
We recommend that you add the following configuration at the [edit system accounting
destination tacplus] statement hierarchy level to identify a destination and help avoid generating
an error condition:
accounting {
    events [ login change-log interactive-commands ];
    destination {
        tacplus;
    }
}
routing-instance routing-instance is the name of the routing instance used to send and receive TACACS+
packets. By default, Junos OS routes authentication, authorization, and accounting packets for TACACS+
through the default routing instance. Starting in Junos OS Release 17.4R1, existing TACACS+ behavior is
enhanced to support routing TACACS+ packets through a management interface in a non-default VRF
instance named mgmt_junos. For more information on this VRF management instance, see “Configuring
TACACS+ To Use the Management Instance” on page 245. Starting in Junos OS Release 18.2R1, you can
route TACACS+ traffic through any routing instance you configure in accounting.
You must specify a secret (password) that the local router or switch passes to the TACACS+ client by
including the secret statement. If the password contains spaces, enclose the entire password in quotation
marks (“ ”). The password used by the local router or switch must match that used by the server.
Optionally, you can specify the length of time that the local router or switch waits to receive a response
from a TACACS+ server by including the timeout statement. By default, the router or switch waits 3 seconds.
You can configure this to be a value in the range from 1 through 90 seconds.
Optionally, you can maintain one open TCP connection to the server for multiple requests, rather than
opening a connection for each connection attempt, by including the single-connection statement.
To ensure that start and stop requests for accounting of login events are correctly logged in the Accounting
file instead of the Administration log file on a TACACS+ server, include either the no-cmd-attribute-value
statement or the exclude-cmd-attribute at the [edit system tacplus-options] hierarchy level.
If you use the no-cmd-attribute-value statement, the value of the cmd attribute is set to a null string in
the start and stop requests. If you use the exclude-cmd-attribute statement, the cmd attribute is totally
excluded from the start and stop requests. Both statements support the correct logging of accounting
requests in the Accounting file, instead of the Administration file.
By default, Junos OS routes authentication, authorization, and accounting packets for TACACS+ through
the default routing instance. Starting in Junos OS Release 17.4R1, existing TACACS+ behavior is enhanced
to support a management interface in a non-default VRF instance.
When the routing-instance mgmt_junos option is configured in both the tacplus-server server-address
and the tacplus server server-ip statements, provided the management-instance statement is also configured,
TACACS+ packets are routed through the management instance mgmt_junos.
NOTE: The routing-instance mgmt_junos option must be configured in both the tacplus-server
and the tacplus server statements. If not, even if the management-instance statement is set,
TACACS+ packets will still be sent using the default routing instance only.
On a TX Matrix router, TACACS+ accounting should be configured only under the groups re0 and re1.
NOTE: Accounting should not be configured at the [edit system] hierarchy; on a TX Matrix
router, control is done under the switch-card chassis only.
Release   Description
18.2R1    Starting in Junos OS Release 18.2R1, you can route TACACS+ traffic through any routing
          instance you configure in authentication.
18.2R1    Starting in Junos OS Release 18.2R1, you can route TACACS+ traffic through any routing
          instance you configure in accounting.
17.4R1    Starting in Junos OS Release 17.4R1, existing TACACS+ behavior is enhanced to support routing
          TACACS+ packets through a management interface in a non-default VRF instance named
          mgmt_junos.
17.4R1    Starting in Junos OS Release 17.4R1, existing TACACS+ behavior is enhanced to support a
          management interface in a non-default VRF instance.
IN THIS SECTION
Example: Configuring the Authentication Key for BGP and IS-IS Routing Protocols | 248
Configuring the Authentication Key Update Mechanism for BGP and LDP Routing Protocols | 250
You can configure an authentication method and password for routing protocol messages for the IGPs
(IS-IS, OSPF, and RIP) and for RSVP. To prevent the exchange of unauthenticated or forged packets, routers
must ensure that they form routing protocol relationships (peering or neighboring relationships) only with
trusted peers. One way of doing this is by authenticating routing protocol messages. Neighboring routers
use the password to verify the authenticity of packets sent by the protocol from the router or from a router
interface. Read this topic for more information.
Some interior gateway protocols (IGPs)—Intermediate System-to-Intermediate System (IS-IS), Open Shortest
Path First (OSPF), and Routing Information Protocol (RIP)—and Resource Reservation Protocol (RSVP)
allow you to configure an authentication method and password. Neighboring routers use the password to
verify the authenticity of packets sent by the protocol from the router or from a router interface. The
following authentication methods are supported:
• Simple authentication (IS-IS, OSPF, and RIP)—Uses a simple text password. The receiving router uses an
authentication key (password) to verify the packet. Because the password is included in the transmitted
packet, this method of authentication is relatively insecure. We recommend that you not use this
authentication method.
• MD5 and HMAC-MD5 (IS-IS, OSPF, RIP, and RSVP)—Message Digest 5 (MD5) creates an encoded
checksum that is included in the transmitted packet. HMAC-MD5, which combines HMAC authentication
with MD5, adds the use of an iterated cryptographic hash function. With both types of authentication,
the receiving router uses an authentication key (password) to verify the packet. HMAC-MD5
authentication is defined in RFC 2104, HMAC: Keyed-Hashing for Message Authentication.
In general, authentication passwords are text strings consisting of a maximum of 16 or 255 letters and
digits. Any ASCII characters are allowed. If you include spaces in a password, enclose all characters
in quotation marks (“ ”).
Junos-FIPS has special password requirements. FIPS passwords must be between 10 and 20 characters
in length. Passwords must use at least three of the five defined character sets (uppercase letters, lowercase
letters, digits, punctuation marks, and other special characters). If Junos-FIPS is installed on the router,
you cannot configure passwords unless they meet this standard.
Example: Configuring the Authentication Key for BGP and IS-IS Routing
Protocols
The main task of a router is to use its routing and forwarding tables to forward user traffic to its intended
destination. Attackers can send forged routing protocol packets to a router with the intent of changing or
corrupting the contents of its routing table or other databases, which in turn can degrade the functionality
of the router and the network. To prevent such attacks, routers must ensure that they form routing protocol
relationships (peering or neighboring relationships) to trusted peers. One way of doing this is by
authenticating routing protocol messages. We strongly recommend using authentication when configuring
routing protocols. The Junos OS supports HMAC-MD5 authentication for BGP, Intermediate
System-to-Intermediate System (IS-IS), Open Shortest Path First (OSPF), Routing Information Protocol
(RIP), and Resource Reservation Protocol (RSVP). HMAC-MD5 uses a secret key that is combined with
the data being transmitted to compute a hash. The computed hash is transmitted along with the data. The
receiver uses the matching key to recompute and validate the message hash. If an attacker has forged or
modified the message, the hash will not match and the data will be discarded.
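The HMAC-MD5 mechanism described above (and in the list of supported methods earlier in this topic), carried through as an added example that is not Junos OS code: the keyed construction from RFC 2104 is implemented on top of MD5, cross-checked against Python's hmac module, and then used for the sender and receiver steps the text describes. The message bytes and key are constructed stand-ins, not a real BGP or IS-IS PDU, and the tag placement at the end of the message is this example's framing rather than any protocol's encoding.

```python
"""HMAC-MD5 message authentication, RFC 2104 style (added example, not Junos OS code).

Shows why a forged or modified message is rejected: the receiver recomputes
the tag with the shared key, and any change to the data (or a different key)
produces a different tag.
"""
import hashlib
import hmac

BLOCK_SIZE = 64  # MD5 block size in bytes (B in RFC 2104)
TAG_LEN = 16     # MD5 digest length


def hmac_md5(key: bytes, message: bytes) -> bytes:
    """H(K XOR opad, H(K XOR ipad, text)) with MD5 as H (RFC 2104, section 2)."""
    if len(key) > BLOCK_SIZE:
        key = hashlib.md5(key).digest()      # keys longer than B are hashed first
    key = key.ljust(BLOCK_SIZE, b"\x00")     # then zero-padded to B bytes
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.md5(ipad + message).digest()
    return hashlib.md5(opad + inner).digest()


def matches_stdlib(key: bytes, message: bytes) -> bool:
    """Cross-check the hand-rolled construction against hmac.new(..., 'md5')."""
    return hmac_md5(key, message) == hmac.new(key, message, "md5").digest()


def sign(key: bytes, message: bytes) -> bytes:
    """Sender: transmit the message followed by its authentication tag."""
    return message + hmac_md5(key, message)


def verify(key: bytes, packet: bytes) -> bool:
    """Receiver: split off the tag, recompute it, compare in constant time."""
    if len(packet) < TAG_LEN:
        return False
    message, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    return hmac.compare_digest(hmac_md5(key, message), tag)


def tampered(packet: bytes) -> bytes:
    """Flip one bit of the payload to model a modified message in transit."""
    body = bytearray(packet)
    body[0] ^= 0x01
    return bytes(body)
```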
In the following examples, we configure BGP as the exterior gateway protocol (EGP) and IS-IS as the
interior gateway protocol (IGP). If you use OSPF, configure it similarly to the IS-IS configuration shown.
Configuring BGP
The following example shows the configuration of a single authentication key for the BGP peer group
internal peers. You can also configure BGP authentication at the neighbor or routing instance levels, or
for all BGP sessions. As with any security configuration, there is a trade-off between the degree of
granularity (and to some extent the degree of security) and the amount of management necessary to
maintain the system. This example also configures a number of tracing options for routing protocol events
and errors, which can be good indicators of attacks against routing protocols. These events include protocol
authentication failures, which might point to an attacker that is sending spoofed or otherwise malformed
routing packets to the router in an attempt to elicit a particular behavior.
[edit]
protocols {
    bgp {
        group ibgp {
            type internal;
            traceoptions {
                file bgp-trace size 1m files 10;
                flag state;
                flag general;
            }
            local-address 10.10.5.1;
            log-updown;
            neighbor 10.2.1.1;
            authentication-key "$9$aH1j8gqQ1gjyjgjhgjgiiiii";
        }
        group ebgp {
            type external;
            traceoptions {
                file ebgp-trace size 10m files 10;
                flag state;
                flag general;
            }
            local-address 10.10.5.1;
            log-updown;
            peer-as 2;
            neighbor 10.2.1.2;
            authentication-key "$9$aH1j8gqQ1gjyjgjhgjgiiiii";
        }
    }
}
Configuring IS-IS
Although all IGPs supported by the Junos OS support authentication, some are inherently more secure
than others. Most service providers use OSPF or IS-IS to allow fast internal convergence and scalability
and to use traffic engineering capabilities with Multiprotocol Label Switching (MPLS). Because IS-IS does
not operate at the network layer, it is more difficult to spoof than OSPF, which is encapsulated in IP and
is therefore subject to remote spoofing and DoS attacks.
The following example also shows how to configure a number of tracing options for routing protocol
events and errors, which can be good indicators of attacks against routing protocols. These events include
protocol authentication failures, which might point to an attacker that is sending spoofed or otherwise
malformed routing packets to the router in an attempt to elicit a particular behavior.
[edit]
protocols {
    isis {
        authentication-key "$9$aH1j8gqQ1gjyjgjhgjgiiiii"; # SECRET-DATA
        authentication-type md5;
        traceoptions {
            file isis-trace size 10m files 10;
            flag normal;
            flag error;
        }
        interface at-0/0/0.131 {
            lsp-interval 50;
            level 2 disable;
            level 1 {
                metric 3;
                hello-interval 5;
                hold-time 60;
            }
        }
        interface lo0.0 {
            passive;
        }
    }
}
Configuring the Authentication Key Update Mechanism for BGP and LDP
Routing Protocols
You can configure an authentication key update mechanism for the Border Gateway Protocol (BGP) and
Label Distribution Protocol (LDP) routing protocols. This mechanism allows you to update authentication
keys without interrupting associated routing and signaling protocols such as Open Shortest Path First
(OSPF) and Resource Reservation Setup Protocol (RSVP).
To configure this feature, include the authentication-key-chains statement at the [edit security] level, and
include the authentication-algorithm algorithm and authentication-key-chain statements for the BGP or
LDP routing protocols at the [edit protocols] level .
The following topics provide more details about configuring authentication key updates for BGP and LDP
Routing Protocols:
• Configuring BGP and LDP for Authentication Key Updates on page 251
To configure the authentication key update mechanism, include the key-chain statement at the [edit
security authentication-key-chains] hierarchy level, and specify the key option to create a keychain
consisting of several authentication keys.
key-chain—Assigns a name to the keychain mechanism. This name is also configured at the [edit protocols
bgp] or the [edit protocols ldp] hierarchy levels to associate unique authentication key-chain attributes
as specified using the following options:
• key—Each key within a keychain is identified by a unique integer value. The range is from 0 through 63.
• secret—Each key must specify a secret in encrypted text or plain text format. Even if you enter the secret
data in plain-text format, the secret always appears in encrypted format.
• start-time—Start times for authentication key updates are specified in UTC (Coordinated Universal Time),
and must be unique within the keychain.
To configure the authentication key update mechanism for the BGP and LDP routing protocols, include
the authentication-key-chain statement at the [edit protocols (bgp | ldp)] hierarchy level to associate each
routing protocol with the [edit security authentication-key-chains] authentication keys. You must also
configure the authentication-algorithm algorithm statement at the [edit protocols (bgp | ldp)] hierarchy
level.
NOTE: When configuring the authentication key update mechanism for BGP, you cannot commit
the 0.0.0.0/allow statement with authentication keys or key chains. The CLI issues a warning
and fails to commit such configurations.
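The keychain structure described in this topic, modelled as an added example (not Junos OS code): a named chain of keys identified by an integer from 0 through 63, each with a secret and a UTC start-time that must be unique within the chain, plus the selection of the key in effect at a given moment. The selection rule (latest start-time that is not in the future) and the datetime handling are this example's assumptions about how a staged key takes over without interrupting the session.

```python
"""Authentication key-chain rollover for BGP and LDP (added example, not Junos OS code).

Models [edit security authentication-key-chains key-chain name key n]: each
key carries a secret and a UTC start-time. The key in effect is the one with
the latest start-time that has already been reached, so a successor key can
be configured ahead of time on both peers.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Build a timezone-aware UTC timestamp (start-times are specified in UTC)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Key:
    key_id: int           # unique integer, 0 through 63
    secret: bytes         # plain text here; the device stores it encrypted
    start_time: datetime  # UTC, unique within the keychain


@dataclass
class KeyChain:
    name: str                    # referenced by authentication-key-chain under [edit protocols (bgp | ldp)]
    algorithm: str = "hmac-md5"  # stands in for the authentication-algorithm statement
    keys: Dict[int, Key] = field(default_factory=dict)

    def validate(self, key_id: int, start_time: datetime) -> Optional[str]:
        """Return the reason a key would be rejected, or None if it is acceptable."""
        if not 0 <= key_id <= 63:
            return "key must be in the range 0 through 63"
        if key_id in self.keys:
            return f"key {key_id} already exists in keychain {self.name}"
        if start_time.tzinfo is None or start_time.utcoffset() != timedelta(0):
            return "start-time must be specified in UTC"
        if any(k.start_time == start_time for k in self.keys.values()):
            return "start-time must be unique within the keychain"
        return None

    def add_key(self, key_id: int, secret: bytes, start_time: datetime) -> Key:
        reason = self.validate(key_id, start_time)
        if reason:
            raise ValueError(reason)
        key = Key(key_id, secret, start_time)
        self.keys[key_id] = key
        return key

    def active_key(self, at: datetime) -> Optional[Key]:
        """Key in effect at time `at`: the latest start-time that is not in the future.

        A key whose start-time lies ahead is ignored until that time, which is
        what lets the secret roll over without tearing down the session.
        """
        started = [k for k in self.keys.values() if k.start_time <= at]
        return max(started, key=lambda k: k.start_time, default=None)


def build_example_chain() -> KeyChain:
    """Constructed keychain: a current key and a successor staged for later."""
    chain = KeyChain(name="bgp-peers")
    chain.add_key(0, b"first-secret", utc(2020, 1, 1))
    chain.add_key(1, b"second-secret", utc(2020, 6, 1, 2, 0))
    return chain
```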
For information about the BGP protocol, see the Junos OS Routing Protocols Library.
RELATED DOCUMENTATION
authentication-algorithm
authentication-key-chain (Protocols BGP and BMP)
authentication-key-chain (Protocol LDP)
5 CHAPTER
IN THIS SECTION
Configuring FTP Service for Remote Access to the Router or Switch | 256
Configuring SSH Service for Remote Access to the Router or Switch | 257
Configuring Password Retry Limits for Telnet and SSH Access | 275
You can access a router, switch, or security device remotely using services such as DHCP, finger, FTP,
rlogin, SSH, and Telnet. This topic shows you how to configure remote access using the Telnet, SSH, FTP,
and finger services. Read this topic for more information.
For security reasons, remote access to the router is disabled by default. You must configure the router
explicitly so that users on remote systems can access it. The router can be accessed from a remote system
by means of the DHCP, finger, FTP, rlogin, SSH, and Telnet services. In addition, Junos XML protocol client
applications can use Secure Sockets Layer (SSL) or the Junos XML protocol-specific clear-text service,
among other services.
NOTE: To protect system resources, you can limit the number of simultaneous connections that
a service accepts and the number of processes owned by a single user. If either limit is exceeded,
connection attempts fail.
SEE ALSO
Configuring clear-text or SSL Service for Junos XML Protocol Client Applications
IP Address Assignments
Configuring DTCP-over-SSH Service for the Flow-Tap Application
Configuring TACACS+ System Accounting | 242
To configure the router or switch to accept Telnet as an access service, include the telnet statement at
the [edit system services] hierarchy level:
By default, the router or switch supports a limited number of simultaneous Telnet sessions and connection
attempts per minute.
Optionally, you can include either or both of the following statements to change the defaults:
• connection-limit limit—Maximum number of simultaneous connections per protocol (IPv4 and IPv6).
The range is from 1 through 250. The default is 75. When you configure a connection limit, the limit is
applicable to the number of telnet sessions per protocol (IPv4 and IPv6). For example, a connection limit
of 10 allows 10 IPv6 telnet sessions and 10 IPv4 telnet sessions.
• rate-limit limit—Maximum number of connection attempts accepted per minute (from 1 through 250).
The default is 150. When you configure a rate limit, the limit is applicable to the number of connection
attempts per protocol (IPv4 and IPv6). For example, a rate limit of 10 allows 10 IPv6 telnet session
connection attempts per minute and 10 IPv4 telnet session connection attempts per minute.
You cannot include the telnet statement on devices that run the Junos-FIPS software. We recommend
that you do not use Telnet in a Common Criteria environment.
SEE ALSO
telnet | 1608
To configure the router or switch to accept FTP as an access service, include the ftp statement at the [edit
system services] hierarchy level:
By default, the router or switch supports a limited number of simultaneous FTP sessions and connection
attempts per minute. You can include either or both of the following statements to change the defaults:
• connection-limit limit—Maximum number of simultaneous connections per protocol (IPv4 and IPv6).
The range is a value from 1 through 250. The default is 75. When you configure a connection limit, the
limit is applicable to the number of sessions per protocol (IPv4 and IPv6). For example, a connection
limit of 10 allows 10 IPv6 FTP sessions and 10 IPv4 FTP sessions.
• rate-limit limit—Maximum number of connection attempts accepted per minute (a value from 1 through
250). The default is 150. When you configure a rate limit, the limit is applicable to the number of
connection attempts per protocol (IPv4 and IPv6). For example, a rate limit of 10 allows 10 IPv6 FTP
session connection attempts per minute and 10 IPv4 FTP session connection attempts per minute.
You can use passive FTP to access devices that accept only passive FTP services. All commands and
statements that use FTP also accept passive FTP. Include the ftp statement at the [edit system services]
hierarchy level to use either active FTP or passive FTP.
To start a passive FTP session, use pasvftp (instead of ftp) in the standard FTP format (ftp://destination).
For example:
You cannot include the ftp statement on routers or switches that run the Junos-FIPS software. We
recommend that you do not use the finger service in a Common Criteria environment.
To configure the router to accept finger as an access service, include the finger statement at the [edit
system services] hierarchy level:
By default, the router supports a limited number of simultaneous finger sessions and connection attempts
per minute. Optionally, you can include either or both of the following statements to change the defaults:
• connection-limit limit—Maximum number of simultaneous connections per protocol (IPv4 and IPv6).
The range is a value from 1 through 250. The default is 75. When you configure a connection limit, the
limit is applicable to the number of sessions per protocol (IPv4 and IPv6). For example, a connection
limit of 10 allows 10 IPv6 clear-text service sessions and 10 IPv4 clear-text service sessions.
• rate-limit limit—Maximum number of connection attempts accepted per minute (a value from 1 through
250). The default is 150. When you configure a rate limit, the limit is applicable to the number of
connection attempts per protocol (IPv4 and IPv6). For example, a rate limit of 10 allows 10 IPv6 session
connection attempts per minute and 10 IPv4 session connection attempts per minute.
You cannot include the finger statement on routers that run the Junos-FIPS software. We recommend
that you do not use the finger service in a Common Criteria environment.
To configure the router or switch to accept SSH as an access service, include the ssh statement at the
[edit system services] hierarchy level:
By default, the router or switch supports a limited number of simultaneous SSH sessions and connection
attempts per minute. Use the following statements to change the defaults:
• connection-limit limit—Maximum number of simultaneous connections per protocol (IPv4 and IPv6).
The range is a value from 1 through 250. The default is 75. When you configure a connection limit, the
limit is applicable to the number of SSH sessions per protocol (IPv4 and IPv6). For example, a connection
limit of 10 allows 10 IPv6 SSH sessions and 10 IPv4 SSH sessions.
• rate-limit limit—Maximum number of connection attempts accepted per minute (a value from 1 through
250). The default is 150. When you configure a rate limit, the limit is applicable to the number of
connection attempts per protocol (IPv4 and IPv6). For example, a rate limit of 10 allows 10 IPv6 SSH
session connection attempts per minute and 10 IPv4 SSH session connection attempts per minute.
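The connection-limit and rate-limit semantics described for SSH here (and identically for Telnet, FTP, and finger above), modelled as an added example that is not Junos OS code: both limits are validated against the 1 through 250 range, default to 75 and 150, and are counted separately for IPv4 and IPv6 clients, so a limit of 10 admits 10 sessions of each family. The sliding one-minute window and the accept/reject decision order are this example's assumptions.

```python
"""Per-protocol connection-limit and rate-limit model (added example, not Junos OS code).

IPv4 and IPv6 are counted independently: an exhausted IPv4 budget does not
affect IPv6 clients, and vice versa. Attempts are timestamps in seconds.
"""
from collections import deque
from ipaddress import ip_address
from typing import Deque, Dict

DEFAULT_CONNECTION_LIMIT = 75   # simultaneous sessions per protocol
DEFAULT_RATE_LIMIT = 150        # connection attempts per minute per protocol
WINDOW_SECONDS = 60.0


def check_limit(name: str, value: int) -> int:
    """Both statements accept a value from 1 through 250."""
    if not 1 <= value <= 250:
        raise ValueError(f"{name} must be 1 through 250, got {value}")
    return value


class ServiceLimiter:
    """Admission control for one access service (ssh, telnet, ftp or finger)."""

    def __init__(self, connection_limit: int = DEFAULT_CONNECTION_LIMIT,
                 rate_limit: int = DEFAULT_RATE_LIMIT) -> None:
        self.connection_limit = check_limit("connection-limit", connection_limit)
        self.rate_limit = check_limit("rate-limit", rate_limit)
        # one counter and one attempt window per address family (4 and 6)
        self.active: Dict[int, int] = {4: 0, 6: 0}
        self.attempts: Dict[int, Deque[float]] = {4: deque(), 6: deque()}

    def attempt(self, client: str, now: float) -> str:
        """Decide one connection attempt: accepted, rate-limited or connection-limited."""
        family = ip_address(client).version
        window = self.attempts[family]
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()                     # drop attempts older than a minute
        if len(window) >= self.rate_limit:
            return "rate-limited"                # too many attempts this minute
        window.append(now)                       # a refused session still counts as an attempt
        if self.active[family] >= self.connection_limit:
            return "connection-limited"          # too many simultaneous sessions
        self.active[family] += 1
        return "accepted"

    def close(self, client: str) -> None:
        """A session ended; free one slot for that client's address family."""
        family = ip_address(client).version
        if self.active[family] > 0:
            self.active[family] -= 1
```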
Starting in Junos OS Release 19.4R1, you can disable either the SSH login password or the
challenge-response authentication using the no-password-authentication and no-challenge-response
options at the [edit system services ssh] hierarchy level.
By default, a user can create an SSH tunnel over a CLI session to a router running Junos OS via SSH. This
type of tunnel could be used to forward TCP traffic, bypassing any firewall filters or access control lists
allowing access to resources beyond the router. Use the no-tcp-forwarding option to prevent a user from
creating an SSH tunnel to a router via SSH.
For information about other configuration settings, see the following topics:
By default, users are allowed to log in to the router or switch as root through SSH when the authentication
method does not require a password. To control user access through SSH, include the root-login statement
at the [edit system services ssh] hierarchy level:
deny—Disables users from logging in to the router or switch as root through SSH.
deny-password—Allows users to log in to the router or switch as root through SSH when the authentication
method (for example, RSA) does not require a password.
SSH File Transfer Protocol (SFTP) is a network protocol that provides file access, file transfer, and file
management over any reliable data stream. Starting in Junos OS Release 19.1R1, we have globally disabled
the incoming SFTP connections by default. If desired, you can globally enable incoming SFTP connections
by configuring the statement sftp-server at the [edit system services ssh] hierarchy level. Prior to Junos
OS Release 19.1R1, incoming SFTP connections were globally enabled by default.
NOTE: Only the incoming SFTP connections are disabled by default. For example, given devices
A and B (where device A is running 19.1R1), you cannot connect through SFTP from B to A by
default. However, you can connect through SFTP from device B to device A, if you configure
sftp-server on device A.
The incoming SFTP connections are disabled by default. To enable incoming SFTP connections:
1. Configure the sftp-server statement at the [edit system services ssh] hierarchy level:
The sftp-server statement is now active. Therefore, the incoming SFTP connections are enabled.
To configure the router or switch to use version 2 of the SSH protocol, include the protocol-version
statement and specify v2 at the [edit system services ssh] hierarchy level:
The client alive mechanism is valuable when the client or server depends on knowing when a connection
has become inactive. It differs from the standard TCP keepalive mechanism because the client alive messages
are sent through the encrypted channel. The client alive mechanism is not enabled by default. To enable
it, configure the client-alive-count-max and client-alive-interval statements. This option applies to SSH
protocol version 2 only.
In the following example, unresponsive SSH clients will be disconnected after approximately 100 seconds
(20 x 5).
SEE ALSO
ssh | 1271
To configure the hash algorithm used by the SSH server when it displays key fingerprints, include the
fingerprint-hash statement and specify md5 or sha2-256 at the [edit system services ssh] hierarchy level:
SEE ALSO
ssh | 1271
You can use the CLI telnet command to open a Telnet session to a remote device:
NOTE: On SRX100, SRX210, SRX220, SRX240, SRX300, SRX320, SRX340, SRX345, and SRX1500
devices, the maximum number of concurrent Telnet sessions is indicated in the following table.
Platform support depends on the Junos OS release in your installation.
Platform                    Maximum concurrent Telnet sessions
SRX100                      3
SRX210, SRX220              3
SRX240                      5
SRX300, SRX320, SRX340      3
SRX345                      5
SRX1500                     5
To exit the Telnet session and return to the Telnet command prompt, press Ctrl-].
To exit the Telnet session and return to the CLI command prompt, enter quit.
Option                                   Description
bypass-routing                           Bypass the routing tables and open a Telnet session only to hosts on directly attached interfaces. If the host is not on a directly attached interface, an error message is returned.
interface source-interface               Open a Telnet session to a host on the specified interface. If you do not include this option, all interfaces are used.
port port                                Specify the port number or service name on the host.
routing-instance routing-instance-name   Use the specified routing instance for the Telnet session.
source address                           Use the specified source address for the Telnet session.
You can use the CLI ssh command to use the secure shell (SSH) program to open a connection to a remote
device:
NOTE: On SRX100, SRX210, SRX220, SRX240, SRX300, SRX320, SRX340, SRX345, and SRX1500
devices, the maximum number of concurrent SSH sessions is indicated in the following table.
Platform support depends on the Junos OS release in your installation.
Platform                    Maximum concurrent SSH sessions
SRX100                      3
SRX210, SRX220              3
SRX240                      5
SRX300, SRX320, SRX340      3
SRX345                      5
SRX1500                     5
Option                                   Description
bypass-routing                           Bypass the routing tables and open an SSH connection only to hosts on directly attached interfaces. If the host is not on a directly attached interface, an error message is returned.
interface source-interface               Open an SSH connection to a host on the specified interface. If you do not include this option, all interfaces are used.
routing-instance routing-instance-name   Use the specified routing instance for the SSH connection.
source address                           Use the specified source address for the SSH connection.
Secure Shell (SSH) uses encryption algorithms to generate a host, server, and session key system that
ensures secure data transfer. You can configure SSH host keys to support secure copy (SCP) as an alternative
to FTP for the background transfer of data such as configuration archives and event logs. To configure
SSH support for SCP, you must complete the following tasks:
• Specify SSH known hosts by including hostnames and host key information in the Routing Engine
configuration hierarchy.
• Set an SCP URL to specify the host from which to receive data. Setting this attribute automatically
retrieves SSH host key information from the SCP server.
• Accept the secure connection. Accepting this connection automatically stores host key information in
the local host key database. Storing host key information in the configuration hierarchy automates the
secure handshake and allows background data transfer using SCP.
Tasks to configure SSH host keys for secure copying of data are:
To configure SSH known hosts, include the host statement, and specify hostname and host key options
for trusted servers at the [edit security ssh-known-hosts] hierarchy level:
• dsa-key key—Base64 encoded Digital Signature Algorithm (DSA) key for SSH version 2.
• rsa-key key—Base64 encoded public key algorithm that supports encryption and digital signatures for
SSH version 1 and SSH version 2.
• rsa1-key key—Base64 encoded RSA public key algorithm, which supports encryption and digital signatures
for SSH version 1.
Starting in Junos OS Release 18.3R1, the ssh-dss and ssh-dsa hostkey algorithms are deprecated—rather
than immediately removed—to provide backward compatibility and a chance to bring your configuration
into compliance with the new configuration.
To configure a known host to support background SCP file transfers, include the archive-sites statement
at the [edit system archival configuration] hierarchy level.
NOTE: When specifying a URL in a Junos OS statement using an IPv6 host address, you must
enclose the entire URL in quotation marks (" ") and enclose the IPv6 host address in brackets ([
]). For example, “scp://username<:password>@[host]<:port>/url-path”;
Setting the archive-sites statement to point to an SCP URL triggers automatic host key retrieval. At this
point, Junos OS connects to the SCP host to fetch the SSH public key, displays the host key message digest
or fingerprint as output to the console, and terminates the connection to the server.
To verify that the host key is authentic, compare this fingerprint with a fingerprint that you obtain from
the same host using a trusted source. If the fingerprints are identical, accept the host key by entering yes
at the prompt. The host key information is then stored in the Routing Engine configuration and supports
background data transfers using SCP.
Typically, SSH host key information is automatically retrieved when you set a URL attribute for SCP using
the archival configuration archive-sites statement at the [edit system] hierarchy level. However, if you
need to manually update the host key database, use one of the following methods.
Starting in Junos OS Release 16.1, the SSH server in Junos OS is based on OpenSSH 7 and defaults to a
more secure set of ciphers and key-exchange algorithms. OpenSSH 7 omits some legacy cryptography.
NOTE: Lack of support for legacy cryptography in devices causes Junos Space device discovery
to fail. To work around this issue, configure the device to support the 3des-cbc or blowfish-cbc
cipher, or both, and the dh-group1-sha1 key-exchange method. This issue does not affect devices
running Junos OS with upgraded FreeBSD.
Junos OS Release 16.1 supports the following ciphers by default:
• aes128-ctr
• aes192-ctr
• aes256-ctr
In Junos OS Release 16.1, the following ciphers are not supported by default, but you can configure your
device to support them. They are listed from the most secure to the least secure:
• aes256-cbc
• aes192-cbc
• aes128-cbc
• 3des-cbc
• blowfish-cbc
• cast128-cbc
• arcfour256
• arcfour128
• arcfour
Junos OS Release 16.1 supports the following set of key-exchange methods by default:
• curve25519-sha256
• ecdh-sha2-nistp256
• ecdh-sha2-nistp384
• ecdh-sha2-nistp521
• group-exchange-sha2
• dh-group14-sha1
In Junos OS Release 16.1, the following key-exchange methods are not supported by default, but you can
configure your device to support them:
• group-exchange-sha1
• dh-group1-sha1
1. Add support for ciphers by using the set system services ssh ciphers [ cipher 1 cipher 2 ... ] command.
We recommend that you add the ciphers to the end of the configuration list so that they are among
the last options used. In the following example, the 3des-cbc and blowfish-cbc ciphers are added to
the default set:
2. Add support for key-exchange methods by using the set system services ssh key-exchange [ method
1 method 2 ... ] command. We recommend that you add the key-exchange methods to the end of the
configuration list so that they are among the last options used. In the following example, the
dh-group1-sha1 key-exchange method is added to the default set:
[edit]
user@device# commit
SEE ALSO
key-exchange | 1163
You can configure a device running the Junos OS to initiate a TCP/IP connection with a client management
application that would be blocked if the client attempted to initiate the connection (for example, if the
device is behind a firewall). The outbound-ssh command instructs the device to create a TCP/IP connection
with the client management application and to forward the identity of the device. Once the connection is
established, the management application acts as the client and initiates the SSH sequence, and the device
acts as the server and authenticates the client.
NOTE: There is no initiation command with outbound SSH. Once outbound SSH is configured
and committed, the device begins to initiate an outbound SSH connection based on the committed
configuration. The device repeatedly attempts to create this connection until successful. If the
connection between the device and the client management application is dropped, the device
again attempts to create a new outbound SSH connection until successful. This connection is
maintained until the outbound SSH stanza is removed from the configuration.
To configure the device for outbound SSH connections, include the outbound-ssh statement at the [edit
system services] hierarchy level:
The following topics describe the tasks for configuring the outbound SSH service:
Sending the Public SSH Host Key to the Outbound SSH Client | 271
Configuring the Outbound SSH Client to Accept NETCONF as an Available Service | 273
Each time the device establishes an outbound SSH connection, it first sends an initiation sequence to the
management client. This sequence identifies the device to the management client. Within this transmission
is the value of device-id.
To configure the device identifier of the device, include the device-id statement at the [edit system services
outbound-ssh client client-id] hierarchy level:
MSG-ID: DEVICE-CONN-INFO\r\n
MSG-VER: V1\r\n
DEVICE-ID: <device-id>\r\n
Sending the Public SSH Host Key to the Outbound SSH Client
During the initialization of an SSH connection, the client authenticates the identity of the device using the
public SSH host key of the device. Therefore, before the client can initiate the SSH sequence, it needs the
public SSH key of the device. When you configure the secret statement, the device passes its public SSH
key as part of the outbound SSH connection initiation sequence.
When the secret statement is set and the device establishes an outbound SSH connection, the device
communicates its device ID, its public SSH key, and an SHA1 hash derived in part from the secret statement.
The value of the secret statement is shared between the device and the management client. The client
uses the shared secret to authenticate the public SSH host key it is receiving to determine whether the
public key is from the device identified by the device-id statement.
Using the secret statement to transport the public SSH host key is optional. You can manually transport
and install the public key onto the client system.
NOTE: Including the secret statement means that the device sends its public SSH host key every
time it establishes a connection to the client. It is then up to the client to decide what to do with
the SSH host key if it already has one for that device. We recommend that you replace the client’s
copy with the new key. Host keys can change for various reasons and by replacing the key each
time a connection is established, you ensure that the client has the latest key.
To send the router’s or switch’s public SSH host key when the device connects to the client, include the
secret statement at the [edit system services outbound-ssh client client-id] hierarchy level:
The following message is sent by the device when the secret attribute is configured:
MSG-ID: DEVICE-CONN-INFO\r\n
MSG-VER: V1\r\n
DEVICE-ID: <device-id>\r\n
HOST-KEY: <public-host-key>\r\n
HMAC: <HMAC(pub-SSH-host-key, <secret>)>\r\n
Once the client application has the router’s or switch’s public SSH host key, it can then initiate the SSH
sequence as if it had created the TCP/IP connection and can authenticate the device using its copy of the
router’s or switch’s public host SSH key as part of that sequence. The device authenticates the client user
through the mechanisms supported in the Junos OS (RSA/DSA public string or password authentication).
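As an added example that is not Juniper's code or the actual Junos implementation, the following Python models the DEVICE-CONN-INFO exchange described above: the device builds the initiation message, and the management client checks HOST-KEY against the shared secret before storing or replacing its copy, falls back to manual key installation when no secret was configured, and rejects a message whose HMAC does not verify. The exact HMAC construction (HMAC-SHA1 keyed with the secret over the host-key text, hex-encoded), the device ID, host key and secret are assumptions.

```python
"""Model of the outbound SSH initiation sequence (MSG-ID: DEVICE-CONN-INFO)."""
import hashlib
import hmac
from typing import Dict, Optional

# Assumption: the guide only says the hash is SHA1-based and derived from the
# secret; HMAC-SHA1 keyed with the secret over the host-key text is assumed.
HMAC_DIGEST = hashlib.sha1


def build_conn_info(device_id: str, host_key: Optional[str], secret: Optional[str]) -> bytes:
    """Device side: the HOST-KEY and HMAC lines are only sent when a secret is configured."""
    lines = ["MSG-ID: DEVICE-CONN-INFO", "MSG-VER: V1", f"DEVICE-ID: {device_id}"]
    if secret is not None and host_key is not None:
        mac = hmac.new(secret.encode(), host_key.encode(), HMAC_DIGEST).hexdigest()
        lines += [f"HOST-KEY: {host_key}", f"HMAC: {mac}"]
    return "\r\n".join(lines).encode("ascii") + b"\r\n"


def parse_conn_info(raw: bytes) -> Dict[str, str]:
    """Split the CRLF-terminated 'NAME: value' lines and check the message header."""
    fields: Dict[str, str] = {}
    for line in raw.decode("ascii").split("\r\n"):
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        fields[name.strip()] = value.strip()
    if fields.get("MSG-ID") != "DEVICE-CONN-INFO" or fields.get("MSG-VER") != "V1":
        raise ValueError("not a V1 DEVICE-CONN-INFO message")
    if "DEVICE-ID" not in fields:
        raise ValueError("missing DEVICE-ID")
    return fields


def accept_host_key(raw: bytes, secret: str, known_hosts: Dict[str, str]) -> str:
    """Management client side.

    Returns 'manual' (no HOST-KEY sent; install the key out of band),
    'rejected' (HMAC missing or does not verify; key not stored),
    'unchanged' (verified, same key already stored) or
    'updated' (verified; stored copy replaced, as the guide recommends).
    """
    fields = parse_conn_info(raw)
    device_id = fields["DEVICE-ID"]
    if "HOST-KEY" not in fields:
        return "manual"
    if "HMAC" not in fields:
        return "rejected"
    expected = hmac.new(secret.encode(), fields["HOST-KEY"].encode(), HMAC_DIGEST).hexdigest()
    if not hmac.compare_digest(expected, fields["HMAC"].lower()):
        return "rejected"
    if known_hosts.get(device_id) == fields["HOST-KEY"]:
        return "unchanged"
    known_hosts[device_id] = fields["HOST-KEY"]
    return "updated"


if __name__ == "__main__":
    # Constructed values: hypothetical device ID, host key and shared secret.
    msg = build_conn_info("branch-rtr-01", "ssh-rsa AAAACONSTRUCTEDKEY", "example-shared-secret")
    store: Dict[str, str] = {}
    print(msg.decode("ascii"))
    print(accept_host_key(msg, "example-shared-secret", store), store)
```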
To enable the device to send SSH protocol keepalive messages to the client application, configure the
keep-alive statement at the [edit system services outbound-ssh client client-id] hierarchy level:
When disconnected, the device begins to initiate a new outbound SSH connection. To specify how the
device reconnects to the server after a connection is dropped, include the reconnect-strategy statement
at the [edit system services outbound-ssh client client-id] hierarchy level:
You can also specify the number of retry attempts and set the amount of time before the reconnection
attempts stop. See “Configuring Keepalive Messages for Outbound SSH Connections” on page 272.
To configure the application to accept NETCONF as an available service, include the services netconf
statement at the [edit system services outbound-ssh client client-id] hierarchy level:
To configure the clients available for this outbound SSH connection, list each client with a separate address
statement at the [edit system services outbound-ssh client client-id] hierarchy level:
port port-number;
}
NOTE: Outbound SSH connections support IPv4 and IPv6 address formats.
(SRX Series and MX Series only) Starting in Junos OS Release 19.3R1, you can specify the name of the
routing instance on which the outbound SSH connectivity needs to be established by including the
routing-instance statement at the [edit system services outbound-ssh] hierarchy level:
To use the management routing instance, first enable the mgmt_junos routing instance using the set system
management-instance command.
To use any other routing instance, first configure the routing instance at the [edit routing-instances]
hierarchy.
If you do not specify a routing instance, your device will establish the outbound SSH connection using the
default routing table.
The Junos OS enables you to restrict incoming NETCONF connections to a specified TCP port without
configuring a firewall. To configure the TCP port used for NETCONF-over-SSH connections, include the
port statement at the [edit system services netconf ssh] hierarchy level. The configured port accepts only
NETCONF-over-SSH sessions. Regular SSH session requests for this port are rejected.
You can either configure the default port 830 for NETCONF connections over SSH, as specified in RFC
4742, Using the NETCONF Configuration Protocol over Secure Shell (SSH), or configure any port from 1
through 65535.
NOTE:
• The default SSH port (22) continues to accept NETCONF sessions even with a configured
NETCONF server port. To disable the SSH port from accepting NETCONF sessions, specify
this in the login event script.
• We do not recommend configuring the default ports for FTP (21) and Telnet (23) services for
configuring NETCONF-over-SSH connections.
To prevent brute force and dictionary attacks, the device performs the following actions for Telnet or SSH
sessions by default:
• After the second password retry, introduces a delay in multiples of 5 seconds between subsequent
password retries.
For example, the device introduces a delay of 5 seconds between the third and fourth password retry,
a delay of 10 seconds between the fourth and fifth password retry, and so on.
• Enforces a minimum session time of 20 seconds during which a session cannot be disconnected.
Configuring the minimum session time prevents malicious users from disconnecting sessions before the
password retry delay goes into effect, and attempting brute force and dictionary attacks with multiple
logins.
You can configure the password retry limits for Telnet and SSH access. In this example, you configure the
device to take the following actions for Telnet and SSH sessions:
• Introduce a delay in multiples of 5 seconds between password retries that occur after the second
password retry.
• Enforce a minimum session time of 40 seconds during which a session cannot be disconnected.
1. Set the maximum number of consecutive password retries before a Telnet or SSH session is
disconnected. The default number is 10, but you can set a number from 1 through 10.
2. Set the threshold number of password retries after which a delay is introduced between two consecutive
password retries. The default number is 2, but you can specify a value from 1 through 3.
3. Set the delay (in seconds) between consecutive password retries after the threshold number of password
retries. The default delay is in multiples of 5 seconds, but you can specify a value from 5 through 10
seconds.
4. Set the minimum length of time (in seconds) during which a Telnet or SSH session cannot be
disconnected. The default is 20 seconds, but you can specify an interval from 20 through 60 seconds.
5. If you are done configuring the device, enter commit from configuration mode.
IN THIS SECTION
Requirements | 277
Overview | 277
Configuration | 277
Verification | 280
Requirements
You must have access to a remote host that has network connectivity with this device.
Overview
In this example, you create an IPv4 stateless firewall filter that logs and rejects Telnet or SSH access packets
unless the packet is destined for or originates from the 192.168.1.0/24 subnet.
• To match packets originating from the 192.168.1.0/24 subnet, you use the source-address 192.168.1.0/24
IPv4 match condition.
• To match TCP packets whose source or destination port is the Telnet or SSH port, you use the protocol
tcp, port telnet, and port ssh IPv4 match conditions.
Configuration
The following example requires you to navigate various levels in the configuration hierarchy. For information
about navigating the CLI, see Using the CLI Editor in Configuration Mode.
To quickly configure this example, copy the following commands, paste them into a text file, remove any
line breaks, change any details necessary to match your network configuration, copy and paste the
commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set firewall family inet filter local_acl term terminal_access from source-address 192.168.1.0/24
set firewall family inet filter local_acl term terminal_access from protocol tcp
set firewall family inet filter local_acl term terminal_access from port ssh
set firewall family inet filter local_acl term terminal_access from port telnet
set firewall family inet filter local_acl term terminal_access then accept
set firewall family inet filter local_acl term terminal_access_denied from protocol tcp
set firewall family inet filter local_acl term terminal_access_denied from port ssh
set firewall family inet filter local_acl term terminal_access_denied from port telnet
set firewall family inet filter local_acl term terminal_access_denied then log
set firewall family inet filter local_acl term terminal_access_denied then reject
set firewall family inet filter local_acl term default-term then accept
set interfaces lo0 unit 0 family inet filter input local_acl
set interfaces lo0 unit 0 family inet address 127.0.0.1/32
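As an added example that is not part of the original guide, the following Python walks constructed packets through the three local_acl terms in the order Junos evaluates them (first matching term wins), showing which term each packet hits, which packets are logged, and that the port condition matches either the source or the destination port. The device address 192.0.2.1 and the sample packets are constructed for the example.

```python
"""Evaluate the local_acl stateless filter from the example over sample packets."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Well-known ports behind the service names the filter uses.
SERVICE_PORTS = {"ssh": 22, "telnet": 23}
DEVICE = "192.0.2.1"  # constructed address of the device whose lo0 carries the filter


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str  # "tcp", "udp", "icmp"
    sport: int = 0
    dport: int = 0


@dataclass
class Term:
    name: str
    source_address: Optional[str] = None   # from source-address <prefix>
    protocol: Optional[str] = None         # from protocol <name>
    port: Tuple[str, ...] = ()             # from port [ ... ]: source OR destination port
    log: bool = False                      # then log
    action: str = "accept"                 # then accept | reject | discard

    def matches(self, pkt: Packet) -> bool:
        if self.source_address and ip_address(pkt.src) not in ip_network(self.source_address):
            return False
        if self.protocol and pkt.protocol != self.protocol:
            return False
        if self.port:
            wanted = {SERVICE_PORTS[name] for name in self.port}
            if pkt.sport not in wanted and pkt.dport not in wanted:
                return False
        return True


# The three terms of filter local_acl exactly as the example commits them.
LOCAL_ACL = [
    Term("terminal_access", source_address="192.168.1.0/24", protocol="tcp",
         port=("ssh", "telnet"), action="accept"),
    Term("terminal_access_denied", protocol="tcp", port=("ssh", "telnet"),
         log=True, action="reject"),
    Term("default-term", action="accept"),
]


def apply_filter(terms: List[Term], pkt: Packet, log: List[dict]) -> Tuple[str, str]:
    """Return (term name, action) of the first matching term; record logged hits."""
    for term in terms:
        if term.matches(pkt):
            if term.log:
                log.append({"term": term.name, "src": pkt.src, "dst": pkt.dst,
                            "protocol": pkt.protocol, "sport": pkt.sport, "dport": pkt.dport})
            return term.name, term.action
    return "<end of filter>", "discard"  # Junos discards when no term matches


def run_sample() -> Tuple[List[Tuple[str, str]], List[dict]]:
    """Constructed packets arriving on lo0; returns per-packet results and the log."""
    packets = [
        Packet("192.168.1.10", DEVICE, "tcp", 51000, 22),   # SSH from inside subnet
        Packet("203.0.113.5", DEVICE, "tcp", 51001, 22),    # SSH from outside
        Packet("203.0.113.5", DEVICE, "tcp", 51002, 23),    # Telnet from outside
        Packet("203.0.113.5", DEVICE, "tcp", 51003, 179),   # BGP from outside: not terminal access
        Packet("203.0.113.5", DEVICE, "tcp", 22, 51004),    # source port 22: port matches either side
        Packet("203.0.113.5", DEVICE, "udp", 51005, 22),    # UDP/22: protocol tcp does not match
    ]
    log: List[dict] = []
    results = [apply_filter(LOCAL_ACL, pkt, log) for pkt in packets]
    return results, log


if __name__ == "__main__":
    for (term, action), entry in zip(*run_sample(), [None] * 6):
        print(f"{term:24} {action}")
```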
Step-by-Step Procedure
To configure the stateless firewall filter that selectively blocks Telnet and SSH access:
[edit]
user@myhost# edit firewall family inet filter local_acl
Step-by-Step Procedure
[edit]
user@myhost# set interfaces lo0 unit 0 family inet filter input local_acl
user@myhost# set interfaces lo0 unit 0 family inet address 127.0.0.1/32
Step-by-Step Procedure
To confirm and then commit your candidate configuration:
1. Confirm the configuration of the stateless firewall filter by entering the show firewall configuration
mode command. If the command output does not display the intended configuration, repeat the
instructions in this example to correct the configuration.
[edit]
user@myhost# show firewall
family inet {
filter local_acl {
term terminal_access {
from {
source-address {
192.168.1.0/24;
}
protocol tcp;
port [ssh telnet];
}
then accept;
}
term terminal_access_denied {
from {
protocol tcp;
port [ssh telnet];
}
then {
log;
reject;
}
}
term default-term {
then accept;
}
}
}
2. Confirm the configuration of the interface by entering the show interfaces configuration mode command.
If the command output does not display the intended configuration, repeat the instructions in this
example to correct the configuration.
[edit]
user@myhost# show interfaces
lo0 {
unit 0 {
family inet {
filter {
input local_acl;
}
address 127.0.0.1/32;
}
}
}
3. If you are done configuring the device, commit your candidate configuration.
[edit]
user@myhost# commit
Verification
Purpose
Verify that the actions of the firewall filter terms are taken.
Action
1. Clear the firewall log on your router or switch.
2. From a host at an IP address within the 192.168.1.0/24 subnet, use the ssh hostname command to
verify that you can log in to the device using only SSH. This packet should be accepted, and the packet
header information for this packet should not be logged in the firewall filter log buffer in the Packet
Forwarding Engine.
user@myhost’s password:
--- JUNOS 11.1-20101102.0 built 2010-11-02 04:48:46 UTC
% cli
user@myhost>
3. From a host at an IP address within the 192.168.1.0/24 subnet, use the telnet hostname command to
verify that you can log in to your router or switch using only Telnet. This packet should be accepted,
and the packet header information for this packet should not be logged in the firewall filter log buffer
in the Packet Forwarding Engine.
Trying 192.168.249.71...
Connected to myhost-fxp0.example.net.
Escape character is '^]'.
host (ttyp0)
login: user
Password:
% cli
user@myhost>
4. Use the show firewall log command to verify that the firewall log on the device does not contain any
entries with a source address in the 192.168.1.0/24 subnet.
Purpose
Verify that the actions of the firewall filter terms are taken.
Action
1. Clear the firewall log on your router or switch.
2. From a host at an IP address outside of the 192.168.1.0/24 subnet, use the ssh hostname command to
verify that you cannot log in to the device using only SSH. This packet should be rejected, and the
packet header information for this packet should be logged in the firewall filter log buffer in the Packet
Forwarding Engine.
3. From a host at an IP address outside of the 192.168.1.0/24 subnet, use the telnet hostname command
to verify that you cannot log in to the device using only Telnet. This packet should be rejected, and the
packet header information for this packet should be logged in the firewall filter log buffer in the Packet
Forwarding Engine.
Trying 192.168.249.71...
telnet: connect to address 192.168.187.3: Connection refused
telnet: Unable to connect to remote host
%
4. Use the show firewall log command to verify that the firewall log on the device does not contain any
entries with a source address in the 192.168.1.0/24 subnet.
Release   Description
19.4R1    Starting in Junos OS Release 19.4R1, you can disable either the SSH login password or the challenge-response authentication using the no-password-authentication and no-challenge-response options at the [edit system services ssh] hierarchy level.
19.1R1    Starting in Junos OS Release 19.1R1, we have globally disabled the incoming SFTP connections by default. If desired, you can globally enable incoming SFTP connections by configuring the statement sftp-server at the [edit system services ssh] hierarchy level.
18.3R1    Starting in Junos OS Release 18.3R1, the ssh-dss and ssh-dsa hostkey algorithms are deprecated—rather than immediately removed—to provide backward compatibility and a chance to bring your configuration into compliance with the new configuration.
Junos OS allows the use of USB modems for remote management on SRX Series devices. You can use
Telnet or SSH to connect to the device from a remote location through two modems over a telephone
network. For more information, read this topic.
Juniper Networks SRX Series devices support the use of USB modems for remote management. You can
use Telnet or SSH to connect to the device from a remote location through two modems over a telephone
network. The USB modem is connected to the USB port on the device, and a second modem is connected
to a remote management device such as a PC or laptop computer.
NOTE: USB modems are no longer supported for dial backup on SRX300, SRX320, SRX340,
SRX345, SRX380, and SRX550HM devices.
You can configure your device to fail over to a USB modem connection when the primary Internet
connection experiences interruption.
A USB modem connects to a device through modem interfaces that you configure. The device applies its
own modem AT commands to initialize the attached modem. Modem setup requires that you connect and
configure the USB modem at the device and the modem at the user end of the network.
You use either the J-Web configuration editor or CLI configuration editor to configure the USB modem
and its supporting dialer interfaces.
NOTE: Low-latency traffic such as VoIP traffic is not supported over USB modem connections.
NOTE: We recommend using a US Robotics USB 56k V.92 Modem, model number USR Model
5637.
• A physical interface which uses the naming convention umd0. The device creates this interface when a
USB modem is connected to the USB port.
• A logical interface called the dialer interface. You use the dialer interface, dln, to configure dialing
properties for USB modem connections. The dialer interface can be configured using Point-to-Point
Protocol (PPP) encapsulation. You can also configure the dialer interface to support authentication
protocols—PPP Challenge Handshake Authentication Protocol (CHAP) or Password Authentication Protocol
(PAP). You can configure multiple dialer interfaces for different functions on the device. After configuring
the dialer interface, you must configure a backup method such as a dialer backup, a dialer filter, or a
dialer watch.
The USB modem provides a dial-in remote management interface, and supports dialer interface features
by sharing the same dial pool as a dialer interface. The dial pool allows the logical dialer interface and the
physical interface to be bound together dynamically on a per-call basis. You can configure the USB modem
to operate either as a dial-in console for management or as a dial-in WAN backup interface. Dialer pool
priority has a range from 1 to 255, with 1 designating the lowest priority interfaces and 255 designating
the highest priority interfaces.
The following rules apply when you configure dialer interfaces for USB modem connections:
• The dialer interface must be configured to use PPP encapsulation. You cannot configure Cisco High-Level
Data Link Control (HDLC) or Multilink PPP (MLPPP) encapsulation on dialer interfaces.
• The dialer interface can perform backup, dialer filter, and dialer watch functions, but these operations
are mutually exclusive. You can configure a single dialer interface to operate in only one of the following
ways:
• As a dialer filter
The backup dialer interfaces are activated only when the primary interface fails. USB modem backup
connectivity is supported on all interfaces except lsq-0/0/0.
The dial-on-demand routing backup method allows a USB modem connection to be activated only when
network traffic configured as an “interesting packet” arrives on the network. Once the network traffic is
sent, an inactivity timer is triggered and the connection is closed. You define an interesting packet using
the dialer filter feature of the device. To configure dial-on-demand routing backup using a dialer filter, you
first configure the dialer filter and then apply the filter to the dialer interface.
Dialer watch is a backup method that integrates backup dialing with routing capabilities and provides
reliable connectivity without relying on a dialer filter to trigger outgoing USB modem connections. With
dialer watch, the device monitors the existence of a specified route. If the route disappears, the dialer
interface initiates the USB modem connection as a backup connection.
When you connect the USB modem to the USB port on the device, the device applies the modem AT
commands configured in the init-command-string command to the initialization commands on the modem.
If you do not configure modem AT commands for the init-command-string command, the device applies
the following default sequence of initialization commands to the modem: AT S7=45 S0=0 V1 X4 &C1 E0
Q0 &Q8 %C0. Table 19 on page 286 describes the commands. For more information about these commands,
see the documentation for your modem.
S0=0   Disables the auto answer feature, whereby the modem automatically answers calls.
&C1    Disables reset of the modem when it loses the carrier signal.
E0     Disables the display on the local terminal of commands issued to the modem from the local terminal.
When the device applies the modem AT commands in the init-command-string command or the default
sequence of initialization commands to the modem, it compares them to the initialization commands already
configured on the modem and makes the following changes:
• If the commands are the same, the device overrides existing modem values that do not match. For
example, if the initialization commands on the modem include S0=0 and the device’s init-command-string
command includes S0=2, the device applies S0=2.
• If the initialization commands on the modem do not include a command in the device’s
init-command-string command, the device adds it. For example, if the init-command-string command
includes the command L2, but the modem commands do not include it, the device adds L2 to the
initialization commands configured on the modem.
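The two merge rules above, as an added example that is not from the Junos OS documentation or any Juniper implementation. The AT command grammar it parses (an optional &, % or \ prefix, one letter and a value, with S registers written S<n>=<v>) and the rendering of the result as one string are assumptions of the example:

```python
"""Merge a device init-command-string into a modem's initialization commands.

Added example, not Junos OS code. It models the two rules the guide states:
a command the modem already has takes the device's value (override), and a
command the modem lacks is added. Tokenization of AT commands is assumed.
"""
import re
from typing import Dict, List, Tuple

# One AT command: optional &, % or \ prefix, one letter, optional S-register
# number, optional '=' and a numeric value.  Assumed grammar for this example.
_CMD = re.compile(r"([&%\\]?[A-Za-z])(\d*)(?:=(\d+))?")

# Default initialization sequence quoted in the guide.
DEFAULT_INIT = "AT S7=45 S0=0 V1 X4 &C1 E0 Q0 &Q8 %C0"


def parse_init_string(init: str) -> List[Tuple[str, str]]:
    """Split an init string such as 'AT S7=45 S0=0 V1' into (key, value) pairs.

    The leading 'AT' is dropped.  For an S register the key is 'S7' and the
    value '45'; for a plain command such as 'V1' the key is 'V' and the
    value '1'.  Spaces and a trailing newline (as in "ATS0=2 \n") are ignored.
    """
    body = init.strip()
    if body.upper().startswith("AT"):
        body = body[2:]
    pairs: List[Tuple[str, str]] = []
    for match in _CMD.finditer(body.replace(" ", "")):
        letter, num, reg_val = match.groups()
        if reg_val is not None:            # S-register form: S0=2
            pairs.append((letter.upper() + num, reg_val))
        else:                              # plain form: V1, &C1, %C0
            pairs.append((letter.upper(), num))
    return pairs


def _render(key: str, value: str) -> str:
    """Render a (key, value) pair back into AT syntax."""
    if key[0] == "S" and key[1:].isdigit():
        return f"{key}={value}"            # S register: S0=2
    return f"{key}{value}"                 # plain command: V1, &C1, L2


def merge_init_commands(modem_cmds: str, device_cmds: str) -> str:
    """Apply the device's init-command-string on top of the modem's commands.

    Keys already present keep their position but take the device's value
    (rule 1); keys the modem lacks are appended (rule 2).  Relies on dict
    insertion order being preserved.
    """
    merged: Dict[str, str] = dict(parse_init_string(modem_cmds))
    for key, value in parse_init_string(device_cmds):
        merged[key] = value                # overrides or appends as needed
    return "AT " + " ".join(_render(k, v) for k, v in merged.items())
```

With the guide's default sequence on the modem and an init-command-string of "ATS0=2 L2", the result keeps every default but S0, which becomes S0=2, and gains L2 at the end.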
NOTE: On SRX210 devices, the USB modem interface can handle bidirectional traffic of up to
19 Kbps. On oversubscription of this amount (that is, bidirectional traffic of 20 Kbps or above),
keepalives do not get exchanged, and the interface goes down. (Platform support depends on
the Junos OS release in your installation.)
NOTE: USB modems are no longer supported for dial backup on SRX300, SRX320, SRX340,
and SRX345 devices.
1. Install device hardware. For more information, see the Getting Started Guide for your device.
2. Establish basic connectivity. For more information, see the Getting Started Guide for your device.
3. Order a US Robotics USB 56k V.92 Modem, model number USR Model 5637 (http://www.usr.com/).
4. Order a public switched telephone network (PSTN) line from your telecommunications service provider.
Contact your service provider for more information.
NOTE: When you connect the USB modem to the USB port on the device, the USB modem
is initialized with the modem initialization string configured for the USB modem interface on
the device.
Suppose you have a branch office router and a head office router each with a USB modem interface and
a dialer interface. This example shows you how to establish a backup connection between the branch
office and head office routers. See Table 20 on page 289 for a summarized description of the procedure.
Table 20: Configuring Branch Office and Head Office Routers for USB Modem Backup Connectivity

Location: Branch Office
Task: Configure the logical dialer interface on the branch office router for USB modem dial backup.
Reference: To configure the logical dialer interface, see “Example: Configuring a USB Modem Interface” on page 290.

Location: Branch Office
Task: Configure the dialer interface dl0 on the branch office router using one of the following backup methods:
• Configure the dialer interface dl0 as the backup interface on the branch office router's primary T1 interface t1-1/0/0.
• Configure a dialer filter on the branch office router's dialer interface.
• Configure a dialer watch on the branch office router's dialer interface.
Reference: Configure the dialer interface using one of the following backup methods:
• To configure dl0 as a backup for t1-1/0/0, see Example: Configuring Dialer Interfaces and Backup Methods for USB Modem Dial Backup.
• To configure a dialer filter on dl0, see Example: Configuring Dialer Interfaces and Backup Methods for USB Modem Dial Backup.
• To configure a dialer watch on dl0, see Example: Configuring Dialer Interfaces and Backup Methods for USB Modem Dial Backup.

Location: Head Office
Task: Configure dial-in on the dialer interface dl0 on the head office router.
Reference: To configure dial-in on the head office router, see “Example: Configuring a Dialer Interface for USB Modem Dial-In” on page 298.
If the dialer interface is configured to accept only calls from a specific caller ID, the device matches the
incoming call's caller ID against the caller IDs configured on its dialer interfaces. If an exact match is not
found and the incoming call's caller ID has more digits than the configured caller IDs, the device performs
a right-to-left match of the incoming call's caller ID with the configured caller IDs and accepts the incoming
call if a match is found. For example, if the incoming call's caller ID is 4085321091 and the caller ID
configured on a dialer interface is 5321091, the incoming call is accepted. Each dialer interface accepts
calls from only callers whose caller IDs are configured on it.
See Table 21 on page 290 for a list of available incoming map options.
Option Description
accept-all: You can configure the accept-all option for only one of the dialer interfaces associated with a USB modem physical interface. The dialer interface with the accept-all option configured is used only if the incoming call's caller ID does not match the caller IDs configured on other dialer interfaces.
caller: Dialer interface accepts calls from a specific caller ID. You can configure a maximum of 15 caller IDs per dialer interface.
You configure dialer interfaces to support PAP. PAP is a simple method for a peer to establish its
identity using a two-way handshake during initial link establishment. After the link is established, an ID
and password pair is sent repeatedly by the peer to the authenticator until authentication is acknowledged
or the connection is terminated.
This example shows how to configure a USB modem interface for dial backup.
NOTE: USB modems are no longer supported for dial backup on SRX300, SRX320, SRX340,
and SRX345 devices.
Requirements
No special configuration beyond device initialization is required before configuring this feature.
Overview
In this example, you create an interface called umd0 for USB modem connectivity and set the dialer
pool priority to 25. You also configure a modem initialization string to autoanswer after a specified number
of rings. The default modem initialization string is AT S7=45 S0=0 V1 X4 &C1 E0 Q0 &Q8 %C0. The
modem command S0=0 disables the modem from autoanswering the calls. Finally, you set the modem to
act as a dial-in WAN backup interface.
Configuration
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions
on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
1. Create an interface.
[edit]
user@host# edit interfaces umd0
Results
From configuration mode, confirm your configuration by entering the show interface umd0 command. If
the output does not display the intended configuration, repeat the configuration instructions in this example
to correct it.
[edit]
user@host# show interface umd0
modem-options {
init-command-string "ATS0=2 \n";
dialin routable;
}
dialer-options {
pool usb-modem-dialer-pool priority 25;
}
If you are done configuring the device, enter commit from configuration mode.
Verification
Purpose
Verify a USB modem interface for dial backup.
Action
From configuration mode, enter the show interfaces umd0 extensive command. The output shows a
summary of interface information and displays the modem status.
This example shows how to configure a logical dialer interface for an SRX300, SRX320, SRX340, or SRX345
device.
Requirements
• Install device hardware and establish basic connectivity. See the Getting Started Guide for your device.
• Order a US Robotics USB 56k V.92 Modem, model number USR Model 5637, from US Robotics
(http://www.usr.com/).
• Order a dial-up modem for the PC or laptop computer at the remote location from where you want to
connect to the device.
• Order a PSTN line from your telecommunications service provider. Contact your service provider.
Overview
In this example, you configure a logical dialer interface called dl0 to establish USB connectivity. You can
configure multiple dialer interfaces for different functions on the device. You add a description to
differentiate among different dialer interfaces. For example, this modem is called
USB-modem-remote-management. Configure PPP encapsulation and set the logical unit as 0. You then
specify the name of the dialer pool as usb-modem-dialer-pool and set the source and destination IP
addresses as 172.20.10.2, and 172.20.10.1, respectively.
NOTE: You cannot configure Cisco High-Level Data Link Control (HDLC) or Multilink PPP
(MLPPP) encapsulation on dialer interfaces used in USB modem connections.
NOTE: If you configure multiple dialer interfaces, ensure that the same IP subnet address is not
configured on different dialer interfaces. Configuring the same IP subnet address on multiple
dialer interfaces can result in inconsistency in the route and packet loss. The device might route
packets through another dialer interface with the IP subnet address instead of through the dialer
interface to which the USB modem call is mapped.
Configuration
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions
on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
1. Create an interface.
[edit]
user@host# set interfaces dl0
4. Configure the name of the dialer pool to use for USB modem connectivity.
Results
From configuration mode, confirm your configuration by entering the show interfaces dl0 command. If
the output does not display the intended configuration, repeat the configuration instructions in this example
to correct it.
[edit]
user@host# show interfaces dl0
description USB-modem-remote-management;
encapsulation ppp;
unit 0 {
family inet {
address 172.20.10.2/32 {
destination 172.20.10.1;
}
}
dialer-options {
pool usb-modem-dialer-pool;
}
}
If you are done configuring the device, enter commit from configuration mode.
Verification
Purpose
Verify that the dialer interface has been configured.
Action
From configuration mode, enter the show interfaces dl0 extensive command. The output shows a summary
of dialer interface information.
Logical interface dl0.0 (Index 70) (SNMP ifIndex 75) (Generation 146)
Description: USB-modem-remote-management
Flags: Point-To-Point SNMP-Traps 0x4000 LinkAddress 23-0 Encapsulation: PPP
Dialer:
State: Active, Dial pool: usb-modem-dialer-pool
Dial strings: 220
Subordinate interfaces: umd0 (Index 64)
Activation delay: 0, Deactivation delay: 0
Initial route check delay: 120
Redial delay: 3
Callback wait period: 5
Load threshold: 0, Load interval: 60
Bandwidth: 115200
Traffic statistics:
Input bytes : 24839
Output bytes : 17792
Input packets: 489
Output packets: 340
Local statistics:
Input bytes : 10980
Output bytes : 17792
Input packets: 172
Output packets: 340
Transit statistics:
Input bytes : 13859 0 bps
Output bytes : 0 0 bps
Input packets: 317 0 pps
Output packets: 0 0 pps
LCP state: Opened
NCP state: inet: Opened, inet6: Not-configured, iso: Not-configured,
mpls: Not-configured
CHAP state: Success
Protocol inet, MTU: 1500, Generation: 136, Route table: 0
Flags: None
Addresses, Flags: Is-Preferred Is-Primary
Destination: 172.20.10.1, Local: 172.20.10.2, Broadcast: Unspecified,
Generation: 134
This example shows how to configure a dialer interface for USB modem dial-in.
NOTE: USB modems are no longer supported for dial-in to a dialer interface on SRX300, SRX320,
SRX340, and SRX345 devices.
Requirements
No special configuration beyond device initialization is required before configuring this feature.
Overview
To enable connections to the USB modem from a remote location, you must configure the dialer interfaces
set up for USB modem use to accept incoming calls. You can configure a dialer interface to accept all
incoming calls or accept only calls from one or more caller IDs.
If the dialer interface is configured to accept only calls from a specific caller ID, the system matches the
incoming call's caller ID against the caller IDs configured on its dialer interfaces. If an exact match is not
found and the incoming call's caller ID has more digits than the configured caller IDs, the system performs
a right-to-left match of the incoming call's caller ID with the configured caller IDs and accepts the incoming
call if a match is found. For example, if the incoming call's caller ID is 4085550115 and the caller ID
configured on a dialer interface is 5550115, the incoming call is accepted. Each dialer interface accepts
calls from only callers whose caller IDs are configured on it.
You can configure the following incoming map options for the dialer interface:
• accept-all—You can configure the accept-all option for only one of the dialer interfaces associated with a USB
modem physical interface. The device uses the dialer interface with the accept-all option configured
only if the incoming call's caller ID does not match the caller IDs configured on other dialer interfaces.
• caller—Dialer interface accepts calls from a specific caller ID, for example 4085550115. You can
configure a maximum of 15 caller IDs per dialer interface.
The same caller ID must not be configured on different dialer interfaces. However, you can configure
caller IDs with more or fewer digits on different dialer interfaces. For example, you can configure the
caller IDs 14085550115, 4085550115, and 5550115 on different dialer interfaces.
In this example, you configure the incoming map option as caller 4085550115 for dialer interface dl0.
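The caller-ID selection rules described here and in the earlier dial-in overview (exact match, then right-to-left match when the incoming ID is longer, then the single accept-all interface, with the 15-ID limit and the no-duplicate rule), as an added example that is not Junos OS code. Preferring the longest matching configured ID when several interfaces match on a suffix is an assumption of the example, as is the constructed dl0/dl1/dl2 configuration:

```python
"""Select the dialer interface that accepts an incoming USB modem call.

Added example, not Junos OS code.  Implements the guide's rules: exact
caller-ID match first; if none and the incoming ID has more digits than a
configured ID, match right to left; fall back to the one accept-all
interface; validate the 15-ID limit, the single accept-all interface and
the rule that one caller ID must not appear on two interfaces.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_CALLERS_PER_INTERFACE = 15   # limit stated in the guide


@dataclass
class DialerInterface:
    name: str
    callers: List[str] = field(default_factory=list)   # incoming-map caller
    accept_all: bool = False                           # incoming-map accept-all


# Constructed sample configuration (not from the guide): three dialer
# interfaces on one USB modem, two with caller IDs of different lengths.
EXAMPLE_CONFIG = [
    DialerInterface("dl0", callers=["4085550115"]),
    DialerInterface("dl1", callers=["5550115"]),
    DialerInterface("dl2", accept_all=True),
]


def validate(interfaces: List[DialerInterface]) -> List[str]:
    """Return the configuration problems the guide warns about (empty if none)."""
    problems: List[str] = []
    if sum(1 for i in interfaces if i.accept_all) > 1:
        problems.append("accept-all is configured on more than one dialer interface")
    seen: Dict[str, str] = {}                 # caller ID -> interface name
    for iface in interfaces:
        if len(iface.callers) > MAX_CALLERS_PER_INTERFACE:
            problems.append(f"{iface.name}: more than {MAX_CALLERS_PER_INTERFACE} caller IDs")
        for cid in iface.callers:
            if cid in seen and seen[cid] != iface.name:
                problems.append(f"caller ID {cid} configured on both {seen[cid]} and {iface.name}")
            seen.setdefault(cid, iface.name)
    return problems


def select_interface(incoming: str, interfaces: List[DialerInterface]) -> Optional[str]:
    """Return the name of the dialer interface that accepts the call, or None."""
    # 1. Exact match on any interface wins outright.
    for iface in interfaces:
        if incoming in iface.callers:
            return iface.name
    # 2. Right-to-left match: only configured IDs shorter than the incoming
    #    ID qualify; the longest such ID is preferred (assumption).
    best: Optional[Tuple[int, str]] = None
    for iface in interfaces:
        for cid in iface.callers:
            if len(cid) < len(incoming) and incoming.endswith(cid):
                if best is None or len(cid) > best[0]:
                    best = (len(cid), iface.name)
    if best is not None:
        return best[1]
    # 3. Otherwise the single accept-all interface, if one is configured.
    for iface in interfaces:
        if iface.accept_all:
            return iface.name
    return None                                # call is rejected
```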
Configuration
To quickly configure this example, copy the following command, paste it into a text file, remove any line
breaks, change any details necessary to match your network configuration, copy and paste the command
into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
Step-by-Step Procedure
To configure a dialer interface for USB modem dial-in:
[edit]
user@host# edit interfaces dl0
[edit interfaces dl0]
user@host# set unit 0 dialer-options incoming-map caller 4085550115
[edit interfaces dl0]
user@host# commit
Verification
To verify the configuration is working properly, enter the show interface dl0 command.
To remotely connect to the USB modem connected to the USB port on the device, you must configure a
dial-up modem connection on the PC or laptop computer at your remote location. Configure the dial-up
modem connection properties to disable IP header compression.
1. At your remote location, connect a modem to a management device such as a PC or laptop computer.
5. Click Next. The New Connection Wizard: Network Connection Type page appears.
7. Select Dial-up connection, and then click Next. The New Connection Wizard: Connection Name page
appears.
8. In the Company Name box, type the dial-up connection name, for example USB-modem-connect. Then,
click Next. The New Connection Wizard: Phone Number to Dial page appears.
9. In the Phone number box, type the telephone number of the PSTN line connected to the USB modem
at the device end.
10. Click Next twice, and then click Finish. The Connect USB-modem-connect page appears.
11. If CHAP is configured on the dialer interface used for the USB modem interface at the device end, type
the username and password configured in the CHAP configuration in the User name and Password
boxes.
13. In the Networking tab, select Internet Protocol (TCP/IP), and then click Properties. The Internet Protocol
(TCP/IP) Properties page appears.
To remotely connect to the device through a USB modem connected to the USB port on the device:
When the connection is complete, you can use Telnet or SSH to connect to the device.
NOTE: These instructions use Hayes-compatible modem commands to configure the modem.
If your modem is not Hayes-compatible, see the documentation for your modem and enter
equivalent modem commands. This applies to SRX300, SRX320, SRX340, and SRX345 devices.
You can use the CLI configuration editor to override the value of an initialization command configured on
the USB modem or configure additional commands for initializing USB modems.
NOTE: If you modify modem initialization commands when a call is in progress, the new
initialization sequence is applied on the modem only when the call ends.
You can configure the following modem AT commands to initialize the USB modem:
• The command S0=2 configures the modem to automatically answer calls on the second ring.
When you configure modem commands in the CLI configuration editor, you must follow these conventions:
You can override the value of the S0=0 command in the initialization sequence configured on the modem
and add the L2 command.
2. If you are done configuring the device, enter commit from configuration mode.
For SRX300, SRX320, SRX340, and SRX345 devices, if the USB modem does not respond, you can reset
the modem.
CAUTION: If you reset the modem when a call is in progress, the call is terminated.
To reset the USB modem, in operational mode, enter the following command:
You can manage a Juniper Networks device remotely through the J-Web interface. To enable secure Web
access, the Juniper Networks devices support HTTP over Secure Sockets Layer (HTTPS). You can enable
HTTP or HTTPS access on specific interfaces and ports on the device as needed. Read this topic for
information.
You can manage a Juniper Networks device remotely through the J-Web interface. To communicate with
the device, the J-Web interface uses the Hypertext Transfer Protocol (HTTP). HTTP allows easy Web
access but no encryption. The data that is transmitted between the Web browser and the device by means
of HTTP is vulnerable to interception and attack. To enable secure Web access, the Juniper Networks
devices support HTTP over Secure Sockets Layer (HTTPS). You can enable HTTP or HTTPS access on
specific interfaces and ports as needed.
The Juniper Networks device uses the Secure Sockets Layer (SSL) protocol to provide secure device
management through the Web interface. SSL uses public-private key technology that requires a paired
private key and an authentication certificate for providing the SSL service. SSL encrypts communication
between your device and the Web browser with a session key negotiated during the handshake, in which
the server proves its identity with its SSL server certificate.
An SSL certificate includes identifying information such as a public key and a signature made by a certificate
authority (CA). When you access the device through HTTPS, an SSL handshake authenticates the server
and the client and begins a secure session. If the information does not match or the certificate has expired,
you cannot access the device through HTTPS.
Without SSL encryption, communication between your device and the browser is sent in the open and
can be intercepted. We recommend that you enable HTTPS access on your WAN interfaces.
HTTP access is enabled by default on the built-in management interfaces. By default, HTTPS access is
supported on any interface with an SSL server certificate.
Generating SSL Certificates for Secure Web Access (SRX Series Devices)
1. Enter openssl in the CLI. The openssl command generates a self-signed SSL certificate in
privacy-enhanced mail (PEM) format. It writes the certificate and an unencrypted 1024-bit RSA private
key to the specified file.
NOTE: Run this command on a Linux or UNIX system because Juniper Networks Services
Gateways do not support the openssl command.
% openssl req -x509 -nodes -newkey rsa:1024 -keyout filename.pem -out filename.pem
Replace filename with the name of a file in which you want the SSL certificate to be written—for example,
new.pem.
2. When prompted, type the appropriate information in the identification form. For example, type US for
the country name.
cat new.pem
Copy the contents of this file for installing the SSL certificate.
Generating SSL Certificates to Be Used for Secure Web Access (EX Series
Switch)
You can set up secure Web access for an EX Series switch. To enable secure Web access, you must generate
a digital Secure Sockets Layer (SSL) certificate and then enable HTTPS access on the switch.
1. Enter the following openssl command in your SSH command-line interface on a BSD or Linux system
on which openssl is installed. The openssl command generates a self-signed SSL certificate in the
privacy-enhanced mail (PEM) format. It writes the certificate and an unencrypted 1024-bit RSA private
key to the specified file.
% openssl req -x509 -nodes -newkey rsa:1024 -keyout filename.pem -out filename.pem
where filename is the name of a file in which you want the SSL certificate to be written—for example,
my-certificate.
2. When prompted, type the appropriate information in the identification form. For example, type US for
the country name.
cat my-certificate.pem
You can use the J-Web Configuration page to install the SSL certificate on the switch. To do this, copy
the file containing the certificate from the BSD or Linux system to the switch. Then open the file, copy its
contents, and paste them into the Certificate box on the J-Web Secure Access Configuration page.
You can also use the following CLI statement to install the SSL certificate on the switch:
[edit]
user@switch# set security certificates local my-signed-cert load-key-file my-certificate.pem
For more information on installing certificates, see “Example: Configuring Secure Web Access” on page 311.
2. Reboot the system. The self-signed certificate is automatically generated at bootup time.
[edit]
user@host# show system services web-management https system-generated-certificate
2. If you have root login access, you can manually generate the self-signed certificate by using the following
commands:
root@host> request security pki local-certificate generate-self-signed certificate-id cert-name email email domain-name domain-name ip-address ip-address subject "DC=Domain-name, CN=Common-Name, OU=Organizational-Unit-name, O=Organization-Name, ST=state, C=Country"
NOTE: When generating the certificate, you must specify the subject, e-mail address, and
either domain-name or ip-address.
3. To verify that the certificate was generated and loaded properly, enter the show security pki
local-certificate operational command and specify local-certificate under HTTPS Web management.
[edit]
root@host# show system services web-management https local-certificate certname
You can delete a self-signed certificate that is automatically or manually generated from the EX Series
switch. When you delete the automatically generated self-signed certificate, the switch generates a new
self-signed certificate and stores it in the file system.
• To delete the automatically generated certificate and its associated key pair from the switch:
• To delete a manually generated certificate and its associated key pair from the switch:
• To delete all manually generated certificates and their associated key pairs from the switch:
When you initialize a Juniper Networks EX Series Ethernet Switch with the factory default configuration,
the switch generates a self-signed certificate, allowing secure access to the switch through the Secure
Sockets Layer (SSL) protocol. Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS) and XML
Network Management over Secure Sockets Layer (XNM-SSL) are the two services that can make use of
the self-signed certificates.
• Automatic generation
In this case, the creator of the certificate is the switch. An automatically generated (also called
“system-generated”) self-signed certificate is configured on the switch by default.
After the switch is initialized, it checks for the presence of an automatically generated self-signed
certificate. If it does not find one, the switch generates one and saves it in the file system.
A self-signed certificate that is automatically generated by the switch is similar to an SSH host key. It is
stored in the file system, not as part of the configuration. It persists when the switch is rebooted, and it
is preserved when a request system snapshot command is issued.
The switch uses the following distinguished name for the automatically generated certificate:
If you delete the system-generated self-signed certificate on the switch, the switch generates a self-signed
certificate automatically.
• Manual generation
In this case, you create the self-signed certificate for the switch. At any time, you can use the CLI to
generate a self-signed certificate. Manually generated self-signed certificates are stored in the file system,
not as part of the configuration.
Self-signed certificates are valid for five years from the time they are generated. When the validity of an
automatically generated self-signed certificate expires, you can delete it from the switch so that the switch
generates a new self-signed certificate.
System-generated self-signed certificates and manually generated self-signed certificates can coexist on
the switch.
EX Series switches allow you to generate custom self-signed certificates and store them in the file system.
The certificate you generate manually can coexist with the automatically generated self-signed certificate
on the switch. To enable secure access to the switch over SSL, you can use either the system-generated
self-signed certificate or a certificate you have generated manually.
To generate self-signed certificates manually, you must complete the following tasks:
A digital certificate has an associated cryptographic key pair that is used to sign the certificate digitally.
The cryptographic key pair comprises a public key and a private key. When you generate a self-signed
certificate, you must provide a public-private key pair that can be used to sign the self-signed certificate.
Therefore, you must generate a public-private key pair before you can generate a self-signed certificate.
NOTE: Optionally, you can specify the encryption algorithm and the size of the encryption key.
If you do not specify the encryption algorithm and encryption key size, default values are used.
The default encryption algorithm is RSA, and the default encryption key size is 1024 bits.
After the public-private key pair is generated, the switch displays the following:
To generate the self-signed certificate manually, include the certificate ID name, the subject of the
distinguished name (DN), the domain name, the IP address of the switch, and the e-mail address of the
certificate holder:
The certificate you have generated is stored in the switch’s file system. The certificate ID you have specified
while generating the certificate is a unique identifier that you can use to enable the HTTPS or XNM-SSL
services.
To verify that the certificate was generated and loaded properly, enter the show security pki local-certificate
operational command.
SEE ALSO
Enabling HTTPS and XNM-SSL Services on Switches Using Self-Signed Certificates (CLI Procedure)
This example shows how to configure secure Web access on your device.
Requirements
No special configuration beyond device initialization is required before configuring this feature.
NOTE: You can enable HTTPS access on specified interfaces. If you enable HTTPS without
specifying an interface, HTTPS is enabled on all interfaces.
Overview
In this example, you import the SSL certificate and private key that you generated, in PEM format, as the
local certificate named new. You then enable HTTPS access and specify that SSL certificate to be used for
authentication. Finally, you specify port 8443 as the port on which HTTPS access is to be enabled.
Configuration
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions
on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
[edit security]
user@host# set certificates local new load-key-file /var/tmp/new.pem
2. Enable HTTPS access and specify the SSL certificate and port.
[edit system]
user@host# set services web-management https local-certificate new port 8443
Results
From configuration mode, confirm your configuration by entering the show security command. If the
output does not display the intended configuration, repeat the configuration instructions in this example
to correct it.
[edit]
user@host# show security
certificates {
local {
new {
"-----BEGIN RSA PRIVATE KEY-----\nMIICXQIBAAKBgQC/C5UI4frNqbi
qPwbTiOkJvqoDw2YgYse0Z5zzVJyErgSg954T\nEuHM67Ck8hAOrCnb0YO+SY
Y5rCXLf4+2s8k9EypLtYRw/Ts66DZoXI4viqE7HSsK\n5sQw/UDBIw7/MJ+OpA ...
KYiFf4CbBBbjlMQJ0HFudW6ISVBslONkzX+FT\ni95ddka6iIRnArEb4VFCRh+
e1QBdp1UjziYf7NuzDx4Z\n -----END RSA PRIVATE KEY-----\n-----BEGIN CERTIFICATE-----
\nMIIDjDCCAvWgAwIBAgIBADANBgkqhkiG9w0BAQQ ...
FADCBkTELMAkGA1UEBhMCdXMx\nCzAJBgNVBAgTAmNhMRIwEAYDVQQHEwlzdW5ue
HB1YnMxDTALBgNVBAMTBGpucHIxJDAiBgkqhkiG\n9w0BCQEWFW5iaGFyZ2F2YUB
fLUYAnBYmsYWOH\n -----END CERTIFICATE-----\n"; ## SECRET-DATA
}
}
}
If you are done configuring the device, enter commit from configuration mode.
Verification
Purpose
Verify the SSL certificate configuration.
Action
From operational mode, enter the show security command.
Purpose
Verify the secure access configuration.
Action
From operational mode, enter the show system services command. The following sample output displays
the sample values for secure Web access:
[edit]
user@host# show system services
web-management {
http;
https {
port 8443;
local-certificate new;
}
}
This example shows how to limit management access to an SRX Series device to a specific set of IP
addresses.
Requirements
No special configuration beyond device initialization is required before configuring this feature.
Overview
To limit the IP addresses that can manage a device, you can configure a firewall filter. This firewall filter
must include a term that denies all traffic except traffic from the IP addresses that you allow to manage the
device. You must apply the firewall filter to the loopback interface (lo0), because this ensures that only
management traffic (traffic destined to the device itself) is filtered.
• Configure a prefix-list called manager-ip. This list defines a set of IP addresses that are allowed to manage
the SRX Series device.
• Configure a firewall filter FILTER1 that rejects all requesters except IP addresses in the manager-ip
prefix list. In this way, you ensure that only the IP addresses specified in the prefix list can manage the
device.
• Apply the FILTER1 filter to the loopback interface. Any time a packet destined to the device arrives on any
of its interfaces, the loopback interface applies the filter FILTER1.
Configuration
set firewall filter FILTER1 term block_non_manager from source-prefix-list manager-ip except
set firewall filter FILTER1 term block_non_manager from protocol tcp
set firewall filter FILTER1 term block_non_manager from destination-port ssh
set firewall filter FILTER1 term block_non_manager from destination-port https
set firewall filter FILTER1 term block_non_manager from destination-port telnet
set firewall filter FILTER1 term block_non_manager from destination-port http
set firewall filter FILTER1 term block_non_manager then discard
set firewall filter FILTER1 term accept_everything_else then accept
set interfaces lo0 unit 0 family inet filter input FILTER1
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions
on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
[edit policy-options]
user@host# set prefix-list manager-ip 192.168.4.254/32
user@host# set prefix-list manager-ip 10.0.0.0/8
NOTE: The configured list is referenced in the actual filter, where you can change your
defined set of addresses.
2. Configure a firewall filter to deny traffic from all IP addresses except the IP addresses defined in the
prefix list.
Management traffic that uses any of the listed destination ports is rejected when the traffic does not come
from an address in the prefix list.
4. Apply stateless firewall filters to the loopback interface to filter the packets originating from the hosts
to which you are granting management access.
This configuration applies to traffic terminating at the device itself. If you have IPsec traffic, or OSPF,
RIP, BGP, or any other traffic that terminates at the interface of the device, then you must add the IP
address of the interface to the prefix list.
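To see what FILTER1 discards and what still reaches the device, here is an added example (not Junos OS code) that evaluates the filter's term logic over constructed packets: the from-conditions of a term are AND-ed, the first matching term decides, and the "except" on the prefix list inverts the source match. The Packet type and the sample addresses are constructed for the example:

```python
"""Evaluate the FILTER1 stateless firewall filter from the example.

Added example, not Junos OS code.  It models only the term logic of the
filter as written (source-prefix-list manager-ip except, protocol tcp,
destination-port ssh/https/telnet/http, then discard; everything else
accepted), not the behaviour of the packet forwarding engine.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Prefix list manager-ip from the example configuration.
MANAGER_IP = ["192.168.4.254/32", "10.0.0.0/8"]

# Destination ports named in term block_non_manager (well-known port numbers).
MANAGEMENT_PORTS = {"ssh": 22, "https": 443, "telnet": 23, "http": 80}


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary: only the fields the filter inspects."""
    src: str                    # source IPv4 address
    proto: str                  # "tcp", "udp", "ospf", ...
    dport: Optional[int] = None # destination port, if any


def in_prefix_list(addr: str, prefixes: List[str]) -> bool:
    """True if addr falls inside any prefix of the list."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) for p in prefixes)


def filter1(pkt: Packet, manager_ip: List[str]) -> str:
    """Return 'discard' or 'accept', as FILTER1 on lo0 would for this packet."""
    # term block_non_manager: every from-condition must match.
    #   from source-prefix-list manager-ip except  -> source NOT in the list
    #   from protocol tcp
    #   from destination-port ssh|https|telnet|http
    if (not in_prefix_list(pkt.src, manager_ip)
            and pkt.proto == "tcp"
            and pkt.dport in MANAGEMENT_PORTS.values()):
        return "discard"
    # term accept_everything_else: unconditional accept.
    return "accept"
```

Note that only the four listed TCP ports are protected: a TCP connection to a port not named in the filter, or any non-TCP traffic, from a non-manager address still reaches the device.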
Results
From configuration mode, confirm your configuration by entering the show configuration command. If the
output does not display the intended configuration, repeat the configuration instructions in this example
to correct it.
term accept_everything_else {
then accept;
}
}
If you are done configuring the device, enter commit from configuration mode.
Verification
Verifying Interfaces
Purpose
Verify if the interfaces are configured correctly.
Action
From operational mode, enter the following commands:
• show configuration policy-options
• show firewall
• show interfaces
We recommend disabling the console port to prevent unauthorized access to the device.
You can use the console port on the device to connect to the device through an RJ-45 serial cable. From
the console port, you can use the CLI to configure the device. By default, the console port is enabled. To
secure the console port, you can configure the device to take the following actions:
• Log out of the console session when you unplug the serial cable connected to the console port.
• Make the console insecure (set system ports console insecure), which disables root login through the
console. This prevents a user who does not know the root password from performing password recovery
through the console.
• Disable the console port. We recommend disabling the console port to prevent unauthorized access to
the device, especially when the device is used as customer premises equipment (CPE) and is forwarding
sensitive traffic.
NOTE: It is not always possible to disable the console port, because console access is important
during operations such as software upgrades.
WARNING: On SRX300, SRX320, SRX340, and SRX345 devices, if both set system ports console
insecure and set chassis routing-engine bios uninterrupt are configured, there is no alternative
recovery method available in case Junos OS fails to boot, and the device might become unusable.
NOTE: After configuring the console port as insecure, if a user tries to perform password
recovery operation by booting in single-user mode, the device will prompt for the root
password. This way, the user will be unable to log in to single-user mode for password
recovery unless the root password is known.
1. Log out the console session when the serial cable connected to the console port is unplugged.
2. If you are done configuring the device, enter commit from configuration mode.
SRX300, SRX320, SRX340, and SRX345 devices have a Mini-USB Type-B port. You can connect your
management device to the Mini-USB Type-B console port for CLI management.
You can disable USB storage on SRX Series devices to block users from using a USB mass storage device
on the services gateway. When you disable USB storage, any transactions in progress on the USB device
are aborted.
To disable USB storage:
[edit]
user@host# set chassis usb storage disable
To re-enable it, delete the statement:
[edit]
user@host# delete chassis usb storage disable
The output of the corresponding show command displays the current status of the USB mass storage
device and whether the USB ports are enabled or disabled, for example:
USB Enabled
Some devices have two console ports: an RJ-45 console port and a Mini-USB Type-B console port. You
can configure and manage the device using either port. To connect to the device using a passive port, you
must first configure the port as active and then reboot the device.
When a console port is active, it can display all the early boot and low-level message output. You can
access the device through this port in the debugger prompt. On some devices, only one console port is
active at a time and the console input is active only on that port. Check the hardware guide for your
particular device for whether both ports can be active at the same time.
The RJ-45 console port is the active port by default. To activate the Mini-USB Type-B console port:
1. Connect the host machine to the device directly using the active console port or remotely using the
management interface. To connect using the active console port, which is the RJ-45 console port by
default, see Connecting a Device to a Management Console Using an RJ-45 Connector.
2. Connect to your device using the Mini-USB Type-B console port. See the hardware guide for your
particular device for how to connect to the port.
3. Configure the Mini-USB Type-B port as the active console port:
[edit]
user@switch# set system ports auxiliary port-type mini-usb
4. Commit the configuration and Exit. The initial logs will show the Mini-USB Type-B console port as
active.
5. Reboot the switch. The boot log appears on the activated console. If your device supports both ports
being active at the same time, both ports are now active and can be used as console ports.
NOTE: Do not use the delete system ports auxiliary port-type command to delete the port-type
configuration. Always use the set system ports auxiliary port-type type command to change the
active management console port type.
To configure the RJ-45 console port as the active port, use the same procedure with the set system ports
auxiliary port-type rj45 command.
You can control access to your network through a switch by using several different authentication
methods. Junos OS switches support 802.1X, MAC RADIUS, and captive portal as authentication methods
for devices that request to connect to the network. Read this topic for more information.
You can control access to your network through a Juniper Networks EX Series Ethernet Switch by using
authentication methods such as 802.1X, MAC RADIUS, or captive portal. Authentication prevents
unauthenticated devices and users from gaining access to your LAN. For 802.1X and MAC RADIUS
authentication, end devices must be authenticated before they receive an IP address from a Dynamic Host
Configuration Protocol (DHCP) server. For captive portal authentication, the switch allows the end devices
to acquire an IP address in order to redirect them to a login page for authentication.
Figure 5 on page 328 illustrates a basic deployment topology for authentication on an EX Series switch:
NOTE: For illustration purposes, we have used an EX Series switch, but a QFX5100 switch can
be used in the same way.
The topology contains an EX Series access switch connected to the authentication server on port ge-0/0/10.
Interface ge-0/0/1 connects to the conference room host. Interface ge-0/0/8 is connected to four desktop
PCs through a hub. Interfaces ge-0/0/9 and ge-0/0/2 are connected to IP phones with an integrated hub
to connect the phone and desktop PC to a single port. Interfaces ge-0/0/19 and ge-0/0/20 are connected
to printers.
802.1X Authentication
802.1X is an IEEE standard for port-based network access control (PNAC). It provides an authentication
mechanism for devices seeking to access a LAN. The 802.1X authentication feature on an EX Series switch
is based upon the IEEE 802.1X standard Port-Based Network Access Control.
The communication protocol between the end device and the switch is Extensible Authentication Protocol
over LAN (EAPoL), which carries EAP directly in Ethernet frames. The communication protocol between
the authentication server and the switch is RADIUS.
During the authentication process, the switch completes multiple message exchanges between the end
device and the authentication server. While 802.1X authentication is in process, only 802.1X traffic and
control traffic can transit the network. Other traffic, such as DHCP traffic and HTTP traffic, is blocked at
the data link layer.
NOTE: You can configure both the maximum number of times an EAPoL request packet is
retransmitted and the timeout period between attempts. For information, see “Configuring
802.1X Interface Settings (CLI Procedure)” on page 355.
• Supplicant (also called end device)—Supplicant is the IEEE term for an end device that requests to join
the network. The end device can be responsive or nonresponsive. A responsive end device is
802.1X-enabled and provides authentication credentials using EAP. The credentials required depend on
the EAP method in use: a username and password for EAP-MD5, a client certificate for Extensible
Authentication Protocol-Transport Layer Security (EAP-TLS), and a username and password carried inside
a TLS tunnel (the server presents a certificate) for EAP-Tunneled Transport Layer Security (EAP-TTLS)
and Protected EAP (PEAP).
You can configure a server-reject VLAN to provide limited LAN access for responsive 802.1X-enabled
end devices that sent incorrect credentials. A server-reject VLAN can provide a remedial connection,
typically only to the Internet, for these devices. See “Example: Configuring Fallback Options on EX Series
Switches for EAP-TTLS Authentication and Odyssey Access Clients” on page 379 for additional information.
NOTE: If the end device that is authenticated using the server-reject VLAN is an IP phone,
voice traffic is dropped.
A nonresponsive end device is one that is not 802.1X-enabled. It can be authenticated through MAC
RADIUS authentication.
• Authenticator port access entity—The IEEE term for the authenticator. The switch is the authenticator,
and it controls access by blocking all traffic to and from end devices until they are authenticated.
• Authentication server—The authentication server contains the backend database that makes authentication
decisions. It contains credential information for each end device that is authenticated to connect to the
network. The authenticator forwards credentials supplied by the end device to the authentication server.
If the credentials forwarded by the authenticator match the credentials in the authentication server
database, access is granted. If the credentials forwarded do not match, access is denied. The EX Series
switches support RADIUS authentication servers.
NOTE: You cannot configure 802.1X authentication on redundant trunk groups (RTGs). For
more information about RTGs, see Understanding Redundant Trunk Links (Legacy RTG Configuration).
The 802.1X authentication method only works if the end device is 802.1X-enabled, but many single-purpose
network devices such as printers and IP phones do not support the 802.1X protocol. You can configure
MAC RADIUS authentication on interfaces that are connected to network devices that do not support
802.1X and that you want to allow to access the LAN. When an end device that is not 802.1X-enabled
is detected on the interface, the switch transmits the MAC address of the device to the authentication
server. The server then tries to match the MAC address with a list of MAC addresses in its database. If
the MAC address matches an address in the list, the end device is authenticated. A MAC address is an
identifier, not a secret: any host that learns the MAC address of an authorized printer can present it, so
MAC RADIUS is a weaker control than credential-based 802.1X and is best limited to interfaces where
802.1X is not possible.
You can configure both 802.1X and MAC RADIUS authentication on the same interface. In this case,
the switch first attempts to authenticate the end device by using 802.1X, and if that method fails, it attempts
MAC RADIUS authentication. If you know that only nonresponsive supplicants connect on that interface,
you can eliminate the delay the switch needs to determine that the end device is not 802.1X-enabled by
configuring the mac-radius restrict option. When this option is configured, the switch does not attempt
802.1X authentication but immediately sends a request to the RADIUS server for authentication of the
MAC address of the end device. If the MAC address of that end device is configured as a valid MAC address
on the RADIUS server, the switch opens LAN access to the end device on the interface to which it is
connected.
The mac-radius restrict option is useful when no other 802.1X authentication methods, such as guest
VLAN, are needed on the interface. If you configure mac-radius restrict on an interface, the switch drops
all 802.1X packets.
The authentication protocols supported for MAC RADIUS authentication are EAP-MD5, which is the
default, Protected EAP (EAP-PEAP), and Password Authentication Protocol (PAP). You can specify the
authentication protocol to be used for MAC RADIUS authentication using the authentication-protocol
statement.
Captive portal authentication (hereafter referred to as captive portal) enables you to authenticate users
on EX Series switches by redirecting Web browser requests to a login page that requires users to input a
valid username and password before they can access the network. Captive portal controls network access
by requiring users to provide information that is authenticated against a RADIUS server database by using
EAP-MD5. You can also use captive portal to display an acceptable-use policy to users before they access
your network.
Juniper Networks Junos operating system (Junos OS) for EX Series switches provides a template that
enables you to easily design and modify the look of the captive portal login page. You enable specific
interfaces for captive portal. The first time an end device connected to a captive portal interface attempts
to access a webpage, the switch presents the captive portal login page. After the device is successfully
authenticated, it is allowed access to the network and to continue to the original page requested.
NOTE: If HTTPS is enabled, HTTP requests are redirected to an HTTPS connection for the
captive portal authentication process. After authentication, the end device is returned to the
HTTP connection.
If there are end devices that are not HTTP-enabled connected to the captive portal interface, you can
allow them to bypass captive portal authentication by adding their MAC addresses to an authentication
whitelist.
When a user is authenticated by the RADIUS server, any per-user policies (attributes) associated with that
user are also sent to the switch.
Captive portal has the following limitations:
• Captive portal does not support dynamic assignment of VLANs downloaded from the RADIUS server.
• If the user remains idle for more than about 5 minutes and no traffic is passed, the user must log
back in to the captive portal.
You can allow end devices to access the LAN without authentication on a RADIUS server by including
their MAC addresses in the static MAC bypass list (also known as the exclusion list). You can use the
static MAC bypass list to:
• Eliminate the delay that occurs for the switch to determine that a connected device is a
non-802.1X-enabled host.
When you configure static MAC on the switch, the MAC address of the end device is first checked in a
local database (a user-configured list of MAC addresses). If a match is found, the end device is successfully
authenticated and the interface is opened up for it. No further authentication is done for that end device.
If a match is not found and 802.1X authentication is enabled on the switch, the switch attempts to
authenticate the end device through the RADIUS server.
For each MAC address, you can also configure the VLAN to which the end device is moved or the interfaces
on which the host connects.
CAUTION: When you clear the learned MAC addresses from an interface, using the
clear dot1x interface command, all MAC addresses are cleared, including those in the
static MAC bypass list.
You can configure 802.1X, MAC RADIUS, and captive portal authentication on a single interface to enable
fallback to another method if authentication by one method fails. The authentication methods can be
configured in any combination, except that you cannot configure both MAC RADIUS and captive portal
on an interface without also configuring 802.1X. By default, an EX Series switch uses the following order
of authentication methods:
1. 802.1X authentication—If 802.1X is configured on the interface, the switch sends EAPoL requests to
the end device and attempts to authenticate the end device through 802.1X authentication. If the end
device does not respond to the EAP requests, the switch checks whether MAC RADIUS authentication
is configured on the interface.
2. MAC RADIUS authentication—If MAC RADIUS authentication is configured on the interface, the switch
sends the MAC address of the end device to the authentication server. If MAC RADIUS
authentication is not configured, the switch checks whether captive portal is configured on the interface.
3. Captive portal authentication—If captive portal is configured on the interface, the switch attempts to
authenticate the end device by using this method after the other authentication methods configured
on the interface have failed.
For an illustration of the default process flow when multiple authentication methods are configured on an
interface, see “Understanding Access Control on Switches” on page 333.
You can override the default order for fallback of authentication methods by configuring the
authentication-order statement to specify that the switch use either 802.1X authentication or MAC
RADIUS authentication first. Captive portal must always be last in the order of authentication methods.
For more information, see “Configuring Flexible Authentication Order” on page 470.
You can control access to your network through a switch by using several different authentication
methods—including 802.1X, MAC RADIUS, or captive portal.
[Figure g041098: Authentication process flow when multiple methods are configured on an interface.
Recoverable content of the flowchart:]
Outcomes: A, client authenticated, allow access on port. B, client is not authenticated, deny access on port.
C, captive portal. D, reauthentication. E, client authenticated, allow access only to the specified VLAN on
the port.
Decision points, in order: Is the MAC address in the whitelist or static MAC list? (yes: A). Is the
authenticator configured? Is the mac-radius restrict statement configured? (no: try authenticating using
EAPoL, maximum 3 requests; does the client respond to the EAP message?). Is MAC RADIUS configured?
(yes: try authenticating using MAC RADIUS). Is captive portal configured? (yes: C). Is guest VLAN
configured? (yes: E; no: B). For each RADIUS attempt: does the RADIUS server respond? (no: server-fail
VLAN configured? yes: E, no: B). Does the RADIUS server return Access-Accept? (yes: A; no: server-reject
VLAN configured? yes: E, no: B).
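The following Python simulation is an added example, not Junos code or anything from the page. It encodes the fallback flow described above (static MAC bypass, 802.1X, MAC RADIUS, captive portal, server-reject, server-fail and guest VLANs, mac-radius restrict, and the two configuration constraints the text states) so the order and side conditions can be exercised on constructed inputs. PortConfig, Client and Radius are stand-ins assumed for the example; the real switch holds this state differently.

```python
"""Added example (not Junos code): a simulation of the authentication fallback
flow described above. Client, PortConfig and Radius are constructed stand-ins."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class PortConfig:
    dot1x: bool = False
    mac_radius: bool = False
    mac_radius_restrict: bool = False      # 'mac-radius restrict': never send EAPoL
    captive_portal: bool = False
    guest_vlan: Optional[str] = None
    server_reject_vlan: Optional[str] = None
    server_fail_vlan: Optional[str] = None
    static_mac_bypass: frozenset = frozenset()
    # Default order from the text; authentication-order may put mac-radius first.
    order: tuple = ("dot1x", "mac-radius", "captive-portal")

    def validate(self) -> None:
        """Constraints stated in the text."""
        if self.mac_radius and self.captive_portal and not self.dot1x:
            raise ValueError("MAC RADIUS and captive portal together require 802.1X")
        if "captive-portal" in self.order and self.order[-1] != "captive-portal":
            raise ValueError("captive portal must be last in authentication-order")


@dataclass
class Client:
    mac: str
    responds_to_eap: bool              # True for an 802.1X-enabled supplicant
    credentials_valid: bool = False


@dataclass
class Radius:
    reachable: bool = True
    allowed_macs: frozenset = frozenset()   # the server's MAC RADIUS list


Outcome = Tuple[str, str, List[str]]   # (outcome, detail, methods attempted)


def _server_fail(port: PortConfig, attempts: List[str]) -> Outcome:
    if port.server_fail_vlan:
        return "vlan", port.server_fail_vlan, attempts
    return "deny", "radius-unreachable", attempts


def authenticate(client: Client, port: PortConfig, radius: Radius) -> Outcome:
    """outcome is 'allow', 'deny', 'vlan' (restricted VLAN in detail) or 'captive-portal'."""
    port.validate()
    attempts: List[str] = []
    # The static MAC bypass list is checked locally first; no RADIUS request is sent.
    if client.mac in port.static_mac_bypass:
        return "allow", "static-mac-bypass", attempts
    configured = {"dot1x": port.dot1x, "mac-radius": port.mac_radius,
                  "captive-portal": port.captive_portal}
    for method in port.order:
        if not configured[method]:
            continue
        if method == "dot1x":
            # With 'mac-radius restrict' the switch sends no EAPoL requests at all;
            # otherwise a silent client exhausts the EAPoL retries and falls through.
            if port.mac_radius_restrict or not client.responds_to_eap:
                continue
            attempts.append("dot1x")
            if not radius.reachable:
                return _server_fail(port, attempts)
            if client.credentials_valid:
                return "allow", "dot1x", attempts
            if port.server_reject_vlan:          # wrong credentials: remedial VLAN
                return "vlan", port.server_reject_vlan, attempts
            return "deny", "dot1x-reject", attempts
        if method == "mac-radius":
            attempts.append("mac-radius")
            if not radius.reachable:
                return _server_fail(port, attempts)
            if client.mac in radius.allowed_macs:
                return "allow", "mac-radius", attempts
            continue                              # unknown MAC: try the next method
        if method == "captive-portal":
            attempts.append("captive-portal")
            return "captive-portal", "redirect-to-login", attempts
    if port.guest_vlan:                           # nothing succeeded, nonresponsive host
        return "vlan", port.guest_vlan, attempts
    return "deny", "no-method-succeeded", attempts
```

The attempts list returned with each outcome is the useful part when reasoning about a design: it shows, for instance, that with mac-radius restrict configured a fully capable 802.1X supplicant is never challenged and is judged by its MAC address alone, and that a device on the static bypass list is admitted even when the RADIUS server is down.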
Information about authentication sessions—including the associated interfaces and VLANs for each MAC
address that is authenticated—is stored in the authentication session table. The authentication session
table is tied to the Ethernet switching table (also called the MAC table). Each time the switch detects traffic
from a MAC address, it updates the timestamp for that network node in the Ethernet switching table. A
timer on the switch periodically checks the timestamp and if its value exceeds the user-configured
mac-table-aging-time value, the MAC address is removed from the Ethernet switching table. When a MAC
address ages out of the Ethernet switching table, the entry for that MAC address is also removed from
the authentication session table, with the result that the session ends.
When the authentication session ends due to MAC address aging, the host must re-attempt authentication.
To limit the downtime resulting from re-authentication, you can control the timeout of authentication
sessions in the following ways:
• For 802.1X and MAC RADIUS authentication sessions, disassociate the authentication session table
from the Ethernet switching table by using the no-mac-table-binding statement. This setting prevents
the termination of the authentication session when the associated MAC address ages out of the Ethernet
switching table.
• For captive portal authentication sessions, configure a keep-alive timer using the user-keepalive statement.
With this option configured, when the associated MAC address ages out of the Ethernet switching table,
the keep-alive timer is started. If traffic is received within the keep-alive timeout period, the timer is
deleted. If there is no traffic within the keep-alive timeout period, the session is deleted.
You can also specify timeout values for authentication sessions to end the session before the MAC aging
timer expires. After the session times out, the host must re-attempt authentication.
• For 802.1X and MAC RADIUS authentication sessions, the duration of the session before timeout
depends on the value of the reauthentication statement. If the MAC aging timer expires before the
session times out, and the no-mac-table-binding statement is not configured, the session is ended, and
the host must re-authenticate.
• For captive portal authentication sessions, the duration of the session depends on the value configured
for the session-expiry statement. If the MAC aging timer expires before the session times out, and the
user-keepalive statement is not configured, the session is ended, and the host must re-authenticate.
NOTE: If the authentication server sends an authentication session timeout to the client, this
takes priority over the value configured locally using either the reauthentication statement or
the session-expiry statement. The session timeout value is sent from the server to the client as
an attribute of the RADIUS Access-Accept message. For information about configuring the
authentication server to send an authentication session timeout, see the documentation for your
server.
The expiration of an authentication session can result in downtime because the host must re-attempt
authentication. You can limit this downtime by controlling the timeout period for authentication sessions.
An authentication session can end when the MAC address associated with the authenticated host ages
out of the Ethernet switching table. When the MAC address is cleared from the Ethernet switching table,
the authenticated session for that host ends, and the host must re-attempt authentication.
To prevent the authentication session from ending when the MAC address ages out of the Ethernet
switching table:
• For sessions authenticated using 802.1X or MAC RADIUS authentication, you can prevent authentication
session timeouts due to MAC address aging by disassociating the authentication session table from
the Ethernet switching table using the no-mac-table-binding statement:
[edit]
user@switch# set protocols dot1x authenticator no-mac-table-binding;
• For sessions authenticated using captive portal authentication, you can prevent authentication session
timeouts due to MAC address aging by extending the timeout period using the user-keepalive statement:
[edit]
user@switch# set services captive-portal interface interface-name user-keepalive minutes;
You can also configure timeout values for authentication sessions to end an authenticated session before
the MAC aging timer expires.
NOTE: Configuring the session timeout for an authentication session does not extend the session
after the MAC aging timer expires. You must configure either the no-mac-table-binding statement
for 802.1X and MAC RADIUS authentication, or the user-keepalive statement for captive portal
authentication, to prevent session timeout due to MAC aging.
For 802.1X and MAC RADIUS authentication sessions, configure the timeout value using the
reauthentication statement.
[edit]
user@switch# set protocols dot1x authenticator interface interface-name reauthentication seconds;
[edit]
user@switch# set protocols dot1x authenticator interface all reauthentication seconds;
For captive portal authentication sessions, configure the timeout value using the session-expiry statement.
[edit]
user@switch# set services captive-portal interface interface-name session-expiry minutes;
[edit]
user@switch# set services captive-portal interface all session-expiry minutes;
NOTE: If the authentication server sends an authentication session timeout to the client, this
takes priority over the value configured using the reauthentication statement or the session-expiry
statement. The session timeout value is sent from the server to the client as an attribute of the
RADIUS Access-Accept message.
Junos OS allows you to configure unattended mode for U-Boot to prevent unauthorized access to the
switch during the boot process. When you configure unattended mode, a user can access the CLI during
the boot process only by supplying the boot-loader password. This prevents unauthorized access during
the boot process. Read this topic for more information.
Unattended mode for U-Boot can be configured to prevent unauthorized access to the switch that can
occur during the boot process. After the CPU has been reset, there are several known methods of accessing
the system before the Junos OS login prompt appears that do not require the user to enter authentication
credentials. By gaining unauthorized access, the user can view, modify, or corrupt the switch configuration,
or make the switch unavailable on the network.
When unattended mode is configured, the user can access the CLI during the boot process only by pressing
<Ctrl+c> and entering the correct password, which is known as the boot-loader password. The boot-loader
password must have been previously configured on the switch. Entering the correct boot-loader password
will place the user in the U-Boot CLI. If the password is incorrect, or if no password is entered within one
minute, access to the U-Boot CLI is blocked and the boot process continues automatically.
Access to the bootstrap loader command prompt (loader>) is blocked in unattended mode, which prevents
the use of the following recovery mechanisms: root password recovery by using single-user mode, and
booting the switch by using a software package stored on a USB flash drive.
NOTE: If the root password is lost while the switch is in unattended mode, the switch must be
reset to the factory default configuration using the LCD panel. For more information see Reverting
to the Default Factory Configuration for the EX Series Switch.
If unattended mode is not configured, but a boot-loader password has been configured, the user must
enter the correct password to access the U-Boot CLI. If a boot-loader password has not been configured,
the user can access the U-Boot CLI without entering a password. In either case, the user can access the
bootstrap loader command prompt, which enables root password recovery by using single-user mode as
well as booting from a USB flash drive.
Unattended mode is not enabled by default. When configured, unattended mode is turned on and will
block unauthorized access to the switch. Table 22 on page 339 summarizes the behaviors for U-Boot mode.
Table 22: U-Boot access behavior
Unattended mode on, boot-loader password set:
• Access to the U-Boot CLI is allowed only after entering the correct password.
• Access to the loader command prompt is blocked.
• Booting from USB is blocked.
• Root password recovery by using single-user mode is blocked.
Unattended mode off, boot-loader password set:
• Access to the U-Boot CLI is allowed only after entering the correct password.
• Access to the loader command prompt is allowed.
• Booting from USB is allowed.
• Root password recovery by using single-user mode is allowed.
Unattended mode for U-Boot can be used to prevent unauthorized access to the switch that can occur
during the boot process. When unattended mode is configured, the user can access the CLI during the
boot process only by entering the correct password, which is known as the boot-loader password. The
boot-loader password must have been previously configured on the switch.
When unattended mode is configured, access to the bootstrap loader command prompt (loader>) is blocked,
which prevents the use of the following recovery mechanisms: root password recovery by using single-user
mode, and booting the switch by using a software package stored on a USB flash drive.
WARNING: On EX2200 switches, if both the root and unattended mode password
are lost while the switch is in unattended mode, there is no alternative recovery method
available. The switch must be returned to Juniper Networks. For more information,
see Returning an EX2200 Switch or Component for Repair or Replacement.
To configure the boot loader password, you can use either a plain-text password that the system encrypts
for you, or a password that has already been encrypted. If you use a plain-text password, Junos OS displays
the password as an encrypted string so that users viewing the configuration cannot see it. As you enter
the password in plain text, Junos OS encrypts it immediately. You do not have to configure Junos OS to
encrypt the password. Plain-text passwords are hidden and marked as ## SECRET-DATA in the
configuration.
1. Enter either a plain-text password or an encrypted password by using the set system
boot-loader-authentication statement.
• To enter a plain-text password, use the plain-text-password option, and re-enter the password when
prompted:
[edit]
root@# set system boot-loader-authentication plain-text-password
New Password: type password here
Retype new password: retype password here
• To enter a password that is already encrypted, use the encrypted-password option:
[edit]
root@# set system boot-loader-authentication encrypted-password password
2. Commit the configuration:
[edit]
root@# commit
3. To view the encrypted password entries, use the configuration mode show command. For example:
[edit]
root@# show system boot-loader-authentication
encrypted-password "$ABC123"; ## SECRET-DATA
Before enabling unattended mode for U-Boot, you must download and install the jloader firmware package
/volume/build/junos/13.2/service/13.2X51-D20.2/ship/jloader-ex-2200-13.2X51-D20.2-signed.tgz,
as described in TSB16425.
Unattended mode for U-Boot is not enabled by default. Use the following procedure to configure unattended
mode:
[edit]
root@# set system unattended-boot
[edit]
root@# commit
When unattended mode for U-Boot is configured and the boot-loader password has been set, you can
access the U-Boot CLI during the boot process by pressing <Ctrl+c> and entering the boot-loader password
at the prompt.
The correct password must be entered within one minute after the prompt appears. If the password is not
entered within one minute, or if the password is incorrect or has not been configured, access to the U-Boot
CLI will be blocked, and the boot process will continue. For more information about unattended mode
behavior, see “Understanding Unattended Mode for U-Boot on EX Series Switches” on page 338.
SEE ALSO
unattended-boot | 1324
boot-loader-authentication | 1073
Juniper Networks Ethernet switches use 802.1X, MAC RADIUS, or captive portal authentication to control
access by devices or users. When 802.1X, MAC RADIUS, or captive portal authentication is configured
on the switch, end devices are evaluated at the initial connection by an authentication (RADIUS) server.
To use 802.1X or MAC RADIUS authentication, you must specify the connection on the switch for each
RADIUS server to which you want to connect. Read this topic for more information.
IEEE 802.1X and MAC RADIUS authentication both provide network edge security, protecting Ethernet
LANs from unauthorized user access by blocking all traffic to and from devices at the interface until the
supplicant's credentials or MAC address are presented and matched on the authentication server (a RADIUS
server). When the supplicant is authenticated, the switch stops blocking access and opens the interface
to the supplicant.
To use 802.1X or MAC RADIUS authentication, you must specify the connections on the switch for each
RADIUS server to which you will connect.
1. Define the IP address of the RADIUS server, the RADIUS server authentication port number, and the
secret password. You can define more than one RADIUS server. The secret password on the switch
must match the secret password on the server:
[edit access]
user@switch# set radius-server server-address port 1812 secret password
NOTE: Specifying the authentication port is optional, and port 1812 is the default. However,
we recommend that you configure it in order to avoid confusion as some RADIUS servers
might refer to an older default.
2. (Optional) Specify the source address the switch uses for RADIUS requests, which is the address by
which the RADIUS server identifies the switch. If you do not specify it, the request carries the address
of the interface that sends the RADIUS request. We recommend that you specify this address: if the
request takes an alternate route to the RADIUS server, it leaves through a different interface with a
different address, and a server that identifies its clients by source address will reject it.
[edit access]
user@switch# set radius-server server-address source-address source-address
3. Configure the authentication order, making radius the first method of authentication:
[edit access]
user@switch# set profile profile-name authentication-order radius
4. Create a profile and specify the list of RADIUS servers to be associated with the profile. For example,
you might choose to group your RADIUS servers geographically by city. This feature enables easy
modification whenever you want to change to a different set of authentication servers.
5. Specify the group of servers to be used for 802.1X or MAC RADIUS authentication by identifying the
profile name:
[edit]
user@switch# set protocols dot1x authenticator authentication-profile-name access-profile-name
6. Configure the IP address of the switch in the list of clients on the RADIUS server. For information about
configuring the RADIUS server, consult the documentation for your server.
Junos OS for EX Series switches enables you to configure the Microsoft Corporation implementation of
the Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2) on the switch to provide
password-change support. Configuring MS-CHAPv2 on the switch provides users accessing a switch the
option of changing the password when the password expires, is reset, or is configured to be changed at
next login.
See RFC 2433, Microsoft PPP CHAP Extensions, for information about MS-CHAP.
Before you configure MS-CHAPv2 to provide password-change support, ensure that you have:
• Configured RADIUS server authentication. Configure users on the authentication server and set the
first-tried option in the authentication order to radius. See “Example: Connecting a RADIUS Server for
802.1X to an EX Series Switch” on page 365.
You must have the required access permission on the switch in order to change your password.
You can configure the Microsoft implementation of the Challenge Handshake Authentication Protocol
version 2 (MS-CHAPv2) on the router or switch to support changing of passwords. This feature provides
users accessing a router or switch the option of changing the password when the password expires, is
reset, or is configured to be changed at next logon.
Before you configure MS-CHAPv2 for password-change support, ensure that you have done the following:
• Set the first tried option in the authentication order to RADIUS server.
To configure MS-CHAPv2, include the following statements at the [edit system radius-options] hierarchy
level:
The following example shows statements for configuring the MS-CHAPv2 password protocol, password
authentication order, and user accounts:
[edit]
system {
Juniper Networks Ethernet Switches use authentication to implement access control in an enterprise
network. If 802.1X, MAC RADIUS, or captive portal authentication is configured on the switch, end devices
are evaluated at the initial connection by an authentication (RADIUS) server. If the end device is configured
on the authentication server, the device is granted access to the LAN and the EX Series switch opens the
interface to permit access.
Server fail fallback enables you to specify how end devices connected to the switch are supported if the
RADIUS authentication server becomes unavailable. Server fail fallback is triggered most often during
reauthentication when the already configured and in-use RADIUS server becomes inaccessible. However,
server fail fallback can also be triggered by an end device’s first attempt at authentication through the
RADIUS server.
Server fail fallback enables you to specify one of four actions to be taken for end devices awaiting
authentication when the server is timed out. The switch can accept or deny access to supplicants or
maintain the access already granted to supplicants before the RADIUS timeout occurred. You can also
configure the switch to move the supplicants to a specific VLAN. The VLAN must already be configured
on the switch. The configured VLAN name overrides any attributes sent by the server.
• Permit authentication, allowing traffic to flow from the end device through the interface as if the end
device were successfully authenticated by the RADIUS server.
• Deny authentication, preventing traffic from flowing from the end device through the interface. This is
the default.
• Move the end device to a specified VLAN if the switch receives a RADIUS access-reject message. The
configured VLAN name overrides any attributes sent by the server. (The VLAN must already exist on
the switch.)
• Sustain authenticated end devices that already have LAN access and deny unauthenticated end devices.
If the RADIUS servers time out during reauthentication, previously authenticated end devices are
reauthenticated and new users are denied LAN access.
You can configure authentication fallback options to specify how end devices connected to a switch are
supported if the RADIUS authentication server becomes unavailable.
When you set up 802.1X or MAC RADIUS authentication on the switch, you specify a primary authentication
server and one or more backup authentication servers. If the primary authentication server cannot be
reached by the switch and the secondary authentication servers are also unreachable, a RADIUS server
timeout occurs. If this happens, because it is the authentication server that grants or denies access to the
end devices awaiting authentication, the switch does not receive access instructions for end devices
attempting access to the LAN, and normal authentication cannot be completed.
You can configure the server fail fallback feature to specify an action that the switch applies to end devices
when the authentication servers are unavailable. The switch can accept or deny access to supplicants or
maintain the access already granted to supplicants before the RADIUS timeout occurred. You can also
configure the switch to move the supplicants to a specific VLAN.
You can also configure the server reject fallback feature for end devices that receive a RADIUS access-reject
message from the authentication server. The server reject fallback feature provides limited access to a
LAN, typically only to the Internet, for responsive end devices that are 802.1X-enabled but that have sent
the wrong credentials.
Server fail fallback is supported for voice traffic starting in Release 14.1X53-D40 and Release 15.1R4. To
configure server fail fallback actions for VoIP clients sending voice traffic, use the server-fail-voip statement.
For all data traffic, use the server-fail statement. The switch determines the fallback method to use based
on the type of traffic sent by the client. Untagged data frames are subject to the action configured with
server-fail, even if they are sent by a VoIP client. Tagged VoIP VLAN frames are subject to the action
configured with server-fail-voip. If server-fail-voip is not configured, the voice traffic is dropped.
NOTE: Server reject fallback is not supported for VoIP VLAN tagged traffic. If a VoIP client starts
authentication by sending untagged data traffic to a VLAN while server reject fallback is in effect,
the VoIP client is allowed to access the fallback VLAN. If the same client subsequently sends
tagged voice traffic, the voice traffic is dropped.
If a VoIP client starts authentication by sending tagged voice traffic while server reject fallback
is in effect, the VoIP client is denied access to the fallback VLAN.
You can use the following procedure to configure server fail actions for data clients. To configure server
fail fallback for VoIP clients sending voice traffic, use the server-fail-voip statement in place of the server-fail
statement.
• Configure an interface to allow traffic to flow from a supplicant to the LAN if a RADIUS server timeout
occurs (as if the end device had been successfully authenticated by a RADIUS server):
• Configure an interface to prevent traffic flow from an end device to the LAN (as if the end device had
failed authentication and had been denied access by the RADIUS server):
• Configure an interface to move an end device to a specified VLAN if a RADIUS server timeout occurs:
You can configure an interface that receives a RADIUS access-reject message from the authentication
server to move end devices attempting LAN access on the interface to a server-reject VLAN, a specified
VLAN already configured on the switch.
SEE ALSO
Example: Configuring 802.1X Authentication Options When the RADIUS Server Is Unavailable to an
EX Series Switch | 373
Configuring 802.1X Interface Settings (CLI Procedure) | 355
Release      Description
14.1X53-D40  Server fail fallback is supported for voice traffic starting in Release 14.1X53-D40 and Release 15.1R4.
RELATED DOCUMENTATION
802.1X Authentication
IN THIS SECTION
Example: Configuring 802.1X Authentication Options When the RADIUS Server Is Unavailable to an EX
Series Switch | 373
Example: Configuring Fallback Options on EX Series Switches for EAP-TTLS Authentication and Odyssey
Access Clients | 379
IEEE 802.1X is the standard for port-based network access control and protects Ethernet LANs from
unauthorized user access. It blocks all traffic to and from a supplicant (client) at the interface until the
supplicant's credentials are presented and matched on the authentication server (a RADIUS server). When
the supplicant is authenticated, the switch stops blocking access and opens the interface to the supplicant.
Read this topic for more information.
802.1X authentication works by using an authenticator port access entity (the switch) to block ingress
traffic from a supplicant (end device) at the port until the supplicant's credentials are presented and match
on the authentication server (a RADIUS server). When authenticated, the switch stops blocking traffic and
opens the port to the supplicant.
The end device is authenticated in single supplicant mode, single-secure supplicant mode, or multiple supplicant
mode:
• single supplicant—Authenticates only the first end device. All other end devices that connect later to
the port are allowed full access without any further authentication. They effectively piggyback on the
first end device’s authentication.
• single-secure supplicant—Allows only one end device to connect to the port. No other end device is
allowed to connect until the first device logs out.
• multiple supplicant—Allows multiple end devices to connect to the port. Each end device is authenticated
individually.
Network access can be further defined by using VLANs and firewall filters, both of which act as filters to
separate and match groups of end devices to the areas of the LAN they require. For example, you can
configure VLANs to handle different categories of authentication failures depending upon:
• Whether or not MAC RADIUS authentication is configured on the switch interfaces to which the hosts
are connected.
• Whether the RADIUS authentication server becomes unavailable or sends a RADIUS access-reject
message. See “Configuring RADIUS Server Fail Fallback (CLI Procedure)” on page 349.
The following 802.1X features are supported on Juniper Networks Ethernet Switches:
• Guest VLAN—Provides limited access to a LAN, typically only to the Internet, for nonresponsive end
devices that are not 802.1X-enabled when MAC RADIUS authentication is not configured on the switch
interfaces to which the hosts are connected. Also, a guest VLAN can be used to provide limited access
to a LAN for guest users. Typically, the guest VLAN provides access only to the Internet and to other
guests’ end devices.
• Server-reject VLAN—Provides limited access to a LAN, typically only to the Internet, for responsive end
devices that are 802.1X-enabled but that have sent the wrong credentials. If the end device that is
authenticated using the server-reject VLAN is an IP phone, voice traffic is not allowed.
• Server-fail VLAN—Provides limited access to a LAN, typically only to the Internet, for 802.1X end devices
during a RADIUS server timeout.
• Private VLAN—Enables configuration of 802.1X authentication on interfaces that are members of private
VLANs (PVLANs).
NOTE: Configuring a VoIP VLAN on private VLAN (PVLAN) interfaces is not supported.
The following features are supported to authenticate devices that are not 802.1X-enabled:
• Static MAC bypass—Provides a bypass mechanism to authenticate devices that are not 802.1X-enabled
(such as printers). Static MAC bypass connects these devices to 802.1X-enabled ports, bypassing 802.1X
authentication.
• MAC RADIUS authentication—Provides a means to permit hosts that are not 802.1X-enabled to access
the LAN. MAC-RADIUS simulates the supplicant functionality of the client device, using the MAC address
of the client as username and password.
Starting in Junos OS Release 18.3R1, you can configure 802.1X authentication on trunk interfaces, which
allows the network access server (NAS) to authenticate an access point (AP) or another connected Layer
2 device. An AP or switch connected to the NAS supports multiple VLANs, so it must connect to a trunk
port. Enabling 802.1X authentication on the trunk interface protects the NAS from a security breach in
which an attacker disconnects the AP and connects a laptop to gain unauthenticated access to the network
on all the configured VLANs.
Please note the following caveats when configuring 802.1X authentication on trunk interfaces.
• Only single and single-secure supplicant modes are supported on trunk interfaces.
• You must configure 802.1X authentication locally on the trunk interface. If you configure 802.1X
authentication globally using the set protocol dot1x interface all command, the configuration is not
applied to the trunk interface.
• Guest VLAN and server-reject VLAN are not supported on trunk interfaces.
• Server fail fallback for VoIP clients is not supported on trunk interfaces (server-fail-voip).
• Configuration of 802.1X authentication on interfaces that are members of private VLANs (PVLANs) is
not supported on trunk ports.
IEEE 802.1X authentication provides network edge security, protecting Ethernet LANs from unauthorized
user access by blocking all traffic to and from a supplicant (client) at the interface until the supplicant's
credentials are presented and matched on the authentication server (a RADIUS server). When the supplicant
is authenticated, the switch stops blocking access and opens the interface to the supplicant.
NOTE:
• You can also specify an 802.1X exclusion list to specify supplicants that can bypass
authentication and be automatically connected to the LAN. See “Configuring Static MAC
Bypass of 802.1X and MAC RADIUS Authentication (CLI Procedure)” on page 442.
• You cannot configure 802.1X user authentication on interfaces that have been enabled for
Q-in-Q tunneling.
Before you begin, specify the RADIUS server or servers to be used as the authentication server. See
“Specifying RADIUS Server Connections on Switches (CLI Procedure)” on page 344.
1. Configure the supplicant mode as single (authenticates the first supplicant), single-secure (authenticates
only one supplicant), or multiple (authenticates multiple supplicants):
3. Configure the interface timeout value for the response from the supplicant:
4. Configure the timeout for the interface before it resends an authentication request to the RADIUS
server:
5. Configure how long, in seconds, the interface waits before retransmitting the initial EAPOL PDUs to
the supplicant:
6. Configure the maximum number of times an EAPOL request packet is retransmitted to the supplicant
before the authentication session times out:
7. Configure the number of times the switch attempts to authenticate the port after an initial failure. The
port remains in a wait state during the quiet period after the authentication attempt.
8. Set the server-fail action to deny so that supplicants are denied access if the RADIUS server times out.
NOTE: This setting specifies the number of attempts before the switch puts the interface in a
HELD state.
When using an authentication service that is based on a client/server RADIUS model, requests are typically
initiated by the client and sent to the RADIUS server. There are instances in which a request might be
initiated by the server and sent to the client in order to dynamically modify an authenticated user session
already in progress. The client that receives and processes the messages is the switch, which acts as the
network access server, or NAS. The server can send the switch a Disconnect message requesting to
terminate a session, or a Change of Authorization (CoA) message requesting to modify the session
authorization attributes.
The switch listens for unsolicited RADIUS requests on UDP port 3799, and accepts requests only from a
trusted source. Authorization to send a Disconnect or CoA request is determined based on the source
address and the corresponding shared secret, which must be configured on the switch as well as on the
RADIUS server. For more information about configuring the source address and shared secret on the
switch, see “Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch” on page 365.
Disconnect Messages
The RADIUS server sends a Disconnect-Request message to the switch in order to terminate a user session
and discard all associated session context. The switch responds to a Disconnect-Request packet with a
Disconnect-ACK message if the request is successful, that is, all associated session context is discarded
and the user session is no longer connected, or with a Disconnect-NAK packet if the request fails, that is,
the authenticator is unable to disconnect the session and discard all associated session context.
In Disconnect-Request messages, RADIUS attributes are used to uniquely identify the switch (NAS) and
the user session. The combination of NAS identification attributes and session identification attributes
included in the message must match at least one session for the request to be successful; otherwise, the
switch responds with a Disconnect-NAK message. A Disconnect-Request message can contain only NAS
and session identification attributes; if any other attributes are included, the switch responds with a
Disconnect-NAK message.
Change of Authorization (CoA) messages contain information for dynamically modifying the authorization
attributes for a user session to change the authorization level. This occurs as part of a two-step
authentication process, in which the endpoint is first authenticated using MAC RADIUS authentication,
and is then profiled based on the type of device. The CoA message is used to apply an enforcement policy
that is appropriate for the device, typically by changing the data filters or the VLAN.
The switch responds to a CoA message with a CoA-ACK message if the authorization change is successful,
or with a CoA-NAK message if the change is unsuccessful. If one or more authorization changes specified
in a CoA-Request message cannot be carried out, the switch responds with a CoA-NAK message.
In CoA-Request messages, RADIUS attributes are used to uniquely identify the switch (acting as the NAS)
and the user session. The combination of NAS identification attributes and session identification attributes
included in the message must match the identification attributes of at least one session for the request to
be successful; otherwise, the switch responds with a CoA-NAK message.
CoA-Request packets also include the session authorization attributes that will be modified if the request
is accepted. The supported session authorization attributes are listed below. The CoA message can contain
any or all of these attributes. If any attribute is not included as part of the CoA-Request message, the NAS
assumes that the value for that attribute is to remain unchanged.
• Filter-ID
• Tunnel-Private-Group-ID
• Juniper-Switching-Filter
• Juniper-VoIP-VLAN
• Session-Timeout
When a CoA message is used to change the VLAN for an authenticated host, end devices such as printers
do not have a mechanism to detect the VLAN change, so they do not renew the lease for their DHCP
address in the new VLAN. Starting in Junos OS Release 17.3, the port bounce feature can be used to force
the end device to initiate DHCP re-negotiation by causing a link flap on the authenticated port.
The command to bounce the port is sent from the RADIUS server using a Juniper Networks vendor-specific
attribute (VSA). The port is bounced if the following VSA attribute-value pair is received in the CoA message
from the RADIUS server:
• Juniper-AV-Pair = “Port-Bounce”
To enable the port bounce feature, you must update the Junos dictionary file (juniper.dct) on the RADIUS
server with the Juniper-AV-Pair VSA. Locate the dictionary file and add the following text to the file:
For more information about adding the VSA, consult the FreeRADIUS documentation.
You can disable the feature by configuring the ignore-port-bounce statement at the [edit protocols dot1x
authenticator interface interface-name] hierarchy level.
Error-Cause Codes
When a disconnect or CoA operation is unsuccessful, an Error-Cause attribute (RADIUS attribute 101)
can be included in the response message sent by the NAS to the server to provide detail about the cause
of the problem. If the detected error does not map to one of the supported Error-Cause attribute values,
the router sends the message without an error-cause attribute. See Table 23 on page 359 for descriptions
of error-cause codes that can be included in response messages sent from the NAS.
Code  Cause  Description
201  Residual session context removed: Sent in response to a Disconnect-Request message if one or more user
sessions are no longer active, but residual session context was found and successfully removed. This code is
sent only within a Disconnect-ACK message.
401  Unsupported attribute: The request contains an attribute that is not supported (for example, a
third-party attribute).
402  Missing attribute: A critical attribute (for example, the session identification attribute) is missing
from a request.
403  NAS identification mismatch: Request contains one or more NAS identification attributes that do not
match the identity of the NAS receiving the request.
404  Invalid request: Some other aspect of the request is invalid, for example, one or more attributes are
not formatted properly.
405  Unsupported service: The Service-Type attribute included with the request contains an invalid or
unsupported value.
406  Unsupported extension: The entity receiving the request (either a NAS or a RADIUS proxy) does not
support RADIUS-initiated requests.
407  Invalid attribute value: The request contains an attribute with an unsupported value.
503  Session context not found: The session context identified in the request does not exist on the NAS.
504  Session context not removable: The subscriber identified by attributes in the request is owned by a
component that is not supported. This code is sent only within a Disconnect-NAK message.
506  Resources unavailable: A request could not be honored because of lack of available NAS resources
(such as memory).
507  Request initiated: The CoA-Request message includes a Service-Type attribute with a value of
Authorize Only.
508  Multiple session selection unsupported: The session identification attributes included in the request
match multiple sessions, but the NAS does not support requests that apply to multiple sessions.
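The Disconnect-Request processing described above (trusted source, shared-secret check, attribute restrictions, session matching) together with the Error-Cause codes in the table, as an added Python model of the switch (NAS) side; this is not Juniper's code, and the session table, server address and shared secret are constructed for the example.

```python
import hashlib
import hmac
import socket
import struct

# RADIUS packet codes from RFC 5176 (Dynamic Authorization Extensions).
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
# Standard attribute numbers (RFC 2865, RFC 2866, RFC 5176).
USER_NAME, NAS_IP_ADDRESS, CALLING_STATION_ID, NAS_IDENTIFIER = 1, 4, 31, 32
ACCT_SESSION_ID, ERROR_CAUSE = 44, 101
NAS_ID_ATTRS = {NAS_IP_ADDRESS, NAS_IDENTIFIER}
# Session identification attribute -> key in the (hypothetical) session records.
SESSION_ID_ATTRS = {USER_NAME: "user", CALLING_STATION_ID: "mac", ACCT_SESSION_ID: "session_id"}
# Error-Cause values from Table 23 that this model can return.
UNSUPPORTED_ATTRIBUTE, MISSING_ATTRIBUTE, NAS_ID_MISMATCH, INVALID_REQUEST = 401, 402, 403, 404
SESSION_NOT_FOUND, MULTIPLE_SESSIONS_UNSUPPORTED = 503, 508


def encode_attributes(attrs):
    """Serialize (type, value) pairs as RADIUS type-length-value attributes."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def parse_attributes(data):
    """Split the attribute region back into (type, value) pairs; raise on bad lengths."""
    attrs = []
    while data:
        if len(data) < 2 or not 2 <= data[1] <= len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return attrs


def build_packet(code, ident, attrs, secret, request_auth=None):
    """Build a RADIUS packet. A request's authenticator is MD5 over the packet with
    16 zero bytes in the authenticator field plus the shared secret (RFC 5176); a
    response puts the request's authenticator in that field instead (RFC 2865)."""
    body = encode_attributes(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    filler = bytes(16) if request_auth is None else request_auth
    return header + hashlib.md5(header + filler + body + secret).digest() + body


def verify_response(response, request_auth, secret):
    """Check a response's authenticator against the request it answers."""
    header, auth, body = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return hmac.compare_digest(expected, auth)


def handle_disconnect_request(packet, source_ip, trusted_servers, nas_ip, sessions):
    """Model of the switch (NAS) side of a Disconnect-Request.

    trusted_servers maps server IP -> shared secret; sessions is a list of dicts
    with 'user', 'mac' and 'session_id' keys. Returns (response_bytes, code,
    error_cause), or None when the request is discarded without a reply."""
    secret = trusted_servers.get(source_ip)
    if secret is None or len(packet) < 20:
        return None  # not a trusted source: silently discard
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST or length != len(packet):
        return None
    header, req_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(expected, req_auth):
        return None  # wrong shared secret: treat like an untrusted source

    def reply(rcode, cause=None):
        attrs = [] if cause is None else [(ERROR_CAUSE, struct.pack("!I", cause))]
        return build_packet(rcode, ident, attrs, secret, req_auth), rcode, cause

    try:
        attrs = parse_attributes(body)
    except ValueError:
        return reply(DISCONNECT_NAK, INVALID_REQUEST)
    # Only NAS identification and session identification attributes are allowed.
    if any(t not in NAS_ID_ATTRS and t not in SESSION_ID_ATTRS for t, _ in attrs):
        return reply(DISCONNECT_NAK, UNSUPPORTED_ATTRIBUTE)
    selectors = [(SESSION_ID_ATTRS[t], v.decode("ascii", "replace"))
                 for t, v in attrs if t in SESSION_ID_ATTRS]
    if not selectors:
        return reply(DISCONNECT_NAK, MISSING_ATTRIBUTE)
    if any(t == NAS_IP_ADDRESS and v != socket.inet_aton(nas_ip) for t, v in attrs):
        return reply(DISCONNECT_NAK, NAS_ID_MISMATCH)
    # Every supplied session identification attribute must match the same session.
    matches = [s for s in sessions if all(s.get(k) == val for k, val in selectors)]
    if not matches:
        return reply(DISCONNECT_NAK, SESSION_NOT_FOUND)
    if len(matches) > 1:
        return reply(DISCONNECT_NAK, MULTIPLE_SESSIONS_UNSUPPORTED)
    sessions.remove(matches[0])  # discard the session context
    return reply(DISCONNECT_ACK)
```

A request from an address that is not in the trusted list, or one whose authenticator does not verify under the configured secret, gets no reply at all, which is the behaviour to expect when a misconfigured server address or secret makes CoA appear to "hang".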
There are two ways to configure a RADIUS server with port firewall filters (Layer 2 firewall filters):
• Include one or more filter terms in the Juniper-Switching-Filter attribute. The Juniper-Switching-Filter
attribute is a vendor-specific attribute (VSA) listed under attribute ID number 48 in the Juniper dictionary
on the RADIUS server. Use this VSA to configure simple filter conditions for 802.1X authenticated users.
Nothing needs to be configured on the switch; all of the configuration is on the RADIUS server.
• Configure a local firewall filter on each switch and apply that firewall filter to users authenticated through
the RADIUS server. Use this method for more complex filters. The firewall filter must be configured on
each switch.
NOTE: If the firewall filter configuration is modified after users are authenticated using the
802.1X authentication, then the established 802.1X authentication session must be terminated
and re-established for the firewall filter configuration changes to take effect.
You can configure simple filter conditions by using the Juniper-Switching-Filter attribute in the Juniper
dictionary on the RADIUS server. These filters are sent to a switch whenever a new user is authenticated
successfully. The filters are created and applied on all EX Series switches that authenticate users through
that RADIUS server without the need for you to configure anything on each individual switch.
To configure the Juniper-Switching-Filter attribute, enter one or more filter terms by using the CLI for the
RADIUS server. Each filter term consists of match conditions with a corresponding action. Enter the filter
terms enclosed within quotation marks (" ") by using the following syntax:
More than one match condition can be included in a filter term. When multiple conditions are specified in
a filter term, they must all be fulfilled for the packet to match the filter term. For example, the following
filter term requires a packet to match both the destination IP address and the destination MAC address
to meet the term criteria:
See “Juniper-Switching-Filter VSA Match Conditions and Actions” on page 215 for definitions of match
conditions and actions.
NOTE: On EX9200 switches, and in a Junos Fusion Enterprise with EX9200 as the aggregate
device, the dynamic firewall filter is strictly applied for all IP packets. If the filter is configured
to allow only a specific destination IP address, packets with other IP addresses as the destination
IP will be dropped per the filter rules. This includes any IP protocol packets, such as DHCP, IGMP
and ARP packets.
1. Verify that the Juniper dictionary is loaded on your RADIUS server and includes the filtering attribute
Juniper-Switching-Filter (attribute ID 48):
# dictionary.juniper
#
# Version: $Id: dictionary.juniper,v 1.2.6.1 2005/11/30 22:17:25 aland Exp $
# VENDOR Juniper 2636
BEGIN-VENDOR Juniper
ATTRIBUTE Juniper-Local-User-Name 1 string
ATTRIBUTE Juniper-Allow-Commands 2 string
ATTRIBUTE Juniper-Deny-Commands 3 string
ATTRIBUTE Juniper-Allow-Configuration 4 string
ATTRIBUTE Juniper-Deny-Configuration 5 string
ATTRIBUTE Juniper-Switching-Filter 48 string    # the filtering attribute (ID 48)
• To deny authentication based on the 802.1Q tag (here, the 802.1Q tag is 10):
[root@freeradius]# cd /usr/local/etc/raddb
vi users
• To set the packet loss priority (PLP) to high based on a destination MAC address and the IP protocol:
[root@freeradius]# cd /usr/local/etc/raddb
vi users
NOTE: For the forwarding-class option to be applied, the forwarding class must be
configured on the switch and the packet loss priority specified. If it is not configured on
the switch, this option is ignored. You must specify both the forwarding class and the packet
loss priority.
You can apply a port firewall filter (Layer 2 firewall filter) to user policies centrally from the RADIUS server.
The RADIUS server can then specify the firewall filters that are to be applied to each user that requests
authentication, reducing the need to configure the same firewall filter on multiple switches. Use this method
when the firewall filter contains a large number of conditions or you want to use different conditions for
the same filter on different switches. The firewall filters must be configured on each switch.
For more information about firewall filters, see Firewall Filters for EX Series Switches Overview.
NOTE: If port firewall filters are also configured locally for the interface, then the firewall filters
configured by using VSAs take precedence if they conflict with the locally configured port firewall
filters. If there is no conflict, they are merged.
1. Create the firewall filter on the local switch. See Configuring Firewall Filters (CLI Procedure) for more
information on configuring a port firewall filter.
2. On the RADIUS server, open the users file to display the local user profiles of the end devices to which
you want to apply the filter:
[root@freeradius]# cat /usr/local/etc/raddb/users
3. Apply the filter to each user profile by adding the Filter-ID attribute with the filter name as the attribute
value:
Filter-Id = filter-name
For example, the user profile below for supplicant1 includes the Filter-ID attribute with the filter name
filter1:
NOTE: Multiple filters are not supported on a single interface. However, you can support
multiple filters for multiple users that are connected to the switch on the same interface by
configuring a single filter with policies for each of those users.
IN THIS SECTION
Requirements | 366
Configuration | 368
Verification | 369
802.1X is the IEEE standard for port-based network access control (PNAC). You use 802.1X to control
network access. Only users and devices providing credentials that have been verified against a user database
are allowed access to the network. You can use a RADIUS server as the user database for 802.1X
authentication, as well as for MAC RADIUS authentication.
This example describes how to connect a RADIUS server to an EX Series switch, and configure it for
802.1X:
Requirements
• One EX Series switch acting as an authenticator port access entity (PAE). The ports on the authenticator
PAE form a control gate that blocks all traffic to and from supplicants until they are authenticated.
• One RADIUS authentication server that supports 802.1X. The authentication server acts as the backend
database and contains credential information for hosts (supplicants) that have permission to connect to
the network.
Before you connect the server to the switch, be sure you have:
• Performed basic bridging and VLAN configuration on the switch. See the documentation that describes
setting up basic bridging and a VLAN for your switch. If you are using a switch that supports the Enhanced
Layer 2 Software (ELS) configuration style, see Example: Setting Up Basic Bridging and a VLAN for an EX
Series Switch with ELS Support . For all other switches, see Example: Setting Up Basic Bridging and a VLAN
for an EX Series Switch.
NOTE: For more about ELS, see Using the Enhanced Layer 2 Software CLI.
The EX Series switch acts as an authenticator PAE. It blocks all traffic and acts as a control gate until the
supplicant (client) is authenticated by the server. All other users and devices are denied access.
Figure 7 on page 367 shows one EX4200 switch that is connected to the devices listed in
Table 24 on page 368.
Property           Settings
Switch hardware    EX4200 access switch, 24 Gigabit Ethernet ports: 8 PoE ports (ge-0/0/0 through ge-0/0/7) and 16 non-PoE ports (ge-0/0/8 through ge-0/0/23)
One RADIUS server  Backend database with address 10.0.0.100, connected to the switch at port ge-0/0/10
In this example, connect the RADIUS server to access port ge-0/0/10 on the EX4200 switch. The switch
acts as the authenticator and forwards credentials from the supplicant to the user database on the RADIUS
server. You must configure connectivity between the EX4200 and the RADIUS server by specifying the
address of the server and configuring the secret password. This information is configured in an access
profile on the switch.
NOTE: For more information about authentication, authorization, and accounting (AAA) services,
see the Junos OS System Basics Configuration Guide.
Configuration
[edit]
Step-by-Step Procedure
To connect the RADIUS server to the switch:
1. Define the address of the servers, and configure the secret password. The secret password on the
switch must match the secret password on the server:
[edit]
user@switch# set access radius-server 10.0.0.100 secret juniper
user@switch# set access radius-server 10.0.0.200 secret juniper
2. Configure the authentication order, making radius the first method of authentication:
[edit]
user@switch# set access profile profile1 authentication-order radius
3. Configure a list of server IP addresses to be tried in sequential order to authenticate the supplicant:
[edit]
user@switch# set access profile profile1 radius authentication-server [10.0.0.100 10.0.0.200]
Results
Display the results of the configuration:
Verification
IN THIS SECTION
Verify That the Switch and RADIUS Server Are Properly Connected | 370
Verify That the Switch and RADIUS Server Are Properly Connected
Purpose
Verify that the RADIUS server is connected to the switch on the specified port.
Action
Ping the RADIUS server to verify the connection between the switch and the server:
Meaning
ICMP echo request packets are sent from the switch to the target server at 10.0.0.100 to test whether
the server is reachable across the IP network. ICMP echo responses are being returned from the server,
verifying that the switch and the server are connected.
You can use RADIUS server attributes to implement port firewall filters on a RADIUS authentication server.
These filters can be dynamically applied to supplicants that request authentication through that server.
RADIUS server attributes are clear-text fields encapsulated in Access-Accept messages sent from the
authentication server to the switch when a supplicant connected to the switch is successfully authenticated.
The switch, acting as the authenticator, uses the information in the RADIUS attributes to apply the related
filters to the supplicant. Dynamic filters can be applied to multiple ports on the same switch, or to multiple
switches that use the same authentication server, providing centralized access control for the network.
You can define firewall filters directly on the RADIUS server by using the Juniper-Switching-Filter attribute,
which is a RADIUS attribute specific to Juniper Networks, also known as a vendor-specific attribute (VSA).
VSAs (RADIUS attribute type 26) are described in RFC 2865, Remote Authentication Dial In User Service
(RADIUS), which obsoletes RFC 2138. The Juniper-Switching-Filter VSA is listed under attribute ID number 48
in the Juniper dictionary on the RADIUS server, with the vendor ID set to the Juniper Networks ID number
2636. Using this attribute, you define filters on the authentication server, which are applied on all switches
that authenticate supplicants through that server. This method eliminates the need to configure the same
filters on multiple switches.
Alternatively, you can apply a port firewall filter to multiple ports on the same switch by using the Filter-ID
attribute, which is RADIUS attribute ID number 11. To use the Filter-ID attribute, you must first configure
a filter on the switch, and then add the filter name to user policies on the RADIUS server as the value of
the Filter-ID attribute. When a supplicant defined in one of those policies is authenticated by the RADIUS
server, the filter is applied to the switch port that has been authenticated for the supplicant. Use this
method when the firewall filter has complex conditions, or if you want to use different conditions for the
same filter on different switches. The filter named in the Filter-ID attribute must be configured locally on
the switch at the [edit firewall family ethernet-switching filter] hierarchy level.
VSAs are supported only for 802.1X single supplicant configurations and multiple supplicant configurations.
VLANs can be dynamically assigned by a RADIUS server to supplicants requesting 802.1X authentication
through that server. You configure the VLAN on the RADIUS server using RADIUS server attributes, which
are clear-text fields encapsulated in messages sent from the authentication server to the switch when a
supplicant connected to the switch requests authentication. The switch, acting as the authenticator, uses
the information in the RADIUS attributes to assign the VLAN to the supplicant. Based on the results of
the authentication, a supplicant that began authentication in one VLAN might be assigned to another
VLAN.
Successful authentication requires that the VLAN ID or VLAN name is configured on the switch acting as
802.1X authenticator, and that it matches the VLAN ID or VLAN name sent by the RADIUS server during
authentication. If neither exists, the end device is not authenticated. If a guest VLAN is established, the
unauthenticated end device is automatically moved to the guest VLAN.
The RADIUS server attributes used for dynamic VLAN assignment are described in RFC 2868, RADIUS
Attributes for Tunnel Protocol Support:
• Tunnel-Type—Defined as RADIUS attribute type 64. The value should be set to VLAN.
• Tunnel-Medium-Type—Defined as RADIUS attribute type 65. The value should be set to IEEE-802.
• Tunnel-Private-Group-ID—Defined as RADIUS attribute type 81. The value should be set to the VLAN
ID or the VLAN name.
For more information about configuring dynamic VLANs on your RADIUS server, see the documentation
for your RADIUS server.
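The decoding that the authenticator has to perform on these attributes is illustrated by the following Python script. It is an added example, not Junos OS or Juniper code: it encodes the Filter-ID attribute, the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID triple, and the Juniper-Switching-Filter VSA from the preceding two topics into RADIUS wire format and decodes them back, honoring a VLAN only when the tagged triple is consistent (Tunnel-Type VLAN, Tunnel-Medium-Type IEEE-802, same tag). The attribute payload is constructed for the example, the filter name guest-filter is a hypothetical filter that would have to exist at the [edit firewall family ethernet-switching filter] hierarchy level on the switch, and the switching-filter term is a sample term in the Juniper-Switching-Filter syntax.

```python
"""Encode and decode the 802.1X authorization attributes of an Access-Accept.
Added illustration, not Junos OS or Juniper code."""
import struct

# Standard attribute types (RFC 2865, RFC 2868) and IANA values
FILTER_ID = 11
VENDOR_SPECIFIC = 26
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type value "IEEE-802"
# Juniper dictionary: vendor ID 2636, Juniper-Switching-Filter is VSA type 48
JUNIPER_VENDOR_ID = 2636
JUNIPER_SWITCHING_FILTER = 48


def attr(atype, value):
    """Encode one attribute as Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def tagged(tag, value):
    """Prefix the RFC 2868 tag octet; integers become the 3-octet Value field."""
    if isinstance(value, int):
        value = value.to_bytes(3, "big")
    return bytes([tag]) + value


def juniper_vsa(vendor_type, value):
    """Wrap a Juniper sub-attribute in Vendor-Specific (26) with vendor ID 2636."""
    sub = bytes([vendor_type, len(value) + 2]) + value
    return attr(VENDOR_SPECIFIC, struct.pack("!I", JUNIPER_VENDOR_ID) + sub)


def parse_tlvs(data):
    """Split a Type/Length/Value sequence, rejecting lengths that overrun the buffer."""
    out, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        atype, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("attribute length out of range")
        out.append((atype, data[i + 2:i + length]))
        i += length
    return out


def split_tag(value, is_string):
    """RFC 2868: 0x00 is untagged, 0x01-0x1F is a tag; for string attributes a
    first octet above 0x1F is data, not a tag."""
    if not value:
        raise ValueError("empty tagged attribute")
    if value[0] > 0x1F:
        if not is_string:
            raise ValueError("invalid tag octet")
        return 0, value
    return value[0], value[1:]


def authorization(attr_blob):
    """Return the VLAN, the Filter-ID name and the Juniper-Switching-Filter terms."""
    result = {"vlan": None, "filter_id": None, "switching_filters": []}
    tunnels = {}  # tag -> {"type": int, "medium": int, "group": str}
    for atype, value in parse_tlvs(attr_blob):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            tag, rest = split_tag(value, is_string=False)
            if len(rest) != 3:
                raise ValueError("tunnel integer attribute must be 3 octets")
            key = "type" if atype == TUNNEL_TYPE else "medium"
            tunnels.setdefault(tag, {})[key] = int.from_bytes(rest, "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            tag, rest = split_tag(value, is_string=True)
            tunnels.setdefault(tag, {})["group"] = rest.decode("ascii")
        elif atype == FILTER_ID:
            result["filter_id"] = value.decode("ascii")
        elif atype == VENDOR_SPECIFIC and len(value) >= 4:
            if struct.unpack("!I", value[:4])[0] == JUNIPER_VENDOR_ID:
                for vtype, vvalue in parse_tlvs(value[4:]):
                    if vtype == JUNIPER_SWITCHING_FILTER:
                        result["switching_filters"].append(vvalue.decode("ascii"))
    # Only a consistent triple (same tag) assigns a VLAN; the value is the VLAN ID or name as sent.
    for tunnel in tunnels.values():
        if (tunnel.get("type") == TUNNEL_TYPE_VLAN
                and tunnel.get("medium") == TUNNEL_MEDIUM_IEEE_802
                and "group" in tunnel):
            result["vlan"] = tunnel["group"]
            break
    return result


# Constructed Access-Accept payload (not a capture); "guest-filter" is hypothetical.
SAMPLE_ACCEPT_ATTRS = (
    attr(TUNNEL_TYPE, tagged(1, TUNNEL_TYPE_VLAN))
    + attr(TUNNEL_MEDIUM_TYPE, tagged(1, TUNNEL_MEDIUM_IEEE_802))
    + attr(TUNNEL_PRIVATE_GROUP_ID, tagged(1, b"vlan-sf"))
    + attr(FILTER_ID, b"guest-filter")
    + juniper_vsa(JUNIPER_SWITCHING_FILTER, b"match source-dot1q-tag 10 action deny")
)
# Same triple, but Tunnel-Type is not VLAN: no VLAN may be taken from it.
SAMPLE_NOT_VLAN = (
    attr(TUNNEL_TYPE, tagged(2, 1))
    + attr(TUNNEL_MEDIUM_TYPE, tagged(2, TUNNEL_MEDIUM_IEEE_802))
    + attr(TUNNEL_PRIVATE_GROUP_ID, tagged(2, b"50"))
)
```

Run `authorization(SAMPLE_ACCEPT_ATTRS)` to see the three authorization items an accepting server can push to the port in one message. The tag check matters in practice: a Tunnel-Private-Group-ID that is not paired with a VLAN Tunnel-Type of the same tag is not a VLAN assignment, and a switch that treated it as one would move the port on an attribute the server did not intend.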
Guest VLANs can be configured on switches that are using 802.1X authentication to provide limited
access (typically only to the Internet) for corporate guests. A guest VLAN is used as a fallback only when
all of the following apply:
• The supplicant is not 802.1X-enabled and does not respond to EAP messages.
• MAC RADIUS authentication has not been configured on the switch interfaces to which the supplicant
is connected.
• Captive portal has not been configured on the switch interfaces to which the supplicant is connected.
A guest VLAN is not used for supplicants that send incorrect credentials. Those supplicants are directed
to the server-reject VLAN instead.
For end devices that are not 802.1X-enabled, a guest VLAN can allow limited access to a server from
which the non-802.1X-enabled end device can download the supplicant software and attempt authentication
again.
SEE ALSO
Example: Setting Up 802.1X in Conference Rooms to Provide Internet Access to Corporate Visitors
on an EX Series Switch | 413
Understanding Authentication on Switches | 326
IN THIS SECTION
Requirements | 373
Configuration | 376
Verification | 377
Server fail fallback enables you to specify how 802.1X supplicants connected to the switch are supported
if the RADIUS authentication server becomes unavailable.
You use 802.1X to control network access. Only users and devices (supplicants) providing credentials that
have been verified against a user database are allowed access to the network. You use a RADIUS server
as the user database.
This example describes how to configure an interface to move a supplicant to a VLAN in the event of a
RADIUS server timeout:
Requirements
• One EX Series switch acting as an authenticator port access entity (PAE). The ports on the authenticator
PAE form a control gate that blocks all traffic to and from supplicants until they are authenticated.
• One RADIUS authentication server that supports 802.1X. The authentication server acts as the backend
database and contains credential information for hosts (supplicants) that have permission to connect to
the network.
Before you connect the server to the switch, be sure you have:
• Performed basic bridging and VLAN configuration on the switch. See the documentation that describes
setting up basic bridging and a VLAN for your switch. If you are using a switch that supports the Enhanced
Layer 2 Software (ELS) configuration style, see Example: Setting Up Basic Bridging and a VLAN for an EX
Series Switch with ELS Support or Example: Setting Up Basic Bridging and a VLAN on Switches. For all other
switches, see Example: Setting Up Basic Bridging and a VLAN for an EX Series Switch.
NOTE: For more about ELS, see Using the Enhanced Layer 2 Software CLI.
• Set up a connection between the switch and the RADIUS server. See “Example: Connecting a RADIUS
Server for 802.1X to an EX Series Switch” on page 365.
A RADIUS server timeout occurs if no authentication RADIUS servers are reachable when a supplicant
logs in and attempts to access the LAN. Using server fail fallback, you configure alternative options for
supplicants attempting LAN access. You can configure the switch to accept or deny access to supplicants
or to maintain the access already granted to supplicants before the RADIUS server timeout. Additionally,
you can configure the switch to move supplicants to a specific VLAN if a RADIUS timeout occurs.
Figure 8 on page 375 shows the topology used for this example. The RADIUS server is connected to the
EX4200 switch on access port ge-0/0/10. The switch acts as the authenticator port access entity (PAE)
and forwards credentials from the supplicant to the user database on the RADIUS server. The switch blocks
all traffic and acts as a control gate until the supplicant is authenticated by the authentication server. A
supplicant is connected to the switch through interface ge-0/0/1.
Property            Settings
Switch hardware     EX4200 access switch, 24 Gigabit Ethernet ports: 16 non-PoE ports and 8 PoE ports
VLAN                vlan-sf
One RADIUS server   Backend database with the address 10.0.0.100, connected to the switch at port ge-0/0/10
In this example, configure interface ge-0/0/1 to move a supplicant attempting access to the LAN during
a RADIUS timeout to another VLAN. A RADIUS timeout prevents the normal exchange of EAP messages
that carry information from the RADIUS server to the switch and permit the authentication of a supplicant.
The default VLAN is configured on interface ge-0/0/1. When a RADIUS timeout occurs, supplicants on
the interface will be moved from the default VLAN to the VLAN named vlan-sf.
Configuration
Step-by-Step Procedure
To configure an interface to divert supplicants to a specific VLAN when a RADIUS timeout occurs (here,
the VLAN is vlan-sf):
Results
Display the results of the configuration:
protocols {
    dot1x {
        authenticator {
            interface {
                ge-0/0/1.0 {
                    server-fail vlan-name vlan-sf;
                }
            }
        }
    }
}
Verification
IN THIS SECTION
Verifying That the Supplicants Are Moved to an Alternative VLAN During a RADIUS Timeout | 377
Verifying That the Supplicants Are Moved to an Alternative VLAN During a RADIUS Timeout
Purpose
Verify that the interface moves supplicants to an alternative VLAN during a RADIUS timeout.
NOTE: On switches running Junos OS for EX Series with support for ELS, the output for the
show vlans command will contain additional information. If your switch runs software that
supports ELS, see show vlans. For ELS details, see Using the Enhanced Layer 2 Software CLI.
Action
Display the VLANs configured on the switch; the interface ge-0/0/1.0 is a member of the default VLAN:
Name       Tag    Interfaces
mgmt              me0.0*
vlan-sf    50     None
Display 802.1X protocol information on the switch to view supplicants that are authenticated on interface
ge-0/0/1.0:
802.1X Information:
Interface Role State MAC address User
ge-0/0/1.0 Authenticator Authenticated 00:00:00:00:00:01 abc
ge-0/0/10.0 Authenticator Initialize
ge-0/0/14.0 Authenticator Connecting
ge-0/0/15.0 Authenticator Initialize
ge-0/0/20.0 Authenticator Initialize
A RADIUS server timeout occurs. Display the Ethernet switching table to show that the supplicant with
the MAC address 00:00:00:00:00:01 previously accessing the LAN through the default VLAN is now being
learned on the VLAN named vlan-sf:
Display 802.1X protocol information to show that interface ge-0/0/1.0 is connecting and will open LAN
access to supplicants:
802.1X Information:
Interface Role State MAC address User
Meaning
The show vlans command displays interface ge-0/0/1.0 as a member of the default VLAN. The show
dot1x interface brief command shows that a supplicant (abc) is authenticated on interface ge-0/0/1.0 and
has the MAC address 00:00:00:00:00:01. A RADIUS server timeout occurs, and the authentication server
cannot be reached by the switch. The show ethernet-switching table command shows that MAC address
00:00:00:00:00:01 is learned on VLAN vlan-sf. The supplicant has been moved from the default VLAN to
the vlan-sf VLAN and is now connected to the LAN through the VLAN named vlan-sf.
IN THIS SECTION
Requirements | 380
Configuration | 382
Verification | 384
For 802.1X user authentication, EX Series switches support RADIUS authentication servers that are using
Extensible Authentication Protocol–Tunneled TLS (EAP-TTLS) to authenticate Odyssey Access Client
(OAC) supplicants. OAC networking software runs on endpoint computers (desktop, laptop, or notepad
computers and supported wireless devices) and provides secure access to both wired and wireless networks.
This example describes how to configure an 802.1X-enabled interface on the switch to provide fallback
support for OAC users who have entered incorrect login credentials:
Requirements
• One EX Series switch acting as an authenticator port access entity (PAE). The ports on the authenticator
PAE form a control gate that blocks all traffic to and from supplicants until they are authenticated.
• One RADIUS authentication server that supports 802.1X. The authentication server acts as the backend
database and contains credential information for hosts (supplicants) that have permission to connect to
the network.
Before you begin configuring the fallback option, ensure that you have:
• Set up a connection between the switch and the RADIUS server. See “Example: Connecting a RADIUS
Server for 802.1X to an EX Series Switch” on page 365.
• Configured users on the RADIUS server. See your RADIUS server documentation.
OAC is networking software that runs on endpoint computers (desktop, laptop, or notepad) and supported
wireless devices. OAC provides full support for EAP, which is required for secure wireless LAN access.
In this topology, OAC is deployed with an 802.1X-enabled switch and a RADIUS server. The switch functions
as an enforcement point in the network security architecture. This topology:
This example includes the configuration of a server-reject VLAN on the switch, which can be used to
prevent accidental lockout for users who have entered incorrect login credentials. These users can be
given limited LAN access.
However, this fallback configuration is complicated by the fact that the OAC supplicant and RADIUS server
are using EAP-TTLS. EAP-TTLS creates a secure encrypted tunnel between the server and the end device
to complete the authentication process. When the user enters incorrect login credentials, the RADIUS
server sends EAP failure messages directly to the client through this tunnel. The EAP failure message
causes the client to restart the authentication procedure, so that the switch’s 802.1X authentication process
tears down the session that was established with the switch using the server-reject VLAN. You can enable
the remedial connection to continue by configuring:
• eapol-block—Enable the EAPoL block timer on the 802.1X interface that is configured to belong to the
server-reject VLAN. The block timer causes the authentication port access entity to ignore EAP start
messages from the client, attempting to restart the authentication procedure.
NOTE: The EAPoL block timer is triggered only after the configured number of allowed
reattempts (using the retries option) on the 802.1X interface have been exhausted. You can
configure retries to specify the number of times the switch attempts to authenticate the port
after an initial failure. The default is three retries.
• block-interval—Configure the amount of time that you want the EAPoL block timer to continue to ignore
EAP start messages. If you do not configure the block interval, the EAPoL block timer defaults to 120
seconds.
When the 802.1X interface ignores the EAP start messages from the client, the switch allows the existing
remedial session that was established through the server-reject VLAN to remain open.
These configuration options apply to single, single-secure, and multiple supplicant authentication modes.
In this example, the 802.1X interface is configured in single supplicant mode.
Figure 9 on page 382 shows an EX Series switch connecting an OAC end device to a RADIUS server, and
indicates the protocols being used to connect the network entities.
Figure 9: EX Series Switch Connecting OAC to RADIUS Server Using EAP-TTLS Authentication
Property            Settings
VLANs               default
Configuration
[edit]
set vlans remedial vlan-id 700
set protocols dot1x authenticator interface ge-0/0/8 retries 4
set protocols dot1x authenticator interface ge-0/0/8 server-reject-vlan remedial
set protocols dot1x authenticator interface ge-0/0/8 server-reject-vlan eapol-block
set protocols dot1x authenticator interface ge-0/0/8 server-reject-vlan block-interval 130
Step-by-Step Procedure
To configure the fallback options for EAP-TTLS and OAC supplicants:
TIP: In this example, the switch has only one server-reject VLAN. Therefore, the configuration
specifies eapol-block and block-interval directly after server-reject-vlan. However, if you have
configured multiple VLANs on the switch, you must include the VLAN name or VLAN ID directly
after server-reject-vlan to indicate which VLAN is being modified.
1. Configure a VLAN that will function as the server-reject VLAN to provide limited LAN access for users
who have entered incorrect login credentials:
[edit]
user@switch# set vlans remedial vlan-id 700
2. Configure the number of times for the client to be prompted for username and password before an
incorrect login is directed to the server-reject VLAN:
3. Configure the 802.1X authenticator interface to use the server-reject VLAN as a fallback for incorrect
logins:
4. Enable the EAPoL block timer on the 802.1X interface that is configured to belong to the server-reject
VLAN.
5. Configure the amount of time for the EAPoL block to remain in effect:
Results
protocols {
    dot1x {
        authenticator {
            interface {
                ge-0/0/8.0 {
                    supplicant single;
                    retries 4;
                    server-reject-vlan remedial block-interval 130 eapol-block;
                }
            }
        }
    }
}
Verification
To confirm that the configuration and the fallback options are working correctly, perform this task:
Purpose
Verify that the 802.1X interface is configured with the desired options.
Action
ge-0/0/8.0
Role: Authenticator
Administrative state: Auto
Supplicant mode: Single
Number of retries: 4
Quiet period: 60 seconds
Transmit period: 30 seconds
Mac Radius: Disabled
Mac Radius Restrict: Disabled
Reauthentication: Enabled
Configured Reauthentication interval: 120 seconds
Supplicant timeout: 30 seconds
Server timeout: 30 seconds
Meaning
The show dot1x interface ge-0/0/8 detail command output shows that the ge-0/0/8 interface is in the
Authenticated state and that it is using the remedial VLAN.
J-Web Application package Release 14.1X53-A2 does not support 802.1X authentication on
EX4600 switches.
Use the monitoring feature to display details of authenticated users and users that failed authentication.
Action
To display authentication details in the J-Web interface, select Monitoring > Security > 802.1X.
Meaning
The details displayed include:
You can also specify an interface for which the details must be displayed.
Action
Display detailed information about an interface configured for 802.1X (here, the interface is ge-0/0/16):
ge-0/0/16.0
Role: Authenticator
Administrative state: Auto
Supplicant mode: Single
Number of retries: 3
Quiet period: 60 seconds
Transmit period: 30 seconds
Mac Radius: Enabled
Mac Radius Strict: Disabled
Reauthentication: Enabled
Reauthentication interval: 40 seconds
Supplicant timeout: 30 seconds
Server timeout: 30 seconds
Maximum EAPOL requests: 1
Meaning
The sample output from the show dot1x interface detail command shows that the Number of connected
supplicants is 1. The supplicant that was authenticated and is now connected to the LAN is known as
user5 on the RADIUS server and has the MAC address 00:30:48:8C:66:BD. The supplicant was authenticated
by means of the 802.1X authentication method called RADIUS authentication, as indicated by Radius in
the output. When RADIUS authentication is used, the supplicant is configured on the RADIUS server, the
RADIUS server communicates this to the switch, and the switch opens LAN access on the interface to
which the supplicant is connected. The sample output also shows that the supplicant is connected to VLAN
v200.
Other 802.1X authentication methods supported on EX Series switches in addition to RADIUS authentication
are:
• MAC Radius—A nonresponsive host is authenticated based on its MAC address. The MAC address is
configured as permitted on the RADIUS server, the RADIUS server notifies the switch that the MAC
address is a permitted address, and the switch grants LAN access to the nonresponsive host on the
interface to which it is connected.
• Server-fail deny—If the RADIUS servers time out, all supplicants are denied access to the LAN, preventing
traffic from the supplicant from traversing through the interface. This is the default.
• Server-fail permit—When the RADIUS server is unavailable, a supplicant is still permitted access to the
LAN as if the supplicant were successfully authenticated by the RADIUS server.
• Server-fail use-cache—If the RADIUS servers time out during reauthentication, previously authenticated
supplicants are granted LAN access, but new supplicants are denied LAN access.
• Server-fail VLAN—A supplicant is configured to be moved to a specified VLAN if the RADIUS server is
unavailable to reauthenticate the supplicant. (The VLAN must already exist on the switch.)
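The fallback paths described in this list and in the EAP-TTLS example earlier in this chapter (retries, the server-reject VLAN, the EAPoL block timer, and the server-fail deny, permit, use-cache and VLAN actions) are modeled by the following Python script. It is an added example, not Junos OS code: the port object, MAC strings, VLAN names and timings are constructed, and the decision logic follows the text rather than any Junos implementation. The model also applies the rule from the dynamic VLAN topic that a VLAN named by the RADIUS server must exist on the switch. Note that permit and the server-fail VLAN are fail-open choices; deny (the default) and use-cache keep devices that were never authenticated off the LAN while RADIUS is unreachable.

```python
"""Model of the 802.1X fallback paths: server-reject VLAN with retries and the
EAPoL block timer (bad credentials), and server-fail deny/permit/use-cache/vlan
(no RADIUS server reachable). Added illustration, not Junos OS code."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional


class ServerFail(Enum):
    DENY = "deny"            # default: refuse everyone while RADIUS is down
    PERMIT = "permit"        # fail open: treat each supplicant as authenticated
    USE_CACHE = "use-cache"  # keep sessions already authenticated, refuse new ones
    VLAN = "vlan-name"       # park supplicants in a designated VLAN


@dataclass
class Session:
    vlan: Optional[str]
    authenticated: bool          # True only after a real Access-Accept
    rejects: int = 0
    blocked_until: float = 0.0   # EAPoL block timer expiry, in seconds


@dataclass
class AuthenticatorPort:
    default_vlan: str
    configured_vlans: frozenset
    retries: int = 3                     # Junos default
    server_reject_vlan: Optional[str] = None
    eapol_block: bool = False
    block_interval: int = 120            # Junos default, seconds
    server_fail: ServerFail = ServerFail.DENY
    server_fail_vlan: Optional[str] = None
    sessions: Dict[str, Session] = field(default_factory=dict)

    def __post_init__(self):
        # Both fallback VLANs must already exist on the switch.
        for name in (self.server_reject_vlan, self.server_fail_vlan):
            if name is not None and name not in self.configured_vlans:
                raise ValueError(f"VLAN {name!r} is not configured on the switch")

    def access_accept(self, mac, vlan=None):
        """RADIUS accepted; a VLAN it names must exist, otherwise the device is not authenticated."""
        vlan = vlan or self.default_vlan
        if vlan not in self.configured_vlans:
            return None
        self.sessions[mac] = Session(vlan=vlan, authenticated=True)
        return vlan

    def access_reject(self, mac, now=0.0):
        """Bad credentials: after the initial failure plus `retries` more, park the
        supplicant in the server-reject VLAN and arm the block timer."""
        s = self.sessions.setdefault(mac, Session(vlan=None, authenticated=False))
        s.rejects += 1
        if s.rejects <= self.retries or self.server_reject_vlan is None:
            return None
        s.vlan = self.server_reject_vlan
        if self.eapol_block:
            s.blocked_until = now + self.block_interval
        return s.vlan

    def eapol_start(self, mac, now=0.0):
        """EAPoL-Start from the client: ignored while the block timer runs; otherwise
        the remedial session is torn down and authentication restarts."""
        s = self.sessions.get(mac)
        if s is not None and now < s.blocked_until:
            return "ignored"
        self.sessions.pop(mac, None)
        return "restart"

    def server_timeout(self, mac):
        """No RADIUS server answered; apply the configured server-fail action."""
        s = self.sessions.get(mac)
        if self.server_fail is ServerFail.PERMIT:
            vlan = self.default_vlan
        elif self.server_fail is ServerFail.VLAN:
            vlan = self.server_fail_vlan
        elif self.server_fail is ServerFail.USE_CACHE and s is not None and s.authenticated:
            return s.vlan                  # existing authenticated session kept as is
        else:
            self.sessions.pop(mac, None)   # deny (default), or uncached supplicant
            return None
        self.sessions[mac] = Session(vlan=vlan, authenticated=False)
        return vlan
```

Instantiate one port per configuration you want to compare and drive it with access_reject, eapol_start and server_timeout; the return value is the VLAN the supplicant ends up in, or None when access is refused. The sessions dictionary makes the use-cache distinction visible: only a MAC that went through access_accept before the outage keeps its VLAN.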
Note that there are no end devices on the authentication bypass list.
Cause
Static MAC addresses are treated the same as other learned MAC addresses on an interface. When the
clear dot1x interface command is run, it clears all learned MAC addresses from the interface, including the
static MAC bypass list (also known as the exclusion list).
Solution
If you run the clear dot1x interface command for an interface that has static MAC addresses configured
for authentication bypass, re-add the static MAC addresses to the static MAC bypass list afterward.
Release       Description
18.4R1        Starting in Junos OS Release 18.3R1, you can configure 802.1X authentication on trunk interfaces, which allows the network access device (NAS) to authenticate an access point (AP) or another connected Layer 2 device.
17.3R1        Starting in Junos OS Release 17.3, the port bounce feature can be used to force the end device to initiate DHCP re-negotiation by causing a link flap on the authenticated port.
14.1X53-A2    J-Web Application package Release 14.1X53-A2 does not support 802.1X authentication on EX4600 switches.
You can control access to your network through a switch by using several different authentication methods.
Junos OS switches support 802.1X, MAC RADIUS, and captive portal as authentication methods for devices
that need to connect to the network.
You can configure MAC RADIUS authentication on the switch interfaces to which the hosts are connected
to provide LAN access. For more information, read this topic.
You can permit LAN access to devices that are not 802.1X-enabled by configuring MAC RADIUS authentication
on the switch interfaces to which the hosts are connected.
NOTE: You can also allow non-802.1X-enabled devices to access the LAN by configuring their
MAC address for static MAC bypass of authentication.
You can configure MAC RADIUS authentication on an interface that also allows 802.1X authentication,
or you can configure either authentication method alone.
If both MAC RADIUS and 802.1X authentication are enabled on the interface, the switch first sends three
EAPoL requests to the host. If there is no response from the host, the switch sends the host’s
MAC address to the RADIUS server to check whether it is a permitted MAC address. If the MAC address
is configured as permitted on the RADIUS server, the RADIUS server sends a message to the switch that
the MAC address is a permitted address, and the switch opens LAN access to the nonresponsive host on
the interface to which it is connected.
If MAC RADIUS authentication is configured on the interface but 802.1X authentication is not (by using
the mac-radius restrict option), the switch attempts to authenticate the MAC address with the RADIUS
server without delaying by attempting 802.1X authentication first.
• Configured basic access between the switch and the RADIUS server. See “Example: Connecting a RADIUS
Server for 802.1X to an EX Series Switch” on page 365.
• On the switch, configure the interfaces to which the nonresponsive hosts are attached for MAC RADIUS
authentication, and add the restrict qualifier for interface ge-0/0/20 to have it use only MAC RADIUS
authentication:
[edit]
user@switch# set protocols dot1x authenticator interface ge-0/0/19 mac-radius
user@switch# set protocols dot1x authenticator interface ge-0/0/20 mac-radius restrict
• On a RADIUS authentication server, create user profiles for each nonresponsive host using the MAC
address (without colons) of the nonresponsive host as the username and password (here, the MAC
addresses are 00:04:0f:fd:ac:fe and 00:04:ae:cd:23:5f):
[root@freeradius]# cd /etc/raddb
[root@freeradius]# vi users
00040ffdacfe Auth-type:=Local, User-Password = "00040ffdacfe"
0004aecd235f Auth-type:=Local, User-Password = "0004aecd235f"
IN THIS SECTION
Requirements | 393
Configuration | 396
Verification | 397
To permit hosts that are not 802.1X-enabled to access a LAN, you can configure MAC RADIUS
authentication on the switch interfaces to which the non-802.1X-enabled hosts are connected. When
MAC RADIUS authentication is configured, the switch will attempt to authenticate the host with the
RADIUS server by using the host’s MAC address.
This example describes how to configure MAC RADIUS authentication for two non-802.1X-enabled hosts:
Requirements
• An EX Series switch acting as an authenticator port access entity (PAE). The ports on the authenticator
PAE form a control gate that blocks all traffic to and from supplicants until they are authenticated.
• A RADIUS authentication server. The authentication server acts as the backend database and contains
credential information for hosts (supplicants) that have permission to connect to the network.
• Configured basic access between the EX Series switch and the RADIUS server. See “Example: Connecting
a RADIUS Server for 802.1X to an EX Series Switch” on page 365.
• Performed basic bridging and VLAN configuration on the switch. See the documentation that describes
setting up basic bridging and a VLAN for your switch. If you are using a switch that supports the Enhanced
Layer 2 Software (ELS) configuration style, see Example: Setting Up Basic Bridging and a VLAN for an EX
Series Switch with ELS Support or Example: Setting Up Basic Bridging and a VLAN on Switches. For all other
switches, see Example: Setting Up Basic Bridging and a VLAN for an EX Series Switch.
NOTE: For more about ELS, see: Using the Enhanced Layer 2 Software CLI
• Performed basic 802.1X configuration. See “Configuring 802.1X Interface Settings (CLI Procedure)” on
page 355.
IEEE 802.1X port-based network access control (PNAC) authenticates and permits devices access to a
LAN if the devices can communicate with the switch by using the 802.1X protocol (that is, the devices are
802.1X-enabled). To permit non-802.1X-enabled end devices to access the LAN, you can configure MAC
RADIUS authentication on the interfaces to which the end devices are connected. When the MAC address
of the end device appears on the interface, the switch consults the RADIUS server to check whether it is
a permitted MAC address. If the MAC address of the end device is configured as permitted on the RADIUS
server, the switch opens LAN access to the end device.
You can configure both MAC RADIUS authentication and 802.1X authentication methods on an interface
configured for multiple supplicants. Additionally, if an interface is connected only to a non-802.1X-enabled
host, you can enable MAC RADIUS and not enable 802.1X authentication by using the mac-radius restrict
option, and thus avoid the delay that occurs while the switch determines that the device does not respond
to EAP messages.
Figure 10 on page 395 shows the two printers connected to the switch.
Table 27 on page 395 shows the components in the example for MAC RADIUS authentication.
The printer with the MAC address 00040ffdacfe is connected to access interface ge-0/0/19. A second
printer with the MAC address 0004aecd235f is connected to access interface ge-0/0/20. In this example,
both interfaces are configured for MAC RADIUS authentication on the switch, and the MAC addresses
(without colons) of both printers are configured on the RADIUS server. Interface ge-0/0/20 is configured
to eliminate the normal delay while the switch attempts 802.1X authentication; MAC RADIUS authentication
is enabled and 802.1X authentication is disabled using the mac-radius restrict option.
Configuration
[edit]
set protocols dot1x authenticator interface ge-0/0/19 mac-radius
set protocols dot1x authenticator interface ge-0/0/20 mac-radius restrict
NOTE: You must also configure the two MAC addresses as usernames and passwords on the
RADIUS server, as is done in step 2 of the Step-by-Step Procedure.
Step-by-Step Procedure
Configure MAC RADIUS authentication on the switch and on the RADIUS server:
1. On the switch, configure the interfaces to which the printers are attached for MAC RADIUS
authentication, and configure the restrict option on interface ge-0/0/20, so that only MAC RADIUS
authentication is used:
[edit]
user@switch# set protocols dot1x authenticator interface ge-0/0/19 mac-radius
user@switch# set protocols dot1x authenticator interface ge-0/0/20 mac-radius restrict
2. On the RADIUS server, configure the MAC addresses 00040ffdacfe and 0004aecd235f as usernames
and passwords:
[root@freeradius]# cd /etc/raddb
[root@freeradius]# vi users
00040ffdacfe Auth-type:=EAP, User-Password = "00040ffdacfe"
0004aecd235f Auth-type:=EAP, User-Password = "0004aecd235f"
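The following Python script is an added example, not Junos OS or FreeRADIUS code. It takes a small constructed host inventory and produces both the FreeRADIUS users entries (user name and password are the MAC address without delimiters, as the switch sends it) and the corresponding Junos interface statements from step 1, after normalizing the delimiter and case variations in which MAC addresses are usually recorded. It writes the check item as Cleartext-Password :=, the form FreeRADIUS 2.x and later expect; the User-Password form shown in step 2 is the syntax of older FreeRADIUS releases. Because a MAC address is visible in every frame the device sends, MAC RADIUS identifies a device rather than authenticating it, so the script flags locally administered (commonly randomized) addresses, which rarely belong to fixed devices such as printers, and rejects multicast addresses outright.

```python
"""MAC RADIUS provisioning from one host inventory: FreeRADIUS `users` entries
plus the matching Junos interface statements. Added illustration, not Junos OS
or FreeRADIUS code; the inventory below is constructed."""
import re

_HEX12 = re.compile(r"[0-9a-f]{12}")


def normalize_mac(raw):
    """00:04:0f:fd:ac:fe, 00-04-0F-FD-AC-FE or 0004.0ffd.acfe -> 00040ffdacfe,
    the delimiter-free lowercase form used as user name and password."""
    mac = re.sub(r"[:\-.\s]", "", raw).lower()
    if not _HEX12.fullmatch(mac):
        raise ValueError(f"not a MAC address: {raw!r}")
    if int(mac[:2], 16) & 0x01:
        raise ValueError(f"multicast address cannot be a supplicant: {raw!r}")
    return mac


def is_locally_administered(mac):
    """U/L bit set: usually a randomized client address, not a fixed device."""
    return bool(int(mac[:2], 16) & 0x02)


def users_entry(mac):
    """FreeRADIUS 2.x/3.x check item; older releases used User-Password = "..."."""
    return f'{mac}\tCleartext-Password := "{mac}"'


def switch_statement(interface, restrict):
    """mac-radius on the interface; `restrict` skips the EAPoL attempts entirely."""
    stmt = f"set protocols dot1x authenticator interface {interface} mac-radius"
    return f"{stmt} restrict" if restrict else stmt


# Constructed inventory: the two printers from the example and one host with a
# locally administered address (first octet 0x3a has the U/L bit set).
INVENTORY = [
    {"mac": "00:04:0f:fd:ac:fe", "interface": "ge-0/0/19", "restrict": False},
    {"mac": "00-04-AE-CD-23-5F", "interface": "ge-0/0/20", "restrict": True},
    {"mac": "3a12.3456.789a", "interface": "ge-0/0/21", "restrict": True},
]


def provision(inventory):
    """Return (users_lines, switch_lines, warnings); duplicate MACs are dropped."""
    users, switch, warnings, seen = [], [], [], set()
    for host in inventory:
        mac = normalize_mac(host["mac"])
        if mac in seen:
            warnings.append(f"duplicate MAC {mac} skipped")
            continue
        seen.add(mac)
        if is_locally_administered(mac):
            warnings.append(f"{mac} on {host['interface']} is locally administered; randomized client?")
        users.append(users_entry(mac))
        switch.append(switch_statement(host["interface"], host["restrict"]))
    return users, switch, warnings


if __name__ == "__main__":
    for section in provision(INVENTORY):
        print("\n".join(section), end="\n\n")
```

Paste the first output section into the FreeRADIUS users file and the second into the switch configuration; review the warnings before granting any flagged address LAN access. Keeping both artifacts derived from one inventory avoids the usual drift between what the switch restricts and what the server accepts.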
Results
Display the results of the configuration on the switch:
Verification
Purpose
After supplicants are configured for MAC RADIUS authentication on the switch and on the RADIUS server,
verify that they are authenticated and display the method of authentication.
Action
ge-0/0/19.0
Role: Authenticator
Administrative state: Auto
Supplicant mode: Single
Number of retries: 3
Quiet period: 60 seconds
Transmit period: 30 seconds
Mac Radius: Enabled
Mac Radius Restrict: Disabled
Reauthentication: Enabled
Configured Reauthentication interval: 3600 seconds
Supplicant timeout: 30 seconds
Server timeout: 30 seconds
Maximum EAPOL requests: 2
Guest VLAN member: <not configured>
Number of connected supplicants: 1
Supplicant: user101, 00:04:0f:fd:ac:fe
Operational state: Authenticated
Authentication method: Radius
Authenticated VLAN: vo11
Dynamic Filter: match source-dot1q-tag 10 action deny
Session Reauth interval: 60 seconds
Reauthentication due in 50 seconds
ge-0/0/20.0
Role: Authenticator
Administrative state: Auto
Supplicant mode: Single
Number of retries: 3
Quiet period: 60 seconds
Transmit period: 30 seconds
Mac Radius: Enabled
Mac Radius Restrict: Enabled
Reauthentication: Enabled
Configured Reauthentication interval: 3600 seconds
Supplicant timeout: 30 seconds
Server timeout: 30 seconds
Maximum EAPOL requests: 2
Guest VLAN member: <not configured>
Number of connected supplicants: 1
Supplicant: user102, 00:04:ae:cd:23:5f
Operational state: Authenticated
Meaning
The sample output from the show dot1x interface detail command displays the MAC address of the
connected end device in the Supplicant field. On interface ge-0/0/19, the MAC address is 00:04:0f:fd:ac:fe,
which is the MAC address of the first printer configured for MAC RADIUS authentication. The
Authentication method field displays the authentication method as Radius. On interface ge-0/0/20, the
MAC address is 00:04:ae:cd:23:5f, which is the MAC address of the second printer configured for MAC
RADIUS authentication. The Authentication method field displays the authentication method as Radius.
EX Series Switches support RADIUS accounting. You can configure RADIUS accounting on an EX Series
switch to collect statistical data about users logging in to or out of a LAN and send that data to a RADIUS
accounting server. The data gathered is used for network monitoring purposes.
Juniper Networks EX Series Ethernet Switches support IETF RFC 2866, RADIUS Accounting. By configuring
RADIUS accounting on an EX Series switch, you can collect statistical data about users logging in to or out
of a LAN and send that data to a RADIUS accounting server. The statistical data gathered can be used to
perform general network monitoring, to analyze and track usage patterns, or to bill a user based on the
amount of time or type of services accessed.
RADIUS accounting is based on a client/server model in which the switch, operating as the network access
server (NAS), is the client. The client forwards user accounting statistics to a designated RADIUS accounting
server. The RADIUS accounting server must send a response to the client when it has successfully received
and recorded the accounting statistics.
The RADIUS accounting process between a switch and a RADIUS server is based on the exchange of two
types of RADIUS messages—Accounting-Request and Accounting-Response. Accounting-Request messages
are sent from the switch to the server and convey information used to account for a service provided to
a user. Accounting-Response messages are sent from the server to acknowledge receipt of the
Accounting-Request packets. The exchange of messages between the switch and the server proceeds as
follows:
1. A RADIUS accounting server listens for User Datagram Protocol (UDP) packets on a specific port. For
example, on FreeRADIUS, the default port is 1813.
2. When a supplicant is authenticated through 802.1X authentication and then connected to the LAN,
the switch forwards an Accounting-Request message with a record of the event to the accounting
server. The Accounting-Request message sent by the switch includes the RADIUS attribute
Acct-Status-Type with a value of Start, which indicates the beginning of user service for this supplicant.
The accounting server records this event in the accounting log file as a start record.
3. The accounting server sends an Accounting-Response message back to the switch confirming that it
received the accounting request. If the switch does not receive a response from the server, it continues
to send accounting requests until an accounting response is returned from the accounting server.
4. The switch might send an interim message to the accounting server to periodically update the server
with information pertaining to a specific session. Interim messages are sent as Accounting-Request
messages with the Acct-Status-Type attribute value of Interim-Update. The accounting server sends
an Accounting-Response message back to the switch to confirm receipt of an interim update.
5. When the supplicant's session ends, the switch forwards an Accounting-Request message with the
Acct-Status-Type attribute value set to Stop, indicating the end of user service. The accounting server
records this event in the accounting log file as a stop record that contains session information and the
length of the session.
The statistics collected through this process can be displayed from the RADIUS server. To view those
statistics, the user needs to access the accounting log file configured to receive them. On FreeRADIUS,
the filename is the server's address—for example, 122.69.1.250.
RADIUS accounting statistics are conveyed through the attributes included in each Accounting-Request
message sent from the NAS to the server. Table 28 on page 401 lists the RADIUS attributes supported for
Accounting-Request messages.
5 NAS-Port: The physical port number of the NAS that authenticates the user. Either NAS-Port or NAS-Port-ID must be contained in the packet.
12 Framed-MTU: The maximum transmission unit that can be configured for the user.
27 Session-Timeout: Sets the maximum time (in seconds) that a session stays active before it terminates or a prompt is issued notifying its termination.
30 Called-Station-ID: Enables the NAS to identify the phone number that the user called, using Dialed Number Identification (DNIS) or a similar technology.
31 Calling-Station-ID: Enables the NAS to identify the phone number that the call came from, using Automatic Number Identification (ANI) or a similar technology.
44 Acct-Session-ID: A unique ID for a specific accounting session that can be used to match start and stop records for a session in the log file.
45 Acct-Authentic: Indicates whether the user was authenticated locally, by the RADIUS server, or by another remote authentication protocol.
87 NAS-Port-ID: Text string that identifies the port that authenticates the user. Either NAS-Port or NAS-Port-ID must be present in the packet.
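The Accounting-Request/Accounting-Response exchange described above, written out as an added Python example (this is not code from the Junos documentation or from Juniper; the switch performs this exchange internally). It encodes the Start, Interim-Update and Stop requests with the attributes listed on this page, computes the RFC 2866 Request Authenticator over the shared secret, and shows how the accounting server validates a request before recording it and how the NAS validates the Accounting-Response before treating the record as acknowledged. Attribute type numbers are those of RFC 2865/2866; the shared secret, identifier, session ID and MAC address are constructed values.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes for accounting (RFC 2866)
ACCOUNTING_REQUEST = 4
ACCOUNTING_RESPONSE = 5

# Attribute types used in this example (RFC 2865 / RFC 2866)
USER_NAME, NAS_PORT, CALLING_STATION_ID = 1, 5, 31
ACCT_STATUS_TYPE, ACCT_SESSION_ID, ACCT_SESSION_TIME = 40, 44, 46

# Acct-Status-Type values
ACCT_START, ACCT_STOP, ACCT_INTERIM_UPDATE = 1, 2, 3
STATUS_NAMES = {ACCT_START: "Start", ACCT_STOP: "Stop", ACCT_INTERIM_UPDATE: "Interim-Update"}


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs; ints become 4-byte integers, str becomes text."""
    out = b""
    for attr_type, value in attrs:
        if isinstance(value, int):
            value = struct.pack("!I", value)
        elif isinstance(value, str):
            value = value.encode()
        if len(value) > 253:
            raise ValueError("RADIUS attribute value exceeds 253 octets")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def decode_attrs(data):
    """Decode TLVs into (type, raw_value) pairs, rejecting malformed lengths."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def build_accounting_request(identifier, secret, attrs):
    """NAS side: Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_accounting_request(packet, secret):
    """Server side: recompute the Request Authenticator; reject bad code, length, TLVs or secret.
    The MD5-keyed authenticator is all that ties the record to the shared secret, so a server
    must check it before writing a start/stop record."""
    if len(packet) < 20:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    try:
        decode_attrs(packet[20:])
    except ValueError:
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def build_accounting_response(request, secret, attrs=()):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCOUNTING_RESPONSE, request[1], 20 + len(body))
    authenticator = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + authenticator + body


def verify_accounting_response(response, request, secret):
    """NAS side: accept only a response that matches the outstanding request and the secret;
    otherwise the switch keeps retransmitting the Accounting-Request (step 3 on this page)."""
    if len(response) < 20 or response[0] != ACCOUNTING_RESPONSE or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def status_of(packet):
    """Return the Acct-Status-Type name carried in an Accounting-Request, or None."""
    for attr_type, value in decode_attrs(packet[20:]):
        if attr_type == ACCT_STATUS_TYPE and len(value) == 4:
            return STATUS_NAMES.get(struct.unpack("!I", value)[0])
    return None


def run_session(secret, session_id, mac, seconds):
    """Simulate one supplicant session: Start, Interim-Update, Stop. Returns the status names
    for which the server accepted the request and the NAS accepted the acknowledgement."""
    accepted, identifier = [], 0
    phases = ((ACCT_START, []),
              (ACCT_INTERIM_UPDATE, [(ACCT_SESSION_TIME, seconds // 2)]),
              (ACCT_STOP, [(ACCT_SESSION_TIME, seconds)]))
    for status, extra in phases:
        identifier = (identifier + 1) % 256
        request = build_accounting_request(identifier, secret, [
            (USER_NAME, mac.replace(":", "")), (NAS_PORT, 67), (CALLING_STATION_ID, mac),
            (ACCT_STATUS_TYPE, status), (ACCT_SESSION_ID, session_id)] + extra)
        if not verify_accounting_request(request, secret):  # a server silently drops these
            continue
        response = build_accounting_response(request, secret)
        if verify_accounting_response(response, request, secret):
            accepted.append(status_of(request))
    return accepted
```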
RADIUS accounting enables statistical data about users logging in to or out of a LAN to be collected and
sent to a RADIUS accounting server. The statistical data gathered can be used to perform general network
monitoring, to analyze and track usage patterns, or to bill a user based upon the amount of time or type
of services accessed.
RADIUS accounting is based on a client/server model in which the switch, operating as the network access
server (NAS), is the client. The client is responsible for forwarding user accounting statistics to a designated
RADIUS accounting server. To configure RADIUS accounting, specify one or more RADIUS accounting
servers to receive the statistical data from the switch, and select the type of accounting data to be collected.
The RADIUS accounting server you specify can be the same server used for RADIUS authentication, or it
can be a separate RADIUS server. You can specify a list of RADIUS accounting servers. If the primary
server (the first one configured) is unavailable, then each RADIUS server in the list is tried in the order in
which the servers are configured in Junos OS.
1. Configure an access profile and specify the accounting servers to which the switch forwards accounting
statistics:
[edit access]
user@switch# set profile profile-name radius accounting-server [server-addresses]
2. Define the address of RADIUS accounting servers and configure the secret password (the secret
password on the switch must match the secret password on the server):
[edit access]
user@switch# set radius-server server-address secret password
[edit access]
user@switch# set profile profile-name accounting
4. Configure the accounting order, making RADIUS the first method for sending accounting messages
and updates:
[edit access]
user@switch# set profile profile-name accounting order radius
5. Configure the statistics to be collected on the switch and forwarded to the accounting server:
[edit access]
6. (Optional) Configure the switch to send periodic updates for a user session at a specified interval to
the accounting server:
[edit access]
user@switch# set profile profile-name accounting update-interval minutes
7. Display accounting statistics collected on the switch using the show network-access aaa statistics
accounting command, for example:
8. Open an accounting log on the RADIUS accounting server by using the server's address, and view
accounting statistics, for example:
[root@freeradius]# cd /usr/local/var/log/radius/radacct/192.168.0.1
[root@freeradius 192.168.0.1]# ls
detail-20071214
User-Name = "000347e1bab9"
NAS-Port = 67
Acct-Status-Type = Stop
Acct-Session-Id = "8O2.1x811912"
Acct-Input-Octets = 17454
Acct-Output-Octets = 4245
Acct-Session-Time = 1221041249
Acct-Input-Packets = 72
Acct-Output-Packets = 53
Acct-Terminate-Cause = Lost-Carrier
Acct-Input-Gigawords = 0
Acct-Output-Gigawords = 0
Called-Station-Id = "00-19-e2-50-52-60"
Calling-Station-Id = "00-03-47-e1-ba-b9"
Event-Timestamp = "Sep 10 2008 16:52:39 PDT"
NAS-Identifier = "esp48t-1b-01"
NAS-Port-Type = Virtual
User-Name = "000347e1bab9"
NAS-Port = 67
Acct-Status-Type = Start
Acct-Session-Id = "8O2.1x811219"
Called-Station-Id = "00-19-e2-50-52-60"
Calling-Station-Id = "00-03-47-e1-ba-b9"
Event-Timestamp = "Sep 10 2008 18:58:52 PDT"
NAS-Identifier = "esp48t-1b-01"
NAS-Port-Type = Virtual
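A small parser for records in the radacct detail format shown above, added here as an example (it is not part of the Junos documentation or of FreeRADIUS). It pairs Start and Stop records by Acct-Session-Id, which is what the Acct-Session-ID attribute exists for, and reports what an operator reviewing the log wants to know: completed sessions with their Acct-Session-Time, sessions still open, Stop records with no matching Start, and MAC RADIUS records whose User-Name (the supplicant MAC) disagrees with Calling-Station-Id. The sample records are constructed for this example; the first two mirror the fields in the output above.

```python
import re

# Constructed sample in the layout of a FreeRADIUS radacct detail file: one record per
# blank-line-separated block of "Attribute = value" lines. Values are made up for the example.
SAMPLE_DETAIL = """\
User-Name = "000347e1bab9"
NAS-Port = 67
Acct-Status-Type = Stop
Acct-Session-Id = "8O2.1x811912"
Acct-Session-Time = 1221041249
Acct-Terminate-Cause = Lost-Carrier
Calling-Station-Id = "00-03-47-e1-ba-b9"
NAS-Identifier = "esp48t-1b-01"

User-Name = "000347e1bab9"
NAS-Port = 67
Acct-Status-Type = Start
Acct-Session-Id = "8O2.1x811219"
Calling-Station-Id = "00-03-47-e1-ba-b9"
NAS-Identifier = "esp48t-1b-01"

User-Name = "00508b6f603a"
NAS-Port = 2
Acct-Status-Type = Start
Acct-Session-Id = "8O2.1x811300"
Calling-Station-Id = "00-50-8b-6f-60-3a"
NAS-Identifier = "esp48t-1b-01"

User-Name = "00508b6f603a"
NAS-Port = 2
Acct-Status-Type = Stop
Acct-Session-Id = "8O2.1x811300"
Acct-Session-Time = 3600
Acct-Terminate-Cause = User-Request
Calling-Station-Id = "00-50-8b-6f-60-3a"
NAS-Identifier = "esp48t-1b-01"

User-Name = "00508b6f603b"
NAS-Port = 2
Acct-Status-Type = Start
Acct-Session-Id = "8O2.1x811301"
Calling-Station-Id = "00-50-8b-6f-60-3a"
NAS-Identifier = "esp48t-1b-01"
"""

ATTR_LINE = re.compile(r"^\s*([A-Za-z0-9-]+)\s*=\s*(.+?)\s*$")


def parse_detail(text):
    """Split a detail file into records (dicts); a blank line ends a record. Lines that are not
    'Attribute = value' (such as the per-record timestamp header FreeRADIUS writes) are skipped."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        match = ATTR_LINE.match(line)
        if match:
            current[match.group(1)] = match.group(2).strip('"')
    if current:
        records.append(current)
    return records


def normalize_mac(value):
    """Lower-case hex digits only, so 00-03-47-e1-ba-b9 and 000347e1bab9 compare equal."""
    return re.sub(r"[^0-9a-f]", "", value.lower())


def audit_sessions(records):
    """Pair Start/Stop records per Acct-Session-Id and collect the anomalies worth reviewing."""
    open_sessions = {}
    report = {"completed": {}, "open_sessions": [], "orphan_stops": [], "mac_mismatches": []}
    for record in records:
        session_id = record.get("Acct-Session-Id", "")
        status = record.get("Acct-Status-Type", "")
        user, calling = record.get("User-Name", ""), record.get("Calling-Station-Id", "")
        # For MAC RADIUS the User-Name is the supplicant MAC and should agree with Calling-Station-Id.
        is_mac_user = re.fullmatch(r"[0-9a-f]{12}", normalize_mac(user)) is not None
        if (is_mac_user and calling and normalize_mac(user) != normalize_mac(calling)
                and session_id not in report["mac_mismatches"]):
            report["mac_mismatches"].append(session_id)
        if status == "Start":
            open_sessions[session_id] = record
        elif status == "Stop":
            if session_id in open_sessions:
                del open_sessions[session_id]
                report["completed"][session_id] = int(record.get("Acct-Session-Time", "0"))
            else:
                report["orphan_stops"].append(session_id)  # Stop with no Start seen in this file
    report["open_sessions"] = sorted(open_sessions)
    return report
```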
IN THIS SECTION
Requirements | 406
Verification | 411
802.1x port-based network access control (PNAC) authentication on EX Series switches provides three
types of authentication to meet the access needs of your enterprise LAN:
• Authenticate the first end device (supplicant) on an authenticator port, and allow all other end devices
also connecting to have access to the LAN.
• Authenticate multiple end devices on an authenticator port. Multiple supplicant mode is used in VoIP
configurations.
This example configures an EX Series switch to use IEEE 802.1X to authenticate end devices that use three
different administrative modes.
Requirements
• One EX Series switch acting as an authenticator port access entity (PAE). The ports on the authenticator
PAE form a control gate that blocks all traffic to and from end devices until they are authenticated.
• One RADIUS authentication server that supports 802.1X. The authentication server acts as the backend
database and contains credential information for end devices (supplicants) that have permission to
connect to the network.
Before you configure the ports for 802.1X authentication, be sure you have:
• Performed the initial switch configuration. See Connecting and Configuring an EX Series Switch (CLI
Procedure).
• Performed basic bridging and VLAN configuration on the switch. See the documentation that describes
setting up basic bridging and a VLAN for your switch. If you are using a switch that supports the Enhanced
Layer 2 Software (ELS) configuration style, see Example: Setting Up Basic Bridging and a VLAN for an EX
Series Switch with ELS Support or Example: Setting Up Basic Bridging and a VLAN on Switches. For all other
switches, see Example: Setting Up Basic Bridging and a VLAN for an EX Series Switch.
NOTE: For more about ELS, see Using the Enhanced Layer 2 Software CLI.
As shown in Figure 11 on page 408, the topology contains an EX4200 access switch connected to the
authentication server on port ge-0/0/10. Interfaces ge-0/0/8, ge-0/0/9, and ge-0/0/11 will be configured
for three different administrative modes.
To configure the administrative modes to support supplicants in different areas of the Enterprise network:
• Configure access port ge-0/0/9 for single secure supplicant mode authentication.
Single supplicant mode authenticates only the first end device that connects to an authenticator port. All
other end devices connecting to the authenticator port after the first has connected successfully, whether
they are 802.1X-enabled or not, are permitted access to the port without further authentication. If the
first authenticated end device logs out, all other end devices are locked out until an end device authenticates.
Single-secure supplicant mode authenticates only one end device to connect to an authenticator port. No
other end device can connect to the authenticator port until the first logs out.
Multiple supplicant mode authenticates multiple end devices individually on one authenticator port. If you
configure a maximum number of devices that can be connected to a port through port security, the lesser
of the configured values is used to determine the maximum number of end devices allowed per port.
[edit]
set protocols dot1x authenticator interface ge-0/0/8 supplicant single
Step-by-Step Procedure
Configure the administrative mode on the interfaces:
[edit protocols]
user@switch# set dot1x authenticator interface ge-0/0/8 supplicant single
[edit protocols]
user@switch# set dot1x authenticator interface ge-0/0/9 supplicant single-secure
[edit protocols]
user@switch# set dot1x authenticator interface ge-0/0/11 supplicant multiple
Results
[edit]
user@access-switch> show configuration
protocols {
    dot1x {
        authenticator {
            interface {
                ge-0/0/8.0 {
                    supplicant single;
                }
                ge-0/0/9.0 {
                    supplicant single-secure;
                }
                ge-0/0/11.0 {
                    supplicant multiple;
                }
            }
        }
    }
}
Verification
Purpose
Verify the 802.1X configuration on interfaces ge-0/0/8, ge-0/0/9, and ge-0/0/11.
Action
Verify the 802.1X configuration by issuing the operational mode command show dot1x interface:
ge-0/0/8.0
Role: Authenticator
Administrative state: Auto
Supplicant mode: Single
Number of retries: 3
Quiet period: 60 seconds
Transmit period: 30 seconds
Mac Radius: Disabled
Mac Radius Restrict: Disabled
Reauthentication: Enabled
Configured Reauthentication interval: 3600 seconds
Supplicant timeout: 30 seconds
Server timeout: 30 seconds
Maximum EAPOL requests: 2
Guest VLAN member: <not configured>
ge-0/0/9.0
Role: Authenticator
ge-0/0/11.0
Role: Authenticator
Administrative state: Auto
Supplicant mode: Multiple
Number of retries: 3
Quiet period: 60 seconds
Transmit period: 30 seconds
Mac Radius: Disabled
Mac Radius Restrict: Disabled
Reauthentication: Enabled
Configured Reauthentication interval: 3600 seconds
Supplicant timeout: 30 seconds
Server timeout: 30 seconds
Maximum EAPOL requests: 2
Guest VLAN member: <not configured>
Number of connected supplicants: 0
Meaning
The Supplicant mode output field displays the configured administrative mode for each interface. Interface
ge-0/0/8.0 displays Single supplicant mode. Interface ge-0/0/9.0 displays Single-Secure supplicant mode.
Interface ge-0/0/11.0 displays Multiple supplicant mode.
IN THIS SECTION
Requirements | 414
Verification | 417
802.1X on EX Series switches provides LAN access to users who do not have credentials in the RADIUS
database. These users, referred to as guests, are authenticated and typically provided with access to the
Internet.
This example describes how to create a guest VLAN and configure 802.1X authentication for it.
Requirements
• One EX Series switch acting as a port access entity (PAE). The interfaces on the authenticator PAE form
a control gate that blocks all traffic to and from supplicants until they are authenticated.
• One RADIUS authentication server that supports 802.1X. The authentication server acts as the backend
database and contains credential information for hosts (supplicants) that have permission to connect to
the network.
• Performed the initial switch configuration. See Connecting and Configuring an EX Series Switch (CLI
Procedure).
• Performed basic bridging and VLAN configuration on the switch. See the documentation that describes
setting up basic bridging and a VLAN for your switch. If you are using a switch that supports the Enhanced
Layer 2 Software (ELS) configuration style, see Example: Setting Up Basic Bridging and a VLAN for an EX
Series Switch with ELS Support or Example: Setting Up Basic Bridging and a VLAN on Switches. For all other
switches, see Example: Setting Up Basic Bridging and a VLAN for an EX Series Switch.
NOTE: For more about ELS, see Using the Enhanced Layer 2 Software CLI.
As part of IEEE 802.1X port-based network access control (PNAC), you can provide limited network access
to supplicants who do not belong to a VLAN authentication group by configuring authentication for a
guest VLAN. Typically, guest VLAN access is used to provide Internet access to visitors to a corporate site.
However, you can also use the guest VLAN feature to provide access to a VLAN with limited resources
to supplicants that fail 802.1X authentication on a corporate LAN.
Figure 12 on page 415 shows the conference room connected to the switch at interface ge-0/0/1.
Switch hardware: EX4200 switch, 24 Gigabit Ethernet interfaces: 8 PoE interfaces (ge-0/0/0 through ge-0/0/7) and 16 non-PoE interfaces (ge-0/0/8 through ge-0/0/23)
One RADIUS server: Backend database connected to the switch through interface ge-0/0/10
In this example, access interface ge-0/0/1 provides LAN connectivity in the conference room. Configure
this access interface to provide LAN connectivity to visitors in the conference room who are not
authenticated by the corporate VLAN.
[edit]
Step-by-Step Procedure
To configure a guest VLAN that includes 802.1X authentication on an EX Series switch:
[edit]
user@switch# set vlans guest-vlan vlan-id 300
[edit]
user@switch# set protocols dot1x authenticator interface all guest-vlan guest-vlan
Results
Check the results of the configuration:
Verification
Purpose
Verify that the guest VLAN is created and that an interface has failed authentication and been moved to
the guest VLAN.
NOTE: On switches running Junos OS for EX Series with support for ELS, the output for the
show vlans command will contain additional information. If your switch runs software that
supports ELS, see show vlans. For ELS details, see Using the Enhanced Layer 2 Software CLI.
Action
ge-0/0/1.0
Role: Authenticator
Administrative state: Auto
Supplicant mode: Single
Number of retries: 3
Quiet period: 60 seconds
Transmit period: 30 seconds
Mac Radius: Enabled
Mac Radius Restrict: Disabled
Reauthentication: Enabled
Configured Reauthentication interval: 3600 seconds
Supplicant timeout: 30 seconds
Server timeout: 30 seconds
Maximum EAPOL requests: 2
Guest VLAN member: guest-vlan
Meaning
The output of the show vlans command shows guest-vlan as the name of the VLAN and the VLAN ID
as 300.
The output of the show dot1x interface ge-0/0/1.0 detail command displays the Guest VLAN membership
field, indicating that a supplicant at this interface failed 802.1X authentication and was passed through to
the guest-vlan.
IN THIS SECTION
Example: Applying a Firewall Filter to 802.1X-Authenticated Supplicants by Using RADIUS Server Attributes
on an EX Series Switch | 420
Example: Applying Firewall Filters to Multiple Supplicants on Interfaces Enabled for 802.1X or MAC RADIUS
Authentication | 428
Example: Applying Firewall Filters to Multiple Supplicants on Interfaces Enabled for 802.1X or MAC RADIUS
Authentication on EX Series Switches with ELS Support | 435
EX Series switches support port firewall filters. Port firewall filters are configured on a single EX Series
switch, but in order for them to operate throughout an enterprise, they must be configured on multiple
switches. To reduce the need to configure the same port firewall filter on multiple switches, you can instead
apply the filter centrally on the RADIUS server by using RADIUS server attributes. Terms are applied after
a device is successfully authenticated through 802.1X. For more information, read this topic.
IN THIS SECTION
Requirements | 421
Applying the Port Firewall Filter to the Supplicant User Profiles on the RADIUS Server | 426
Verification | 427
You can use RADIUS server attributes and a port firewall filter to centrally apply terms to multiple supplicants
(end devices) connected to an EX Series switch in your enterprise. Terms are applied after a device is
successfully authenticated through 802.1X. If the firewall filter configuration is modified after end devices
are authenticated using the 802.1X authentication, then the established 802.1X authentication session
must be terminated and re-established for the firewall filter changes to take effect.
EX Series switches support port firewall filters. Port firewall filters are configured on a single EX Series
switch, but in order for them to operate throughout an enterprise, they must be configured on multiple
switches. To reduce the need to configure the same port firewall filter on multiple switches, you can instead
apply the filter centrally on the RADIUS server by using RADIUS server attributes.
The following example uses FreeRADIUS to apply a port firewall filter on a RADIUS server. For information
about configuring your server, consult the documentation that was included with your RADIUS server.
This example describes how to configure a port firewall filter with terms, create counters to count packets
for the supplicants, apply the filter to user profiles on the RADIUS server, and display the counters to
verify the configuration:
Requirements
• One EX Series switch acting as an authenticator port access entity (PAE). The ports on the authenticator
PAE form a control gate that blocks all traffic to and from supplicants until they are authenticated.
• One RADIUS authentication server. The authentication server acts as the backend database and contains
credential information for hosts (supplicants) that have permission to connect to the network.
Before you connect the server to the switch, be sure you have:
• Set up a connection between the switch and the RADIUS server. See “Example: Connecting a RADIUS
Server for 802.1X to an EX Series Switch” on page 365.
• Configured 802.1X authentication on the switch, with the supplicant mode for interface ge-0/0/2 set
to multiple. See “Configuring 802.1X Interface Settings (CLI Procedure)” on page 355 and “Example:
Setting Up 802.1X for Single-Supplicant or Multiple-Supplicant Configurations on an EX Series Switch”
on page 405.
• Configured users on the RADIUS authentication server (in this example, the user profiles for Supplicant
1 and Supplicant 2 in the topology are modified on the RADIUS server).
When the 802.1X configuration on an interface is set to multiple supplicant mode, you can apply a single
port firewall filter configured through the Junos OS CLI on the EX Series switch to any number of end
devices (supplicants) by adding the filter centrally to the RADIUS server. Only a single filter can be applied
to an interface; however, the filter can contain multiple terms for separate end devices.
For more information about firewall filters, see Firewall Filters for EX Series Switches Overview or Overview
of Firewall Filters.
RADIUS server attributes are applied to the port where the end device is connected after the device is
successfully authenticated using 802.1X. To authenticate an end device, the switch forwards the end
device’s credentials to the RADIUS server. The RADIUS server matches the credentials against preconfigured
information about the supplicant located in the supplicant’s user profile on the RADIUS server. If a match
is found, the RADIUS server instructs the switch to open an interface to the end device. Traffic then flows
from and to the end device on the LAN. Further instructions configured in the port firewall filter and added
to the end device’s user profile using a RADIUS server attribute further define the access that the end
device is granted. Filtering terms configured in the port firewall filter are applied to the port where the
end device is connected after 802.1X authentication is complete.
NOTE: If you modify the port firewall filter after an end device is successfully authenticated
using 802.1X, you must terminate and re-establish the 802.1X authentication session for the
firewall filter configuration changes to be effective.
Figure 13 on page 423 shows the topology used for this example. The RADIUS server is connected to an
EX4200 switch on access port ge-0/0/10. Two end devices (supplicants) are accessing the LAN on interface
ge-0/0/2. Supplicant 1 has the MAC address 00:50:8b:6f:60:3a. Supplicant 2 has the MAC address
00:50:8b:6f:60:3b.
Figure 13: Topology for Firewall Filter and RADIUS Server Attributes Configuration
Table 31: Components of the Firewall Filter and RADIUS Server Attributes Topology
Switch hardware: EX4200 access switch, 24 Gigabit Ethernet ports: 16 non-PoE ports and 8 PoE ports.
One RADIUS server: Backend database with the address 10.0.0.100 connected to the switch at port ge-0/0/10.
802.1X supplicants connected to the switch on interface ge-0/0/2: Supplicant 1 has MAC address 00:50:8b:6f:60:3a. Supplicant 2 has MAC address 00:50:8b:6f:60:3b.
Policer: policer p1
User profiles on the RADIUS server: Supplicant 1 has the user profile supplicant1. Supplicant 2 has the user profile supplicant2.
In this example, you configure a port firewall filter named filter1. The filter contains terms that will be
applied to the end devices based on the MAC addresses of the end devices. When you configure the filter,
you also configure the counters counter1 and counter2. Packets from each end device are counted, which
helps you verify that the configuration is working. Policer p1 limits the traffic rate based on the values for
exceeding and discard parameters. Then, you check to see that the RADIUS server attribute is available
on the RADIUS server and apply the filter to the user profiles of each end device on the RADIUS server.
Finally, you verify the configuration by displaying output for the two counters.
[edit]
set firewall family ethernet-switching filter filter1 term supplicant1 from source-mac-address 00:50:8b:6f:60:3a
set firewall family ethernet-switching filter filter1 term supplicant2 from source-mac-address 00:50:8b:6f:60:3b
set firewall family ethernet-switching filter filter1 term supplicant1 then count counter1
set firewall family ethernet-switching filter filter1 term supplicant1 then policer p1
set firewall family ethernet-switching filter filter1 term supplicant2 then count counter2
Step-by-Step Procedure
To configure a port firewall filter and counters on the switch:
1. Configure a port firewall filter (here, filter1) with terms for each end device based on the MAC address
of each end device:
3. Create two counters that will count packets for each end device and a policer that limits the traffic
rate:
[edit]
user@switch# set firewall policer p1 if-exceeding bandwidth-limit 1m
user@switch# set firewall policer p1 if-exceeding burst-size-limit 1k
user@switch# set firewall policer p1 then discard
Results
Display the results of the configuration:
firewall {
    family ethernet-switching {
        filter filter1 {
            term supplicant1 {
                from {
                    source-mac-address {
                        00:50:8b:6f:60:3a;
                    }
                }
                then count counter1;
                then policer p1;
            }
            term supplicant2 {
                from {
                    source-mac-address {
                        00:50:8b:6f:60:3b;
                    }
                }
                then count counter2;
            }
        }
    }
    policer p1 {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 1k;
        }
        then discard;
    }
}
Applying the Port Firewall Filter to the Supplicant User Profiles on the RADIUS Server
Step-by-Step Procedure
To verify that the RADIUS server attribute Filter-ID is on the RADIUS server and to apply the filter to the
user profiles:
1. Display the dictionary dictionary.rfc2865 on the RADIUS server, and verify that the attribute Filter-ID
is in the dictionary:
[root@freeradius]# cat /usr/share/freeradius/dictionary.rfc2865
3. Display the local user profiles of the end devices to which you want to apply the filter (here, the user
profiles are called supplicant1 and supplicant2):
4. Apply the filter to both user profiles by adding the line Filter-Id = "filter1" to each profile, and then
close the file:
Verification
Purpose
After the end devices are authenticated on interface ge-0/0/2, verify that the filter has been configured
on the switch and includes the results for both supplicants:
Action
Filter: dot1x-filter-ge-0/0/2
Counters
counter1_dot1x_ge-0/0/2_user1 100
counter2_dot1x_ge-0/0/2_user2 400
Meaning
The output of the show dot1x firewall command displays counter1 and counter2. Packets from User1
are counted using counter1, and packets from User2 are counted using counter2. The output displays
packets incrementing for both counters. The filter has been applied to both end devices.
IN THIS SECTION
Requirements | 429
Configuration | 431
Verification | 433
On EX Series switches, firewall filters that you apply to interfaces enabled for 802.1X or MAC RADIUS
authentication are dynamically combined with the per-user policies sent to the switch from the RADIUS
server. The switch uses internal logic to dynamically combine the interface firewall filter with the user
policies from the RADIUS server and create an individualized policy for each of the multiple users or
nonresponsive hosts that are authenticated on the interface.
This example describes how dynamic firewall filters are created for multiple supplicants on an
802.1X-enabled interface (the same principles shown in this example apply to interfaces enabled for MAC
RADIUS authentication):
Requirements
• One RADIUS authentication server. The authentication server acts as the backend database and contains
credential information for hosts (supplicants) that have permission to connect to the network.
Before you apply firewall filters to an interface for use with multiple supplicants, be sure you have:
• Set up a connection between the switch and the RADIUS server. See “Example: Connecting a RADIUS
Server for 802.1X to an EX Series Switch” on page 365.
• Configured 802.1X authentication on the switch, with the authentication mode for interface ge-0/0/2
set to multiple. See “Configuring 802.1X Interface Settings (CLI Procedure)” on page 355 and “Example:
Setting Up 802.1X for Single-Supplicant or Multiple-Supplicant Configurations on an EX Series Switch”
on page 405.
When the 802.1X configuration on an interface is set to multiple supplicant mode, the system dynamically
combines the interface firewall filter with the user policies sent to the switch from the RADIUS server during
authentication and creates separate terms for each user. Because there are separate terms for each user
authenticated on the interface, you can, as shown in this example, use counters to view the activities of
individual users that are authenticated on the same interface.
When a new user (or a nonresponsive host) is authenticated on an interface, the system adds a term to
the firewall filter associated with the interface, and the term (policy) for each user is associated with the
MAC address of the user. The term for each user is based on the user-specific filters set on the RADIUS
server and the filters configured on the interface. For example, as shown in Figure 14 on page 430, when
User1 is authenticated by the EX Series switch, the system creates the firewall filter dynamic-filter-example.
When User2 is authenticated, another term is added to the firewall filter, and so on.
Figure 14: Conceptual Model: Dynamic Filter Updated for Each New User
This is a conceptual model of the internal process—you cannot access or view the dynamic filter.
NOTE: If the firewall filter on the interface is modified after the user (or nonresponsive host) is
authenticated, the modifications are not reflected in the dynamic filter unless the user is
reauthenticated.
In this example, you configure a firewall filter to count the requests made by each endpoint authenticated
on interface ge-0/0/2 to the file server, which is located on subnet 192.0.2.16/28, and set policer definitions
to rate limit the traffic. Figure 15 on page 431 shows the network topology for this example.
Configuration
[edit]
set firewall family ethernet-switching filter filter1 term term1 from destination-address 192.0.2.16/28
set firewall family ethernet-switching filter filter1 term term1 then count counter1
set firewall family ethernet-switching filter filter1 term term2 then policer p1
Step-by-Step Procedure
To configure firewall filters on an interface enabled for multiple supplicants:
3. Configure a firewall filter to count packets from each user and a policer that limits the traffic rate. As
each new user is authenticated on the multiple supplicant interface, this filter term will be included in
the dynamically created term for the user:
Results
Check the results of the configuration:
firewall {
    family ethernet-switching {
        filter filter1 {
            term term1 {
                from {
                    destination-address {
                        192.0.2.16/28;
                    }
                }
                then count counter1;
            }
            term term2 {
                from {
                    destination-address {
                        192.0.2.16/28;
                    }
                }
                then policer p1;
            }
        }
    }
    policer p1 {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 1k;
        }
        then discard;
    }
}
protocols {
    dot1x {
        authenticator {
            interface ge-0/0/2 {
                supplicant multiple;
            }
        }
    }
}
Verification
Purpose
Verify that firewall filters are functioning on the interface with multiple supplicants.
Action
1. Check the results with one user authenticated on the interface. In this case, User1 is authenticated
on ge-0/0/2:
user@switch> show dot1x firewall
Filter: dot1x_ge-0/0/2
Counters
counter1_dot1x_ge-0/0/2_user1 100
2. When a second user, User2, is authenticated on the same interface, ge-0/0/2, you can verify that the
filter includes the results for both of the users authenticated on the interface:
user@switch> show dot1x firewall
Filter: dot1x_ge-0/0/2
Counters
counter1_dot1x_ge-0/0/2_user1 100
counter1_dot1x_ge-0/0/2_user2 400
Meaning
The results displayed by the show dot1x firewall command output reflect the dynamic filter created with
the authentication of each new user: every user gets its own instance of term1, and therefore its own counter,
tied to that user's MAC address. counter1 matched 100 packets from User1 to the file server subnet
192.0.2.16/28 and 400 packets from User2, even though both users share interface ge-0/0/2. The policer in
term2 is carried into each user's dynamic term in the same way.
SEE ALSO
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX Series Switches
Filtering 802.1X Supplicants by Using RADIUS Server Attributes | 360
IN THIS SECTION
Requirements | 435
Configuration | 438
Verification | 440
NOTE: This example uses Junos OS for EX Series switches with support for the Enhanced Layer
2 Software (ELS) configuration style. If your switch runs software that does not support ELS, see
“Example: Applying Firewall Filters to Multiple Supplicants on Interfaces Enabled for 802.1X or
MAC RADIUS Authentication” on page 428. For ELS details, see Using the Enhanced Layer 2
Software CLI.
On EX Series switches, firewall filters that you apply to interfaces enabled for 802.1X or MAC RADIUS
authentication are dynamically combined with the per-user policies sent to the switch from the RADIUS
server. The switch uses internal logic to dynamically combine the interface firewall filter with the user
policies from the RADIUS server and create an individualized policy for each of the multiple users or
nonresponsive hosts that are authenticated on the interface.
This example describes how dynamic firewall filters are created for multiple supplicants on an
802.1X-enabled interface (the same principles shown in this example apply to interfaces enabled for MAC
RADIUS authentication):
Requirements
• One RADIUS authentication server. The authentication server acts as the backend database and contains
credential information for hosts (supplicants) that have permission to connect to the network.
Before you apply firewall filters to an interface for use with multiple supplicants, be sure you have:
• Set up a connection between the switch and the RADIUS server. See “Example: Connecting a RADIUS
Server for 802.1X to an EX Series Switch” on page 365.
• Configured 802.1X authentication on the switch, with the authentication mode for the interface ge-0/0/2
set to multiple. See “Configuring 802.1X Interface Settings (CLI Procedure)” on page 355 and “Example:
Setting Up 802.1X for Single-Supplicant or Multiple-Supplicant Configurations on an EX Series Switch”
on page 405.
When the 802.1X configuration on an interface is set to multiple supplicant mode, the system dynamically
combines the interface firewall filter with the user policies sent to the switch from the RADIUS server
during authentication and creates separate terms for each user. Because there are separate terms for each
user authenticated on the interface, you can, as shown in this example, use counters to view the activities
of individual users that are authenticated on the same interface.
When a new user (or a nonresponsive host) is authenticated on an interface, the system adds a term to
the firewall filter associated with the interface, and the term (policy) for each user is associated with the
MAC address of the user. The term for each user is based on the user-specific filters set on the RADIUS
server and the filters configured on the interface. For example, as shown in Figure 16 on page 437, when
User 1 is authenticated by the EX Series switch, the system adds a term to the firewall filter
dynamic-filter-example. When User 2 is authenticated, another term is added to the firewall filter, and so
on.
Figure 16: Conceptual Model: Dynamic Filter Updated for Each New User
This is a conceptual model of the internal process—you cannot access or view the dynamic filter.
NOTE: If the firewall filter on the interface is modified after the user (or nonresponsive host) is
authenticated, the modifications are not reflected in the dynamic filter unless the user is
reauthenticated.
In this example, you configure a firewall filter to count the requests made by each endpoint authenticated
on interface ge-0/0/2 to the file server, which is located on subnet 192.0.2.16/28, and set policer definitions
to rate-limit the traffic. Figure 17 on page 438 shows the network topology for this example.
Configuration
[edit]
set firewall family ethernet-switching filter filter1 term term1 from ip-destination-address 192.0.2.16/28
set firewall family ethernet-switching filter filter1 term term2 from ip-destination-address 192.0.2.16/28
set firewall family ethernet-switching filter filter1 term term1 then count counter1
set firewall family ethernet-switching filter filter1 term term2 then policer p1
set firewall policer p1 if-exceeding bandwidth-limit 1m
set firewall policer p1 if-exceeding burst-size-limit 1500
set firewall policer p1 then discard
Step-by-Step Procedure
To configure firewall filters on an interface enabled for multiple supplicants:
2. Configure a firewall filter to count packets from each user and a policer that limits the traffic rate. As
each new user is authenticated on the multiple supplicant interface, this filter term will be included in
the dynamically created term for the user:
Results
Check the results of the configuration:
[edit]
user@switch# show
firewall {
    family ethernet-switching {
        filter filter1 {
            term term1 {
                from {
                    ip-destination-address {
                        192.0.2.16/28;
                    }
                }
                then count counter1;
            }
            term term2 {
                from {
                    ip-destination-address {
                        192.0.2.16/28;
                    }
                }
                then policer p1;
            }
        }
    }
    policer p1 {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 1500;
        }
        then discard;
    }
}
protocols {
    dot1x {
        authenticator {
            interface ge-0/0/2 {
                supplicant multiple;
            }
        }
    }
}
Verification
Purpose
Verify that firewall filters are functioning on the interface with multiple supplicants.
Action
1. Check the results with one user authenticated on the interface. In this case, User 1 is authenticated on
ge-0/0/2:
user@switch> show dot1x firewall
Filter: dot1x_ge-0/0/2
Counters
counter1_dot1x_ge-0/0/2_user1 100
2. When a second user, User 2, is authenticated on the same interface, ge-0/0/2, you can verify that the
filter includes the results for both of the users authenticated on the interface:
user@switch> show dot1x firewall
Filter: dot1x_ge-0/0/2
Counters
counter1_dot1x_ge-0/0/2_user1 100
counter1_dot1x_ge-0/0/2_user2 400
Meaning
The results displayed by the show dot1x firewall command output reflect the dynamic filter created with
the authentication of each new user: every user gets its own instance of term1, and therefore its own counter,
tied to that user's MAC address. counter1 matched 100 packets from User 1 to the file server subnet
192.0.2.16/28 and 400 packets from User 2, even though both users share interface ge-0/0/2. The policer in
term2 is carried into each user's dynamic term in the same way.
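The per-user counters are only useful if something reads them. The following Python script is an added example, not part of the Juniper documentation: it parses the show dot1x firewall output shown in the two verification steps above, relying only on the naming convention visible there (dynamic filter dot1x_<interface>, counter <counter>_dot1x_<interface>_<user>). The two snapshots are constructed copies of that output, taken before and after User 2 authenticated. It lists the users whose dynamic term is instantiated on an interface, computes the per-user change between two snapshots, and flags users whose counter exceeds a threshold, which is the per-user visibility the separate terms are meant to give you.

```python
import re

# Constructed sample snapshots of "show dot1x firewall" output, modelled on
# the two verification steps above (one user, then two users on ge-0/0/2).
SNAPSHOT_ONE_USER = """\
Filter: dot1x_ge-0/0/2
Counters
counter1_dot1x_ge-0/0/2_user1 100
"""

SNAPSHOT_TWO_USERS = """\
Filter: dot1x_ge-0/0/2
Counters
counter1_dot1x_ge-0/0/2_user1 100
counter1_dot1x_ge-0/0/2_user2 400
"""

# The dynamic filter for an interface is named dot1x_<interface>.
FILTER_RE = re.compile(r"^Filter:\s+dot1x_(?P<ifname>\S+)$")


def parse_dot1x_firewall(text):
    """Return {(interface, user): {counter: value}} from show dot1x firewall output.

    Each per-user term's counter is named <counter>_dot1x_<interface>_<user>.
    The interface name is taken from the Filter: header so that '/' and '_'
    inside interface or user names cannot confuse the split.
    """
    stats = {}
    ifname = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "Counters":
            continue
        m = FILTER_RE.match(line)
        if m:
            ifname = m.group("ifname")
            continue
        parts = line.split()
        if ifname is None or len(parts) != 2 or not parts[1].isdigit():
            continue
        name, value = parts
        marker = f"_dot1x_{ifname}_"
        if marker not in name:
            continue
        counter, _, user = name.partition(marker)
        stats.setdefault((ifname, user), {})[counter] = int(value)
    return stats


def users_on_interface(stats, ifname):
    """Users whose dynamic term is currently instantiated on ifname."""
    return sorted(user for (ifd, user) in stats if ifd == ifname)


def counter_delta(before, after, counter):
    """Per-user increase of a counter between two snapshots.

    A user present only in 'after' authenticated between the snapshots and
    starts from zero; a user that disappeared was deauthenticated, and its
    term (with its counter) was removed with it.
    """
    return {
        key: counters.get(counter, 0) - before.get(key, {}).get(counter, 0)
        for key, counters in after.items()
    }


def heavy_users(stats, counter, threshold):
    """Users whose counter exceeds threshold, e.g. a host hammering the file server."""
    return sorted(
        user for (ifd, user), counters in stats.items()
        if counters.get(counter, 0) > threshold
    )


if __name__ == "__main__":
    before = parse_dot1x_firewall(SNAPSHOT_ONE_USER)
    after = parse_dot1x_firewall(SNAPSHOT_TWO_USERS)
    print(users_on_interface(after, "ge-0/0/2"))      # ['user1', 'user2']
    print(counter_delta(before, after, "counter1"))    # user1: 0, user2: 400
    print(heavy_users(after, "counter1", 250))         # ['user2']
```

Because the per-user term is created at authentication time, a counter that is present in one snapshot and absent in the next tells you the user was deauthenticated (or reauthenticated, which rebuilds the term and resets the count), not that traffic stopped.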
SEE ALSO
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX Series Switches
Filtering 802.1X Supplicants by Using RADIUS Server Attributes | 360
IN THIS SECTION
Configuring Static MAC Bypass of 802.1X and MAC RADIUS Authentication (CLI Procedure) | 442
Example: Configuring Static MAC Bypass of 802.1X and MAC RADIUS Authentication on an EX Series
Switch | 443
Junos OS allows you to configure access to your LAN through 802.1X-configured interfaces without
authentication, by configuring a static MAC bypass list on the EX Series switch. The static MAC bypass
list, also known as the exclusion list, specifies MAC addresses that are allowed on the switch without sending
a request to an authentication server. For more information, read this topic.
You can configure a static MAC bypass list (sometimes called the exclusion list) on the switch to specify
MAC addresses of devices allowed access to the LAN without 802.1X or MAC RADIUS authentication
requests to the RADIUS server.
IN THIS SECTION
Requirements | 443
Configuration | 446
Verification | 448
To allow devices to access your LAN through 802.1X-configured interfaces without authentication, you
can configure a static MAC bypass list on the EX Series switch. The static MAC bypass list, also known as
the exclusion list, specifies MAC addresses that are allowed on the switch without sending a request to an
authentication server.
You can use static MAC bypass of authentication to allow connection for devices that are not
802.1X-enabled, such as printers. If a host's MAC address matches an entry in the static MAC bypass list,
the nonresponsive host is treated as authenticated and the interface is opened for it without any request to
the RADIUS server. Because a MAC address is trivially spoofed, treat every entry on the list as an
unauthenticated path onto the LAN: keep the list short, and monitor which interface each listed MAC
address is learned on.
This example describes how to configure static MAC bypass of authentication for two printers:
Requirements
• One EX Series switch acting as an authenticator port access entity (PAE). The ports on the authenticator
PAE form a control gate that blocks all traffic to and from supplicants until they are authenticated.
Before you configure static MAC bypass of authentication, be sure you have:
• Performed basic bridging and VLAN configuration on the switch. See the documentation that describes
setting up basic bridging and a VLAN for your switch. If you are using a switch that supports the Enhanced
Layer 2 Software (ELS) configuration style, see Example: Setting Up Basic Bridging and a VLAN for an EX
Series Switch with ELS Support or Example: Setting Up Basic Bridging and a VLAN on Switches. For all other
switches, see Example: Setting Up Basic Bridging and a VLAN for an EX Series Switch.
For more about ELS, see: Using the Enhanced Layer 2 Software CLI.
• Specified the RADIUS server connections and configured an access profile on the switch. See “Example:
Connecting a RADIUS Server for 802.1X to an EX Series Switch” on page 365.
To permit printers access to the LAN, add them to the static MAC bypass list. The MAC addresses on this
list are permitted access without authentication from the RADIUS server.
Figure 18 on page 445 shows the two printers connected to the EX4200.
The interfaces shown in Table 32 on page 446 will be configured for static MAC bypass of authentication.
Table 32: Components of the Static MAC Bypass of Authentication Configuration Topology
Property            Settings
Switch hardware     EX4200, 24 Gigabit Ethernet ports: 16 non-PoE ports and 8 PoE ports (ge-0/0/0 through ge-0/0/23)
The printer with the MAC address 00:04:0f:fd:ac:fe is connected to access interface ge-0/0/19. A second
printer with the MAC address 00:04:ae:cd:23:5f is connected to access interface ge-0/0/20. Both printers
will be added to the static list and bypass 802.1X authentication.
Configuration
[edit]
set protocols dot1x authenticator static [00:04:0f:fd:ac:fe 00:04:ae:cd:23:5f]
set protocols dot1x authenticator interface all supplicant multiple
set protocols dot1x authenticator authentication-profile-name profile1
Step-by-Step Procedure
1. Configure the static MAC bypass list:
[edit protocols]
user@switch# set dot1x authenticator static [00:04:0f:fd:ac:fe 00:04:ae:cd:23:5f]
2. Configure the interfaces for multiple supplicant mode:
[edit protocols]
user@switch# set dot1x authenticator interface all supplicant multiple
3. Configure the authentication profile name (access profile name) to use for authentication:
[edit protocols]
user@switch# set dot1x authenticator authentication-profile-name profile1
NOTE: Access profile configuration is required only for 802.1X clients, not for static MAC
clients.
Results
Display the results of the configuration:
[edit]
user@switch# show
interfaces {
    ge-0/0/19 {
        unit 0 {
            family ethernet-switching {
                vlan members default;
            }
        }
    }
    ge-0/0/20 {
        unit 0 {
            family ethernet-switching {
                vlan members default;
            }
        }
    }
}
protocols {
    dot1x {
        authenticator {
            authentication-profile-name profile1;
            static [00:04:0f:fd:ac:fe 00:04:ae:cd:23:5f];
            interface {
                all {
                    supplicant multiple;
                }
            }
        }
    }
}
Verification
Purpose
Verify that the MAC addresses of both printers are configured and associated with the correct interfaces.
Action
Meaning
The output field MAC address shows the MAC addresses of the two printers.
The output field Interface shows that the MAC address 00:04:0f:fd:ac:fe can connect to the LAN through
interface ge-0/0/19.0 and that the MAC address 00:04:ae:cd:23:5f can connect to the LAN through
interface ge-0/0/20.0.
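A MAC address on the static bypass list is admitted with no authentication at all, so the operational control that remains is knowing where each bypassed MAC is supposed to be and noticing when it turns up somewhere else. The following Python script is an added example, not Juniper's code: it normalizes the two printer MAC addresses from this example, renders the set protocols dot1x authenticator static statement from them, and audits a constructed list of learned (vlan, mac, interface) entries against the expected access ports. The three-column sample is an assumed simplification of what you would extract from show ethernet-switching table, whose exact layout varies by release; refusing locally administered and multicast addresses is a hardening choice of this example, not a Junos rule.

```python
import re

# Expected placement of the bypassed devices, from the example topology
# above: printer MAC address -> access interface it is plugged into.
EXPECTED_BYPASS = {
    "00:04:0f:fd:ac:fe": "ge-0/0/19.0",
    "00:04:ae:cd:23:5f": "ge-0/0/20.0",
}

# Constructed sample of learned MAC entries (vlan, mac, interface). The second
# printer's MAC is seen on ge-0/0/7.0 instead of ge-0/0/20.0, which is exactly
# what a spoofed or moved bypass device looks like.
LEARNED_SAMPLE = """\
default 00:04:0f:fd:ac:fe ge-0/0/19.0
default 00:04:ae:cd:23:5f ge-0/0/7.0
default 00:1b:21:aa:bb:cc ge-0/0/3.0
"""


def normalize_mac(mac):
    """Canonical lower-case colon form; accepts 0004.0ffd.acfe and 00-04-0f-... too."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def bypass_set_command(macs):
    """Render the Junos statement that puts these MACs on the static bypass list."""
    normalized = sorted({normalize_mac(m) for m in macs})
    for m in normalized:
        # Bit 0 of the first octet marks multicast, bit 1 locally administered;
        # neither is a burned-in address, so this example refuses them (assumption).
        if int(m[:2], 16) & 0b11:
            raise ValueError(f"refusing multicast or locally administered MAC {m}")
    return "set protocols dot1x authenticator static [" + " ".join(normalized) + "]"


def parse_learned(text):
    """Parse 'vlan mac interface' lines (the assumed simplified table format)."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        vlan, mac, ifname = parts
        entries.append((vlan, normalize_mac(mac), ifname))
    return entries


def audit_bypass(expected, learned):
    """Report bypassed MACs learned somewhere other than their expected port.

    Returns {"moved": {mac: [unexpected interfaces]}, "missing": [macs not seen]}.
    """
    seen = {}
    for _vlan, mac, ifname in learned:
        seen.setdefault(mac, set()).add(ifname)
    moved, missing = {}, []
    for mac, port in expected.items():
        ports = seen.get(mac)
        if not ports:
            missing.append(mac)
        elif ports != {port}:
            moved[mac] = sorted(ports - {port})
    return {"moved": moved, "missing": sorted(missing)}


if __name__ == "__main__":
    print(bypass_set_command(EXPECTED_BYPASS))
    print(audit_bypass(EXPECTED_BYPASS, parse_learned(LEARNED_SAMPLE)))
```

Run the audit on every MAC-table poll: a bypassed MAC appearing on a port other than the printer's, or on two ports at once, is the signal that someone has borrowed the printer's address to skip authentication.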
IN THIS SECTION
Configuring Captive Portal Authentication (CLI Procedure) on an EX Series Switch with ELS Support | 461
Example: Setting Up Captive Portal Authentication on an EX Series Switch with ELS Support | 463
You can control access to your network through a switch by using several different authentication methods.
Junos OS switches support 802.1X, MAC RADIUS, and captive portal as authentication methods for devices
that need to connect to a network. You can set up captive portal authentication on a switch to redirect
Web browser requests to a login page that requires the user to input a username and password. For more
information, read this topic.
IN THIS SECTION
Requirements | 450
Configuration | 450
Verification | 454
Troubleshooting | 455
You can set up captive portal authentication (hereafter referred to as captive portal) on a switch to redirect
Web browser requests to a login page that requires the user to input a username and password. Upon
successful authentication, the user is allowed to continue with the original page request and subsequent
access to the network.
Requirements
• Performed basic bridging and VLAN configuration on the switch. See Example: Setting Up Basic Bridging
and a VLAN for an EX Series Switch.
• Generated an SSL certificate and installed it on the switch. See “Generating SSL Certificates to Be Used
for Secure Web Access (EX Series Switch)” on page 306.
• Designed your captive portal login page. See “Designing a Captive Portal Authentication Login Page on
Switches” on page 458.
This example shows the configuration required on the switch to enable captive portal on an interface. To
permit a printer connected to the captive portal interface to access the LAN without going through captive
portal, add its MAC address to the authentication whitelist. The MAC addresses in this list are permitted
access on the interface without captive portal.
The topology for this example consists of one EX Series switch connected to a RADIUS authentication
server. One interface on the switch is configured for captive portal. In this example, the interface is
configured in multiple supplicant mode.
Configuration
[edit]
Step-by-Step Procedure
To configure captive portal on the switch:
1. Define the server IP address, the server authentication port number, and configure the shared secret.
The secret on the switch must match the secret configured for this switch on the RADIUS server:
[edit]
user@switch# set access radius-server 10.204.96.165 port 1812
[edit]
user@switch# set access radius-server 10.204.96.165 secret "ABC123"
2. Configure the authentication order, making radius the first method of authentication, and point the
access profile at the RADIUS server:
[edit]
user@switch# set access profile profile1 authentication-order radius
[edit]
user@switch# set access profile profile1 radius authentication-server 10.204.96.165
3. Enable the HTTP service on the switch:
[edit]
user@switch# set system services web-management http
4. To create a secure channel for Web access to the switch, configure captive portal for HTTPS:
NOTE: You can enable HTTP without enabling HTTPS, but we recommend HTTPS for security
purposes.
a. Associate the security certificate with the Web server and enable HTTPS access on the switch:
[edit]
user@switch# set system services web-management https local-certificate my-signed-cert
b. Configure captive portal to authenticate over HTTPS:
[edit]
user@switch# set services captive-portal secure-authentication https
5. Enable captive portal on interface ge-0/0/10 in multiple supplicant mode:
[edit]
user@switch# set services captive-portal interface ge-0/0/10 supplicant multiple
6. Specify the name of the access profile to be used for captive portal authentication:
[edit]
user@switch# set services captive-portal authentication-profile-name profile1
7. (Optional) Add the MAC address of the printer to the authentication whitelist so that it can reach the
LAN without going through captive portal:
[edit]
user@switch# set ethernet-switching-options authentication-whitelist 00:10:12:e0:28:22
NOTE: If the client is already attached to the switch, you must clear its MAC address from
the captive portal authentication by using the clear captive-portal mac-address mac-address
command after adding its MAC address to the whitelist. Otherwise the new entry for the
MAC address will not be added to the Ethernet switching table and authentication bypass
will not be allowed.
8. (Optional) To redirect clients to a specified page rather than the page they originally requested, configure
the post-authentication URL:
[edit]
user@switch# set services captive-portal custom-options post-authentication-url http://www.my-home-page.com
Results
Display the results of the configuration:
[edit]
user@switch# show
system {
    services {
        web-management {
            http;
            https {
                local-certificate my-signed-cert;
            }
        }
    }
}
security {
    certificates {
        local {
            my-signed-cert {
                "-----BEGIN RSA PRIVATE KEY-----ABC123
                ...
                ABC123-----END CERTIFICATE-----\n"; ## SECRET-DATA
            }
        }
    }
}
services {
    captive-portal {
        interface {
            ge-0/0/10.0 {
                supplicant multiple;
            }
        }
        secure-authentication https;
    }
}
ethernet-switching-options {
    authentication-whitelist {
        00:10:12:e0:28:22/48;
    }
}
Verification
To confirm that captive portal is configured and working properly, perform these tasks:
Purpose
Verify that captive portal is configured on interface ge-0/0/10.
Action
Use the operational mode command show captive-portal interface interface-name detail:
user@switch> show captive-portal interface ge-0/0/10 detail
ge-0/0/10.0
    Supplicant mode: Multiple
    Number of retries: 3
    Quiet period: 60 seconds
    Configured CP session timeout: 3600 seconds
    Server timeout: 15 seconds
Meaning
The output confirms that captive portal is configured on interface ge-0/0/10 with the default settings for
number of retries, quiet period, CP session timeout, and server timeout.
Purpose
Verify that captive portal is working on the switch.
Action
Connect a client to interface ge-0/0/10. From the client, open a Web browser and request a webpage.
The captive portal login page that you designed should be displayed. After you enter your login information
and are authenticated against the RADIUS server, the Web browser should display either the page you
requested or the post-authentication URL that you configured.
Troubleshooting
Problem
The switch does not return the captive portal login page when a user connected to a captive portal interface
on the switch requests a Web page.
Solution
You can examine the ARP, DHCP, HTTPS, and DNS counters—if one or more of these counters are not
incrementing, this provides an indication of where the problem lies. For example, if the client cannot get
an IP address, check the switch interface to determine whether the DHCP counter is incrementing—if the
counter increments, the DHCP packet was received by the switch.
ge-0/0/10.0
Filter name: dot1x_ge-0/0/10
Counters:
Name Bytes Packets
Configure captive portal authentication (hereafter referred to as captive portal) on an EX Series switch so
that users connected to the switch are authenticated before being allowed to access the network. When
the user requests a web page, a login page is displayed that requires the user to input a username and
password. Upon successful authentication, the user is allowed to continue with the original page request
and subsequent access to the network.
• Performed basic bridging and VLAN configuration on the switch. See Example: Setting Up Basic Bridging
and a VLAN for an EX Series Switch.
• Generated an SSL certificate and installed it on the switch. See “Generating SSL Certificates to Be Used
for Secure Web Access (EX Series Switch)” on page 306.
• Configured basic access between the EX Series switch and the RADIUS server. See “Example: Connecting
a RADIUS Server for 802.1X to an EX Series Switch” on page 365.
• Designed your captive portal login page. See “Designing a Captive Portal Authentication Login Page on
Switches” on page 458.
2. Associate the security certificate with the Web server and enable HTTPS access on the switch:
[edit]
user@switch# set system services web-management https local-certificate my-signed-cert
NOTE: You can enable HTTP without HTTPS, but we recommend HTTPS for security
purposes.
3. Configure captive portal to authenticate over HTTPS:
[edit]
user@switch# set services captive-portal secure-authentication https
4. Enable captive portal on an interface:
[edit]
user@switch# set services captive-portal interface interface-name
For example:
[edit]
user@switch# set services captive-portal interface ge-0/0/10
5. (Optional) Add the MAC address of a device that must bypass captive portal, such as a printer, to the
authentication whitelist:
[edit]
user@switch# set ethernet-switching-options authentication-whitelist mac-address
For example:
[edit]
user@switch# set ethernet-switching-options authentication-whitelist 00:10:12:e0:28:22
NOTE: If the client is already attached to the switch, you must clear its MAC address from the
captive portal authentication by using the clear captive-portal mac-address mac-address command
after adding its MAC address to the whitelist. Otherwise the new entry for the MAC address
will not be added to the Ethernet switching table and authentication bypass will not be allowed.
You can set up captive portal authentication on your switch to redirect all Web browser requests to a login
page that requires users to input a username and password before they are allowed access. Upon successful
authentication, users are allowed access to the network and redirected to the original page requested.
Junos OS provides a customizable template for the captive portal window that allows you to easily design
and modify the look of the captive portal login page. You can modify the design elements of the template
to change the look of your captive portal login page and to add instructions or information to the page.
You can also modify any of the design elements of a captive portal login page.
The first screen displayed before the captive login page requires the user to read the terms and conditions
of use. By clicking the Agree button, the user can access the captive portal login page.
Table 33 on page 459 summarizes the configurable elements of a captive portal login page.
Element                         Statement                         Description
Footer background color         footer-bgcolor hex-color          The HTML hexadecimal code for the background color of the captive portal login page footer.
Footer message                  footer-message text-string        Text displayed in the footer of the captive portal login page. You can include copyright information, links, and additional information such as help instructions, legal notices, or a privacy policy.
Footer text color               footer-text-color color           Color of the text in the footer. The default color is white.
Form header background color    form-header-bgcolor hex-color     The HTML hexadecimal code for the background color of the header bar across the top of the form area of the captive portal login page.
Form header message             form-header-message text-string   Text displayed in the header of the captive portal login page. The default text is Captive Portal User Authentication.
Form header text color          form-header-text-color color      Color of the text in the form header. The default color is black.
Form reset button label         form-reset-label label-name       Using the Reset button, the user can clear the username and password fields on the form.
Form submit button label        form-submit-label label-name      Using the Login button, the user can submit the login information.
Header background color         header-bgcolor hex-color          The HTML hexadecimal code for the background color of the captive portal login page header.
Header logo                     header-logo filename              Filename of the file containing the image of the logo that you want to appear in the header of the captive portal login page. The image file can be in GIF, JPEG, or PNG format. You can upload a logo image file to the switch. Copy the logo to the /var/tmp directory on the switch (during commit, the files are saved to persistent locations).
Header message                  header-message text-string        Text displayed in the page header. The default text is User Authentication.
Header text color               header-text-color color           Color of the text in the header. The default color is white.
Post-authentication URL         post-authentication-url url       URL to which the users are directed on successful authentication. By default, users are directed to the page they had originally requested.
2. Configure the custom options to specify the background colors and text displayed in the captive portal
page:
NOTE: For the custom options that you do not specify, the default value is used.
NOTE: This task uses Junos OS for switches with support for the Enhanced Layer 2 Software
(ELS) configuration style. If your switch runs software that does not support ELS, see “Configuring
Captive Portal Authentication (CLI Procedure)” on page 456. For ELS details, see Using the Enhanced
Layer 2 Software CLI.
Configure captive portal authentication (hereafter referred to as captive portal) on a switch so that users
connected to the switch are authenticated before being allowed to access the network. When the user
requests a webpage, a login page is displayed that requires the user to input a username and password.
Upon successful authentication, the user is allowed to continue with the original page request and
subsequent access to the network.
• Performed basic bridging and VLAN configuration on the switch. See Example: Setting Up Basic Bridging
and a VLAN for an EX Series Switch with ELS Support .
• Generated an SSL certificate and installed it on the switch. See “Generating SSL Certificates to Be Used
for Secure Web Access (EX Series Switch)” on page 306.
• Configured basic access between the switch and the RADIUS server. See “Example: Connecting a RADIUS
Server for 802.1X to an EX Series Switch” on page 365.
• Designed your captive portal login page. See “Designing a Captive Portal Authentication Login Page on
Switches” on page 458.
1. Associate the security certificate with the Web server and enable HTTPS on the switch:
[edit]
user@switch# set system services web-management https local-certificate certificate-name
NOTE: You can enable HTTP instead of HTTPS, but we recommend HTTPS for security
purposes.
2. Configure captive portal to authenticate over HTTPS:
[edit]
user@switch# set services captive-portal secure-authentication https
3. Enable captive portal on an interface:
[edit]
user@switch# set services captive-portal interface interface-name
4. (Optional) Add the MAC address of a device that must bypass captive portal to the authentication
whitelist:
[edit]
user@switch# set switch-options authentication-whitelist mac-address
NOTE: Optionally, you can use set switch-options authentication-whitelist mac-address interface
interface-name to limit the scope to the interface.
NOTE: If the client is already attached to the switch, you must clear its MAC address from the
captive portal authentication by using the clear captive-portal mac-address session-mac-addr
command after adding its MAC address to the whitelist. Otherwise, the new entry for the MAC
address is not added to the Ethernet switching table and the authentication bypass is not allowed.
IN THIS SECTION
Requirements | 464
Configuration | 465
Verification | 467
Troubleshooting | 468
NOTE: This example uses Junos OS for EX Series switches with support for the Enhanced Layer
2 Software (ELS) configuration style. If your switch runs software that does not support ELS, see
“Example: Setting Up Captive Portal Authentication on an EX Series Switch” on page 449. For
ELS details, see Using the Enhanced Layer 2 Software CLI.
You can set up captive portal authentication (hereafter referred to as captive portal) on a switch to redirect
Web browser requests to a login page that requires the user to input a username and password. Upon
successful authentication, the user is allowed to continue with the original page request and subsequent
access to the network.
Requirements
• Performed basic bridging and VLAN configuration on the switch. See Example: Setting Up Basic Bridging
and a VLAN for an EX Series Switch with ELS Support .
• Generated an SSL certificate and installed it on the switch. See “Generating SSL Certificates to Be Used
for Secure Web Access (EX Series Switch)” on page 306.
• Configured basic access between the EX Series switch and the RADIUS server. See “Example: Connecting
a RADIUS Server for 802.1X to an EX Series Switch” on page 365.
• Designed your captive portal login page. See “Designing a Captive Portal Authentication Login Page on
Switches” on page 458.
This example shows the configuration required on the switch to enable captive portal on an interface. To
permit a printer connected to the captive portal interface to access the LAN, add its MAC address to the
authentication whitelist and assign it to a VLAN, vlan1. The MAC addresses on this list are permitted access
on the interface without captive portal authentication.
The topology for this example consists of one EX Series switch connected to a RADIUS authentication
server. One interface on the switch is configured for captive portal. In this example, the interface is
configured in multiple supplicant mode.
Configuration
[edit]
set system services web-management https local-certificate my-signed-cert
set services captive-portal secure-authentication https
set services captive-portal interface ge-0/0/10.0 supplicant multiple
set switch-options authentication-whitelist 00:10:12:e0:28:22 vlan-assignment vlan1
set services captive-portal custom-options post-authentication-url http://www.my-home-page.com
Step-by-Step Procedure
1. To create a secure channel for Web access to the switch, configure captive portal for HTTPS:
a. Associate the security certificate with the Web server and enable HTTPS on the switch:
[edit]
user@switch# set system services web-management https local-certificate my-signed-cert
NOTE: You can enable HTTP instead of HTTPS, but we recommend that you enable
HTTPS for security purposes.
b. Configure captive portal to authenticate over HTTPS:
[edit]
user@switch# set services captive-portal secure-authentication https
2. Enable captive portal on interface ge-0/0/10 in multiple supplicant mode:
[edit]
user@switch# set services captive-portal interface ge-0/0/10 supplicant multiple
3. Add the MAC address of the printer to the authentication whitelist and assign it to vlan1:
[edit]
user@switch# set switch-options authentication-whitelist 00:10:12:e0:28:22 vlan-assignment vlan1
NOTE: If the client is already attached to the switch, you must clear its MAC address from
the captive portal authentication by using the clear captive-portal mac-address mac-address
command after adding its MAC address to the whitelist. Otherwise, the new entry for the
MAC address will not be added to the Ethernet switching table and the authentication bypass
will not be allowed.
4. (Optional) To redirect clients to a specified page rather than the page they originally requested, configure
the post-authentication URL:
[edit]
user@switch# set services captive-portal custom-options post-authentication-url http://www.my-home-page.com
Results
Display the results of the configuration:
[edit]
user@switch# show
system {
services {
web-management {
https {
local-certificate my-signed-cert;
}
}
}
}
security {
certificates {
local {
my-signed-cert {
Verification
To confirm that captive portal authentication is configured and working properly, perform these tasks:
Purpose
Action
Use the operational mode command show captive-portal interface interface-name detail:
ge-0/0/10.0
Supplicant mode: Multiple
Number of retries: 3
Quiet period: 60 seconds
Configured CP session timeout: 3600 seconds
Server timeout: 15 seconds
Meaning
The output confirms that captive portal is configured on the interface ge-0/0/10, with the default settings
for number of retries, quiet period, CP session timeout, and server timeout.
Purpose
Verify that captive portal is working on the switch.
Action
Connect a client to the interface ge-0/0/10. From the client, open a Web browser and request a webpage.
The captive portal login page that you designed should be displayed. After you enter your login information
and are authenticated against the RADIUS server, the Web browser should display either the page you
requested or the post-authentication URL that you configured.
Troubleshooting
Problem
The switch does not return the captive portal login page when a user connected to a captive portal interface
on the switch requests a webpage.
Solution
You can examine the ARP, DHCP, HTTPS, and DNS counters—if one or more of these counters are not
incrementing, this provides an indication of where the problem lies. For example, if the client cannot get
an IP address, you might check the switch interface to determine whether the DHCP counter is
incrementing—if the counter increments, the DHCP packet was received by the switch.
ge-0/0/10.0
Filter name: dot1x_ge-0/0/10
Counters:
Name Bytes Packets
dot1x_ge-0/0/10_CP_arp 7616 119
dot1x_ge-0/0/10_CP_dhcp 0 0
dot1x_ge-0/0/10_CP_http 0 0
dot1x_ge-0/0/10_CP_https 0 0
dot1x_ge-0/0/10_CP_t_dns 0 0
dot1x_ge-0/0/10_CP_u_dns 0 0
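The counter comparison described above can be scripted. The following is an added example, not part of the Junos OS documentation: it parses the counter table from show captive-portal interface interface-name detail, compares two snapshots taken a few seconds apart, and reports the first stage of the client's connection (ARP, DHCP, DNS, HTTP/HTTPS) whose counter is not incrementing. The snapshots embedded in the script are constructed for the example; the hints are the kind of pointer the text gives (a DHCP counter that does not increment means the DHCP packet never reached the switch).

```python
"""Locate the stage at which a captive portal client is stuck.

Added example, not part of the Junos OS documentation: it parses the
counter table from "show captive-portal interface <name> detail" and
compares two snapshots taken a few seconds apart. The first stage whose
counter stops incrementing is where to look. The snapshots below are
constructed for this example.
"""
import re

# A client must ARP, obtain a DHCP lease, resolve a name and then send an
# HTTP(S) request before the switch can return the login page. Each stage
# maps to the counter suffixes used in the filter output.
STAGES = (
    ("ARP", ("arp",), "no ARP from the client: check link and VLAN on the port"),
    ("DHCP", ("dhcp",), "DHCP never reached the switch: the client has no IP address"),
    ("DNS", ("u_dns", "t_dns"), "client has an address but sends no DNS queries"),
    ("HTTP/HTTPS", ("http", "https"), "name resolved but no web request arrived to redirect"),
)

COUNTER_RE = re.compile(r"^\S+_CP_(?P<stage>\w+)\s+(?P<bytes>\d+)\s+(?P<packets>\d+)$")

# Constructed first snapshot, in the format of the switch output.
SNAPSHOT_1 = """\
ge-0/0/10.0
Filter name: dot1x_ge-0/0/10
Counters:
Name Bytes Packets
dot1x_ge-0/0/10_CP_arp 7616 119
dot1x_ge-0/0/10_CP_dhcp 0 0
dot1x_ge-0/0/10_CP_http 0 0
dot1x_ge-0/0/10_CP_https 0 0
dot1x_ge-0/0/10_CP_t_dns 0 0
dot1x_ge-0/0/10_CP_u_dns 0 0
"""

# Constructed second snapshot: only the ARP counter has moved.
SNAPSHOT_2 = SNAPSHOT_1.replace("_CP_arp 7616 119", "_CP_arp 7744 121")

# Constructed healthy pair: every stage advances between the snapshots.
HEALTHY_1 = """\
dot1x_ge-0/0/10_CP_arp 100 2
dot1x_ge-0/0/10_CP_dhcp 600 2
dot1x_ge-0/0/10_CP_http 300 3
dot1x_ge-0/0/10_CP_https 0 0
dot1x_ge-0/0/10_CP_t_dns 0 0
dot1x_ge-0/0/10_CP_u_dns 70 1
"""
HEALTHY_2 = """\
dot1x_ge-0/0/10_CP_arp 150 3
dot1x_ge-0/0/10_CP_dhcp 900 3
dot1x_ge-0/0/10_CP_http 500 5
dot1x_ge-0/0/10_CP_https 0 0
dot1x_ge-0/0/10_CP_t_dns 0 0
dot1x_ge-0/0/10_CP_u_dns 140 2
"""


def parse_counters(output: str) -> dict:
    """Map each counter suffix (arp, dhcp, ...) to (bytes, packets)."""
    counters = {}
    for line in output.splitlines():
        m = COUNTER_RE.match(line.strip())
        if m:
            counters[m.group("stage")] = (int(m.group("bytes")), int(m.group("packets")))
    return counters


def diagnose(before: dict, after: dict):
    """Return (stage, hint) for the first stage whose packet count did not
    grow between the snapshots, or None when every stage is moving."""
    for stage, keys, hint in STAGES:
        grew = sum(after.get(k, (0, 0))[1] - before.get(k, (0, 0))[1] for k in keys)
        if grew <= 0:
            return stage, hint
    return None


if __name__ == "__main__":
    print(diagnose(parse_counters(SNAPSHOT_1), parse_counters(SNAPSHOT_2)))
    print(diagnose(parse_counters(HEALTHY_1), parse_counters(HEALTHY_2)))
```

Run it against two captures of the real command output a few seconds apart; a client that only ever shows ARP traffic, as in the constructed snapshots, is reported as stuck at DHCP.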
Junos OS switches support 802.1X, MAC RADIUS, and captive portal as authentication methods for devices
that need to connect to a network. You can use the flexible authentication order feature to specify
the order of authentication methods that the switch uses when attempting to authenticate a client. If
multiple authentication methods are configured on a single interface, when one authentication method
fails, the switch falls back to another method. For more information, read this topic.
You can use the flexible authentication order feature to specify the order of authentication methods that
the switch uses when attempting to authenticate a client. If multiple authentication methods are configured
on a single interface, when one authentication method fails, the switch falls back to another method.
By default, the switch attempts to authenticate a client by using 802.1X authentication first. If 802.1X
authentication fails because there is no response from the client, and MAC RADIUS authentication is
configured on the interface, the switch will attempt authentication using MAC RADIUS. If MAC RADIUS
fails, and captive portal is configured on the interface, the switch attempts authentication using captive
portal.
With a flexible authentication order, the sequence of authentication method used can be changed based
on the type of clients connected to the interface. You can configure the authentication-order statement
to specify whether 802.1X authentication or MAC RADIUS authentication must be the first authentication
method tried. Captive portal is always the last authentication method tried.
If MAC RADIUS authentication is configured as the first authentication method in the order, then on
receiving data from any client, the switch attempts to authenticate the client by using MAC RADIUS
authentication. If MAC RADIUS authentication fails, then the switch uses 802.1X authentication to
authenticate the client. If 802.1X authentication fails, and captive portal is configured on the interface,
the switch attempts authentication using captive portal.
NOTE: If 802.1X authentication and MAC RADIUS authentication fail, and captive portal is not
configured on the interface, the client is denied access to the LAN unless a server fail fallback
method is configured. See “Configuring RADIUS Server Fail Fallback (CLI Procedure)” on page 349
for more information.
Before you configure the flexible authentication order on an interface, make sure that the authentication
methods are configured on that interface. The switch does not attempt authentication using a method
that is not configured on the interface, even if that method is included in the authentication order; the
switch ignores that method and attempts the next method in the authentication order that is enabled on
that interface.
• 802.1X authentication must be one of the methods included in the authentication order.
• If captive portal is included in the authentication order, it must be the last method in the order.
To configure a flexible authentication order, use one of the following valid combinations:
NOTE: The authentication order can be configured globally using the interface all option as well
as locally using the individual interface name. If the authentication order is configured both for
an individual interface and for all interfaces, the local configuration for that interface overrides
the global configuration.
• To configure 802.1X authentication as the first authentication method, followed by MAC RADIUS
authentication, and then captive portal:
[edit]
user@switch# set protocols dot1x authenticator interface interface-name authentication-order [dot1x mac-radius captive-portal]
• To configure 802.1X authentication as the first authentication method, followed by captive portal:
[edit]
user@switch# set protocols dot1x authenticator interface interface-name authentication-order [dot1x captive-portal]
• To configure 802.1X authentication as the first authentication method, followed by MAC RADIUS
authentication:
[edit]
user@switch# set protocols dot1x authenticator interface interface-name authentication-order [dot1x mac-radius]
• To configure MAC RADIUS authentication as the first authentication method, followed by 802.1X,
followed by captive portal:
[edit]
user@switch# set protocols dot1x authenticator interface interface-name authentication-order [mac-radius dot1x captive-portal]
After you configure the authentication order, you must use the insert command to make any modifications
to the authentication order. Using the set command does not change the configured order.
[edit]
user@switch# insert protocols dot1x authenticator interface interface-name authentication-order authentication-method before authentication-method
For example, to change the order from [mac-radius dot1x captive-portal] to [dot1x mac-radius captive-portal]:
[edit]
user@switch# insert protocols dot1x authenticator interface interface-name authentication-order dot1x before mac-radius
When a switch acting as an 802.1X authenticator receives an EAP-Start message from an authenticated
client, the switch tries to re-authenticate the client using the 802.1X method and typically returns an
EAP-Request message, and waits for a response. If the client fails to respond, the switch attempts to
re-authenticate the client using MAC RADIUS or captive portal method if these methods were configured.
Clients that were authenticated using MAC RADIUS or captive portal authentication do not respond to the
EAP-Request, and their traffic is dropped on the interface while the switch attempts re-authentication.
If you have configured flexible authentication order on the interface so that MAC RADIUS is the first
method used to authenticate a client, the switch still reverts to using 802.1X for re-authentication if the
client sends an EAP-Start message, even if the client was successfully authenticated using MAC RADIUS
authentication. You can configure an EAPoL block with either a fixed or flexible authentication order. If
you do not configure the authentication-order statement, the order is fixed by default. The eapol-block
statement can be configured with or without configuring the authentication-order statement.
You can configure a switch to ignore EAP-Start messages sent from a client that has been authenticated
using MAC RADIUS authentication or captive portal authentication using the eapol-block statement. With
a block of EAPoL messages in effect, if the switch receives an EAP-Start message from the client, it does
not return an EAP-Request message, and the existing authentication session is maintained.
NOTE: If the endpoint has not been authenticated with MAC RADIUS authentication or captive
portal authentication, the EAPoL block does not take effect. The endpoint can authenticate using
802.1X authentication.
If eapol-block is configured with the mac-radius option, then once the client is authenticated with MAC
RADIUS authentication or CWA (Central Web Authentication), the client remains in authenticated state
even if it sends an EAP-Start message. If eapol-block is configured with the captive-portal option, then
once the client is authenticated with captive portal, the client remains in authenticated state even if it
sends an EAP-Start message.
• To configure EAPoL block for a client authenticated using MAC RADIUS authentication:
[edit]
user@switch# set protocols dot1x authenticator interface interface-name eapol-block mac-radius
• To configure EAPoL block for a client authenticated using captive portal authentication:
[edit]
user@switch# set protocols dot1x authenticator interface interface-name eapol-block captive-portal
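The rules in the two sections above (flexible authentication order and EAPoL block) can be checked against a small model. The following is an added example, not Juniper code: it encodes the constraints the text states (802.1X must be in the order, captive portal must be last, methods not configured on the interface are skipped, insert ... before reorders where set does not), walks the order for a simulated client, and shows what an EAP-Start does to a MAC RADIUS- or captive-portal-authenticated session with and without eapol-block. Client behaviour and RADIUS answers are flags on a Client object; the MAC addresses are constructed, and server-fail fallback is not modelled.

```python
"""Model of flexible authentication order and EAPoL block on a Junos
802.1X authenticator interface.

Added example, not Juniper code. Client behaviour and RADIUS answers are
simulated flags; no real EAP or RADIUS traffic is involved, and the
server-fail fallback described elsewhere in the guide is not modelled.
"""
from dataclasses import dataclass, field

METHODS = ("dot1x", "mac-radius", "captive-portal")


class ConfigError(ValueError):
    """Raised for an authentication-order the switch would not accept."""


def validate_order(order):
    """Apply the two constraints from the text: dot1x must be present and
    captive-portal, if present, must be last."""
    order = list(order)
    if len(set(order)) != len(order) or any(m not in METHODS for m in order):
        raise ConfigError(f"unknown or repeated method in {order}")
    if "dot1x" not in order:
        raise ConfigError("802.1X must be one of the methods in the authentication order")
    if "captive-portal" in order and order[-1] != "captive-portal":
        raise ConfigError("captive portal must be the last method in the order")
    return order


def is_valid_order(order) -> bool:
    try:
        validate_order(order)
        return True
    except ConfigError:
        return False


def insert_before(order, method, before):
    """'insert ... authentication-order <method> before <before>': move
    method in front of before; a plain 'set' would not reorder."""
    new = [m for m in order if m != method]
    new.insert(new.index(before), method)
    return validate_order(new)


@dataclass
class Client:
    mac: str                    # constructed address for the example
    speaks_eap: bool = False    # answers EAP-Request (has an 802.1X supplicant)
    mac_known: bool = False     # MAC address accepted by the RADIUS server
    web_login_ok: bool = False  # enters valid captive portal credentials


@dataclass
class Port:
    enabled: set                                   # methods configured on the interface
    order: list = field(default_factory=lambda: list(METHODS))  # fixed default order
    eapol_block: set = field(default_factory=set)  # {"mac-radius"} and/or {"captive-portal"}
    sessions: dict = field(default_factory=dict)   # mac -> method that authenticated it

    def effective_order(self):
        # A method in the order but not configured on the interface is skipped.
        return [m for m in self.order if m in self.enabled]

    def _try(self, method, client):
        return {"dot1x": client.speaks_eap,
                "mac-radius": client.mac_known,
                "captive-portal": client.web_login_ok}[method]

    def authenticate(self, client, order=None):
        """Walk the order until a method succeeds; None means the client is denied."""
        for method in order or self.effective_order():
            if self._try(method, client):
                self.sessions[client.mac] = method
                return method
        self.sessions.pop(client.mac, None)
        return None

    def on_eap_start(self, client):
        """Return (method, session_kept). With a matching eapol-block the
        EAP-Start is ignored; otherwise the switch re-authenticates, trying
        802.1X first regardless of the configured order, and the existing
        session is torn down while that runs."""
        current = self.sessions.get(client.mac)
        if current in self.eapol_block:
            return current, True
        reauth = ["dot1x"] + [m for m in self.effective_order() if m != "dot1x"]
        return self.authenticate(client, reauth), False


if __name__ == "__main__":
    port = Port(enabled={"dot1x", "mac-radius"}, order=["dot1x", "mac-radius", "captive-portal"])
    printer = Client("00:00:5e:00:53:01", mac_known=True)
    print(port.authenticate(printer), port.on_eap_start(printer))
    port.eapol_block = {"mac-radius"}
    print(port.on_eap_start(printer))
```

The printer in the demo is authenticated by MAC RADIUS; without eapol-block an EAP-Start tears that session down and the switch re-runs the order, whereas with eapol-block mac-radius the session is kept, which is the behaviour the text describes.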
Web authentication provides access to network for users by redirecting the client’s Web browser to a
central Web authentication server (CWA server), which handles the complete login process. Web
authentication can also be used as a fallback authentication method for regular network users who have
802.1X-enabled devices, but fail authentication because of other issues, such as expired network credentials.
Web authentication redirects Web browser requests to a login page that requires the user to input a
username and password. Upon successful authentication, the user is allowed access to the network. Web
authentication is useful for providing network access to temporary users, such as visitors to a corporate
site, who try to access the network using devices that are not 802.1X-enabled. Web authentication can
also be used as a fallback authentication method for regular network users who have 802.1X-enabled
devices, but fail authentication because of other issues, such as expired network credentials.
Web authentication can be done locally on the switch using captive portal, but this requires that the Web
portal pages be configured on each switch used as a network access device. Central Web authentication
(CWA) provides efficiency and scaling benefits by redirecting the client’s Web browser to a central Web
authentication server (CWA server), which handles the complete login process.
Central Web authentication is invoked after a host has failed MAC RADIUS authentication. The host can
attempt authentication using 802.1X authentication first, but must then attempt MAC RADIUS
authentication before attempting central Web authentication. The switch, operating as the authenticator,
exchanges RADIUS messages with the authentication, authorization, and accounting (AAA) server. After
MAC RADIUS authentication fails, the switch receives an Access-Accept message from the AAA server.
This message includes a dynamic firewall filter and a redirect URL for central Web authentication. The
switch applies the filter, which allows the host to receive an IP address, and uses the URL to redirect the
host to the Web authentication page.
The host is prompted for login credentials and might also be asked to agree to an acceptable use policy.
If Web authentication is successful, the AAA server sends a Change of Authorization (CoA) message, which
updates the terms of the authorized session in progress. This enables the authenticator to update the filter
or VLAN assignment applied to the controlled port, to allow the host to access the LAN.
The sequence of events in central Web authentication is as follows (see Figure 20 on page 476):
2. MAC RADIUS authentication fails. Instead of sending an Access-Reject message to the switch, the AAA
server sends an Access-Accept message that includes a dynamic firewall filter and a CWA redirect URL.
3. The host is allowed by the terms of the filter to send DHCP requests.
4. The host receives an IP address and DNS information from the DHCP server. The AAA server initiates
a new session that has a unique session ID.
7. The host is redirected to the CWA server and is prompted for login credentials.
9. After successful Web authentication, the AAA server sends a CoA message to update the filter or VLAN
assignment applied on the controlled port, allowing the host to access the LAN.
10. The authenticator responds with a CoA-ACK message and sends a MAC RADIUS authentication request
to the AAA server.
11. The AAA server matches the session ID to the appropriate access policy and sends an Access-Accept
message to authenticate the host.
[Figure 20: Central Web authentication message flow between the host, the authenticator (switch), the DHCP server, and the RADIUS/AAA server; the numbered arrows in the figure correspond to the steps listed above.]
Central Web authentication uses dynamic firewall filters, which are centrally defined on the AAA server
and dynamically applied to supplicants that request authentication through that server. The filter allows
the host to get an IP address dynamically using DHCP. You define the filters by using RADIUS attributes,
which are included in the Access-Accept messages sent from the server. Filters can be defined using either
the Juniper-Switching-Filter attribute, which is a vendor-specific attribute (VSA), or the Filter-ID attribute,
which is an IETF RADIUS attribute.
To use the Juniper-Switching-Filter VSA for central Web authentication, you must configure the filter with
the correct terms that allow the destination IP address of the CWA server. This configuration is done
directly on the AAA server. To use the Filter-ID attribute for central Web authentication, enter the value
JNPR_RSVD_FILTER_CWA on the AAA server. The filter terms for this attribute are internally defined
for central Web authentication, so no additional configuration is required. For more
information about configuring dynamic firewall filters for central Web authentication, see “Configuring
Central Web Authentication” on page 477.
In central Web authentication, the authenticator redirects the host’s Web browser request to the CWA
server by using a redirect URL. After redirection, the CWA server completes the login process. The redirect
URL for central web authentication can be configured on the AAA server or on the authenticator. The
redirect URL, along with the dynamic firewall filter, must be present to trigger the central web authentication
process after the failure of MAC RADIUS authentication.
The redirect URL can be centrally defined on the AAA server by using the Juniper-CWA-Redirect VSA,
which is attribute number 50 in the Juniper RADIUS dictionary. The URL is forwarded from the AAA server
to the switch in the same RADIUS Access-Accept message that contains the dynamic firewall filter. You
can also configure the redirect URL locally on the host interface by using the CLI statement redirect-url
at the [edit protocols dot1x authenticator interface interface-name] hierarchy level. For more information
about configuring the redirect URL, see “Configuring Central Web Authentication” on page 477.
Central Web authentication is a fallback method of authentication in which the host’s Web browser is
redirected to a central Web authentication (CWA) server. The CWA server provides a web portal where
the user can enter a username and password. If these credentials are validated by the CWA server, the
user is authenticated and is allowed access to the network.
Central Web authentication is invoked after a host has failed MAC RADIUS authentication. The switch,
operating as the authenticator, receives a RADIUS Access-Accept message from the AAA server that
includes a dynamic firewall filter and a redirect URL for central Web authentication. The dynamic firewall
filter and the redirect URL must both be present for the central Web authentication process to be triggered.
Dynamic firewall filters are used in central Web authentication to enable the host to get an IP address
from a DHCP server, which allows the host to access the network. The filters are defined on the AAA
server using RADIUS attributes, which are sent to the authenticator in an Access-Accept message. You
can define the filter using either the Juniper-Switching-Filter attribute, which is a vendor-specific attribute
(VSA), or the Filter-ID attribute, which is an IETF RADIUS attribute.
• To use the Juniper-Switching-Filter VSA for central Web authentication, you must configure the filter
terms directly on the AAA server. The filter must include a term to match the destination IP address of
the CWA server with the action allow.
For example:
NOTE: The switch does not resolve the DNS queries for the redirect URL. You must configure
the Juniper-Switching-Filter attribute to allow the destination IP address of the CWA server.
• To use the Filter-ID attribute for central Web authentication, enter JNPR_RSVD_FILTER_CWA as the
value for the attribute on the AAA server. The filter terms for this attribute are internally defined for
central Web authentication, so no additional configuration is required.
For example:
For more information about configuring dynamic firewall filters on the AAA server, see the documentation
for your AAA server.
In central Web authentication, the authenticator redirects the host’s Web browser request to the CWA
server by using a redirect URL. The redirect URL for central Web authentication can be configured on the
AAA server or locally on the host interface.
• To configure the redirect URL on the AAA server, use the Juniper-CWA-Redirect VSA, which is attribute
number 50 in the Juniper RADIUS dictionary. The URL is forwarded from the AAA server to the switch
in the same RADIUS Access-Accept message that contains the dynamic firewall filter.
For example:
NOTE: When the special Filter-ID attribute JNPR_RSVD_FILTER_CWA is used for the dynamic
firewall filter, the redirect URL must include the IP address of the AAA server, for example,
https://10.10.10.10.
• To configure the redirect URL locally on the host interface, use the following CLI statement:
[edit]
user@switch# set protocols dot1x authenticator interface interface-name redirect-url
For example:
Central Web authentication is triggered after the failure of MAC RADIUS authentication when the redirect
URL and dynamic firewall filter are both present. The redirect URL and dynamic firewall filter can be
configured in any of the following combinations:
1. The AAA server sends both the CWA redirect URL and dynamic firewall filter to the authenticator. The
redirect URL is configured on the AAA server by using the Juniper-CWA-Redirect VSA and the dynamic
firewall filter is configured on the AAA server by using the Juniper-Switching-Filter VSA. The filter must
be configured to allow the destination IP address of the CWA server in this case.
2. The AAA server sends the dynamic firewall filter to the authenticator and the redirect URL is configured
locally on the host port. The redirect URL is configured on the authenticator by using the redirect-url
CLI statement and the dynamic firewall filter is configured on the AAA server by using the
Juniper-Switching-Filter VSA. The filter must be configured to allow the destination IP address of the
CWA server in this case.
3. The AAA server sends both the CWA redirect URL and dynamic firewall filter to the authenticator. The
redirect URL is configured on the AAA server by using the Juniper-CWA-Redirect VSA and the dynamic
firewall filter is configured on the AAA server by using the Filter-ID attribute with the value
JNPR_RSVD_FILTER_CWA. The redirect URL must contain the IP address of the CWA server in this
case.
4. The AAA server sends the dynamic firewall filter to the authenticator and the redirect URL is configured
locally on the host port. The redirect URL is configured on the authenticator by using the redirect-url
CLI statement and the dynamic firewall filter is configured on the AAA server by using the Filter-ID
attribute with the value JNPR_RSVD_FILTER_CWA. The redirect URL must contain the IP address of
the CWA server in this case.
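The four combinations above reduce to a check the authenticator performs on the Access-Accept it receives after the MAC RADIUS failure. The following is an added example, not Juniper code: it decodes the attributes of a constructed Access-Accept payload (no network I/O), takes the redirect URL from the Juniper-CWA-Redirect VSA or from a value standing in for the redirect-url statement, and accepts the message only when a dynamic firewall filter is also present and meets the condition attached to it (a Juniper-Switching-Filter must allow the CWA server address; with Filter-ID JNPR_RSVD_FILTER_CWA the URL must carry the server's IP address, since the switch does not resolve DNS for the redirect URL). Values not on the page are assumptions: Juniper's enterprise number 2636, the vendor attribute number 48 for Juniper-Switching-Filter, the IETF attribute numbers Filter-ID = 11 and Vendor-Specific = 26 from RFC 2865, and the simple "Match Destination-ip <addr> Action allow" text form, which is used only to find the address and action in the filter string. The server address and URLs are constructed.

```python
"""Check whether a RADIUS Access-Accept received after a MAC RADIUS failure
carries what central Web authentication needs.

Added example, not Juniper code. Attribute numbers marked "assumed" are
not taken from the guide; the filter text form is a placeholder syntax.
"""
import ipaddress
import struct
from typing import Optional
from urllib.parse import urlsplit

FILTER_ID = 11                 # RFC 2865
VENDOR_SPECIFIC = 26           # RFC 2865
JUNIPER_VENDOR_ID = 2636       # assumed: Juniper Networks enterprise number
JUNIPER_SWITCHING_FILTER = 48  # assumed vendor attribute number
JUNIPER_CWA_REDIRECT = 50      # attribute 50 in the Juniper dictionary (from the text)
RSVD_FILTER = "JNPR_RSVD_FILTER_CWA"


def attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute: type, length (including header), value."""
    return bytes([atype, len(value) + 2]) + value


def juniper_vsa(vtype: int, text: str) -> bytes:
    """Encode a Juniper Vendor-Specific attribute in the RFC 2865 layout."""
    payload = text.encode()
    return attr(VENDOR_SPECIFIC, struct.pack("!I", JUNIPER_VENDOR_ID)
                + bytes([vtype, len(payload) + 2]) + payload)


def parse_attributes(data: bytes):
    """Return [(type, vendor_id, vendor_type, value)]; vendor fields are
    None for attributes other than Vendor-Specific."""
    attrs, i = [], 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed RADIUS attribute")
        value = data[i + 2:i + alen]
        if atype == VENDOR_SPECIFIC:
            vendor_id = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            attrs.append((atype, vendor_id, vtype, value[6:4 + vlen]))
        else:
            attrs.append((atype, None, None, value))
        i += alen
    return attrs


def cwa_decision(access_accept: bytes, cwa_server_ip: str,
                 local_redirect_url: Optional[str] = None):
    """Return (triggered, reason). local_redirect_url stands in for the
    redirect-url statement configured on the host interface."""
    filter_text = filter_id = server_url = None
    for atype, vid, vtype, value in parse_attributes(access_accept):
        if atype == FILTER_ID:
            filter_id = value.decode()
        elif vid == JUNIPER_VENDOR_ID and vtype == JUNIPER_SWITCHING_FILTER:
            filter_text = value.decode()
        elif vid == JUNIPER_VENDOR_ID and vtype == JUNIPER_CWA_REDIRECT:
            server_url = value.decode()
    url = server_url or local_redirect_url  # AAA-supplied URL, else the port's redirect-url
    if url is None:
        return False, "no redirect URL from the AAA server or the interface"
    if filter_id == RSVD_FILTER:
        # Combinations 3 and 4: internally defined filter; the URL must
        # name the CWA server by IP address because DNS is not resolved.
        host = urlsplit(url).hostname
        try:
            ok = ipaddress.ip_address(host) == ipaddress.ip_address(cwa_server_ip)
        except ValueError:
            ok = False
        if not ok:
            return False, "JNPR_RSVD_FILTER_CWA needs the CWA server IP address in the redirect URL"
        return True, "internally defined CWA filter, redirect to " + url
    if filter_text is not None:
        # Combinations 1 and 2: the AAA-defined filter must allow the CWA server address.
        words = filter_text.split()
        if cwa_server_ip not in words or "allow" not in (w.lower() for w in words):
            return False, "Juniper-Switching-Filter does not allow the CWA server address"
        return True, "Juniper-Switching-Filter from AAA, redirect to " + url
    return False, "no dynamic firewall filter in the Access-Accept"


# Constructed messages for the example.
CWA_IP = "198.51.100.20"
ACCEPT_VSA = (juniper_vsa(JUNIPER_CWA_REDIRECT, "https://cwa.example.net/login")
              + juniper_vsa(JUNIPER_SWITCHING_FILTER, f"Match Destination-ip {CWA_IP} Action allow"))
ACCEPT_RSVD_DNS = attr(FILTER_ID, RSVD_FILTER.encode()) + juniper_vsa(JUNIPER_CWA_REDIRECT, "https://cwa.example.net/login")
ACCEPT_RSVD_ONLY = attr(FILTER_ID, RSVD_FILTER.encode())

if __name__ == "__main__":
    print(cwa_decision(ACCEPT_VSA, CWA_IP))
    print(cwa_decision(ACCEPT_RSVD_DNS, CWA_IP))
    print(cwa_decision(ACCEPT_RSVD_ONLY, CWA_IP, local_redirect_url=f"https://{CWA_IP}/login"))
```

The second constructed message shows the failure mode the note above warns about: Filter-ID JNPR_RSVD_FILTER_CWA combined with a redirect URL that names the server by DNS name is rejected, while the same filter with a URL carrying the server's IP address (combination 4, with the URL from redirect-url) is accepted.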
RELATED DOCUMENTATION
Configuring Central Web Authentication with EX Series Switches and Aruba ClearPass
IN THIS SECTION
Configuring an EX Series Switch to Use Junos Pulse Access Control Service for Network Access Control
(CLI Procedure) | 484
OBSOLETE: Configuring the EX Series Switch for Captive Portal Authentication with Junos Pulse Access
Control Service (CLI Procedure) | 488
Network access control (NAC) allows you to control access to network resources such as servers,
applications, and stored data.
You can use Junos Pulse Access Control Service and the switches for a centralized end-to-end NAC system.
The Access Control Service eliminates the need to configure firewall filters on each switch. Instead, you
define resource access policies centrally on the NAC device. For more information, read this topic.
IN THIS SECTION
NAC Using Any RADIUS Server and Access Policies Defined on the Local Switch | 482
Network access control (NAC) allows you to control who is admitted to the network and what
resources—servers, applications, and stored data—those users are allowed to access. These controls include:
• Authentication—Pre-admission controls
• Authorization—Post-admission controls
You can use different methods to implement NAC on Juniper Networks EX Series Ethernet Switches.
NAC Using Any RADIUS Server and Access Policies Defined on the Local Switch
For pre-admission controls, you can use the switch in combination with any RADIUS server as the
authentication server. For additional information, see “Understanding Authentication on Switches” on
page 326.
For post-admission controls, you can configure firewall filters to limit access to specific resources. For
additional information, see Firewall Filters for EX Series Switches Overview.
You can use Junos Pulse Access Control Service and the switches for a centralized end-to-end NAC system,
including both pre-admission authentication and post-admission authorization.
When you configure such a system, the Juniper Networks MAG Series Junos Pulse Gateways or the Juniper
Networks IC Series Unified Access Control Appliances NAC device functions as the authentication server.
For messages relating to IEEE 802.1X and MAC RADIUS authentication, the NAC device communicates
with the switch using the RADIUS protocol.
The Access Control Service also performs additional functions. It eliminates the need to configure firewall
filters on each switch. Instead, you define resource access policies centrally on the NAC device. This
centralized method is particularly helpful when you have multiple switches in your network.
The resource access policy on the Access Control Service defines which network resources are allowed
and denied for a user, based upon the user’s role. The NAC device distributes these policies to all connected
switches. The NAC device thus functions as a centralized policy management server. For messages relating
to access policies, the NAC device communicates with the switch using the Junos UAC Enforcer Protocol
(JUEP). The switch converts the resource access policies into filter definitions and applies these to the
appropriate port.
NOTE: With this solution, the EX Series switch serves as an Infranet Enforcer, that is, a policy
enforcement point for the Access Control Service. The Access Control Service sends auth table
entries and resource access policies when an endpoint successfully completes 802.1X
authentication or MAC authentication (unmanaged devices). Access for any endpoint is governed
by the resource access policies that you configure on the Access Control Service. Because
resource access policies are employed, firewall filters are not required for the switch configuration.
This integrated solution of Access Control Service and EX Series switches is easier to implement and much
more efficient than previous versions of Access Control Service and the switches. As soon as the switch
connects to the MAG Series or IC Series NAC device, the Access Control Service pushes the role-based
policies to the switch via JUEP. This enables the user to access the network more quickly than previous
implementations, because the policy is already available on the switch and does not need to be pushed
from the centralized device at the time of user authentication. Moreover, the policy push happens only
once, which uses network bandwidth efficiently and makes this implementation suitable for scaled
environments.
If you change policies, the Access Control Service automatically pushes the updated policies to the
connected switch. The switch applies the policies dynamically without taking users through another
authentication transaction.
NOTE: Do not configure firewall filters on the switch and do not use RADIUS server attributes
for firewall filters if you are configuring the switch to use the Access Control Service. Instead,
specify or deny access to resources by using the Access Control Service resource access policies.
You create policies on the NAC device’s administrative interface to control access to resources and services.
Access is based on successful authentication, the user’s assigned role, and the security compliance of the
endpoint device. For example, you can provide full access to protected resources for an employee role and
limited access for a contractor role.
Captive portal authentication allows you to authenticate users on the switches by redirecting Web browser
requests to a login page that requires users to input a username and password before they are allowed
access to the network. The details of configuring captive portal authentication differ depending on whether
you are using the Access Control Service:
• If you have connected the switch to the Access Control Service, use the Access Control Service NAC
device as an external captive portal server for redirecting Web browser requests. When users try to
access a protected network resource that is connected to the switch, the user must first sign in to the
Access Control Service for authentication and endpoint security checking. The captive portal redirects
the user to a login page located on the Access Control Service. When the sign-in page for the Access
Control Service is displayed, the user signs in and the Access Control Service examines the endpoint for
compliance with security policies. If the endpoint passes the security check, access is granted to the
protected resource.
See “OBSOLETE: Configuring the EX Series Switch for Captive Portal Authentication with Junos Pulse
Access Control Service (CLI Procedure)” on page 488. You can use the same Access Control Service as
the external captive portal server for more than one switch.
• If you are not using the Access Control Service, you can use captive portal to redirect users to a login
page that you configure on the local switch. See “Designing a Captive Portal Authentication Login Page
on Switches” on page 458 for information about designing a login page on your switch.
You can connect the switch to Junos Pulse Access Control Service to set up a centralized, end-to-end
network access control (NAC) system, which allows you to control who is admitted to the network and
what resources those users are allowed to access.
The Access Control Service functions both as an authentication server (RADIUS server) and as a centralized
policy management server.
Before you begin configuring the switch to connect to the Access Control Service:
NOTE: Specify the same IP address for the authentication server, the RADIUS server, and the
infranet controller (NAC device). These components refer to the same Access Control Service.
1. Configure the switch to use the Access Control Service for authentication and authorization:
[edit ethernet-switching-options]
user@switch# set uac-policy
2. Configure the access profile to specify the Access Control Service. The access profile contains the
authentication and authorization configuration that aids in handling authentication and authorization
requests, including the authentication method and sequence, and the Access Control Service address:
a. Configure radius as the authentication method to be used when attempting to authenticate a user.
For each login attempt, the software tries the authentication methods in order, starting with the
first one, until the password matches:
NOTE: Specify the same IP address that you use for the RADIUS server and the NAC
device.
3. Configure the RADIUS server to use the same IP address that you specified for the authentication
server:
[edit access]
user@switch# set radius-server ip-address
4. Configure the password to use for connecting the switch with the RADIUS server:
NOTE: The password specified here is used for RADIUS communications between the switch
and the Access Control Service. It does not need to match the password that is specified on
the Access Control Service through the administrative interface on the Access Control Service.
[edit access]
user@switch# set radius-server secret password
5. Configure the address of the Access Control Service MAG Series or the IC Series NAC device:
NOTE: Specify the hostname and IP address of the NAC device. This is the same IP address
that you used for specifying the authentication server.
6. Configure the switch’s management Ethernet interface for the NAC device:
7. Configure the password for connecting the switch to the Access Control Service NAC device:
NOTE: This password must match the password specified on the Access Control Service
through its administrative interface. It is used for Junos UAC Enforcer Protocol (JUEP)
communications between the switch and the Access Control Service.
8. Configure the amount of time that the switch waits to receive a response from the Access Control Service:
9. Specify the time between continuity-check messages for the switch’s connection with the Access
Control Service:
10. Specify an action for the switch to take if a timeout occurs for the connection between the switch and
the Access Control Service:
11. Specify the name of the access profile to use for 802.1X, MAC RADIUS, or captive portal authentication:
NOTE: Use the same access profile that you configured previously (step 2).
12. Configure the 802.1X interface that the switch will use for communicating with the Access Control
Service:
If you have connected the EX Series switch to the Junos Pulse Access Control Service and you want to
use the captive portal user authentication feature, configure the Access Control Service network access
control (NAC) device as an external captive portal server. The captive portal feature is required only for
user authentication. Unmanaged devices, such as printers or phones, can be authenticated through 802.1X
and MAC address authentication.
When users try to access a protected network resource that is connected to the switch, the user must
first sign in to the Access Control Service for authentication and endpoint security checking. The captive
portal redirects the user to a login page located on the Access Control Service.
When the sign-in page for the Access Control Service is displayed, the user signs in and the Access Control
Service examines the endpoint for compliance with security policies. If the endpoint passes the security
check, access is granted to the protected resource.
• Designed your captive portal login page on the Access Control Service.
To configure the switch to use the Access Control Service for captive portal:
1. Configure captive portal on the interface in multiple supplicant mode, so that clients connecting to the
switch are authenticated through the access profile that directs them to the Access Control Service:
[edit]
user@switch# set services captive-portal interface interface-name supplicant multiple
IN THIS SECTION
Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX Series Switch | 492
Example: Configuring VoIP on an EX Series Switch Without Including LLDP-MED Support | 501
Example: Configuring VoIP on an EX Series Switch Without Including LLDP-MED Support | 508
Example: Configuring VoIP on an EX Series Switch Without Including 802.1X Authentication | 514
Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX Series Switch with ELS Support | 522
You can configure voice over IP (VoIP) on an EX Series switch to support IP telephones. When you use
VoIP, you can connect IP telephones to the switch and configure IEEE 802.1X authentication for
802.1X-compatible IP telephones. For more information, read this topic.
When you use VoIP, you can connect IP telephones to the switch and configure IEEE 802.1X authentication
for 802.1X-compatible IP telephones. The 802.1X authentication provides network edge security, protecting
Ethernet LANs from unauthorized user access.
VoIP is a protocol used for the transmission of voice through packet-switched networks. VoIP transmits
voice calls by using a network connection instead of an analog phone line.
When VoIP is used with 802.1X, the RADIUS server authenticates the phone, and Link Layer Discovery
Protocol–Media Endpoint Discovery (LLDP-MED) provides the class-of-service (CoS) parameters to the
phone.
You can configure 802.1X authentication to work with VoIP in multiple supplicant or single supplicant
mode. In multiple supplicant mode, the 802.1X process allows multiple supplicants to connect to the
interface. Each supplicant is authenticated individually. For an example of a VoIP multiple supplicant
topology, see Figure 21 on page 490.
If an 802.1X-compatible IP telephone does not have an 802.1X host but has another 802.1X-compatible
device connected to its data port, you can connect the phone to an interface in single supplicant mode.
In single supplicant mode, the 802.1X process authenticates only the first supplicant. All other supplicants
who connect later to the interface are allowed full access without any further authentication. They
effectively “piggyback” on the first supplicant’s authentication. For an example of a VoIP single supplicant
topology, see Figure 22 on page 491.
If an IP telephone does not support 802.1X, you can configure VoIP to bypass 802.1X and LLDP-MED
and have the packets forwarded to a VoIP VLAN.
Multi-domain 802.1X authentication is an extension of multiple supplicant mode that allows one default
VoIP device and multiple data devices to authenticate on a single port. Multi-domain 802.1X authentication
provides enhanced security over multiple supplicant mode by restricting the number of authenticated data
and VoIP sessions on the port. In multiple supplicant mode, any number of VoIP or data sessions can be
authenticated; the number of sessions can be restricted using MAC limiting, but there is no way to apply
the limit specifically to either data or VoIP sessions.
With multi-domain 802.1X authentication, the single port is divided into two domains; one is the data
domain and the other is the voice domain. Multi-domain 802.1X authentication maintains separate session
counts based on the domain. You can configure the maximum number of authenticated data sessions
allowed on the port. The number of VoIP sessions is not configurable; only one authenticated VoIP session
is allowed on the port.
If a new client attempts to authenticate on the interface after the maximum session count has been reached,
the default action is to drop the packet and generate an error log message. You can also configure the
action to shut down the interface. The port can be recovered manually from the down state by issuing the
clear dot1x recovery-timeout command, or it can recover automatically after a configured recovery
timeout period.
Multi-domain authentication does not enforce the order of device authentication. However, for the best
results, the VoIP device should be authenticated before a data device on a multi-domain 802.1X-enabled
port. Multi-domain authentication is supported only in multiple supplicant mode.
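The per-domain session accounting described above, modelled in Python as an added example. This is not Junos OS code: the class and method names, the `now` clock argument, and the choice to clear all sessions when the port is shut down are assumptions made for the illustration. What the model keeps from the text is a separate session count per domain, a configurable data-session maximum, a fixed maximum of one voice session, and the drop (default) or shutdown action with manual or timed recovery.

```python
"""Toy model of multi-domain 802.1X session limits on one port.
Added illustration, not Junos OS code; names and the session-clearing
behaviour on shutdown are assumptions for the example."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set


class Domain(Enum):
    DATA = "data"
    VOICE = "voice"


class Action(Enum):
    DROP = "drop"          # default: drop the packet and log an error
    SHUTDOWN = "shutdown"  # configured alternative: take the interface down


@dataclass
class MultiDomainPort:
    name: str
    max_data_sessions: int                    # configurable per port
    action: Action = Action.DROP
    recovery_timeout: Optional[float] = None  # seconds; None = manual recovery only
    max_voice_sessions: int = 1               # not configurable: one VoIP session
    sessions: Dict[Domain, Set[str]] = field(
        default_factory=lambda: {Domain.DATA: set(), Domain.VOICE: set()})
    is_down: bool = False
    down_since: Optional[float] = None
    log: List[str] = field(default_factory=list)

    def _limit(self, domain: Domain) -> int:
        return self.max_voice_sessions if domain is Domain.VOICE else self.max_data_sessions

    def authenticate(self, mac: str, domain: Domain, now: float = 0.0) -> str:
        """Admit a client that has just authenticated in the given domain.

        Returns 'authenticated', 'dropped' or 'shutdown'."""
        if self.is_down:
            if self.recovery_timeout is not None and now - self.down_since >= self.recovery_timeout:
                self.recover()  # automatic recovery once the timeout has elapsed
            else:
                return "dropped"  # nothing is admitted while the port is down
        active = self.sessions[domain]
        if mac in active:
            return "authenticated"  # already holds a session in this domain
        if len(active) >= self._limit(domain):
            self.log.append(f"{self.name}: {domain.value} session limit "
                            f"({self._limit(domain)}) reached, rejecting {mac}")
            if self.action is Action.SHUTDOWN:
                self.is_down, self.down_since = True, now
                for sess in self.sessions.values():  # assumption: a down port keeps no sessions
                    sess.clear()
                return "shutdown"
            return "dropped"
        active.add(mac)
        return "authenticated"

    def recover(self) -> None:
        """Bring the port back up: the manual 'clear dot1x recovery-timeout' path,
        or the expiry of the configured recovery timeout."""
        self.is_down, self.down_since = False, None
```

With the default drop action, a second voice device is rejected while data devices are still admitted up to their own limit; with the shutdown action, the rejection takes the whole port down until it is cleared or the timeout elapses.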
IN THIS SECTION
Requirements | 493
Configuration | 495
Verification | 498
You can configure voice over IP (VoIP) on an EX Series switch to support IP telephones. The Link Layer
Discovery Protocol–Media Endpoint Discovery (LLDP-MED) protocol forwards VoIP parameters from the
switch to the phone. You also configure 802.1X authentication to allow the telephone access to the LAN.
Authentication is done through a backend RADIUS server.
This example describes how to configure VoIP on an EX Series switch to support an Avaya IP phone, as
well as the LLDP-MED protocol and 802.1X authentication:
NOTE: If your switch runs Junos OS for EX Series switches with support for the Enhanced Layer
2 Software (ELS) configuration style, see “Example: Setting Up VoIP with 802.1X and LLDP-MED
on an EX Series Switch with ELS Support” on page 522. For ELS details, see Using the Enhanced
Layer 2 Software CLI.
Requirements
• One EX Series switch acting as an authenticator port access entity (PAE). The interfaces on the
authenticator PAE form a control gate that blocks all traffic to and from supplicants until they are
authenticated.
• Installed your EX Series switch. See Installing and Connecting an EX3200 Switch.
• Performed the initial switch configuration. See Connecting and Configuring an EX Series Switch (J-Web
Procedure).
• Performed basic bridging and VLAN configuration on the switch. See Example: Setting Up Basic Bridging
and a VLAN for an EX Series Switch.
• Configured the RADIUS server for 802.1X authentication and set up the access profile. See “Example:
Connecting a RADIUS Server for 802.1X to an EX Series Switch” on page 365.
• (Optional) Configured interface ge-0/0/2 for Power over Ethernet (PoE). The PoE configuration is not
necessary if the VoIP supplicant is using a power adapter. For information about configuring PoE, see
Configuring PoE on EX Series Switches (CLI Procedure).
NOTE: If the IP address isn't configured on the Avaya IP phone, the phone exchanges LLDP-MED
information to get the VLAN ID for the voice VLAN. You must configure the voip statement on
the interface to designate the interface as a VoIP interface and allow the switch to forward the
VLAN name and VLAN ID for the voice VLAN to the IP telephone. The IP telephone then uses
the voice VLAN (that is, it references the voice VLAN’s ID) to send a DHCP discover request
and exchange information with the DHCP server (voice gateway).
Instead of using a regular telephone, you connect an IP telephone directly to the switch. An IP phone has
all the hardware and software needed to handle VoIP. You also can power an IP telephone by connecting
it to one of the Power over Ethernet (PoE) interfaces on the switch.
In this example, the access interface ge-0/0/2 on the EX4200 switch is connected to an Avaya 9620 IP
telephone. Avaya phones have a built-in bridge that allows you to connect a desktop PC to the phone, so
the desktop and phone in a single office require only one interface on the switch. The EX Series switch is
connected to a RADIUS server on interface ge-0/0/10 (see Figure 23 on page 494).
In this example, you configure VoIP parameters and specify the forwarding class assured-forward for voice
traffic to provide the highest quality of service.
Table 34 on page 495 describes the components used in this VoIP configuration example.
Property Settings
• 802.1X authentication. Authentication is set to multiple supplicant to support more than one supplicant's
access to the LAN through interface ge-0/0/2.
• LLDP-MED protocol information. The switch uses LLDP-MED to forward VoIP parameters to the phone.
Using LLDP-MED ensures that voice traffic gets tagged and prioritized with the correct values at the
source itself. For example, 802.1p class of service and 802.1Q tag information can be sent to the IP
telephone.
Configuration
[edit]
Step-by-Step Procedure
To configure VoIP with LLDP-MED and 802.1X:
1. Configure two VLANs: one for data traffic and one for voice traffic:
[edit vlans]
user@switch# set data-vlan vlan-id 77
user@switch# set voice-vlan vlan-id 99
2. Add the interface ge-0/0/2 to the data VLAN:
[edit vlans]
user@switch# set data-vlan interface ge-0/0/2.0
3. Configure the interface as an access interface, configure support for Ethernet switching, and add the
data-vlan VLAN:
[edit interfaces]
user@switch# set ge-0/0/2 unit 0 family ethernet-switching vlan members data-vlan
user@switch# set ge-0/0/2 unit 0 family ethernet-switching port-mode access
4. Configure VoIP on the interface and specify the assured-forwarding forwarding class to provide the
most dependable class of service:
[edit ethernet-switching-options]
user@switch# set voip interface ge-0/0/2.0 vlan voice-vlan
user@switch# set voip interface ge-0/0/2.0 forwarding-class assured-forwarding
5. Enable LLDP-MED on the interface:
[edit protocols]
user@switch# set lldp-med interface ge-0/0/2.0
6. To authenticate an IP phone and a PC connected to the IP phone on the interface, configure 802.1X
authentication support and specify multiple supplicant mode:
NOTE: If you do not want to authenticate any device, skip the 802.1X configuration on this
interface.
[edit protocols]
user@switch# set dot1x authenticator interface ge-0/0/2.0 supplicant multiple
Results
Display the results of the configuration:
[edit]
user@switch# show configuration
interfaces {
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members data-vlan;
                }
            }
        }
    }
}
protocols {
    lldp-med {
        interface ge-0/0/2.0;
    }
    dot1x {
        authenticator {
            interface {
                ge-0/0/2.0 {
                    supplicant multiple;
                }
            }
        }
    }
}
vlans {
    data-vlan {
        vlan-id 77;
        interface {
            ge-0/0/2.0;
        }
    }
    voice-vlan {
        vlan-id 99;
    }
}
ethernet-switching-options {
    voip {
        interface ge-0/0/2.0 {
            vlan voice-vlan;
            forwarding-class assured-forwarding;
        }
    }
}
Verification
Purpose
Verify that LLDP-MED is enabled on the interface.
Action
LLDP : Enabled
Advertisement interval : 30 Second(s)
Transmit delay : 2 Second(s)
Meaning
The show lldp detail output shows that both LLDP and LLDP-MED are configured on the ge-0/0/2.0
interface. The end of the output lists the supported LLDP basic TLVs, 802.3 TLVs, and LLDP-MED TLVs.
Purpose
Display the 802.1X configuration to confirm that the VoIP interface has access to the LAN.
Action
ge-0/0/2.0
  Role: Authenticator
  Administrative state: Auto
  Supplicant mode: Multiple
  Number of retries: 3
  Quiet period: 60 seconds
  Transmit period: 30 seconds
  Mac Radius: Disabled
  Mac Radius Restrict: Disabled
  Reauthentication: Enabled
  Configured Reauthentication interval: 3600 seconds
  Supplicant timeout: 30 seconds
  Server timeout: 30 seconds
  Maximum EAPOL requests: 2
  Guest VLAN member: <not configured>
  Number of connected supplicants: 1
    Supplicant: user101, 00:04:0f:fd:ac:fe
      Operational state: Authenticated
      Authentication method: Radius
      Authenticated VLAN: vo11
      Dynamic Filter: match source-dot1q-tag 10 action deny
      Session Reauth interval: 60 seconds
      Reauthentication due in 50 seconds
Meaning
The Role field shows that the ge-0/0/2.0 interface is acting as the authenticator. The Supplicant mode field
shows that the interface is configured in multiple supplicant mode, permitting multiple supplicants to be
authenticated on this interface. The MAC addresses of the supplicants currently connected are displayed
at the bottom of the output.
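Checking this verification step by hand is fine for one port; across many ports it is worth parsing the output. The following is an added Python example, not Juniper code: SAMPLE is constructed from the fields shown in the output above, and the expectations encoded in audit_dot1x() (authenticator role, multiple supplicant mode, every listed supplicant in the Authenticated state, and the declared supplicant count matching the list) are assumptions about what an operator would want flagged.

```python
"""Parse 'show dot1x interface <name> detail' text and check the expected state.
Added example, not Juniper code; SAMPLE is constructed from the output on this page."""
import re
from typing import Dict, List

SAMPLE = """\
ge-0/0/2.0
  Role: Authenticator
  Administrative state: Auto
  Supplicant mode: Multiple
  Number of retries: 3
  Quiet period: 60 seconds
  Transmit period: 30 seconds
  Mac Radius: Disabled
  Mac Radius Restrict: Disabled
  Reauthentication: Enabled
  Configured Reauthentication interval: 3600 seconds
  Supplicant timeout: 30 seconds
  Server timeout: 30 seconds
  Maximum EAPOL requests: 2
  Guest VLAN member: <not configured>
  Number of connected supplicants: 1
    Supplicant: user101, 00:04:0f:fd:ac:fe
      Operational state: Authenticated
      Authentication method: Radius
      Authenticated VLAN: vo11
      Dynamic Filter: match source-dot1q-tag 10 action deny
      Session Reauth interval: 60 seconds
      Reauthentication due in 50 seconds
"""

SUPPLICANT_RE = re.compile(
    r"^Supplicant:\s*(?P<user>[^,]+),\s*(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})$")
DUE_RE = re.compile(r"^Reauthentication due in (\d+) seconds$")


def parse_dot1x_detail(text: str) -> Dict:
    """Return {'interface', 'fields': {...}, 'supplicants': [{...}, ...]}."""
    parsed: Dict = {"interface": None, "fields": {}, "supplicants": []}
    current = None  # the supplicant record currently being filled
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if parsed["interface"] is None and ":" not in line:
            parsed["interface"] = line  # first line names the interface
            continue
        m = SUPPLICANT_RE.match(line)
        if m:  # a new per-supplicant record starts here
            current = {"user": m["user"].strip(), "mac": m["mac"].lower()}
            parsed["supplicants"].append(current)
            continue
        m = DUE_RE.match(line)
        if m and current is not None:  # the one line without a colon
            current["Reauthentication due"] = f"{m.group(1)} seconds"
            continue
        key, sep, value = line.partition(":")
        if sep:
            target = current if current is not None else parsed["fields"]
            target[key.strip()] = value.strip()
    return parsed


def audit_dot1x(parsed: Dict, expected_mode: str = "Multiple") -> List[str]:
    """List deviations from the state this example expects on the interface."""
    findings: List[str] = []
    f = parsed["fields"]
    name = parsed["interface"]
    if f.get("Role") != "Authenticator":
        findings.append(f"{name}: Role is {f.get('Role')!r}, expected Authenticator")
    if f.get("Supplicant mode") != expected_mode:
        findings.append(f"{name}: Supplicant mode is {f.get('Supplicant mode')!r}, "
                        f"expected {expected_mode}")
    declared = int(f.get("Number of connected supplicants", "0"))
    if declared != len(parsed["supplicants"]):
        findings.append(f"{name}: {declared} supplicants declared but "
                        f"{len(parsed['supplicants'])} listed")
    for s in parsed["supplicants"]:
        if s.get("Operational state") != "Authenticated":
            findings.append(f"{s['mac']} ({s['user']}): operational state "
                            f"{s.get('Operational state')!r}")
    return findings
```

The parser keys every `Field: value` line into either the interface-level dictionary or the supplicant record opened by the most recent `Supplicant:` line, so the per-supplicant fields (operational state, authenticated VLAN, dynamic filter) stay attached to the MAC address they belong to.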
Purpose
Display the interface state and VLAN membership.
Action
Meaning
The field VLAN members shows that the ge-0/0/2.0 interface supports both the data-vlan VLAN and
voice-vlan VLAN. The State field shows that the interface is up.
IN THIS SECTION
Requirements | 502
Overview | 502
Configuring VoIP Without LLDP-MED by Using a Voice VLAN on an Access Port | 503
Configuring VoIP Without LLDP-MED by Using a Trunk Port with Native VLAN Option | 505
Verification | 507
You can configure voice over IP (VoIP) on an EX Series switch to support IP telephones. The Link Layer
Discovery Protocol–Media Endpoint Discovery (LLDP-MED) protocol is sometimes used with IP phones
to forward VoIP parameters from the switch to the phone. However, not all IP phones support LLDP-MED.
This example describes how to configure VoIP on an EX Series switch without using LLDP-MED:
Requirements
• One EX Series switch with support for ELS acting as an authenticator port access entity (PAE). The
interfaces on the authenticator PAE form a control gate that blocks all traffic to and from supplicants
until they are authenticated.
• Performed basic bridging and VLAN configuration on the switch. See Example: Setting Up Basic Bridging
and a VLAN for an EX Series Switch with ELS Support .
• (Optional) Configured interface ge-0/0/2 for Power over Ethernet (PoE). The PoE configuration is not
necessary if the VoIP supplicant is using a power adapter. See Configuring PoE on EX Series Switches (CLI
Procedure).
Overview
Instead of using a regular telephone, you connect an IP telephone directly to the switch. An IP phone has
all the hardware and software needed to handle VoIP. You can also power an IP telephone by connecting
it to one of the Power over Ethernet (PoE) interfaces on the switch.
EX Series switches can accommodate an IP telephone and end host connected to a single switch port. In
such a scenario, voice and data traffic must be separated into different broadcast domains, or VLANs. One
method for accomplishing this is by configuring a voice VLAN, which enables access ports to accept
untagged data traffic as well as tagged voice traffic from IP phones, and associate each type of traffic with
separate and distinct VLANs. Voice traffic (tagged) can then be treated differently, generally with a higher
priority than data traffic (untagged).
The voice VLAN delivers the greatest benefit when used with IP phones that support LLDP-MED, but it
is flexible enough that IP phones that do not support LLDP-MED can also use it effectively. However, in
the absence of LLDP-MED, the voice VLAN ID must be set manually on the IP phone because LLDP-MED
is not available to accomplish this dynamically. For information about setting up a voice VLAN for IP phones
that support LLDP-MED, see “Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX Series
Switch with ELS Support” on page 522.
Another method to separate voice (tagged) and data (untagged) traffic into different VLANs is to use a
trunk port with the native VLAN ID option. The trunk port is added as a member of the voice VLAN, and
processes only tagged voice traffic from that VLAN. The trunk port must also be configured with the native
VLAN ID for the data VLAN so that it can process untagged data traffic from the data VLAN. This
configuration also requires that the voice VLAN ID be set manually on the IP phone.
This example illustrates both methods. In this example, the interface ge-0/0/2 on the switch is connected
to a non-LLDP-MED IP phone.
[edit]
Step-by-Step Procedure
1. Configure two VLANs: one for data traffic and one for voice traffic:
[edit vlans]
user@switch# set data-vlan vlan-id 77
user@switch# set voice-vlan vlan-id 99
2. Add the interface ge-0/0/2 to the data VLAN:
[edit vlans]
user@switch# set data-vlan switch-options interface ge-0/0/2.0
3. Configure the interface ge-0/0/2 as an access port belonging to the data VLAN:
[edit interfaces]
user@switch# set ge-0/0/2 unit 0 family ethernet-switching port-mode access
user@switch# set ge-0/0/2 unit 0 family ethernet-switching vlan member data-vlan
4. Configure VoIP on the interface ge-0/0/2 and add this interface to the voice VLAN:
[edit switch-options]
user@switch# set voip interface ge-0/0/2.0 vlan voice-vlan
5. Specify the assured-forwarding forwarding class to provide the most dependable class of service:
[edit switch-options]
user@switch# set voip interface ge-0/0/2.0 forwarding-class assured-forwarding
Results
Display the results of the configuration:
[edit]
user@switch> show configuration
interfaces {
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members data-vlan;
                }
            }
        }
    }
}
vlans {
    data-vlan {
        vlan-id 77;
        interface {
            ge-0/0/2.0;
        }
    }
    voice-vlan {
        vlan-id 99;
    }
}
ethernet-switching-options {
    voip {
        interface ge-0/0/2.0 {
            vlan voice-vlan;
            forwarding-class assured-forwarding;
        }
    }
}
Configuring VoIP Without LLDP-MED by Using a Trunk Port with Native VLAN Option
[edit]
Step-by-Step Procedure
1. Configure two VLANs: one for data traffic and one for voice traffic:
[edit vlans]
user@switch# set data-vlan vlan-id 77
user@switch# set voice-vlan vlan-id 99
2. Configure interface ge-0/0/2 as a trunk port that includes only the voice VLAN:
[edit interfaces]
user@switch# set ge-0/0/2 unit 0 family ethernet-switching port-mode trunk
user@switch# set ge-0/0/2 unit 0 family ethernet-switching vlan member voice-vlan
3. Configure the native VLAN ID for the data VLAN on the trunk port:
[edit interfaces]
user@switch# set ge-0/0/2 unit 0 family ethernet-switching native-vlan-id data-vlan
Results
Display the results of the configuration:
[edit]
user@switch> show configuration
interfaces {
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members voice-vlan;
                }
                native-vlan-id data-vlan;
            }
        }
    }
}
vlans {
    data-vlan {
        vlan-id 77;
    }
    voice-vlan {
        vlan-id 99;
    }
}
Verification
To confirm that the configuration is working properly, perform the following task:
Purpose
Display the interface state and VLAN membership.
Action
Meaning
The field VLAN members shows that the ge-0/0/2.0 interface supports both the data VLAN, data-vlan,
and the voice VLAN, voice-vlan. The State field shows that the interface is up.
IN THIS SECTION
Requirements | 508
Overview | 509
Configuring VoIP Without LLDP-MED by Using a Voice VLAN on an Access Port | 510
Configuring VoIP Without LLDP-MED by Using a Trunk Port with Native VLAN Option | 511
Verification | 513
You can configure voice over IP (VoIP) on an EX Series switch to support IP telephones. The Link Layer
Discovery Protocol–Media Endpoint Discovery (LLDP-MED) protocol is sometimes used with IP phones
to forward VoIP parameters from the switch to the phone. However, not all IP phones support LLDP-MED.
This example describes how to configure VoIP on an EX Series switch without using LLDP-MED:
Requirements
• One EX4200 switch acting as an authenticator port access entity (PAE). The interfaces on the
authenticator PAE form a control gate that blocks all traffic to and from supplicants until they are
authenticated.
• Performed basic bridging and VLAN configuration on the switch. See Example: Setting Up Basic Bridging
and a VLAN for an EX Series Switch.
• (Optional) Configured interface ge-0/0/2 for Power over Ethernet (PoE). The PoE configuration is not
necessary if the VoIP supplicant is using a power adapter. See Configuring PoE on EX Series Switches (CLI
Procedure).
Overview
Instead of using a regular telephone, you connect an IP telephone directly to the switch. An IP phone has
all the hardware and software needed to handle VoIP. You can also power an IP telephone by connecting
it to one of the Power over Ethernet (PoE) interfaces on the switch.
EX Series switches can accommodate an IP telephone and end host connected to a single switch port. In
such a scenario, voice and data traffic must be separated into different broadcast domains, or VLANs. One
method for accomplishing this is by configuring a voice VLAN, which enables access ports to accept
untagged data traffic as well as tagged voice traffic from IP phones, and associate each type of traffic with
separate and distinct VLANs. Voice traffic (tagged) can then be treated differently, generally with a higher
priority than data traffic (untagged).
The voice VLAN delivers the greatest benefit when used with IP phones that support LLDP-MED, but it
is flexible enough that IP phones that do not support LLDP-MED can also use it effectively. However, in
the absence of LLDP-MED, the voice VLAN ID must be set manually on the IP phone because LLDP-MED
is not available to accomplish this dynamically. For information about setting up a voice VLAN for IP phones
that support LLDP-MED, see “Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX Series
Switch” on page 492.
Another method to separate voice (tagged) and data (untagged) traffic into different VLANs is to use a
trunk port with the native VLAN ID option. The trunk port is added as a member of the voice VLAN, and
processes only tagged voice traffic from that VLAN. The trunk port must also be configured with the native
VLAN ID for the data VLAN so that it can process untagged data traffic from the data VLAN. This
configuration also requires that the voice VLAN ID be set manually on the IP phone.
This example illustrates both methods. In this example, the interface ge-0/0/2 on the EX4200 switch is
connected to a non-LLDP-MED IP phone.
[edit]
Step-by-Step Procedure
1. Configure two VLANs: one for data traffic and one for voice traffic:
[edit vlans]
user@switch# set data-vlan vlan-id 77
user@switch# set voice-vlan vlan-id 99
2. Add the interface ge-0/0/2 to the data VLAN:
[edit vlans]
user@switch# set data-vlan interface ge-0/0/2.0
3. Configure the interface ge-0/0/2 as an access port belonging to the data VLAN:
[edit interfaces]
user@switch# set ge-0/0/2 unit 0 family ethernet-switching port-mode access
user@switch# set ge-0/0/2 unit 0 family ethernet-switching vlan member data-vlan
4. Configure VoIP on the interface ge-0/0/2 and add this interface to the voice VLAN:
[edit ethernet-switching-options]
user@switch# set voip interface ge-0/0/2.0 vlan voice-vlan
Results
Display the results of the configuration:
[edit]
user@switch> show configuration
interfaces {
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members data-vlan;
                }
            }
        }
    }
}
vlans {
    data-vlan {
        vlan-id 77;
        interface {
            ge-0/0/2.0;
        }
    }
    voice-vlan {
        vlan-id 99;
    }
}
ethernet-switching-options {
    voip {
        interface ge-0/0/2.0 {
            vlan voice-vlan;
        }
    }
}
Configuring VoIP Without LLDP-MED by Using a Trunk Port with Native VLAN Option
[edit]
Step-by-Step Procedure
1. Configure two VLANs: one for data traffic and one for voice traffic:
[edit vlans]
user@switch# set data-vlan vlan-id 77
user@switch# set voice-vlan vlan-id 99
2. Configure interface ge-0/0/2 as a trunk port that includes only the voice VLAN:
[edit interfaces]
user@switch# set ge-0/0/2 unit 0 family ethernet-switching port-mode trunk
user@switch# set ge-0/0/2 unit 0 family ethernet-switching vlan member voice-vlan
3. Configure the native VLAN ID for the data VLAN on the trunk port:
[edit interfaces]
user@switch# set ge-0/0/2 unit 0 family ethernet-switching native-vlan-id data-vlan
Results
Display the results of the configuration:
[edit]
user@switch> show configuration
interfaces {
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members voice-vlan;
                }
                native-vlan-id data-vlan;
            }
        }
    }
}
vlans {
    data-vlan {
        vlan-id 77;
    }
    voice-vlan {
        vlan-id 99;
    }
}
Verification
To confirm that the configuration is working properly, perform the following task:
Purpose
Display the interface state and VLAN membership.
Action
Meaning
The field VLAN members shows that the ge-0/0/2.0 interface supports both the data VLAN, data-vlan,
and the voice VLAN, voice-vlan. The State field shows that the interface is up.
IN THIS SECTION
Requirements | 515
Overview | 515
Configuration | 516
Verification | 519
You can configure voice over IP (VoIP) on an EX Series switch to support IP telephones.
To configure VoIP on an EX Series switch to support an IP phone that does not support 802.1X
authentication, you must either add the MAC address of the phone to the static MAC bypass list or enable
MAC RADIUS authentication on the switch.
This example describes how to configure VoIP on an EX Series switch without 802.1X authentication using
static MAC bypass of authentication:
Requirements
• An IP telephone
• Installed your EX Series switch. See the installation information for your switch.
• Performed the initial switch configuration. See Connecting and Configuring an EX Series Switch (CLI
Procedure).
• Performed basic bridging and VLAN configuration on the switch. See Example: Setting Up Basic Bridging
and a VLAN for an EX Series Switch.
• Configured the RADIUS server for 802.1X authentication and set up the access profile. See “Example:
Connecting a RADIUS Server for 802.1X to an EX Series Switch” on page 365.
• (Optional) Configured interface ge-0/0/2 for Power over Ethernet (PoE). The PoE configuration is not
necessary if the VoIP supplicant is using a power adapter. For information about configuring PoE, see
Configuring PoE on EX Series Switches (CLI Procedure).
NOTE: If the IP address isn't configured on the Avaya IP phone, the phone exchanges LLDP-MED
information to get the VLAN ID for the voice VLAN. You must configure the voip statement on
the interface to designate the interface as a VoIP interface and allow the switch to forward the
VLAN name and VLAN ID for the voice VLAN to the IP telephone. The IP telephone then uses
the voice VLAN (that is, it references the voice VLAN’s ID) to send a DHCP discover request
and exchange information with the DHCP server (voice gateway).
Overview
Instead of using a regular telephone, you connect an IP telephone directly to the switch. An IP phone has
all the hardware and software needed to handle VoIP. You also can power an IP telephone by connecting
it to one of the Power over Ethernet (PoE) interfaces on the switch.
In this example, the access interface ge-0/0/2 on the EX4200 switch is connected to a non-802.1X IP
phone.
To configure VoIP on an EX Series switch to support an IP phone that does not support 802.1X
authentication, add the MAC address of the phone as a static entry in the authenticator database and set
the supplicant mode to multiple.
Configuration
[edit]
Step-by-Step Procedure
To configure VoIP without 802.1X:
1. Configure two VLANs: one for data traffic and one for voice traffic:
[edit vlans]
user@switch# set data-vlan vlan-id 77
user@switch# set voice-vlan vlan-id 99
2. Add the interface ge-0/0/2 to the data VLAN:
[edit vlans]
user@switch# set data-vlan interface ge-0/0/2.0
3. Configure the interface as an access interface, configure support for Ethernet switching, and add the
data-vlan VLAN:
[edit interfaces]
user@switch# set ge-0/0/2 unit 0 family ethernet-switching vlan members data-vlan
user@switch# set ge-0/0/2 unit 0 family ethernet-switching port-mode access
4. Configure VoIP on the interface and specify the assured-forwarding forwarding class to provide the
most dependable class of service:
[edit ethernet-switching-options]
user@switch# set voip interface ge-0/0/2.0 vlan voice-vlan
user@switch# set voip interface ge-0/0/2.0 forwarding-class assured-forwarding
5. Enable LLDP-MED on the interface:
[edit protocols]
user@switch# set lldp-med interface ge-0/0/2.0
6. Set the authentication profile (see “Configuring 802.1X Interface Settings (CLI Procedure)” on page 355
and “Configuring 802.1X RADIUS Accounting (CLI Procedure)” on page 403):
[edit protocols]
user@switch# set dot1x authenticator authentication-profile-name auth-profile
7. Add the MAC address of the phone to the static MAC bypass list:
[edit protocols]
user@switch# set dot1x authenticator static 00:04:f2:11:aa:a7
8. Configure 802.1X authentication on the interface in multiple supplicant mode:
[edit protocols]
user@switch# set dot1x authenticator interface ge-0/0/2.0 supplicant multiple
Results
Display the results of the configuration:
[edit]
user@switch# show configuration
interfaces {
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members data-vlan;
                }
            }
        }
    }
}
protocols {
    lldp-med {
        interface ge-0/0/2.0;
    }
    dot1x {
        authenticator {
            authentication-profile-name auth-profile;
            static {
                00:04:f2:11:aa:a7;
            }
            interface {
                ge-0/0/2.0 {
                    supplicant multiple;
                }
            }
        }
    }
}
vlans {
    data-vlan {
        vlan-id 77;
        interface {
            ge-0/0/2.0;
        }
    }
    voice-vlan {
        vlan-id 99;
    }
}
ethernet-switching-options {
    voip {
        interface ge-0/0/2.0 {
            vlan voice-vlan;
            forwarding-class assured-forwarding;
        }
    }
}
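The Results sections of this example and of the LLDP-MED example earlier in this topic both display the configuration in the Junos curly-brace format, and the text states the properties the result should have: separate data and voice VLANs, the VoIP interface placed in the voice VLAN, multiple supplicant mode where a PC sits behind the phone, and, in this example, a static MAC bypass entry that admits the phone without 802.1X. The following is an added Python example, not Juniper code: it parses that format with a minimal reader and checks those properties. SAMPLE_CONFIG is an abridged, re-indented copy of the configuration displayed above, and the checks in audit_voip() are assumptions about what a reviewer would want flagged.

```python
"""Minimal parser for the curly-brace 'show configuration' output displayed above,
plus a check of the VoIP invariants this topic states. Added example, not Juniper
code: SAMPLE_CONFIG is an abridged, re-indented copy of the configuration shown
above; the checks in audit_voip() are assumptions about what to flag."""
from typing import Dict, List, Optional

SAMPLE_CONFIG = """interfaces {
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members data-vlan;
                }
            }
        }
    }
}
protocols {
    dot1x {
        authenticator {
            static {
                00:04:f2:11:aa:a7;
            }
            interface {
                ge-0/0/2.0 {
                    supplicant multiple;
                }
            }
        }
    }
}
vlans {
    data-vlan {
        vlan-id 77;
    }
    voice-vlan {
        vlan-id 99;
    }
}
ethernet-switching-options {
    voip {
        interface ge-0/0/2.0 {
            vlan voice-vlan;
            forwarding-class assured-forwarding;
        }
    }
}"""

def parse_junos_config(text: str) -> Dict:
    """Nested dicts: 'stmt {' maps to a child dict, 'stmt;' maps to None."""
    root: Dict = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            stack.pop()  # an extra '}' empties the stack and fails on the next line
        elif line.endswith("{"):
            stack[-1][line[:-1].strip()] = child = {}
            stack.append(child)
        elif line.endswith(";"):
            stack[-1][line[:-1].strip()] = None
        else:
            raise ValueError(f"unrecognised line: {line!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced braces")
    return root

def value_of(node: Dict, keyword: str) -> Optional[str]:
    """Argument of the leaf statement 'keyword <arg>;' in node, or None."""
    for stmt, child in node.items():
        if child is None and stmt.startswith(keyword + " "):
            return stmt[len(keyword) + 1:]
    return None

def audit_voip(config: Dict) -> List[str]:
    findings: List[str] = []
    vlan_ids = {n: value_of(b, "vlan-id") for n, b in config.get("vlans", {}).items() if b}
    auth = config.get("protocols", {}).get("dot1x", {}).get("authenticator", {})
    for stmt, body in config.get("ethernet-switching-options", {}).get("voip", {}).items():
        ifname = stmt.split()[-1]  # "interface ge-0/0/2.0"
        voice = value_of(body, "vlan")
        if voice not in vlan_ids:
            findings.append(f"{ifname}: voice VLAN {voice!r} is not defined under vlans")
        phys, _, unit = ifname.partition(".")
        family = (config.get("interfaces", {}).get(phys, {})
                  .get(f"unit {unit}", {}).get("family ethernet-switching", {}))
        data = value_of(family.get("vlan") or {}, "members")  # access port's data VLAN
        if data == voice or vlan_ids.get(data, "?") == vlan_ids.get(voice):
            findings.append(f"{ifname}: data and voice traffic share VLAN {voice}")
        dot1x_if = auth.get("interface", {}).get(ifname)
        if dot1x_if is not None and value_of(dot1x_if, "supplicant") != "multiple":
            findings.append(f"{ifname}: 802.1X is not in multiple supplicant mode")
    for mac in auth.get("static", {}):  # entries that bypass 802.1X entirely
        findings.append(f"static MAC bypass entry {mac}: admitted without 802.1X authentication")
    return findings
```

On the configuration above the only finding is the static bypass entry, which is reported so that the list of addresses admitted without authentication stays visible to whoever reviews the configuration; pointing the voip interface at data-vlan, or switching the interface to single supplicant mode, produces an additional finding.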
Verification
Purpose
Verify that LLDP-MED is enabled on the interface.
Action
LLDP : Enabled
Advertisement interval : 30 Second(s)
Transmit delay : 2 Second(s)
Hold timer : 2 Second(s)
Config Trap Interval : 300 Second(s)
Connection Hold timer : 60 Second(s)
ge-0/0/10.0 0 default
ge-0/0/11.0 20 employee-vlan
ge-0/0/23.0 0 default
Meaning
The show lldp detail output shows that both LLDP and LLDP-MED are configured on the ge-0/0/2.0
interface. The end of the output lists the supported LLDP basic TLVs, 802.3 TLVs, and LLDP-MED TLVs.
Purpose
Display the 802.1X configuration for the desktop PC connected to the VoIP interface through the IP phone.
Action
ge-0/0/2.0
  Role: Authenticator
  Administrative state: Auto
  Supplicant mode: Multiple
  Number of retries: 3
  Quiet period: 60 seconds
  Transmit period: 30 seconds
  Mac Radius: Disabled
  Mac Radius Restrict: Disabled
  Reauthentication: Enabled
  Configured Reauthentication interval: 3600 seconds
  Supplicant timeout: 30 seconds
Meaning
The Role field shows that the ge-0/0/2.0 interface is acting as the authenticator. The Supplicant mode field
shows that the interface is configured in multiple supplicant mode, permitting multiple supplicants to be
authenticated on this interface. The MAC addresses of the supplicants currently connected are displayed
at the bottom of the output.
Purpose
Display the interface state and VLAN membership.
Action
Meaning
The field VLAN members shows that the ge-0/0/2.0 interface supports both the data-vlan VLAN and
voice-vlan VLAN. The State field shows that the interface is up.
IN THIS SECTION
Requirements | 523
Configuration | 526
Verification | 529
NOTE: This example uses Junos OS for EX Series switches with support for the Enhanced Layer
2 Software (ELS) configuration style. If your switch runs software that does not support ELS, see
“Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX Series Switch” on page 492.
For ELS details, see Using the Enhanced Layer 2 Software CLI.
You can configure VoIP on an EX Series switch to support IP telephones. The Link Layer Discovery
Protocol–Media Endpoint Discovery (LLDP-MED) protocol forwards VoIP parameters from the switch to
the phone. You also configure 802.1X authentication to allow the telephone access to the LAN.
Authentication is done through a backend RADIUS server.
This example describes how to configure VoIP on an EX Series switch to support an Avaya IP phone, as
well as how to configure the LLDP-MED protocol and 802.1X authentication:
Requirements
• One EX Series switch with support for ELS acting as an authenticator port access entity (PAE). The
interfaces on the authenticator PAE form a control gate that blocks all traffic to and from supplicants
until they are authenticated.
• Installed your EX Series switch. See the installation information for your switch.
• Performed the initial switch configuration. See Connecting and Configuring an EX Series Switch (CLI
Procedure).
• Performed basic bridging and VLAN configuration on the switch. See Example: Setting Up Basic Bridging
and a VLAN for an EX Series Switch with ELS Support or Example: Setting Up Basic Bridging and a VLAN on
Switches.
• Configured the RADIUS server for 802.1X authentication and set up the access profile. See “Example:
Connecting a RADIUS Server for 802.1X to an EX Series Switch” on page 365.
• (Optional) Configured the interface ge-0/0/2 for Power over Ethernet (PoE). The PoE configuration is
not necessary if the VoIP supplicant uses a power adapter. For information about configuring PoE, see
Configuring PoE on EX Series Switches (CLI Procedure).
NOTE: If the IP address is not configured on the Avaya IP phone, the phone exchanges LLDP-MED
information to get the VLAN ID for the voice VLAN. You must configure the voip statement on
the interface to designate the interface as a VoIP interface and allow the switch to forward the
VLAN name and VLAN ID for the voice VLAN to the IP telephone. The IP telephone then uses
the voice VLAN (that is, it references the voice VLAN’s ID) to send a DHCP discover request
and exchange information with the DHCP server (voice gateway).
Instead of using a regular telephone, you connect an IP telephone directly to the switch. An IP phone has
all the hardware and software needed to handle VoIP. You also can power an IP telephone by connecting
it to one of the Power over Ethernet (PoE) interfaces on the switch.
EX Series switches can accommodate an IP telephone and end host connected to a single switch port. In
such a scenario, voice and data traffic must be separated into different broadcast domains, or VLANs. One
method for accomplishing this is by configuring a voice VLAN, which enables access ports to accept
untagged data traffic as well as tagged voice traffic from IP phones, and associate each type of traffic with
separate and distinct VLANs. Voice traffic (tagged) can then be treated differently, generally with a higher
priority than data traffic (untagged).
NOTE: If a MAC address has been learned on both the data and voice VLANs, it remains active
unless it ages out of both VLANs, or both VLANs are deleted.
In this example, the access interface ge-0/0/2 on the EX Series switch is connected to an Avaya IP telephone.
Avaya phones have a built-in bridge that enables you to connect a desktop PC to the phone, so the desktop
and phone in a single office require only one interface on the switch. The EX Series switch is connected
to a RADIUS server on the ge-0/0/10 interface (see Figure 24 on page 525).
In this example, you configure VoIP parameters and specify the forwarding class assured-forward for voice
traffic to provide the highest quality of service.
Table 35 on page 525 describes the components used in this VoIP configuration example.
Property    Settings
voice-vlan  99
• 802.1X authentication. Authentication is set to multiple supplicant mode to support more than one
supplicant's access to the LAN through interface ge-0/0/2.
• LLDP-MED protocol information. The switch uses LLDP-MED to forward VoIP parameters to the phone.
Using LLDP-MED ensures that voice traffic gets tagged and prioritized with the correct values at the
source itself. For example, 802.1p class of service and 802.1Q tag information can be sent to the IP
telephone.
Configuration
[edit]
Step-by-Step Procedure
To configure VoIP with LLDP-MED and 802.1X:
[edit vlans]
user@switch# set data-vlan vlan-id 77
user@switch# set voice-vlan vlan-id 99
[edit vlans]
user@switch# set data-vlan switch-options interface ge-0/0/2.0
3. Configure the interface as an access interface, configure support for Ethernet switching, and add the
interface as a member of the data-vlan VLAN:
[edit interfaces]
user@switch# set ge-0/0/2 unit 0 family ethernet-switching interface-mode access
user@switch# set ge-0/0/2 unit 0 family ethernet-switching vlan members data-vlan
4. Configure VoIP on the interface and specify the assured-forwarding forwarding class to provide the
most dependable class of service:
[edit switch-options]
user@switch# set voip interface ge-0/0/2.0 vlan voice-vlan
user@switch# set voip interface ge-0/0/2.0 forwarding-class assured-forwarding
[edit protocols]
user@switch# set lldp-med interface ge-0/0/2
6. To authenticate an IP phone and a PC connected to the IP phone on the interface, configure 802.1X
authentication support and specify multiple supplicant mode:
NOTE: If you do not want to authenticate any device, skip the 802.1X configuration on this
interface.
[edit protocols]
user@switch# set dot1x authenticator interface ge-0/0/2.0 supplicant multiple
Results
Display the results of the configuration:
[edit]
user@switch# show configuration
interfaces {
ge-0/0/2 {
unit 0 {
family ethernet-switching {
interface-mode access;
vlan {
members data-vlan;
}
}
}
}
}
protocols {
lldp-med {
interface ge-0/0/2;
}
dot1x {
authenticator {
interface {
ge-0/0/2.0 {
supplicant multiple;
}
}
}
}
}
vlans {
data-vlan {
vlan-id 77;
switch-options {
interface ge-0/0/2.0;
}
}
voice-vlan {
vlan-id 99;
}
}
switch-options {
voip {
interface ge-0/0/2.0 {
vlan voice-vlan;
forwarding-class assured-forwarding;
}
}
}
Verification
Purpose
Verify that LLDP-MED is enabled on the interface.
Action
LLDP : Enabled
Advertisement interval : 30 seconds
Transmit delay : 2 seconds
Meaning
The show lldp detail output shows that both LLDP and LLDP-MED are configured on the ge-0/0/2
interface. The end of the output lists the supported LLDP basic management TLVs and
organizationally specific TLVs.
Purpose
Display the 802.1X configuration to confirm that the VoIP interface has access to the LAN.
Action
ge-0/0/2.0
Role: Authenticator
Administrative state: Auto
Supplicant mode: Multiple
Number of retries: 3
Quiet period: 60 seconds
Transmit period: 30 seconds
Mac Radius: Disabled
Mac Radius Restrict: Disabled
Reauthentication: Enabled
Configured Reauthentication interval: 3600 seconds
Supplicant timeout: 30 seconds
Server timeout: 30 seconds
Maximum EAPOL requests: 2
Guest VLAN member: <not configured>
Number of connected supplicants: 1
Supplicant: user101, 00:04:0f:fd:ac:fe
Operational state: Authenticated
Authentication method: Radius
Authenticated VLAN: vo11
Dynamic Filter: match source-dot1q-tag 10 action deny
Session Reauth interval: 60 seconds
Reauthentication due in 50 seconds
Meaning
The field Role shows that the ge-0/0/2.0 interface is in the authenticator state. The Supplicant mode field
shows that the interface is configured in multiple supplicant mode, permitting multiple supplicants to be
authenticated on this interface. The MAC addresses of the supplicants currently connected are displayed
at the bottom of the output.
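As an added example (not from this guide), the following Python script parses the show dot1x interface detail output shown above and checks it against what the text expects of this interface: authenticator role, Auto administrative state, multiple supplicant mode, reauthentication enabled, and every listed supplicant in the Authenticated state. The sample output is constructed from the output above; the parser's field handling and the audit checks are assumptions of this example, not a Junos API.

```python
"""Parse 'show dot1x interface <name> detail' output and audit it.
Added example, not from the Junos guide. The sample is constructed from the
Verification output above; the checks encode what that text expects of the
interface (authenticator role, Auto state, multiple supplicant mode,
reauthentication enabled, every listed supplicant Authenticated)."""
from typing import Dict, List

SAMPLE_OUTPUT = """\
ge-0/0/2.0
  Role: Authenticator
  Administrative state: Auto
  Supplicant mode: Multiple
  Number of retries: 3
  Quiet period: 60 seconds
  Transmit period: 30 seconds
  Mac Radius: Disabled
  Mac Radius Restrict: Disabled
  Reauthentication: Enabled
  Configured Reauthentication interval: 3600 seconds
  Supplicant timeout: 30 seconds
  Server timeout: 30 seconds
  Maximum EAPOL requests: 2
  Guest VLAN member: <not configured>
  Number of connected supplicants: 1
    Supplicant: user101, 00:04:0f:fd:ac:fe
      Operational state: Authenticated
      Authentication method: Radius
      Authenticated VLAN: vo11
      Dynamic Filter: match source-dot1q-tag 10 action deny
      Session Reauth interval: 60 seconds
      Reauthentication due in 50 seconds
"""


def parse_dot1x_detail(text: str) -> Dict:
    """Return {'interface', 'settings', 'supplicants'} for one interface block.
    'Key: Value' lines before the first 'Supplicant:' line are interface settings;
    later ones belong to the most recent supplicant. Lines without ': ' are ignored."""
    interface = None
    settings: Dict[str, str] = {}
    supplicants: List[Dict[str, str]] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if interface is None:
            interface = line
            continue
        if line.startswith("Supplicant:"):
            name, _, mac = line[len("Supplicant:"):].partition(",")
            current = {"name": name.strip(), "mac": mac.strip()}
            supplicants.append(current)
            continue
        key, sep, value = line.partition(": ")
        if sep:
            (settings if current is None else current)[key.strip()] = value.strip()
    return {"interface": interface, "settings": settings, "supplicants": supplicants}


def seconds(value: str) -> int:
    """Turn a '3600 seconds' field into an integer."""
    return int(value.split()[0])


def audit(parsed: Dict, expected_mode: str = "Multiple") -> List[str]:
    """Findings for one parsed interface block; an empty list means as expected."""
    s = parsed["settings"]
    name = parsed["interface"]
    findings: List[str] = []
    if s.get("Role") != "Authenticator":
        findings.append(f"{name}: role is {s.get('Role')}, not Authenticator")
    if s.get("Administrative state") != "Auto":
        findings.append(f"{name}: administrative state is {s.get('Administrative state')}")
    mode = s.get("Supplicant mode")
    if mode != expected_mode:
        findings.append(f"{name}: supplicant mode is {mode}, expected {expected_mode}")
    if mode == "Single":
        # Single mode authenticates only the first device; devices that connect
        # later piggyback on that authentication, as the supplicant mode text says.
        findings.append(f"{name}: Single mode lets later devices piggyback on the first")
    if s.get("Reauthentication") != "Enabled":
        findings.append(f"{name}: reauthentication is not enabled")
    declared = int(s.get("Number of connected supplicants", "0"))
    if declared != len(parsed["supplicants"]):
        findings.append(f"{name}: {declared} supplicants declared, "
                        f"{len(parsed['supplicants'])} listed")
    for sup in parsed["supplicants"]:
        if sup.get("Operational state") != "Authenticated":
            findings.append(f"{name}: supplicant {sup['name']} ({sup['mac']}) is "
                            f"{sup.get('Operational state')}")
    return findings
```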
Purpose
Display the interface’s VLAN membership.
Action
Meaning
The field VLAN members shows that the ge-0/0/2.0 interface supports both the data-vlan VLAN and
voice-vlan VLAN.
MX Series routers support the IEEE 802.1x Port-Based Network Access Control (dot1x) protocol on
Ethernet interfaces for validation of client and user credentials to prevent unauthorized access to a specified
router port. Before authentication is complete, only 802.1x control packets are allowed and forwarded to
the router control plane for processing. All other packets are dropped.
Authentication methods used must be 802.1x compliant. Authentication using RADIUS and Microsoft
Active Directory servers is supported. The following user/client authentication methods are allowed:
You can use both client and server certificates in all types of authentication except EAP-MD5.
NOTE: On the MX Series router, 802.1x can be enabled on bridged ports only and not on routed
ports.
Dynamic changes to a user session are supported to allow the router administrator to terminate an already
authenticated session by using the “RADIUS disconnect” message defined in RFC 3576.
The administrative state of an authenticator port can take any of the following three states:
• Force authorized—Allows network access to all users of the port without requiring them to be
authenticated. This is equivalent to not having any authentication enabled on the port.
• Force unauthorized—Denies network access to all users of the port. This is equivalent to disabling the
port.
• Automatic—This is the default mode where the authentication server response determines if the port
is opened for traffic or not. Only the successfully authenticated clients are allowed access, all others are
denied.
In Junos OS, the default mode is “automatic.” The “force authorized” and “force unauthorized” admin
modes are not supported. You can achieve the functionality of “force authorized” mode by disabling dot1x
on the required port. You can achieve the functionality of “force unauthorized” mode by disabling the port
itself.
Junos OS supports the supplicant mode “single” and not the “single secure” nor “multiple” modes. The
“Single” mode option authenticates only the first client that connects to a port. All other clients that connect
later (802.1x compliant or noncompliant) are allowed free access on that port without any further
authentication. If the first authenticated client logs out, all other users are locked out until a client
authenticates again.
To configure the IEEE 802.1x Port-Based Network Access Control protocol on Ethernet interfaces you
must configure the authenticator statement at the [edit protocols dot1x] hierarchy level. Use the
authentication-profile-name access-profile-name statement to specify the authenticating RADIUS server,
and use the interface statement to specify and configure the Gigabit Ethernet or Fast Ethernet interface
on the router specifically for IEEE 802.1x protocol use; both at the [edit protocols dot1x authenticator]
hierarchy level.
Action
To view all dot1x configurations, use the show dot1x interface operational mode command. To view a
dot1x configuration for a specific interface, use the show dot1x interface (xe-fpc/pic/port | ge-fpc/pic/port
| fe-fpc/pic/port) detail operational mode command. See the Network Interfaces Command Reference for
more information about this command.
RELATED DOCUMENTATION
Understanding 802.1X and VoIP on MX Series Routers in Enhanced LAN Mode | 548
Configuring Server Fail Fallback on MX Series Routers in Enhanced LAN Mode | 564
Authentication Process Flow for MX Series Routers in Enhanced LAN Mode | 568
Starting with Junos OS Release 14.2, IEEE 802.1X provides network edge security, protecting Ethernet
LANs from unauthorized user access. Support is implemented for controlling access to your network
through an MX Series router by using several different authentication methods, such as 802.1X, MAC
RADIUS, or a captive portal.
This functionality is supported on the following MPCs on MX240, MX480, and MX960 routers in enhanced
LAN mode:
• MPC4E with two 100-Gigabit Ethernet ports and eight 10-Gigabit Ethernet ports
• MPC1E with forty 1-Gigabit Ethernet ports or twenty 1-Gigabit Ethernet ports
You must reboot the router when you configure or delete the enhanced LAN mode on the router.
Configuring the network-services lan option implies that the system is running in the enhanced IP mode.
When you configure a device to function in MX-LAN mode, only the supported configuration statements
and operational show commands that are available for enabling or viewing in this mode are displayed in
the CLI interface. If your system contains parameters that are not supported in MX-LAN mode in a
configuration file, you cannot commit those unsupported attributes. You must remove the settings that
are not supported and then commit the configuration. After the successful CLI commit, a system reboot
is required for the attributes to become effective. Similarly, if you remove the network-services lan
statement, the system does not run in MX-LAN mode. Therefore, all of the settings that are supported
outside of the MX-LAN mode are displayed and are available for definition in the CLI interface. If your
configuration file contains settings that are supported only in MX-LAN mode, you must remove those
attributes before you commit the configuration. After the successful CLI commit, a system reboot will be
required for the CLI settings to take effect. The Layer 2 Next-Generation CLI configuration settings are
supported in MX-LAN mode. As a result, the typical MX Series format of CLI configurations might differ
in MX-LAN mode.
This functionality is supported on an MX Series Virtual Chassis combination that functions in enhanced
LAN mode (by entering the network-services lan statement at the [edit chassis] hierarchy level). Port-based
network access control is supported on MX240, MX480, and MX960 routers with MPCs in both the
MX-LAN mode and the non-MX-LAN mode (with other supported network services modes on MPCs on
these routers). To configure the IEEE 802.1x port-based network access control (PNAC) protocol on
Ethernet interfaces, you must configure the authenticator statement at the [edit protocols
authentication-access-control] hierarchy level. You can also configure captive portal authentication on
a router so that users connected to the switch are authenticated before being allowed to access the
network. You can also configure Junos Pulse Access Control Service as the access policy to authenticate
and authorize users connected to the switch for admission to the network and for access to protected
network resources by using the uac-policy statement.
802.1X authentication works by using an Authenticator Port Access Entity (the switch) to block all traffic
to and from a supplicant (end device) at the port until the supplicant's credentials are presented and
matched on the Authentication server (a RADIUS server). When authenticated, the switch stops blocking
traffic and opens the port to the supplicant.
The end device is authenticated in either single mode, single-secure mode, or multiple mode:
• single—Authenticates only the first end device. All other end devices that connect later to the port are
allowed full access without any further authentication. They effectively “piggyback” on the first end
device’s authentication.
• single-secure—Allows only one end device to connect to the port. No other end device is allowed to
connect until the first logs out.
• multiple—Allows multiple end devices to connect to the port. Each end device will be authenticated
individually.
Network access can be further defined using VLANs and firewall filters, which both act as filters to separate
and match groups of end devices to the areas of the LAN they require. For example, you can configure
VLANs to handle different categories of authentication failures depending upon:
• Whether or not MAC RADIUS authentication has been configured on the switch interfaces to which
the hosts are connected.
• Whether the RADIUS authentication server becomes unavailable or sends a RADIUS access-reject
message. See “Configuring RADIUS Server Fail Fallback (CLI Procedure)” on page 349.
NOTE: The 802.1X features available on the MX Series routers depend upon which switch you
are using.
• Guest VLAN—Provides limited access to a LAN, typically just to the Internet, for nonresponsive end
devices that are not 802.1X-enabled when MAC RADIUS authentication has not been configured on
the switch interfaces to which the hosts are connected. A guest VLAN can also be used to provide
limited access to a LAN for guest users. Typically, the guest VLAN provides access just to the Internet
and to other guests’ end devices.
• Server-reject VLAN—Provides limited access to a LAN, typically just to the Internet, for responsive end
devices that are 802.1X-enabled but that have sent the wrong credentials.
• Server-fail VLAN—Provides limited access to a LAN, typically just to the Internet, for 802.1X end devices
during a RADIUS server timeout.
• Private VLAN—Enables configuration of 802.1X authentication on interfaces that are members of private
VLANs (PVLANs).
• Dynamic changes to a user session—Allows the switch administrator to terminate an already authenticated
session. This feature is based on support of the RADIUS Disconnect Message defined in RFC 3576.
802.1X does not replace other security technologies. 802.1X works together with port security features,
such as DHCP snooping, dynamic ARP inspection (DAI), and MAC limiting, to guard against spoofing.
• Static MAC bypass—Provides a bypass mechanism to authenticate devices that are not 802.1X-enabled
(such as printers). Static MAC bypass connects these devices to 802.1X-enabled ports, bypassing 802.1X
authentication.
Release Description
14.2 Starting with Junos OS Release 14.2, IEEE 802.1X provides network edge security, protecting
Ethernet LANs from unauthorized user access. Support is implemented for controlling access to
your network through an MX Series router by using several different authentication methods,
such as 802.1X, MAC RADIUS, or a captive portal.
Starting with Junos OS Release 14.2, Juniper Networks MX Series routers use Link Layer Discovery Protocol
(LLDP) and Link Layer Discovery Protocol–Media Endpoint Discovery (LLDP-MED) to learn and distribute
device information on network links. The information allows the router to quickly identify a variety of
devices, resulting in a LAN that interoperates smoothly and efficiently.
LLDP-capable devices transmit information in type, length, and value (TLV) messages to neighbor devices.
Device information can include information such as chassis and port identification and system name and
system capabilities. The TLVs leverage this information from parameters that have already been configured
in the Juniper Networks Junos operating system (Junos OS).
LLDP-MED goes one step further than LLDP, exchanging IP-telephony messages between the router and
the IP telephone.
LLDP and LLDP-MED also provide PoE power management capabilities. LLDP power negotiation allows
the router to manage PoE power by negotiating with LLDP-enabled powered devices to dynamically
allocate PoE power as needed. LLDP power priority allows an LLDP-enabled powered device to set the
PoE power priority on the router interface to which it connects.
The router also uses these protocols to ensure that voice traffic gets tagged and prioritized with the correct
values at the source itself. For example, 802.1p CoS and 802.1Q tag information can be sent to the IP
telephone.
NOTE: The Chassis ID TLV has a subtype for Network Address Family. LLDP frames are
validated only if this subtype has a value of 1 (IPv4) or 2 (IPv6). For any other value, the
transmitting device is detected by LLDP as a neighbor and displayed in the output of the "show
lldp neighbors" command, but is not assigned to the VLAN.
• Port Identifier—The port identification for the specified port in the local system.
• Port Description—Textual description of the interface or the logical unit. The description for the logical
unit is used, if available; otherwise, the Port Description TLV will contain the description configured on
the physical interface. For example, LAG member interfaces do not contain a logical unit, so only the
description configured on the physical interface can be used.
• System Name—The user-configured name of the local system. The system name can be a maximum of
256 characters.
• System Description—The system description containing information about the software and current
image running on the system. This information is not configurable, but taken from the software.
• System Capabilities—The primary function performed by the system. The capabilities that system
supports; for example, bridge or router. This information is not configurable, but based on the model of
the product.
• Power via MDI—A TLV that advertises MDI power support, PSE power pair, and power class information.
• MAC/PHY Configuration Status—A TLV that advertises information about the physical interface, such
as autonegotiation status and support and MAU type. The information is not configurable, but based on
the physical interface structure.
NOTE: The MAC/PHY Configuration Status TLV has a subtype for the PMD Auto-Negotiation
Advertised Capability field. This field will contain a value of other or unknown if the LLDP
packet was transmitted from a 10-gigabit SFP+ port.
• Link Aggregation—A TLV that advertises if the port is aggregated and its aggregated port ID.
• Maximum Frame Size—A TLV that advertises the Maximum Transmission Unit (MTU) of the interface
sending LLDP frames.
• Port Vlan—A TLV that advertises the VLAN name configured on the interface.
• LLDP MED Capabilities—A TLV that advertises the primary function of the port. The capabilities values
range 0 through 15:
• 0—Capabilities
• 1—Network Policy
• 2—Location Identification
• 4—Inventory
• 5–15—Reserved
• 1—Class 1 Device
• 2—Class 2 Device
• 3—Class 3 Device
• 5–255—Reserved
• Network Policy—A TLV that advertises the port VLAN configuration and associated Layer 2 and Layer
3 attributes. Attributes include the policy identifier, application types, such as voice or streaming video,
802.1Q VLAN tagging, and 802.1p priority bits and Diffserv code points.
• Endpoint Location— A TLV that advertises the physical location of the endpoint.
• Extended Power via MDI— A TLV that advertises the power type, power source, power priority, and
power value of the port. It is the responsibility of the PSE device (network connectivity device) to
advertise the power priority on a port.
Release Description
14.2 Starting with Junos OS Release 14.2, Juniper Networks MX Series routers use Link Layer Discovery
Protocol (LLDP) and Link Layer Discovery Protocol–Media Endpoint Discovery (LLDP-MED) to
learn and distribute device information on network links. The information allows the router to
quickly identify a variety of devices, resulting in a LAN that interoperates smoothly and efficiently.
Juniper Networks MX Series routers support IETF RFC 2866, RADIUS Accounting. Starting with Junos OS
Release 14.2, you can configure RADIUS accounting on an MX Series router which enables statistical data
about users logging onto or off a LAN to be collected and sent to a RADIUS accounting server. The statistical
data gathered can be used for general network monitoring, to analyze and track usage patterns, or to bill
a user based upon the amount of time or type of services accessed.
To configure RADIUS accounting, specify one or more RADIUS accounting servers to receive the statistical
data from the switch, and select the type of accounting data to be collected.
The RADIUS accounting server you specify can be the same server used for RADIUS authentication, or it
can be a separate RADIUS server. You can specify a list of RADIUS accounting servers. In the event that
the primary server (the first one configured) is unavailable, each RADIUS server in the list is tried in the
order in which they are configured in the Juniper Networks Junos operating system (Junos OS).
The RADIUS accounting process between a switch and a RADIUS server works like this:
1. A RADIUS accounting server listens for User Datagram Protocol (UDP) packets on a specific port. For
example, on FreeRADIUS, the default port is 1813.
2. The switch forwards an accounting-request packet containing an event record to the accounting server.
For example, a supplicant is authenticated through 802.1X authentication and connected to the LAN.
The event record associated with this supplicant contains an Acct-Status-Type attribute whose value
indicates the beginning of user service for this supplicant. When the supplicant's session ends, the
accounting request will contain an Acct-Status-Type attribute value indicating the end of user service.
The RADIUS accounting server records this as a stop-accounting record containing session information
and the length of the session.
3. The RADIUS accounting server logs these events as start-accounting or stop-accounting records. The
records are in a file. On FreeRADIUS, the file name is the server's address; for example, 122.69.1.250.
4. The accounting server sends an accounting-response packet back to the switch confirming it has received
the accounting request.
5. If the switch does not receive a response from the server, it continues to send accounting requests
until an accounting response is returned from the accounting server.
The statistics collected through this process can be displayed from the RADIUS server; to see those
statistics, the user accesses the log file configured to receive them.
Release Description
14.2 Starting with Junos OS Release 14.2, you can configure RADIUS accounting on an MX Series router
which enables statistical data about users logging onto or off a LAN to be collected and sent to a
RADIUS accounting server. The statistical data gathered can be used for general network monitoring,
to analyze and track usage patterns, or to bill a user based upon the amount of time or type of
services accessed.
When you use Voice over IP (VoIP), you can connect IP telephones to the router and configure IEEE 802.1X
authentication for 802.1X-compatible IP telephones. Starting with Junos OS Release 14.2, 802.1X
authentication provides network edge security, protecting Ethernet LANs from unauthorized user access.
VoIP is a protocol used for the transmission of voice through packet-switched networks. VoIP transmits
voice calls using a network connection instead of an analog phone line.
When VoIP is used with 802.1X, the RADIUS server authenticates the phone, and Link Layer Discovery
Protocol–Media Endpoint Discovery (LLDP-MED) provides the class-of-service (CoS) parameters to the
phone.
You can configure 802.1X authentication to work with VoIP in multiple supplicant or single supplicant
mode. In multiple-supplicant mode, the 802.1X process allows multiple supplicants to connect to the
interface. Each supplicant will be authenticated individually. For an example of a VoIP multiple supplicant
topology, see Figure 21 on page 490.
If an 802.1X-compatible IP telephone does not have an 802.1X host but has another 802.1X-compatible
device connected to its data port, you can connect the phone to an interface in single-supplicant mode.
In single-supplicant mode, the 802.1X process authenticates only the first supplicant. All other supplicants
who connect later to the interface are allowed full access without any further authentication. They
effectively “piggyback” on the first supplicant’s authentication. For an example of a VoIP single supplicant
topology, see Figure 22 on page 491 .
If an IP telephone does not support 802.1X, you can configure VoIP to bypass 802.1X and LLDP-MED
and have the packets forwarded to a VoIP VLAN,
Release Description
14.2 Starting with Junos OS Release 14.2, 802.1X authentication provides network edge security,
protecting Ethernet LANs from unauthorized user access.
Starting with Junos OS Release 14.2, guest VLANs can be configured on switches that are using 802.1X
authentication to provide limited access—typically only to the Internet—for:
• Corporate guests
• Nonresponsive end devices when MAC RADIUS authentication has not been configured on the switch
interfaces to which the hosts are connected
A guest VLAN is not used for supplicants sending incorrect credentials. Those supplicants are directed to
the server-reject VLAN instead.
For end devices that are not 802.1X-enabled, a guest VLAN can allow limited access to a server from
which the non-802.1X-enabled end device can download the supplicant software and attempt authentication
again.
A guest VLAN is not used when MAC RADIUS authentication has been configured on the switch interfaces
to which the hosts are connected. Some end devices, such as a printer, cannot be enabled for 802.1X. The
hosts for such devices should be connected to switch interfaces that are configured for MAC RADIUS
authentication.
Release Description
14.2 Starting with Junos OS Release 14.2, guest VLANs can be configured on switches that are
using 802.1X authentication to provide limited access—typically only to the Internet
Starting with Junos OS Release 14.2, dynamic VLANs, in conjunction with the 802.1X authentication
process, provide secure access to the LAN for end devices belonging to different VLANs on a single port.
When this feature is configured on the RADIUS server, an end device or user authenticating on the RADIUS
server is assigned to the VLAN configured for it. The end device or user becomes a member of a VLAN
dynamically after successful 802.1X authentication. For information on configuring dynamic VLANs on
your RADIUS server, see the documentation for your RADIUS server.
Successful authentication requires that the VLAN ID or VLAN name exist on the router and match the
VLAN ID or VLAN name sent by the RADIUS server during authentication. If neither exists, the end device
is unauthenticated. If a guest VLAN is established, the unauthenticated end device is automatically moved
to the guest VLAN.
Release Description
14.2 Starting with Junos OS Release 14.2, dynamic VLANs, in conjunction with the 802.1X
authentication process, provide secure access to the LAN for end devices belonging to different
VLANs on a single port.
Starting with Junos OS Release 14.2, server fail fallback allows you to specify how end devices connected
to the router are supported if the RADIUS authentication server becomes unavailable or sends a RADIUS
access-reject message.
Juniper Networks MX Series routers in enhanced LAN mode use authentication to implement access
control in an enterprise network. If 802.1X, MAC RADIUS, or captive portal authentication are configured
on the interface, end devices are evaluated at the initial connection by an authentication (RADIUS) server.
If the end device is configured on the authentication server, the device is granted access to the LAN and
the MX Series router opens the interface to permit access.
A RADIUS server timeout occurs if no RADIUS authentication servers are reachable when an end device
logs in and attempts to access the LAN. Server fail fallback allows you to specify one of four actions to be
taken toward end devices awaiting authentication when the server is timed out:
• Permit authentication, allowing traffic to flow from the end device through the interface as if the end
device were successfully authenticated by the RADIUS server.
• Deny authentication, preventing traffic from flowing from the end device through the interface. This is
the default.
• Move the end device to a specified VLAN. (The VLAN must already exist on the router.)
• Sustain authenticated end devices that already have LAN access and deny unauthenticated end devices.
If the RADIUS servers time out during reauthentication, previously authenticated end devices are
reauthenticated and new users are denied LAN access.
Server fail fallback is triggered most often during reauthentication when the already configured and in-use
RADIUS server becomes inaccessible. However, server fail fallback can also be triggered by an end device’s
first attempt at authentication through the RADIUS server.
Server fail fallback allows you to specify that an end device be moved to a specified VLAN if the router
receives a RADIUS access-reject message. The configured VLAN name overrides any attributes sent by
the server.
Release Description
14.2 Starting with Junos OS Release 14.2, server fail fallback allows you to specify how end devices
connected to the router are supported if the RADIUS authentication server becomes unavailable
or sends a RADIUS access-reject message.
Starting with Junos OS Release 14.2, RADIUS accounting permits statistical data about users logging onto
or off a LAN to be collected and sent to a RADIUS accounting server. The statistical data gathered can be
used for general network monitoring, to analyze and track usage patterns, or to bill a user based upon the
amount of time or type of services accessed.
1. Specify the accounting servers to which the switch will forward accounting statistics:
[edit access]
user@router# set profile profile1 radius accounting-server [ 122.69.1.250 122.69.1.252 ]
[edit access]
user@router# set radius-server 122.69.1.250 secret juniper
[edit access]
user@router# set profile profile1 accounting
4. Configure the RADIUS servers to use while sending accounting messages and updates:
[edit access]
user@router# set profile profile1 accounting order radius
5. Configure the statistics to be collected on the router and forwarded to the accounting server:
[edit access]
user@router# set profile profile1 accounting accounting-stop-on-access-deny
user@router# set profile profile1 accounting accounting-stop-on-failure
7. Open an accounting log on the RADIUS accounting server using the server's address, and view accounting
statistics:
[root@freeradius]# cd /usr/local/var/log/radius/radacct/122.69.1.250
[root@freeradius 122.69.1.250]# ls
detail-20071214
User-Name = "000347e1bab9"
NAS-Port = 67
Acct-Status-Type = Stop
Acct-Session-Id = "8O2.1x811912"
Acct-Input-Octets = 17454
Acct-Output-Octets = 4245
Acct-Session-Time = 1221041249
Acct-Input-Packets = 72
Acct-Output-Packets = 53
Acct-Terminate-Cause = Lost-Carrier
Acct-Input-Gigawords = 0
Acct-Output-Gigawords = 0
Called-Station-Id = "00-19-e2-50-52-60"
Calling-Station-Id = "00-03-47-e1-ba-b9"
Event-Timestamp = "Sep 10 2008 16:52:39 PDT"
NAS-Identifier = "esp48t-1b-01"
NAS-Port-Type = Virtual
User-Name = "000347e1bab9"
NAS-Port = 67
Acct-Status-Type = Start
Acct-Session-Id = "8O2.1x811219"
Called-Station-Id = "00-19-e2-50-52-60"
Calling-Station-Id = "00-03-47-e1-ba-b9"
Event-Timestamp = "Sep 10 2008 18:58:52 PDT"
NAS-Identifier = "esp48t-1b-01"
NAS-Port-Type = Virtual
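As an added example (not from this guide or from FreeRADIUS), this Python script parses detail records like those shown in step 7, pairs Start and Stop records by Acct-Session-Id, and reports which sessions have started but not yet stopped. The sample file is constructed from the two records above; the unindented timestamp line assumed at the head of each record follows the FreeRADIUS detail-file layout, which the excerpt above omits.

```python
"""Pair FreeRADIUS detail-file Start/Stop accounting records by session ID.
Added example, not from the Junos guide or FreeRADIUS; the sample is built from
the two records in step 7, with the per-record timestamp line assumed from the
FreeRADIUS detail-file layout (the excerpt above omits it)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the Stop record of an earlier session, then the Start
# record of a new one (User-Name here is the MAC, as for a MAC RADIUS client).
SAMPLE_DETAIL = """\
Wed Sep 10 16:52:39 2008
\tUser-Name = "000347e1bab9"
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "8O2.1x811912"
\tAcct-Input-Octets = 17454
\tAcct-Output-Octets = 4245
\tAcct-Terminate-Cause = Lost-Carrier
\tAcct-Input-Gigawords = 0
\tAcct-Output-Gigawords = 0
\tCalling-Station-Id = "00-03-47-e1-ba-b9"
\tNAS-Identifier = "esp48t-1b-01"

Wed Sep 10 18:58:52 2008
\tUser-Name = "000347e1bab9"
\tAcct-Status-Type = Start
\tAcct-Session-Id = "8O2.1x811219"
\tCalling-Station-Id = "00-03-47-e1-ba-b9"
\tNAS-Identifier = "esp48t-1b-01"
"""


def parse_detail(text: str) -> List[Dict[str, str]]:
    """Split blank-line-separated records into dicts of 'Name = Value' attributes
    (quotes stripped); any other non-empty line is kept under '_header'."""
    records: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                records.append(current)
                current = None
            continue
        if current is None:
            current = {}
        name, sep, value = line.partition(" = ")
        if sep:
            current[name.strip()] = value.strip().strip('"')
        else:
            current["_header"] = line
    if current:
        records.append(current)
    return records


@dataclass
class Session:
    session_id: str
    user: str
    start: Optional[Dict[str, str]] = None
    stop: Optional[Dict[str, str]] = None

    @property
    def state(self) -> str:
        """closed: Start and Stop seen; open: Start only; stop-only: Stop only."""
        if self.start and self.stop:
            return "closed"
        return "open" if self.start else "stop-only"

    def octets(self, direction: str) -> int:
        """Byte count ('Input' or 'Output') from the Stop record, combining the
        32-bit Acct-*-Octets counter with its Acct-*-Gigawords wrap count."""
        if self.stop is None:
            return 0
        low = int(self.stop.get(f"Acct-{direction}-Octets", "0"))
        wraps = int(self.stop.get(f"Acct-{direction}-Gigawords", "0"))
        return wraps * (1 << 32) + low


def build_sessions(records: List[Dict[str, str]]) -> Dict[str, Session]:
    """Group Start/Stop records by Acct-Session-Id; other status types are skipped."""
    sessions: Dict[str, Session] = {}
    for rec in records:
        sid = rec.get("Acct-Session-Id")
        status = rec.get("Acct-Status-Type")
        if not sid or status not in ("Start", "Stop"):
            continue
        sess = sessions.setdefault(sid, Session(sid, rec.get("User-Name", "")))
        if status == "Start":
            sess.start = rec
        else:
            sess.stop = rec
    return sessions


def open_sessions(sessions: Dict[str, Session]) -> List[str]:
    """Session IDs that started but have not stopped within this file."""
    return sorted(sid for sid, s in sessions.items() if s.state == "open")
```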
Release Description
14.2 Starting with Junos OS Release 14.2, RADIUS accounting permits statistical data about users
logging onto or off a LAN to be collected and sent to a RADIUS accounting server.
Starting with Junos OS Release 14.2, IEEE 802.1X authentication provides network edge security, protecting
Ethernet LANs from unauthorized user access by blocking all traffic to and from a supplicant (client) at the
interface until the supplicant's credentials are presented and matched on the authentication server (a
RADIUS server). When the supplicant is authenticated, the switch stops blocking access and opens the
interface to the supplicant.
NOTE:
• You can also specify an 802.1X exclusion list to specify supplicants that can bypass
authentication and be automatically connected to the LAN.
• You cannot configure 802.1X user authentication on interfaces that have been enabled for
Q-in-Q tunneling.
• You cannot configure 802.1X user authentication on redundant trunk groups (RTGs).
Before you begin, specify the RADIUS server or servers to be used as the authentication server.
1. Configure the supplicant mode as single (authenticates the first supplicant), single-secure (authenticates
only one supplicant), or multiple (authenticates multiple supplicants):
3. Configure the interface timeout value for the response from the supplicant:
4. Configure the timeout for the interface before it resends an authentication request to the RADIUS
server:
5. Configure how long, in seconds, the interface waits before retransmitting the initial EAPOL PDUs to
the supplicant:
6. Configure the maximum number of times an EAPOL request packet is retransmitted to the supplicant
before the authentication session times out:
7. Configure the number of times the switch attempts to authenticate the port after an initial failure. The
port remains in a wait state during the quiet period after the authentication attempt.
NOTE: This setting specifies the number of tries before the switch puts the interface in a “HELD”
state.
Release Description
14.2 Starting with Junos OS Release 14.2, IEEE 802.1X authentication provides network edge security,
protecting Ethernet LANs from unauthorized user access by blocking all traffic to and from a
supplicant (client) at the interface until the supplicant's credentials are presented and matched on
the authentication server (a RADIUS server).
Link Layer Discovery Protocol–Media Endpoint Discovery (LLDP-MED) is an extension of LLDP. Starting
with Junos OS Release 14.2, the router uses LLDP-MED to support device discovery of VoIP telephones
and to create location databases for these telephone locations.
LLDP-MED is enabled on all interfaces by default. If it is disabled, you can enable LLDP-MED by configuring
it on all interfaces or on specific interfaces.
You can configure the location information that is advertised from the router to the LLDP-MED device.
You can specify a civic-based location (geographic location) or a location based on an ELIN (Emergency
Location Identification Number):
You can specify the number of LLDP-MED advertisements sent from the router in the first second after
it has detected an LLDP-MED device. The default is 3; to set it to another value:
NOTE: If an interface is configured as a VoIP interface, then the router does not wait for an
attached phone to identify itself as an LLDP-MED device before it performs an LLDP-MED fast
start after a graceful Routing Engine switchover (GRES) or a reboot. Instead, it immediately
performs an LLDP-MED fast start after a GRES or reboot. This behavior prevents certain models
of IP phones from resetting after a GRES.
Release Description
14.2 Starting with Junos OS Release 14.2, the router uses LLDP-MED to support device discovery
of VoIP telephones and to create location databases for these telephone locations.
Starting with Junos OS Release 14.2, devices use Link Layer Discovery Protocol (LLDP) and Link Layer
Discovery Protocol–Media Endpoint Discovery (LLDP-MED) to learn and distribute device information on
network links. The information enables the device to quickly identify a variety of other devices, resulting
in a LAN that interoperates smoothly and efficiently.
LLDP is enabled on all interfaces by default. If it is disabled, you can enable LLDP by configuring it on all
interfaces or on specific interfaces.
NOTE: On MX Series routers, LLDP cannot be configured on the management Ethernet interface.
Issuing the command set protocols lldp interface em0 generates the following error message:
You can adjust the following settings for LLDP advertisements for troubleshooting or verification purposes.
The default values are applied when LLDP is enabled. For normal operations, we recommend that you do
not change the default values.
• To specify the frequency at which LLDP advertisements are sent (in seconds):
• To specify the number of seconds that LLDP information is held before it is discarded (the multiplier
value is used in combination with the advertisement-interval value):
• To specify the number of seconds the device delays before sending advertisements to neighbors after
a change is made in a TLV (type, length, or value) element in LLDP or in the state of the local system,
such as a change in hostname or management address, set the transmit delay. The transmit delay is
enabled by default on switches to reduce the delay in notifying neighbors of a change in the local system.
The default value is 2 seconds (if the advertisement-interval value is set to 8 seconds or more) or 1
second (if the advertisement-interval value is set to less than 8 seconds).
For example:
NOTE: The advertisement-interval value must be greater than or equal to four times the
transmit-delay value; otherwise, an error is returned when you attempt to commit the
configuration.
You can adjust the following settings for SNMP notifications of LLDP changes. If the values are not specified
or if the interval values are set to 0, the notifications are disabled.
• To specify the frequency at which LLDP database changes are sent (in seconds):
For example:
• To configure the time interval for SNMP trap notifications to wait for topology changes (in seconds):
For example:
• To specify the holding time (used in combination with the ptopo-configuration-trap-interval value) to
maintain dynamic topology entries (in seconds):
For example:
You can configure an IPv4 or IPv6 management address to be used in the LLDP Management Address
type, length, and value (TLV) messages. Only out-of-band management addresses must be used as the
value for the management-address statement.
NOTE: Ensure that the interface with the configured management address has LLDP enabled
using the set protocols lldp interface command. If you configure a customized management
address for LLDP on an interface that has LLDP disabled, the show lldp local-information
command output will not display the correct interface information.
Release Description
14.2 Starting with Junos OS Release 14.2, devices use Link Layer Discovery Protocol (LLDP) and
Link Layer Discovery Protocol–Media Endpoint Discovery (LLDP-MED) to learn and distribute
device information on network links.
Starting with Junos OS Release 14.2, server fail fallback allows you to specify how end devices connected
to the router are supported if the RADIUS authentication server becomes unavailable or sends a RADIUS
access-reject message.
802.1X and MAC RADIUS authentication work by using an authenticator port access entity (the router) to
block all traffic to and from an end device at the interface until the end device's credentials are presented
and matched on the authentication server (a RADIUS server). When the end device has been authenticated,
the router stops blocking and opens the interface to the end device.
When you set up 802.1X or MAC RADIUS authentication on the router, you specify a primary authentication
server and one or more backup authentication servers. If the primary authentication server cannot be
reached by the router and the secondary authentication servers are also unreachable, a RADIUS server
timeout occurs. Because the authentication server grants or denies access to the end devices awaiting
authentication, the router does not receive access instructions for end devices attempting access to the
LAN and normal authentication cannot be completed. Server fail fallback allows you to configure
authentication alternatives that permit the router to take appropriate actions toward end devices awaiting
authentication or reauthentication.
NOTE: The authentication fallback method called server-reject VLAN provides limited access to
a LAN, typically just to the Internet, for responsive end devices that are 802.1X-enabled but that
have sent the wrong credentials. If the end device that is authenticated using the server-reject
VLAN is an IP phone, voice traffic is not allowed.
• Configure an interface to allow traffic to flow from a supplicant to the LAN if a RADIUS server timeout
occurs (as if the end device had been successfully authenticated by a RADIUS server):
• Configure an interface to prevent traffic flow from an end device to the LAN (as if the end device had
failed authentication and had been rejected by the RADIUS server):
• Configure an interface to move an end device to a specified VLAN if a RADIUS server timeout occurs
(in this case, the VLAN name is vlan1):
• Configure an interface that receives a RADIUS access-reject message from the authentication server to
move end devices attempting LAN access on the interface to a specified VLAN already configured on
the router (in this case, the VLAN name is vlan-sf):
NOTE: If an IP phone is authenticated in the server-reject VLAN, voice traffic is not allowed.
Release Description
14.2 Starting with Junos OS Release 14.2, server fail fallback allows you to specify how end devices
connected to the router are supported if the RADIUS authentication server becomes unavailable
or sends a RADIUS access-reject message.
Starting with Junos OS Release 14.2, captive portal authentication (hereafter referred to as captive portal)
allows you to authenticate users on MX Series routers by redirecting Web browser requests to a login
page that requires users to input a username and password before they are allowed access to the
network. Captive portal controls network access by requiring users to provide information that is
authenticated against a RADIUS server database using EAP-MD5. You can also use captive portal to display
an acceptable-use policy to users before they access your network.
Juniper Networks Junos Software for MX Series routers provides a template that allows you to easily
design and modify the look of the captive portal login page. You enable specific interfaces for captive
portal. The first time a client connected to a captive portal interface attempts to access a webpage, the
switch presents the captive portal login page. Upon successful authentication, the user is allowed access
to the network and to continue to the original page requested.
NOTE: If Hypertext Transfer Protocol Secure (HTTPS) is enabled, Hypertext Transfer Protocol
(HTTP) requests are redirected to an HTTPS connection for the captive portal authentication
process. After authentication, the client is returned to the HTTP connection.
If there are clients that are not HTTP-enabled connected to the captive portal interface, you can allow
them to bypass captive portal authentication by adding their MAC address to an authentication whitelist.
(If the MAC address has already been learned on the interface, you must clear it using the clear
captive-portal interface interface-name command before adding it to the whitelist.)
When the user is authenticated by the RADIUS server, any per-user policies (attributes) associated with
that user are also sent to the switch.
• The captive portal interface must be configured for family ethernet-switching and set to port mode
access. The VLAN must be configured with a routed VLAN interface (RVI).
• The DHCP gateway IP address for the switch must be configured as the IP address of the routed VLAN
interface.
• Captive portal does not support dynamic assignment of VLANs downloaded from the RADIUS server.
• If the user is idle for more than about 5 minutes and there is no traffic passed, the user is required to
log back in to the captive portal.
Release Description
14.2 Starting with Junos OS Release 14.2, captive portal authentication (hereafter referred to as captive
portal) allows you to authenticate users on MX Series routers by redirecting Web browser requests
to a login page that requires users to input a username and password before they are allowed
access to the network.
Starting with Junos OS Release 14.2, you can specify authentication session timeout values for captive
portal authentication sessions and 802.1X and MAC RADIUS authentication sessions.
For captive portal authentication, the length of the session depends on the value configured for the
session-expiry statement. The remainder of this topic pertains only to 802.1X and MAC RADIUS
authentication sessions.
For 802.1X and MAC RADIUS authentication sessions, the timeout of the session depends on the value
of reauthentication interval for dot1x authentication. The authentication session might also end when
the MAC table aging time expires because, unless you configure it not to, the session is removed from the
authentication session table when the MAC address is removed from the Ethernet switching table.
Information about each 802.1X and MAC RADIUS authentication session—including the associated
interfaces and VLANs for each MAC address that is authenticated by 802.1X authentication or MAC
RADIUS authentication—is stored in the authentication session table. The authentication session table is
tied to the Ethernet switching table (also called the MAC table). Each time the switch detects traffic from
a MAC address, it updates the timestamp for that network node in the Ethernet switching table. A timer
on the switch periodically checks the timestamp and if its value exceeds the user-configured
mac-table-aging-time value, the switch removes the MAC address from the Ethernet switching table.
When a MAC address ages out of the Ethernet switching table, the entry for that MAC address is also
removed from the authentication database, with the result that the session ends.
You can control variables affecting timeout of authentication sessions in the following ways:
• Set the authentication session timeout on all interfaces or on selected interfaces using the reauthentication
statement.
• Disassociate the authentication session table from the Ethernet switching table using the
no-mac-table-binding statement. This setting prevents the termination of the authentication session
when the associated MAC address ages out of the Ethernet switching table.
Release Description
14.2 Starting with Junos OS Release 14.2, you can specify authentication session timeout values
for captive portal authentication sessions and 802.1X and MAC RADIUS authentication
sessions.
Starting with Junos OS Release 14.2, you can control access to your network through an MX Series router
by using several different authentication methods—including 802.1X, MAC RADIUS, or captive portal.
[Figure g041098: authentication flowchart for 802.1X, MAC RADIUS, and captive portal. Only the figure's labels survive extraction; they are listed here.]
Outcomes:
A Client authenticated. Allow access on port.
B Client is not authenticated. Deny access on port.
C Captive portal.
D Reauthentication.
E Client authenticated. Allow access only to specified VLAN on port.
Decision points and actions shown in the figure: Begin authentication; MAC address in whitelist or static MAC list?; Authenticator configured?; mac-radius restrict statement configured?; Try authenticating using EAPOL (maximum 3 requests); Does client respond to EAP message?; MAC RADIUS configured?; Try authenticating using MAC RADIUS; Captive portal configured?; Guest VLAN configured?; Does RADIUS server respond?; Does RADIUS server return access-accept?; Server-reject VLAN configured?; Server-fail VLAN configured?
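To make the decision flow concrete, here is an added example (not code from the guide or from Junos OS) that models it in Python: the static MAC bypass check, up to three EAPOL requests, the fall-through to MAC RADIUS for a silent host (immediately when mac-radius restrict is set), the server-fail fallback actions from the earlier section (permit, deny, or a VLAN), the server-reject VLAN for 802.1X clients that present wrong credentials, and captive portal or guest VLAN as the last resorts. The class and field names (PortConfig, Client, RadiusServer, eapol_answered_on, server_fail) are this example's own, not Junos statement names; per-request timers are not modelled, only the request count, and which EAPOL request a supplicant answers is an input to the model.

```python
from dataclasses import dataclass, field
from typing import Optional

# Outcome letters as in the flowchart legend.
OUTCOMES = {
    'A': 'Client authenticated. Allow access on port.',
    'B': 'Client is not authenticated. Deny access on port.',
    'C': 'Captive portal.',
    'E': 'Client authenticated. Allow access only to specified VLAN on port.',
}
MAX_EAPOL_REQUESTS = 3   # the router sends three EAPOL requests before treating a host as silent


@dataclass
class PortConfig:
    """Per-interface settings (example's own names, not Junos statements)."""
    static_mac_list: set = field(default_factory=set)  # static MAC bypass / whitelist
    dot1x: bool = True                   # authenticator configured on the port
    mac_radius: bool = False
    mac_radius_restrict: bool = False    # skip EAPOL and go straight to MAC RADIUS
    captive_portal: bool = False
    guest_vlan: Optional[str] = None
    server_reject_vlan: Optional[str] = None  # fallback on access-reject (802.1X clients)
    server_fail: Optional[str] = None         # 'permit', 'deny' or a VLAN name; None = deny


@dataclass
class Client:
    mac: str
    eapol_answered_on: Optional[int]   # which EAPOL request the supplicant answers; None = never
    credentials_ok: bool = True        # what the RADIUS server would decide for its credentials


@dataclass
class RadiusServer:
    reachable: bool = True
    permitted_macs: set = field(default_factory=set)  # MAC-as-username entries on the server


def supplicant_responds(client):
    """A supplicant that does not answer within MAX_EAPOL_REQUESTS counts as non-responsive."""
    return client.eapol_answered_on is not None and client.eapol_answered_on <= MAX_EAPOL_REQUESTS


def server_fail_verdict(cfg):
    """RADIUS timeout on all configured servers: apply the server-fail fallback."""
    if cfg.server_fail == 'permit':
        return ('A', None)
    if cfg.server_fail in (None, 'deny'):
        return ('B', None)
    return ('E', cfg.server_fail)       # move the host to the server-fail VLAN


def radius_verdict(cfg, accepted, reject_vlan_allowed):
    """Reachable server: access-accept allows; access-reject denies unless the
    server-reject VLAN applies (it is meant for 802.1X clients with wrong credentials)."""
    if accepted:
        return ('A', None)
    if reject_vlan_allowed and cfg.server_reject_vlan:
        return ('E', cfg.server_reject_vlan)
    return ('B', None)


def authenticate(cfg, client, server):
    """Walk the decision flow for one host appearing on the port; returns (outcome, vlan)."""
    # Static MAC bypass: no RADIUS exchange at all.
    if client.mac in cfg.static_mac_list:
        return ('A', None)
    # No authenticator on the port: captive portal is the only method left.
    if not cfg.dot1x:
        return ('C', None) if cfg.captive_portal else ('B', None)
    # 802.1X first, unless 'restrict' skips straight to MAC RADIUS.
    if not cfg.mac_radius_restrict and supplicant_responds(client):
        if not server.reachable:
            return server_fail_verdict(cfg)
        return radius_verdict(cfg, client.credentials_ok, reject_vlan_allowed=True)
    # Silent host (or restrict set): MAC RADIUS if enabled.
    if cfg.mac_radius or cfg.mac_radius_restrict:
        if not server.reachable:
            return server_fail_verdict(cfg)
        return radius_verdict(cfg, client.mac in server.permitted_macs, reject_vlan_allowed=False)
    # Otherwise captive portal, then guest VLAN, then deny.
    if cfg.captive_portal:
        return ('C', None)
    if cfg.guest_vlan:
        return ('E', cfg.guest_vlan)
    return ('B', None)


if __name__ == '__main__':
    server = RadiusServer(permitted_macs={'00040ffdacfe'})
    printer = Client('00040ffdacfe', eapol_answered_on=None)
    print(authenticate(PortConfig(mac_radius_restrict=True), printer, server))
```

Reviewing a port's settings against this model is a quick way to see what a silent or misconfigured device ends up with: with no MAC RADIUS, captive portal or guest VLAN, the answer is always B, and a server outage turns into A, B or a VLAN depending only on the server-fail setting.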
Release Description
14.2 Starting with Junos OS Release 14.2, you can control access to your network through an MX
Series router by using several different authentication methods—including 802.1X, MAC
RADIUS, or captive portal.
IEEE 802.1X and MAC RADIUS authentication both provide network edge security, protecting Ethernet
LANs from unauthorized user access by blocking all traffic to and from devices at the interface until the
supplicant's credentials or MAC address are presented and matched on the authentication server (a RADIUS
server). When the supplicant is authenticated, the router stops blocking access and opens the interface
to the supplicant.
Starting with Junos OS Release 14.2, to use 802.1X or MAC RADIUS authentication, you must specify the
connections on the router for each RADIUS server to which you will connect.
1. Define the IP address of the RADIUS server, the RADIUS server authentication port number, and the
secret password. You can define more than one RADIUS server. The secret password on the router
must match the secret password on the server:
[edit access]
user@router# set radius-server 10.0.0.100 port 1812 secret abc
NOTE: Specifying the authentication port is optional, and port 1812 is the default. However,
we recommend that you configure it in order to avoid confusion as some RADIUS servers
might refer to an older default.
2. (Optional) Specify the IP address by which the router is identified by the RADIUS server. If you do not
specify this, the RADIUS server uses the address of the interface sending the RADIUS request. We
recommend that you specify this IP address because if the request gets diverted on an alternate route
to the RADIUS server, the interface relaying the request might not be an interface on the router.
[edit access]
user@router# set radius-server source-address 10.93.14.100
3. Configure the authentication order, making radius the first method of authentication:
[edit access]
user@router# set profile profile1 authentication-order radius
4. Create a profile and specify the list of RADIUS servers to be associated with the profile. For example,
you might choose to group your RADIUS servers geographically by city. This feature enables easy
modification whenever you want to change to a different set of authentication servers.
5. Specify the group of servers to be used for 802.1X or MAC RADIUS authentication by identifying the
profile name:
6. Configure the IP address of the MX Series router in the list of clients on the RADIUS server. For specifics
on configuring the RADIUS server, consult the documentation for your server.
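Step 1 requires the secret on the router and on the server to match. The following added example (not code from the guide or from Junos OS) shows in Python what that secret is used for in the RFC 2865 exchange: the router hides the User-Password with MD5(secret + Request Authenticator), and the server proves it holds the same secret by computing the Response Authenticator over its reply; if either side has a different secret, the password does not decode and the reply fails verification. The secret `abc` and the source address 10.93.14.100 come from the steps above; the identifier, user name and password are constructed, and the RFC 2869 Message-Authenticator attribute is not included.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4


def attr(t, value):
    """Encode one attribute as Type, Length, Value (RFC 2865 section 5)."""
    return struct.pack('!BB', t, len(value) + 2) + value


def parse_attrs(data):
    """Decode a TLV attribute list into (type, value) pairs."""
    out, i = [], 0
    while i < len(data):
        t, l = data[i], data[i + 1]
        out.append((t, data[i + 2:i + l]))
        i += l
    return out


def hide_password(password, secret, request_auth):
    """User-Password hiding (RFC 2865 section 5.2): pad to a 16-byte multiple and
    XOR each block with MD5(secret + previous ciphertext block), seeded with the
    Request Authenticator."""
    p = password + b'\x00' * (-len(password) % 16)
    out, prev = b'', request_auth
    for i in range(0, len(p), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(p[i:i + 16], b))
        out += c
        prev = c
    return out


def unhide_password(hidden, secret, request_auth):
    """Inverse of hide_password; only works with the same secret."""
    out, prev = b'', request_auth
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        c = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(c, b))
        prev = c
    return out.rstrip(b'\x00')


def build_packet(code, ident, authenticator, attrs):
    """Code, Identifier, Length, Authenticator, Attributes."""
    body = b''.join(attrs)
    return struct.pack('!BBH', code, ident, 20 + len(body)) + authenticator + body


def access_request(ident, username, password, nas_ip, secret, request_auth=None):
    """Router (NAS) side: build an Access-Request with a fresh Request Authenticator."""
    ra = request_auth or os.urandom(16)
    attrs = [attr(ATTR_USER_NAME, username.encode()),
             attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, ra)),
             attr(ATTR_NAS_IP, bytes(int(o) for o in nas_ip.split('.')))]
    return build_packet(ACCESS_REQUEST, ident, ra, attrs)


def response_authenticator(code, ident, attrs_body, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack('!BBH', code, ident, 20 + len(attrs_body))
    return hashlib.md5(header + request_auth + attrs_body + secret).digest()


def server_reply(request, secret, users):
    """Server side: recover the password with its own secret, look the user up,
    and answer Accept or Reject keyed with the Response Authenticator."""
    code, ident, length = struct.unpack('!BBH', request[:4])
    ra = request[4:20]
    fields = dict(parse_attrs(request[20:length]))
    name = fields[ATTR_USER_NAME].decode()
    pw = unhide_password(fields[ATTR_USER_PASSWORD], secret, ra)
    reply_code = ACCESS_ACCEPT if users.get(name) == pw else ACCESS_REJECT
    auth = response_authenticator(reply_code, ident, b'', ra, secret)
    return build_packet(reply_code, ident, auth, [])


def verify_reply(reply, request, secret):
    """Router side: trust the reply only if its Response Authenticator matches
    what we compute with our secret and the Request Authenticator we sent."""
    code, ident, length = struct.unpack('!BBH', reply[:4])
    expected = response_authenticator(code, ident, reply[20:length], request[4:20], secret)
    return hmac.compare_digest(reply[4:20], expected)


if __name__ == '__main__':
    secret = b'abc'
    req = access_request(7, 'printer1', 'pr1nt3r', '10.93.14.100', secret)
    reply = server_reply(req, secret, {'printer1': b'pr1nt3r'})
    print('accepted:', reply[0] == ACCESS_ACCEPT, 'verified:', verify_reply(reply, req, secret))
```

The construction is MD5-based and the secret is the only thing protecting the password in transit, which is why the guide insists the secrets match and why RADIUS traffic belongs on a protected management path.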
Release Description
14.2 Starting with Junos OS Release 14.2, to use 802.1X or MAC RADIUS authentication, you
must specify the connections on the router for each RADIUS server to which you will connect.
NOTE: This example uses Junos OS for MX240, MX480, and MX960 routers with support for
the Enhanced LAN mode configuration style. If your router does not run MX-LAN mode, you
cannot configure port-based authentication settings in the same manner as described in this
section. If you remove the network-services lan statement at the [edit chassis] hierarchy level,
the system does not run in MX-LAN mode. Therefore, all of the settings that are supported
outside of the MX-LAN mode are displayed and are available for definition in the CLI interface.
In such a scenario, you must use the statements at the [edit protocols dot1x] hierarchy level to
configure 802.1x and MAC RADIUS authentication, and the options at the [edit services
captive-portal] hierarchy level to configure captive portal authentication. In MX-LAN mode, you
can configure all the port-based network access control methodologies using the statements at
the [edit protocols authentication-access-control] hierarchy level.
Starting with Junos OS Release 14.2, configure captive portal authentication (hereafter referred to as
captive portal) on an MX Series router so that users connected to the router are authenticated before
being allowed to access the network. When the user requests a webpage, a login page is displayed that
requires the user to input a username and password. Upon successful authentication, the user is allowed
to continue with the original page request and subsequent access to the network.
• Configured basic access between the MX Series router and the RADIUS server.
1. Associate the security certificate with the Web server and enable HTTPS on the router:
[edit]
user@router# set system services web-management https local-certificate my-signed-cert
NOTE: You can enable HTTP instead of HTTPS, but we recommend HTTPS for security
purposes.
[edit]
user@router# set protocols custom-options-captive-portal secure-authentication https
[edit]
user@router# set authentication-access-control interface ge-0/0/10
[edit]
user@router# set authentication-access-control static 00:10:12:e0:28:22
NOTE: If the client is already attached to the router, you must clear its MAC address from the
captive portal authentication by using the clear captive-portal mac-address session-mac-addr
command after adding its MAC address to the whitelist. Otherwise the new entry for the MAC
address will not be added to the Ethernet switching table and the authentication bypass will not
be allowed.
Release Description
14.2 Starting with Junos OS Release 14.2, configure captive portal authentication (hereafter referred
to as captive portal) on an MX Series router so that users connected to the router are
authenticated before being allowed to access the network.
Starting with Junos OS Release 14.2, you can set up captive portal authentication on your switch to redirect
all Web browser requests to a login page that requires the user to input a username and password before
they are allowed access. Upon successful authentication, the user is allowed access to the network and
redirected to the original page requested.
Junos OS provides a customizable template for the captive portal window that allows you to easily design
and modify the look of the captive portal login page. You can modify the design elements of the template
to change the look of your captive portal login page and to add instructions or information to the page.
You can also modify any of the design elements of a captive portal login page.
The first screen displayed before the captive login page requires the user to read the “Terms and Conditions
of Use”. By clicking the Agree button, the user can access the captive portal login page.
Table 33 on page 459 summarizes the configurable elements of a captive portal login page.
Element | Statement | Description
Footer background color | footer-bgcolor hex-color | The HTML hexadecimal code for the background color of the captive portal login page footer.
Footer message | footer-message text-string | Text displayed in the footer of the captive portal login page. You can include copyright information, links, and additional information such as help instructions, legal notices, or a privacy policy.
Footer text color | footer-text-color color | Color of the text in the footer. The default color is white.
Form header background color | form-header-bgcolor hex-color | The HTML hexadecimal code for the background color of the header bar across the top of the form area of the captive portal login page.
Form header message | form-header-message text-string | Text displayed in the header of the captive portal login page. The default text is Captive Portal User Authentication.
Form header text color | form-header-text-color color | Color of the text in the form header. The default color is black.
Form reset button label | form-reset-label label-name | Using the Reset button, the user can clear the username and password fields on the form.
Form submit button label | form-submit-label label-name | Using the Login button, the user can submit the login information.
Header background color | header-bgcolor hex-color | The HTML hexadecimal code for the background color of the captive portal login page header.
Header logo | header-logo filename | Filename of the file containing the image of the logo that you want to appear in the header of the captive portal login page. The image file can be in GIF, JPEG, or PNG format. You can upload a logo image file to the switch. Copy the logo to the /var/tmp directory on the switch (during commit, the files are saved to persistent locations).
Header message | header-message text-string | Text displayed in the page header. The default text is User Authentication.
Header text color | header-text-color color | Color of the text in the header. The default color is white.
Post-authentication URL | post-authentication-url url | URL to which the users are directed on successful authentication. By default, users are directed to the page they had originally requested.
2. Configure the custom options to specify the background colors and text displayed in the captive portal
page:
[edit protocols]
user@router# set captive-portal-custom-options header-bgcolor #006600
user@router# set captive-portal-custom-options header-message “Welcome to Our Network”
user@router# set captive-portal-custom-options banner-message “Please enter your username and password”
user@router# set custom-options footer-message “Copyright ©2010, Our Network”
The banner displays the message ”XXXXXXX” by default. The user can modify this message.
NOTE: For the custom options that you do not specify, the default value is used.
Release Description
14.2 Starting with Junos OS Release 14.2, you can set up captive portal authentication on your
switch to redirect all Web browser requests to a login page that requires the user to input a
username and password before they are allowed access.
Starting with Junos OS Release 14.2, you can configure a static MAC bypass list (sometimes called the
exclusion list) on the switch to specify MAC addresses of devices allowed access to the LAN without
802.1X or MAC RADIUS authentication requests to the RADIUS server.
Release Description
14.2 Starting with Junos OS Release 14.2, you can configure a static MAC bypass list (sometimes
called the exclusion list) on the switch to specify MAC addresses of devices allowed access to
the LAN without 802.1X or MAC RADIUS authentication requests to the RADIUS server.
Starting with Junos OS Release 14.2, for 802.1X and MAC RADIUS authentication sessions, you can specify
authentication session timeout values using the reauthentication statement.
The session might also end when the MAC table aging time expires, because the session is removed from
the authentication session table when the MAC address is removed from the Ethernet switching table. In
order to prevent the session from being removed from the authentication session table, you must
disassociate the authentication table from the Ethernet switching table using the no-mac-table-binding
statement.
[edit]
user@router# set protocols authentication-access-control interface all dot1x reauthentication seconds
[edit]
user@router# set protocols authentication-access-control interface interface-name dot1x reauthentication seconds
To disable removal of authentication sessions from the authentication session table when a MAC address
ages out of the Ethernet switching table, remove the binding of the authentication table to the Ethernet
switching table.
[edit]
user@router# set protocols authentication-access-control no-mac-table-binding interface all
[edit]
user@router# set protocols authentication-access-control no-mac-table-binding interface interface-name
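The interaction between the reauthentication interval and the MAC table aging time, described here and in the earlier "authentication session timeout" topic, is easiest to see in a small model. The following is an added example (not code from the guide or from Junos OS) in Python: one object holds both the Ethernet switching table and the authentication session table, a periodic timer ages idle MAC entries, and the binding flag decides whether an aged-out MAC also ends the session. The class and method names (AccessControlTables, tick, has_session) are this example's own; the MAC address and interface come from the guide's MAC RADIUS example, the timer values are constructed.

```python
from dataclasses import dataclass


@dataclass
class AuthSession:
    mac: str
    interface: str
    vlan: str
    authenticated_at: float


class AccessControlTables:
    """Model of the Ethernet switching (MAC) table and the authentication
    session table, and of how the two are tied together."""

    def __init__(self, mac_table_aging_time, reauthentication, mac_table_binding=True):
        self.aging = mac_table_aging_time     # seconds an idle MAC entry survives
        self.reauth = reauthentication        # dot1x reauthentication interval, seconds
        self.binding = mac_table_binding      # False models no-mac-table-binding
        self.mac_table = {}                   # mac -> timestamp of last traffic
        self.sessions = {}                    # mac -> AuthSession

    def authenticate(self, mac, interface, vlan, now):
        """A successful 802.1X or MAC RADIUS authentication creates the session
        and the MAC table entry for the host."""
        self.sessions[mac] = AuthSession(mac, interface, vlan, now)
        self.mac_table[mac] = now

    def traffic(self, mac, now):
        """Each frame from a known MAC refreshes its MAC table timestamp."""
        if mac in self.mac_table:
            self.mac_table[mac] = now

    def tick(self, now):
        """Periodic timer. Returns (aged_out_macs, reauthentication_due_macs).
        MAC entries idle longer than the aging time are removed; while the
        tables are bound, the session is removed with the MAC entry. Sessions
        whose age has reached the reauthentication interval are reported."""
        aged = [m for m, seen in self.mac_table.items() if now - seen > self.aging]
        for mac in aged:
            del self.mac_table[mac]
            if self.binding:
                self.sessions.pop(mac, None)
        due = [m for m, s in self.sessions.items() if now - s.authenticated_at >= self.reauth]
        return aged, due

    def has_session(self, mac):
        return mac in self.sessions


if __name__ == '__main__':
    bound = AccessControlTables(mac_table_aging_time=300, reauthentication=3600)
    bound.authenticate('00040ffdacfe', 'ge-0/0/19', 'default', now=0)
    print(bound.tick(301), bound.has_session('00040ffdacfe'))   # session gone with the MAC entry
    unbound = AccessControlTables(300, 3600, mac_table_binding=False)
    unbound.authenticate('00040ffdacfe', 'ge-0/0/19', 'default', now=0)
    print(unbound.tick(301), unbound.has_session('00040ffdacfe'))  # session survives
```

With binding in effect, a quiet host such as a printer can lose its session well before the reauthentication interval, simply because its MAC entry aged out; no-mac-table-binding trades that for sessions that persist until reauthentication even when the host is silent, so the reauthentication interval becomes the only bound on how long a stale session lives.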
Release Description
14.2 Starting with Junos OS Release 14.2, for 802.1X and MAC RADIUS authentication sessions,
you can specify authentication session timeout values using the reauthentication statement.
Starting with Junos OS Release 14.2, you can permit devices that are not 802.1X-enabled LAN access by
configuring MAC RADIUS authentication on the MX Series router interfaces to which the hosts are
connected.
NOTE: You can also allow non-802.1X-enabled devices to access the LAN by configuring their
MAC address for static MAC bypass of authentication.
You can configure MAC RADIUS authentication on an interface that also allows 802.1X authentication,
or you can configure either authentication method alone.
If both MAC RADIUS and 802.1X authentication are enabled on the interface, the router first sends three
EAPOL requests to the host. If there is no response from the host, the router sends the host’s
MAC address to the RADIUS server to check whether it is a permitted MAC address. If the MAC address
is configured as permitted on the RADIUS server, the RADIUS server sends a message to the router that
the MAC address is a permitted address, and the router opens LAN access to the nonresponsive host on
the interface to which it is connected.
If MAC RADIUS authentication is configured on the interface but 802.1X authentication is not (by using
the mac-radius restrict option), the router attempts to authenticate the MAC address with the RADIUS
server without delaying by attempting 802.1X authentication first.
• Configured basic access between the MX Series router and the RADIUS server.
• Configured MX240, MX480, and MX960 routers to function in enhanced LAN mode by entering the
network-services lan statement at the [edit chassis] hierarchy level.
• On the router, configure the interfaces to which the nonresponsive hosts are attached for MAC RADIUS
authentication, and add the restrict qualifier for interface ge-0/0/20 to have it use only MAC RADIUS
authentication:
[edit]
user@router# set protocols authentication-access-control interface ge-0/0/19 dot1x mac-radius
user@router# set protocols authentication-access-control interface ge-0/0/20 dot1x mac-radius restrict
• On a RADIUS authentication server, create user profiles for each nonresponsive host using the MAC
address (without colons) of the nonresponsive host as the username and password (here, the MAC
addresses are 00:04:0f:fd:ac:fe and 00:04:ae:cd:23:5f):
[root@freeradius]# cd /etc/raddb
[root@freeradius raddb]# vi users
00040ffdacfe Auth-type:=Local, User-Password = "00040ffdacfe"
0004aecd235f Auth-type:=Local, User-Password = "0004aecd235f"
Release Description
14.2 Starting with Junos OS Release 14.2, you can permit devices that are not 802.1X-enabled LAN
access by configuring MAC RADIUS authentication on the MX Series router interfaces to
which the hosts are connected.
IN THIS SECTION
Requirements | 582
Configuration | 583
Verification | 585
Starting with Junos OS Release 14.2, to permit hosts that are not 802.1X-enabled to access the LAN, you
can configure MAC RADIUS authentication on the router interfaces to which the non-802.1X-enabled
hosts are connected. When MAC RADIUS authentication is configured, the router will attempt to
authenticate the host with the RADIUS server using the host’s MAC address.
This example describes how to configure MAC RADIUS authentication for two non-802.1X-enabled hosts:
Requirements
• Junos OS Release 14.2 or later for MX240, MX480, or MX960 routers running in enhanced LAN mode.
• An MX Series router acting as an authenticator port access entity (PAE). The ports on the authenticator
PAE form a control gate that blocks all traffic to and from supplicants until they are authenticated.
• A RADIUS authentication server. The authentication server acts as the backend database and contains
credential information for hosts (supplicants) that have permission to connect to the network.
Before you connect the server to the router, be sure you have:
IEEE 802.1X Port-Based Network Access Control (PNAC) authenticates and permits devices access to a
LAN if the devices can communicate with the router using the 802.1X protocol (are 802.1X-enabled). To
permit non-802.1X-enabled end devices to access the LAN, you can configure MAC RADIUS authentication
on the interfaces to which the end devices are connected. When the MAC address of the end device
appears on the interface, the router consults the RADIUS server to check whether it is a permitted MAC
address. If the MAC address of the end device is configured as permitted on the RADIUS server, the router
opens LAN access to the end device.
You can configure both MAC RADIUS authentication and 802.1X authentication methods on an interface
configured for multiple supplicants. Additionally, if an interface is only connected to a non-802.1X-enabled
host, you can enable MAC RADIUS without enabling 802.1X authentication by using the mac-radius restrict
option, and thus avoid the delay that occurs while the router determines that the device does not respond
to EAP messages.
Two printers are connected to an MX Series router over interfaces, ge-0/0/19 and ge-0/0/20.
Table 27 on page 395 shows the components in the example for MAC RADIUS authentication.
Property Settings
The printer with the MAC address 00040ffdacfe is connected to access interface ge-0/0/19. A second
printer with the MAC address 0004aecd235f is connected to access interface ge-0/0/20. In this example,
both interfaces are configured for MAC RADIUS authentication on the router, and the MAC addresses
(without colons) of both printers are configured on the RADIUS server. Interface ge-0/0/20 is configured
to eliminate the normal delay while the router attempts 802.1X authentication: MAC RADIUS authentication
is enabled and 802.1X authentication is disabled using the mac-radius restrict option.
Configuration
CLI Quick Configuration
To quickly configure MAC RADIUS authentication, copy the following commands and paste them into the
router terminal window:
[edit]
set protocols authentication-access-control interface ge-0/0/19 dot1x mac-radius
set protocols authentication-access-control interface ge-0/0/20 dot1x mac-radius restrict
NOTE: You must also configure the two MAC addresses as usernames and passwords on the
RADIUS server, as is done in step 2 of the Step-by-Step Procedure.
Step-by-Step Procedure
Configure MAC RADIUS authentication on the router and on the RADIUS server:
1. On the router, configure the interfaces to which the printers are attached for MAC RADIUS
authentication, and configure the restrict option on interface ge-0/0/20, so that only MAC RADIUS
authentication is used:
[edit]
user@router# set protocols authentication-access-control interface ge-0/0/19 dot1x mac-radius
user@router# set protocols authentication-access-control interface ge-0/0/20 dot1x mac-radius restrict
2. On the RADIUS server, configure the MAC addresses 00040ffdacfe and 0004aecd235f as usernames
and passwords:
[root@freeradius]# cd /etc/raddb
[root@freeradius]# vi users
00040ffdacfe Auth-Type := EAP, User-Password = "00040ffdacfe"
0004aecd235f Auth-Type := EAP, User-Password = "0004aecd235f"
Results
Display the results of the configuration on the router:
protocols {
    authentication-access-control {
        interface {
            ge-0/0/19.0 {
                dot1x {
                    mac-radius;
                }
            }
            ge-0/0/20.0 {
                dot1x {
                    mac-radius {
                        restrict;
                    }
                }
            }
        }
    }
}
Verification
Purpose
After supplicants are configured for MAC RADIUS authentication on the router and on the RADIUS server,
verify that they are authenticated and display the method of authentication:
Action
user@router> show dot1x interface detail
ge-0/0/19.0
Role: Authenticator
Administrative state: Auto
Supplicant mode: Single
Number of retries: 3
Quiet period: 60 seconds
Transmit period: 30 seconds
Mac Radius: Enabled
Mac Radius Restrict: Disabled
Reauthentication: Enabled
Configured Reauthentication interval: 3600 seconds
Supplicant timeout: 30 seconds
Server timeout: 30 seconds
Maximum EAPOL requests: 2
Guest VLAN member: <not configured>
Number of connected supplicants: 1
Supplicant: user101, 00:04:0f:fd:ac:fe
Operational state: Authenticated
Authentication method: MAC Radius
Authenticated VLAN: vo11
Dynamic Filter: match source-dot1q-tag 10 action deny
Session Reauth interval: 60 seconds
Reauthentication due in 50 seconds
ge-0/0/20.0
Role: Authenticator
Administrative state: Auto
Supplicant mode: Single
Number of retries: 3
Quiet period: 60 seconds
Transmit period: 30 seconds
Mac Radius: Enabled
Mac Radius Restrict: Enabled
Reauthentication: Enabled
Configured Reauthentication interval: 3600 seconds
Supplicant timeout: 30 seconds
Server timeout: 30 seconds
Maximum EAPOL requests: 2
Guest VLAN member: <not configured>
Number of connected supplicants: 1
Supplicant: user102, 00:04:ae:cd:23:5f
Operational state: Authenticated
Meaning
The sample output from the show dot1x interface detail command displays the MAC address of the
connected end device in the Supplicant field. On interface ge-0/0/19, the MAC address is 00:04:0f:fd:ac:fe,
which is the MAC address of the first printer configured for MAC RADIUS authentication. The
Authentication method field displays the authentication method as MAC Radius. On interface ge-0/0/20,
the MAC address is 00:04:ae:cd:23:5f, which is the MAC address of the second printer configured for
MAC RADIUS authentication. The Authentication method field displays the authentication method as
MAC Radius.
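The following Python script is an added example; it is not part of this guide or of Junos OS. It checks the two things that most often break a MAC RADIUS deployment. First, the username and password the router presents are the MAC address in the form shown above (lowercase hexadecimal, no separators), so the script normalizes MACs written in any common spelling and renders FreeRADIUS users entries for them (the Cleartext-Password form is assumed to be what a current FreeRADIUS expects in place of the User-Password line in step 2). Second, it parses a constructed copy of the show dot1x interface detail output and reports any authenticated supplicant whose MAC was never provisioned, and any interface whose mac-radius restrict setting differs from what was intended. Keep in mind that MAC RADIUS proves only a link-layer address, which a host can set freely, so the provisioned list itself is the security boundary.

```python
import re

# Constructed sample in the shape of `show dot1x interface detail`, reduced to
# the fields this check reads; values mirror the two printers in this example.
SAMPLE_DOT1X_DETAIL = """\
ge-0/0/19.0
  Role: Authenticator
  Mac Radius: Enabled
  Mac Radius Restrict: Disabled
  Supplicant: user101, 00:04:0f:fd:ac:fe
    Operational state: Authenticated
    Authentication method: MAC Radius
ge-0/0/20.0
  Role: Authenticator
  Mac Radius: Enabled
  Mac Radius Restrict: Enabled
  Supplicant: user102, 00:04:ae:cd:23:5f
    Operational state: Authenticated
    Authentication method: MAC Radius
"""

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def mac_to_radius_username(mac):
    """Normalize any usual MAC spelling (colons, dashes, dotted, upper case) to
    the form the router sends as RADIUS username and password for MAC RADIUS:
    12 lowercase hex digits with no separators."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError("not a 48-bit MAC address: %r" % (mac,))
    return digits


def freeradius_users_entries(macs):
    """Render one FreeRADIUS `users` line per MAC. Cleartext-Password is the
    current FreeRADIUS spelling of the password check item used in step 2
    (assumption: FreeRADIUS 2.x or later)."""
    return ['%s Cleartext-Password := "%s"' % ((mac_to_radius_username(m),) * 2)
            for m in macs]


def parse_dot1x_detail(text):
    """Parse per-interface blocks. Interface names start at column 0 and their
    fields are indented, as in the live command output."""
    result, cur = {}, None
    for line in text.splitlines():
        s = line.strip()
        if not s:
            continue
        if line[0] not in " \t":
            cur = result.setdefault(s, {"restrict": False, "supplicants": []})
        elif cur is None:
            continue
        elif s.startswith("Mac Radius Restrict:"):
            cur["restrict"] = s.split(":", 1)[1].strip() == "Enabled"
        elif s.startswith("Supplicant:"):
            cur["supplicants"].append(
                {"mac": s.split(",")[-1].strip(), "state": None, "method": None})
        elif s.startswith("Operational state:") and cur["supplicants"]:
            cur["supplicants"][-1]["state"] = s.split(":", 1)[1].strip()
        elif s.startswith("Authentication method:") and cur["supplicants"]:
            cur["supplicants"][-1]["method"] = s.split(":", 1)[1].strip()
    return result


def audit_mac_radius(text, allowed_macs, expected_restrict):
    """Compare router state with intent. allowed_macs: the MACs provisioned on
    the RADIUS server; expected_restrict: {ifname: bool}. Returns a list of
    findings, empty when everything matches."""
    allowed = {mac_to_radius_username(m) for m in allowed_macs}
    findings = []
    for ifname, info in parse_dot1x_detail(text).items():
        want = expected_restrict.get(ifname)
        if want is not None and want != info["restrict"]:
            findings.append("%s: mac-radius restrict is %s, expected %s"
                            % (ifname, info["restrict"], want))
        for sup in info["supplicants"]:
            if (sup["state"] == "Authenticated"
                    and mac_to_radius_username(sup["mac"]) not in allowed):
                findings.append("%s: %s is authenticated but was never provisioned"
                                % (ifname, sup["mac"]))
    return findings


if __name__ == "__main__":
    print("\n".join(freeradius_users_entries(["00:04:0F:FD:AC:FE", "0004.aecd.235f"])))
    print(audit_mac_radius(SAMPLE_DOT1X_DETAIL, ["00040ffdacfe"], {"ge-0/0/19.0": True}))
```

Run it against the real command output (pasted into the text argument) with the MAC list taken from the RADIUS users file; an empty list of findings means the router state matches what was provisioned.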
Release Description
14.2 Starting with Junos OS Release 14.2 to permit hosts that are not 802.1X-enabled to access
the LAN, you can configure MAC RADIUS authentication on the router interfaces to which the
non-802.1X-enabled hosts are connected.
IN THIS SECTION
Requirements
Configuration
Verification
Troubleshooting
Starting with Junos OS Release 14.2, you can set up captive portal authentication (hereafter referred to
as captive portal) on a router to redirect Web browser requests to a login page that requires the user to
input a username and password. Upon successful authentication, the user is allowed to continue with the
original page request and subsequent access to the network.
Requirements
• Configured basic access between the MX Series router and the RADIUS server.
This example shows the configuration required on the router to enable captive portal on an interface. To
permit a printer connected to the captive portal interface to access the LAN without going through captive
portal, add its MAC address to the authentication whitelist. The MAC addresses in this list are permitted
access on the interface without captive portal.
The topology for this example consists of one MX Series router connected to a RADIUS authentication
server. One interface on the router is configured for captive portal. In this example, the interface is
configured in multiple supplicant mode.
Configuration
To quickly configure captive portal on the router after completing the tasks in the Requirements section,
copy the following commands and paste them into the router terminal window:
[edit]
set system services web-management http
set system services web-management https local-certificate my-signed-cert
set protocols captive-portal-custom-options secure-authentication https
set protocols authentication-access-control interface ge-0/0/10.0 supplicant multiple
set protocols authentication-access-control static 00:10:12:e0:28:22
set protocols captive-portal-custom-options post-authentication-url http://www.my-home-page.com
Step-by-Step Procedure
To configure captive portal on the router:
1. Enable HTTP access to the router's Web server:
[edit]
user@router# set system services web-management http
2. To create a secure channel for Web access to the router, configure captive portal for HTTPS:
NOTE: You can enable HTTP without enabling HTTPS, but we recommend HTTPS for security
purposes.
a. Associate the security certificate with the Web server and enable HTTPS access on the router:
[edit]
user@router# set system services web-management https local-certificate my-signed-cert
b. Configure captive portal to use HTTPS for authentication:
[edit]
user@router# set protocols captive-portal-custom-options secure-authentication https
3. Configure the captive portal interface in multiple supplicant mode:
[edit]
user@router# set protocols authentication-access-control interface ge-0/0/10.0 supplicant multiple
4. Add the printer's MAC address to the authentication whitelist so that it can reach the LAN without going
through captive portal:
NOTE: If the client is already attached to the router, you must clear its MAC address from
the captive portal authentication by using the clear captive-portal mac-address mac-address
command after adding its MAC address to the whitelist. Otherwise the new entry for the
MAC address will not be added to the Ethernet switching table and authentication bypass
will not be allowed.
[edit]
user@router# set protocols authentication-access-control static 00:10:12:e0:28:22
5. (Optional) To redirect clients to a specified page rather than the page they originally requested, configure
the post-authentication URL:
[edit]
user@router# set protocols captive-portal-custom-options post-authentication-url http://www.my-home-page.com
Results
Display the results of the configuration:
[edit]
user@router# show
system {
services {
web-management {
http;
https {
local-certificate my-signed-cert;
}
}
}
}
security {
certificates {
local {
my-signed-cert {
"-----BEGIN RSA PRIVATE KEY-----\nMIICXwIBAAKBgQDk8sUggnXdDUmr7T
vLv63yJq/LRpDASfIDZlX3z9ZDe1Kfk5C9\nr/tkyvzv
...
Pt5YmvWDoGo0mSjoE/liH0BqYdh9YGqv3T2IEUfflSTQQHEOShS0ogWDHF\
nnyOb1O/vQtjk20X9NVQg JHBwidssY9eRp\n-----END CERTIFICATE-----\n"; ## SECRET-DATA
}
}
}
}
protocols {
authentication-access-control {
static 00:10:12:e0:28:22/48;
interface {
ge-0/0/10.0 {
supplicant multiple;
}
}
custom-captive-portal-options {
secure-authentication https;
post-authentication-url http://www.my-home-page.com;
}
}
}
Verification
To confirm that captive portal is configured and working properly, perform these tasks:
Purpose
Verify that captive portal is configured on interface ge-0/0/10.
Action
Use the operational mode command show captive-portal interface interface-name detail:
user@router> show captive-portal interface ge-0/0/10.0 detail
ge-0/0/10.0
Supplicant mode: Multiple
Number of retries: 3
Quiet period: 60 seconds
Configured CP session timeout: 3600 seconds
Server timeout: 15 seconds
Meaning
The output confirms that captive portal is configured on interface ge-0/0/10 with the default settings for
number of retries, quiet period, CP session timeout, and server timeout.
Purpose
Verify that captive portal is working on the router.
Action
Connect a client to interface ge-0/0/10. From the client, open a Web browser and request a webpage.
The captive portal login page that you designed should be displayed. After you enter your login information
and are authenticated against the RADIUS server, the Web browser should display either the page you
requested or the post-authentication URL that you configured.
Troubleshooting
Problem
The router does not return the captive portal login page when a user connected to a captive portal interface
on the router requests a Web page.
Solution
You can examine the ARP, DHCP, HTTPS, and DNS counters—if one or more of these counters are not
incrementing, this provides an indication of where the problem lies. For example, if the client cannot get
an IP address, check the router interface to determine whether the DHCP counter is incrementing—if the
counter increments, the DHCP packet was received by the router.
ge-0/0/10.0
Filter name: dot1x_ge-0/0/10
Counters:
Name Bytes Packets
dot1x_ge-0/0/10_CP_arp 7616 119
dot1x_ge-0/0/10_CP_dhcp 0 0
dot1x_ge-0/0/10_CP_http 0 0
dot1x_ge-0/0/10_CP_https 0 0
dot1x_ge-0/0/10_CP_t_dns 0 0
dot1x_ge-0/0/10_CP_u_dns 0 0
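As an added example that is not part of this guide, the following Python code applies the reasoning above mechanically: it parses the Name/Bytes/Packets table, walks the stages a fresh client goes through (ARP, then DHCP, then DNS, then HTTP or HTTPS) and names the first stage whose counters never incremented, together with what to check at that stage. The sample counters are constructed to match the output shown above; the counter-name suffixes (_CP_arp, _CP_dhcp and so on) are taken from that output, and the stage order assumes a DHCP client.

```python
# Constructed counter output matching the table shown above (Name, Bytes, Packets).
SAMPLE_COUNTERS = """\
ge-0/0/10.0
Filter name: dot1x_ge-0/0/10
Counters:
Name Bytes Packets
dot1x_ge-0/0/10_CP_arp 7616 119
dot1x_ge-0/0/10_CP_dhcp 0 0
dot1x_ge-0/0/10_CP_http 0 0
dot1x_ge-0/0/10_CP_https 0 0
dot1x_ge-0/0/10_CP_t_dns 0 0
dot1x_ge-0/0/10_CP_u_dns 0 0
"""

# The order in which a DHCP client exercises these counters on its way to the
# portal. Each stage lists the counter-name suffixes (after "_CP_") it uses.
STAGES = [
    ("arp", ("arp",)),
    ("dhcp", ("dhcp",)),
    ("dns", ("t_dns", "u_dns")),
    ("web", ("http", "https")),
]

HINTS = {
    "arp": "no ARP at all: check link state, VLAN membership and cabling on the interface",
    "dhcp": "ARP seen but no DHCP: the client never asked for an address; check the DHCP "
            "server or relay, or whether the client uses a static address",
    "dns": "address obtained but no DNS: the browser cannot resolve the requested name; "
           "check the DNS servers handed out by DHCP",
    "web": "DNS answered but no HTTP/HTTPS reached the portal filter: check the browser "
           "request and the web-management http/https configuration",
    None: "every stage saw packets: look at the portal page itself and at RADIUS authentication",
}


def parse_cp_counters(text):
    """Map each counter suffix (arp, dhcp, t_dns, ...) to its packet count."""
    counters = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and "_CP_" in parts[0] and parts[2].isdigit():
            counters[parts[0].split("_CP_", 1)[1]] = int(parts[2])
    return counters


def first_silent_stage(counters):
    """Name the first stage none of whose counters incremented; None if all did."""
    for stage, suffixes in STAGES:
        if sum(counters.get(s, 0) for s in suffixes) == 0:
            return stage
    return None


def diagnose(text):
    """Return (stage, hint) for the counter output of one captive portal interface."""
    stage = first_silent_stage(parse_cp_counters(text))
    return stage, HINTS[stage]


if __name__ == "__main__":
    print(diagnose(SAMPLE_COUNTERS))
```

On the output shown above the result is the dhcp stage: ARP arrived but no DHCP request ever did, which is exactly the case the paragraph above describes.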
Release Description
14.2 Starting with Junos OS Release 14.2, you can set up captive portal authentication (hereafter
referred to as captive portal) on a router to redirect Web browser requests to a login page that
requires the user to input a username and password.
IN THIS SECTION
Requirements
Configuration
Verification
802.1X is the IEEE standard for Port-Based Network Access Control (PNAC). You use 802.1X to control
network access. Only users and devices providing credentials that have been verified against a user database
are allowed access to the network. Starting with Junos OS Release 14.2, you can use a RADIUS server as
the user database for 802.1X authentication, as well as for MAC RADIUS authentication.
This example describes how to connect a RADIUS server to an MX Series router, and configure it for
802.1X:
Requirements
• Junos OS Release 14.2 or later for MX240, MX480, or MX960 routers running in enhanced LAN mode
and Junos OS Release 14.2R3 for all other routers.
• One router acting as an authenticator port access entity (PAE). The ports on the authenticator PAE form
a control gate that blocks all traffic to and from supplicants until they are authenticated.
• One RADIUS authentication server that supports 802.1X. The authentication server acts as the backend
database and contains credential information for hosts (supplicants) that have permission to connect to
the network.
Before you connect the server to the router, be sure you have:
The MX Series router acts as an authenticator Port Access Entity (PAE). It blocks all traffic and acts as a
control gate until the supplicant (client) is authenticated by the server. All other users and devices are
denied access.
Consider an MX Series router that functions as an authenticator port. It is connected using the interface,
ge-0/0/10, over the IP network to a RADIUS server. The router is also linked to a conference room using
the interface, ge-0/0/1, to a printer using the interface, ge-0/0/20, to a hub using the interface, ge-0/0/8,
and to two supplicants or clients over interfaces, ge-0/0/2 and ge-0/0/9 respectively.
Property: One RADIUS server
Settings: Backend database with an address of 10.0.0.100, connected to the switch at port ge-0/0/10
In this example, connect the RADIUS server to access port ge-0/0/10 on the MX Series router. The switch
acts as the authenticator and forwards credentials from the supplicant to the user database on the RADIUS
server. You must configure connectivity between the MX Series router and the RADIUS server by specifying
the address of the server and configuring the secret password. This information is configured in an access
profile on the switch.
Configuration
CLI Quick Configuration
To quickly connect the RADIUS server to the switch, copy the following commands and paste them into
the switch terminal window:
[edit]
set access radius-server 10.0.0.100 secret juniper
set access radius-server 10.0.0.200 secret juniper
set access profile profile1 authentication-order radius
set access profile profile1 radius authentication-server [10.0.0.100 10.0.0.200]
Step-by-Step Procedure
To connect the RADIUS server to the switch:
1. Define the address of the servers, and configure the secret password. The secret password on the
switch must match the secret password on the server:
[edit]
user@switch# set access radius-server 10.0.0.100 secret juniper
user@switch# set access radius-server 10.0.0.200 secret juniper
NOTE: The secret juniper is a placeholder for this example. The shared secret is what authenticates
the switch to the RADIUS server and the server's replies to the switch, so in production use a long,
randomly generated secret that is unique to each server.
2. Configure the authentication order, making radius the first method of authentication:
[edit]
user@switch# set access profile profile1 authentication-order radius
3. Specify the RADIUS servers that the access profile uses:
[edit]
user@switch# set access profile profile1 radius authentication-server [10.0.0.100 10.0.0.200]
Results
Display the results of the configuration:
Verification
Verify That the Switch and RADIUS Server are Properly Connected
Purpose
Verify that the RADIUS server is connected to the switch on the specified port.
Action
Ping the RADIUS server to verify the connection between the switch and the server:
user@switch> ping 10.0.0.100
Meaning
ICMP echo request packets are sent from the switch to the target server at 10.0.0.100 to test whether it
is reachable across the IP network. ICMP echo responses are being returned from the server, verifying
that the switch and the server are connected.
Release Description
14.2 Starting with Junos OS Release 14.2, you can use a RADIUS server as the user database
for 802.1X authentication, as well as for MAC RADIUS authentication.
IN THIS SECTION
Requirements
Verification
Starting with Junos OS Release 14.2, 802.1X on MX Series routers provides LAN access to users who do
not have credentials in the RADIUS database. These users, referred to as guests, are authenticated and
typically provided with access to the Internet only.
This example describes how to create a guest VLAN and configure 802.1X authentication for it.
Requirements
• Junos OS Release 14.2 or later for MX240, MX480, or MX960 routers running in enhanced LAN mode.
• One router acting as an authenticator port access entity (PAE). The ports on the authenticator PAE form
a control gate that blocks all traffic to and from supplicants until they are authenticated.
• One RADIUS authentication server that supports 802.1X. The authentication server acts as the backend
database and contains credential information for hosts (supplicants) that have permission to connect to
the network.
Before you connect the server to the router, be sure you have:
The MX Series router acts as an authenticator Port Access Entity (PAE). It blocks all traffic and acts as a
control gate until the supplicant (client) is authenticated by the server. All other users and devices are
denied access.
Consider an MX Series router that functions as an authenticator port. It is connected using the interface,
ge-0/0/10, over the IP network to a RADIUS server. The router is also linked to a conference room using
the interface, ge-0/0/1, to a printer using the interface, ge-0/0/20, to a hub using the interface, ge-0/0/8,
and to two supplicants or clients over interfaces, ge-0/0/2 and ge-0/0/9 respectively.
Property: One RADIUS server
Settings: Backend database with an address of 10.0.0.100, connected to the switch at port ge-0/0/10
In this example, access interface ge-0/0/1 provides LAN connectivity in the conference room. Configure
this access interface to provide LAN connectivity to visitors in the conference room who are not
authenticated by the corporate VLAN.
CLI Quick Configuration
To quickly configure a guest VLAN, copy the following commands and paste them into the switch terminal
window:
[edit]
set bridge-domains bridge-domain-name vlan-id 300
set protocols dot1x authenticator interface all guest-bridge-domain bridge-domain-name
Step-by-Step Procedure
To configure a guest VLAN that includes 802.1X authentication on MX Series routers:
1. Create the bridge domain that serves as the guest VLAN:
[edit]
user@switch# set bridge-domains bridge-domain-name vlan-id 300
2. Assign the guest bridge domain to the 802.1X-enabled interfaces, so that supplicants that fail
authentication are placed in it:
[edit]
user@switch# set protocols dot1x authenticator interface all guest-bridge-domain bridge-domain-name
Results
Check the results of the configuration:
Verification
Purpose
Verify that the guest VLAN is created and that an interface has failed authentication and been moved to
the guest VLAN.
Action
user@switch> show dot1x interface ge-0/0/1.0 detail
ge-0/0/1.0
Role: Authenticator
Administrative state: Auto
Supplicant mode: Single
Number of retries: 3
Quiet period: 60 seconds
Transmit period: 30 seconds
Mac Radius: Enabled
Mac Radius Restrict: Disabled
Reauthentication: Enabled
Configured Reauthentication interval: 3600 seconds
Supplicant timeout: 30 seconds
Server timeout: 30 seconds
Maximum EAPOL requests: 2
Guest VLAN member: guest-vlan
Meaning
The output from the show bridge domain command shows bridge-domain-name as the name of the VLAN
and the VLAN ID as 300.
The output from the show dot1x interface ge-0/0/1.0 detail command displays the guest bridge domain in
the Guest VLAN member field, indicating that a supplicant on this interface that fails 802.1X authentication
is passed through to bridge-domain-name.
Release Description
14.2 Starting with Junos OS Release 14.2, 802.1X on MX Series routers provides LAN access
to users who do not have credentials in the RADIUS database.
IN THIS SECTION
Requirements
Configuration
Verification
Starting with Junos OS Release 14.2, to allow devices to access your LAN through 802.1X-configured
interfaces without authentication, you can configure a static MAC bypass list on the MX Series router. The
static MAC bypass list, also known as the exclusion list, specifies MAC addresses that are allowed on the
router without a request to an authentication server.
You can use static MAC bypass of authentication to allow connection for devices that are not
802.1X-enabled, such as printers. If a host's MAC address matches an entry on the static MAC bypass list,
the nonresponsive host is treated as authenticated and the interface is opened for it. Because the only
credential checked is the link-layer address, which any host can set, limit the list to devices that cannot
authenticate any other way.
This example describes how to configure static MAC bypass of authentication for two printers:
Requirements
• Junos OS Release 14.2 or later for MX240, MX480, or MX960 routers running in enhanced LAN mode.
• One router acting as an authenticator port access entity (PAE). The ports on the authenticator PAE form
a control gate that blocks all traffic to and from supplicants until they are authenticated.
Before you connect the server to the router, be sure you have:
To permit printers access to the LAN, add them to the static MAC bypass list. The MAC addresses on this
list are permitted access without authentication from the RADIUS server.
Consider an MX Series router that functions as an authenticator port. It is connected using the interface,
ge-0/0/10, over the IP network to a RADIUS server. The router is also linked to a conference room using
the interface, ge-0/0/1, to a printer using the interface, ge-0/0/20, to a hub using the interface, ge-0/0/8,
and to two supplicants or clients over interfaces, ge-0/0/2 and ge-0/0/9 respectively.
The interfaces shown in Table 32 on page 446 will be configured for static MAC authentication.
Property Settings
The printer with the MAC address 00:04:0f:fd:ac:fe is connected to access interface ge-0/0/19. A second
printer with the MAC address 00:04:ae:cd:23:5f is connected to access interface ge-0/0/20. Both printers
will be added to the static list and bypass 802.1X authentication.
Configuration
CLI Quick Configuration
To quickly configure static MAC authentication, copy the following commands and paste them into the
router terminal window:
[edit]
set protocols authentication-access-control static [00:04:0f:fd:ac:fe 00:04:ae:cd:23:5f]
set protocols authentication-access-control interface all supplicant multiple
set protocols authentication-access-control authentication-profile-name profile1
Step-by-Step Procedure
Configure static MAC authentication:
1. Add the MAC addresses of the two printers to the static MAC bypass list:
[edit protocols]
user@router# set authentication-access-control static [00:04:0f:fd:ac:fe 00:04:ae:cd:23:5f]
2. Configure the interfaces for multiple supplicant mode:
[edit protocols]
user@router# set authentication-access-control interface all supplicant multiple
3. Configure the authentication profile name (access profile name) to use for authentication:
[edit protocols]
user@router# set authentication-access-control authentication-profile-name profile1
NOTE: Access profile configuration is required only for 802.1X clients, not for static MAC
clients.
Results
Display the results of the configuration:
user@router> show
interfaces {
ge-0/0/19 {
unit 0 {
family bridge {
vlan-id 10;
}
}
}
ge-0/0/20 {
unit 0 {
family bridge {
vlan-id 10;
}
}
}
}
protocols {
authentication-access-control {
authentication-profile-name profile1;
static [00:04:0f:fd:ac:fe 00:04:ae:cd:23:5f];
interface {
all {
supplicant multiple;
}
}
}
}
Verification
Purpose
Verify that the MAC address for both printers is configured and associated with the correct interfaces.
Action
Meaning
The output field MAC address shows the MAC addresses of the two printers.
The output field Interface shows that the MAC address 00:04:0f:fd:ac:fe can connect to the LAN through
interface ge-0/0/19.0 and that the MAC address 00:04:ae:cd:23:5f can connect to the LAN through
interface ge-0/0/20.0.
Release Description
14.2 Starting with Junos OS Release 14.2, to allow devices to access your LAN through
802.1X-configured interfaces without authentication, you can configure a static MAC bypass
list on the MX Series router.
IN THIS SECTION
Requirements
Configuration
Verification
Starting with Junos OS Release 14.2, on MX Series routers, firewall filters that you apply to interfaces
enabled for 802.1X or MAC RADIUS authentication are dynamically combined with the per-user policies
sent to the router from the RADIUS server. The router uses internal logic to dynamically combine the
interface firewall filter with the user policies from the RADIUS server and create an individualized policy
for each of the multiple users or nonresponsive hosts that are authenticated on the interface.
This example describes how dynamic firewall filters are created for multiple supplicants on an
802.1X-enabled interface (the same principles shown in this example apply to interfaces enabled for MAC
RADIUS authentication):
Requirements
• One RADIUS authentication server. The authentication server acts as the backend database and contains
credential information for hosts (supplicants) that have permission to connect to the network.
Before you apply firewall filters to an interface for use with multiple supplicants, be sure you have:
• Configured 802.1X authentication on the router, with the authentication mode for interface ge-0/0/2
set to multiple.
When the 802.1X configuration on an interface is set to multiple supplicant mode, the system dynamically
combines interface firewall filter with the user policies sent to the router from the RADIUS server during
authentication and creates separate terms for each user. Because there are separate terms for each user
authenticated on the interface, you can, as shown in this example, use counters to view the activities of
individual users that are authenticated on the same interface.
When a new user (or a nonresponsive host) is authenticated on an interface, the system adds a term to
the firewall filter associated with the interface, and the term (policy) for each user is associated with the
MAC address of the user. The term for each user is based on the user-specific filters set on the RADIUS
server and the filters configured on the interface. For example, as shown in Figure 14 on page 430, when
User1 is authenticated by the MX Series router, the system creates the firewall filter dynamic-filter-example.
When User2 is authenticated, another term is added to the firewall filter, and so on.
Figure 29: Conceptual Model: Dynamic Filter Updated for Each New User
This is a conceptual model of the internal process—you cannot access or view the dynamic filter.
NOTE: If the firewall filter on the interface is modified after the user (or nonresponsive host) is
authenticated, the modifications are not reflected in the dynamic filter unless the user is
reauthenticated.
In this example, you configure a firewall filter to count the requests made by each endpoint authenticated
on interface ge-0/0/2 to the file server, which is located on subnet 192.0.2.16/28, and set policer definitions
to rate limit the traffic. Figure 15 on page 431 shows the network topology for this example.
Configuration
CLI Quick Configuration
To quickly configure firewall filters for multiple supplicants on an 802.1X-enabled interface, copy the
following commands and paste them into the router terminal window:
[edit]
set protocols authentication-access-control interface ge-0/0/2 supplicant multiple
set firewall family bridge filter filter1 term term1 from destination-address 192.0.2.16/28
set firewall family bridge filter filter1 term term1 then count counter1
set firewall family bridge filter filter1 term term2 from destination-address 192.0.2.16/28
set firewall family bridge filter filter1 term term2 then policer p1
set firewall policer p1 if-exceeding bandwidth-limit 1m burst-size-limit 1k
set firewall policer p1 then discard
Step-by-Step Procedure
To configure firewall filters on an interface enabled for multiple supplicants:
1. Configure the interface for multiple supplicants:
[edit protocols]
user@router# set authentication-access-control interface ge-0/0/2 supplicant multiple
2. Configure a firewall filter to count packets from each user and a policer that limits the traffic rate. As
each new user is authenticated on the multiple supplicant interface, this filter term will be included in
the dynamically created term for the user:
[edit firewall]
user@router# set family bridge filter filter1 term term1 from destination-address 192.0.2.16/28
user@router# set family bridge filter filter1 term term1 then count counter1
user@router# set family bridge filter filter1 term term2 from destination-address 192.0.2.16/28
user@router# set family bridge filter filter1 term term2 then policer p1
user@router# set policer p1 if-exceeding bandwidth-limit 1m burst-size-limit 1k
user@router# set policer p1 then discard
Results
Check the results of the configuration:
firewall {
    family bridge {
        filter filter1 {
            term term1 {
                from {
                    destination-address {
                        192.0.2.16/28;
                    }
                }
                then count counter1;
            }
            term term2 {
                from {
                    destination-address {
                        192.0.2.16/28;
                    }
                }
                then policer p1;
            }
        }
    }
    policer p1 {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 1k;
        }
        then discard;
    }
}
protocols {
    authentication-access-control {
        interface ge-0/0/2 {
            supplicant multiple;
        }
    }
}
Verification
Purpose
Verify that firewall filters are functioning on the interface with multiple supplicants.
Action
1. Check the results with one user authenticated on the interface. In this case, the user is authenticated
on ge-0/0/2:
user@router> show dot1x firewall
Filter: dot1x_ge-0/0/2
Counters
counter1_dot1x_ge-0/0/2_user1 100
2. When a second user, User2, is authenticated on the same interface, ge-0/0/2, you can verify that the
filter includes the results for both of the users authenticated on the interface:
user@router> show dot1x firewall
Filter: dot1x_ge-0/0/2
Counters
counter1_dot1x_ge-0/0/2_user1 100
counter1_dot1x_ge-0/0/2_user2 400
Meaning
The results displayed by the show dot1x firewall command output reflect the dynamic filter created with
the authentication of each new user. User1 accessed the file server located at the specified destination
address 100 times, while User2 accessed the same file server 400 times.
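Because each authenticated user gets its own term, the counters can be attributed per user from the command output alone. The following Python code is an added example, not part of this guide or of Junos OS: it parses output in the shape of show dot1x firewall into a per-filter, per-user map and reports the users whose counter exceeds a threshold. The counter naming pattern (counter name, then the filter name, then the user, joined by underscores) is taken from the output shown above and is assumed to hold for other counter names; the sample output is constructed from the values in this example.

```python
# Constructed output in the shape of `show dot1x firewall` above. Each line is
# one counter from a dynamically created per-user term, named
# <counter>_<filter>_<user>; that naming is taken from the output shown here.
SAMPLE_DOT1X_FIREWALL = """\
Filter: dot1x_ge-0/0/2
Counters
counter1_dot1x_ge-0/0/2_user1 100
counter1_dot1x_ge-0/0/2_user2 400
"""


def parse_dot1x_firewall(text):
    """Return {filter: {user: {counter: packets}}}. The filter name from the
    Filter: header is used to split counter names, so interface names that
    contain slashes or dashes do not confuse the split."""
    result, current = {}, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Filter:"):
            current = s.split(":", 1)[1].strip()
            result[current] = {}
        elif current and s and s[-1].isdigit() and "_%s_" % current in s:
            name, packets = s.rsplit(None, 1)
            counter, user = name.split("_%s_" % current, 1)
            result[current].setdefault(user, {})[counter] = int(packets)
    return result


def users_over(text, counter, threshold):
    """(filter, user, packets) for every user whose counter exceeds threshold."""
    hits = []
    for flt, users in parse_dot1x_firewall(text).items():
        for user, counters in users.items():
            if counters.get(counter, 0) > threshold:
                hits.append((flt, user, counters[counter]))
    return hits


if __name__ == "__main__":
    print(parse_dot1x_firewall(SAMPLE_DOT1X_FIREWALL))
    print(users_over(SAMPLE_DOT1X_FIREWALL, "counter1", 200))
```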
Release Description
14.2 Starting with Junos OS Release 14.2, on MX Series routers, firewall filters that you apply to
interfaces enabled for 802.1X or MAC RADIUS authentication are dynamically combined with
the per-user policies sent to the switch from the RADIUS server.
CHAPTER 9
Device Discovery
The Link Layer Discovery Protocol (LLDP) is an industry-standard, vendor-neutral method to allow
networked devices to advertise capabilities, identity, and other information onto a LAN. It also provides
additional TLVs for capabilities discovery, network policy, Power over Ethernet (PoE), and inventory
management. For more information, read this topic.
Understanding LLDP
The device uses Link Layer Discovery Protocol (LLDP) to learn and distribute device information on network
links. The information enables the switch to identify a variety of devices quickly. This quick identification
results in a LAN that interoperates smoothly and efficiently.
LLDP-capable devices transmit information in type, length, and value (TLV) messages to neighbor devices.
Device information can include specifics, such as chassis and port identification and system name and
system capabilities. The TLVs leverage this information from parameters that have already been configured
in Junos OS.
• Port Identifier—The port identification for the specified port in the local system.
• Port Description—The user-configured port description. The port description can be a maximum of 256
characters.
• System Name—The user-configured name of the local system. The system name can be a maximum of
256 characters.
• System Description—The system description containing information about the software and current
image running on the system. This information cannot be configured, but is taken from the software.
• System Capabilities—The primary function performed by the system. The capabilities that system supports
are defined; for example, bridge or router. This information cannot be configured, but is based on the
model of the product.
• Power via MDI—A TLV that advertises media dependent interface (MDI) power support, power source
equipment (PSE) power pair, and power class information.
• MAC/PHY Configuration Status—A TLV that advertises information about the physical interface, such
as autonegotiation status and support and MAU type. The information cannot be configured, but is
based on the physical interface structure.
• Link Aggregation—A TLV that advertises whether the port is aggregated and its aggregated port ID.
• Maximum Frame Size—A TLV that advertises the Maximum Transmission Unit (MTU) of the interface
sending LLDP frames.
• Port Vlan—A TLV that advertises the VLAN name configured on the interface.
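The TLV list above is also what a neighbour, or anyone listening on the segment, learns about the device. As an added example that is not part of this guide or of Junos OS, the following Python code encodes and decodes an LLDPDU in the IEEE 802.1AB wire format (a 7-bit type and 9-bit length packed into one 16-bit header, followed by the value) and lists which non-mandatory TLVs a frame carries, which is the information you give up by leaving optional TLVs enabled. The sample frame is constructed here; its chassis MAC, system name, description, and management address are invented values.

```python
import struct

TLV_NAMES = {
    0: "End of LLDPDU", 1: "Chassis ID", 2: "Port ID", 3: "Time To Live",
    4: "Port Description", 5: "System Name", 6: "System Description",
    7: "System Capabilities", 8: "Management Address",
    127: "Organizationally Specific",
}
MANDATORY = {1, 2, 3}   # chassis-id, port-id, time-to-live


def tlv(tlv_type, value):
    """Encode one TLV: 7-bit type and 9-bit length in one big-endian 16-bit
    header, followed by the value."""
    if not 0 <= tlv_type < 128 or len(value) > 511:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_lldpdu(chassis_mac, port_name, ttl, optional=()):
    """Assemble an LLDPDU: the three mandatory TLVs first, then any optional
    TLVs, then the End of LLDPDU TLV."""
    pdu = tlv(1, b"\x04" + chassis_mac)            # chassis ID subtype 4: MAC address
    pdu += tlv(2, b"\x05" + port_name.encode())    # port ID subtype 5: interface name
    pdu += tlv(3, struct.pack("!H", ttl))          # seconds a neighbour may keep the entry
    for tlv_type, value in optional:
        pdu += tlv(tlv_type, value)
    return pdu + tlv(0, b"")


def parse_lldpdu(pdu):
    """Decode into a list of (type, value) pairs, stopping at the End TLV.
    A frame that is cut short or lacks the End TLV raises ValueError."""
    tlvs, i = [], 0
    while i + 2 <= len(pdu):
        (header,) = struct.unpack_from("!H", pdu, i)
        tlv_type, length = header >> 9, header & 0x1FF
        i += 2
        if i + length > len(pdu):
            raise ValueError("truncated TLV type %d at offset %d" % (tlv_type, i))
        tlvs.append((tlv_type, pdu[i:i + length]))
        i += length
        if tlv_type == 0:
            return tlvs
    raise ValueError("missing End of LLDPDU TLV")


def disclosed_optional_tlvs(pdu):
    """Names of the non-mandatory TLVs a frame carries: what a listener learns
    beyond the chassis and port identity the protocol requires."""
    return [TLV_NAMES.get(t, "type %d" % t)
            for t, _ in parse_lldpdu(pdu) if t not in MANDATORY and t != 0]


# Constructed sample frame; the chassis MAC, names and address are invented.
SAMPLE_PDU = build_lldpdu(
    bytes.fromhex("00005e005301"), "ge-0/0/20", 120,
    optional=[
        (5, b"mx480-lab"),
        (6, b"Juniper Networks, Inc. mx480, Junos 14.2"),
        # management address: address length 5, subtype 1 (IPv4), 192.0.2.1,
        # interface numbering subtype 2 (ifIndex), ifIndex 20, no OID
        (8, b"\x05\x01" + bytes([192, 0, 2, 1]) + b"\x02" + struct.pack("!I", 20) + b"\x00"),
    ])

if __name__ == "__main__":
    for t, v in parse_lldpdu(SAMPLE_PDU):
        print(TLV_NAMES.get(t, "type %d" % t), v)
    print("optional TLVs disclosed:", disclosed_optional_tlvs(SAMPLE_PDU))
```

Feed parse_lldpdu the payload that follows the 0x88CC EtherType of a captured frame to see what a device on your LAN is actually announcing; the mandatory set alone identifies the chassis and port, everything else is optional disclosure.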
Devices use Link Layer Discovery Protocol (LLDP) and Link Layer Discovery Protocol–Media Endpoint
Discovery (LLDP-MED) to learn and distribute device information on network links. The information enables
the device to quickly identify a variety of other devices, resulting in a LAN that interoperates smoothly
and efficiently.
LLDP is enabled on all interfaces by default. If it is disabled, you can enable LLDP by configuring it on all
interfaces or on specific interfaces.
You can adjust the following settings for LLDP advertisements for troubleshooting or verification purposes.
The default values are applied when LLDP is enabled. For normal operations, we recommend that you do
not change the default values.
• To specify the frequency at which LLDP advertisements are sent (in seconds):
• To specify the number of seconds that LLDP information is held before it is discarded (the multiplier
value is used in combination with the advertisement-interval value):
• To specify the number of seconds the device waits before sending advertisements to neighbors after a
change is made in a TLV (type, length, or value) element in LLDP or in the state of the local system, such
as a change in hostname or management address, set the transmit delay. The transmit delay is enabled
by default on switches to reduce the delay in notifying neighbors of a change in the local system. The
default value is 2 seconds (if the advertisement-interval value is set to 8 seconds or more) or 1 second
(if the advertisement-interval value is set to less than 8 seconds).
For example:
NOTE: The advertisement-interval value must be greater than or equal to four times the
transmit-delay value; otherwise, an error is returned when you attempt to commit the
configuration.
You can adjust the following settings for SNMP notifications of LLDP changes. If the values are not specified
or if the interval values are set to 0, the notifications are disabled.
• To specify the frequency at which LLDP database changes are sent (in seconds):
For example:
• To configure the time interval for SNMP trap notifications to wait for topology changes (in seconds):
For example:
• To specify the holding time (used in combination with the ptopo-configuration-trap-interval value) to
maintain dynamic topology entries (in seconds):
For example:
You can configure an IPv4 or IPv6 management address to be used in the LLDP Management Address
type, length, and value (TLV) messages. Only an out-of-band management address must be used as the
value for the management-address statement.
NOTE: Ensure that the interface with the configured management address has LLDP enabled
using the set protocols lldp interface command. If you configure a customized management
address for LLDP on an interface that has LLDP disabled, the show lldp local-information
command output does not display the correct interface information.
LLDP power negotiation enables the switch’s Power over Ethernet (PoE) controller to dynamically allocate
PoE power to PoE interfaces, based on the needs of the powered device, by negotiating with LLDP-enabled
powered devices.
NOTE: LLDP power negotiation is not supported on EX3200 or EX4200 switches (except for
the EX4200-PX models).
LLDP power negotiation is supported on switches running PoE controller software version 4.04 or later.
For information about upgrading the PoE controller software, see Upgrading the PoE Controller Software.
LLDP power negotiation is automatically enabled when the PoE management mode is set to class:
[edit poe]
user@switch# set management class
• On switch interfaces:
LLDP sends TLV messages by default. You can configure LLDP to disable non-mandatory TLVs. Mandatory
TLVs are: chassis-id, port-id, and time-to-live. In this procedure, any reference to disabling all TLVs means
disabling all non-mandatory TLVs.
• tlv-select—Select which TLVs are allowed to be advertised by LLDP. This approach is useful if you want
to allow only a few TLVs and nothing else.
• tlv-filter—Filter the TLVs that should not be advertised by LLDP. This approach is useful if you want to
filter only a few TLVs and allow everything else.
NOTE: The tlv-select and tlv-filter statements are mutually exclusive and cannot be used in the same
configuration stanza at the same time.
You can disable TLVs on specific interfaces or on all interfaces. The configuration under the interface
configuration stanza takes precedence over the global configuration.
• On all interfaces:
• On a specific interface:
• On all interfaces:
• On a specific interface:
The following example disables all TLVs except port-description and system-description on all interfaces
except on the ge-0/0/1 interface, where it disables only the system-name TLV:
You can also disable TLVs for the LLDP Media Endpoint Discovery (LLDP-MED) protocol. See “Configuring
LLDP-MED (CLI Procedure)” on page 627 for more information.
Use the LLDP Configuration page to configure LLDP global and port settings for an EX Series switch on
the J-Web interface.
To configure LLDP:
The LLDP Configuration page displays LLDP Global Settings and Port Settings.
The second half of the screen displays operational details for the selected port.
NOTE: After you make changes to the configuration on this page, you must commit the
changes for them to take effect. To commit all changes to the active configuration, select
Commit Options > Commit. See Using the Commit Options to Commit Configuration Changes
for details about all commit options.
2. For an EX8200 Virtual Chassis configuration, select the member and the slot (FPC) from the list.
Advertising interval: Specifies the frequency of outbound LLDP advertisements. You can increase or
decrease this interval. Your action: Type the number of seconds.
Hold multiplier: Specifies the multiplier factor to be used by an LLDP-enabled switch to calculate
the time-to-live (TTL) value for the LLDP advertisements it generates and transmits to LLDP
neighbors. Your action: Type the required number in the field.
Fast start count: Specifies the number of LLDP advertisements sent in the first second after the
device connects. The default is 3. Increasing this number results in the port initially advertising
LLDP-MED at a faster rate for a limited time. Your action: Type the Fast start count.
LLDP Status: Specifies whether LLDP has been enabled on the port. Your action: Select one: Enabled,
Disabled, or None.
LLDP-MED Status: Specifies whether LLDP-MED has been enabled on the port. Your action: Select
Enable from the list.
EX Series Ethernet Switches use Link Layer Discovery Protocol (LLDP) and Link Layer Discovery
Protocol–Media Endpoint Discovery (LLDP-MED) to learn and distribute device information on network
links. The information enables the switch to quickly identify a variety of devices, resulting in a LAN that
interoperates smoothly and efficiently.
• Ensures that voice traffic gets tagged and prioritized with the correct values at the source itself.
LLDP-capable devices transmit information in type, length, and value (TLV) messages to neighbor devices.
Device information can include information such as chassis and port identification and system name and
system capabilities. The TLVs leverage this information from parameters that have already been configured
in the Junos operating system (Junos OS).
LLDP-MED goes one step further than LLDP, exchanging IP-telephony messages between the switch and
the IP telephone.
NOTE: If your IP telephone is configured for voice over IP (VoIP), the switch automatically detects the
configuration and assigns the telephone to the voice VLAN. The implementation of a voice VLAN
on an IP telephone is vendor-specific. Consult the documentation that came with your IP
telephone for instructions on configuring a voice VLAN. For example, on an Avaya phone, you
can ensure that the phone gets the correct VoIP VLAN ID even in the absence of LLDP-MED
by enabling DHCP option 176.
LLDP and LLDP-MED also provide PoE power management capabilities. LLDP power negotiation allows
the switch to manage PoE power by negotiating with LLDP-enabled powered devices to dynamically
allocate PoE power as needed. LLDP power priority allows an LLDP-enabled powered device to set the
PoE power priority on the switch interface to which it connects.
The switch also uses these protocols to ensure that voice traffic gets tagged and prioritized with the correct
values at the source itself. For example, 802.1p CoS and 802.1Q tag information can be sent to the IP
telephone.
EX Series switches and QFX5100 switches support the following basic management TLVs:
NOTE: The Chassis ID TLV has a subtype for the network address family. LLDP frames are
validated only if this subtype has a value of 1 (IPv4) or 2 (IPv6). For any other value, the
transmitting device is detected by LLDP as a neighbor and displayed in the output of the show
lldp neighbors command, but is not assigned to the VLAN.
• Port ID—The port identification for the specified port in the local system.
• Time to Live—The length of time that the received information should remain valid.
• Port Description—Textual description of the interface or the logical unit. The description for the logical
unit is used, if available; otherwise, the Port Description TLV contains the description configured on the
physical interface. For example, LAG member interfaces do not contain a logical unit; therefore, only
the description configured on the physical interface can be used.
• System Name—The user-configured name of the local system. The system name can be a maximum of
256 characters. The system name field contains the host name and the domain name in the following
format: host-name.domain-name.
• System Description—The system description that contains information about the software and current
image running on the system. This information is not configurable, but taken from the software.
• System Capabilities—The primary function performed by the system. The capabilities that the system
supports—for example, bridge or router. This information is not configurable, but based on the model
of the product.
EX Series switches and QFX5100 switches support the following organizationally defined TLVs:
• Power via MDI—A TLV that advertises MDI (media dependent interface) power support, PSE (power
sourcing equipment) power pair, and power class information.
• MAC/PHY Configuration Status—A TLV that advertises information about the physical interface, such
as autonegotiation status and support and MAU (medium attachment unit) type. The information is not
configurable, but based on the physical interface structure.
NOTE: The MAC/PHY Configuration Status TLV has a subtype for the PMD Auto-Negotiation
Advertised Capability field. This field contains a value of other or unknown if the LLDP packet
is transmitted from a 10-gigabit SFP+ port.
• Link Aggregation—A TLV that advertises whether the port is aggregated and its aggregated port ID.
• Maximum Frame Size—A TLV that advertises the maximum transmission unit (MTU) of the interface
sending LLDP frames.
• Port Vlan—A TLV that advertises the VLAN name configured on the interface.
EX Series switches and QFX5100 switches support the following LLDP-MED TLVs:
• LLDP-MED Capabilities—A TLV that advertises the primary function of the port. The values of capabilities
range from 0 through 15:
• 0—Capabilities
• 1—Network Policy
• 2—Location Identification
• 4—Inventory
• 5-15—Reserved
The LLDP-MED device class values are:
• 1—Class 1 (generic endpoints). This class definition is applicable to all endpoints that require the base
LLDP discovery services.
• 2—Class 2 (media endpoints). This class includes endpoints that have IP media capabilities.
• 5-255—Reserved
• Network Policy—A TLV that advertises the port VLAN configuration and associated Layer 2 and Layer
3 attributes. Attributes include the policy identifier, application types, such as voice or streaming video,
802.1Q VLAN tagging, and 802.1p priority bits and Diffserv code points.
• Endpoint Location— A TLV that advertises the physical location of the endpoint.
• Extended Power via MDI— A TLV that advertises the power type, power source, power priority, and
power value of the port. It is the responsibility of the PSE device (network connectivity device) to
advertise the power priority on a port.
Disabling TLVs
In multi-vendor networks, it might not be desirable to send TLV messages because they can contain
sensitive information about a network device. You can configure LLDP or LLDP-MED to disable any
non-mandatory TLV message. Mandatory TLVs are: chassis-id, port-id, and time-to-live. All other TLVs
can be disabled, either on specific interfaces or on a global basis. See “Configuring LLDP (CLI Procedure)”
on page 616 and “Configuring LLDP-MED (CLI Procedure)” on page 627 for more information.
Link Layer Discovery Protocol–Media Endpoint Discovery (LLDP-MED) is an extension of LLDP. The EX
Series switch uses LLDP-MED to support device discovery of VoIP telephones and to create location
databases for these telephone locations.
LLDP-MED is enabled on all interfaces by default. If it is disabled, you can enable LLDP-MED by configuring
it on all interfaces or on specific interfaces.
NOTE: On switches running Junos OS for EX Series switches with support for the Enhanced
Layer 2 Software (ELS) configuration style, configure LLDP-MED on the physical interface, for
example, on ge-0/0/2. For more about ELS, see Using the Enhanced Layer 2 Software CLI.
You can configure the location information that is advertised from the switch to the LLDP-MED device.
You can specify a civic-based location (geographic location) or a location based on an ELIN (Emergency
Location Identification Number):
When the switch detects an LLDP-MED capable device, it begins to send LLDP advertisements from the
port connected to the device. The fast start count indicates how many advertisements are sent in the
first second after the switch detects the LLDP-MED device. The default is 3; to set it to another value:
For example:
NOTE: If an interface is configured as a VoIP interface, then the switch does not wait for an
attached phone to identify itself as an LLDP-MED device before it performs an LLDP-MED fast
start after a graceful Routing Engine switchover (GRES) or a reboot. Instead, it immediately
performs an LLDP-MED fast start after a GRES or reboot. This behavior prevents certain models
of IP phones from resetting after a GRES.
LLDP-MED sends TLV messages by default. You can configure LLDP-MED to disable non-mandatory TLVs.
Mandatory TLVs are: chassis-id, port-id, and time-to-live. In this procedure, any reference to disabling all
TLVs means disabling all non-mandatory TLVs.
• tlv-select—Select which TLVs are allowed to be advertised by LLDP. This approach is useful if you want
to allow only a few TLVs and nothing else.
• tlv-filter—Filter the TLVs that should not be advertised by LLDP-MED. This approach is useful if you want
to filter only a few TLVs and allow everything else.
NOTE: The tlv-select and tlv-filter statements are mutually exclusive and cannot be used in the same
configuration stanza at the same time.
You can disable TLVs on specific interfaces or on all interfaces. The configuration under the interface
configuration stanza takes precedence over the global configuration.
• On all interfaces:
• On a specific interface:
• On all interfaces:
• On a specific interface:
The following example disables all TLVs except location-id and ext-power-via-mdi on all interfaces except
on the ge-0/0/1 interface, where it disables only the network-policy TLV:
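The configuration listing for this example, and for the matching LLDP example on page 616, is not reproduced on this page. As an added illustration that is not Juniper code, the following Python model applies the rules both sections state: mandatory TLVs (chassis-id, port-id, time-to-live) are always sent, tlv-select allows only the named TLVs while tlv-filter drops only the named ones, the two are mutually exclusive within one stanza, and an interface stanza takes precedence over the global stanza. It also checks the commit-time rule that advertisement-interval must be at least four times transmit-delay, with the documented default delay. The dictionary stanza layout and any TLV keyword not named in the text (system-capabilities, management-address, capabilities) are assumptions of the model, not Junos syntax.

```python
# Added illustration of the TLV selection rules in this guide (not Juniper code).
# Keyword spellings other than the ones named in the text (port-description,
# system-name, system-description, location-id, ext-power-via-mdi, network-policy)
# are assumptions used only to make the model runnable.

# Mandatory TLVs can never be disabled, for LLDP and LLDP-MED alike.
MANDATORY = frozenset({"chassis-id", "port-id", "time-to-live"})

# Optional TLVs that tlv-select / tlv-filter may name, per protocol.
OPTIONAL = {
    "lldp": frozenset({"port-description", "system-name", "system-description",
                       "system-capabilities", "management-address"}),
    "lldp-med": frozenset({"capabilities", "network-policy", "location-id",
                           "ext-power-via-mdi"}),
}


def resolve_stanza(protocol, stanza):
    """Return the TLVs advertised under one stanza (global or per-interface).

    stanza holds at most one of 'tlv-select' (allow only these) or
    'tlv-filter' (drop only these); an empty dict means 'advertise everything'.
    """
    optional = OPTIONAL[protocol]
    if "tlv-select" in stanza and "tlv-filter" in stanza:
        raise ValueError("tlv-select and tlv-filter are mutually exclusive "
                         "within one configuration stanza")
    if "tlv-select" in stanza:
        chosen = set(stanza["tlv-select"])
    elif "tlv-filter" in stanza:
        chosen = set(optional) - set(stanza["tlv-filter"])
    else:
        chosen = set(optional)
    unknown = chosen - optional - MANDATORY
    if unknown:
        raise ValueError(f"unknown {protocol} TLV name(s): {sorted(unknown)}")
    # Mandatory TLVs are always sent, whatever the stanza says.
    return frozenset(MANDATORY | chosen)


def advertised_tlvs(protocol, config, interface):
    """TLVs sent on `interface`: an interface-level stanza replaces the global
    stanza entirely, because interface configuration takes precedence."""
    per_interface = config.get("interfaces", {})
    stanza = per_interface.get(interface, config.get("global", {}))
    return resolve_stanza(protocol, stanza)


def effective_transmit_delay(advertisement_interval, transmit_delay=None):
    """Apply the commit-time rule for the timers: advertisement-interval must be
    at least four times transmit-delay. Returns the delay in effect, using the
    documented default (2 s when the interval is 8 s or more, else 1 s) when
    none is configured."""
    if transmit_delay is None:
        transmit_delay = 2 if advertisement_interval >= 8 else 1
    if advertisement_interval < 4 * transmit_delay:
        raise ValueError(f"advertisement-interval {advertisement_interval}s must be "
                         f">= 4 x transmit-delay {transmit_delay}s; commit would fail")
    return transmit_delay


# The two examples from the text, expressed in the model's stanza form.
LLDP_EXAMPLE = {
    "global": {"tlv-select": ["port-description", "system-description"]},
    "interfaces": {"ge-0/0/1": {"tlv-filter": ["system-name"]}},
}
LLDP_MED_EXAMPLE = {
    "global": {"tlv-select": ["location-id", "ext-power-via-mdi"]},
    "interfaces": {"ge-0/0/1": {"tlv-filter": ["network-policy"]}},
}

if __name__ == "__main__":
    for proto, cfg in (("lldp", LLDP_EXAMPLE), ("lldp-med", LLDP_MED_EXAMPLE)):
        for ifname in ("ge-0/0/0", "ge-0/0/1"):
            print(proto, ifname, sorted(advertised_tlvs(proto, cfg, ifname)))
```

Running the block prints, for each protocol, the full TLV set on ge-0/0/0 (the global tlv-select plus the mandatory three) and the filtered set on ge-0/0/1, which shows why an interface that drops one TLV still advertises everything the global stanza had excluded.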
You can also disable TLVs for the LLDP protocol. See “Configuring LLDP (CLI Procedure)” on page 616 for
more information.
SEE ALSO
Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX Series Switch | 492
Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX Series Switch with ELS Support | 522
NetBIOS snooping enables an EX Series switch to learn information about NetBIOS hosts that are connected
to the switch. The NetBIOS snooping-enabled switch extracts the host details from the NetBIOS name
registration packet and stores the details in the LLDP neighbor database. For more information, read this
topic.
NetBIOS snooping allows Juniper Networks EX Series Ethernet Switches to discover NetBIOS hosts that
are connected to the switch.
A NetBIOS name is a key element in communications between NetBIOS resources. A NetBIOS name
identifies a NetBIOS resource on the network. A NetBIOS name is either a unique (exclusive) name or a
group (nonexclusive) name. When a NetBIOS resource communicates with one other NetBIOS resource,
a unique name is used in that communication. When a NetBIOS resource communicates with multiple
resources, a group name is used.
The NetBIOS name of each NetBIOS resource is stored on the NetBIOS Name Server (NBNS). The NetBIOS
name of a NetBIOS resource is mapped to its IP address.
A NetBIOS name is a 16-byte address. The first 15 bytes contain the name and the last byte contains the
name type.
You can enable NetBIOS snooping on the switch so that the switch can identify NetBIOS resources that
are connected to it.
When a host connected to the switch initializes itself, it attempts to register its NetBIOS name by sending
a NetBIOS name registration request message. The host can opt for either a unique or a group NetBIOS
name. For a unique NetBIOS name, the host either broadcasts a NetBIOS name query message on the
local network or unicasts it to the NBNS to check whether the requested name is already being used by
another host. If so, the host that previously registered the name or the NBNS responds with a negative
name registration response. If the host receives no negative response, it broadcasts the NetBIOS name
registration packet to confirm the name. For a NetBIOS group name, the host sends a NetBIOS name
registration packet, which generates no responses from other hosts because multiple hosts can use the
same group name at the same time.
The NetBIOS snooping-enabled switch extracts the host details from the NetBIOS name registration packet
and stores the details in the LLDP neighbor database.
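To make concrete what the snooping switch extracts, here is an added Python parser for a NetBIOS name registration request laid out as RFC 1002 defines it (NBNS header, first-level encoded 16-byte name, and the NB resource record carrying the unique/group flag and the host address). It is not Juniper code: the packets are constructed inside the block, and the transaction ID and TTL are arbitrary values chosen for the sample.

```python
# Added example (not Juniper code): parse a NetBIOS name registration request as
# defined in RFC 1002 and extract the fields a NetBIOS-snooping switch records.
# The sample packets are constructed here; the transaction ID and TTL are arbitrary.
import struct

OPCODE_REGISTRATION = 0x5   # NAME REGISTRATION REQUEST opcode (RFC 1002)
FLAG_RD = 0x0100            # recursion desired
FLAG_B = 0x0010             # B bit: broadcast (0 = unicast to the NBNS)
NB_FLAGS_GROUP = 0x8000     # G bit in NB_FLAGS: 1 = group name, 0 = unique name
QTYPE_NB = 0x0020
QCLASS_IN = 0x0001


def encode_name(name, suffix):
    """First-level encode a 16-byte NetBIOS name: 15 bytes of name (space padded)
    plus the 1-byte name type (suffix). Each nibble becomes one letter A..P."""
    raw = name.upper().ljust(15).encode("ascii")[:15] + bytes([suffix])
    letters = bytearray()
    for b in raw:
        letters += bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)])
    return bytes([32]) + bytes(letters) + b"\x00"   # label length, 32 letters, root


def decode_name(letters):
    """Inverse of encode_name for the 32-letter label body."""
    raw = bytes(((letters[i] - 0x41) << 4) | (letters[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]


def build_registration(name, suffix, ipv4, group=False, broadcast=True):
    """Construct a NAME REGISTRATION REQUEST for name/suffix owned by ipv4."""
    flags = (OPCODE_REGISTRATION << 11) | FLAG_RD | (FLAG_B if broadcast else 0)
    header = struct.pack(">HHHHHH", 0x1234, flags, 1, 0, 0, 1)   # QD=1, AR=1
    question = encode_name(name, suffix) + struct.pack(">HH", QTYPE_NB, QCLASS_IN)
    nb_flags = NB_FLAGS_GROUP if group else 0
    rdata = struct.pack(">H4B", nb_flags, *(int(o) for o in ipv4.split(".")))
    # The additional record reuses the question name via a compression pointer.
    additional = struct.pack(">HHHIH", 0xC00C, QTYPE_NB, QCLASS_IN, 300000, len(rdata))
    return header + question + additional + rdata


def parse_registration(packet):
    """Return the name, name type, unique/group flag and address claimed by the host."""
    _tid, flags, qd, _an, _ns, ar = struct.unpack_from(">HHHHHH", packet, 0)
    if (flags >> 11) & 0xF != OPCODE_REGISTRATION or qd != 1 or ar != 1:
        raise ValueError("not a NetBIOS name registration request")
    if packet[12] != 32 or packet[45] != 0:
        raise ValueError("malformed NetBIOS name label")
    name, suffix = decode_name(packet[13:45])
    qtype, _qclass = struct.unpack_from(">HH", packet, 46)
    _ptr, rtype, _rclass, ttl, rdlen = struct.unpack_from(">HHHIH", packet, 50)
    if qtype != QTYPE_NB or rtype != QTYPE_NB or rdlen != 6:
        raise ValueError("registration does not carry an NB resource record")
    nb_flags, = struct.unpack_from(">H", packet, 62)
    return {
        "name": name,                                   # first 15 bytes
        "suffix": suffix,                               # 16th byte: name type
        "group": bool(nb_flags & NB_FLAGS_GROUP),       # group vs unique name
        "broadcast": bool(flags & FLAG_B),              # broadcast vs NBNS unicast
        "ttl": ttl,
        "ip": ".".join(str(b) for b in packet[64:68]),
    }


if __name__ == "__main__":
    pkt = build_registration("WORKSTN01", 0x00, "192.0.2.10")
    print(parse_registration(pkt))
```

The parser insists on exactly one question and one additional record with a 6-byte NB RDATA, so a truncated or oversized packet raises instead of yielding a half-populated neighbor entry; that is the check a snooping implementation needs before it writes anything into the neighbor database.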
NetBIOS snooping enables an EX Series switch to learn information about NetBIOS hosts that are connected
to the switch.
RELATED DOCUMENTATION
lldp | 1165
CHAPTER 10
Example: Configuring Secure Domains and Trusted Keys for DNSSEC | 638
DNSSEC Overview
Junos OS devices support the domain name service security extensions (DNSSEC) standard. DNSSEC is
an extension of DNS that provides authentication and integrity verification of data by using public-key
based signatures.
In DNSSEC, all the resource records in a DNS are signed with the private key of the zone owner. The DNS
resolver uses the public key of the owner to validate the signature. The zone owner generates a private
key to encrypt the hash of a set of resource records. The private key is stored in the RRSIG record. The
corresponding public key is stored in the DNSKEY record. The resolver uses the public key to decrypt the
RRSIG and compares the result with the hash of the resource record to verify that it has not been altered.
Similarly, the hash of the public DNSKEY is stored in a DS record in a parent zone. The zone owner generates
a private key to encrypt the hash of the public key. The private key is stored in the RRSIG record. The
resolver retrieves the DS record and its corresponding RRSIG record and public key. Using the public key,
the resolver decrypts the RRSIG record and compares the result with the hash of the public DNSKEY to
verify that it has not been altered. This establishes a chain of trust between the resolver and the name
servers.
RELATED DOCUMENTATION
DNS Overview
Example: Configuring Keys for DNSSEC | 640
Example: Configuring Secure Domains and Trusted Keys for DNSSEC | 638
IN THIS SECTION
Requirements | 636
Overview | 636
Configuration | 636
Verification | 637
This section describes how to configure the TTL value for a DNS server cache to define the period for
which DNS query results are cached.
Requirements
No special configuration beyond device initialization is required before performing this task.
Overview
The DNS name server stores DNS query responses in its cache for the TTL period specified in the TTL
field of the resource record. When the TTL value expires, the name server sends a fresh DNS query and
updates the cache. You can configure the TTL value from 0 to 604,800 seconds. You can also configure
the TTL value for cached negative responses. Negative caching is the storing of the record that a value
does not exist. In this example, you set the maximum TTL value for cached (and negative cached) responses
to 86,400 seconds.
Configuration
Step-by-Step Procedure
To configure the TTL value for a DNS server cache:
1. Specify the maximum TTL value for cached responses, in seconds. (In this example, 86400 seconds
equals 24 hours.)
[edit]
user@host# set system services dns max-cache-ttl 86400
2. Specify the maximum TTL value for negative cached responses, in seconds.
[edit]
user@host# set system services dns max-ncache-ttl 86400
[edit]
user@host# commit
Verification
To verify the configuration is working properly, enter the show system services command.
RELATED DOCUMENTATION
DNS Overview
DNS-enabled devices run a DNS resolver (proxy) that listens on loopback address 127.0.0.1 or ::1. The
DNS resolver performs hostname resolution for DNSSEC. Set the name server IP address to 127.0.0.1
or ::1 so that the DNS resolver forwards all DNS queries to DNSSEC instead of to plain DNS. If the name
server IP address is not set, plain DNS handles all queries instead of DNSSEC.
The following example shows how to set the server IP address to 127.0.0.1:
[edit]
user@host# set system name-server 127.0.0.1
The DNSSEC feature is enabled by default. You can disable DNSSEC in the server by using the following
CLI command:
[edit]
set system services dns dnssec disable
IN THIS SECTION
Requirements | 638
Overview | 638
Configuration | 639
This example shows how to configure secure domains and trusted keys for DNSSEC.
Requirements
Set the name server IP address so the DNS resolver forwards all DNS queries to DNSSEC instead of DNS.
See “Example: Configuring DNSSEC” on page 637 for more information.
Overview
You can configure secure domains and assign trusted keys to the domains. Both signed and unsigned
responses can be validated when DNSSEC is enabled.
When you configure a domain as a secure domain and if DNSSEC is enabled, all unsigned responses to
that domain are ignored and the server returns a SERVFAIL error code to the client for the unsigned
responses. If the domain is not configured as a secure domain, unsigned responses will be accepted.
When the server receives a signed response, it checks if the DNSKEY in the response matches any of the
trusted keys that are configured. If it finds a match, the server accepts the signed response.
You can also attach a DNS root zone as a trusted anchor to a secure domain to validate the signed responses.
When the server receives a signed response, it queries the DNS root zone for a DS record. When it receives
the DS record, it checks if the DNSKEY in the DS record matches the DNSKEY in the signed response. If
it finds a match, the server accepts the signed response.
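The two acceptance paths above (a trusted key configured locally, or a DS record fetched from the parent zone) are easiest to see in code. The following Python block is an added example, not Juniper code: it computes the RFC 4034 key tag and SHA-256 DS digest that bind a child DNSKEY to its parent's DS record, and then applies the secure-domain and trusted-key rules from this overview to decide between accepting a response and returning SERVFAIL. The DNSKEY public-key bytes are a constructed stand-in, not a real key, and the outcome for a signed response that matches neither a trusted key nor the parent DS (treated as unvalidated) is an assumption made here, since the text does not state it.

```python
# Added example (not Juniper code): how a DS record in the parent zone binds a
# child DNSKEY (RFC 4034 key tag and SHA-256 digest), and how the secure-domain
# and trusted-key rules above decide whether a response is accepted.
# The DNSKEY public key bytes used below are a constructed stand-in, not a real key.
import hashlib
import struct


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: flags (257 = KSK), protocol (always 3), algorithm, key."""
    return struct.pack(">HBB", flags, 3, algorithm) + public_key


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except the retired
    RSA/MD5); DS and RRSIG records cite it to select a DNSKEY."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata):
    """DS digest type 2: SHA-256 over owner-name wire form + DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()


def make_ds(owner, rdata):
    """What the parent zone publishes for the child's key: (key tag, digest)."""
    return key_tag(rdata), ds_digest(owner, rdata)


def ds_matches(owner, rdata, ds):
    """True when the parent's DS record binds exactly this DNSKEY."""
    tag, digest = ds
    return key_tag(rdata) == tag and ds_digest(owner, rdata) == digest.lower()


def validate_response(qname, response, secure_domains, trusted_keys, parent_ds=None):
    """Apply the rules in this section.

    response: {'signed': bool, 'dnskey': (owner, rdata)} for a signed answer.
    trusted_keys: set of (owner, rdata) configured under trusted-keys.
    parent_ds: (key tag, digest) retrieved from the parent zone, if any.
    Returns 'accept' or 'SERVFAIL'. A signed answer matching neither a trusted
    key nor the parent DS is treated as unvalidated (assumption made here).
    """
    q = qname.rstrip(".").lower()
    secure = any(q == d or q.endswith("." + d)
                 for d in (s.rstrip(".").lower() for s in secure_domains))
    if not response.get("signed"):
        # Unsigned: rejected only for domains configured as secure.
        return "SERVFAIL" if secure else "accept"
    owner, rdata = response["dnskey"]
    if (owner.lower(), rdata) in {(o.lower(), r) for o, r in trusted_keys}:
        return "accept"                    # DNSKEY equals a configured trusted key
    if parent_ds is not None and ds_matches(owner, rdata, parent_ds):
        return "accept"                    # DNSKEY hash equals the parent's DS record
    return "SERVFAIL" if secure else "accept"


if __name__ == "__main__":
    rd = dnskey_rdata(257, 8, b"\x01\x02\x03\x04")      # constructed stand-in key
    print("key tag", key_tag(rd), "DS", make_ds("domain1.net", rd))
```

Note that ds_matches compares both the tag and the digest: the 16-bit tag alone is only a selector and collides easily, so a resolver that stopped at the tag would accept a key the parent never vouched for.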
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any
line breaks, change any details necessary to match your network configuration, copy and paste the
commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
Step-by-Step Procedure
To configure secure domains and trusted keys for DNSSEC:
[edit]
user@host# set system services dns dnssec secure-domains domain1.net
user@host# set system services dns dnssec secure-domains domain2.net
[edit]
user@host# set system services dns dnssec trusted-keys key "domain1.net.ABC123ABCh"
[edit]
user@host# set system services dns dnssec dlv domain domain2.net trusted-anchor dlv.isc.org
Results
From configuration mode, confirm your configuration by entering the show system services command. If
the output does not display the intended configuration, repeat the configuration instructions in this example
to correct it.
dns {
dnssec {
trusted-keys {
If you are done configuring the device, enter commit from configuration mode.
You can load a public key from a file or you can copy and paste the key file from a terminal. In both cases,
you must save the keys to the configuration instead of to a file. The following example shows how to load
a key from a file:
The following example explains how to load the key from a terminal:
If you are done loading the keys from the file or terminal, click commit in the CLI editor.
A dynamic name system (DNS) proxy allows clients to use an SRX300, SRX320, SRX340, SRX345, SRX550M,
or SRX1500 device as a DNS proxy server. A DNS proxy improves domain lookup performance by caching
previous lookups. A typical DNS proxy processes DNS queries by issuing a new DNS resolution query to
each name server that it has detected until the hostname is resolved.
When a DNS query is resolved by a DNS proxy, the result is stored in the device's DNS cache. This stored
cache helps the device to resolve subsequent queries from the same domain and avoid network latency
delay.
NOTE: If the proxy cache is not available, the device sends the query to the configured DNS
server, which results in network latency delays.
DNS proxy maintains a cache entry for each resolved DNS query. These entries have a time-to-live (TTL)
timer, so the device purges each entry from the cache when its TTL expires. You can clear the
cache by using the clear system services dns-proxy cache command, or let entries expire automatically
when their TTL reaches zero.
The split DNS proxy feature allows you to configure your proxy server to split the DNS query based on
both the interface and the domain name. You can also configure a set of name servers and associate them
with a given domain name. When you query that domain name, the device sends the DNS queries only to
those name servers that are configured for that domain name, to ensure localization of DNS queries.
You can configure the transport method used to resolve a given domain name—for example, when the
device connects to the corporate network through an IPsec VPN or any other secure tunnel. When you
configure a secure VPN tunnel to transport the domain names belonging to the corporate network, the
DNS resolution queries are not leaked to the ISP DNS server and are contained within the corporate
network.
You can also configure a default domain (*) and a set of name servers under it to resolve DNS queries
for domains that have no name server configured.
Each DNS proxy must be associated with an interface. If an interface has no DNS proxy configuration, all
the DNS queries received on that interface are dropped.
Figure 31 on page 643 shows how the split DNS proxy works in a corporate network.
In the corporate network shown in Figure 31 on page 643, a PC client that points to the SRX Series device
as its DNS server makes two queries: to www.your-isp.com and to www.intranet.com. The DNS proxy
redirects the www.intranet.com query to the www.intranet.com DNS server (203.0.113.253), while the
www.your-isp.com query is redirected to the ISP DNS server (209.100.3.130). Although the query for
www.your-isp.com is sent to the ISP DNS server as a regular DNS query using clear text protocols
(TCP/UDP), the query for the www.intranet.com domain goes to the intranet’s DNS servers over a secure
VPN tunnel.
• Domain lookups are usually more efficient. For example, DNS queries meant for a corporate domain
(such as acme.com) can go to the corporate DNS server exclusively, while all others go to the ISP DNS
server. Splitting DNS lookups reduces the load on the corporate server and can also prevent corporate
domain information from leaking onto the Internet.
• A DNS proxy allows you to transmit selected DNS queries through a tunnel interface, which prevents
malicious users from learning about the internal configuration of a network. For example, DNS queries
bound for the corporate server can pass through a tunnel interface to use security features such as
authentication and encryption.
Dynamic DNS (DDNS) allows clients to dynamically update IP addresses for registered domain names.
This feature is useful when an ISP uses Point-to-Point Protocol (PPP), Dynamic Host Configuration Protocol
(DHCP), or external authentication (XAuth) to dynamically change the IP address for a customer premises
equipment (CPE) router (such as a security device) that protects a Web server. Internet clients can reach
the Web server by using a domain name even if the IP address of the security device has previously changed
dynamically.
A DDNS server maintains a list of the dynamically changed addresses and their associated domain names.
The device updates these DDNS servers with this information periodically or in response to IP address
changes. The Junos OS DDNS client supports popular DDNS servers such as dyndns.org and ddo.jp.
The IP address of the internal Web server is translated by Network Address Translation (NAT) to the IP
address of the untrust zone interface on the device. The hostname abc-host.com is registered with the
DDNS server and is associated with the IP address of the device’s untrust zone interface, which is monitored
by the DDNS client on the device. When the IP address of abc-host.com is changed, the DDNS server is
informed of the new address.
If a client in the network shown in Figure 32 on page 645 needs to access abc-host.com, the client queries
the DNS servers on the Internet. When the query reaches the DDNS server, it resolves the request and
provides the client with the latest IP address of abc-host.com.
The Junos operating system (Junos OS) incorporates domain name system (DNS) support, which allows
you to use domain names as well as IP addresses for identifying locations. A DNS server keeps a table of
the IP addresses associated with domain names. Using DNS enables an SRX300, SRX320, SRX340, SRX345,
SRX550M, or SRX1500 device to reference locations by domain name (such as www.example.net) in
addition to using the routable IP address.
• DNS proxy cache—The device proxies hostname resolution requests on behalf of the clients behind the
SRX Series device. DNS proxy improves domain lookup performance by using caching.
• Split DNS—The device redirects DNS queries over a secure connection to a specified DNS server in the
private network. Split DNS prevents malicious users from learning the network configuration, and thus
also prevents domain information leaks. Once configured, split DNS operates transparently.
• Dynamic DNS (DDNS) client—Servers protected by the device remain accessible despite dynamic IP
address changes. For example, a protected Web server continues to be accessible with the same hostname,
even after its dynamic IP address is changed because of address reassignment by the Internet service
provider (ISP) through the Dynamic Host Configuration Protocol (DHCP) or Point-to-Point Protocol (PPP).
To configure the device as a DNS proxy, you enable DNS on a logical interface and configure DNS proxy
servers. Configuring a static cache enables branch office and corporate devices to use hostnames to
communicate. Configuring dynamic DNS (DDNS) clients allows IP address changes.
Perform the following procedure to configure the device as a DNS proxy server by enabling DNS proxy
on a logical interface—for example, ge-2/0/0.0—and configuring a set of name servers that are to be used
for resolving the specified domain names. You can specify a default domain name by using an asterisk (*)
and then configure a set of name servers for resolution. Use this approach when you need global name
servers to resolve domain name entries that do not have a specific name server configured.
[edit]
user@host# set system services dns dns-proxy interface ge-0/0/3.0
[edit]
user@host# set system services dns forwarders 192.0.2.0
[edit]
user@host# commit
[edit]
user@host# set system services dns dns-proxy interface ge-2/0/0.0
• Configure a view for split DNS and specify the internal client subnet (match-clients) whose DNS queries
the view handles.
[edit]
user@host# set system services dns dns-proxy view internal match-clients 1.1.1.0/24
• Specify the internal domain names and the forwarder IP address to which queries for each domain are
sent.
[edit]
user@host# set system services dns dns-proxy view internal domain aa.internal.com forwarders 1.1.1.1
user@host# set system services dns dns-proxy view internal domain bb.internal.com forwarders 2.2.2.2
• Configure a view for split DNS and specify the external client subnet (match-clients) whose DNS queries
the view handles.
[edit]
user@host# set system services dns dns-proxy view external match-clients 11.1.1.0/24
• Specify the external domain names and the forwarder IP address to which queries for each domain are
sent.
[edit]
user@host# set system services dns dns-proxy view external domain aa.external.com forwarders 3.3.3.3
user@host# set system services dns dns-proxy view external domain bb.external.com forwarders 4.4.4.4
[edit]
user@host# commit
• Configure DNS proxy static cache entries that specify each host's IPv4 address.
[edit]
user@host# set system services dns dns-proxy cache aa.example.net inet 10.10.10.10
user@host# set system services dns dns-proxy cache bb.example.net inet 20.20.20.20
[edit]
user@host# commit
• Enable the dynamic DNS client.
[edit]
user@host# set system services dynamic-dns client abc.com agent juniper interface ge-2/0/0.0 username test password test123
[edit]
user@host# set system services dynamic-dns client abc.com agent juniper interface ge-2/0/0.0 username test password test123 server ddo
user@host# set system services dynamic-dns client abc.com agent juniper interface ge-2/0/0.0 username test password test123 server dyndns
[edit]
user@host# commit
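To make the dispatch logic of the split-DNS proxy configured above concrete, here is an added example (not code from this guide or from Junos itself) that parses those set statements and reports which forwarder or cache entry would serve a query from a given client. The evaluation order it uses (static cache, then the client's view and its most specific domain forwarder, then the global forwarders) and the helper names are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed input: the set statements from the procedure above, one per line.
SET_COMMANDS = """
set system services dns dns-proxy interface ge-2/0/0.0
set system services dns forwarders 192.0.2.0
set system services dns dns-proxy view internal match-clients 1.1.1.0/24
set system services dns dns-proxy view internal domain aa.internal.com forwarders 1.1.1.1
set system services dns dns-proxy view internal domain bb.internal.com forwarders 2.2.2.2
set system services dns dns-proxy view external match-clients 11.1.1.0/24
set system services dns dns-proxy view external domain aa.external.com forwarders 3.3.3.3
set system services dns dns-proxy view external domain bb.external.com forwarders 4.4.4.4
set system services dns dns-proxy cache aa.example.net inet 10.10.10.10
set system services dns dns-proxy cache bb.example.net inet 20.20.20.20
"""


@dataclass
class View:
    # One dns-proxy view: the client prefixes it serves and its per-domain forwarders.
    name: str
    match_clients: List[ipaddress.IPv4Network] = field(default_factory=list)
    domain_forwarders: Dict[str, str] = field(default_factory=dict)


@dataclass
class DnsProxyConfig:
    interfaces: List[str] = field(default_factory=list)
    global_forwarders: List[str] = field(default_factory=list)
    static_cache: Dict[str, str] = field(default_factory=dict)
    views: Dict[str, View] = field(default_factory=dict)


def _norm(name: str) -> str:
    """Lower-case a DNS name and drop any trailing dot so lookups compare exactly."""
    return name.lower().rstrip(".")


def parse_set_commands(text: str) -> DnsProxyConfig:
    """Build a DnsProxyConfig from 'set system services dns ...' statements."""
    cfg = DnsProxyConfig()
    for raw in text.strip().splitlines():
        tok = raw.split()
        if tok[:4] != ["set", "system", "services", "dns"]:
            raise ValueError(f"not a system services dns statement: {raw}")
        rest = tok[4:]
        if rest[:1] == ["forwarders"] and len(rest) == 2:
            cfg.global_forwarders.append(rest[1])
        elif rest[:2] == ["dns-proxy", "interface"] and len(rest) == 3:
            cfg.interfaces.append(rest[2])
        elif rest[:2] == ["dns-proxy", "cache"] and len(rest) == 5 and rest[3] == "inet":
            cfg.static_cache[_norm(rest[2])] = rest[4]
        elif rest[:2] == ["dns-proxy", "view"] and len(rest) >= 5:
            view = cfg.views.setdefault(rest[2], View(rest[2]))
            if rest[3] == "match-clients" and len(rest) == 5:
                view.match_clients.append(ipaddress.ip_network(rest[4]))
            elif rest[3] == "domain" and len(rest) == 7 and rest[5] == "forwarders":
                view.domain_forwarders[_norm(rest[4])] = rest[6]
            else:
                raise ValueError(f"unsupported view statement: {raw}")
        else:
            raise ValueError(f"unsupported statement: {raw}")
    return cfg


def _domain_forwarder(view: View, qname: str) -> Optional[str]:
    """Forwarder of the most specific configured domain equal to, or a parent of, qname."""
    best: Optional[Tuple[str, str]] = None
    for domain, fwd in view.domain_forwarders.items():
        if qname == domain or qname.endswith("." + domain):
            if best is None or len(domain) > len(best[0]):
                best = (domain, fwd)
    return best[1] if best else None


def resolve(cfg: DnsProxyConfig, client_ip: str, qname: str) -> Tuple[str, str, str]:
    """Return (action, target, source) describing how the proxy would serve the query.

    Assumed order: static cache, then the first view whose match-clients prefix
    contains the client and that view's domain forwarders, then the global
    forwarders.  A client outside a view never reaches that view's forwarders.
    """
    qname = _norm(qname)
    if qname in cfg.static_cache:
        return ("answer", cfg.static_cache[qname], "cache")
    client = ipaddress.ip_address(client_ip)
    for view in cfg.views.values():
        if any(client in net for net in view.match_clients):
            fwd = _domain_forwarder(view, qname)
            if fwd is not None:
                return ("forward", fwd, "view " + view.name)
            break  # first matching view decides; fall through to the global forwarders
    if cfg.global_forwarders:
        return ("forward", cfg.global_forwarders[0], "global forwarders")
    return ("refuse", "", "no forwarder configured")
```

Note that a client in the external view asking for aa.internal.com is sent to the global forwarder, not to 1.1.1.1, which is the isolation the two views provide.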
RELATED DOCUMENTATION
Permission Flags
access | 652
access-control | 657
admin | 658
admin-control | 664
all-control | 665
clear | 666
configure | 767
control | 768
field | 769
firewall | 770
firewall-control | 775
floppy | 776
flow-tap | 777
flow-tap-control | 782
flow-tap-operation | 783
idp-profiler-operation | 784
interface | 784
interface-control | 790
maintenance | 791
network | 804
pgcp-session-mirroring | 807
pgcp-session-mirroring-control | 812
reset | 812
rollback | 814
routing | 814
routing-control | 825
secret | 831
secret-control | 837
security | 839
security-control | 849
shell | 854
snmp | 855
snmp-control | 860
system | 861
system-control | 869
trace | 871
trace-control | 883
view | 890
view-configuration | 1040
access
Commands
clear unified-edge
clear unified-edge ggsn-pgw
clear unified-edge ggsn-pgw aaa
clear unified-edge ggsn-pgw aaa radius
clear unified-edge ggsn-pgw aaa radius statistics
<clear-mobile-gateway-aaa-radius-statistics>
clear unified-edge ggsn-pgw aaa statistics
<clear-mobile-gateway-aaa-statistics>
clear unified-edge ggsn-pgw address-assignment
clear unified-edge ggsn-pgw address-assignment pool
<clear-mobile-gateway-sm-ippool-pool-sessions>
clear unified-edge ggsn-pgw address-assignment statistics
<clear-mobile-gateway-sm-ippool-statistics>
clear unified-edge ggsn-pgw call-admission-control
clear unified-edge ggsn-pgw call-admission-control statistics
<clear-mobile-gateway-cac-statistics>
clear unified-edge ggsn-pgw charging
clear unified-edge ggsn-pgw charging cdr
<clear-mobile-gateway-charging-clear-cdr>
clear unified-edge ggsn-pgw charging cdr wfa
<clear-mobile-gateway-charging-clear-cdr-wfa>
clear unified-edge ggsn-pgw charging local-persistent-storage
clear unified-edge ggsn-pgw charging local-persistent-storage statistics
<clear-mobile-gateway-charging-clear-lps-stats>
clear unified-edge ggsn-pgw charging path
clear unified-edge ggsn-pgw charging path statistics
<clear-mobile-gateway-charging-clear-path-stats>
clear unified-edge ggsn-pgw charging transfer
clear unified-edge ggsn-pgw charging transfer statistics
<clear-mobile-gateway-charging-clear-xfer-stats>
clear unified-edge ggsn-pgw diameter
clear unified-edge ggsn-pgw diameter dcca-gy
clear unified-edge ggsn-pgw diameter dcca-gy statistics
<clear-mobile-gateway-aaa-diam-stats-gy>
clear unified-edge ggsn-pgw diameter network-element
<get-mobile-gateways-sgw-call-trace-stop-information>
request unified-edge tdf
request unified-edge tdf call-trace
request unified-edge tdf call-trace clear
<get-mobile-gateways-tdf-call-trace-clear>
request unified-edge tdf call-trace show
<get-mobile-gateways-tdf-call-trace-information>
request unified-edge tdf call-trace start
<get-mobile-gateways-tdf-call-trace-start-information>
request unified-edge tdf call-trace stop
<get-mobile-gateways-tdf-call-trace-stop-information>
[edit access]
[edit access diameter]
[edit access ppp-options]
[edit access radius]
[edit dynamic-profile]
[edit logical-systems access]
[edit logical-systems routing-instances instance system services
static-subscribers access-profile]
[edit logical-systems routing-instances instance system services
static-subscribers dynamic-profile]
[edit logical-systems routing-instances instance system services
static-subscribers group access-profile]
[edit logical-systems routing-instances instance system services
static-subscribers group dynamic-profile]
[edit logical-systems system services static-subscribers access-profile]
[edit logical-systems system services static-subscribers dynamic-profile]
[edit logical-systems system services static-subscribers group access-profile]
[edit logical-systems system services static-subscribers group dynamic-profile]
[edit routing-instances instance system services static-subscribers
access-profile]
[edit routing-instances instance system services static-subscribers
dynamic-profile]
[edit routing-instances instance system services static-subscribers group
access-profile]
[edit routing-instances instance system services static-subscribers group
dynamic-profile]
RELATED DOCUMENTATION
access-control
Can view access configuration information. Can edit access configuration at the [edit access], [edit
logical-systems], [edit routing-instances], and [edit system services] hierarchy levels.
[edit access]
[edit access ppp-options]
[edit dynamic-profile]
[edit logical-systems access]
[edit logical-systems routing-instances instance system services
static-subscribers access-profile]
[edit logical-systems routing-instances instance system services
static-subscribers dynamic-profile]
[edit logical-systems routing-instances instance system services
RELATED DOCUMENTATION
admin
Commands
clear unified-edge
clear unified-edge ggsn-pgw
clear unified-edge ggsn-pgw aaa
clear unified-edge ggsn-pgw aaa radius
clear unified-edge ggsn-pgw aaa radius statistics
<clear-mobile-gateway-aaa-radius-statistics>
clear unified-edge ggsn-pgw aaa statistics
<clear-mobile-gateway-aaa-statistics>
clear unified-edge ggsn-pgw address-assignment
clear unified-edge ggsn-pgw address-assignment pool
<clear-mobile-gateway-sm-ippool-pool-sessions>
clear unified-edge ggsn-pgw address-assignment statistics
<clear-mobile-gateway-sm-ippool-statistics>
clear unified-edge ggsn-pgw call-admission-control
clear unified-edge ggsn-pgw call-admission-control statistics
<clear-mobile-gateway-cac-statistics>
clear unified-edge ggsn-pgw charging
clear unified-edge ggsn-pgw charging cdr
<clear-mobile-gateway-charging-clear-cdr>
clear unified-edge ggsn-pgw charging cdr wfa
<clear-mobile-gateway-charging-clear-cdr-wfa>
clear unified-edge ggsn-pgw charging local-persistent-storage
clear unified-edge ggsn-pgw charging local-persistent-storage statistics
<clear-mobile-gateway-charging-clear-lps-stats>
clear unified-edge ggsn-pgw charging path
clear unified-edge ggsn-pgw charging path statistics
<clear-mobile-gateway-charging-clear-path-stats>
clear unified-edge ggsn-pgw charging transfer
clear unified-edge ggsn-pgw charging transfer statistics
<clear-mobile-gateway-charging-clear-xfer-stats>
clear unified-edge ggsn-pgw diameter
clear unified-edge ggsn-pgw diameter dcca-gy
clear unified-edge ggsn-pgw diameter dcca-gy statistics
<clear-mobile-gateway-aaa-diam-stats-gy>
clear unified-edge ggsn-pgw diameter network-element
clear unified-edge ggsn-pgw diameter network-element statistics
<clear-mobile-gateway-aaa-diam-ne-statistics>
clear unified-edge ggsn-pgw diameter pcc-gx
clear unified-edge ggsn-pgw diameter pcc-gx statistics
<clear-mobile-gateway-aaa-diam-stats-gx>
clear unified-edge ggsn-pgw diameter peer
clear unified-edge ggsn-pgw diameter peer statistics
<clear-mobile-gateway-aaa-diam-peer-statistics>
clear unified-edge ggsn-pgw gtp
clear unified-edge ggsn-pgw gtp peer
clear unified-edge ggsn-pgw gtp peer statistics
<clear-mobile-gateway-gtp-peer-statistics>
clear unified-edge ggsn-pgw gtp statistics
<clear-mobile-gateway-gtp-statistics>
clear unified-edge ggsn-pgw ip-reassembly
clear unified-edge ggsn-pgw ip-reassembly statistics
<clear-mobile-gateways-ip-reassembly-statistics>
clear unified-edge ggsn-pgw statistics
<clear-mobile-gateway-statistics>
clear unified-edge ggsn-pgw subscribers
<clear-mobile-gateway-subscribers>
clear unified-edge ggsn-pgw subscribers bearer
clear unified-edge ggsn-pgw subscribers charging
<clear-mobile-gateway-subscribers-charging>
clear unified-edge ggsn-pgw subscribers peer
<clear-mobile-gateway-subscribers-peer>
clear unified-edge sgw
clear unified-edge sgw call-admission-control
clear unified-edge sgw call-admission-control statistics
<clear-mobile-sgw-cac-statistics>
clear unified-edge sgw charging
clear unified-edge sgw charging cdr
<clear-mobile-gateway-sgw-charging-clear-cdr>
clear unified-edge sgw charging cdr wfa
<clear-mobile-gateway-sgw-charging-clear-cdr-wfa>
clear unified-edge sgw charging local-persistent-storage
clear unified-edge sgw charging local-persistent-storage statistics
<clear-mobile-gateway-sgw-charging-clear-lps-stats>
clear unified-edge sgw charging path
clear unified-edge sgw charging path statistics
<clear-mobile-gateway-sgw-charging-clear-path-stats>
clear unified-edge sgw charging transfer
clear unified-edge sgw charging transfer statistics
<clear-mobile-gateway-sgw-charging-clear-xfer-stats>
clear unified-edge sgw gtp
clear unified-edge sgw gtp peer
clear unified-edge sgw gtp peer statistics
<clear-mobile-sgw-gtp-peer-statistics>
clear unified-edge sgw gtp statistics
<clear-mobile-sgw-gtp-statistics>
clear unified-edge sgw idle-mode-buffering
clear unified-edge sgw idle-mode-buffering statistics
<clear-mobile-gw-sgw-idle-mode-buffering-statistics>
clear unified-edge sgw ip-reassembly
clear unified-edge sgw ip-reassembly statistics
<clear-mobile-gateways-sgw-ip-reassembly-statistics-sgw>
clear unified-edge sgw statistics
<clear-mobile-sgw-statistics>
clear unified-edge sgw subscribers
<clear-mobile-sgw-subscribers>
clear unified-edge sgw subscribers charging
<clear-mobile-sgw-subscribers-charging>
clear unified-edge sgw subscribers peer
<clear-mobile-sgw-subscribers-peer>
clear unified-edge tdf
clear unified-edge tdf aaa
clear unified-edge tdf aaa radius
clear unified-edge tdf aaa radius client
clear unified-edge tdf aaa radius client statistics
<clear-radius-client-statistics>
clear unified-edge tdf aaa radius network-element
clear unified-edge tdf aaa radius network-element statistics
<clear-radius-network-element-statistics>
clear unified-edge tdf aaa radius server
clear unified-edge tdf aaa radius server statistics
<clear-radius-server-statistics>
clear unified-edge tdf aaa radius snoop-segment
clear unified-edge tdf aaa radius snoop-segment statistics
<clear-radius-snoop-segment-statistics>
clear unified-edge tdf aaa statistics
<clear-tdf-gateway-aaa-statistics>
clear unified-edge tdf address-assignment
clear unified-edge tdf address-assignment pool
<clear-mobile-gateway-tdf-sm-ippool-pool-sessions>
clear unified-edge tdf address-assignment statistics
<clear-mobile-gateway-tdf-sm-ippool-statistics>
clear unified-edge tdf call-admission-control
clear unified-edge tdf call-admission-control statistics
<clear-tdf-cac-statistics>
clear unified-edge tdf diameter
clear unified-edge tdf diameter network-element
RELATED DOCUMENTATION
Example: Configuring User Permissions with Access Privileges for Operational Mode Commands | 111
Example: Configuring User Permissions with Access Privileges for Configuration Statements and
Hierarchies | 126
admin-control | 664
admin-control
Can view user account information and configure it at the [edit system] hierarchy level.
Commands
RELATED DOCUMENTATION
Example: Configuring User Permissions with Access Privileges for Operational Mode Commands | 111
Example: Configuring User Permissions with Access Privileges for Configuration Statements and
Hierarchies | 126
admin | 658
all-control
Can access all operational mode commands and configuration mode commands. Can modify configuration
in all the configuration hierarchy levels.
Commands
RELATED DOCUMENTATION
clear
Can clear (delete) information learned from the network that is stored in various network databases.
Commands
clear
clear access-security
clear access-security router-advertisement-entries
<clear-as-router-advetisement-entry>
clear amt
clear amt statistics
<clear-amt-statistics>
clear amt tunnel
<clear-amt-tunnel>
clear amt tunnel gateway-address
<clear-amt-tunnel-gateway-address>
clear amt tunnel statistics
<clear-amt-tunnel-statistics>
clear amt tunnel statistics gateway-address
<clear-amt-tunnel-gateway-address-statistics>
clear amt tunnel statistics tunnel-interface
<clear-amt-tunnel-interface-statistics>
clear amt tunnel tunnel-interface
<clear-amt-tunnel-interface>
clear ancp
clear ancp neighbor
<clear-ancp-neighbor-connection>
clear ancp statistics
<clear-ancp-statistics>
clear ancp subscriber
<clear-ancp-subscriber-connection>
clear-appqos-counter
<clear-appqos-rate-limiters-statistics>
clear-appqos-rate-limiter-statistics
clear-appqos-rule-statistics
clear arp
<clear-arp-table>
clear auto-configuration
clear auto-configuration interfaces
<clear-auto-configuration-interfaces>
clear bfd
clear bfd adaptation
<clear-bfd-adaptation-information>
clear bfd adaptation address
<clear-bfd-adaptation-address>
clear bfd adaptation discriminator
<clear-bfd-adaptation-discriminator>
clear bfd session
<clear-bfd-session-information>
clear bfd session address
<clear-bfd-session-address>
clear bfd session discriminator
<clear-bfd-session-discriminator>
clear bgp
clear bgp damping
<clear-bgp-damping>
clear bgp neighbor
<clear-bgp-neighbor>
clear bgp table
<clear-bgp-table>
clear bridge
clear bridge evpn
clear bridge evpn arp-table
<clear-bridge-evpn-arp-table>
clear bridge evpn nd-table
<clear-bridge-evpn-nd-table>
clear bridge mac-table
<clear-bridge-mac-table>
clear bridge mac-table interface
<clear-bridge-interface-mac-table>
clear bridge recovery-timeout
<clear-bridge-recovery>
clear bridge recovery-timeout interface
<clear-bridge-recovery-interface>
clear bridge satellite
clear bridge satellite logging
<clear-satellite-control-logging>
clear bridge satellite vlan-auto-sense
<clear-satellite-control-plane-vlan-auto-sense>
clear captive-portal
clear captive-portal firewall
<clear-captive-portal-firewall>
<clear-ddos-garp-reply-aggregate-statistics>
clear ddos-protection protocols garp-reply culprit-flows
<clear-ddos-garp-reply-flows>
clear ddos-protection protocols garp-reply states
<clear-ddos-garp-reply-states>
clear ddos-protection protocols garp-reply statistics
<clear-ddos-garp-reply-statistics>
clear ddos-protection protocols gre hbc
clear ddos-protection protocols gre hbc culprit-flows
<clear-ddos-gre-hbc-flows>
clear ddos-protection protocols gre hbc states
<clear-ddos-gre-hbc-states>
clear ddos-protection protocols gre hbc statistics
<clear-ddos-gre-hbc-statistics>
clear ddos-protection protocols gre punt
clear ddos-protection protocols gre punt culprit-flows
<clear-ddos-gre-punt-flows>
clear ddos-protection protocols gre punt states
<clear-ddos-gre-punt-states>
clear ddos-protection protocols gre punt statistics
<clear-ddos-gre-punt-statistics>
clear ddos-protection protocols ipmc-reserved
clear ddos-protection protocols ipmc-reserved aggregate
clear ddos-protection protocols ipmc-reserved aggregate culprit-flows
<clear-ddos-ipmc-reserved-aggregate-flows>
clear ddos-protection protocols ipmc-reserved aggregate states
<clear-ddos-ipmc-reserved-aggregate-states>
clear ddos-protection protocols ipmc-reserved aggregate statistics
<clear-ddos-ipmc-reserved-aggregate-statistics>
clear ddos-protection protocols ipmc-reserved culprit-flows
<clear-ddos-ipmc-reserved-flows>
clear ddos-protection protocols ipmc-reserved states
<clear-ddos-ipmc-reserved-states>
clear ddos-protection protocols ipmc-reserved statistics
<clear-ddos-ipmc-reserved-statistics>
clear ddos-protection protocols ipmcast-miss
clear ddos-protection protocols ipmcast-miss aggregate
clear ddos-protection protocols ipmcast-miss aggregate culprit-flows
<clear-ddos-ipmcast-miss-aggregate-flows>
clear ddos-protection protocols ipmcast-miss aggregate states
<clear-ddos-ipmcast-miss-aggregate-states>
clear ddos-protection protocols ipmcast-miss aggregate statistics
<clear-ddos-ipmcast-miss-aggregate-statistics>
clear ddos-protection protocols ipmcast-miss culprit-flows
<clear-ddos-ipmcast-miss-flows>
clear ddos-protection protocols ipmcast-miss states
<clear-ddos-ipmcast-miss-states>
clear ddos-protection protocols ipmcast-miss statistics
<clear-ddos-ipmcast-miss-statistics>
clear ddos-protection protocols l3dest-miss
clear ddos-protection protocols l3dest-miss aggregate
clear ddos-protection protocols l3dest-miss aggregate culprit-flows
<clear-ddos-l3dest-miss-aggregate-flows>
clear ddos-protection protocols l3dest-miss aggregate states
<clear-ddos-l3dest-miss-aggregate-states>
clear ddos-protection protocols l3dest-miss aggregate statistics
<clear-ddos-l3dest-miss-aggregate-statistics>
clear ddos-protection protocols l3dest-miss culprit-flows
<clear-ddos-l3dest-miss-flows>
clear ddos-protection protocols l3dest-miss states
<clear-ddos-l3dest-miss-states>
clear ddos-protection protocols l3dest-miss statistics
<clear-ddos-l3dest-miss-statistics>
clear ddos-protection protocols l3mc-sgv-hit-icl
clear ddos-protection protocols l3mc-sgv-hit-icl aggregate
clear ddos-protection protocols l3mc-sgv-hit-icl aggregate culprit-flows
<clear-ddos-l3mc-sgv-hit-icl-aggregate-flows>
clear ddos-protection protocols l3mc-sgv-hit-icl aggregate states
<clear-ddos-l3mc-sgv-hit-icl-aggregate-states>
clear ddos-protection protocols l3mc-sgv-hit-icl aggregate statistics
<clear-ddos-l3mc-sgv-hit-icl-aggregate-statistics>
clear ddos-protection protocols l3mc-sgv-hit-icl culprit-flows
<clear-ddos-l3mc-sgv-hit-icl-flows>
clear ddos-protection protocols l3mc-sgv-hit-icl states
<clear-ddos-l3mc-sgv-hit-icl-states>
clear ddos-protection protocols l3mc-sgv-hit-icl statistics
<clear-ddos-l3mc-sgv-hit-icl-statistics>
clear ddos-protection protocols l3mtu-fail
clear ddos-protection protocols l3mtu-fail aggregate
clear ddos-protection protocols l3mtu-fail aggregate culprit-flows
<clear-ddos-l3mtu-fail-aggregate-flows>
clear ddos-protection protocols l3mtu-fail aggregate states
<clear-ddos-l3mtu-fail-aggregate-states>
clear-ddos-dhcpv6-confirm-states
clear-ddos-dhcpv6-confirm-statistics
clear-ddos-dhcpv6-decline-states
clear-ddos-dhcpv6-decline-statistics
clear-ddos-dhcpv6-info-req-states
clear-ddos-dhcpv6-info-req-statistics
clear-ddos-dhcpv6-leaseq-da-states
clear-ddos-dhcpv6-leasequery-states
clear-ddos-dhcpv6-leasequery-statistics
clear ddos-protection protocols dhcpv6 leasequery-done
clear ddos-protection protocols dhcpv6 leasequery-done states
clear-ddos-dhcpv6-leaseq-do-states
clear ddos-protection protocols dhcpv6 leasequery-done statistics
clear-ddos-dhcpv6-leaseq-do-statistics
clear ddos-protection protocols dhcpv6 leasequery-reply
clear ddos-protection protocols dhcpv6 leasequery-reply states
clear-ddos-dhcpv6-leaseq-re-states
clear ddos-protection protocols dhcpv6 leasequery-reply statistics
clear-ddos-dhcpv6-leaseq-re-statistics
clear ddos-protection protocols dhcpv6 rebind
clear ddos-protection protocols dhcpv6 rebind states
clear-ddos-dhcpv6-rebind-states
clear ddos-protection protocols dhcpv6 rebind statistics
clear-ddos-dhcpv6-rebind-statistics
clear ddos-protection protocols dhcpv6 reconfigure
clear ddos-protection protocols dhcpv6 reconfigure states
clear-ddos-dhcpv6-reconfig-states
clear ddos-protection protocols dhcpv6 reconfigure statistics
clear-ddos-dhcpv6-reconfig-statistics
clear ddos-protection protocols dhcpv6 relay-forward
clear ddos-protection protocols dhcpv6 relay-forward states
clear-ddos-dhcpv6-relay-for-states
clear ddos-protection protocols dhcpv6 relay-forward statistics
clear-ddos-dhcpv6-relay-for-statistics
clear ddos-protection protocols dhcpv6 relay-reply
clear ddos-protection protocols dhcpv6 relay-reply states
clear-ddos-dhcpv6-relay-rep-states
clear ddos-protection protocols dhcpv6 relay-reply statistics
clear-ddos-dhcpv6-relay-rep-statistics
clear ddos-protection protocols dhcpv6 release
clear ddos-protection protocols dhcpv6 release states
clear-ddos-dhcpv6-release-states
clear-ddos-dhcpv6-leaseq-re-states
clear-ddos-dhcpv6-leaseq-re-statistics
clear-ddos-dhcpv6-rebind-states
clear-ddos-dhcpv6-rebind-statistics
clear-ddos-dhcpv6-reconfig-states
clear-ddos-dhcpv6-reconfig-statistics
clear-ddos-dhcpv6-relay-for-states
clear-ddos-dhcpv6-relay-for-statistics
clear-ddos-dhcpv6-relay-rep-states
clear-ddos-dhcpv6-relay-rep-statistics
clear-ddos-dhcpv6-release-states
clear-ddos-dhcpv6-release-statistics
clear-ddos-dhcpv6-renew-states
clear-ddos-dhcpv6-renew-statistics
clear-ddos-dhcpv6-reply-states
clear-ddos-dhcpv6-reply-statistics
clear-ddos-dhcpv6-request-states
clear-ddos-dhcpv6-request-statistics
clear-ddos-dhcpv6-solicit-states
clear-ddos-dhcpv6-solicit-statistics
clear-ddos-dhcpv6-states
clear-ddos-dhcpv6-statistics
clear-ddos-dhcpv6-unclass-states
clear-ddos-dhcpv6-unclass-statistics
clear-ddos-diameter-aggregate-states
clear ddos-protection protocols diameter aggregate statistics
clear-ddos-diameter-aggregate-statistics
clear ddos-protection protocols diameter states
clear-ddos-diameter-states
clear ddos-protection protocols diameter statistics
clear-ddos-diameter-statistics
clear ddos-protection protocols dns
clear ddos-protection protocols dns aggregate
clear ddos-protection protocols dns aggregate states
clear-ddos-dns-aggregate-states
clear ddos-protection protocols dns aggregate statistics
clear-ddos-dns-aggregate-statistics
clear ddos-protection protocols dns states
clear-ddos-dns-states
clear ddos-protection protocols dns statistics
clear-ddos-dns-statistics
clear ddos-protection protocols dtcp
clear-ddos-eoam-statistics
clear ddos-protection protocols esmc
clear ddos-protection protocols esmc aggregate
clear ddos-protection protocols esmc aggregate culprit-flows
clear ddos-protection protocols esmc aggregate states
clear-ddos-esmc-aggregate-states
clear ddos-protection protocols esmc aggregate statistics
clear ddos-protection protocols esmc culprit-flows
clear ddos-protection protocols esmc states
clear-ddos-esmc-states
clear ddos-protection protocols esmc statistics
<clear-ddos-esmc-statistics>
clear ddos-protection protocols ethernet-tcc
clear ddos-protection protocols ethernet-tcc aggregate
clear ddos-protection protocols ethernet-tcc aggregate culprit-flows
<clear-ddos-eth-tcc-aggregate-flows>
clear ddos-protection protocols ethernet-tcc aggregate states
<clear-ddos-eth-tcc-aggregate-states>
clear ddos-protection protocols ethernet-tcc aggregate statistics
<clear-ddos-eth-tcc-aggregate-statistics>
clear ddos-protection protocols ethernet-tcc culprit-flows
<clear-ddos-eth-tcc-flows>
clear ddos-protection protocols ethernet-tcc states
<clear-ddos-eth-tcc-states>
clear ddos-protection protocols ethernet-tcc statistics
<clear-ddos-eth-tcc-statistics>
clear ddos-protection protocols exceptions
clear ddos-protection protocols exceptions aggregate
clear ddos-protection protocols exceptions aggregate culprit-flows
<clear-ddos-exception-aggregate-flows>
clear ddos-protection protocols exceptions aggregate states
<clear-ddos-exception-aggregate-states>
clear ddos-protection protocols exceptions aggregate statistics
<clear-ddos-exception-aggregate-statistics>
clear ddos-protection protocols exceptions culprit-flows
<clear-ddos-exception-flows>
clear ddos-protection protocols exceptions mcast-rpf-err
clear ddos-protection protocols exceptions mcast-rpf-err culprit-flows
<clear-ddos-exception-mcast-rpf-flows>
clear ddos-protection protocols exceptions mcast-rpf-err states
<clear-ddos-exception-mcast-rpf-states>
clear ddos-protection protocols exceptions mcast-rpf-err statistics
<clear-ddos-exception-mcast-rpf-statistics>
clear ddos-protection protocols exceptions mtu-exceeded
clear ddos-protection protocols exceptions mtu-exceeded culprit-flows
<clear-ddos-exception-mtu-exceed-flows>
clear ddos-protection protocols exceptions mtu-exceeded states
<clear-ddos-exception-mtu-exceed-states>
clear ddos-protection protocols exceptions mtu-exceeded statistics
<clear-ddos-exception-mtu-exceed-statistics>
clear ddos-protection protocols exceptions states
<clear-ddos-exception-states>
clear ddos-protection protocols exceptions statistics
<clear-ddos-exception-statistics>
clear ddos-protection protocols exceptions unclassified
clear ddos-protection protocols exceptions unclassified culprit-flows
<clear-ddos-exception-unclass-flows>
clear ddos-protection protocols exceptions unclassified states
<clear-ddos-exception-unclass-states>
clear ddos-protection protocols exceptions unclassified statistics
<clear-ddos-exception-unclass-statistics>
clear ddos-protection protocols fab-probe
clear ddos-protection protocols fab-probe aggregate
clear ddos-protection protocols fab-probe aggregate states
clear ddos-protection protocols fab-probe aggregate statistics
<clear-ddos-fab-probe-aggregate-statistics>
clear ddos-protection protocols martian-address
clear ddos-protection protocols martian-address aggregate
clear ddos-protection protocols martian-address aggregate culprit-flows
<clear-ddos-martian-address-aggregate-flows>
clear ddos-protection protocols martian-address aggregate states
<clear-ddos-martian-address-aggregate-states>
clear ddos-protection protocols martian-address aggregate statistics
<clear-ddos-martian-address-aggregate-statistics>
clear ddos-protection protocols martian-address culprit-flows
<clear-ddos-martian-address-flows>
clear ddos-protection protocols martian-address states
<clear-ddos-martian-address-states>
clear ddos-protection protocols martian-address statistics
<clear-ddos-martian-address-statistics>
clear-ddos-diameter-statistics
clear-ddos-dns-aggregate-states
clear-ddos-dns-aggregate-statistics
clear-ddos-dns-states
clear-ddos-dns-statistics
clear-ddos-dtcp-aggregate-states
clear-ddos-dtcp-aggregate-statistics
clear-ddos-dtcp-states
clear-ddos-dtcp-statistics
clear-ddos-dynvlan-aggregate-states
clear-ddos-dynvlan-aggregate-statistics
clear-ddos-dynvlan-states
clear-ddos-dynvlan-statistics
clear-ddos-egpv6-aggregate-states
clear-ddos-egpv6-aggregate-statistics
clear-ddos-egpv6-states
clear-ddos-egpv6-statistics
clear-ddos-eoam-aggregate-states
clear-ddos-eoam-aggregate-statistics
clear-ddos-eoam-states
clear-ddos-eoam-statistics
clear-ddos-esmc-aggregate-states
clear-ddos-esmc-aggregate-statistics
clear-ddos-esmc-states
clear ddos-protection protocols fab-probe states
<clear-ddos-fab-probe-states>
clear ddos-protection protocols fab-probe statistics
<clear-ddos-fab-probe-statistics>
clear-ddos-esmc-statistics
clear ddos-protection protocols firewall-host
clear ddos-protection protocols firewall-host aggregate
clear ddos-protection protocols firewall-host aggregate culprit-flows
clear ddos-protection protocols firewall-host aggregate states
clear-ddos-fw-host-aggregate-states
clear ddos-protection protocols firewall-host aggregate statistics
clear ddos-protection protocols firewall-host states
clear ddos-protection protocols firewall-host statistics
clear-ddos-esmc-statistics
clear-ddos-fw-host-aggregate-states
clear-ddos-fw-host-aggregate-statistics
<clear-ddos-fw-host-statistics>
clear-ddos-fw-host-states
clear ddos-protection protocols frame-relay
clear ddos-protection protocols frame-relay aggregate
clear ddos-protection protocols frame-relay aggregate culprit-flows
clear ddos-protection protocols frame-relay aggregate states
clear-ddos-ftpv6-states
clear-ddos-ftpv6-statistics
clear-ddos-gre-aggregate-states
clear ddos-protection protocols gre aggregate statistics
clear-ddos-gre-aggregate-statistics
clear ddos-protection protocols gre states
clear-ddos-gre-states
clear ddos-protection protocols gre statistics
clear-ddos-gre-statistics
clear ddos-protection protocols icmp
clear ddos-protection protocols icmp aggregate
clear ddos-protection protocols icmp aggregate states
clear-ddos-icmp-aggregate-states
clear ddos-protection protocols icmp aggregate statistics
clear-ddos-icmp-aggregate-statistics
clear ddos-protection protocols icmp states
clear-ddos-icmp-states
clear ddos-protection protocols icmp statistics
clear-ddos-icmp-statistics
clear ddos-protection protocols icmpv6
clear ddos-protection protocols icmpv6 aggregate
clear ddos-protection protocols icmpv6 aggregate culprit-flows
clear ddos-protection protocols icmpv6 aggregate states
<clear-ddos-icmpv6-aggregate-states>
clear ddos-protection protocols icmpv6 aggregate statistics
<clear-ddos-icmpv6-aggregate-statistics>
clear ddos-protection protocols icmpv6 states
<clear-ddos-icmpv6-states>
clear ddos-protection protocols icmpv6 statistics
<clear-ddos-icmpv6-statistics>
clear ddos-protection protocols igmp
clear ddos-protection protocols igmp aggregate
clear ddos-protection protocols igmp aggregate culprit-flows
clear ddos-protection protocols igmp aggregate states
clear-ddos-igmp-aggregate-states
clear ddos-protection protocols igmp aggregate statistics
clear-ddos-igmp-aggregate-statistics
clear ddos-protection protocols igmp states
clear-ddos-igmp-states
clear ddos-protection protocols igmp statistics
clear-ddos-igmp-statistics
<clear-ddos-ip-opt-non-v4v6-states>
clear-ddos-ip-frag-aggregate-states
clear-ddos-ip-frag-aggregate-statistics
clear-ddos-ip-frag-first-frag-states
clear-ddos-ip-frag-first-frag-statistics
clear-ddos-ip-frag-states
clear-ddos-ip-frag-statistics
clear-ddos-ip-frag-trail-frag-states
clear-ddos-ip-frag-trail-frag-statistics
clear-ddos-ip-opt-aggregate-states
clear-ddos-ip-opt-aggregate-statistics
clear ddos-protection protocols ip-options non-v4v6 statistics
<clear-ddos-ip-opt-non-v4v6-statistics>
clear ddos-protection protocols ip-options router-alert
clear ddos-protection protocols ip-options router-alert culprit-flows
clear ddos-protection protocols ip-options router-alert states
clear-ddos-ip-opt-rt-alert-states
clear ddos-protection protocols ip-options router-alert statistics
clear-ddos-ip-opt-rt-alert-statistics
clear ddos-protection protocols ip-options states
clear-ddos-ip-opt-states
clear ddos-protection protocols ip-options statistics
clear-ddos-ip-opt-statistics
clear ddos-protection protocols ip-options unclassified
clear ddos-protection protocols ip-options unclassified culprit-flows
clear ddos-protection protocols ip-options unclassified states
clear ddos-protection protocols ip-options unclassified statistics
clear-ddos-ip-opt-unclass-statistics
clear ddos-protection protocols ipv4-unclassified
clear ddos-protection protocols ipv4-unclassified aggregate
clear ddos-protection protocols ipv4-unclassified aggregate states
clear-ddos-ipv4-uncls-aggregate-states
clear ddos-protection protocols ipv4-unclassified aggregate statistics
clear-ddos-ipv4-uncls-aggregate-statistics
clear ddos-protection protocols ipv4-unclassified states
clear-ddos-ipv4-uncls-states
clear ddos-protection protocols ipv4-unclassified statistics
clear-ddos-ipv4-uncls-statistics
clear ddos-protection protocols ipv6-unclassified
clear ddos-protection protocols ipv6-unclassified aggregate
clear ddos-protection protocols ipv6-unclassified aggregate states
clear-ddos-ipv6-uncls-aggregate-states
clear-ddos-lacp-states
clear ddos-protection protocols lacp statistics
clear-ddos-lacp-statistics
clear ddos-protection protocols ldp
clear ddos-protection protocols ldp aggregate
clear ddos-protection protocols ldp aggregate culprit-flows
clear ddos-protection protocols ldp aggregate states
clear-ddos-isis-states
clear-ddos-isis-statistics
clear-ddos-jfm-aggregate-states
clear-ddos-jfm-aggregate-statistics
clear-ddos-jfm-states
clear-ddos-l2tp-aggregate-states
clear-ddos-l2tp-aggregate-statistics
clear-ddos-l2tp-states
clear-ddos-l2tp-statistics
clear-ddos-lacp-aggregate-states
clear-ddos-lacp-aggregate-statistics
clear-ddos-lacp-states
clear-ddos-lacp-statistics
clear-ddos-ldp-aggregate-states
clear ddos-protection protocols ldp aggregate statistics
clear ddos-protection protocols ldp culprit-flows
clear ddos-protection protocols ldp states
clear ddos-protection protocols ldp statistics
clear-ddos-ldp-statistics
clear ddos-protection protocols ldpv6
clear ddos-protection protocols ldpv6 aggregate
clear ddos-protection protocols ldpv6 aggregate culprit-flows
clear ddos-protection protocols ldpv6 aggregate states
clear ddos-protection protocols ldpv6 aggregate statistics
clear-ddos-ldpv6-aggregate-statistics
clear ddos-protection protocols ldpv6 states
<clear-ddos-mld-aggregate-statistics>
clear ddos-protection protocols mld culprit-flows
<clear-ddos-mld-flows>
clear ddos-protection protocols mld states
<clear-ddos-mld-states>
clear ddos-protection protocols mld statistics
<clear-ddos-mld-statistics>
clear ddos-protection protocols mlp
clear ddos-protection protocols mlp add
clear ddos-protection protocols mlp add culprit-flows
<clear-ddos-mlp-add-flows>
clear ddos-protection protocols mlp add states
<clear-ddos-mlp-add-states>
clear ddos-protection protocols mlp add statistics
<clear-ddos-mlp-add-statistics>
clear ddos-protection protocols mlp aggregate
clear ddos-protection protocols mlp aggregate culprit-flows
clear ddos-protection protocols mlp aggregate states
clear-ddos-mlp-aggregate-states
clear ddos-protection protocols mlp aggregate statistics
clear-ddos-mlp-aggregate-statistics
clear ddos-protection protocols mlp aging-exception
clear ddos-protection protocols mlp aging-exception culprit-flows
clear ddos-protection protocols mlp aging-exception states
clear-ddos-mlp-aging-exc-states
clear ddos-protection protocols mlp aging-exception statistics
clear-ddos-mlp-aging-exc-statistics
clear ddos-protection protocols mlp packets
clear ddos-protection protocols mlp packets states
clear-ddos-mlp-packets-states
clear ddos-protection protocols mlp packets statistics
clear-ddos-mlp-packets-statistics
clear ddos-protection protocols mlp macpin-exception
clear ddos-protection protocols mlp macpin-exception culprit-flows
<clear-ddos-mlp-mac-pinning-flows>
clear ddos-protection protocols mlp macpin-exception states
<clear-ddos-mlp-mac-pinning-states>
clear ddos-protection protocols mlp macpin-exception statistics
<clear-ddos-mlp-mac-pinning-statistics>
clear ddos-protection protocols mlp states
clear-ddos-mlp-states
clear ddos-protection protocols mlp statistics
clear-ddos-mlp-statistics
clear ddos-protection protocols mlp unclassified
clear ddos-protection protocols mlp unclassified states
clear-ddos-mlp-unclass-states
clear ddos-protection protocols mlp unclassified statistics
clear-ddos-mlp-unclass-statistics
clear ddos-protection protocols msdp
clear ddos-protection protocols msdp aggregate
clear ddos-protection protocols msdp aggregate states
clear-ddos-msdp-aggregate-states
clear ddos-protection protocols msdp aggregate statistics
clear ddos-protection protocols msdp culprit-flows
clear ddos-protection protocols msdp states
clear-ddos-msdp-states
clear ddos-protection protocols msdp statistics
clear-ddos-msdp-statistics
clear ddos-protection protocols msdpv6
clear ddos-protection protocols msdpv6 aggregate
clear ddos-protection protocols msdpv6 aggregate culprit-flows
clear ddos-protection protocols msdpv6 aggregate states
clear-ddos-msdpv6-aggregate-states
clear ddos-protection protocols msdpv6 aggregate statistics
clear-ddos-msdpv6-aggregate-statistics
clear ddos-protection protocols msdpv6 states
clear-ddos-msdpv6-states
clear ddos-protection protocols msdpv6 statistics
clear-ddos-msdpv6-statistics
clear ddos-protection protocols multicast-copy
clear ddos-protection protocols multicast-copy aggregate
clear ddos-protection protocols multicast-copy aggregate states
clear-ddos-mcast-copy-aggregate-states
clear ddos-protection protocols multicast-copy aggregate statistics
clear-ddos-mcast-copy-aggregate-statistics
clear ddos-protection protocols multicast-copy states
clear-ddos-mcast-copy-states
clear ddos-protection protocols multicast-copy statistics
clear-ddos-mcast-copy-statistics
clear ddos-protection protocols mvrp
clear ddos-protection protocols mvrp aggregate
clear ddos-protection protocols mvrp aggregate states
clear-ddos-mvrp-aggregate-states
clear ddos-protection protocols mvrp aggregate statistics
clear-ddos-lmpv6-statistics
clear-ddos-mac-host-aggregate-states
clear-ddos-mac-host-aggregate-statistics
clear-ddos-mac-host-states
clear-ddos-mac-host-statistics
clear-ddos-msdp-aggregate-statistics
clear ddos-protection protocols multihop-bfd
clear ddos-protection protocols multihop-bfd aggregate
clear ddos-protection protocols multihop-bfd aggregate culprit-flows
<clear-ddos-mhop-bfd-aggregate-flows>
clear ddos-protection protocols multihop-bfd aggregate states
<clear-ddos-mhop-bfd-aggregate-states>
clear ddos-protection protocols multihop-bfd aggregate statistics
<clear-ddos-mhop-bfd-aggregate-statistics>
clear ddos-protection protocols multihop-bfd culprit-flows
<clear-ddos-mhop-bfd-flows>
clear ddos-protection protocols multihop-bfd states
<clear-ddos-mhop-bfd-states>
clear ddos-protection protocols multihop-bfd statistics
<clear-ddos-mhop-bfd-statistics>
clear-ddos-mvrp-aggregate-states
clear-ddos-mvrp-aggregate-statistics
clear-ddos-mvrp-states
clear-ddos-mvrp-statistics
clear-ddos-ntp-aggregate-states
clear-ddos-ntp-aggregate-statistics
clear-ddos-ntp-states
clear-ddos-ntp-statistics
clear-ddos-oam-lfm-aggregate-states
clear-ddos-oam-lfm-aggregate-statistics
clear-ddos-oam-lfm-states
clear-ddos-oam-lfm-statistics
clear-ddos-ospf-aggregate-states
clear-ddos-ospf-aggregate-statistics
clear-ddos-ospf-states
clear-ddos-ospf-statistics
clear-ddos-ospfv3v6-aggregate-states
clear ddos-protection protocols ospfv3v6 aggregate statistics
clear-ddos-ospfv3v6-aggregate-statistics
clear ddos-protection protocols ospfv3v6 states
clear-ddos-ospfv3v6-states
clear ddos-protection protocols pimv6
clear-ddos-pim-statistics
clear ddos-protection protocols pim-ctrl
clear ddos-protection protocols pim-ctrl aggregate
clear ddos-protection protocols pim-ctrl aggregate culprit-flows
<clear-ddos-pim-ctrl-aggregate-flows>
clear ddos-protection protocols pim-ctrl aggregate states
<clear-ddos-pim-ctrl-aggregate-states>
clear ddos-protection protocols pim-ctrl aggregate statistics
<clear-ddos-pim-ctrl-aggregate-statistics>
clear ddos-protection protocols pim-ctrl culprit-flows
<clear-ddos-pim-ctrl-flows>
clear ddos-protection protocols pim-ctrl states
<clear-ddos-pim-ctrl-states>
clear ddos-protection protocols pim-ctrl statistics
<clear-ddos-pim-ctrl-statistics>
clear ddos-protection protocols pim-data
clear ddos-protection protocols pim-data aggregate
clear ddos-protection protocols pim-data aggregate culprit-flows
<clear-ddos-pim-data-aggregate-flows>
clear ddos-protection protocols pim-data aggregate states
<clear-ddos-pim-data-aggregate-states>
<clear-ddos-pkt-inject-aggregate-statistics>
clear ddos-protection protocols pkt-inject culprit-flows
<clear-ddos-pkt-inject-flows>
clear ddos-protection protocols pkt-inject states
<clear-ddos-pkt-inject-states>
clear ddos-protection protocols pkt-inject statistics
<clear-ddos-pkt-inject-statistics>
clear ddos-protection protocols pmvrp
clear ddos-protection protocols pmvrp aggregate
clear ddos-protection protocols pmvrp aggregate states
clear-ddos-pmvrp-aggregate-states
clear ddos-protection protocols pmvrp aggregate statistics
clear ddos-protection protocols pmvrp culprit-flows
clear ddos-protection protocols pmvrp states
clear-ddos-pmvrp-states
clear ddos-protection protocols pmvrp statistics
clear-ddos-pmvrp-statistics
clear ddos-protection protocols pos
clear ddos-protection protocols pos aggregate
clear ddos-protection protocols pos aggregate states
clear-ddos-pos-aggregate-states
clear ddos-protection protocols pos aggregate statistics
clear-ddos-pos-aggregate-statistics
clear ddos-protection protocols pos states
clear-ddos-pos-states
clear ddos-protection protocols pos statistics
clear-ddos-pos-statistics
clear ddos-protection protocols ppp
clear ddos-protection protocols ppp aggregate
clear ddos-protection protocols ppp aggregate states
clear-ddos-ppp-aggregate-states
clear ddos-protection protocols ppp aggregate statistics
clear-ddos-ppp-aggregate-statistics
clear ddos-protection protocols ppp authentication
clear ddos-protection protocols ppp authentication states
clear-ddos-ppp-auth-states
clear ddos-protection protocols ppp authentication statistics
clear-ddos-ppp-auth-statistics
clear ddos-protection protocols ppp ipcp
clear ddos-protection protocols ppp ipcp states
clear-ddos-ppp-ipcp-states
clear ddos-protection protocols ppp ipcp statistics
clear-ddos-ppp-ipcp-statistics
clear ddos-protection protocols ppp ipv6cp
clear ddos-protection protocols ppp ipv6cp states
clear-ddos-ppp-ipv6cp-states
clear ddos-protection protocols ppp ipv6cp statistics
clear-ddos-ppp-ipv6cp-statistics
clear ddos-protection protocols ppp isis
clear ddos-protection protocols ppp isis states
clear-ddos-ppp-isis-states
clear ddos-protection protocols ppp isis statistics
clear-ddos-ppp-isis-statistics
clear ddos-protection protocols ppp lcp
clear ddos-protection protocols ppp lcp states
clear-ddos-ppp-lcp-states
clear ddos-protection protocols ppp lcp statistics
clear-ddos-ppp-lcp-statistics
clear ddos-protection protocols ppp mplscp
clear ddos-protection protocols ppp mplscp states
clear-ddos-ppp-mplscp-states
clear ddos-protection protocols ppp mplscp statistics
clear-ddos-ppp-mplscp-statistics
clear ddos-protection protocols ppp states
clear-ddos-ppp-states
clear ddos-protection protocols ppp statistics
clear-ddos-ppp-statistics
clear ddos-protection protocols ppp unclassified
clear ddos-protection protocols ppp unclassified states
clear ddos-protection protocols ppp unclassified statistics
<clear-ddos-ppp-unclass-statistics>
clear ddos-protection protocols pppoe
clear ddos-protection protocols pppoe aggregate
clear ddos-protection protocols pppoe aggregate states
clear-ddos-pppoe-aggregate-states
clear ddos-protection protocols pppoe aggregate statistics
clear-ddos-pppoe-aggregate-statistics
clear ddos-protection protocols pppoe padi
clear ddos-protection protocols pppoe padi states
clear-ddos-pppoe-padi-states
clear ddos-protection protocols pppoe padi statistics
clear-ddos-pppoe-padi-statistics
clear ddos-protection protocols pppoe padm
clear ddos-protection protocols pppoe padm states
clear-ddos-pppoe-padm-states
clear ddos-protection protocols pppoe padm statistics
clear-ddos-pppoe-padm-statistics
clear ddos-protection protocols pppoe padn
clear ddos-protection protocols pppoe padn states
clear-ddos-pppoe-padn-states
clear ddos-protection protocols pppoe padn statistics
clear-ddos-pppoe-padn-statistics
clear ddos-protection protocols pppoe pado
clear ddos-protection protocols pppoe pado states
clear-ddos-pppoe-pado-states
clear ddos-protection protocols pppoe pado statistics
clear-ddos-pppoe-pado-statistics
clear ddos-protection protocols pppoe padr
clear ddos-protection protocols pppoe padr states
clear-ddos-pppoe-padr-states
clear ddos-protection protocols pppoe padr statistics
clear-ddos-pppoe-padr-statistics
clear ddos-protection protocols pppoe pads
clear ddos-protection protocols pppoe pads states
clear-ddos-pppoe-pads-states
clear ddos-protection protocols pppoe pads statistics
clear-ddos-pppoe-pads-statistics
clear ddos-protection protocols pppoe padt
clear ddos-protection protocols pppoe padt states
clear-ddos-pppoe-padt-states
clear ddos-protection protocols pppoe padt statistics
clear-ddos-pppoe-padt-statistics
clear ddos-protection protocols pppoe states
clear-ddos-pppoe-states
clear ddos-protection protocols pppoe statistics
clear-ddos-pppoe-statistics
clear ddos-protection protocols proto-802-1x
clear ddos-protection protocols proto-802-1x aggregate
clear ddos-protection protocols proto-802-1x aggregate culprit-flows
<clear-ddos-8021x-aggregate-flows>
clear ddos-protection protocols proto-802-1x aggregate states
<clear-ddos-8021x-aggregate-states>
clear ddos-protection protocols proto-802-1x aggregate statistics
<clear-ddos-8021x-aggregate-statistics>
clear ddos-protection protocols proto-802-1x culprit-flows
<clear-ddos-8021x-flows>
clear ddos-protection protocols proto-802-1x states
<clear-ddos-8021x-states>
clear ddos-protection protocols proto-802-1x statistics
<clear-ddos-8021x-statistics>
clear ddos-protection protocols ptp
clear ddos-protection protocols ptp aggregate
clear ddos-protection protocols ptp aggregate states
clear-ddos-ptp-aggregate-states
clear ddos-protection protocols ptp aggregate statistics
clear-ddos-ptp-aggregate-statistics
clear ddos-protection protocols ptp states
clear-ddos-ptp-states
clear ddos-protection protocols ptp statistics
clear-ddos-ptp-statistics
clear ddos-protection protocols ptpv6
clear ddos-protection protocols ptpv6 aggregate
clear ddos-protection protocols ptpv6 aggregate culprit-flows
<clear-ddos-ptpv6-aggregate-flows>
clear ddos-protection protocols ptpv6 aggregate states
<clear-ddos-ptpv6-aggregate-states>
clear ddos-protection protocols ptpv6 aggregate statistics
<clear-ddos-ptpv6-aggregate-statistics>
clear ddos-protection protocols ptpv6 culprit-flows
<clear-ddos-ptpv6-flows>
clear ddos-protection protocols ptpv6 states
<clear-ddos-ptpv6-states>
clear ddos-protection protocols ptpv6 statistics
<clear-ddos-ptpv6-statistics>
clear ddos-protection protocols pvstp
clear ddos-protection protocols pvstp aggregate
clear ddos-protection protocols pvstp aggregate states
clear-ddos-pvstp-aggregate-states
clear ddos-protection protocols pvstp aggregate statistics
clear-ddos-pvstp-aggregate-statistics
clear ddos-protection protocols pvstp states
clear-ddos-pvstp-states
clear ddos-protection protocols pvstp statistics
clear-ddos-pvstp-statistics
clear ddos-protection protocols radius
clear ddos-protection protocols radius accounting
clear ddos-protection protocols radius accounting states
clear-ddos-radius-account-states
clear ddos-protection protocols radius accounting statistics
clear-ddos-radius-account-statistics
clear ddos-protection protocols radius aggregate
clear ddos-protection protocols radius aggregate states
clear-ddos-radius-aggregate-states
clear ddos-protection protocols radius aggregate statistics
clear-ddos-radius-aggregate-statistics
clear ddos-protection protocols radius authorization
clear ddos-protection protocols radius authorization states
clear ddos-protection protocols radius authorization statistics
clear-ddos-ospfv3v6-statistics
clear-ddos-pfe-alive-aggregate-states
clear-ddos-pfe-alive-aggregate-statistics
clear-ddos-pfe-alive-states
clear-ddos-pfe-alive-statistics
clear-ddos-pim-aggregate-states
clear-ddos-pim-aggregate-statistics
clear-ddos-pim-states
clear-ddos-pmvrp-aggregate-statistics
clear-ddos-radius-auth-states
clear-ddos-radius-auth-statistics
clear ddos-protection protocols radius server
clear ddos-protection protocols radius server states
clear-ddos-radius-server-states
clear ddos-protection protocols radius server statistics
clear-ddos-radius-server-statistics
clear ddos-protection protocols radius states
clear-ddos-radius-states
clear ddos-protection protocols radius statistics
clear-ddos-radius-statistics
clear ddos-protection protocols redirect
clear ddos-protection protocols redirect aggregate
clear ddos-protection protocols redirect aggregate states
clear-ddos-redirect-aggregate-states
clear ddos-protection protocols redirect aggregate statistics
clear-ddos-redirect-aggregate-statistics
clear ddos-protection protocols redirect states
clear-ddos-redirect-states
clear ddos-protection protocols redirect statistics
clear-ddos-redirect-statistics
clear ddos-protection protocols reject
clear ddos-protection protocols reject aggregate
clear ddos-protection protocols reject aggregate states
clear ddos-protection protocols reject aggregate statistics
clear ddos-protection protocols reject states
clear ddos-protection protocols reject statistics
clear ddos-protection protocols rip
clear ddos-protection protocols rip aggregate
clear ddos-protection protocols rip aggregate states
clear-ddos-rip-aggregate-states
clear ddos-protection protocols rip aggregate statistics
clear-ddos-rip-aggregate-statistics
clear ddos-protection protocols rip states
clear-ddos-rip-states
clear ddos-protection protocols rip statistics
clear-ddos-rip-statistics
clear ddos-protection protocols ripv6
clear ddos-protection protocols ripv6 aggregate
clear ddos-protection protocols ripv6 aggregate states
clear-ddos-ripv6-aggregate-states
clear ddos-protection protocols ripv6 aggregate statistics
clear-ddos-ripv6-aggregate-statistics
clear ddos-protection protocols ripv6 states
clear-ddos-ripv6-states
clear ddos-protection protocols ripv6 statistics
clear-ddos-ripv6-statistics
clear ddos-protection protocols rsvp
clear-ddos-snmpv6-states
clear ddos-protection protocols snmpv6 statistics
clear-ddos-snmpv6-statistics
clear ddos-protection protocols ssh
clear ddos-protection protocols ssh aggregate
clear ddos-protection protocols ssh aggregate states
clear-ddos-ssh-aggregate-states
clear ddos-protection protocols ssh aggregate statistics
clear-ddos-ssh-aggregate-statistics
clear ddos-protection protocols ssh states
clear-ddos-ssh-states
clear ddos-protection protocols ssh statistics
clear-ddos-ssh-statistics
clear ddos-protection protocols sshv6
clear ddos-protection protocols sshv6 aggregate
clear ddos-protection protocols sshv6 aggregate states
clear-ddos-sshv6-aggregate-states
clear ddos-protection protocols sshv6 aggregate statistics
clear ddos-protection protocols sshv6 culprit-flows
clear ddos-protection protocols sshv6 states
clear-ddos-sshv6-states
clear ddos-protection protocols sshv6 statistics
clear-ddos-sshv6-statistics
clear ddos-protection protocols states
clear-ddos-protocols-states
clear ddos-protection protocols statistics
clear-ddos-protocols-statistics
clear ddos-protection protocols stp
clear ddos-protection protocols stp aggregate
clear ddos-protection protocols stp aggregate states
clear-ddos-stp-aggregate-states
clear ddos-protection protocols stp aggregate statistics
clear-ddos-stp-aggregate-statistics
clear ddos-protection protocols stp states
clear-ddos-stp-states
clear ddos-protection protocols stp statistics
clear-ddos-stp-statistics
clear ddos-protection protocols tacacs
clear ddos-protection protocols tacacs aggregate
clear ddos-protection protocols tacacs aggregate states
clear-ddos-tacacs-aggregate-states
clear ddos-protection protocols tacacs aggregate statistics
clear-ddos-tacacs-aggregate-statistics
clear ddos-protection protocols tacacs states
clear-ddos-tacacs-states
clear ddos-protection protocols tacacs statistics
clear-ddos-tacacs-statistics
clear ddos-protection protocols tcc
clear ddos-protection protocols tcc aggregate
clear ddos-protection protocols tcc aggregate culprit-flows
<clear-ddos-tcc-aggregate-flows>
clear ddos-protection protocols tcc aggregate states
<clear-ddos-tcc-aggregate-states>
clear ddos-protection protocols tcc aggregate statistics
<clear-ddos-tcc-aggregate-statistics>
clear ddos-protection protocols tcc culprit-flows
<clear-ddos-tcc-flows>
clear ddos-protection protocols tcc ethernet-tcc
clear ddos-protection protocols tcc ethernet-tcc culprit-flows
<clear-ddos-tcc-ethernet-tcc-flows>
clear ddos-protection protocols tcc ethernet-tcc states
<clear-ddos-tcc-ethernet-tcc-states>
clear ddos-protection protocols tcc ethernet-tcc statistics
<clear-ddos-tcc-ethernet-tcc-statistics>
clear ddos-protection protocols tcc iso-tcc
clear ddos-protection protocols tcc iso-tcc culprit-flows
<clear-ddos-tcc-iso-tcc-flows>
clear ddos-protection protocols tcc iso-tcc states
<clear-ddos-tcc-iso-tcc-states>
clear ddos-protection protocols tcc iso-tcc statistics
<clear-ddos-tcc-iso-tcc-statistics>
clear ddos-protection protocols tcc states
<clear-ddos-tcc-states>
clear ddos-protection protocols tcc statistics
<clear-ddos-tcc-statistics>
clear ddos-protection protocols tcc unclassified
clear ddos-protection protocols tcc unclassified culprit-flows
<clear-ddos-tcc-unclass-flows>
clear ddos-protection protocols tcc unclassified states
<clear-ddos-tcc-unclass-states>
clear ddos-protection protocols tcc unclassified statistics
<clear-ddos-tcc-unclass-statistics>
clear ddos-protection protocols tcp-flags
clear ddos-protection protocols tcp-flags aggregate
clear-ddos-telnetv6-states
clear ddos-protection protocols telnetv6 statistics
clear-ddos-telnetv6-statistics
clear ddos-protection protocols ttl
clear ddos-protection protocols ttl aggregate
clear ddos-protection protocols ttl aggregate culprit-flows
clear ddos-protection protocols ttl aggregate states
clear-ddos-ttl-aggregate-states
clear ddos-protection protocols ttl aggregate statistics
clear-ddos-ttl-aggregate-statistics
clear ddos-protection protocols ttl states
clear-ddos-ttl-states
clear ddos-protection protocols ttl statistics
clear-ddos-ttl-statistics
clear ddos-protection protocols tunnel-fragment
clear ddos-protection protocols tunnel-fragment aggregate
clear ddos-protection protocols tunnel-fragment aggregate states
clear-ddos-tun-frag-aggregate-states
clear ddos-protection protocols tunnel-fragment aggregate statistics
clear-ddos-tun-frag-aggregate-statistics
clear ddos-protection protocols tunnel-fragment states
clear-ddos-tun-frag-states
clear ddos-protection protocols tunnel-fragment statistics
clear-ddos-tun-frag-statistics
clear ddos-protection protocols unclassified
clear ddos-protection protocols unclassified aggregate
clear ddos-protection protocols unclassified aggregate states
clear ddos-protection protocols unclassified aggregate statistics
clear ddos-protection protocols unclassified control-layer2
clear ddos-protection protocols unclassified control-layer2 culprit-flows
clear ddos-protection protocols unclassified control-layer2 states
clear ddos-protection protocols unclassified control-layer2 statistics
clear ddos-protection protocols unclassified control-v4
clear ddos-protection protocols unclassified control-v4 culprit-flows
clear ddos-protection protocols unclassified control-v4 states
clear ddos-protection protocols unclassified control-v4 statistics
clear ddos-protection protocols unclassified control-v6
clear ddos-protection protocols unclassified control-v6 culprit-flows
clear ddos-protection protocols unclassified control-v6 states
clear ddos-protection protocols unclassified control-v6 statistics
clear ddos-protection protocols unclassified filter-v4 culprit-flows
clear ddos-protection protocols unclassified filter-v4 states
clear-ddos-sshv6-aggregate-statistics
clear ddos-protection protocols syslog
clear ddos-protection protocols syslog aggregate
clear ddos-protection protocols syslog aggregate culprit-flows
<clear-ddos-syslog-aggregate-flows>
clear ddos-protection protocols syslog aggregate states
<clear-ddos-syslog-aggregate-states>
clear ddos-protection protocols syslog aggregate statistics
<clear-ddos-syslog-aggregate-statistics>
clear ddos-protection protocols syslog culprit-flows
<clear-ddos-syslog-flows>
clear ddos-protection protocols syslog states
<clear-ddos-syslog-states>
clear ddos-protection protocols syslog statistics
<clear-ddos-syslog-statistics>
clear-ddos-tcp-flags-aggregate-states
clear-ddos-tcp-flags-aggregate-statistics
clear-ddos-tcp-flags-establish-states
clear-ddos-tcp-flags-establish-statistics
clear-ddos-tcp-flags-initial-states
clear-ddos-tcp-flags-initial-statistics
clear-ddos-tcp-flags-states
clear-ddos-tcp-flags-statistics
clear-ddos-tcp-flags-unclass-states
clear-ddos-tcp-flags-unclass-statistics
clear-ddos-telnet-aggregate-states
clear-ddos-telnet-aggregate-statistics
clear-ddos-telnet-states
clear-ddos-telnet-statistics
clear-ddos-telnetv6-aggregate-states
clear-ddos-telnetv6-aggregate-statistics
clear ddos-protection protocols tunnel-ka
clear ddos-protection protocols tunnel-ka aggregate
clear ddos-protection protocols tunnel-ka aggregate culprit-flows
<clear-ddos-tunnel-ka-aggregate-flows>
clear ddos-protection protocols tunnel-ka aggregate states
<clear-ddos-tunnel-ka-aggregate-states>
clear ddos-protection protocols tunnel-ka aggregate statistics
<clear-ddos-tunnel-ka-aggregate-statistics>
clear ddos-protection protocols tunnel-ka culprit-flows
<clear-ddos-tunnel-ka-flows>
clear ddos-protection protocols tunnel-ka states
<clear-ddos-tunnel-ka-states>
clear ddos-protection protocols tunnel-ka statistics
<clear-ddos-tunnel-ka-statistics>
clear-ddos-vchassis-aggregate-states
clear ddos-protection protocols virtual-chassis aggregate statistics
clear-ddos-vchassis-aggregate-statistics
clear ddos-protection protocols virtual-chassis control-high
clear ddos-protection protocols virtual-chassis control-high states
clear-ddos-vchassis-control-hi-states
clear ddos-protection protocols virtual-chassis control-high statistics
clear-ddos-vchassis-control-hi-statistics
clear ddos-protection protocols virtual-chassis control-low
clear ddos-protection protocols virtual-chassis control-low states
clear-ddos-vchassis-control-lo-states
clear ddos-protection protocols virtual-chassis control-low statistics
clear-ddos-vchassis-control-lo-statistics
clear ddos-protection protocols virtual-chassis states
clear-ddos-vchassis-states
clear-ddos-vchassis-statistics
clear-ddos-vchassis-unclass-states
clear-ddos-vchassis-unclass-statistics
clear-ddos-vchassis-vc-packets-states
clear-ddos-vchassis-vc-packets-statistics
clear-ddos-vchassis-vc-ttl-err-states
clear-ddos-vchassis-vc-ttl-err-statistics
clear-ddos-vrrp-aggregate-states
clear-ddos-vrrp-aggregate-statistics
clear-ddos-vrrp-states
clear-ddos-vrrp-statistics
clear-ddos-vrrpv6-aggregate-states
clear-ddos-vrrpv6-aggregate-statistics
clear-ddos-vrrpv6-states
clear-ddos-vrrpv6-statistics
clear ddos-protection protocols vxlan
clear ddos-protection protocols vxlan aggregate
clear ddos-protection protocols vxlan aggregate culprit-flows
<clear-ddos-vxlan-aggregate-flows>
clear ddos-protection protocols vxlan aggregate states
<clear-ddos-vxlan-aggregate-states>
clear ddos-protection protocols vxlan aggregate statistics
<clear-ddos-vxlan-aggregate-statistics>
clear ddos-protection protocols vxlan culprit-flows
<clear-ddos-vxlan-flows>
clear ddos-protection protocols vxlan states
<clear-ddos-vxlan-states>
clear ddos-protection protocols vxlan statistics
<clear-ddos-vxlan-statistics>
clear dhcp
clear dhcp client
clear dhcp client binding
<clear-dhcp-client-binding-information>
clear dhcp client statistics
<clear-client-statistics-information>
clear dhcp proxy-client
clear dhcp proxy-client statistics
clear dhcp relay
clear dhcp relay binding
<clear-dhcp-relay-binding-information>
clear dhcp relay binding interface
<clear-dhcp-interface-bindings>
<clear-dhcpv6-server-binding-information>
clear dhcpv6 server binding interface
<clear-dhcpv6-server-binding-interface>
clear dhcpv6 server statistics
<clear-dhcpv6-server-statistics-information>
clear dhcpv6 server statistics bulk-leasequery-connections
<clear-dhcpv6-server-bulk-leasequery-statistics>
clear dhcpv6 statistics
<clear-dhcpv6-service-statistics-information>
clear diameter
clear diameter function
<clear-diameter-function>
clear diameter peer
<clear-diameter-peer>
<clear-dhcp-binding-information>
<clear-dhcp-conflict-information>
<clear-dhcp-statistics-information>
clear system subscriber-management
clear system subscriber-management arp
<clear-subscriber-management-arp>
clear system subscriber-management arp address
<clear-subscriber-management-arp-address>
clear system subscriber-management arp interface
<clear-subscriber-management-arp-interface>
clear system subscriber-management ipv6-neighbors
<clear-subscriber-management-ipv6-neighbors>
clear system subscriber-management ipv6-neighbors address
<clear-subscriber-management-ipv6-neighbor-address>
clear system subscriber-management ipv6-neighbors interface
<clear-subscriber-management-ipv6-neighbor-interface>
clear system subscriber-management statistics
<clear-subscriber-management-statistics>
clear dot1x
clear dot1x eapol-block
clear dot1x eapol-block interface
<clear-dot1x-eapol-block-interface-session>
clear dot1x eapol-block mac-address
<clear-dot1x-eapol-block-mac-session>
clear dot1x firewall
<clear-dot1x-firewall>
clear dot1x firewall interface
<clear-dot1x-firewall-interface>
<clear-mld-statistics>
clear mobile-ip
clear mobile-ip binding
clear mobile-ip binding all
<clear-binding-all>
clear mobile-ip binding ip-address
<clear-binding-ip>
clear mobile-ip binding nai
<clear-binding-nai>
clear mobile-ip visitor
clear mobile-ip visitor all
<clear-visitor-all>
clear mobile-ip visitor ip-address
<clear-visitor-ip>
clear mobile-ip visitor nai
<clear-visitor-nai>
clear mpls
clear mpls lsp
<clear-mpls-lsp-information>
clear mpls static-lsp
<clear-mpls-static-lsp-information>
clear mpls traceroute
clear mpls traceroute database
clear mpls traceroute database ldp
<clear-mpls-traceroute-database-ldp>
clear msdp
clear msdp cache
<clear-msdp-cache>
clear msdp statistics
<clear-msdp-statistics>
clear multicast
clear multicast bandwidth-admission
<clear-multicast-bandwidth-admission>
clear multicast forwarding-cache
clear multicast scope
<clear-multicast-scope-statistics>
clear multicast sessions
<clear-multicast-sessions>
clear multicast statistics
<clear-multicast-statistics>
clear mvrp
clear mvrp statistics
<clear-mvrp-interface-statistics>
clear network-access
clear network-access aaa
clear network-access aaa statistics
<clear-aaa-statistics-table>
clear network-access aaa statistics address-assignment
clear network-access aaa statistics address-assignment client
<clear-aaa-address-assignment-client-statistics>
clear network-access aaa statistics address-assignment pool
<clear-aaa-address-assignment-pool-statistics>
clear network-access aaa subscriber
<clear-aaa-subscriber-table>
clear network-access aaa subscriber statistics
<clear-aaa-subscriber-table-specific-statistics>
clear network-access address-assignment
clear network-access address-assignment preserved
<clear-address-assignment-preserved>
clear network-access ocs
clear network-access ocs statistics
<clear-ocs-statistics-information>
clear network-access pcrf
clear network-access pcrf statistics
<clear-pcrf-statistics-information>
clear network-access pcrf subscribers
<clear-pcrf-subscribers>
clear network-access requests
clear network-access requests pending
<clear-authentication-pending-table>
clear network-access requests statistics
<clear-authentication-statistics>
clear network-access securid-node-secret-file
<clear-node-secret-file>
clear oam
clear oam ethernet
clear oam ethernet connectivity-fault-management
clear oam ethernet connectivity-fault-management continuity-measurement
<clear-cfm-continuity-measurement>
clear oam ethernet connectivity-fault-management delay-statistics
<clear-cfm-delay-statistics>
clear oam ethernet connectivity-fault-management event
<clear-cfm-action-profile-event>
clear oam ethernet connectivity-fault-management loss-statistics
<clear-cfm-loss-statistics>
clear oam ethernet connectivity-fault-management path-database
<clear-cfm-linktrace-path-database>
clear oam ethernet connectivity-fault-management policer
<clear-cfm-policer-statistics>
clear oam ethernet connectivity-fault-management sla-iterator-history
<clear-cfm-iterator-history>
clear oam ethernet connectivity-fault-management sla-iterator-statistics
<clear-cfm-iterator-statistics>
clear oam ethernet connectivity-fault-management statistics
<clear-cfm-statistics>
clear oam ethernet connectivity-fault-management synthetic-loss-statistics
<clear-cfm-slm-statistics>
clear oam ethernet link-fault-management
clear oam ethernet link-fault-management state
<clear-lfmd-state>
clear oam ethernet link-fault-management statistics
<clear-lfmd-statistics>
clear oam ethernet link-fault-management statistics action-profile
<clear-lfmd-action-profile-statistics>
clear oam ethernet lmi
clear oam ethernet lmi statistics
<clear-elmi-statistics>
clear ospf
clear ospf database
<clear-ospf-database-information>
clear ospf database-protection
<clear-ospf-database-protection>
clear ospf io-statistics
<clear-ospf-io-statistics-information>
clear ospf neighbor
<clear-ospf-neighbor-information>
clear ospf overload
<clear-ospf-overload-information>
clear ospf statistics
<clear-ospf-statistics-information>
clear ospf3
clear ospf3 database
<clear-ospf3-database-information>
clear ospf3 database-protection
<clear-ospf-database-protection>
clear ospf3 io-statistics
<clear-ospf3-io-statistics-information>
clear ospf3 neighbor
<clear-ospf3-neighbor-information>
clear ospf3 overload
<clear-ospf3-overload-information>
clear ospf3 statistics
<clear-ospf3-io-statistics-information>
clear ovsdb
clear ovsdb commit
clear ovsdb commit failures
<clear-ovsdb-commit-failure-information>
clear ovsdb statistics
clear ovsdb statistics interface
clear ovsdb statistics interface all
<clear-ovsdb-interfaces-statistics-all>
clear performance-monitoring
clear performance-monitoring mpls
clear performance-monitoring mpls lsp
<clear-pm-mpls-lsp-information>
clear pfe
clear pfe statistics
clear pfe statistics fabric
clear pfe statistics traffic detail
clear pfe statistics traffic egress-queues fpc
clear pfe statistics traffic multicast
clear pfe statistics traffic multicast fpc
clear pfe tcam-errors
clear pfe tcam-errors all-tcam-stages
<clear-pfe-tcam-errors-all-tcam-stages>
clear pfe tcam-errors app
<clear-pfe-tcam-errors-app>
clear pfe tcam-errors app bd-dtag-validate
<clear-pfe-tcam-errors-app-bd-dtag-validate>
clear pfe tcam-errors app bd-dtag-validate detail
clear pfe tcam-errors app bd-dtag-validate list-related-apps
clear pfe tcam-errors app bd-dtag-validate list-shared-apps
clear pfe tcam-errors app bd-dtag-validate shared-usage
clear pfe tcam-errors app bd-dtag-validate shared-usage detail
clear pfe tcam-errors app bd-tpid-swap
<clear-pfe-tcam-errors-app-bd-tpid-swap>
clear pfe tcam-errors app bd-tpid-swap detail
clear pfe tcam-errors app bd-tpid-swap list-related-apps
<clear-pfe-tcam-errors-ingress-app-fw-inet-pm>
clear pfe tcam-errors tcam-stage ingress app fw-inet-pm detail
clear pfe tcam-errors tcam-stage ingress app fw-inet-pm list-related-apps
clear pfe tcam-errors tcam-stage ingress app fw-inet-pm list-shared-apps
clear pfe tcam-errors tcam-stage ingress app fw-inet-pm shared-usage
clear pfe tcam-errors tcam-stage ingress app fw-inet-pm shared-usage detail
clear pfe tcam-errors tcam-stage ingress app fw-inet-rpf
<clear-pfe-tcam-errors-ingress-app-fw-inet-rpf>
clear pfe tcam-errors tcam-stage ingress app fw-inet-rpf detail
clear pfe tcam-errors tcam-stage ingress app fw-inet-rpf list-related-apps
clear pfe tcam-errors tcam-stage ingress app fw-inet-rpf list-shared-apps
clear pfe tcam-errors tcam-stage ingress app fw-inet-rpf shared-usage
clear pfe tcam-errors tcam-stage ingress app fw-inet-rpf shared-usage detail
clear pfe tcam-errors tcam-stage ingress app fw-inet6-ftf
<clear-pfe-tcam-errors-ingress-app-fw-inet6-ftf>
clear pfe tcam-errors tcam-stage ingress app fw-inet6-ftf detail
clear pfe tcam-errors tcam-stage ingress app fw-inet6-ftf list-related-apps
clear pfe tcam-errors tcam-stage ingress app fw-inet6-ftf list-shared-apps
clear pfe tcam-errors tcam-stage ingress app fw-inet6-ftf shared-usage
clear pfe tcam-errors tcam-stage ingress app fw-inet6-ftf shared-usage detail
clear pfe tcam-errors tcam-stage ingress app fw-inet6-in
<clear-pfe-tcam-errors-ingress-app-fw-inet6-in>
clear pfe tcam-errors tcam-stage ingress app fw-inet6-in detail
clear pfe tcam-errors tcam-stage ingress app fw-inet6-in list-related-apps
clear pfe tcam-errors tcam-stage ingress app fw-inet6-in list-shared-apps
clear pfe tcam-errors tcam-stage ingress app fw-inet6-in shared-usage
clear pfe tcam-errors tcam-stage ingress app fw-inet6-in shared-usage detail
clear pfe tcam-errors tcam-stage ingress app fw-inet6-rpf
<clear-pfe-tcam-errors-ingress-app-fw-inet6-rpf>
clear pfe tcam-errors tcam-stage ingress app fw-inet6-rpf detail
clear pfe tcam-errors tcam-stage ingress app fw-inet6-rpf list-related-apps
clear pfe tcam-errors tcam-stage ingress app fw-inet6-rpf list-shared-apps
clear pfe tcam-errors tcam-stage ingress app fw-inet6-rpf shared-usage
clear pfe tcam-errors tcam-stage ingress app fw-inet6-rpf shared-usage detail
clear pfe tcam-errors tcam-stage ingress app fw-l2-in
<clear-pfe-tcam-errors-ingress-app-fw-l2-in>
clear pfe tcam-errors tcam-stage ingress app fw-l2-in detail
clear pfe tcam-errors tcam-stage ingress app fw-l2-in list-related-apps
clear pfe tcam-errors tcam-stage ingress app fw-l2-in list-shared-apps
clear pfe tcam-errors tcam-stage ingress app fw-l2-in shared-usage
clear pfe tcam-errors tcam-stage ingress app fw-l2-in shared-usage detail
clear pfe tcam-errors tcam-stage ingress app fw-mpls-in
<clear-pfe-tcam-errors-ingress-app-fw-mpls-in>
clear pfe tcam-errors tcam-stage ingress app fw-mpls-in detail
clear pfe tcam-errors tcam-stage ingress app fw-mpls-in list-related-apps
clear pfe tcam-errors tcam-stage ingress app fw-mpls-in list-shared-apps
clear pfe tcam-errors tcam-stage ingress app fw-mpls-in shared-usage
clear pfe tcam-errors tcam-stage ingress app fw-mpls-in shared-usage detail
clear pfe tcam-errors tcam-stage ingress app fw-vpls-in
<clear-pfe-tcam-errors-ingress-app-fw-vpls-in>
clear pfe tcam-errors tcam-stage ingress app fw-vpls-in detail
clear pfe tcam-errors tcam-stage ingress app fw-vpls-in list-related-apps
clear pfe tcam-errors tcam-stage ingress app fw-vpls-in list-shared-apps
clear pfe tcam-errors tcam-stage ingress app fw-vpls-in shared-usage
clear pfe tcam-errors tcam-stage ingress app fw-vpls-in shared-usage detail
clear pfe tcam-errors tcam-stage ingress app gr-ifl-stats-egr
<clear-pfe-tcam-errors-ingress-app-gr-ifl-statistics-egr>
clear pfe tcam-errors tcam-stage ingress app gr-ifl-stats-egr detail
clear pfe tcam-errors tcam-stage ingress app gr-ifl-stats-egr list-related-apps
clear pfe tcam-errors tcam-stage ingress app gr-ifl-stats-egr list-shared-apps
clear pfe tcam-errors tcam-stage ingress app gr-ifl-stats-egr shared-usage
clear pfe tcam-errors tcam-stage ingress app gr-ifl-stats-egr shared-usage detail
clear pfe tcam-errors tcam-stage ingress app gr-ifl-stats-ing
<clear-pfe-tcam-errors-ingress-app-gr-ifl-statistics-ing>
clear pfe tcam-errors tcam-stage ingress app gr-ifl-stats-ing detail
clear pfe tcam-errors tcam-stage ingress app gr-ifl-stats-ing list-related-apps
clear pfe tcam-errors tcam-stage ingress app gr-ifl-stats-ing list-shared-apps
clear pfe tcam-errors tcam-stage ingress app gr-ifl-stats-ing shared-usage
clear pfe tcam-errors tcam-stage ingress app gr-ifl-stats-ing shared-usage detail
clear pfe tcam-errors tcam-stage ingress app gr-ifl-stats-preing
<clear-pfe-tcam-errors-ingress-app-gr-ifl-statistics-preing>
clear pfe tcam-errors tcam-stage ingress app gr-ifl-stats-preing detail
clear pfe tcam-errors tcam-stage ingress app gr-ifl-stats-preing list-related-apps
clear pfe tcam-errors tcam-stage ingress app gr-ifl-stats-preing list-shared-apps
clear pfe tcam-errors tcam-stage ingress app gr-ifl-stats-preing shared-usage
clear pfe tcam-errors tcam-stage ingress app gr-ifl-stats-preing shared-usage detail
clear pfe tcam-errors tcam-stage ingress app ifl-statistics-in
<clear-pfe-tcam-errors-ingress-app-ifl-statistics-in>
clear pfe tcam-errors tcam-stage ingress app ifl-statistics-in detail
list-related-apps
clear pfe tcam-errors tcam-stage pre-ingress app vpls-mesh-group-mcast list-shared-apps
clear pfe tcam-errors tcam-stage pre-ingress app vpls-mesh-group-mcast shared-usage
clear pfe tcam-errors tcam-stage pre-ingress app vpls-mesh-group-mcast shared-usage detail
clear pfe tcam-errors tcam-stage pre-ingress app vpls-mesh-group-ucast
<get-upper-level-xml-name-vpls-mesh-group-ucast>
clear pfe tcam-errors tcam-stage pre-ingress app vpls-mesh-group-ucast detail
clear pfe tcam-errors tcam-stage pre-ingress app vpls-mesh-group-ucast list-related-apps
clear pfe tcam-errors tcam-stage pre-ingress app vpls-mesh-group-ucast list-shared-apps
clear pfe tcam-errors tcam-stage pre-ingress app vpls-mesh-group-ucast shared-usage
clear pfe tcam-errors tcam-stage pre-ingress app vpls-mesh-group-ucast shared-usage detail
clear passive-monitoring
<clear-passive-monitoring>
clear passive-monitoring statistics
<clear-passive-monitoring-statistics>
clear pgm
clear pgm negative-acknowledgments
<clear-pgm-negative-acknowledgments>
clear pgm source-path-messages
<clear-pgm-source-path-messages>
clear pgm statistics
<clear-pgm-statistics>
clear pim
clear pim join
<clear-pim-join-state>
clear pim join-distribution
<clear-pim-join-distribution>
clear pim register
<clear-pim-register-state>
clear pim snooping
clear pim snooping join
clear pim snooping statistics
clear pim statistics
<clear-pim-statistics>
clear poe
<clear-appid-counter-encrypted>
clear services application-identification statistics
<clear-appid-application-statistics>
clear services application-identification statistics cumulative
<clear-appid-application-statistics-cumulative>
clear services application-identification statistics interval
<clear-appid-application-statistics-interval>
clear services border-signaling-gateway
clear services border-signaling-gateway denied-messages
<clear-service-bsg-denied-messages>
clear services border-signaling-gateway name-resolution-cache
clear services border-signaling-gateway name-resolution-cache all
<clear-service-border-signaling-gateway-name-resolution-cache-all>
clear services border-signaling-gateway name-resolution-cache by-fqdn
<clear-border-signaling-gateway-name-resolution-cache-by-fqdn>
clear services border-signaling-gateway statistics
<clear-service-border-signaling-gateway-statistics>
clear services captive-portal-content-delivery
clear services captive-portal-content-delivery statistics
clear services captive-portal-content-delivery statistics interface
<clear-cpcdd-interface-statistics>
clear services cos
clear services cos statistics
<clear-services-cos-statistics>
clear services crtp
clear services crtp statistics
<clear-services-crtp-statistics>
clear services dynamic-flow-capture
clear services dynamic-flow-capture criteria
<clear-services-dynamic-flow-capture-criteria>
clear services dynamic-flow-capture sequence-number
clear services flow-collector
<clear-services-flow-collector-information>
clear services flow-collector statistics
<clear-services-flow-collector-statistics>
clear-service-msp-flow-ipaction-table
clear services ha
clear services ha statistics
<clear-service-ha-statistics-information>
clear services hcm
clear services hcm pic-statistics
<clear-services-hcm-pic-statistics>
<clear-l2tp-destinations-information>
clear services l2tp disconnect-cause-summary
<clear-l2tp-disconnect-cause-summary>
clear services l2tp tunnel
<clear-l2tp-tunnel-information>
clear services l2tp user
<clear-l2tp-user-session-information>
clear services local-policy-decision-function
clear services local-policy-decision-function statistics
clear services local-policy-decision-function statistics interface
<clear-local-policy-decision-function-statistics-interface>
clear services local-policy-decision-function statistics subscriber
<clear-local-policy-decision-function-statistics-subscriber>
clear services server-load-balance
clear services server-load-balance external-manager-statistics
<clear-external-manager-statistics>
clear services server-load-balance hash-table
<clear-hash-table-information>
clear services server-load-balance health-monitor-statistics
<clear-health-monitor-statistics>
clear services server-load-balance real-server-group-statistics
<clear-real-server-group-statistics>
clear services server-load-balance real-server-statistics
<clear-real-server-statistics>
clear services server-load-balance sticky
<clear-sticky-table>
clear services server-load-balance virtual-server-statistics
<clear-virtual-server-statistics>
clear services service-sets statistics integrity-drops
clear services service-sets statistics syslog
<clear-service-set-syslog-statistics>
clear services service-sets statistics tcp
<clear-service-tcp-tracker-statistics>
clear services stateful-firewall flow-analysis
<clear-service-flow-analysis>
clear services stateful-firewall flows
<clear-service-sfw-flow-table-information>
clear services stateful-firewall sip-call
<clear-service-sfw-sip-call-information>
clear services stateful-firewall sip-register
<clear-service-sfw-sip-register-information>
clear services stateful-firewall statistics
<clear-stateful-firewall-statistics>
clear services stateful-firewall subscriber-analysis
<clear-service-subs-analysis>
clear services subscriber
clear services subscriber sessions
<get-services-subscriber-sessions>
clear services video-monitoring
<clear-service-video-monitoring-information>
clear services video-monitoring mdi
<clear-service-video-monitoring-mdi-information>
clear services video-monitoring mdi alarm
<clear-service-video-monitoring-mdi-alarm-information>
clear services video-monitoring mdi alarm errors
<clear-services-video-monitoring-mdi-alarm-errors>
clear services video-monitoring mdi alarm stats
<clear-services-video-monitoring-mdi-alarm-statistics>
clear services video-monitoring mdi errors
<clear-service-video-monitoring-mdi-errors>
clear services video-monitoring mdi statistics
<clear-service-video-monitoring-mdi-statistics>
clear services sessions analysis
<clear-service-msp-session-analysis-information>
clear services softwire
clear services softwire statistics
<clear-services-softwire-statistics>
clear services stateful-firewall
clear services stateful-firewall flow-analysis
<clear-service-flow-analysis>
clear services stateful-firewall flows
<clear-service-sfw-flow-table-information>
clear services pgcp
clear services pgcp gates
<clear-service-pgcp-gates>
clear services pgcp gates gateway
<clear-service-pgcp-gates-gateway>
clear services pgcp statistics
<clear-service-pgcp-statistics>
clear services pgcp statistics gateway
<clear-service-pgcp-statistics-gateway>
<clear-rfc2544-information>
<clear-aborted-tests-information>
<clear-active-tests-information>
<clear-completed-tests-information>
clear sflow
clear sflow collector
clear sflow collector statistics
<clear-sflow-collector-statistics>
clear shmlog
clear shmlog all-info
<clear-shmlog-all-information>
clear shmlog entries
<clear-shmlog-entries>
clear shmlog statistics
<clear-shmlog-statistics>
clear snmp
clear snmp history
<clear-snmp-history>
<clear-health-monitor-routing-engine-history>
clear snmp statistics
<clear-snmp-statistics>
clear spanning-tree
clear spanning-tree protocol-migration
clear spanning-tree protocol-migration interface
<clear-interface-stp-protocol-migration>
clear spanning-tree statistics
<clear-stp-interface-statistics>
clear spanning-tree statistics bridge
clear spanning-tree statistics interface
clear spanning-tree statistics routing-instance
<clear-stp-routing-instance-statistics>
clear spanning-tree stp-buffer
clear spanning-tree topology-change-counter
<clear-stp-topology-change-counter>
clear synchronous-ethernet
clear synchronous-ethernet esmc
clear synchronous-ethernet esmc statistics
clear system
clear system boot-media
<clear-boot-media>
clear system login
clear system login lockout
<clear-system-login-lockout>
clear-twamp-information
clear-twamp-server-information
clear-twamp-server-connection-information
clear unified-edge
clear unified-edge ggsn-pgw
clear unified-edge ggsn-pgw aaa
clear unified-edge ggsn-pgw aaa radius
clear unified-edge ggsn-pgw aaa radius statistics
<clear-mobile-gateway-aaa-radius-statistics>
clear unified-edge ggsn-pgw aaa statistics
<clear-mobile-gateway-aaa-statistics>
clear unified-edge ggsn-pgw address-assignment
clear unified-edge ggsn-pgw address-assignment pool
<clear-mobile-gateway-sm-ippool-pool-sessions>
clear unified-edge ggsn-pgw address-assignment statistics
<clear-mobile-gateway-sm-ippool-statistics>
clear unified-edge ggsn-pgw call-admission-control
clear unified-edge ggsn-pgw call-admission-control statistics
<clear-mobile-gateway-cac-statistics>
clear unified-edge ggsn-pgw charging
clear unified-edge ggsn-pgw charging cdr
<clear-mobile-gateway-charging-clear-cdr>
clear unified-edge ggsn-pgw charging cdr wfa
<clear-mobile-gateway-charging-clear-cdr-wfa>
clear unified-edge ggsn-pgw charging local-persistent-storage
clear unified-edge ggsn-pgw charging local-persistent-storage statistics
<clear-mobile-gateway-charging-clear-lps-stats>
clear unified-edge ggsn-pgw charging path
clear unified-edge ggsn-pgw charging path statistics
<clear-mobile-gateway-charging-clear-path-stats>
clear unified-edge ggsn-pgw charging transfer
clear unified-edge ggsn-pgw charging transfer statistics
<clear-mobile-gateway-charging-clear-xfer-stats>
clear unified-edge ggsn-pgw diameter
clear unified-edge ggsn-pgw diameter dcca-gy
clear unified-edge ggsn-pgw diameter dcca-gy statistics
<clear-mobile-gateway-aaa-diam-stats-gy>
clear unified-edge ggsn-pgw diameter network-element
clear unified-edge ggsn-pgw diameter network-element statistics
<clear-mobile-gateway-aaa-diam-ne-statistics>
clear unified-edge ggsn-pgw diameter pcc-gx
clear unified-edge ggsn-pgw diameter pcc-gx statistics
<clear-mobile-gateway-aaa-diam-stats-gx>
clear unified-edge ggsn-pgw diameter peer
<get-disable-ike-debug>
request security ike debug-enable
<get-enable-ike-debug>
request services rpm twamp start
request services rpm twamp start client
<twamp-test-start>
request services rpm twamp stop
request services rpm twamp stop client
<twamp-test-stop>
request snmp
<request-snmp-utility-mib-clear>
<request-snmp-utility-mib-set>
clear vpls statistics
<clear-vpls-statistics>
clear vrrp
<clear-vrrp-information>
clear vrrp interface
<clear-vrrp-interface-statistics>
request mpls
request mpls lsp
request mpls lsp adjust-autobandwidth
<request-mpls-lsp-autobandwidth-adjust>
clear services inline stateful-firewall
clear services inline stateful-firewall flows
<clear-service-inline-sfw-flow-table-information>
clear services inline stateful-firewall statistics
<clear-inline-stateful-firewall-statistics>
clear services service-sets statistics drop-flow-limit
<clear-service-set-drop-flow-statistics>
clear services service-sets statistics jflow-log
<clear-service-set-jflow-log-statistics>
request services ipsec-vpn ipsec
request services ipsec-vpn ipsec switch
request services ipsec-vpn ipsec switch tunnel
request unified-edge
request unified-edge ggsn-pgw
request unified-edge ggsn-pgw call-trace
<monitor-mobile-gateways-call-trace-start>
request unified-edge ggsn-pgw call-trace clear
<get-mobile-gateways-call-trace-clear>
request unified-edge ggsn-pgw call-trace show
<get-mobile-gateways-call-trace-information>
RELATED DOCUMENTATION
configure
Commands
configure
request snmp
request-snmp-utility-mib-clear
request-snmp-utility-mib-set
RELATED DOCUMENTATION
control
Commands
request jnu
request jnu role
request jnu schema
request jnu schema add
request jnu schema delete
RELATED DOCUMENTATION
field
Commands
RELATED DOCUMENTATION
firewall
Commands
clear unified-edge
clear unified-edge ggsn-pgw
clear unified-edge ggsn-pgw aaa
clear unified-edge ggsn-pgw aaa radius
clear unified-edge ggsn-pgw aaa radius statistics
<clear-mobile-gateway-aaa-radius-statistics>
clear unified-edge ggsn-pgw aaa statistics
<clear-mobile-gateway-aaa-statistics>
clear unified-edge ggsn-pgw address-assignment
clear unified-edge ggsn-pgw address-assignment pool
<clear-mobile-gateway-sm-ippool-pool-sessions>
clear unified-edge ggsn-pgw address-assignment statistics
<clear-mobile-gateway-sm-ippool-statistics>
clear unified-edge ggsn-pgw call-admission-control
clear unified-edge ggsn-pgw call-admission-control statistics
<clear-mobile-gateway-cac-statistics>
clear unified-edge ggsn-pgw charging
clear unified-edge ggsn-pgw charging cdr
<clear-mobile-gateway-charging-clear-cdr>
clear unified-edge ggsn-pgw charging cdr wfa
<clear-mobile-gateway-charging-clear-cdr-wfa>
clear unified-edge ggsn-pgw charging local-persistent-storage
clear unified-edge ggsn-pgw charging local-persistent-storage statistics
<clear-mobile-gateway-charging-clear-lps-stats>
clear unified-edge ggsn-pgw charging path
clear unified-edge ggsn-pgw charging path statistics
<clear-mobile-gateway-charging-clear-path-stats>
clear unified-edge ggsn-pgw charging transfer
clear unified-edge ggsn-pgw charging transfer statistics
<clear-mobile-gateway-charging-clear-xfer-stats>
clear unified-edge ggsn-pgw diameter
clear unified-edge ggsn-pgw diameter dcca-gy
clear unified-edge ggsn-pgw diameter dcca-gy statistics
<clear-mobile-gateway-aaa-diam-stats-gy>
clear unified-edge ggsn-pgw diameter network-element
clear unified-edge ggsn-pgw diameter network-element statistics
<clear-mobile-gateway-aaa-diam-ne-statistics>
clear unified-edge ggsn-pgw diameter pcc-gx
clear unified-edge ggsn-pgw diameter pcc-gx statistics
<clear-mobile-gateway-aaa-diam-stats-gx>
clear unified-edge ggsn-pgw diameter peer
clear unified-edge ggsn-pgw diameter peer statistics
<clear-mobile-gateway-aaa-diam-peer-statistics>
clear unified-edge ggsn-pgw gtp
clear unified-edge ggsn-pgw gtp peer
clear unified-edge ggsn-pgw gtp peer statistics
<clear-mobile-gateway-gtp-peer-statistics>
clear unified-edge ggsn-pgw gtp statistics
<clear-mobile-gateway-gtp-statistics>
clear unified-edge ggsn-pgw ip-reassembly
clear unified-edge ggsn-pgw ip-reassembly statistics
<clear-mobile-gateways-ip-reassembly-statistics>
clear unified-edge ggsn-pgw statistics
<clear-mobile-gateway-statistics>
clear unified-edge ggsn-pgw subscribers
<clear-mobile-gateway-subscribers>
clear unified-edge ggsn-pgw subscribers bearer
clear unified-edge ggsn-pgw subscribers charging
<clear-mobile-gateway-subscribers-charging>
clear unified-edge ggsn-pgw subscribers peer
<clear-mobile-gateway-subscribers-peer>
clear unified-edge sgw
clear unified-edge sgw call-admission-control
clear unified-edge sgw call-admission-control statistics
<clear-mobile-sgw-cac-statistics>
clear unified-edge sgw charging
clear unified-edge sgw charging cdr
<clear-mobile-gateway-sgw-charging-clear-cdr>
<clear-radius-server-statistics>
clear unified-edge tdf aaa radius snoop-segment
clear unified-edge tdf aaa radius snoop-segment statistics
<clear-radius-snoop-segment-statistics>
clear unified-edge tdf aaa statistics
<clear-tdf-gateway-aaa-statistics>
clear unified-edge tdf address-assignment
clear unified-edge tdf address-assignment pool
<clear-mobile-gateway-tdf-sm-ippool-pool-sessions>
clear unified-edge tdf address-assignment statistics
<clear-mobile-gateway-tdf-sm-ippool-statistics>
clear unified-edge tdf call-admission-control
clear unified-edge tdf call-admission-control statistics
<clear-tdf-cac-statistics>
clear unified-edge tdf diameter
clear unified-edge tdf diameter network-element
clear unified-edge tdf diameter network-element statistics
<clear-diameter-network-element-statistics>
clear unified-edge tdf diameter pcc-gx
clear unified-edge tdf diameter pcc-gx statistics
<clear-diameter-statistics-gx>
clear unified-edge tdf diameter peer
clear unified-edge tdf diameter peer statistics
<clear-diameter-peer-statistics>
clear unified-edge tdf statistics
<clear-tdf-statistics>
clear unified-edge tdf subscribers
<clear-mobile-tdf-subscribers>
clear unified-edge tdf subscribers peer
<clear-mobile-gateway-tdf-subscribers-peer>
request unified-edge
request unified-edge ggsn-pgw
request unified-edge ggsn-pgw call-trace
<monitor-mobile-gateways-call-trace-start>
request unified-edge ggsn-pgw call-trace clear
<get-mobile-gateways-call-trace-clear>
request unified-edge ggsn-pgw call-trace show
<get-mobile-gateways-call-trace-information>
request unified-edge ggsn-pgw call-trace start
<get-mobile-gateways-call-trace-start-information>
request unified-edge ggsn-pgw call-trace stop
<get-mobile-gateways-call-trace-stop-information>
show policer
<get-policer-information>
RELATED DOCUMENTATION
firewall-control
Can view and configure firewall filter information at the [edit dynamic-profiles firewall], [edit firewall],
and [edit logical-systems firewall] hierarchy levels.
Commands
show firewall
<get-firewall-information>
<get-filter-version>
show policer
RELATED DOCUMENTATION
floppy
Commands
RELATED DOCUMENTATION
flow-tap
Commands
clear unified-edge
clear unified-edge ggsn-pgw
clear unified-edge ggsn-pgw aaa
clear unified-edge ggsn-pgw aaa radius
clear unified-edge ggsn-pgw aaa radius statistics
<clear-mobile-gateway-aaa-radius-statistics>
clear unified-edge ggsn-pgw aaa statistics
<clear-mobile-gateway-aaa-statistics>
clear unified-edge ggsn-pgw address-assignment
<clear-mobile-gateway-statistics>
clear unified-edge ggsn-pgw subscribers
<clear-mobile-gateway-subscribers>
clear unified-edge ggsn-pgw subscribers bearer
clear unified-edge ggsn-pgw subscribers charging
<clear-mobile-gateway-subscribers-charging>
clear unified-edge ggsn-pgw subscribers peer
<clear-mobile-gateway-subscribers-peer>
clear unified-edge sgw
clear unified-edge sgw call-admission-control
clear unified-edge sgw call-admission-control statistics
<clear-mobile-sgw-cac-statistics>
clear unified-edge sgw charging
clear unified-edge sgw charging cdr
<clear-mobile-gateway-sgw-charging-clear-cdr>
clear unified-edge sgw charging cdr wfa
<clear-mobile-gateway-sgw-charging-clear-cdr-wfa>
clear unified-edge sgw charging local-persistent-storage
clear unified-edge sgw charging local-persistent-storage statistics
<clear-mobile-gateway-sgw-charging-clear-lps-stats>
clear unified-edge sgw charging path
clear unified-edge sgw charging path statistics
<clear-mobile-gateway-sgw-charging-clear-path-stats>
clear unified-edge sgw charging transfer
clear unified-edge sgw charging transfer statistics
<clear-mobile-gateway-sgw-charging-clear-xfer-stats>
clear unified-edge sgw gtp
clear unified-edge sgw gtp peer
clear unified-edge sgw gtp peer statistics
<clear-mobile-sgw-gtp-peer-statistics>
clear unified-edge sgw gtp statistics
<clear-mobile-sgw-gtp-statistics>
clear unified-edge sgw idle-mode-buffering
clear unified-edge sgw idle-mode-buffering statistics
<clear-mobile-gw-sgw-idle-mode-buffering-statistics>
clear unified-edge sgw ip-reassembly
clear unified-edge sgw ip-reassembly statistics
<clear-mobile-gateways-sgw-ip-reassembly-statistics-sgw>
clear unified-edge sgw statistics
<clear-mobile-sgw-statistics>
clear unified-edge sgw subscribers
<clear-mobile-sgw-subscribers>
<clear-mobile-tdf-subscribers>
clear unified-edge tdf subscribers peer
<clear-mobile-gateway-tdf-subscribers-peer>
request unified-edge
request unified-edge ggsn-pgw
request unified-edge ggsn-pgw call-trace
<monitor-mobile-gateways-call-trace-start>
request unified-edge ggsn-pgw call-trace clear
<get-mobile-gateways-call-trace-clear>
request unified-edge ggsn-pgw call-trace show
<get-mobile-gateways-call-trace-information>
request unified-edge ggsn-pgw call-trace start
<get-mobile-gateways-call-trace-start-information>
request unified-edge ggsn-pgw call-trace stop
<get-mobile-gateways-call-trace-stop-information>
request unified-edge sgw
request unified-edge sgw call-trace
request unified-edge sgw call-trace clear
<get-mobile-gateways-sgw-call-trace-clear>
request unified-edge sgw call-trace show
<get-mobile-gateways-sgw-call-trace-information>
request unified-edge sgw call-trace start
<get-mobile-gateways-sgw-call-trace-start-information>
request unified-edge sgw call-trace stop
<get-mobile-gateways-sgw-call-trace-stop-information>
request unified-edge tdf
request unified-edge tdf call-trace
request unified-edge tdf call-trace clear
<get-mobile-gateways-tdf-call-trace-clear>
request unified-edge tdf call-trace show
<get-mobile-gateways-tdf-call-trace-information>
request unified-edge tdf call-trace start
<get-mobile-gateways-tdf-call-trace-start-information>
request unified-edge tdf call-trace stop
<get-mobile-gateways-tdf-call-trace-stop-information>
RELATED DOCUMENTATION
flow-tap-control
Can view the flow-tap configuration in configuration mode and can configure flow-tap configuration
information at the [edit services flow-tap], [edit services radius-flow-tap], and [edit system services
flow-tap-dtcp] hierarchy levels.
Commands
RELATED DOCUMENTATION
flow-tap-operation
Commands
RELATED DOCUMENTATION
idp-profiler-operation
Commands
interface
Commands
clear unified-edge
clear unified-edge ggsn-pgw
clear unified-edge ggsn-pgw aaa
clear unified-edge ggsn-pgw aaa radius
clear unified-edge ggsn-pgw aaa radius statistics
<clear-mobile-gateway-aaa-radius-statistics>
clear unified-edge ggsn-pgw aaa statistics
<clear-mobile-gateway-aaa-statistics>
clear unified-edge ggsn-pgw address-assignment
clear unified-edge ggsn-pgw address-assignment pool
<clear-mobile-gateway-sm-ippool-pool-sessions>
clear unified-edge ggsn-pgw address-assignment statistics
<clear-mobile-gateway-sm-ippool-statistics>
clear unified-edge ggsn-pgw call-admission-control
clear unified-edge ggsn-pgw call-admission-control statistics
<clear-mobile-gateway-cac-statistics>
clear unified-edge ggsn-pgw charging
clear unified-edge ggsn-pgw charging cdr
<clear-mobile-gateway-charging-clear-cdr>
clear unified-edge ggsn-pgw charging cdr wfa
<clear-mobile-gateway-charging-clear-cdr-wfa>
clear unified-edge ggsn-pgw charging local-persistent-storage
clear unified-edge ggsn-pgw charging local-persistent-storage statistics
<clear-mobile-gateway-charging-clear-lps-stats>
clear unified-edge ggsn-pgw charging path
clear unified-edge ggsn-pgw charging path statistics
<clear-mobile-gateway-charging-clear-path-stats>
clear unified-edge ggsn-pgw charging transfer
clear unified-edge ggsn-pgw charging transfer statistics
<clear-mobile-gateway-charging-clear-xfer-stats>
clear unified-edge ggsn-pgw diameter
clear unified-edge ggsn-pgw diameter dcca-gy
clear unified-edge ggsn-pgw diameter dcca-gy statistics
<clear-mobile-gateway-aaa-diam-stats-gy>
clear unified-edge ggsn-pgw diameter network-element
clear unified-edge ggsn-pgw diameter network-element statistics
<clear-mobile-gateway-aaa-diam-ne-statistics>
clear unified-edge ggsn-pgw diameter pcc-gx
clear unified-edge ggsn-pgw diameter pcc-gx statistics
<clear-mobile-gateway-aaa-diam-stats-gx>
clear unified-edge ggsn-pgw diameter peer
clear unified-edge ggsn-pgw diameter peer statistics
<clear-mobile-gateway-aaa-diam-peer-statistics>
clear unified-edge ggsn-pgw gtp
clear unified-edge ggsn-pgw gtp peer
clear unified-edge ggsn-pgw gtp peer statistics
<clear-mobile-gateway-gtp-peer-statistics>
clear unified-edge ggsn-pgw gtp statistics
<clear-mobile-gateway-gtp-statistics>
clear unified-edge ggsn-pgw ip-reassembly
clear unified-edge ggsn-pgw ip-reassembly statistics
<clear-mobile-gateways-ip-reassembly-statistics>
clear unified-edge ggsn-pgw statistics
<clear-mobile-gateway-statistics>
<clear-mobile-sgw-subscribers-charging>
clear unified-edge sgw subscribers peer
<clear-mobile-sgw-subscribers-peer>
clear unified-edge tdf
clear unified-edge tdf aaa
clear unified-edge tdf aaa radius
clear unified-edge tdf aaa radius client
clear unified-edge tdf aaa radius client statistics
<clear-radius-client-statistics>
clear unified-edge tdf aaa radius network-element
clear unified-edge tdf aaa radius network-element statistics
<clear-radius-network-element-statistics>
clear unified-edge tdf aaa radius server
clear unified-edge tdf aaa radius server statistics
<clear-radius-server-statistics>
clear unified-edge tdf aaa radius snoop-segment
clear unified-edge tdf aaa radius snoop-segment statistics
<clear-radius-snoop-segment-statistics>
clear unified-edge tdf aaa statistics
<clear-tdf-gateway-aaa-statistics>
clear unified-edge tdf address-assignment
clear unified-edge tdf address-assignment pool
<clear-mobile-gateway-tdf-sm-ippool-pool-sessions>
clear unified-edge tdf address-assignment statistics
<clear-mobile-gateway-tdf-sm-ippool-statistics>
clear unified-edge tdf call-admission-control
clear unified-edge tdf call-admission-control statistics
<clear-tdf-cac-statistics>
clear unified-edge tdf diameter
clear unified-edge tdf diameter network-element
clear unified-edge tdf diameter network-element statistics
<clear-diameter-network-element-statistics>
clear unified-edge tdf diameter pcc-gx
clear unified-edge tdf diameter pcc-gx statistics
<clear-diameter-statistics-gx>
clear unified-edge tdf diameter peer
clear unified-edge tdf diameter peer statistics
<clear-diameter-peer-statistics>
clear unified-edge tdf statistics
<clear-tdf-statistics>
clear unified-edge tdf subscribers
<clear-mobile-tdf-subscribers>
[edit accounting-options]
[edit chassis]
[edit class-of-service]
RELATED DOCUMENTATION
interface-control
Can view chassis, class of service (CoS), groups, forwarding options, and interfaces configuration information.
Can edit configuration at the [edit chassis], [edit class-of-service], [edit groups], [edit forwarding-options],
and [edit interfaces] hierarchy levels.
Commands
[edit accounting-options]
[edit chassis]
[edit class-of-service]
[edit class-of-service interfaces]
[edit dynamic-profiles class-of-service]
[edit dynamic-profiles class-of-service interfaces]
[edit dynamic-profiles interfaces]
[edit dynamic-profiles routing-instances instance system services dhcp-local-server]
[edit dynamic-profiles routing-instances instance system services static-subscribers group]
[edit forwarding-options]
[edit interfaces]
[edit jnx-example]
[edit logical-systems forwarding-options]
[edit logical-systems interfaces]
[edit logical-systems routing-instances instance system services dhcp-local-server]
[edit logical-systems routing-instances instance system services static-subscribers group]
[edit logical-systems system services dhcp-local-server]
[edit logical-systems system services static-subscribers group]
[edit routing-instances instance system services dhcp-local-server]
[edit routing-instances instance system services static-subscribers group]
[edit services logging]
[edit services radius-flow-tap]
RELATED DOCUMENTATION
maintenance
Can perform system maintenance, including starting a local shell on the router and becoming the superuser
in the shell, and can halt and reboot the router.
Commands
<clear-system-services-reverse-information>
file archive
<file-archive>
file change-owner
<file-change-owner>
<extract-file>
monitor traffic
<generate-pki-key-pair>
request security pki local-certificate
request security pki local-certificate enroll
request security pki local-certificate generate-self-signed
<generate-pki-self-signed-local-certificate>
request security pki local-certificate load
<load-pki-local-certificate>
request security pki local-certificate verify
<verify-pki-local-certificate>
request security pki verify-integrity-status
<verify-integrity-status>
request services fips
request services fips authorize
request services fips authorize pic
request services fips zeroize
request services fips zeroize pic
request services flow-collector
request services flow-collector change-destination
<request-services-flow-collector-destination>
request support
request support information
request system
request system boot-media
<request-boot-media>
request system certificate
request system certificate add
request system commit
request system commit server
request system commit server pause
<request-commit-server-pause>
request system commit server queue
request system commit server queue cleanup
<request-commit-server-cleanup>
<request-fpd-fpga-upgrade>
request system firmware upgrade fpga ftc
<request-ftc-fpga-upgrade>
request system firmware upgrade fpga re
<request-re-fpga-upgrade>
<request-power-off>
<request-unmount>
request system subscriber-management
request system subscriber-management new-sessions-disable
<request-sm-new-sessions-disable>
request system subscriber-management new-sessions-enable
<request-sm-new-sessions-enable>
request system yang enable
<request-yang-enable>
request system yang update
<request-yang-update>
request system yang validate
<request-yang-validate>
request system zeroize
request vmhost
request vmhost cleanup
<request-vmhost-file-cleanup>
request vmhost file-copy
<request-vmhost-file-copy>
request vmhost halt
<request-vmhost-halt>
request vmhost hard-disk-test
<request-vmhost-hard-disk-test>
request vmhost power-off
<request-vmhost-poweroff>
request vmhost power-on
<request-power-on-other-re>
request vmhost reboot
<request-vmhost-reboot>
request vmhost snapshot
<request-vmhost-snapshot>
request vmhost snapshot partition
<request-vmhost-snapshot-partition>
request vmhost snapshot recovery
<request-vmhost-snapshot-recovery>
request vmhost snapshot recovery partition
<request-vmhost-snapshot-recovery-partition>
request vmhost software
request vmhost software abort
request vmhost software abort in-service-upgrade
<abort-in-service-upgrade>
request vmhost software add
<request-vmhost-package-add>
[edit event-options]
[edit security ipsec internal]
[edit security ipsect trusted-channel]
[edit services dynamic-flow-capture traceoptions]
[edit services ggsn]
[edit system fips]
[edit services ggsn rule-space]
[edit system processes daemon-process command]
[edit system scripts]
[edit system scripts commit]
RELATED DOCUMENTATION
network
Can access the network by using the ping, ssh, telnet, and traceroute commands.
Commands
mtrace
mtrace from-source
mtrace monitor
mtrace to-gateway
ping
<ping>
ping atm
ping clns
ping ethernet
<request-ping-ethernet>
ping fibre-channel
ping mpls
ping mpls bgp
<request-ping-bgp-lsp>
ping overlay
<request-ping-overlay>
ping vpls
ping vpls instance
<request-ping-vpls-instance>
request routing-engine
request routing-engine login
<request-routing-engine-login>
request routing-engine login other-routing-engine
<request-login-to-other-routing-engine>
request services flow-collector
request services flow-collector test-file-transfer
<request-services-flow-collector-test-file-transfer>
show host
show interfaces level-extra descriptions
show multicast mrinfo
ssh
telnet
traceroute
<traceroute>
traceroute clns
traceroute ethernet
<request-traceroute-ethernet>
traceroute monitor
traceroute mpls
traceroute mpls l2vpn
<traceroute-mpls-l2vpn>
traceroute mpls l2vpn fec129
<traceroute-mpls-mspw>
traceroute mpls ldp
<traceroute-mpls-ldp>
traceroute mpls rsvp
<traceroute-mpls-rsvp>
traceroute overlay
<request-traceroute-overlay>
RELATED DOCUMENTATION
pgcp-session-mirroring
Commands
clear unified-edge
clear unified-edge ggsn-pgw
clear unified-edge ggsn-pgw aaa
clear unified-edge ggsn-pgw aaa radius
clear unified-edge ggsn-pgw aaa radius statistics
<clear-mobile-gateway-aaa-radius-statistics>
clear unified-edge ggsn-pgw aaa statistics
<clear-mobile-gateway-aaa-statistics>
clear unified-edge ggsn-pgw address-assignment
clear unified-edge ggsn-pgw address-assignment pool
<clear-mobile-gateway-sm-ippool-pool-sessions>
clear unified-edge ggsn-pgw address-assignment statistics
<clear-mobile-gateway-sm-ippool-statistics>
clear unified-edge ggsn-pgw call-admission-control
clear unified-edge ggsn-pgw call-admission-control statistics
<clear-mobile-gateway-cac-statistics>
clear unified-edge ggsn-pgw charging
clear unified-edge ggsn-pgw charging cdr
<clear-mobile-gateway-charging-clear-cdr>
clear unified-edge ggsn-pgw charging cdr wfa
<clear-mobile-gateway-charging-clear-cdr-wfa>
clear unified-edge ggsn-pgw charging local-persistent-storage
clear unified-edge ggsn-pgw charging local-persistent-storage statistics
<clear-mobile-gateway-charging-clear-lps-stats>
clear unified-edge ggsn-pgw charging path
clear unified-edge ggsn-pgw charging path statistics
<clear-mobile-gateway-charging-clear-path-stats>
clear unified-edge ggsn-pgw charging transfer
RELATED DOCUMENTATION
pgcp-session-mirroring-control
Commands
RELATED DOCUMENTATION
reset
Can restart software processes by using the restart command and can configure whether software processes
configured at the [edit system processes] hierarchy level are enabled or disabled.
Commands
RELATED DOCUMENTATION
Example: Configuring User Permissions with Access Privileges for Operational Mode Commands | 111
Example: Configuring User Permissions with Access Privileges for Configuration Statements and
Hierarchies | 126
rollback
Commands
rollback
[edit]
RELATED DOCUMENTATION
routing
Can view general routing, routing protocol, and routing policy configuration information.
Commands
clear unified-edge
clear unified-edge ggsn-pgw
clear unified-edge ggsn-pgw aaa
clear unified-edge ggsn-pgw aaa radius
clear unified-edge ggsn-pgw aaa radius statistics
<clear-mobile-gateway-aaa-radius-statistics>
clear unified-edge ggsn-pgw aaa statistics
<clear-mobile-gateway-aaa-statistics>
clear unified-edge ggsn-pgw address-assignment
clear unified-edge ggsn-pgw address-assignment pool
<clear-mobile-gateway-sm-ippool-pool-sessions>
clear unified-edge ggsn-pgw address-assignment statistics
<clear-mobile-gateway-sm-ippool-statistics>
clear unified-edge ggsn-pgw call-admission-control
clear unified-edge ggsn-pgw call-admission-control statistics
<clear-mobile-gateway-cac-statistics>
clear unified-edge ggsn-pgw charging
clear unified-edge ggsn-pgw charging cdr
<clear-mobile-gateway-charging-clear-cdr>
clear unified-edge ggsn-pgw charging cdr wfa
<clear-mobile-gateway-charging-clear-cdr-wfa>
clear unified-edge ggsn-pgw charging local-persistent-storage
clear unified-edge ggsn-pgw charging local-persistent-storage statistics
<clear-mobile-gateway-charging-clear-lps-stats>
clear unified-edge ggsn-pgw charging path
clear unified-edge ggsn-pgw charging path statistics
<clear-mobile-gateway-charging-clear-path-stats>
clear unified-edge ggsn-pgw charging transfer
clear unified-edge ggsn-pgw charging transfer statistics
<clear-mobile-gateway-charging-clear-xfer-stats>
clear unified-edge ggsn-pgw diameter
clear unified-edge ggsn-pgw diameter dcca-gy
clear unified-edge ggsn-pgw diameter dcca-gy statistics
<clear-mobile-gateway-aaa-diam-stats-gy>
clear unified-edge ggsn-pgw diameter network-element
clear unified-edge ggsn-pgw diameter network-element statistics
<clear-mobile-gateway-aaa-diam-ne-statistics>
clear unified-edge ggsn-pgw diameter pcc-gx
clear unified-edge ggsn-pgw diameter pcc-gx statistics
<clear-mobile-gateway-aaa-diam-stats-gx>
clear unified-edge ggsn-pgw diameter peer
[edit bridge-domains]
[edit bridge-domains domain multicast-snooping-options]
[edit bridge-domains domain multicast-snooping-options traceoptions]
[edit dynamic-profiles protocols igmp traceoptions]
[edit dynamic-profiles protocols mld traceoptions]
[edit dynamic-profiles protocols router-advertisement traceoptions]
[edit dynamic-profiles routing-instances]
[edit dynamic-profiles routing-instances instance bridge-domains]
[edit dynamic-profiles routing-instances instance bridge-domains domain multicast-snooping-options]
[edit dynamic-profiles routing-instances instance bridge-domains domain multicast-snooping-options traceoptions]
[edit dynamic-profiles routing-instances instance multicast-snooping-options]
[edit dynamic-profiles routing-instances instance multicast-snooping-options traceoptions]
[edit dynamic-profiles routing-instances instance pbb-options]
[edit dynamic-profiles routing-instances instance protocols]
[edit dynamic-profiles routing-instances instance protocols bgp group neighbor traceoptions]
[edit dynamic-profiles routing-instances instance protocols bgp group traceoptions]
[edit dynamic-profiles routing-instances instance protocols bgp traceoptions]
[edit dynamic-profiles routing-instances instance protocols esis traceoptions]
[edit dynamic-profiles routing-instances instance protocols isis traceoptions]
[edit dynamic-profiles routing-instances instance protocols l2vpn traceoptions]
[edit dynamic-profiles routing-instances instance protocols ldp traceoptions]
[edit dynamic-profiles routing-instances instance protocols msdp group peer traceoptions]
[edit routing-instances]
[edit routing-instances instance bridge-domains]
[edit routing-instances instance bridge-domains domain multicast-snooping-options]
[edit routing-instances instance bridge-domains domain multicast-snooping-options traceoptions]
[edit routing-instances instance multicast-snooping-options]
[edit routing-instances instance multicast-snooping-options traceoptions]
[edit routing-instances instance pbb-options]
[edit routing-instances instance protocols]
[edit routing-instances instance protocols bgp group neighbor traceoptions]
[edit routing-instances instance protocols bgp group traceoptions]
[edit routing-instances instance protocols bgp traceoptions]
[edit routing-instances instance protocols esis traceoptions]
[edit routing-instances instance protocols evpn traceoptions]
[edit routing-instances instance protocols isis traceoptions]
[edit routing-instances instance protocols l2vpn traceoptions]
[edit routing-instances instance protocols ldp traceoptions]
[edit routing-instances instance protocols mld-snooping traceoptions]
[edit routing-instances instance protocols mld-snooping vlan traceoptions]
[edit routing-instances instance protocols msdp group peer traceoptions]
[edit routing-instances instance protocols msdp group traceoptions]
[edit routing-instances instance protocols msdp peer traceoptions]
[edit routing-instances instance protocols msdp traceoptions]
[edit routing-instances instance protocols mvpn traceoptions]
[edit routing-instances instance protocols ospf traceoptions]
[edit routing-instances instance protocols pim traceoptions]
[edit routing-instances instance protocols rip traceoptions]
[edit routing-instances instance protocols ripng traceoptions]
[edit routing-instances instance protocols router-discovery traceoptions]
[edit routing-instances instance protocols vpls traceoptions]
[edit routing-instances instance routing-options]
[edit routing-instances instance routing-options validation group session traceoptions]
[edit routing-instances instance routing-options validation traceoptions]
[edit routing-instances instance routing-options multicast traceoptions]
[edit routing-instances instance routing-options traceoptions]
[edit routing-instances instance service-groups]
[edit routing-instances instance switch-options]
[edit routing-instances instance vlans]
[edit routing-instances instance vlans vlan multicast-snooping-options]
[edit routing-instances instance vlans vlan multicast-snooping-options traceoptions]
[edit routing-options]
[edit routing-options validation group session]
[edit routing-options multicast traceoptions]
[edit routing-options validation]
[edit routing-options traceoptions]
[edit switch-options]
[edit unified-edge]
[edit vlans]
[edit vlans vlan multicast-snooping-options]
[edit vlans vlan multicast-snooping-options traceoptions]
RELATED DOCUMENTATION
routing-control
Can view general routing, routing protocol, and routing policy configuration information and can configure
general routing at the [edit routing-options] hierarchy level, routing protocols at the [edit protocols]
hierarchy level, and routing policy at the [edit policy-options] hierarchy level.
Commands
[edit bridge-domains]
[edit bridge-domains domain multicast-snooping-options]
[edit bridge-domains domain multicast-snooping-options traceoptions]
[edit dynamic-profiles protocols igmp traceoptions]
[edit dynamic-profiles protocols mld traceoptions]
[edit dynamic-profiles protocols router-advertisement traceoptions]
[edit dynamic-profiles routing-instances]
[edit dynamic-profiles routing-instances instance bridge-domains]
[edit dynamic-profiles routing-instances instance bridge-domains domain multicast-snooping-options]
[edit dynamic-profiles routing-instances instance bridge-domains domain multicast-snooping-options traceoptions]
[edit dynamic-profiles routing-instances instance multicast-snooping-options]
[edit dynamic-profiles routing-instances instance multicast-snooping-options traceoptions]
[edit dynamic-profiles routing-instances instance pbb-options]
[edit dynamic-profiles routing-instances instance protocols]
[edit dynamic-profiles routing-instances instance protocols bgp group neighbor traceoptions]
[edit dynamic-profiles routing-instances instance protocols bgp group traceoptions]
[edit dynamic-profiles routing-instances instance protocols bgp traceoptions]
[edit dynamic-profiles routing-instances instance protocols esis traceoptions]
[edit dynamic-profiles routing-instances instance protocols isis traceoptions]
[edit dynamic-profiles routing-instances instance protocols l2vpn traceoptions]
[edit dynamic-profiles routing-instances instance protocols ldp traceoptions]
[edit dynamic-profiles routing-instances instance protocols msdp group peer traceoptions]
[edit dynamic-profiles routing-instances instance protocols msdp group traceoptions]
[edit dynamic-profiles routing-instances instance protocols msdp peer traceoptions]
[edit dynamic-profiles routing-instances instance protocols msdp traceoptions]
[edit dynamic-profiles routing-instances instance protocols mvpn traceoptions]
[edit dynamic-profiles routing-instances instance protocols ospf traceoptions]
[edit dynamic-profiles routing-instances instance protocols pim traceoptions]
[edit dynamic-profiles routing-instances instance protocols rip traceoptions]
[edit dynamic-profiles routing-instances instance protocols ripng traceoptions]
[edit dynamic-profiles routing-instances instance protocols router-discovery traceoptions]
[edit dynamic-profiles routing-instances instance protocols vpls traceoptions]
[edit dynamic-profiles routing-instances instance routing-options]
[edit logical-systems routing-instances instance routing-options traceoptions]
[edit logical-systems routing-instances instance service-groups]
[edit logical-systems routing-instances instance switch-options]
[edit logical-systems routing-options]
[edit logical-systems routing-options multicast traceoptions]
[edit logical-systems routing-options traceoptions]
[edit logical-systems switch-options]
[edit multicast-snooping-options]
[edit multicast-snooping-options traceoptions]
[edit policy-options]
[edit protocols]
[edit protocols amt traceoptions]
[edit protocols bgp group neighbor traceoptions]
[edit protocols bgp group traceoptions]
[edit protocols bgp traceoptions]
[edit protocols connections]
[edit protocols dot1x]
[edit protocols dvmrp traceoptions]
[edit protocols esis traceoptions]
[edit protocols igmp traceoptions]
[edit protocols igmp-host traceoptions]
[edit protocols igmp-snooping]
[edit protocols isis traceoptions]
[edit protocols l2circuit traceoptions]
[edit protocols l2iw traceoptions]
[edit protocols ldp traceoptions]
[edit protocols lldp]
[edit protocols lldp-med]
[edit protocols mld traceoptions]
[edit protocols mld-host traceoptions]
[edit protocols msdp group peer traceoptions]
[edit protocols msdp group traceoptions]
[edit protocols msdp peer traceoptions]
[edit protocols msdp traceoptions]
[edit protocols mstp]
[edit protocols mvrp]
[edit protocols oam]
[edit protocols ospf traceoptions]
[edit protocols pim traceoptions]
[edit protocols rip traceoptions]
[edit protocols ripng traceoptions]
[edit protocols router-advertisement traceoptions]
RELATED DOCUMENTATION
secret
Commands
clear unified-edge
clear unified-edge ggsn-pgw
clear unified-edge ggsn-pgw aaa
clear unified-edge ggsn-pgw aaa radius
clear unified-edge ggsn-pgw aaa radius statistics
<clear-mobile-gateway-aaa-radius-statistics>
clear unified-edge ggsn-pgw aaa statistics
<clear-mobile-gateway-aaa-statistics>
clear unified-edge ggsn-pgw address-assignment
clear unified-edge ggsn-pgw address-assignment pool
<clear-mobile-gateway-sm-ippool-pool-sessions>
clear unified-edge ggsn-pgw address-assignment statistics
<clear-mobile-gateway-sm-ippool-statistics>
clear unified-edge ggsn-pgw call-admission-control
clear unified-edge ggsn-pgw call-admission-control statistics
<clear-mobile-gateway-cac-statistics>
clear unified-edge ggsn-pgw charging
clear unified-edge ggsn-pgw charging cdr
<clear-mobile-gateway-charging-clear-cdr>
clear unified-edge ggsn-pgw charging cdr wfa
<clear-mobile-gateway-charging-clear-cdr-wfa>
clear unified-edge ggsn-pgw charging local-persistent-storage
clear unified-edge ggsn-pgw charging local-persistent-storage statistics
<clear-mobile-gateway-charging-clear-lps-stats>
clear unified-edge ggsn-pgw charging path
clear unified-edge ggsn-pgw charging path statistics
<clear-mobile-gateway-charging-clear-path-stats>
clear unified-edge ggsn-pgw charging transfer
clear unified-edge ggsn-pgw charging transfer statistics
<clear-mobile-gateway-charging-clear-xfer-stats>
clear unified-edge ggsn-pgw diameter
clear unified-edge ggsn-pgw diameter dcca-gy
clear unified-edge ggsn-pgw diameter dcca-gy statistics
<clear-mobile-gateway-aaa-diam-stats-gy>
clear unified-edge ggsn-pgw diameter network-element
clear unified-edge ggsn-pgw diameter network-element statistics
<clear-mobile-gateway-aaa-diam-ne-statistics>
clear unified-edge ggsn-pgw diameter pcc-gx
clear unified-edge ggsn-pgw diameter pcc-gx statistics
<clear-mobile-gateway-aaa-diam-stats-gx>
clear unified-edge ggsn-pgw diameter peer
clear unified-edge ggsn-pgw diameter peer statistics
<clear-mobile-gateway-aaa-diam-peer-statistics>
clear unified-edge ggsn-pgw gtp
clear unified-edge ggsn-pgw gtp peer
clear unified-edge ggsn-pgw gtp peer statistics
<clear-mobile-gateway-gtp-peer-statistics>
clear unified-edge ggsn-pgw gtp statistics
<clear-mobile-gateway-gtp-statistics>
clear unified-edge ggsn-pgw ip-reassembly
clear unified-edge ggsn-pgw ip-reassembly statistics
<clear-mobile-gateways-ip-reassembly-statistics>
clear unified-edge ggsn-pgw statistics
<clear-mobile-gateway-statistics>
<clear-mobile-sgw-subscribers-charging>
clear unified-edge sgw subscribers peer
<clear-mobile-sgw-subscribers-peer>
clear unified-edge tdf
clear unified-edge tdf aaa
clear unified-edge tdf aaa radius
clear unified-edge tdf aaa radius client
clear unified-edge tdf aaa radius client statistics
<clear-radius-client-statistics>
clear unified-edge tdf aaa radius network-element
clear unified-edge tdf aaa radius network-element statistics
<clear-radius-network-element-statistics>
clear unified-edge tdf aaa radius server
clear unified-edge tdf aaa radius server statistics
<clear-radius-server-statistics>
clear unified-edge tdf aaa radius snoop-segment
clear unified-edge tdf aaa radius snoop-segment statistics
<clear-radius-snoop-segment-statistics>
clear unified-edge tdf aaa statistics
<clear-tdf-gateway-aaa-statistics>
clear unified-edge tdf address-assignment
clear unified-edge tdf address-assignment pool
<clear-mobile-gateway-tdf-sm-ippool-pool-sessions>
clear unified-edge tdf address-assignment statistics
<clear-mobile-gateway-tdf-sm-ippool-statistics>
clear unified-edge tdf call-admission-control
clear unified-edge tdf call-admission-control statistics
<clear-tdf-cac-statistics>
clear unified-edge tdf diameter
clear unified-edge tdf diameter network-element
clear unified-edge tdf diameter network-element statistics
<clear-diameter-network-element-statistics>
clear unified-edge tdf diameter pcc-gx
clear unified-edge tdf diameter pcc-gx statistics
<clear-diameter-statistics-gx>
clear unified-edge tdf diameter peer
clear unified-edge tdf diameter peer statistics
<clear-diameter-peer-statistics>
clear unified-edge tdf statistics
<clear-tdf-statistics>
clear unified-edge tdf subscribers
<clear-mobile-tdf-subscribers>
RELATED DOCUMENTATION
secret-control
Can view passwords and other authentication keys in the configuration and can modify them in configuration
mode.
Commands
RELATED DOCUMENTATION
security
Commands
clear security
clear security alarms
<clear-security-alarm-information>
clear security idp
clear security idp application-ddos
clear security idp application-ddos cache
<clear-idp-appddos-cache>
<clear-mobile-gateway-sgw-charging-clear-cdr-wfa>
clear unified-edge sgw charging local-persistent-storage
clear unified-edge sgw charging local-persistent-storage statistics
<clear-mobile-gateway-sgw-charging-clear-lps-stats>
clear unified-edge sgw charging path
clear unified-edge sgw charging path statistics
<clear-mobile-gateway-sgw-charging-clear-path-stats>
clear unified-edge sgw charging transfer
clear unified-edge sgw charging transfer statistics
<clear-mobile-gateway-sgw-charging-clear-xfer-stats>
clear unified-edge sgw gtp
clear unified-edge sgw gtp peer
clear unified-edge sgw gtp peer statistics
<clear-mobile-sgw-gtp-peer-statistics>
clear unified-edge sgw gtp statistics
<clear-mobile-sgw-gtp-statistics>
clear unified-edge sgw idle-mode-buffering
clear unified-edge sgw idle-mode-buffering statistics
<clear-mobile-gw-sgw-idle-mode-buffering-statistics>
clear unified-edge sgw ip-reassembly
clear unified-edge sgw ip-reassembly statistics
<clear-mobile-gateways-sgw-ip-reassembly-statistics-sgw>
clear unified-edge sgw statistics
<clear-mobile-sgw-statistics>
clear unified-edge sgw subscribers
<clear-mobile-sgw-subscribers>
clear unified-edge sgw subscribers charging
<clear-mobile-sgw-subscribers-charging>
clear unified-edge sgw subscribers peer
<clear-mobile-sgw-subscribers-peer>
clear unified-edge tdf
clear unified-edge tdf aaa
clear unified-edge tdf aaa radius
clear unified-edge tdf aaa radius client
clear unified-edge tdf aaa radius client statistics
<clear-radius-client-statistics>
clear unified-edge tdf aaa radius network-element
clear unified-edge tdf aaa radius network-element statistics
<clear-radius-network-element-statistics>
clear unified-edge tdf aaa radius server
clear unified-edge tdf aaa radius server statistics
<clear-radius-server-statistics>
<request-idp-security-package-download-version>
<get-idp-predefined-attack-filters>
<get-idp-recent-security-package-information>
show security idp policy-commit-status
<get-idp-policy-commit-status>
<get-idp-recent-security-package-information>
[edit security]
RELATED DOCUMENTATION
security-control
Can view and configure security information at the [edit security] hierarchy level.
Commands
clear security
clear security alarms
<clear-security-alarm-information>
clear security idp
clear security idp application-ddos
clear security idp application-ddos cache
<clear-idp-appddos-cache>
<clear-idp-applications-information>
<get-idp-subscriber-policy-list>
<get-idp-recent-security-package-information>
[edit security]
[edit security alarms]
[edit security log]
RELATED DOCUMENTATION
shell
Commands
start shell
start shell user
RELATED DOCUMENTATION
snmp
Commands
clear unified-edge
clear unified-edge ggsn-pgw
clear unified-edge ggsn-pgw aaa
clear unified-edge ggsn-pgw aaa radius
clear unified-edge ggsn-pgw aaa radius statistics
<clear-mobile-gateway-aaa-radius-statistics>
clear unified-edge ggsn-pgw aaa statistics
<clear-mobile-gateway-aaa-statistics>
clear unified-edge ggsn-pgw address-assignment
clear unified-edge ggsn-pgw address-assignment pool
<clear-mobile-gateway-sm-ippool-pool-sessions>
clear unified-edge ggsn-pgw address-assignment statistics
<clear-mobile-gateway-sm-ippool-statistics>
clear unified-edge ggsn-pgw call-admission-control
clear unified-edge ggsn-pgw call-admission-control statistics
<clear-mobile-gateway-cac-statistics>
<clear-mobile-gateway-subscribers-charging>
clear unified-edge ggsn-pgw subscribers peer
<clear-mobile-gateway-subscribers-peer>
clear unified-edge sgw
clear unified-edge sgw call-admission-control
clear unified-edge sgw call-admission-control statistics
<clear-mobile-sgw-cac-statistics>
clear unified-edge sgw charging
clear unified-edge sgw charging cdr
<clear-mobile-gateway-sgw-charging-clear-cdr>
clear unified-edge sgw charging cdr wfa
<clear-mobile-gateway-sgw-charging-clear-cdr-wfa>
clear unified-edge sgw charging local-persistent-storage
clear unified-edge sgw charging local-persistent-storage statistics
<clear-mobile-gateway-sgw-charging-clear-lps-stats>
clear unified-edge sgw charging path
clear unified-edge sgw charging path statistics
<clear-mobile-gateway-sgw-charging-clear-path-stats>
clear unified-edge sgw charging transfer
clear unified-edge sgw charging transfer statistics
<clear-mobile-gateway-sgw-charging-clear-xfer-stats>
clear unified-edge sgw gtp
clear unified-edge sgw gtp peer
clear unified-edge sgw gtp peer statistics
<clear-mobile-sgw-gtp-peer-statistics>
clear unified-edge sgw gtp statistics
<clear-mobile-sgw-gtp-statistics>
clear unified-edge sgw idle-mode-buffering
clear unified-edge sgw idle-mode-buffering statistics
<clear-mobile-gw-sgw-idle-mode-buffering-statistics>
clear unified-edge sgw ip-reassembly
clear unified-edge sgw ip-reassembly statistics
<clear-mobile-gateways-sgw-ip-reassembly-statistics-sgw>
clear unified-edge sgw statistics
<clear-mobile-sgw-statistics>
clear unified-edge sgw subscribers
<clear-mobile-sgw-subscribers>
clear unified-edge sgw subscribers charging
<clear-mobile-sgw-subscribers-charging>
clear unified-edge sgw subscribers peer
<clear-mobile-sgw-subscribers-peer>
clear unified-edge tdf
[edit snmp]
[edit unified-edge]
RELATED DOCUMENTATION
snmp-control
Can view SNMP configuration information and can modify SNMP configuration at the [edit snmp] hierarchy level.
Commands
[edit snmp]
RELATED DOCUMENTATION
system
Commands
clear unified-edge
clear unified-edge ggsn-pgw
clear unified-edge ggsn-pgw aaa
clear unified-edge ggsn-pgw aaa radius
clear unified-edge ggsn-pgw aaa radius statistics
<clear-mobile-gateway-aaa-radius-statistics>
clear unified-edge ggsn-pgw aaa statistics
<clear-mobile-gateway-aaa-statistics>
clear unified-edge ggsn-pgw address-assignment
clear unified-edge ggsn-pgw address-assignment pool
<clear-mobile-gateway-sm-ippool-pool-sessions>
clear unified-edge ggsn-pgw address-assignment statistics
<clear-mobile-gateway-sm-ippool-statistics>
clear unified-edge ggsn-pgw call-admission-control
clear unified-edge ggsn-pgw call-admission-control statistics
<clear-mobile-gateway-cac-statistics>
clear unified-edge ggsn-pgw charging
clear unified-edge ggsn-pgw charging cdr
<clear-mobile-gateway-charging-clear-cdr>
clear unified-edge ggsn-pgw charging cdr wfa
<clear-mobile-gateway-charging-clear-cdr-wfa>
clear unified-edge ggsn-pgw charging local-persistent-storage
clear unified-edge ggsn-pgw charging local-persistent-storage statistics
<clear-mobile-gateway-charging-clear-lps-stats>
clear unified-edge ggsn-pgw charging path
clear unified-edge ggsn-pgw charging path statistics
<clear-mobile-gateway-charging-clear-path-stats>
clear unified-edge ggsn-pgw charging transfer
clear unified-edge ggsn-pgw charging transfer statistics
<clear-mobile-gateway-charging-clear-xfer-stats>
clear unified-edge ggsn-pgw diameter
clear unified-edge ggsn-pgw diameter dcca-gy
clear unified-edge ggsn-pgw diameter dcca-gy statistics
<clear-mobile-gateway-aaa-diam-stats-gy>
clear unified-edge ggsn-pgw diameter network-element
[edit applications]
[edit chassis network-slices]
[edit chassis system-domains]
[edit dynamic-profiles routing-instances instance forwarding-options helpers
tftp]
[edit dynamic-profiles routing-instances instance routing-options fate-sharing]
[edit ethernet-switching-options]
[edit fabric virtual-chassis]
[edit forwarding-options helpers bootp]
[edit forwarding-options helpers domain]
[edit forwarding-options helpers port]
[edit forwarding-options helpers tftp]
[edit logical-systems]
[edit logical-systems protocols uplink-failure-detection]
[edit logical-systems routing-instances instance forwarding-options helpers
bootp]
[edit logical-systems routing-instances instance forwarding-options helpers
domain]
[edit logical-systems routing-instances instance forwarding-options helpers
port]
[edit logical-systems routing-instances instance forwarding-options helpers
tftp]
[edit logical-systems routing-instances instance routing-options fate-sharing]
[edit logical-systems routing-options fate-sharing]
RELATED DOCUMENTATION
system-control
Can view system-level configuration information and configure it at the [edit system] hierarchy level.
[edit applications]
[edit chassis system-domains]
[edit dynamic-profiles routing-instances instance forwarding-options helpers
tftp]
[edit dynamic-profiles routing-instances instance routing-options fate-sharing]
[edit ethernet-switching-options]
[edit forwarding-options helpers bootp]
[edit forwarding-options helpers domain]
[edit forwarding-options helpers port]
[edit forwarding-options helpers tftp]
[edit logical-systems]
[edit logical-systems routing-instances instance forwarding-options helpers
bootp]
[edit logical-systems routing-instances instance forwarding-options helpers
domain]
[edit logical-systems routing-instances instance forwarding-options helpers
port]
[edit logical-systems routing-instances instance forwarding-options helpers
tftp]
[edit logical-systems routing-instances instance routing-options fate-sharing]
[edit logical-systems routing-options fate-sharing]
[edit logical-systems system]
[edit poe]
[edit routing-instances instance forwarding-options helpers bootp]
[edit routing-instances instance forwarding-options helpers domain]
[edit routing-instances instance forwarding-options helpers port]
[edit routing-instances instance forwarding-options helpers tftp]
[edit routing-instances instance routing-options fate-sharing]
[edit routing-options fate-sharing]
[edit services]
[edit services ggsn charging charging-log traceoptions]
[edit system]
[edit system archival]
[edit system backup-router]
[edit system compress-configuration-files]
[edit virtual-chassis]
[edit vlans]
RELATED DOCUMENTATION
trace
Can view trace file settings and configure trace file properties.
Commands
clear log
<clear-log>
clear log satellite
<clear-log-satellite>
clear unified-edge
clear unified-edge ggsn-pgw
clear unified-edge ggsn-pgw aaa
clear unified-edge ggsn-pgw aaa radius
clear unified-edge ggsn-pgw aaa radius statistics
<clear-mobile-gateway-aaa-radius-statistics>
clear unified-edge ggsn-pgw aaa statistics
<clear-mobile-gateway-aaa-statistics>
clear unified-edge ggsn-pgw address-assignment
clear unified-edge ggsn-pgw address-assignment pool
<clear-mobile-gateway-sm-ippool-pool-sessions>
clear unified-edge ggsn-pgw address-assignment statistics
<clear-mobile-gateway-sm-ippool-statistics>
clear unified-edge ggsn-pgw call-admission-control
clear unified-edge ggsn-pgw call-admission-control statistics
<clear-mobile-gateway-cac-statistics>
clear unified-edge ggsn-pgw charging
clear unified-edge ggsn-pgw charging cdr
<clear-mobile-gateway-charging-clear-cdr>
clear unified-edge ggsn-pgw charging cdr wfa
<clear-mobile-gateway-charging-clear-cdr-wfa>
clear unified-edge ggsn-pgw charging local-persistent-storage
clear unified-edge ggsn-pgw charging local-persistent-storage statistics
<clear-mobile-gateway-charging-clear-lps-stats>
clear unified-edge ggsn-pgw charging path
clear unified-edge ggsn-pgw charging path statistics
<clear-mobile-gateway-charging-clear-path-stats>
clear unified-edge ggsn-pgw charging transfer
clear unified-edge ggsn-pgw charging transfer statistics
<clear-mobile-gateway-charging-clear-xfer-stats>
clear unified-edge ggsn-pgw diameter
clear unified-edge ggsn-pgw diameter dcca-gy
clear unified-edge ggsn-pgw diameter dcca-gy statistics
<clear-mobile-gateway-aaa-diam-stats-gy>
clear unified-edge ggsn-pgw diameter network-element
clear unified-edge ggsn-pgw diameter network-element statistics
<clear-mobile-gateway-aaa-diam-ne-statistics>
clear unified-edge ggsn-pgw diameter pcc-gx
clear unified-edge ggsn-pgw diameter pcc-gx statistics
<clear-mobile-gateway-aaa-diam-stats-gx>
clear unified-edge ggsn-pgw diameter peer
clear unified-edge ggsn-pgw diameter peer statistics
<clear-mobile-gateway-aaa-diam-peer-statistics>
clear unified-edge ggsn-pgw gtp
clear unified-edge ggsn-pgw gtp peer
clear unified-edge ggsn-pgw gtp peer statistics
<clear-mobile-gateway-gtp-peer-statistics>
clear unified-edge ggsn-pgw gtp statistics
<clear-mobile-gateway-gtp-statistics>
clear unified-edge ggsn-pgw ip-reassembly
clear unified-edge ggsn-pgw ip-reassembly statistics
<clear-mobile-gateways-ip-reassembly-statistics>
<clear-mobile-sgw-subscribers>
clear unified-edge sgw subscribers charging
<clear-mobile-sgw-subscribers-charging>
clear unified-edge sgw subscribers peer
<clear-mobile-sgw-subscribers-peer>
clear unified-edge tdf
clear unified-edge tdf aaa
clear unified-edge tdf aaa radius
clear unified-edge tdf aaa radius client
clear unified-edge tdf aaa radius client statistics
<clear-radius-client-statistics>
clear unified-edge tdf aaa radius network-element
clear unified-edge tdf aaa radius network-element statistics
<clear-radius-network-element-statistics>
clear unified-edge tdf aaa radius server
clear unified-edge tdf aaa radius server statistics
<clear-radius-server-statistics>
clear unified-edge tdf aaa radius snoop-segment
clear unified-edge tdf aaa radius snoop-segment statistics
<clear-radius-snoop-segment-statistics>
clear unified-edge tdf aaa statistics
<clear-tdf-gateway-aaa-statistics>
clear unified-edge tdf address-assignment
clear unified-edge tdf address-assignment pool
<clear-mobile-gateway-tdf-sm-ippool-pool-sessions>
clear unified-edge tdf address-assignment statistics
<clear-mobile-gateway-tdf-sm-ippool-statistics>
clear unified-edge tdf call-admission-control
clear unified-edge tdf call-admission-control statistics
<clear-tdf-cac-statistics>
clear unified-edge tdf diameter
clear unified-edge tdf diameter network-element
clear unified-edge tdf diameter network-element statistics
<clear-diameter-network-element-statistics>
clear unified-edge tdf diameter pcc-gx
clear unified-edge tdf diameter pcc-gx statistics
<clear-diameter-statistics-gx>
clear unified-edge tdf diameter peer
clear unified-edge tdf diameter peer statistics
<clear-diameter-peer-statistics>
clear unified-edge tdf statistics
<clear-tdf-statistics>
[edit unified-edge]
[edit vlans domain multicast-snooping-options traceoptions]
[edit vlans domain protocols igmp-snooping]
[edit vlans domain forwarding-options dhcp-relay traceoptions]
[edit vlans domain protocols igmp-snooping traceoptions]
[edit vlans domain forwarding-options dhcp-relay interface-traceoptions]
[edit class-of-service application-traffic-control traceoptions]
[edit demux traceoptions]
[edit dynamic-profiles protocols igmp traceoptions]
[edit dynamic-profiles protocols mld traceoptions]
[edit dynamic-profiles class-of-service application-traffic-control
traceoptions]
[edit dynamic-profiles protocols oam ethernet link-fault-management
traceoptions]
[edit dynamic-profiles protocols oam ethernet lmi]
[edit dynamic-profiles protocols router-advertisement traceoptions]
[edit dynamic-profiles protocols oam gre-tunnel traceoptions]
[edit dynamic-profiles routing-instances instance vlans domain
forwarding-options dhcp-relay traceoptions]
[edit dynamic-profiles routing-instances instance vlans domain
multicast-snooping-options traceoptions]
[edit dynamic-profiles routing-instances instance vlans domain protocols
igmp-snooping traceoptions]
[edit dynamic-profiles routing-instances instance forwarding-options dhcp-relay
traceoptions]
[edit dynamic-profiles routing-instances instance multicast-snooping-options
traceoptions]
interface-traceoptions]
[edit logical-systems vlans domain multicast-snooping-options traceoptions]
[edit logical-systems vlans domain protocols igmp-snooping traceoptions]
[edit logical-systems forwarding-options dhcp-relay traceoptions]
[edit logical-systems protocols ancp traceoptions]
[edit logical-systems protocols bgp group neighbor traceoptions]
[edit logical-systems protocols bgp group traceoptions]
[edit logical-systems protocols bgp traceoptions]
[edit logical-systems protocols dot1x traceoptions]
[edit logical-systems protocols dvmrp traceoptions]
[edit logical-systems protocols esis traceoptions]
[edit logical-systems protocols igmp traceoptions]
[edit logical-systems protocols igmp-host traceoptions]
[edit logical-systems protocols ilmi traceoptions]
[edit logical-systems protocols isis traceoptions]
[edit logical-systems protocols l2circuit traceoptions]
[edit logical-systems protocols l2iw traceoptions]
[edit logical-systems protocols lacp traceoptions]
[edit logical-systems protocols layer2-control traceoptions]
[edit logical-systems protocols ldp traceoptions]
[edit logical-systems protocols mld traceoptions]
[edit dynamic-profiles protocols oam ethernet fnp traceoptions]
[edit logical-systems protocols mld-host traceoptions]
[edit logical-systems protocols mpls label-switched-path oam traceoptions]
[edit logical-systems protocols mpls label-switched-path primary oam
traceoptions]
[edit logical-systems protocols mpls label-switched-path secondary oam
traceoptions]
[edit logical-systems protocols mpls oam traceoptions]
[edit logical-systems protocols msdp group peer traceoptions]
[edit logical-systems protocols msdp group traceoptions]
[edit logical-systems protocols msdp peer traceoptions]
[edit logical-systems protocols msdp traceoptions]
[edit logical-systems protocols neighbor-discovery secure traceoptions]
[edit logical-systems protocols oam ethernet fnp traceoptions]
[edit logical-systems protocols oam ethernet link-fault-management
traceoptions]
[edit logical-systems protocols oam ethernet lmi traceoptions]
[edit logical-systems protocols ospf traceoptions]
[edit logical-systems protocols pim traceoptions]
[edit logical-systems protocols ppp monitor-session]
[edit logical-systems protocols ppp traceoptions]
RELATED DOCUMENTATION
trace-control
Can modify trace file settings and configure trace file properties.
traceoptions]
[edit dynamic-profiles routing-instances instance protocols bgp traceoptions]
[edit dynamic-profiles routing-instances instance protocols esis traceoptions]
[edit dynamic-profiles routing-instances instance protocols igmp-snooping
traceoptions]
[edit dynamic-profiles routing-instances instance protocols isis traceoptions]
[edit dynamic-profiles routing-instances instance protocols l2vpn traceoptions]
[edit dynamic-profiles routing-instances instance protocols ldp traceoptions]
[edit dynamic-profiles routing-instances instance protocols msdp group peer
traceoptions]
[edit dynamic-profiles routing-instances instance protocols msdp group
traceoptions]
[edit dynamic-profiles routing-instances instance protocols msdp peer
traceoptions]
[edit dynamic-profiles routing-instances instance protocols msdp traceoptions]
[edit dynamic-profiles routing-instances instance protocols mvpn traceoptions]
[edit dynamic-profiles routing-instances instance protocols ospf traceoptions]
[edit dynamic-profiles routing-instances instance protocols pim traceoptions]
[edit dynamic-profiles routing-instances instance protocols rip traceoptions]
[edit dynamic-profiles routing-instances instance protocols ripng traceoptions]
[edit dynamic-profiles routing-instances instance protocols router-discovery
traceoptions]
[edit dynamic-profiles routing-instances instance protocols vpls traceoptions]
[edit dynamic-profiles routing-instances instance routing-options multicast
traceoptions]
[edit dynamic-profiles routing-instances instance routing-options traceoptions]
[edit dynamic-profiles routing-instances instance services mobile-ip
traceoptions]
[edit dynamic-profiles routing-instances instance system services
dhcp-local-server traceoptions]
[edit dynamic-profiles routing-options multicast traceoptions]
[edit fabric protocols bgp group neighbor traceoptions]
[edit fabric protocols bgp group traceoptions]
[edit fabric protocols bgp traceoptions]
[edit fabric routing-instances instance routing-options traceoptions]
[edit fabric routing-options traceoptions]
[edit forwarding-options dhcp-relay interface-traceoptions]
[edit forwarding-options dhcp-relay traceoptions]
[edit jnx-example traceoptions]
[edit logical-systems vlans domain forwarding-options dhcp-relay
interface-traceoptions]
[edit logical-systems vlans domain forwarding-options dhcp-relay traceoptions]
RELATED DOCUMENTATION
view
Can view current system-wide, routing table, and protocol-specific values and statistics.
Commands
<request-validation-policy>
show
show access-cac interface-set
<get-access-cac-iflset>
show access-security
show access-security router-advertisement-guard
show access-security router-advertisement-guard entries
<show-as-router-advetisement-entry>
show access-security router-advertisement-guard state
<show-as-ra-state>
show access-security router-advertisement-guard statistics
<get-as-router-advertisement-statistics>
show access-security router-advertisement-guard statistics interface
<get-as-router-advertisement-interface>
show accounting
show amt
show amt statistics
<get-amt-statistics>
show amt summary
<get-amt-summary>
show amt tunnel
<get-amt-tunnel-information>
show amt tunnel gateway-address
<get-amt-tunnel-gateway-address>
show amt tunnel tunnel-interface
<get-amt-tunnel-interface>
show analytics collector
<get-analytics-collector>
show ancp
show ancp cos
<get-ancp-cos-information>
show ancp cos last-update
<get-ancp-cos-last-update-information>
<get-ancp-cos-pending-information>
<get-aps-information>
show as-path
<get-as-path>
show as-path domain
<get-as-path-domain>
show auto-configuration
show auto-configuration interfaces
show backup-selection
<get-backup-selection>
show backup-selection instance
<get-backup-selection-instance>
show bfd
show bfd session
<get-bfd-session-information>
<get-bgp-monitoring-protocol-statistics>
show bgp group
<get-bgp-group-information>
show bgp group output-queues
<get-bgp-group-output-queue-information>
show bridge
show bridge domain
<get-bridge-instance-information>
<get-bridge-statistics-information>
show chassis
show chassis adc
show chassis alarms
<get-alarm-information>
show chassis alarms fpc
<get-fpc-alarm-information>
show chassis alarms satellite
<get-chassis-alarm-satellite-information>
show chassis beacon
<get-chassis-beacon-information>
show chassis beacon cb
<get-chassis-cb-beacon-information>
show chassis environment adc
show chassis environment ccg
<get-environment-ccg-information>
show chassis cfeb
<get-cfeb-information>
show chassis cip
show chassis craft-interface
<get-craft-information>
show chassis environment
<get-environment-information>
show chassis environment cb
<get-environment-cb-information>
show chassis environment cip
<get-environment-cip-information>
show chassis environment feb
<get-environment-feb-information>
show chassis environment fan
show chassis environment fpc
<get-environment-fpc-information>
show chassis environment fpc satellite
<get-chassis-environment-fpc-satellite-info>
show chassis environment fpm
<get-environment-fpm-information>
show chassis environment mcs
<get-environment-mcs-information>
show chassis environment pcg
<get-environment-pcg-information>
show chassis environment pdu
<get-environment-pdu-information>
<get-chassis-satellite-redundancy-grp-dev-history>
show chassis satellite software
<get-satellite-management-software-information>
show chassis satellite statistics
<get-chassis-satellite-statistics>
show chassis satellite unprovision
<get-chassis-satellite-unprovision-information>
show chassis satellite upgrade-group
<get-chassis-satellite-upgrade-group-information>
show chassis satellite-cluster
<get-chassis-satellite-cluster-information>
show chassis satellite-cluster route
<get-chassis-satellite-cluster-route>
show chassis satellite-cluster statistics
<get-chassis-satellite-cluster-statistics>
show chassis scb
<get-scb-information>
<get-cos-classifier-information>
show class-of-service client
show class-of-service client internal-id
<get-cos-junos-client-information>
show class-of-service client name
<get-cos-junos-client-information>
show class-of-service client summary
<get-cos-junos-client-summary>
<get-cos-red-information>
show cli
show cli authorization
<get-authorization-information>
show cli commands
show cli directory
<get-current-working-directory>
show cli history
show cloud-analytics
show cloud-analytics connections
<get-cloud-analytics-connections>
show cloud-analytics discovery-service
<get-cloud-analytics-discovery-service>
show cloud-analytics linecard
<get-cloud-analytics-lc>
show cloud-analytics resources
<get-cloud-analytics-resources>
show cloud-analytics resources-sampling
<get-cloud-analytics-resources-sampling>
show cloud-analytics resources-summary
<get-cloud-analytics-resources-summary>
<get-ddos-arp-snoop-aggregate>
show ddos-protection protocols arp-snoop aggregate culprit-flows
<get-ddos-arp-snoop-aggregate-flows>
show ddos-protection protocols arp-snoop culprit-flows
<get-ddos-arp-snoop-flows>
show ddos-protection protocols arp-snoop flow-detection
<get-ddos-arp-snoop-flow-parameters>
show ddos-protection protocols arp-snoop parameters
<get-ddos-arp-snoop-parameters>
show ddos-protection protocols arp-snoop statistics
<get-ddos-arp-snoop-statistics>
show ddos-protection protocols arp-snoop violations
<get-ddos-arp-snoop-violations>
show ddos-protection protocols atm
<get-ddos-atm-information>
show ddos-protection protocols atm aggregate
<get-ddos-atm-aggregate>
show ddos-protection protocols atm parameters
<get-ddos-atm-parameters>
show ddos-protection protocols atm statistics
<get-ddos-atm-statistics>
show ddos-protection protocols atm violations
<get-ddos-atm-violations>
show ddos-protection protocols bfd
<get-ddos-bfd-information>
show ddos-protection protocols bfd aggregate
<get-ddos-bfd-aggregate>
show ddos-protection protocols bfd parameters
<get-ddos-bfd-parameters>
show ddos-protection protocols bfd statistics
<get-ddos-bfd-statistics>
show ddos-protection protocols bfd violations
<get-ddos-bfd-violations>
show ddos-protection protocols bfdv6
<get-ddos-bfdv6-information>
show ddos-protection protocols bfdv6 aggregate
<get-ddos-bfdv6-aggregate>
show ddos-protection protocols bfdv6 parameters
<get-ddos-bfdv6-parameters>
show ddos-protection protocols bfdv6 statistics
<get-ddos-bfdv6-statistics>
show ddos-protection protocols bfdv6 violations
<get-ddos-bfdv6-violations>
show ddos-protection protocols bgp
<get-ddos-bgp-information>
show ddos-protection protocols bgp aggregate
<get-ddos-bgp-aggregate>
show ddos-protection protocols bgp parameters
<get-ddos-bgp-parameters>
show ddos-protection protocols bgp statistics
<get-ddos-bgp-statistics>
show ddos-protection protocols bgp violations
<get-ddos-bgp-violations>
show ddos-protection protocols bgpv6
<get-ddos-bgpv6-information>
show ddos-protection protocols bgpv6 aggregate
<get-ddos-bgpv6-aggregate>
show ddos-protection protocols bgpv6 parameters
<get-ddos-bgpv6-parameters>
show ddos-protection protocols bgpv6 statistics
<get-ddos-bgpv6-statistics>
show ddos-protection protocols bgpv6 violations
<get-ddos-bgpv6-violations>
show ddos-protection protocols bridge-control
<get-ddos-brg-ctrl-information>
show ddos-protection protocols bridge-control aggregate
<get-ddos-brg-ctrl-aggregate>
show ddos-protection protocols bridge-control aggregate culprit-flows
<get-ddos-brg-ctrl-aggregate-flows>
show ddos-protection protocols bridge-control culprit-flows
<get-ddos-brg-ctrl-flows>
show ddos-protection protocols bridge-control flow-detection
<get-ddos-brg-ctrl-flow-parameters>
show ddos-protection protocols bridge-control parameters
<get-ddos-brg-ctrl-parameters>
show ddos-protection protocols bridge-control statistics
<get-ddos-brg-ctrl-statistics>
show ddos-protection protocols bridge-control violations
<get-ddos-brg-ctrl-violations>
show ddos-protection protocols demux-autosense
<get-ddos-demuxauto-information>
show ddos-protection protocols demux-autosense aggregate
<get-ddos-demuxauto-aggregate>
show ddos-protection protocols demux-autosense parameters
<get-ddos-demuxauto-parameters>
show ddos-protection protocols demux-autosense statistics
<get-ddos-demuxauto-statistics>
show ddos-protection protocols demux-autosense violations
<get-ddos-demuxauto-violations>
show ddos-protection protocols dhcpv4
<get-ddos-dhcpv4-information>
show ddos-protection protocols dhcpv4 ack
<get-ddos-dhcpv4-ack>
show ddos-protection protocols dhcpv4 aggregate
<get-ddos-dhcpv4-aggregate>
show ddos-protection protocols dhcpv4 bad-packets
<get-ddos-dhcpv4-bad-pack>
show ddos-protection protocols dhcpv4 bootp
<get-ddos-dhcpv4-bootp>
show ddos-protection protocols dhcpv4 decline
<get-ddos-dhcpv4-decline>
show ddos-protection protocols dhcpv4 discover
<get-ddos-dhcpv4-discover>
show ddos-protection protocols dhcpv4 force-renew
<get-ddos-dhcpv4-forcerenew>
show ddos-protection protocols dhcpv4 inform
<get-ddos-dhcpv4-inform>
show ddos-protection protocols dhcpv4 lease-active
<get-ddos-dhcpv4-leaseact>
show ddos-protection protocols dhcpv4 lease-query
<get-ddos-dhcpv4-leasequery>
show ddos-protection protocols dhcpv4 lease-unassigned
<get-ddos-dhcpv4-leaseuna>
show ddos-protection protocols dhcpv4 lease-unknown
<get-ddos-dhcpv4-leaseunk>
show ddos-protection protocols dhcpv4 nak
<get-ddos-dhcpv4-nak>
show ddos-protection protocols dhcpv4 no-message-type
<get-ddos-dhcpv4-no-msgtype>
show ddos-protection protocols dhcpv4 offer
<get-ddos-dhcpv4-offer>
show ddos-protection protocols dhcpv4 offer culprit-flows
show ddos-protection protocols dhcpv4 parameters
<get-ddos-dhcpv4-parameters>
show ddos-protection protocols dhcpv4 release
<get-ddos-dhcpv4-release>
<get-ddos-diameter-violations>
show ddos-protection protocols dns
<get-ddos-dns-information>
show ddos-protection protocols dns aggregate
<get-ddos-dns-aggregate>
show ddos-protection protocols dns parameters
<get-ddos-dns-parameters>
show ddos-protection protocols dns statistics
<get-ddos-dns-statistics>
show ddos-protection protocols dns violations
<get-ddos-dns-violations>
show ddos-protection protocols dtcp
<get-ddos-dtcp-information>
show ddos-protection protocols dtcp aggregate
<get-ddos-dtcp-aggregate>
show ddos-protection protocols dtcp aggregate culprit-flows
show ddos-protection protocols dtcp parameters
<get-ddos-dtcp-parameters>
show ddos-protection protocols dtcp statistics
<get-ddos-dtcp-statistics>
show ddos-protection protocols dtcp violations
<get-ddos-dtcp-violations>
show ddos-protection protocols dynamic-vlan
<get-ddos-dynvlan-information>
show ddos-protection protocols dynamic-vlan aggregate
<get-ddos-dynvlan-aggregate>
show ddos-protection protocols dynamic-vlan parameters
<get-ddos-dynvlan-parameters>
show ddos-protection protocols dynamic-vlan statistics
<get-ddos-dynvlan-statistics>
show ddos-protection protocols dynamic-vlan violations
<get-ddos-dynvlan-violations>
show ddos-protection protocols egpv6
<get-ddos-egpv6-information>
show ddos-protection protocols egpv6 aggregate
<get-ddos-egpv6-aggregate>
show ddos-protection protocols egpv6 parameters
<get-ddos-egpv6-parameters>
show ddos-protection protocols egpv6 statistics
<get-ddos-egpv6-statistics>
show ddos-protection protocols egpv6 violations
<get-ddos-egpv6-violations>
<get-ddos-fw-host-violations>
<get-ddos-gre-aggregate>
show ddos-protection protocols gre hbc
<get-ddos-gre-hbc>
show ddos-protection protocols gre hbc culprit-flows
<get-ddos-gre-hbc-flows>
show ddos-protection protocols gre parameters
<get-ddos-gre-parameters>
show ddos-protection protocols gre punt
<get-ddos-gre-punt>
show ddos-protection protocols gre punt culprit-flows
<get-ddos-gre-punt-flows>
show ddos-protection protocols gre statistics
<get-ddos-gre-statistics>
show ddos-protection protocols gre violations
<get-ddos-gre-violations>
show ddos-protection protocols icmp
<get-ddos-icmp-information>
show ddos-protection protocols icmp aggregate
<get-ddos-icmp-aggregate>
show ddos-protection protocols icmp parameters
<get-ddos-icmp-parameters>
show ddos-protection protocols icmp statistics
<get-ddos-icmp-statistics>
show ddos-protection protocols icmp violations
<get-ddos-icmp-violations>
show ddos-protection protocols icmpv6
<get-ddos-icmpv6-information>
show ddos-protection protocols icmpv6 aggregate
<get-ddos-icmpv6-aggregate>
show ddos-protection protocols icmpv6 aggregate culprit-flows
<get-ddos-icmpv6-aggregate-flows>
show ddos-protection protocols icmpv6 parameters
<get-ddos-icmpv6-parameters>
show ddos-protection protocols icmpv6 statistics
<get-ddos-icmpv6-statistics>
show ddos-protection protocols icmpv6 violations
<get-ddos-icmpv6-violations>
show ddos-protection protocols igmp
<get-ddos-igmp-information>
show ddos-protection protocols igmp aggregate
<get-ddos-igmp-aggregate>
show ddos-protection protocols igmp aggregate culprit-flows
<get-ddos-ip-frag-first-frag>
show ddos-protection protocols ip-fragments parameters
<get-ddos-ip-frag-parameters>
show ddos-protection protocols ip-fragments statistics
<get-ddos-ip-frag-statistics>
show ddos-protection protocols ip-fragments trail-fragment
<get-ddos-ip-frag-trail-frag>
show ddos-protection protocols ip-fragments violations
<get-ddos-ip-frag-violations>
show ddos-protection protocols ip-options
<get-ddos-ip-opt-information>
show ddos-protection protocols ip-options aggregate
<get-ddos-ip-opt-aggregate>
show ddos-protection protocols ip-options non-v4v6
<get-ddos-ip-opt-non-v4v6>
show ddos-protection protocols ip-options parameters
<get-ddos-ip-opt-parameters>
show ddos-protection protocols ip-options router-alert
<get-ddos-ip-opt-rt-alert>
show ddos-protection protocols ip-options statistics
<get-ddos-ip-opt-statistics>
show ddos-protection protocols ip-options unclassified
<get-ddos-ip-opt-unclass>
show ddos-protection protocols ipmc-reserved culprit-flows
<get-ddos-ipmc-reserved-flows>
show ddos-protection protocols ipmc-reserved flow-detection
<get-ddos-ipmc-reserved-flow-parameters>
show ddos-protection protocols ipmc-reserved parameters
<get-ddos-ipmc-reserved-parameters>
show ddos-protection protocols ipmc-reserved statistics
<get-ddos-ipmc-reserved-statistics>
show ddos-protection protocols ipmc-reserved violations
<get-ddos-ipmc-reserved-violations>
show ddos-protection protocols ipmcast-miss
<get-ddos-ipmcast-miss-information>
show ddos-protection protocols ipmcast-miss aggregate
<get-ddos-ipmcast-miss-aggregate>
show ddos-protection protocols ipmcast-miss aggregate culprit-flows
<get-ddos-ipmcast-miss-aggregate-flows>
show ddos-protection protocols ipmcast-miss culprit-flows
<get-ddos-ipmcast-miss-flows>
show ddos-protection protocols ipmcast-miss flow-detection
<get-ddos-ipmcast-miss-flow-parameters>
show ddos-protection protocols ipmcast-miss parameters
<get-ddos-ipmcast-miss-parameters>
show ddos-protection protocols ipmcast-miss statistics
<get-ddos-ipmcast-miss-statistics>
show ddos-protection protocols ipmcast-miss violations
<get-ddos-ipmcast-miss-violations>
show ddos-protection protocols ip-options violations
<get-ddos-ip-opt-violations>
show ddos-protection protocols ipv4-unclassified
<get-ddos-ipv4-uncls-information>
show ddos-protection protocols ipv4-unclassified aggregate
<get-ddos-ipv4-uncls-aggregate>
show ddos-protection protocols ipv4-unclassified parameters
<get-ddos-ipv4-uncls-parameters>
show ddos-protection protocols ipv4-unclassified statistics
<get-ddos-ipv4-uncls-statistics>
show ddos-protection protocols ipv4-unclassified violations
<get-ddos-ipv4-uncls-violations>
show ddos-protection protocols ipv6-unclassified
<get-ddos-ipv6-uncls-information>
show ddos-protection protocols ipv6-unclassified aggregate
<get-ddos-ipv6-uncls-aggregate>
show ddos-protection protocols ipv6-unclassified parameters
<get-ddos-ipv6-uncls-parameters>
show ddos-protection protocols ipv6-unclassified statistics
<get-ddos-ipv6-uncls-statistics>
show ddos-protection protocols ipv6-unclassified violations
<get-ddos-ipv6-uncls-violations>
show ddos-protection protocols isis
<get-ddos-isis-information>
show ddos-protection protocols isis aggregate
<get-ddos-isis-aggregate>
show ddos-protection protocols isis parameters
<get-ddos-isis-parameters>
show ddos-protection protocols isis statistics
<get-ddos-isis-statistics>
show ddos-protection protocols isis violations
<get-ddos-isis-violations>
show ddos-protection protocols iso-tcc
<get-ddos-iso-tcc-information>
show ddos-protection protocols iso-tcc aggregate
<get-ddos-iso-tcc-aggregate>
show ddos-protection protocols iso-tcc aggregate culprit-flows
<get-ddos-iso-tcc-aggregate-flows>
show ddos-protection protocols iso-tcc culprit-flows
<get-ddos-iso-tcc-flows>
show ddos-protection protocols iso-tcc flow-detection
<get-ddos-iso-tcc-flow-parameters>
show ddos-protection protocols iso-tcc parameters
<get-ddos-iso-tcc-parameters>
show ddos-protection protocols iso-tcc statistics
<get-ddos-iso-tcc-statistics>
show ddos-protection protocols iso-tcc violations
<get-ddos-iso-tcc-violations>
show ddos-protection protocols jfm
<get-ddos-jfm-information>
show ddos-protection protocols jfm aggregate
<get-ddos-jfm-aggregate>
show ddos-protection protocols jfm parameters
<get-ddos-jfm-parameters>
show ddos-protection protocols jfm statistics
<get-ddos-jfm-statistics>
show ddos-protection protocols jfm violations
<get-ddos-jfm-violations>
show ddos-protection protocols l2tp
<get-ddos-l2tp-information>
show ddos-protection protocols l2tp aggregate
<get-ddos-l2tp-aggregate>
show ddos-protection protocols l2tp parameters
<get-ddos-l2tp-parameters>
show ddos-protection protocols l2tp statistics
<get-ddos-l2tp-statistics>
show ddos-protection protocols l2tp violations
<get-ddos-l2tp-violations>
show ddos-protection protocols l3dest-miss
<get-ddos-l3dest-miss-information>
show ddos-protection protocols l3dest-miss aggregate
<get-ddos-l3dest-miss-aggregate>
show ddos-protection protocols l3dest-miss aggregate culprit-flows
<get-ddos-l3dest-miss-aggregate-flows>
show ddos-protection protocols l3dest-miss culprit-flows
<get-ddos-l3dest-miss-flows>
show ddos-protection protocols l3dest-miss flow-detection
<get-ddos-l3dest-miss-flow-parameters>
show ddos-protection protocols l3dest-miss parameters
<get-ddos-l3dest-miss-parameters>
show ddos-protection protocols l3dest-miss statistics
<get-ddos-l3dest-miss-statistics>
show ddos-protection protocols l3dest-miss violations
<get-ddos-l3dest-miss-violations>
show ddos-protection protocols l3mc-sgv-hit-icl
<get-ddos-l3mc-sgv-hit-icl-information>
show ddos-protection protocols l3mc-sgv-hit-icl aggregate
<get-ddos-l3mc-sgv-hit-icl-aggregate>
show ddos-protection protocols l3mc-sgv-hit-icl aggregate culprit-flows
<get-ddos-l3mc-sgv-hit-icl-aggregate-flows>
show ddos-protection protocols l3mc-sgv-hit-icl culprit-flows
<get-ddos-l3mc-sgv-hit-icl-flows>
show ddos-protection protocols l3mc-sgv-hit-icl flow-detection
<get-ddos-l3mc-sgv-hit-icl-flow-parameters>
show ddos-protection protocols l3mc-sgv-hit-icl parameters
<get-ddos-l3mc-sgv-hit-icl-parameters>
show ddos-protection protocols l3mc-sgv-hit-icl statistics
<get-ddos-l3mc-sgv-hit-icl-statistics>
show ddos-protection protocols l3mc-sgv-hit-icl violations
<get-ddos-l3mc-sgv-hit-icl-violations>
show ddos-protection protocols l3mtu-fail
<get-ddos-l3mtu-fail-information>
show ddos-protection protocols l3mtu-fail aggregate
<get-ddos-l3mtu-fail-aggregate>
show ddos-protection protocols l3mtu-fail aggregate culprit-flows
<get-ddos-l3mtu-fail-aggregate-flows>
show ddos-protection protocols l3mtu-fail culprit-flows
<get-ddos-l3mtu-fail-flows>
show ddos-protection protocols l3mtu-fail flow-detection
<get-ddos-l3mtu-fail-flow-parameters>
show ddos-protection protocols l3mtu-fail parameters
<get-ddos-l3mtu-fail-parameters>
show ddos-protection protocols l3mtu-fail statistics
<get-ddos-l3mtu-fail-statistics>
show ddos-protection protocols l3mtu-fail violations
<get-ddos-l3mtu-fail-violations>
show ddos-protection protocols l3nhop
<get-ddos-l3nhop-information>
show ddos-protection protocols l3nhop aggregate
<get-ddos-l3nhop-aggregate>
show ddos-protection protocols l3nhop aggregate culprit-flows
<get-ddos-l3nhop-aggregate-flows>
show ddos-protection protocols l3nhop culprit-flows
<get-ddos-l3nhop-flows>
show ddos-protection protocols l3nhop flow-detection
<get-ddos-l3nhop-flow-parameters>
show ddos-protection protocols l3nhop parameters
<get-ddos-l3nhop-parameters>
show ddos-protection protocols l3nhop statistics
<get-ddos-l3nhop-statistics>
show ddos-protection protocols l3nhop violations
<get-ddos-l3nhop-violations>
show ddos-protection protocols lacp
<get-ddos-lacp-information>
show ddos-protection protocols lacp aggregate
<get-ddos-lacp-aggregate>
show ddos-protection protocols lacp parameters
<get-ddos-lacp-parameters>
show ddos-protection protocols lacp statistics
<get-ddos-lacp-statistics>
show ddos-protection protocols lacp violations
<get-ddos-lacp-violations>
show ddos-protection protocols ldp
<get-ddos-ldp-information>
show ddos-protection protocols ldp aggregate
<get-ddos-ldp-aggregate>
show ddos-protection protocols ldp parameters
<get-ddos-ldp-parameters>
show ddos-protection protocols ldp statistics
<get-ddos-ldp-statistics>
show ddos-protection protocols ldp violations
<get-ddos-ldp-violations>
show ddos-protection protocols ldp-hello
<get-ddos-ldp-hello-information>
show ddos-protection protocols ldp-hello aggregate
<get-ddos-ldp-hello-aggregate>
show ddos-protection protocols ldp-hello aggregate culprit-flows
<get-ddos-ldp-hello-aggregate-flows>
show ddos-protection protocols ldp-hello culprit-flows
<get-ddos-ldp-hello-flows>
show ddos-protection protocols ldp-hello flow-detection
<get-ddos-ldp-hello-flow-parameters>
show ddos-protection protocols ldp-hello parameters
<get-ddos-ldp-hello-parameters>
show ddos-protection protocols ldp-hello statistics
<get-ddos-ldp-hello-statistics>
show ddos-protection protocols ldp-hello violations
<get-ddos-ldp-hello-violations>
show ddos-protection protocols ldpv6
<get-ddos-ldpv6-information>
show ddos-protection protocols ldpv6 aggregate
<get-ddos-ldpv6-aggregate>
show ddos-protection protocols ldpv6 parameters
<get-ddos-ldpv6-parameters>
show ddos-protection protocols ldpv6 statistics
<get-ddos-ldpv6-statistics>
show ddos-protection protocols ldpv6 violations
<get-ddos-ldpv6-violations>
show ddos-protection protocols lldp
<get-ddos-lldp-information>
show ddos-protection protocols lldp aggregate
<get-ddos-lldp-aggregate>
show ddos-protection protocols lldp parameters
<get-ddos-lldp-parameters>
show ddos-protection protocols lldp statistics
<get-ddos-lldp-statistics>
show ddos-protection protocols lldp violations
<get-ddos-lldp-violations>
show ddos-protection protocols lmp
<get-ddos-lmp-information>
show ddos-protection protocols lmp aggregate
<get-ddos-lmp-aggregate>
show ddos-protection protocols lmp parameters
<get-ddos-lmp-parameters>
show ddos-protection protocols lmp statistics
<get-ddos-lmp-statistics>
show ddos-protection protocols lmp violations
<get-ddos-lmp-violations>
show ddos-protection protocols lmpv6
<get-ddos-lmpv6-information>
show ddos-protection protocols lmpv6 aggregate
<get-ddos-lmpv6-aggregate>
show ddos-protection protocols lmpv6 parameters
<get-ddos-lmpv6-parameters>
show ddos-protection protocols lmpv6 statistics
<get-ddos-lmpv6-statistics>
show ddos-protection protocols lmpv6 violations
<get-ddos-lmpv6-violations>
show ddos-protection protocols localnh
<get-ddos-localnh-information>
show ddos-protection protocols localnh aggregate
<get-ddos-localnh-aggregate>
show ddos-protection protocols localnh aggregate culprit-flows
<get-ddos-localnh-aggregate-flows>
show ddos-protection protocols localnh culprit-flows
<get-ddos-localnh-flows>
show ddos-protection protocols localnh flow-detection
<get-ddos-localnh-flow-parameters>
show ddos-protection protocols localnh parameters
<get-ddos-localnh-parameters>
show ddos-protection protocols localnh statistics
<get-ddos-localnh-statistics>
show ddos-protection protocols localnh violations
<get-ddos-localnh-violations>
show ddos-protection protocols mac-host
<get-ddos-mac-host-information>
show ddos-protection protocols mac-host aggregate
<get-ddos-mac-host-aggregate>
show ddos-protection protocols mac-host aggregate culprit-flows
<get-ddos-mac-host-aggregate-flows>
show ddos-protection protocols mac-host culprit-flows
<get-ddos-mac-host-flows>
show ddos-protection protocols mac-host flow-detection
<get-ddos-mac-host-flow-parameters>
show ddos-protection protocols mac-host parameters
<get-ddos-mac-host-parameters>
show ddos-protection protocols mac-host statistics
<get-ddos-mac-host-statistics>
show ddos-protection protocols mac-host violations
<get-ddos-mac-host-violations>
show ddos-protection protocols martian-address
<get-ddos-martian-address-information>
show ddos-protection protocols martian-address aggregate
<get-ddos-martian-address-aggregate>
show ddos-protection protocols martian-address aggregate culprit-flows
<get-ddos-martian-address-aggregate-flows>
show ddos-protection protocols martian-address culprit-flows
<get-ddos-martian-address-flows>
show ddos-protection protocols martian-address flow-detection
<get-ddos-martian-address-flow-parameters>
show ddos-protection protocols martian-address parameters
<get-ddos-martian-address-parameters>
show ddos-protection protocols martian-address statistics
<get-ddos-martian-address-statistics>
show ddos-protection protocols martian-address violations
<get-ddos-martian-address-violations>
show ddos-protection protocols mcast-snoop mld
<get-ddos-mcast-snoop-mld>
show ddos-protection protocols mcast-snoop mld culprit-flows
<get-ddos-mcast-snoop-mld-flows>
show ddos-protection protocols mld
<get-ddos-mld-information>
show ddos-protection protocols mld aggregate
<get-ddos-mld-aggregate>
show ddos-protection protocols mld aggregate culprit-flows
show ddos-protection protocols mld culprit-flows
<get-ddos-mld-flows>
show ddos-protection protocols mld flow-detection
<get-ddos-mld-flow-parameters>
show ddos-protection protocols mld parameters
<get-ddos-mld-parameters>
show ddos-protection protocols mld statistics
<get-ddos-mld-statistics>
show ddos-protection protocols mld violations
<get-ddos-mld-violations>
show ddos-protection protocols mlp
<get-ddos-mlp-information>
<get-ddos-mvrp-aggregate>
show ddos-protection protocols mvrp parameters
<get-ddos-mvrp-parameters>
show ddos-protection protocols mvrp statistics
<get-ddos-mvrp-statistics>
show ddos-protection protocols mvrp violations
<get-ddos-mvrp-violations>
show ddos-protection protocols ndpv6
<get-ddos-ndpv6-information>
show ddos-protection protocols ndpv6 aggregate
<get-ddos-ndpv6-aggregate>
show ddos-protection protocols ndpv6 aggregate culprit-flows
<get-ddos-ndpv6-aggregate-flows>
show ddos-protection protocols ndpv6 culprit-flows
<get-ddos-ndpv6-flows>
show ddos-protection protocols ndpv6 flow-detection
<get-ddos-ndpv6-flow-parameters>
show ddos-protection protocols ndpv6 neighbor-advertisement
<get-ddos-ndpv6-neighb-adv>
show ddos-protection protocols ndpv6 neighbor-advertisement culprit-flows
<get-ddos-ndpv6-neighb-adv-flows>
show ddos-protection protocols ndpv6 neighbor-solicitation
<get-ddos-ndpv6-neighb-sol>
show ddos-protection protocols ndpv6 neighbor-solicitation culprit-flows
<get-ddos-ndpv6-neighb-sol-flows>
show ddos-protection protocols ndpv6 parameters
<get-ddos-ndpv6-parameters>
show ddos-protection protocols ndpv6 redirect
<get-ddos-ndpv6-redirect>
show ddos-protection protocols ndpv6 redirect culprit-flows
<get-ddos-ndpv6-redirect-flows>
show ddos-protection protocols ndpv6 router-advertisement
<get-ddos-ndpv6-router-adv>
show ddos-protection protocols ndpv6 router-advertisement culprit-flows
<get-ddos-ndpv6-router-adv-flows>
show ddos-protection protocols ndpv6 router-solicitation
<get-ddos-ndpv6-router-sol>
show ddos-protection protocols ndpv6 router-solicitation culprit-flows
<get-ddos-ndpv6-router-sol-flows>
show ddos-protection protocols nonucast-switch
<get-ddos-nonucast-switch-information>
show ddos-protection protocols nonucast-switch aggregate
<get-ddos-nonucast-switch-aggregate>
show ddos-protection protocols nonucast-switch aggregate culprit-flows
<get-ddos-nonucast-switch-aggregate-flows>
show ddos-protection protocols nonucast-switch culprit-flows
<get-ddos-nonucast-switch-flows>
show ddos-protection protocols nonucast-switch flow-detection
<get-ddos-nonucast-switch-flow-parameters>
show ddos-protection protocols nonucast-switch parameters
<get-ddos-nonucast-switch-parameters>
show ddos-protection protocols nonucast-switch statistics
<get-ddos-nonucast-switch-statistics>
show ddos-protection protocols nonucast-switch violations
<get-ddos-nonucast-switch-violations>
show ddos-protection protocols ntp
get-ddos-ntp-information
show ddos-protection protocols ntp aggregate
get-ddos-ntp-aggregate
show ddos-protection protocols ntp parameters
get-ddos-ntp-parameters
show ddos-protection protocols ntp statistics
get-ddos-ntp-statistics
show ddos-protection protocols ntp violations
get-ddos-ntp-violations
show ddos-protection protocols oam-cfm
get-ddos-oam-cfm-information
show ddos-protection protocols oam-cfm aggregate
<get-ddos-oam-cfm-aggregate>
show ddos-protection protocols oam-cfm aggregate culprit-flows
<get-ddos-oam-cfm-aggregate-flows>
show ddos-protection protocols oam-cfm culprit-flows
<get-ddos-oam-cfm-flows>
show ddos-protection protocols oam-cfm flow-detection
<get-ddos-oam-cfm-flow-parameters>
show ddos-protection protocols oam-cfm parameters
<get-ddos-oam-cfm-parameters>
show ddos-protection protocols oam-cfm statistics
<get-ddos-oam-cfm-statistics>
show ddos-protection protocols oam-cfm violations
<get-ddos-oam-cfm-violations>
show ddos-protection protocols oam-lfm
get-ddos-oam-lfm-information
show ddos-protection protocols oam-lfm aggregate
get-ddos-oam-lfm-aggregate
show ddos-protection protocols oam-lfm parameters
get-ddos-oam-lfm-parameters
show ddos-protection protocols oam-lfm statistics
get-ddos-oam-lfm-statistics
show ddos-protection protocols oam-lfm violations
get-ddos-oam-lfm-violations
show ddos-protection protocols ospf
get-ddos-ospf-information
show ddos-protection protocols ospf aggregate
get-ddos-ospf-aggregate
show ddos-protection protocols ospf parameters
get-ddos-ospf-parameters
show ddos-protection protocols ospf statistics
get-ddos-ospf-statistics
show ddos-protection protocols ospf violations
get-ddos-ospf-violations
show ddos-protection protocols ospf-hello
<get-ddos-ospf-hello-information>
show ddos-protection protocols ospf-hello aggregate
<get-ddos-ospf-hello-aggregate>
show ddos-protection protocols ospf-hello aggregate culprit-flows
<get-ddos-ospf-hello-aggregate-flows>
show ddos-protection protocols ospf-hello culprit-flows
<get-ddos-ospf-hello-flows>
show ddos-protection protocols ospf-hello flow-detection
<get-ddos-ospf-hello-flow-parameters>
show ddos-protection protocols ospf-hello parameters
<get-ddos-ospf-hello-parameters>
show ddos-protection protocols ospf-hello statistics
<get-ddos-ospf-hello-statistics>
show ddos-protection protocols ospf-hello violations
<get-ddos-ospf-hello-violations>
show ddos-protection protocols ospfv3v6
get-ddos-ospfv3v6-information
show ddos-protection protocols ospfv3v6 aggregate
get-ddos-ospfv3v6-aggregate
show ddos-protection protocols ospfv3v6 parameters
get-ddos-ospfv3v6-parameters
show ddos-protection protocols ospfv3v6 statistics
get-ddos-ospfv3v6-statistics
show ddos-protection protocols ospfv3v6 violations
get-ddos-ospfv3v6-violations
show ddos-protection protocols parameters
get-ddos-protocols-parameters
show ddos-protection protocols pfe-alive
get-ddos-pfe-alive-information
show ddos-protection protocols pfe-alive aggregate
get-ddos-pfe-alive-aggregate
show ddos-protection protocols pfe-alive parameters
get-ddos-pfe-alive-parameters
show ddos-protection protocols pfe-alive statistics
get-ddos-pfe-alive-statistics
show ddos-protection protocols pfe-alive violations
get-ddos-pfe-alive-violations
show ddos-protection protocols pim
get-ddos-pim-information
show ddos-protection protocols pim aggregate
get-ddos-pim-aggregate
show ddos-protection protocols pim aggregate culprit-flows
show ddos-protection protocols pim parameters
get-ddos-pim-parameters
show ddos-protection protocols pim statistics
get-ddos-pim-statistics
show ddos-protection protocols pim violations
get-ddos-pim-violations
show ddos-protection protocols pim-ctrl
<get-ddos-pim-ctrl-information>
show ddos-protection protocols pim-ctrl aggregate
<get-ddos-pim-ctrl-aggregate>
show ddos-protection protocols pim-ctrl aggregate culprit-flows
<get-ddos-pim-ctrl-aggregate-flows>
show ddos-protection protocols pim-ctrl culprit-flows
<get-ddos-pim-ctrl-flows>
show ddos-protection protocols pim-ctrl flow-detection
<get-ddos-pim-ctrl-flow-parameters>
show ddos-protection protocols pim-ctrl parameters
<get-ddos-pim-ctrl-parameters>
show ddos-protection protocols pim-ctrl statistics
<get-ddos-pim-ctrl-statistics>
show ddos-protection protocols pim-ctrl violations
<get-ddos-pim-ctrl-violations>
show ddos-protection protocols pim-data
<get-ddos-pim-data-information>
get-ddos-pvstp-violations
show ddos-protection protocols radius
get-ddos-radius-information
show ddos-protection protocols radius accounting
get-ddos-radius-account
show ddos-protection protocols radius aggregate
get-ddos-radius-aggregate
show ddos-protection protocols radius accounting culprit-flows
show ddos-protection protocols radius authorization
get-ddos-radius-auth
show ddos-protection protocols radius parameters
get-ddos-radius-parameters
show ddos-protection protocols radius server
get-ddos-radius-server
show ddos-protection protocols radius statistics
get-ddos-radius-statistics
show ddos-protection protocols radius violations
get-ddos-radius-violations
show ddos-protection protocols re-services
<get-ddos-re-services-information>
show ddos-protection protocols re-services aggregate
<get-ddos-re-services-aggregate>
show ddos-protection protocols re-services aggregate culprit-flows
<get-ddos-re-services-aggregate-flows>
show ddos-protection protocols re-services captive-portal
<get-ddos-re-services-captive-portal>
show ddos-protection protocols re-services captive-portal culprit-flows
<get-ddos-re-services-captive-portal-flows>
show ddos-protection protocols re-services culprit-flows
<get-ddos-re-services-flows>
show ddos-protection protocols re-services flow-detection
<get-ddos-re-services-flow-parameters>
show ddos-protection protocols re-services parameters
<get-ddos-re-services-parameters>
show ddos-protection protocols re-services statistics
<get-ddos-re-services-statistics>
show ddos-protection protocols re-services violations
<get-ddos-re-services-violations>
show ddos-protection protocols re-services-v6
<get-ddos-re-services-v6-information>
show ddos-protection protocols re-services-v6 aggregate
<get-ddos-re-services-v6-aggregate>
<get-ddos-tcc-iso-tcc>
show ddos-protection protocols tcc iso-tcc culprit-flows
<get-ddos-tcc-iso-tcc-flows>
show ddos-protection protocols tcc parameters
<get-ddos-tcc-parameters>
show ddos-protection protocols tcc statistics
<get-ddos-tcc-statistics>
show ddos-protection protocols tcc unclassified
<get-ddos-tcc-unclass>
show ddos-protection protocols tcc unclassified culprit-flows
<get-ddos-tcc-unclass-flows>
show ddos-protection protocols tcc violations
<get-ddos-tcc-violations>
show ddos-protection protocols tcp-flags
<get-ddos-tcp-flags-information>
show ddos-protection protocols tcp-flags aggregate
<get-ddos-tcp-flags-aggregate>
show ddos-protection protocols tcp-flags established
<get-ddos-tcp-flags-establish>
show ddos-protection protocols tcp-flags initial
<get-ddos-tcp-flags-initial>
show ddos-protection protocols tcp-flags parameters
<get-ddos-tcp-flags-parameters>
show ddos-protection protocols tcp-flags statistics
<get-ddos-tcp-flags-statistics>
show ddos-protection protocols tcp-flags unclassified
<get-ddos-tcp-flags-unclass>
show ddos-protection protocols tcp-flags violations
<get-ddos-tcp-flags-violations>
show ddos-protection protocols telnet
<get-ddos-telnet-information>
show ddos-protection protocols telnet aggregate
<get-ddos-telnet-aggregate>
show ddos-protection protocols telnet aggregate culprit-flows
show ddos-protection protocols telnet parameters
<get-ddos-telnet-parameters>
show ddos-protection protocols telnet statistics
<get-ddos-telnet-statistics>
show ddos-protection protocols telnet violations
<get-ddos-telnet-violations>
show ddos-protection protocols telnetv6
<get-ddos-telnetv6-information>
get-ddos-vchassis-vc-packets
show ddos-protection protocols virtual-chassis vc-ttl-errors
get-ddos-vchassis-vc-ttl-err
show ddos-protection protocols virtual-chassis violations
get-ddos-vchassis-violations
show ddos-protection protocols vrrp
get-ddos-vrrp-information
show ddos-protection protocols vrrp aggregate
get-ddos-vrrp-aggregate
show ddos-protection protocols vrrp aggregate culprit-flows
show ddos-protection protocols vrrp parameters
get-ddos-vrrp-parameters
show ddos-protection protocols vrrp statistics
get-ddos-vrrp-statistics
show ddos-protection protocols vrrp violations
get-ddos-vrrp-violations
show ddos-protection protocols vrrpv6
get-ddos-vrrpv6-information
show ddos-protection protocols vrrpv6 aggregate
get-ddos-vrrpv6-aggregate
show ddos-protection protocols vrrpv6 aggregate culprit-flows
show ddos-protection protocols vrrpv6 parameters
get-ddos-vrrpv6-parameters
show ddos-protection protocols vrrpv6 statistics
get-ddos-vrrpv6-statistics
show ddos-protection protocols vrrpv6 violations
get-ddos-vrrpv6-violations
show ddos-protection statistics
get-ddos-statistics-information
show ddos-protection version
get-ddos-version
show ddos-protection protocols vxlan
<get-ddos-vxlan-information>
show ddos-protection protocols vxlan aggregate
<get-ddos-vxlan-aggregate>
show ddos-protection protocols vxlan aggregate culprit-flows
<get-ddos-vxlan-aggregate-flows>
show ddos-protection protocols vxlan culprit-flows
<get-ddos-vxlan-flows>
show ddos-protection protocols vxlan flow-detection
<get-ddos-vxlan-flow-parameters>
show ddos-protection protocols vxlan parameters
<get-ddos-vxlan-parameters>
show ddos-protection protocols vxlan statistics
<get-ddos-vxlan-statistics>
show ddos-protection protocols vxlan violations
<get-ddos-vxlan-violations>
show dhcp
show dhcp proxy-client
show dhcp proxy-client binding
show dhcp proxy-client servers
show dhcp proxy-client statistics
<get-proxy-dhcp-client-statistics-information>
show dhcp relay
show dhcp relay binding
<get-dhcp-relay-binding-information>
show dhcpv6
show dhcpv6 client
show dhcpv6 client binding
get-dhcpv6-client-binding-information
show dhcpv6 client binding interface
<get-dhcpv6-client-binding-information-by-interface>
show dhcpv6 client statistics
<get-dhcpv6-client-statistics-information>
show dhcpv6 proxy-client
show dhcpv6 proxy-client binding
show dhcpv6 proxy-client statistics
<get-proxy-dhcpv6-client-statistics-information>
show dhcpv6 relay
<get-diameter-network-element-map-information>
show diameter peer
<get-diameter-peer-information>
show diameter peer map
<get-diameter-peer-map-information>
show diameter peer statistics
<get-diameter-peer-statistics>
show diameter route
<get-diameter-route-information>
show dot1x
show dot1x accounting-attributes
get-dot1x-accounting-attributes
show dot1x accounting-attributes interface
<get-dot1x-interface-accounting-attributes>
show dot1x authentication-failed-users
<get-dot1x-authentication-failed-users>
show dot1x interface
<get-dot1x-interface-information>
show dot1x static-mac-address
<get-dot1x-static-mac-addresess>
show dot1x static-mac-address interface
<get-dot1x-interface-mac-addresses>
show dvmrp
show dvmrp interfaces
<get-dvmrp-interfaces-information>
show dvmrp neighbors
<get-dvmrp-neighbors-information>
show dvmrp prefix
<get-dvmrp-prefix-information>
show dvmrp prunes
<get-dvmrp-prunes-information>
show dynamic-profile
<get-dynamic-profile>
show dynamic-profile session
<get-dynamic-profile-session-information>
show dynamic-tunnels
show dynamic-tunnels database
<get-dynamic-tunnels-database>
show ethernet-switching mac-learning-log
<get-ethernet-switching-log-information>
show ethernet-switching mac-notification
<get-ethernet-switching-mac-notification-information>
<get-event-summary>
show evpn
show evpn arp-table
<get-evpn-arp-table>
show evpn flood
<get-evpn-flood-information>
show evpn flood event-queue
<get-evpn-event-queue-information>
show evpn flood route
show evpn flood route all-ce-flood
<get-evpn-all-ce-flood-route-information>
show evpn flood route all-flood
<get-evpn-all-flood-route-information>
show evpn flood route alt-root-flood
<get-evpn-alt-root-flood-route-information>
show evpn flood route ce-flood
<get-evpn-ce-flood-route-information>
show evpn flood route mlp-flood
<get-evpn-mlp-flood-route-information>
show evpn flood route re-flood
<get-evpn-re-flood-route-information>
show evpn instance
<get-evpn-instance-information>
show evpn ip-prefix-database
<get-evpn-ip-prefix-database-information>
show evpn l3-context
<get-evpn-l3-context-information>
show evpn mac-table
<get-evpn-mac-table>
show evpn mac-table interface
<get-evpn-interface-mac-table>
show evpn nd-table
<get-evpn-nd-table>
show evpn peer-gateway-macs
<get-evpn-peer-gateway-mac>
show evpn statistics
<get-evpn-statistics-information>
show evpn vpws-instance
<get-evpn-vpws-information>
show extensible-subscriber-services
show extensible-subscriber-services accounting
<get-extensible-subscriber-services-accounting>
show extensible-subscriber-services counters
<get-extensible-subscriber-services-counters>
show extensible-subscriber-services dictionary
<get-extensible-subscriber-services-dictionary>
show extensible-subscriber-services services
<get-extensible-subscriber-services-services>
show extensible-subscriber-services sessions
<get-extensible-subscriber-services-sessions>
show extension-provider
show extension-provider system
show extension-provider system connections
<get-mspinfo-connections>
show extension-provider system packages
<get-mspinfo-packages>
show extension-provider system processes
<get-mspinfo-processes>
show extension-provider system processes brief
<get-mspinfo-processes-brief>
show extension-provider system processes extensive
<get-mspinfo-processes-extensive>
show extension-provider system uptime
<get-mspinfo-uptime>
show extension-provider system virtual-memory
<get-core-key-list>
<get-fabric-summary-information>
<get-key-vg-binding>
<get-mac-ip-binding-information>
<get-mc-ccpc-cache-ccpc-select>
<get-mc-ccpc-cache-root-candidates>
<get-mc-ccpc-cache-spf>
<get-mc-ccpc-src-mod-filters>
<get-mc-edge-cache-ccpc-select>
<get-mc-edge-map-to-key-binding>
<get-mc-edge-key-to-map-binding>
<get-mc-edge-vg-portmap>
<get-mc-nsf>
<get-mc-root-cache-trunk>
<get-mc-root-key-to-map-binding>
<get-layer2-group-membership-entries>
<get-layer3-group-membership-entries>
<get-layer3-multicast-pending-routes>
<get-layer3-multicast-receivers>
<get-mc-root-map-to-key-binding>
<get-mc-root-vg-pfemap>
<get-fabric-multicast-statistics>
<get-mc-vccpdf-adjacency-database>
<get-mspinfo-virtual-memory>
get-fabric-statistics
get-fabric-summary-information
<get-vlan-domain-map-information>
show fabric multicast dirty-key-info
<get-mc-dirty-key-info>
show fabric multicast edge corekey-ifls-filters
<get-mc-edge-corekey-ifls-filters>
show fabric multicast edge ine-ifls-filters
<get-mc-edge-ine-ifls-filters>
show fabric multicast edge src-mod-filters
<get-mc-edge-src-mod-filters>
show fabric multicast graph
show fabric multicast graph core-tree
<get-fabric-multicast-graph>
show fabric multicast steal-key-info
<get-mc-steal-key-info>
show forwarding-options
show forwarding-options enhanced-hash-key
show forwarding-options enhanced-hash-key fpc
show forwarding-options hyper-mode
<get forwarding-options hyper-mode>
show forwarding-options load-balance
show forwarding-options next-hop-group
<get-forwarding-options-next-hop-group>
show forwarding-options port-mirroring
<get-forwarding-options-port-mirroring>
show helper
show helper statistics
<get-helper-statistics-information>
show hfrr
show hfrr profiles
show iccp
<get-inter-chassis-control-protocol-information>
show igmp
show igmp group
<get-igmp-group-information>
show igmp interface
<get-igmp-interface-information>
show ike
show ike security-associations
<get-ike-security-associations-information>
show ilmi
<get-ilmi-information>
show ilmi interface
<get-ilmi-interface-information>
show ilmi statistics
<get-ilmi-statistics>
show ingress-replication
<get-ingress-replication-information>
show interfaces
<get-interface-information>
show interfaces anchor-group
show interfaces controller
<get-interface-controller-information>
show interfaces destination-class
<get-destination-class-statistics>
<get-all-destination-class-statistics>
show interfaces diagnostics
show interfaces diagnostics optics
<get-interface-optics-diagnostics-information>
show interfaces diagnostics optics satellite
<show-interface-optics-diagnostics-satellite>
show interfaces distribution-list
<get-distribution-list-information>
<get-redundancy-status>
show interfaces redundancy detail
<get-redundancy-status-details>
show interfaces routing
show interfaces source-class
<get-source-class-statistics>
show ipv6
show ipv6 neighbors
<get-ipv6-nd-information>
show isis
show isis adjacency
<get-isis-adjacency-information>
<get-isis-authentication-information>
<get-isis-spf-results-brief-information>
show l2-learning
show l2-learning backbone-instance
<get-l2-learning-backbone-instance>
show l2-learning evpn
show l2-learning evpn arp-statistics
<get-evpn-arp-statistics>
show l2-learning evpn arp-statistics interface
<get-evpn-arp-statistics-interface>
show l2-learning evpn nd-statistics
<get-evpn-nd-statistics>
show l2-learning evpn nd-statistics interface
<get-evpn-nd-statistics-interface>
show l2-learning global-information
<get-l2-learning-global-information>
show l2-learning global-mac-count
<get-l2-learning-global-mac-count>
show l2-learning instance
<get-l2-learning-routing-instances>
show l2-learning interface
<get-l2-learning-interface-information>
show l2-learning mac-move-buffer
<get-l2-learning-mac-move-buffer-information>
show l2-learning provider-instance
<get-l2-learning-provider-instance>
show l2-learning redundancy-groups
<get-l2-learning-redundancy-groups>
show l2-learning remote-backbone-edge-bridges
<get-l2-learning-remote-backbone-edge-bridges>
show l2-learning vxlan-tunnel-end-point
show l2-learning vxlan-tunnel-end-point esi
<get-l2-learning-vxlan-esi-info>
show l2-learning vxlan-tunnel-end-point remote
<get-l2-learning-vxlan-rvtep-info>
show l2-learning vxlan-tunnel-end-point remote ip
<get-l2-learning-vxlan-rvtep-ip-information>
show l2-learning vxlan-tunnel-end-point remote mac-table
<get-l2-learning-vxlan-rvtep-mactable-information>
show l2-learning vxlan-tunnel-end-point remote vtep-source-interface
<get-l2-learning-vxlan-remote-svtep-ip-information>
show l2-learning vxlan-tunnel-end-point source
<get-l2-learning-vxlan-svtep-info>
show l2-learning vxlan-tunnel-end-point source ip
<get-l2-learning-vxlan-svtep-ip-information>
show l2circuit
show l2circuit auto-sensing
<get-l2ckt-pw-auto-sensing-information>
show l2circuit connections
<get-l2ckt-connection-information>
show l2cpd
show l2cpd task
<get-l2cpd-task-information>
show l2cpd task io
<get-l2cpd-tasks-io-statistics>
show l2cpd task memory
<get-l2cpd-task-memory>
show l2cpd task replication
<get-l2cpd-replication-information>
show l2vpn
show l2vpn connections
<get-l2vpn-connection-information>
show lacp
show lacp interfaces
<get-lacp-interface-information>
show lacp statistics
show lacp statistics interfaces
<get-lacp-interface-statistics>
show lacp timeouts
show ldp
show ldp database
<get-ldp-database-information>
<get-ldp-fec-filters-information>
show link-management
<get-lm-information>
show lldp
<get-lldp-information>
show mac-rewrite
show mac-rewrite interface
<get-mac-rewrite-interface-information>
show mld
show mld group
<get-mld-group-information>
show mobile-ip
show mobile-ip home-agent
show mobile-ip home-agent binding
<get-mip-binding-information>
show mpls
show mpls abstract-hop-membership
<get-mpls-abstract-hop-membership-information>
show mpls admin-groups
<get-mpls-admin-group-information>
<get-mpls-association-iif-information>
show mpls association oif
<get-mpls-association-oif-information>
show mpls association path
<get-mpls-association-path-information>
show mpls call-admission-control
<get-mpls-call-admission-control-information>
<get-mpls-srlg-information>
show oam ethernet fnp
show oam ethernet fnp interface
show oam ethernet fnp messages
show oam ethernet fnp status
<get-fnp-status>
show mpls lsp defaults
<get-mpls-lsp-defaults-information>
show mvpn
show mvpn c-multicast
<get-mvpn-c-multicasti-route>
show mvpn instance
<get-mvpn-instance-information>
show network-access
show network-access aaa
show network-access aaa radius-servers
<get-radius-servers-table>
show network-access aaa statistics
<get-aaa-module-statistics>
show nonstop-routing
<get-nonstop-routing-information>
show ntp
show ntp associations
show ntp status
show oam
show openflow
show openflow capability
show openflow controller
show openflow filters
show openflow flows
show openflow interfaces
show openflow statistics
show openflow statistics flows
show openflow statistics interfaces
show openflow statistics packet
show openflow statistics packet in
show openflow statistics packet out
show openflow statistics queue
show openflow statistics summary
show openflow statistics tables
show openflow summary
show openflow switch
show ospf
show ospf backup
show ospf backup coverage
<get-ospf-backup-coverage-information>
show ospf3
show ospf3 backup
show ospf3 backup coverage
<get-ospf3-backup-coverage-information>
<get-ospf3-database-information>
<get-upper-level-xml-name-vpls-mesh-group-mcast>
show pfe tcam app vpls-mesh-group-mcast detail
show pfe tcam app vpls-mesh-group-mcast list-related-apps
show pfe tcam app vpls-mesh-group-mcast list-shared-apps
show pfe tcam app vpls-mesh-group-mcast shared-usage
show pfe tcam app vpls-mesh-group-mcast shared-usage detail
show pfe tcam app vpls-mesh-group-ucast
<get-upper-level-xml-name-vpls-mesh-group-ucast>
show pfe tcam app vpls-mesh-group-ucast detail
show pfe tcam app vpls-mesh-group-ucast list-related-apps
show pfe tcam app vpls-mesh-group-ucast list-shared-apps
show pfe tcam app vpls-mesh-group-ucast shared-usage
show pfe tcam app vpls-mesh-group-ucast shared-usage detail
show pfe tcam app cfm-filter detail
show pfe tcam errors app fw-inet-rpf
<get-pfe-tcam-errors-app-fw-inet-rpf>
show pfe tcam errors app fw-inet-rpf detail
show pfe tcam errors app fw-inet-rpf list-related-apps
show pfe tcam errors app fw-inet-rpf list-shared-apps
show pfe tcam errors app fw-inet-rpf shared-usage
show pfe tcam errors app fw-inet-rpf shared-usage detail
show pfe tcam errors app fw-inet6-rpf
<get-pfe-tcam-errors-app-fw-inet6-rpf>
show pfe tcam errors app fw-inet6-rpf detail
show pfe tcam errors app fw-inet6-rpf list-related-apps
show pfe tcam errors app fw-inet6-rpf list-shared-apps
show pfe tcam errors app fw-inet6-rpf shared-usage
show pfe tcam errors app fw-inet6-rpf shared-usage detail
show pfe tcam errors app gr-ifl-stats-egr
<get-pfe-tcam-errors-app-gr-ifl-statistics-egr>
show pfe tcam errors app gr-ifl-stats-egr detail
show pfe tcam errors app gr-ifl-stats-egr list-related-apps
show pfe tcam errors app gr-ifl-stats-egr list-shared-apps
show pfe tcam errors app gr-ifl-stats-egr shared-usage
show pfe tcam errors app gr-ifl-stats-egr shared-usage detail
show pfe tcam errors app gr-ifl-stats-ing
<get-pfe-tcam-errors-app-gr-ifl-statistics-ing>
show pfe tcam errors app gr-ifl-stats-ing detail
show pfe tcam errors app gr-ifl-stats-ing list-related-apps
show pfe tcam errors app gr-ifl-stats-ing list-shared-apps
show pfe tcam errors app gr-ifl-stats-ing shared-usage
show pfe tcam errors app gr-ifl-stats-ing shared-usage detail
shared-usage
show pfe tcam errors tcam-stage pre-ingress app vpls-mesh-group-mcast
shared-usage detail
show pfe tcam errors tcam-stage pre-ingress app vpls-mesh-group-ucast
<get-upper-level-xml-name-vpls-mesh-group-ucast>
show pfe tcam errors tcam-stage pre-ingress app vpls-mesh-group-ucast detail
show pfe tcam errors tcam-stage pre-ingress app vpls-mesh-group-ucast
list-related-apps
show pfe tcam errors tcam-stage pre-ingress app vpls-mesh-group-ucast
list-shared-apps
show pfe tcam errors tcam-stage pre-ingress app vpls-mesh-group-ucast
shared-usage
show pfe tcam errors tcam-stage pre-ingress app vpls-mesh-group-ucast
shared-usage detail
show pfe tcam usage app fw-inet-rpf
<get-pfe-tcam-usage-app-fw-inet-rpf>
show pfe tcam usage app fw-inet-rpf detail
show pfe tcam usage app fw-inet-rpf list-related-apps
show pfe tcam usage app fw-inet-rpf list-shared-apps
show pfe tcam usage app fw-inet-rpf shared-usage
show pfe tcam usage app fw-inet-rpf shared-usage detail
show pfe tcam usage app fw-inet6-rpf
<get-pfe-tcam-usage-app-fw-inet6-rpf>
show pfe tcam usage app fw-inet6-rpf detail
show pfe tcam usage app fw-inet6-rpf list-related-apps
show pfe tcam usage app fw-inet6-rpf list-shared-apps
show pfe tcam usage app fw-inet6-rpf shared-usage
show pfe tcam usage app fw-inet6-rpf shared-usage detail
show pfe tcam usage app gr-ifl-stats-egr
<get-pfe-tcam-usage-app-gr-ifl-statistics-egr>
show pfe tcam usage app gr-ifl-stats-egr detail
show pfe tcam usage app gr-ifl-stats-egr list-related-apps
show pfe tcam usage app gr-ifl-stats-egr list-shared-apps
show pfe tcam usage app gr-ifl-stats-egr shared-usage
show pfe tcam usage app gr-ifl-stats-egr shared-usage detail
show pfe tcam usage app gr-ifl-stats-ing
<get-pfe-tcam-usage-app-gr-ifl-statistics-ing>
show pfe tcam usage app gr-ifl-stats-ing detail
show pfe tcam usage app gr-ifl-stats-ing list-related-apps
show pfe tcam usage app gr-ifl-stats-ing list-shared-apps
show pfe tcam usage app gr-ifl-stats-ing shared-usage
show pfe tcam usage app gr-ifl-stats-ing shared-usage detail
show pfe tcam usage tcam-stage ingress app cfm-bd-filter shared-usage detail
show pfe tcam usage tcam-stage ingress app cfm-filter
<get-pfe-tcam-usage-ingress-app-cfm-filter>
show pfe tcam usage tcam-stage ingress app cfm-filter detail
show pfe tcam usage tcam-stage ingress app cfm-filter list-related-apps
show pfe tcam usage tcam-stage ingress app cfm-filter list-shared-apps
show pfe tcam usage tcam-stage ingress app cfm-filter shared-usage
show pfe tcam usage tcam-stage ingress app cfm-filter shared-usage detail
show pfe tcam usage tcam-stage ingress app cfm-vpls-filter
<get-pfe-tcam-usage-ingress-app-cfm-vpls-filter>
show pfe tcam usage tcam-stage ingress app cfm-vpls-filter detail
show pfe tcam usage tcam-stage ingress app cfm-vpls-filter list-related-apps
show pfe tcam usage tcam-stage ingress app cfm-vpls-filter list-shared-apps
show pfe tcam usage tcam-stage ingress app cfm-vpls-filter shared-usage
show pfe tcam usage tcam-stage ingress app cfm-vpls-filter shared-usage detail
show pfe tcam usage tcam-stage ingress app cfm-vpls-ifl-filter
<get-pfe-tcam-usage-ingress-app-cfm-vpls-ifl-filter>
show pfe tcam usage tcam-stage ingress app cfm-vpls-ifl-filter detail
show pfe tcam usage tcam-stage ingress app cfm-vpls-ifl-filter
list-related-apps
show pfe tcam usage tcam-stage ingress app cfm-vpls-ifl-filter list-shared-apps
show pfe tcam usage tcam-stage ingress app cfm-vpls-ifl-filter shared-usage
show pfe tcam usage tcam-stage ingress app cfm-vpls-ifl-filter shared-usage
detail
show pfe tcam usage tcam-stage ingress app fw-ccc-in
<get-pfe-tcam-usage-ingress-app-fw-ccc-in>
show pfe tcam usage tcam-stage ingress app fw-ccc-in detail
show pfe tcam usage tcam-stage ingress app fw-ccc-in list-related-apps
show pfe tcam usage tcam-stage ingress app fw-ccc-in list-shared-apps
show pfe tcam usage tcam-stage ingress app fw-ccc-in shared-usage
show pfe tcam usage tcam-stage ingress app fw-ccc-in shared-usage detail
show pfe tcam usage tcam-stage ingress app fw-ifl-in
<get-pfe-tcam-usage-ingress-app-fw-ifl-in>
show pfe tcam usage tcam-stage ingress app fw-ifl-in detail
show pfe tcam usage tcam-stage ingress app fw-ifl-in list-related-apps
show pfe tcam usage tcam-stage ingress app fw-ifl-in list-shared-apps
show pfe tcam usage tcam-stage ingress app fw-ifl-in shared-usage
show pfe tcam usage tcam-stage ingress app fw-ifl-in shared-usage detail
show pfe tcam usage tcam-stage ingress app fw-inet-ftf
<get-pfe-tcam-usage-ingress-app-fw-inet-ftf>
show pfe tcam usage tcam-stage ingress app fw-inet-ftf detail
show pfe tcam usage tcam-stage ingress app fw-inet-ftf list-related-apps
show pim
show pim bidirectional
show pim bidirectional df-election
<get-pim-bidir-df-election-information>
show pim bidirectional df-election interface
<get-pim-bidir-df-election-interface-information>
show policy
show policy conditions
show policy damping
show ppp
show ppp address-pool
<get-ppp-address-pool-information>
show pppoe
show pppoe interfaces
<get-pppoe-interface-information>
show pppoe lockout
<get-pppoe-lockout-information>
show pppoe lockout atm-identifier
<get-pppoe-lockout-atm-information>
show pppoe lockout vlan-identifier
<get-pppoe-lockout-vlan-information>
show protection-group
show protection-group ethernet-aps
<show-protection-group-ethernet-aps>
show protection-group ethernet-ring
show protection-group ethernet-ring aps
<get-raps-pdu-information>
show protection-group ethernet-ring data-channel
<get-ring-data-channel-information>
show protection-group ethernet-ring interface
<get-ring-interface-information>
<get-rtexport-instance-information>
show rsvp
show rsvp interface
<get-rsvp-interface-information>
show sap
show sap listen
<get-sap-listen-information>
show security group-vpn member kek
show security group-vpn member kek security-associations
<get-gvpn-kek-security-associations-information>
show services
show services accounting
<get-service-accounting-information>
<get-appid-application-group-detail>
show services application-identification group summary
<get-appid-application-group-summary>
show services application-identification statistics
show services application-identification statistics application-groups
<get-appid-application-group-statistics>
show services application-identification statistics applications
<get-appid-application-statistics>
show services application-identification status
<get-appid-staus-information>
show services application-identification version
<get-appid-package-version>
<get-cpcd-rule>
show services captive-portal-content-delivery ruleset
<get-cpcd-rule-set>
show services captive-portal-content-delivery sset
<get-cpcd-service-set>
show services captive-portal-content-delivery statistics
<get-cpcd-pic-statistics>
show services captive-portal-content-delivery statistics interface
show services capture
<get-service-capture>
show services cos
show services cos statistics
<get-service-cos-statistics-information>
<get-service-pgcp-statistics-gateway>
<get-service-set-memory-statistics>
<get-shmlog-argument-mappings>
show shmlog configuration
<show-shmlog-configuration>
show shmlog entries
<show-shmlog-entries>
show shmlog logs-summary
<show-shmlog-logsummary>
show shmlog statistics
<show-shmlog-statistics>
show snmp
show snmp health-monitor
<get-health-monitor-information>
<get-snmp-object>
show snmp v3
<get-snmp-v3-information>
show spanning-tree
show spanning-tree bridge
<get-stp-bridge-information>
show spanning-tree interface
<get-stp-interface-information>
show spanning-tree mstp
show spanning-tree mstp configuration
<get-mstp-configuration-information>
show spanning-tree statistics
<get-stp-interface-statistics>
show spanning-tree statistics bridge
show spanning-tree statistics interface
show spanning-tree statistics routing-instance
<get-stp-routing-instance-statistics>
show spanning-tree stp-buffer
show spanning-tree stp-buffer see-all
show ssl-certificates
<get-ssl-certificate-information>
show static-subscribers
show static-subscribers sessions
show subscribers
<get-subscribers>
show subscribers summary
<get-subscribers-summary>
<get-syslog-filenames>
show synchronous-ethernet
show synchronous-ethernet esmc
show synchronous-ethernet esmc statistics
show synchronous-ethernet esmc transmit
show synchronous-ethernet global-information
show system
show system alarms
<get-system-alarm-information>
show virtual-chassis
show virtual-chassis active-topology
<get-virtual-chassis-active-topology>
show virtual-chassis device-topology
<get-virtual-chassis-device-topology>
show virtual-chassis fast-failover
<get-virtual-chassis-fast-failover>
show virtual-chassis heartbeat
<get-virtual-chassis-heartbeat-information>
show virtual-chassis login
<get-virtual-chassis-login>
show virtual-chassis mode
<get-virtual-chassis-mode-information>
show virtual-chassis protocol
show virtual-chassis protocol adjacency
<get-virtual-chassis-adjacency-information>
show virtual-chassis protocol database
<get-virtual-chassis-database-information>
show virtual-chassis protocol interface
<get-virtual-chassis-interface-information>
show virtual-chassis protocol route
<get-virtual-chassis-route-information>
show virtual-chassis protocol statistics
<get-virtual-chassis-statistics-information>
show virtual-chassis status
<get-virtual-chassis-information>
show virtual-chassis vc-path
<get-virtual-chassis-packet-path>
show virtual-chassis vc-port
<get-virtual-chassis-port-information>
show virtual-chassis vc-port diagnostics
show virtual-chassis vc-port diagnostics optics
<get-virtual-chassis-optics-diagnostics>
show virtual-chassis vc-port lag-hash
<get-virtual-chassis-port-lag-hash-information>
show virtual-chassis vc-port statistics
<get-virtual-chassis-port-statistics>
show vlans
<get-vlan-information>
show vlans operational
<get-operational-vlan-instance-information>
show vlans satellite
<get-satellite-control-bridge-domain>
show vmhost
show vpls
show vpls connections
<get-vpls-connection-information>
show vrrp
show vrrp interface
show vrrp track
test interface
test interface fdl-line-loop
test interface fdl-line-loop ansi
test interface fdl-line-loop ansi initiate
test interface fdl-line-loop ansi terminate
test interface fdl-line-loop bellcore
test interface fdl-line-loop bellcore initiate
test interface fdl-line-loop bellcore terminate
test interface fdl-payload-loop
test interface fdl-payload-loop ansi
test interface fdl-payload-loop ansi initiate
test interface fdl-payload-loop ansi terminate
test interface fdl-payload-loop bellcore
test interface fdl-payload-loop bellcore initiate
test interface fdl-payload-loop bellcore terminate
test interface inband-line-loop
test interface inband-line-loop ansi
test interface inband-line-loop ansi initiate
RELATED DOCUMENTATION
view-configuration
Commands
RELATED DOCUMENTATION
Configuration Statements
accounting-order | 1050
accounting-server | 1052
address-protection | 1054
archival | 1057
authentication-key-chains | 1059
authentication-protocol | 1066
authentication-whitelist | 1068
authenticator | 1070
boot-loader-authentication | 1073
broadcast | 1078
broadcast | 1080
broadcast-client | 1081
broadcast-client | 1082
ca-type | 1083
captive-portal | 1085
civic-based | 1087
connection-limit | 1100
custom-options | 1102
detection-time | 1112
dlv | 1114
dot1x | 1115
eapol-block | 1118
enhanced-avs-max | 1120
events | 1121
failover-delay | 1122
finger | 1127
flow-tap-dtcp | 1128
ftp | 1129
interface-description-format | 1155
key-exchange | 1163
lldp | 1165
lldp-priority | 1175
local-certificate | 1176
login | 1181
mac-radius | 1186
master-password | 1188
method | 1190
multi-domain | 1192
multicast-client | 1194
multicast-client | 1195
nas-port-extended-format | 1196
ntp | 1202
outbound-ssh | 1206
password-options | 1215
profile | 1221
profilerd | 1223
proxy | 1225
radius-server | 1229
radius-server | 1231
radsec | 1234
radsec-destination | 1236
rate-limit | 1237
regex-additive-logic | 1239
remote-debug-permission | 1240
retry | 1241
retry-options | 1243
routing-engine-profile | 1248
routing-instance | 1249
servers | 1262
service-deployment | 1264
single-connection | 1267
sip-server | 1268
ssh-known-hosts | 1279
ssh-known-hosts | 1280
ssl-renegotiation | 1281
static-subscribers | 1285
statistics-service | 1286
subscriber-management-helper | 1287
tacplus | 1288
tacplus | 1289
tacplus-options | 1291
tacplus-server | 1294
telnet | 1296
tftp | 1297
tlv-filter | 1300
tlv-select | 1303
trusted-key | 1320
uac-policy | 1321
uac-service | 1322
uac-service | 1323
unattended-boot | 1324
usb-control | 1325
voip | 1329
watchdog | 1331
xnm-clear-text | 1337
xnm-ssl | 1338
accounting (System)
Syntax
accounting {
    events [login change-log interactive-commands];
    destination {
        radius {
            server {
                server-address {
                    accounting-port port-number;
                    retry number;
                    routing-instance routing-instance;
                    secret password;
                    source-address address;
                    timeout seconds;
                }
            }
        }
        tacplus {
            server {
                server-address {
                    port port-number;
                    routing-instance routing-instance;
                    secret password;
                    single-connection;
                    timeout seconds;
                }
            }
        }
    }
    enhanced-avs-max <number>;
}
Hierarchy Level
[edit system]
Release Information
Statement introduced before Junos OS Release 7.4.
Statement introduced in Junos OS Release 9.0 for EX Series switches.
enhanced-avs-max statement introduced in Junos OS Release 14.1.
Support for the source-address-inet6 statement introduced in Junos OS Release 14.1X53-D10 for EX Series switches.
Description
Configure auditing of TACACS+ or RADIUS authentication events, configuration changes, and interactive commands. Auditing these events helps you track network usage for auditing and billing purposes.
RELATED DOCUMENTATION
accounting-order
Syntax
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 8.0.
Statement introduced in Junos OS Release 13.2X50-D10 for EX Series switches.
Description
Specify the order in which accounting methods are used.
Options
radius—Use the RADIUS accounting method.
[accounting-order-data-list]—Set of data listing the accounting order to be used, enclosed in brackets. This can be any combination of accounting methods, up to and including a list of the entire accounting order.
RELATED DOCUMENTATION
accounting-port
Syntax
accounting-port port-number;
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 7.4.
Statement introduced in Junos OS Release 9.0 for EX Series switches.
Statement introduced in Junos OS Release 11.1 for the QFX Series.
Statement introduced in Junos OS Release 14.1X53-D20 for the OCX Series.
Description
Configure the accounting port number on which to contact the RADIUS server.
Options
number—Port number on which to contact the RADIUS server.
Default: 1813
RELATED DOCUMENTATION
accounting-server
Syntax
accounting-server [server-addresses];
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 9.0 for EX Series switches.
Statement introduced in Junos OS Release 11.1 for the QFX Series.
Statement introduced in Junos OS Release 14.1X53-D20 for OCX Series switches.
Description
Configure the Remote Authentication Dial-In User Service (RADIUS) server for authentication. To configure multiple RADIUS servers, include multiple server addresses. The servers are tried in order, in a round-robin fashion, until a valid response is received from one of the servers or until all the configured retry limits are reached.
Default
Not enabled
Options
server-addresses—One or more addresses of RADIUS authentication servers.
RELATED DOCUMENTATION
address-protection
Syntax
address-protection {
reassign-on-match;
}
Hierarchy Level
[edit access],
[edit logical-systems logical-system-name routing-instances routing-instance-name access]
Release Information
Statement introduced in Junos OS Release 11.2.
Statement introduced in Junos OS Release 13.2X50-D10 on EX Series switches.
reassign-on-match option added in Junos OS Release 18.4R1.
Description
Prevent IPv4 addresses and IPv6 prefixes from being assigned to more than one subscriber session when you use AAA to supply the addresses or prefixes.
For IPv4:
If enabled, the router checks the following attributes received from external servers:
• Framed-IP-Address
• Framed-Pool
• If an address matches an address in an address pool, the address is taken from the pool, provided it is available.
For IPv6:
If enabled, the router checks the following attributes received from external servers:
• Framed-IPv6-Prefix
• Framed-IPv6-Pool
• If a prefix matches a prefix in an address pool, the prefix is taken from the pool, provided it is available.
• If the prefix length requested from the external server does not exactly match the pool's prefix length, the authentication request is denied. If configured, the Acct-Stop message includes the cause for termination.
Options
reassign-on-match—Enable reassignment of an address from an existing subscriber to a new subscriber requesting that address. The address in use must not be part of a locally configured pool, and address protection must be enabled. The request from the new subscriber is still rejected, but the existing subscriber is sent a disconnect request to begin the logout process. This enables the new subscriber to renegotiate and be assigned that IP address.
If the requested address is in a locally configured pool, the existing subscriber is not disconnected.
Default: Rejects the address request from the new subscriber; the existing subscriber remains intact with the IP address.
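The decision rules listed above, as an added example in Python (not Juniper code). It models the Framed-IP-Address / Framed-Pool and Framed-IPv6-Prefix / Framed-IPv6-Pool checks, the exact prefix-length match required for IPv6, the one-session-per-address rule, and the reassign-on-match behaviour; the Pool and Router structures, the session table, and the sample pools and subscribers are assumptions constructed for the illustration.

```python
"""Decision logic for AAA-supplied addresses under address-protection.
Added example, not Juniper code; pools, router model and session table
are assumptions constructed for this illustration."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class Pool:
    """Assumed local pool: the covering network and the length handed out."""
    network: Network
    assign_length: int


@dataclass
class Decision:
    action: str                       # "assign" or "reject"
    reason: str                       # cause reported (for a reject, in Acct-Stop)
    disconnect: Optional[str] = None  # existing subscriber sent a disconnect request


@dataclass
class Router:
    pools: Dict[str, Pool]
    bindings: Dict[str, str] = field(default_factory=dict)  # prefix -> subscriber
    address_protection: bool = True
    reassign_on_match: bool = False

    def _local_pool(self, net: Network, pool_name: Optional[str]) -> Optional[Pool]:
        """Pool containing `net`; only the named pool is checked when AAA supplied one."""
        candidates = [self.pools[pool_name]] if pool_name in self.pools else self.pools.values()
        for pool in candidates:
            if pool.network.version == net.version and net.subnet_of(pool.network):
                return pool
        return None

    def _bind(self, key: str, subscriber: str, in_local_pool: bool) -> Decision:
        if not self.address_protection:
            self.bindings[key] = subscriber
            return Decision("assign", f"{key} assigned (address protection disabled)")
        holder = self.bindings.get(key)
        if holder is None or holder == subscriber:
            self.bindings[key] = subscriber
            return Decision("assign", f"{key} assigned")
        if self.reassign_on_match and not in_local_pool:
            # Still rejected, but the holder is asked to log out so the new
            # subscriber can renegotiate and receive the address.
            return Decision("reject", f"{key} held by {holder}; reassignment started",
                            disconnect=holder)
        return Decision("reject", f"{key} already assigned to {holder}")

    def request(self, subscriber: str, attrs: Dict[str, str]) -> Decision:
        """Evaluate the attributes returned by the external server for one session."""
        if "Framed-IPv6-Prefix" in attrs:
            net = ipaddress.ip_network(attrs["Framed-IPv6-Prefix"], strict=False)
            pool = self._local_pool(net, attrs.get("Framed-IPv6-Pool"))
            if pool is not None and net.prefixlen != pool.assign_length:
                # The requested length must match the pool's length exactly.
                return Decision("reject", f"requested /{net.prefixlen} does not match "
                                          f"pool prefix length /{pool.assign_length}")
        elif "Framed-IP-Address" in attrs:
            net = ipaddress.ip_network(attrs["Framed-IP-Address"] + "/32")
            pool = self._local_pool(net, attrs.get("Framed-Pool"))
        else:
            return Decision("reject", "no address attribute to protect")
        return self._bind(str(net), subscriber, pool is not None)


def demo_router(reassign_on_match: bool = True) -> Router:
    """Constructed pools (documentation ranges) for demonstration."""
    return Router(
        pools={
            "v4-local": Pool(ipaddress.ip_network("203.0.113.0/24"), 32),
            "v6-local": Pool(ipaddress.ip_network("2001:db8::/48"), 64),
        },
        reassign_on_match=reassign_on_match,
    )


if __name__ == "__main__":
    r = demo_router()
    print(r.request("subA", {"Framed-IP-Address": "198.51.100.7"}))
    print(r.request("subB", {"Framed-IP-Address": "198.51.100.7"}))  # reject, disconnect subA
```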
RELATED DOCUMENTATION
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 11.2.
Statement introduced in Junos OS Release 11.3 for the QFX Series.
Description
Configure the authentication algorithm for IS-IS.
Options
hmac-sha-1—96-bit hash-based message authentication code (SHA-1).
md5—Message digest 5.
Default: md5
RELATED DOCUMENTATION
archival
Syntax
archival {
    configuration {
        archive-sites {
            file://<path>/<filename>;
            ftp://username@host:<port>url-path password password;
            http://username@host:<port>url-path password password;
            pasvftp://username@host:<port>url-path password password;
            scp://username@host:<port>url-path password password;
        }
        transfer-interval interval;
        transfer-on-commit;
    }
    routing-instance routing-instance;
}
Hierarchy Level
[edit system]
Release Information
Statement introduced before Junos OS Release 7.4.
Statement introduced in Junos OS Release 9.0 for EX Series switches.
Statement introduced in Junos OS Release 11.1 for the QFX Series.
Statement introduced in Junos OS Release 14.1X53-D20 for OCX Series switches.
Description
Configure copying of the currently active configuration to an archive site. An archive site can be a file, or an FTP, HTTP, passive FTP, or SCP location.
Options
configuration—Configure the router or switch to transfer its currently active configuration periodically (or after each commit). Parameters include archive-sites, transfer-interval, and transfer-on-commit.
NOTE: The [edit system archival] hierarchy is not available on QFabric systems.
archive-sites—Specify where to transfer the current configuration files. When specifying a URL in a Junos OS statement using an IPv6 host address, you must enclose the entire URL in quotation marks (" ") and enclose the IPv6 host address in brackets ([ ]). For example: "scp://username<:password>@[ipv6-host-address]<:port>/url-path".
If you specify more than one archive site, the router or switch attempts to transfer the configuration files to the first archive site in the list, moving to the next only if the transfer fails. The destination filename is saved in the following format, where n corresponds to the number of the compressed configuration rollback file that has been archived:
router-name_YYYYMMDD_HHMMSS_juniper.conf.n.gz
NOTE: The time included in the destination filename is always in Coordinated Universal Time (UTC) regardless of whether the time on the router or switch is configured as UTC or the local time zone. The default time zone on the router or switch is UTC.
transfer-interval—The frequency, in minutes, for transferring the current configuration to an archive site. Valid intervals are 15 to 2880 minutes.
RELATED DOCUMENTATION
authentication-key-chains
Syntax
authentication-key-chains {
    key-chain key-chain-name {
        description text-string;
        key key {
            algorithm (md5 | hmac-sha-1);
            options (basic | isis-enhanced);
            secret secret-data;
            start-time yyyy-mm-dd.hh:mm:ss;
        }
        tolerance seconds;
    }
}
Hierarchy Level
[edit security]
Release Information
Statement introduced in Junos OS Release 7.6.
Statement introduced in Junos Limited edition for Junos OS Releases 15.1R8, 16.1R7, 16.2R3, 17.1R3, 17.2R3, 17.3R3, and 17.4R2.
Statement introduced in Junos OS Release 9.0 for EX Series switches.
Support for the BFD protocol introduced in Junos OS Release 9.6.
Support for the BFD protocol introduced in Junos OS Release 9.6 for EX Series switches.
Support for IS-IS introduced in Junos OS Release 11.2.
Statement introduced in Junos OS Release 11.3 for the QFX Series.
Statement introduced in Junos OS Release 14.1X53-D20 for the OCX Series.
Description
Configure authentication key updates for the Border Gateway Protocol (BGP) and Label Distribution Protocol (LDP) routing protocols, the Bidirectional Forwarding Detection (BFD) protocol, and the Intermediate System-to-Intermediate System (IS-IS) protocol. When the authentication-key-chains statement is configured at the [edit security] hierarchy level and is associated with the BGP, LDP, or IS-IS protocols at the [edit protocols] hierarchy level, or with the BFD protocol using the bfd-liveness-detection statement, authentication key updates can occur without interrupting routing and signaling protocols such as Open Shortest Path First (OSPF) and Resource Reservation Setup Protocol (RSVP).
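The rollover behaviour behind the syntax above, as an added example in Python (not Juniper code). The reference gives only the syntax, so the semantics modelled here are assumptions: the key whose start-time is the latest one not in the future signs outgoing packets, and a receiver also accepts the previously active key for tolerance seconds after the rollover so that peers with slightly skewed clocks keep verifying; the digests are illustrative only (keyed MD5 computed as MD5 over message plus secret in the RFC 2385 style, hmac-sha-1 truncated to 96 bits as described on this page), and the sample chain is constructed.

```python
"""Key selection and verification for an authentication-key-chains chain.
Added example, not Juniper code; rollover semantics, digest construction
and the sample chain are assumptions made for this illustration."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Key:
    key_id: int
    algorithm: str           # "md5" or "hmac-sha-1", as in the syntax
    secret: bytes            # secret secret-data
    start_time: datetime     # start-time yyyy-mm-dd.hh:mm:ss


@dataclass
class KeyChain:
    name: str
    keys: List[Key]
    tolerance: int = 0       # tolerance seconds (assumed: acceptance window after rollover)

    def _started(self, now: datetime) -> List[Key]:
        """Keys whose start-time has passed, oldest first."""
        return sorted((k for k in self.keys if k.start_time <= now),
                      key=lambda k: k.start_time)

    def send_key(self, now: datetime) -> Optional[Key]:
        """Key used to sign packets sent at `now`; None before the first start-time."""
        started = self._started(now)
        return started[-1] if started else None

    def receive_keys(self, now: datetime) -> List[Key]:
        """Keys acceptable on a packet received at `now`: the current key and,
        while the tolerance window after rollover is still open, the previous one."""
        started = self._started(now)
        if not started:
            return []
        accepted = [started[-1]]
        window_end = started[-1].start_time + timedelta(seconds=self.tolerance)
        if len(started) > 1 and now < window_end:
            accepted.append(started[-2])
        return accepted


def parse_start_time(text: str) -> datetime:
    """Parse the yyyy-mm-dd.hh:mm:ss form used by the start-time statement."""
    return datetime.strptime(text, "%Y-%m-%d.%H:%M:%S")


def digest(key: Key, message: bytes) -> bytes:
    """Illustrative digests: keyed MD5 (RFC 2385 style) or HMAC-SHA-1-96."""
    if key.algorithm == "md5":
        return hashlib.md5(message + key.secret).digest()
    if key.algorithm == "hmac-sha-1":
        return hmac.new(key.secret, message, hashlib.sha1).digest()[:12]
    raise ValueError(f"unsupported algorithm {key.algorithm!r}")


def sign(chain: KeyChain, now: datetime, message: bytes) -> Optional[bytes]:
    key = chain.send_key(now)
    return digest(key, message) if key else None


def verify(chain: KeyChain, now: datetime, message: bytes, tag: bytes) -> Optional[int]:
    """key-id whose digest matches the tag, or None if no acceptable key does."""
    for key in chain.receive_keys(now):
        if hmac.compare_digest(digest(key, message), tag):
            return key.key_id
    return None


# Constructed sample chain: key 2 takes over on 2020-03-26 with a 10-minute tolerance.
SAMPLE_CHAIN = KeyChain(
    name="bgp-peers",
    keys=[
        Key(1, "hmac-sha-1", b"old-secret", parse_start_time("2020-03-01.00:00:00")),
        Key(2, "hmac-sha-1", b"new-secret", parse_start_time("2020-03-26.00:00:00")),
    ],
    tolerance=600,
)

if __name__ == "__main__":
    msg = b"constructed keepalive"
    stale = digest(SAMPLE_CHAIN.keys[0], msg)   # sent by a peer still using key 1
    print(verify(SAMPLE_CHAIN, parse_start_time("2020-03-26.00:05:00"), msg, stale))  # 1
    print(verify(SAMPLE_CHAIN, parse_start_time("2020-03-26.00:15:00"), msg, stale))  # None
```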
RELATED DOCUMENTATION
Configuring the Authentication Key Update Mechanism for BGP and LDP Routing Protocols | 250
Example: Configuring BFD Authentication for Securing Static Routes
Example: Configuring Hitless Authentication Key Rollover for IS-IS
authentication-order (System)
Syntax
Hierarchy Level
[edit system]
Release Information
Statement introduced before Junos OS Release 7.4.
Statement introduced in Junos OS Release 9.0 for EX Series.
Statement introduced in Junos OS Release 11.1 for the QFX Series.
Statement introduced in Junos OS Release 14.1X53-D20 for OCX Series.
Description
Configure the order in which the software tries different user authentication methods when attempting to authenticate a user. For each login attempt, the software tries the authentication methods in order, starting with the first one, until the password matches.
Default
If you do not include the authentication-order statement, users are verified based on their configured passwords.
Options
authentication-order [method1 method2...]—Specify the order in which the software tries different authentication methods when attempting to authenticate a user.
Values: One or more of the following authentication methods, listed in the order in which they must be tried:
• password—Use the password configured for the user with the authentication statement at the [edit system login user] hierarchy level.
RELATED DOCUMENTATION
authentication-order (Authenticator)
Syntax
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 15.1R3.
Description
Configure the preferred order of authentication methods that the device uses when attempting to authenticate a client. If multiple authentication methods are configured on a single interface and one method fails, the device falls back to another method. You can configure the authentication-order statement to specify whether 802.1X authentication or MAC RADIUS authentication must be the first authentication method tried.
By default, the device attempts to authenticate a client by using 802.1X authentication first. If 802.1X authentication fails because there is no response from the client, and MAC RADIUS authentication is configured on the interface, the device falls back to MAC RADIUS authentication. If MAC RADIUS fails, and captive portal is configured on the device, the device falls back to captive portal.
Configuring MAC RADIUS authentication as the first method can help prevent the fallback timeout period that occurs after an 802.1X authentication attempt is made for a host that does not support 802.1X authentication. If MAC RADIUS authentication is configured as the first authentication method on an interface, then on receiving data from any client on that interface, the device attempts to authenticate the client by using MAC RADIUS authentication. If MAC RADIUS authentication fails, the device falls back to 802.1X authentication. If 802.1X authentication fails, and captive portal is configured on the interface, the device falls back to captive portal.
802.1X authentication always has the highest priority, even if a client has been authenticated using another method. If the device receives an EAP packet from a client that has been authenticated using MAC RADIUS authentication, the device acknowledges the EAP packet and upgrades the authentication using 802.1X authentication credentials. Similarly, if a client has been authenticated through fallback to captive portal, and the device receives an EAP packet from that client, the device attempts to authenticate the client by using 802.1X authentication.
The device attempts authentication using only methods that are configured on the interface. If an authentication method is included in the authentication order but is not configured on the interface, the device ignores that method and attempts authentication using the next method in the order that is enabled. However, if a method is enabled on the interface but is not included in the authentication order, the device does not attempt to use that method. For example, if captive portal is enabled for an interface, but the authentication order is configured as [mac-radius dot1x], the authentication method for that interface does not fall back to captive portal.
The authentication order can be configured for all interfaces by using the interface all option. If the authentication order is configured for an individual interface, and there is also an authentication order configured for all interfaces, then the order for the individual interface is followed. If there is no authentication order configured for an individual interface, and there is an authentication order configured for all interfaces, then the configuration for all interfaces is followed.
• 802.1X authentication must be one of the methods included in the authentication order.
• If captive portal is included in the authentication order, it must be the last method in the order.
• [dot1x captive-portal]
• [dot1x mac-radius]
Default
If authentication-order is not configured, the device attempts to authenticate the client by using 802.1X authentication first, followed by MAC RADIUS authentication, and then captive portal, as follows:
1. 802.1X authentication—If 802.1X is configured on the interface, the device sends EAPoL requests to the end device and attempts to authenticate the end device through 802.1X authentication. If the end device does not respond to the EAP requests, the device checks whether MAC RADIUS authentication is configured on the interface.
2. MAC RADIUS authentication—If MAC RADIUS authentication is configured on the interface, the device sends the MAC address of the end device to the authentication server. If MAC RADIUS authentication is not configured, the device checks whether captive portal is configured on the interface.
3. Captive portal authentication—If captive portal is configured on the interface, the device attempts to authenticate the end device by using this method after attempting any other configured authentication methods.
Options
captive-portal—Configure captive portal authentication in the order of authentication methods on the interface.
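The precedence and fallback rules described above, worked through as an added example in Python (not Juniper code). Method names are the statement's keywords dot1x, mac-radius and captive-portal; the per-interface model (which methods are enabled, which order is configured), the interface-all parameter, and the guard in on_eap_packet are assumptions made for the illustration.

```python
"""Effective method order for authentication-order (Authenticator).
Added example, not Juniper code; the interface model is an assumption."""
from dataclasses import dataclass
from typing import List, Optional, Set

DEFAULT_ORDER = ["dot1x", "mac-radius", "captive-portal"]
VALID_METHODS = frozenset(DEFAULT_ORDER)


@dataclass
class InterfaceAuth:
    """Assumed model of one interface."""
    configured: Set[str]                  # methods enabled on the interface
    order: Optional[List[str]] = None     # authentication-order set on this interface


def validate_order(order: List[str]) -> List[str]:
    """Apply the constraints the reference states for authentication-order."""
    unknown = [m for m in order if m not in VALID_METHODS]
    if unknown:
        raise ValueError(f"unknown method(s): {unknown}")
    if len(set(order)) != len(order):
        raise ValueError("each method may appear only once")
    if "dot1x" not in order:
        raise ValueError("802.1X (dot1x) must be one of the methods")
    if "captive-portal" in order and order[-1] != "captive-portal":
        raise ValueError("captive-portal must be the last method")
    return list(order)


def is_valid_order(order: List[str]) -> bool:
    try:
        validate_order(order)
        return True
    except ValueError:
        return False


def effective_order(iface: InterfaceAuth,
                    all_interfaces_order: Optional[List[str]] = None) -> List[str]:
    """Methods the device actually tries on this interface, in sequence.

    Precedence: the order configured on the interface, else the order
    configured with 'interface all', else the built-in default. Methods in
    the order that are not configured on the interface are skipped; methods
    configured but absent from the order are never tried.
    """
    if iface.order is not None:
        order = validate_order(iface.order)
    elif all_interfaces_order is not None:
        order = validate_order(all_interfaces_order)
    else:
        order = DEFAULT_ORDER
    return [m for m in order if m in iface.configured]


def next_method(iface: InterfaceAuth, failed: str,
                all_interfaces_order: Optional[List[str]] = None) -> Optional[str]:
    """Fallback after `failed`, or None when no further method remains."""
    seq = effective_order(iface, all_interfaces_order)
    if failed not in seq:
        return None
    idx = seq.index(failed) + 1
    return seq[idx] if idx < len(seq) else None


def on_eap_packet(iface: InterfaceAuth, current: str) -> str:
    """802.1X has the highest priority: an EAP packet from a client already
    authenticated by mac-radius or captive-portal triggers an 802.1X attempt.
    Requiring dot1x to be enabled on the interface is an assumption."""
    return "dot1x" if "dot1x" in iface.configured else current


if __name__ == "__main__":
    # The case from the description: captive portal is enabled, but the
    # order [mac-radius dot1x] omits it, so there is no fallback to it.
    port = InterfaceAuth({"dot1x", "mac-radius", "captive-portal"},
                         order=["mac-radius", "dot1x"])
    print(effective_order(port))          # ['mac-radius', 'dot1x']
    print(next_method(port, "dot1x"))     # None
```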
RELATED DOCUMENTATION
authentication-protocol
Syntax
authentication-protocol {
    eap-md5;
    eap-peap {
        resume;
    }
    pap;
}
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 15.1R3 for EX Series switches.
eap-peap introduced in Junos OS Release 17.2R1.
Description
Specify the protocol to be used by a supplicant to provide authentication credentials for MAC RADIUS
authentication. The protocols supported for MAC RADIUS authentication are EAP-MD5, which is the
default, Protected Extensible Authentication Protocol (EAP-PEAP), and Password Authentication Protocol
(PAP).
Default
If authentication-protocol is not configured, the EAP-MD5 authentication protocol is used for MAC
RADIUS authentication.
Options
eap-md5—Use the EAP-MD5 protocol for MAC RADIUS authentication. EAP-MD5 is an authentication
method belonging to the Extensible Authentication Protocol (EAP) authentication framework. EAP-MD5
uses MD5 to hash the username and password. EAP-MD5 provides one-way (client-only) authentication:
the server sends the client a random challenge, and the client must respond with a value derived from
the challenge and its password to establish its identity.
eap-peap <resume>—Use the EAP-PEAP protocol, also known as Protected EAP or PEAP, for MAC RADIUS
authentication. EAP-PEAP is a protocol that encapsulates EAP within a potentially encrypted and
authenticated Transport Layer Security (TLS) tunnel. By encapsulating the authentication process in
a TLS tunnel, PEAP addresses the vulnerabilities of an EAP like EAP-MD5.
Syntax: resume—(Optional) Enable faster authentication when reconnecting by resuming the TLS
session.
pap—Use the PAP authentication protocol for MAC RADIUS authentication. PAP provides a simple
password-based authentication for users to establish their identity by using a two-way handshake.
PAP transmits plaintext passwords over the network without encryption. PAP must be configured if
the Lightweight Directory Access Protocol (LDAP), which supports only plaintext passwords for client
authentication, is used for RADIUS authentication.
RELATED DOCUMENTATION
authentication-whitelist
Syntax
authentication-whitelist {
mac-address {
bridge-domain-assignment bridge-domain-assignment;
interface interface-name;
vlan-assignment (vlan-id | vlan-name);
}
}
Hierarchy Level
[edit ethernet-switching-options]
[edit logical-systems name switch-options]
[edit switch-options]
Release Information
Statement introduced in Junos OS Release 10.1 for EX Series switches.
The [edit switch-options] hierarchy level was introduced in Junos OS Release 13.2X50-D10 for EX Series
switches (ELS).
Statement introduced in Junos OS Release 14.1X53-D30 for the QFX Series.
Description
Configure MAC addresses to exclude from RADIUS authentication. The authentication whitelist provides
an authentication bypass mechanism for supplicants connecting to a port, permitting devices, such as
printers, to be connected to the network without going through the authentication process.
Options
mac-address—The MAC address of the device for which RADIUS authentication should be bypassed and
the device permitted access to the port.
interface [interface-names]—Specify a list of interfaces on which the specified MAC addresses are allowed
to bypass RADIUS authentication and allowed to connect to the LAN without authentication.
vlan-assignment (vlan-id | vlan-name)—(EX, QFX, and SRX Series only) Specify the VLAN 802.1Q tag identifier
or name associated with the list of MAC addresses that should be allowed to bypass RADIUS
authentication.
RELATED DOCUMENTATION
authenticator
Syntax
authenticator {
authentication-profile-name access-profile-name;
interface (all | [ interface-names ]) {
authentication-order (captive-portal | dot1x | mac-radius);
disable;
guest-bridge-domain guest-bridge-domain;
guest-vlan guest-vlan;
ignore-port-bounce;
mac-radius {
authentication-protocol {
eap-md5;
eap-peap {
resume;
}
pap;
}
flap-on-disconnect;
restrict;
}
maximum-requests number;
multi-domain {
max-data-session max-data-session;
packet-action (drop-and-log | shutdown);
recovery-timeout seconds;
}
(no-reauthentication | reauthentication interval);
no-tagged-mac-authentication;
quiet-period seconds;
redirect-url redirect-url;
retries (802.1X) number;
server-fail (bridge-domain bridge-domain | deny | permit | use-cache | vlan-name vlan-name);
server-fail-voip (deny | permit | use-cache | vlan-name vlan-name);
server-reject-bridge-domain bridge-domain {
block-interval seconds;
eapol-block;
}
server-reject-vlan (vlan-id | vlan-name) {
block-interval block-interval;
eapol-block;
}
server-timeout seconds;
supplicant (single | single-secure | multiple);
supplicant-timeout seconds;
transmit-period seconds;
}
ip-mac-session-binding;
no-mac-table-binding;
radius-options {
add-interface-text-description;
use-vlan-id;
use-vlan-name;
}
static mac-address {
bridge-domain-assignment bridge-domain-assignment;
interface interface;
vlan-assignment vlan-identifier;
}
}
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 9.0 for the EX Series.
Statement introduced in Junos OS Release 9.3 for the MX Series.
no-mac-table-binding introduced in Junos OS Release 11.1.
radius-options introduced in Junos OS Release 12.1.
Statement introduced in Junos OS Release 14.1X53-D30 for the QFX Series.
add-interface-text-description introduced in Junos OS Release 18.4.
ip-mac-session-binding introduced in Junos OS Release 20.1.
Description
Specify the group of servers to be used for IEEE 802.1X or MAC RADIUS authentication for Port-Based
Network Access Control, configure interfaces for 802.1X authentication, and configure static MAC bypass
for 802.1X and MAC RADIUS authentication. 802.1X authentication is supported on interfaces that are
members of private VLANs (PVLANs).
NOTE: You cannot configure 802.1X user authentication on interfaces that have been enabled
for Q-in-Q tunneling.
Default
802.1X authentication is disabled.
Options
authentication-profile-name access-profile-name—Specify the name of the access profile to be used for
802.1X or MAC RADIUS user authentication. The access profile is configured at the [edit access profile]
hierarchy level and contains the RADIUS server IP address and other information used for
authentication.
NOTE: Access profile configuration is required only for 802.1X clients, not for static MAC
clients.
no-mac-table-binding—Specify that the device not remove the session from the authentication session
table when the MAC address ages out of the Ethernet switching table.
Default: Not enabled
The remaining statements are explained separately. Search for a statement in CLI Explorer or click a linked
statement in the Syntax section for details.
RELATED DOCUMENTATION
boot-loader-authentication
Syntax
boot-loader-authentication {
(encrypted-password password | plain-text-password);
}
Hierarchy Level
[edit system]
Release Information
Statement introduced in Junos OS Release 13.2X51-D20 for EX Series switches.
Description
Set the boot-loader password for accessing the U-Boot CLI during the boot process. The password can
be entered either as a plain-text password or as an encrypted password.
Encrypted passwords must be entered in Message Digest 5 (MD5) format. Plain-text passwords are
encrypted by using MD5 by default. The encryption format for plain-text passwords can be changed by
using the set system login password format command.
Encrypted passwords must be between 1 and 128 characters long. The password must be enclosed in
quotation marks and cannot be blank within the quotation marks ("").
• You can include most character classes in a password (uppercase letters, lowercase letters, numbers,
punctuation marks, and other special characters). Control characters are not recommended.
• The password must contain at least one change of case or character class.
Options
encrypted-password password—Enter a password that has already been encrypted. You can specify only
one encrypted password.
plain-text-password—Enter a plain-text password. The CLI prompts you for the password and then encrypts
it. The CLI displays the encrypted version, and the software places the encrypted version in its user database.
You can specify only one plain-text password.
RELATED DOCUMENTATION
boot-server (NTP)
Syntax
Hierarchy Level
Release Information
Statement introduced before Junos OS Release 7.4.
Description
Configure the server that NTP queries when the SRX Series device boots to determine the local date and
time.
When you boot the SRX Series device, it issues an ntpdate request, which polls a network server to
determine the local date and time. You need to configure a server that the SRX Series device uses to
determine the time when the SRX Series device boots. You can configure either an IP address or a hostname
for the boot server. If you configure a hostname instead of an IP address, the ntpdate request resolves
the hostname to an IP address when the SRX Series device boots up.
If you configure an NTP boot server, then when the SRX Series device boots, it immediately synchronizes
with the boot server even if the NTP process is explicitly disabled or if the time difference between the
client and the boot server exceeds the threshold value of 1000 seconds.
Options
• address—The IP address of an NTP boot server.
RELATED DOCUMENTATION
ntp | 1202
boot-server (NTP)
Syntax
Hierarchy Level
Release Information
Statement introduced before Junos OS Release 7.4.
Statement introduced in Junos OS Release 11.1 for the QFX Series.
Statement introduced in Junos OS Release 14.1X53-D20 for the OCX Series.
Description
Configure the server that NTP queries when the router or switch boots to determine the local date and
time.
When you boot the router, switch, or SRX Series device, it issues an ntpdate request, which polls a network
server to determine the local date and time. You need to configure a server that the router, switch, or SRX
Series device uses to determine the time when the device boots. Otherwise, NTP cannot synchronize to
a time server if the server time significantly differs from the local device’s time. You can configure either
an IP address or a hostname for the boot server. If you configure a hostname instead of an IP address, the
ntpdate request resolves the hostname to an IP address when the router, switch, or SRX Series device
boots up.
If you configure an NTP boot server, then when the SRX Series device boots, it immediately synchronizes
with the boot server even if the NTP process is explicitly disabled or if the time difference between the
client and the boot server exceeds the threshold value of 1000 seconds.
Options
• address—IP address of an NTP boot server.
RELATED DOCUMENTATION
broadcast
Syntax
broadcast address <key key-number> <routing-instance-name routing-instance-name> <ttl value> <version value>;
Hierarchy Level
Release Information
Statement introduced before Junos OS Release 7.4.
Description
Configure the SRX Series device to operate in broadcast mode with the remote system at the specified
address. In this mode, the SRX Series device sends periodic broadcast messages to a client population at
the specified broadcast or multicast address. Normally, you include this statement only when the SRX
Series device is operating as a transmitter.
Options
address—The broadcast address on one of the local networks or a multicast address assigned to NTP. You
must specify an address, not a hostname. If the multicast address is used, it must be 224.0.1.1.
key key-number—(Optional) All packets sent to the address include authentication fields that are encrypted
using the specified key number.
Range: Any unsigned 32-bit integer
version value—(Optional) Specify the version number to be used in outgoing NTP packets.
Range: 1 through 4
Default: 4
RELATED DOCUMENTATION
ntp | 1202
broadcast
Syntax
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 11.1 for the QFX Series.
Statement introduced in Junos OS Release 14.1X53-D20 for the OCX Series.
Description
Configure the local router or switch to operate in broadcast mode with the remote system at the specified
address to send periodic broadcast messages to a client population. Normally, you include this statement
only when the local router or switch is operating as a transmitter.
Options
address—Broadcast address on one of the local networks or a multicast address assigned to NTP. You must
specify an address, not a hostname. If the multicast address is used, it must be 224.0.1.1.
key key-number—(Optional) All packets sent to the address include authentication fields that are encrypted
using the specified key number (any unsigned 32-bit integer).
version value—(Optional) Specify the version number to be used in outgoing NTP packets.
Range: 1 through 4
Default: 4
RELATED DOCUMENTATION
broadcast-client
Syntax
broadcast-client;
Hierarchy Level
Release Information
Statement introduced before Junos OS Release 7.4.
Description
Configure the SRX Series device to listen for broadcast messages on the local network to discover other
servers on the same subnet.
RELATED DOCUMENTATION
ntp | 1202
broadcast-client
Syntax
broadcast-client;
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 11.1 for the QFX Series.
Statement introduced in Junos OS Release 14.1X53-D20 for the OCX Series.
Description
Configure the local switch to listen for broadcast messages on the local network to discover other servers
on the same subnet.
RELATED DOCUMENTATION
ca-type
Syntax
ca-type type {
ca-value value;
}
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 9.0 for EX Series.
Statement introduced in Junos OS Release 11.1 for QFX Series.
Description
For Link Layer Discovery Protocol–Media Endpoint Device (LLDP-MED), configure the location types and
values that comprise the location information advertised from the device to the MED. This information is
used during emergency calls to identify the location (civic or postal address) of the caller.
For further information about the types and values that can be used to comprise the location, refer to RFC
4776, Dynamic Host Configuration Protocol (DHCPv4 and DHCPv6) Option for Civic Addresses Configuration
Information. A subset of those types, with sample values, is provided below.
Default
Disabled.
Options
ca-type type—Specify category codes that together with values represent information about the civic or
postal address of the caller’s location. The address is divided into information types, with each
information type represented by a code. Some of the codes, with corresponding sample values for the
ca-value option, are:
• 0—A code that specifies the language used to describe the location.
ca-value value—Configure location information (civic or postal address) that is indexed by the ca-type
code. See the description of the ca-type option for examples.
RELATED DOCUMENTATION
captive-portal
Syntax
captive-portal {
authentication-profile-name authentication-profile-name;
custom-options {
banner-message string;
footer-bgcolor color;
footer-message string;
footer-text-color color;
form-header-bgcolor color;
form-header-message string;
form-header-text-color color;
form-reset-label label name;
form-submit-label label name;
header-bgcolor color;
header-logo filename;
header-message string;
header-text-color color;
post-authentication-url url-string;
}
interface (all | [interface-names]) {
quiet-period seconds;
retries number-of-retries;
server-timeout seconds;
session-expiry seconds;
supplicant (multiple | single | single-secure);
user-keepalive minutes;
}
secure-authentication (http | https);
}
Hierarchy Level
[edit services]
Release Information
Statement introduced in Junos OS Release 10.1 for EX Series switches.
Statement introduced in Junos OS Release 14.1X53-D30 for the QFX Series.
user-keepalive introduced in Junos OS Release 16.1 for EX Series switches.
Description
Configure captive portal to authenticate clients connected to the switch for access to the network.
Default
Captive portal is disabled.
Options
authentication-profile-name access-profile-name—Specify the name of the access profile to be used for
captive portal authentication. You configure the access profile at the [edit access profile] hierarchy
level. The access profile contains the RADIUS server IP address and other information used for
authentication.
Default: No access profile is specified.
secure-authentication (http | https)—Enable HTTP or HTTPS access on the captive portal interface.
Default: http
Values: Specify one of the following:
• http—Enables HTTP access on the captive portal interface.
The remaining statements are explained separately. Search for a statement in CLI Explorer or click a linked
statement in the Syntax section for details.
RELATED DOCUMENTATION
civic-based
Syntax
civic-based {
ca-type name {
ca-value ca-value;
}
country-code country-code;
what what;
}
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 9.0 for EX Series switches.
what modified in Junos OS Release 9.2 for EX Series to display new default.
Statement introduced in Junos OS Release 11.1 for QFX Series switches.
Description
For Link Layer Discovery Protocol–Media Endpoint Discovery (LLDP-MED), configure the geographic
location to be advertised from the device to the MED. This information is used during emergency calls to
identify the location of the MED.
Default
Disabled.
Options
country-code code—(Required) Configure the two-letter ISO 3166 country code in capital ASCII letters;
for example, US or DE. The code is part of the location information. Location information is advertised
from the device to the MED, and is used during emergency calls to identify the location of the MED.
The country code is required when configuring LLDP-MED based on location.
Default: Disabled.
what number—Configure the location to which the DHCP entry refers. This information is advertised, along
with other location information, from the switch to the MED. It is used during emergency calls to
identify the location of the MED.
Options 0 and 1 should not be used unless you know that the DHCP client is in close physical proximity
to the server or network element.
Values: Location to which the DHCP entry refers:
Default: 1
The remaining statements are explained separately. Search for a statement in CLI Explorer or click a linked
statement in the Syntax section for details.
RELATED DOCUMENTATION
class
Syntax
class class-name {
access-end hh:mm;
access-start hh:mm;
( allow-commands "(regular-expression1)|(regular-expression2)..." | allow-commands-regexps [ "regular expression 1" "regular expression 2" ... ] );
( allow-configuration "(regular-expression1)|(regular-expression2)..." | allow-configuration-regexps [ "regular expression 1" "regular expression 2" ... ] );
allow-hidden-commands;
allow-sources [ source-addresses ... ];
allow-times [ times ... ];
allowed-days [ days of the week ];
cli {
prompt prompt;
}
configuration-breadcrumbs;
confirm-commands [“regular expression or command 1” “regular expression or command 2” ...] {
confirmation-message;
}
( deny-commands "(regular-expression1)|(regular-expression2)..." | deny-commands-regexps [ "regular expression 1" "regular expression 2" ... ] );
( deny-configuration "(regular-expression1)|(regular-expression2)..." | deny-configuration-regexps [ "regular expression 1" "regular expression 2" ... ] );
deny-sources [ source-addresses ... ];
deny-times [ times ... ];
idle-timeout minutes;
logical-system logical-system-name;
login-alarms;
login-script login-script;
login-tip;
no-hidden-commands {
except [“regular expression or command 1” “regular expression or command 2” ...];
}
no-scp-server;
no-sftp-server;
permissions [ permissions ];
satellite all;
security-role (audit-administrator | crypto-administrator | ids-administrator | security-administrator);
tenant tenant-system-name;
}
Hierarchy Level
Release Information
The class, allow-commands, deny-commands, allow-configuration, deny-configuration, idle-timeout,
login-alarms, login-tip, and permissions statements were introduced before Junos OS Release 7.4.
All of the previously mentioned statements were introduced in Junos OS Release 9.0 for the EX Series.
The login-script statement was introduced in Junos OS Release 9.5.
The access-end, access-start, and allowed-days statements were introduced in Junos OS Release 10.1.
All of the previously mentioned statements were introduced in Junos OS Release 11.1 for the QFX Series.
All of the previously mentioned statements were introduced in Junos OS Release 11.2 for the SRX Series.
The allow-configuration-regexps, deny-configuration-regexps, and security-role statements were
introduced in Junos OS Release 11.2.
The configuration-breadcrumbs statement was introduced in Junos OS Release 12.2.
All of the previously mentioned statements were introduced in Junos OS Release 14.1X53-D20 for the
OCX Series.
All of the previously mentioned statements were introduced in Junos OS Release 15.1X49-D70 for the
vSRX, SRX4100, SRX4200 and SRX1500 devices.
All of the previously mentioned statements were introduced in Junos OS Release 16.1 for the MX Series
and PTX Series.
The allow-hidden-commands, confirm-commands, no-hidden-commands, and satellite statements were
introduced in Junos OS Release 16.1.
The cli statement was introduced in Junos OS Release 17.3.
The allow-commands-regexps and deny-commands-regexps statements were introduced in Junos OS
Release 18.1.
The tenant statement was introduced in Junos OS 18.4.
The no-scp-server and no-sftp-server statements were introduced in Junos OS Release 19.2.
Description
Define a login class. All users who log in to the router or switch must be in a login class. Therefore, you
must define a Junos OS login class for each user or type of user. You can define any number of login classes
depending on the types of permissions the users need. You may not need to define any login classes; Junos
OS has several predefined login classes, to suit a variety of needs. However, the predefined login classes
cannot be modified. If you define a class with the same name as a predefined class, Junos OS appends
-local to the login class name and creates a new login class. See “Predefined System Login Classes” on
page 37 for more information.
Options
class-name—A name you choose for the login class.
access-end—Specify the end time in HH:MM (24-hour) format, where HH represents the hours and MM
represents the minutes.
NOTE: Access start and end times that span across 12:00 AM starting on a specified day result
in the user having access until the next day, even if the access day is not explicitly configured
on the allowed-days statement.
access-start—Specify the start time in HH:MM (24-hour) format, where HH represents the hours and MM
represents the minutes.
NOTE: Access start and end times that span across 12:00 AM starting on a specified day result
in the user having access until the next day, even if the access day is not explicitly configured
on the allowed-days statement.
For the allow-commands statement, each expression separated by a pipe (|) symbol must be a complete
standalone expression, and must be enclosed in parentheses ( ). Do not use spaces between regular
expressions separated with parentheses and connected with the pipe (|) symbol.
For the allow-commands-regexps statement, you configure a set of strings in which each string is a
regular expression, enclosed in double quotes and separated with a space operator. Each string is
evaluated against the full path of the command, which provides faster matching than the
allow-commands statement. You can also include values for variables in the regular expressions, which
is not supported using the allow-commands statement.
For the allow-configuration statement, each expression separated by a pipe (|) symbol must be a
complete standalone expression, and must be enclosed in parentheses ( ). Do not use spaces between
regular expressions separated with parentheses and connected with the pipe (|) symbol.
For the allow-configuration-regexps statement, you configure a set of strings in which each string is
a regular expression, enclosed in double quotes and separated with a space operator. Each string is
evaluated against the full path of the configuration statement, which provides faster matching than the
allow-configuration and deny-configuration statements. You can also include values for variables in the
regular expressions, which is not supported using the allow-configuration and deny-configuration statements.
allow-sources [ source-addresses ... ]—Restrict incoming remote access to only particular hosts. Specify
one or more source addresses from which access is allowed. The source addresses can be IPv4 or IPv6
addresses, prefix lengths, or hostnames.
allowed-days [ days of the week ]—Specify one or more days of the week when users in this class are
allowed to log in.
Values:
• monday—Monday
• tuesday—Tuesday
• wednesday—Wednesday
• thursday—Thursday
• friday—Friday
• saturday—Saturday
• sunday—Sunday
cli—Set the CLI prompt specified for the login class. If a CLI prompt is also set at the [edit system login
user cli] hierarchy level, the prompt set for the login user has precedence over the prompt set for the
login class.
prompt prompt—Specify the prompt string you want to see displayed in the CLI prompt.
configuration-breadcrumbs—Enable the configuration breadcrumbs view in the CLI to display the location
in the configuration hierarchy. For an example of how to enable this view, see Enabling Configuration
Breadcrumbs.
confirm-commands—Specify that confirmation for particular commands is explicitly required and, optionally,
specify the wording of the message displayed at confirm time. You can specify the commands using
a list of regular expressions or commands.
Syntax: message
Default: If you omit this option, then confirmation for commands is not required. If the optional
message is not set, then the default "Do you want to continue?" message is displayed.
For the deny-commands statement, each expression separated by a pipe (|) symbol must be a complete
standalone expression, and must be enclosed in parentheses ( ). Do not use spaces between regular
expressions separated with parentheses and connected with the pipe (|) symbol.
For the deny-commands-regexps statement, you configure a set of strings in which each string is a
regular expression, enclosed in double quotes and separated with a space operator. Each string is
evaluated against the full path of the command, which provides faster matching than the
allow-commands and deny-commands statements. You can also include values for variables in the regular
expressions, which is not supported using the allow-commands and deny-commands statements.
For the deny-configuration statement, each expression separated by a pipe (|) symbol must be a
complete standalone expression, and must be enclosed in parentheses ( ). Do not use spaces between
regular expressions separated with parentheses and connected with the pipe (|) symbol.
For the deny-configuration-regexps statement, you configure a set of strings in which each string is
a regular expression, enclosed in double quotes and separated with a space operator. Each string is
evaluated against the full path of the configuration statement, which provides faster matching than the
allow-configuration and deny-configuration statements. You can also include values for variables in the
regular expressions, which is not supported using the allow-configuration and deny-configuration statements.
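As an added illustration of the two pattern forms described above for allow-commands, deny-commands and their -regexps variants (example code written for this page, not Juniper's implementation), the following Python checks that a pipe-joined expression obeys the format rules and evaluates commands against either form. It assumes Python's re module as a stand-in for the Junos regex engine, anchors each pattern to the whole command, and uses constructed sample expressions and commands.

```python
import re
from typing import List

# Added example; not Juniper code. Models the two ways this reference lets a
# login class express command patterns:
#   allow-commands / deny-commands: one string whose components are each
#       enclosed in parentheses and joined by "|" with no surrounding spaces;
#   allow-commands-regexps / deny-commands-regexps: a list of strings, each
#       evaluated on its own against the full command path.
# Python's re module stands in for the Junos regex engine, and anchoring each
# pattern to the whole command (re.fullmatch) is an assumption, not something
# this reference states.


def split_pipe_expression(expression: str) -> List[str]:
    """Split "(show .*)|(ping .*)" into its components, raising ValueError
    when the format rules are violated. Parentheses are counted literally,
    so an escaped "\\(" inside a component is not handled."""
    components: List[str] = []
    current: List[str] = []
    depth = 0
    for ch in expression:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced parentheses in %r" % expression)
        if ch == "|" and depth == 0:
            # A pipe outside all parentheses separates two components.
            components.append("".join(current))
            current = []
        else:
            current.append(ch)
    if depth != 0:
        raise ValueError("unbalanced parentheses in %r" % expression)
    components.append("".join(current))
    for comp in components:
        if comp != comp.strip():
            raise ValueError("whitespace next to a pipe in %r" % comp)
        if not (comp.startswith("(") and comp.endswith(")")):
            raise ValueError("component not enclosed in parentheses: %r" % comp)
    return components


def is_well_formed(expression: str) -> bool:
    """True when the expression obeys the allow-/deny-commands format rules."""
    try:
        split_pipe_expression(expression)
        return True
    except ValueError:
        return False


def matches_pipe_expression(command: str, expression: str) -> bool:
    """Does the command match any component of a validated expression?"""
    return any(re.fullmatch(comp, command)
               for comp in split_pipe_expression(expression))


def matches_regexps_list(command: str, patterns: List[str]) -> bool:
    """The *-regexps form: each string is a complete pattern on its own, so it
    can carry variable values such as an interface number range."""
    return any(re.fullmatch(pat, command) for pat in patterns)


if __name__ == "__main__":
    # Constructed sample values for demonstration.
    allow = "(show .*)|(ping .*)"
    deny_regexps = ["show configuration.*", "show interfaces ge-0/0/[0-9]"]
    for cmd in ("show interfaces ge-0/0/3", "show system users",
                "request system reboot"):
        print("%-28s allow=%s deny=%s" % (
            cmd, matches_pipe_expression(cmd, allow),
            matches_regexps_list(cmd, deny_regexps)))
    print("well formed:", is_well_formed(allow),
          is_well_formed("(show .*) | (ping .*)"))
```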
deny-sources [ source-addresses ... ]—Never allow remote access from these hosts. The source addresses can
be IPv4 or IPv6 addresses, prefix lengths, or hostnames.
idle-timeout—For a login class, configure the maximum time in minutes that a session can be idle before
the session times out and the user is logged out of the device. The session times out after remaining
at the CLI operational mode prompt for the specified time.
NOTE: After a user logs in to a device from a shell prompt such as csh, if the user starts
another program to run in the foreground of the CLI, the idle timer stops counting. The idle
time of the CLI session is computed again only after the foreground process exits and control
returns to the shell prompt. Once the idle timer restarts, if there is no user interaction on the
shell, the user is automatically logged out after the time set on this statement.
Default: If you omit this statement, a user is never forced off the system after extended idle times.
Syntax: minutes—Maximum time in minutes that a session can be idle before a user is logged out.
Range: 0 through 4294967295 minutes
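The following Python, an added example rather than Juniper code, applies the allow-sources and deny-sources descriptions above to a login source address: a source listed in deny-sources is never permitted, and when allow-sources is configured only its entries are permitted (combining the two this way is a reading of the two descriptions, not something the reference states). It covers IPv4 and IPv6 addresses and prefix lengths only; hostname entries are left out, and all addresses are constructed samples.

```python
import ipaddress
from typing import Iterable, List, Union

# Added example; not Juniper code. Evaluates a remote-access source against a
# login class's allow-sources and deny-sources lists as this reference
# describes them. Hostname entries would need name resolution and are not
# handled here. "Deny wins, empty allow list means unrestricted" is this
# example's reading of the descriptions, not a statement from the reference.

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_sources(entries: Iterable[str]) -> List[Network]:
    """Turn entries such as "10.0.0.5", "10.1.0.0/16" or "2001:db8::/32"
    into network objects. A bare address becomes a single-host prefix;
    strict=False lets a prefix written with host bits set still parse."""
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def source_in(source: str, networks: List[Network]) -> bool:
    """True if the source address falls inside any listed prefix of the
    same IP version."""
    addr = ipaddress.ip_address(source)
    return any(addr.version == net.version and addr in net for net in networks)


def remote_access_permitted(source: str,
                            allow_sources: Iterable[str] = (),
                            deny_sources: Iterable[str] = ()) -> bool:
    """Apply deny-sources first (never allowed), then allow-sources (only
    these, when the list is non-empty)."""
    if source_in(source, parse_sources(deny_sources)):
        return False
    allowed = parse_sources(allow_sources)
    return not allowed or source_in(source, allowed)


if __name__ == "__main__":
    # Constructed sample lists for demonstration.
    allow = ["10.1.0.0/16", "2001:db8:1::/48"]
    deny = ["10.1.99.0/24"]
    for src in ("10.1.2.3", "10.1.99.7", "10.2.0.1", "2001:db8:1::10"):
        print("%-16s permitted=%s" % (src, remote_access_permitted(src, allow, deny)))
```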
login-alarms—Display system alarms when a user with admin permissions logs in to the device. For more
information about configuring this statement, see “Configuring System Alarms to Appear Automatically
Upon Login” on page 46.
login-script—Run the specified op script when a user belonging to the class logs in to the CLI. The script
must be enabled in the configuration.
logical-system—Assign the users in this login class to a logical system. If you specify a logical system, you
can’t include the satellite configuration statement in the configuration for this login class.
no-hidden-commands—Deny all hidden commands, except for those specified, for users in this login class.
Each command listed as an exception must be enclosed in quotation marks.
Default: Hidden commands are enabled by default.
Syntax: except [“command 1” “command 2” ...]
satellite—Specify access to Junos Fusion satellite devices for the login class. All users assigned to the login
class are satellite users. If you include this statement, you can’t include the logical-system configuration
statement in the configuration for this login class.
Values:
• all—Specify all Junos Fusion satellite devices.
security-role—Specify one or more Common Criteria (ISO/IEC 15408) security roles for the login class.
Values:
audit-administrator—Specify which users are responsible for the regular review of specific target of
evaluation (TOE) audit data and audit trail deletion. Audit administrators can also invoke the
non-cryptographic self-test.
crypto-administrator—Specify which users are responsible for the configuration and maintenance of
cryptographic elements related to the establishment of secure connections to and from the TOE
audit data.
ids-administrator—Specify which users can act as intrusion detection service (IDS) administrators,
who are responsible for all of the activities regarding identity and access management of the
organization’s employees.
security-administrator—Specify which users are responsible for ensuring that the organization’s
security policy is in place.
tenant—Assign the users in this class to a tenant system. Tenant systems are used when you need to
separate departments, organizations, or customers and each of them can be limited to one virtual
router. The main difference between a logical system and a tenant system is that a logical system
supports advanced routing functionality using multiple routing instances. In comparison, a tenant
system supports only one routing instance, but supports the deployment of significantly more tenants
per system.
RELATED DOCUMENTATION
connection-limit
Syntax
connection-limit limit;
Hierarchy Level
Release Information
Statement introduced before Junos OS Release 7.4.
Statement introduced in Junos OS Release 9.0 for EX Series switches.
Statement introduced in Junos OS Release 11.1 for the QFX Series.
Statement introduced in Junos OS Release 11.4 for the SRX Series.
Statement introduced in Junos OS Release 14.1X53-D20 for OCX Series switches.
Description
Configure the maximum number of connection sessions for each type of system service (finger, ftp, ssh,
telnet, xnm-clear-text, or xnm-ssl) per protocol (either IPv6 or IPv4).
Options
limit—(Optional) Maximum number of established connections per protocol (either IPv6 or IPv4).
Range: 1 through 250
Default: 75
NOTE: The actual number of maximum connections depends on the availability of system
resources, and might be fewer than the configured connection-limit value if the system resources
are limited.
RELATED DOCUMENTATION
Configuring clear-text or SSL Service for Junos XML Protocol Client Applications
Configuring DTCP-over-SSH Service for the Flow-Tap Application
Configuring Finger Service for Remote Access to the Router | 257
Configuring FTP Service for Remote Access to the Router or Switch | 256
Configuring SSH Service for Remote Access to the Router or Switch | 257
Configuring Telnet Service for Remote Access to a Router or Switch | 255
custom-options
Syntax
custom-options {
banner-message string;
footer-bgcolor color;
footer-message string;
footer-text-color color;
form-header-bgcolor color;
form-header-message string;
form-header-text-color color;
form-reset-label label name;
form-submit-label label name;
header-bgcolor color;
header-logo filename;
header-message string;
header-text-color color;
post-authentication-url url-string;
}
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 10.1 for EX Series switches.
Description
Specify the design elements of a captive portal login page.
Options
banner-message—The first screen displayed before the captive portal login page is displayed—for example,
a disclaimer message or a terms and conditions of use page.
Range: 1–2047 characters
footer-bgcolor—The hexadecimal color code for the color of the footer bar across the bottom of the
captive portal login page—for example, #2E8B57 (sea green).
Values: # symbol followed by six characters.
footer-message—Text message displayed in the footer bar across the bottom of the captive portal login
page.
Range: 1–2047 characters
form-header-bgcolor—The hexadecimal color code for the background color of the header bar across the
top of the form area of the captive portal login page.
Values: # symbol followed by six characters.
form-header-message—Text message displayed in the header bar across the top of the form area of the
captive portal login page.
Range: 1–255 characters
Default: Captive Portal User Authentication
form-reset-label—Label displayed in the button that the user can select to clear the username and password
fields on the form.
Range: 1–255 characters
Default: Reset
form-submit-label—Label displayed in the button that the user selects to submit their login information—for
example, Log In.
Range: 1–255 characters
Default: Log In
header-bgcolor—The hexadecimal color code for the color of the header bar across the top of the captive
portal login page.
Values: # symbol followed by six characters.
header-logo—Filename of the file containing the image of the logo displayed at the top of the captive
portal login page. The image file can be in GIF, JPEG, or PNG format.
Default: The Juniper Networks logo
header-message—Text displayed in the header bar across the bottom of the captive portal login page.
Range: 1–2047 characters
Default: User Authentication
post-authentication-url—URL to which the users are directed upon successful authentication—for example
www.mycafe.com.
Range: 1–255 characters
Default: The page originally requested by the user.
description text-string;
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 7.6.
Statement introduced in Junos OS Release 9.0 for EX Series switches.
Support for the BFD protocol introduced in Junos OS Release 9.6.
Support for the BFD protocol introduced in Junos OS Release 9.6 for EX Series switches.
Support for IS-IS introduced in Junos OS Release 11.2.
Description
Configure a description for an authentication key-chain.
Options
text-string—A text string describing the authentication-key-chain. Put the text string in quotes (“text
description”).
RELATED DOCUMENTATION
Configuring the Authentication Key Update Mechanism for BGP and LDP Routing Protocols | 250
Example: Configuring BFD Authentication for Securing Static Routes
Example: Configuring Hitless Authentication Key Rollover for IS-IS
destination (Accounting)
Syntax
destination {
radius {
server {
server-address {
accounting-port port-number;
max-outstanding-requests value;
port port-number;
retry value;
secret password;
source-address source-address;
timeout seconds;
}
}
}
tacplus {
server {
server-address {
port port-number;
secret password;
single-connection;
timeout seconds;
}
}
}
}
Hierarchy Level
Release Information
Statement introduced before Junos OS Release 7.4.
radius statement added in Junos OS Release 7.4. Support for IPv6 source address added in Junos OS
Release 12.1X47-D15 for SRX1500, SRX5400, SRX5600, and SRX5800 devices.
Description
Configure the authentication server.
Options
destination (Accounting)
Syntax
destination {
radius {
server {
server-address {
accounting-port port-number;
retry number;
routing-instance routing-instance;
secret password;
source-address address;
source-address-inet6 IPv6-source-address;
timeout seconds;
}
}
}
tacplus {
server {
server-address {
port port-number;
routing-instance routing-instance;
secret password;
single-connection;
timeout seconds;
}
}
}
}
Hierarchy Level
Release Information
Statement introduced before Junos OS Release 7.4.
radius statement added in Junos OS Release 7.4.
Statement introduced in Junos OS Release 9.0 for EX Series switches.
Statement introduced in Junos OS Release 11.1 for the QFX Series.
Statement introduced in Junos OS Release 14.1X53-D20 for the OCX Series.
Description
Options
source-address-inet6 IPv6-source-address—A valid IPv6 address configured on one of the router or switch
interfaces.
destination (RADSEC)
Syntax
destination id-number {
address ip-address;
max-tx-buffers number;
}
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 19.1R1.
Description
Define the RADSEC server as a destination for RADIUS traffic. Traffic that is destined for a RADIUS server
can then be redirected to the RADSEC destination. RADSEC destinations are identified by a unique numeric
ID. You can configure multiple RADSEC destinations with different parameters pointing to the same
RADSEC server.
Options
id-number—Globally unique ID number for the RADSEC destination.
NOTE: The buffer allocation should be able to accommodate the max-outstanding-requests for
mapped RADIUS servers configured at the [edit access radius-server] hierarchy level.
detection-time
Syntax
detection-time {
threshold milliseconds;
}
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 12.1.
Statement introduced in Junos OS Release 12.3R2 for EX Series switches.
Description
Enable failure detection. The BFD failure detection timers are adaptive and can be adjusted to be faster
or slower. For example, the timers can adapt to a higher value if the adjacency fails, or a neighbor can
negotiate a higher value for a timer than the one configured.
The remaining statements are explained separately. Search for a statement in CLI Explorer or click a linked
statement in the Syntax section for details.
RELATED DOCUMENTATION
Example: Configuring Group Liveness Detection with BFD for DHCP Local Server Clients
Example: Configuring Global Liveness Detection with BFD for DHCP Relay Agent Clients
disable (DNSSEC)
Syntax
disable;
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 10.2.
Description
Disables DNSSEC in the DNS server.
dlv
Syntax
dlv {
domain-name domain-name trusted-anchor trusted-anchor;
}
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 10.2.
Description
Configure DNSSEC Lookaside Validation (DLV).
Options
• domain-name domain-name—Specify the secure domain server name.
dot1x
Syntax
dot1x {
authenticator {
authentication-profile-name access-profile-name;
interface (all | [ interface-names ]) {
authentication-order (captive-portal | dot1x | mac-radius);
disable;
guest-bridge-domain guest-bridge-domain;
guest-vlan guest-vlan;
ignore-port-bounce;
mac-radius;
authentication-protocol {
eap-md5;
eap-peap {
resume;
}
pap;
}
flap-on-disconnect;
restrict;
}
maximum-requests number;
multi-domain {
max-data-session max-data-session;
packet-action (drop-and-log | shutdown);
recovery-timeout seconds;
}
(no-reauthentication | reauthentication interval);
no-tagged-mac-authentication;
quiet-period seconds;
redirect-url redirect-url;
retries number;
server-fail (bridge-domain bridge-domain | deny | permit | use-cache | vlan-name vlan-name);
server-fail-voip (deny | permit | use-cache | vlan-name vlan-name);
server-reject-bridge-domain bridge-domain {
block-interval seconds;
eapol-block;
}
server-reject-vlan (vlan-id | vlan-name) {
block-interval block-interval;
eapol-block;
}
server-timeout seconds;
supplicant (single | single-secure | multiple);
supplicant-timeout seconds;
transmit-period seconds;
}
ip-mac-session-binding;
no-mac-table-binding;
radius-options {
add-interface-text-description;
use-vlan-id;
use-vlan-name;
}
static mac-address {
bridge-domain-assignment bridge-domain-assignment;
interface interface;
vlan-assignment vlan-identifier;
}
}
}
ssl-certificate-path path-name;
traceoptions {
file filename <files files> <size size> <(world-readable | no-world-readable)>;
flag (all | config-internal | dot1x-debug | dot1x-event | dot1x-ipc | eapol | esw-if | general | iccp | normal | parse | state | task | timer | vlan) {
disable;
}
}
}
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 9.0 for EX Series switches.
Statement introduced in Junos OS Release 9.3 for MX Series routers.
Statement introduced in Junos OS Release 14.1X53-D30 for the QFX Series.
Statement introduced in Junos OS Release 15.1X49-D80 for SRX Series.
ssl-certificate-path introduced in Junos OS Release 19.4.
Description
Configure IEEE 802.1X authentication for Port-Based Network Access Control. 802.1X authentication is
supported on interfaces that are members of private VLANs (PVLANs).
Default
802.1X is disabled.
Options
ssl-certificate-path path-name—Specify the file path for SSL certificates if you are not using the default
path. The default path for SSL certificates is /var/tmp.
The remaining statements are explained separately. Search for a statement in CLI Explorer or click a linked
statement in the Syntax section for details.
eapol-block
Syntax
eapol-block {
captive-portal;
mac-radius;
server-fail <seconds>;
}
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 11.2 for EX Series switches.
Statement introduced in Junos OS Release 14.1X53-D30 for the QFX Series.
Support at the [edit protocols dot1x authenticator interface interface-name] hierarchy level introduced
in Junos OS Releases 14.1X53-D40 and 15.1X53-D51 for EX Series switches.
captive-portal and mac-radius introduced in Junos OS Release 17.2R1.
Description
Enable the device to ignore Extensible Authentication Protocol over LAN (EAPoL)-Start messages received
from a client that has been authenticated so that the device does not trigger re-authentication. The device
typically attempts to restart the authentication procedure by contacting the authentication server when
it receives an EAPoL-Start message from a client—even for authenticated clients. You can configure the
eapol-block statement to help prevent unnecessary downtime that can occur when the device waits for
a response from the authentication server.
If you configure the device to block EAPoL-Start messages, when the device receives an EAPoL-Start
message from an authenticated client, the device ignores the message and does not attempt to contact
the authentication server for reauthentication. The existing authentication session that was established
for the client remains open.
The EAPoL-Start messages are blocked only if the client is in the authenticated state. EAPoL-Start messages
from new clients are accepted.
Default
If the eapol-block statement is not configured, the device attempts to contact the authentication server
to authenticate the client when it receives an EAPoL-Start message.
Options
captive-portal—Configure the device to ignore EAPoL-Start messages received from a client that has been
authenticated using captive portal authentication.
mac-radius—Configure the device to ignore EAPoL-Start messages received from a client that has been
authenticated using MAC RADIUS authentication. The mac-radius option is also valid for clients
authenticated using central Web authentication (CWA).
server-fail <seconds>—Configure the device to ignore EAPoL-Start messages received from a client that
has been authenticated using server fail fallback or server reject VLAN methods. Optionally, configure
the time interval, in seconds, during which the device will not attempt to contact the authentication
server to re-authenticate a client that has already been authenticated using server fail fallback.
Default: 120 seconds.
Range: 120 through 65,535 seconds.
RELATED DOCUMENTATION
Example: Configuring Fallback Options on EX Series Switches for EAP-TTLS Authentication and Odyssey
Access Clients | 379
enhanced-avs-max
Syntax
enhanced-avs-max <number>;
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 14.1.
Description
Configure the number of attribute values to be displayed.
Options
<number>—Number of attribute values.
Range: 7 through 15
Default: 7
RELATED DOCUMENTATION
accounting | 1048
Configuring RADIUS System Accounting | 219
Configuring TACACS+ System Accounting | 242
events
Syntax
Hierarchy Level
Release Information
Statement introduced before Junos OS Release 7.4.
Statement introduced in Junos OS Release 9.0 for EX Series switches.
Description
Configure the types of events to track and log.
Options
change-log—Audit configuration changes.
login—Audit logins.
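The events statement above and the destination (Accounting) statement earlier in this section are normally configured together. The following is an added example, not taken from the Juniper documentation: it exports login and configuration-change records to two RADIUS accounting servers, one reached over IPv4 and one over IPv6 (the addresses are constructed documentation-range values and the shared secret is a placeholder), and assumes the [edit system accounting] hierarchy.

```junos
system {
    accounting {
        /* Which activity is exported: logins and configuration changes */
        events [ login change-log ];
        destination {
            radius {
                server {
                    /* Constructed RFC 5737 documentation address; the secret is
                       entered in plain text and obfuscated by Junos on commit */
                    192.0.2.10 {
                        accounting-port 1813;
                        secret "replace-with-shared-secret";
                        /* Fix the source address so the server can validate the client */
                        source-address 192.0.2.1;
                        retry 3;
                        timeout 5;
                    }
                    /* Constructed RFC 3849 documentation address; the IPv6 source
                       address uses the source-address-inet6 option */
                    2001:db8::10 {
                        accounting-port 1813;
                        secret "replace-with-shared-secret";
                        source-address-inet6 2001:db8::1;
                        retry 3;
                        timeout 5;
                    }
                }
            }
        }
    }
}
```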
failover-delay
Syntax
failover-delay milliseconds;
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 9.4.
Description
Configure the failover delay for VRRP and VRRP for IPv6 operations.
Options
milliseconds—Specify the failover delay time, in milliseconds.
Range: 50 through 2000
file filename {
facility severity;
archive {
files number;
size size;
(no-world-readable | world-readable);
}
explicit-priority;
match "regular-expression";
match-strings string-name;
structured-data {
brief;
}
}
Hierarchy Level
Release Information
Statement introduced before Junos OS Release 7.4.
Statement introduced in Junos OS Release 9.0 for EX Series switches.
Statement introduced in Junos OS Release 11.1 for the QFX Series.
Description
Configure the logging of system messages to a file.
Options
facility—Class of messages to log. To specify multiple classes, include multiple facility severity statements.
For a list of the facilities, see Junos OS System Logging Facilities.
file filename—File in the /var/log directory in which to log messages from the specified facility. To log
messages to more than one file, include more than one file statement.
severity—Severity of the messages that belong to the facility specified by the paired facility name. Messages
with severities of the specified level and higher are logged. For a list of the severities, see System Log
Message Severity Levels.
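An added example of this statement (not from the Juniper documentation) that writes an audit log of authorization events, configuration changes and the commands that operators type to /var/log/security-audit, assuming the [edit system syslog] hierarchy and the file name chosen here.

```junos
system {
    syslog {
        /* One file statement; the name is relative to /var/log */
        file security-audit {
            /* One facility severity pair per line; "info" and higher are kept */
            authorization info;
            change-log info;
            interactive-commands info;
            /* Record the numeric priority in each line so a collector can
               recover facility and severity after the file is shipped */
            explicit-priority;
            /* Rotate at 5 MB, keep 10 archived copies, and keep them
               unreadable by unprivileged local users */
            archive {
                size 5m;
                files 10;
                no-world-readable;
            }
        }
    }
}
```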
file name {
allow-duplicates;
archive name password password routing-instance routing-instance <(binary-data | no-binary-data)> <files files> <size bytes> <start-time start-time> <transfer-interval minutes> <(world-readable | no-world-readable)>;
contents (any | authorization | change-log | conflict-log | daemon | dfc | external | firewall | ftp |
interactive-commands | kernel | local0 | lpr | mail | news | ntp | pfe | privileged | security | syslog | user | uucp) {
}
explicit-priority;
match match;
match-strings [ match-strings ... ];
structured-data (brief | detail);
}
Hierarchy Level
Release Information
Statement introduced before Junos OS Release 12.1X47 for SRX Series.
Description
Specify the file in which to log data.
Options
• filename—Specify the name of the file in which to log data.
• no-binary-data—Do not mark the file such that it contains binary data.
• size—Specify the size of files to be archived. Range: 65,536 through 1,073,741,824 bytes.
• start-time—Specify the start time for file transmission. Enter the start time in the yyyy-mm-dd.hh:mm
format.
• brief—Omit English language text from the end of the logged message.
finger
Syntax
finger {
connection-limit limit;
rate-limit limit;
}
Hierarchy Level
Release Information
Statement introduced before Junos OS Release 7.4.
Description
Allow finger requests from remote systems to the local router.
flow-tap-dtcp
Syntax
flow-tap-dtcp {
ssh {
connection-limit limit;
rate-limit limit;
}
}
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 8.1.
Description
Configure Dynamic Tasking Control Protocol (DTCP) sessions to run over SSH in support of the flow-tap,
FlowTapLite, or radius-flow-tap services. Note that the flow-tap feature is not supported on outbound,
or egress, traffic. Only inbound, or ingress, traffic is supported.
This statement is required for DTCP-initiated subscriber secure policy mirroring (radius-flow-tap service).
Options
connection-limit limit—(Optional) Maximum number of connections allowed.
Range: 1 through 250
Default: 75
ftp
Syntax
ftp {
authentication-order [authentication-methods];
connection-limit limit;
rate-limit limit;
}
Hierarchy Level
Release Information
Statement introduced before Junos OS Release 7.4.
Statement introduced in Junos OS Release 9.0 for EX Series switches.
Description
Allow FTP requests from remote systems to the local router or switch.
Options
The remaining statements are explained separately.
Configuring FTP Service for Remote Access to the Router or Switch | 256
host hostname {
dsa-key dsa-key;
ecdsa-sha2-nistp256-key ecdsa-sha2-nistp256-key;
ecdsa-sha2-nistp384-key ecdsa-sha2-nistp384-key;
ecdsa-sha2-nistp521-key ecdsa-sha2-nistp521-key;
ed25519-key ed25519-key;
rsa-key rsa-key;
rsa1-key rsa1-key;
}
Hierarchy Level
Release Information
Statement modified in Junos OS Release 8.5.
Description
Configure the type of base-64 encoded host key.
Options
• hostname—Name of the SSH known host.
• rsa-key rsa-key—RSA public key algorithm, which supports encryption and digital signatures for SSH
version 1 and SSH version 2
• rsa1-key rsa1-key—RSA public key algorithm, which supports encryption and digital signatures for SSH
version 1
RELATED DOCUMENTATION
Generating SSL Certificates for Secure Web Access (SRX Series Devices) | 305
Generating a Self-Signed SSL Certificate Automatically | 307
hostkey-algorithm
Syntax
hostkey-algorithm {
(no-ssh-dss | ssh-dss);
(no-ssh-rsa | ssh-rsa);
(no-ssh-ecdsa | ssh-ecdsa);
(no-ssh-ed25519 | ssh-ed25519);
}
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 11.2.
Description
Allow or disallow a host-key algorithm to authenticate another host through the SSH protocol. The host-key
uses RSA, ECDSA, ED25519, and DSS algorithms.
The following are the behaviors when the hostkey-algorithm option is configured with SSH client and SSH
server:
• On the SSH client, the host-key algorithms that are supported when talking to a server are:
• On the SSH server, the host-key algorithms that are generated and stored are:
Options
• ssh-ecdsa—Allow generation of an ECDSA host-key. Key pair sizes of 256, 384, or 521 bits are compatible
with ECDSA.
NOTE: DSA keys are not supported in FIPS, so the ssh-dss option is not available on systems
operating in FIPS mode.
• ssh-rsa—Allow generation of an RSA host-key. Key pair sizes greater than or equal to 1024 are compatible
with RSA.
• no-ssh-dss—Do not allow generation of a 1024-bit Digital Signature Algorithm (DSA) host-key.
• no-ssh-ecdsa—Do not allow generation of an Elliptic Curve Digital Signature Algorithm (ECDSA) host-key.
RELATED DOCUMENTATION
Generating SSL Certificates for Secure Web Access (SRX Series Devices) | 305
Generating a Self-Signed SSL Certificate Automatically | 307
http {
interface [ interface-names ];
port port;
}
Hierarchy Level
Release Information
Statement introduced before Junos OS Release 7.4.
Statement introduced in Junos OS Release 8.5 for SRX Series.
Statement introduced in Junos OS Release 9.0 for EX Series.
Description
Configure the port and interfaces for the HTTP service, which is unencrypted.
Options
interface [ interface-names ]—Specify the name of one or more interfaces on which to accept access through
the HTTP service. By default, HTTP access is allowed through built-in Fast Ethernet or Gigabit Ethernet
interfaces only.
port port-number—Configure the TCP port number on which to connect the HTTP service.
Range: 1 through 65,535
https {
interface [ interface-names ];
( local-certificate name | pki-local-certificate name | system-generated-certificate );
port port;
}
Hierarchy Level
Release Information
Statement introduced before Junos OS Release 7.4.
Statement introduced in Junos OS Release 9.0 for EX Series switches.
pki-local-certificate introduced in Junos OS Release 9.1 for SRX Series.
system-generated-certificate introduced in Junos OS Release 11.1 for EX Series.
Statement introduced on the SRX5400, SRX5600, and SRX5800 devices starting from Junos OS Release
12.1X44-D10 and on vSRX, SRX300, SRX320, SRX340, SRX345, SRX380, SRX550M, and SRX1500 Services
Gateways starting from Junos OS Release 15.1X49-D40.
Description
Configure the secure version of the HTTP service, HTTPS, which is encrypted.
Options
interface [ interface-names ]—Specify the name of one or more interfaces on which to accept access through
the HTTPS service. By default, HTTPS access is allowed through any ingress interface, but HTTP access
is allowed through built-in Fast Ethernet or Gigabit Ethernet interfaces only.
• pki-local-certificate name—(EX, QFX, and SRX Series only) Specify the name of the X.509 certificate
that is generated by the public key infrastructure (PKI) and authenticated by a certificate authority
(CA).
port port-number—Configure the TCP port number on which to connect the HTTPS service.
Range: 1 through 65,535
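The connection-limit, hostkey-algorithm, http and https statements in this section all live under [edit system services]. The following added example (not from the Juniper documentation) shows them together in a hardened form: SSH with the DSA host key refused and per-protocol session limits, and only the encrypted HTTPS management service, bound to one interface. The certificate name and the management interface name (fxp0.0 here; many EX switches use me0.0) are assumptions, and the web-management hierarchy is assumed from the platform.

```junos
system {
    services {
        ssh {
            /* hostkey-algorithm: refuse the 1024-bit DSA host key (unavailable
               in FIPS mode anyway) and keep RSA, ECDSA and ED25519 */
            hostkey-algorithm {
                no-ssh-dss;
                ssh-rsa;
                ssh-ecdsa;
                ssh-ed25519;
            }
            /* connection-limit: at most 10 established SSH sessions per protocol
               (IPv4 and IPv6 are counted separately); rate-limit caps the rate
               of new connection attempts */
            connection-limit 10;
            rate-limit 5;
        }
        web-management {
            /* No http stanza, so the unencrypted listener is never started */
            https {
                /* Certificate issued through the device PKI; name is a placeholder */
                pki-local-certificate MGMT-CERT;
                /* Accept HTTPS only on the dedicated management interface */
                interface [ fxp0.0 ];
                port 443;
            }
        }
    }
}
```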
interface (802.1X)
Syntax
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 9.0 for the EX Series.
Statement introduced in Junos OS Release 9.3 for the MX Series.
server-reject-vlan introduced in Junos OS Release 9.3 for EX Series switches.
eapol-block introduced in Junos OS Release 11.2.
Statement introduced in Junos OS Release 14.1X53-D30 for the QFX Series.
authentication-order and redirect-url introduced in Junos OS Release 15.1R3.
server-fail-voip introduced in Junos OS Releases 14.1X53-D40 and 15.1R4 for EX and QFX Series switches.
ignore-port-bounce introduced in Junos OS Release 17.3R1.
multi-domain introduced in Junos OS Release 18.3R1.
Description
Configure IEEE 802.1X authentication for Port-Based Network Access Control for all interfaces or for
specific interfaces.
Options
(all | [ interface-names ])—Configure either a list of interface names or all interfaces for 802.1x authentication.
guest-bridge-domain guest-bridge-domain—(MX Series only) Specify the bridge domain tag identifier or
the name of the guest bridge domain to which an interface is moved when no 802.1X supplicants are
connected on the interface. The bridge domain specified must already exist on the device.
guest-vlan (vlan-id | vlan-name)—(EX, QFX, and SRX Series only) Specify the VLAN tag identifier or the
name of the guest VLAN to which an interface is moved when no 802.1X supplicants are connected
on the interface. The VLAN specified must already exist on the device. Guest VLANs can be configured
on devices that are using 802.1X authentication to provide limited access—typically only to the
Internet—for corporate guests. A guest VLAN is not used for supplicants that send incorrect credentials.
Those supplicants are directed to the server-reject VLAN instead.
NOTE: If the authentication server sends an authentication session timeout to the client, this
takes priority over the value configured locally using the reauthentication statement. The
session timeout value is sent from the server to the client as an attribute of the RADIUS
Access-Accept message.
quiet-period seconds—Specify the number of seconds the interface remains in the wait state following a
failed authentication attempt by a supplicant before reattempting authentication.
Range: 0 through 65,535 seconds
Default: 60 seconds
redirect-url redirect-url—Specify a URL that redirects unauthenticated hosts to a central Web authentication
(CWA) server. The CWA server provides a web portal where the user can enter a username and
password. If these credentials are validated by the CWA server, the user is authenticated and is allowed
access to the network.
The redirect URL for central Web authentication can be configured centrally on the AAA server or
locally on the switch. Use the redirect-url statement to configure the redirect URL locally on the
interface connecting the host to the switch.
The redirect URL and a dynamic firewall filter must both be present for the central Web authentication
process to be triggered. For more information about configuring the redirect URL and the dynamic
firewall filter for central Web authentication, see “Configuring Central Web Authentication” on page 477.
NOTE: When the dynamic firewall filter is configured using the special Filter-ID attribute
JNPR_RSVD_FILTER_CWA, the CWA redirect URL must include the IP address of the AAA
server, for example, https://10.10.10.10.
Syntax: The redirect URL must use the HTTP or HTTPS protocol and include an IP address or website
name. The following are examples of valid redirect URL formats:
• http://www.example.com
• https://www.example.com
• http://10.10.10.10
• https://10.10.10.10
• http://www.example.com/login.html
• https://www.example.com/login.html
• http://10.10.10.10/login.html
• https://10.10.10.10/login.html
Default: Disabled. The redirect URL is not enabled for central Web authentication by default.
retries number—Specify the number of times the device attempts to authenticate the port after an initial
failure. When the limit is exceeded, the port waits to reattempt authentication for the number of
seconds specified with the quiet-period option configured at the same hierarchy level.
Range: 1 through 10 retries
Default: 3 retries
You must specify an action that the device applies to end devices when the authentication servers
are unavailable. The device can accept or deny access to supplicants or maintain the access already
granted to supplicants before the RADIUS timeout occurred. You can also configure the switch to
move the supplicants to a specific VLAN or bridge domain. The VLAN or bridge domain must already
be configured on the device.
NOTE: The server-fail statement is specifically for data traffic. For VoIP-tagged traffic, use
the server-fail-voip statement. The same interface can have a server-fail VLAN and a
server-fail-voip VLAN configured.
Values: Specify one of the following:
• bridge-domain—(MX Series only) Move the supplicant on the interface to the bridge domain specified by
this name or numeric identifier. This action is allowed only if it is the first supplicant connecting to an
interface. If an authenticated supplicant is already connected, then the supplicant is not moved to the
bridge domain and is not authenticated. The bridge domain must already be configured on the device.
• deny—Force the supplicant authentication to fail. No traffic will flow through the interface.
• permit—Force the supplicant authentication to succeed. Traffic will flow through the interface as if it
were successfully authenticated by the RADIUS server.
• use-cache—Force the supplicant authentication to succeed only if it was previously authenticated
successfully. This action ensures that already authenticated supplicants are not affected.
• vlan-name—(EX, QFX, or SRX Series only) Move the supplicant on the interface to the VLAN specified by
this name or numeric identifier. This action is allowed only if it is the first supplicant connecting to the
interface. If an authenticated supplicant is already connected, then the supplicant is not moved to the
VLAN and is not authenticated. The VLAN must already be configured on the device.
Default: If the RADIUS authentication server becomes unavailable, the end device is not authenticated
and is denied access to the network.
server-fail-voip (deny | permit | use-cache | vlan-name vlan-name)—(EX, QFX Series only) Specify how
VoIP clients sending voice traffic are supported if the RADIUS authentication server becomes
unavailable. Server fail fallback is triggered most often during reauthentication when the already
configured and in-use RADIUS server becomes inaccessible. However, server fail fallback can also be
triggered by a VoIP client’s initial attempt at authentication through the RADIUS server.
You must specify an action that the switch applies to VoIP clients when the authentication servers
are unavailable. The switch can accept or deny access to VoIP clients or maintain the access already
granted to clients before the RADIUS timeout occurred. You can also configure the switch to move
the VoIP clients to a specific VLAN. The VLAN must already be configured on the switch.
The server-fail-voip statement is specific to the VoIP-tagged traffic sent by clients. VoIP clients still
require that the server-fail statement be configured for the un-tagged traffic that they generate.
Therefore, when you configure the server-fail-voip statement you must also configure the server-fail
statement.
NOTE: An option other than server-fail deny must be configured for server-fail-voip to
successfully commit.
Values: Specify one of the following:
• deny—Force the VoIP client authentication to fail. No traffic will flow through the interface.
• permit—Force the VoIP client authentication to succeed. Traffic will flow through the interface as if it
were successfully authenticated by the RADIUS server.
• use-cache—Force the VoIP client authentication to succeed only if it was previously authenticated
successfully. This action ensures that already authenticated clients are not affected.
• vlan-name—Move the VoIP client on the interface to the VLAN specified by this name or numeric
identifier. This action is allowed only if it is the first VoIP client connecting to the interface. If an
authenticated VoIP client is already connected, then the VoIP client is not moved to the VLAN and is
not authenticated. The VLAN must already be configured on the switch.
Default: If a RADIUS authentication server becomes unavailable, a VoIP client that begins authentication
by sending voice traffic is not authenticated, and the voice traffic is dropped.
server-timeout seconds—Specify the amount of time a port will wait for a reply when relaying a response
from the supplicant to the authentication server before timing out and invoking the server-fail action.
Range: 1 through 60 seconds
Default: 30 seconds
supplicant (single | single-secure | multiple)—Specify the MAC-based method used to authenticate clients.
Values: Specify one of the following:
• single—Authenticates only the first client that connects to an authenticator port. All other clients
connecting to the authenticator port after the first are permitted free access to the port without
further authentication. If the first authenticated client logs out, all other supplicants are locked out
until a client authenticates again.
• single-secure—Authenticates only one client to connect to an authenticator port. The host must be
directly connected to the switch.
• multiple—Authenticates multiple clients individually on one authenticator port. You can configure
the number of clients per port. If you also configure a maximum number of devices that can be
connected to a port through port security settings, the lower of the configured values is used to
determine the maximum number of clients allowed per port.
Default: single
supplicant-timeout seconds—Specify the number of seconds the port waits for a response when relaying
a request from the authentication server to the supplicant before re-sending the request.
Range: 1 through 60 seconds
Default: 30 seconds
transmit-period seconds—Specify the number of seconds the port waits before retransmitting the initial
EAPoL PDUs to the supplicant.
Range: 1 through 65,535 seconds
Default: 30 seconds
The remaining statements are explained separately. Search for a statement in CLI Explorer or click a linked
statement in the Syntax section for details.
RELATED DOCUMENTATION
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 10.1 for EX Series switches.
Statement introduced in Junos OS Release 14.1X53-D30 for the QFX Series.
user-keepalive introduced in Junos OS Release 16.1 for EX Series switches.
Description
Configure captive portal authentication for all interfaces or for specific interfaces.
Options
all—All interfaces to be configured for captive portal authentication.
quiet-period seconds—Configure time, in seconds, after a user exceeds the maximum number of retries
before they can attempt to authenticate.
Range: 1–65535 seconds
Default: 60 seconds
retries number-of-tries—Configure the number of times the user can attempt to submit authentication
information.
Range: 1–65535 tries
Default: 3 tries
server-timeout seconds—Configure the time in seconds an interface will wait for a reply when relaying a
response from the client to the authentication server before timing out and invoking the server-fail
action.
session-expiry seconds—Configure the number of seconds before the captive portal authentication session
times out and the client must reattempt authentication.
NOTE: If the authentication server sends an authentication session timeout to the client, this
takes priority over the value configured locally using the session-expiry statement. The session
timeout value is sent from the server to the client as an attribute of the RADIUS Access-Accept
message.
supplicant (single | single-secure | multiple)—Specify the MAC-based method used to authenticate clients.
Values: Specify one of the following:
• single—Authenticates only the first client that connects to an authenticator port. All other clients
connecting to the authenticator port after the first are permitted free access to the port without
further authentication. If the first authenticated client logs out, all other supplicants are locked out
until a client authenticates again.
• single-secure—Authenticates only one client to connect to an authenticator port. The host must be
directly connected to the switch.
• multiple—Authenticates multiple clients individually on one authenticator port. You can configure
the number of clients per port. If you also configure a maximum number of devices that can be
connected to a port through port security settings, the lower of the configured values is used to
determine the maximum number of clients allowed per port.
Default: single
user-keepalive minutes—Extend a captive portal authentication session after the MAC table aging timer
expires, by the configured number of minutes. The keep-alive timer is started when the MAC address
of the authenticated host ages out of the Ethernet switching table. If traffic is received within the
keep-alive timeout period, the timer is deleted. If there is no traffic within the keep-alive timeout
period, the session is deleted, and the host must re-authenticate.
Default: Disabled. The captive portal authentication session ends when the associated MAC address
ages out of the Ethernet switching table.
Range: 7 through 65535 minutes
The remaining statements are explained separately. Search for a statement in CLI Explorer or click a linked
statement in the Syntax section for details.
RELATED DOCUMENTATION
interface (LLDP)
Syntax
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 9.0 for EX Series switches.
Statement introduced in Junos OS Release 9.6 for MX Series.
Statement introduced in Junos OS Release 11.1 for the QFX Series.
power-negotiation introduced in Junos OS Release 12.2 for EX and QFX Series switches.
Statement introduced in Junos OS Release 14.1X53-D20 for OCX Series switches.
trap-notification introduced in Junos OS Release 15.1R7-S3 for EX3300, EX4200, EX4500, EX4550,
EX6200, EX8200 switches.
Description
Configure Link Layer Discovery Protocol (LLDP) on all interfaces or on a particular interface.
NOTE: On MX Series and T Series routers, you run LLDP on a physical interface, such as ge-1/0/0,
and not at the logical interface (unit) level.
Starting with Junos OS Release 14.2, on MX Series devices, you can also configure LLDP on
management interfaces, such as fxp or me.
For information about interface names, see Interface Naming Overview. For information about
interface names for TX Matrix routers, see TX Matrix Router Chassis and Interface Names. For
information about FPC numbering on TX Matrix routers, see Routing Matrix with a TX Matrix
Router FPC Numbering.
For information about extended port names in the Junos Fusion technology, see Understanding
Junos Fusion Ports .
NOTE: On EX4300 switches, LLDP cannot be configured on the me0 or vme interface. Issuing
the command set protocols lldp interface me0 generates the following error message:
Issuing the command set protocols lldp interface vme generates the following error message:
Options
(all | [interface-name-list])—Configure LLDP on all interfaces or on one or more interfaces.
power-negotiation <(disable | enable)>—(EX, QFX Series only) Configure LLDP power negotiation, which
negotiates with Power over Ethernet (PoE) powered devices to allocate power.
You must also configure the management class statement at the [edit poe] hierarchy level to activate
LLDP power negotiation.
Values: Configure one of the following:
• disable—Disable LLDP power negotiation.
trap-notification (disable | enable)—Disables or enables the LLDP and physical topology SNMP traps for
the specific interface or all the interfaces.
Values: Configure one of the following:
• disable—Disable the LLDP and physical topology SNMP trap notifications.
Default: disable
The remaining statements are explained separately. Search for a statement in CLI Explorer or click a linked
statement in the Syntax section for details.
RELATED DOCUMENTATION
interface (LLDP-MED)
Syntax
interface name {
(disable | enable);
location {
civic-based {
ca-type type {
ca-value value;
}
country-code country-code;
what what;
}
co-ordinate {
lattitude latitude;
longitude longitude;
}
elin elin;
}
tlv-filter;
tlv-select;
}
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 9.0 for EX Series switches.
Statement introduced in Junos OS Release 11.1 for QFX Series switches.
Description
Configure Link Layer Discovery Protocol–Media Endpoint Discovery (LLDP-MED) on all interfaces or on
a specific interface.
Default
Not enabled.
Options
all | interface-name—Configure LLDP-MED on all interfaces or on a specific interface.
Default: If you do not configure LLDP-MED, it is disabled on the device and on specific interfaces.
The remaining statements are explained separately. Search for a statement in CLI Explorer or click a linked
statement in the Syntax section for details.
RELATED DOCUMENTATION
interface (VoIP)
Syntax
Hierarchy Level
• For platforms with ELS:
Release Information
Statement introduced in Junos OS Release 9.0 for EX Series switches.
Hierarchy level [edit switch-options] introduced in Junos OS Release 13.2X50-D10. (See Using the Enhanced
Layer 2 Software CLI for information about ELS.)
Description
(Required) Enable voice over IP (VoIP) on interfaces.
Options
all—Enable VoIP on all interfaces.
forwarding-class forwarding-class—(Optional) For EX Series switches, configure the forwarding class used
to handle packets on the VoIP interface.
• assured-forwarding—Assured forwarding (AF) provides a group of values you can define and includes
four subclasses: AF1, AF2, AF3, and AF4, each with three drop probabilities: low, medium, and high.
• best-effort—Provides no service profile. For the best effort forwarding class, loss priority is typically
not carried in a class-of-service (CoS) value, and random early detection (RED) drop profiles are more
aggressive.
• expedited-forwarding—Provides a low loss, low latency, low jitter, assured bandwidth, end-to-end
service.
Default: Disabled
vlan (vlan-id | vlan-name | untagged)—(Required) Specify the VLAN name or VLAN tag identifier associated
with the VLAN to be sent from the authenticating server to the IP phone or allow untagged VLAN
traffic.
Syntax: Specify one of the following:
• vlan-name—Name of a VLAN.
Range: vlan-id range is 1 through 4094. Tags 0 and 4095 are reserved by the Junos OS; do not configure
them.
RELATED DOCUMENTATION
Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX Series Switch | 492
Example: Configuring VoIP on an EX Series Switch Without Including 802.1X Authentication | 514
Example: Configuring VoIP on an EX Series Switch Without Including LLDP-MED Support | 508
interface-description-format
Syntax
interface-description-format {
exclude-adapter;
exclude-channel;
exclude-sub-interface;
}
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 9.1.
Statement introduced in Junos OS Release 9.1 for EX Series switches.
exclude-adapter and exclude-sub-interface options added in Junos OS Release 10.4.
exclude-channel option added in Junos OS Release 17.3R1.
Description
Specify the information that is excluded from the interface description that the device passes to RADIUS
for inclusion in the RADIUS attributes such as NAS-Port-ID (87) or Calling-Station-ID (31).
interface-type-slot/adapter/port.subinterface[:svlan-vlan]
For example, consider physical interface ge-1/2/0, with a subinterface of 100 and SVLAN identifier of
100. The interface description used in the NAS-Port-ID is ge-1/2/0.100:100. If you exclude the subinterface,
the description becomes ge-1/2/0:100.
interface-type-slot/adapter/channel.subinterface[:svlan-vlan]
• Subinterface is 4.
• SVLAN is 5.
• VLAN is 6.
Using the formula, the logical port number = 100 + (2 x 20) + 3 = 143. Consequently, the default interface
description is xe-0/1/143.4-5.6. If you exclude the channel information, the description becomes
xe-0/1/2.4-5.6.
Options
exclude-adapter—(Optional) Exclude the adapter from the interface description.
RELATED DOCUMENTATION
interfaces (ARP)
Syntax
interfaces {
interface-name {
aging-timer minutes;
}
}
Hierarchy Level
Release Information
Statement introduced before Junos OS Release 9.4.
Description
Specify the Address Resolution Protocol (ARP) aging timer in minutes for a logical interface.
Options
aging-timer minutes—Time between ARP updates, in minutes.
Default: 20
RELATED DOCUMENTATION
interfaces interface-name {
host-inbound-traffic {
protocols protocol-name {
except;
}
system-services service-name {
except;
}
}
}
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 8.5.
Description
Specify the set of interfaces that are part of the zone.
Options
interface-name —Name of the interface.
RELATED DOCUMENTATION
key key {
algorithm (md5 | hmac-sha-1);
options (basic | isis-enhanced);
key-name authentication-key-name;
secret secret-data;
start-time yyyy-mm-dd.hh:mm:ss;
}
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 7.6.
Statement introduced in Junos OS Release 9.0 for EX Series switches.
Support for the BFD protocol introduced in Junos OS Release 9.6.
Support for the BFD protocol introduced in Junos OS Release 9.6 for EX Series switches.
Support for IS-IS introduced in Junos OS Release 11.2.
Statement introduced in Junos OS Release 11.3 for the QFX Series.
Statement introduced in Junos OS Release 14.1X53-D20 for the OCX Series.
Statement introduced in Junos OS Release 17.4.
Description
Configure the authentication element.
Options
key—Each key within a keychain is identified by a unique integer value.
Range: 0 through 63
RELATED DOCUMENTATION
Configuring the Authentication Key Update Mechanism for BGP and LDP Routing Protocols | 250
Example: Configuring BFD Authentication for Securing Static Routes
Example: Configuring Hitless Authentication Key Rollover for IS-IS
key-chain (Security)
Syntax
key-chain key-chain-name {
description text-string;
key key {
algorithm (md5 | hmac-sha-1);
options (basic | isis-enhanced);
key-name authentication-key-name;
secret secret-data;
start-time yyyy-mm-dd.hh:mm:ss;
}
tolerance seconds;
}
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 7.6.
Statement introduced in Junos OS Release 9.0 for EX Series switches.
Support for the BFD protocol introduced in Junos OS Release 9.6.
Support for the BFD protocol introduced in Junos OS Release 9.6 for EX Series switches.
Support for IS-IS introduced in Junos OS Release 11.2.
Statement introduced in Junos OS Release 11.3 for the QFX Series.
Statement introduced in Junos OS Release 14.1X53-D20 for the OCX Series.
Statement introduced in Junos OS Release 17.4.
Description
Create the key-chain configuration for the Border Gateway Protocol (BGP), the Label Distribution Protocol
(LDP) routing protocols, the Bidirectional Forwarding Detection (BFD) protocol, and the Intermediate
System-to-Intermediate System (IS-IS) protocol.
Options
key-chain-name—Authentication keychain name. It can be up to 126 characters. Characters can include
any ASCII strings. If you include spaces, enclose all characters in quotation marks (“ ”).
RELATED DOCUMENTATION
authentication-key-chains | 1059
Configuring the Authentication Key Update Mechanism for BGP and LDP Routing Protocols | 250
Example: Configuring BFD Authentication for Securing Static Routes
Example: Configuring Hitless Authentication Key Rollover for IS-IS
key-exchange
Syntax
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 11.2. Support for the curve25519-sha256 option added in
Junos OS Release 12.1X47-D10.
Description
Specify the set of Diffie-Hellman key exchange methods that the SSH server can use.
Options
Specify one or more of the following Diffie-Hellman key exchange methods:
• ecdh-sha2-nistp256—The ECDH key exchange method with ephemeral keys generated on the nistp256
curve.
• ecdh-sha2-nistp384—The ECDH key exchange method with ephemeral keys generated on the nistp384
curve.
• ecdh-sha2-nistp521—The ECDH key exchange method with ephemeral keys generated on the nistp521
curve.
NOTE: Table 43 on page 1164 shows which Diffie-Hellman key exchange methods are supported
in FIPS mode.

Diffie-Hellman key exchange method   Supported in FIPS mode
curve25519-sha256                    No
dh-group1-sha1                       No
dh-group14-sha1                      Yes
ecdh-sha2-nistp256                   Yes
ecdh-sha2-nistp384                   Yes
ecdh-sha2-nistp521                   Yes
group-exchange-sha1                  No
group-exchange-sha2                  No
RELATED DOCUMENTATION
Configuring SSH Service for Remote Access to the Router or Switch | 257
lldp
Syntax
lldp {
advertisement-interval seconds;
(disable | enable);
hold-multiplier number;
interface (all | [interface-name]) {
(disable | enable);
power-negotiation <(disable | enable)>;
(tlv-filter | tlv-select);
trap-notification (disable | enable);
}
lldp-configuration-notification-interval seconds;
management-address ip-management-address;
mau-type;
netbios-snooping;
no-tagging;
neighbour-port-info-display (port-description | port-id);
port-description-type (interface-alias | interface-description);
port-id-subtype (interface-name | locally-assigned);
ptopo-configuration-maximum-hold-time seconds;
ptopo-configuration-trap-interval seconds;
(tlv-filter | tlv-select);
traceoptions {
file filename <files number> <size maximum-file-size> <world-readable | no-world-readable>;
flag flag <disable>;
}
transmit-delay seconds;
vlan-name-tlv-option (name | vlan-id);
}
Hierarchy Level
[edit protocols],
[edit routing-instances routing-instance-name protocols]
Release Information
Statement introduced in Junos OS Release 9.0 for EX Series switches.
management-address introduced in Junos OS Release 9.5.
ptopo-configuration-maximum-hold-time, ptopo-configuration-trap-interval, and transmit-delay introduced
in Junos OS Release 9.6.
Description
Configure Link Layer Discovery Protocol (LLDP). The switch uses LLDP to advertise its identity and
capabilities on a LAN, as well as to receive information about other network devices. LLDP is defined in
the IEEE standard 802.1AB-2005.
NOTE: The transmit-delay and netbios-snooping options are not available on QFabric systems.
NOTE: On EX4300 switches, LLDP cannot be configured on the me0 or vme interface. Issuing
the command set protocols lldp interface me0 generates the following error message:
Issuing the command set protocols lldp interface vme generates the following error message:
Default
LLDP is disabled. If you configure LLDP for all interfaces, you can later disable a particular interface.
NOTE: The interface-name must be the physical interface and not a logical interface (unit).
Options
advertisement-interval seconds—Specify the frequency at which LLDP advertisements are sent. This value
is also used in combination with the hold-multiplier value to determine the length of time LLDP
information is held before it is discarded.
The advertisement-interval value must be greater than or equal to four times the transmit-delay value,
or an error will be returned when you attempt to commit the configuration.
Default: 30 seconds
Range: 5 through 32768 seconds
hold-multiplier number—Specify the multiplier used in combination with the advertisement-interval value
to determine the length of time LLDP information is held before it is discarded.
Range: 2 through 10
Default: 4 (or 120 seconds with the default of 30 seconds for advertisement-interval)
mau-type—(EX4300, EX9200, and EX9250 switches only) Configure the switch to advertise information
about the medium attachment unit (MAU) type. The MAU is a transceiver that interconnects the
attachment unit interface (AUI) port on an attached host computer to an Ethernet cable. MAU types
are defined in the IEEE 802.3 standard.
The MAU type is included in the MAC/PHY Configuration Status type, length, and value (TLV) message.
TLVs are used by LLDP-capable devices to transmit information to neighbor devices. The MAC/PHY
Configuration Status TLV is an organizationally defined TLV that advertises information about the
physical interface. In addition to the MAU type, the MAC/PHY Configuration Status TLV also includes
information such as autonegotiation status, support, and advertised capabilities.
The MAU type cannot be changed by configuration; however, you must configure the mau-type
statement to include the MAU type value in the MAC/PHY Configuration Status TLV.
Default: If the mau-type statement is not configured, the MAU type field of the MAC/PHY
Configuration Status TLV contains the value Unknown.
netbios-snooping—(EX2200, EX3200, EX3300, EX4200, EX4500, EX4550, EX6210, EX8208, and EX8216
switches only) Enable NetBIOS snooping to learn information about NetBIOS hosts that are connected
to the switch.
no-tagging—(EX2200, EX3200, EX3300, EX4200, EX4500, EX4550, EX6210, EX8208, and EX8216 switches
only) Configure the switch to send LLDPDUs without including VLAN tags on the interfaces on which
VLAN tagging is enabled (tagged interfaces).
Default: Interfaces for which VLAN tagging is enabled include a VLAN tag (tag 0) in LLDPDUs if the
no-tagging option is not configured.
Devices in a network use LLDP to learn about and identify neighbor devices. LLDP-capable devices
transmit information in type, length, and value (TLV) messages to neighbor devices.
The Port info field of the show lldp neighbors command displays the port information received from
LLDP neighbors. This information is sent from the LLDP neighbor to the device in a type, length, and
value (TLV) message. You can use the neighbour-port-info-display statement to configure the device
to display the information contained in either the port description TLV or the port identification TLV.
Values: Configure one of the following:
• port-description—Display the information from the port description TLV in the Port info field of the
show lldp neighbors CLI command.
The port description TLV contains the textual description of the logical unit or the port. The
description for the logical unit is used, if available; otherwise, the description for the physical interface
(port) is used. For example, LAG member interfaces do not contain a logical unit; therefore, only the
description configured on the physical interface is used.
• port-id—Display the information from the port identification TLV in the Port info field of the show
lldp neighbors CLI command.
The port identification TLV contains the identifier for the neighbor port. The SNMP index of the
interface is used as the port identifier.
Default: port-description—The information contained in the port description TLV is displayed in the
Port info field.
• interface-description—Use the ifDescr MIB object value to generate the port description TLV. The
LLDP MIB variable lldpLocPortDesc then contains the same value as ifDescr, which is the same as
the interface name.
The Port info field of the show lldp neighbors command displays the port information received from
the port identification TLV. Configuring the port-id-subtype statement determines the information
shown for the Port info field on the neighbor device.
Values: Configure one of the following:
• interface-name—Use the interface name to generate the port identification TLV. The LLDP MIB
variable lldpLocPortId then contains the same value as the interface name.
• locally-assigned—Use the SNMP index of the interface to generate the port identification TLV. The
LLDP MIB variable lldpLocPortId then contains the same value as the SNMP index of the interface.
Default: locally-assigned
ptopo-configuration-trap-interval seconds—Specify how often SNMP trap notifications are sent to the
Master Agent regarding changes in physical topology global statistics.
Range: 0 through 3600 seconds
Default: Disabled
transmit-delay seconds—Specify the number of seconds the device delays before sending advertisements
to neighbors after a change is made in a TLV (type, length, or value) element in LLDP or in the state
of the local system, such as a change in hostname or management address. You can set this value to
reduce the delay in notifying neighbors of a change in the local system.
The advertisement-interval value must be greater than or equal to four times the transmit-delay value,
or an error will be returned when you attempt to commit the configuration.
Range: 1 through 8192 seconds
Default:
• 2 seconds if the advertisement-interval value is set to 8 seconds or more
vlan-name-tlv-option (name | vlan-id)—Specify whether to use the VLAN name or the VLAN ID to generate
the LLDP VLAN name TLV when exchanging LLDP messages.
Values: Specify one of the following:
• name—use the VLAN name to generate the LLDP VLAN name TLV. The show lldp detail command
output displays the VLAN name in the Vlan-name column.
• vlan-id—use the VLAN ID to generate the LLDP VLAN name TLV. The show lldp detail command
output displays the default VLAN name string vlan-vlan-id in the Vlan-name column.
Default: vlan-id
The remaining statements are explained separately. Search for a statement in CLI Explorer or click a linked
statement in the Syntax section for details.
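The advertisement-interval, hold-multiplier and transmit-delay statements above interact: the commit check rejects an advertisement interval shorter than four times the transmit delay, and the product of the interval and the hold multiplier is how long a neighbor keeps the advertised information. The following added example (not Junos code) models that pre-commit check over a constructed set of `set protocols lldp` commands; the ranges, defaults and the 4x rule are the ones stated in the option descriptions.

```python
"""Pre-commit sanity check for the LLDP timers under [edit protocols lldp].

Added example, not Junos code.  The ranges, defaults and the commit rule
(advertisement-interval must be at least four times transmit-delay) are the
ones the statement descriptions give; the time a neighbor keeps the advertised
information follows from the hold-multiplier description
(advertisement-interval x hold-multiplier, 120 seconds with the defaults).
"""

# Ranges and defaults as documented for the three timer statements.
ADVERTISEMENT_INTERVAL_RANGE = (5, 32768)
HOLD_MULTIPLIER_RANGE = (2, 10)
TRANSMIT_DELAY_RANGE = (1, 8192)
DEFAULTS = {
    "advertisement_interval": 30,
    "hold_multiplier": 4,
    "transmit_delay": 2,  # documented default when advertisement-interval is 8 seconds or more
}

# Constructed sample of 'set' commands, as an operator might type them before commit.
SAMPLE_CONFIG = """\
set protocols lldp advertisement-interval 10
set protocols lldp transmit-delay 3
set protocols lldp interface all
"""

STATEMENT_TO_FIELD = {
    "advertisement-interval": "advertisement_interval",
    "hold-multiplier": "hold_multiplier",
    "transmit-delay": "transmit_delay",
}


def parse_lldp_timers(set_commands):
    """Pick the timer values out of 'set protocols lldp <statement> <seconds>' lines.

    Statements that are not timers (interface, mau-type, ...) are ignored; timers
    that are not configured fall back to the documented defaults.
    """
    timers = dict(DEFAULTS)
    for line in set_commands.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[:3] == ["set", "protocols", "lldp"]:
            field = STATEMENT_TO_FIELD.get(parts[3])
            if field is not None:
                timers[field] = int(parts[4])
    return timers


def lldp_hold_time(advertisement_interval=30, hold_multiplier=4):
    """Seconds a neighbor keeps this device's LLDP information before discarding it."""
    return advertisement_interval * hold_multiplier


def check_lldp_timers(advertisement_interval=30, hold_multiplier=4, transmit_delay=2):
    """Return the problems a commit would reject; an empty list means the timers are consistent."""
    problems = []
    for name, value, (low, high) in (
        ("advertisement-interval", advertisement_interval, ADVERTISEMENT_INTERVAL_RANGE),
        ("hold-multiplier", hold_multiplier, HOLD_MULTIPLIER_RANGE),
        ("transmit-delay", transmit_delay, TRANSMIT_DELAY_RANGE),
    ):
        if not low <= value <= high:
            problems.append(f"{name} {value} is outside the range {low} through {high}")
    # The documented commit rule: advertisement-interval >= 4 x transmit-delay.
    if advertisement_interval < 4 * transmit_delay:
        problems.append(
            f"advertisement-interval {advertisement_interval} is less than "
            f"4 x transmit-delay ({4 * transmit_delay})"
        )
    return problems


if __name__ == "__main__":
    timers = parse_lldp_timers(SAMPLE_CONFIG)
    print("timers:", timers)
    print("hold time:", lldp_hold_time(timers["advertisement_interval"], timers["hold_multiplier"]))
    for problem in check_lldp_timers(**timers):
        print("error:", problem)
```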
RELATED DOCUMENTATION
Configuring LLDP
show lldp | 1473
Configuring LLDP (CLI Procedure) | 616
Understanding LLDP | 615
Understanding LLDP and LLDP-MED on EX Series Switches | 623
Configuring NetBIOS Snooping (CLI Procedure) | 632
lldp-med {
fast-start fast-start;
interface name {
(disable | enable);
location {
civic-based {
ca-type name {
ca-value ca-value;
}
country-code country-code;
what what;
}
co-ordinate {
lattitude latitude;
longitude longitude;
}
elin elin;
}
tlv-filter;
tlv-select;
}
tlv-filter;
tlv-select;
}
Hierarchy Level
[edit protocols]
Release Information
Statement introduced in Junos OS Release 9.0 for EX Series.
Statement introduced in Junos OS Release 11.1 for QFX Series.
Description
Configure Link Layer Discovery Protocol–Media Endpoint Discovery. LLDP-MED is an extension of LLDP.
The device uses LLDP-MED to support device discovery of VoIP telephones and to create location databases
for these telephone locations for emergency services. LLDP-MED is defined in the standard ANSI/TIA-1057
by the Telecommunications Industry Association (TIA).
Default
Disabled.
Options
fast-start number—Configure the number of LLDP-MED advertisements sent from the device in the first
second after it has detected an LLDP-MED device (such as an IP telephone).
Range: 1 through 10 advertisements
Default: 3 advertisements
The remaining statements are explained separately. Search for a statement in CLI Explorer or click a linked
statement in the Syntax section for details.
RELATED DOCUMENTATION
lldp-priority
Syntax
lldp-priority;
Hierarchy Level
[edit poe],
[edit poe fpc (all | slot-number)]
Release Information
Statement introduced in Junos OS Release 12.2 for EX Series switches.
Description
Configure the switch to assign interfaces the power priority provided by the powered device by using Link
Layer Discovery Protocol (LLDP) power negotiation rather than the power priority configured on the switch
interface.
RELATED DOCUMENTATION
local-certificate
Syntax
local-certificate name;
Hierarchy Level
Release Information
Statement introduced before Junos OS Release 7.4.
Statement introduced in Junos OS Release 9.0 for EX Series switches.
Statement introduced for the [edit system services extension-service request-response thrift] hierarchy
level in Junos OS Release 16.1 for MX80, MX480, MX960, MX2010, MX2020, vMX, and PTX Series.
Description
Import or reference an SSL certificate.
Specify the name of the local certificate to use. There is no default for local-certificate. The value for
local-certificate should be the same as the name provided during the import of the certificate using the
CLI configuration statement local at the [edit security certificates] hierarchy level.
RELATED DOCUMENTATION
Configuring clear-text or SSL Service for Junos XML Protocol Client Applications
Importing SSL Certificates for Junos XML Protocol Support
local
location (LLDP-MED)
Syntax
location {
civic-based {
ca-type type {
ca-value value;
}
country-code country-code;
what what;
}
co-ordinate {
lattitude latitude;
longitude longitude;
}
elin elin;
}
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 9.0 for EX Series switches.
Statement introduced in Junos OS Release 11.1 for QFX Series switches.
Description
For Link Layer Discovery Protocol–Media Endpoint Discovery (LLDP-MED), configure the location
information. Location information is advertised from the switch to the MED. This information is used
during emergency calls to identify the location of the MED.
Default
Disabled.
Options
co-ordinate—Geographical coordinates for the location of the MED.
Values: Specify these values:
• lattitude latitude—Latitude value for the location.
Range: 0 through 360 degrees for both the latitude and longitude values.
elin elin—Configure the Emergency Line Identification Number (ELIN) as part of the location information.
The ELIN is a 10-digit telephone number, including the area code.
RELATED DOCUMENTATION
location (System)
Syntax
location {
altitude feet;
building name;
country-code code;
floor number;
hcoord horizontal-coordinate;
lata service-area;
latitude degrees;
longitude degrees;
npa-nxx number;
postal-code postal-code;
rack number;
vcoord vertical-coordinate;
}
Hierarchy Level
[edit system]
Release Information
Statement introduced in Junos OS Release 8.5.
Description
Configure the physical location of the device.
Options
• altitude feet—Number of feet above sea level.
• building name—Name of building. The name of the building can be 1 to 28 characters in length. If the
string contains spaces, enclose it in quotation marks (" ").
• npa-nxx number—First six digits of the phone number (area code and exchange).
login
Syntax
login {
announcement text;
class class-name {
allow-hidden-commands;
no-hidden-commands {
except [“regular expression or command 1” “regular expression or command 2” ...];
}
access-end hh:mm;
access-start hh:mm;
( allow-commands ”(regular-expression1)|(regular-expression2)...” | allow-commands-regexps [“regular expression
1” “regular expression 2 ” ... ]);
( allow-configuration ”(regular-expression1)|(regular-expression2)...” | allow-configuration-regexps [“regular
expression 1” “regular expression 2 ” ... ]);
allow-sources [ source-addresses ... ];
allow-times [ times ... ];
allowed-days [ days of the week ];
cli {
prompt prompt;
}
configuration-breadcrumbs;
confirm-commands [“regular expression or command 1” “regular expression or command 2” ...] {
confirmation-message;
}
( deny-commands ”(regular-expression1)|(regular-expression2)...” | deny-commands-regexps [“regular expression
1” “regular expression 2 ” ... ]);
( deny-configuration ”(regular-expression1)|(regular-expression2)...” | deny-configuration-regexps [“regular expression
1” “regular expression 2 ” ... ]);
deny-sources [ source-addresses ... ];
deny-times [ times ... ];
idle-timeout minutes;
logical-system logical-system-name;
login-alarms;
login-script login-script;
login-tip;
no-scp-server;
no-sftp-server;
permissions [ permissions ];
satellite all;
security-role (audit-administrator | crypto-administrator | ids-administrator | security-administrator);
tenant tenant-system-name;
}
deny-sources {
address [ source-addresses ... ];
}
idle-timeout minutes;
message text;
password {
change-type (character-sets | set-transitions);
format (sha1 | sha2 | sha256 | sha512);
maximum-length length;
maximum-lifetime days;
minimum-changes number;
minimum-character-changes number;
minimum-length length;
minimum-lifetime days;
minimum-lower-cases number;
minimum-numerics number;
minimum-punctuations number;
minimum-reuse number;
minimum-upper-cases number;
}
retry-options {
backoff-factor seconds;
backoff-threshold number;
lockout-period minutes;
maximum-time seconds;
minimum-time seconds;
tries-before-disconnect number;
}
user username {
authentication {
encrypted-password encrypted-password;
no-public-keys;
ssh-ecdsa name {
from from;
}
ssh-ed25519 name {
from from;
}
ssh-rsa name {
from from;
}
}
cli {
prompt prompt;
}
class class-name;
full-name full-name;
uid uid-value;
}
}
Hierarchy Level
[edit system]
Release Information
Statement introduced before Junos OS Release 7.4.
Statement introduced in Junos OS Release 9.0 for EX Series switches.
Statement introduced in Junos OS Release 11.1 for the QFX Series.
deny-sources option introduced in Junos OS Release 11.2.
All of the statements and options introduced previously were introduced in Junos OS Release 14.1X53-D20
for the OCX Series.
Description
Configure user access to the device.
Options
announcement text—Configure a system login announcement. This announcement appears after a user
logs in. Sometimes you want to make announcements to authorized users only after they have logged
in. For example, you might want to announce an upcoming maintenance event.
To display a message before the user logs in, configure a system login message using the message
statement rather than configuring a system login announcement.
You can format the announcement using the following special characters:
• \n—New line
• \t—Horizontal tab
• \\—Backslash
If the text of the announcement contains any spaces, enclose the text in quotation marks.
Default: No login announcement is displayed.
deny-sources—(Mandatory) Never allow access from these hosts. The source addresses can be IPv4 or
IPv6 addresses, prefix lengths, or hostnames.
Syntax: address [source-addresses]
idle-timeout minutes— For a login class, configure the maximum time in minutes that a session can be idle
before the session times out and the user is logged out of the device. The session times out after
remaining at the CLI operational mode prompt for the specified time.
NOTE: If a user logs in to the device from a shell prompt such as csh and then starts another
program in the foreground of the CLI, the idle timer stops counting while that program runs.
Idle-time accounting for the CLI session resumes only after the foreground process exits and
control returns to the shell prompt. Once the idle timer resumes, if the user does not interact
with the shell, the user is automatically logged out after the time set by this statement.
Default: If you omit this statement, a user is never forced off the system after extended idle times.
Range: 0 through 4294967295 minutes
message text—Configure a system login message. A login message displays a banner to users when they
access the device, before they log in. To display a message only after the user logs in, configure a
system login announcement using the announcement statement instead of configuring a system login
message.
Before you create any user accounts, it’s a good idea to configure an initial login message.
You can format the message using the following special characters:
• \n—New line
• \t—Horizontal tab
• \\—Backslash
If the text of the message contains any spaces, enclose the text in quotation marks.
Default: No login message is displayed.
The remaining statements are explained separately. See CLI Explorer or click a linked statement in the
Syntax section for details.
RELATED DOCUMENTATION
mac-radius
Syntax
mac-radius {
authentication-protocol {
eap-md5;
eap-peap {
resume;
}
pap;
}
flap-on-disconnect;
restrict;
}
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 9.3 for EX Series switches.
flap-on-disconnect introduced in Junos OS Release 9.4.
Statement introduced in Junos OS Release 14.1X53-D30 for the QFX Series.
Description
Configure MAC RADIUS authentication for specific interfaces. MAC RADIUS authentication allows LAN
access to permitted MAC addresses. When a new MAC address appears on an interface, the device consults
the RADIUS server to check whether the MAC address is a permitted address. If the MAC address is
configured on the RADIUS server, the device is allowed access to the LAN.
If MAC RADIUS is configured, the device first tries to get a response from the host for 802.1X
authentication. If the host is unresponsive, the device attempts to authenticate using MAC RADIUS.
To restrict authentication to MAC RADIUS only, use the restrict option. In restrictive mode, all 802.1X
packets are eliminated and the attached device on the interface is considered a nonresponsive host.
Options
flap-on-disconnect—(Optional) When the RADIUS server sends a disconnect message to a supplicant, the
device resets the interface on which the supplicant is authenticated. If the interface is configured for
multiple supplicant mode, the device resets all the supplicants on the specified interface. This option
takes effect only when the restrict option is also set.
restrict—(Optional) Restricts authentication to MAC RADIUS only. When mac-radius restrict is configured,
the device drops all 802.1X packets. This option is useful when no other 802.1X authentication
methods, such as guest VLAN, are needed on the interface, and eliminates the delay that occurs while
the switch determines that a connected device is a non-802.1X-enabled host.
The remaining statements are explained separately. Search for a statement in CLI Explorer or click a linked
statement in the Syntax section for details.
RELATED DOCUMENTATION
master-password
Syntax
master-password {
plain-text-password
iteration-count iteration-count;
pseudorandom-function (hmac-sha1 | hmac-sha2-256 | hmac-sha2-512);
}
Hierarchy Level
[edit system]
Release Information
Statement introduced in Junos OS Release 16.2.
Description
Master password for $8$-based password encryption. The master password is used as input to the
password-based key derivation function (PBKDF2) to generate an encryption key. The key is used as input
to the Advanced Encryption Standard in Galois/Counter Mode (AES256-GCM). The plain text that the user
enters is processed by the encryption algorithm (with the key) to produce the encrypted text (ciphertext).
Options
plain-text-password—Set the master password with plain text. The password quality is evaluated for
strength, and the device gives feedback if weak passwords are used.
iteration-count—The number of iterations to use for the PBKDF2 hash function. A higher iteration count
makes each key derivation slower, which slows an attacker's guessing of the master password.
Default: 100
Range: 10-10000
pseudorandom-function—The HMAC pseudorandom function used by PBKDF2: hmac-sha1, hmac-sha2-256, or
hmac-sha2-512.
RELATED DOCUMENTATION
method
Syntax
method {
bfd {
version (0 | 1 | automatic);
minimum-interval milliseconds;
minimum-receive-interval milliseconds;
multiplier number;
no-adaptation;
transmit-interval {
minimum-interval milliseconds;
threshold milliseconds;
}
detection-time {
threshold milliseconds;
}
session-mode (automatic | multihop | singlehop);
holddown-interval milliseconds;
}
layer2-liveness-detection {
max-consecutive-retries number;
transmit-interval interval;
}
}
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 12.1.
Statement introduced in Junos OS Release 12.3R2 for EX Series switches.
Description
Configure the liveness detection method.
NOTE: The bfd stanza is not available at the [edit forwarding-options dhcp-relay dual-stack-group
dual-stack-group-name liveness-detection method] or [edit system services dhcp-local-server
dual-stack-group dual-stack-group-name liveness-detection method] hierarchy levels.
The remaining statements are explained separately. Search for a statement in CLI Explorer or click a linked
statement in the Syntax section for details.
RELATED DOCUMENTATION
multi-domain
Syntax
multi-domain {
max-data-session max-data-sessions;
packet-action (drop-and-log | shutdown);
recovery-timeout seconds;
}
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 18.3R1.
Description
Configure multi-domain authentication to restrict the number of authenticated data and VoIP sessions on
the port. Multi-domain authentication is an extension of multiple supplicant mode for 802.1X authentication,
and is designed to support VoIP and data clients on the same interface. The interface is divided into two
domains; one is the data domain and the other is the voice domain.
In multiple supplicant mode, any number of VoIP or data sessions can be authenticated; the number of
sessions can be restricted using MAC limiting, but there is no way to apply the limit specifically to either
data or VoIP sessions. Multi-domain authentication maintains separate session counts based on the domain
type.
The data device can be authenticated using 802.1X authentication or MAC RADIUS authentication.
Multi-domain authentication does not enforce the order of authentication. For best results, the VoIP device
should be authenticated before the data device.
You can configure the maximum number of authenticated data sessions allowed on the interface using
the max-data-session statement. The number of VoIP sessions is not configurable; only one authenticated
VoIP session is allowed.
If a new client attempts to authenticate on the interface after the maximum session count has been reached,
the default action is to drop the packet and generate an error log message. You can also configure the
action to shut down the interface. The port can be manually recovered from the down state by issuing the
clear dot1x recovery-timeout command, or can recover automatically after a recovery timeout period. To
configure automatic recovery, use the recovery-timeout option.
Options
packet-action (drop-and-log | shutdown)—Specify the action the device should take on packets that exceed
the limit of authenticated sessions allowed on the interface. The limit for data sessions is configured
using the max-data-session option. The number of VoIP sessions is not configurable; only one
authenticated VoIP session is allowed.
Values: Specify one of the following:
• drop-and-log—Drop the packet and generate an error syslog message.
• shutdown—Shut down the interface. The interface can be recovered manually with the clear dot1x
recovery-timeout command, or automatically after the period configured with the recovery-timeout option.
Default: drop-and-log
recovery-timeout seconds—If you configure the packet action with the shutdown option and you configure
the recovery timeout, the interface is temporarily disabled when the maximum number of authenticated
sessions is reached. The interface will recover automatically after the number of seconds specified.
Range: 60 through 3600 seconds
Default: none
RELATED DOCUMENTATION
authenticator | 1070
dot1x | 1115
interface (802.1X) | 1137
multicast-client
Syntax
multicast-client <address>;
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 11.1 for the QFX Series.
Statement introduced in Junos OS Release 14.1X53-D20 for the OCX Series.
Description
For Network Time Protocol (NTP), configure the local router or switch to listen for multicast messages on
the local network to discover other servers on the same subnet.
Options
address—(Optional) One or more IP addresses. If you specify addresses, the router or switch joins those
multicast groups.
Default: 224.0.1.1.
RELATED DOCUMENTATION
multicast-client
Syntax
multicast-client <address>;
Hierarchy Level
Release Information
Statement introduced before Junos OS Release 7.4.
Description
For NTP, configure the SRX Series device to listen for multicast messages on the local network to discover
other servers on the same subnet.
Options
address—(Optional) One or more IP addresses. If you specify addresses, the SRX Series device joins those
multicast groups.
Default: 224.0.1.1.
RELATED DOCUMENTATION
ntp | 1202
nas-port-extended-format
Syntax
nas-port-extended-format {
adapter-width bits;
ae-width bits;
atm {
adapter-width bits;
port-width bits;
slot-width bits;
vci-width bits;
vpi-width bits;
}
port-width bits;
pw-width bits;
slot-width bits;
stacked-vlan-width bits;
vlan-width bits;
}
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 9.1.
Statement introduced in Junos OS Release 9.1 for EX Series switches.
ae-width option added in Junos OS Release 12.1.
atm option added in Junos OS Release 12.3R3 and supported in later 12.3Rx releases.
atm option supported in Junos OS Release 13.2 and later releases. (Not supported in Junos OS Release
13.1.)
pw-width option added in Junos OS Release 15.1.
Description
Configure the RADIUS client to use the extended format for RADIUS attribute 5 (NAS-Port) and specify
the width in bits of the fields in the NAS-Port attribute.
The NAS-Port attribute specifies the physical port number of the NAS that is authenticating the user, and
is formed by a combination of the physical port’s slot number, port number, adapter number, VLAN ID,
and S-VLAN ID. The NAS-Port extended format specifies the number of bits (bit width) for each field in
the NAS-Port attribute: slot, adapter, port, aggregated Ethernet, VLAN, and S-VLAN.
NOTE: The combined total of the widths of all fields for a subscriber must not exceed 32 bits,
or the configuration fails. The router may truncate the values of individual fields depending on
the bit width you specify.
Options
adapter-width width—Number of bits in the adapter field.
ae-width width—(Ethernet subscribers only) Number of bits in the aggregated Ethernet identifier field.
pw-width width—(Ethernet subscribers only) Number of bits in the pseudowire field. Appears in the Cisco
NAS-Port-Info AVP (100).
vci-width width—(ATM subscribers only) Number of bits in the ATM virtual circuit identifier (VCI) field.
vpi-width width—(ATM subscribers only) Number of bits in the ATM virtual path identifier (VPI) field.
NOTE: The total of the widths must not exceed 32 bits, or the configuration will fail.
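An added example (not Junos code) of the width check and bit packing the NAS-Port extended format performs: widths summing past 32 bits are rejected, as at commit time, and fields whose values did not fit their width are reported as truncated. The field ordering and the sample widths are assumptions, since the page does not state the bit layout.

```javascript
// Added example (not Junos code) of NAS-Port extended-format packing: each
// configured field occupies a fixed bit width, the widths must sum to at most
// 32, and a value wider than its field is truncated. Field order (most
// significant first) is an assumption; the page does not document it.
const FIELD_ORDER = ['slot', 'adapter', 'port', 'ae', 'pw', 'stacked-vlan', 'vlan'];

// Mirrors the commit-time check on the page: a total width over 32 bits fails.
// Returns the total so callers can see how many bits are in use.
function validateWidths(widths) {
  const total = FIELD_ORDER.reduce((sum, f) => sum + (widths[f] || 0), 0);
  if (total > 32) throw new RangeError(`combined field widths ${total} exceed 32 bits`);
  return total;
}

// Pack field values into the NAS-Port integer. Returns the value and the
// names of fields whose values did not fit and were truncated (masked).
function packNasPort(widths, values) {
  validateWidths(widths);
  let nasPort = 0;
  const truncated = [];
  for (const f of FIELD_ORDER) {
    const w = widths[f] || 0;
    if (w === 0) continue;                 // unconfigured field contributes no bits
    const v = values[f] || 0;
    const limit = 2 ** w;
    if (v >= limit) truncated.push(f);
    nasPort = nasPort * limit + (v % limit); // arithmetic, not <<, to stay unsigned
  }
  return { nasPort, truncated };
}

// Inverse: recover the fields from a NAS-Port value under the same widths,
// e.g. when reading attribute 5 back out of a RADIUS accounting record.
function unpackNasPort(widths, nasPort) {
  validateWidths(widths);
  const fields = {};
  let rest = nasPort;
  for (const f of [...FIELD_ORDER].reverse()) {
    const w = widths[f] || 0;
    if (w === 0) continue;
    const limit = 2 ** w;
    fields[f] = rest % limit;
    rest = Math.floor(rest / limit);
  }
  return fields;
}

// Widths constructed for this example: slot 4, adapter 4, port 8, vlan 12 (28 bits).
const EXAMPLE_WIDTHS = { slot: 4, adapter: 4, port: 8, vlan: 12 };
```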
RELATED DOCUMENTATION
nas-port-id-format
Syntax
nas-port-id-format {
agent-circuit-id;
agent-remote-id;
interface-description;
interface-text-description;
nas-identifier;
order (agent-circuit-id | agent-remote-id | interface-description | interface-text-description | nas-identifier |
postpend-vlan-tags);
postpend-vlan-tags;
}
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 11.4.
Statement introduced in Junos OS Release 13.2X50-D10 for EX Series switches.
Options interface-text-description, order, and postpend-vlan-tags introduced in Junos OS Release 15.1.
Description
Specify the optional information that the router includes in the NAS-Port-ID (RADIUS attribute 87) that
is passed to the RADIUS server during authentication and accounting. You can include any combination
of the optional values.
When you specify the values for the NAS-Port-ID, you can configure the values to appear in either the
default order or a custom order of your choice.
NOTE: The default and custom order methods are mutually exclusive. The configuration fails if
you attempt to configure a NAS-Port-ID that includes values in both types of orders.
To specify that the optional values appear in the default order in the NAS-Port-ID, configure the values
directly under the nas-port-id-format statement. The default order is as follows, in which the # character
is the delimiter:
To specify a custom order for the NAS-Port-ID string, you use the order option. Include the order option
before each optional value you want to include in the string, in the order in which you want the options
to appear. For example, the configuration, order interface-text-description order nas-identifier order
agent-remote-id produces the following NAS-Port-ID, in which the # character is the delimiter:
Default
The router includes the interface description in the NAS-Port-ID when no optional values are specified.
Options
agent-circuit-id—Include the agent circuit ID from either DHCP option 82 or the DSL forum VSAs.
agent-remote-id—Include the agent remote ID from either DHCP option 82 or the DSL forum VSAs.
interface-text-description—Include the textual interface description (the text description that is statically
configured in the CLI).
order—Specify the optional values you want to include in the NAS-Port-ID and the customized order in
which you want the values to appear. You must include the order option before each optional value (for
example, order agent-circuit-id order interface-description).
postpend-vlan-tags—Include the VLAN tags. The router includes the tags in the format
:<outer-tag>-<inner-tag> for a double-tagged VLAN, or :<outer-tag> for a single-tagged VLAN.
RELATED DOCUMENTATION
nas-port-type
Syntax
nas-port-type {
ethernet {
port-type;
}
}
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 11.4.
Statement introduced in Junos OS Release 13.2X50-D10 for EX Series switches.
Description
Specify the port type used to authenticate subscribers. The router includes the port type in RADIUS
attribute 61 (NAS-Port-Type attribute).
Default
The router uses a port type of ethernet.
Options
port-type—One of the following port types:
• async—Asynchronous
• cable—Cable
• ethernet—Ethernet
• g3-fax—G.3 Fax
• idsl—ISDN DSL
• isdn-sync—ISDN Synchronous
• sdsl—Symmetric DSL
• sync—Synchronous
• token-ring—Token Ring
• virtual—Virtual
• wireless—Other wireless
• wireless-1x-ev—Wireless 1xEV
• wireless-ieee80211—Wireless 802.11
• x25—X.25
• x75—X.75
RELATED DOCUMENTATION
ntp
Syntax
ntp {
authentication-key key-number type (md5 | sha1 | sha256) value password;
boot-server address;
broadcast <address> <key key-number> <routing-instance-name routing-instance-name> <version value> <ttl value>;
broadcast-client;
multicast-client <address>;
peer address <key key-number> <version value> <prefer>;
server address <key key-number> <version value> <prefer>;
source-address source-address <routing-instance routing-instance-name>;
trusted-key [ key-numbers ];
}
Hierarchy Level
[edit system]
Release Information
Statement introduced before Junos OS Release 7.4.
Statement introduced in Junos OS Release 9.0 for EX Series switches.
Statement introduced in Junos OS Release 11.1 for QFX Series switches.
Description
Configure NTP on the router or switch. In both standalone and chassis cluster modes, the primary Routing
Engine runs the NTP process to get the time from the external NTP server. Although the secondary Routing
Engine runs the NTP process in an attempt to get the time from the external NTP server, this attempt fails
because of network issues. For this reason, the secondary Routing Engine uses NTP to get the time from
the primary Routing Engine.
Options
authentication-key key-number—Configure a key (key ID, key type, and key value) to authenticate NTP
packets exchanged with the devices (servers and clients). The range for the key number is from 1 to 65534.
The authentication key has two fields:
• type—When authentication is specified, the key identifier (key ID) followed by the message digest is
appended to the NTP packet header. The supported message digest formats are md5, sha1, and sha256.
• value—If the key value is available in ASCII format and without special characters, it can be entered
directly. If the key value contains special characters or is available in hex format, consider the following:
To specify the key in hex format, prepend "\x" to each pair of hex characters. For example, for the hex
key af60112f...39af4ced:
set system ntp authentication-key <ID> value "\xaf\x60\x11\x2f\....\x39\xaf\x4c\xed"
If the key contains one of the characters (null) 0x00, (space) 0x20, " 0x22, & 0x26, ( 0x28, or ) 0x29,
prepend "\\x" to that byte instead. For example, \\x22.
boot-server—Configure the server that NTP queries when the router or switch boots to determine the
local date and time.
broadcast—Configure the local router or switch to operate in broadcast mode with the remote system.
broadcast-client—Configure the local router or switch to listen for broadcast messages on the local network
to discover other servers on the same subnet.
multicast-client—Configure the local router or switch to listen for multicast messages on the local network.
peer—Configure the local router or switch to operate in symmetric active mode with the remote system
at the specified address.
server—Configure the local router or switch to operate in client mode with the remote system.
• address—Address of the remote system. You must specify an address, not a hostname.
• key key-number—(Optional) Use the specified key number to encrypt authentication fields in all
packets sent to the specified address. Range: Any unsigned 32-bit integer.
• prefer—(Optional) Mark the remote system as preferred host, which means that if all other things
are equal, this remote system is chosen for synchronization among a set of correctly operating
systems.
• version value—(Optional) Specify the version number to be used in outgoing NTP packets. Range:
1 through 4. Default: 4.
trusted-key—Configure the keys you are allowed to use when you configure the local router or switch to
synchronize its time with other systems on the network.
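The value escaping rules given under authentication-key, as an added Node.js helper that is not Junos code: it turns raw key bytes into the "\x"-escaped string, applies the "\\x" form to the byte values the text lists, and builds the set command; the key-number range and digest names come from this page, and the sample key is constructed.

```javascript
// Added helper (not Junos code) for the hex key format described above:
// every key byte becomes "\x" plus two hex digits, and the byte values the
// page lists (0x00 0x20 0x22 0x26 0x28 0x29) get "\\x" instead. The result
// is the literal text that goes inside the quotes of the set command.
const DOUBLE_ESCAPE = new Set([0x00, 0x20, 0x22, 0x26, 0x28, 0x29]);

function escapeNtpKey(keyBytes) {
  let out = '';
  for (const b of keyBytes) {
    const hex = b.toString(16).padStart(2, '0');
    out += (DOUBLE_ESCAPE.has(b) ? '\\\\x' : '\\x') + hex;
  }
  return out;
}

// Build the full CLI line. The key number range 1-65534 and the digest
// names md5 | sha1 | sha256 are taken from the page.
function ntpAuthenticationKeyCommand(keyNumber, type, keyBytes) {
  if (!Number.isInteger(keyNumber) || keyNumber < 1 || keyNumber > 65534) {
    throw new RangeError('key number must be 1-65534');
  }
  if (!['md5', 'sha1', 'sha256'].includes(type)) throw new Error(`unsupported type ${type}`);
  return `set system ntp authentication-key ${keyNumber} type ${type} value "${escapeNtpKey(keyBytes)}"`;
}

// Sample key constructed for this example (not a real key); it reuses the
// hex digits the page shows so the output can be compared with the text.
const SAMPLE_KEY = Buffer.from('af60112f39af4ced', 'hex');
```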
RELATED DOCUMENTATION
options (Security)
Syntax
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 11.2.
Statement introduced in Junos OS Release 11.3 for the QFX Series.
Description
For IS-IS only, configure the protocol transmission encoding format for encoding the message authentication
code in routing protocol packets.
Because this setting applies to IS-IS only, TCP and BFD ignore the encoding option configured in the key.
Options
basic—RFC 5304 based encoding. Junos OS sends and receives RFC 5304-encoded routing protocol
packets, and drops RFC 5310-encoded routing protocol packets that are received from other devices.
isis-enhanced—RFC 5310 based encoding. Junos OS sends RFC 5310-encoded routing protocol packets
and accepts both RFC 5304-encoded and RFC 5310-encoded routing protocol packets that are received
from other devices.
Default: basic
RELATED DOCUMENTATION
outbound-ssh
Syntax
outbound-ssh {
client client-id {
address {
port port-number;
retry number;
timeout seconds;
}
device-id device-id;
keep-alive {
retry number;
timeout seconds;
}
reconnect-strategy (in-order | sticky);
routing-instance routing-instance-name;
secret password;
services netconf;
}
traceoptions {
file <filename> <files number> <match regular-expression> <size size> <(world-readable | no-world-readable)>;
flag flag;
no-remote-trace;
}
}
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 8.4.
Statement introduced in Junos OS Release 9.0 for EX Series switches.
Support for IPv6 addresses added in Junos OS Release 12.1X47-D15.
routing-instance option introduced in Junos OS Release 19.3R1 for SRX Series and MX Series devices.
Description
Configure a device running the Junos OS behind a firewall to initiate outbound SSH connections to
communicate with client management applications on the other side of the firewall.
Options
client client-id—Defines a device-initiated connection. This value serves to uniquely identify the
outbound-ssh configuration stanza. Each outbound-ssh stanza represents a single outbound SSH
connection. Thus, the administrator is free to assign the client-id any meaningful unique value. This
attribute is not sent to the client management application.
NOTE: Starting in Release 15.1, Junos OS supports outbound SSH connections with devices
having IPv6 addresses.
Syntax: You can list multiple servers by adding each server’s IP address or hostname along with the
following connection parameters:
• port port-number—Specifies the port number at which a server listens for outbound SSH connection
requests.
Default: port 22
• retry number—Specifies the maximum number of times the device attempts to establish an outbound
SSH connection before giving up.
Default: 3 attempts
• timeout seconds—Specifies how long the device waits between attempts to reconnect to the specified
IP address to establish an outbound SSH connection before giving up.
Default: 15 seconds
device-id device-id—(Required) Identifies the device to the management application. Each time the device
establishes an outbound SSH connection, it first sends an initiation sequence (device-id) to the
management application.
keep-alive—(Optional) When configured, specifies that the device should send SSH protocol keepalive
messages to the management application.
Syntax: To configure keepalive messages, you must set both the retry and timeout attributes:
• retry number—Specifies how many keepalive messages the device sends without receiving a response
from the application. When that number is exceeded, the device disconnects from the application,
ending the outbound SSH connection.
Default: 3 attempts
• timeout seconds—Specifies how long the device waits to receive data before sending a request for
acknowledgment from the application.
Default: 15 seconds
• sticky—Specify that the device should first attempt to reconnect to the management server from
which it disconnected. If that server is unavailable, the device then attempts to connect to the next
configured server. The device keeps trying each server in the configured list until the device can
establish a connection.
routing-instance routing-instance-name—(SRX Series and MX Series only) Specify the name of the routing
instance on which the outbound SSH connection needs to be established. If you do not specify a
routing instance, your device will establish the outbound SSH connection using the default routing
table.
secret password—Configures the device to send the device’s public SSH host key when the device connects
to the management server. This is the recommended method of maintaining a current copy of the
device’s public key.
The remaining statements are explained separately. Search for a statement in CLI Explorer or click a linked
statement in the Syntax section for details.
RELATED DOCUMENTATION
password (Login)
Syntax
password {
change-type (character-sets | set-transitions);
format (sha1 | sha2 | sha256 | sha512);
maximum-length length;
maximum-lifetime days;
minimum-changes number;
minimum-character-changes number;
minimum-length length;
minimum-lifetime days;
minimum-lower-cases number;
minimum-numerics number;
minimum-punctuations number;
minimum-reuse number;
minimum-upper-cases number;
}
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 7.4.
Statement introduced in Junos OS Release 9.0 for EX Series.
Statement introduced in Junos OS Release 11.1 for the QFX Series.
Statements minimum-lower-cases, minimum-numerics, minimum-punctuations, and minimum-upper-cases
introduced in Junos OS Release 12.1.
All of the previously mentioned statements were introduced in Junos OS Release 14.1X53-D20 for the
OCX Series.
Statements minimum-reuse and minimum-character-changes introduced in Junos OS Release 18.3.
Statements maximum-lifetime and minimum-lifetime introduced in Junos OS Release 18.4.
Option sha1 is not supported in Junos OS Evolved.
Description
Configure special requirements such as character length and encryption format for plain-text passwords.
Newly created passwords must meet these requirements.
Using several password minimum requirement options will cause the minimum-length to be reset if the
total sum of the required minimums exceeds the minimum-length setting.
Options
change-type—Set requirements for using character sets in plain-text passwords. When you combine this
statement with the minimum-changes statement, you can check for the total number of character
sets included in the password or for the total number of character-set changes in the password. Newly
created passwords must meet these requirements.
Values: Specify one of the following:
• character-sets—The number of character sets in the password. Valid character sets include uppercase
letters, lowercase letters, numbers, punctuation, and other special characters.
• set-transitions—The number of character-set changes between adjacent characters in the password.
format—Configure the authentication algorithm for plain-text passwords. The hash algorithm that
authenticates the password can be one of these algorithms:
Values:
• sha1—Secure Hash Algorithm 1. Produces a 160-bit digest. The encrypted password starts with
$sha1$. The option sha1 is not supported in Junos OS Evolved.
• sha2—HMAC Secure Hash Algorithm. The encrypted password starts with $sha2$. The option sha1
is not supported in Junos OS Evolved.
• sha256—Secure Hash Algorithm 256. Produces a 256-bit digest. The encrypted password starts
with $5$.
• sha512—Secure Hash Algorithm 512. Produces a 512-bit digest. The encrypted password starts
with $6$.
Default: For Junos OS, the default encryption format is sha512. For Junos-FIPS software, the default
encryption format is sha1.
maximum-lifetime days—Specify the maximum duration of a password in days, where the password expires
after the maximum duration is reached. If you have the required permissions, you are able to control
the maximum duration of a password. If the age of the password reaches the maximum time configured,
the password expires and must be changed. If your password has expired, you cannot commit a
configuration until you change your password. Only passwords for local user accounts can expire
based on time configured on the maximum lifetime statement.
NOTE: You cannot reuse the same password when the password expires, unless you also
configure the number of times the password can be reused on the minimum-reuse statement.
Older passwords cannot be re-configured on password expiry. Therefore, if you want to reuse
an old password, you must configure the minimum-reuse statement as well as the
maximum-lifetime statement in the new configuration, otherwise the commit fails.
minimum-changes number—Specify the minimum number of character sets (or character set changes)
required for plain-text passwords. Newly created passwords must meet this requirement.
This statement is used in combination with the change-type statement. If the change-type is
character-sets, then the number of character sets included in the password is checked against the
specified minimum. If change-type is set-transitions, then the number of character set changes in the
password is checked against the specified minimum.
Default: For Junos OS, the minimum number of changes is 1. For Junos-FIPS Software, the minimum
number of changes is 3.
minimum-length length—Specify the minimum number of characters required for plain-text passwords.
Newly created passwords must meet this requirement.
This statement can be used in combination with all of the other requirement options for plain-text
passwords, such as minimum-upper-cases, minimum-punctuations, minimum-lower-cases, and so
on.
Using several password minimum requirement options will cause the minimum password length to be
reset if the total sum of the required minimums exceeds the setting configured on the minimum-length
statement.
Default: For Junos OS, the minimum number of characters for plain-text passwords is six. For
Junos-FIPS software, the minimum number of characters for plain-text passwords is 10.
Range: 6 through 20 characters
minimum-lifetime days—Specify in days the minimum duration of a password before the password can be
changed. If you have the required permissions, you are able to control the minimum lifetime of a
password. You cannot change the password if the age of the password does not exceed the duration
configured on the minimum-lifetime statement. When you change a password, the age of the existing
password is retrieved based on the time at which the password was configured and the current time
is fetched. If the age of the password is less than or equal to the configured value for the
minimum-lifetime statement, the new password is not accepted and an error message is displayed. If
the age of the password is more than the configured value for the minimum-lifetime statement, the
new password is accepted.
NOTE: The minimum-lifetime statement can be committed only after configuring the
minimum-reuse statement. The minimum lifetime statement works in coordination with
password history requirements, else the commit fails and an error message is displayed.
minimum-lower-cases number—Specify the minimum number of lowercase letters required for plain-text
passwords. Newly created passwords must meet this requirement.
This statement can be used in combination with all of the other requirement options for plain-text
passwords, such as minimum-length, minimum-punctuations, minimum-upper-cases, and so on.
Using several password minimum requirement options will cause the minimum password length to be
reset if the total sum of the required minimums exceeds the setting configured on the minimum-length
statement.
Range: 1 through 128 lower-case letters
minimum-numerics number—Specify the minimum number of numeric characters required for plain-text
passwords. Newly created passwords must meet this requirement.
This statement can be used in combination with all of the other requirement options for plain-text
passwords, such as minimum-length, minimum-punctuations, minimum-lower-cases, and so on.
Using several password minimum requirement options will cause the minimum password length to be
reset if the total sum of the required minimums exceeds the setting configured on the minimum-length
statement.
Range: 1 through 128 numeric-class characters
minimum-punctuations number—Specify the minimum number of punctuation characters required for
plain-text passwords. Newly created passwords must meet this requirement.
This statement can be used in combination with all of the other requirement options for plain-text
passwords, such as minimum-length, minimum-upper-cases, minimum-lower-cases, and so on.
Using several password minimum requirement options will cause the minimum password length to be
reset if the total sum of the required minimums exceeds the setting configured on the minimum-length
statement.
Range: 1 through 128 punctuation-class characters
minimum-reuse number—Specify the number of old passwords which should not match the new password.
Newly created passwords must meet this requirement. If you have the required permissions, you are
able to control the number of old passwords that need to be compared. The number of old passwords
to compare with the new password depends on the value configured. If a match is found between the
new password and any of the old passwords, the device rejects the new password and aborts. If the
new password is different from the configured number of old passwords, the new password is accepted.
Range: 1 through 20 passwords
minimum-upper-cases number—Specify the minimum number of uppercase letters required for plain-text
passwords. Newly created passwords must meet this requirement.
This statement can be used in combination with all of the other requirement options for plain-text
passwords, such as minimum-length, minimum-punctuations, minimum-lower-cases, and so on.
Using several password minimum requirement options will cause the minimum password length to be
reset if the total sum of the required minimums exceeds the setting configured on the minimum-length
statement.
Range: 1 through 128 upper-case letters
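The plain-text password rules above, implemented as an added checker that is not Junos code: character-set counting for both change-type modes against minimum-changes, the per-class minimums with the minimum-length reset the text describes, and minimum-reuse against a password history. Which characters count as punctuation rather than other special characters, and the absence of a default maximum-length, are assumptions.

```javascript
// Added example (not Junos code) of the plain-text password requirements
// described above. ASCII punctuation counts as "punctuation"; any other
// non-alphanumeric character counts as "other special" (an assumption).
const PUNCTUATION = '!"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~';

function charClass(ch) {
  if (ch >= 'A' && ch <= 'Z') return 'upper';
  if (ch >= 'a' && ch <= 'z') return 'lower';
  if (ch >= '0' && ch <= '9') return 'numeric';
  if (PUNCTUATION.includes(ch)) return 'punctuation';
  return 'other';
}

// change-type character-sets: number of distinct character sets used.
function countCharacterSets(pw) {
  return new Set(Array.from(pw, charClass)).size;
}

// change-type set-transitions: number of times the character set changes
// between adjacent characters.
function countSetTransitions(pw) {
  const classes = Array.from(pw, charClass);
  let transitions = 0;
  for (let i = 1; i < classes.length; i++) {
    if (classes[i] !== classes[i - 1]) transitions++;
  }
  return transitions;
}

// Defaults stated on the page for Junos OS: minimum-length 6, minimum-changes 1.
// Treating character-sets as the default change-type and having no
// maximum-length are assumptions.
const DEFAULT_POLICY = {
  changeType: 'character-sets', minimumChanges: 1,
  minimumLength: 6, maximumLength: Infinity,
  minimumLowerCases: 0, minimumUpperCases: 0, minimumNumerics: 0, minimumPunctuations: 0,
  minimumReuse: 0,
};

// The page says that when the per-class minimums add up to more than
// minimum-length, the minimum length is reset to that sum.
function effectiveMinimumLength(policy) {
  const p = { ...DEFAULT_POLICY, ...policy };
  const sum = p.minimumLowerCases + p.minimumUpperCases + p.minimumNumerics + p.minimumPunctuations;
  return Math.max(p.minimumLength, sum);
}

// Returns { ok, errors }. history is oldest first, newest last.
function checkPassword(candidate, policy = {}, history = []) {
  const p = { ...DEFAULT_POLICY, ...policy };
  const errors = [];

  const minLen = effectiveMinimumLength(p);
  if (candidate.length < minLen) errors.push(`shorter than minimum-length ${minLen}`);
  if (candidate.length > p.maximumLength) errors.push(`longer than maximum-length ${p.maximumLength}`);

  const counts = { upper: 0, lower: 0, numeric: 0, punctuation: 0, other: 0 };
  for (const ch of candidate) counts[charClass(ch)]++;
  if (counts.lower < p.minimumLowerCases) errors.push('too few lower-case letters');
  if (counts.upper < p.minimumUpperCases) errors.push('too few upper-case letters');
  if (counts.numeric < p.minimumNumerics) errors.push('too few numeric characters');
  if (counts.punctuation < p.minimumPunctuations) errors.push('too few punctuation characters');

  const changes = p.changeType === 'set-transitions'
    ? countSetTransitions(candidate) : countCharacterSets(candidate);
  if (changes < p.minimumChanges) {
    errors.push(`${p.changeType} count ${changes} is below minimum-changes ${p.minimumChanges}`);
  }

  // minimum-reuse: only the configured number of most recent passwords are compared.
  // (Guarded because history.slice(-0) would return the whole array.)
  const recent = p.minimumReuse > 0 ? history.slice(-p.minimumReuse) : [];
  if (recent.includes(candidate)) errors.push(`matches one of the last ${p.minimumReuse} passwords`);

  return { ok: errors.length === 0, errors };
}
```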
RELATED DOCUMENTATION
password-options
Syntax
password-options {
apply-groups;
apply-groups-except;
tacplus-authorization;
}
Hierarchy Level
[edit system]
Release Information
Statement introduced in Junos OS Release 19.3R1 on MX Series routers.
Option tacplus-authorization introduced in Junos OS Release 19.3R1 on MX Series routers.
Description
Configure options for local authentication.
Options
apply-groups—Choose the groups from which to inherit configuration data.
RELATED DOCUMENTATION
peer (NTP)
Syntax
Hierarchy Level
Release Information
Statement introduced before Junos OS Release 7.4.
Description
For NTP, configure the SRX Series device to operate in symmetric active mode with the remote system
at the specified address. In this mode, the SRX Series device and the remote system can synchronize with
each other. This configuration is useful in a network in which either the SRX Series device or the remote
system might be a better source of time.
Options
address—Address of the remote system. You must specify an address, not a hostname.
key key-number—(Optional) All packets sent to the address include authentication fields that are encrypted
using the specified key number.
Range: Any unsigned 32-bit integer
prefer—(Optional) Mark the remote system as the preferred host, which means that if all other factors are
equal, this remote system is chosen for synchronization among a set of correctly operating systems.
version value—(Optional) Specify the NTP version number to be used in outgoing NTP packets.
Range: 1 through 4
Default: 4
RELATED DOCUMENTATION
ntp | 1202
port (NETCONF)
Syntax
port port-number;
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 10.0.
Description
Configure the TCP port used for NETCONF-over-SSH connections.
NOTE:
• The configured port accepts only NETCONF-over-SSH connections. Regular SSH session
requests for this port are rejected.
• The default SSH port (22) continues to accept NETCONF sessions even with a configured
NETCONF server port. To disable the SSH port from accepting NETCONF sessions, you can
specify this in the login event script.
• We do not recommend configuring the default ports for FTP (21) and Telnet (23) services for
configuring NETCONF-over-SSH connections.
Options
port port-number—Port number on which to enable incoming NETCONF connections over SSH.
Default: 830 (as specified in RFC 4742, Using the NETCONF Configuration Protocol over Secure Shell (SSH))
Range: 1 through 65535
RELATED DOCUMENTATION
port port-number;
Hierarchy Level
Release Information
Statement introduced before Junos OS Release 7.4.
Statement introduced in Junos OS Release 9.0 for EX Series switches.
Statement introduced in Junos OS Release 11.1 for the QFX Series.
Description
Configure the port number on which to contact the RADIUS server.
Options
number—Port number on which to contact the RADIUS server.
Default: 1812 (as specified in RFC 2865)
NOTE: The [edit system accounting] hierarchy is not available on QFabric systems.
RELATED DOCUMENTATION
port port-number;
Hierarchy Level
Release Information
Statement introduced before Junos OS Release 7.4.
Statement introduced in Junos OS Release 9.0 for EX Series switches.
Description
Configure the port number on which to contact the SRC server.
Options
port-number—(Optional) The TCP port number for the SRC server.
Default: 3333
RELATED DOCUMENTATION
port port-number;
Hierarchy Level
Release Information
Statement introduced before Junos OS Release 7.4.
Statement introduced in Junos OS Release 9.0 for EX Series switches.
Description
Configure the port number on which to contact the TACACS+ server.
Options
number—Port number on which to contact the TACACS+ server.
Default: 49
RELATED DOCUMENTATION
profile
Syntax
profile profile-name {
accounting {
accounting-stop-on-access-deny;
accounting-stop-on-failure;
order (radius | [ accounting-order-data-list ]);
}
authentication-order [authentication-method];
radius {
accounting-server [server-addresses];
authentication-server [server-addresses];
}
}
Hierarchy Level
[edit access]
Release Information
Statement introduced in Junos OS Release 9.0 for EX Series switches.
Statement introduced in Junos OS Release 14.1X53-D20 for OCX Series switches.
Statement introduced in Junos OS Release 11.1 for the QFX Series.
Description
Configure an access profile. The access profile contains the entire authentication, authorization, and
accounting (AAA) configuration that aids in handling AAA requests, including the authentication method
and order, AAA server addresses, and AAA accounting.
Default
Not enabled.
Options
profile-name—Profile name of up to 32 characters.
RELATED DOCUMENTATION
profilerd
Syntax
profilerd {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 8.5.
Description
Specify the profiler process.
Options
• command binary-file-path—Path to binary for process.
• failover—Configure the device to reboot if the software process fails four times within 30 seconds, and
specify the software to use during the reboot.
• alternate-media—Configure the device to switch to backup media that contains a version of the system
if a software process fails repeatedly.
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 9.6.
Support for Gx-Plus introduced in Junos OS Release 11.2.
Statement introduced in Junos OS Release 13.2X50-D10 for EX Series switches.
pcrf option added in Junos OS Release 16.2.
Description
Configure AAA to use the specified application for subscriber service provisioning.
Options
gx-plus—Specify Gx-Plus as the application used to communicate with a PCRF server for subscriber service
provisioning. Sets the Subscription-Id-Type Diameter AVP sub-attribute (450) to 4 (END_USER_PRIVATE)
and sets the Subscription-Id-Data Diameter AVP sub-attribute (444) to reserved. Both of these
sub-attributes are conveyed in the Diameter AVP Subscription-ID (443) by a CCR-I message.
jsrc—Specify JSRC as the application used to communicate with the SAE for subscriber service provisioning.
JSRC is used in an SRC environment to request services from the SAE for an authenticated subscriber.
JSRC attempts to activate these services. If successful, JSRC returns an ACK message. If unsuccessful, the
subscriber is denied access.
pcrf—Specify Policy Control and Charging Rules Function (PCRF) as the application used to request
provisioning from the PCRF server over the Gx protocol. If you change this configuration, any existing
subscriber sessions are unaffected.
RELATED DOCUMENTATION
proxy
Syntax
proxy {
password password;
port port-number;
server url;
username user-name;
}
Hierarchy Level
[edit system]
Release Information
Statement introduced in Junos OS Release 8.5.
Description
Specify the proxy information for the router.
Options
• password password—Password configured in the proxy server.
radius (System)
Syntax
radius {
server {
server-address {
accounting-port port-number;
secret password;
source-address address;
retry number;
timeout seconds;
}
}
}
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 7.4.
Statement introduced in Junos OS Release 9.0 for EX Series switches.
Statement introduced in Junos OS Release 11.1 for the QFX Series.
Statement introduced in Junos OS Release 14.1X53-D20 for the OCX Series.
Description
Configure the RADIUS accounting server.
Options
server-address—Address of the RADIUS accounting server.
RELATED DOCUMENTATION
radius-options (System)
Syntax
radius-options {
attributes {
nas-id nas-id;
nas-ip-address ip-address;
}
enhanced-accounting;
password-protocol mschap-v2;
}
Hierarchy Level
[edit system]
Release Information
Statement introduced in Junos OS Release 8.3.
Statement introduced in Junos OS Release 9.0 for EX Series switches.
MS-CHAPv2 password protocol configuration option introduced in Junos OS Release 9.2.
MS-CHAPv2 password protocol configuration option introduced in Junos OS Release 9.2 for EX Series
switches.
Statement introduced in Junos OS Release 11.1 for the QFX Series.
Support for network access server (NAS) IPv6 address added in Junos OS Release 12.1X47-D15 for
SRX1500, SRX5400, SRX5600, and SRX5800 devices.
Statement introduced in Junos OS Release 14.1X53-D20 for OCX Series switches.
Description
Configure RADIUS options for the NAS-IP address for outgoing RADIUS packets and password protocol
used in RADIUS packets.
Options
enhanced-accounting—Configure audit of TACACS+ or RADIUS authentication events such as access
method, remote port, and access privileges.
nas-ip-address ip-address—IP address of the network access server (NAS) that requests user authentication.
RELATED DOCUMENTATION
radius-server
Syntax
radius-server server-address {
accounting-port port-number;
port number;
retry number;
secret password;
source-address source-address;
timeout seconds;
}
Hierarchy Level
[edit system]
Release Information
Statement introduced in Junos OS Release 14.1X53-D20 for OCX Series switches.
Statement introduced in Junos OS Release 11.1 for the QFX Series.
Description
Configure a RADIUS server for Point-to-Point Protocol (PPP).
To configure multiple RADIUS servers, include multiple radius-server statements. The servers are tried in
order and in a round-robin fashion until a valid response is received from one of the servers or until all the
configured retry limits are reached.
Options
server-address—Address of the RADIUS authentication server.
NOTE: The accounting-port and source-address options are not available on QFabric systems.
RELATED DOCUMENTATION
radius-server
Syntax
radius-server server-address {
accounting-port port-number;
max-outstanding-requests value;
port port-number;
retry value;
secret password;
source-address source-address;
timeout seconds;
}
Hierarchy Level
[edit system]
Release Information
Statement introduced in Junos OS Release 8.5. Support for IPv6 source address added in Junos OS Release
12.1X47-D15 for SRX1500, SRX5400, SRX5600, and SRX5800 devices.
Description
Configure the RADIUS server address for subscriber access management, Layer 2 Tunneling Protocol (L2TP),
or Point-to-Point Protocol (PPP).
To configure multiple RADIUS servers, include multiple radius-server statements. The servers are tried in
order and in a round-robin fashion until a valid response is received from one of the servers or until all the
configured retry limits are reached.
Options
• server-address—Address of the RADIUS server.
• accounting-port port-number—Default: 1813
• port port-number—Default: 1812
• retry value—Number of times that the router is allowed to attempt to contact a RADIUS server.
Range: 1 through 10
Default: 3
• secret password—Password to use; it can include spaces if the character string is enclosed in quotation
marks.
• source-address source-address—Valid IPv4 or IPv6 address configured on one of the router or switch
interfaces.
• timeout seconds—Default: 3 seconds
radius-server (System)
Syntax
radius-server {
server-address {
accounting-port port-number;
port number;
retry number;
routing-instance routing-instance-name;
secret password;
source-address source-address;
timeout seconds;
}
}
Hierarchy Level
[edit system]
Release Information
Statement introduced before Junos OS Release 7.4.
Description
Configure a RADIUS server for Point-to-Point Protocol (PPP).
To configure multiple RADIUS servers, include multiple radius-server statements. The servers are tried in
order and in a round-robin fashion until a valid response is received from one of the servers or until all the
configured retry limits are reached.
Options
server-address—Address of the RADIUS authentication server.
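The server-selection rule stated for both radius-server statements above (servers tried in order and round-robin until a valid response arrives or every retry limit is exhausted) has an operational consequence that the text leaves implicit: a login can hang for the sum of retry times timeout over all servers before the next method in authentication-order is consulted. The following Python model is an added example, not Junos code; RadiusServer, authenticate and worst_case_wait are our names. It assumes one attempt per server per pass through the list, cycling until retries run out, since the page does not spell out the exact interleaving. An Access-Reject counts as a valid response and ends the search; only silence moves on to the next server.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class RadiusServer:
    """Constructed stand-in for one radius-server entry (names are ours)."""
    address: str
    retry: int = 3       # retry: range 1 through 10, default 3
    timeout: int = 3     # timeout seconds, default 3

    def __post_init__(self) -> None:
        if not 1 <= self.retry <= 10:
            raise ValueError("retry must be 1 through 10")
        if self.timeout < 1:
            raise ValueError("timeout must be at least 1 second")


# Transport callback: True = Access-Accept, False = Access-Reject,
# None = no reply within the server's timeout.
Transport = Callable[[RadiusServer], Optional[bool]]


def worst_case_wait(servers: List[RadiusServer]) -> int:
    """Seconds a login can hang before every configured retry limit is used up."""
    return sum(s.retry * s.timeout for s in servers)


def authenticate(servers: List[RadiusServer],
                 send: Transport) -> Tuple[Optional[bool], List[Tuple[str, Optional[bool]]]]:
    """Try servers in order, round-robin, until one answers or retries run out.

    Assumption: one attempt per server per pass; a server whose retry count
    is exhausted is skipped on later passes. Returns (result, attempts), where
    result None means no server answered at all.
    """
    remaining = {s.address: s.retry for s in servers}
    attempts: List[Tuple[str, Optional[bool]]] = []
    while any(remaining.values()):
        for server in servers:
            if remaining[server.address] == 0:
                continue
            remaining[server.address] -= 1
            reply = send(server)
            attempts.append((server.address, reply))
            if reply is not None:          # accept or reject: search ends
                return reply, attempts
    return None, attempts
```

Two servers with retry 2/timeout 3 and retry 1/timeout 5 give a worst-case wait of 11 seconds; the attempt sequence when both stay silent is first, second, first, after which the caller falls through to the next authentication method.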
RELATED DOCUMENTATION
radsec
Syntax
radsec {
destination id-number {
address ip-address;
max-tx-buffers number;
id-reuse-timeout seconds;
port port-number;
source-address ip-address;
tls-certificate certificate-name;
tls-force-ciphers [medium | low];
tls-min-version [v1.1 | v1.2];
tls-peer-name x0.radsec.com;
tls-timeout seconds;
}
}
Hierarchy Level
[edit access]
Release Information
Statement introduced in Junos OS Release 19.1R1.
Description
Configure RADIUS over TLS, also known as RADSEC, to redirect regular RADIUS traffic to remote RADIUS
servers connected over TLS. The TLS connection provides encryption, authentication, and data integrity
for the exchange of RADIUS messages.
TLS relies on certificates and private-public key exchange pairs to secure the transmission of data between
the RADSEC client and server. The RADSEC destination uses local certificates that are dynamically acquired
from the Junos PKI infrastructure.
To enable RADSEC, you must specify the name of the local certificate. If a certificate is not available, or
if the certificate was revoked, the RADSEC destination attempts to retrieve it every 300 seconds.
Default
RADSEC is not enabled by default.
Options
source-address ip-address—Source IP address of the dynamic request.
id-reuse-timeout seconds—Response timeout after which the RADIUS ID field value can be reused.
Default: 120 seconds
tls-min-version [v1.1 | v1.2]—(Optional) Configure TLS version to limit the lowest supported versions of
TLS that are enabled for SSL connections.
Default: v1.2
RELATED DOCUMENTATION
radsec-destination
Syntax
radsec-destination id-number;
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 19.1R1 for EX Series switches.
Description
Configure a RADIUS over TLS (RADSEC) server as the destination for RADIUS traffic. The RADIUS traffic
is redirected from the RADIUS server to the RADSEC destination. You can redirect more than one RADIUS
server to the same RADSEC destination.
Options
id-number—The unique ID number for the RADSEC destination.
RELATED DOCUMENTATION
rate-limit
Syntax
rate-limit limit;
Hierarchy Level
Release Information
Statement introduced before Junos OS Release 7.4.
Statement introduced in Junos OS Release 9.0 for EX Series switches.
Statement introduced in Junos OS Release 14.1X53-D20 for OCX Series switches.
Statement introduced in Junos OS Release 11.1 for the QFX Series.
Description
Configure the maximum number of connection attempts per minute, per IP protocol (IPv4 or IPv6), on an
access service. For example, a rate limit of 10 allows 10 IPv6 Telnet session connection attempts per
minute and 10 IPv4 Telnet session connection attempts per minute.
Default
150 connections
Options
rate-limit limit—(Optional) Maximum number of connection attempts allowed per minute, per IP protocol
(either IPv4 or IPv6).
Range: 1 through 250
Default: 150
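As an added example, not part of the Junos OS documentation, the following Python class models the per-minute, per-IP-protocol limit described above so that the separate IPv4 and IPv6 budgets can be seen in action. The name ConnectionRateLimiter is ours. Two assumptions are made because the page does not state them: the one-minute window slides rather than resetting on a fixed boundary, and only admitted attempts count toward the limit.

```python
import ipaddress
from collections import deque
from typing import Deque, Dict


class ConnectionRateLimiter:
    """Constructed model of rate-limit: one budget per IP version per minute."""

    def __init__(self, limit: int = 150, window_seconds: float = 60.0) -> None:
        if not 1 <= limit <= 250:
            raise ValueError("rate-limit must be 1 through 250")
        self.limit = limit
        self.window = window_seconds
        # Timestamps of admitted attempts, one queue per IP protocol.
        self._windows: Dict[int, Deque[float]] = {4: deque(), 6: deque()}

    def allow(self, source: str, now: float) -> bool:
        """Return True if a connection attempt from `source` at time `now` is admitted."""
        family = ipaddress.ip_address(source).version   # 4 or 6
        window = self._windows[family]
        # Assumption: sliding window; discard attempts older than one minute.
        while window and now - window[0] >= self.window:
            window.popleft()
        if len(window) >= self.limit:
            return False            # this protocol's budget is spent
        window.append(now)
        return True

    def in_window(self, family: int) -> int:
        """Number of admitted attempts currently counted for IPv4 (4) or IPv6 (6)."""
        return len(self._windows[family])
```

With limit 2, a third IPv4 attempt inside the same minute is refused while an IPv6 attempt at the same instant is still admitted, and the IPv4 budget recovers once the earlier attempts age out of the window.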
RELATED DOCUMENTATION
Configuring clear-text or SSL Service for Junos XML Protocol Client Applications
regex-additive-logic
Syntax
regex-additive-logic;
Hierarchy Level
[edit system]
Release Information
Statement introduced in Junos OS Release 16.1.
Description
Enable additive logic (that is, deny all by default / allow some as specified) to be used in regular expressions.
This statement changes the behavior of existing regular expressions so that all configuration hierarchies
are denied by default and must be explicitly allowed using the allow-configuration-regexps statement.
For example, to grant users in a named user class access to a specific configuration hierarchy, but deny
access to all other configuration hierarchies, enable the regex-additive-logic statement and configure an
allow-configuration-regexps statement that includes the specific configuration hierarchy to which you
want to allow access. When a user logs in, only the specified configuration hierarchy is visible.
Default
By default, this statement is disabled; configuration hierarchies not explicitly denied with a
deny-configuration-regexps statement are visible to the user.
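Before enabling regex-additive-logic on a production class it is worth knowing exactly which hierarchies a user will lose, since the default flips from allow-all to deny-all. The following Python functions are an added example, not Junos code; visible_hierarchies and hidden_by_enabling_additive_logic are our names. Assumptions: each regular expression is matched against the full hierarchy path (Junos anchors its expressions, hence re.fullmatch), and the precedence between an allow and a deny that both match the same hierarchy is not modelled because the page does not state it.

```python
import re
from typing import Iterable, List


def visible_hierarchies(hierarchies: Iterable[str],
                        allow_configuration_regexps: List[str],
                        deny_configuration_regexps: List[str],
                        regex_additive_logic: bool) -> List[str]:
    """Return the configuration hierarchies a user of this class can see.

    regex_additive_logic=False: everything is visible unless a
    deny-configuration-regexps entry matches (the default on this page).
    regex_additive_logic=True: everything is hidden unless an
    allow-configuration-regexps entry matches.
    """
    allow = [re.compile(p) for p in allow_configuration_regexps]
    deny = [re.compile(p) for p in deny_configuration_regexps]
    visible = []
    for path in hierarchies:
        if regex_additive_logic:
            # Deny all by default / allow some as specified.
            ok = any(r.fullmatch(path) for r in allow)
        else:
            # Allow all by default / deny some as specified.
            ok = not any(r.fullmatch(path) for r in deny)
        if ok:
            visible.append(path)
    return visible


def hidden_by_enabling_additive_logic(hierarchies: Iterable[str],
                                      allow_configuration_regexps: List[str],
                                      deny_configuration_regexps: List[str]) -> List[str]:
    """Hierarchies a class would lose if regex-additive-logic were turned on (pre-change check)."""
    paths = list(hierarchies)
    before = set(visible_hierarchies(paths, allow_configuration_regexps,
                                     deny_configuration_regexps, False))
    after = set(visible_hierarchies(paths, allow_configuration_regexps,
                                    deny_configuration_regexps, True))
    return sorted(before - after)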
RELATED DOCUMENTATION
Example: Configuring User Permissions with Access Privileges for Configuration Statements and
Hierarchies | 126
Example: Using Additive Logic With Regular Expressions to Specify Access Privileges | 108
Regular Expressions for Allowing and Denying Junos OS Operational Mode Commands, Configuration
Statements, and Hierarchies | 94
class | 1089
user | 1326
remote-debug-permission
Syntax
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 14.1X53-D20 for OCX Series switches.
Statement introduced in Junos OS Release 11.3 for the QFX Series.
Description
(QFabric systems only) Configure authentication classes that permit or deny user access to individual
components of the QFabric system.
Default
qfabric-user
Options
qfabric-admin—Permits a user to log in to individual QFabric system components, view operations, and
change component configurations.
qfabric-operator—Permits a user to log in to individual QFabric system components and view component
operations.
RELATED DOCUMENTATION
retry
Syntax
retry number;
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 14.1X53-D20 for OCX Series switches.
Statement introduced in Junos OS Release 11.1 for the QFX Series.
Description
Number of times the router or switch is allowed to try to contact a RADIUS authentication or accounting
server.
Options
number—Number of retries allowed for contacting a RADIUS server.
Range: 1 through 10
Default: 3
NOTE: The [edit system accounting] hierarchy is not available on QFabric systems.
RELATED DOCUMENTATION
retry (RADIUS)
Syntax
retry number;
Hierarchy Level
Release Information
Statement introduced before Junos OS Release 7.4.
Statement introduced in Junos OS Release 9.0 for EX Series switches.
Description
Number of times the router or switch is allowed to try to contact a RADIUS authentication or accounting
server.
Options
number—Number of retries allowed for contacting a RADIUS server.
Range: 1 through 10
Default: 3
RELATED DOCUMENTATION
retry-options
Syntax
retry-options {
backoff-factor seconds;
backoff-threshold number;
lockout-period minutes;
maximum-time seconds;
minimum-time seconds;
tries-before-disconnect number;
}
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 8.0.
Statement introduced in Junos OS Release 9.0 for EX Series switches.
maximum-time option introduced in Junos OS Release 9.6.
Statement introduced in Junos OS Release 11.1 for the QFX Series.
lockout-period option introduced in Junos OS Release 11.2.
Statement introduced in Junos OS Release 14.1X53-D20 for the OCX Series.
Description
Limit the number of times a user can attempt to log in through SSH or Telnet before being disconnected.
Options
backoff-factor seconds—Length of delay in seconds after each failed login attempt. The length of delay
increases by this value for each subsequent failed login attempt after the value specified in the
backoff-threshold option.
Default: 5
Range: 5 through 10
backoff-threshold number—Threshold for the number of failed login attempts before the user experiences
a delay when attempting to log in again. Use the backoff-factor option to specify the length of delay,
in seconds.
Default: 2
Range: 1 through 3
lockout-period minutes—Amount of time before the user can attempt to log in to the device after being
locked out. The user is locked out when the number of failed login attempts specified in the
tries-before-disconnect option is reached.
Range: 1 through 43200
maximum-time seconds—Maximum length of time that the connection remains open for the user to enter
a username and password to log in. If the user remains idle and does not enter a username and password
within the time period configured with this option, the connection is closed.
Default: 120
Range: 20 through 300
minimum-time seconds—Minimum length of time that the connection remains open while the user is
attempting to enter a username and password to log in.
Default: 20
Range: 20 through 60
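The interaction of backoff-threshold, backoff-factor, tries-before-disconnect and lockout-period is easier to reason about as a small state machine. The following Python model is an added example, not Junos code; RetryOptions, FailureOutcome and LoginThrottle are our names. Assumptions: the delay imposed after failed attempt n of a connection is backoff-factor * (n - backoff-threshold + 1) once n reaches backoff-threshold (so with the defaults the second failure waits 5 seconds and the third 10), the failure counter is per connection while the lockout is per user, and tries-before-disconnect, whose default is not given on this page, must be supplied explicitly.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class RetryOptions:
    """Constructed mirror of the retry-options values; ranges are those on this page."""
    tries_before_disconnect: int           # no default stated on this page
    backoff_factor: int = 5                # seconds, range 5 through 10
    backoff_threshold: int = 2             # failed attempts, range 1 through 3
    lockout_period: Optional[int] = None   # minutes, range 1 through 43200

    def __post_init__(self) -> None:
        if not 5 <= self.backoff_factor <= 10:
            raise ValueError("backoff-factor must be 5 through 10")
        if not 1 <= self.backoff_threshold <= 3:
            raise ValueError("backoff-threshold must be 1 through 3")
        if self.lockout_period is not None and not 1 <= self.lockout_period <= 43200:
            raise ValueError("lockout-period must be 1 through 43200")
        if self.tries_before_disconnect < 1:
            raise ValueError("tries-before-disconnect must be at least 1")


@dataclass
class FailureOutcome:
    delay_seconds: int            # pause before the next prompt on this connection
    disconnect: bool              # connection is closed after this failure
    locked_until: Optional[float]  # absolute time the user may log in again, if any


class LoginThrottle:
    """Tracks failed SSH/Telnet login attempts per connection and lockouts per user."""

    def __init__(self, options: RetryOptions) -> None:
        self.options = options
        self._failures: Dict[str, int] = {}        # connection id -> failed attempts
        self._locked_until: Dict[str, float] = {}  # user -> lockout expiry

    def delay_after(self, failures: int) -> int:
        # Assumption: delay grows by backoff-factor for every failure at or
        # beyond backoff-threshold.
        o = self.options
        if failures < o.backoff_threshold:
            return 0
        return o.backoff_factor * (failures - o.backoff_threshold + 1)

    def is_locked(self, user: str, now: float) -> bool:
        until = self._locked_until.get(user)
        return until is not None and now < until

    def record_failure(self, connection: str, user: str, now: float) -> FailureOutcome:
        n = self._failures.get(connection, 0) + 1
        self._failures[connection] = n
        disconnect = n >= self.options.tries_before_disconnect
        locked_until = None
        if disconnect:
            del self._failures[connection]          # counter dies with the connection
            if self.options.lockout_period is not None:
                locked_until = now + self.options.lockout_period * 60
                self._locked_until[user] = locked_until
        return FailureOutcome(self.delay_after(n), disconnect, locked_until)
```

With the page defaults plus tries-before-disconnect 3 and lockout-period 10, the three failures on one connection yield delays of 0, 5 and 10 seconds, the third failure closes the connection, and the user stays locked out for 600 seconds from that moment.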
RELATED DOCUMENTATION
Limiting the Number of User Login Attempts for SSH and Telnet Sessions | 50
rate-limit | 1237
revert-interval (Access)
Syntax
revert-interval interval;
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 9.1.
Statement introduced in Junos OS Release 9.1 for EX Series switches.
Description
Configure the amount of time the router or switch waits after a server has become unreachable. The router
or switch rechecks the connection to the server when the specified interval expires. If the server is then
reachable, it is used in accordance with the order of the server list.
Options
interval—Amount of time to wait.
Range: 0 through 604,800 seconds
Default: 60 seconds
RELATED DOCUMENTATION
root-authentication
Syntax
root-authentication {
encrypted-password "password";
no-public-keys;
ssh-ecdsa name {
from from;
}
ssh-ed25519 name {
from from;
}
ssh-rsa name {
from from;
}
}
Hierarchy Level
[edit system]
Release Information
Statement introduced before Junos OS Release 7.4.
Statement introduced in Junos OS Release 8.5 for SRX Series.
Statement introduced in Junos OS Release 9.0 for EX Series switches.
Statement introduced in Junos OS Release 11.1 for the QFX Series.
Statement introduced in Junos OS Release 14.1X53-D20 for the OCX Series.
Description
Configure the authentication methods for the root-level user, whose username is root.
You can use the ssh-ecdsa, ssh-ed25519, or ssh-rsa statements to directly configure SSH ECDSA, ED25519,
or RSA keys to authenticate root logins. You can configure more than one public key for SSH authentication
of root logins as well as for user accounts. When a user logs in as root, the public keys are referenced to
determine whether the private key matches any of them.
Options
encrypted-password "password"—Specify the MD5 or other password. You can specify only one encrypted
password. You cannot configure a blank password using empty quotation marks (" "). The password
must be 1 through 128 characters long and must be enclosed in quotation marks.
ssh-ecdsa name from from—Use an SSH ECDSA public key. You can specify one or more public keys.
ssh-ed25519 name from from—Use an SSH ED25519 public key. You can specify one or more public keys.
ssh-rsa name from from—Use an SSH RSA public key. You can specify one or more public keys.
RELATED DOCUMENTATION
routing-engine-profile
Syntax
routing-engine-profile profile-name {
fields {
field-name;
}
file filename;
interval minutes;
}
Hierarchy Level
[edit accounting-options]
Release Information
Statement introduced before Junos OS Release 7.4.
Statement introduced in Junos OS Release 9.0 for EX Series switches.
Description
Create a Routing Engine profile to collect selected Routing Engine statistics and write them to a file in the
/var/log directory.
Options
profile-name—Name of the Routing Engine statistics profile.
RELATED DOCUMENTATION
routing-instance
Syntax
routing-instance {
instance-name {
bridge-domain bridge-domain-name;
}
vlan (vlan-id | vlan-name);
}
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 14.1.
Description
Configure a routing instance.
Options
instance-name—Name of the routing instance.
RELATED DOCUMENTATION
routing-instance routing-instance;
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 17.4R1.
In Junos OS Release 18.1R1, the statement became valid at additional hierarchy levels that do not share
a common parent: [edit system accounting destination radius server server-address] and [edit system
radius-server server-address].
Description
Configure the routing instance name for the management routing instance, that is mgmt_junos. Configuring
this parameter along with the management-instance statement enables authentication processes (for
example, RADIUS and TACACS+) to use the non-default management routing instance for packet traffic.
NOTE: You must also define the mgmt_junos routing instance under the [edit routing-instances]
hierarchy level.
If you do not configure the mgmt_junos instance under the [edit routing-instances] hierarchy level and
configure it only under tacplus-server or radius-server, the commit fails.
Options
routing-instance—Specify the name of the routing instance. In the case of configuring the non-default
management instance, use the value mgmt_junos.
RELATED DOCUMENTATION
management-instance
Management Interface in a Nondefault Instance
secret password;
Hierarchy Level
Release Information
Statement introduced before Junos OS Release 7.4.
Statement introduced in Junos OS Release 9.0 for EX Series switches.
Statement introduced in Junos OS Release 11.1 for the QFX Series.
Statement introduced in Junos OS Release 14.1X53-D20 for the OCX Series.
Description
Configure the password to use with the RADIUS or TACACS+ server. The secret password used by the
local router or switch must match that used by the server.
NOTE: To ensure better security, we recommend you configure the TACACS+ secret password
with a minimum of 14 characters.
Options
password—Password to use; it can include spaces if the character string is enclosed in quotation marks.
RELATED DOCUMENTATION
server (NTP)
Syntax
Hierarchy Level
Release Information
Statement introduced before Junos OS Release 7.4.
Description
For NTP, configure the SRX Series device to operate in client mode with the remote system at the specified
address. In this mode, the SRX Series device can be synchronized with the remote system, but the remote
system can never be synchronized with the SRX Series device.
If the NTP client time drifts so that the difference in time from the NTP server exceeds 128 milliseconds,
the client is automatically stepped back into synchronization. If the offset between the NTP client and
server exceeds the 1000-second threshold, the client still synchronizes with the server, but it also generates
a system log message noting that the threshold was exceeded.
Options
address—Address of the remote system. You must specify an address, not a hostname.
key key-number—(Optional) Use the specified key number to encrypt authentication fields in all packets
sent to the specified address.
Range: Any unsigned 32-bit integer
prefer—(Optional) Mark the remote system as the preferred host, which means that if all other things are
equal, this remote system is chosen for synchronization among a set of correctly operating systems.
version value—(Optional) Specify the version number to be used in outgoing NTP packets.
Range: 1 through 4
Default: 4
RELATED DOCUMENTATION
ntp | 1202
Hierarchy Level
Release Information
Statement introduced before Junos OS Release 7.4.
Statement introduced in Junos OS Release 9.0 for EX Series switches.
Statement introduced for port helpers in Junos OS Release 17.2R1 for EX4300 switches.
Support for multiple server instances for a given port introduced in Junos OS Release 17.2 for MX Series
routers.
Support for multiple server instances for a given port introduced in Junos OS Release 17.3R1 for EX9200
switches.
Description
Specify the DNS or TFTP server for forwarding DNS or TFTP requests, or specify a destination server
address for forwarding LAN broadcast packets as unicast traffic for a custom-configured UDP port.
When configuring port helpers, in releases prior to Junos OS Release 17.2, only one server can be specified
for a given port. For Junos OS Release 17.2 and later, multiple servers can be specified for a given port at
the global or interface-specific level. When multiple servers are specified, the same packet, with the
originator IP address and port requests, is forwarded to the different configured servers; the payload of
the UDP packet is not modified.
Options
address—IP address of the server.
routing-instance [ routing-instance-names ]—(Optional) Set the routing instance name or names that belong
to the DNS server or TFTP server.
RELATED DOCUMENTATION
server {
server-address {
accounting-port port-number;
retry number;
routing-instance routing-instance;
secret password;
source-address address;
timeout seconds;
}
}
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 7.4.
Statement introduced in Junos OS Release 9.0 for EX Series switches.
Support for the source-address-inet6 statement introduced in Junos OS Release 14.1X53-D10 for EX
Series switches.
Description
Configure RADIUS logging.
RELATED DOCUMENTATION
server {
server-address {
port port-number;
routing-instance routing-instance;
secret password;
single-connection;
timeout seconds;
}
}
Hierarchy Level
Release Information
Statement introduced before Junos OS Release 7.4.
Statement introduced in Junos OS Release 9.0 for EX Series switches.
routing-instance option introduced in Junos OS Release 17.4R1.
Description
Configure TACACS+ logging.
RELATED DOCUMENTATION
server-reject-bridge-domain | server-reject-vlan
Syntax
Hierarchy Level
Release Information
server-reject-vlan introduced in Junos OS Release 9.3 for EX Series.
block-interval introduced in Junos OS Release 11.2 for EX Series.
server-reject-vlan introduced in Junos OS Release 14.2 for MX240, MX480, and MX960 routers in
enhanced LAN mode.
Description
For a device configured for 802.1X authentication, specify that when the device receives an Extensible
Authentication Protocol Over LAN (EAPoL) Access-Reject message during the authentication process
between the device and the RADIUS authentication server, supplicants attempting to access the LAN are
granted access and moved to a specific bridge domain or VLAN. Any bridge domain, VLAN name or VLAN
ID sent by a RADIUS server as part of the EAPoL Access-Reject message is ignored.
When you specify the bridge domain, VLAN ID, or VLAN name, bridge domain or VLAN must already be
configured on the device.
Default
None
Options
server-reject-bridge-domain bridge-domain—(MX Series only) Move the supplicant on the interface to the
bridge domain specified by this name or numeric identifier.
server-reject-vlan (vlan-id | vlan-name)—(MX Series in enhanced LAN mode, EX, QFX, and SRX Series only)
Move the supplicant on the interface to the VLAN specified by this name or numeric identifier.
block-interval seconds—Specify the number of seconds that the 802.1X interface ignores Extensible
Authentication Protocol (EAP) start messages from the client when an EAPoL block has been enabled
on the 802.1X interface.
The remaining statements are explained separately. Search for a statement in CLI Explorer or click a linked
statement in the Syntax section for details.
RELATED DOCUMENTATION
servers
Syntax
servers server-address {
port port-number;
}
Hierarchy Level
Release Information
Statement introduced before Junos OS Release 7.4.
Statement introduced in Junos OS Release 9.0 for EX Series switches.
Description
Configure an IPv4 address for the Session and Resource Control (SRC) server.
Options
server-address—IPv4 address of the SRC server.
port port-number—The TCP port number for the SRC server.
Default: 3333
RELATED DOCUMENTATION
service {
accounting-order (activation-protocol | local | radius);
accounting {
statistics (time | volume-time);
update-interval minutes;
}
}
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 11.4.
Statement introduced in Junos OS Release 13.2X50-D10 for EX Series switches.
accounting, update-interval, and statistics options added in Junos OS Release 14.2R1 for MX Series
routers.
Description
Define the subscriber service accounting configuration.
The remaining statements are explained separately. Search for a statement in CLI Explorer or click a linked
statement in the Syntax section for details.
RELATED DOCUMENTATION
service-deployment
Syntax
service-deployment {
servers server-address {
port port-number;
}
source-address source-address;
}
Hierarchy Level
Release Information
Statement introduced before Junos OS Release 7.4.
Statement introduced in Junos OS Release 9.0 for EX Series switches.
Description
Enable Junos OS to work with the Session and Resource Control (SRC) software.
RELATED DOCUMENTATION
services (Switches)
Syntax
services {
service-deployment {
servers address {
port-number port-number;
}
source-address address;
}
ssh {
connection-limit limit;
protocol-version [v1 v2];
rate-limit limit;
root-login (allow | deny | deny-password);
}
}
Hierarchy Level
[edit system]
Release Information
Statement introduced in Junos OS Release 14.1X53-D20 for OCX Series switches.
Statement introduced in Junos OS Release 11.1 for the QFX Series.
Description
Configure the switch so that users on remote systems can access the local switch through SSH.
session {
idle-timeout minutes;
session-limit number of sessions;
}
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 8.3.
Statement introduced in Junos OS Release 9.0 for EX Series switches.
Description
Configure limits for the number of minutes a session can be idle before it times out, and configure the
number of simultaneous J-Web user login sessions.
Options
idle-timeout minutes—Configure the number of minutes a session can be idle before it times out.
Range: 1 through 1440 minutes
Default: 1440 minutes
session-limit number of sessions—Configure the maximum number of simultaneous J-Web user login
sessions.
Range: 1 through 1024 sessions
Default: Unlimited
RELATED DOCUMENTATION
single-connection
Syntax
single-connection;
Hierarchy Level
Release Information
Statement introduced before Junos OS Release 7.4.
Statement introduced in Junos OS Release 8.5 for SRX Series.
Statement introduced in Junos OS Release 9.0 for EX Series switches.
Description
Optimize attempts to connect to a TACACS+ server. The software maintains one open TCP connection
to the server for multiple requests rather than opening a connection for each connection attempt.
RELATED DOCUMENTATION
sip-server
Syntax
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 10.1 for EX Series switches.
Description
Configure Session Initiation Protocol (SIP) server addresses or names for DHCP servers.
Options
address—IPv4 address of the SIP server. To configure multiple SIP servers, include multiple address options.
This address must be accessible by all clients served within a specified range of addresses (based on an
address pool or static binding).
name—Fully qualified domain name of the SIP server. To configure multiple SIP servers, include multiple
name options. This domain name must be accessible by all clients served within a specified range of
addresses (based on an address pool or static binding).
RELATED DOCUMENTATION
Hierarchy Level
Release Information
Statement introduced before Junos OS Release 7.4.
Description
Specify a source address for each configured IPv4 or IPv6 TACACS+ server, RADIUS server, NTP server,
or the source address to record in system log messages that are directed to a remote machine.
Options
source-address—A valid IP address configured on one of the router or switch interfaces. For system logging,
the address is recorded as the message source in messages sent to the remote machines specified in all
host hostname statements at the [edit system syslog] hierarchy level, but not for messages directed to the
other Routing Engine.
routing-instance routing-instance-name—(Optional) The routing instance name in which the source address
is defined.
Default: The primary address of the interface
RELATED DOCUMENTATION
ntp | 1202
source-address source-address;
Hierarchy Level
Release Information
Statement introduced before Junos OS Release 7.4.
Statement introduced in Junos OS Release 9.0 for EX Series switches.
Description
Enable Junos OS to work with the Session and Resource Control (SRC) software.
Options
source-address—Local IPv4 address to be used as source address for traffic to the SRC server. The source
address restricts traffic within the out-of-band network.
RELATED DOCUMENTATION
ssh {
authentication-order [method 1 method2...];
authorized-keys-command authorized-keys-command;
authorized-keys-command-user authorized-keys-command-user;
ciphers [ cipher-1 cipher-2 cipher-3 ...];
client-alive-count-max number;
client-alive-interval seconds;
connection-limit limit;
fingerprint-hash (md5 | sha2-256);
hostkey-algorithm (algorithm | no-algorithm);
key-exchange [algorithm1 algorithm2...];
log-key-changes log-key-changes;
macs [algorithm1 algorithm2...];
max-pre-authentication-packets number;
max-sessions-per-connection number;
no-challenge-response;
no-password-authentication;
no-passwords;
no-public-keys;
( no-tcp-forwarding | tcp-forwarding );
port port-number;
protocol-version [v2];
rate-limit number;
rekey {
data-limit bytes;
time-limit minutes;
}
root-login (allow | deny | deny-password);
sftp-server;
}
Hierarchy Level
Release Information
Statement introduced before Junos OS Release 7.4.
Statement introduced in Junos OS Release 9.0 for EX Series switches.
Statement introduced in Junos OS Release 11.1 for the QFX Series.
ciphers, hostkey-algorithm, key-exchange, and macs statements introduced in Junos OS Release 11.2.
max-sessions-per-connection and no-tcp-forwarding statements introduced in Junos OS Release 11.4.
SHA-2 options introduced in Junos OS Release 12.1.
Support for the curve25519-sha256 option on the key-exchange statement added in Junos OS Release
12.1X47-D10.
client-alive-interval and client-alive-count-max statements introduced in Junos OS Release 12.2.
max-pre-authentication-packets statement introduced in Junos OS Release 12.3X48-D10.
no-passwords statement introduced in Junos OS Release 13.3.
Statement introduced in Junos OS Release 14.1X53-D20 for OCX Series switches.
no-public-keys statement introduced in Junos OS release 15.1.
tcp-forwarding statement introduced in Junos OS Release 15.1X53-D50 for the NFX250 Network Services
Platform.
fingerprint-hash statement introduced in Junos OS Release 16.1.
log-key-changes statement introduced in Junos OS Release 17.4R1.
sftp-server statement introduced in Junos OS Release 19.1R1.
no-challenge-response and no-password-authentication statements introduced in Junos OS Release
19.4R1.
Description
Allow SSH requests from remote systems to access the local device.
Options
authentication-order [method1 method2...]—Configure the order in which the software tries different user
authentication methods when attempting to authenticate a user. For each login attempt, the software
tries the authentication methods in order, starting with the first one, until the password matches.
Default: If you do not include the authentication-order statement, users are verified based on their
configured passwords.
Syntax: Specify one or more of the following authentication methods listed in the order in which they
must be tried:
• password—Use the password configured for the user with the authentication statement at the [edit
system login user] hierarchy level.
ciphers [ cipher-1 cipher-2 cipher-3 ...]—Specify the set of ciphers the SSH server can use to perform
encryption and decryption functions.
NOTE: Ciphers represent a set. To configure SSH ciphers use the set command as shown in
the following example:
client-alive-count-max number—Configure the number of client alive messages that can be sent without
sshd receiving any messages back from the client. If this threshold is reached while client alive messages
are being sent, sshd will disconnect the client, terminating the session. Client alive messages are sent
through the encrypted channel. Use in conjunction with the client-alive-interval statement to disconnect
unresponsive SSH clients.
Default: 3 messages
Range: 0 through 255 messages
client-alive-interval seconds—Configure a timeout interval in seconds, after which if no data has been
received from the client, sshd will send a message through the encrypted channel to request a response
from the client. This option applies to SSH protocol version 2 only. Use in conjunction with the
client-alive-count-max statement to disconnect unresponsive SSH clients.
Default: 0 seconds
Range: 1 through 65535 seconds
fingerprint-hash (md5 | sha2-256)—Specify the hash algorithm used by the SSH server when it displays
key fingerprints.
NOTE: The FIPS image does not permit the use of MD5 fingerprints. On systems in FIPS mode,
sha2-256 is the only available option.
Default: sha2-256
log-key-changes log-key-changes—Enable Junos OS to log the authorized SSH keys. When the
log-key-changes statement is configured and committed, Junos OS logs the changes to the set of
authorized SSH keys for each user (including the keys that were added or removed). Junos OS logs
the differences since the last time the log-key-changes statement was configured. If the log-key-changes
statement was never configured, then Junos OS logs all the authorized SSH keys.
Default: Junos OS logs all the authorized SSH keys.
macs [algorithm1 algorithm2...]—Specify the set of message authentication code (MAC) algorithms that
the SSH server can use to authenticate messages.
NOTE: The macs configuration statement represents a set. Therefore, it must be configured
as follows:
Values: Specify one or more of the following MAC algorithms to authenticate messages:
• hmac-md5—Hash-based MAC using Message-Digest 5 (MD5)
max-sessions-per-connection number—Specify the maximum number of ssh sessions allowed per single
SSH connection.
Range: 1 through 65535 sessions
Default: 10 sessions
NOTE: Configuring this statement under the [edit system services ssh] hierarchy affects both
the SSH login service and the NETCONF over SSH service.
no-public-keys—Disable public key authentication system wide. If you specify the no-public-keys statement
at the [edit system login user user-name authentication] hierarchy level, you disable public key
authentication for a specific user.
no-tcp-forwarding—Prevent a user from creating an SSH tunnel over a CLI session to a device via SSH.
This type of tunnel could be used to forward TCP traffic, bypassing any firewall filters or ACLs, allowing
access to resources beyond the device.
NOTE: This statement applies only to new SSH sessions and has no effect on existing SSH
sessions.
port port-number—Specify the port number on which to accept incoming SSH connections.
Default: 22
Range: 1 through 65535
Starting in Junos OS Release 19.3R1 and Junos OS Release 18.3R3, on all SRX Series devices, we’ve
removed the nonsecure SSH protocol version 1 (v1) option from the [edit system services ssh
protocol-version] hierarchy level. You can use the SSH protocol version 2 (v2) as the default option
to remotely manage systems and applications. With the v1 option deprecated, Junos OS is compatible
with OpenSSH 7.4 and later versions.
Junos OS releases before 19.3R1 and 18.3R3 continue to support the v1 option to remotely manage
systems and applications.
Default: v2—SSH protocol version 2 is the default, introduced in Junos OS Release 11.4.
rate-limit number—Configure the maximum number of connection attempts per minute, per protocol
(either IPv6 or IPv4) on an access service. For example, a rate limit of 10 allows 10 IPv6 SSH session
connection attempts per minute and 10 IPv4 SSH session connection attempts per minute.
Range: 1 through 250 connections
Default: 150 connections
data-limit bytes—Specify the data limit before renegotiating the session keys.
time-limit minutes—Specify the time limit before renegotiating the session keys.
Range: 1 through 1440 minutes
• deny-password—Allow users to log in to the device as root through SSH when the authentication
method (for example, RSA authentication) does not require a password.
Default: deny-password is the default for most systems. Starting in Junos OS Release 17.4R1 for MX Series
routers, the default for root-login is deny. In previous Junos OS releases, the default setting for the
MX240, MX480, MX960, MX2010, and MX2020 was allow.
sftp-server—Globally enable incoming SSH File Transfer Protocol (SFTP) connections. By configuring the
sftp-server statement, you enable authorized devices to connect to the device through SFTP. If the
sftp-server statement is not present in the configuration, then SFTP is globally disabled and no devices
can connect to the device through SFTP.
tcp-forwarding—Enable a user to create an SSH tunnel over a CLI session to a disaggregated Junos OS
platform by using SSH.
The remaining statements are explained separately. Search for a statement in CLI Explorer or click a linked
statement in the Syntax section for details.
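As an added example (not Juniper's code), the following Python script audits an ssh stanza against the options described above. It reads constructed `set system services ssh ...` lines of the kind `show configuration | display set` prints and flags protocol-version v1, root-login allow, hmac-md5 MACs, md5 fingerprints, and a missing no-tcp-forwarding, rate-limit, connection-limit or client-alive-interval; the cipher and MAC names in the sample are assumed valid values for the device.

```python
"""Audit a Junos OS [edit system services ssh] stanza for weak settings.

Added example, not Juniper's code. Input is the `set` form of the
configuration (as printed by `show configuration | display set`); the
sample lines below are constructed. Every check maps to an option
documented for the ssh statement: protocol-version (v1 is the nonsecure
option), root-login, macs (hmac-md5), fingerprint-hash (md5 is not
permitted in FIPS mode), no-tcp-forwarding, rate-limit (1 through 250,
default 150), connection-limit and client-alive-interval (default 0).
"""
import re
from typing import Dict, List

PREFIX = "set system services ssh "


def parse_ssh_set_lines(lines: List[str]) -> Dict[str, List[str]]:
    """Map each statement under [edit system services ssh] to its values.

    Set-valued statements (ciphers, macs, key-exchange, protocol-version)
    may be written once with brackets, `macs [ a b ]`, or once per value;
    both forms end up in the same list. Flag statements map to [].
    """
    conf: Dict[str, List[str]] = {}
    for raw in lines:
        line = raw.strip()
        if not line.startswith(PREFIX):
            continue
        match = re.match(r"(\S+)\s*(.*)", line[len(PREFIX):])
        if not match:
            continue
        statement, value = match.group(1), match.group(2)
        conf.setdefault(statement, []).extend(value.strip("[] ").split())
    return conf


def audit_ssh(conf: Dict[str, List[str]]) -> List[str]:
    """Return one finding per weak or missing setting; [] means clean."""
    findings: List[str] = []
    if "v1" in (conf.get("protocol-version") or ["v2"]):
        findings.append("protocol-version includes v1 (nonsecure; removed "
                        "from SRX Series in 19.3R1 and 18.3R3)")
    # allow lets root authenticate over SSH with a password; the
    # reference defaults to deny-password (deny on MX Series from 17.4R1).
    if (conf.get("root-login") or ["deny-password"])[0] == "allow":
        findings.append("root-login allow: use deny or deny-password")
    if "hmac-md5" in conf.get("macs", []):
        findings.append("macs includes hmac-md5 (MD5-based MAC)")
    if (conf.get("fingerprint-hash") or ["sha2-256"])[0] == "md5":
        findings.append("fingerprint-hash md5 (not permitted in FIPS mode)")
    # SSH tunnels over a CLI session bypass firewall filters and ACLs.
    if "no-tcp-forwarding" not in conf:
        findings.append("no-tcp-forwarding not configured")
    rate = conf.get("rate-limit")
    if not rate:
        findings.append("rate-limit not set (default 150 attempts/min per "
                        "address family)")
    elif not 1 <= int(rate[0]) <= 250:
        findings.append(f"rate-limit {rate[0]} outside range 1-250")
    if "connection-limit" not in conf:
        findings.append("connection-limit not set")
    # client-alive-interval defaults to 0, so unresponsive clients are
    # never probed and disconnected.
    if "client-alive-interval" not in conf:
        findings.append("client-alive-interval not set (default 0 disables "
                        "liveness probes)")
    return findings


# Constructed sample input: a weak stanza and a hardened one.
WEAK_SSH = [
    "set system services ssh protocol-version [ v1 v2 ]",
    "set system services ssh root-login allow",
    "set system services ssh macs [ hmac-md5 hmac-sha2-256 ]",
    "set system services ssh fingerprint-hash md5",
]
HARDENED_SSH = [
    "set system services ssh protocol-version v2",
    "set system services ssh root-login deny",
    "set system services ssh macs [ hmac-sha2-256 hmac-sha2-512 ]",
    "set system services ssh key-exchange curve25519-sha256",
    "set system services ssh fingerprint-hash sha2-256",
    "set system services ssh no-tcp-forwarding",
    "set system services ssh rate-limit 10",
    "set system services ssh connection-limit 5",
    "set system services ssh client-alive-interval 300",
    "set system services ssh client-alive-count-max 3",
]

if __name__ == "__main__":
    for name, lines in (("weak", WEAK_SSH), ("hardened", HARDENED_SSH)):
        result = audit_ssh(parse_ssh_set_lines(lines))
        print(f"{name}: {result or 'no findings'}")
```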
RELATED DOCUMENTATION
Configuring SSH Service for Remote Access to the Router or Switch | 257
Junos OS User Authentication Methods | 172
Configuring clear-text or SSL Service for Junos XML Protocol Client Applications
Configuring SSH Service for Remote Access to the Disaggregated Junos OS Platform
ssh-known-hosts
Syntax
ssh-known-hosts {
host host-name {
fetch-from-server host-name;
load-key-file file-name;
}
}
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 11.1 for the QFX Series.
Statement introduced in Junos OS Release 14.1X53-D20 for the OCX Series.
Description
Configure SSH support for known hosts and for administering SSH host key updates.
Options
host host-name—Hostname of the SSH known host entry. This option has the following suboptions:
• fetch-from-server host-name—Retrieve SSH public host key information from a specified server.
• load-key-file filename—Import SSH host key information from the /var/tmp/ssh-known-hosts file.
RELATED DOCUMENTATION
ssh-known-hosts
Syntax
ssh-known-hosts {
fetch-from-server server-name;
host hostname {
dsa-key dsa-key;
ecdsa-sha2-nistp256-key ecdsa-sha2-nistp256-key;
ecdsa-sha2-nistp384-key ecdsa-sha2-nistp384-key;
ecdsa-sha2-nistp521-key ecdsa-sha2-nistp521-key;
ed25519-key ed25519-key;
rsa-key rsa-key;
rsa1-key rsa1-key;
}
load-key-file key-file;
}
Hierarchy Level
[edit security]
Release Information
Statement modified in Junos OS Release 8.5.
Description
Configure SSH support for known hosts and for administering SSH host key updates.
Options
• fetch-from-server server-name—Retrieve SSH public host key information from a specified server.
RELATED DOCUMENTATION
ssl-renegotiation
Syntax
ssl-renegotiation;
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 13.3.
Description
Enable SSL re-negotiation for xnm-ssl service.
Default
SSL re-negotiation for xnm-ssl service is disabled by default.
RELATED DOCUMENTATION
Configuring clear-text or SSL Service for Junos XML Protocol Client Applications
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 7.6.
Statement introduced in Junos OS Release 9.0 for EX Series switches.
Support for the BFD protocol introduced in Junos OS Release 9.6.
Support for the BFD protocol introduced in Junos OS Release 9.6 for EX Series switches.
Support for IS-IS introduced in Junos OS Release 11.2.
Statement introduced in Junos OS Release 11.3 for QFX Series switches.
Statement introduced in Junos OS Release 14.1X53-D20 for the OCX Series.
Description
Specify a start time for key transmission. You do not need to specify an end time for the key. If a new key
is present with a new start time, the keychain rolls over to the new one. The start time must be unique
within the keychain.
Options
now—Start time as the current year, month, day, hour, minute, and second.
daydays—Start time as the specified number of days after the current day. For example, if the current day
is the 12th and you configure start-time 2day, the start time will be on the 14th, exactly two days after
the configuration is entered.
hourhours—Start time as the specified number of hours after the current hour. For example, if the current
hour is 9:00 and you configure start-time 3hour, the start time will be 12:00, exactly three hours after
the configuration is entered.
minuteminutes—Start time as the specified number of minutes after the current minute. For example, if
the current minute is 27 minutes after the hour and you configure start-time 5min, the start time will be
32 minutes after the hour, exactly five minutes after the configuration is entered.
monthmonths—Start time as the specified number of months after the current month. For example, if the
current month is March and you configure start-time 4month, the start time will be in July, exactly four
months after the configuration is entered.
secondseconds—Start time as the specified number of seconds after the current second. For example, if
the current time is 10:20:40 and you configure start-time 10seconds, the start time will be 10:20:50,
exactly 10 seconds after the configuration is entered.
yearyears—Start time as the specified number of years after the current year. For example, if the current
year is 2011 and you configure start-time 1year, the start time will be in 2012, exactly one year after the
configuration is entered.
yyyy-mm-dd.hh:mm:ss—Start time in UTC (Coordinated Universal Time). The start time must be unique
within the keychain.
RELATED DOCUMENTATION
Configuring the Authentication Key Update Mechanism for BGP and LDP Routing Protocols | 250
Example: Configuring BFD Authentication for Securing Static Routes
Example: Configuring Hitless Authentication Key Rollover for IS-IS
static (802.1X)
Syntax
static mac-address {
bridge-domain-assignment bridge-domain-assignment;
interface [interface-names];
vlan-assignment (vlan-id |vlan-name );
}
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 9.0 for EX Series switches.
Statement introduced in Junos OS Release 9.3 for the MX Series.
Statement introduced in Junos OS Release 14.1X53-D30 for the QFX Series.
Description
Configure MAC addresses to exclude from 802.1X authentication. The static MAC list provides an
authentication bypass mechanism for supplicants connecting to a port, permitting devices such as printers
that are not 802.1X-enabled to be connected to the network on 802.1X-enabled ports.
Using this 802.1X authentication-bypass mechanism, the supplicant connected to the MAC address is
assumed to be successfully authenticated and the port is opened for it. No further authentication is done
for the supplicant.
You can optionally configure the VLAN to which the supplicant is moved, or the interfaces through which
the MAC address can gain access.
Options
mac-address —The MAC address of the device for which 802.1X authentication should be bypassed and
the device permitted access to the port.
interface [interface-names]—Specify a list of interfaces on which the specified MAC addresses are allowed
to bypass RADIUS authentication and allowed to connect to the LAN without authentication.
vlan-assignment (vlan-id | vlan-name)—(EX, QFX, and SRX Series only) Specify the VLAN 802.1Q tag identifier
or VLAN name associated with the list of MAC addresses that should be allowed to bypass RADIUS
authentication.
RELATED DOCUMENTATION
static-subscribers
Syntax
static-subscribers {
disable;
}
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 8.5.
Description
Associate subscribers with statically configured interfaces, and provide dynamic service activation for
these subscribers.
Options
disable—Disable the static subscribers process.
statistics-service
Syntax
statistics-service {
command binary-file-path;
disable;
}
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 8.5.
Description
Specify the Packet Forwarding Engine (PFE) statistics service management process.
Options
• command binary-file-path—Path to the binary process.
• disable—Disable the Packet Forwarding Engine (PFE) statistics service management process.
subscriber-management-helper
Syntax
subscriber-management-helper {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 8.5.
Description
Specify the subscriber management helper process.
Options
• command binary-file-path—Path to the binary process.
• failover—Configure the device to reboot if the software process fails four times within 30 seconds, and
specify the software to use during the reboot.
• alternate-media—Configure the device to switch to backup media that contains a version of the system
if a software process fails repeatedly.
tacplus
Syntax
tacplus {
server {
server-address {
port port-number;
routing-instance routing-instance;
secret password;
single-connection;
timeout seconds;
}
}
}
Hierarchy Level
Release Information
Statement introduced before Junos OS Release 7.4.
Statement introduced in Junos OS Release 9.0 for EX Series switches.
routing-instance option introduced in Junos OS Release 17.4R1.
Description
Configure the Terminal Access Controller Access Control System Plus (TACACS+).
Options
server-address—Address of the TACACS+ authentication server.
RELATED DOCUMENTATION
tacplus
Syntax
tacplus {
server server-address {
port port-number;
secret password;
single-connection;
source-address source-address;
timeout seconds;
}
}
Hierarchy Level
Release Information
Statement introduced before Junos OS Release 7.4.
Description
Configure the TACACS+ accounting server.
Options
• server-address —Specify the address of the TACACS+ authentication server.
• port number—Configure the port number on which to contact the TACACS+ server.
• timeout seconds—Configure the amount of time that the local device waits to receive a response from
a TACACS+ server.
RELATED DOCUMENTATION
tacplus-options
Syntax
tacplus-options {
(exclude-cmd-attribute | no-cmd-attribute-value);
authorization-time-interval minutes;
enhanced-accounting;
(strict-authorization | no-strict-authorization);
service-name service-name;
timestamp-and-timezone;
}
Hierarchy Level
[edit system]
Release Information
Statement introduced before Junos OS Release 7.4.
Statement introduced in Junos OS Release 9.0 for EX Series switches.
no-cmd-attribute-value and exclude-cmd-attribute options introduced in Junos OS Release 9.3.
Statement introduced in Junos OS Release 11.1 for QFX Series.
timestamp-and-timezone option introduced in Junos OS Release 12.2.
strict-authorization and no-strict-authorization options introduced in Junos OS Release 13.3 for EX Series,
M Series, MX Series, PTX Series, and T Series.
enhanced-accounting option introduced in Junos OS Release 14.1.
Statement introduced in Junos OS Release 14.1X53-D20 for OCX Series switches.
authorization-time-interval option introduced in Junos OS Release 17.4.
Description
Configure TACACS+ options for authentication and accounting.
Options
authorization-time-interval minutes—Configure the time interval at which the authorization profile that
is configured on the TACACS+ server is fetched by the Junos OS device during a TACACS+
authentication session. The TACACS+ server sends the authorization profile once by default after the
user is successfully authenticated, and the authorization profile is stored locally on the Junos OS device.
The authorization-time-interval option enables the Junos OS device to periodically check the
authorization profile configured remotely on the TACACS+ server at the configured time interval.
If there is a change in the remote authorization profile, the device fetches the authorization profile
from the TACACS+ server and the authorization profile configured locally under the [edit system login
class class-name] hierarchy. The device refreshes the authorization profile stored locally by combining
the remote and locally-configured authorization profiles. This ensures that any changes made to the
authorization profile configuration on the TACACS+ server are reflected on the Junos OS device
without the user having to restart the authentication process.
To enable the periodic refresh of the authorization profile, you must set the authorization time interval
at which the Junos OS device fetches the authorization profile configuration from the TACACS+ server
and refreshes the authorization profile stored locally. The time interval can be configured directly on
the TACACS+ server or locally on the Junos OS device using the CLI. Use the following guidelines to
determine which time interval configuration takes precedence:
• If there is no time interval configured on the TACACS+ server for periodic refresh, the Junos OS
device does not receive the time interval value in the authorization response. In this case, the value
configured locally on the Junos OS device will take effect.
• If the time interval is configured on the TACACS+ server and there is no authorization time interval
configured locally on the Junos OS device, the value configured on the TACACS+ server will take
effect.
• If the periodic refresh time interval is configured on the TACACS+ server and also locally on the
Junos OS device, the value configured on the TACACS+ server will take precedence.
• If there is no periodic refresh time interval configured on the TACACS+ server and there is no
authorization time interval configured on the Junos OS device, there will be no periodic refresh.
• If the periodic refresh time interval configured on the TACACS+ server is out of range or invalid,
the authorization time interval value configured locally will take effect.
• If the periodic refresh time interval configured on the TACACS+ server is out of range or invalid and
there is no authorization time interval configured locally, there will be no periodic refresh.
After the periodic authorization time interval is set, if the user changes the interval before the
authorization request is sent from the Junos OS device, the updated interval takes effect after the
next immediate periodic refresh.
Default: If the authorization time interval is not configured, the authorization profile is not refreshed
during a TACACS+ authentication session.
Range: 15 through 1440 minutes
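The six precedence rules above, worked through as an added example (not Juniper's code): server_interval stands for the refresh interval the TACACS+ server returns in its authorization response (None when it sends none) and local_interval for the value configured under tacplus-options authorization-time-interval (None when absent); treating an out-of-range local value as a configuration error is an assumption.

```python
"""Resolve which authorization-time-interval takes effect.

Added example, not Juniper's code. It encodes the six precedence rules
given for the authorization-time-interval option of tacplus-options:
server_interval is the refresh interval the TACACS+ server returns in
its authorization response (None when the server sends none) and
local_interval is the value configured under [edit system
tacplus-options authorization-time-interval] (None when absent).
"""
from typing import Optional

MIN_INTERVAL = 15    # minutes, lower bound of the documented range
MAX_INTERVAL = 1440  # minutes, upper bound of the documented range


def in_range(value) -> bool:
    """True for an integer number of minutes inside 15 through 1440."""
    return isinstance(value, int) and MIN_INTERVAL <= value <= MAX_INTERVAL


def effective_refresh_interval(server_interval,
                               local_interval: Optional[int]) -> Optional[int]:
    """Minutes between periodic refreshes, or None for no periodic refresh."""
    if local_interval is not None and not in_range(local_interval):
        # Assumption: the CLI enforces the documented range at commit, so
        # an out-of-range local value is treated as a configuration error.
        raise ValueError(f"authorization-time-interval must be {MIN_INTERVAL}"
                         f" through {MAX_INTERVAL} minutes")
    if in_range(server_interval):
        # Rules 2 and 3: a valid server value applies, whether or not a
        # local value is also configured.
        return server_interval
    # Rules 1, 4, 5 and 6: the server sent nothing, or an out-of-range or
    # invalid value; fall back to the local value, or to no refresh at all.
    return local_interval


if __name__ == "__main__":
    # Constructed cases, one per rule in the order the reference lists them.
    cases = [(None, 30), (60, None), (60, 30), (None, None),
             (5000, 30), ("bogus", None)]
    for server, local in cases:
        print(server, local, "->", effective_refresh_interval(server, local))
```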
exclude-cmd-attribute—Exclude the cmd attribute value completely from start and stop accounting records
to enable logging of accounting records in the correct log file on a TACACS+ server.
no-cmd-attribute-value—Set the cmd attribute value to an empty string in the TACACS+ accounting start
and stop requests to enable logging of accounting records in the correct log file on a TACACS+ server.
no-strict-authorization—Don't deny login if the authorization request fails. When a user is logging in, Junos
OS issues two TACACS+ requests—first the authentication request followed by the authorization
request.
Default: By default, when the authorization request is rejected by the TACACS+ server, Junos OS
ignores this and allows full access to the user. Specifying no-strict-authorization restores this default
behavior.
service-name service-name—Name of the authentication service used when you configure multiple TACACS+
servers to use the same authentication service.
Default: junos-exec
strict-authorization—Deny login if the authorization request fails. When a user is logging in, Junos OS
issues two TACACS+ requests—first the authentication request followed by the authorization request.
When the strict-authorization option is specified, Junos OS denies access to the user even when the
TACACS+ authorization request fails.
Default: By default, when the authorization request is rejected by the TACACS+ server, Junos OS
ignores this and allows full access to the user.
timestamp-and-timezone—Include this statement if you want start time, stop time, and time zone attributes
included in the start and stop accounting records.
RELATED DOCUMENTATION
tacplus-server
Syntax
tacplus-server server-address {
port port-number;
routing-instance routing-instance;
secret password;
single-connection;
source-address source-address;
timeout seconds;
}
Hierarchy Level
[edit system]
Release Information
Statement introduced before Junos OS Release 7.4.
Statement introduced in Junos OS Release 9.0 for EX Series switches.
Statement introduced in Junos OS Release 11.1 for the QFX Series.
Statement introduced in Junos OS Release 14.1X53-D20 for the OCX Series.
routing-instance option introduced in Junos OS Release 17.4R1.
Description
Configure the IPv4 or IPv6 TACACS+ server.
Options
server-address—Address of the IPv4 or IPv6 TACACS+ authentication server.
NOTE: Wildcard characters cannot be used in the TACACS+ server address or source address.
This is because the TACACS+ server and source can accept both IPv4 and IPv6 addresses and,
if you use wildcard characters for these addresses, Junos OS cannot validate mismatching
server and source address families.
port port-number—Configure the port number on which to contact the TACACS+ authentication server.
Default: 49
routing-instance routing-instance—Configure the routing instance name for the management routing
instance, that is mgmt_junos. Configuring this parameter along with the management-instance
statement enables authentication processes (for example, RADIUS and TACACS+) to use the non-default
management routing instance for packet traffic.
NOTE: You must also define the mgmt_junos routing instance under the [edit routing-instances]
hierarchy level.
If you do not configure the mgmt_junos instance under the [edit routing-instances] hierarchy level
and configure it only under tacplus-server or radius-server, the commit will fail.
secret password—Configure the password to use with the RADIUS or TACACS+ server. The secret password
used by the local router or switch must match that used by the server. The password can include
spaces if it is enclosed in quotation marks.
NOTE: To ensure better security, we recommend you configure the TACACS+ secret password
with a minimum of 14 characters.
single-connection—Optimize attempts to connect to a TACACS+ server. The software maintains one open
TCP connection to the server for multiple requests rather than opening a connection for each connection
attempt.
source-address source-address—Specify a source address for each configured TACACS+ server to record
in system log messages that are directed to a remote machine. Configure a valid IP address on one of
the device interfaces. For system logging, the address is recorded as the message source in messages
sent to the remote machines specified in all host hostname statements at the [edit system syslog]
hierarchy level.
Default: The primary address of the interface.
timeout seconds—The amount of time that the local device waits to receive a response from a TACACS+
server.
Default: 3 seconds
Range: 1 through 90 seconds
RELATED DOCUMENTATION
telnet
Syntax
telnet {
authentication-order [authentication-methods];
connection-limit limit;
rate-limit limit;
}
Hierarchy Level
Release Information
Statement introduced before Junos OS Release 7.4.
Statement introduced in Junos OS Release 9.0 for EX Series switches.
Statement introduced in Junos OS Release 11.1 for the QFX Series.
Statement introduced in Junos OS Release 14.1X53-D20 for the OCX Series.
Description
Provide Telnet connections from remote systems to the local router or switch.
RELATED DOCUMENTATION
tftp
Syntax
tftp {
description text-description;
interface interface-name {
broadcast;
description text-description;
no-listen;
server address <logical-system logical-system-name> <routing-instance routing-instance-name>;
}
server address <logical-system logical-system-name> <routing-instance routing-instance-name>;
}
Hierarchy Level
Release Information
Statement introduced before Junos OS Release 7.4.
Statement introduced in Junos OS Release 9.0 for EX Series switches.
Description
Enable TFTP request packet forwarding.
RELATED DOCUMENTATION
timeout (System)
Syntax
timeout seconds;
Hierarchy Level
Release Information
Statement introduced before Junos OS Release 7.4.
Statement introduced in Junos OS Release 9.0 for EX Series switches.
Description
Configure the amount of time that the local router or switch waits to receive a response from a RADIUS
or TACACS+ server.
Options
seconds—Amount of time to wait.
Range: 1 through 90 seconds
Default: 3 seconds
RELATED DOCUMENTATION
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 12.2 for EX Series switches.
Description
Specify the action to be taken when the timeout is reached for the switch’s connection with the Junos
Pulse Access Control Service.
Options
close—Remove existing sessions and block further traffic.
RELATED DOCUMENTATION
tlv-filter
Syntax
tlv-filter tlv-name;
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 18.3.
Description
Select the type, length, and value (TLV) messages that should not be advertised by the Link Layer Discovery
Protocol (LLDP) or LLDP Media Endpoint Discovery (LLDP-MED) protocol. LLDP-capable devices transmit
information in type, length, and value (TLV) messages to neighbor devices. This information can include
chassis and port identification, the system name, and system capabilities.
In multi-vendor networks, it might not be desirable to send TLV messages because they can contain
sensitive information about a network device. You can configure LLDP or LLDP-MED to disable any
non-mandatory TLV message. (These mandatory TLVs are always advertised: chassis-id, port-id, and
time-to-live.)
When you configure the tlv-filter statement, you specify the TLVs that you want to disable. This is useful
when you want to allow most, but not all, TLVs.
You can also disable TLVs using the tlv-select statement. When you configure the tlv-select statement,
you specify the TLVs that you want to be advertised by LLDP or LLDP-MED. All other non-mandatory
TLVs are disabled.
NOTE: The tlv-select and tlv-filter statements are mutually exclusive and cannot be used on
the same configuration stanza at the same time.
Default
All TLVs for LLDP and LLDP-MED are enabled by default.
Options
• link-aggregation—Advertises whether the port is aggregated and its aggregated port ID.
• maximum-frame-size—The maximum transmission unit (MTU) of the interface sending LLDP frames.
• port-vid—Indicates the port VLAN ID that will be associated with an untagged or priority-tagged
data frame received on the VLAN port.
• power-via-mdi—Advertises MDI (media dependent interface) power support, PSE (power sourcing
equipment) power pair, and power class information.
• system-capabilities—The primary function performed by the system. The capabilities that the system
supports are defined; for example, bridge or router. This information cannot be configured; it is
based on the model of the product.
• network-policy—The port VLAN configuration and associated Layer 2 and Layer 3 attributes.
Attributes include the policy identifier, application types, such as voice or streaming video, 802.1Q
VLAN tagging, and 802.1p priority bits and Diffserv code points.
RELATED DOCUMENTATION
tlv-select
Syntax
tlv-select tlv-name;
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 18.3 for EX Series switches.
Description
Select the type, length, and value (TLV) messages that should be advertised by the Link Layer Discovery
Protocol (LLDP) or LLDP Media Endpoint Discovery (LLDP-MED) protocol. LLDP-capable devices transmit
information in type, length, and value (TLV) messages to neighbor devices. This information can include
chassis and port identification, the system name, and system capabilities.
In multi-vendor networks, it might not be desirable to send TLV messages because they can contain
sensitive information about a network device. You can configure LLDP or LLDP-MED to choose which
non-mandatory TLV messages to advertise. (These mandatory TLVs are always advertised: chassis-id,
port-id, and time-to-live.)
When you configure the tlv-select statement, you specify the TLVs that LLDP or LLDP-MED should
advertise. All other non-mandatory TLVs are disabled. This is useful when you want to disable most, but
not all, TLVs.
You can also disable TLVs using the tlv-filter statement. When you configure the tlv-filter statement, you
specify the TLVs that should be disabled.
NOTE: The tlv-select and tlv-filter statements are mutually exclusive and cannot be used on
the same configuration stanza at the same time.
Default
All TLVs for LLDP and LLDP-MED are enabled by default.
Options
• link-aggregation—Advertises whether the port is aggregated and its aggregated port ID.
• maximum-frame-size—The maximum transmission unit (MTU) of the interface sending LLDP frames.
• port-vid—Indicates the port VLAN ID that will be associated with an untagged or priority-tagged
data frame received on the VLAN port.
• power-via-mdi—Advertises MDI (media dependent interface) power support, PSE (power sourcing
equipment) power pair, and power class information.
• system-capabilities—The primary function performed by the system. The capabilities that the system
supports are defined; for example, bridge or router. This information cannot be configured; it is
based on the model of the product.
• network-policy—The port VLAN configuration and associated Layer 2 and Layer 3 attributes.
Attributes include the policy identifier, application types, such as voice or streaming video, 802.1Q
VLAN tagging, and 802.1p priority bits and Diffserv code points.
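As an added example (not part of the original guide or of Junos OS), the following Python parses a captured LLDPDU, checks that the three mandatory TLVs named above are present, and lists which non-mandatory TLVs the sender is advertising, so you can decide what to suppress with tlv-filter or leave out of tlv-select. The mapping of OUI and subtype values to the option names above is this example's assumption, and the sample frame is constructed, not captured from a device.

```python
import struct

# IEEE 802.1AB base TLV types.
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL, TLV_ORG_SPECIFIC = 0, 1, 2, 3, 127

# The three TLVs the guide says are always advertised and cannot be filtered.
MANDATORY = {TLV_CHASSIS_ID: "chassis-id", TLV_PORT_ID: "port-id", TLV_TTL: "time-to-live"}

# Base optional TLVs, named after the LLDP standard (only system-capabilities is
# among the tlv-filter options listed above; the others are assumed names).
BASE_OPTIONAL = {4: "port-description", 5: "system-name", 6: "system-description",
                 7: "system-capabilities", 8: "management-address"}

# Organizationally specific TLVs mapped to the option names listed above.
# (OUI, subtype) pairs follow IEEE 802.1, IEEE 802.3 and ANSI/TIA-1057 (LLDP-MED);
# the mapping to the Junos option names is this example's assumption.
ORG_OPTIONAL = {
    (b"\x00\x80\xc2", 1): "port-vid",            # IEEE 802.1 Port VLAN ID
    (b"\x00\x12\x0f", 2): "power-via-mdi",       # IEEE 802.3 Power via MDI
    (b"\x00\x12\x0f", 3): "link-aggregation",    # IEEE 802.3 Link Aggregation
    (b"\x00\x12\x0f", 4): "maximum-frame-size",  # IEEE 802.3 Maximum Frame Size
    (b"\x00\x12\xbb", 2): "network-policy",      # LLDP-MED Network Policy
}


def parse_lldpdu(data: bytes):
    """Split an LLDPDU into (type, value) pairs.

    Each TLV header is 16 bits: a 7-bit type followed by a 9-bit length.
    Raises ValueError if a TLV overruns the buffer or the End TLV is missing.
    """
    tlvs, off = [], 0
    while off + 2 <= len(data):
        (hdr,) = struct.unpack_from("!H", data, off)
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        off += 2
        if off + length > len(data):
            raise ValueError(f"TLV type {tlv_type} at offset {off - 2} overruns the frame")
        tlvs.append((tlv_type, data[off:off + length]))
        off += length
        if tlv_type == TLV_END:
            return tlvs
    raise ValueError("LLDPDU has no End of LLDPDU TLV")


def classify(tlvs):
    """Group parsed TLVs into mandatory, optional (by option name) and unknown."""
    found = {"mandatory": [], "optional": [], "unknown": []}
    for tlv_type, value in tlvs:
        if tlv_type == TLV_END:
            continue
        if tlv_type in MANDATORY:
            found["mandatory"].append(MANDATORY[tlv_type])
        elif tlv_type in BASE_OPTIONAL:
            found["optional"].append(BASE_OPTIONAL[tlv_type])
        elif tlv_type == TLV_ORG_SPECIFIC and len(value) >= 4:
            name = ORG_OPTIONAL.get((value[:3], value[3]))
            if name:
                found["optional"].append(name)
            else:
                found["unknown"].append(f"org-{value[:3].hex()}-subtype-{value[3]}")
        else:
            found["unknown"].append(f"type-{tlv_type}")
    return found


def missing_mandatory(found):
    """Mandatory TLVs absent from the frame: the sender is not LLDP-compliant."""
    return sorted(set(MANDATORY.values()) - set(found["mandatory"]))


def audit(data: bytes):
    """Inventory a captured LLDPDU: the option names that would silence every
    optional TLV it carries, any missing mandatory TLVs, and unrecognised TLVs."""
    found = classify(parse_lldpdu(data))
    return {
        "filter_candidates": sorted(set(found["optional"])),
        "missing_mandatory": missing_mandatory(found),
        "unknown": found["unknown"],
    }


# Constructed sample LLDPDU (not a real capture): chassis-id (MAC), port-id
# (interface name ge-0/0/1), TTL 120 s, system-name "sw1", system-capabilities
# (bridge), 802.1 port-vid 100, 802.3 maximum-frame-size 1518, End TLV.
SAMPLE_LLDPDU = bytes.fromhex(
    "0207 04 001122334455"        # chassis-id, subtype 4 = MAC address
    "0409 05 67652d302f302f31"    # port-id, subtype 5 = interface name "ge-0/0/1"
    "0602 0078"                   # time-to-live = 120
    "0a03 737731"                 # system-name "sw1"
    "0e04 0004 0004"              # system-capabilities: bridge supported and enabled
    "fe06 0080c2 01 0064"         # IEEE 802.1 Port VLAN ID = 100
    "fe06 00120f 04 05ee"         # IEEE 802.3 Maximum Frame Size = 1518
    "0000"                        # End of LLDPDU
)

if __name__ == "__main__":
    report = audit(SAMPLE_LLDPDU)
    for name in report["filter_candidates"]:
        print(f"optional TLV advertised, candidate for tlv-filter: {name}")
    if report["missing_mandatory"]:
        print("missing mandatory TLVs:", ", ".join(report["missing_mandatory"]))
```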
RELATED DOCUMENTATION
traceoptions (802.1X)
Syntax
traceoptions {
file filename <files number> <size size> <world-readable | no-world-readable> <match regex>;
flag flag;
}
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 9.0 for EX Series switches.
Support for the dot1x-event and dot1x-ipc options introduced in Junos OS Release 13.2X50 for EX Series
switches.
Description
Define tracing operations for the 802.1X protocol.
Default
Tracing operations are disabled.
Options
file filename—Name of the file to receive the output of the tracing operation. Enclose the name within
quotation marks. All files are placed in the directory /var/log.
files number—(Optional) Maximum number of trace files. When a trace file named trace-file reaches its
maximum size, it is renamed trace-file.0, then trace-file.1, and so on, until the maximum number of trace
files is reached. Then the oldest trace file is overwritten. If you specify a maximum number of files, you
also must specify a maximum file size by using the size option.
Range: 2 through 1000
Default: 3 files
flag flag—Tracing operation to perform. To specify more than one tracing operation, include multiple flag
statements. You can include the following flags:
match regex—(Optional) Refine the output to include lines that contain the regular expression.
no-world-readable—(Optional) Restrict file access to the user who created the file.
size size—(Optional) Maximum size of each trace file, in kilobytes (KB), megabytes (MB), or gigabytes (GB).
When a trace file named trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1,
and so on, until the maximum number of trace files is reached. Then the oldest trace file is overwritten. If
you specify a maximum number of files with the files option, you also must specify a maximum file size.
Syntax: xk to specify KB, xm to specify MB, or xg to specify GB
Range: 10 KB through 1 GB
Default: 128 KB
RELATED DOCUMENTATION
traceoptions {
file filename <files number> <match regular-expression> <size bytes> <world-readable | no-world-readable>;
flag flag;
level level;
<no-remote-trace>;
}
Hierarchy Level
Release Information
Statement introduced before Junos OS Release 7.4.
Statement standardized and match option introduced in Junos OS Release 8.0.
Statement introduced in Junos OS Release 9.0 for EX Series switches.
Description
Configure tracing operations for BOOTP, DNS, TFTP, or custom UDP port packet forwarding.
Default
If you do not include this statement, no tracing operations are performed.
Options
file filename—Name of the file to receive the output of the tracing operation. Enclose the name in quotation
marks (" "). All files are placed in a file named fud in the directory /var/log. If you include the file statement,
you must specify a filename.
files number—(Optional) Maximum number of trace files. When a trace file named trace-file reaches its
maximum size, it is renamed trace-file.0, then trace-file.1, and so on, until the maximum number of trace
files is reached. Then the oldest trace file is overwritten.
If you specify a maximum number of files, you also must specify a maximum file size with the size option
and a filename.
Range: 2 through 1000
Default: 3 files
flag flag—Tracing operation to perform. To specify more than one tracing operation, include multiple flag
statements. You can include the following flags:
match regular-expression—(Optional) Refine the output to include lines that contain the regular expression.
size size—(Optional) Maximum size of each trace file, in kilobytes (KB), megabytes (MB), or gigabytes (GB).
When a trace file named trace-file reaches this size, it is renamed trace-file.0. When the trace-file file
again reaches its maximum size, trace-file.0 is renamed trace-file.1 and trace-file is renamed trace-file.0.
This renaming scheme continues until the maximum number of trace files is reached. Then the oldest trace
file is overwritten.
If you specify a maximum file size, you also must specify a maximum number of trace files with the files
option and filename.
Syntax: xk to specify KB, xm to specify MB, or xg to specify GB
Range: 0 bytes through 4,294,967,295 KB
Default: 128 KB
RELATED DOCUMENTATION
traceoptions (LLDP)
Syntax
traceoptions {
file filename <files number> <size maximum-file-size> <world-readable | no-world-readable>;
flag flag <disable>;
}
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 9.0 for EX Series switches.
Statement introduced in Junos OS Release 9.6 for MX Series.
Statement introduced in Junos OS Release 11.1 for the QFX Series.
Statement introduced in Junos OS Release 14.1X53-D20 for OCX Series switches.
Description
Define tracing operations for the Link Layer Discovery Protocol (LLDP). You can trace messages under
LLDP for LLDP and physical topology SNMP MIBs.
NOTE: The traceoptions statement is not supported on the QFX3000 QFabric system.
Default
The default LLDP protocol-level trace options are inherited from the global traceoptions statement.
Options
disable—(Optional) Disable the tracing operation. One use of this option is to disable a single operation
when you have defined a broad group of tracing operations, such as all.
file filename—Name of the file to receive the output of the tracing operation. Enclose the name in quotation
marks. All files are placed in the directory /var/log. We recommend that you place spanning-tree
protocol tracing output in the file /var/log/stp-log.
files number—(Optional) Maximum number of trace files. When a trace file named trace-file reaches its
maximum size, it is renamed trace-file.0, then trace-file.1, and so on, until the maximum number of
trace files is reached. Then, the oldest trace file is overwritten.
If you specify a maximum number of files, you must also specify a maximum file size with the size
option.
Range: 2 through 1000 files
Default: 1 trace file only
flag—Specify a tracing operation to perform. To specify more than one tracing operation, include multiple
flag statements.
Values: The following are the LLDP-specific tracing options:
• all—Trace all operations.
• normal—All normal events. This is the default. If you do not specify this option, only unusual or
abnormal operations are traced.
no-world-readable—(Optional) Restrict access to the log file to the user who created it. This is the default. If you
do not include this option, tracing output is appended to an existing trace file.
size maximum-file-size—(Optional) Maximum size of each trace file, in kilobytes (KB) or megabytes (MB).
When a trace file named trace-file reaches this size, it is renamed trace-file.0. When the trace-file again
reaches its maximum size, trace-file.0 is renamed trace-file.1 and trace-file is renamed trace-file.0. This
renaming scheme continues until the maximum number of trace files is reached. Then the oldest trace
file is overwritten.
If you specify a maximum file size, you must also specify a maximum number of trace files with the
files option.
Syntax: xk to specify KB, xm to specify MB, or xg to specify GB
Range: 10 KB through the maximum file size supported on your system
Default: 1 MB
RELATED DOCUMENTATION
traceoptions {
file <filename> <files number> <match regular-expression> <size size> <(world-readable | no-world-readable)>;
flag flag;
no-remote-trace;
}
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 10.4.
Description
Set the trace options for the outbound SSH service. By default, tracing operations are disabled.
Options
• file—Configure the trace file information.
• filename—(Optional) By default, the name of the file is the name of the process being traced. Use this
option to override the default file name and specify a file to receive the output of the tracing operation.
Enclose the name within quotation marks. All trace files are placed in the directory /var/log.
• files number—(Optional) Specify the maximum number of trace files to create before overwriting the
oldest one. If you specify a maximum number of files, you also must specify a maximum file size with
the size option and a file name with the filename option.
Default: 3 files
• match regular-expression—(Optional) When configured, the system adds only those lines to the trace
file that match the regular expression. For example, if the regular expression is set to =error, the system
only adds lines to the trace file that include the string error.
• size maximum-file-size—(Optional) Specify the maximum size of each trace file, in kilobytes (KB),
megabytes (MB), or gigabytes (GB). When a trace file named trace-file reaches this size, it is renamed
trace-file.0. When trace-file again reaches its maximum size, trace-file.0 is renamed trace-file.1 and
trace-file is renamed trace-file.0. This renaming scheme continues until the maximum number of trace
files is reached. Then the oldest trace file is overwritten.
If you specify a maximum file size, you also must specify a maximum number of trace files by using
the files option and a filename by using the file option.
Range: 10 KB through 1 GB
Default: 128 KB
• flag—Specify the tracing operation to perform. To specify more than one tracing operation, include
multiple flag statements. You can include the following flags:
• connectivity—Trace TCP connection handling between the management application and the device.
• no-remote-trace—(Optional) Disable remote tracing and logging operations that track normal operations,
error conditions, and packets that are generated by or passed through the device.
RELATED DOCUMENTATION
traceoptions {
file filename <files number> <match regex> <size size> <world-readable | no-world-readable>;
flag flag;
}
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 9.5.
Statement introduced in Junos OS Release 9.5 for EX Series switches.
Description
Configure trace options for the session border controller (SBC) process of the border signaling gateway
(BSG).
Options
file filename—Name of the file that receives the output of the tracing operation. Enclose the name in
quotation marks. All files are placed in the directory /var/log. You can include the following file options:
• files number—(Optional) Maximum number of trace files. When a trace file named trace-file reaches its
maximum size, it is renamed trace-file.0, then trace-file.1, and so on, until the maximum number of trace
files is reached. Then the oldest trace file is overwritten.
If you specify a maximum number of files, you must also specify a maximum file size with the size option
and a filename.
• match regex—(Optional) Refine the output to include lines that contain the regular expression.
• size size—(Optional) Maximum size of each trace file, in kilobytes (KB), megabytes (MB), or gigabytes
(GB). When a trace file named trace-file reaches this size, it is renamed trace-file.0. When the trace-file
again reaches its maximum size, trace-file.0 is renamed trace-file.1 and trace-file is renamed trace-file.0.
This renaming scheme continues until the maximum number of trace files is reached. Then the oldest
trace file is overwritten. If you specify a maximum file size, you also must specify a maximum number
of trace files with the files option and filename.
flag flag—Tracing operation to perform. To specify more than one tracing operation, include multiple flag
statements. You can include the following flags:
• trace-level—Trace level options are related to the severity of the event being traced. When you choose
a trace level, messages at that level and higher levels are captured. Enter one of the following trace levels
as the trace-level:
• info—Log summary for normal operations, such as the policy decisions made for a call.
RELATED DOCUMENTATION
traceoptions (Security)
Syntax
traceoptions {
file filename <files number> <size size>;
flag all;
flag certificates;
flag database;
flag general;
flag ike;
flag parse;
flag policy-manager;
flag routing-socket;
flag timer;
level
no-remote-trace
}
Hierarchy Level
[edit security],
[edit services ipsec-vpn]
Trace options can be configured at either the [edit security] or the [edit services ipsec-vpn] hierarchy
level, but not at both levels.
Release Information
Statement introduced before Junos OS Release 7.4.
Statement introduced in Junos OS Release 9.0 for EX Series switches.
Statement introduced in Junos OS Release 11.1 for the QFX Series.
Statement introduced in Junos OS Release 14.1X53-D20 for the OCX Series.
Description
Configure security trace options.
To specify more than one trace option, include multiple flag statements. Trace option output is recorded
in the /var/log/kmd file.
Options
files number—(Optional) Maximum number of trace files. When a trace file (for example, kmd) reaches its
maximum size, it is renamed kmd.0, then kmd.1, and so on, until the maximum number of trace files is
reached. Then the oldest trace file is overwritten.
If you specify a maximum number of files, you must also specify a maximum file size with the size option.
Range: 2 through 1000 files
Default: 0 files
size size—(Optional) Maximum size of each trace file, in kilobytes (KB). When a trace file (for example, kmd)
reaches this size, it is renamed, kmd.0, then kmd.1 and so on, until the maximum number of trace files is
reached. Then the oldest trace file is overwritten.
Default: 1024 KB
flag flag—Trace operation to perform. To specify more than one trace operation, include multiple flag
statements.
RELATED DOCUMENTATION
trusted-key
Syntax
trusted-key [key-numbers];
Hierarchy Level
Release Information
Statement introduced before Junos OS Release 7.4.
Description
For NTP, configure the keys you are allowed to use when you configure the SRX Series device to synchronize
its time with other systems on the network.
Options
key-numbers—One or more key numbers. Each key can be any 32-bit unsigned integer except 0.
RELATED DOCUMENTATION
ntp | 1202
uac-policy
Syntax
uac-policy;
Hierarchy Level
[edit ethernet-switching-options]
Release Information
Statement introduced in Junos OS Release 12.2 for EX Series switches.
Description
Configure Junos Pulse Access Control Service as the access policy to authenticate and authorize users
connected to the switch for admission to the network and for access to protected network resources.
Default
The Access Control Service access policy is disabled.
RELATED DOCUMENTATION
Configuring an EX Series Switch to Use Junos Pulse Access Control Service for Network Access Control
(CLI Procedure) | 484
OBSOLETE: Configuring the EX Series Switch for Captive Portal Authentication with Junos Pulse
Access Control Service (CLI Procedure) | 488
uac-service
Syntax
uac-service {
timeout {
timeout-action {
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 12.2 for EX Series switches.
Description
Configure Junos Pulse Access Control Service as one of the system processes.
Default
Junos Pulse Access Control Service process is disabled.
RELATED DOCUMENTATION
Configuring an EX Series Switch to Use Junos Pulse Access Control Service for Network Access Control
(CLI Procedure) | 484
OBSOLETE: Configuring the EX Series Switch for Captive Portal Authentication with Junos Pulse
Access Control Service (CLI Procedure) | 488
Understanding Centralized Network Access Control and EX Series Switches | 481
uac-service
Syntax
uac-service {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 8.5.
Description
Specify the unified access control daemon process.
Options
• command binary-file-path—Path to the binary process.
• failover—Configure the device to reboot if the software process fails four times within 30 seconds, and
specify the software to use during the reboot.
• alternate-media—Configure the device to switch to backup media that contains a version of the system
if a software process fails repeatedly.
RELATED DOCUMENTATION
unattended-boot
Syntax
unattended-boot;
Hierarchy Level
[edit system]
Release Information
Statement introduced in Junos OS Release 13.2X51-D20 for EX Series switches.
Description
Set the switch to unattended mode for U-Boot to prevent unauthorized access to the system before the
Junos OS login prompt appears. In unattended mode, access to the loader CLI is blocked, as are
recovery mechanisms such as password recovery by using single-user mode and booting the switch from
a USB flash drive. To access the CLI in U-Boot mode, the user must enter a boot-loader
password that has been previously configured.
NOTE: If the root password is lost while the switch is in unattended mode, the switch must be
reset to the factory default configuration using the LCD panel. For more information see Reverting
to the Default Factory Configuration for the EX Series Switch.
Default
Unattended mode is not enabled by default.
RELATED DOCUMENTATION
usb-control
Syntax
usb-control {
command binary-file-path;
disable;
}
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 8.5 for SRX300, SRX320, SRX340, SRX345, and SRX550M
devices.
Description
Specify the universal serial bus (USB) supervise process.
Options
• command binary-file-path—Path to the binary process.
user (Access)
Syntax
user user-name {
authentication {
encrypted-password encrypted-password;
no-public-keys;
ssh-ecdsa name {
from host-list;
}
ssh-ed25519 name {
from host-list;
}
ssh-rsa name {
from host-list;
}
}
class class-name;
cli {
prompt prompt;
}
full-name complete-name;
uid uid;
}
Hierarchy Level
Release Information
Statement introduced before Junos OS Release 7.4.
Statement introduced in Junos OS Release 9.0 for EX Series switches.
Statement introduced in Junos OS Release 11.1 for the QFX Series.
Statement introduced in Junos OS Release 14.1X53-D20 for OCX Series switches.
Statement no-public-keys introduced in Junos OS Release 15.1.
Statement cli introduced in Junos OS 17.3.
Description
Configure access permission for individual users. Starting in Junos OS Release 18.3, the ssh-dsa hostkey
algorithm is deprecated, rather than immediately removed, to provide backward compatibility and a
chance to bring your configuration into compliance with the new configuration.
Options
authentication—Specify one or more authentication methods that a user can use to log in to the router
or switch. You can assign multiple authentication methods to a single user.
encrypted-password—Message Digest 5 (MD5) or other encrypted authentication. Specify the MD5
or other password. You can specify only one encrypted password for each user.
Range: 1 through 128 characters. You cannot configure a blank password for encrypted-password
using empty quotation marks (" "). Enclose the password in quotation marks.
no-public-keys—Disables SSH public-key authentication for the specified user. If the no-public-keys
statement is specified at the [edit system services ssh] hierarchy level, public-key authentication
is disabled for all users on the device.
ssh-ecdsa public-key—SSH version 2 authentication. Specify the ECDSA public key. You can specify
one or more public keys for each user.
ssh-ed25519 public-key—SSH version 2 authentication. Specify the ED25519 public key. You can
specify one or more public keys for each user.
ssh-rsa public-key—SSH version 2 authentication. Specify the RSA public key. You can specify one or
more public keys for each user.
class class-name—Assign a user to a login class. You must assign each user to a login class. Specify one of
the classes defined at the [edit system login class] hierarchy level.
cli—Set the CLI prompt for a specified login user or login class. The prompt set for the
login user takes precedence.
prompt prompt—Specify the string you want displayed as the CLI prompt.
full-name complete-name—Specify the user’s complete name. If the name contains spaces, enclose it in
quotation marks. Do not include colons or commas.
uid uid-value—Numeric identifier associated with the user account, either assigned by an administrator
or assigned automatically when you commit the user configuration. It is used by applications that
request numeric identifiers, such as some RADIUS queries, or secure applications, such as flow-tap
monitoring. This value must be unique on the router or switch.
Default: If you do not assign a UID to a user, the software assigns one when you commit the
configuration, preferring the lowest available number.
Range: 100 through 64000
RELATED DOCUMENTATION
voip
Syntax
voip {
interface (all | [interface-name | access-ports]) {
forwarding-class forwarding-class;
vlan vlan-name;
}
}
Hierarchy Level
• For platforms with ELS:
Release Information
Statement introduced in Junos OS Release 9.0 for EX Series switches.
Hierarchy level [edit switch-options] introduced in Junos OS Release 13.2X50-D10. (See Using the Enhanced
Layer 2 Software CLI for information about ELS.)
Description
Configure voice over IP (VoIP) on interfaces.
The remaining statements are explained separately. Search for a statement in CLI Explorer or click a linked
statement in the Syntax section for details.
RELATED DOCUMENTATION
Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX Series Switch | 492
Example: Configuring VoIP on an EX Series Switch Without Including 802.1X Authentication | 514
Example: Configuring VoIP on an EX Series Switch Without Including LLDP-MED Support | 508
vpn;
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 9.0.
Statement changed from vpn to source-ip-change in Junos OS Release 15.1X49-D130 and later releases.
Description
For Dynamic Host Configuration Protocol (DHCP) client request forwarding, enable source IP change so that
the device uses the address of the egress interface as the source IP address.
watchdog
Syntax
watchdog {
disable;
enable;
timeout value;
}
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 8.5.
Description
Enable or disable the watchdog timer when Junos OS encounters a problem.
Options
• disable—Disable the watchdog timer.
web-management {
control max-threads max-threads;
http {
interface [interface-names];
port port;
}
https {
interface [interface-names];
(local-certificate name | pki-local-certificate name | system-generated-certificate);
port port;
}
management-url management-url;
session {
idle-timeout minutes;
session-limit number;
}
traceoptions {
file {
filename;
files number;
match regular-expression;
size maximum-file-size;
(no-world-readable | world-readable);
}
flag flag level level;
no-remote-trace;
}
}
Hierarchy Level
Release Information
Statement introduced before Junos OS Release 7.4.
Statement introduced in Junos OS Release 9.0 for EX and SRX Series.
Support for https introduced for SRX5400, SRX5600, and SRX5800 devices starting from Junos OS Release
12.1X44-D10 and on vSRX, SRX300, SRX320, SRX340, SRX345, SRX380, SRX550M, and SRX1500 devices
starting from Junos OS Release 15.1X49-D40.
Description
Configure settings for HTTP or HTTPS access. HTTP access allows management of the device using the
browser-based J-Web graphical user interface. HTTPS access allows secure management of the device
using the J-Web interface. With HTTPS access, communication between the device’s Web server and
your browser is encrypted.
NOTE: On SRX340, SRX345, and SRX380 devices, the factory-default configuration has a generic
HTTP configuration. To use Gigabit Ethernet (ge) and fxp0 ports as management ports, you must
use the set system services web-management http interface command to configure HTTP access
for those interfaces. The Web management HTTP and HTTPS interfaces are changed to fxp0.0
and from ge-0/0/1.0 through ge-0/0/7.0.
Options
control max-threads max-threads—Configure the maximum number of simultaneous threads to handle
access requests.
Range: 0 through 16
• filename—Name of the file to receive the output of the tracing operation. Enclose the name in
quotation marks. All files are placed in the directory /var/log. By default, the name of the file is
the name of the process being traced.
• files number—Maximum number of trace files. When a trace file named trace-file reaches its
maximum size, it is renamed trace-file.0, then trace-file.1, and so on, until the maximum number
of trace files is reached. Then the oldest trace file is overwritten.
If you specify a maximum number of files, you also must specify a maximum file size with the size
maximum file-size option.
Default: 10 files
• match regular-expression—Refine the output to include lines that contain the regular expression.
• size maximum-file-size—Maximum size of each trace file, in kilobytes (KB), megabytes (MB), or
gigabytes (GB).
Range: 10 KB through 1 GB
Default: 128 KB
If you specify a maximum file size, you also must specify a maximum number of trace files with the
files number option.
• (world-readable | no-world-readable)—By default, log files can be accessed only by the user who
configures the tracing operation. The world-readable option enables any user to read the file. To
explicitly set the default behavior, use the no-world-readable option.
• flag flag—Specify which tracing operation to perform. To specify more than one tracing operation,
include multiple flag statements. You can include the following flags.
• configuration—Trace configuration.
The remaining statements are explained separately. Search for a statement in CLI Explorer or click a linked
statement in the Syntax section for details.
RELATED DOCUMENTATION
web-management {
disable;
failover (alternate-media | other-routing-engine);
}
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 8.5.
Description
Specify the Web management process.
Options
• disable—Disable the Web management process.
• failover—Configure the device to reboot if the software process fails four times within 30 seconds, and
specify the software to use during the reboot.
• alternate-media—Configure the device to switch to backup media that contains a version of the system
if a software process fails repeatedly.
xnm-clear-text
Syntax
xnm-clear-text {
connection-limit limit;
rate-limit limit;
}
Hierarchy Level
Release Information
Statement introduced before Junos OS Release 7.4.
Description
Allow Junos XML protocol clear-text requests from remote systems to the local router.
RELATED DOCUMENTATION
Configuring clear-text or SSL Service for Junos XML Protocol Client Applications
xnm-ssl
Syntax
xnm-ssl {
connection-limit limit;
local-certificate name;
rate-limit limit;
ssl-renegotiation;
}
Hierarchy Level
Release Information
Statement introduced before Junos OS Release 7.4.
Support for the ssl-renegotiation statement added in Junos OS Release 13.3.
Description
Allow Junos XML protocol SSL requests from remote systems to the local router.
WARNING: Starting with Junos OS Release 15.1, the sslv3-support option is not
available for configuration with the set system services xnm-ssl and file copy
commands. SSLv3 is no longer supported or available.
For all releases prior to and including Junos OS Release 14.2, SSLv3 is disabled by
default at runtime. The sslv3-support option is hidden and deprecated in Junos OS
Release 14.2 and earlier releases. However, you can use the set system services xnm-ssl
sslv3-support command to enable SSLv3 for a Junos XML protocol client application
to use as the protocol to connect to the Junos XML protocol server on a router, and
you can use the file copy source destination sslv3-support command to enable the
copying of files from an SSLv3 URL.
Using SSLv3 presents a potential security vulnerability, and we recommend that you
not use SSLv3. For more details about this security vulnerability, go to
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10656.
NOTE: When FIPS mode is enabled on the device, the xnm-ssl service does not support TLS
1.0. For a device in FIPS mode, the clients must communicate with the xnm-ssl service using
TLS 1.1 or later. In non-FIPS mode, clients can communicate with the xnm-ssl service using TLS
1.0 or later. The xnm-ssl service never negotiates SSLv2 or SSLv3 (the predecessors to
TLS 1.0), whether FIPS mode is enabled or disabled.
RELATED DOCUMENTATION
Configuring clear-text or SSL Service for Junos XML Protocol Client Applications
CHAPTER 13
Operational Commands
ssh | 1605
telnet | 1608
Release Information
Command introduced in Junos OS Release 19.2.
Description
Clears the statistics of transfer attempted, succeeded, and failed for accounting statistics files and router
configuration archives.
Options
This command has no options.
Output Fields
When you enter this command, the transfer statistics are cleared.
Sample Output
clear accounting server statistics archival-transfer
user@host> clear accounting server statistics archival-transfer
clear captive-portal
Syntax
Release Information
Command introduced in Junos OS Release 10.1 for EX Series switches.
Command introduced in Junos OS Release 14.2 for MX240, MX480, and MX960 routers in enhanced LAN
mode.
Description
Reset the authentication state of a captive portal interface or captive portal firewall statistics on one or
more interfaces.
Options
firewall [interface-names]—Resets captive portal statistics on all interfaces or on the specified interface.
interface (all | interface-names)—Resets the authentication state of users connected to all interfaces or the
specified interfaces.
mac-address mac-addresses—Resets the authentication state for the specified MAC addresses.
RELATED DOCUMENTATION
Output Fields
Table 44 on page 1346 lists the output fields for the clear captive-portal interface command. (The clear
captive-portal firewall and clear captive-portal mac-address commands have no output). Output fields
are listed in the approximate order in which they appear.
• Authenticated—The client has been authenticated through the RADIUS server or has been permitted access
through server fail fallback.
• Authenticating—The client is authenticating through the RADIUS server.
• Connecting—Switch is attempting to contact the RADIUS server.
• Initialize—The interface link is down.
• Held—An action has been triggered through server fail fallback during a RADIUS server timeout. A supplicant
is denied access, permitted access through a specified VLAN, or maintains the authenticated state granted
to it before the RADIUS server timeout occurred.
MAC address—The MAC address of the connected client on the interface.
Sample Output
clear captive-portal interface
user@switch> clear captive-portal interface
ge-0/0/3.0
ge-0/0/7.0 Connecting
ge-0/0/9.0 Connecting
clear dot1x
Syntax
Release Information
Command introduced in Junos OS Release 9.0 for EX Series switches.
firewall option added in Junos OS Release 9.5 for EX Series switches.
Command introduced in Junos OS Release 14.2 for MX240, MX480, and MX960 routers in enhanced LAN
mode.
Command introduced in Junos OS Release 14.1X53-D30 for the QFX Series.
Support for eapol-block introduced in Junos OS Releases 14.1X53-D40 and 15.1X53-D51 for EX Series
switches.
Description
Reset the authentication state of an interface or delete 802.1X statistics from the switch. When you reset
an interface using the interface or mac-address options, reauthentication on the interface is also triggered.
The switch sends out a multicast message on the interface to restart the authentication of all connected
supplicants. If a MAC address is reset, then the switch sends out a unicast message to that specific MAC
address to restart authentication.
If a supplicant is sending traffic when the clear dot1x interface command is issued, the authenticator
immediately initiates reauthentication. This process happens quickly, and it might seem that reauthentication
did not occur. To verify that reauthentication has happened, issue the show dot1x interface detail command.
The values for Reauthentication due and Reauthentication interval will be about the same.
CAUTION: When you clear the learned MAC addresses from an interface using the
clear dot1x interface command, all MAC addresses are cleared, including those in static
MAC bypass list.
If you have enabled Media Access Control Security (MACsec) using static secure association key (SAK)
security mode on an EX Series switch, the SAKs are rotated when the clear dot1x command is entered.
The clear dot1x command has no impact on MACsec when MACsec is enabled using static connectivity
association keys (CAK) or any other security mode.
Options
eapol-block—Clear EAPOL block on the interface and allow the switch to receive EAPOL messages from
a supplicant connected to that interface.
firewall <counter-name>—Clear 802.1X firewall counter statistics. If the counter-name option is specified,
clear 802.1X firewall statistics for that counter.
interface <[interface-name]>—Reset the authentication state of all the supplicants (also, clears all the
authentication bypassed clients) connected to the specified interface (when the interface is an
authenticator) or reset the authentication state for the interface itself (when the interface is a supplicant).
RELATED DOCUMENTATION
Sample Output
clear dot1x firewall
user@switch> clear dot1x firewall c1
Release Information
Command introduced in Junos OS Release 9.0 for EX Series switches.
Description
Clear the learned remote neighbor information on all or selected interfaces.
Options
none—Clear the remote neighbor information on all interfaces.
interface interface—(Optional) Clear the remote neighbor information from one or more selected interfaces.
RELATED DOCUMENTATION
Sample Output
clear lldp neighbors
user@switch> clear lldp neighbors
Release Information
Command introduced in Junos OS Release 9.0 for EX Series switches.
Description
Clear LLDP statistics on one or more interfaces.
Options
none—Clears LLDP statistics on all interfaces.
RELATED DOCUMENTATION
Sample Output
clear lldp statistics
user@switch> clear lldp statistics
Release Information
Command introduced in Junos OS Release 14.1X53-D20 for OCX Series switches.
Command introduced in Junos OS Release 11.1 for the QFX Series.
Description
Clear the learned remote neighbor information on all or selected interfaces.
Options
none—Clear the remote neighbor information on all interfaces.
interface interface—(Optional) Clear the remote neighbor information from the selected interface.
RELATED DOCUMENTATION
Sample Output
clear lldp neighbors
user@switch> clear lldp neighbors
Release Information
Command introduced in Junos OS Release 14.1X53-D20 for OCX Series switches.
Command introduced in Junos OS Release 11.1 for the QFX Series.
Description
Clear LLDP statistics on one or more interfaces.
Options
none—Clears LLDP statistics on all interfaces.
RELATED DOCUMENTATION
Sample Output
clear lldp statistics
user@switch> clear lldp statistics
Release Information
Command introduced in Junos OS Release 19.1R1.
Description
Clear the connection state information for RADSEC destinations.
Options
destination destination-id—(Optional) Clear connection state information for the specified RADSEC
destination.
RELATED DOCUMENTATION
Output Fields
This command produces no output.
Release Information
Command introduced in Junos OS Release 19.1R1.
Description
Clear the connection statistics for RADSEC destinations.
Options
destination destination-id—(Optional) Clear connection statistics for the specified RADSEC destination.
RELATED DOCUMENTATION
Output Fields
This command produces no output.
Release Information
Command introduced in Junos OS Release 11.1 for EX Series switches.
Description
Delete local digital certificates, certificate requests, and the corresponding public/private key pairs from
the switch.
Options
all—(Optional) Delete all local digital certificates, certificate requests, and the corresponding public and
private key pairs from the router.
NOTE: This option does not delete the automatically generated self-signed certificate or its
public/private key pair.
certificate-id certificate-id-name—(Optional) Delete the specified local digital certificate and corresponding
public and private key pair.
RELATED DOCUMENTATION
Output Fields
This command produces no output.
Sample Output
clear security pki local-certificate all
user@switch> clear security pki local-certificate all
Release Information
Command introduced in Junos OS Release 15.1X49-D70.
Description
Clear private and public SSH key pair for the specified files.
Options
• all—Clear all the key-pair files.
RELATED DOCUMENTATION
Output Fields
Sample Output
clear security ssh key-pair-identity sample
user@host> clear security ssh key-pair-identity sample
Release Information
Command introduced in Junos OS Release 11.2.
Description
Unlock the user account locked as a result of invalid login attempts.
Options
all—Clear all locked user accounts.
RELATED DOCUMENTATION
retry-options | 1243
show system login lockout | 1588
Output Fields
This command produces no output.
Release Information
Command introduced in Junos OS Release 14.1X53-D20 for OCX Series switches.
Command introduced in Junos OS Release 11.3 for the QFX Series.
Description
(QFabric systems only) Log in to a QFabric system component. To gain access to individual components
by way of the request component login command, you must first provide the qfabric-admin or
qfabric-operator class privilege to your user (for more information, see: remote-debug-permission).
Options
component-name—Specify the QFabric system component to which you wish to log in.
RELATED DOCUMENTATION
Sample Output
The three sample output displays show the results of attempts to log in to Node device EE3093. The
results differ depending on the privilege level assigned to the user.
error: User user0 does not have sufficient permissions to login to device ee3093
Release Information
Command introduced before Junos OS Release 7.4.
Command introduced in Junos OS Release 9.0 for EX Series switches.
Description
(Encryption interface on M Series, PTX Series, and T Series routers and EX Series switches only) Manually
switch from the primary to the backup encryption services interface, or switch from the primary to the
backup IP Security (IPsec) tunnel.
Options
interface <es-fpc/pic/port>—Switch to the backup encryption interface.
RELATED DOCUMENTATION
Output Fields
When you enter this command, you are provided feedback on the status of your request.
Sample Output
request ipsec switch security-associations
user@host> request ipsec switch security-associations sa-private
request message
Syntax
Release Information
Command introduced before Junos OS Release 7.4.
Command introduced in Junos OS Release 9.0 for EX Series switches.
Command introduced in Junos OS Release 11.1 for the QFX Series.
Command introduced in Junos OS Release 14.1X53-D20 for the OCX Series.
Description
Display a message on the screens of all users who are logged in to the router or switch or on specific
screens.
Options
all—Display a message on the terminal of all users who are currently logged in.
Output Fields
When you enter this command, you are provided feedback on the status of your request.
Sample Output
request message message
user@host> request message message "Maintenance window in 10 minutes" user maria
Release Information
Command introduced before Junos OS Release 7.4.
Command introduced in Junos OS Release 9.0 for EX Series switches.
Description
(Encryption interface on M Series and T Series routers and EX Series switches only) Obtain a signed
certificate from a certificate authority (CA). The signed certificate validates the CA and the owner of the
certificate. The results are saved in a specified file to the /var/etc/ikecert directory.
NOTE: For FIPS mode, the digital security certificates must be compliant with the National
Institute of Standards and Technology (NIST) SP 800-131A standard. The request security
key-pair command is deprecated and not available with Junos in FIPS mode because it generates
RSA and DSA keys with sizes of 512 and 1024 bits that are not compliant with the NIST SP
800-131A standard.
Options
filename filename—File that stores the certificate.
encoding (binary | pem)—File format used for the certificate. The format can be a binary file or
privacy-enhanced mail (PEM), an ASCII base64-encoded format. The default format is binary.
Output Fields
When you enter this command, you are provided feedback on the status of your request.
Sample Output
request security certificate enroll filename subject alternative-subject certification-authority key-file
domain-name (Signed)
user@host> request security certificate enroll filename host.crt subject c=uk,o=london
alternative-subject 10.50.1.4 certification-authority verisign key-file host-1.prv domain-name
host.example.com
request security certificate enroll filename filename ca-file ca-file ca-name ca-name
encoding (binary | pem) url url
Release Information
Command introduced before Junos OS Release 7.4.
Command introduced in Junos OS Release 9.0 for EX Series switches.
Description
(Encryption interface on M Series and T Series routers and EX Series switches only) Obtain a certificate
from a certificate authority (CA). The results are saved in a specified file to the /var/etc/ikecert directory.
Options
filename filename—File that stores the public key certificate.
encoding (binary | pem)—File format used for the certificate. The format can be a binary file or
privacy-enhanced mail (PEM), an ASCII base64-encoded format. The default value is binary.
Output Fields
When you enter this command, you are provided feedback on the status of your request.
Sample Output
request security certificate enroll filename ca-file ca-name url (Unsigned)
user@host> request security certificate enroll filename ca_verisign ca-file verisign ca-name example.com
url xyzcompany URL
Release Information
Command introduced before Junos OS Release 7.4.
Command introduced in Junos OS Release 9.0 for EX Series switches.
Description
(Encryption interface on M Series and T Series routers and EX Series switches only) Generate a public
and private key pair for a digital certificate.
NOTE: The request security-certificates command is deprecated and is not available with
Junos in FIPS mode because security certificates are not compliant with the NIST SP 800-131A
standard.
Options
filename—Name of a file in which to store the key pair.
size key-size—(Optional) Key size, in bits. The key size can be 512, 1024, or 2048. The default value is
1024.
Output Fields
When you enter this command, you are provided feedback on the status of your request.
Sample Output
request security key-pair
user@host> request security key-pair security-key-file
Release Information
Command introduced in Junos OS Release 11.1 for EX Series switches.
Description
Generate a public key infrastructure (PKI) public/private key pair for a local digital certificate.
Options
certificate-id certificate-id-name—Name of the local digital certificate and the public/private key pair.
size—(Optional) Key pair size. The key pair size can be 512, 1024, or 2048 bits. If a key pair size is not
specified, the default value, 1024 bits, is applied.
type—(Optional) The algorithm used to generate the public/private key pair. The algorithm can be
dsa or rsa. If an algorithm is not specified, the default value, rsa, is applied.
RELATED DOCUMENTATION
Output Fields
When you enter this command, you are provided feedback on the status of your request.
Sample Output
request security pki generate-key-pair
user@switch> request security pki generate-key-pair certificate-id billy size 2048
Release Information
Command introduced in Junos OS Release 11.1 for EX Series switches.
Description
Manually generate a self-signed certificate for the given distinguished name.
Options
certificate-id certificate-id-name—Name of the local digital certificate and the public/private key pair.
domain-name domain-name—Fully qualified domain name (FQDN). The FQDN provides the identity of
the certificate owner for Internet Key Exchange (IKE) negotiations and provides an alternative to the
subject name.
• CN—Common name
• O—Organization name
• ST—State
• C—Country
RELATED DOCUMENTATION
Output Fields
When you enter this command, you are provided feedback on the status of your request.
Sample Output
request security pki local-certificate generate-self-signed
user@switch> request security pki local-certificate generate-self-signed certificate-id self-cert subject
cn=abc domain-name abc.net email [email protected]
Release Information
Command introduced in Junos OS Release 15.1X49-D70.
Description
Generate the SSH private and public key pair for a specified identity. The private and public key files are
stored in the /var/db directory, which is accessible through root only. Filenames are based on the
identity-name with extensions. The files are similar to the certificate files that are stored in Junos OS.
Options
• identity-name—Identity name.
• passphrase passphrase—An SSH identity generated with a passphrase. The passphrase is used to protect
the private key file stored in the file system. This option does not allow the user to enter a weak
passphrase, which ensures stronger security. A private key is used to connect to a remote server and is
never displayed or transferred between servers, even if the system is compromised. The private key
cannot be used to connect to a remote server if the passphrase is not known.
NOTE: By default, the passphrase uses Advanced Encryption Standard (AES) 128 in cipher
block chaining (CBC) mode to encrypt a private key. All generated keys are stored in the
/var/db/ssh_key directory.
RELATED DOCUMENTATION
Output Fields
When you enter this command, you are provided feedback on the status of your request.
Sample Output
request security ssh key-pair-identity with passphrase
user@host> request security ssh key-pair-identity generate myident passphrase 1q2w3e
Release Information
Command introduced in Junos OS Release 15.1X49-D80.
Description
Use this command to set or replace the password (in plain text).
Options
plain-text-password—Set or replace the password (in plain text).
RELATED DOCUMENTATION
Output Fields
When you enter this command, you are provided feedback on the status of your request.
Sample Output
request security tpm master-encryption-password set plain-text-password
user@host> request security tpm master-encryption-password set plain-text-password
Release Information
Command introduced in Junos OS Release 15.1X49-D35 for SRX300, SRX320, SRX345, and SRX550M
devices.
Command introduced in Junos OS Release 20.1R1 for SRX380 devices.
Description
Prepare the system for autorecovery of configuration, licenses, and disk information.
Options
save—Save the current state of the disk partitioning, configuration, and licenses for autorecovery.
The active Junos OS configuration is saved as the Junos rescue configuration, after which the rescue
configuration, licenses, and disk partitioning information is saved for autorecovery. Autorecovery
information must be initially saved using this command for the autorecovery feature to verify integrity
of data on every bootup.
NOTE:
• Any recovery performed at a later stage will restore the data to the same state as it was
when the save command was executed.
• A fresh rescue configuration is generated when the command is executed. Any existing rescue
configuration will be overwritten.
recover—After autorecovery data has been saved, the integrity of saved items is always checked automatically
on every bootup. The recover command allows you to forcibly re-run the tests at any time if required.
clear—Delete the saved autorecovery information. Only the autorecovery information is deleted; the original
copies of the data used by the router are not affected. Clearing the autorecovery information also disables
all autorecovery integrity checks performed during bootup.
RELATED DOCUMENTATION
Output Fields
When you enter this command, you are provided feedback on the status of your request.
Sample Output
request system autorecovery state save
user@host> request system autorecovery state save
Sample Output
request system autorecovery state recover
user@host> request system autorecovery state recover
Configuration:
File             Recovery Information   Integrity Check   Action / Status
rescue.conf.gz   Saved                  Passed            None
Licenses:
File             Recovery Information   Integrity Check   Action / Status
JUNOS282736.lic  Saved                  Passed            None
JUNOS282737.lic  Saved                  Failed            Recovered
BSD Labels:
Slice            Recovery Information   Integrity Check   Action / Status
s1               Saved                  Passed            None
s2               Saved                  Passed            None
s3               Saved                  Passed            None
Sample Output
request system autorecovery state clear
user@host> request system autorecovery state clear
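The recover output is written for an operator reading a terminal, but across a fleet the integrity result is normally collected by a monitoring job. The following Python is an added example, not Juniper code or output of any Junos tool: it parses the sample output shown above (embedded here as constructed test input, copied from that sample) into one record per file or slice, and returns the entries whose Integrity Check did not pass so that a failed check, or a failure that was not recovered, can be alerted on. The parser is hypothetical and assumes, as in the sample, that the Recovery Information and Integrity Check values are single words; the Action / Status value may contain spaces.

```python
"""Parse `request system autorecovery state recover` output and flag
items whose integrity check did not pass (added example, not Junos code)."""
from dataclasses import dataclass
from typing import Dict, List

# Constructed test input: the sample output from the documentation above.
SAMPLE_OUTPUT = """\
Configuration:
File             Recovery Information   Integrity Check   Action / Status
rescue.conf.gz   Saved                  Passed            None
Licenses:
File             Recovery Information   Integrity Check   Action / Status
JUNOS282736.lic  Saved                  Passed            None
JUNOS282737.lic  Saved                  Failed            Recovered
BSD Labels:
Slice            Recovery Information   Integrity Check   Action / Status
s1               Saved                  Passed            None
s2               Saved                  Passed            None
s3               Saved                  Passed            None
"""


@dataclass(frozen=True)
class AutorecoveryItem:
    section: str        # "Configuration", "Licenses" or "BSD Labels"
    name: str           # file name or slice name
    recovery_info: str  # Recovery Information column
    integrity: str      # Integrity Check column
    action: str         # Action / Status column


def parse_autorecovery(text: str) -> List[AutorecoveryItem]:
    """Turn the three-section table into a flat list of records.

    Assumption: columns 2 and 3 are single tokens (as in the sample);
    everything after them is the Action / Status text.
    """
    items: List[AutorecoveryItem] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):            # section heading, e.g. "Licenses:"
            section = line[:-1]
            continue
        if line.startswith(("File ", "Slice ")):
            continue                      # column header row
        parts = line.split()
        if section is None or len(parts) < 4:
            raise ValueError(f"unrecognised line: {raw!r}")
        name, recovery_info, integrity = parts[0], parts[1], parts[2]
        action = " ".join(parts[3:])
        items.append(AutorecoveryItem(section, name, recovery_info, integrity, action))
    return items


def integrity_failures(items: List[AutorecoveryItem]) -> List[AutorecoveryItem]:
    """Every entry whose integrity check did not report Passed."""
    return [i for i in items if i.integrity != "Passed"]


def unrecovered(items: List[AutorecoveryItem]) -> List[AutorecoveryItem]:
    """Failed entries that autorecovery did not repair: these need an operator."""
    return [i for i in items if i.integrity != "Passed" and i.action != "Recovered"]


def summarize(items: List[AutorecoveryItem]) -> Dict[str, Dict[str, int]]:
    """Per-section counts of passed and failed integrity checks."""
    summary: Dict[str, Dict[str, int]] = {}
    for i in items:
        counts = summary.setdefault(i.section, {"Passed": 0, "Failed": 0})
        counts["Passed" if i.integrity == "Passed" else "Failed"] += 1
    return summary


if __name__ == "__main__":
    records = parse_autorecovery(SAMPLE_OUTPUT)
    for item in integrity_failures(records):
        print(f"{item.section}: {item.name} integrity {item.integrity}, action {item.action}")
    print(summarize(records))
```

In the sample, the second license file fails its check but is reported as Recovered, so `integrity_failures` lists it while `unrecovered` is empty; a job that only pages on `unrecovered` stays quiet for self-healed items and still records the failure count from `summarize`.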
Release Information
Statement introduced in Junos OS Release 15.1X49-D50 for SRX Series devices.
Statement introduced in Junos OS Release 16.2 for M, MX, PTX, and T Series devices.
Description
Use to display plain text versions of obfuscated ($9) or encrypted ($8) passwords. If the password was
encrypted using the new $8$ method, you are prompted for the master password.
Options
• decrypt—Decrypt a $8$-encrypted or $9$-encrypted password.
RELATED DOCUMENTATION
master-password | 1188
Hardening Shared Secrets in Junos OS | 165
Output Fields
When you enter this command, you are provided feedback on the status of your request.
Sample Output
// Decrypting a $9 password
user@host> request system decrypt password $9$ABC123
Plaintext password: mysecret
Sample Output
// Decrypting a $8 password
user@host> request system decrypt password $8$ABC123
Master password:
Plaintext password: mysecret
(Simple passwords like "mysecret" are discouraged. This is an example only.)
Release Information
Command introduced in Junos OS Release 15.1X49-D35 for SRX300, SRX320, SRX340, SRX345, and
SRX550M devices.
Command introduced in Junos OS Release 20.1R1 for SRX380 devices.
Command introduced in Junos OS Release 13.2X50-D15 for EX Series switches.
Description
Abort a download. The download instance is stopped and cannot be resumed. Any partially downloaded
file is automatically deleted to free disk space. Information regarding the download is retained and can be
displayed with the show system download command until a request system download clear operation is
performed.
NOTE: Only downloads in the active, paused, and error states can be aborted.
Options
download-id—(Required) The ID number of the download to be aborted.
RELATED DOCUMENTATION
Output Fields
When you enter this command, you are provided feedback on the status of your request.
Sample Output
request system download abort
user@host> request system download abort 1
Aborted download #1
Release Information
Command introduced in Junos OS Release 15.1X49-D35 for SRX300, SRX320, SRX340, SRX345, and
SRX550M devices.
Command introduced in Junos OS Release 20.1R1 for SRX380 devices.
Command introduced in Junos OS Release 13.2X50-D15 for EX Series switches.
Description
Delete the history of completed and aborted downloads.
RELATED DOCUMENTATION
Output Fields
When you enter this command, you are provided feedback on the status of your request.
Sample Output
request system download clear
user@host> request system download clear
Release Information
Command introduced in Junos OS Release 15.1X49-D35 for SRX300, SRX320, SRX340, SRX345, and
SRX550M devices.
Command introduced in Junos OS Release 20.1R1 for SRX380 devices.
Command introduced in Junos OS Release 13.2X50-D15 for EX Series switches.
Description
Suspend a particular download instance.
Options
download-id—(Required) The ID number of the download to be paused.
RELATED DOCUMENTATION
Output Fields
When you enter this command, you are provided feedback on the status of your request.
Sample Output
request system download pause
user@host> request system download pause 1
Paused download #1
Release Information
Command introduced in Junos OS Release 15.1X49-D35 for SRX300, SRX320, SRX340, SRX345, and
SRX550M devices.
Command introduced in Junos OS Release 20.1R1 for SRX380 devices.
Command introduced in Junos OS Release 13.2X50-D15 for EX Series switches.
Description
Resume a download that has been paused. Download instances that are not in progress because of an
error or that have been explicitly paused by the user can be resumed by the user. The file will continue
downloading from the point where it paused. By default, the download resumes with the same bandwidth
specified with the request system download start command. The user can optionally specify a new
(maximum) bandwidth with the request system download resume command.
NOTE: Only downloads in the paused and error states can be resumed.
Options
download-id—(Required) The ID number of the download to be resumed.
RELATED DOCUMENTATION
Output Fields
When you enter this command, you are provided feedback on the status of your request.
Sample Output
request system download resume
user@host> request system download resume 1
Resumed download #1
request system download start (sftp-url | delay | identity-file | login | max-rate | passphrase | save as )
Release Information
Command introduced in Junos OS Release 15.1X49-D35 for SRX300, SRX320, SRX340, SRX345, and
SRX550M devices.
Command introduced in Junos OS Release 20.1R1 for SRX380 devices.
Description
Create a download instance and identify it with a unique integer called the download ID.
Options
sftp-url—(Required) The FTP or HTTP URL location of the file to be downloaded securely.
delay—(Optional) The number of hours after which the download should start (range from 1 through 48
hours).
identity-file—(Required) The name of the file requesting a Secure FTP (SFTP) download. The SFTP in smart
download leverages public key authentication to authenticate a download request. Users need to generate
a private or public key pair before starting a download, and then upload a public key to an SFTP server.
login—(Optional) The username and password for the server in the format username:password.
max-rate—(Optional) The maximum average bandwidth for the download. Numbers with the suffix k or
K, m or M, and g or G are interpreted as Kbps, Mbps, or Gbps, respectively.
passphrase—(Required) The passphrase to protect the private key file stored on the file system. This option
does not allow the user to enter a weak passphrase, which ensures stronger security.
save-as—(Optional) The filename to be used for saving the file in the /var/tmp location.
RELATED DOCUMENTATION
Output Fields
When you enter this command, you are provided feedback on the status of your request.
Sample Output
request system download start
user@host> request system download start identity-file mytestkey
sftp://mysftpserver/homes/kelly/test.tgz max-rate 200 save as newfile.tgz
Starting download #8
Release Information
Command introduced in Junos OS Release 10.2.
Description
Upgrade firmware on a system.
Options
fpc—Upgrade FPC ROM monitor.
re—Upgrade baseboard BIOS/FPGA. There is an active BIOS image and a backup BIOS image.
NOTE: Starting in Junos OS Release 17.2R1, you can upgrade the SSD firmware on routers
with the VM Host support.
Starting in Junos OS Release 19.3R1, you can upgrade the i40e NVM firmware on routers
with VM Host support.
RELATED DOCUMENTATION
Output Fields
When you enter this command, you are provided feedback on the status of your request.
Sample Output
request system firmware upgrade
user@host> request system firmware upgrade re bios
Release Information
Command introduced in Junos OS Release 9.5.
Description
Starts autoupdating license keys from the license portal.
• The request system license update command always uses the default Juniper license server:
https://ae1.juniper.net/.
• The request system license update command is supported only on SRX, vSRX, and QFX Series devices.
The products supported by the Juniper Agile Licensing (JAL) portal include QFX Series, SRX Series, EX
Series, NFX, vBNG, vMX, vSRX, and ACX. For other Juniper products (SPACE, JSA, SBR Carrier, Screen
OS, and so on), access the License Management System (LMS).
Options
trial—Immediately updates trial license keys from the license portal.
Output Fields
When you enter this command, you are provided feedback on the status of your request.
Sample Output
request system license update
user@host> request system license update
Trying to update license keys from https://ae1.juniper.net has been sent, use show
system license to check status.
Syntax
Syntax (MX Series Routers and MX Series Virtual Chassis, EX9200 Switches and EX9200 Virtual Chassis)
Syntax (QFX Series Switches and QFX Series Virtual Chassis, Virtual Chassis Fabric)
<both-routing-engines>
<in minutes>
<media (compact-flash | disk)>
<message "text">
<other-routing-engine>
<partition (1 | 2 | alternate)>
Release Information
Command introduced before Junos OS Release 7.4.
Option other-routing-engine introduced in Junos OS Release 8.0.
Command introduced in Junos OS Release 9.0 for EX Series switches.
Option sfc introduced for the TX Matrix Plus router in Junos OS Release 9.6.
Option partition changed to slice in Junos OS Release 10.0 for EX Series switches.
Command introduced in Junos OS Release 11.1 for the QFX Series.
Option both-routing-engines introduced in Junos OS Release 12.1.
Description
Reboot the software.
This command can be used on standalone devices and on devices supported in a Virtual Chassis, Virtual
Chassis Fabric, or QFabric system.
NOTE: Starting with Junos OS Release 15.1F3, the statement request system reboot reboots
only the guest operating system on the PTX5000 with RE-PTX-X8-64G and, MX240, MX480,
and MX960 with RE-S-X6-64G.
Starting with Junos OS Release 15.1F5, the statement request system reboot reboots only the
guest operating system on the MX2010, and MX2020 with REMX2K-X8-64G.
NOTE: Starting from Junos OS Release 17.2R1, PTX10008 routers do not support the request
system reboot command. Starting from Junos OS Release 17.4R1, PTX10016 routers do not
support the request system reboot command. Use the request vmhost reboot command instead
of the request system reboot command on the PTX10008 and PTX10016 routers to reboot
the Junos OS software package or bundle on the router. See request vmhost reboot.
NOTE: On a QFabric system, to avoid traffic loss on the network Node group, switch mastership
of the Routing Engine to the backup Routing Engine, and then reboot.
Options
The options described here are not all supported on every platform or release of Junos OS. Refer to the
Syntax sections for the options commonly available on each type of platform.
all-chassis—(Optional) On a TX Matrix router or TX Matrix Plus router, reboot all routers connected to the
TX Matrix or TX Matrix Plus router, respectively.
all-lcc—(Optional) On a TX Matrix router or TX Matrix Plus router, reboot all line card chassis connected
to the TX Matrix or TX Matrix Plus router, respectively.
all-members | local | member member-id—(Optional) Specify which member of the Virtual Chassis to reboot:
• local—Reboots only the local switch (switch where you are logged in).
at time—(Optional) Time at which to reboot the software, specified in one of the following ways:
• yymmddhhmm—Absolute time at which to reboot the software, specified as year, month, day, hour,
and minute.
• hh:mm—Absolute time on the current day at which to reboot the software, specified in 24-hour time.
hypervisor—(Optional) Reboot Junos OS, host OS, and any installed guest VMs.
in minutes—(Optional) Number of minutes from now to reboot the software. The minimum value is 1. This
option is an alias for the at +minutes option.
in-service—(Optional) Enables you to reset the software state (no software version change) of the system
with minimal disruption in data and control traffic.
Replace number with the following values depending on the LCC configuration:
• 0 through 3, when T640 routers are connected to a TX Matrix router in a routing matrix.
• 0 through 3, when T1600 routers are connected to a TX Matrix Plus router in a routing matrix.
• 0 through 7, when T1600 routers are connected to a TX Matrix Plus router with 3D SIBs in a routing
matrix.
• 0, 2, 4, or 6, when T4000 routers are connected to a TX Matrix Plus router with 3D SIBs in a routing
matrix.
media (compact-flash | disk | removable-compact-flash | usb)—(Optional) Use the indicated boot medium
for the next boot.
media (external | internal)—(Optional) Use the indicated boot medium for the next boot:
• external—Reboot the device using a software package stored on an external boot source, such as
a USB flash drive.
• internal—Reboot the device using a software package stored in an internal memory source.
message "text"—(Optional) Message to display to all system users before stopping or rebooting the software.
network—(Optional) Reboot using the Preboot Execution Environment (PXE) boot method over the network.
oam—(Optional) Reboot from the maintenance volume (OAM volume, usually the compact flash drive).
other-routing-engine—(Optional) Reboot the Routing Engine other than the one from which the command
is issued. For example, if you issue the command from the master Routing Engine, the backup Routing
Engine is rebooted. Similarly, if you issue the command from the backup Routing Engine, the master
Routing Engine is rebooted.
partition partition—(Optional) Reboot using the specified partition on the boot media. This option is
equivalent to the slice option that is supported on some devices. Specify one of the following partition
values:
scc—(Optional) Reboot the Routing Engine on the TX Matrix switch-card chassis. If you issue the command
from re0, re0 is rebooted. If you issue the command from re1, re1 is rebooted.
sfc number—(Optional) Reboot the Routing Engine on the TX Matrix Plus switch-fabric chassis. If you issue
the command from re0, re0 is rebooted. If you issue the command from re1, re1 is rebooted. Replace
number with 0.
slice slice—(Optional) Reboot using the specified partition on the boot media. This option was originally
the partition option but was renamed to slice on EX Series and QFX Series switches. Specify one of
the following slice values:
• alternate—Reboot from the alternate partition (which did not boot the switch at the last bootup).
NOTE: The slice option is not supported on QFX Series switches that have no alternate slice
when Junos OS boots as a Virtual Machine (VM). To switch to the previous version of Junos
OS, issue the request system software rollback command.
all—(Optional) Reboots the software on the Director group, fabric control Routing Engines, fabric manager
Routing Engines, Interconnect devices, and network and server Node groups.
director-device name—(Optional) Reboots the software on the Director device and the default partition
(QFabric CLI).
director-group—(Optional) Reboots the software on the Director group and the default partition (QFabric
CLI).
fabric—(Optional) Reboots the fabric control Routing Engines and the Interconnect devices.
node-group name—(Optional) Reboots the software on a server Node group or a network Node group.
graceful—(Optional) Enables the QFabric component to reboot with minimal impact to network traffic.
This sub-option is only available for the all, fabric, and director-group options.
Additional Information
Reboot requests are recorded in the system log files, which you can view with the show log command
(see show log). Also, the names of any running processes that are scheduled to be shut down are changed.
You can view the process names with the show system processes command (see show system processes).
On a TX Matrix or TX Matrix Plus router, if you issue the request system reboot command on the master
Routing Engine, all the master Routing Engines connected to the routing matrix are rebooted. If you issue
this command on the backup Routing Engine, all the backup Routing Engines connected to the routing
matrix are rebooted.
NOTE: Before issuing the request system reboot command on a TX Matrix Plus router with no
options or with the all-chassis, all-lcc, lcc number, or sfc options, verify that the master Routing
Engines for all routers in the routing matrix are in the same slot number. If the master Routing Engine
for a line-card chassis is in a different slot number than the master Routing Engine for the TX Matrix
Plus router, the line-card chassis might become logically disconnected from the routing matrix
after the request system reboot command.
NOTE: To reboot a router that has two Routing Engines, reboot the backup Routing Engine (if
you have upgraded it) first, and then reboot the master Routing Engine.
RELATED DOCUMENTATION
Output Fields
When you enter this command, you are provided feedback on the status of your request.
Sample Output
request system reboot
user@host> request system reboot
The following example, which assumes that the time is 5 PM (17:00), illustrates
three different ways to request the system to reboot in two hours:
To reboot the system at 1:20 AM, enter the following command. Because 1:20 AM is
the next day, you must specify the absolute time.
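As an added illustration (not code from the Junos OS guide), the following Python helper resolves the three time forms of the at option described above (+minutes, yymmddhhmm, hh:mm) into an absolute time and rejects an hh:mm value that has already passed on the current day, which is exactly why 1:20 AM must be given as an absolute date. The 17:00 clock value is the constructed one from the text; DEMO_NOW, in_minutes and check_reboot_spec are names chosen here, not Junos identifiers.

```python
"""Resolve the time forms accepted by `request system reboot at` / `in`.

Added example, not code from the Junos OS guide. It models the three forms
documented above (+minutes, yymmddhhmm, hh:mm) so that a change-window
script can compute and sanity-check the absolute reboot time before the
command is scheduled on a device. `now` stands in for the device clock.
"""
import re
from datetime import datetime, timedelta
from typing import Optional

# `in minutes` is documented as an alias for `at +minutes`; the minimum is 1.
MIN_RELATIVE_MINUTES = 1

# Constructed clock value: the guide's example assumes it is 5 PM (17:00).
DEMO_NOW = datetime(2020, 3, 26, 17, 0)


def resolve_reboot_time(spec: str, now: datetime) -> datetime:
    """Return the absolute reboot time for a Junos `at time` specification.

    Raises ValueError for a malformed spec, a relative delay below the
    documented minimum, or an hh:mm value that has already passed today:
    hh:mm is always read on the current day, so a next-day time such as
    01:20 has to be given in the yymmddhhmm form instead.
    """
    spec = spec.strip()

    # Form 1: +minutes (the `in minutes` option is an alias for this form).
    if spec.startswith("+") and spec[1:].isdigit():
        minutes = int(spec[1:])
        if minutes < MIN_RELATIVE_MINUTES:
            raise ValueError(
                f"relative delay must be at least {MIN_RELATIVE_MINUTES} minute")
        return now + timedelta(minutes=minutes)

    # Form 2: yymmddhhmm, an absolute date and time on a 24-hour clock.
    if re.fullmatch(r"\d{10}", spec):
        return datetime.strptime(spec, "%y%m%d%H%M")

    # Form 3: hh:mm, an absolute time on the current day (24-hour clock).
    match = re.fullmatch(r"(\d{1,2}):(\d{2})", spec)
    if match:
        hour, minute = int(match.group(1)), int(match.group(2))
        if hour > 23 or minute > 59:
            raise ValueError(f"invalid 24-hour time {spec!r}")
        when = now.replace(hour=hour, minute=minute, second=0, microsecond=0)
        if when <= now:
            tomorrow = (when + timedelta(days=1)).strftime("%y%m%d%H%M")
            raise ValueError(
                f"{spec} has already passed today; use yymmddhhmm ({tomorrow}) "
                "to reboot at that time tomorrow")
        return when

    raise ValueError(f"unrecognized time specification {spec!r}")


def in_minutes(minutes: int, now: datetime) -> datetime:
    """The `in minutes` option, implemented as the alias the guide describes."""
    return resolve_reboot_time(f"+{minutes}", now)


def check_reboot_spec(spec: str, now: datetime) -> Optional[str]:
    """Return None when the spec would be accepted, else the rejection reason."""
    try:
        resolve_reboot_time(spec, now)
    except ValueError as err:
        return str(err)
    return None


if __name__ == "__main__":
    # Three equivalent ways to request a reboot two hours after 17:00.
    for spec in ("+120", "2003261900", "19:00"):
        print(f"at {spec:<12} -> {resolve_reboot_time(spec, DEMO_NOW)}")
    print(f"in 120        -> {in_minutes(120, DEMO_NOW)}")
    # 01:20 is on the next day: the hh:mm form is refused, yymmddhhmm works.
    print(f"at 01:20      -> rejected: {check_reboot_spec('01:20', DEMO_NOW)}")
    print(f"at 2003270120 -> {resolve_reboot_time('2003270120', DEMO_NOW)}")
```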
warning: Do NOT use /user during ISSR. Changes to /user during ISSR may get lost!
Current image is jinstall-jcp-i386-flex-18.1.img
[Feb 22 02:37:14]:ISSU: Preparing Backup RE
Prepare for ISSR
[Feb 22 02:37:19]:ISSU: Backup RE Prepare Done
Spawning the backup RE
Spawn backup RE, index 1 successful
Starting secondary dataplane
Second dataplane container started
GRES in progress
Waiting for backup RE switchover ready
GRES operational
Copying home directories
Copying home directories successful
Initiating Chassis In-Service-Upgrade for ISSR
Chassis ISSU Started
[Feb 22 02:42:55]:ISSU: Preparing Daemons
[Feb 22 02:43:00]:ISSU: Daemons Ready for ISSU
[Feb 22 02:43:05]:ISSU: Starting Upgrade for FRUs
[Feb 22 02:43:15]:ISSU: FPC Warm Booting
[Feb 22 02:44:16]:ISSU: FPC Warm Booted
[Feb 22 02:44:27]:ISSU: Preparing for Switchover
[Feb 22 02:44:31]:ISSU: Ready for Switchover
Checking In-Service-Upgrade status
Item Status Reason
FPC 0 Online (ISSU)
Send ISSR done to chassisd on backup RE
Chassis ISSU Completed
Removing dcpfe0 eth1 128.168.0.16 IP
Release Information
Command introduced in Junos OS Release 10.1.
Command hypervisor option introduced in Junos OS Release 15.1X49-D10 for vSRX.
Command introduced in Junos OS Release 15.1X49-D50 for SRX1500 devices.
Description
Reboot the software.
Options
• at time—(Optional) Specify the time at which to reboot the device. You can specify time in one of the
following ways:
  • +minutes—Reboot the device in the number of minutes from now that you specify.
  • yymmddhhmm—Reboot the device at the absolute time on the date you specify. Enter the year, month,
  day, hour (in 24-hour format), and minute.
  • hh:mm—Reboot the device at the absolute time you specify, on the current day. Enter the time in
  24-hour format, using a colon (:) to separate hours from minutes.
• in minutes—(Optional) Specify the number of minutes from now to reboot the device. This option is a
synonym for the at +minutes option.
• media type—(Optional) Specify the boot device to boot the device from:
• message "text"—(Optional) Provide a message to display to all system users before the device reboots.
RELATED DOCUMENTATION
Release Information
Command introduced in Junos OS Release 10.2.
Description
Back up the currently running and active file system partitions on the device.
Options
• config-partition— Creates a snapshot of the configuration partition only and stores it onto the default
/altconfig on the hard disk device or an /altconfig on a USB device.
• root-partition— Creates a snapshot of the root partition only and stores it onto the default /altroot on
the hard disk device or an /altroot on a USB device.
• factory— (Optional) Specifies that only the files shipped from the factory are included in the snapshot.
• internal— Copy software to an internal flash drive. This is the default option.
NOTE: The USB option is available on all SRX Series devices; the hard disk and compact-flash options
are available only on SRX5800, SRX5600, and SRX5400 devices; the media internal option is
available only on SRX300, SRX320, SRX340, SRX345, SRX380, and SRX550M devices.
• external— Copies software to an external storage device. This option is available for the compact flash
on the SRX650 Services Gateway.
• node—(Optional) Specify the archive data and executable areas of a specific node. If you do not specify
the node option, the device uses the current node as the default.
• partition—(Default) Specify that the target media should be repartitioned before the backup is saved to
it.
NOTE: The target media is partitioned whether or not it is specified in the command, because
this is a mandatory option.
• slice—(Optional) Take a snapshot of the root partition the system has currently booted from to another
slice in the same media.
• alternate—(Optional) Store the snapshot on the other root partition in the system.
NOTE: The slice option cannot be used along with the other request system snapshot options,
because the options are mutually exclusive. If you use the factory, media, or partition option,
you cannot use the slice option; if you use the slice option, you cannot use any of the other
options.
Output Fields
When you enter this command, you are provided feedback on the status of your request.
Sample Output
request system snapshot config-partition
user@host> request system snapshot config-partition
Release Information
Command introduced in Junos OS Release 15.1X49-D35 for SRX300, SRX320, SRX340, SRX345, and
SRX550M devices.
Command introduced in Junos OS Release 20.1R1 for SRX380 devices.
Description
Abort an in-band cluster upgrade (ICU). This command must be issued from a router session other than
the one on which you issued the request system in-service-upgrade command that launched the ICU. If
an ICU is in progress, this command aborts it. If the node is being upgraded, this command will cancel the
upgrade. The command is also helpful in recovering the node in case of a failed ICU.
NOTE: We recommend that you use this command only when there is an issue with the ongoing
ISSU session. If the system does not recover after you issue the command, you may need to
intervene manually to bring the system back to a sane state.
Options
This command has no options.
RELATED DOCUMENTATION
Output Fields
When you enter this command, you are provided feedback on the status of your request.
Sample Output
request system software abort in-service-upgrade
user@host> request system software abort in-service-upgrade
In-Service-Upgrade aborted
Release Information
Partition option introduced in the command in Junos OS Release 10.1.
Description
Install the new software package on the device, for example: request system software add
junos-srxsme-10.0R2-domestic.tgz no-copy no-validate partition reboot.
Options
• delay-restart—Install the software package but do not restart the software process.
• best-effort-load—Activate a partial load and treat parsing errors as warnings instead of errors.
• no-copy—Install the software package but do not save copies of the package files.
• no-validate—Do not check compatibility with the current configuration before the installation starts.
RELATED DOCUMENTATION
Release Information
Command introduced in Junos OS Release 10.1.
Command introduced in Junos OS Release 15.1X49-D50 for SRX1500 devices.
Command introduced in Junos OS Release 17.4R1 for SRX4100 and SRX4200 devices.
Description
Revert to the software that was loaded at the last successful request system software add command. The
upgraded FreeBSD 11.x (supported in Junos OS Release 17.4R1) Junos OS image provides an option to
save a recovery image in an Operation, Administration, and Maintenance (OAM) partition, but that option
will save only the Junos OS image, not the Linux image. If a user saves the Junos OS image and recovers
it later, it might not be compatible with the Linux software loaded on the system.
Options
node-id—Identification number of the chassis cluster node. It can be 0 or 1.
RELATED DOCUMENTATION
Description
Erases all configuration information and resets all key values. The command removes all data files, including
customized configuration and log files, by unlinking the files from their directories.
The command removes all user-created files from the system including all plain-text passwords, secrets,
and private keys for SSH, local encryption, local authentication, IPsec, RADIUS, TACACS+, and SNMP.
This command reboots the device and sets it to the factory default configuration. After the reboot, you
cannot access the device through the management Ethernet interface. Log in through the console as root
and start the Junos OS CLI by typing cli at the prompt.
Options
media—(Optional) In addition to removing all configuration and log files, the media option causes memory
and the media to be scrubbed, removing all traces of any user-created files. Every storage device
attached to the system is scrubbed, including disks, flash drives, removable USBs, and the like. The
duration of the scrubbing process is dependent on the size of the media being erased. As a result, the
request system zeroize media operation can take considerably more time than the request system
zeroize operation. However, the critical security parameters are all removed at the beginning of the
process.
RELATED DOCUMENTATION
Sample Output
request system zeroize
user@host> request system zeroize
warning: System will be rebooted and may not boot without configuration
Erase all data, including configuration and log files? [yes,no] (no) yes
Release Information
Command introduced in Junos OS Release 19.2.
Description
Display statistics for the attempted, successful, and failed transfers of accounting statistics files and
router configuration archives.
Options
This command has no options.
Sample Output
show accounting server statistics archival-transfer
user@host> show accounting server statistics archival-transfer
Release Information
Command introduced in Junos OS Release 10.1 for EX Series switches.
Command introduced in Junos OS Release 14.2 for MX240, MX480, and MX960 routers in enhanced LAN
mode.
Description
Display the users that have failed captive portal authentication.
RELATED DOCUMENTATION
Output Fields
Table 45 on page 1422 lists the output fields for the show captive-portal authentication-failed-users command.
Output fields are listed in the approximate order in which they appear.
Field Name      Field Description                                                            Level of Output
Interface       The MAC address configured to bypass captive portal authentication.          all
MAC address     The MAC address configured statically on the interface.                      all
User            Name of the user that has failed captive portal authentication.              all
Failure Count   The number of times that 802.1X authentication has failed on the interface.  all
Sample Output
show captive-portal authentication-failed-users
user@host> show captive-portal authentication-failed-users
Release Information
Command introduced in Junos OS Release 10.1 for EX Series switches.
Command introduced in Junos OS Release 14.2 for MX240, MX480, and MX960 routers in enhanced LAN
mode.
Description
Display information about the firewall filters for each user that is authenticated on each captive portal
interface.
Options
none—Display all the firewall filters on all captive portal interfaces.
interface-name—(Optional) Display all the terms of the firewall filters for the specified interface.
interface-name detail—(Optional) Display all of the terms of the firewall filters for the specified interface.
RELATED DOCUMENTATION
Output Fields
Output fields for the show captive-portal firewall command include any action modifier specified in firewall
filters except policers. Policers are not supported in the terms of the internally generated dynamic firewall
filters that are created when multiple supplicants authenticate on 802.1X-enabled interfaces.
Sample Output
show captive-portal firewall brief
user@switch> show captive-portal firewall brief
dot1x_ge-0/0/0_CP_u_dns 0 0
Filter name: dot1x_ge-0/0/1
Counters:
Name Bytes Packets
dot1x_ge-0/0/1_CP_arp 0 0
dot1x_ge-0/0/1_CP_dhcp 0 0
dot1x_ge-0/0/1_CP_http 0 0
dot1x_ge-0/0/1_CP_https 0 0
dot1x_ge-0/0/1_CP_t_dns 0 0
dot1x_ge-0/0/1_CP_u_dns 0 0
Filter name: dot1x_ge-0/0/10
Counters:
Name Bytes Packets
dot1x_ge-0/0/10_CP_arp 7616 119
dot1x_ge-0/0/10_CP_dhcp 0 0
dot1x_ge-0/0/10_CP_http 0 0
dot1x_ge-0/0/10_CP_https 0 0
dot1x_ge-0/0/10_CP_t_dns 0 0
dot1x_ge-0/0/10_CP_u_dns 0 0
Filter name: dot1x_ge-0/0/11
Release Information
Command introduced in Junos OS Release 10.1 for EX Series switches.
Command introduced in Junos OS Release 14.2 for MX240, MX480, and MX960 routers in enhanced LAN
mode.
Description
Display the current operational state of all captive portal interfaces with the list of connected users and
the configured values of captive portal attributes on the interfaces.
Options
none—Display all captive portal interfaces.
interface-name—(Optional) Display the state of the specified captive portal interface and list the MAC
address and user name of any clients authenticated on the interface.
interface-name detail—(Optional) Display the configured values of captive portal attributes on the specified
captive portal interface.
RELATED DOCUMENTATION
show captive-portal interface detail (Only Captive Portal Enabled) on page 1430
show captive-portal interface detail (802.1X Authentication and Captive Portal Enabled) on page 1430
Output Fields
Table 46 on page 1428 lists the output fields for the show captive-portal interface command. Output fields
are listed in the approximate order in which they appear.
Field Name                            Field Description                                                              Level of Output
Interface                             Interface on which captive portal has been configured.                         All levels
MAC address                           The MAC address of the connected client on the interface.                      brief
Fallen back                           Indicates when 802.1X authentication and captive portal are both enabled
                                      on an interface:
Number of retries                     Number of times the user can attempt to submit authentication information.     detail
Quiet period                          Time, in seconds, after a user exceeds the maximum number of retries           detail
                                      before they can attempt to authenticate.
Configured CP session timeout         Time, in seconds, that a client can be idle before the session expires.        detail
Server timeout                        Time, in seconds, that an interface will wait for a reply when relaying a      detail
                                      response from the client to the authentication server before timing out
                                      and invoking the server-fail action.
Configured CP User-keepalive timeout  Time, in minutes, that a captive portal authentication session is extended     detail
                                      after the MAC aging timer expires.
Number of connected supplicants       Number of users connecting through the captive portal interface.               detail
                                      Information for each user includes:
                                      • Supplicant—User name and MAC address.
                                      • Operational state—See State (above).
                                      • Dynamic CP session timeout—Timeout value dynamically downloaded from the
                                        RADIUS server for this user, if any.
                                      • CP Session expiration due in—Time remaining in session.
                                      • Eapol-Block—Shows whether EAPOL block is in effect or not.
                                      • CP Session User-keepalive Expiration due in—Time, in seconds, remaining in
                                        the keep-alive period.
Sample Output
show captive-portal interface (Only Captive Portal Enabled)
user@switch> show captive-portal interface
show captive-portal interface detail (802.1X Authentication and Captive Portal Enabled)
user@switch> show captive-portal interface detail ge-6/0/5.0
Release Information
Command introduced in Junos OS Release 9.5.
Description
Display the Routing Engine status of the chassis cluster.
RELATED DOCUMENTATION
cluster (Chassis)
request system snapshot (Maintenance) | 1411
Output Fields
Table 47 on page 1431 lists the output fields for the show chassis routing-engine command. Output fields
are listed in the approximate order in which they appear.
NOTE: Starting with Junos OS Release 15.1X49-D70 and Junos OS Release 17.3R1, the method for
calculating the memory utilization of a Routing Engine has changed: inactive memory is now
subtracted from the total available memory. The reported value for used memory therefore
decreases, because inactive memory is now counted as free.
Field Name          Field Description
CPU utilization     Current CPU utilization statistics on the control plane core.
User                Current CPU utilization in user mode on the control plane core.
Background          Current CPU utilization in nice mode on the control plane core.
Kernel              Current CPU utilization in kernel mode on the control plane core.
Interrupt           Current CPU utilization in interrupt mode on the control plane core.
Idle                Current CPU utilization in idle mode on the control plane core.
Uptime              Length of time the Routing Engine has been up (running) since the last start.
Last reboot reason  Reason for the last reboot of the Routing Engine.
Load averages       The average number of threads waiting in the run queue or currently executing
                    over 1-, 5-, and 15-minute periods.
Sample Output
show chassis routing-engine (Sample 1 - SRX550M)
user@host> show chassis routing-engine
Sample Output
show chassis routing-engine (Sample 2 - vSRX)
user@host> show chassis routing-engine
Sample Output
show chassis routing-engine (Sample 3- SRX5400)
user@host> show chassis routing-engine
Sample Output
show chassis routing-engine (Sample 4- SRX4100)
user@host> show chassis routing-engine
Kernel 0 percent
Interrupt 0 percent
Idle 100 percent
1 min CPU utilization:
User 0 percent
Background 0 percent
Kernel 0 percent
Interrupt 0 percent
Idle 100 percent
5 min CPU utilization:
User 0 percent
Background 0 percent
Kernel 0 percent
Interrupt 0 percent
Idle 100 percent
15 min CPU utilization:
User 0 percent
Background 0 percent
Kernel 0 percent
Interrupt 0 percent
Idle 100 percent
Model SRX Routing Engine
Serial ID BUILTIN
Uptime 17 days, 5 hours, 1 minute, 52 seconds
Last reboot reason 0x4000:VJUNOS reboot
Load averages: 1 minute 5 minute 15 minute
0.00 0.00 0.00
On the TVP platforms (SRX1500, SRX4100, SRX4200), the total memory of 64 GB is split between the
Routing Engine, which runs as a virtual machine, and the Packet Forwarding Engine (PFE), which receives
the remainder. The TVP architecture separates the PFE from Junos OS and adds API compatibility. These
are the only SRX Series devices with the TVP architecture. The show chassis routing-engine command
displays only the Routing Engine memory.
Sample Output
show chassis routing-engine (Sample 5- SRX1500)
user@host> show chassis routing-engine
show dot1x
Syntax
show dot1x
<brief | detail>
<interface interface-name>
Release Information
Command introduced in Junos OS Release 9.0 for EX Series switches.
Command introduced in Junos OS Release 14.1X53-D30 for the QFX Series.
Command introduced in Junos OS Release 14.2 for MX240, MX480, and MX960 routers in enhanced LAN
mode.
Description
Display the current operational state of all ports with the list of connected users.
This command displays the list of connected supplicants received from the RADIUS authentication server
regardless of the session state—that is, for both authenticated supplicants and for supplicants that attempted
authentication.
Options
none—Display information for all authenticator ports.
interface interface-name—(Optional) Display information for the specified port with a list of connected
supplicants.
RELATED DOCUMENTATION
Output Fields
Table 48 on page 1438 lists the output fields for the show dot1x command. Output fields are listed in the
approximate order in which they appear.
Field Name                                            Field Description                                                                 Level of Output
MAC address                                           The MAC address of the connected supplicant on the port.                          All levels
Role                                                  The 802.1X authentication role of the interface. When 802.1X is enabled on an     brief, detail
                                                      interface, the role is Authenticator. As Authenticator, the interface blocks LAN
                                                      access until a supplicant is authenticated through 802.1X or MAC RADIUS
                                                      authentication.
Quiet period                                          The number of seconds the port waits following a failed authentication            detail
                                                      exchange with the supplicant before reattempting the authentication. The
                                                      default value is 60 seconds. The range is 0 through 65,535 seconds.
Transmit period                                       The number of seconds the port waits before retransmitting the initial EAPOL      detail
                                                      PDUs to the supplicant. The default value is 30 seconds. The range is 1
                                                      through 65,535 seconds.
MAC radius restrict                                   The authentication method is restricted to MAC RADIUS only. 802.1X                detail
                                                      authentication is not enabled.
Supplicant timeout                                    The number of seconds the port waits for a response when relaying a request       detail
                                                      from the authentication server to the supplicant before resending the
                                                      request. The default value is 30 seconds. The range is 1 through 60 seconds.
Server timeout                                        The number of seconds the port waits for a reply when relaying a response         detail
                                                      from the supplicant to the authentication server before timing out. The
                                                      default value is 30 seconds. The range is 1 through 60 seconds.
Maximum EAPOL requests                                The maximum number of times an EAPOL request packet is retransmitted to the       detail
                                                      supplicant before the authentication session times out. The default value is
                                                      2. The range is 1 through 10.
Number of clients bypassed because of authentication  The number of non-802.1X clients granted access to the LAN by means of static     detail
                                                      MAC bypass. The following fields are displayed:
                                                      • Client—MAC address of the client.
                                                      • vlan—The name of the VLAN to which the client is connected.
Guest VLAN member                                     The VLAN to which a supplicant is connected when the supplicant is                detail
                                                      authenticated using a guest VLAN. If a guest VLAN is not configured on the
                                                      interface, this field displays <not configured>.
Multi domain data session count                       The number of data sessions that have been authenticated on a multi-domain        detail
                                                      authentication interface.
Supplicant                                            The username and MAC address of the connected supplicant.                         detail
Dynamic filter                                        User policy filter sent by the RADIUS server.                                     detail
Reauthentication due in                               The number of seconds in which reauthentication will occur again for the          detail
                                                      connected supplicant.
Session Accounting Interim Interval                   The number of seconds between interim RADIUS accounting messages.                 detail
Accounting Update due in                              The number of seconds until the next interim RADIUS accounting update is due.     detail
CWA Redirect URL                                      The URL used to redirect the supplicant to a central Web server for               detail
                                                      authentication.
Eapol Block                                           Shows whether EAPOL block is in effect or not in effect.                          detail
Sample Output
show dot1x interface brief
user@switch> show dot1x interface brief
802.1X Information:
Interface Role State MAC address User
ge-0/0/1 Authenticator Authenticated 00:a0:d2:18:1a:c8 user1
ge-0/0/2 Authenticator Connecting
ge-0/0/3 Authenticator Held 00:a6:55:f2:94:ae user3
ge-0/0/16.0
Role: Authenticator
Administrative state: Auto
Supplicant mode: Single
Number of retries: 3
Quiet period: 60 seconds
Transmit period: 30 seconds
Mac Radius: Enabled
Mac Radius Restrict: Disabled
Mac Radius Authentication Protocol: PAP
Reauthentication: Enabled
Configured Reauthentication interval: 3600 seconds
Supplicant timeout: 30 seconds
Server timeout: 30 seconds
Maximum EAPOL requests: 2
Guest VLAN member: <not configured>
Number of connected supplicants: 2
Supplicant: abc, 00:30:48:8C:66:BD
Operational state: Authenticated
Authentication method: Radius
Authenticated VLAN: v200
Session Reauth interval: 3600 seconds
Reauthentication due in 3587 seconds
Eapol-Block: Not In Effect
Supplicant: 000303030303, 00:03:03:03:03:03
Operational state: Authenticated
Backend Authentication state: Idle
Authentication method: Mac Radius
Authenticated VLAN: dyn_vlan2
Session Reauth interval: 3600 seconds
Reauthentication due in 3587 seconds
Eapol-Block: In Effect
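As an added example (not code from the Junos OS guide), the following Python script parses the brief and detail output shown above, as an operator would when auditing port state from a saved CLI capture, and reports two things the fields on this page make visible: ports in the Held state (the quiet period that follows a failed authentication exchange) and supplicants whose Authentication method is Mac Radius, that is, admitted on their MAC address rather than through an 802.1X exchange. The two output strings are constructed copies of the samples above; all function names are chosen here.

```python
"""Audit 802.1X port state from `show dot1x interface brief` and `detail` text.

Added example, not code from the Junos OS guide. The two strings below are
constructed copies of the sample output shown above; the checks follow the
field meanings documented on this page (a Held port is in its quiet period
after a failed authentication exchange, and a supplicant admitted by MAC
RADIUS was authenticated on its MAC address alone).
"""
import re
from typing import Dict, List, Optional

BRIEF_OUTPUT = """\
802.1X Information:
Interface Role State MAC address User
ge-0/0/1 Authenticator Authenticated 00:a0:d2:18:1a:c8 user1
ge-0/0/2 Authenticator Connecting
ge-0/0/3 Authenticator Held 00:a6:55:f2:94:ae user3
"""

DETAIL_OUTPUT = """\
ge-0/0/16.0
Role: Authenticator
Mac Radius: Enabled
Mac Radius Restrict: Disabled
Number of connected supplicants: 2
Supplicant: abc, 00:30:48:8C:66:BD
Operational state: Authenticated
Authentication method: Radius
Authenticated VLAN: v200
Reauthentication due in 3587 seconds
Eapol-Block: Not In Effect
Supplicant: 000303030303, 00:03:03:03:03:03
Operational state: Authenticated
Authentication method: Mac Radius
Authenticated VLAN: dyn_vlan2
Eapol-Block: In Effect
"""

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}$")


def parse_dot1x_brief(text: str) -> List[Dict[str, Optional[str]]]:
    """One record per port row; mac and user are None when the row has none."""
    ports = []
    for line in text.splitlines():
        fields = line.split()
        # Skip the banner line, the column header and blank lines.
        if len(fields) < 3 or fields[0] in ("802.1X", "Interface"):
            continue
        rec: Dict[str, Optional[str]] = {
            "interface": fields[0], "role": fields[1], "state": fields[2],
            "mac": None, "user": None}
        # A port with no supplicant (e.g. Connecting) has no MAC/User columns.
        if len(fields) > 3 and MAC_RE.match(fields[3]):
            rec["mac"] = fields[3]
            rec["user"] = fields[4] if len(fields) > 4 else None
        ports.append(rec)
    return ports


def parse_dot1x_detail(text: str) -> List[Dict[str, str]]:
    """One record per 'Supplicant:' block, keyed by the attribute names shown."""
    supplicants: List[Dict[str, str]] = []
    interface = ""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if ":" not in line:
            # A lone token is the interface header; other colon-less lines
            # (e.g. "Reauthentication due in 3587 seconds") carry no key.
            if len(line.split()) == 1:
                interface = line
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "Supplicant":
            name, mac = (part.strip() for part in value.split(",", 1))
            supplicants.append({"interface": interface, "name": name, "mac": mac})
        elif supplicants:
            # Attributes before the first Supplicant line are interface-level.
            supplicants[-1][key] = value
    return supplicants


def ports_in_held_state(ports: List[Dict[str, Optional[str]]]) -> List[str]:
    """Interfaces whose last authentication exchange failed (quiet period running)."""
    return [str(p["interface"]) for p in ports if p["state"] == "Held"]


def mac_only_supplicants(supplicants: List[Dict[str, str]]) -> List[str]:
    """MAC addresses admitted by MAC RADIUS rather than an 802.1X (EAP) exchange."""
    return [s["mac"] for s in supplicants
            if s.get("Authentication method") == "Mac Radius"]


if __name__ == "__main__":
    ports = parse_dot1x_brief(BRIEF_OUTPUT)
    print("Held after failed authentication:", ports_in_held_state(ports))
    sups = parse_dot1x_detail(DETAIL_OUTPUT)
    print("Admitted on MAC address alone:", mac_only_supplicants(sups))
```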
Release Information
Command introduced in Junos OS Release 16.1 for EX Series switches.
Description
Display the RADIUS accounting attributes sent by the switch, operating as the network access server
(NAS), to the RADIUS accounting server. RADIUS accounting attributes convey information that is used
to account for a service provided to an authenticated user. The user session statistics are recorded by the
accounting server in an accounting log file.
RADIUS accounting attributes are included in Accounting-Request messages sent from the switch to the
accounting server. Attribute information is created only if the data for the attribute is available.
RELATED DOCUMENTATION
Output Fields
Table 49 on page 1445 lists the output fields for the show dot1x accounting-attributes command. Output
fields are listed in the approximate order in which they appear.
Field Name             Field Description
Accounting attributes  Shows the value for the RADIUS accounting attributes sent from the NAS to the server. An
                       attribute is displayed only if data is available for that attribute value. The following RADIUS
                       accounting attributes are supported:
Sample Output
show dot1x accounting-attributes
user@switch> show dot1x accounting-attributes
Accounting Attribute:
Calling Station Id: 88-e0-f3-1f-c5-e0
Release Information
Command introduced in Junos OS Release 9.0 for EX Series switches.
Command introduced in Junos OS Release 14.1X53-D30 for the QFX Series.
Description
Display the supplicants (users) that have failed 802.1X authentication.
RELATED DOCUMENTATION
Output Fields
Table 50 on page 1447 lists the output fields for the show dot1x authentication-failed-users command.
Output fields are listed in the approximate order in which they appear.
Field Name      Field Description                                                                            Level of Output
MAC address     The MAC address configured statically on the interface.                                      all
User            The user that is configured on the RADIUS server and that has failed 802.1X authentication.  all
Failure Count   The number of times that 802.1X authentication has failed on the interface.                  all
Sample Output
show dot1x authentication-failed-users
user@switch> show dot1x authentication-failed-users
Release Information
Command introduced in Junos OS Release 9.5 for EX Series switches.
Command introduced in Junos OS Release 14.2 for MX240, MX480, and MX960 routers in enhanced LAN
mode.
Description
Display information about the firewall filters for each user or nonresponsive host that is authenticated on
each 802.1X-enabled interface that is configured for multiple supplicants. For example, if the firewall filter
is configured with a term for counters, the command shows the count for each user.
Options
none—Display information for all interfaces.
RELATED DOCUMENTATION
Output Fields
Output fields include any action modifier that is specified in firewall filters.
Sample Output
show dot1x firewall (Showing counter action)
Filter: dot1x-filter-ge-0/0/3
Counters
counter1_dot1x_ge-0/0/3_user1 342
counter1_dot1x_ge-0/0/3_user2 857
Filter: dot1x_ge-0/0/0
Counters
p1-t1 494946
Release Information
Command introduced in Junos OS Release 9.0 for EX Series switches.
Command introduced in Junos OS Release 14.1X53-D30 for the QFX Series.
Command introduced in Junos OS Release 14.2 for MX240, MX480, and MX960 routers in enhanced LAN
mode.
Description
Display all the static MAC addresses that are configured to bypass 802.1X authentication on the switch.
Options
none—Display static MAC addresses for all interfaces.
RELATED DOCUMENTATION
Output Fields
Table 51 on page 1452 lists the output fields for the show dot1x static-mac-address command. Output fields are listed in the approximate order in which they appear.
MAC address: The MAC address of the device that is configured to bypass 802.1X authentication. (Level of output: all)
VLAN-Assignment: The name of the VLAN to which the device is assigned. (Level of output: all)
Interface: The name of the interface on which authentication is bypassed for a given MAC address. (Level of output: all)
Sample Output
show dot1x static-mac-address
user@switch> show dot1x static-mac-address
Release Information
Command introduced in Junos OS Release 9.0 for EX Series switches.
Description
Display the number of EAPOL messages transmitted or received on all interfaces or specific interfaces.
Options
none—Displays statistical information for all interfaces.
RELATED DOCUMENTATION
Output Fields
Table 49 on page 1445 lists the output fields for the show dot1x statistics command. Output fields are listed in the approximate order in which they appear.
TxReq: The number of transmitted EAP-Request frames that were not EAP-Request/Identity.
RxResp: The number of EAP-Response messages received that were not EAP-Response/Identity.
CoA-Request: The number of Change of Authorization (CoA) Request messages received on the interface.
RxLenErr: The number of EAPOL messages with incorrect length received on the interface.
LastRxVersion: The version number of the last EAPOL message received on the interface.
LastRxSrcMac: The source MAC address in the last EAPOL message received on the interface.
Sample Output
show dot1x statistics interface
user@host> show dot1x statistics interface ge-0/0/0
Interface: ge-0/0/0.0
TxReqId = 4 TxReq = 0 TxTotal = 4
Release Information
Command introduced in Junos OS Release 12.3R2.
Command introduced in Junos OS Release 12.3R2 for EX Series switches.
Command introduced in Junos OS Release 13.2x51 for QFX Series switches.
Description
Display Layer 2 learning information for all the interfaces.
Options
none—Display Ethernet-switching information for all interfaces.
RELATED DOCUMENTATION
Output Fields
Table 53 on page 1456 describes the output fields for the show ethernet-switching interface command. Output fields are listed in the approximate order in which they appear.
MAC limit: Number of MAC addresses that can be associated with the interface.
Logical interface flags: Status of Layer 2 learning properties for each interface:
Sample Output
show ethernet-switching interface (Specific Interface)
user@host> show ethernet-switching interface ae10.0
[...output truncated...]
Release Information
Command introduced in Junos OS Release 9.0 for EX Series switches.
In Junos OS Release 9.6 for EX Series switches, the following updates were made:
• Blocking field output was updated.
• The default view was updated to include information about 802.1Q tags.
Description
Display information about switched Ethernet interfaces.
Options
none—(Optional) Display brief information for Ethernet-switching interfaces.
RELATED DOCUMENTATION
Output Fields
For QFX Series, QFabric, NFX Series, EX4600 and OCX1100:
Table 54 on page 1461 lists the output fields for the show ethernet-switching interfaces command on QFX Series, QFabric, NFX Series, EX4600 and OCX1100. Output fields are listed in the approximate order in which they appear.
untagged | tagged: Specifies whether the interface forwards IEEE 802.1Q-tagged or untagged traffic. (Level of output: detail)
Table 55 on page 1462 lists the output fields for the show ethernet-switching interfaces command on EX Series switches. Output fields are listed in the approximate order in which they appear.
State: Interface state. Values are up and down. (Level of output: none, brief, detail)
Port mode: The access mode is the port mode default and works with a single VLAN. Port mode can also be trunk, which accepts tagged packets from multiple VLANs on other switches. The third port mode value is tagged-access, which accepts tagged packets from access devices. (Level of output: detail)
Reflective Relay Status: Reflective relay allows packets to use the same interface for both upstream and downstream traffic. When reflective relay has been configured, the status displayed is always enabled. When reflective relay is not configured, this entry does not appear in the command output. (Level of output: detail)
Ether type for the interface: Ether type is a two-octet field in an Ethernet frame used to indicate which protocol is encapsulated in the payload of an incoming Ethernet packet. Both 802.1Q packets and Q-in-Q packets use this field. The output displayed for this particular field indicates the interface’s Ether type, which is used to match the Ether type of incoming 802.1Q packets and Q-in-Q packets. The indicated Ether type field is also added to the interface’s outgoing 802.1Q and Q-in-Q packets. (Level of output: detail)
VLAN membership: Names of VLANs that belong to this interface. (Level of output: none, brief, detail)
Tagging: Specifies whether the interface forwards 802.1Q tagged or untagged traffic. (Level of output: none, brief, detail)
mapping: When mapping is configured, the status is one of the following C-VLAN to S-VLAN mapping types: (Level of output: detail)
Sample Output for QFX Series Switches, QFabric, NFX Series, EX4600 and OCX1100
show ethernet-switching interfaces
user@switch> show ethernet-switching interfaces
xe-0/0/0.0
xe-0/0/1.0
xe-0/0/2.0
xe-0/0/3.0
xe-0/0/8.0
xe-0/0/10.0
xe-0/0/11.0
show firewall
<filter filter-name>
<counter counter-name>
<log>
<prefix-action-stats>
<terse>
Release Information
Command introduced before Junos OS Release 10.0.
Description
Display statistics about configured firewall filters.
Options
none—Display statistics about configured firewall filters.
RELATED DOCUMENTATION
firewall | 770
Output Fields
Table 56 on page 1471 lists the output fields for the show firewall command. Output fields are listed in the approximate order in which they appear.
Filter: Name of a filter that has been configured with the filter statement at the [edit firewall] hierarchy level. When an interface-specific filter is displayed, the name of the filter is followed by the full interface name and by either -i for an input filter or -o for an output filter. When dynamic filters are displayed, the name of the filter is followed by the full interface name and by either -in for an input filter or -out for an output filter. When a logical system–specific filter is displayed, the name of the filter is prefixed with two underscore (__) characters and the name of the logical system (for example, __ls1/filter1).
• Name—Name of a filter counter that has been configured with the counter firewall filter action.
• Bytes—Number of bytes that match the filter term under which the counter action is specified.
• Packets—Number of packets that matched the filter term under which the counter action is specified.
• Name—Name of policer.
• Bytes—Number of bytes that match the filter term under which the policer action is specified. This is only the number of out-of-specification (out-of-spec) bytes, not all the bytes in all packets policed by the policer.
• Packets—Number of packets that matched the filter term under which the policer action is specified. This is only the number of out-of-specification (out-of-spec) packets, not all packets policed by the policer.
Sample Output
show firewall
user@host> show firewall
Filter: ef_path
Counters:
Name Bytes Packets
def-count 0 0
video-count 0 0
voice-count 0 0
Filter: __default_bpdu_filter__
Filter: deep
Counters:
Name Bytes Packets
deep2 302076 5031
Filter: deep-flood
Counters:
Name Bytes Packets
deep_flood_def 302136 5032
deep1 0 0
Policers:
Name Packets
deep-pol-op-first 0
show lldp
Syntax
show lldp
<detail>
Release Information
Command introduced in Junos OS Release 9.0 for EX Series switches.
Command introduced in Junos OS Release 11.1 for the QFX Series.
Command introduced in Junos OS Release 14.1X53-D20 for OCX Series switches.
Description
Display information about Link Layer Discovery Protocol (LLDP) and Link Level Discovery Protocol–Media
Endpoint Discovery (LLDP-MED) configuration and capabilities on the switch. LLDP and LLDP-MED are
used to learn about and to distribute device information on network links.
Options
none—Display LLDP information for all interfaces.
RELATED DOCUMENTATION
Output Fields
Table 57 on page 1474 lists the output fields for the show lldp command. Output fields are listed in the approximate order in which they appear.
LLDP: LLDP operating state. The state can be enabled or disabled. (Level of output: All levels)
Advertisement interval: Frequency, in seconds, at which LLDP advertisements are sent. This value is set by the advertisement-interval configuration statement. (Level of output: All levels)
Transmit delay: Seconds of delay before advertisements are sent to neighbors following a change to a TLV (type, length, or value) element in the LLDP protocol or to the state of the local system, such as a change in hostname or management address. You can set this value to reduce the delay in notifying neighbors of a change in the local system. (Level of output: All levels)
Hold timer: On EX4300 switches, the hold timer shows the length of time LLDP information is held before it is discarded. The hold timer value is equal to the advertisement interval multiplied by the hold multiplier. On all other switches, the hold timer shows the value of the hold multiplier. (Level of output: All levels)
Notification interval: How often LLDP trap notifications are generated as a result of LLDP database changes. If the interval value is 0, LLDP trap notifications on database changes are disabled. (Level of output: All levels)
Config Trap Interval: How often LLDP trap notifications are generated as a result of changes in topology, for example, when an endpoint connects or disconnects. If the interval value is 0, LLDP trap notifications on topology changes are disabled. (Level of output: All levels)
Connection Hold timer: Amount of time the system maintains dynamic topology entries. This value is set by the ptopo-configuration-maximum-hold-time configuration statement. (Level of output: All levels)
LLDP-MED: LLDP-MED operating state. The state can be Enabled or Disabled. (Level of output: All levels)
MED fast start count: Number of advertisements sent from a switch to a device, such as a VoIP telephone, when the device is first detected by the switch. These increased advertisements are temporary. After a device and a switch exchange information and can communicate, advertisements are reduced to one per second. (Level of output: All levels)
Interface: Name of the interface for which LLDP configuration information is being reported. (Level of output: All levels)
Parent Interface: Name of the aggregated Ethernet interface, if any, to which the interface belongs. (Level of output: All levels)
LLDP: LLDP operating state. The state can be Enabled or Disabled. (Level of output: All levels)
Power Negotiation: LLDP power negotiation operating state. The state can be Enabled or Disabled. (Level of output: All levels)
Neighbor count: Total number of new LLDP neighbors detected since the last switch reboot. (Level of output: detail)
Interface: Name of the interface that is advertising VLAN information. (Level of output: All levels)
Vlan-id: VLAN tag associated with the interface sending LLDP frames. If the interface is not a member of a VLAN, the VLAN ID is advertised as 0. (Level of output: detail)
Sample Output
show lldp (EX3200 switches)
user@switch> show lldp
LLDP : Enabled
Advertisement interval : 30 seconds
Transmit delay : 2 seconds
Hold timer : 4 seconds
Notification interval : 0 Second(s)
Config Trap Interval : 0 seconds
Connection Hold timer : 300 seconds
LLDP : Enabled
Advertisement interval : 30 seconds
Transmit delay : 2 seconds
Hold timer : 120 seconds
Notification interval : 0 Second(s)
Config Trap Interval : 0 seconds
Connection Hold timer : 300 seconds
LLDP : Enabled
Advertisement interval : 30 seconds
Transmit delay : 2 seconds
Hold timer : 120 seconds
Notification interval : 0 Second(s)
Config Trap Interval : 0 seconds
Connection Hold timer : 300 seconds
LLDP : Enabled
Advertisement interval : 30 seconds
Transmit delay : 2 seconds
Hold timer : 120 seconds
Notification interval : 5 Second(s)
Config Trap Interval : 0 seconds
Connection Hold timer : 300 seconds
count
all - - Enabled - 5
Release Information
Command introduced in Junos OS Release 9.0 for EX Series switches.
Command introduced in Junos OS Release 14.1X53-D20 for OCX Series switches.
Command introduced in Junos OS Release 11.1 for the QFX Series.
Description
Display the information that the switch provides in Link Layer Discovery Protocol (LLDP) advertisements
to its neighbors.
RELATED DOCUMENTATION
Output Fields
Table 58 on page 1481 lists the output fields for the show lldp local-information command. Output fields are listed in the approximate order in which they appear.
Management Information: Details of the management information: Port Name, Port Address (such as 10.204.34.35), Address Type (such as ipv4 or ipv6), Port ID (SNMP interface index), Port ID Subtype, and Port Subtype.
Interface name: Name of the local interface which is configured for either LLDP or LLDP-MED.
Parent Interface: Name of the aggregated Ethernet interface, if any, to which the local interface belongs.
Sample Output
show lldp local-information (EX Series Switch)
user@switch> show lldp local-information
Chassis ID : 00:1d:b5:aa:b9:f0
System Capabilities
Supported : Bridge Router
Enabled : Bridge Router
Management Information
Port Name : -
Port Address : 10.93.54.6
Address Type : IPv4
Port ID : 34
Port ID Subtype : local(7)
Port Subtype : ifIndex(2)
Interface name Parent Interface SNMP Index Interface description Status Tunneling
me0.0 - 34 - Down Disabled
xe-3/0/0.0 ae31.0 769 xe-3/0/0.0 Up Disabled
xe-3/0/1.0 ae31.0 770 xe-3/0/1.0 Up Disabled
xe-3/0/2.0 ae31.0 771 xe-3/0/2.0 Up Disabled
xe-3/0/3.0 ae31.0 772 xe-3/0/3.0 Up Disabled
xe-3/0/4.0 ae31.0 577 xe-3/0/4.0 Up Disabled
xe-3/0/5.0 ae31.0 578 xe-3/0/5.0 Up Disabled
xe-3/0/6.0 ae31.0 579 xe-3/0/6.0 Up Disabled
xe-3/0/7.0 ae31.0 581 xe-3/0/7.0 Up Disabled
Release Information
Command introduced in Junos OS Release 14.1X53-D20 for OCX Series switches.
Command introduced in Junos OS Release 11.1 for the QFX Series.
Description
Display learned information about Link Layer Discovery Protocol (LLDP) on all neighboring interfaces or
on selected interfaces.
Options
none—Display learned LLDP information on all neighboring interfaces and devices.
interface interface-ids—(Optional) Display learned LLDP information on the selected interfaces or devices.
NOTE: When a port with DCBX enabled begins to exchange type, length, and value (TLV) entries,
optional LLDP TLVs on that port are not advertised to neighbors in order to interoperate with
a wider variety of converged network adapters (CNAs). As a result, information for those ports
will not be listed in the output for this command.
RELATED DOCUMENTATION
Output Fields
Table 59 on page 1485 lists the output fields for the show lldp neighbors command. Output fields are listed in the approximate order in which they appear.
Local Interface: List of local interfaces for which neighbor information is available.
Parent Interface: List of aggregated Ethernet interfaces, if any, to which the local interfaces belong.
Port info: List of port information gathered from neighbors. This could be the port identifier or port description.
LLDP Neighbor Information: Information about both the local system (the switch) and a neighbor system on the interface (appears when the interface option is used).
Local Information: Information about the local system (appears when the interface option is used).
Index: Local interface index (appears when the interface option is used).
Time to live: Number of seconds for which this information is valid (appears when the interface option is used).
Time mark: Date and timestamp of information (appears when the interface option is used).
Local Interface: Name of the local physical interface (appears when the interface option is used).
Parent Interface: Name of the aggregated Ethernet interface, if any, to which the interface belongs (appears when the interface option is used).
Local Port ID: Local interface SNMP index (appears when the interface option is used).
Ageout Count: Number of times the complete set of information advertised by the neighbor has been deleted from LLDP neighbor information maintained by the local system because the information timeliness interval has expired (appears when the interface option is used).
Neighbor Information: Information about a neighbor system on the interface (appears when the interface option is used).
Chassis type: Type of chassis identifier supplied, such as MAC address (appears when the interface option is used).
Chassis ID: Chassis identifier of the chassis type listed (appears when the interface option is used).
Port type: Type of port identifier supplied, such as locally assigned (appears when the interface option is used).
Port ID: Port identifier of the port type listed (appears when the interface option is used).
Port description: Port description (appears when the interface option is used).
System name: Name supplied by the system on the interface (appears when the interface option is used).
System Description: Description supplied by the system on the interface (appears when the interface option is used).
System capabilities: Capabilities (such as Bridge, Router, and Telephone) that are supported or enabled by the system on the interface (appears when the interface option is used).
Media Info: Additional details about the endpoint device appear when a device that supports LLDP-MED is attached to the interface. The specific details depend upon the capabilities of the device. Details might include Media endpoint class (such as Class 3 for communication devices such as IP phones), MED Hardware revision, MED Firmware revision, MED Software revision, MED Serial number, MED Manufacturer name, or MED Model name.
Age: How long the neighbor has been identified (appears when the interface option is used and NetBIOS snooping is enabled on the switch).
Local Interface: Name of the local physical interface (appears when the interface option is used and NetBIOS snooping is enabled on the switch).
Parent Interface: Name of the aggregated Ethernet interface, if any, to which the interface belongs (appears when the interface option is used and NetBIOS snooping is enabled on the switch).
Chassis ID: Chassis identifier of the chassis type listed (appears when the interface option is used and NetBIOS snooping is enabled on the switch).
Port description: Port description (appears when the interface option is used and NetBIOS snooping is enabled on the switch).
System name: NetBIOS name of the host (appears when the interface option is used and NetBIOS snooping is enabled on the switch).
Sample Output
show lldp neighbors
user@switch> show lldp neighbors
Neighbour Information:
Chassis type : Mac address
Chassis ID : 00:1f:12:38:7f:c0
Port type : Locally assigned
Port ID : 507
Port description : ge-0/0/2.0
System name : bng-l48p5-dev
System Description : Juniper Networks, Inc. ex4200-48p , version 10.4I0 Build date:
2010-11-30 09:32:17 UTC
System capabilities
Supported : Bridge Router
Enabled : Bridge Router
Management Info
Type : IPv4
Address : 10.204.96.235
Port ID : 34
Subtype : 1
Interface Subtype : ifIndex(2)
OID : 1.3.6.1.2.1.31.1.1.1.1.34
Media endpoint class: Network Connectivity
Organization Info
OUI : 0.12.f
Subtype : 1
Index : 1
Info : 22A8360000
Organization Info
OUI : 0.12.f
Subtype : 2
Index : 2
Info : 030100
Release Information
Command introduced in Junos OS Release 9.0 for EX Series switches.
Description
Display the information about neighboring devices learned by the switch by using the Link Layer Discovery
Protocol (LLDP).
NOTE: The Chassis ID TLV has a subtype for Network Address Family. The supported network
address families are IPv4 and IPv6. LLDP frames are validated only if the Network Address
subtype of the Chassis ID TLV has a value of 1 (IPv4) or 2 (IPv6). For any other value, the
transmitting device is detected by LLDP as a neighbor and displayed in the output of the show
lldp neighbors command, but is not assigned to the VLAN.
Options
interface interface—(Optional) Display LLDP neighbor information for a selected interface.
RELATED DOCUMENTATION
Output Fields
Table 59 on page 1485 lists the output fields for the show lldp neighbors command. Output fields are listed in the approximate order in which they appear.
Local Interface: List of local interfaces for which neighbor information is available.
Parent Interface: List of aggregated Ethernet interfaces, if any, to which the local interfaces belong.
Port info: This field displays the port information received from neighbors.
System name: List of system names gathered from neighbors. Includes the host name and the domain name.
LLDP Neighbor Information: Information about both the local system (the switch) and a neighbor system on the interface (appears when the interface option is used).
Local Information: Information about the local system (appears when the interface option is used).
Index: Local interface index (appears when the interface option is used).
Time to live: Number of seconds for which this information is valid (appears when the interface option is used).
Time mark: Date and timestamp of information (appears when the interface option is used).
Local Interface: Name of the local physical interface (appears when the interface option is used).
Parent Interface: Name of the aggregated Ethernet interface, if any, to which the interface belongs (appears when the interface option is used).
Local Port ID: Local interface SNMP index (appears when the interface option is used).
Ageout Count: Number of times the complete set of information advertised by the neighbor has been deleted from LLDP neighbor information maintained by the local system because the information timeliness interval expired (appears when the interface option is used).
Neighbor Information: Information about a neighbor system on the interface (appears when the interface option is used).
Chassis type: Type of chassis identifier supplied, such as Mac address (appears when the interface option is used).
Chassis ID: Chassis identifier of the chassis type listed (appears when the interface option is used).
Port type: Type of port identifier supplied, such as Locally assigned (appears when the interface option is used).
Port ID: Port identifier of the port type listed (appears when the interface option is used).
Port description: The port description field uses the configured port description, the port name or the SNMP ifIndex (appears when the interface option is used).
System name: Name supplied by the system on the interface (appears when the interface option is used).
System Description: Description supplied by the system on the interface (appears when the interface option is used).
System capabilities: Capabilities (such as Bridge, Bridge Router, and Bridge Telephone) that are supported or enabled by the system on the interface (appears when the interface option is used).
Media Info: Additional details about the endpoint device appear when a device that supports LLDP-MED is attached to the interface. The specific details depend upon the capabilities of the device. Details might include: Media endpoint class (such as Class 3 for communication devices such as IP phones), MED Hardware revision, MED Firmware revision, MED Software revision, MED Serial number, MED Manufacturer name, MED Model name.
Organization Info: One or more entries (indexed by the Index element) listing more remote interface information by organizationally unique identifier (OUI), Subtype, and Info (appears when the interface option is used).
Age: How long the neighbor has been identified (appears when the interface option is used and NetBIOS snooping is enabled on the switch).
Local Interface: Name of the local physical interface (appears when the interface option is used and NetBIOS snooping is enabled on the switch).
Parent Interface: Name of the aggregated Ethernet interface, if any, to which the interface belongs (appears when the interface option is used and NetBIOS snooping is enabled on the switch).
Chassis ID: Chassis identifier of the chassis type listed (appears when the interface option is used and NetBIOS snooping is enabled on the switch).
Sample Output
show lldp neighbors
user@switch> show lldp neighbors
Neighbour Information:
Chassis type : Mac address
Chassis ID : 88:e0:f3:1f:14:e0
Port type : Locally assigned
Port ID : 880
Port description : ge-0/0/8
System name : bng-nw6moj.juniper.net
System capabilities
Supported: Bridge Router
Enabled : Bridge Router
Management address
Address Type : IPv4(1)
Address : 10.204.39.232
Interface Number : 33
Interface Subtype : ifIndex(2)
OID : 1.3.6.1.2.1.31.1.1.1.1.33.
Media endpoint class: Network Connectivity
Organization Info
OUI : IEEE 802.3 Private (0x00120f)
Subtype : MAC/PHY Configuration/Status (1)
Info : Autonegotiation [supported, enabled (0x3)], PMD Autonegotiation
Organization Info
OUI : IEEE 802.3 Private (0x00120f)
Subtype : MDI Power (2)
Info : MDI Power Support [PSE bit set, supported, disabled, CONTROL bit
not set (0x3)], MDI Power Pair [signal], MDI Power Class [Unknown (7)]
Index : 2
Organization Info
OUI : IEEE 802.3 Private (0x00120f)
Subtype : Link Aggregation (3)
Info : Aggregation Status [supported, disabled (0x1)], Aggregation Port
ID (0)
Index : 3
Organization Info
OUI : IEEE 802.3 Private (0x00120f)
Subtype : Maximum Frame Size (4)
Info : MTU Size (1514)
Index : 4
Organization Info
OUI : Juniper Specific (0x009069)
Subtype : Chassis Serial Type (1)
Info : Juniper Slot Serial [MS3112240009]
Index : 5
show lldp neighbors interface ge-0/0/0.0 (for a VoIP Avaya Telephone with LLDP-MED Support)
user@switch> show lldp neighbors interface ge-0/0/0.0
Neighbour Information:
Chassis type : Network address
Chassis ID : 0.0.0.0
Port type : Mac address
Port ID : 00:04:0d:fc:55:48
System name : AVAFC5548.juniper.net
System capabilities
Supported : Bridge Telephone
Enabled : Bridge
Management Info
Type : IPv4
Address : 0.0.0.0
Port ID : 1
Subtype : 1
Interface Subtype : ifIndex(2)
OID : 1.3.6.1.2.1.31.1.1.1.1.1
Media endpoint class: Class III Device
Organization Info
OUI : IEEE 802.3 Private (0x00120f)
Subtype : MAC/PHY Configuration/Status (1)
Info : Autonegotiation [supported, enabled (0x3)], PMD Autonegotiation
Capability (0x1d00), MAU Type (0x0)
Index : 1
Organization Info
OUI : IEEE 802.3 Private (0x00120f)
Subtype : MDI Power (2)
Info : MDI Power Support [PSE bit set, supported, disabled, CONTROL bit
not set (0x3)], MDI Power Pair [signal], MDI Power Class [Unknown (7)]
Index : 2
Organization Info
OUI : IEEE 802.3 Private (0x00120f)
Subtype : Link Aggregation (3)
Info : Aggregation Status [supported, disabled (0x1)], Aggregation Port
ID (0)
Index : 3
Organization Info
OUI : IEEE 802.3 Private (0x00120f)
Subtype : Maximum Frame Size (4)
Info : MTU Size (1514)
Index : 4
Organization Info
OUI : Ethernet Bridged (0x0080c2)
Subtype : Port Vid (1)
Info : VLAN ID (10),
Index : 5
Organization Info
OUI : Juniper Specific (0x009069)
Subtype : Chassis Serial Type (1)
Info : Juniper Slot Serial [BQ0208211462]
Index : 6
Organization Info
OUI : Ethernet Bridged (0x0080c2)
Subtype : VLAN Name (3)
Info : VLAN ID (10), VLAN Name (vtest)
Index : 7
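The per-interface neighbour block above is easier to audit against an expected inventory (which endpoint class, which capabilities, which voice VLAN an access port's neighbour advertises) once it is parsed into fields. The following Python is an added example, not Juniper code: it parses a constructed, abridged copy of the Avaya telephone sample, re-joins the wrapped Info lines, keeps the management block's Port ID separate from the neighbour's Port ID, and exposes the enabled capabilities and the Port Vid VLAN.

```python
import re

# Constructed sample, abridged from the page's Avaya telephone output.
SAMPLE = """\
Neighbour Information:
Chassis type : Network address
Chassis ID : 0.0.0.0
Port type : Mac address
Port ID : 00:04:0d:fc:55:48
System name : AVAFC5548.juniper.net
System capabilities
Supported : Bridge Telephone
Enabled : Bridge
Management Info
Type : IPv4
Address : 0.0.0.0
Port ID : 1
Subtype : 1
Interface Subtype : ifIndex(2)
OID : 1.3.6.1.2.1.31.1.1.1.1.1
Media endpoint class: Class III Device
Organization Info
OUI : IEEE 802.3 Private (0x00120f)
Subtype : MAC/PHY Configuration/Status (1)
Info : Autonegotiation [supported, enabled (0x3)], PMD Autonegotiation
Capability (0x1d00), MAU Type (0x0)
Index : 1
Organization Info
OUI : Ethernet Bridged (0x0080c2)
Subtype : Port Vid (1)
Info : VLAN ID (10),
Index : 5
Organization Info
OUI : Ethernet Bridged (0x0080c2)
Subtype : VLAN Name (3)
Info : VLAN ID (10), VLAN Name (vtest)
Index : 7
"""

# Header lines that open a sub-block; they carry no "key : value" of their own.
SECTION_HEADERS = {"System capabilities", "Management Info", "Management address", "Organization Info"}
# "key : value" with the key limited to letters, spaces and "/" so that the colons in
# MAC addresses and OIDs on the value side are never mistaken for the separator.
KEY_VALUE = re.compile(r"^([A-Za-z][A-Za-z /]*?)\s*:\s*(.*)$")


def parse_lldp_neighbor(text):
    """Parse one neighbour block from 'show lldp neighbors interface <name>' into a dict.

    Top-level keys hold the chassis, port and system fields; 'capabilities',
    'management' and 'org_info' hold the sub-blocks. A line with no "key : value"
    is a wrapped continuation of the previous value and is re-joined onto it.
    """
    neighbor = {"capabilities": {}, "management": {}, "org_info": []}
    section = None
    last = None  # (dict, key) that received the previous value
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "Neighbour Information:":
            continue
        if line in SECTION_HEADERS:
            section = line
            if line == "Organization Info":
                neighbor["org_info"].append({})  # each organization TLV is its own entry
            continue
        m = KEY_VALUE.match(line)
        if m is None:
            if last is not None:
                target, key = last
                target[key] = target[key] + " " + line
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "Media endpoint class":
            section = None  # printed at top level, right after the management block
        if section == "System capabilities":
            target = neighbor["capabilities"]
        elif section in ("Management Info", "Management address"):
            target = neighbor["management"]
        elif section == "Organization Info":
            target = neighbor["org_info"][-1]
        else:
            target = neighbor
        target[key] = value
        last = (target, key)
    return neighbor


def enabled_capabilities(neighbor):
    """Capabilities the neighbour reports as enabled, e.g. {'Bridge'}."""
    return set(neighbor["capabilities"].get("Enabled", "").split())


def port_vlan_id(neighbor):
    """VLAN ID from the Port Vid TLV, or None if the neighbour did not advertise one."""
    for entry in neighbor["org_info"]:
        if entry.get("Subtype", "").startswith("Port Vid"):
            m = re.search(r"VLAN ID \((\d+)\)", entry.get("Info", ""))
            if m:
                return int(m.group(1))
    return None


if __name__ == "__main__":
    n = parse_lldp_neighbor(SAMPLE)
    print(n["System name"], n["Media endpoint class"], sorted(enabled_capabilities(n)), port_vlan_id(n))
```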
show lldp neighbors interface ge-0/0/5.0 (with NetBIOS Snooping Enabled on the Switch)
user@switch> show lldp neighbors interface ge-0/0/5
Release Information
Command introduced in Junos OS Release 10.0 for EX Series switches.
Description
Display remote Link Layer Discovery Protocol (LLDP) global statistics.
Options
This command has no options.
RELATED DOCUMENTATION
Output Fields
Table 61 on page 1498 describes the output fields for the show lldp remote-global-statistics command. Output fields are listed in the approximate order in which they appear.
LastchangeTime: Time elapsed between LLDP agent startup and the last change to the remote database table information.
Drops: Number of LLDP frames dropped from the remote database table because of errors.
Ageouts: Number of remote database table entries that have aged out of the table.
Sample Output
show lldp remote-global-statistics
user@host> show lldp remote-global-statistics
Release Information
Command introduced in Junos OS Release 11.1 for the QFX Series.
Command introduced in Junos OS Release 14.1X53-D20 for OCX Series switches.
Description
Display LLDP statistics on all or selected interfaces.
Options
none—Display LLDP statistics on all interfaces and devices.
RELATED DOCUMENTATION
Output Fields
Table 62 on page 1500 lists the output fields for the show lldp statistics command. Output fields are listed in the approximate order in which they appear.
With Errors: Number of LLDP frames received that contain errors. (Level of output: All levels)
Discarded TLVs: Number of LLDP TLVs received and then discarded on an interface. (Level of output: All levels)
Untransmitted: Total number of LLDP frames not transmitted on an interface. (Level of output: All levels)
Sample Output
show lldp statistics
Release Information
Command introduced in Junos OS Release 9.0 for EX Series switches.
Description
Display LLDP statistics for all interfaces or for the specified interface.
Options
none—Display LLDP statistics for all interfaces.
RELATED DOCUMENTATION
Output Fields
Table 62 on page 1500 lists the output fields for the show lldp statistics command. Output fields are listed in the approximate order in which they appear.
Parent Interface: Name of the aggregated Ethernet interface, if any, to which the interface belongs.
Sample Output
show lldp statistics
user@switch> show lldp statistics
Release Information
Command introduced in Junos OS Release 9.0 for EX Series switches.
Command introduced in Junos OS Release 11.1 for QFX Series switches.
Description
Display authentication, authorization, and accounting (AAA) accounting statistics.
RELATED DOCUMENTATION
accounting-server | 1052
accounting-stop-on-access-deny
Configuring 802.1X RADIUS Accounting (CLI Procedure) | 403
Output Fields
Table 64 on page 1505 lists the output fields for the show network-access aaa statistics accounting command. Output fields are listed in the approximate order in which they appear.
Requests received: The number of accounting-request packets sent from a switch to a RADIUS accounting server.
Accounting Response failures: The number of accounting-response failure packets sent from the RADIUS accounting server to the switch.
Accounting Response Success: The number of accounting-response success packets sent from the RADIUS accounting server to the switch.
Requests timedout: The number of requests-timedout packets sent from the RADIUS accounting server to the switch.
Sample Output
show network-access aaa statistics accounting
user@switch> show network-access aaa statistics accounting
Release Information
Command introduced in Junos OS Release 9.0 for EX Series switches.
Command introduced in Junos OS Release 11.1 for QFX Series switches.
Description
Display authentication, authorization, and accounting (AAA) authentication statistics.
RELATED DOCUMENTATION
authentication-server
Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch | 365
Output Fields
Table 65 on page 1507 lists the output fields for the show network-access aaa statistics authentication
command. Output fields are listed in the approximate order in which they appear.
Sample Output
show network-access aaa statistics authentication
user@switch> show network-access aaa statistics authentication
Release Information
Command introduced in Junos OS Release 9.0 for EX Series switches.
Command introduced in Junos OS Release 11.1 for QFX Series switches.
Description
Display authentication, authorization, and accounting (AAA) authentication statistics for disconnects.
RELATED DOCUMENTATION
authentication-server
Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch | 365
Output Fields
Table 66 on page 1509 lists the output fields for the show network-access aaa statistics dynamic-requests command. Output fields are listed in the approximate order in which they appear.
Requests received: The number of dynamic requests received by the RADIUS server.
Processed successfully: The number of dynamic requests successfully processed by the RADIUS server.
Errors during processing: The number of errors that occurred while the RADIUS server was processing the dynamic request.
Sample Output
show network-access aaa statistics dynamic-requests
user@switch> show network-access aaa statistics dynamic-requests
Release Information
Command introduced in Junos OS Release 19.1R1.
Description
Display the state and statistics of local certificate acquisition. RADSEC uses local certificates dynamically
acquired from the public key infrastructure to establish a TLS connection.
If a certificate is not available, or if it was revoked, the RADSEC client will try to retrieve it every 300
seconds. Response timeout is 10 seconds, and failures are retried in 10 seconds.
Options
state—Display the state of acquisition for the local certificate.
RELATED DOCUMENTATION
Output Fields
Table 67 on page 1512 lists the output fields for the show network-access local-certificate command. Output
fields are listed in the approximate order in which they appear.
Local certificate state (Level: all): State of acquisition for the local certificate.
Local certificate general counters (Level: all): Statistics for RADSEC local certificate acquisition.
NOTE: Default output level will list only non-zero counters. Use detail or extensive to view all counters.
Sample Output
show network-access radsec local-certificate state
user@host> show network-access radsec local-certificate state
Sample Output
show network-access radsec local-certificate statistics
user@host> show network-access radsec local-certificate statistics
Sample Output
show network-access radsec local-certificate statistics detail
user@host> show network-access radsec local-certificate statistics detail
Release Information
Command introduced in Junos OS Release 19.1R1.
Description
Display the connection statistics for the RADSEC destinations.
Options
brief | detail | extensive—(Optional) Display the specified level of output. The default is brief, which will
list only non-zero counters.
destination destination-id—(Optional) Display detailed information about the request specified by this
RADSEC destination.
RELATED DOCUMENTATION
Output Fields
Table 68 on page 1515 lists the output fields for the show network-access radsec statistics command. Output
fields are listed in the approximate order in which they appear.
Radsec general counters (Level: all): Statistics for RADSEC syslog event counters.
Sample Output
show network-access radsec statistics
user@host> show network-access radsec statistics
destination 895
start-events 1
clear-events 1
timeout-events 1
loc-cert-acq-events 1
connected-events 1
ssl-ready-events 1
Sample Output
show network-access radsec statistics detail
user@host> show network-access radsec statistics detail
destination 895
start-events 1
clear-events 1
force-disconnect-events 0
timeout-events 1
loc-cert-acq-events 1
loc-cert-lost-events 0
connected-events 1
conn-failed-events 0
ssl-disconnected-events 0
ssl-ready-events 1
in-auth-reqs 0
in-acct-reqs 0
in-dyn-req-resps 0
tx-auth-reqs 0
tx-acct-reqs 0
tx-wd-reqs 9
tx-late-auth-reqs 0
tx-late-acct-reqs 0
tx-dyn-req-resps 0
rx-auth-resps 0
rx-acct-resps 0
rx-dyn-reqs 0
rx-dyn-req-naks 0
rx-dyn-req-drops 0
rx-wd-resps 9
rx-resps 0
rx-late-resps 0
rx-other-drops 0
resp-disconnect-drops 0
id-disconnect-drops 0
id-timeout-drops 0
tx-req-no-acct-supports 0
tx-req-dest-downs 0
tx-req-overflows 0
tx-req-disconnects 0
tx-req-bad-responses 0
tx-req-id-reuse-timeouts 0
tx-resp-dest-downs 0
tx-wd-reqs 9
rx-wd-resps 9
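The detail output above is a flat list of counters per destination, so a small parser is enough to turn it into something a monitoring job can evaluate. The following is an added example (Python, not Juniper code): it parses constructed output in this layout, groups the counters by destination, flags the connection-failure, disconnect and drop counters that are non-zero, and reports watchdog requests that went unanswered; which counter names count as failure indicators is an assumption made here from their names.

```python
"""Parse 'show network-access radsec statistics detail' output and flag
counters that point at a RADSEC transport problem.

Added example, not Juniper code. Counter names are those in the sample
output; treating the ones matched by FAILURE_MARKERS as failure indicators
is an assumption based on their names.
"""
import re

# Constructed sample in the layout of the detail output: two destinations,
# the second one with several non-zero failure counters.
SAMPLE = """\
destination 895
start-events             1
clear-events             1
force-disconnect-events  0
timeout-events           1
loc-cert-acq-events      1
loc-cert-lost-events     0
connected-events         1
conn-failed-events       0
ssl-disconnected-events  0
ssl-ready-events         1
tx-wd-reqs               9
rx-wd-resps              9
tx-req-bad-responses     0
destination 896
start-events             4
clear-events             4
force-disconnect-events  0
timeout-events           3
loc-cert-acq-events      1
loc-cert-lost-events     0
connected-events         4
conn-failed-events       3
ssl-disconnected-events  2
ssl-ready-events         1
tx-wd-reqs               12
rx-wd-resps              7
tx-req-bad-responses     1
"""

# One counter per line: a name made of letters, digits and hyphens, then an integer.
COUNTER_RE = re.compile(r"^\s*([A-Za-z][\w-]*)\s+(\d+)\s*$")

# Substrings of counter names that, when the value is non-zero, deserve a look.
FAILURE_MARKERS = ("failed", "lost", "disconnect", "drops",
                   "bad-responses", "dest-downs", "overflows")


def parse_radsec_stats(text):
    """Return {destination_id: {counter_name: value}}.

    Works for brief output too: the default level prints only non-zero
    counters, so missing names simply stay absent from the dict.
    """
    stats, current = {}, None
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), int(m.group(2))
        if name == "destination":
            current = value
            stats[current] = {}
        elif current is not None:
            stats[current][name] = value
    return stats


def radsec_findings(stats):
    """Return a list of (destination_id, message) for counters worth attention."""
    findings = []
    for dest, counters in sorted(stats.items()):
        for name, value in counters.items():
            if value and any(marker in name for marker in FAILURE_MARKERS):
                findings.append((dest, f"{name}={value}"))
        # Every watchdog request should be answered; a shortfall means the
        # server stopped responding on an otherwise open TLS connection.
        tx = counters.get("tx-wd-reqs", 0)
        rx = counters.get("rx-wd-resps", 0)
        if tx > rx:
            findings.append((dest, f"unanswered watchdog requests: {tx - rx}"))
    return findings


if __name__ == "__main__":
    for dest, message in radsec_findings(parse_radsec_stats(SAMPLE)):
        print(f"destination {dest}: {message}")
```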
Release Information
Command introduced in Junos OS Release 19.1R1.
Description
Display the connection state of RADSEC destinations.
Options
destination destination-id—(Optional) Display detailed information about the request specified by this
RADSEC destination.
RELATED DOCUMENTATION
Output Fields
Table 69 on page 1517 lists the output fields for the show network-access radsec state command. Output fields
are listed in the approximate order in which they appear.
remaining-secs (Level: all): Length of time in seconds remaining for the current state.
pause-reason (Level: all): The reason for restarting the connection, which triggers the pause state. The pause reason determines the length of the pause until reattempting the connection.
Sample Output
show network-access radsec state
user@host> show network-access radsec state
Radsec state:
destination 895
state open
secs-in-state 66
remaining-secs 4294967295
pause-reason none
acct-support Y
remote-failures 0
tx-requests 0
tx-responses 0
Syntax
Release Information
Command introduced before Junos OS Release 7.4.
Command introduced in Junos OS Release 9.0 for EX Series switches.
DeletePending flag added to the command output in Junos OS Release 19.4R1.
Description
Display extensive information about the active entries in the routing tables.
Options
none—Display all active entries in the routing table.
destination-prefix—(Optional) Display active entries for the specified address or range of addresses.
show route label detail (Multipoint LDP Inband Signaling for Point-to-Multipoint LSPs) on page 1543
show route label detail (Multipoint LDP with Multicast-Only Fast Reroute) on page 1543
show route extensive (Flexible VXLAN Tunnel Profile) on page 1544
Output Fields
Table 70 on page 1521 describes the output fields for the show route extensive command. Output fields
are listed in the approximate order in which they appear.
number destinations Number of destinations for which there are routes in the routing table.
number routes Number of routes in the routing table and total number of routes in the following states:
route-destination (entry, announced) Route destination (for example: 10.0.0.1/24). The entry value is the number of routes for this
destination, and the announced value is the number of routes being announced for this
destination. Sometimes the route destination is presented in another format, such as:
label stacking (Next-to-the-last-hop routing device for MPLS only) Depth of the MPLS label stack, where
the label-popping operation is needed to remove one or more labels from the top of the stack.
A pair of routes is displayed, because the pop operation is performed only when the stack
depth is two or more labels.
• S=0 route indicates that a packet with an incoming label stack depth of two or more exits
this router with one fewer label (the label-popping operation is performed).
• If there is no S= information, the route is a normal MPLS route, which has a stack depth of
1 (the label-popping operation is not performed).
[protocol, preference] Protocol from which the route was learned and the preference value for the route.
• +—A plus sign indicates the active route, which is the route installed from the routing table
into the forwarding table.
• - —A hyphen indicates the last active route.
• *—An asterisk indicates that the route is both the active and the last active route. An asterisk
before a to line indicates the best subpath to the route.
In every routing metric except for the BGP LocalPref attribute, a lesser value is preferred. In
order to use common comparison routines, Junos OS stores the 1's complement of the LocalPref
value in the Preference2 field. For example, if the LocalPref value for Route 1 is 100, the
Preference2 value is -101. If the LocalPref value for Route 2 is 155, the Preference2 value is
-156. Route 2 is preferred because it has a higher LocalPref value and a lower Preference2
value.
Level (IS-IS only). In IS-IS, a single autonomous system (AS) can be divided into smaller groups called
areas. Routing between areas is organized hierarchically, allowing a domain to be
administratively divided into smaller areas. This organization is accomplished by configuring
Level 1 and Level 2 intermediate systems. Level 1 systems route within an area. When the
destination is outside an area, they route toward a Level 2 system. Level 2 intermediate systems
route between areas and toward other ASs.
Next-hop type Type of next hop. For a description of possible values for this field, see the Output Field table
in the show route detail command.
Flood nexthop branches exceed maximum message Indicates that the number of flood next-hop branches exceeded the system limit of 32 branches,
and only a subset of the flood next-hop branches were installed in the kernel.
Next hop Network layer address of the directly reachable neighboring system.
via Interface used to reach the next hop. If there is more than one interface available to the next
hop, the name of the interface that is actually used is followed by the word Selected. This
field can also contain the following information:
• Weight—Value used to distinguish primary, secondary, and fast reroute backup routes.
Weight information is available when MPLS label-switched path (LSP) link protection,
node-link protection, or fast reroute is enabled, or when the standby state is enabled for
secondary paths. A lower weight value is preferred. Among routes with the same weight
value, load balancing is possible.
• Balance—Balance coefficient indicating how traffic of unequal cost is distributed among
next hops when a routing device is performing unequal-cost load balancing. This information
is available when you enable BGP multipath load balancing.
Label operation MPLS label and operation occurring at this routing device. The operation can be pop (where
a label is removed from the top of the stack), push (where another label is added to the label
stack), or swap (where a label is replaced by another label).
Offset Whether the metric has been increased or decreased by an offset value.
Protocol next hop Network layer address of the remote routing device that advertised the prefix. This address
is used to recursively derive a forwarding next hop.
label-operation MPLS label and operation occurring at this routing device. The operation can be pop (where
a label is removed from the top of the stack), push (where another label is added to the label
stack), or swap (where a label is replaced by another label).
Indirect next hops When present, a list of nodes that are used to resolve the path to the next-hop destination,
in the order that they are resolved.
When BGP PIC Edge is enabled, the output lines that contain Indirect next hop: weight follow
next hops that the software can use to repair paths where a link failure occurs. The next-hop
weight has one of the following values:
State State of the route (a route can be in more than one state). See the Output Field table in the
show route detail command.
Session ID The BFD session ID number that represents the protection using MPLS fast reroute (FRR) and
loop-free alternate (LFA).
Weight Weight for the backup path. If the weight of an indirect next hop is larger than zero, the weight
value is shown.
Inactive reason If the route is inactive, the reason for its current state is indicated. Typical reasons include:
Metric Cost value of the indicated route. For routes within an AS, the cost is determined by IGP and
the individual protocol metrics. For external routes, destinations, or routing domains, the cost
is determined by a preference value.
MED-plus-IGP Metric value for BGP path selection to which the IGP cost to the next-hop destination has
been added.
TTL-Action For MPLS LSPs, state of the TTL propagation attribute. Can be enabled or disabled for all
RSVP-signaled and LDP-signaled LSPs or for specific VRF routing instances.
Announcement bits List of protocols that are consumers of the route. Using the following output as an example,
Announcement bits (3): 0-KRT 5-Resolve tree 2 8-BGP RT Background there are (3)
announcement bits to reflect the three clients (protocols) that have state for this route: Kernel
(0-KRT), 5 (resolution tree process 2), and 8 (BGP).
The notation n-Resolve inet indicates that the route is used for route resolution for next hops
found in the routing table. n is an index used by Juniper Networks customer support only.
AS path AS path through which the route was learned. The letters at the end of the AS path indicate
the path origin, providing an indication of the state of the route at the point at which the AS
path originated:
• I—IGP.
• E—EGP.
• Recorded—The AS path is recorded by the sample process (sampled).
• ?—Incomplete; typically, the AS path was aggregated.
When AS path numbers are included in the route, the format is as follows:
• [ ]—Brackets enclose the local AS number associated with the AS path if more than one AS
number is configured on the routing device, or if AS path prepending is configured.
• { }—Braces enclose AS sets, which are groups of AS numbers in which the order does not
matter. A set commonly results from route aggregation. The numbers in each AS set are
displayed in ascending order.
• ( )—Parentheses enclose a confederation.
• ( [ ] )—Parentheses and brackets enclose a confederation set.
NOTE: In Junos OS Release 10.3 and later, the AS path field displays an unrecognized attribute
and associated hexadecimal value if BGP receives attribute 128 (attribute set) and you have
not configured an independent domain in any routing instance.
• Invalid—Indicates that the prefix is found, but either the corresponding AS received from
the EBGP peer is not the AS that appears in the database, or the prefix length in the BGP
update message is longer than the maximum length permitted in the database.
• Unknown—Indicates that the prefix is not among the prefixes or prefix ranges in the database.
• Unverified—Indicates that origin validation is not enabled for the BGP peers.
• Valid—Indicates that the prefix and autonomous system pair are found in the database.
FECs bound to route Point-to-multipoint root address, multicast source address, and multicast group address when
multipoint LDP (M-LDP) inband signaling is configured.
AS path: I <Originator> (For route reflected output only) Originator ID attribute set by the route reflector.
Primary Upstream When multipoint LDP with multicast-only fast reroute (MoFRR) is configured, the primary
upstream path. MoFRR transmits a multicast join message from a receiver toward a source
on a primary path, while also transmitting a secondary multicast join message from the receiver
toward the source on a backup path.
RPF Nexthops When multipoint LDP with MoFRR is configured, the reverse-path forwarding (RPF) next-hop
information. Data packets are received from both the primary path and the secondary paths.
The redundant packets are discarded at topology merge points due to the RPF checks.
Label Multiple MPLS labels are used to control MoFRR stream selection. Each label represents a
separate route, but each references the same interface list check. Only the primary label is
forwarded while all others are dropped. Multiple interfaces can receive packets using the same
label.
weight Value used to distinguish MoFRR primary and backup routes. A lower weight value is preferred.
Among routes with the same weight value, load balancing is possible.
Cluster list (For route reflected output only) Cluster ID sent by the route reflector.
Originator ID (For route reflected output only) Address of router that originally sent the route to the route
reflector.
Prefixes bound to route Forwarding Equivalent Class (FEC) bound to this route. Applicable only to routes installed by
LDP.
Communities Community path attribute for the route. See the Output Field table in the show route detail
command for all possible values for this field.
DeletePending The DeletePending flag indicates that a BGP route needs to be processed due to a BGP peer
down event. See the show route detail command for example output.
Label-Base, range First label in a block of labels and label block size. A remote PE routing device uses this first
label when sending traffic toward the advertising PE routing device.
status vector Layer 2 VPN and VPLS network layer reachability information (NLRI).
Primary Routing Table In a routing table group, the name of the primary routing table in which the route resides.
Secondary Tables In a routing table group, the name of one or more secondary tables in which the route resides.
Originating RIB Name of the routing table whose active route was used to determine the forwarding next-hop
entry in the resolution database. For example, in the case of inet.0 resolving through inet.0
and inet.3, this field indicates which routing table, inet.0 or inet.3, provided the best path for
a particular prefix.
Forwarding nexthops Number of forwarding next hops. The forwarding next hop is the network layer address of
the directly reachable neighboring system (if applicable) and the interface used to reach it.
Sample Output
show route extensive
user@host> show route extensive
...
...
...
...
0 (1 entry, 1 announced)
TSI:
KRT in-kernel 0 /36 -> {}
*MPLS Preference: 0
Next hop type: Receive
Next-hop reference count: 6
State: <Active Int>
Local AS: 64496
Age: 1:34:08 Metric: 1
Task: MPLS
Announcement bits (1): 0-KRT
AS path: I
...
Address: 0x92544f0
Next-hop reference count: 2
Next hop: 198.51.100.2 via lt-1/2/0.7 weight 0x1
Label-switched-path R2-to-R200-p2mp
Label operation: Pop
Next hop: 198.51.100.2 via lt-1/2/0.5 weight 0x8001
Label operation: Pop
State: <Active Int>
Age: 1:29 Metric: 1
Task: RSVP
Announcement bits (1): 0-KRT
AS path: I...
TSI:
KRT in-kernel 800010 /36 -> {vt-3/2/0.32769}
*VPLS Preference: 7
Next-hop reference count: 2
Next hop: via vt-3/2/0.32769, selected
Label operation: Pop
State: <Active Int>
Age: 1:31:53
Task: Common L2 VC
Announcement bits (1): 0-KRT
AS path: I
Age: 1:34:08
Task: PIM Recv6
Announcement bits (1): 0-KRT
AS path: I
Task: green-l2vpn
Announcement bits (1): 1-BGP.0.0.0.0+179
AS path: I
Communities: Layer2-info: encaps:VPLS, control flags:, mtu: 0
Label-base: 800008, range: 8, status-vector: 0x9F
...
TSI:
IS-IS Preference: 15
Level: 1
Next hop type: Router, Next hop index: 1048577
Address: 0xXXXXXXXXXX
Next-hop reference count: YY
Next hop: 203.0.113.22 via ae1.0 balance 43%, selected
Session Id: 0x141
Next hop: 203.0.113.22 via ae0.0 balance 57%
TSI:
KRT in-kernel 203.0.113.0/8 -> {indirect(40)}
*BGP Preference: 170/-101
Source: 192.168.4.214
Protocol next hop: 198.51.100.192 Indirect next hop: 84ac908 40
State: <Active Int Ext>
Local AS: 65548 Peer AS: 65548
Age: 3:09 Metric: 0 Metric2: 0
Task: BGP_65548.192.168.4.214+1033
Announcement bits (2): 0-KRT 4-Resolve inet.0
AS path: 65544 64507 I <Originator>
Cluster list: 198.51.100.1
Originator ID: 203.0.113.88
Communities: 7777:7777
Localpref: 100
Router ID: 203.0.113.4
Indirect next hops: 1
Protocol next hop: 203.0.113.192 Metric: 0
Indirect next hop: 84ac908 40
Indirect path forwarding next hops: 0
Next hop type: Discard
show route label detail (Multipoint LDP Inband Signaling for Point-to-Multipoint LSPs)
user@host> show route label 299872 detail
show route label detail (Multipoint LDP with Multicast-Only Fast Reroute)
user@host> show route label 301568 detail
Address: 0x2735208
Next-hop reference count: 3
Next hop type: Router, Next hop index: 1397
Address: 0x2735d2c
Next-hop reference count: 3
Next hop: 203.0.113.82 via ge-1/2/22.0
Label operation: Pop
Load balance label: None;
Next hop type: Router, Next hop index: 1395
Address: 0x2736290
Next-hop reference count: 3
Next hop: 203.0.113.2 via ge-1/2/18.0
Label operation: Pop
Load balance label: None;
State: <Active Int AckRequest MulticastRPF>
Local AS: 64500
Age: 54:05 Metric: 1
Validation State: unverified
Task: LDP
Announcement bits (1): 0-KRT
AS path: I
FECs bound to route: P2MP root-addr 198.51.100.1, grp: 203.0.113.1,
src: 192.168.219.11
Primary Upstream : 198.51.100.3:0--198.51.100.2:0
RPF Nexthops :
ge-1/2/15.0, 10.2.94.1, Label: 301568, weight: 0x1
ge-1/2/14.0, 10.2.3.1, Label: 301568, weight: 0x1
Backup Upstream : 198.51.100.3:0--198.51.100.6:0
RPF Nexthops :
ge-1/2/20.0, 198.51.100.96, Label: 301584, weight: 0xfffe
...
CUSTOMER_0001.inet.0: 5618 destinations, 6018 routes (5618 active, 0 holddown, 0 hidden)
Release Information
Command introduced in Junos OS Release 14.1X53-D20 for OCX Series switches.
Command introduced in Junos OS Release 11.3 for the QFX Series.
Description
(QFabric systems only) Display routing instance information.
Options
none—(Same as brief) Display standard information about all routing instances.
brief | detail | summary—(Optional) Display the specified level of output. If you do not specify a level of
output, the system defaults to brief. (These options are not available with the operational keyword.)
Output Fields
Table 71 on page 1546 lists the output fields for the show route instance command. Output fields are listed
in the approximate order in which they appear.
Tables (Level: detail): Tables (and number of routes) associated with this routing instance.
Primary RIB (Level: brief, none, summary): Primary table for this routing instance.
Sample Output
show route instance
user@switch> show route instance
Instance Type
Primary RIB Active/holddown/hidden
master forwarding
inet.0 4/0/1
__juniper_private1__ forwarding
__juniper_private1__.inet.0 1/0/3
__juniper_private2__ forwarding
__juniper_private2__.inet.0 0/0/1
__juniper_private3__ forwarding
__juniper_private3__.inet.0 1/0/2
__juniper_private4__ forwarding
__juniper_private4__.inet.0 4/0/2
__master.anon__ forwarding
r1 virtual-router
r2 virtual-router
master:
Router ID: 10.3.3.7
Type: forwarding State: Active
Tables:
inet.0 : 5 routes (4 active, 0 holddown, 1 hidden)
__juniper_private1__:
Router ID: 0.0.0.0
Type: forwarding State: Active
Interfaces:
lo0.16385
bme0.0
Tables:
__juniper_private1__.inet.0: 6 routes (1 active, 0 holddown, 3 hidden)
__juniper_private2__:
Router ID: 0.0.0.0
Type: forwarding State: Active
Interfaces:
lo0.16384
Tables:
__juniper_private2__.inet.0: 1 routes (0 active, 0 holddown, 1 hidden)
__juniper_private3__:
Router ID: 0.0.0.0
Type: forwarding State: Active
Interfaces:
bme0.1
Tables:
__juniper_private3__.inet.0: 4 routes (1 active, 0 holddown, 2 hidden)
__juniper_private4__:
__master.anon__:
Router ID: 0.0.0.0
Type: forwarding State: Active
r1:
Router ID: 0.0.0.0
Type: virtual-router State: Active
Interfaces:
xe-0/0/0.0
r2:
Router ID: 0.0.0.0
Type: virtual-router State: Active
Interfaces:
xe-0/0/3.0
__juniper_private1__
__juniper_private2__
__juniper_private3__
__juniper_private4__
r1---qfabric
r2---qfabric
master
Instance Type
Primary RIB Active/holddown/hidden
master forwarding
inet.0 4/0/1
__juniper_private1__ forwarding
__juniper_private1__.inet.0 1/0/3
__juniper_private2__ forwarding
__juniper_private2__.inet.0 0/0/1
__juniper_private3__ forwarding
__juniper_private3__.inet.0 1/0/2
__juniper_private4__ forwarding
__juniper_private4__.inet.0 4/0/2
__master.anon__ forwarding
r1 virtual-router
r2 virtual-router
Release Information
Command introduced in Junos OS Release 15.1X49-D70.
Description
Display the SSH key pair identity information.
Options
• brief identity-name—Display the brief information for a specified identity. The identity-name variable is
optional; if an identity is not specified, the command lists brief information for all identities.
RELATED DOCUMENTATION
Output Fields
When you enter this command, you are provided feedback on the status of your request.
Sample Output
show security ssh key-pair-identity brief
user@host> show security ssh key-pair-identity brief
Release Information
Command introduced in Junos OS Release 11.1 for EX Series switches.
Description
Display information about the local digital certificates and the corresponding public keys installed in the
switch.
Options
none—(Same as brief) Display information about all local digital certificates and corresponding public keys.
brief | detail—(Optional) Display information about local digital certificates and corresponding public keys
for the specified level of output.
certificate-id certificate-id-name—(Optional) Display information about only the specified local digital
certificate and corresponding public keys.
RELATED DOCUMENTATION
Output Fields
Table 72 on page 1554 lists the output fields for the show security pki local-certificate command. Output
fields are listed in the approximate order in which they appear.
Issued to (Level: none, brief): Device that was issued the digital certificate.
Issuer (Level: detail): Authority that issued the digital certificate, including details of the authority organized using the distinguished name format. Possible subfields are:
Subject (Level: detail): Details of the digital certificate holder organized using the distinguished name format. Possible subfields are:
Alternate subject (Level: detail): Domain name or IP address of the device related to the digital certificate.
Validity (Level: all levels): Time period when the digital certificate is valid. Values are:
Public key algorithm (Level: all levels): Encryption algorithm used with the private key, such as rsaEncryption (1024 bits).
Public key verification status (Level: all levels): Public key verification status: Failed or Passed. The detail output also provides the verification hash.
Signature algorithm (Level: detail): Encryption algorithm that the CA used to sign the digital certificate, such as sha1WithRSAEncryption.
Fingerprint (Level: detail): Secure Hash Algorithm (SHA1) and Message Digest 5 (MD5) hashes used to identify the digital certificate.
Distribution CRL (Level: detail): Distinguished name information and URL for the certificate revocation list (CRL) server.
Use for key (Level: detail): Use of the public key, such as Certificate signing, CRL signing, Digital signature, or Key encipherment.
Sample Output
show security pki local-certificate
user@switch> show security pki local-certificate
Release Information
Command introduced in Junos OS Release 15.1X49-D80 for SRX300, SRX320, SRX340, and SRX345
devices.
Command introduced in Junos OS Release 20.1R1 for SRX5400, SRX5600, and SRX5800 devices with
SRX5K-RE3-128G Routing Engine (RE3).
TPM family and TPM firmware version details are introduced in Junos OS Release 15.1X49-D120.
Description
Display the current status of the Trusted Platform Module (TPM). You can use this show security tpm
status command to check the status of TPM ownership, master binding key, master encryption password,
family version, and firmware version.
Options
This command has no options.
RELATED DOCUMENTATION
Using Trusted Platform Module to Bind Secrets on SRX Series Devices | 167
request security tpm master-encryption-password set | 1379
Sample Output
show security tpm status
user@host> show security tpm status
TPM Status:
Enabled: yes
Owned: yes
Master Binding Key: not-created
Master Encryption Key: not-configured
TPM Family: 1.2
TPM Firmware version: 4.40
Table 73 on page 1558 lists the output fields for the show security tpm status command.
Master Binding Key: Displays the TPM's Master Binding Key status, whether it is created or not created. The TPM generates cryptographic keys and encrypts them so that they can only be decrypted by the TPM. This process is known as binding. Each TPM has a master binding key, which is also known as the storage root key.
Release Information
Command introduced in Junos OS Release 9.4. Options updated in Junos OS Release 12.1.
Description
Display a summary of the authentication table entries configured from the IC Series UAC Appliance.
Authentication tables store mappings between traffic sessions and Unified Access Control (UAC) roles.
The IC Series appliance uses the roles specified in the mappings to help determine which UAC policies to
apply to a session.
Use this command when you have configured the SRX Series device to act as a Junos OS Enforcer in a
UAC deployment. When deployed as a Junos OS Enforcer, the SRX Series device enforces the policies
that are defined on the UAC’s IC Series appliance.
You can also use this command to display the content of the authentication table in a user role firewall
implementation. The table, pushed from a supporting UAC device, provides the user roles associated with
incoming traffic.
Options
• detail—Display a detailed view of all authentication table entries.
• extended—Display a view of all authentication table entries with the user roles listed.
• identifier id—Display all authentication table entries with the specified identifier number.
• role role-name—Display all authentication table entries for the specified role name.
• user username—Display all authentication table entries for the specified user.
RELATED DOCUMENTATION
Sample Output
show services unified-access-control authentication-table
user@host> show services unified-access-control authentication-table
Identifier: 1
Source IP: 198.51.100.22
Username: john
Age: 0
Role identifier Role name
0000000001.000005.0 Users
1113249951.100616.0 PersonalFirewall
1183670148.427197.0 UAC
Total: 1
Total: 2
Identifier: 1
Source IP: 10.214.161.195
Username: johna
Age: 0
Role identifier Role name
0000000001.000005.0 Users
1113249951.100616.0 PersonalFirewall
1183670148.427197.0 UAC
Total: 1
Release Information
Command introduced in Junos OS Release 9.4.
Description
Display a summary of resource access policies configured from the IC Series UAC Appliance.
Use this command when you have configured the SRX Series device to act as a Junos OS Enforcer in a
Unified Access Control (UAC) deployment. When deployed as a Junos OS Enforcer, the SRX Series device
enforces the policies that are defined on the UAC’s IC Series appliance.
Options
• detail—Display a detailed view of all policies.
RELATED DOCUMENTATION
Sample Output
show services unified-access-control policies
user@host> show services unified-access-control policies
Sample Output
show services unified-access-control policies detail
user@host> show services unified-access-control policies detail
Identifier: 1
Resource: 10.100.15.0/24:*
Resource: 10.100.16.23-10.100.16.60:*
Action: allow
Apply: selected
Role identifier Role name
1113249951.100616.0 Personal Firewall
1112927873.881659.0 Antivirus
1183670148.427197.0 UAC
Identifier: 2
Resource: 10.100.17.0/24:*
Resource: 10.100.16.23-10.100.16.60:*
Resource: 10.100.18.0/24:*
Action: deny
Apply: all
Sample Output
show services unified-access-control policies identifier 1
user@host> show services unified-access-control policies identifier 1
Identifier: 1
Resource: 10.100.15.0/24:*
Resource: 10.100.16.23-10.100.16.60:*
Action: allow
Apply: selected
Role identifier Role name
1113249951.100616.0 Personal Firewall
1112927873.881659.0 Antivirus
1183670148.427197.0 UAC
Release Information
Command introduced in Junos OS Release 9.4.
Description
Display the status of the connection between the SRX Series device and the IC Series UAC Appliance as
well as statistics to help debug connections to the IC Series appliance.
Use this command when you have configured the SRX Series device to act as a Junos OS Enforcer in a
Unified Access Control (UAC) deployment. When deployed as a Junos OS Enforcer, the SRX Series device
enforces the policies that are defined on the UAC’s IC Series appliance.
RELATED DOCUMENTATION
Sample Output
show services unified-access-control status
user@host> show services unified-access-control status
show snmp
There are several commands that you can access in Junos OS operational mode to monitor SNMP
information. Some of the commands are:
• show snmp health-monitor, which displays the health monitor log and alarm information.
• show snmp mib, which displays information from the MIBs, such as device and system information.
• show snmp statistics, which displays SNMP statistics such as the number of packets, silent drops, and
invalid output values.
• show snmp rmon, which displays the RMON alarm, event, history, and log information.
The following example provides sample output from the show snmp health-monitor command:
Alarm
Index Variable description Value State
The following example provides sample output from the show snmp mib command:
The following example provides sample output from the show snmp statistics command:
SNMP statistics:
Input:
Packets: 0, Bad versions: 0, Bad community names: 0,
Bad community uses: 0, ASN parse errors: 0,
Too bigs: 0, No such names: 0, Bad values: 0,
Read onlys: 0, General errors: 0,
Total request varbinds: 0, Total set varbinds: 0,
Get requests: 0, Get nexts: 0, Set requests: 0,
Get responses: 0, Traps: 0,
Silent drops: 0, Proxy drops: 0, Commit pending drops: 0,
Throttle drops: 0, Duplicate request drops: 0
Output:
Packets: 0, Too bigs: 0, No such names: 0,
Bad values: 0, General errors: 0,
Get requests: 0, Get nexts: 0, Set requests: 0,
Get responses: 0, Traps: 0
RELATED DOCUMENTATION
health-monitor
show snmp mib
Release Information
Command introduced before Junos OS Release 7.4.
Command introduced in Junos OS Release 9.0 for EX Series switches.
Command introduced in Junos OS Release 11.1 for the QFX Series.
Command introduced in Junos OS Release 14.1X53-D20 for OCX Series switches.
Option subagents introduced in Junos OS Release 14.2.
Description
Display statistics about Simple Network Management Protocol (SNMP) packets sent and received by the
router or switch.
Options
subagents—(Optional) Display the statistics of the protocol data unit (PDU), the number of SNMP requests
and responses per subagent, and the SNMP statistics received from each subagent per logical system.
RELATED DOCUMENTATION
Output Fields
Table 74 on page 1570 describes the output fields for the show snmp statistics command. Output fields are
listed in the approximate order in which they appear.
Table 75 on page 1573 describes the output fields for the show snmp statistics subagents command. Output
fields are listed in the approximate order in which they appear.
Request Variables—Number of variable bindings on the PDUs requested by the SNMP manager.
Response Variables—Number of variable bindings on the PDUs sent by the SNMP subagent.
Average Response Time—Average time taken by the SNMP subagent to send the statistics response.
Maximum Response Time—Maximum time taken by the SNMP subagent to send the statistics response.
Sample Output
show snmp statistics
user@host> show snmp statistics
SNMP statistics:
Input:
Packets: 246213, Bad versions: 12, Bad community names: 12,
Bad community uses: 0, ASN parse errors: 96,
Too bigs: 0, No such names: 0, Bad values: 0,
Read onlys: 0, General errors: 0,
Total request varbinds: 227084, Total set varbinds: 67,
Get requests: 44942, Get nexts: 190371, Set requests: 10712,
Get responses: 0, Traps: 0,
Silent drops: 0, Proxy drops: 0, Commit pending drops: 0,
Throttle drops: 0,
V3 Input:
Unknown security models: 0, Invalid messages: 0
Unknown pdu handlers: 0, Unavailable contexts: 0
Unknown contexts: 0, Unsupported security levels: 1
Not in time windows: 0, Unknown user names: 0
Unknown engine ids: 44, Wrong digests: 23, Decryption errors: 0
Output:
Packets: 246093, Too bigs: 0, No such names: 31561,
Bad values: 0, General errors: 2,
Get requests: 0, Get nexts: 0, Set requests: 0,
Get responses: 246025, Traps: 0
Subagent: /var/run/cosd-20
Request PDUs: 0, Response PDUs: 0,
Request Variables: 0, Response Variables: 0,
Subagent: /var/run/pfed-30
Request PDUs: 0, Response PDUs: 0,
Request Variables: 0, Response Variables: 0,
Average Response Time(ms): 0.00,
Maximum Response Time(ms): 0.00
Subagent: /var/run/rmopd-15
Request PDUs: 0, Response PDUs: 0,
Request Variables: 0, Response Variables: 0,
Average Response Time(ms): 0.00,
Maximum Response Time(ms): 0.00
Subagent: /var/run/chassisd-30
Request PDUs: 33116, Response PDUs: 33116,
Request Variables: 33116, Response Variables: 33116,
Average Response Time(ms): 1.83,
Maximum Response Time(ms): 203.48
Subagent: /var/run/pkid-13
Request PDUs: 0, Response PDUs: 0,
Request Variables: 0, Response Variables: 0,
Average Response Time(ms): 0.00,
Maximum Response Time(ms): 0.00
Subagent: /var/run/apsd-13
Request PDUs: 0, Response PDUs: 0,
Request Variables: 0, Response Variables: 0,
Average Response Time(ms): 0.00,
Maximum Response Time(ms): 0.00
Subagent: /var/run/dfcd-32
Request PDUs: 0, Response PDUs: 0,
Request Variables: 0, Response Variables: 0,
Average Response Time(ms): 0.00,
Maximum Response Time(ms): 0.00
Subagent: /var/run/mib2d-33
Request PDUs: 74211, Response PDUs: 74211,
Request Variables: 74211, Response Variables: 74211,
Average Response Time(ms): 2.30,
Maximum Response Time(ms): 51.04
Subagent: /var/run/license-check-16
Request PDUs: 0, Response PDUs: 0,
Request Variables: 0, Response Variables: 0,
Average Response Time(ms): 0.00,
Maximum Response Time(ms): 0.00
Subagent: /var/run/craftd-14
Request PDUs: 0, Response PDUs: 0,
Request Variables: 0, Response Variables: 0,
Average Response Time(ms): 0.00,
Maximum Response Time(ms): 0.00
Subagent: /var/run/bfdd-19
Request PDUs: 0, Response PDUs: 0,
Request Variables: 0, Response Variables: 0,
Average Response Time(ms): 0.00,
Maximum Response Time(ms): 0.00
Subagent: /var/run/smihelperd-24
Request PDUs: 0, Response PDUs: 0,
Request Variables: 0, Response Variables: 0,
Average Response Time(ms): 0.00,
Maximum Response Time(ms): 0.00
Subagent: /var/run/cfmd-18
Request PDUs: 0, Response PDUs: 0,
Request Variables: 0, Response Variables: 0,
Average Response Time(ms): 0.00,
Maximum Response Time(ms): 0.00
Subagent: /var/run/rpd_snmp
Request PDUs: 0, Response PDUs: 0,
Request Variables: 0, Response Variables: 0,
Average Response Time(ms): 0.00,
Maximum Response Time(ms): 0.00
Subagent: /var/run/l2tpd-18
Request PDUs: 0, Response PDUs: 0,
Request Variables: 0, Response Variables: 0,
Average Response Time(ms): 0.00,
Maximum Response Time(ms): 0.00
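As an added example (not part of the Juniper documentation), the following Python parses the show snmp statistics output above and reports the counters that only grow when a request carried credentials the agent rejected: Bad community names for v1/v2c, and Wrong digests, Unknown user names and the other V3 Input failures for SNMPv3. The sample input is the output shown above trimmed to one subagent, and the choice of which counters count as authentication failures is this example's assumption, not a Juniper definition.

```python
import re
from typing import Dict, List, Tuple

# Constructed input: the show snmp statistics sample from this page, trimmed to one subagent.
SAMPLE = """\
SNMP statistics:
  Input:
    Packets: 246213, Bad versions: 12, Bad community names: 12,
    Bad community uses: 0, ASN parse errors: 96,
    Too bigs: 0, No such names: 0, Bad values: 0,
    Read onlys: 0, General errors: 0,
    Total request varbinds: 227084, Total set varbinds: 67,
    Get requests: 44942, Get nexts: 190371, Set requests: 10712,
    Get responses: 0, Traps: 0,
    Silent drops: 0, Proxy drops: 0, Commit pending drops: 0,
    Throttle drops: 0,
  V3 Input:
    Unknown security models: 0, Invalid messages: 0
    Unknown pdu handlers: 0, Unavailable contexts: 0
    Unknown contexts: 0, Unsupported security levels: 1
    Not in time windows: 0, Unknown user names: 0
    Unknown engine ids: 44, Wrong digests: 23, Decryption errors: 0
  Output:
    Packets: 246093, Too bigs: 0, No such names: 31561,
    Bad values: 0, General errors: 2,
    Get requests: 0, Get nexts: 0, Set requests: 0,
    Get responses: 246025, Traps: 0
  Subagent: /var/run/chassisd-30
    Request PDUs: 33116, Response PDUs: 33116,
    Request Variables: 33116, Response Variables: 33116,
    Average Response Time(ms): 1.83,
    Maximum Response Time(ms): 203.48
"""

SECTION_RE = re.compile(r"^\s*(Input|V3 Input|Output):\s*$")
SUBAGENT_RE = re.compile(r"^\s*Subagent:\s*(\S+)\s*$")
# "Name: 123" pairs; names may contain spaces and a unit such as "(ms)"
COUNTER_RE = re.compile(r"([A-Za-z][A-Za-z0-9 ()]*?):\s*(\d+(?:\.\d+)?)")

# Counters that only grow when a request carried credentials the agent rejected.
# This selection is the example's assumption. "Unknown engine ids" is left out on
# purpose: it also increments during normal SNMPv3 engine-ID discovery by managers.
AUTH_FAILURE_COUNTERS: List[Tuple[str, str]] = [
    ("Input", "Bad community names"),
    ("Input", "Bad community uses"),
    ("V3 Input", "Unknown user names"),
    ("V3 Input", "Wrong digests"),
    ("V3 Input", "Unsupported security levels"),
    ("V3 Input", "Not in time windows"),
    ("V3 Input", "Decryption errors"),
]


def parse_snmp_statistics(text: str) -> Dict[str, Dict[str, float]]:
    """Return {section: {counter: value}}; subagents become 'Subagent <path>' sections."""
    sections: Dict[str, Dict[str, float]] = {}
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = {}
            continue
        m = SUBAGENT_RE.match(line)
        if m:
            current = "Subagent " + m.group(1)
            sections[current] = {}
            continue
        if current is None:  # the "SNMP statistics:" banner
            continue
        for name, value in COUNTER_RE.findall(line):
            sections[current][name.strip()] = float(value) if "." in value else int(value)
    return sections


def auth_failures(stats, threshold: int = 0) -> List[Tuple[str, str, float]]:
    """List (section, counter, value) for every authentication-failure counter above threshold."""
    findings = []
    for section, name in AUTH_FAILURE_COUNTERS:
        value = stats.get(section, {}).get(name, 0)
        if value > threshold:
            findings.append((section, name, value))
    return findings


def failure_ratio(stats) -> float:
    """Share of received packets that failed authentication; a useful trend metric between polls."""
    packets = stats.get("Input", {}).get("Packets", 0)
    if not packets:
        return 0.0
    return sum(v for _, _, v in auth_failures(stats)) / packets


if __name__ == "__main__":
    s = parse_snmp_statistics(SAMPLE)
    for section, name, value in auth_failures(s):
        print(f"{section}: {name} = {value}")
    print(f"authentication failure ratio: {failure_ratio(s):.6f}")
```

Since the counters are cumulative since the last clear, compare two polls and alert on the delta rather than on the absolute value.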
show ssl-certificates
Syntax
Release Information
Command introduced in Junos OS Release 17.2R1 for EX Series switches.
Description
Display information about the Secure Sockets Layer (SSL) certificates installed on the switch. When you
configure PEAP as the authentication protocol for MAC RADIUS authentication, you must load the
server-side Secure Sockets Layer (SSL) certificate on the switch. PEAP requires an SSL certificate to create
a secure TLS tunnel to protect user authentication, and uses server-side public key certificates to
authenticate the server. It then creates an encrypted TLS tunnel between the client and the authentication
server. The key for this encryption is transported using the server's public key. The ensuing exchange of
authentication information inside the tunnel to authenticate the client is then encrypted and user credentials
are safe from eavesdropping.
Options
none—Display information about all SSL certificates.
detail—Display information about SSL certificates for the specified level of output.
RELATED DOCUMENTATION
Output Fields
Table 72 on page 1554 lists the output fields for the show ssl-certificates command. Output fields are listed
in the approximate order in which they appear.
Issuer—(All levels) Authority that issued the digital certificate, including details of the authority organized
using the distinguished name format. Possible subfields are:
• C—Country of origin.
• ST—State or province name.
• L—Locality.
• O—Organization of origin.
• OU—Organizational unit.
• CN—Common name of the authority.
Valid from—(detail) Start time when the digital certificate becomes valid.
Valid till—(detail) End time when the digital certificate becomes invalid.
Subject—(detail) Details of the digital certificate holder organized using the distinguished name format.
Possible subfields are:
• C—Country of origin.
• ST—State or province name.
• L—Locality.
• O—Organization of origin.
• OU—Organizational unit.
• CN—Common name of the authority.
Sample Output
show ssl-certificates
user@root> show ssl-certificates
Issuer:
/C=IN/ST=KA/L=Blr/O=JNPR/OU=CP/CN=User-Radius/[email protected]
Issuer:
/C=IN/ST=KA/L=Blr/O=JNPR/OU=CP/CN=User-Radius/[email protected]
Valid From: May 30 17:41:04 2016 GMT
Valid Till: May 29 17:41:04 2026 GMT
Serial Number: 0
Subject:
/C=IN/ST=KA/L=Blr/O=JNPR/OU=CP/CN=User-Radius/[email protected]
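As an added example (not the documentation's own code), the following Python parses the show ssl-certificates output above and checks the PEAP server certificate for the conditions that cause MAC RADIUS authentication outages or supplicant trust failures: expiry, a self-signed issuer, and a zero serial number. The input is the sample output above with the e-mail component of the distinguished names omitted, and the 30-day warning window is this example's assumption.

```python
from datetime import datetime, timezone
from typing import Dict, List, Union

# Constructed input: the show ssl-certificates sample from this page; the e-mail
# component of the distinguished names is omitted because the page does not show it.
SAMPLE = """\
Issuer:
/C=IN/ST=KA/L=Blr/O=JNPR/OU=CP/CN=User-Radius
Issuer:
/C=IN/ST=KA/L=Blr/O=JNPR/OU=CP/CN=User-Radius
Valid From: May 30 17:41:04 2016 GMT
Valid Till: May 29 17:41:04 2026 GMT
Serial Number: 0
Subject:
/C=IN/ST=KA/L=Blr/O=JNPR/OU=CP/CN=User-Radius
"""

DATE_FMT = "%b %d %H:%M:%S %Y GMT"


def parse_dn(dn: str) -> Dict[str, str]:
    """Split an OpenSSL-style '/C=IN/ST=KA/.../CN=name' string into its subfields."""
    fields: Dict[str, str] = {}
    for component in dn.strip().split("/"):
        if "=" in component:
            key, value = component.split("=", 1)
            fields[key] = value
    return fields


def _parse_time(line: str) -> datetime:
    """'Valid From: May 30 17:41:04 2016 GMT' -> naive UTC datetime."""
    return datetime.strptime(line.split(":", 1)[1].strip(), DATE_FMT)


def parse_ssl_certificates(text: str) -> List[Dict]:
    certs: List[Dict] = []
    cur: Dict = {}
    lines = [ln.strip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        line = lines[i]
        if line == "Issuer:" and i + 1 < len(lines):
            # a record runs from its first "Issuer:" line to its "Subject:" line;
            # the sample prints Issuer: twice, so open a new record only once
            if not cur or "subject" in cur:
                cur = {}
                certs.append(cur)
            cur["issuer"] = parse_dn(lines[i + 1])
            i += 2
            continue
        if line == "Subject:" and i + 1 < len(lines):
            cur["subject"] = parse_dn(lines[i + 1])
            i += 2
            continue
        if line.startswith("Valid From:"):
            cur["not_before"] = _parse_time(line)
        elif line.startswith("Valid Till:"):
            cur["not_after"] = _parse_time(line)
        elif line.startswith("Serial Number:"):
            cur["serial"] = line.split(":", 1)[1].strip()
        i += 1
    return certs


def check_certificate(cert: Dict, now: Union[datetime, str], warn_days: int = 30) -> List[str]:
    """Findings for the PEAP server certificate; 'now' may be an ISO-8601 string (UTC)."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    findings: List[str] = []
    if cert["issuer"] == cert["subject"]:
        # supplicants trust this only if the certificate itself is provisioned on them
        findings.append("self-signed")
    if cert.get("serial") == "0":
        findings.append("serial number 0")  # RFC 5280 requires a positive serial number
    if now < cert["not_before"]:
        findings.append("not yet valid")
    elif now > cert["not_after"]:
        findings.append("expired")
    else:
        days_left = (cert["not_after"] - now).days
        if days_left < warn_days:
            findings.append(f"expires in {days_left} days")
    return findings


if __name__ == "__main__":
    now_utc = datetime.now(timezone.utc).replace(tzinfo=None)
    for cert in parse_ssl_certificates(SAMPLE):
        print(cert["subject"].get("CN"), check_certificate(cert, now_utc))
```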
Release Information
Command introduced in Junos OS Release 15.1X49-D35 for SRX300, SRX320, SRX340, SRX345, and
SRX550M devices.
Command introduced in Junos OS Release 20.1R1 for SRX380 devices.
Description
Perform checks and show status of all autorecovered items.
RELATED DOCUMENTATION
Output Fields
Table 77 on page 1580 lists the output fields for the show system autorecovery state command. Output
fields are listed in the approximate order in which they appear.
File—The name of the file on which autorecovery checks are performed.
Recovery Information—Indicates whether autorecovery information for the file or slice has been saved.
Integrity Check—Displays the status of the file's integrity check (passed or failed).
Action / Status—Displays the status of the item, or the action required to be taken for that item.
Sample Output
show system autorecovery state
user@host> show system autorecovery state
Configuration:
File Recovery Information Integrity Check Action / Status
rescue.conf.gz Saved Passed None
Licenses:
File Recovery Information Integrity Check Action / Status
JUNOS282736.lic Saved Passed None
JUNOS282737.lic Not Saved Not checked Requires save
BSD Labels:
Slice Recovery Information Integrity Check Action / Status
s1 Saved Passed None
s2 Saved Passed None
s3 Saved Passed None
s4 Saved Passed None
Release Information
Command introduced in Junos OS Release 15.1X49-D35 for SRX300, SRX320, SRX340, SRX345, and
SRX550M devices.
Command introduced in Junos OS Release 20.1R1 for SRX380 devices.
Description
Display a brief summary of all the download instances along with their current state and extent of progress.
If a download-id is provided, the command displays a detailed report of the particular download instance.
Options
• download-id—(Optional) The ID number of the download instance.
RELATED DOCUMENTATION
Output Fields
Table 78 on page 1582 lists the output fields for the show system download command. Output fields are
listed in the approximate order in which they appear.
URL—Displays the URL from which the file was downloaded.
Sample Output
show system download
user@host> show system download
Download ID : 1
Status : Active
Progress : 6%
URL : ftp://ftp-server//tftpboot/1m_file
Local Path : /var/tmp/1m_file
Maximum Rate : 1k
Creation Time : May 4 06:28:36
Scheduled Time : May 4 06:28:36
Start Time : May 4 06:28:37
Error Count : 0
Release Information
Command introduced in Junos OS Release 9.5. Logical system status option added in Junos OS Release
11.2.
Description
Display licenses and information about how licenses are used.
Options
none—Display all license information.
keys—(Optional) Display a list of license keys. Use this information to verify that each expected license
key is present.
status—(Optional) Display license status for a specified logical system or for all logical systems.
RELATED DOCUMENTATION
Output Fields
Table 79 on page 1585 lists the output fields for the show system license command. Output fields are listed
in the approximate order in which they appear.
Feature name—Name assigned to the configured feature. You use this information to verify that all the features
for which you installed licenses are present.
Licenses used—Number of licenses used by the device. You use this information to verify that the number of
licenses used matches the number configured. If a licensed feature is configured, the feature
is considered used.
Licenses needed—Number of licenses required for features being used but not yet properly licensed.
Expiry—Time remaining in the grace period before a license is required for a feature being used.
Sample Output
show system license
user@host> show system license
License usage:
                                 Licenses   Licenses   Licenses   Expiry
  Feature name                       used  installed     needed
  av_key_kaspersky_engine               1          1          0   2012-03-30 01:00:00 IST
  wf_key_surfcontrol_cpa                0          1          0   2012-03-30 01:00:00 IST
  dynamic-vpn                           0          1          0   permanent
  ax411-wlan-ap                         0          2          0   permanent
Licenses installed:
License identifier: JUNOS301998
License version: 2
Valid for device: AG4909AA0080
Features:
av_key_kaspersky_engine - Kaspersky AV
date-based, 2011-03-30 01:00:00 IST - 2012-03-30 01:00:00 IST
Release Information
Command introduced in Junos OS Release 11.2.
Description
Display the usernames locked after unsuccessful login attempts.
RELATED DOCUMENTATION
retry-options | 1243
clear system login lockout | 1360
Output Fields
Table 80 on page 1588 lists the output fields for the show system login lockout command. Output fields are
listed in the approximate order in which they appear.
Lockout start—(All levels) Date and time the username was locked.
Lockout end—(All levels) Date and time the username was unlocked.
Sample Output
show system login lockout
user@host> show system login lockout
Release Information
Command introduced before Junos OS Release 7.4.
Command introduced in Junos OS Release 9.0 for EX Series switches.
Command introduced in Junos OS Release 11.1 for the QFX Series.
Command introduced in Junos OS Release 14.1X53-D20 for the OCX Series.
Description
Display information about a Session and Resource Control (SRC) client.
Options
This command has no options.
Output Fields
Table 81 on page 1590 lists the output fields for the show system services service-deployment command.
Output fields are listed in the approximate order in which they appear.
Last update from peer—Time at which the last update from a peer was received.
Sample Output
show system services service-deployment
user@host> show system services service-deployment
Connected to 192.0.2.0 port 10288 since 2004-05-03 11:04:34 PDT
  Keepalive settings: Interval 15 seconds
  Keepalives sent: 750
  Notifications sent: 0
  Last update from peer: 00:00:06 ago
show system snapshot < media (compact-flash | external | harddisk | internal | usb) >
Release Information
Command introduced in Junos OS Release 10.2.
Description
Display information about the partitioning scheme present on the media. Information for only one root is
displayed for single-root partitioning, whereas information for both roots is displayed for dual-root
partitioning.
Options
• compact-flash—Show snapshot information from the CompactFlash card. (Supported on SRX5400,
SRX5600, SRX5800)
• external—Show snapshot information from the external CompactFlash card. (Not supported on SRX5000
Series devices)
• hard-disk—Show snapshot information from the Hard Disk. (Supported on SRX5400, SRX5600, SRX5800)
• internal—Show snapshot information from internal media. (Not supported on SRX5000 Series devices)
RELATED DOCUMENTATION
Output Fields
Table 82 on page 1593 lists the output fields for the show system snapshot media command. Output fields
are listed in the approximate order in which they appear.
Sample Output
show system snapshot media compact-flash
Release Information
Command introduced in Junos OS Release 15.1X49-D35 for SRX300, SRX320, SRX340, SRX345, and
SRX550HM devices.
Command introduced in Junos OS Release 20.1R1 for SRX380 devices.
Command introduced in Junos OS Release 11.1 for EX Series switches.
Description
Display information about the disk partitioning scheme.
Options
none—Display partition information.
all-members—(Virtual Chassis systems only) (Optional) Display partition information for all members of
the Virtual Chassis.
local—(Virtual Chassis systems only) (Optional) Display partition information for the local Virtual Chassis
member.
member member-id—(Virtual Chassis systems only) (Optional) Display partition information for the specified
member of the Virtual Chassis configuration.
RELATED DOCUMENTATION
Output Fields
Table 83 on page 1596 describes the output fields for the show system storage partitions command. Output
fields are listed in the approximate order in which they appear.
Boot Media—Media (internal or external) from which the switch was booted.
Currently booted from—Partition from which the switch was last booted.
• Partition—Partition identifier.
• Size—Size of partition.
• Mountpoint—Directory on which the partition is mounted.
Sample Output
show system storage partitions (EX Series)
user@switch> show system storage partitions
fpc0:
--------------------------------------------------------------------------
Boot Media: internal (da0)
Partitions information:
Partition Size Mountpoint
s1a 184M /
s2a 184M altroot
s3d 369M /var/tmp
s3e 123M /var
s4d 62M /config
s4e unused (backup config)
Partitions Information:
Partition Size Mountpoint
s1a 293M altroot
s2a 293M /
s3e 24M /config
s3f 342M /var
s4a 30M recovery
Partitions Information:
Partition Size Mountpoint
s1a 293M /
s2a 293M altroot
s3e 24M /config
s3f 342M /var
s4a 30M recovery
Syntax
Release Information
Command introduced before Junos OS Release 7.4.
Command introduced in Junos OS Release 9.0 for EX Series switches.
sfc option introduced for the TX Matrix Plus router in Junos OS Release 9.6.
Command introduced in Junos OS Release 11.1 for the QFX Series.
Command introduced in Junos OS Release 14.1X53-D20 for the OCX Series.
Description
List information about the users who are currently logged in to the router or switch.
NOTE: The show system users command lists the information about administrative users that
are logged in to a router or switch using the CLI, J-Web, or an SSH client. The output does not
list information about web users or automated users that are logged in from a remote client
application using Junos XML APIs, such as NETCONF.
Options
none—List information about the users who are currently logged in to the router or switch.
all-chassis—(TX Matrix routers and TX Matrix Plus routers only) (Optional) Show users currently logged
in to all the routers in the chassis.
all-lcc—(TX Matrix routers and TX Matrix Plus routers only) (Optional) On a TX Matrix router, show users
currently logged in to all T640 routers (or line-card chassis) connected to the TX Matrix router. On a
TX Matrix Plus router, show users currently logged in to all connected T1600 or T4000 LCCs.
all-members—(MX Series routers only) (Optional) Display users currently logged in to all members of the
Virtual Chassis configuration.
lcc number—(TX Matrix routers and TX Matrix Plus routers only) (Optional) On a TX Matrix router, show
users currently logged in to a specific T640 router that is connected to the TX Matrix router. On a TX
Matrix Plus router, show users currently logged in to a specific router that is connected to the TX
Matrix Plus router.
Replace number with the following values depending on the LCC configuration:
• 0 through 3, when T640 routers are connected to a TX Matrix router in a routing matrix.
• 0 through 3, when T1600 routers are connected to a TX Matrix Plus router in a routing matrix.
• 0 through 7, when T1600 routers are connected to a TX Matrix Plus router with 3D SIBs in a routing
matrix.
• 0, 2, 4, or 6, when T4000 routers are connected to a TX Matrix Plus router with 3D SIBs in a routing
matrix.
local—(MX Series routers only) (Optional) Display users currently logged in to the local Virtual Chassis
member.
member member-id—(MX Series routers only) (Optional) Display users currently logged in to the specified
member of the Virtual Chassis configuration. Replace member-id with a value of 0 or 1.
scc—(TX Matrix routers only) (Optional) Show users currently logged in to the TX Matrix router (or
switch-card chassis).
sfc number—(TX Matrix Plus routers only) (Optional) Show users currently logged in to the TX Matrix Plus
router. Replace number with 0.
Additional Information
By default, when you issue the show system users command on the master Routing Engine of a TX Matrix
router or a TX Matrix Plus router, the command is broadcast to all the master Routing Engines of the LCCs
connected to it in the routing matrix. Likewise, if you issue the same command on the backup Routing
Engine of a TX Matrix or a TX Matrix Plus router, the command is broadcast to all backup Routing Engines
of the LCCs that are connected to it in the routing matrix.
RELATED DOCUMENTATION
Output Fields
Table 84 on page 1601 describes the output fields for the show system users command. Output fields are
listed in the approximate order in which they appear.
time and up—Current time, in the local time zone, and how long the router or switch has been operational.
load averages—Load averages for the last 1 minute, 5 minutes, and 15 minutes.
USER—Username.
FROM—System from which the user has logged in. A hyphen indicates that the user is logged in through
the console.
Sample Output
show system users
user@host> show system users
show system users lcc no-resolve (TX Matrix, TX Matrix Plus Router)
user@host> show system users lcc 2 no-resolve
lcc2-re0:
--------------------------------------------------------------------------
10:34AM PDT up 1 day, 7:11, 5 users, load averages: 0.03, 0.01, 0.00
USER TTY FROM LOGIN@ IDLE WHAT
root d0 - 3:21AM 7:12 /bin/csh
user1 p0 scc-re0 10:15AM - telnet hostA
user1 p1 scc-re0 10:16AM - telnet hostA
user1 p2 scc-re0 10:19AM - telnet hostA
user1 p3 scc-re0 10:24AM - telnet hostA
sfc0-re0:
--------------------------------------------------------------------------
1:41AM up 26 mins, 3 users, load averages: 0.08, 0.04, 0.03
USER TTY FROM LOGIN@ IDLE WHAT
user2 p0 10.209.208.123 1:18AM 21 cli
user2 p1 192.0.2.207 1:37AM 2 cli
user2 p2 192.0.2.19 1:40AM - cli
lcc0-re0:
--------------------------------------------------------------------------
1:41AM up 26 mins, 0 users, load averages: 0.00, 0.00, 0.03
lcc1-re0:
--------------------------------------------------------------------------
1:41AM up 26 mins, 0 users, load averages: 0.00, 0.02, 0.03
lcc2-re0:
--------------------------------------------------------------------------
1:41AM up 26 mins, 0 users, load averages: 0.16, 0.06, 0.02
lcc3-re0:
--------------------------------------------------------------------------
1:41AM up 26 mins, 0 users, load averages: 0.12, 0.04, 0.04
lcc0-re0:
--------------------------------------------------------------------------
1:42AM up 28 mins, 0 users, load averages: 0.02, 0.01, 0.03
lcc1-re0:
--------------------------------------------------------------------------
1:42AM up 28 mins, 0 users, load averages: 0.07, 0.04, 0.03
lcc2-re0:
--------------------------------------------------------------------------
lcc3-re0:
--------------------------------------------------------------------------
1:42AM up 28 mins, 0 users, load averages: 0.05, 0.04, 0.04
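The following Python is an added example, not the documentation's own code: it parses the show system users output above into per-Routing-Engine sessions and flags the ones an operator reviewing access would check first (console logins, root sessions, sources outside the management networks, and long-idle sessions). The sample input and the management prefix 192.0.2.0/24 are constructed for the example; as the NOTE above says, NETCONF and other Junos XML API sessions do not appear in this output, so the check covers interactive logins only.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed input, taken from the show system users lcc 2 no-resolve sample on this page.
SAMPLE = """\
sfc0-re0:
--------------------------------------------------------------------------
1:41AM up 26 mins, 3 users, load averages: 0.08, 0.04, 0.03
USER     TTY   FROM            LOGIN@  IDLE  WHAT
user2    p0    10.209.208.123  1:18AM  21    cli
user2    p1    192.0.2.207     1:37AM  2     cli
user2    p2    192.0.2.19      1:40AM  -     cli
lcc2-re0:
--------------------------------------------------------------------------
10:34AM PDT up 1 day, 7:11, 5 users, load averages: 0.03, 0.01, 0.00
USER     TTY   FROM     LOGIN@   IDLE  WHAT
root     d0    -        3:21AM   7:12  /bin/csh
user1    p0    scc-re0  10:15AM  -     telnet hostA
"""


@dataclass
class Session:
    engine: str   # Routing Engine whose section the line came from
    user: str
    tty: str
    source: str   # FROM column; "-" means the console
    login: str
    idle: str
    what: str


ENGINE_RE = re.compile(r"^(\S+):\s*$")


def parse_system_users(text: str) -> List[Session]:
    sessions: List[Session] = []
    engine = "local"
    for line in text.splitlines():
        if not line.strip() or line.startswith("---"):
            continue
        m = ENGINE_RE.match(line)
        if m:                                  # "lcc2-re0:" section header
            engine = m.group(1)
            continue
        if " up " in line and "load averages" in line:
            continue                           # uptime and load line
        parts = line.split(None, 5)            # WHAT may contain spaces
        if parts[0] == "USER" or len(parts) < 5:
            continue                           # column header or short line
        if len(parts) == 5:
            parts.append("")                   # WHAT column empty
        sessions.append(Session(engine, *parts))
    return sessions


def idle_minutes(idle: str) -> Optional[int]:
    """Convert the IDLE column ("-", "21", "7:12", "2days") to minutes; None if unrecognised."""
    if idle == "-":
        return 0
    if idle.isdigit():
        return int(idle)
    m = re.fullmatch(r"(\d+):(\d\d)", idle)
    if m:
        return int(m.group(1)) * 60 + int(m.group(2))
    m = re.fullmatch(r"(\d+)days?", idle)      # BSD w(1) style; assumed, not shown on the page
    if m:
        return int(m.group(1)) * 1440
    return None


def _as_ip(value: str):
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def review_sessions(sessions, management_prefixes, max_idle_minutes=30) -> List[Tuple[Session, str]]:
    """Flag sessions that merit a look: console, root, unexpected source, or long idle."""
    nets = [ipaddress.ip_network(p) for p in management_prefixes]
    findings = []
    for s in sessions:
        if s.source == "-":
            findings.append((s, "console login"))
        else:
            ip = _as_ip(s.source)              # hostnames such as scc-re0 are left alone
            if ip is not None and not any(ip in n for n in nets):
                findings.append((s, "source outside management networks"))
        if s.user == "root":
            findings.append((s, "root login"))
        idle = idle_minutes(s.idle)
        if idle is not None and idle > max_idle_minutes:
            findings.append((s, f"idle {idle} min"))
    return findings


if __name__ == "__main__":
    for s, reason in review_sessions(parse_system_users(SAMPLE), ["192.0.2.0/24"]):
        print(f"{s.engine} {s.user} tty {s.tty} from {s.source}: {reason}")
```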
ssh
List of Syntax
Syntax on page 1605
Syntax (EX Series Switch and the QFX Series) on page 1605
Syntax
ssh host
<bypass-routing>
<inet | inet6>
<interface interface-name>
<logical-system logical-system-name>
<tenant tenant-name>
<routing-instance routing-instance-name>
<source address>
<v2>
<port port-number>
ssh host
<bypass-routing>
<inet | inet6>
<interface interface-name>
<routing-instance routing-instance-name>
<source address>
<v2>
<port port-number>
Release Information
Command introduced before Junos OS Release 7.4.
Command introduced in Junos OS Release 9.0 for EX Series switches.
Command introduced in Junos OS Release 11.1 for the QFX Series.
Command introduced in Junos OS Release 14.1X53-D20 for OCX Series switches.
The tenant option is introduced in Junos OS Release 19.2R1 for the SRX Series.
Description
Use the SSH program to open a connection between a local router or switch and a remote system and
execute commands on the remote system. You can issue the ssh command from the Junos OS CLI to log
in to a remote system or from a remote system to log in to the local router or switch. When executing this
command, you include one or more CLI commands by enclosing them in quotation marks and separating
the commands with semicolons:
Options
host—Name or address of the remote system.
bypass-routing—(Optional) Bypass the normal routing tables and send ping requests directly to a system
on an attached network. If the system is not on a directly attached network, an error is returned. Use
this option to ping a local system through an interface that has no route through it.
interface interface-name—(Optional) Interface name for the SSH session. (This option does not work when
default-address-selection is configured at the [edit system] hierarchy level, because this configuration
uses the loopback interface as the source address for all locally generated IP packets.)
logical-system logical-system-name—(Optional) Name of a particular logical system for the SSH attempt.
tenant tenant-name—(Optional) Name of a particular tenant system for the SSH attempt.
routing-instance routing-instance-name—(Optional) Name of the routing instance for the SSH attempt.
Additional Information
To configure an SSH (version 2) key for your user account, include the authentication dsa-rsa statement
at the [edit system login user user-name] hierarchy level.
You can limit the number of times a user can attempt to enter a password while logging in through SSH.
To specify the number of times a user can attempt to enter a password to log in through SSH, include the
retry-options statement at the [edit system login] hierarchy level.
RELATED DOCUMENTATION
Output Fields
When you enter this command, you are provided feedback on the status of your request.
Sample Output
ssh
user@switch> ssh user
telnet
List of Syntax
Syntax on page 1608
Syntax (EX Series Switches) on page 1608
Syntax (Junos OS Evolved) on page 1608
Syntax
telnet host
<8bit>
<inet | inet6>
<port port-number>
<routing-instance routing-instance-name>
<logical-system logical-system-name>
<tenant tenant-name>
telnet host
<8bit>
<bypass-routing>
<inet | inet6>
<interface interface-name>
<no-resolve>
<port port-number>
<routing-instance routing-instance-name>
<source source-address>
telnet host
<8bit>
<inet | inet6>
<port port-number>
<routing-instance routing-instance-name>
Release Information
Command introduced before Junos OS Release 7.4.
Command introduced in Junos OS Release 9.0 for EX Series switches.
The following options are deprecated in Junos OS Evolved Release 18.3R1: bypass-routing, interface,
no-resolve, and source.
The tenant option is introduced in Junos OS Release 19.2R1 for the SRX Series.
Description
Open a telnet session to a remote system. Type Ctrl+] to escape from the telnet session to the telnet
command level, and then type quit to exit from telnet.
NOTE: For Junos OS Evolved, use the routing-instance mgmt_junos option to access a remote
system through the management interface.
Options
host—Name or address of the remote system.
bypass-routing—(Optional) Bypass the normal routing tables and send ping requests directly to a system
on an attached network. If the system is not on a directly attached network, an error is returned. Use
this option to ping a local system through an interface that has no route through it.
interface interface-name—(Optional) Interface name for the telnet session. (This option does not work
when default-address-selection is configured at the [edit system] hierarchy level, because this
configuration uses the loopback interface as the source address for all locally generated IP packets.)
logical-system logical-system-name—(Optional) Name of a particular logical system for the telnet attempt.
tenant tenant-name—(Optional) Name of a particular tenant system for the telnet attempt.
no-resolve—(Optional) This option is not supported for Junos OS Evolved Release 18.3R1. Do not attempt
to determine the hostname that corresponds to the IP address.
routing-instance routing-instance-name—(Optional) Name of the routing instance for the telnet attempt.
source source-address—(Optional) This option is not supported for Junos OS Evolved Release 18.3R1.
Source address of the telnet connection.
Additional Information
You can limit the number of times a user can attempt to enter a password while logging in through telnet.
To specify the number of times a user can attempt to enter a password to log in through telnet, include
the retry-options statement at the [edit system login] hierarchy level.
Output Fields
When you enter this command, you are provided feedback on the status of your request.
Sample Output
telnet
user@host> telnet 192.154.1.254
Trying 192.154.169.254...
Connected to level5.company.net.
Escape character is '^]'.
ttypa
login:
Release Information
Command introduced in Junos OS Release 9.1.
Description
Specify a profile to use to get information from a RADIUS server, which includes all the information from
the test access radius-server command.
Options
detail—(Optional) Show the RADIUS attributes returned by the server.
Output Fields
Table 85 on page 1611 lists the output fields for the test access profile command. Output fields are listed
in the approximate order in which they appear.
UDP Port—The RADIUS server port utilized during the authentication test.
Source Address—The source IP address of the client making the RADIUS request. If no address is shown,
it defaults to the address of the outgoing interface.
Secret—The shared secret used for authentication with the RADIUS server.
Status—The test result status (Accepted or Rejected) and the number of retransmits utilized during
authentication.
Attribute List—The list of returned RADIUS attributes, sorted by the attribute name, and including parameter
length and value. See your RADIUS server documentation for attribute descriptions.
Sample Output
test access profile
The following example uses the test access profile command to access and display basic information about
the RADIUS server(s) shown in the resulting output:
user@host> test access profile alpha user TEST password TEST detail
Test Radius Profile Access Detailed
Profile Name : alpha
Client Username : TEST
Client Password : TEST
Num Servers : 5
Radius Server List
IP Address : 1.2.3.4
UDP Port : 1812
Source Address : 192.168.10.10
Timeout : 2
Retry Count : 1
Secret : TEST
Status : Timeout
Attempts : 2
IP Address : 1.2.3.5
IP Address : 192.168.10.10
UDP Port : 1812
Source Address : Default
Timeout : 3
Retry Count : 3
Secret : TEST
Status : Accepted
Attempts : 1
Attribute List
Name Length Value
Class 52 SBR2CLͽ¾¿ðÕ¾¿
Acct-Interim-Interval 4 5
Callback-Id 12 123-456-789
Callback-Number 13 555-555-1212
Class 15 Class information
Filter-Id 4 999
Filter-Id 6 12345
Framed-Compression 4 0
Framed-IP-Address 4 1:2:3:4
Framed-IP-Netmask 4 255:255:255:255
Framed-IPv6-Route 15 1:2:3:4:5:6:7:8
Framed-MTU 4 1024
Framed-Pool 9 pool sbr
Framed-Protocol 4 1
Framed-Route 8 iproute
Framed-Routing 4 0
Vendor-Specific 11 583
Idle-Timeout 4 3
Vendor-Specific 10 a4c
Vendor-Specific 14 a4c
Login-IP-Host 4 10:1:1:1
Login-LAT-Group 10 lat group
Login-LAT-Node 9 lat node
Login-LAT-Port 9 lat port
test access radius-server address user username password password secret secret
<authentication-port port>
<retry number>
<source-address address>
<timeout number>
Release Information
Command introduced in Junos OS Release 9.1.
Description
Verify RADIUS server authentication parameters.
Options
address—RADIUS server under test IP address.
Output Fields
Table 86 on page 1617 lists the output fields for the test access radius-server command. Output fields are
listed in the approximate order in which they appear.
UDP port—The RADIUS server port utilized during the authentication test.
Source IP Address—“Default” is shown if the IP address is the same as that of the RADIUS server.
Alternatively, an IP address specified for authentication is shown.
Server retry count—The number of authentication attempts allowed by the RADIUS server.
Secret—The shared secret used for authentication with the RADIUS server.
Status—The test result status (Accepted or Rejected) and the number of retransmits utilized during
authentication.
Sample Output
test access radius-server user password secret
The following example command tests RADIUS authentication with a specific server (172.28.30.95), user
(JOHNDOE), secret (No1Knows), and password (JohnPass); and displays the resulting output:
user@host> test access radius-server 172.28.30.95 user JOHNDOE password JohnPass secret No1Knows
Secret : No1Knows
Client Username : JOHNDOE
Client Password : JohnPass
Status : Accepted, retransmits: 0