Configuring a Device Template

 

Device templates contain global parameters and workflows. Global parameters are a set of variables that can be customized easily.

Configuring Template Settings in a Device Template

To configure the device template settings:

  1. Select Resources > Device Template.

    The Device Templates page appears.

  2. Select the device template for which you want to configure the settings and then select Edit Device Template > Template Settings.

    The Template Settings page appears.

  3. Complete the configuration settings according to the guidelines in Table 1.

    The configurable settings supported and default values for different device templates are as follows:

  4. Click Save.

    The changes that you made to the device template are saved and you are returned to the Device Templates page. You can use the device template during the site addition workflow.

Table 1: Fields on the Template Settings Page for All Device Templates

| Field Name | Description | Applicable To (Device Templates) |
|---|---|---|
| **SSH Settings** | | |
| Prevent root login via SSH? | Specify whether root login (to the device) by using SSH should be allowed or not. | NFX250, NFX150, SRX4100, SRX4200 |
| Restrict SSH access to be from CSO only | Specify whether SSH access to the device should be restricted only to Contrail Service Orchestration (CSO) or not. | NFX250, NFX150, SRX4100, SRX4200 |
| Max number of SSH connections allowed at any time | Enter the maximum number of SSH connections allowed at any time. Range: 1 through 250. | NFX250, NFX150, SRX4100, SRX4200 |
| Max number of SSH connections allowed per minute | Enter the maximum number of SSH connections allowed per minute. Range: 1 through 250. | NFX250, NFX150, SRX4100, SRX4200 |
| Max number of sessions per SSH connection | Enter the maximum number of sessions allowed per SSH connection. Range: 1 through 250. | NFX250, NFX150, SRX4100, SRX4200 |
| **Policer Settings** | | |
| Bandwidth limit for ICMP traffic towards the device | Enter the bandwidth limit, in bits per second (bps), for Internet Control Message Protocol (ICMP) traffic towards the device. | NFX250 |
| Burst-size limit for ICMP traffic towards the device | Enter the burst-size limit, in bytes, for ICMP traffic towards the device. | NFX250 |
| Bandwidth limit for trace-route traffic towards the device | Enter the bandwidth limit, in bits per second (bps), for traceroute traffic towards the device. | NFX250 |
| Burst-size limit for trace-route traffic towards the device | Enter the burst-size limit, in bytes, for traceroute traffic towards the device. | NFX250 |
| Bandwidth limit for DHCP traffic towards the device | Enter the bandwidth limit, in bits per second (bps), for Dynamic Host Configuration Protocol (DHCP) traffic towards the device. | NFX250 |
| Burst-size limit for DHCP traffic towards the device | Enter the burst-size limit, in bytes, for DHCP traffic towards the device. | NFX250 |
| Bandwidth limit for DNS traffic towards the device | Enter the bandwidth limit, in bits per second (bps), for Domain Name System (DNS) traffic towards the device. | NFX250 |
| Burst-size limit for DNS traffic towards the device | Enter the burst-size limit, in bytes, for DNS traffic towards the device. | NFX250 |
| **Log Rotation Settings** | | |
| Max size (MB) for log files | Enter the maximum size, in megabytes (MB), of the log files stored on the device. | NFX250 |
| Max number of log files | Enter the maximum number of log files to be stored on the device at any time. | NFX250 |
| **Customer Parameters** | | NFX250 |
| S2_MODEL_HUGEPAGE_COUNT | Enter the number of 1-GB huge pages usable by the virtualized network functions (VNFs) on an NFX250-S2 device with a total memory of 32 GB. | NFX250 |
| ADSL_VPI | Enter the Virtual Path Identifier (VPI) setting to connect to the asymmetric digital subscriber line (ADSL) service provider. | NFX250 |
| ADSL_ENCAP | Enter the encapsulation that is used to connect to the ADSL service provider. | NFX250 |
| VNF_OAM_TRANSLATED_PORT_START | Enter the first port number that can be used to expose (by using port translation) a VNF Operation, Administration, and Maintenance (OAM) port on the gateway router OAM interface or the WAN interface. This setting is used in cases where the VNF does not have its own OAM IP address from the in-band OAM network. | NFX250 |
| ADSL_VCI | Enter the VCI (Virtual Channel Identifier) setting to connect to the ADSL service provider. | NFX250 |
| AUTO_INSTALL_LICENSE_TO_DEVICE | Specify whether licenses should be automatically installed on the device during the ZTP workflow or not. | NFX250 |
| AUTO_INSTALL_DEFAULT_TRUSTED_CERTS_TO_DEVICE | Specify whether the Junos OS default trusted certificates should be installed on the device during the ZTP workflow or not. | NFX250 |
| USE_SINGLE_SSH_TO_NFX | Specify whether to manage the NFX250 device and its components by using a single SSH connection between CSO and the NFX250 device. | NFX250 |
| ENC_ROOT_PASSWORD | Specify the Junos OS root password to be set on the device. The password that you type is masked and the password is encrypted and stored. | NFX250 |
| GWR_VSRX_IMAGE_LOCAL_FILE_PATH | Enter the local path of the vSRX image file present on the NFX250 device; this image file is used when the gateway router virtual machine (VM) is created. For example, `./var/third-party/images/*vsrx*-15.1X*.qcow2`. If this parameter is not set or if the file is not present on the NFX250 device, then a vSRX image with the filename specified in GWR_VSRX_IMAGE_CNAME_IN_CSO is downloaded from the CSO file server to the NFX250 device. | NFX250 |
| GWR_VSRX_IMAGE_CNAME_IN_CSO | Enter the name with which the vSRX image was uploaded into the Image Management Service in CSO. If the vSRX image file specified in GWR_VSRX_IMAGE_LOCAL_FILE_PATH is not present, then an image with the name specified is downloaded to the NFX250 device. | NFX250 |
| ACTIVATION_CODE_ENABLED | Specify whether an activation code must be specified to activate the device or not. | NFX250 |
| INTERNAL_OAM_SUBNET | Enter the IP address for the subnet that is used for internal OAM connectivity between various components of the NFX250 device. | NFX250 |
| AUTO_DEPLOY_STAGE2_CONFIG | Specify whether the stage-2 configuration should be automatically deployed on the device during the ZTP workflow. | NFX250 |
| OOB_MGMT_ENABLED | Specify whether the out-of-band (OOB) management port of the device is being used for management connectivity or not. If you enable this field, a default route must be available through the OOB interface. If you disable this field, there is no connectivity through the OOB management port of the device and the stage-1 configuration that is generated includes a static default route. | NFX250 |
| S1_MODEL_HUGEPAGE_COUNT | Enter the number of 1-GB huge pages usable by the VNFs on an NFX250-S1 device with a total memory of 16 GB. | NFX250 |
| CONTROL_LINK_PORT_NAME | Enter the physical port name for the control link connection for a dual CPE setup. | NFX250 |
| FAB_LINK_PORT_NAME | Enter the physical port name for fabric link connection for a dual CPE setup. | NFX250 |
| WAN_PORT_NAMES | Specify the mapping of the physical port names used for WAN side connectivity. | NFX250 |
| LAN_PORT_NAMES | Specify the mapping of the physical port names used for LAN side connectivity. | NFX250 |
| LAN_MEMBER_PORT_NAMES | Specify the physical ports on the dual CPE device that are used on the link aggregation group (LAG) interface connecting to the LAN-side switch. | NFX250 |
| GWR_CPU_PIN | Specify the physical CPUs to which the vCPUs of the vSRX (gateway router) should be pinned. Warning: We recommend that you do not modify the preconfigured CPU pinning values because these values are set based on Juniper's performance tests. | NFX250 |
| AUX_Subnets | Specify the IP subnets assigned to the three auxiliary ports on the gateway router to which VNFs can be attached. | NFX250 |
| LAN_Subnets | Specify the IP subnets assigned to the two LAN ports on the gateway router to which VNFs can be attached. | NFX250 |
| **Login Security Settings** | | |
| Login idle timeout (minutes) | Enter the time (in minutes) after which a session that is idle is timed out. | NFX250 |
| Login attempts before locking out | Enter the maximum number of unsuccessful login attempts allowed before the user account is locked. Range: 3 through 10. | NFX250 |
| Login lockout period in minutes | Enter the period (in minutes) for which the user account should be locked. Range: 1 through 43,200 minutes | NFX250 |
| Login backoff factor in seconds | Specify the delay (in seconds) after each failed login attempt, which increases for each subsequent login attempt after the specified login backoff threshold. Range: 5 through 10. | NFX250 |
| Login backoff threshold | Specify the threshold for the number of failed login attempts after which each subsequent login attempt is delayed by the time specified in the login backoff factor. Range: 1 through 3 | NFX250 |
| Maximum time to enter password in seconds | Enter the maximum time allowed (in seconds) to enter a password to log in to the device after entering your username. Range: 20 through 300 seconds. | NFX250 |
| Maintenance user account | Enter the username of the user account to be used for maintenance activities (for example, troubleshooting) on the device. | NFX250 |
| Login Announcement | Specify the system login announcement, which is displayed after a user successfully logs in to the device. | NFX250 |
| Login Message | Specify the system login message, which is displayed before a user logs in to the device. | NFX250 |

Table 2: Configurable Settings Supported (and Their Defaults) on MX Series Device Template

| Field Name | MX as SD-WAN Hub |
|---|---|
| AUTO_DEPLOY_STAGE2_CONFIG | Disabled |
| ZTP_ENABLED | Disabled |
| ACTIVATION_CODE_ENABLED | Disabled |
| OOB_OAM_Port | fxp0 |
| AUTO_INSTALL_LICENSE_TO_DEVICE | Disabled |
| WAN Port Names | WAN_0 ge-0/0/0, WAN_1 ge-0/0/1, WAN_2 ge-0/0/2, WAN_3 ge-0/0/3 |

Table 3: Configurable Settings Supported (and Their Defaults) on NFX250 Device Templates

Field Name

NFX250 as

Hybrid WAN CPE

NFX250 as

Managed Internet CPE

NFX250 as

Secure Internet CPE

NFX250 as

SD-WAN CPE

Dual NFX250 as

SD-WAN CPEs

SSH Settings     

Prevent root login

via SSH?

Disabled

Disabled

Restrict SSH access

to be from CSO only

Disabled

Disabled

Max number of

SSH connections allowed

at any time

50

50

Max number of

SSH connections allowed

per minute

50

50

Max number of

sessions per SSH

connection

50

50

Policer Settings     

Bandwidth limit for

ICMP traffic towards

the device

1m

1m

Burst-size limit for

ICMP traffic towards

the device

2k

2k

Bandwidth limit for

trace-route traffic towards

the device

1m

1m

Burst-size limit for

trace-route traffic towards

the device

15k

15k

Bandwidth limit for

DHCP traffic towards

the device

1m

1m

Burst-size limit for

DHCP traffic towards

the device

15k

15k

Bandwidth limit for

DNS traffic towards

the device

1m

1m

Burst-size limit for

DNS traffic towards

the device

15k

15k

Log Rotation Settings     

Max size (MB) for

log files

10

10

Max number of

log files

10

10

Customer Parameters     

S2_MODEL_

HUGEPAGE_COUNT

21

21

21

13

13

ADSL_VPI

8

8

ADSL_ENCAP

llcsnap-bridged

-802.1q

llcsnap-bridged

-802.1q

VNF_OAM_TRANSLATED

_PORT_START

49152

49152

49152

49152

49152

ADSL_VCI

36

36

AUTO_INSTALL_LICENSE

_TO_DEVICE

Disabled

Disabled

Disabled

Disabled

Disabled

AUTO_INSTALL_DEFAULT

_TRUSTED_CERTS_

TO_DEVICE

Enabled

Enabled

Enabled

Enabled

Enabled

USE_SINGLE_SSH

_TO_NFX

Enabled

Enabled

ENC_ROOT_PASSWORD

Specified

Specified

Specified

Specified

Specified

GWR_VSRX_IMAGE

_CNAME_IN_CSO

vsrx-vmdisk-

15.1.qcow2

vsrx-vmdisk-

15.1.qcow2

vsrx-vmdisk-

15.1.qcow2

vsrx-vmdisk-

15.1.qcow2

vsrx-vmdisk-

15.1.qcow2

ACTIVATION_CODE

_ENABLED

Enabled

Enabled

Enabled

Enabled

Enabled

GWR_VSRX_IMAGE

_LOCAL_FILE_PATH



Not Specified

Not Specified

Not Specified

Not Specified

Not Specified

INTERNAL_OAM_

SUBNET

10.10.10.0/24

10.10.10.0/24

10.10.10.0/24

10.10.10.0/24

10.10.10.0/24

AUTO_DEPLOY

_STAGE2_CONFIG

Disabled

Disabled

Disabled

Disabled

Disabled

OOB_MGMT_

ENABLED

Enabled

Enabled

Enabled

Enabled

Enabled

S1_MODEL

_HUGEPAGE_COUNT

9

9

9

9

9

CONTROL_LINK

_PORT_NAME

xe-0/0/12

FAB_LINK

_PORT_NAME

xe-0/0/13

WAN_PORT_NAMES

WAN_0 ge-0/0/8

WAN_1 ge-0/0/9

WAN_0 ge-0/0/8

WAN_0 ge-0/0/8

WAN_0 ge-0/0/10

WAN_1 ge-0/0/11

WAN_2 xe-0/0/12

WAN_3 xe-0/0/13

WAN_0 primary

ge-0/0/10

WAN_1 secondary

ge-0/0/10

WAN_2 primary

ge-0/0/11

WAN_3 secondary

ge-0/0/11

LAN_PORT_NAMES

LAN_0 ge-0/0/0

LAN_1 ge-0/0/1

LAN_2 ge-0/0/2

LAN_3 ge-0/0/3

LAN_4 ge-0/0/4

LAN_5 ge-0/0/5

LAN_6 ge-0/0/6

LAN_7 ge-0/0/7

LAN_8 ge-0/0/8

LAN_9 ge-0/0/9

LAN_MEMBER_PORT

_NAMES

LAN_0_0:

ge-0/0/0

LAN_0_1:

ge-0/0/1

LAN_0_2:

ge-0/0/2

LAN_0_3:

ge-0/0/3

LAN_0_4:

ge-0/0/4

LAN_0_5:

ge-0/0/5

LAN_0_6:

ge-0/0/6

LAN_0_7:

ge-0/0/7

LAN_0_8:

ge-0/0/8

LAN_0_9:

ge-0/0/9

GWR_CPU_PIN

nfx250_s2_10_t: 4, 10

nfx250_s1e: 4, 10

nfx250_10_t: 4,10

nfx250_ls1_10_t: 2,6

nfx250_att_s1_10_t: 4, 10

nfx250_att_ls1_10_t: 2,6

nfx250_att_s2_10_t: 4,10

nfx250_s2_10_t: 4, 10

nfx250_s1e: 4, 10

nfx250_10_t: 4,10

nfx250_ls1_10_t: 2,6

nfx250_att_s1_10_t: 4, 10

nfx250_att_ls1_10_t: 2,6

nfx250_att_s2_10_t: 4,10

nfx250_s2_10_t: 4, 10

nfx250_s1e: 4, 10

nfx250_10_t: 4,10

nfx250_ls1_10_t: 2,6

nfx250_att_s1_10_t: 4, 10

nfx250_att_ls1_10_t: 2,6

nfx250_att_s2_10_t: 4,10

nfx250_s2_10_t: 4, 10

nfx250_s1e: 4, 10

nfx250_10_t: 4,10

nfx250_ls1_10_t: 2,6

nfx250_att_s1_10_t: 4, 10

nfx250_att_ls1_10_t: 2,6

nfx250_att_s2_10_t: 4,10

nfx250_s2_10_t: 4, 10

nfx250_s1e: 4, 10

nfx250_10_t: 4,10

nfx250_ls1_10_t: 2,6

nfx250_att_s1_10_t: 4, 10

nfx250_att_ls1_10_t: 2,6

nfx250_att_s2_10_t: 4,10

AUX_Subnets

AUX_0 10.10.0.0/24

AUX_1 10.10.12.0/24

AUX_2 10.10.13.0/24

AUX_0 10.10.0.0/24

AUX_1 10.10.12.0/24

AUX_2 10.10.13.0/24

AUX_0 10.10.0.0/24

AUX_1 10.10.12.0/24

AUX_2 10.10.13.0/24

AUX_0 10.10.0.0/24

AUX_1 10.10.12.0/24

AUX_2 10.10.13.0/24

AUX_0 10.10.0.0/24

AUX_1 10.10.12.0/24

AUX_2 10.10.13.0/24

LAN_Subnets

LAN_0 10.10.1.0/24

LAN_1 10.10.2.0/24

LAN_0 10.10.1.0/24

LAN_1 10.10.2.0/24

LAN_0 10.10.1.0/24

LAN_1 10.10.2.0/24

LAN_0 10.10.1.0/24

LAN_1 10.10.2.0/24

LAN_0 10.10.1.0/24

LAN_1 10.10.2.0/24

Login Security

Settings
     

Login idle

timeout (minutes)

10

10

Login attempts before

locking out

3

3

Login lockout period

in minutes

5

5

Login backoff factor

in seconds

5

5

Login backoff threshold

2

2

Maximum time to enter

password in seconds

20

20

Maintenance user

account

juniper

juniper

Login Announcement

This system is

private property.

This system is

private property.

Login Message

Unauthorized access

will be reported.

Unauthorized access

will be reported.

Table 4: Configurable Settings Supported on NFX150 Device Templates

Field Name

NFX150 as Hybrid WAN CPE

NFX150 as Managed Internet CPE

NFX150 as Secure Internet CPE

NFX150 as SD-WAN CPE

VNF_OAM_TRANSLATED_PORT_START

49152

49152

49152

49152

AUTO_INSTALL_LICENSE_TO_DEVICE

Disabled

Disabled

Disabled

Disabled

ZTP_ENABLED

Enabled

Enabled

Enabled

Enabled

INTERNAL_OAM_SUBNET

10.10.10.0/24

10.10.10.0/24

10.10.10.0/24

10.10.10.0/24

ENC_ROOT_PASSWORD

Specified

Specified

Specified

Specified

ACTIVATION_CODE_ENABLED

Enabled

Enabled

Enabled

Enabled

AUTO_DEPLOY_STAGE2_CONFIG

Disabled

Disabled

Disabled

Disabled

USE_SINGLE_SSH_TO_NFX

Enabled

Enabled

ADSL_VPI

8

ADSL_ENCAP

llcsnap-bridged-802.1q

ADSL_VCI

36

WAN Port Names for SKU with single slot

WAN_0 ge-1/0/1 heth-0-4

WAN_1 ge-1/0/2 heth-0-5

WAN_2 ge-1/0/3 heth-0-2

WAN_3 ge-1/0/4 heth-0-3

WAN_0 ge-1/0/1 heth-0-4

WAN_1 ge-1/0/2 heth-0-5

WAN_2 ge-1/0/3 heth-0-2

WAN_3 ge-1/0/4 heth-0-3

WAN_0 ge-1/0/1 heth-0-4

WAN_1 ge-1/0/2 heth-0-5

WAN_2 ge-1/0/3 heth-0-2

WAN_3 ge-1/0/4 heth-0-3

WAN_0 ge-1/0/1 heth-0-4

WAN_1 ge-1/0/2 heth-0-5

WAN_2 ge-1/0/3 heth-0-2

WAN_3 ge-1/0/4 heth-0-3

WAN Port Names for SKU with EM-6T2SFP expansion module.

WAN_0 ge-1/0/1 heth-0-4

WAN_1 ge-1/0/2 heth-0-5

WAN_2 ge-1/0/3 heth-1-6

WAN_3 ge-1/0/4 heth-1-7

WAN_0 ge-1/0/1 heth-0-4

WAN_1 ge-1/0/2 heth-0-5

WAN_2 ge-1/0/3 heth-1-6

WAN_3 ge-1/0/4 heth-1-7

WAN_0 ge-1/0/1 heth-0-4

WAN_1 ge-1/0/2 heth-0-5

WAN_2 ge-1/0/3 heth-1-6

WAN_3 ge-1/0/4 heth-1-7

WAN_0 ge-1/0/1 heth-0-4

WAN_1 ge-1/0/2 heth-0-5

WAN_2 ge-1/0/3 heth-1-6

WAN_3 ge-1/0/4 heth-1-7

Table 5: Configurable Settings Supported on SRX Series Device Templates

Field Name

SRX as Managed Internet CPE

SRX as Hybrid WAN CPE

SRX as SD-WAN CPE

SRX as SD-WAN Hub

Dual SRX as SD-WAN CPEs

vSRX as SD-WAN spoke in AWS

AUTO_DEPLOY_STAGE2_CONFIG

Disabled

Disabled

Disabled

Disabled

Disabled

Disabled

ZTP_ENABLED

Enabled

Disabled

Enabled

Enabled

Disabled

PRE-STAGED-CPE

Disabled

ACTIVATION_CODE_ENABLED

Disabled

Disabled

Enabled

Enabled

Disabled

OOB_OAM_Port

fxp0

fxp0

fxp0

fxp0

ge-0/0/0

ENC_ROOT_PASSWORD

Specified

Specified

Specified

Specified

Specified

Specified

AUTO_INSTALL_LICENSE_TO_DEVICE

Disabled

Disabled

Disabled

Disabled

Disabled

Disabled

CLUSTER_OFFSET

5

WAN Port Names

WAN_0 ge-0/0/0

WAN_0 ge-0/0/0

WAN_1 ge-0/0/1

WAN_0 ge-0/0/0

WAN_1 ge-0/0/1

WAN_2 ge-0/0/2

WAN_3 ge-0/0/3

WAN_0 ge-0/0/0

WAN_1 ge-0/0/1

WAN_2 ge-0/0/2

WAN_3 ge-0/0/3

WAN_0 ge-0/0/3

WAN_1 ge-{{CLUSTER_OFFSET.value}}/0/3

WAN_2 ge-0/0/4

WAN_3 ge-{{CLUSTER_OFFSET.value}}/0/4

WAN_0 ge-0/0/0

WAN_1 ge-0/0/1

OAM CE Port Names

OAM_CE_0 ge-0/0/0

OAM_CE_1 ge-0/0/1

OAM_CE_2 ge-0/0/2

OAM_CE_3 ge-0/0/3

FAB Port Names

FAB_0 ge-0/0/2

FAB_1 ge-{{CLUSTER_OFFSET.value}}/0/2

LAN Port Names

LAN_0 ge-0/0/0

LAN_1 ge-0/0/1

LAN_2 ge-0/0/2

LAN_3 ge-0/0/3

LAN_4 ge-0/0/4

LAN_5 ge-0/0/5

LAN_6 ge-0/0/6

LAN_7 ge-0/0/7

LAN_8 ge-0/0/8

LAN_9 ge-0/0/9

LAN_10 ge-0/0/10

LAN_0_0 ge-0/0/7

LAN_0_1 ge-0/0/8

LAN_0_2 ge-0/0/9

LAN_0_3 ge-0/0/10

LAN_0 ge-0/0/0

LAN_1 ge-0/0/1

LAN_2 ge-0/0/2

LAN_3 ge-0/0/3

LAN_4 ge-0/0/4

LAN_5 ge-0/0/5

LAN_6 ge-0/0/6

LAN_7 ge-0/0/7

LAN_8 ge-0/0/8

LAN_9 ge-0/0/9

LAN_10 ge-0/0/10

RESERVED_MEMBER_PORT_NAMES

PORT_0_0 ge-0/0/5

PORT_0_1 ge-0/0/6

RESERVED_SUBNETS

NODE_0 10.10.12.0/24

NODE_1 10.10.13.0/24

AUTO_INSTALL_DEFAULT

_TRUSTED_CERTS_

TO_DEVICE

Enabled

AMI_vSRX_BYOL

Specified

Table 6: Configurable Settings Supported on SRX4x00 Series Device Templates

Field Name

SRX-4x00 as SD-WAN CPE

Dual SRX4x00 as SD-WAN CPEs

SSH Settings  

Prevent root login via SSH?

Disabled

Disabled

Restrict SSH access to be from CSO only

Disabled

Disabled

Max number of SSH connections allowed at any time

50

50

Max number of SSH connections allowed per minute

50

50

Max number of sessions per SSH connection

50

50

Policer Settings  

Bandwidth limit for ICMP traffic towards the device

1m

1m

Burst-size limit for ICMP traffic towards the device

2k

2k

Bandwidth limit for trace-route traffic towards the device

1m

1m

Burst-size limit for trace-route traffic towards the device

15k

15k

Bandwidth limit for DHCP traffic towards the device

1m

1m

Burst-size limit for DHCP traffic towards the device

15k

15k

Bandwidth limit for DNS traffic towards the device

1m

1m

Burst-size limit for DNS traffic towards the device

15k

15k

Log Rotation Settings  

Max size (MB) for log files

10

10

Max number of log files

10

10

Feature Level Access Settings  

Allow TACACS access

Disabled

Disabled

Customer Parameters  

AUTO_INSTALL_LICENSE_TO_DEVICE

Disabled

Disabled

AUTO_INSTALL_DEFAULT_TRUSTED_CERTS_TO_DEVICE

Enabled

Enabled

ZTP_ENABLED

Disabled

Disabled

ENC_ROOT_PASSWORD

Specified

Specified

ACTIVATION_CODE_ENABLED

Disabled

Disabled

CLUSTER_OFFSET

7

AUTO_DEPLOY_STAGE2_CONFIG

Disabled

Disabled

OOB_OAM_PORT

fxp0

fxp0

MAX_DVPN_TUNNELS_ON_SITE  

srx

600

600

default-value

600

600

vsrx

600

600

WAN_PORT_NAMES  

WAN_0

xe-0/0/0

xe-0/0/0

WAN_1

xe-0/0/1

xe-{{CLUSTER_OFFSET.value}}/0/0

WAN_2

xe-0/0/2

xe-0/0/1

WAN_3

xe-0/0/3

xe-{{CLUSTER_OFFSET.value}}/0/1

MIN_DVPN_TUNNELS_TO_START_DEACTIVATE  

srx

200

200

default-value

200

200

vsrx

200

200

LAN_PORT_NAMES  

LAN_0

LAN_1

LAN_2

LAN_3

LAN_4

LAN_5

LAN_6

LAN_7

xe-0/0/0

xe-0/0/1

xe-0/0/2

xe-0/0/3

xe-0/0/4

xe-0/0/5

xe-0/0/6

xe-0/0/7

LAN_0_0— xe-0/0/2

LAN_0_1— xe-0/0/3

LAN_0_2— xe-0/0/4

LAN_0_3— xe-0/0/5

Login Security Settings  

Idle timeout (minutes)

10

10

Attempts before locking out

3

3

Lockout period in minutes

5

5

Backoff factor in seconds

5

5

Backoff threshold

2

2

Maximum time to enter password in seconds

20

20

Maintenance user account

juniper

juniper

Announcement

This system is private property.

This system is private property.

Message

Unauthorzied access will be reported.

Unauthorzied access will be reported.

RESERVED_MEMBER_PORT_NAMES  

PORT_0_1

xe-0/0/7

PORT_0_0

xe-0/0/6

RESERVED_SUBNETS  

NODE_1

10.10.13.0/24

NODE_0

10.10.12.0/24

Table 7: Fields on the Template Settings Page

| Name | Description |
|---|---|
| **Customer Parameters** | |
| AUTO_DEPLOY_STAGE2_CONFIG | Specify whether to automatically deploy stage-2 configuration at the end of the Zero Touch Provisioning (ZTP) workflow. Example: Enabled |
| ZTP_ENABLED | Specify whether to enable ZTP for the device. Note: This option is supported on SRX Series Services Gateways only. Example: Enabled |
| PRE_STAGED_CPE | Specify whether the CPE device is pre-staged with WAN configuration. Note: This option is supported on SRX Series Services Gateways only. Example: Enabled |
| ACTIVATION_CODE_ENABLED | Specify whether the customer must use an activation code to activate the CPE device. Example: Enabled |
| OOB_OAM_Port | Specify the name of the port used for out-of-band Operation, Administration, and Maintenance (OAM) traffic. This port is used in deployments where OAM and data traffic are on separate physical ports. Note: This option is supported on SRX Series Services Gateways only. Example: fxp0 |
| S2_MODEL_HUGEPAGE_COUNT | Specify the number of 1-GB huge pages to be used by the VNFs on an NFX250-S2 device with a total memory of 32 GB. Example: 21 |
| USE_SINGLE_SSH_TO_NFX | Specify whether to enable device-initiated connections (outbound SSH) with port-forwarding capability. Port forwarding enables Contrail Service Orchestration to manage an NFX250 device through a single IP address. Example: Enabled |
| S1_MODEL_HUGEPAGE_COUNT | Specify the number of 1-GB huge pages to be used by the VNFs on an NFX250-S1 device with a total memory of 16 GB. Example: 21 |
| VNF_OAM_TRANSLATED_PORT_START | Specify the first port number that can be used to expose a port on the gateway router’s OAM or WAN interface through port translation. Use this option in cases where the VNF does not have its own OAM IP address from the in-band OAM network. |
| ENC_ROOT_PASSWORD | Specify the Junos OS root password to be set on an NFX250 device. Example: `*****************` |
| WAN Port Names | Specify the mapping of Junos OS interface descriptors for the hardware ports. The RJ-45 port is the default port for the NFX250 device. You can change the default port if you want to use a different type of connector, such as SFP. |
| GWR_LAN_PORT | Specify the mapping of the gateway router’s LAN port names to the corresponding front panel physical port names on the NFX250 device. Currently, the logical ports are created on the ge-0/0/4 interface. |
| JCP_LAN_PORT_NAMES | Specify the port names from LAN_0 through LAN_9. |
| GWR_LAN_PORT_NAMES | Specify the port names from LAN_0 through LAN_9. |
| LAN_PORT_NAMES | Specify the port names from LAN_0 through LAN_10. |
| CONTROL_LINK_PORT_NAME | Enter the physical port name for control link connection. Example: xe-0/0/12 |
| FAB_LINK_PORT_NAME | Enter the physical port name for fabric link connection. Example: xe-0/0/13 |
| OOB_MGMT_ENABLED | Specify whether to use the out-of-band (OOB) management port of the device for management connectivity. If the field is enabled, a default route will be available through this interface. If the field is disabled, there is no connectivity through the OOB management port of the device and the stage-1 configuration that is generated will include a static default route. |
| AUTO_INSTALL_LICENSE_TO_DEVICE | Click the toggle button to enable automatic installation of the license on the CPE device at the end of the ZTP workflow. |
| GWR_VSRX_IMAGE_LOCAL_FILE_PATH | Enter the local path of the vSRX image that is installed on the NFX250 device. The image file is required when the gateway router VM is created. If this parameter is not set, or if the file is not present on the NFX250 device, then a vSRX image is downloaded from the CSO file server to the NFX250 device. Example: `./var/third-party/images/*vsrx*-15.1X*.qcow2` |
| GWR_VSRX_IMAGE_CNAME_IN_CSO | Enter the name of the vSRX image uploaded into the Image Management Service in CSO. When creating the gateway VM, if the vSRX image file is not present locally, then the image with this name is downloaded to the NFX250 device. |
| INTERNAL_OAM_SUBNET | Enter the IP address for the subnet that is used for internal OAM. |
| ADSL_VPI | Enter the Virtual Path Identifier (VPI) setting to connect to the ADSL service provider through PPPoE. Example: 8 |
| ADSL_ENCAP | Enter the encapsulation that is used to connect to the ADSL service provider through PPPoE. Example: llcsnap-bridged-802.1q |
| ADSL_VCI | Enter the VCI (Virtual Channel Identifier) setting to connect to the ADSL service provider through PPPoE. Example: 36 |
| DSL_VLAN | Enter the reserved internal VLAN ID to be used as the native-vlan-id on xDSL ports to ensure that untagged control frames are processed. Example: 4087 |
| CLUSTER_OFFSET | Enter the cluster slot number for the designated secondary node. |

Table 8: Fields on the Template Settings Page for SRX4100 and SRX4200 Device Templates

Field Name

Description

SSH Settings 

Prevent root login via SSH?

Click the toggle button to enable root login through SSH. Root login through SSH is disabled by default.

Restrict SSH access to be from CSO only

Click the toggle button to restrict SSH access only to connections from Contrail Service Orchestration (CSO).

Default: Disabled

Max number of SSH connections allowed at any time

Enter the maximum number of concurrent SSH connections to be allowed.

Range: 1 through 250

Default: 50

Max number of SSH connections allowed per minute

Enter the maximum number of SSH connections allowed per minute.

Range: 1 through 250

Default: 50

Max number of sessions per SSH connection

Enter the maximum number of sessions per SSH connection.

Range: 1 through 65535

Default: 50

Policer Settings 

Bandwidth limit for ICMP traffic towards the device

Enter the bandwidth limit, in bits per second (bps), for Internet Control Message Protocol (ICMP) traffic towards the device.

Default: 1m

Burst-size limit for ICMP traffic towards the device

Enter the burst-size limit, in bytes, for ICMP traffic towards the device.

Default: 2k

Bandwidth limit for trace-route traffic towards the device

Enter the bandwidth limit, in bits per second (bps), for traceroute traffic towards the device.

Default: 1m

Burst-size limit for trace-route traffic towards the device

Enter the burst-size limit, in bytes, for traceroute traffic towards the device.

Default: 15k

Bandwidth limit for DHCP traffic towards the device

Enter the bandwidth limit, in bits per second (bps), for Dynamic Host Configuration Protocol (DHCP) traffic towards the device.

Default: 1m

Burst-size limit for DHCP traffic towards the device

Enter the bandwidth limit, in bits per second (bps), for DHCP traffic towards the device.

Default: 15k

Bandwidth limit for DNS traffic towards the device

Enter the bandwidth limit, in bits per second (bps), for Domain Name System (DNS) traffic towards the device.

Default: 1m

Burst-size limit for DNS traffic towards the device

Enter the burst-size limit, in bytes, for (DNS) traffic towards the device.

Default: 15k

Log Rotation Settings 

Max size (MB) for log files

Enter the maximum size of the log file, in megabytes (MB).

Default: 10

Max number of log files

Enter the maximum number of log files.

Default: 10

Feature Level Access Settings

Allow TACACS access

Click the toggle button to enable TACACS communication. By default, TACACS communication is disabled.

Customer Parameters 

AUTO_INSTALL_LICENSE_TO_DEVICE

Click the toggle button to enable automatic installation of the license file on the CPE device when the ZTP workflow ends.

Default: Disabled

AUTO_INSTALL_DEFAULT_TRUSTED_CERTS_TO_DEVICE

Click the toggle button to disable automatic installation of default trusted certificates on the CPE device when the ZTP workflow ends.

Default: Enabled

ZTP_ENABLED

Specify whether to enable ZTP for the device.

ENC_ROOT_PASSWORD

Specify the Junos OS-encrypted root password to be set on the CPE device.

ACTIVATION_CODE_ENABLED

Click the toggle button to enable the tenant to use an activation code to activate the CPE device.

Default: Disabled

CLUSTER_OFFSET

Enter the cluster slot number for designated secondary node.

AUTO_DEPLOY_STAGE2_CONFIG

Click the toggle button to enable automatic deployment of stage-2 configuration when the ZTP workflow ends.

Default: Disabled

OOB_OAM_PORT

Enter the port number for out-of-band Operation, Administration, and Maintenance (OAM) traffic on SRX Series Services Gateways. This port is used in deployments where OAM and data traffic are on separate physical ports.

Note: This option is supported on SRX Series Services Gateways only.

Default: fxp0

MAX_DVPN_TUNNELS_ON_SITE

Enter the maximum number of Dynamic Virtual Private Network (DVPN) tunnels that are allowed at the tenant site.

  • srx

  • default-value

  • vsrx

MIN_DVPN_TUNNELS_TO_START_DEACTIVATE

Enter the minimum number of Dynamic Virtual Private Network (DVPN) tunnels required at the tenant site.

  • srx

  • default-value

  • vsrx

WAN_PORT_NAMES

Specify the mapping of the physical port names used for NFX250 WAN side connectivity.

WAN_0

WAN_1

WAN_2

WAN_3

WAN_MEMBER_PORT_NAMES

WAN_0

WAN_1

WAN_2

WAN_3

LAN_PORT_NAMES

LAN_0— xe-0/0/0

LAN_1— xe-0/0/1

LAN_2— xe-0/0/2

LAN_3— xe-0/0/3

LAN_4— xe-0/0/4

LAN_5— xe-0/0/5

LAN_6— xe-0/0/6

LAN_7— xe-0/0/7

LAN_MEMBER_PORT_NAMES

LAN_0_0— xe-0/0/2

LAN_0_1— xe-0/0/3

LAN_0_2— xe-0/0/4

LAN_0_3— xe-0/0/5

Login Security Settings 

Idle timeout (minutes)

Enter the maximum time (in minutes) that a session can be idle before the user is logged out of the system.

Attempts before locking out

Enter the maximum number of unsuccessful login attempts allowed before the account is locked.

Range: 3 to 10

Lockout period in minutes

Enter the number of minutes an account must remain locked after the maximum number of unsuccessful login attempts.

Range: 1 to 43,200

Backoff factor in seconds

Enter the length of delay (in seconds) after each failed login attempt. The length of delay increases by this value for each subsequent login attempt after the value specified in the backoff-threshold option.

Range: 5 to 10

Backoff threshold

Enter the threshold for the number of failed login attempts before the user experiences a delay when attempting to reenter a password.

Range: 1 to 3

Maximum time to enter password in seconds

Enter the number of seconds that a connection remains open for the user to enter a username and password to log in.

Range: 20 to 300.

Maintenance user account

Announcement

Enter the login banner announcement when logging in.

Message

Enter the login banner message when logging in.

RESERVED_MEMBER_PORT_NAMES

Enter the port names of the two 1-Gigabit Ethernet/10-Gigabit Ethernet ports,( CTL (control port) and FAB (fabric port)) to be used for synchronizing data and maintaining state information in a chassis cluster setup.

Default:

  • PORT_0_0— xe-0/0/6

  • PORT_0_1— xe-0/0/7

RESERVED_SUBNETS

Enter the IP address of reserved subnets.

Default:

  • NODE_0— 10.10.12.0/24

  • NODE_1— 10.10.13.0/24
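The Login Security Settings fields in the table above work together: the backoff threshold and backoff factor slow repeated failures, and the attempt limit and lockout period cap them. The following Python code is an added example, not part of CSO or of the original documentation; it checks a set of values against the documented ranges and estimates how many password guesses one account can receive in 24 hours. The dictionary keys and the delay model described in the comments are assumptions.

```python
# Added example: ranges copied from the Login Security Settings rows above.
# The dictionary keys are hypothetical names, not CSO field identifiers.
RANGES = {
    "attempts_before_lockout": (3, 10),
    "lockout_period_min": (1, 43200),
    "backoff_factor_s": (5, 10),
    "backoff_threshold": (1, 3),
    "password_entry_timeout_s": (20, 300),
}

def validate(settings):
    """Return one error string per value outside its documented range."""
    errors = []
    for name, (lo, hi) in RANGES.items():
        value = settings.get(name)
        if type(value) is not int or not lo <= value <= hi:
            errors.append(f"{name}={value!r} is outside {lo}..{hi}")
    return errors

def backoff_delays(settings):
    """Delay in seconds after each failed attempt, up to the lockout."""
    # Assumed model: no delay before the threshold; the delay equals the
    # backoff factor at the threshold and grows by the factor afterwards.
    factor = settings["backoff_factor_s"]
    threshold = settings["backoff_threshold"]
    attempts = settings["attempts_before_lockout"]
    return [max(0, n - threshold + 1) * factor for n in range(1, attempts + 1)]

def guesses_in_window(settings, window_s=86400):
    """Upper bound on password guesses against one account in window_s."""
    errors = validate(settings)
    if errors:
        raise ValueError("; ".join(errors))
    delays = backoff_delays(settings)
    # Assumption: the failure that triggers the lockout waits for whichever
    # is longer, the backoff delay or the lockout period.
    delays[-1] = max(delays[-1], settings["lockout_period_min"] * 60)
    elapsed = guesses = 0
    while elapsed < window_s:
        for delay in delays:
            if elapsed >= window_s:
                break
            guesses += 1
            elapsed += delay
    return guesses

# Constructed sample settings: a permissive and a tighter combination.
PERMISSIVE = {"attempts_before_lockout": 10, "lockout_period_min": 1, "backoff_factor_s": 5, "backoff_threshold": 3, "password_entry_timeout_s": 300}
TIGHT = {"attempts_before_lockout": 3, "lockout_period_min": 30, "backoff_factor_s": 10, "backoff_threshold": 1, "password_entry_timeout_s": 20}
```

Under this model the permissive values allow 4320 guesses per account per day and the tighter values allow 144, which shows how much of the protection comes from the lockout period rather than from the backoff delay.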

Updating Stage-2 Configuration Template in a Device Template

Each device template has a set of configuration templates that can be used to deploy additional configuration on to the CPE device after it is activated. These templates are known as stage-2 configuration templates. You can add or remove stage-2 configuration templates from a device template.

Note

By default, the CPE device configuration is not supported on the CPE device. If you need the CPE device configuration, then you must configure it through stage-2 configuration in the device templates.

To add a stage-2 configuration template:

  1. Select Resources > Device Template.

    The Device Templates page appears.

  2. Select a device template for which you want to add the stage-2 configuration and select Edit Device Template > Stage-2 Config Templates.

    The Stage-2 Configuration Templates page appears. Table 9 lists the fields (and their descriptions) on the Stage-2 Configuration Templates page.

  3. Click the add icon (+) and complete the configuration settings according to the guidelines provided in Table 10.

  4. Click Save.

    The new stage-2 configuration template is included in the device template.

Table 9: Fields on the Stage-2 Configuration Templates Page

Name

Description

Name

View the name of the stage-2 configuration template.

Example: LAN side config

Component Name

View the name of the component through which the settings are configured. The components that are currently supported are:

  • JUNOS—Supported only on SRX Series Services Gateway.

  • Juniper Device Manager (JDM)—Supported on NFX250 device. JDM is a Linux container that manages software components.

  • Juniper Control Plane (JCP)—Supported on NFX250 device. JCP is the Junos VM running on the hypervisor. Administrators can use JCP to configure the network ports of the NFX250 device. JCP is used to configure the switching and routing function on the NFX250 device.

  • Gateway Router (GWR)—Supported on NFX250 device. vSRX as a gateway provides the same capabilities as Juniper Networks SRX Series Services Gateways in a virtual form factor, providing perimeter security, IPsec connectivity, and filtering for malicious traffic without sacrificing reliability, visibility, or policy control. This virtual security and routing appliance ensures reliability and high availability for each application.

Example: JUNOS

Hide

Displays whether the template is hidden on Customer Portal.

  • true—Template is not visible on Customer Portal.

  • false—Template is visible on Customer Portal.

Example: false

Copy input from

Displays the template from which you copied the settings.

Auto Deploy

Displays whether the stage-2 configuration is automatically pushed to the device during the ZTP process.

Enable for

Displays whether the stage-2 configuration template is enabled for all tenants, no tenants, or specific tenants.

Table 10: Fields on the Add New Template Page

Name

Description

Template

Select the configuration template from the drop-down list. The configuration templates are designed in the Configuration Designer tool.

Example: srx-basic-sdwan-cpe-config

Display Name

Specify the name of the template that you want to display on the configuration interface.

Example: SDWAN Config

Component Name

Specify the component name through which the settings are configured. The components that are currently supported are:

  • JUNOS—Supported on SRX Series Services Gateway.

  • Juniper Device Manager (JDM)—Supported on NFX250 device. JDM is a Linux container that manages software components.

  • Juniper Control Plane (JCP)—Supported on NFX250 device. JCP is the Junos VM running on the hypervisor. Administrators can use JCP to configure the network ports of the NFX250 device. JCP is used to configure the switching and routing function on the NFX250 device.

  • Gateway Router (GWR)—Supported on NFX250 device. vSRX as a gateway provides the same capabilities as Juniper Networks SRX Series Services Gateways in a virtual form factor, providing perimeter security, IPsec connectivity, and filtering for malicious traffic without sacrificing reliability, visibility, or policy control. This virtual security and routing appliance ensures reliability and high availability for each application.

Example: JUNOS

Hide

Specify whether you want to hide the configuration template on Customer Portal. You might want to choose to hide the template if you are reusing the template for multiple components.

  • hide—White dot on right with blue background.

  • show—White dot on left with gray background.

Example: hide

Copy From Template

If you have chosen to hide the configuration template on the user interface, then specify the template from which you want to copy the settings.

Example: srx-mis-lan-to-wan-config

Auto Deploy

Specify whether the stage-2 configuration must be automatically pushed to the device during the ZTP process. The available options are:

  • Same as global settings

  • Yes

  • No

Enabled for

You can enable the stage-2 configuration template for all tenants, specific tenants, an SP administrator or an OpCo administrator.

Note: Only users with SP administrator or OpCo administrator role can enable stage-2 configuration templates.

The available options are:

  • All Tenants—Select this option to enable stage-2 configuration template for all tenants. Both SP and OpCo administrators can view templates for all tenants by switching the scope to the specific tenant. By default, stage-2 configuration templates assigned to all tenants are automatically applied to any new tenant.

  • No Tenants—Select this option to enable stage-2 configuration template for an SP administrator or an OpCo administrator. An SP administrator can modify the stage-2 configuration template. An OpCo administrator cannot modify the stage-2 configuration template. However, an OpCo administrator can clone the stage-2 configuration template and then modify the template.

  • Selective Tenants—Select this option to enable stage-2 configuration template for specific tenants. A tenant administrator can view and manage stage-2 template for a specific tenant.

    When you select the Selective Tenants option, the Tenants section is displayed.

    Select one or more tenants. Click the greater-than icon (>) to move the selected tenant or tenants from the Available column to the Selected column. You can use the search icon on the top right of each column to search for tenant names.

The default option is All Tenants.

To remove a stage-2 configuration template:

  1. Select Resources > Device Templates.

    The Device Templates page appears.

  2. Select the device template for which you want to remove the stage-2 configuration and then select Edit Device Template > Stage-2 Config Templates.

    The Stage-2 Config Templates page appears.

  3. Select a configuration template and click the delete icon (X).

    A page requesting confirmation for the deletion appears.

  4. Click Yes to confirm that you want to delete the stage-2 configuration template.

    The configuration template is deleted.

Configuring Stage-2 Initial Configuration in a Device Template

In general, the tenant administrators initiate stage-2 configuration through Customer Portal. However, in certain cases, the same stage-2 configuration needs to be deployed to CPE devices in all sites that are activated using a specific device template. In such cases, you can attach an initial configuration to a stage-2 configuration template of a device template. When a new CPE device in the site is activated using the device template, the initial configuration is automatically deployed to the CPE device.

The following initial configurations are supported:

  • Policies configuration

  • LAN configuration

  • SD-WAN configuration

  • Routing configuration

  • APN configuration

To update an initial configuration for stage-2 configuration template:

  1. Select Resources > Device Templates.

    The Device Templates page appears.

  2. Select the device template for which you want to configure the stage-2 configuration and then select Edit Device Template > Stage-2 Initial Config.

    The Stage-2 Initial Configuration page appears, listing the existing settings.

  3. Complete the configuration settings according to the guidelines provided in Table 11, Table 12, Table 13, and Table 14.

  4. Click Ok.

Table 11: Fields for the VLAN Settings on the Stage-2 Initial Configuration Page

Field

Description

VLAN ID

Specify the identifier for the Layer 2 VLAN for the CPE device.

Example: 230

IRB IP Prefix

Specify the IP address, including the subnet prefix, and the integrated routing and bridging (IRB) interface on the CPE device.

Example: 192.0.2.15/24

LAN Ports

Specify the LAN ports on the CPE device.

Example: ge-0/0/0

Table 12: Fields for the LAN Settings on the Stage-2 Initial Configuration Page

Field

Description

LAN port

Specify the LAN ports on the CPE device.

Example: ge-0/0/0

IP Address

Specify the IP address on the CPE device.

Example: 192.0.2.255

Table 13: Fields for the SRX Basic SD-WAN Settings on the Stage-2 Initial Configuration Page

Field

Description

Manage App Group

Click to manage the application groups. The application group is predefined in the system for all SRX Series and vSRX configuration settings. The settings are preloaded and displayed on the portal. You can also create new application groups.

Manage App SLA Profile

Click to manage the application service-level agreements (SLA) profiles.

Rule Name

Specify the rule name.

Example: critical-apps

Application/Groups

Specify the applications or application groups for the rule.

Example: Oracle, SAP

Application SLA Profile

Specify the application SLA profile for the rule.

Example: critical-apps

Table 14: Fields for the APN Configuration Settings on the Stage-2 Initial Configuration Page

Field

Description

Use default APN settings

If this field is enabled (default), then the CPE device uses the default APN setting that is shipped along with the device.

If this field is disabled, then you can configure APN settings.

APN Settings 

APN Name

Enter the access point name (APN) of the gateway router. The name can contain alphanumeric characters and special characters.

SIM Change Required

You can change the SIM card on the CPE device either to use a different LTE service provider or to use a private APN with the current LTE service provider.

  • Enabled—You can change the SIM card on the device and configure the different APN settings for the new SIM card. This option is enabled by default.

  • Disabled—You use the default APN settings that are shipped with the CPE device.

Authentication Method

Select the authentication method for the APN configuration.

  • PAP—Select to use Password Authentication Protocol (PAP) authentication. This is the default option.

  • CHAP—Select to use Challenge Handshake Authentication Protocol (CHAP) authentication.

  • None—Select to indicate that there is no authentication method.

Authentication Information 

SIP User ID

Enter the Session Initiation Protocol (SIP) user ID for authentication if you have selected the APN authentication method as either PAP or CHAP.

SIP Password

Enter the SIP password for authentication if you have selected the APN authentication method as either PAP or CHAP.

The password must contain mixed case alphanumeric characters and special characters. The password must be six characters or more.