Configuring a Device Template
Device templates contain global parameters and workflows. Global parameters are a set of variables that can be customized easily.
Configuring Template Settings in a Device Template
To configure the device template settings:
- Select Resources > Device Template.
The Device Templates page appears.
- Select the device template for which you want to configure the settings and then select Edit Device Template > Template Settings.
The Template Settings page appears.
- Complete the configuration settings according to the guidelines in Table 1.
The configurable settings supported and default values for different device templates are as follows:
- Click Save.
The changes that you made to the device template are saved and you are returned to the Device Templates page. You can use the device template during the site addition workflow.
Table 1: Fields on the Template Settings Page for All Device Templates
Field Name | Description | Applicable To (Device Templates) |
---|---|---|
SSH Settings | ||
Prevent root login via SSH? | Specify whether root login (to the device) by using SSH should be allowed or not. | NFX250 NFX150 SRX4100 SRX4200 |
Restrict SSH access to be from CSO only | Specify whether SSH access to the device should be restricted only to Contrail Service Orchestration (CSO) or not. | NFX250 NFX150 SRX4100 SRX4200 |
Max number of SSH connections allowed at any time | Enter the maximum number of SSH connections allowed at any time. Range: 1 through 250. | NFX250 NFX150 SRX4100 SRX4200 |
Max number of SSH connections allowed per minute | Enter the maximum number of SSH connections allowed per minute. Range: 1 through 250. | NFX250 NFX150 SRX4100 SRX4200 |
Max number of sessions per SSH connection | Enter the maximum number of sessions allowed per SSH connection. Range: 1 through 250. | NFX250 NFX150 SRX4100 SRX4200 |
Policer Settings | ||
Bandwidth limit for ICMP traffic towards the device | Enter the bandwidth limit, in bits per second (bps), for Internet Control Message Protocol (ICMP) traffic towards the device. | NFX250 |
Burst-size limit for ICMP traffic towards the device | Enter the burst-size limit, in bytes, for ICMP traffic towards the device. | NFX250 |
Bandwidth limit for trace-route traffic towards the device | Enter the bandwidth limit, in bits per second (bps), for traceroute traffic towards the device. | NFX250 |
Burst-size limit for trace-route traffic towards the device | Enter the burst-size limit, in bytes, for traceroute traffic towards the device. | NFX250 |
Bandwidth limit for DHCP traffic towards the device | Enter the bandwidth limit, in bits per second (bps), for Dynamic Host Configuration Protocol (DHCP) traffic towards the device. | NFX250 |
Burst-size limit for DHCP traffic towards the device | Enter the burst-size limit, in bytes, for DHCP traffic towards the device. | NFX250 |
Bandwidth limit for DNS traffic towards the device | Enter the bandwidth limit, in bits per second (bps), for Domain Name System (DNS) traffic towards the device. | NFX250 |
Burst-size limit for DNS traffic towards the device | Enter the burst-size limit, in bytes, for DNS traffic towards the device. | NFX250 |
Log Rotation Settings | ||
Max size (MB) for log files | Enter the maximum size, in megabytes (MB), of the log files stored on the device. | NFX250 |
Max number of log files | Enter the maximum number of log files to be stored on the device at any time. | NFX250 |
Customer Parameters | NFX250 | |
S2_MODEL_HUGEPAGE_COUNT | Enter the number of 1-GB huge pages usable by the virtualized network functions (VNFs) on an NFX250-S2 device with a total memory of 32 GB. | NFX250 |
ADSL_VPI | Enter the Virtual Path Identifier (VPI) setting to connect to the asymmetric digital subscriber line (ADSL) service provider. | NFX250 |
ADSL_ENCAP | Enter the encapsulation that is used to connect to the ADSL service provider. | NFX250 |
VNF_OAM_TRANSLATED_PORT_START | Enter the first port number that can be used to expose (by using port translation) a VNF Operation, Administration, and Maintenance (OAM) port on the gateway router OAM interface or the WAN interface. This setting is used in cases where the VNF does not have its own OAM IP address from the in-band OAM network. | NFX250 |
ADSL_VCI | Enter the VCI (Virtual Channel Identifier) setting to connect to the ADSL service provider. | NFX250 |
AUTO_INSTALL_LICENSE_TO_DEVICE | Specify whether licenses should be automatically installed on the device during the ZTP workflow or not. | NFX250 |
AUTO_INSTALL_DEFAULT_TRUSTED_CERTS_ | Specify whether the Junos OS default trusted certificates should be installed on the device during the ZTP workflow or not. | NFX250 |
USE_SINGLE_SSH_TO_NFX | Specify whether to manage the NFX250 device and its components by using a single SSH connection between CSO and the NFX250 device. | NFX250 |
ENC_ROOT_PASSWORD | Specify the Junos OS root password to be set on the device. The password that you type is masked and the password is encrypted and stored. | NFX250 |
GWR_VSRX_IMAGE_LOCAL_FILE_PATH | Enter the local path of the vSRX image file present on the NFX250 device; this image file is used when the gateway router virtual machine (VM) is created. For example, | NFX250 |
GWR_VSRX_IMAGE_CNAME_IN_CSO | Enter the name with which the vSRX image was uploaded into the Image Management Service in CSO. If the vSRX image file specified in GWR_VSRX_IMAGE_LOCAL_FILE_PATH is not present, then an image with the name specified is downloaded to the NFX250 device. | NFX250 |
ACTIVATION_CODE_ENABLED | Specify whether an activation code must be specified to activate the device or not. | NFX250 |
INTERNAL_OAM_SUBNET | Enter the IP address for the subnet that is used for internal OAM connectivity between various components of the NFX250 device. | NFX250 |
AUTO_DEPLOY_STAGE2_CONFIG | Specify whether the stage-2 configuration should be automatically deployed on the device during the ZTP workflow. | NFX250 |
OOB_MGMT_ENABLED | Specify whether the out-of-band (OOB) management port of the device is being used for management connectivity or not. If you enable this field, a default route must be available through the OOB interface. If you disable this field, there is no connectivity through the OOB management port of the device and the stage-1 configuration that is generated includes a static default route. | NFX250 |
S1_MODEL_HUGEPAGE_COUNT | Enter the number of 1-GB huge pages usable by the VNFs on an NFX250-S1 device with a total memory of 16 GB. | NFX250 |
CONTROL_LINK_PORT_NAME | Enter the physical port name for the control link connection for a dual CPE setup. | NFX250 |
FAB_LINK_PORT_NAME | Enter the physical port name for fabric link connection for a dual CPE setup. | NFX250 |
WAN_PORT_NAMES | Specify the mapping of the physical port names used for WAN-side connectivity. | NFX250 |
LAN_PORT_NAMES | Specify the mapping of the physical port names used for LAN-side connectivity. | NFX250 |
LAN_MEMBER_PORT_NAMES | Specify the physical ports on the dual CPE device that are used on the link aggregation group (LAG) interface connecting to the LAN-side switch. | NFX250 |
GWR_CPU_PIN | Specify the physical CPUs to which the vCPUs of the vSRX (gateway router) should be pinned. Warning: We recommend that you do not modify the preconfigured CPU pinning values because these values are set based on Juniper's performance tests. | NFX250 |
AUX_Subnets | Specify the IP subnets assigned to the three auxiliary ports on the gateway router to which VNFs can be attached. | NFX250 |
LAN_Subnets | Specify the IP subnets assigned to the two LAN ports on the gateway router to which VNFs can be attached. | NFX250 |
Login Security Settings | ||
Login idle timeout (minutes) | Enter the time (in minutes) after which a session that is idle is timed out. | NFX250 |
Login attempts before locking out | Enter the maximum number of unsuccessful login attempts allowed before the user account is locked. Range: 3 through 10. | NFX250 |
Login lockout period in minutes | Enter the period (in minutes) for which the user account should be locked. Range: 1 through 43,200 minutes. | NFX250 |
Login backoff factor in seconds | Specify the delay (in seconds) after each failed login attempt, which increases for each subsequent login attempt after the specified login backoff threshold. Range: 5 through 10. | NFX250 |
Login backoff threshold | Specify the threshold for the number of failed login attempts after which each subsequent login attempt is delayed by the time specified in the login backoff factor. Range: 1 through 3. | NFX250 |
Maximum time to enter password in seconds | Enter the maximum time allowed (in seconds) to enter a password to log in to the device after entering your username. Range: 20 through 300 seconds. | NFX250 |
Maintenance user account | Enter the username of the user account to be used for maintenance activities (for example, troubleshooting) on the device. | NFX250 |
Login Announcement | Specify the system login announcement, which is displayed after a user successfully logs in to the device. | NFX250 |
Login Message | Specify the system login message, which is displayed before a user logs in to the device. | NFX250 |
Table 2: Configurable Settings Supported (and Their Defaults) on MX Series Device Template
Field Name | MX as SD-WAN Hub |
---|---|
AUTO_DEPLOY_STAGE2_CONFIG | Disabled |
ZTP_ENABLED | Disabled |
ACTIVATION_CODE_ENABLED | Disabled |
OOB_OAM_Port | fxp0 |
AUTO_INSTALL_LICENSE_TO_DEVICE | Disabled |
WAN Port Names | WAN_0 ge-0/0/0 WAN_1 ge-0/0/1 WAN_2 ge-0/0/2 WAN_3 ge-0/0/3 |
Table 3: Configurable Settings Supported (and Their Defaults) on NFX250 Device Templates
Field Name | NFX250 as | NFX250 as | NFX250 as | NFX250 as | Dual NFX250 as |
---|---|---|---|---|---|
SSH Settings | |||||
Prevent root login | — | — | — | Disabled | Disabled |
Restrict SSH access | — | — | — | Disabled | Disabled |
Max number of | — | — | — | 50 | 50 |
Max number of | — | — | — | 50 | 50 |
Max number of | — | — | — | 50 | 50 |
Policer Settings | |||||
Bandwidth limit for | — | — | — | 1m | 1m |
Burst-size limit for | — | — | — | 2k | 2k |
Bandwidth limit for | — | — | — | 1m | 1m |
Burst-size limit for | — | — | — | 15k | 15k |
Bandwidth limit for | — | — | — | 1m | 1m |
Burst-size limit for | — | — | — | 15k | 15k |
Bandwidth limit for | — | — | — | 1m | 1m |
Burst-size limit for | — | — | — | 15k | 15k |
Log Rotation Settings | |||||
Max size (MB) for | — | — | — | 10 | 10 |
Max number of | — | — | — | 10 | 10 |
Customer Parameters | |||||
S2_MODEL_ | 21 | 21 | 21 | 13 | 13 |
ADSL_VPI | — | — | — | 8 | 8 |
ADSL_ENCAP | — | — | — | llcsnap-bridged | llcsnap-bridged |
VNF_OAM_TRANSLATED | 49152 | 49152 | 49152 | 49152 | 49152 |
ADSL_VCI | — | — | — | 36 | 36 |
AUTO_INSTALL_LICENSE | Disabled | Disabled | Disabled | Disabled | Disabled |
AUTO_INSTALL_DEFAULT | Enabled | Enabled | Enabled | Enabled | Enabled |
USE_SINGLE_SSH | Enabled | — | — | Enabled | — |
ENC_ROOT_PASSWORD | Specified | Specified | Specified | Specified | Specified |
GWR_VSRX_IMAGE | vsrx-vmdisk- | vsrx-vmdisk- | vsrx-vmdisk- | vsrx-vmdisk- | vsrx-vmdisk- |
ACTIVATION_CODE | Enabled | Enabled | Enabled | Enabled | Enabled |
GWR_VSRX_IMAGE | Not Specified | Not Specified | Not Specified | Not Specified | Not Specified |
INTERNAL_OAM_ | 10.10.10.0/24 | 10.10.10.0/24 | 10.10.10.0/24 | 10.10.10.0/24 | 10.10.10.0/24 |
AUTO_DEPLOY | Disabled | Disabled | Disabled | Disabled | Disabled |
OOB_MGMT_ | Enabled | Enabled | Enabled | Enabled | Enabled |
S1_MODEL | 9 | 9 | 9 | 9 | 9 |
CONTROL_LINK | — | — | — | — | xe-0/0/12 |
FAB_LINK | — | — | — | — | xe-0/0/13 |
WAN_PORT_NAMES | WAN_0 ge-0/0/8 WAN_1 ge-0/0/9 | WAN_0 ge-0/0/8 | WAN_0 ge-0/0/8 | WAN_0 ge-0/0/10 WAN_1 ge-0/0/11 WAN_2 xe-0/0/12 WAN_3 xe-0/0/13 | WAN_0 primary WAN_1 secondary WAN_2 primary WAN_3 secondary |
LAN_PORT_NAMES | — | — | — | LAN_0 ge-0/0/0 LAN_1 ge-0/0/1 LAN_2 ge-0/0/2 LAN_3 ge-0/0/3 LAN_4 ge-0/0/4 LAN_5 ge-0/0/5 LAN_6 ge-0/0/6 LAN_7 ge-0/0/7 LAN_8 ge-0/0/8 LAN_9 ge-0/0/9 | — |
LAN_MEMBER_PORT | — | — | — | — | LAN_0_0: LAN_0_1: LAN_0_2: LAN_0_3: LAN_0_4: LAN_0_5: LAN_0_6: LAN_0_7: LAN_0_8: LAN_0_9: |
GWR_CPU_PIN | nfx250_s2_10_t: 4, 10 nfx250_s1e: 4, 10 nfx250_10_t: 4,10 nfx250_ls1_10_t: 2,6 nfx250_att_s1_10_t: 4, 10 nfx250_att_ls1_10_t: 2,6 nfx250_att_s2_10_t: 4,10 | nfx250_s2_10_t: 4, 10 nfx250_s1e: 4, 10 nfx250_10_t: 4,10 nfx250_ls1_10_t: 2,6 nfx250_att_s1_10_t: 4, 10 nfx250_att_ls1_10_t: 2,6 nfx250_att_s2_10_t: 4,10 | nfx250_s2_10_t: 4, 10 nfx250_s1e: 4, 10 nfx250_10_t: 4,10 nfx250_ls1_10_t: 2,6 nfx250_att_s1_10_t: 4, 10 nfx250_att_ls1_10_t: 2,6 nfx250_att_s2_10_t: 4,10 | nfx250_s2_10_t: 4, 10 nfx250_s1e: 4, 10 nfx250_10_t: 4,10 nfx250_ls1_10_t: 2,6 nfx250_att_s1_10_t: 4, 10 nfx250_att_ls1_10_t: 2,6 nfx250_att_s2_10_t: 4,10 | nfx250_s2_10_t: 4, 10 nfx250_s1e: 4, 10 nfx250_10_t: 4,10 nfx250_ls1_10_t: 2,6 nfx250_att_s1_10_t: 4, 10 nfx250_att_ls1_10_t: 2,6 nfx250_att_s2_10_t: 4,10 |
AUX_Subnets | AUX_0 10.10.0.0/24 AUX_1 10.10.12.0/24 AUX_2 10.10.13.0/24 | AUX_0 10.10.0.0/24 AUX_1 10.10.12.0/24 AUX_2 10.10.13.0/24 | AUX_0 10.10.0.0/24 AUX_1 10.10.12.0/24 AUX_2 10.10.13.0/24 | AUX_0 10.10.0.0/24 AUX_1 10.10.12.0/24 AUX_2 10.10.13.0/24 | AUX_0 10.10.0.0/24 AUX_1 10.10.12.0/24 AUX_2 10.10.13.0/24 |
LAN_Subnets | LAN_0 10.10.1.0/24 LAN_1 10.10.2.0/24 | LAN_0 10.10.1.0/24 LAN_1 10.10.2.0/24 | LAN_0 10.10.1.0/24 LAN_1 10.10.2.0/24 | LAN_0 10.10.1.0/24 LAN_1 10.10.2.0/24 | LAN_0 10.10.1.0/24 LAN_1 10.10.2.0/24 |
Login Security Settings | |||||
Login idle | — | — | — | 10 | 10 |
Login attempts before | — | — | — | 3 | 3 |
Login lockout period | — | — | — | 5 | 5 |
Login backoff factor | — | — | — | 5 | 5 |
Login backoff threshold | — | — | — | 2 | 2 |
Maximum time to enter | — | — | — | 20 | 20 |
Maintenance user | — | — | — | juniper | juniper |
Login Announcement | — | — | — | This system is | This system is |
Login Message | — | — | — | Unauthorized access | Unauthorized access |
Table 4: Configurable Settings Supported on NFX150 Device Templates
Field Name | NFX150 as Hybrid WAN CPE | NFX150 as Managed Internet CPE | NFX150 as Secure Internet CPE | NFX150 as SD-WAN CPE |
---|---|---|---|---|
VNF_OAM_TRANSLATED_PORT_START | 49152 | 49152 | 49152 | 49152 |
AUTO_INSTALL_LICENSE_TO_DEVICE | Disabled | Disabled | Disabled | Disabled |
ZTP_ENABLED | Enabled | Enabled | Enabled | Enabled |
INTERNAL_OAM_SUBNET | 10.10.10.0/24 | 10.10.10.0/24 | 10.10.10.0/24 | 10.10.10.0/24 |
ENC_ROOT_PASSWORD | Specified | Specified | Specified | Specified |
ACTIVATION_CODE_ENABLED | Enabled | Enabled | Enabled | Enabled |
AUTO_DEPLOY_STAGE2_CONFIG | Disabled | Disabled | Disabled | Disabled |
USE_SINGLE_SSH_TO_NFX | Enabled | — | — | Enabled |
ADSL_VPI | — | — | — | 8 |
ADSL_ENCAP | — | — | — | llcsnap-bridged-802.1q |
ADSL_VCI | — | — | — | 36 |
WAN Port Names for SKU with single slot | WAN_0 ge-1/0/1 heth-0-4 WAN_1 ge-1/0/2 heth-0-5 WAN_2 ge-1/0/3 heth-0-2 WAN_3 ge-1/0/4 heth-0-3 | WAN_0 ge-1/0/1 heth-0-4 WAN_1 ge-1/0/2 heth-0-5 WAN_2 ge-1/0/3 heth-0-2 WAN_3 ge-1/0/4 heth-0-3 | WAN_0 ge-1/0/1 heth-0-4 WAN_1 ge-1/0/2 heth-0-5 WAN_2 ge-1/0/3 heth-0-2 WAN_3 ge-1/0/4 heth-0-3 | WAN_0 ge-1/0/1 heth-0-4 WAN_1 ge-1/0/2 heth-0-5 WAN_2 ge-1/0/3 heth-0-2 WAN_3 ge-1/0/4 heth-0-3 |
WAN Port Names for SKU with EM-6T2SFP expansion module. | WAN_0 ge-1/0/1 heth-0-4 WAN_1 ge-1/0/2 heth-0-5 WAN_2 ge-1/0/3 heth-1-6 WAN_3 ge-1/0/4 heth-1-7 | WAN_0 ge-1/0/1 heth-0-4 WAN_1 ge-1/0/2 heth-0-5 WAN_2 ge-1/0/3 heth-1-6 WAN_3 ge-1/0/4 heth-1-7 | WAN_0 ge-1/0/1 heth-0-4 WAN_1 ge-1/0/2 heth-0-5 WAN_2 ge-1/0/3 heth-1-6 WAN_3 ge-1/0/4 heth-1-7 | WAN_0 ge-1/0/1 heth-0-4 WAN_1 ge-1/0/2 heth-0-5 WAN_2 ge-1/0/3 heth-1-6 WAN_3 ge-1/0/4 heth-1-7 |
Table 5: Configurable Settings Supported on SRX Series Device Templates
Field Name | SRX as Managed Internet CPE | SRX as Hybrid WAN CPE | SRX as SD-WAN CPE | SRX as SD-WAN Hub | Dual SRX as SD-WAN CPEs | vSRX as SD-WAN spoke in AWS |
---|---|---|---|---|---|---|
AUTO_DEPLOY_STAGE2_CONFIG | Disabled | Disabled | Disabled | Disabled | Disabled | Disabled |
ZTP_ENABLED | Enabled | Disabled | Enabled | Enabled | Disabled | — |
PRE-STAGED-CPE | Disabled | — | — | — | — | — |
ACTIVATION_CODE_ENABLED | Disabled | Disabled | Enabled | Enabled | Disabled | — |
OOB_OAM_Port | fxp0 | fxp0 | fxp0 | fxp0 | ge-0/0/0 | — |
ENC_ROOT_PASSWORD | Specified | Specified | Specified | Specified | Specified | Specified |
AUTO_INSTALL_LICENSE_TO_DEVICE | Disabled | Disabled | Disabled | Disabled | Disabled | Disabled |
CLUSTER_OFFSET | — | — | — | — | 5 | — |
WAN Port Names | WAN_0 ge-0/0/0 | WAN_0 ge-0/0/0 WAN_1 ge-0/0/1 | WAN_0 ge-0/0/0 WAN_1 ge-0/0/1 WAN_2 ge-0/0/2 WAN_3 ge-0/0/3 | WAN_0 ge-0/0/0 WAN_1 ge-0/0/1 WAN_2 ge-0/0/2 WAN_3 ge-0/0/3 | WAN_0 ge-0/0/3 WAN_1 ge-{ {CLUSTER_ WAN_2 ge-0/0/4 WAN_3 ge-{ {CLUSTER_ | WAN_0 ge-0/0/0 WAN_1 ge-0/0/1 |
OAM CE Port Names | — | — | — | OAM_CE_0 ge-0/0/0 OAM_CE_1 ge-0/0/1 OAM_CE_2 ge-0/0/2 OAM_CE_3 ge-0/0/3 | — | — |
FAB Port Names | — | — | — | — | FAB_0 ge-0/0/2 FAB_1 ge-{ {CLUSTER_ | — |
LAN Port Names | — | — | LAN_0 ge-0/0/0 LAN_1 ge-0/0/1 LAN_2 ge-0/0/2 LAN_3 ge-0/0/3 LAN_4 ge-0/0/4 LAN_5 ge-0/0/5 LAN_6 ge-0/0/6 LAN_7 ge-0/0/7 LAN_8 ge-0/0/8 LAN_9 ge-0/0/9 LAN_10 ge-0/0/10 | — | LAN_0_0 ge-0/0/7 LAN_0_1 ge-0/0/8 LAN_0_2 ge-0/0/9 LAN_0_3 ge-0/0/10 | LAN_0 ge-0/0/0 LAN_1 ge-0/0/1 LAN_2 ge-0/0/2 LAN_3 ge-0/0/3 LAN_4 ge-0/0/4 LAN_5 ge-0/0/5 LAN_6 ge-0/0/6 LAN_7 ge-0/0/7 LAN_8 ge-0/0/8 LAN_9 ge-0/0/9 LAN_10 ge-0/0/10 |
RESERVED_MEMBER_PORT_NAMES | — | — | — | — | PORT_0_0 ge-0/0/5 PORT_0_1 ge-0/0/6 | — |
RESERVED_SUBNETS | — | — | — | — | NODE_0 10.10.12.0/24 NODE_1 10.10.13.0/24 | — |
AUTO_INSTALL_DEFAULT | — | — | — | — | — | Enabled |
AMI_vSRX_BYOL | — | — | — | — | — | Specified |
Table 6: Configurable Settings Supported on SRX4x00 Series Device Templates
Field Name | SRX-4x00 as SD-WAN CPE | Dual SRX4x00 as SD-WAN CPEs |
---|---|---|
SSH Settings | ||
Prevent root login via SSH? | Disabled | Disabled |
Restrict SSH access to be from CSO only | Disabled | Disabled |
Max number of SSH connections allowed at any time | 50 | 50 |
Max number of SSH connections allowed per minute | 50 | 50 |
Max number of sessions per SSH connection | 50 | 50 |
Policer Settings | ||
Bandwidth limit for ICMP traffic towards the device | 1m | 1m |
Burst-size limit for ICMP traffic towards the device | 2k | 2k |
Bandwidth limit for trace-route traffic towards the device | 1m | 1m |
Burst-size limit for trace-route traffic towards the device | 15k | 15k |
Bandwidth limit for DHCP traffic towards the device | 1m | 1m |
Burst-size limit for DHCP traffic towards the device | 15k | 15k |
Bandwidth limit for DNS traffic towards the device | 1m | 1m |
Burst-size limit for DNS traffic towards the device | 15k | 15k |
Log Rotation Settings | ||
Max size (MB) for log files | 10 | 10 |
Max number of log files | 10 | 10 |
Feature Level Access Settings | ||
Allow TACACS access | Disabled | Disabled |
Customer Parameters | ||
AUTO_INSTALL_LICENSE_TO_DEVICE | Disabled | Disabled |
AUTO_INSTALL_DEFAULT_TRUSTED_CERTS_TO_DEVICE | Enabled | Enabled |
ZTP_ENABLED | Disabled | Disabled |
ENC_ROOT_PASSWORD | Specified | Specified |
ACTIVATION_CODE_ENABLED | Disabled | Disabled |
CLUSTER_OFFSET | — | 7 |
AUTO_DEPLOY_STAGE2_CONFIG | Disabled | Disabled |
OOB_OAM_PORT | fxp0 | fxp0 |
MAX_DVPN_TUNNELS_ON_SITE | ||
srx | 600 | 600 |
default-value | 600 | 600 |
vsrx | 600 | 600 |
WAN_PORT_NAMES | ||
WAN_0 | xe-0/0/0 | xe-0/0/0 |
WAN_1 | xe-0/0/1 | xe-{{CLUSTER_OFFSET.value}}/0/0 |
WAN_2 | xe-0/0/2 | xe-0/0/1 |
WAN_3 | xe-0/0/3 | xe-{{CLUSTER_OFFSET.value}}/0/1 |
MIN_DVPN_TUNNELS_TO_START_DEACTIVATE | ||
srx | 200 | 200 |
default-value | 200 | 200 |
vsrx | 200 | 200 |
LAN_PORT_NAMES | ||
LAN_0 LAN_1 LAN_2 LAN_3 LAN_4 LAN_5 LAN_6 LAN_7 | xe-0/0/0 xe-0/0/1 xe-0/0/2 xe-0/0/3 xe-0/0/4 xe-0/0/5 xe-0/0/6 xe-0/0/7 | LAN_0_0— xe-0/0/2 LAN_0_1— xe-0/0/3 LAN_0_2— xe-0/0/4 LAN_0_3— xe-0/0/5 |
Login Security Settings | ||
Idle timeout (minutes) | 10 | 10 |
Attempts before locking out | 3 | 3 |
Lockout period in minutes | 5 | 5 |
Backoff factor in seconds | 5 | 5 |
Backoff threshold | 2 | 2 |
Maximum time to enter password in seconds | 20 | 20 |
Maintenance user account | juniper | juniper |
Announcement | This system is private property. | This system is private property. |
Message | Unauthorized access will be reported. | Unauthorized access will be reported. |
RESERVED_MEMBER_PORT_NAMES | ||
PORT_0_1 | — | xe-0/0/7 |
PORT_0_0 | — | xe-0/0/6 |
RESERVED_SUBNETS | ||
NODE_1 | — | 10.10.13.0/24 |
NODE_0 | — | 10.10.12.0/24 |
Table 7: Fields on the Template Settings Page
Name | Description |
---|---|
Customer Parameters | |
AUTO_DEPLOY_STAGE2_CONFIG | Specify whether to automatically deploy stage-2 configuration at the end of the Zero Touch Provisioning (ZTP) workflow. Example: Enabled |
ZTP_ENABLED | Specify whether to enable ZTP for the device. Note: This option is supported on SRX Series Services Gateways only. Example: Enabled |
PRE_STAGED_CPE | Specify whether the CPE device is pre-staged with WAN configuration. Note: This option is supported on SRX Series Services Gateways only. Example: Enabled |
ACTIVATION_CODE_ENABLED | Specify whether the customer must use an activation code to activate the CPE device. Example: Enabled |
OOB_OAM_Port | Specify the name of the port used for out-of-band Operation, Administration, and Maintenance (OAM) traffic. This port is used in deployments where OAM and data traffic are on separate physical ports. Note: This option is supported on SRX Series Services Gateways only. Example: fxp0 |
S2_MODEL_HUGEPAGE_COUNT | Specify the number of 1-GB huge pages to be used by the VNFs on an NFX250-S2 device with a total memory of 32 GB. Example: 21 |
USE_SINGLE_SSH_TO_NFX | Specify whether to enable device-initiated connections (outbound SSH) with port-forwarding capability. Port forwarding enables Contrail Service Orchestration to manage an NFX250 device through a single IP address. Example: Enabled |
S1_MODEL_HUGEPAGE_COUNT | Specify the number of 1-GB huge pages to be used by the VNFs on an NFX250-S1 device with a total memory of 16 GB. Example: 21 |
VNF_OAM_TRANSLATED_PORT_START | Specify the first port number that can be used to expose a port on the gateway router’s OAM or WAN interface through port translation. Use this option in cases where the VNF does not have its own OAM IP address from the in-band OAM network. |
ENC_ROOT_PASSWORD | Specify the Junos OS root password to be set on an NFX250 device. Example: ***************** |
WAN Port Names | Specify the mapping Junos OS interface descriptors for the hardware ports. The RJ-45 port is the default port for the NFX250 device. You can change the default port if you want to use a different type of connector, such as SFP. |
GWR_LAN_PORT | Specify the mapping of the gateway router’s LAN port names to the corresponding front panel physical port names on the NFX250 device. Currently, the logical ports are created on the ge-0/0/4 interface. |
JCP_LAN_PORT_NAMES | Specify the port names from LAN_0 through LAN_9. |
GWR_LAN_PORT_NAMES | Specify the port names from LAN_0 through LAN_9. |
LAN_PORT_NAMES | Specify the port names from LAN_0 through LAN_10. |
CONTROL_LINK_PORT_NAME | Enter the physical port name for control link connection. Example: xe-0/0/12 |
FAB_LINK_PORT_NAME | Enter the physical port name for fabric link connection. Example: xe-0/0/13 |
OOB_MGMT_ENABLED | Specify whether to use the out-of-band (OOB) management port of the device for management connectivity. If the field is enabled, a default route will be available through this interface. If the field is disabled, there is no connectivity through the OOB management port of the device and the stage-1 configuration that is generated will include a static default route. |
AUTO_INSTALL_LICENSE_TO_DEVICE | Click the toggle button to enable automatic installation of the license on CPE device at the end of ZTP workflow. |
GWR_VSRX_IMAGE_LOCAL_FILE_PATH | Enter the local path of the vSRX image that is installed on the NFX250 device. The image file is required when the gateway router VM is created. If this parameter is not set, or if the file is not present on the NFX250 device, then a vSRX image is downloaded from the CSO file server to the NFX250 device. Example: ./var/third-party/images/*vsrx*-15.1X*.qcow2 |
GWR_VSRX_IMAGE_CNAME_IN_CSO | Enter the name of the vSRX image uploaded into the Image Management Service in CSO. When creating the gateway VM, if the vSRX image file is not present locally, then the image with this name is downloaded to the NFX250 device. |
INTERNAL_OAM_SUBNET | Enter the IP address for the subnet that is used for internal OAM. |
ADSL_VPI | Enter the Virtual Path Identifier (VPI) setting to connect to the ADSL service provider through PPPoE. Example: 8 |
ADSL_ENCAP | Enter the encapsulation that is used to connect to the ADSL service provider through PPPoE. Example: llcsnap-bridged-802.1q |
ADSL_VCI | Enter the VCI (Virtual Channel Identifier) setting to connect to the ADSL service provider through PPPoE. Example: 36 |
DSL_VLAN | Enter the reserved internal VLAN ID to be used as the native-vlan-id on xDSL ports to ensure that untagged control frames are processed. Example: 4087 |
CLUSTER_OFFSET | Enter the cluster slot number for designated secondary node. |
Table 8: Fields on the Template Settings Page for SRX4100 and SRX4200 Device Templates
Field Name | Description |
---|---|
SSH Settings | |
Prevent root login via SSH? | Click the toggle button to enable root login through SSH. Root login through SSH is disabled by default. |
Restrict SSH access to be from CSO only | Click the toggle button to restrict SSH access only to connections from Contrail Service Orchestration (CSO). Default: Disabled |
Max number of SSH connections allowed at any time | Enter the maximum number of concurrent SSH connections to be allowed. Range: 1 through 250 Default: 50 |
Max number of SSH connections allowed per minute | Enter the maximum number of SSH connections allowed per minute. Range: 1 through 250 Default: 50 |
Max number of sessions per SSH connection | Enter the maximum number of sessions per SSH connection. Range: 1 through 65535 Default: 50 |
Policer Settings | |
Bandwidth limit for ICMP traffic towards the device | Enter the bandwidth limit, in bits per second (bps), for Internet Control Message Protocol (ICMP) traffic towards the device. Default: 1m |
Burst-size limit for ICMP traffic towards the device | Enter the burst-size limit, in bytes, for ICMP traffic towards the device. Default: 2k |
Bandwidth limit for trace-route traffic towards the device | Enter the bandwidth limit, in bits per second (bps), for traceroute traffic towards the device. Default: 1m |
Burst-size limit for trace-route traffic towards the device | Enter the burst-size limit, in bytes, for traceroute traffic towards the device. Default: 15k |
Bandwidth limit for DHCP traffic towards the device | Enter the bandwidth limit, in bits per second (bps), for Dynamic Host Configuration Protocol (DHCP) traffic towards the device. Default: 1m |
Burst-size limit for DHCP traffic towards the device | Enter the burst-size limit, in bytes, for DHCP traffic towards the device. Default: 15k |
Bandwidth limit for DNS traffic towards the device | Enter the bandwidth limit, in bits per second (bps), for Domain Name System (DNS) traffic towards the device. Default: 1m |
Burst-size limit for DNS traffic towards the device | Enter the burst-size limit, in bytes, for DNS traffic towards the device. Default: 15k |
Log Rotation Settings | |
Max size (MB) for log files | Enter the maximum size of the log file, in megabytes (MB). Default: 10 |
Max number of log files | Enter the maximum number of log files. Default: 10 |
Feature Level Access Settings | |
Allow TACACS access | Click the toggle button to enable TACACS communication. By default, TACACS communication is disabled. |
Customer Parameters | |
AUTO_INSTALL_LICENSE_TO_DEVICE | Click the toggle button to enable automatic installation of the license file on the CPE device when the ZTP workflow ends. Default: Disabled |
AUTO_INSTALL_DEFAULT_TRUSTED_CERTS_TO_DEVICE | Click the toggle button to disable automatic installation of default trusted certificates on the CPE device when the ZTP workflow ends. Default: Enabled |
ZTP_ENABLED | Specify whether to enable ZTP for the device. |
ENC_ROOT_PASSWORD | Specify the Junos OS-encrypted root password to be set on the CPE device. |
ACTIVATION_CODE_ENABLED | Click the toggle button to enable the tenant to use an activation code to activate the CPE device. Default: Disabled |
CLUSTER_OFFSET | Enter the cluster slot number for designated secondary node. |
AUTO_DEPLOY_STAGE2_CONFIG | Click the toggle button to enable automatic deployment of stage-2 configuration when the ZTP workflow ends. Default: Disabled |
OOB_OAM_PORT | Enter the port number for out-of-band Operation, Administration, and Maintenance (OAM) traffic on SRX Series Services Gateways. This port is used in deployments where OAM and data traffic are on separate physical ports. Note: This option is supported on SRX Series Services Gateways only. Default: fxp0 |
MAX_DVPN_TUNNELS_ON_SITE | Enter the maximum number of Dynamic Virtual Private Network (DVPN) tunnels that are allowed at the tenant site. |
MIN_DVPN_TUNNELS_TO_START_DEACTIVATE | Enter the minimum number of Dynamic Virtual Private Network (DVPN) tunnels required at the tenant site. |
WAN_PORT_NAMES | Specify the mapping of the physical port names used for NFX250 WAN side connectivity. WAN_0 WAN_1 WAN_2 WAN_3 |
WAN_MEMBER_PORT_NAMES | WAN_0 WAN_1 WAN_2 WAN_3 |
LAN_PORT_NAMES | LAN_0— xe-0/0/0 LAN_1— xe-0/0/1 LAN_2— xe-0/0/2 LAN_3— xe-0/0/3 LAN_4— xe-0/0/4 LAN_5— xe-0/0/5 LAN_6— xe-0/0/6 LAN_7— xe-0/0/7 |
LAN_MEMBER_PORT_NAMES | LAN_0_0— xe-0/0/2 LAN_0_1— xe-0/0/3 LAN_0_2— xe-0/0/4 LAN_0_3— xe-0/0/5 |
Login Security Settings | |
Idle timeout (minutes) | Enter the maximum time (in minutes) that a session can be idle before the user is logged out of the system. |
Attempts before locking out | Enter the maximum number of unsuccessful login attempts allowed before the account is locked. Range: 3 to 10 |
Lockout period in minutes | Enter the number of minutes an account must remain locked after the maximum number of unsuccessful login attempts. Range: 1 to 43,200 |
Backoff factor in seconds | Enter the length of delay (in seconds) after each failed login attempt. The length of delay increases by this value for each subsequent login attempt after the value specified in the backoff-threshold option. Range: 5 to 10 |
Backoff threshold | Enter the threshold for the number of failed login attempts before the user experiences a delay when attempting to reenter a password. Range: 1 to 3 |
Maximum time to enter password in seconds | Enter the number of seconds that a connection remains open for the user to enter a username and password to log in. Range: 20 to 300. |
Maintenance user account | |
Announcement | Enter the login banner announcement when logging in. |
Message | Enter the login banner message when logging in. |
RESERVED_MEMBER_PORT_NAMES | Enter the port names of the two 1-Gigabit Ethernet/10-Gigabit Ethernet ports, CTL (control port) and FAB (fabric port), to be used for synchronizing data and maintaining state information in a chassis cluster setup. Default: |
RESERVED_SUBNETS | Enter the IP address of reserved subnets. Default: |
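
An offline check of SRX4100/SRX4200 template values against the ranges in Table 8 and the defaults in Table 6, as an added example that is not part of the CSO documentation. The dictionary layout, the `audit` and `parse_rate` names, the decimal reading of the `k`/`m` suffixes, and the reading of "Enabled" as "the restriction named by the field is in force" are assumptions; CSO's own export format is not shown on this page.

```python
import re

# Ranges as documented in Table 8 (SRX4100 and SRX4200 device templates).
RANGES = {
    "Max number of SSH connections allowed at any time": (1, 250),
    "Max number of SSH connections allowed per minute": (1, 250),
    "Max number of sessions per SSH connection": (1, 65535),
    "Attempts before locking out": (3, 10),
    "Lockout period in minutes": (1, 43200),
    "Backoff factor in seconds": (5, 10),
    "Backoff threshold": (1, 3),
    "Maximum time to enter password in seconds": (20, 300),
}

# Toggles that Table 6 lists as Disabled by default.
# Assumption: "Enabled" means the restriction named by the field is in force.
RESTRICTIVE_TOGGLES = (
    "Prevent root login via SSH?",
    "Restrict SSH access to be from CSO only",
)

# The eight policer fields, spelled as in the tables.
POLICER_FIELDS = tuple(
    f"{kind} limit for {proto} traffic towards the device"
    for proto in ("ICMP", "trace-route", "DHCP", "DNS")
    for kind in ("Bandwidth", "Burst-size")
)

# Assumption: suffixes are decimal multipliers (1m = 1,000,000; 15k = 15,000).
_SUFFIX = {"": 1, "k": 1_000, "m": 1_000_000, "g": 1_000_000_000}


def parse_rate(text):
    """Turn '1m' or '15k' into an integer; return None if malformed."""
    m = re.fullmatch(r"(\d+)([kmg]?)", str(text).strip().lower())
    return int(m.group(1)) * _SUFFIX[m.group(2)] if m else None


def audit(settings):
    """Return (severity, field, message) tuples for one template's settings."""
    findings = []
    for field, (lo, hi) in RANGES.items():
        value = settings.get(field)
        if not isinstance(value, int) or isinstance(value, bool):
            findings.append(("error", field, f"missing or not an integer: {value!r}"))
        elif not lo <= value <= hi:
            findings.append(("error", field, f"{value} outside documented range {lo}-{hi}"))
    for field in RESTRICTIVE_TOGGLES:
        if settings.get(field) != "Enabled":
            findings.append(("warn", field, "restriction not enabled"))
    for field in POLICER_FIELDS:
        if not parse_rate(settings.get(field, "")):
            findings.append(("error", field, "policer limit missing, zero or malformed"))
    return findings


# Defaults transcribed from Table 6 (SRX-4x00 as SD-WAN CPE).
TABLE6_DEFAULTS = {
    "Prevent root login via SSH?": "Disabled",
    "Restrict SSH access to be from CSO only": "Disabled",
    "Max number of SSH connections allowed at any time": 50,
    "Max number of SSH connections allowed per minute": 50,
    "Max number of sessions per SSH connection": 50,
    "Bandwidth limit for ICMP traffic towards the device": "1m",
    "Burst-size limit for ICMP traffic towards the device": "2k",
    "Bandwidth limit for trace-route traffic towards the device": "1m",
    "Burst-size limit for trace-route traffic towards the device": "15k",
    "Bandwidth limit for DHCP traffic towards the device": "1m",
    "Burst-size limit for DHCP traffic towards the device": "15k",
    "Bandwidth limit for DNS traffic towards the device": "1m",
    "Burst-size limit for DNS traffic towards the device": "15k",
    "Attempts before locking out": 3,
    "Lockout period in minutes": 5,
    "Backoff factor in seconds": 5,
    "Backoff threshold": 2,
    "Maximum time to enter password in seconds": 20,
}

# Constructed sample: both SSH restrictions switched on, but with two
# mistakes an operator could make while editing the template.
CONSTRUCTED_EDIT = dict(
    TABLE6_DEFAULTS,
    **{
        "Prevent root login via SSH?": "Enabled",
        "Restrict SSH access to be from CSO only": "Enabled",
        "Backoff threshold": 5,  # documented range is 1 to 3
        "Burst-size limit for DNS traffic towards the device": "15kb",  # bad suffix
    },
)

if __name__ == "__main__":
    for name, cfg in (("Table 6 defaults", TABLE6_DEFAULTS),
                      ("constructed edit", CONSTRUCTED_EDIT)):
        print(name)
        for severity, field, message in audit(cfg):
            print(f"  [{severity}] {field}: {message}")
```
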
Updating Stage-2 Configuration Template in a Device Template
Each device template has a set of configuration templates that can be used to deploy additional configuration on to the CPE device after it is activated. These templates are known as stage-2 configuration templates. You can add or remove stage-2 configuration templates from a device template.
By default, the CPE device configuration is not supported on the CPE device. If you need the CPE device configuration, then you must configure it through stage-2 configuration in the device templates.
To add a stage-2 configuration template:
- Select Resources > Device Template.
The Device Templates page appears.
- Select a device template for which you want to add the stage-2 configuration and select Edit Device Template > Stage-2 Config Templates.
The Stage-2 Configuration Templates page appears. Table 9 lists the fields (and their descriptions) on the Stage-2 Configuration Templates page.
- Click the add icon (+) and complete the configuration settings according to the guidelines provided in Table 10.
- Click Save.
The new stage-2 configuration template is included in the device template.
Table 9: Fields on the Stage-2 Configuration Templates Page
Name | Description |
---|---|
Name | View the name of the stage-2 configuration template. Example: LAN side config |
Component Name | View the name of the component through which the settings are configured. The components that are currently supported are:
Example: JUNOS |
Hide | Displays whether the template is hidden on Customer Portal.
Example: false |
Copy input from | Displays the template from which you copied the settings. |
Auto Deploy | Displays whether the stage-2 configuration is automatically pushed to the device during ZTP process. |
Enable for | Displays whether the stage-2 configuration template is enabled for all tenants, no tenants, or specific tenants. |
Table 10: Fields on the Add New Template Page
Name | Description |
---|---|
Template | Select the configuration template from the drop-down list. The configuration templates are designed in the Configuration Designer tool. Example: srx-basic-sdwan-cpe-config |
Display Name | Specify the name of the template that you want to display on the configuration interface. Example: SDWAN Config |
Component Name | Specify the component name through which the settings are configured. The components that are currently supported are:
Example: JUNOS |
Hide | Specify whether you want to hide the configuration template on Customer Portal. You might want to choose to hide the template if you are reusing the template for multiple components.
Example: hide |
Copy From Template | If you have chosen to hide the configuration template on the user interface, then specify the template from which you want to copy the settings. Example: srx-mis-lan-to-wan-config |
Auto Deploy | Specify whether the stage-2 configuration must be automatically pushed to the device during ZTP process. The available options are
|
Enabled for | You can enable the stage-2 configuration template for all tenants, specific tenants, an SP administrator or an OpCo administrator. Note: Only users with SP administrator or OpCo administrator role can enable stage-2 configuration templates. The available options are:
The default option is All Tenants. |
To remove a stage-2 configuration template:
- Select Resources > Device Templates.
The Device Templates page appears.
- Select the device template for which you want to remove the stage-2 configuration and then select Edit Device Template > Stage-2 Config Templates.
The Stage-2 Config Templates page appears.
- Select a configuration template and click the delete icon (X).
A page requesting confirmation for the deletion appears.
- Click Yes to confirm that you want to delete the stage-2 configuration template.
The configuration template is deleted.
Configuring Stage-2 Initial Configuration in a Device Template
In general, the tenant administrators initiate stage-2 configuration through Customer Portal. However, in certain cases, the same stage-2 configuration needs to be deployed to CPE devices in all sites that are activated using a specific device template. In such cases, you can attach an initial configuration to a stage-2 configuration template of a device template. When a new CPE device in the site is activated using the device template, the initial configuration is automatically deployed to the CPE device.
The following initial configurations are supported:
Policies configuration
LAN configuration
SD-WAN configuration
Routing configuration
APN configuration
To update an initial configuration for stage-2 configuration template:
- Select Resources > Device Templates.
The Device Templates page appears.
- Select the device template for which you want to configure the stage-2 configuration and then select Edit Device Template > Stage-2 Initial Config.
The Stage-2 Initial Configuration page appears, listing the existing settings.
- Complete the configuration settings according to the guidelines provided in Table 11, Table 12, Table 13, and Table 14.
- Click Ok.
Table 11: Fields for the VLAN Settings on the Stage-2 Initial Configuration Page
Field | Description |
---|---|
VLAN ID | Specify the identifier for the Layer 2 VLAN for the CPE device. Example: 230 |
IRB IP Prefix | Specify the IP address, including the subnet prefix, and the integrated routing and bridging (IRB) interface on the CPE device. Example: 192.0.2.15/24 |
LAN Ports | Specify the LAN ports on the CPE device. Example: ge-0/0/0 |
Table 12: Fields for the LAN Settings on the Stage-2 Initial Configuration Page
Field | Description |
---|---|
LAN port | Specify the LAN ports on the CPE device. Example: ge-0/0/0 |
IP Address | Specify the IP address on the CPE device. Example: 192.0.2.255 |
Table 13: Fields for the SRX Basic SD-WAN Settings on the Stage-2 Initial Configuration Page
Field | Description |
---|---|
Manage App Group | Click to manage the application groups. The application group is predefined in the system for all SRX Series and vSRX configuration settings. The settings are preloaded and displayed on the portal. You can also create new application groups. |
Manage App SLA Profile | Click to manage the application service-level agreements (SLA) profiles. |
Rule Name | Specify the rule name. Example: critical-apps |
Application/Groups | Specify the applications or application groups for the rule. Example: Oracle, SAP |
Application SLA Profile | Specify the application SLA profile for the rule. Example: critical-apps |
Table 14: Fields for the APN Configuration Settings on the Stage-2 Initial Configuration Page
Field | Description |
---|---|
Use default APN settings | If this field is enabled (default), then the CPE device uses the default APN setting that is shipped along with the device. If this field is disabled, then you can configure APN settings. |
APN Settings | |
APN Name | Enter the access point name (APN) of the gateway router. The name can contain alphanumeric characters and special characters. |
SIM Change Required | You can change the SIM card on the CPE device either to use a different LTE service provider or to use a private APN with the current LTE service provider.
|
Authentication Method | Select the authentication method for the APN configuration.
|
Authentication Information | |
SIP User ID | Enter the Session Initiation Protocol (SIP) user ID for authentication if you have selected the APN authentication method as either PAP or CHAP. |
SIP Password | Enter the SIP password for authentication if you have selected the APN authentication method as either PAP or CHAP. The password must contain mixed case alphanumeric characters and special characters. The password must be six characters or more. |