Configuring Template Settings in a Device Template

Procedure

To configure the device template settings:

Note: This topic is applicable only to users with an SP Administrator role.

  1. Select Resources > Templates > Device Templates.

    The Device Templates page appears.

  2. Select the device template for which you want to configure the settings and then select Edit Device Template > Template Settings.

    The Template Settings page appears.

  3. Complete the configuration settings according to the guidelines in Table 65.
  4. Click Save.

    The changes that you made to the device template are saved and you are returned to the Device Templates page. After you modify a device template and use that device template to add a site, the modified parameters are used in the site addition workflow. The device template modifications do not take effect on existing sites.

Table 65: Fields on the Template Settings Page for All Device Templates

| Field Name | Description | Applicable To (Device Templates) |
| --- | --- | --- |
| SSH Settings | | |
| Prevent root login via SSH? | Specify whether root login (to the device) by using SSH should be allowed or not. | NFX250, NFX150, SRX4100, SRX4200 |
| Restrict SSH access to be from CSO only | Specify whether SSH access to the device should be restricted only to Contrail Service Orchestration (CSO) or not. | NFX250, NFX150, SRX4100, SRX4200 |
| Max number of SSH connections allowed at any time | Enter the maximum number of SSH connections allowed at any time. Range: 1 through 250. | NFX250, NFX150, SRX4100, SRX4200 |
| Max number of SSH connections allowed per minute | Enter the maximum number of SSH connections allowed per minute. Range: 1 through 250. | NFX250, NFX150, SRX4100, SRX4200 |
| Max number of sessions per SSH connection | Enter the maximum number of sessions allowed per SSH connection. Range: 1 through 250. | NFX250, NFX150, SRX4100, SRX4200 |
| Policer Settings | | |
| Bandwidth limit for ICMP traffic towards the device | Enter the bandwidth limit, in bits per second (bps), for Internet Control Message Protocol (ICMP) traffic towards the device. | NFX250 |
| Burst-size limit for ICMP traffic towards the device | Enter the burst-size limit, in bytes, for ICMP traffic towards the device. | NFX250 |
| Bandwidth limit for trace-route traffic towards the device | Enter the bandwidth limit, in bits per second (bps), for traceroute traffic towards the device. | NFX250 |
| Burst-size limit for trace-route traffic towards the device | Enter the burst-size limit, in bytes, for traceroute traffic towards the device. | NFX250 |
| Bandwidth limit for DHCP traffic towards the device | Enter the bandwidth limit, in bits per second (bps), for Dynamic Host Configuration Protocol (DHCP) traffic towards the device. | NFX250 |
| Burst-size limit for DHCP traffic towards the device | Enter the burst-size limit, in bytes, for DHCP traffic towards the device. | NFX250 |
| Bandwidth limit for DNS traffic towards the device | Enter the bandwidth limit, in bits per second (bps), for Domain Name System (DNS) traffic towards the device. | NFX250 |
| Burst-size limit for DNS traffic towards the device | Enter the burst-size limit, in bytes, for DNS traffic towards the device. | NFX250 |
| Log Rotation Settings | | |
| Max size (MB) for log files | Enter the maximum size, in megabytes (MB), of the log files stored on the device. | NFX250 |
| Max number of log files | Enter the maximum number of log files to be stored on the device at any time. | NFX250 |
| Customer Parameters | | |
| S2_MODEL_HUGEPAGE_COUNT | Enter the number of 1-GB huge pages usable by the virtualized network functions (VNFs) on an NFX250-S2 device with a total memory of 32 GB. | NFX250 |
| ADSL_VPI | Enter the Virtual Path Identifier (VPI) setting to connect to the asymmetric digital subscriber line (ADSL) service provider. | NFX150, NFX250, SRX320, SRX340, SRX345 |
| ADSL_ENCAP | Enter the encapsulation that is used to connect to the ADSL service provider. | NFX150, NFX250, SRX320, SRX340, SRX345 |
| VNF_OAM_TRANSLATED_PORT_START | Enter the first port number that can be used to expose (by using port translation) a VNF Operation, Administration, and Maintenance (OAM) port on the gateway router OAM interface or the WAN interface. This setting is used in cases where the VNF does not have its own OAM IP address from the in-band OAM network. | NFX250 |
| ADSL_VCI | Enter the VCI (Virtual Channel Identifier) setting to connect to the ADSL service provider. | NFX150, NFX250, SRX320, SRX340, SRX345 |
| AUTO_INSTALL_LICENSE_TO_DEVICE | Specify whether licenses should be automatically installed on the device during the ZTP workflow or not. | NFX250 |
| AUTO_INSTALL_DEFAULT_TRUSTED_CERTS_TO_DEVICE | Specify whether the Junos OS default trusted certificates should be installed on the device during the ZTP workflow or not. | NFX250 |
| NO_LOCAL_FAVOR_ECMP | Use this parameter to control the behavior of local-breakout traffic in a dual CPE cluster. The overlay traffic continues to load-balance across nodes as usual and doesn't have any dependency on this parameter. By default, this parameter is disabled. When disabled, local-breakout traffic egresses from the active link of the node on which the traffic has arrived. The local-breakout traffic load-balances within this node and not across nodes. You can enable this parameter to load balance equal-cost multipath (ECMP) traffic across active-active links on both the nodes of a dual CPE cluster. Note: This parameter is available only when the devices in the cluster are running Junos OS Release 19.3R2-S1 or later. | NFX250, SRX Series Devices |
| USE_SINGLE_SSH_TO_NFX | Specify whether to manage the NFX250 device and its components by using a single SSH connection between CSO and the NFX250 device. | NFX250 |
| ENC_ROOT_PASSWORD | Specify the Junos OS root password to be set on the device. The password that you type is masked and the password is encrypted and stored. | NFX250 |
| GWR_VSRX_IMAGE_LOCAL_FILE_PATH | Enter the local path of the vSRX image file present on the NFX250 device; this image file is used when the gateway router virtual machine (VM) is created. For example, ./var/third-party/images/*vsrx*-15.1X*.qcow2. If this parameter is not set or if the file is not present on the NFX250 device, then a vSRX image with the filename specified in GWR_VSRX_IMAGE_CNAME_IN_CSO is downloaded from the CSO file server to the NFX250 device. | NFX250 |
| GWR_VSRX_IMAGE_CNAME_IN_CSO | Enter the name with which the vSRX image was uploaded into the Image Management Service in CSO. If the vSRX image file specified in GWR_VSRX_IMAGE_LOCAL_FILE_PATH is not present, then an image with the name specified is downloaded to the NFX250 device. | NFX250 |
| ACTIVATION_CODE_ENABLED | Specify whether an activation code must be specified to activate the device or not. | NFX250 |
| INTERNAL_OAM_SUBNET | Enter the IP address for the subnet that is used for internal OAM connectivity between various components of the NFX250 device. | NFX250 |
| AUTO_DEPLOY_STAGE2_CONFIG | Specify whether the stage-2 configuration should be automatically deployed on the device during the ZTP workflow. | NFX250 |
| OOB_MGMT_ENABLED | Specify whether the out-of-band (OOB) management port of the device is being used for management connectivity or not. If you enable this field, a default route must be available through the OOB interface. If you disable this field, there is no connectivity through the OOB management port of the device and the stage-1 configuration that is generated includes a static default route. | NFX250 |
| S1_MODEL_HUGEPAGE_COUNT | Enter the number of 1-GB huge pages usable by the VNFs on an NFX250-S1 device with a total memory of 16 GB. | NFX250 |
| CONTROL_LINK_PORT_NAME | Enter the physical port name for the control link connection for a dual CPE setup. | NFX250 |
| FAB_LINK_PORT_NAME | Enter the physical port name for the fabric link connection for a dual CPE setup. | NFX250 |
| MAX_DVPN_TUNNELS_ON_SITE | Enter the maximum number of dynamic mesh tunnels that can be created at the tenant site. | NFX150, NFX250, SRX Series |
| MIN_DVPN_TUNNELS_TO_START_DEACTIVATE | Enter the minimum number of dynamic mesh tunnels at the tenant site after which the dynamic mesh tunnels are dynamically deleted. | NFX150, NFX250, SRX Series |
| WAN_PORT_NAMES | Specify the mapping of the physical or logical port names used for WAN side connectivity. You specify logical port names if you want to configure more than one WAN link on the same physical interface. The WAN links are connected from the same physical interface to the Provider Edge (PE) nodes through logical sub-interfaces with VLAN separation. | NFX250 |
| LAN_PORT_NAMES | Specify the mapping of the physical port names used for LAN side connectivity. | NFX250 |
| LAN_MEMBER_PORT_NAMES | Specify the physical ports on the dual CPE device that are used on the link aggregation group (LAG) interface connecting to the LAN-side switch. | NFX250 |
| GWR_CPU_PIN | Specify the physical CPUs to which the vCPUs of the vSRX (gateway router) should be pinned. Warning: We recommend that you do not modify the preconfigured CPU pinning values because these values are set based on Juniper's performance tests. | NFX250 |
| AUX_Subnets | Specify the IP subnets assigned to the three auxiliary ports on the gateway router to which VNFs can be attached. | NFX250 |
| LAN_Subnets | Specify the IP subnets assigned to the two LAN ports on the gateway router to which VNFs can be attached. | NFX250 |
| Login Security Settings | | |
| Login idle timeout (minutes) | Enter the time (in minutes) after which a session that is idle is timed out. | NFX250 |
| Login attempts before locking out | Enter the maximum number of unsuccessful login attempts allowed before the user account is locked. Range: 3 through 10. | NFX250 |
| Login lockout period in minutes | Enter the period (in minutes) for which the user account should be locked. Range: 1 through 43,200 minutes. | NFX250 |
| Login backoff factor in seconds | Specify the delay (in seconds) after each failed login attempt, which increases for each subsequent login attempt after the specified login backoff threshold. Range: 5 through 10. | NFX250 |
| Login backoff threshold | Specify the threshold for the number of failed login attempts after which each subsequent login attempt is delayed by the time specified in the login backoff factor. Range: 1 through 3. | NFX250 |
| Maximum time to enter password in seconds | Enter the maximum time allowed (in seconds) to enter a password to log in to the device after entering your username. Range: 20 through 300 seconds. | NFX250 |
| Maintenance user account | Enter the username of the user account to be used for maintenance activities (for example, troubleshooting) on the device. | NFX250 |
| Login Announcement | Specify the system login announcement, which is displayed after a user successfully logs in to the device. | NFX250 |
| Login Message | Specify the system login message, which is displayed before a user logs in to the device. | NFX250 |
| ZTP_ENABLED | Specify whether to enable ZTP for the device. | SRX Series Services Gateways |
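The interaction of the four Login Security Settings in Table 65 (attempts before lockout, lockout period, backoff factor, backoff threshold) is easier to judge with numbers. The following is an added example, not code from CSO or Junos OS: it validates a policy against the documented ranges and bounds how many password guesses one account can receive per day. The class and field names, the two sample policies, and the delay model (no delay below the threshold, then one more backoff factor per failure, counter reset after a lockout) are assumptions made for illustration.

```python
from dataclasses import dataclass

# Allowed ranges, copied from the Login Security Settings rows of Table 65.
RANGES = {
    "attempts_before_lockout": (3, 10),
    "lockout_minutes": (1, 43_200),
    "backoff_factor_s": (5, 10),
    "backoff_threshold": (1, 3),
}


@dataclass(frozen=True)
class LoginPolicy:
    attempts_before_lockout: int
    lockout_minutes: int
    backoff_factor_s: int
    backoff_threshold: int

    def validate(self):
        """Return one message per field that is outside its documented range."""
        errors = []
        for name, (low, high) in RANGES.items():
            value = getattr(self, name)
            if not low <= value <= high:
                errors.append(f"{name}={value} is outside {low}..{high}")
        return errors

    def delay_after_failure(self, failures):
        """Delay in seconds imposed after the given number of consecutive failures.

        Assumed model: no delay until the threshold is reached, then the delay
        grows by one backoff factor with every further failure.
        """
        if failures < self.backoff_threshold:
            return 0
        return self.backoff_factor_s * (failures - self.backoff_threshold + 1)

    def max_guesses(self, window_seconds=86_400):
        """Upper bound on password guesses against one account in the window.

        Assumes each guess is instantaneous, every guess fails, and the failure
        counter resets when the lockout period ends.
        """
        clock = guesses = failures = 0
        while clock < window_seconds:
            guesses += 1
            failures += 1
            if failures == self.attempts_before_lockout:
                clock += self.lockout_minutes * 60  # account is locked
                failures = 0
            else:
                clock += self.delay_after_failure(failures)
        return guesses


# Constructed sample policies at the two ends of the documented ranges.
WEAKEST = LoginPolicy(attempts_before_lockout=10, lockout_minutes=1,
                      backoff_factor_s=5, backoff_threshold=3)
STRICTEST = LoginPolicy(attempts_before_lockout=3, lockout_minutes=43_200,
                        backoff_factor_s=10, backoff_threshold=1)

if __name__ == "__main__":
    for label, policy in (("weakest", WEAKEST), ("strictest", STRICTEST)):
        print(label, policy.validate(), policy.max_guesses(), "guesses/day")
```

Under these assumptions the lockout period dominates the result: the backoff delays add up to minutes at most, while the lockout period can be set to as much as 30 days.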

Table 66: Fields on the Template Settings Page

| Name | Description |
| --- | --- |
| Customer Parameters | |
| AUTO_DEPLOY_STAGE2_CONFIG | Specify whether to automatically deploy stage-2 configuration at the end of the Zero Touch Provisioning (ZTP) workflow. Example: Enabled |
| ZTP_ENABLED | Specify whether to enable ZTP for the device. Note: This option is supported on SRX Series Services Gateways only. Example: Enabled |
| PRE_STAGED_CPE | Specify whether the CPE device is pre-staged with WAN configuration. Note: This option is supported on SRX Series Services Gateways only. Example: Enabled |
| ACTIVATION_CODE_ENABLED | Specify whether the customer must use an activation code to activate the CPE device. Example: Enabled |
| OOB_OAM_Port | Specify the name of the port used for out-of-band Operation, Administration, and Maintenance (OAM) traffic. This port is used in deployments where OAM and data traffic are on separate physical ports. Note: This option is supported on SRX Series Services Gateways only. Example: fxp0 |
| S2_MODEL_HUGEPAGE_COUNT | Specify the number of 1-GB huge pages to be used by the VNFs on an NFX250-S2 device with a total memory of 32 GB. Example: 21 |
| USE_SINGLE_SSH_TO_NFX | Specify whether to enable device-initiated connections (outbound SSH) with port-forwarding capability. Port forwarding enables Contrail Service Orchestration to manage an NFX250 device through a single IP address. Example: Enabled |
| S1_MODEL_HUGEPAGE_COUNT | Specify the number of 1-GB huge pages to be used by the VNFs on an NFX250-S1 device with a total memory of 16 GB. Example: 21 |
| VNF_OAM_TRANSLATED_PORT_START | Specify the first port number that can be used to expose a port on the gateway router's OAM or WAN interface through port translation. Use this option in cases where the VNF does not have its own OAM IP address from the in-band OAM network. |
| ENC_ROOT_PASSWORD | Specify the Junos OS root password to be set on an NFX250 device. Example: ***************** |
| WAN Port Names | Specify the mapping of Junos OS interface descriptors for the hardware ports. The RJ-45 port is the default port for the NFX250 device. You can change the default port if you want to use a different type of connector, such as SFP. |
| GWR_LAN_PORT | Specify the mapping of the gateway router's LAN port names to the corresponding front panel physical port names on the NFX250 device. Currently, the logical ports are created on the ge-0/0/4 interface. |
| JCP_LAN_PORT_NAMES | Specify the port names from LAN_0 through LAN_9. |
| GWR_LAN_PORT_NAMES | Specify the port names from LAN_0 through LAN_9. |
| LAN_PORT_NAMES | Specify the port names from LAN_0 through LAN_10. |
| CONTROL_LINK_PORT_NAME | Enter the physical port name for the control link connection. Example: xe-0/0/12 |
| FAB_LINK_PORT_NAME | Enter the physical port name for the fabric link connection. Example: xe-0/0/13 |
| OOB_MGMT_ENABLED | Specify whether to use the out-of-band (OOB) management port of the device for management connectivity. If the field is enabled, a default route will be available through this interface. If the field is disabled, there is no connectivity through the OOB management port of the device and the stage-1 configuration that is generated will include a static default route. |
| AUTO_INSTALL_LICENSE_TO_DEVICE | Click the toggle button to enable automatic installation of the license on the CPE device at the end of the ZTP workflow. |
| GWR_VSRX_IMAGE_LOCAL_FILE_PATH | Enter the local path of the vSRX image that is installed on the NFX250 device. The image file is required when the gateway router VM is created. If this parameter is not set, or if the file is not present on the NFX250 device, then a vSRX image is downloaded from the CSO file server to the NFX250 device. Example: ./var/third-party/images/*vsrx*-15.1X*.qcow2 |
| GWR_VSRX_IMAGE_CNAME_IN_CSO | Enter the name of the vSRX image uploaded into the Image Management Service in CSO. When creating the gateway VM, if the vSRX image file is not present locally, then the image with this name is downloaded to the NFX250 device. |
| INTERNAL_OAM_SUBNET | Enter the IP address for the subnet that is used for internal OAM. |
| ADSL_VPI | Enter the Virtual Path Identifier (VPI) setting to connect to the ADSL service provider through PPPoE. Example: 8 |
| ADSL_ENCAP | Enter the encapsulation that is used to connect to the ADSL service provider through PPPoA. Example: llcsnap-bridged-802.1q |
| ADSL_VCI | Enter the VCI (Virtual Channel Identifier) setting to connect to the ADSL service provider through PPPoE. Example: 36 |
| DSL_VLAN | Enter the reserved internal VLAN ID to be used as the native-vlan-id on xDSL ports to ensure that untagged control frames are processed. Example: 4087 |
| CLUSTER_OFFSET | Enter the cluster slot number for the designated secondary node. |

Table 67: Fields on the Template Settings Page for SRX4100 and SRX4200 Device Templates

| Field Name | Description |
| --- | --- |
| SSH Settings | |
| Prevent root login via SSH? | Click the toggle button to enable root login through SSH. Root login through SSH is disabled by default. |
| Restrict SSH access to be from CSO only | Click the toggle button to restrict SSH access only to connections from Contrail Service Orchestration (CSO). Default: Disabled |
| Max number of SSH connections allowed at any time | Enter the maximum number of concurrent SSH connections to be allowed. Range: 1 through 250. Default: 50 |
| Max number of SSH connections allowed per minute | Enter the maximum number of SSH connections allowed per minute. Range: 1 through 250. Default: 50 |
| Max number of sessions per SSH connection | Enter the maximum number of sessions per SSH connection. Range: 1 through 65535. Default: 50 |
| Policer Settings | |
| Bandwidth limit for ICMP traffic towards the device | Enter the bandwidth limit, in bits per second (bps), for Internet Control Message Protocol (ICMP) traffic towards the device. Default: 1m |
| Burst-size limit for ICMP traffic towards the device | Enter the burst-size limit, in bytes, for ICMP traffic towards the device. Default: 2k |
| Bandwidth limit for trace-route traffic towards the device | Enter the bandwidth limit, in bits per second (bps), for traceroute traffic towards the device. Default: 1m |
| Burst-size limit for trace-route traffic towards the device | Enter the burst-size limit, in bytes, for traceroute traffic towards the device. Default: 15k |
| Bandwidth limit for DHCP traffic towards the device | Enter the bandwidth limit, in bits per second (bps), for Dynamic Host Configuration Protocol (DHCP) traffic towards the device. Default: 1m |
| Burst-size limit for DHCP traffic towards the device | Enter the burst-size limit, in bytes, for DHCP traffic towards the device. Default: 15k |
| Bandwidth limit for DNS traffic towards the device | Enter the bandwidth limit, in bits per second (bps), for Domain Name System (DNS) traffic towards the device. Default: 1m |
| Burst-size limit for DNS traffic towards the device | Enter the burst-size limit, in bytes, for DNS traffic towards the device. Default: 15k |
| Log Rotation Settings | |
| Max size (MB) for log files | Enter the maximum size of the log file, in megabytes (MB). Default: 10 |
| Max number of log files | Enter the maximum number of log files. Default: 10 |
| Feature Level Access Settings | |
| Allow TACACS access | Click the toggle button to enable TACACS communication. By default, TACACS communication is disabled. |
| Allow SNMP access | Click the toggle button to enable SNMP communication. By default, SNMP communication is disabled. |
| Customer Parameters | |
| AUTO_INSTALL_LICENSE_TO_DEVICE | Click the toggle button to enable automatic installation of the license file on the CPE device when the ZTP workflow ends. Default: Disabled |
| AUTO_INSTALL_DEFAULT_TRUSTED_CERTS_TO_DEVICE | Click the toggle button to disable automatic installation of default trusted certificates on the CPE device when the ZTP workflow ends. Default: Enabled |
| ZTP_ENABLED | Specify whether to enable ZTP for the device. |
| ENC_ROOT_PASSWORD | Specify the Junos OS-encrypted root password to be set on the CPE device. |
| ACTIVATION_CODE_ENABLED | Click the toggle button to enable the tenant to use an activation code to activate the CPE device. Default: Disabled |
| CLUSTER_OFFSET | Enter the cluster slot number for the designated secondary node. |
| AUTO_DEPLOY_STAGE2_CONFIG | Click the toggle button to enable automatic deployment of stage-2 configuration when the ZTP workflow ends. Default: Disabled |
| OOB_OAM_PORT | Enter the port number for out-of-band Operation, Administration, and Maintenance (OAM) traffic. This port is used in deployments where OAM and data traffic are on separate physical ports. Note: This option is supported only on SRX Series Services Gateways. Default: fxp0 |
| MAX_DVPN_TUNNELS_ON_SITE | Enter the maximum number of site-to-site dynamic mesh tunnels that can be created at a site. Beyond this number, site-to-site tunnels are no longer created and traffic goes through the hub. |
| MIN_DVPN_TUNNELS_TO_START_DEACTIVATE | Enter the minimum number of site-to-site dynamic mesh tunnels that must be present at a site to start deactivating the inactive site-to-site tunnels. |
| WAN_PORT_NAMES | Specify the mapping of the physical or logical port names used for WAN side connectivity. You specify logical port names if you want to configure more than one WAN link on the same physical interface. The WAN links are connected from the same physical interface to the Provider Edge (PE) nodes through logical sub-interfaces with VLAN separation. WAN_0, WAN_1, WAN_2, WAN_3 |
| WAN_MEMBER_PORT_NAMES | In case of dual CPE devices, specify the mapping of the physical or logical port names used for WAN side connectivity. You specify logical port names if you want to configure more than one WAN link on the same physical interface. The WAN links are connected from the same physical interface to the Provider Edge (PE) nodes through logical sub-interfaces with VLAN separation. WAN_0, WAN_1, WAN_2, WAN_3 |
| LAN_PORT_NAMES | Enter the names of the physical interfaces for the ports that are used to connect to LAN side devices. LAN_0: xe-0/0/0; LAN_1: xe-0/0/1; LAN_2: xe-0/0/2; LAN_3: xe-0/0/3; LAN_4: xe-0/0/4; LAN_5: xe-0/0/5; LAN_6: xe-0/0/6; LAN_7: xe-0/0/7 |
| LAN_MEMBER_PORT_NAMES | In case of dual-CPE devices, enter the names of the physical interfaces for the ports that are used to connect to the LAN-side switch. LAN_0_0: xe-0/0/2; LAN_0_1: xe-0/0/3; LAN_0_2: xe-0/0/4; LAN_0_3: xe-0/0/5 |
| Login Security Settings | |
| Idle timeout (minutes) | Enter the maximum time (in minutes) that a session can be idle before the user is logged out of the system. |
| Attempts before locking out | Enter the maximum number of unsuccessful login attempts allowed before the account is locked. Range: 3 to 10 |
| Lockout period in minutes | Enter the number of minutes an account must remain locked after the maximum number of unsuccessful login attempts. Range: 1 to 43,200 |
| Backoff factor in seconds | Enter the length of delay (in seconds) after each failed login attempt. The length of delay increases by this value for each subsequent login attempt after the value specified in the backoff-threshold option. Range: 5 to 10 |
| Backoff threshold | Enter the threshold for the number of failed login attempts before the user experiences a delay when attempting to reenter a password. Range: 1 to 3 |
| Maximum time to enter password in seconds | Enter the maximum time allowed (in seconds) to enter a password to log in to the device after entering your username. Range: 20 to 300 |
| Maintenance user account | Enter the name of a maintenance user account to be created on the device. The maintenance user account is used by maintenance personnel for troubleshooting when required. |
| Announcement | Enter the system login announcement, which is displayed after a user successfully logs in to the device. |
| Message | Enter the system login message, which is displayed when a user logs in to the device. |
| RESERVED_MEMBER_PORT_NAMES | Enter the port names of the two 1-Gigabit Ethernet/10-Gigabit Ethernet ports, CTL (control port) and FAB (fabric port), to be used for synchronizing data and maintaining state information in a chassis cluster setup. PORT_0_0: xe-0/0/6; PORT_0_1: xe-0/0/7 |
| RESERVED_SUBNETS | Enter the IP addresses of the reserved subnets that are used for system logs. NODE_0: 10.10.12.0/24; NODE_1: 10.10.13.0/24 |
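To see what a bandwidth limit and a burst-size limit from the Policer Settings rows do to traffic aimed at the device, the following added example (not code from CSO or Junos OS) models a policer as a single-rate token bucket and offers it a constant packet stream, using the Table 67 defaults 1m/2k (ICMP) and 1m/15k (DNS). The function and class names, the decimal meaning of the k/m/g suffixes, the token-bucket model itself, and the 100-byte packet streams are assumptions made for illustration.

```python
# One token unit is a millionth of a bit, so a rate of N bps adds exactly
# N units per microsecond and all arithmetic stays in integers.
UNITS_PER_BYTE = 8_000_000


def parse_junos_number(text):
    """Convert '1m' -> 1000000, '15k' -> 15000 (decimal suffixes assumed)."""
    suffixes = {"k": 1_000, "m": 1_000_000, "g": 1_000_000_000}
    text = text.strip().lower()
    if text and text[-1] in suffixes:
        return int(text[:-1]) * suffixes[text[-1]]
    return int(text)


class Policer:
    """Token bucket: depth is the burst size, refill rate is the bandwidth limit."""

    def __init__(self, bandwidth_limit, burst_size_limit):
        self.rate = parse_junos_number(bandwidth_limit)          # units per microsecond
        self.depth = parse_junos_number(burst_size_limit) * UNITS_PER_BYTE
        self.tokens = self.depth                                 # bucket starts full
        self.last_us = 0

    def allow(self, now_us, packet_bytes):
        """Refill for the elapsed time, then pass the packet if tokens suffice."""
        elapsed = now_us - self.last_us
        self.tokens = min(self.depth, self.tokens + elapsed * self.rate)
        self.last_us = now_us
        cost = packet_bytes * UNITS_PER_BYTE
        if cost <= self.tokens:
            self.tokens -= cost
            return True
        return False


def simulate(policer, packets_per_second, packet_bytes, seconds):
    """Offer a constant-rate stream and return (passed, dropped)."""
    passed = dropped = 0
    for i in range(packets_per_second * seconds):
        now_us = i * 1_000_000 // packets_per_second
        if policer.allow(now_us, packet_bytes):
            passed += 1
        else:
            dropped += 1
    return passed, dropped


if __name__ == "__main__":
    # Constructed streams of 100-byte packets: 0.8 Mbps and 8 Mbps for 10 seconds.
    print("ICMP 1m/2k, 0.8 Mbps:", simulate(Policer("1m", "2k"), 1_000, 100, 10))
    print("ICMP 1m/2k, 8 Mbps:  ", simulate(Policer("1m", "2k"), 10_000, 100, 10))
    print("DNS 1m/15k, 8 Mbps:  ", simulate(Policer("1m", "15k"), 10_000, 100, 10))
```

In this model the burst size only decides how many packets pass back to back before the bandwidth limit takes over; the sustained rate that reaches the device is the same for both defaults.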