[Contents] [Prev] [Next] [Index] [Report an Error]

Configuring the Router Running the JUNOS Software for Outbound SSH

To configure the router for outbound SSH:

At the [edit system services ssh] hierarchy level, set the SSH protocol to v2:[edit system services ssh] user@host# set protocol-version v2
Generate or obtain a public/private key pair for the router. This key pair will be used to encrypt the data transferred across the SSH connection. For more information on generating key pairs, see the System Basics Configuration Guide.
If the public key will be installed on the configuration management server manually, transfer the public key to the configuration management server.
Add the following outbound-ssh statement at the [edit system services] hierarchy level:[edit system services] outbound-ssh { client client-id { device-id device-id; secret secret; keep-alive { retry number; timeout number; } reconnect-strategy (sticky | in-order); services netconf; [ address ] { port destination-port; retry number; timeout number; } } traceoptions { file filename { files files; size size; match match; (world-readable | no- world-readable) ; } flag (all | configuration | connectivity ); no-remote-trace; } }
The attributes are as follows:
- client client-id—outbound-ssh configuration stanza on the router. Each outbound-ssh stanza represents a single outbound SSH connection. This attribute is not sent to the client.
  device-id device-id—Unique ID identifying the router running the JUNOS software to the configuration management server during the initiation process.
- secret secret—(Optional) Public SSH host key of the router running the JUNOS software. If added to the outbound-ssh statement, during the initialization of the outbound SSH service, the JUNOS device passes its public key to the configuration management server. This is the recommended method of maintaining a current copy of the router's public key on the configuration management server.
- keep-alive—(Optional) Specify that keepalive messages be sent from the router to the configuration management server. To configure the keepalive message, you must set both the timeout and retry attributes.
  - retry number—Number of keepalive messages the JUNOS device sends without receiving a response from the configuration management server before the current SSH connection is terminated. The default is three tries.
  - timeout seconds—Amount of time, in seconds, that the JUNOS server waits for data before sending a keepalive signal. The default is 15 seconds.
- reconnect-strategy (sticky | in-order)—(Optional) Method the JUNOS router uses to reestablish a disconnected outbound SSH connection. Two methods are available:
  - sticky—The router attempts to reconnect to the configuration management server that it was last connected to. If the connection is unavailable, the router attempts to establish a connection with the next client on the configuration management server list and so forth until a connection is established.
  - in-order—The router attempt to establish an outbound SSH session based on the configuration management server address list. The router attempts to establish a session with the first server on the list. If this connection is not available, the router attempts to establish a session with the next server, and so on down the list until a connection is established.
  When reconnecting to a configuration management server, the router attempts to reconnect to the configuration management server based on the retry and timeout values for each client listed in the configuration management server list.
- services netconf—Services available for the session. Currently, NETCONF is the only service available.
- address—The client management server list. List the host name or the IPv4 address along with the following connection parameters for each client management server:
  - port destination-port—Outbound SSH port for the client. The default is port 22.
  - retry number– Number of times the router attempts to establish an outbound SSH connection before gving up. The default is 3 tries.
  - timeout seconds—Amount of time, in seconds, that the router attempts to establish an outbound SSH connection before giving up. The default is 15 seconds.
- file filemane—(Optional) File name of the log file used to record the trace options. By default it is the name of the traced process is the traced process. (for example mib2d or snmpd). Use this option to override the default value.
- files files—(Optional) Maximum number of trace files generated. By default, the maximum number of trace files is 10. Use this option to override the default value.
  When a trace file reaches its maximum size, the system archives the file and starts a new file. The system archives trace files by appending a number to the file name in sequential order from 1 to the maximum value (specified by the default value or the options value set here). Once the maximum value is reached, the numbering sequence is restarted at 1, overwriting the older file.
- size size—(Optional) The maximum size of the trace file in kilobytes (KB). Once the maximum file size is reached, the system will archive the file.The default value is 1000 KB. Use this option to override the default value.
- match match—(Optional) Add lines to the trace file that match the the regular expression specified. For example, if the match value is set to =error, the system will only record lines to the trace file that include the string error.
- (world-readable | no-world-readable)—(Optional) This option specifies whether the files are accessible by the originator of the trace operation only or by any user. By default, log files are only accessible by the user that started the trace operation (no-world-readable). Use this option to override the default value.
- (all | configuration | connectivity)—(Optional) Flag specifying the type of tracing operation to perform.
  - all—Log all events.
  - configuration—Log all events pertaining to the configuration of the router.
  - connectivity—Log all events pertaining to the establishment of a connection between the client server and the router.
- no-remote-trace—(Optional) Disables remote tracing.
Commit the configuration:[edit] user@host# commit

[Contents] [Prev] [Next] [Index] [Report an Error]