services (System Services)
Syntax
services {
bbe-stats-service { }
database-replication {
traceoptions {
file< filename><files files><match match><size size><(world-readable | no-world-readable)>;
flag name;
no-remote-trace;
}
}
dhcp {
boot-file boot-file;
boot-server boot-server;
default-lease-time(infinite | length);
domain-name domain-name;
domain-search name;
maximum-lease-time(infinite | length);
name-server name;
next-server next-server;
option name {
array {
(byte [ byte ... ] | flag(false | off | on | true) | integer [ integer ... ] | ip-address [ ip-address ... ] | short [ short ... ] | string string | unsigned-integer [ unsigned-integer ... ] | unsigned-short [ unsigned-short ... ]);
}
byte byte;
byte-stream byte-stream;
flag(false | off | on | true);
integer integer;
ip-address ip-address;
short short;
string string;
unsigned-integer unsigned-integer;
unsigned-short unsigned-short;
}
pool name {
address-rangehigh highlow low;
boot-file boot-file;
boot-server boot-server;
default-lease-time(infinite | length);
domain-name domain-name;
domain-search name;
exclude-address name;
maximum-lease-time(infinite | length);
name-server name;
next-server next-server;
option name {
array {
(byte [ byte ... ] | flag(false | off | on | true) | integer [ integer ... ] | ip-address [ ip-address ... ] | short [ short ... ] | string string | unsigned-integer [ unsigned-integer ... ] | unsigned-short [ unsigned-short ... ]);
}
byte byte;
byte-stream byte-stream;
flag(false | off | on | true);
integer integer;
ip-address ip-address;
short short;
string string;
unsigned-integer unsigned-integer;
unsigned-short unsigned-short;
}
router name;
server-identifier server-identifier;
sip-server {
address name;
name name;
}
wins-server name;
}
router name;
server-identifier server-identifier;
sip-server {
address name;
name name;
}
static-binding name {..}
wins-server name;
}
traceoptions {
file< filename><files files><match match><size size><(world-readable | no-world-readable)>;
flag name;
level(all | error | info | notice | verbose | warning);
no-remote-trace;
}
wins-server name;
}
dhcp-local-server {
(requested-ip-interface-match | requested-ip-network-match requested-ip-network-match);
access-profile access-profile;
active-leasequery {
idle-timeout seconds;
peer-address name;
timeout seconds;
topology-discover;
}
allow-active-leasequery {
idle-timeout seconds;
timeout seconds;
}
allow-bulk-leasequery {
max-connections max-connections;
max-empty-replies seconds;
restricted-requestor;
timeout seconds;
}
allow-leasequery {
restricted-requestor;
}
authentication {..}
}
}
dhcpv6 {
(requested-ip-interface-match | requested-ip-network-match requested-ip-network-match);
access-profile access-profile;
active-leasequery {
idle-timeout seconds;
peer-address name;
timeout seconds;
topology-discover;
}
allow-active-leasequery {
idle-timeout seconds;
timeout seconds;
}
allow-bulk-leasequery {
max-connections max-connections;
max-empty-replies seconds;
restricted-requestor;
timeout seconds;
}
allow-leasequery {
restricted-requestor;
}
authentication {
password password;
username-include {
circuit-type;
client-id<exclude-headers><use-automatic-ascii-hex-encoding>;
delimiter delimiter;
domain-name domain-name;
interface-description(device | logical);
interface-name;
logical-system-name;
mac-address;
relay-agent-interface-id;
relay-agent-remote-id {}
relay-agent-subscriber-id;
routing-instance-name;
user-prefix user-prefix;
vlan-tags;
}
}
duplicate-clientsincoming-interface;
dynamic-profile dynamic-profile(aggregate-clients(merge | replace) | use-primary use-primary);
dynamic-server {
group name {
interface name {
overrides {..}
delegated-pool delegated-pool;
ia-na-pool ia-na-pool;
interface-client-limit interface-client-limit;
process-inform {
pool pool;
}
rapid-commit;
}
}
neighbor-discovery-router-advertisement neighbor-discovery-router-advertisement;
overrides {..}
delegated-pool delegated-pool;
ia-na-pool ia-na-pool;
interface-client-limit interface-client-limit;
process-inform {
pool pool;
}
rapid-commit;
}
}
overrides {..}
delegated-pool delegated-pool;
ia-na-pool ia-na-pool;
interface-client-limit interface-client-limit;
process-inform {
pool pool;
}
rapid-commit;
}
}
forward-snooped-clients(all-interfaces | configured-interfaces | non-configured-interfaces);
group name {
access-profile access-profile;
authentication {..}
dynamic-profile dynamic-profile(aggregate-clients(merge | replace) | use-primary use-primary);
interface name {
access-profile access-profile;
dynamic-profile dynamic-profile(aggregate-clients(merge | replace) | use-primary use-primary);
exclude;
overrides {..}
delegated-pool delegated-pool;
delete-binding-on-renegotiation;
dual-stack dual-stack;
interface-client-limit interface-client-limit;
multi-address-embedded-option-response;
process-inform {
pool pool;
}
protocol-attributes protocol-attributes;
rapid-commit;
top-level-status-code;
}
service-profile service-profile;
short-cycle-protection<lockout-max-time lockout-max-time><lockout-min-time lockout-min-time>;
trace;
upto upto;
}
interface-tag name {
access-profile access-profile;
dynamic-profile dynamic-profile(aggregate-clients(merge | replace) | use-primary use-primary);
overrides {..}
delegated-pool delegated-pool;
delete-binding-on-renegotiation;
dual-stack dual-stack;
interface-client-limit interface-client-limit;
multi-address-embedded-option-response;
process-inform {
pool pool;
}
protocol-attributes protocol-attributes;
rapid-commit;
top-level-status-code;
}
service-profile service-profile;
short-cycle-protection<lockout-max-time lockout-max-time><lockout-min-time lockout-min-time>;
}
lease-time-validation {
lease-time-threshold seconds;
violation-action(override-lease | strict);
}
liveness-detection {
failure-action(clear-binding | clear-binding-if-interface-up | log-only);
method {
bfd {
no-adaptation;
detection-time {
threshold milliseconds;
}
holddown-interval milliseconds;
inline-disable;
minimum-interval milliseconds;
minimum-receive-interval milliseconds;
multiplier multiplier;
pdu-size pdu-size;
session-mode(automatic | multihop | single-hop);
transmit-interval {
minimum-interval milliseconds;
threshold milliseconds;
}
version(0 | 1 | automatic);
}
layer2-liveness-detection {
max-consecutive-retries max-consecutive-retries;
transmit-interval seconds;
}
}
}
overrides {..}
delegated-pool delegated-pool;
delete-binding-on-renegotiation;
dual-stack dual-stack;
interface-client-limit interface-client-limit;
multi-address-embedded-option-response;
process-inform {
pool pool;
}
protocol-attributes protocol-attributes;
rapid-commit;
top-level-status-code;
}
reauthenticate<lease-renewal><remote-id-mismatch>;
reconfigure {
attempts attempts;
clear-on-abort;
strict;
support-option-pd-exclude;
timeout timeout;
token token;
trigger {
radius-disconnect;
}
}
remote-id-mismatch {
disconnect;
}
route-suppression<access><access-internal>;
service-profile service-profile;
short-cycle-protection<lockout-max-time lockout-max-time><lockout-min-time lockout-min-time>;
}
lease-time-validation {
lease-time-threshold seconds;
violation-action(override-lease | strict);
}
liveness-detection {
failure-action(clear-binding | clear-binding-if-interface-up | log-only);
method {
bfd {
no-adaptation;
detection-time {
threshold milliseconds;
}
holddown-interval milliseconds;
inline-disable;
minimum-interval milliseconds;
minimum-receive-interval milliseconds;
multiplier multiplier;
pdu-size pdu-size;
session-mode(automatic | multihop | single-hop);
transmit-interval {
minimum-interval milliseconds;
threshold milliseconds;
}
version(0 | 1 | automatic);
}
layer2-liveness-detection {
max-consecutive-retries max-consecutive-retries;
transmit-interval seconds;
}
}
}
no-snoop;
overrides {..}
delegated-pool delegated-pool;
delete-binding-on-renegotiation;
dual-stack dual-stack;
interface-client-limit interface-client-limit;
multi-address-embedded-option-response;
process-inform {
pool pool;
}
protocol-attributes protocol-attributes;
rapid-commit;
top-level-status-code;
}
persistent-storageautomatic;
reauthenticate<lease-renewal><remote-id-mismatch>;
reconfigure {
attempts attempts;
clear-on-abort;
strict;
support-option-pd-exclude;
timeout timeout;
token token;
trigger {
radius-disconnect;
}
}
remote-id-mismatch {
disconnect;
}
route-suppression<access><access-internal>;
server-duid-type {
duid_ll;
}
service-profile service-profile;
short-cycle-protection<lockout-max-time lockout-max-time><lockout-min-time lockout-min-time>;
}
dual-stack-group name {
access-profile access-profile;
authentication {..}
}
classification-key {
circuit-id;
mac-address;
remote-id;
}
dual-stack-interface-client-limit dual-stack-interface-client-limit;
dynamic-profile dynamic-profile(aggregate-clients(merge | replace) | use-primary use-primary);
liveness-detection {
failure-action(clear-binding | clear-binding-if-interface-up | log-only);
method {
layer2-liveness-detection {
max-consecutive-retries max-consecutive-retries;
transmit-interval seconds;
}
}
}
on-demand-address-allocation;
protocol-master(inet | inet6);
reauthenticate<lease-renewal><remote-id-mismatch>;
service-profile service-profile;
short-cycle-protection<lockout-max-time lockout-max-time><lockout-min-time lockout-min-time>;
}
duplicate-clients-in-subnet(incoming-interface | option-82);
dynamic-profile dynamic-profile(aggregate-clients(merge | replace) | use-primary use-primary);
forward-snooped-clients(all-interfaces | configured-interfaces | non-configured-interfaces);
group name {
access-profile access-profile;
authentication {..}
dynamic-profile dynamic-profile(aggregate-clients(merge | replace) | use-primary use-primary);
interface name {
access-profile access-profile;
dynamic-profile dynamic-profile(aggregate-clients(merge | replace) | use-primary use-primary);
exclude;
overrides(dhcp-relay-agent) {..}
delete-binding-on-renegotiation;
dual-stack dual-stack;
include-option-82 {
forcerenew;
nak;
}
interface-client-limit interface-client-limit;
process-inform {
pool pool;
}
protocol-attributes protocol-attributes;
}
service-profile service-profile;
short-cycle-protection<lockout-max-time lockout-max-time><lockout-min-time lockout-min-time>;
trace;
upto upto;
}
interface-tag name {
access-profile access-profile;
dynamic-profile dynamic-profile(aggregate-clients(merge | replace) | use-primary use-primary);
overrides(dhcp-relay-agent) {..}
delete-binding-on-renegotiation;
dual-stack dual-stack;
include-option-82 {
forcerenew;
nak;
}
interface-client-limit interface-client-limit;
process-inform {
pool pool;
}
protocol-attributes protocol-attributes;
}
service-profile service-profile;
short-cycle-protection<lockout-max-time lockout-max-time><lockout-min-time lockout-min-time>;
}
lease-time-validation {
lease-time-threshold seconds;
violation-action(override-lease | strict);
}
liveness-detection {
failure-action(clear-binding | clear-binding-if-interface-up | log-only);
method {
bfd {
no-adaptation;
detection-time {
threshold milliseconds;
}
holddown-interval milliseconds;
inline-disable;
minimum-interval milliseconds;
minimum-receive-interval milliseconds;
multiplier multiplier;
pdu-size pdu-size;
session-mode(automatic | multihop | single-hop);
transmit-interval {
minimum-interval milliseconds;
threshold milliseconds;
}
version(0 | 1 | automatic);
}
layer2-liveness-detection {
max-consecutive-retries max-consecutive-retries;
transmit-interval seconds;
}
}
}
overrides {
allow-no-end-option;
asymmetric-lease-time seconds;
bootp-support;
client-discover-match(incoming-interface | option60-and-option82);
delay-offer {
based-on {
option-60 {
equals {
ascii name;
hexadecimal name;
}
not-equals {
ascii name;
hexadecimal name;
}
starts-with {
ascii name;
hexadecimal name;
}
}
option-77 {
equals {
ascii name;
hexadecimal name;
}
not-equals {
ascii name;
hexadecimal name;
}
starts-with {
ascii name;
hexadecimal name;
}
}
option-82 {
equals {
ascii name;
hexadecimal name;
}
not-equals {
ascii name;
hexadecimal name;
}
starts-with {
ascii name;
hexadecimal name;
}
}
}
delay-time seconds;
}
delete-binding-on-renegotiation;
dual-stack dual-stack;
include-option-82 {
forcerenew;
nak;
}
interface-client-limit interface-client-limit;
process-inform {
pool pool;
}
protocol-attributes protocol-attributes;
}
reauthenticate<actual-data-rate-change<actual-data-rate-downstream<threshold threshold>><actual-data-rate-upstream<threshold threshold>>><lease-renewal><remote-id-mismatch>;
reconfigure {
attempts attempts;
clear-on-abort;
support-option-pd-exclude;
timeout timeout;
token token;
trigger {
radius-disconnect;
}
}
remote-id-mismatch {
disconnect;
}
route-suppression {
(access-internal | destination);
}
service-profile service-profile;
short-cycle-protection<lockout-max-time lockout-max-time><lockout-min-time lockout-min-time>;
}
lease-time-validation {
lease-time-threshold seconds;
violation-action(override-lease | strict);
}
liveness-detection {
failure-action(clear-binding | clear-binding-if-interface-up | log-only);
method {
bfd {
no-adaptation;
detection-time {
threshold milliseconds;
}
holddown-interval milliseconds;
inline-disable;
minimum-interval milliseconds;
minimum-receive-interval milliseconds;
multiplier multiplier;
pdu-size pdu-size;
session-mode(automatic | multihop | single-hop);
transmit-interval {
minimum-interval milliseconds;
threshold milliseconds;
}
version(0 | 1 | automatic);
}
layer2-liveness-detection {
max-consecutive-retries max-consecutive-retries;
transmit-interval seconds;
}
}
}
no-snoop;
overrides (dhcp-relay-agent) {..}
delete-binding-on-renegotiation;
dual-stack dual-stack;
include-option-82 {
forcerenew;
nak;
}
interface-client-limit interface-client-limit;
process-inform {
pool pool;
}
protocol-attributes protocol-attributes;
}
persistent-storageautomatic;
pool-match-order name;
reauthenticate<actual-data-rate-change<actual-data-rate-downstream<threshold threshold>><actual-data-rate-upstream<threshold threshold>>><lease-renewal><remote-id-mismatch>;
reconfigure {
attempts attempts;
clear-on-abort;
support-option-pd-exclude;
timeout timeout;
token token;
trigger {
radius-disconnect;
}
}
remote-id-mismatch {
disconnect;
}
route-suppression {
(access-internal | destination);
}
service-profile service-profile;
short-cycle-protection<lockout-max-time lockout-max-time><lockout-min-time lockout-min-time>;
}
dns {
dnssec {..}
}
forwarders name;
max-cache-ttl seconds;
max-ncache-ttl seconds;
traceoptions {
category name;
debug-level debug-level;
file< filename><files files><size size><(world-readable | no-world-readable)>;
no-remote-trace;
}
}
dtcp-only;
extension-service {
notification {
allow-clients {
address [ address ... ];
}
broker-socket-send-buffer-size broker-socket-send-buffer-size;
max-connections max-connections;
port port;
}
remote-telemetry-service {
host host;
password password;
port port;
user user;
}
request-response {
grpc {
ssl {
address address;
hot-reloading;
local-certificate [ local-certificate ... ];
mutual-authentication {
certificate-authority certificate-authority;
client-certificate-request(no-certificate | request-certificate | request-certificate-and-verify | require-certificate | require-certificate-and-verify);
}
port port;
use-pki;
}
max-connections max-connections;
routing-instance routing-instance;
}
}
traceoptions {
file< filename><files files><match match><size size><(world-readable | no-world-readable)>;
flag name;
levelerror;
no-remote-trace;
}
}
finger {
connection-limit connections;
rate-limit connections per minute;
}
flow-tap-dtcp {
ssh {
connection-limit connections;
rate-limit connections per minute;
}
}
ftp {
authentication-order(one-time-password | otp-md4 | password | radius | tacplus);
connection-limit connections;
rate-limit connections per minute;
}
grpc-tunnel {
servers {
retry-interval seconds;
server name {
address address;
credentials {
tls {
ca-profiles [ ca-profiles ... ];
certificate-id certificate-id;
}
}
port port;
routing-instance routing-instance;
source-address source-address;
targets(gnmi-gnoi | netconf-ssh | ssh);
}
}
target-string-option {
custom-string custom-string;
delimiter delimiter;
pattern(custom | hostname | model | vendor | version);
}
traceoptions {
file< filename><files files><match match><size size><(world-readable | no-world-readable)>;
flag name;
level(all | error | info | notice | verbose | warning);
no-remote-trace;
}
}
jeb {
max-seed-size max-seed-size;
port port;
rbg(default-rng | hmac-drbg | jrbc);
tls {
cert-bundle cert-bundle;
certificate certificate;
key key;
}
}
netconf {
flatten-commit-results;
hello-message {
yang-module-capabilities {
advertise-custom-yang-modules;
advertise-native-yang-modules;
advertise-standard-yang-modules;
}
}
netconf-monitoring {
netconf-state-schemas {
retrieve-custom-yang-modules;
retrieve-standard-yang-modules;
}
}
notification {
interleave;
}
rfc-compliant;
ssh {
client-alive-count-max client-alive-count-max;
client-alive-interval seconds;
connection-limit connections;
port port;
rate-limit connections per minute;
}
tls {
client-identity name {
fingerprint fingerprint;
map-type(san-dirname-cn | specified);
username username;
}
default-client-identity {
map-type(san-dirname-cn | specified);
username username;
}
local-certificate local-certificate;
traceoptions {
file< filename><files files><match match><size size><(world-readable | no-world-readable)>;
flag name;
level(all | error | info | notice | verbose | warning);
no-remote-trace;
}
}
traceoptions {
file< filename><files files><match match><size size><(world-readable | no-world-readable)>;
flag name;
no-remote-trace;
on-demand;
}
unified {
unhide;
}
yang-compliant;
yang-modules {
device-specific;
emit-anyxml-in-rpc-output;
emit-extensions;
emit-family-ns-and-module-name;
}
}
netproxy;
outbound-https {
client name {
device-id device-id;
reconnect-strategy(in-order | sticky);
secret secret;
servers name {
port port;
trusted-cert trusted-cert;
}
waittime waittime;
}
}
resource-monitor {
free-fw-memory-watermark percentage;
free-heap-memory-watermark percentage;
free-nh-memory-watermark percentage;
high-cos-queue-threshold percentage;
high-threshold percentage;
no-load-throttle;
no-logging;
no-throttle;
no-usage-update;
resource-categoryjtree {
resource-type(contiguous-pages | free-dwords | free-pages) {
high-watermark high-watermark;
low-watermark low-watermark;
}
}
subscribers-limit {
client-type(any | dhcp | l2tp | pppoe) {
chassis {
limit limit;
}
fpc name {
limit limit;
pic name {
limit limit;
port name {
limit limit;
}
}
}
}
}
traceoptions {
file< filename><files files><match match><size size><(world-readable | no-world-readable)>;
flag name;
no-remote-trace;
}
}
rest {
control {
allowed-sources [ allowed-sources ... ];
connection-limit connection-limit;
}
enable-explorer;
http {
addresses [ addresses ... ];
port port;
}
https {
addresses [ addresses ... ];
ca-chain ca-chain;
cipher-list(dhe-rsa-with-3des-ede-cbc-sha | dhe-rsa-with-aes-128-cbc-sha | dhe-rsa-with-aes-128-cbc-sha256 | dhe-rsa-with-aes-128-gcm-sha256 | dhe-rsa-with-aes-256-cbc-sha | dhe-rsa-with-aes-256-cbc-sha256 | dhe-rsa-with-aes-256-gcm-sha384 | ecdhe-rsa-with-3des-ede-cbc-sha | ecdhe-rsa-with-aes-128-cbc-sha | ecdhe-rsa-with-aes-128-cbc-sha256 | ecdhe-rsa-with-aes-128-gcm-sha256 | ecdhe-rsa-with-aes-256-cbc-sha | ecdhe-rsa-with-aes-256-cbc-sha384 | ecdhe-rsa-with-aes-256-gcm-sha384 | ecdhe-rsa-with-rc4-128-sha | rsa-with-3des-ede-cbc-sha | rsa-with-aes-128-cbc-sha | rsa-with-aes-128-cbc-sha256 | rsa-with-aes-128-gcm-sha256 | rsa-with-aes-256-cbc-sha | rsa-with-aes-256-cbc-sha256 | rsa-with-aes-256-gcm-sha384 | rsa-with-rc4-128-md5 | rsa-with-rc4-128-sha | tls-aes-128-gcm-sha256 | tls-aes-256-gcm-sha384);
mutual-authentication {
certificate-authority certificate-authority;
}
port port;
server-certificate server-certificate;
}
https-5g {
addresses [ addresses ... ];
mutual-authentication {
certificate-authority certificate-authority;
}
port port;
server-certificate server-certificate;
}
routing-instance routing-instance;
traceoptions {
flag(all | juise | lighttpd);
}
}
reverse {
ssh {
port port;
}
telnet {
port port;
}
}
ssh {
access-disable-external;
allow-tcp-forwarding;
authentication-order(one-time-password | otp-md4 | password | radius | tacplus);
authorized-keys-command authorized-keys-command;
authorized-keys-command-user authorized-keys-command-user;
authorized-principals [ authorized-principals ... ];
authorized-principals-command authorized-principals-command;
authorized-principals-file authorized-principals-file;
cert-based-auth {
host-certificate host-certificate;
trusted-user-ca-keys name;
}
ciphers(3des-cbc | aes128-cbc | aes128-ctr | aes128-gcm@openssh.com | aes192-cbc | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm@openssh.com | chacha20-poly1305@openssh.com);
client-alive-count-max client-alive-count-max;
client-alive-interval seconds;
connection-limit connections;
fingerprint-hash(md5 | sha2-256);
host-certificate-file host-certificate-file;
hostkey-algorithm-list {
ecdsa-sha2-nistp256;
ecdsa-sha2-nistp384;
ecdsa-sha2-nistp521;
ed25519;
rsa;
}
key-exchange(curve25519-sha256 | dh-group14-sha1 | dh-group1-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 | ecdh-sha2-nistp521 | group-exchange-sha1 | group-exchange-sha2);
log-key-changes;
macs(hmac-md5 | hmac-md5-96 | hmac-md5-96-etm@openssh.com | hmac-md5-etm@openssh.com | hmac-sha1 | hmac-sha1-96 | hmac-sha1-96-etm@openssh.com | hmac-sha1-etm@openssh.com | hmac-sha2-256 | hmac-sha2-256-etm@openssh.com | hmac-sha2-512 | hmac-sha2-512-etm@openssh.com | umac-128@openssh.com | umac-128-etm@openssh.com | umac-64@openssh.com | umac-64-etm@openssh.com);
max-pre-authentication-packets max-pre-authentication-packets;
max-sessions-per-connection max-sessions-per-connection;
no-challenge-response;
no-password-authentication;
no-passwords;
no-public-keys;
port port;
protocol-versionv2;
rate-limit connections per minute;
rekey {
data-limit bytes;
time-limit minutes;
}
root-login(allow | deny | deny-password);
sftp-server;
trusted-user-ca-key-file trusted-user-ca-key-file;
}
static-subscribers {
access-profile< access-profile-name>;
authentication {..}
}
auto-login;
baseline-stats;
dynamic-profile {
aggregate-clients(merge | replace);
dynamic-profile-name;
}
group name {
access-profile< access-profile-name>;
authentication {
password password;
username-include {
delimiter delimiter;
domain-name domain-name;
interface;
logical-system-name;
routing-instance-name;
user-prefix user-prefix;
vlan-tags;
}
}
auto-login;
dynamic-profile {
aggregate-clients(merge | replace);
dynamic-profile-name;
}
interface name {
exclude;
upto upto;
}
service-profile< service-profile-name>;
}
interface name {
subscriber-ip-address address;
subscriber-ipv6-address address;
}
service-profile< service-profile-name>;
}
subscriber-management {
enable {
}
enforce-strict-scale-limit-license;
gres-route-flush-delay;
interfaces name {
auto-configure {
agent-circuit-identifier {
dynamic-profile dynamic-profile;
}
line-identity {
dynamic-profile dynamic-profile;
includes {
accept-no-ids;
circuit-id;
remote-id;
}
}
remove-when-no-subscribers;
stacked-vlan-ranges {
access-profile access-profile-name;
authentication {
packet-types;
password password;
username-include {
circuit-type;
delimiter delimiter;
domain-name domain-name;
interface-name;
mac-address;
option-18;
option-37;
option-82<circuit-id><remote-id>;
radius-realm radius-realm;
user-prefix user-prefix;
vlan-tags;
}
}
dynamic-profile name {
accept;
access-profile ap-name;
ranges name;
}
override {
outer-tag name {
dynamic-profile dynamic-profile;
inner-tag inner-tag;
}
}
}
vlan-ranges {
access-profile access-profile-name;
authentication {..}
}
dynamic-profile name {
(accept | accept-out-of-band);
access-profile ap-name;
ranges name;
}
override {
tag name {
dynamic-profile dynamic-profile;
}
}
}
}
interface-tag interface-tag;
unit name {
pppoe-underlying-options {
access-concentrator access-concentrator;
direct-connect;
duplicate-protection;
dynamic-profile dynamic-profile;
max-sessions max-sessions;
max-sessions-vsa-ignore;
service-name-table service-name-table;
short-cycle-protection {
filteraci;
lockout-time-max seconds;
lockout-time-min seconds;
}
}
}
}
location location;
maintain-subscriber {
interface-delete;
}
mode {
control-plane {
control-plane-name control-plane-name;
cp-id cp-id;
instance name {
user-plane user-plane;
}
load-balancing {
group name {
user-plane name {
port name {
max-weight max-weight;
}
preferred;
}
}
}
pfcp {
enable-tracing;
heartbeat-interval seconds;
retransmission-timer seconds;
retries retries;
}
security-profiles name {
ca-cert-file-name ca-cert-file-name;
cert-file-name cert-file-name;
key-file-name key-file-name;
}
transport {..}
user-plane name {
(inet inet | inet6 inet6);
netconf {
password password;
port port;
user-name user-name;
}
partition partition;
service-set name {
captive-portal-content-delivery-profile captive-portal-content-delivery-profile;
interface-service {
service-interface service-interface;
}
service-set-options {
routing-engine-services;
}
}
statistics-reporting-interval minutes;
v6-delegated-partition v6-delegated-partition;
v6-na-partition v6-na-partition;
v6-ra-partition v6-ra-partition;
}
}
user-plane {
capabilities {
function-features {
exclude-lac;
exclude-lcp-keepalive-offload;
exclude-lns;
}
}
control-plane {
control-plane-name control-plane-name;
transport {
(inet inet | inet6 inet6);
inet-tcp inet-tcp;
port port;
}
}
pfcp {
enable-tracing;
heartbeat-interval seconds;
retransmission-timer seconds;
retries retries;
}
security-profiles name {
ca-cert-file-name ca-cert-file-name;
cert-file-name cert-file-name;
key-file-name key-file-name;
}
selection-function {
cluster name;
service-group name;
}
transport {
(inet inet | inet6 inet6);
security-profile security-profile;
}
user-plane-name user-plane-name;
}
}
overrides {
event {
catastrophic-failure {
reboot {
routing-engine-specifiers;
}
}
}
force-show-arp-resolve;
interfaces {
family {
inet {
ipoe-dynamic-arp-enable;
layer2-liveness-detection;
receive-gratuitous-arp;
}
inet6 {
layer2-liveness-detection;
}
}
}
no-unsolicited-ra;
shmlog {
disable;
file filename<files files><size size>;
filtering {
enable;
}
log-name name {..}
log-type(debug | info | notice) {..}
}
work-management {..}
}
redundancy {
group name {
interface name {
standby-mode(hot-standby | service-activation-on-failover);
}
}
interface name {
local-inet6-address local-inet6-address;
local-inet-address local-inet-address;
shared-key shared-key;
virtual-inet6-address virtual-inet6-address;
virtual-inet-address virtual-inet-address;
}
no-advertise-routes-on-backup;
protocol {
pseudo-wire;
vrrp;
}
re-authenticate-on-failover;
}
static-framed-route;
subscriber-group name {
control-plane-managed-mode {
preferred-user-plane-name preferred-user-plane-name;
redundancy-interface name {
logical-ports logical-ports;
}
}
user-plane-managed-mode {
redundancy-interface name {
logical-ports logical-ports;
}
}
virtual-mac virtual-mac;
}
traceoptions {
file< filename><files files><match match><size size><(world-readable | no-world-readable)>;
flag name;
no-remote-trace;
}
}
subscriber-management-helper {
traceoptions {
file< filename><files files><match match><size size><(world-readable | no-world-readable)>;
flag name;
no-remote-trace;
}
}
telnet {
authentication-order(one-time-password | otp-md4 | password | radius | tacplus);
connection-limit connections;
rate-limit connections per minute;
}
tftp-server {
connection-limit connections;
rate-limit connections per minute;
}
web-management<controlmax-threads max-threads><https(local-certificate local-certificate | pki-local-certificate pki-local-certificate | system-generated-certificate)<interface [ interface ... ]><port port> namemtlsca-profile ca-profile
nameport portpki-local-certificate pki-local-certificate><management-url management-url><session<idle-timeout minutes><session-limit session-limit>><traceoptions<file< filename><files files><match match><size size><(world-readable | no-world-readable)>> name<level(all | error | info | notice | verbose | warning)><no-remote-trace>>
;
xnm-clear-text {
connection-limit connections;
rate-limit connections per minute;
}
xnm-ssl {
connection-limit connections;
local-certificate local-certificate;
rate-limit connections per minute;
(ssl-renegotiation | no-ssl-renegotiation);
}
}Hierarchy Level
[edit system]
Description
Configure the router or switch so that users on remote systems can access the local router or switch through the DHCP server, DTCP over SSH, finger, outbound HTTPS, rlogin, SSH, telnet, Web management, Junos XML protocol SSL, and network utilities, or enable Junos OS to work with the Session and Resource Control (SRC) software. Also, enable configuration of third-party applications developed using the Juniper Extension Toolkit (JET) to run on Junos OS.
Starting in Junos OS Release 22.2R1, we’ve disabled the SSH TCP forwarding feature by default
to enhance security. To enable the SSH TCP forwarding feature, you can configure the
allow-tcp-forwarding statement at the [edit system services
ssh] hierarchy level. In addition, we’ve deprecated the
tcp-forwarding and no-tcp-forwarding statements at the
[edit system services ssh] hierarchy
level.
The option for system services webapi option is available only for SRX series
devices. For further information, see Related Information section.
The remaining statements are explained separately. Search for a statement in CLI Explorer or click a linked statement in the Syntax section for details.
Required Privilege Level
system—To view this statement in the configuration.
system-control—To add this statement to the configuration.
Release Information
Statement introduced before Junos OS Release 7.4.
extension-service option added in Junos OS Release 16.1 for MX80, MX104,
MX240, MX480, MX960, MX2010, MX2020, vMX Series.
grpc option added in Junos OS Release 16.2 for MX80, MX104, MX240, MX480,
MX960, MX2010, MX2020, vMX Series.
allow-tcp-forwarding option added in Junos OS Release
22.2R1.