services (System Services)
Syntax
services {
    dhcp { # DHCP is not supported on a DCF
        dhcp_services;
    }
    dtcp-only finger {
        connection-limit limit;
        rate-limit limit;
    }
    flow-tap-dtcp {
        ssh {
            connection-limit limit;
            rate-limit limit;
        }
    }
    ftp {
        authentication-order [authentication-methods];
        connection-limit limit;
        rate-limit limit;
    }
    grpc {
        request-response {
            grpc {
                ssl {
                    address ip-address;
                    local-certificate local-certificate;
                    port port;
                }
                max-connections max-connections;
            }
        }
        notification {
            port port;
            max-connections max-connections;
            allow-clients {
                address ip-address;
            }
        }
        traceoptions {
            file <filename> <files number> <match regex> <size size> <world-readable | no-world-readable>;
            flag flag;
            no-remote-trace;
        }
    }
    netconf {
        flatten-commit-results;
        hello-message {
            yang-module-capabilities {
                advertise-native-yang-modules;
                advertise-custom-yang-modules;
                advertise-standard-yang-modules;
            }
        }
        netconf-monitoring {
            netconf-state-schemas {
                retrieve-custom-yang-modules;
                retrieve-standard-yang-modules;
            }
        }
        notification;
        rfc-compliant;
        ssh {
            client-alive-count-max number;
            client-alive-interval seconds;
            connection-limit limit;
            port port;
            rate-limit limit;
        }
        tls {
            client-identity client-id {
                fingerprint fingerprint;
                map-type (san-dirname-cn | specified);
                username username;
            }
            default-client-identity {
                map-type (san-dirname-cn | specified);
                username username;
            }
            local-certificate local-certificate;
            traceoptions {
                file <filename> <files files> <match match> <size size> <(world-readable | no-world-readable)>;
                flag name;
                level (all | error | info | notice | verbose | warning);
                no-remote-trace;
            }
        }
        traceoptions {
            file <filename> <files number> <match regular-expression> <size size> <world-readable | no-world-readable>;
            flag flag;
            no-remote-trace;
            on-demand;
        }
        yang-compliant;
        yang-modules {
            device-specific;
            emit-extensions;
        }
    }
    outbound-https {
        client client-id {
            address {
                port port;
                trusted-cert trusted-cert;
            }
            device-id device-id;
            reconnect-strategy (in-order | sticky);
            secret password;
            waittime seconds;
        }
    }
    service-deployment {
        servers address {
            port-number port-number;
        }
        source-address address;
    }
    ssh {
        authentication-order [method 1 method2...];
        authorized-keys-command authorized-keys-command;
        authorized-keys-command-user authorized-keys-command-user;
        ciphers [ cipher-1 cipher-2 cipher-3 ...];
        client-alive-count-max number;
        client-alive-interval seconds;
        connection-limit limit;
        fingerprint-hash (md5 | sha2-256);
        hostkey-algorithm (algorithm | no-algorithm);
        key-exchange [algorithm1 algorithm2...];
        log-key-changes log-key-changes;
        macs [algorithm1 algorithm2...];
        max-pre-authentication-packets number;
        max-sessions-per-connection number;
        no-challenge-response;
        no-password-authentication;
        no-passwords;
        no-public-keys;
        allow-tcp-forwarding;
        port port-number;
        protocol-version [v2];
        rate-limit number;
        rekey {
            data-limit bytes;
            time-limit minutes;
        }
        root-login (allow | deny | deny-password);
        sftp-server;
    }
    tcp-forwarding;
    resource-monitor {
        free-fw-memory-watermark number;
        free-heap-memory-watermark number;
        free-nh-memory-watermark number;
        high-threshold number;
        no-logging;
        no-throttle;
        resource-category jtree {
            resource-category jtree (continguous-pages | free-dwords | free-pages) {
                low-watermark number;
                high-watermark number;
            }
        }
        subscribers-limit {
            (any | dhcp | l2tp | pppoe) {
                {
                    limit limit;
                }
                {
                    limit limit;
                }
                fpc slot-number {
                    limit limit;
                    pic number {
                        limit limit;
                        port number {
                            limit limit;
                        }
                    }
                }
            }
        }
        traceoptions {
            file filename <files number> <match regular-expression> <size maximum-file-size> <world-readable | no-world-readable>;
            flag flag;
            no-remote-trace;
        }
    }
    subscriber-management {
        enable (Enhanced Subscriber Management);
        enforce-strict-scale-limit-license;
        gres-route-flush-delay;
    }
    overrides {
        event {
            catastrophic-failure {
                reboot (master | standby);
            }
        }
        interfaces {
            family (inet | inet6) {
                layer2-liveness-detection;
            }
        }
        no-unsolicited-ra;
        ra-initial-interval-max seconds;
        ra-initial-interval-min seconds;
        shmlog {
            disable;
            file filename <files maximum-no-files> <size maximum-file-size>;
            filtering enable;
            log-name {
                all;
                logname {
                    <brief | detail | extensive | none | terse>;
                    <file-logging | no-file-logging>;
                }
            }
            log-type (debug | info | notice);
        }
        redundancy {
            interface name {
                local-inet-address v4-address;
                local-inet6-address v6-address;
                shared-key string;
                virtual-inet-address virtual-v4-address;
                virtual-inet6-address virtual-v6-address;
            }
            no-advertise-routes-on-backup;
            protocol {
                pseudo-wire;
                vrrp;
            }
        }
        traceoptions {
            file filename <files number> <match regular-expression> <size maximum-file-size> <world-readable | no-world-readable>;
            flag flag;
        }
    }
    telnet {
        authentication-order [authentication-methods];
        connection-limit limit;
        rate-limit limit;
    }
    web-management {
        http {
            interfaces [ names ];
            port port;
        }
        https {
            interfaces [ names ];
            local-certificate name;
            port port;
        }
        session {
            idle-timeout [ minutes ];
            session-limit [ limit ];
        }
    }
    xnm-ssl {
        connection-limit limit;
        local-certificate name;
        rate-limit limit;
        ssl-renegotiation;
    }
}
Hierarchy Level
[edit system]
Description
Configure the router or switch so that users on remote systems can access the local router or switch through the DHCP server, DTCP over SSH, finger, outbound HTTPS, rlogin, SSH, telnet, Web management, Junos XML protocol SSL, and network utilities, or enable Junos OS to work with the Session and Resource Control (SRC) software. Also, enable configuration of third-party applications developed using the Juniper Extension Toolkit (JET) to run on Junos OS.
Starting in Junos OS Release 22.2R1, we’ve disabled the SSH TCP forwarding feature by default to enhance security. To enable the SSH TCP forwarding feature, you can configure the allow-tcp-forwarding statement at the [edit system services ssh] hierarchy level. In addition, we’ve deprecated the tcp-forwarding and no-tcp-forwarding statements at the [edit system services ssh] hierarchy level.
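The TCP forwarding change described above can be checked for in exported configurations. The following Python audit is an added example, not Juniper code; it assumes input in "show configuration | display set" form, and the severity labels and every rule other than the three tcp-forwarding ones are policy assumptions of this example.

```python
import shlex

# Statement path under [edit system services] -> (severity, note).
# tcp-forwarding rules follow the Description; the rest are assumed policy.
RULES = {
    ("ssh", "tcp-forwarding"): ("warn", "deprecated since 22.2R1; use allow-tcp-forwarding"),
    ("ssh", "no-tcp-forwarding"): ("info", "deprecated since 22.2R1; forwarding is off by default"),
    ("ssh", "allow-tcp-forwarding"): ("warn", "SSH TCP forwarding explicitly enabled"),
    ("ssh", "root-login", "allow"): ("warn", "root login over SSH allowed"),
    ("telnet",): ("warn", "cleartext remote login enabled"),
    ("ftp",): ("warn", "cleartext file transfer enabled"),
    ("web-management", "http"): ("warn", "cleartext web management enabled"),
}

def audit_system_services(config_text):
    """Return sorted (severity, statement, note) findings for active statements."""
    active, inactive = [], []
    for line in config_text.splitlines():
        words = shlex.split(line, comments=True)
        if len(words) < 4 or words[1:3] != ["system", "services"]:
            continue
        path = tuple(words[3:])
        if words[0] == "set":
            active.append(path)
        elif words[0] == "deactivate":
            inactive.append(path)
    findings = set()
    for path in active:
        # A deactivated statement, or a deactivated parent, is inert.
        if any(path[:len(d)] == d for d in inactive):
            continue
        for rule, (sev, note) in RULES.items():
            if path[:len(rule)] == rule:
                findings.add((sev, " ".join(rule), note))
    return sorted(findings)

# Constructed sample in "show configuration | display set" form.
SAMPLE = """\
set system services ssh tcp-forwarding
set system services ssh allow-tcp-forwarding
set system services telnet connection-limit 5
set system services ftp
deactivate system services ftp
set system services web-management https interfaces fxp0.0
"""

if __name__ == "__main__":
    for sev, stmt, note in audit_system_services(SAMPLE):
        print(f"[{sev}] {stmt}: {note}")
```

Rules match on whole statement words, so web-management https does not trip the web-management http rule, and the deactivated ftp statement is not reported.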
The remaining statements are explained separately. Search for a statement in CLI Explorer or click a linked statement in the Syntax section for details.
Required Privilege Level
system—To view this statement in the configuration.
system-control—To add this statement to the configuration.
Release Information
Statement introduced before Junos OS Release 7.4.
extension-service option added in Junos OS Release 16.1 for MX80, MX104, MX240, MX480, MX960, MX2010, MX2020, vMX Series.
grpc option added in Junos OS Release 16.2 for MX80, MX104, MX240, MX480, MX960, MX2010, MX2020, vMX Series.
allow-tcp-forwarding option added in Junos OS Release 22.2R1.