Junos OS Release 12.1X47 Feature Guide
Junos OS Release 12.1X47-D15
19 November 2014
Revision 1
This feature guide accompanies Junos OS Release 12.1X47-D15. This guide contains
detailed information about new or enhanced functionality introduced in Junos OS Release
12.1X47-D15 that is summarized in the Release Notes.
Contents
New Features in Junos OS Release 12.1X47-D15 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Application Identification and Tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Customizing Application Groups for Junos OS Application
Identification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
SSL Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Authentication, Authorization, and Accounting (AAA) (RADIUS) . . . . . . . . . . 14
Configuring RADIUS Server Authentication . . . . . . . . . . . . . . . . . . . . . . . . 14
Configuring RADIUS System Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . 18
destination (Accounting) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
radius-options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
radius-server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Chassis Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Encrypted Control Link . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Flow-Based and Packet-Based Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Data Path Debugging for SRX Series Devices . . . . . . . . . . . . . . . . . . . . . 49
Interfaces and Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Next-Generation Switch Control Board II (SRX5K-SCBE) and Routing
Engine (SRX5K-RE-1800X4) for SRX5400, SRX5600, and
SRX5800 Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Establishing an Outbound SSH Connection . . . . . . . . . . . . . . . . . . . . . . 94
Network Address Translation (NAT) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Understanding Source NAT Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Understanding NAT64 IPv6 Prefix to IPv4 Address-Persistent
Translation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
[edit security nat] Hierarchy Level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
source (Security Source NAT) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
pool (Security Source NAT) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Copyright © 2014, Juniper Networks, Inc.
address-persistent (Security Source NAT Pool) . . . . . . . . . . . . . . . . . . . 109
Example: Configuring Address Persistent NAT64 Pools . . . . . . . . . . . . 109
show security nat source pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Network Management and Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . 116
TCP/TLS Support for Real-Time Logging . . . . . . . . . . . . . . . . . . . . . . . . 159
System Log Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Documentation Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Requesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Self-Help Online Tools and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Opening a Case with JTAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Revision History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
New Features in Junos OS Release 12.1X47-D15
Junos OS Release 12.1X47-D15 introduces the following features:
• Application Identification and Tracking on page 3
• Authentication, Authorization, and Accounting (AAA) (RADIUS) on page 14
• Chassis Cluster on page 24
• Flow-Based and Packet-Based Processing on page 49
• Interfaces and Chassis on page 54
• IPv6 on page 94
• Network Address Translation (NAT) on page 97
• Management on page 116
Application Identification and Tracking
• Customizing Application Groups for Junos OS Application Identification on page 3
• SSL Proxy on page 8
Customizing Application Groups for Junos OS Application Identification
• Customizing Application Groups for Junos OS Application Identification on page 3
• Enabling Application Groups in Junos OS Application Identification on page 4
• Example: Configuring a Custom Application Group for Junos OS Application
Identification for Simplified Management on page 4
• application-group (Services) on page 8
Customizing Application Groups for Junos OS Application Identification
The hierarchy of application groups resembles a tree structure with associated
applications as the leaf nodes. The group any refers to the root node. The group unassigned
is always situated one level from the root and initially contains all applications. When a
group is defined, applications are assigned from the unassigned group to the new group.
When a group is deleted, its applications are moved back to the unassigned group.
All predefined application groups have the prefix “junos” in the application group name
to prevent naming conflicts with custom application groups. You cannot modify the list
of applications within a predefined application group. However, you can copy a predefined
application group to use it as a template for creating a custom application group.
To customize a predefined application group, you must first disable the predefined group.
Note that a disabled predefined application group remains disabled after an application
database update. You can then use the operational command request services
application-identification group to copy the disabled predefined application group. The
copied group is placed in the configuration file, and the prefix “junos” is changed to “my”.
At this point, you can modify the list of applications in “my” application group and rename
the group with a unique name.
To reassign an application from one custom group to another, you must remove the
application from its current custom application group, and then reassign it to the other.
Enabling Application Groups in Junos OS Application Identification
All application groups are enabled by default. Predefined application groups are enabled
at installation.
• For predefined application groups, you can disable and reenable a group using the
request services application-identification group command. You cannot delete a
predefined signature or signature group.
• To disable a predefined application group:
user@host> request services application-identification group disable predefined-application-group-name
• To reenable a disabled predefined application group:
user@host> request services application-identification group enable predefined-application-group-name
Example: Configuring a Custom Application Group for Junos OS Application Identification
for Simplified Management
This example shows how to configure custom application groups for Junos OS application
identification for consistent reuse when defining policies.
• Requirements on page 4
• Overview on page 4
• Configuration on page 5
Requirements
Before you begin, install an entire signature database from an IDP or an application
identification security package.
Overview
In this example, you define applications for an application group, delete an application
from an application group, and include an application group within another application
group.
In Junos OS, application identification allows you to group applications in policies.
Applications can be grouped under predefined and custom application groups. The entire
predefined application group can be downloaded as part of the IDP or application
identification security package. You can create custom application groups with a set of
similar applications for consistent reuse when defining policies.
NOTE: You cannot modify the applications defined in a predefined application
group. However, you can copy a predefined application group using the
operational command request services application-identification group
group-name copy to create a custom application group and modify the list of
applications. For more information, see request services
application-identification group.
Configuration
• Configuring Junos OS Application Identification User-Defined Application
Groups on page 5
• Deleting an Application from a User-Defined Application Group on page 6
• Creating Child Application Groups for an Application Group on page 7
Configuring Junos OS Application Identification User-Defined Application Groups
CLI Quick Configuration
To quickly configure this section of the example, copy the following commands, paste
them into a text file, remove any line breaks, change any details necessary to match your
network configuration, copy and paste the commands into the CLI at the [edit] hierarchy
level, and then enter commit from configuration mode.
set services application-identification application-group my_web
set services application-identification application-group my_web applications junos:HTTP
set services application-identification application-group my_web applications junos:FTP
set services application-identification application-group my_web applications junos:GOPHER
set services application-identification application-group my_web applications junos:AMAZON
set services application-identification application-group my_peer
set services application-identification application-group my_peer applications junos:BITTORRENT
set services application-identification application-group my_peer applications junos:BITTORRENT-DHT
set services application-identification application-group my_peer applications junos:BITTORRENT-UDP
set services application-identification application-group my_peer applications junos:BITTRACKER
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration
hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration
Mode in the CLI User Guide.
To configure a custom application group for application identification:
1. Set the name of your custom application group.
[edit services application-identification]
user@host# set application-group my_web
2. Add the list of applications that you want to include in your custom application
group.
[edit services application-identification]
user@host# set application-group my_web applications junos:HTTP
user@host# set application-group my_web applications junos:FTP
user@host# set application-group my_web applications junos:GOPHER
user@host# set application-group my_web applications junos:AMAZON
3. Set the name of a second custom application group.
[edit services application-identification]
user@host# set application-group my_peer
4. Add the list of applications that you want to include in the group.
[edit services application-identification]
user@host# set application-group my_peer applications junos:BITTORRENT
user@host# set application-group my_peer applications junos:BITTORRENT-DHT
user@host# set application-group my_peer applications junos:BITTORRENT-UDP
user@host# set application-group my_peer applications junos:BITTRACKER
Results
From configuration mode, confirm your configuration by entering the show services
application-identification application-group group-name command. If the output does not
display the intended configuration, repeat the configuration instructions in this example
to correct it.
[edit]
user@host# show services application-identification application-group my_web
applications {
    junos:HTTP;
    junos:FTP;
    junos:GOPHER;
    junos:AMAZON;
}
user@host# show services application-identification application-group my_peer
applications {
    junos:BITTORRENT;
    junos:BITTORRENT-DHT;
    junos:BITTORRENT-UDP;
    junos:BITTRACKER;
}
If you are done configuring the device, enter commit from configuration mode.
Deleting an Application from a User-Defined Application Group
CLI Quick Configuration
To quickly configure this section of the example, copy the following command, paste it
into a text file, remove any line breaks, change any details necessary to match your
network configuration, copy and paste the command into the CLI at the [edit] hierarchy
level, and then enter commit from configuration mode.
[edit]
delete services application-identification application-group my_web applications junos:AMAZON
Step-by-Step Procedure
To delete an application from a custom application group:
[edit services application-identification]
user@host# delete application-group my_web applications junos:AMAZON
Results
From configuration mode, confirm your configuration by entering the show services
application-identification application-group my_web command. If the output does not
display the intended configuration, repeat the configuration instructions in this example
to correct it.
[edit]
user@host# show services application-identification application-group my_web
applications {
    junos:HTTP;
    junos:FTP;
    junos:GOPHER;
}
If you are done configuring the device, enter commit from configuration mode.
Creating Child Application Groups for an Application Group
CLI Quick Configuration
To quickly configure this section of the example, copy the following commands, paste
them into a text file, remove any line breaks, change any details necessary to match your
network configuration, copy and paste the commands into the CLI at the [edit] hierarchy
level, and then enter commit from configuration mode.
set services application-identification application-group p2p
set services application-identification application-group p2p application-groups my_web
set services application-identification application-group p2p application-groups my_peer
Step-by-Step Procedure
To configure child application groups for a custom application group:
1. Set the name of the custom application group in which you are configuring the child
application groups.
[edit services application-identification]
user@host# set application-group p2p
2. Add the child application groups.
[edit services application-identification]
user@host# set application-group p2p application-groups my_web
user@host# set application-group p2p application-groups my_peer
Results
From configuration mode, confirm your configuration by entering the show services
application-identification application-group application-group-name command. If the
output does not display the intended configuration, repeat the configuration instructions
in this example to correct it.
[edit]
user@host# show services application-identification application-group p2p
application-groups {
    my_web;
    my_peer;
}
If you are done configuring the device, enter commit from configuration mode.
application-group (Services)
Syntax
application-group group-name {
    application-groups application-group-name;
    applications application-name;
}
Hierarchy Level
[edit services application-identification]
Release Information
Statement introduced in Junos OS Release 11.2.
Description
Specify any number of associated predefined applications, user-defined applications,
and other groups for ease of use in configuring application-based policies.
An application group is hierarchical: a tree structure of groups with applications as the
leaf nodes.
Options
group-name—Name of the group. This name is used in policy configuration statements
in place of multiple predefined applications, user-defined applications, or other
groups.
application-groups application-group-name—Name of an application group to be assigned
to this group. There is no maximum number of groups that can be assigned to a
group. Use multiple commands to assign multiple groups.
applications application-name—Name of an application to be assigned to this group. An
application can remain unassigned or be assigned to a group, but it cannot be
assigned to more than one group. There is no maximum number of applications that
can be assigned to a group. Use multiple commands to assign multiple applications.
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
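The rules stated above (every application starts in unassigned, an application belongs to at most one group, groups nest into a tree under any, and deleting a group returns its applications to unassigned) decide what a policy that names a group actually matches once groups are nested. The following Python is an added example, not Juniper code: a small model of the application-group tree that enforces those rules and resolves a group, child groups included, to the set of applications it covers, rebuilt from the my_web, my_peer and p2p groups configured in the example above. The application list is a constructed subset of the signature database, and re-attaching a deleted group's child groups to the root is an assumption made here.

```python
# Constructed subset of the application signature database.
APPLICATIONS = [
    "junos:HTTP", "junos:FTP", "junos:GOPHER", "junos:AMAZON",
    "junos:BITTORRENT", "junos:BITTORRENT-DHT", "junos:BITTORRENT-UDP", "junos:BITTRACKER",
    "junos:SSH", "junos:DNS",
]


class AppGroupTree:
    """Tree of application groups: 'any' is the root, 'unassigned' sits one level below
    it and initially holds every application, custom groups hang off the root until nested."""

    def __init__(self, applications):
        self.children = {"any": {"unassigned"}, "unassigned": set()}
        self.members = {"any": set(), "unassigned": set(applications)}
        self.owner = {app: "unassigned" for app in applications}

    def add_group(self, name):
        """set services application-identification application-group <name>"""
        if name in self.members:
            raise ValueError(f"application group {name} already exists")
        self.children[name] = set()
        self.members[name] = set()
        self.children["any"].add(name)

    def assign(self, group, app):
        """... application-group <group> applications <app>"""
        current = self.owner.get(app)
        if current is None:
            raise KeyError(f"unknown application {app}")
        if current != "unassigned":
            # One group per application: to move it, delete it from the old group first.
            raise ValueError(f"{app} is already in {current}; delete it there before reassigning")
        self.members["unassigned"].discard(app)
        self.members[group].add(app)
        self.owner[app] = group

    def unassign(self, group, app):
        """delete ... application-group <group> applications <app>"""
        self.members[group].remove(app)
        self.members["unassigned"].add(app)
        self.owner[app] = "unassigned"

    def add_child(self, parent, child):
        """... application-group <parent> application-groups <child>"""
        if child == parent or parent in self.descendant_groups(child):
            raise ValueError(f"nesting {child} under {parent} would create a cycle")
        self.children["any"].discard(child)
        self.children[parent].add(child)

    def delete_group(self, name):
        """delete ... application-group <name>: its applications return to 'unassigned'."""
        if name in ("any", "unassigned"):
            raise ValueError(f"{name} cannot be deleted")
        for app in list(self.members[name]):
            self.unassign(name, app)
        for kids in self.children.values():
            kids.discard(name)
        self.children["any"].update(self.children.pop(name))  # assumption: orphans re-attach to root
        del self.members[name]

    def descendant_groups(self, name):
        found = set()
        for child in self.children[name]:
            found.add(child)
            found |= self.descendant_groups(child)
        return found

    def resolve(self, name):
        """Every application a policy naming this group would match, nested groups included."""
        apps = set(self.members[name])
        for child in self.children[name]:
            apps |= self.resolve(child)
        return frozenset(apps)


def build_example():
    """Rebuild the my_web, my_peer and p2p groups configured in the example above."""
    tree = AppGroupTree(APPLICATIONS)
    tree.add_group("my_web")
    for app in ("junos:HTTP", "junos:FTP", "junos:GOPHER", "junos:AMAZON"):
        tree.assign("my_web", app)
    tree.add_group("my_peer")
    for app in ("junos:BITTORRENT", "junos:BITTORRENT-DHT", "junos:BITTORRENT-UDP", "junos:BITTRACKER"):
        tree.assign("my_peer", app)
    tree.add_group("p2p")
    tree.add_child("p2p", "my_web")
    tree.add_child("p2p", "my_peer")
    return tree


if __name__ == "__main__":
    tree = build_example()
    print("p2p matches:", sorted(tree.resolve("p2p")))
    print("still unassigned:", sorted(tree.members["unassigned"]))
```

The resolve() step is the one to keep in mind when a policy references a parent group: p2p above matches all eight applications of both child groups, and deleting my_web later silently shrinks what that policy covers.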
SSL Proxy
• show services application-identification counter (AppSecure)
• show services application-identification application-system-cache (View)
• clear services application-identification counter (Values)
show services application-identification counter (AppSecure)
Syntax
show services application-identification counter
<ssl-encrypted-sessions>
Release Information
Command introduced in Junos OS Release 10.2. Output updated in Junos OS Release
12.1X47-D10. Command and output updated in Junos OS Release 12.1X47-D15.
Description
Display the status of all Junos OS application identification counter values per SPU.
Options
ssl-encrypted-sessions—Display counters for SSL encrypted sessions.
Required Privilege Level
view
Related Documentation
• Application Identification Feature Guide for Security Devices
• clear services application-identification counter (Values)
List of Sample Output
show services application-identification counter on page 10
show services application-identification counter ssl-encrypted-sessions on page 11
Output Fields
Table 1 on page 9 lists the output fields for the show services application-identification
counter command. Output fields are listed in an approximate order in which they appear.
Table 1: show services application-identification counter Output Fields
Field Name: Field Description
PIC: PIC number of the accumulated statistics. NOTE: The PIC number is always displayed as 0 for branch SRX Series devices.
Unknown applications: Number of unknown applications.
Encrypted unknown applications: Number of encrypted unknown applications.
Cache hits: Number of sessions that matched the application in the AI cache.
Cache misses: Number of sessions that did not find the application in the AI cache.
Client-to-server packets processed: Number of client-to-server packets processed.
Server-to-client packets processed: Number of server-to-client packets processed.
Client-to-server bytes processed: Number of client-to-server payload bytes processed.
Server-to-client bytes processed: Number of server-to-client payload bytes processed.
Client-to-server encrypted packets processed: Number of client-to-server encrypted packets processed.
Server-to-client encrypted packets processed: Number of server-to-client encrypted packets processed.
Client-to-server encrypted bytes processed: Number of client-to-server encrypted payload bytes processed.
Server-to-client encrypted bytes processed: Number of server-to-client encrypted payload bytes processed.
Sessions bypassed due to resource allocation failure: Number of sessions bypassed due to resource allocation failure.
Segment case 1 - New segment to left: TCP segments that lie entirely before the previous segment.
Segment case 2 - New segment overlap right: TCP segments that start before the previous segment and end inside it.
Segment case 3 - Old segment overlapped: TCP segments that start before the previous segment and extend beyond it.
Segment case 4 - New segment overlapped: TCP segments that start and end within the previous segment.
Segment case 5 - New segment overlap left: TCP segments that start within the previous segment and extend beyond it.
Segment case 6 - New segment to right: TCP segments that start after the previous segment. This is the normal case.
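The six segment cases in Table 1 describe how the application identification engine sees each TCP segment relative to the one it already holds; anything other than case 6 means out-of-order or overlapping data, and overlapping retransmissions that carry different bytes are the classic way to show an inspection engine one stream while the endpoint reassembles another. The following Python is an added example, not Juniper code: it classifies segments into the six cases with the same numbering and flags overlaps whose data disagrees. The boundary decisions (a segment that abuts the previous one is case 6, an exact duplicate is case 4, each segment is compared with the one that arrived just before it) and the sample HTTP segments are assumptions made here.

```python
import enum


class SegmentCase(enum.IntEnum):
    """The six 'Segment case' counters, numbered as in Table 1."""
    NEW_TO_LEFT = 1        # new segment lies entirely before the previous one
    NEW_OVERLAP_RIGHT = 2  # new starts before the previous one and ends inside it
    OLD_OVERLAPPED = 3     # new starts before the previous one and extends beyond it
    NEW_OVERLAPPED = 4     # new starts and ends inside the previous one
    NEW_OVERLAP_LEFT = 5   # new starts inside the previous one and extends beyond it
    NEW_TO_RIGHT = 6       # new starts at or after the end of the previous one (normal)


def span(segment):
    """A segment is (sequence number, payload bytes) and covers [seq, seq + len)."""
    seq, payload = segment
    return seq, seq + len(payload)


def classify(prev, new):
    ps, pe = span(prev)
    ns, ne = span(new)
    if ne <= ps:
        return SegmentCase.NEW_TO_LEFT
    if ns >= pe:
        return SegmentCase.NEW_TO_RIGHT
    if ns < ps:
        return SegmentCase.OLD_OVERLAPPED if ne > pe else SegmentCase.NEW_OVERLAP_RIGHT
    return SegmentCase.NEW_OVERLAP_LEFT if ne > pe else SegmentCase.NEW_OVERLAPPED


def overlap_conflict(prev, new):
    """True when the bytes both segments claim for the same sequence range differ."""
    (ps, pe), (ns, ne) = span(prev), span(new)
    lo, hi = max(ps, ns), min(pe, ne)
    if lo >= hi:
        return False
    return prev[1][lo - ps:hi - ps] != new[1][lo - ns:hi - ns]


def tally(segments):
    """Classify each segment against the one that arrived before it, count per case as
    the counters do, and list overlaps whose payload bytes conflict."""
    counts = {case: 0 for case in SegmentCase}
    conflicts = []
    prev = None
    for seg in segments:
        if prev is not None:
            case = classify(prev, seg)
            counts[case] += 1
            if overlap_conflict(prev, seg):
                conflicts.append((prev[0], seg[0], case))
        prev = seg
    return counts, conflicts


# Constructed client-to-server stream: an in-order request, a retransmission of the Host
# header that overlaps the earlier copy with different bytes, then a stale old segment.
SAMPLE_STREAM = [
    (1000, b"GET /index.html HTTP/1.1\r\n"),
    (1026, b"Host: www.example.com\r\n"),
    (1026, b"Host: www.evil.com\r\n"),
    (1049, b"\r\n"),
    (900, b"X" * 50),
]

if __name__ == "__main__":
    counts, conflicts = tally(SAMPLE_STREAM)
    for case, n in counts.items():
        print(f"Segment case {case.value} - {case.name}: {n}")
    print("conflicting overlaps:", conflicts)
```

Which copy of a conflicting overlap the engine keeps is not stated on this page; the point of the check is that a non-zero count in cases 1 to 5 on a stream that should be well-behaved, together with differing bytes, is worth a packet capture rather than a shrug.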
Sample Output
show services application-identification counter
user@host> show services application-identification counter
pic: 6/0
Counter type                                              Value
Unknown applications                                          5
Encrypted unknown applications                                0
Cache hits                                                    0
Cache misses                                                  8
Client-to-server packets processed                          678
Server-to-client packets processed                            0
Client-to-server bytes processed                          83577
Server-to-client bytes processed                              0
Client-to-server encrypted packets processed                  0
Server-to-client encrypted packets processed                  0
Client-to-server encrypted bytes processed                    0
Server-to-client encrypted bytes processed                    0
Sessions bypassed due to resource allocation failure          0
Segment case 1 - New segment to left                          0
Segment case 2 - New segment overlap right                    0
Segment case 3 - Old segment overlapped                       0
Segment case 4 - New segment overlapped                       0
Segment case 5 - New segment overlap left                     0
Segment case 6 - New segment to right                         0
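These counters are what you poll to confirm that application identification is actually classifying traffic rather than silently letting it through. The following Python is an added example, not Juniper code: it parses the command output into a per-PIC dictionary and applies three checks a practitioner would want (sessions that bypassed identification, a high share of unknown applications, and any out-of-order or overlapping TCP segments). The sample text is constructed in the layout shown above with the same values, and the thresholds are assumptions made here.

```python
import re

# Constructed sample in the layout of the output shown above (same values).
SAMPLE_OUTPUT = """\
user@host> show services application-identification counter
pic: 6/0
Counter type                                              Value
Unknown applications                                          5
Encrypted unknown applications                                0
Cache hits                                                    0
Cache misses                                                  8
Client-to-server packets processed                          678
Server-to-client packets processed                            0
Client-to-server bytes processed                          83577
Server-to-client bytes processed                              0
Client-to-server encrypted packets processed                  0
Server-to-client encrypted packets processed                  0
Client-to-server encrypted bytes processed                    0
Server-to-client encrypted bytes processed                    0
Sessions bypassed due to resource allocation failure          0
Segment case 1 - New segment to left                          0
Segment case 2 - New segment overlap right                    0
Segment case 3 - Old segment overlapped                       0
Segment case 4 - New segment overlapped                       0
Segment case 5 - New segment overlap left                     0
Segment case 6 - New segment to right                         0
"""

PIC_RE = re.compile(r"^pic:\s*(\S+)")
# A counter row is a name, at least two spaces, and an integer at end of line.
ROW_RE = re.compile(r"^(?P<name>\S.*?\S)\s{2,}(?P<value>\d+)\s*$")


def parse_counters(text):
    """Return {pic: {counter name: value}} for every PIC block in the output."""
    per_pic, pic = {}, None
    for line in text.splitlines():
        m = PIC_RE.match(line)
        if m:
            pic = m.group(1)
            per_pic[pic] = {}
            continue
        m = ROW_RE.match(line)
        if m and pic is not None:
            per_pic[pic][m.group("name")] = int(m.group("value"))
    return per_pic


def check(counters, unknown_ratio_limit=0.5):
    """Health checks over one PIC's counters; the ratio threshold is an assumption."""
    findings = []
    bypassed = counters.get("Sessions bypassed due to resource allocation failure", 0)
    if bypassed:
        findings.append(f"{bypassed} session(s) bypassed application identification "
                        "and were forwarded without an application match")
    # Every session consults the AI cache once, so hits + misses approximates sessions seen.
    classified = counters.get("Cache hits", 0) + counters.get("Cache misses", 0)
    unknown = counters.get("Unknown applications", 0)
    if classified and unknown / classified > unknown_ratio_limit:
        findings.append(f"{unknown} of {classified} sessions ended as unknown application")
    # Case 6 is the normal in-order case; cases 1 to 5 are out-of-order or overlapping.
    abnormal = sum(v for k, v in counters.items()
                   if k.startswith("Segment case") and not k.startswith("Segment case 6"))
    if abnormal:
        findings.append(f"{abnormal} out-of-order or overlapping TCP segment(s) seen by AppID")
    return findings


if __name__ == "__main__":
    for pic, counters in parse_counters(SAMPLE_OUTPUT).items():
        print(f"pic {pic}:", check(counters) or ["ok"])
```

Run it against the real command output captured from the device (over NETCONF or a scripted CLI session) on a schedule and diff the bypass counter between runs: that counter only moves when the SPU could not allocate state, which is exactly the condition under which application-based policy stops seeing what it was written to control.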
Sample Output
show services application-identification counter ssl-encrypted-sessions
user@host> show services application-identification counter ssl-encrypted-sessions
pic: 1/0
Counter type                                              Value
AI cache hits                                                 0
AI cache hits by nested application                           0
AI cache misses                                               0
AI matches                                                    0
AI uni-matches                                                0
AI no-matches                                                 0
AI partial matches                                            0
AI no-partial matches                                         0
Sessions that triggered Appid create session API              0
Sessions that do not incur signature match or decoding        0
Sessions that incur signature match or decoding               0
Client-to-server packets processed                            0
Server-to-client packets processed                            0
Client-to-server layer-7 bytes processed                      0
Server-to-client layer-7 bytes processed                      0
Terminal first data packets on both direction                 0
pic: 1/1
Counter type                                              Value
AI cache hits                                                 0
AI cache hits by nested application                           0
AI cache misses                                               0
AI matches                                                    0
AI uni-matches                                                0
AI no-matches                                                 0
AI partial matches                                            0
AI no-partial matches                                         0
Sessions that triggered Appid create session API              0
Sessions that do not incur signature match or decoding        0
Sessions that incur signature match or decoding               0
Client-to-server packets processed                            0
Server-to-client packets processed                            0
Client-to-server layer-7 bytes processed                      0
Server-to-client layer-7 bytes processed                      0
Terminal first data packets on both direction                 0
show services application-identification application-system-cache (View)
Syntax
show services application-identification application-system-cache
Release Information
Command introduced in Junos OS Release 10.2. Command updated in Junos OS Release
12.1X47-D10. Output updated in Junos OS Release 12.1X47-D15.
Description
Display application ID from default port/protocol binding or from the application system
cache.
Required Privilege Level
view
Related Documentation
• Application Identification Feature Guide for Security Devices
• clear services application-identification application-system-cache (Junos OS)
List of Sample Output
show services application-identification application-system-cache on page 13
Output Fields
Table 2 on page 12 lists the output fields for the show services application-identification
application-system-cache command. Output fields are listed in the approximate order
in which they appear.
Table 2: show services application-identification application-system-cache Output Fields
Field Name: Field Description
application-cache: On or Off status of the application cache.
nested-application-cache: On or Off status of the nested application cache.
cache-unknown-result: On or Off status for caching unknown results.
cache-entry-timeout: The number of seconds the mapping information is saved.
pic: PIC number of the accumulated statistics. NOTE: The PIC number is always displayed as 0 for branch SRX Series devices.
Logical system name: Name of a specific logical system.
IP address: IP address.
Port: Port number.
Protocol: Type of protocol.
Application: Name of the application.
Encrypted: Yes or No to identify the traffic as encrypted or not.
Sample Output
show services application-identification application-system-cache
user@host> show services application-identification application-system-cache
Application System Cache Configurations:
  application-cache: on
  nested-application-cache: on
  cache-unknown-result: on
  cache-entry-timeout: 3600 seconds
pic: 1/0
Logical system name: root-logical-system
IP address: 5.0.0.1 Port: 443 Protocol: TCP Application: SSL Encrypted: Yes
pic: 1/1
Logical system name: root-logical-system
IP address: 5.0.0.1 Port: 80 Protocol: TCP Application: HTTP Encrypted: No
clear services application-identification counter (Values)
Syntax
clear services application-identification counter
<ssl-encrypted-sessions>
Release Information
Command introduced in Junos OS Release 10.2. Command updated in Junos OS Release
12.1X47-D15.
Description
Reset all the Junos OS application identification counter values.
Options
ssl-encrypted-sessions—Reset application identification counter values for SSL encrypted
sessions.
Required Privilege Level
clear
Related Documentation
• Application Identification Feature Guide for Security Devices
• show services application-identification counter (AppSecure)
List of Sample Output
clear services application-identification counter on page 14
Output Fields
When you enter this command, you are provided feedback on the status of your request.
Sample Output
clear services application-identification counter
user@host> clear services application-identification counter
clear_counter_class: counters cleared, status = 0
Authentication, Authorization, and Accounting (AAA) (RADIUS)
• Configuring RADIUS Server Authentication on page 14
• Configuring RADIUS System Accounting on page 18
• destination (Accounting) on page 21
• radius-options on page 22
• radius-server on page 23
Configuring RADIUS Server Authentication
RADIUS authentication is a method of authenticating users who attempt to access the
router or switch.
Junos OS supports two protocols for central authentication of users on multiple
routers: RADIUS and TACACS+. We recommend RADIUS because it is a multivendor
IETF standard, and its features are more widely accepted than those of TACACS+ or
other proprietary systems. In addition, we recommend using a one-time-password system
for increased security; all vendors of these systems support RADIUS.
You should use RADIUS when your priorities are interoperability and performance:
• Interoperability—RADIUS is more interoperable than TACACS+, primarily because of
the proprietary nature of TACACS+. While TACACS+ supports more protocols, RADIUS
is universally supported.
• Performance—RADIUS is much lighter on your routers and switches and for this reason,
network engineers generally prefer RADIUS over TACACS+.
To use RADIUS authentication on the device, configure information about one or more
RADIUS servers on the network by including one radius-server statement at the [edit
system] hierarchy level for each RADIUS server.
Because remote authentication is configured on multiple devices, it is commonly
configured inside of a configuration group. As such, the steps shown here are in a
configuration group called global. Using a configuration group is optional.
To configure authentication by a RADIUS server:
1. Add an IPv4 or IPv6 server address.
• Configure an IPv4 source address and server address:
[edit groups global]
user@host# set system radius-server server-address source-address source-address
For example:
[edit groups global]
user@host# set system radius-server 192.168.17.28 source-address 192.168.17.1
• Configure an IPv6 source address and server address:
[edit groups global system radius-server server-address]
user@host# set secret "secretkey" source-address source-address
For example:
[edit groups global system radius-server ::17.22.22.162]
user@host# set secret $9$lPOv87ZGiH.5JGn/AtOB7-dVgo source-address ::17.22.22.1
The source address is a valid IPv4 or IPv6 address configured on one of the router
or switch interfaces. This configuration sets a fixed address as the source address
for locally generated IP packets.
The server address is the unique IPv4 or IPv6 address assigned to the RADIUS server
and used to route packets to it. If the Junos OS device has several interfaces that
can reach the RADIUS server, assign a source address that Junos OS uses for all its
communication with the RADIUS server. A RADIUS server identifies its clients by source
address and selects the shared secret accordingly, so this is the address to register
on the server.
2. Include a shared secret password.
You must specify a password in the secret password statement. If the password
contains spaces, enclose it in quotation marks. The secret password used by the local
router or switch must match that used by the server. The secret password configures
the password that the Junos OS device uses to access the RADIUS server.
[edit groups global system radius-server server-address]
user@host# set secret password
For example:
[edit groups global system radius-server 192.168.69.162]
user@host# set secret $9$gQ4UHf5F36CiH.5Tz9CuO1hreM8xw2oIENVwgZG
You enter the secret in plain text; the $9$ value shown is the obfuscated form in which
Junos OS stores it in the configuration.
3. If necessary, specify a port on which to contact the RADIUS server.
By default, port number 1812 is used (as specified in RFC 2865).
NOTE: You can also specify an accounting port to send accounting packets
with the accounting-port statement. The default is 1813 (as specified in
RFC 2866).
[edit groups global system radius-server server-address]
user@host# set port port-number
For example:
[edit groups global system radius-server 192.168.69.162]
user@host# set port 1845
4. Specify the order in which Junos OS attempts authentication.
You must include the authentication-order statement in your remote authentication
configuration.
The example assumes your network includes both RADIUS and TACACS+ servers. In
this example, whenever a user attempts to log in, Junos OS begins by querying the
RADIUS server for authentication. If it fails, it next attempts authentication with locally
configured user accounts. Finally the TACACS+ server is tried.
[edit groups global system]
user@host# set authentication-order [ authentication-methods ]
For example:
[edit groups global system]
user@host# set authentication-order [ radius password tacplus ]
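The exchange that the radius-server statements above set up, together with the user-template selection that step 5 below describes, as an added example in Python (not Juniper code and not a RADIUS client you would deploy): the device side builds an Access-Request with the User-Password keyed by the shared secret and a random Request Authenticator, the server side answers with an Access-Accept that carries the Juniper-Local-User-Name VSA (vendor 2636, type 1), and the device verifies the Response Authenticator before it trusts the VSA. The secret, the user and the template-to-class table are constructed from the examples on this page; transport (UDP to port 1812 from the configured source address) is left out; and falling back to the remote template when the VSA names no configured template is an assumption made here.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, VENDOR_SPECIFIC = 1, 2, 26
JUNIPER_VENDOR_ID, JUNIPER_LOCAL_USER_NAME = 2636, 1   # Juniper VSA, vendor type 1

# Login classes of the user templates configured in step 5 (constructed from the example).
TEMPLATES = {"RO": "read-only", "OP": "operator", "SU": "super-user", "remote": "read-only"}


def attr(atype, value):
    """One RFC 2865 attribute: type, length (including this 2-byte header), value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def juniper_vsa(vsa_type, value):
    """Vendor-Specific (26) carrying Vendor-Id 2636 and one vendor type/length/value."""
    return attr(VENDOR_SPECIFIC, struct.pack("!I", JUNIPER_VENDOR_ID) + attr(vsa_type, value))


def encode_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def access_request(username, password, secret, ident, request_auth=None):
    """What the device sends: code 1, a random Request Authenticator, User-Name and
    the secret-keyed User-Password. Returns the packet and the authenticator it used."""
    request_auth = request_auth or os.urandom(16)
    attrs = attr(USER_NAME, username) + attr(USER_PASSWORD, encode_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs, request_auth


def radius_reply(code, ident, request_auth, secret, attrs=b""):
    """Server side. Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs


def access_accept(ident, request_auth, secret, template):
    return radius_reply(ACCESS_ACCEPT, ident, request_auth, secret,
                        juniper_vsa(JUNIPER_LOCAL_USER_NAME, template))


def verify_response(reply, ident, request_auth, secret):
    """The device accepts a reply only if its ID matches the outstanding request and the
    Response Authenticator proves the sender knew the shared secret."""
    if len(reply) < 20 or reply[1] != ident or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def parse_attrs(data):
    attrs = []
    while data:
        length = data[1] if len(data) > 1 else 0
        if length < 2 or length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[0], data[2:length]))
        data = data[length:]
    return attrs


def apply_reply(reply, ident, request_auth, secret, templates=TEMPLATES):
    """Returns (template, login class) for an Access-Accept, None for any other code, and
    raises if the reply does not verify. Juniper-Local-User-Name selects the template
    when it names a configured one; the fallback to 'remote' is an assumption."""
    if not verify_response(reply, ident, request_auth, secret):
        raise ValueError("Response Authenticator mismatch: forged reply or wrong shared secret")
    if reply[0] != ACCESS_ACCEPT:
        return None
    template = "remote"
    for atype, value in parse_attrs(reply[20:]):
        if atype == VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == JUNIPER_VENDOR_ID:
            for vtype, vvalue in parse_attrs(value[4:]):
                if vtype == JUNIPER_LOCAL_USER_NAME and vvalue.decode(errors="replace") in templates:
                    template = vvalue.decode()
    return template, templates[template]


if __name__ == "__main__":
    secret = b"secretkey"                       # constructed; must equal the server's entry
    req, ra = access_request(b"alice", b"pa ss", secret, ident=7)
    print(apply_reply(access_accept(7, ra, secret, b"OP"), 7, ra, secret))   # ('OP', 'operator')
```

Two things the code makes visible that the configuration steps do not: the only thing binding an Access-Accept to your server is an MD5 over the shared secret, so the secret's length and its confidentiality on both ends are the whole of the reply's authenticity, and the User-Password obfuscation is keyed by that same secret, so the secret also protects every login password that crosses the network to the RADIUS server.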
5. Assign a login class to RADIUS-authenticated users.
You can assign different user templates and login classes to RADIUS-authenticated
users. This allows RADIUS-authenticated users to be granted different administrative
permissions on the Junos OS device. By default, RADIUS-authenticated users use the
remote user template and are assigned to the associated class, which is specified in
the remote user template, if the remote user template is configured. The username
remote is a special case in Junos OS. It acts as a template for users who are
authenticated by a remote server, but do not have a locally-configured user account
on the device. In this method, Junos OS applies the permissions of the remote template
to those authenticated users without a locally defined account. All users mapped to
the remote template are of the same login class.
In the Junos OS configuration, a user template is configured in the same way as a
regular local user account, except that no local authentication password is configured
because the authentication is remotely performed on the RADIUS server.
• To use the same permissions for all RADIUS-authenticated users:
[edit groups global system login]
user@host# set user remote class class
For example:
[edit groups global system login]
user@host# set user remote class super-user
• To have different login classes be used for different RADIUS-authenticated users, granting them different permissions:
a. Create multiple user templates in the Junos OS configuration.
Every user template can be assigned a different login class.
For example:
[edit groups global system login]
set user RO class read-only
set user OP class operator
set user SU class super-user
set user remote full-name "default remote access user template"
set user remote class read-only
b. Have the RADIUS server specify the name of the user template to be applied to
the authenticated user.
For a RADIUS server to indicate which user template is to be applied, it must include the Juniper vendor-specific attribute (VSA) Juniper-Local-User-Name (vendor ID 2636, type 1, string) in the RADIUS Access-Accept message. The string value of Juniper-Local-User-Name must match the name of a user template configured on the device. For a list of relevant Juniper RADIUS VSAs, see Juniper Networks Vendor-Specific RADIUS Attributes.
If the Juniper-Local-User-Name is not included in the Access-Accept message
or the string contains a user template name that does not exist on the device,
the user is assigned to the remote user template, if configured. If it is not
configured, authentication fails for the user.
After logging in, the remotely authenticated user retains the same username
that was used to log in. However, the user inherits the user class from the assigned
user template.
In a RADIUS server, users can be assigned a Juniper-Local-User-Name string,
which indicates the user template to be used in the Junos OS device. From the
previous example, the string would be RO, OP, or SU.
Configuration of the RADIUS server depends on the server being used. For
instructions for the Juniper Steel-Belted Radius server, see Steel-Belted Radius
(SBR) Enterprise. For information on using FreeRADIUS, see
http://kb.juniper.net/InfoCenter/index?page=content&id=KB19446.
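The template selection rule above (VSA name matching a configured template wins, otherwise the remote template, otherwise the login fails) in working form. This is an added example, not code from the feature guide; the packet builder, the TEMPLATES table and the zeroed authenticator are constructed for the demo.

```python
"""Select the Junos user template named by the Juniper-Local-User-Name VSA.

Constructed example: builds a sample Access-Accept with a zeroed authenticator.
A real NAS must first verify the Response Authenticator against the shared
secret (RFC 2865 s.3) before trusting any attribute in the packet.
"""
import struct

RADIUS_ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26      # RFC 2865 s.5.26
JUNIPER_VENDOR_ID = 2636       # IANA enterprise number for Juniper
JUNIPER_LOCAL_USER_NAME = 1    # Juniper VSA type 1, string

# Templates as configured on the device in the example above: name -> login class
TEMPLATES = {"RO": "read-only", "OP": "operator", "SU": "super-user",
             "remote": "read-only"}


def parse_attributes(payload):
    """Yield (type, value) from a RADIUS attribute TLV sequence; reject bad lengths."""
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("attribute length out of range")
        yield atype, payload[i + 2:i + alen]
        i += alen


def juniper_local_user_name(packet):
    """Return the Juniper-Local-User-Name string carried in an Access-Accept, or None."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != RADIUS_ACCESS_ACCEPT or length != len(packet):
        return None
    for atype, value in parse_attributes(packet[20:]):
        # Vendor-Specific: 4-byte vendor id, then vendor TLVs (type, length, data)
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != JUNIPER_VENDOR_ID:
            continue  # another vendor's VSA is ignored
        for vtype, vvalue in parse_attributes(value[4:]):
            if vtype == JUNIPER_LOCAL_USER_NAME:
                return vvalue.decode("ascii", errors="replace")
    return None


def select_template(packet, templates=TEMPLATES):
    """Device rule: named template if it exists, else 'remote' if configured, else deny.

    Returns (template_name, login_class), or None when authentication must fail.
    """
    name = juniper_local_user_name(packet)
    if name in templates:
        return name, templates[name]
    if "remote" in templates:
        return "remote", templates["remote"]
    return None


def juniper_vsa(vendor_type, text):
    """Build a Vendor-Specific attribute carrying one Juniper sub-attribute."""
    data = text.encode("ascii")
    vendor_tlv = bytes([vendor_type, len(data) + 2]) + data
    return ATTR_VENDOR_SPECIFIC, struct.pack("!I", JUNIPER_VENDOR_ID) + vendor_tlv


def build_access_accept(ident, attrs):
    """Constructed sample packet; the 16-byte authenticator is zeroed for the demo."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", RADIUS_ACCESS_ACCEPT, ident, 20 + len(body))
    return header + bytes(16) + body


if __name__ == "__main__":
    for label, attrs in [("SU", [juniper_vsa(1, "SU")]),
                         ("unknown template", [juniper_vsa(1, "ADMIN")]),
                         ("no VSA", [(1, b"alice")])]:
        print(label, "->", select_template(build_access_accept(1, attrs)))
```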
Configuring RADIUS System Accounting
With RADIUS accounting enabled, Juniper Networks routers or switches, acting as RADIUS
clients, can notify the RADIUS server about user activities such as software logins,
configuration changes, and interactive commands. The framework for RADIUS accounting
is described in RFC 2866.
Tasks for configuring RADIUS system accounting are:
1. Configuring Auditing of User Events on a RADIUS Server on page 18
2. Specifying RADIUS Server Accounting and Auditing Events on page 18
3. Configuring RADIUS Server Accounting on page 18
Configuring Auditing of User Events on a RADIUS Server
To audit user events, include the following statements at the [edit system accounting]
hierarchy level:
[edit system accounting]
destination {
radius {
server {
server-address {
accounting-port port-number;
max-outstanding-requests value;
port port-number;
retry value;
secret password;
source-address address;
timeout seconds;
}
}
}
}
Specifying RADIUS Server Accounting and Auditing Events
To specify the events you want to audit when using a RADIUS server for authentication,
include the events statement at the [edit system accounting] hierarchy level:
[edit system accounting]
events [ events ];
events is one or more of the following:
• login—Audit logins
• change-log—Audit configuration changes
• interactive-commands—Audit interactive commands (any command-line input)
Configuring RADIUS Server Accounting
To configure RADIUS server accounting, include the server statement at the [edit system
accounting destination radius] hierarchy level:
server {
server-address {
accounting-port port-number;
max-outstanding-requests value;
port port-number;
retry value;
secret password;
source-address address;
timeout seconds;
}
}
server-address specifies the address of the RADIUS server. To configure multiple RADIUS
servers, include multiple server statements.
NOTE: If no RADIUS servers are configured at the [edit system accounting destination radius] hierarchy level, Junos OS uses the RADIUS servers configured at the [edit system radius-server] hierarchy level.
accounting-port port-number specifies the RADIUS server accounting port number.
The default port number is 1813.
NOTE: If you enable RADIUS accounting at the [edit access profile profile-name
accounting-order] hierarchy level, accounting is triggered on the default port
of 1813 even if you do not specify a value for the accounting-port statement.
You must specify a secret (password) that the local router or switch passes to the RADIUS server by including the secret statement. If the password contains spaces, enclose the entire password in quotation marks (" ").
In the source-address statement, specify a source address for the RADIUS server. Each
RADIUS request sent to a RADIUS server uses the specified source address. The source
address is a valid IPv4 or IPv6 address configured on one of the router or switch interfaces.
Optionally, you can specify the number of times that the router or switch attempts to
contact a RADIUS authentication server by including the retry statement. By default, the
router or switch retries three times. You can configure the router or switch to retry from
1 through 10 times.
Optionally, you can specify the length of time that the local router or switch waits to
receive a response from a RADIUS server by including the timeout statement. By default,
the router or switch waits 3 seconds. You can configure the timeout to be from 1 through
90 seconds.
If you use the enhanced-accounting statement at the [edit system radius-options] hierarchy level, RADIUS attributes such as access method, remote port, and access privileges can be audited. You can limit the number of attribute values to be displayed for auditing by using the enhanced-avs-max <number> statement at the [edit system accounting] hierarchy level.
[edit system radius-options]
enhanced-accounting;
[edit system accounting]
enhanced-avs-max <number>;
When a Juniper Networks router or switch is configured with RADIUS accounting, it sends
Accounting-Start and Accounting-Stop messages to the RADIUS server. These messages
contain information about user activities such as software logins, configuration changes,
and interactive commands. This information is typically used for monitoring a network,
collecting usage statistics, and ensuring that users are billed properly.
The following example shows three servers (10.5.5.5, 10.6.6.6, and 10.7.7.7) configured
for RADIUS accounting:
system {
accounting {
events [ login change-log interactive-commands ];
destination {
radius {
server {
10.5.5.5 {
accounting-port 3333;
secret $9$dkafeqwrew;
source-address 10.1.1.1;
retry 3;
timeout 3;
}
10.6.6.6 secret $9$fe3erqwrez;
10.7.7.7 secret $9$f34929ftby;
}
}
}
}
}
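The Accounting-Start and Accounting-Stop messages described above carry a Request Authenticator computed with the shared secret (RFC 2866); a server must recompute it before trusting a record. This added example (not from the feature guide) builds both message types as the router would and shows the server-side check; the secret, user name, NAS address and session ID are constructed sample values.

```python
"""Build and verify RADIUS Accounting-Request messages (RFC 2866).

Constructed example: shared secret and addresses are sample values. The
Request Authenticator is MD5 over the packet with a zeroed authenticator field
followed by the shared secret; a server that skips this check accepts forged
Start/Stop records from any host that can reach its accounting port.
"""
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_ACCT_STATUS_TYPE = 40
ATTR_ACCT_SESSION_ID = 44
ACCT_START, ACCT_STOP = 1, 2
STATUS_NAMES = {ACCT_START: "Start", ACCT_STOP: "Stop"}


def pack_attributes(attrs):
    """Encode (type, value) pairs as RADIUS TLVs (type, length, value)."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def find_attribute(payload, wanted):
    """Return the value of the first attribute of type `wanted`, or None."""
    i = 0
    while i + 2 <= len(payload):
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("bad attribute length")
        if atype == wanted:
            return payload[i + 2:i + alen]
        i += alen
    return None


def request_authenticator(ident, attr_bytes, secret):
    """RFC 2866 s.3: MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attr_bytes))
    return hashlib.md5(header + bytes(16) + attr_bytes + secret).digest()


def build_accounting_request(ident, status, user, nas_ip, session_id, secret):
    """What the router sends for a login (Start) or logout (Stop) event."""
    attrs = [(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", status)),
             (ATTR_USER_NAME, user.encode()),
             (ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
             (ATTR_ACCT_SESSION_ID, session_id.encode())]
    body = pack_attributes(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    return header + request_authenticator(ident, body, secret) + body


def verify_accounting_request(packet, secret):
    """Server-side check: recompute the authenticator and compare in constant time."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = request_authenticator(ident, packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])


def accounting_event(packet, secret):
    """Return (user, 'Start'|'Stop'|'Other') for an authentic packet, else None."""
    if not verify_accounting_request(packet, secret):
        return None
    body = packet[20:]
    status = struct.unpack("!I", find_attribute(body, ATTR_ACCT_STATUS_TYPE))[0]
    user = find_attribute(body, ATTR_USER_NAME).decode()
    return user, STATUS_NAMES.get(status, "Other")


if __name__ == "__main__":
    secret = b"example-shared-secret"   # constructed; not a real secret
    start = build_accounting_request(10, ACCT_START, "admin", "10.1.1.1", "0001", secret)
    print(accounting_event(start, secret))          # ('admin', 'Start')
    print(accounting_event(start, b"wrong-secret"))  # None
```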
destination (Accounting)
Syntax
destination {
radius {
server {
server-address {
accounting-port port-number;
max-outstanding-requests value;
port port-number;
retry value;
secret password;
source-address source-address;
timeout seconds;
}
}
}
tacplus {
server {
server-address {
port port-number;
secret password;
single-connection;
timeout seconds;
}
}
}
}
Hierarchy Level
[edit system accounting]
Release Information
Statement introduced before Junos OS Release 7.4. radius statement added in Junos OS Release 7.4. Support for IPv6 source address added in Junos OS Release 12.1X47-D15.
Description
Configure the authentication server.
Options
The remaining statements are explained separately. See CLI Explorer.
Required Privilege Level
system—To view this statement in the configuration.
system-control—To add this statement to the configuration.
radius-options
Syntax
radius-options {
attributes {
nas-ip-address nas-ip-address;
}
password-protocol mschap-v2;
}
Hierarchy Level
[edit system]
Release Information
Statement introduced in Junos OS Release 8.5. Support for network access server (NAS) IPv6 address added in Junos OS Release 12.1X47-D15.
Description
Configure RADIUS options for the NAS-IP address for outgoing RADIUS packets and the password protocol used in RADIUS packets.
Options
• attributes—Configure RADIUS attributes.
• nas-ip-address nas-ip-address—Valid IPv4 or IPv6 address of the NAS requesting user authentication.
• password-protocol mschap-v2—Protocol MS-CHAPv2, used for password authentication and password changing.
Required Privilege Level
system—To view this statement in the configuration.
system-control—To add this statement to the configuration.
radius-server
Syntax
radius-server server-address {
accounting-port port-number;
max-outstanding-requests value;
port port-number;
retry value;
secret password;
source-address source-address;
timeout seconds;
}
Hierarchy Level
[edit system]
Release Information
Statement introduced in Junos OS Release 8.5. Support for IPv6 source address added in Junos OS Release 12.1X47-D15.
Description
Configure the RADIUS server address for subscriber access management, Layer 2 Tunnelling Protocol (L2TP), or Point-to-Point Protocol (PPP).
To configure multiple RADIUS servers, include multiple radius-server statements. The servers are tried in order and in a round-robin fashion until a valid response is received from one of the servers or until all the configured retry limits are reached.
Options
• server-address—Address of the RADIUS server.
• accounting-port port-number—RADIUS server accounting port number.
Range: 1 through 65,335
Default: 1813
• port port-number—RADIUS server authentication port number.
Range: 1 through 65,335
Default: 1812
• retry value—Number of times that the router is allowed to attempt to contact a RADIUS server.
Range: 1 through 10
Default: 3
• secret password—Password to use; it can include spaces if the character string is enclosed in quotation marks.
• max-outstanding-requests value—Maximum number of outstanding requests in flight to the server.
Range: 1 through 65,335
• source-address source-address—Valid IPv4 or IPv6 address configured on one of the router or switch interfaces.
• timeout seconds—Amount of time to wait for a response from the server.
Range: 1 through 90 seconds
Default: 3 seconds
Required Privilege Level
system—To view this statement in the configuration.
system-control—To add this statement to the configuration.
Chassis Cluster
• Encrypted Control Link on page 24
Encrypted Control Link
• Example: Configuring an SRX Series Services Gateway for the High-End as a Chassis Cluster on page 24
• Understanding the Low-Impact ISSU Process on Devices in a Chassis Cluster on page 39
• internal (Security IPsec) on page 43
• request security internal-security-association refresh
• show chassis cluster interfaces
• show security internal-security-association
Example: Configuring an SRX Series Services Gateway for the High-End as a Chassis Cluster
This example shows how to set up basic active/passive chassis clustering on a high-end SRX Series device.
• Requirements on page 24
• Overview on page 26
• Configuration on page 28
• Verification on page 36
Requirements
Before you begin:
• You need two SRX5800 Services Gateways with identical hardware configurations, one MX240 edge router, and one EX8208 Ethernet Switch.
• Physically connect the two devices (back-to-back for the fabric and control ports) and ensure that they are the same models.
• Before the cluster is formed, you must configure control ports for each device, as well as assign a cluster ID and node ID to each device, and then reboot. When the system boots, both the nodes come up as a cluster.
NOTE: Control port configuration is required for SRX5400, SRX5600, and SRX5800 devices. No control port configuration is needed for SRX1400, SRX3400, or SRX3600 devices.
• To ensure secure login, configure the internal IPsec SA. When the internal IPsec is configured, IPsec-based rlogin and remote command (rcmd) are enforced, so an attacker cannot gain privileged access or observe traffic containing administrator commands and outputs. You do not need to configure the internal IPsec on both the nodes. When you commit the configuration, both nodes are synchronized. Only the 3des-cbc encryption algorithm is supported. You must ensure that the manual encryption key is ASCII text and 24 bytes long; otherwise, the configuration will result in a commit failure.
You have the option to enable the iked-encryption. The device must be rebooted after this option is configured.
• Enable the iked-encryption:
user@host# set security ipsec internal security-association manual encryption ike-ha-link-encryption enable
• Enable the 3des-cbc encryption algorithm:
user@host# set security ipsec internal security-association manual encryption algorithm 3des-cbc
• Configure the encryption key:
user@host# set security ipsec internal security-association manual encryption key ascii-text "$ABC1234EFGH5678IJKL9101"
NOTE: The existing control link access is enhanced to prevent hackers
from logging in to the system without authentication through the
control link because Telnet access is disabled. Using IPsec for internal
communication between devices, the configuration information that
passes through the chassis cluster link from the primary node to the
secondary node is encrypted.
• Activate internal IPsec:
user@host> request security internal-security-association refresh
• Use the show chassis cluster interfaces CLI command to verify that internal SA is enabled:
user@host> show chassis cluster interfaces
Control link status: Up
Control interfaces:
Index   Interface   Status   Internal SA <- new column
0       em0         Up       enabled
1       em1         Down     enabled
• Configure the control port for each device, and commit the configuration.
Select FPC 1/13, because the central point is always on the lowest SPC/SPU in the cluster (for this example, it is slot 0). For maximum reliability, place the control ports on a separate SPC from the central point (for this example, use the SPC in slot 1).
You must enter the operational mode commands on both devices. For example:
• On node 0:
user@host# set chassis cluster control-ports fpc 1 port 0
user@host# set chassis cluster control-ports fpc 13 port 0
user@host# commit
• On node 1:
user@host# set chassis cluster control-ports fpc 1 port 0
user@host# set chassis cluster control-ports fpc 13 port 0
user@host# commit
• Set the two devices to cluster mode. A reboot is required to enter into cluster mode after the cluster ID and node ID are set. You can cause the system to boot automatically by including the reboot parameter in the CLI command line. You must enter the operational mode commands on both devices. For example:
• On node 0:
user@host> set chassis cluster cluster-id 1 node 0 reboot
• On node 1:
user@host> set chassis cluster cluster-id 1 node 1 reboot
The cluster ID is the same on both devices, but the node ID must be different because one device is node 0 and the other device is node 1. The range for the cluster ID is 1 through 255. Setting a cluster ID to 0 is equivalent to disabling a cluster. A cluster ID greater than 15 can be set only when the fabric and control link interfaces are connected back-to-back.
Now the devices are a pair. From this point forward, configuration of the cluster is
synchronized between the node members, and the two separate devices function as one
device.
Overview
This example shows how to set up basic active/passive chassis clustering on a high-end
SRX Series device. The basic active/passive example is the most common type of chassis
cluster. The following high-end SRX Series devices are supported:
• SRX1400
• SRX3400
• SRX3600
• SRX5400
• SRX5600
• SRX5800
The basic active/passive chassis cluster consists of two devices:
• One device actively provides routing, firewall, NAT, VPN, and security services, along with maintaining control of the chassis cluster.
• The other device passively maintains its state for cluster failover capabilities should the active device become inactive.
NOTE: This active/passive mode example for the SRX5800 Services Gateway
does not describe in detail miscellaneous configurations such as how to
configure NAT, security policies, or VPNs. They are essentially the same as
they would be for standalone configurations. See NAT Overview, Security
Policies Overview, and VPN Overview. However, if you are performing proxy
ARP in chassis cluster configurations, you must apply the proxy ARP
configurations to the reth interfaces rather than the member interfaces
because the RETH interfaces hold the logical configurations. See Configuring
Proxy ARP (CLI Procedure). You can also configure separate logical interface
configurations using VLANs and trunked interfaces in the SRX5800 Services
Gateway. These configurations are similar to the standalone implementations
using VLANs and trunked interfaces.
Figure 1 on page 28 shows the topology used in this example.
Figure 1: Basic Active/Passive Chassis Clustering on a High-End SRX Series Device Topology Example
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text
file, remove any line breaks, change any details necessary to match your network
configuration, copy and paste the commands into the CLI at the [edit] hierarchy level,
and then enter commit from configuration mode.
On {primary:node0}
[edit]
set interfaces fab0 fabric-options member-interfaces ge-11/3/0
set interfaces fab1 fabric-options member-interfaces ge-23/3/0
set groups node0 system host-name SRX5800-1
set groups node0 interfaces fxp0 unit 0 family inet address 10.3.5.1/24
set groups node0 system backup-router 10.3.5.254 destination 0.0.0.0/16
set groups node1 system host-name SRX5800-2
set groups node1 interfaces fxp0 unit 0 family inet address 10.3.5.2/24
set groups node1 system backup-router 10.3.5.254 destination 0.0.0.0/16
set apply-groups "${node}"
set chassis cluster reth-count 2
set chassis cluster redundancy-group 0 node 0 priority 129
set chassis cluster redundancy-group 0 node 1 priority 128
set chassis cluster redundancy-group 1 node 0 priority 129
set chassis cluster redundancy-group 1 node 1 priority 128
set interfaces xe-6/0/0 gigether-options redundant-parent reth0
set interfaces xe-6/1/0 gigether-options redundant-parent reth1
set interfaces xe-18/0/0 gigether-options redundant-parent reth0
set interfaces xe-18/1/0 gigether-options redundant-parent reth1
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 1.1.1.1/24
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family inet address 2.2.2.1/24
set chassis cluster redundancy-group 1 interface-monitor xe-6/0/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor xe-6/1/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor xe-18/0/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor xe-18/1/0 weight 255
set chassis cluster control-link-recovery
set security zones security-zone untrust interfaces reth0.0
set security zones security-zone trust interfaces reth1.0
set routing-options static route 0.0.0.0/0 next-hop 1.1.1.254
set routing-options static route 2.0.0.0/8 next-hop 2.2.2.254
To quickly configure an EX8208 Core Switch, copy the following commands and paste
them into the CLI at the [edit] hierarchy level, and then enter commit from configuration
mode.
On {primary:node0}
[edit]
set interfaces xe-1/0/0 unit 0 family ethernet-switching port-mode access vlan members SRX5800
set interfaces xe-2/0/0 unit 0 family ethernet-switching port-mode access vlan members SRX5800
set interfaces vlan unit 50 family inet address 2.2.2.254/24
set vlans SRX5800 vlan-id 50
set vlans SRX5800 l3-interface vlan.50
set routing-options static route 0.0.0.0/0 next-hop 2.2.2.1/24
To quickly configure an MX240 edge router, copy the following commands and paste
them into the CLI at the [edit] hierarchy level, and then enter commit from configuration
mode.
On {primary:node0}
[edit]
set interfaces xe-1/0/0 encapsulation ethernet-bridge unit 0 family bridge
set interfaces xe-2/0/0 encapsulation ethernet-bridge unit 0 family bridge
set interfaces irb unit 0 family inet address 1.1.1.254/24
set routing-options static route 2.0.0.0/8 next-hop 1.1.1.1
set routing-options static route 0.0.0.0/0 next-hop (upstream router)
set bridge-domains SRX5800 vlan-id X (could be set to "none")
set bridge-domains SRX5800 domain-type bridge routing-interface irb.0
set bridge-domains SRX5800 domain-type bridge interface xe-1/0/0
set bridge-domains SRX5800 domain-type bridge interface xe-2/0/0
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration
hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration
Mode in the Junos OS CLI User Guide.
To configure a chassis cluster on a high-end SRX Series device:
NOTE: In cluster mode, the cluster is synchronized between the nodes when
you execute a commit command. All commands are applied to both nodes
regardless of from which device the command is configured.
1. Configure the fabric (data) ports of the cluster that are used to pass RTOs in
active/passive mode. For this example, use one of the 1-Gigabit Ethernet ports
because running out of bandwidth using active/passive mode is not an issue. Define
two fabric interfaces, one on each chassis, to connect together.
user@host# set interfaces fab0 fabric-options member-interfaces ge-11/3/0
user@host# set interfaces fab1 fabric-options member-interfaces ge-23/3/0
2. Because the SRX5800 Services Gateway chassis cluster configuration is contained
within a single common configuration, to assign some elements of the configuration
to a specific member only, you must use the Junos OS node-specific configuration
method called groups. The set apply-groups ${node} command uses the node
variable to define how the groups are applied to the nodes; each node recognizes
its number and accepts the configuration accordingly. You must also configure
out-of-band management on the fxp0 interface of the SRX5800 Services Gateway
using separate IP addresses for the individual control planes of the cluster.
NOTE: Configuring the backup router destination address as x.x.x.0/0
is not allowed.
user@host# set groups node0 system host-name SRX5800-1
user@host# set groups node0 interfaces fxp0 unit 0 family inet address 10.3.5.1/24
user@host# set groups node0 system backup-router 10.3.5.254 destination 0.0.0.0/16
user@host# set groups node1 system host-name SRX5800-2
user@host# set groups node1 interfaces fxp0 unit 0 family inet address 10.3.5.2/24
user@host# set groups node1 system backup-router 10.3.5.254 destination 0.0.0.0/16
user@host# set apply-groups "${node}"
3. Configure redundancy groups for chassis clustering. Each node has interfaces in a
redundancy group where interfaces are active in active redundancy groups (multiple
active interfaces can exist in one redundancy group). Redundancy group 0 controls
the control plane and redundancy group 1+ controls the data plane and includes
the data plane ports. For this active/passive mode example, only one chassis cluster
member is active at a time so you need to define redundancy groups 0 and 1 only.
Besides redundancy groups, you must also define:
• Redundant Ethernet groups—Configure how many redundant Ethernet interfaces (member links) will be active on the device so that the system can allocate the appropriate resources for it.
• Priority for control plane and data plane—Define which device has priority (for chassis cluster, high priority is preferred) for the control plane, and which device is preferred to be active for the data plane.
NOTE:
• In active/passive or active/active mode, the control plane (redundancy group 0) can be active on a chassis different from the data plane (redundancy group 1+ and groups) chassis. However, for this example we recommend having both the control and data plane active on the same chassis member. When traffic passes through the fabric link to go to another member node, latency is introduced (z line mode traffic).
• On all high-end SRX Series devices, the IPsec VPN is not supported in active/active chassis cluster configuration (that is, when there are multiple RG1+ redundancy groups).
user@host# set chassis cluster reth-count 2
user@host# set chassis cluster redundancy-group 0 node 0 priority 129
user@host# set chassis cluster redundancy-group 0 node 1 priority 128
user@host# set chassis cluster redundancy-group 1 node 0 priority 129
user@host# set chassis cluster redundancy-group 1 node 1 priority 128
4. Configure the data interfaces on the platform so that in the event of a data plane
failover, the other chassis cluster member can take over the connection seamlessly.
Seamless transition to a new active node will occur with data plane failover. In case
of control plane failover, all the daemons (processes) are restarted on the new
node thus enabling a graceful restart to avoid losing neighborship with peers (ospf,
bgp). This promotes a seamless transition to the new node without any packet loss.
You must define the following items:
• Define the membership information of the member interfaces to the reth interface.
• Define which redundancy group the reth interface is a member of. For this active/passive example, it is always 1.
• Define reth interface information such as the IP address of the interface.
user@host# set interfaces xe-6/0/0 gigether-options redundant-parent reth0
user@host# set interfaces xe-6/1/0 gigether-options redundant-parent reth1
user@host# set interfaces xe-18/0/0 gigether-options redundant-parent reth0
user@host# set interfaces xe-18/1/0 gigether-options redundant-parent reth1
user@host# set interfaces reth0 redundant-ether-options redundancy-group 1
user@host# set interfaces reth0 unit 0 family inet address 1.1.1.1/24
user@host# set interfaces reth1 redundant-ether-options redundancy-group 1
user@host# set interfaces reth1 unit 0 family inet address 2.2.2.1/24
5. Configure the chassis cluster behavior in case of a failure. For the SRX5800 Services
Gateway, the failover threshold is set at 255. You can alter the weights to determine
the impact on the chassis failover. You must also configure control link recovery.
The recovery automatically causes the secondary node to reboot should the control
link fail, and then come back online. Enter these commands on node 0.
user@host# set chassis cluster redundancy-group 1 interface-monitor xe-6/0/0 weight 255
user@host# set chassis cluster redundancy-group 1 interface-monitor xe-6/1/0 weight 255
user@host# set chassis cluster redundancy-group 1 interface-monitor xe-18/0/0 weight 255
user@host# set chassis cluster redundancy-group 1 interface-monitor xe-18/1/0 weight 255
user@host# set chassis cluster control-link-recovery
This step completes the chassis cluster configuration part of the active/passive
mode example for the SRX5800 Services Gateway. The rest of this procedure
describes how to configure the zone, virtual router, routing, EX8208 Core Switch,
and MX240 Edge Router to complete the deployment scenario.
6. Configure and connect the reth interfaces to the appropriate zones and virtual
routers. For this example, leave the reth0 and reth1 interfaces in the default virtual
router inet.0, which does not require any additional configuration.
user@host# set security zones security-zone untrust interfaces reth0.0
user@host# set security zones security-zone trust interfaces reth1.0
7. For this active/passive mode example, because of the simple network architecture,
use static routes to define how to route to the other network devices.
user@host# set routing-options static route 0.0.0.0/0 next-hop 1.1.1.254
user@host# set routing-options static route 2.0.0.0/8 next-hop 2.2.2.254
8. For the EX8208 Ethernet Switch, the following commands provide only an outline
of the applicable configuration as it pertains to this active/passive mode example
for the SRX5800 Services Gateway; most notably the VLANs, routing, and interface
configuration.
user@host# set interfaces xe-1/0/0 unit 0 family ethernet-switching port-mode access vlan members SRX5800
user@host# set interfaces xe-2/0/0 unit 0 family ethernet-switching port-mode access vlan members SRX5800
user@host# set interfaces vlan unit 50 family inet address 2.2.2.254/24
user@host# set vlans SRX5800 vlan-id 50
user@host# set vlans SRX5800 l3-interface vlan.50
user@host# set routing-options static route 0.0.0.0/0 next-hop 2.2.2.1/24
9. For the MX240 edge router, the following commands provide only an outline of the
applicable configuration as it pertains to this active/passive mode example for the
SRX5800 Services Gateway; most notably you must use an IRB interface within a
virtual switch instance on the switch.
user@host# set interfaces xe-1/0/0 encapsulation ethernet-bridge unit 0 family bridge
user@host# set interfaces xe-2/0/0 encapsulation ethernet-bridge unit 0 family bridge
user@host# set interfaces irb unit 0 family inet address 1.1.1.254/24
user@host# set routing-options static route 2.0.0.0/8 next-hop 1.1.1.1
user@host# set routing-options static route 0.0.0.0/0 next-hop (upstream router)
user@host# set bridge-domains SRX5800 vlan-id X (could be set to "none")
user@host# set bridge-domains SRX5800 domain-type bridge routing-interface irb.0
user@host# set bridge-domains SRX5800 domain-type bridge interface xe-1/0/0
user@host# set bridge-domains SRX5800 domain-type bridge interface xe-2/0/0
Results
From operational mode, confirm your configuration by entering the show configuration
command. If the output does not display the intended configuration, repeat the
configuration instructions in this example to correct it.
user@host> show configuration
version x.xx.x;
groups {
    node0 {
        system {
            host-name SRX58001;
            backup-router 10.3.5.254 destination 0.0.0.0/16;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 10.3.5.1/24;
                    }
                }
            }
        }
    }
    node1 {
        system {
            host-name SRX58002;
            backup-router 10.3.5.254 destination 0.0.0.0/16;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 10.3.5.2/24;
                    }
                }
            }
        }
    }
}
apply-groups "${node}";
system {
    root-authentication {
        encrypted-password "$1$zTMjraKG$qU8rjxoHzC6Y/WDmYpR9r.";
    }
    name-server {
        4.2.2.2;
    }
    services {
        ssh {
            root-login allow;
        }
        netconf {
            ssh;
        }
        web-management {
            http {
                interface fxp0.0;
            }
        }
    }
}
chassis {
    cluster {
        control-link-recovery;
        reth-count 2;
        control-ports {
            fpc 1 port 0;
            fpc 13 port 0;
        }
        redundancy-group 0 {
            node 0 priority 129;
            node 1 priority 128;
        }
        redundancy-group 1 {
            node 0 priority 129;
            node 1 priority 128;
            interface-monitor {
                xe-6/0/0 weight 255;
                xe-6/1/0 weight 255;
                xe-18/0/0 weight 255;
                xe-18/1/0 weight 255;
            }
        }
    }
}
interfaces {
    xe-6/0/0 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    xe-6/1/0 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    xe-18/0/0 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    xe-18/1/0 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    fab0 {
        fabric-options {
            member-interfaces {
                ge-11/3/0;
            }
        }
    }
    fab1 {
        fabric-options {
            member-interfaces {
                ge-23/3/0;
            }
        }
    }
    reth0 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 1.1.1.1/24;
            }
        }
    }
    reth1 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 2.2.2.1/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 {
            next-hop 1.1.1.254;
        }
        route 2.0.0.0/8 {
            next-hop 2.2.2.254;
        }
    }
}
security {
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                reth0.0;
            }
        }
        security-zone untrust {
            interfaces {
                reth1.0;
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy 1 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        default-policy {
            deny-all;
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.
Verification
Confirm that the configuration is working properly.
• Verifying Chassis Cluster Status on page 36
• Verifying Chassis Cluster Interfaces on page 36
• Verifying Chassis Cluster Statistics on page 37
• Verifying Chassis Cluster Control Plane Statistics on page 38
• Verifying Chassis Cluster Data Plane Statistics on page 38
• Verifying Chassis Cluster Redundancy Group Status on page 39
• Troubleshooting with Logs on page 39
Verifying Chassis Cluster Status

Purpose
Verify the chassis cluster status, failover status, and redundancy group information.

Action
From operational mode, enter the show chassis cluster status command.

{primary:node0}
user@host> show chassis cluster status
Cluster ID: 1
Node                  Priority          Status    Preempt  Manual failover

Redundancy group: 0 , Failover count: 1
    node0                   129         primary        no       no
    node1                   128         secondary      no       no

Redundancy group: 1 , Failover count: 1
    node0                   129         primary        no       no
    node1                   128         secondary      no       no
Verifying Chassis Cluster Interfaces

Purpose
Verify information about chassis cluster interfaces.

Action
From operational mode, enter the show chassis cluster interfaces command.

{primary:node0}
user@host> show chassis cluster interfaces
Control link name: fxp1

Redundant-ethernet Information:
    Name         Status      Redundancy-group
    reth0        Up          1
    reth1        Up          1

Interface Monitoring:
    Interface         Weight    Status    Redundancy-group
    xe-6/0/0          255       Up        1
    xe-6/1/0          255       Up        1
    xe-18/0/0         255       Up        1
    xe-18/1/0         255       Up        1
Verifying Chassis Cluster Statistics

Purpose
Verify information about chassis cluster services and control link statistics (heartbeats sent and received), fabric link statistics (probes sent and received), and the number of RTOs sent and received for services.

Action
From operational mode, enter the show chassis cluster statistics command.

{primary:node0}
user@host> show chassis cluster statistics
Control link statistics:
    Control link 0:
        Heartbeat packets sent: 258689
        Heartbeat packets received: 258684
        Heartbeat packets errors: 0
Fabric link statistics:
    Child link 0
        Probes sent: 258681
        Probes received: 258681
Services Synchronized:
    Service name                              RTOs sent    RTOs received
    Translation context                       0            0
    Incoming NAT                              0            0
    Resource manager                          6            0
    Session create                            161          0
    Session close                             148          0
    Session change                            0            0
    Gate create                               0            0
    Session ageout refresh requests           0            0
    Session ageout refresh replies            0            0
    IPSec VPN                                 0            0
    Firewall user authentication              0            0
    MGCP ALG                                  0            0
    H323 ALG                                  0            0
    SIP ALG                                   0            0
    SCCP ALG                                  0            0
    PPTP ALG                                  0            0
    RPC ALG                                   0            0
    RTSP ALG                                  0            0
    RAS ALG                                   0            0
    MAC address learning                      0            0
    GPRS GTP                                  0            0
Verifying Chassis Cluster Control Plane Statistics

Purpose
Verify information about chassis cluster control plane statistics (heartbeats sent and received) and the fabric link statistics (probes sent and received).

Action
From operational mode, enter the show chassis cluster control-plane statistics command.
{primary:node0}
user@host> show chassis cluster control-plane statistics
Control link statistics:
Control link 0:
Heartbeat packets sent: 258689
Heartbeat packets received: 258684
Heartbeat packets errors: 0
Fabric link statistics:
Child link 0
Probes sent: 258681
Probes received: 258681
Verifying Chassis Cluster Data Plane Statistics

Purpose
Verify information about the number of RTOs sent and received for services.

Action
From operational mode, enter the show chassis cluster data-plane statistics command.

{primary:node0}
user@host> show chassis cluster data-plane statistics
Services Synchronized:
    Service name                              RTOs sent    RTOs received
    Translation context                       0            0
    Incoming NAT                              0            0
    Resource manager                          6            0
    Session create                            161          0
    Session close                             148          0
    Session change                            0            0
    Gate create                               0            0
    Session ageout refresh requests           0            0
    Session ageout refresh replies            0            0
    IPSec VPN                                 0            0
    Firewall user authentication              0            0
    MGCP ALG                                  0            0
    H323 ALG                                  0            0
    SIP ALG                                   0            0
    SCCP ALG                                  0            0
    PPTP ALG                                  0            0
    RPC ALG                                   0            0
    RTSP ALG                                  0            0
    RAS ALG                                   0            0
    MAC address learning                      0            0
    GPRS GTP                                  0            0
Verifying Chassis Cluster Redundancy Group Status
Purpose
Verify the state and priority of both nodes in a cluster and information about whether the primary node has been preempted or whether there has been a manual failover.

Action
From operational mode, enter the show chassis cluster status redundancy-group command.

{primary:node0}
user@host> show chassis cluster status redundancy-group 1
Cluster ID: 1
Node                  Priority          Status    Preempt  Manual failover

Redundancy-Group: 1, Failover count: 1
    node0                   100         primary        no       no
    node1                   50          secondary      no       no
Troubleshooting with Logs

Purpose
Use these logs to identify any chassis cluster issues. You should run these logs on both nodes.

Action
From operational mode, enter these show log commands.

user@host> show log jsrpd
user@host> show log chassisd
user@host> show log messages
user@host> show log dcd
user@host> show traceoptions

Related Documentation
• Chassis Cluster Feature Guide for Security Devices
• Understanding Chassis Cluster Redundancy Groups
• Node Interfaces on Active SRX Series Chassis Clusters
• Example: Configuring an SRX Series Services Gateway for the Branch as a Chassis Cluster
Understanding the Low-Impact ISSU Process on Devices in a Chassis Cluster
In-service software upgrade (ISSU) allows a software upgrade from one Junos OS version
to a later Junos OS version with little or no downtime.
The chassis cluster ISSU feature allows both devices in a cluster to be upgraded from
supported Junos OS versions with a minimal disruption in traffic and without a disruption
in service.
An ISSU provides the following benefits:
• Eliminates network downtime during software image upgrades
• Reduces operating costs, while delivering higher service levels
• Allows fast implementation of new features
NOTE: The following limitations are related to an ISSU:
• ISSU is available only for Junos OS Release 10.4R4 or later.
• ISSU does not support software downgrades.
• If you upgrade from a Junos OS version that supports only IPv4 to a version that supports both IPv4 and IPv6, the IPv4 traffic will continue to work during the upgrade process. If you upgrade from a Junos OS version that supports both IPv4 and IPv6 to a version that supports both IPv4 and IPv6, both the IPv4 and IPv6 traffic will continue to work during the upgrade process. Junos OS Release 10.2 and later releases support flow-based processing for IPv6 traffic.
• During an ISSU, you cannot bring any PICs online. You cannot perform operations such as commit, restart, halt, and so on.
• During an ISSU, operations like fabric monitoring, control link recovery, and RGX preempt are suspended.
NOTE: For the latest ISSU support status, go to the Juniper Networks
Knowledge Base: http://kb.juniper.net/ and search for KB17946.
The following process occurs during an ISSU for devices in a chassis cluster. The
sequences given below are applicable when RG-0 is node 0 (primary node). Note that
you must initiate an ISSU from RG-0 primary. If you initiate the ISSU on node 1 (RG-0
secondary), an error message will be displayed.
1. At the beginning of a chassis cluster ISSU, the system automatically fails over all RG-1+ redundancy groups that are not primary on the node from which the ISSU is started. This action ensures that the redundancy groups are all active on only the RG-0 primary node.

   NOTE: The automatic failover of all RG-1+ redundancy groups is available from Junos OS Release 12.1 or later. If you are using Junos OS Release 11.4 or earlier, before starting an ISSU, ensure that the redundancy groups are all active on only the RG-0 primary node.

   After the system fails over all RG-1+ redundancy groups, it sets the manual failover bit and changes all RG-1+ primary node priorities to 255, regardless of whether the redundancy group failed over to the RG-0 primary node.
2. The primary node (node 0) validates the device configuration to ensure that it can be committed using the new software version. Checks are made for disk space available for the /var file system on both nodes, unsupported configurations, and unsupported Physical Interface Cards (PICs).

   If there is insufficient disk space available on either of the Routing Engines, the ISSU process fails and returns an error message. However, unsupported PICs do not prevent an ISSU. The software issues a warning to indicate that these PICs will restart during the upgrade. Similarly, an unsupported protocol configuration does not prevent an ISSU. The software issues a warning that packet loss might occur for the protocol during the upgrade.
3. When the validation succeeds, the kernel state synchronization daemon (ksyncd) synchronizes the kernel on the secondary node (node 1) with node 0.
4. Node 1 is upgraded with the new software image. Before being upgraded, node 1 gets the configuration file from node 0 and validates the configuration to ensure that it can be committed using the new software version. After being upgraded, it is resynchronized with node 0.
5. The chassis cluster process (chassisd) on node 0 prepares other software processes for the low-impact ISSU. When all the processes are ready, chassisd sends a message to the PICs installed in the device.
6. The Packet Forwarding Engine on each Flexible PIC Concentrator (FPC) saves its state and downloads the new software image from node 1. Next, each Packet Forwarding Engine sends a message (ISSU ready) to chassisd.
7. After receiving the message (ISSU ready) from a Packet Forwarding Engine, chassisd sends a reboot message to the FPC on which the Packet Forwarding Engine resides. The FPC reboots with the new software image. After the FPC is rebooted, the Packet Forwarding Engine restores the FPC state and a high-speed internal link is established with node 1 running the new software. The chassisd connection with node 0 is also reestablished.
8. After all Packet Forwarding Engines have sent a ready message through chassisd on node 0, other software processes are prepared for a node switchover. The system is ready for a switchover at this point.
9. The node switchover occurs and node 1 (the old secondary node) becomes the new primary node.
10. The new secondary node (the old primary, node 0) is now upgraded to the new software image.
When both nodes are successfully upgraded, the ISSU is complete.
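The preconditions in steps 1 and 2 can be checked before an ISSU is started by reading the command output shown earlier in this guide. The following Python script is an added example, not Juniper software: it parses the text of show chassis cluster status and show chassis cluster control-plane statistics (pasted in, or collected over NETCONF or SSH) and reports anything that would block a clean ISSU: a redundancy group whose primary is not the RG-0 primary node, a manual-failover flag left set, a missing node, or heartbeat loss on the control link. The two embedded samples are constructed from this guide's own output; the heartbeat-loss threshold is an assumption, not a Juniper value.

```python
"""Pre-ISSU readiness check for an SRX chassis cluster (added example, not Juniper code).

Parses the text of two operational commands shown in this guide and applies
the preconditions the ISSU description states: exactly one primary per
redundancy group, every redundancy group primary on the RG-0 primary node,
no manual-failover flag set, both nodes present, and a clean control link.
The two samples are constructed from the guide's own command output.
"""
import re

STATUS_SAMPLE = """\
Cluster ID: 1
Node                  Priority          Status    Preempt  Manual failover

Redundancy group: 0 , Failover count: 1
    node0                   129         primary        no       no
    node1                   128         secondary      no       no

Redundancy group: 1 , Failover count: 1
    node0                   129         primary        no       no
    node1                   128         secondary      no       no
"""

STATS_SAMPLE = """\
Control link statistics:
    Control link 0:
        Heartbeat packets sent: 258689
        Heartbeat packets received: 258684
        Heartbeat packets errors: 0
Fabric link statistics:
    Child link 0
        Probes sent: 258681
        Probes received: 258681
"""

# Both spellings, "Redundancy group: 0 ," and "Redundancy-Group: 1,", appear in the guide.
RG_RE = re.compile(r"^Redundancy[- ]group:\s*(\d+)", re.IGNORECASE)
NODE_RE = re.compile(
    r"^\s*(node[01])\s+(\d+)\s+"
    r"(primary|secondary|hold|lost|disabled|ineligible|unavailable)"
    r"\s+(yes|no)\s+(yes|no)", re.IGNORECASE)


def parse_status(text):
    """Return {rg: {node: (priority, status, preempt, manual_failover)}}."""
    groups, current = {}, None
    for line in text.splitlines():
        m = RG_RE.match(line)
        if m:
            current = int(m.group(1))
            groups[current] = {}
            continue
        m = NODE_RE.match(line)
        if m and current is not None:
            node, prio, status, preempt, manual = m.groups()
            groups[current][node.lower()] = (
                int(prio), status.lower(), preempt.lower() == "yes", manual.lower() == "yes")
    return groups


def parse_counters(text):
    """Return {name: value} for every 'Some counter name: 12345' line."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(\d+)\s*$", line)
        if m:
            out[m.group(1).strip().lower()] = int(m.group(2))
    return out


def issu_readiness(status_text, stats_text, max_heartbeat_loss=0.001):
    """Return a list of blocking problems; an empty list means the cluster is ready."""
    problems = []
    groups = parse_status(status_text)
    rg0_primary = [n for n, v in groups.get(0, {}).items() if v[1] == "primary"]
    if len(rg0_primary) != 1:
        return ["redundancy group 0 must have exactly one primary node"]
    anchor = rg0_primary[0]  # the ISSU must be started from this node
    for rg, nodes in sorted(groups.items()):
        if len(nodes) != 2:
            problems.append("RG%d: both nodes must be present, found %s" % (rg, sorted(nodes)))
        primaries = [n for n, v in nodes.items() if v[1] == "primary"]
        if len(primaries) != 1:
            problems.append("RG%d: expected one primary, found %s" % (rg, primaries))
        elif primaries[0] != anchor:
            problems.append("RG%d: primary is %s, must be %s before ISSU" % (rg, primaries[0], anchor))
        for n, (_, _, _, manual) in nodes.items():
            if manual:
                problems.append("RG%d: manual failover flag set on %s, reset it first" % (rg, n))
    c = parse_counters(stats_text)
    sent = c.get("heartbeat packets sent", 0)
    recv = c.get("heartbeat packets received", 0)
    if sent == 0:
        problems.append("no control-link heartbeats seen")
    elif (sent - recv) / sent > max_heartbeat_loss:
        problems.append("control-link heartbeat loss: %d of %d" % (sent - recv, sent))
    if c.get("heartbeat packets errors", 0):
        problems.append("control-link heartbeat errors present")
    return problems
```

Run issu_readiness() against output collected from the RG-0 primary; anything it returns is a reason to stop before issuing the ISSU request. With the sample output above it returns an empty list: both redundancy groups are primary on node0, no manual failover bit is set, and the 5 lost heartbeats out of 258689 are well under the threshold.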
NOTE: When upgrading a cluster from a version that does not support control link encryption to a version that does, upgrade the first node to the new version. With encryption not configured and enabled, two nodes running different versions can still communicate with each other and service is not broken. Then upgrade the second node to the new version. You can decide whether to turn on the encryption feature after completing the upgrade.
Encryption must be deactivated before downgrading to a version that does not support encryption. This ensures that communication between an encryption-enabled node and a downgraded node does not break, because neither side is encrypting any longer.
Related Documentation
• ISSU System Requirements
• Upgrading Both Devices in a Chassis Cluster Using an ISSU
• Troubleshooting Chassis Cluster ISSU Failures
• Troubleshooting ISSU-Related Problems Using Log Error Messages
internal (Security IPsec)
Syntax
internal {
    security-association {
        manual encryption {
            iked_encryption enabled;
            algorithm 3des-cbc;
            key ascii-text key;
        }
    }
}

Hierarchy Level
[edit security ipsec internal-security-association]

Release Information
Statement introduced in Junos OS Release 12.1X45-D10.
Support for iked_encryption option added in Junos OS Release 12.1X47-D15.

Description
Enable secure login by configuring the internal IP security (IPsec) security association (SA). When the internal IPsec is configured, IPsec-based rlogin and remote command (rcmd) are enforced, so an attacker cannot gain unauthorized information.

Options
security-association—Specify an IPsec SA.
manual encryption—Specify a manual SA.
iked_encryption—Select the iked encryption option.
algorithm—Specify the encryption algorithm for the internal Routing-Engine-to-Routing-Engine IPsec SA configuration.
NOTE: Only the 3des-cbc encryption algorithm is supported.
key—Specify the encryption key. You must ensure that the manual encryption key is in ASCII text and 24 characters long; otherwise, the configuration will result in a commit failure.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation
• Chassis Cluster Feature Guide for Security Devices
request security internal-security-association refresh

Syntax
request security internal-security-association refresh

Release Information
Command introduced in Junos OS Release 12.1X45-D10.

Description
Activate internal IPsec so an attacker cannot gain unauthorized information.

Required Privilege Level
maintenance

Related Documentation
• show security internal-security-association on page 49
• internal (Security IPsec) on page 43

List of Sample Output
request security internal-security-association refresh on page 44

Output Fields
This command produces no output.

Sample Output

request security internal-security-association refresh
user@host> request security internal-security-association refresh
show chassis cluster interfaces
Syntax
show chassis cluster interfaces

Release Information
Command modified in Junos OS Release 9.0. Output changed to support dual control ports in Junos OS Release 10.0. Output changed to support control interfaces in Junos OS Release 11.2. Output changed to support redundant pseudointerfaces in Junos OS Release 12.1X44-D10. For high-end SRX Series devices, output changed to support the internal security association (SA) option in Junos OS Release 12.1X45-D10.

Description
Display the status of the control interface in a chassis cluster configuration.

Required Privilege Level
view

Related Documentation
• Chassis Cluster Feature Guide for Security Devices

List of Sample Output
show chassis cluster interfaces on page 46
show chassis cluster interfaces (SRX3000 and SRX5000 line devices) on page 47
show chassis cluster interfaces on page 47

Output Fields
Table 3 on page 45 lists the output fields for the show chassis cluster interfaces command. Output fields are listed in the approximate order in which they appear.
Table 3: show chassis cluster interfaces Output Fields

Control link status
    State of the chassis cluster control interface: up or down.

Control interfaces
    • Index—Index number of the chassis cluster control interface.
    • Name—Name of the chassis cluster control interface.
    • Monitored-Status—Monitored state of the interface: up or down.
    • Internal SA—State of the internal SA option on the chassis cluster control link: enabled or disabled.
      NOTE: This field is available only on high-end SRX Series devices.

Fabric link status
    State of the fabric interface: up or down.

Fabric interfaces
    • Name—Name of the fabric interface.
    • Child-interface—Name of the child fabric interface.
    • Status—State of the interface: up or down.

Redundant-ethernet Information
    • Name—Name of the redundant Ethernet interface.
    • Status—State of the interface: up or down.
    • Redundancy-group—Identification number (1–255) of the redundancy group associated with the redundant Ethernet interface.

Redundant-pseudo-interface Information
    • Name—Name of the redundant pseudointerface.
    • Status—State of the redundant pseudointerface: up or down.
    • Redundancy-group—Identification number (1–255) of the redundancy group associated with the redundant pseudointerface.

Interface Monitoring
    • Interface—Name of the interface to be monitored.
    • Weight—Relative importance of the interface to redundancy group operation.
    • Status—State of the interface: up or down.
    • Redundancy-group—Identification number of the redundancy group associated with the interface.
Sample Output
show chassis cluster interfaces
user@host> show chassis cluster interfaces
Control link status: Up

Control interfaces:
    Index   Interface   Monitored-Status
    0       em0         Up
    1       em1         Down

Fabric link status: Up

Fabric interfaces:
    Name    Child-interface    Status
    fab0    ge-0/1/0           Up
    fab0
    fab1    ge-6/1/0           Up
    fab1

Redundant-ethernet Information:
    Name         Status      Redundancy-group
    reth0        Up          1
    reth1        Up          2
    reth2        Down        Not configured
    reth3        Down        Not configured
    reth4        Down        Not configured
    reth5        Down        Not configured
    reth6        Down        Not configured
    reth7        Down        Not configured
    reth8        Down        Not configured
    reth9        Down        Not configured
    reth10       Down        Not configured
    reth11       Down        Not configured

Redundant-pseudo-interface Information:
    Name         Status      Redundancy-group
    lo0          Up          1

Interface Monitoring:
    Interface         Weight    Status    Redundancy-group
    ge-0/1/9          100       Up        0
    ge-0/1/9          100       Up        0
Sample Output
show chassis cluster interfaces (SRX3000 and SRX5000 line devices)
user@host> show chassis cluster interfaces
Control link status: Up

Control interfaces:
    Index   Interface   Monitored-Status   Internal SA
    0       em0         Up                 enabled
    1       em1         Down               enabled

Fabric link status: Up

Fabric interfaces:
    Name    Child-interface    Status
    fab0    ge-0/1/0           Up
    fab0
    fab1    ge-6/1/0           Up
    fab1

Redundant-ethernet Information:
    Name         Status      Redundancy-group
    reth0        Up          1
    reth1        Up          2
    reth2        Down        Not configured
    reth3        Down        Not configured
    reth4        Down        Not configured
    reth5        Down        Not configured
    reth6        Down        Not configured
    reth7        Down        Not configured
    reth8        Down        Not configured
    reth9        Down        Not configured
    reth10       Down        Not configured
    reth11       Down        Not configured

Redundant-pseudo-interface Information:
    Name         Status      Redundancy-group
    lo0          Up          1

Interface Monitoring:
    Interface         Weight    Status    Redundancy-group
    ge-0/1/9          100       Up        0
    ge-0/1/9          100       Up        0
Sample Output
show chassis cluster interfaces
The following output is specific to a fabric monitoring failure.

user@host> show chassis cluster interfaces
Control link status: Up

Control interfaces:
    Index   Interface   Monitored-Status   Internal-SA
    0       fxp1        Up                 Disabled

Fabric link status: Down

Fabric interfaces:
    Name    Child-interface    Status
                               (Physical/Monitored)
    fab0    ge-0/0/2           Down / Down
    fab0
    fab1    ge-9/0/2           Up   / Up
    fab1

Redundant-pseudo-interface Information:
    Name         Status      Redundancy-group
    lo0          Up          0
show security internal-security-association
Syntax
show security internal-security-association

Release Information
Command introduced in Junos OS Release 12.1X47-D15.

Description
Display, for each node in a chassis cluster configuration, the status of the internal security association (SA) that provides secure login between the nodes, and the status of iked encryption.

Required Privilege Level
view

Related Documentation
• Chassis Cluster Feature Guide for Security Devices

List of Sample Output
show security internal-security-association on page 49

Output Fields
Table 4 on page 49 lists the output fields for the show security internal-security-association command. Output fields are listed in the approximate order in which they appear.

Table 4: show security internal-security-association Output Fields

Internal SA Status
    State of the internal SA option on the chassis cluster control link: enabled or disabled.

Iked Encryption Status
    State of the iked encryption: enabled or disabled.

Sample Output

show security internal-security-association
user@host> show security internal-security-association
node0:
--------------------------------------------------------------------------
Internal SA Status : Enabled
Iked Encryption Status : Enabled

node1:
--------------------------------------------------------------------------
Internal SA Status : Enabled
Iked Encryption Status : Enabled
Flow-Based and Packet-Based Processing
• Data Path Debugging for SRX Series Devices on page 49
Data Path Debugging for SRX Series Devices
• Understanding Data Path Debugging for SRX Series Devices (SRX5K-MPC) on page 50
• Example: Configuring End-to-End Debugging on a High-End SRX Series Device on page 50
Understanding Data Path Debugging for SRX Series Devices (SRX5K-MPC)
Data path debugging, or end-to-end debugging, provides tracing and debugging at multiple processing units along the packet-processing path. The packet filter can be executed with minimal impact on the production system.
On a high-end SRX Series device, a packet goes through a series of events involving different components from ingress to egress processing.
With the data path debugging feature, you can trace and debug (capture packets) at different data points along the processing path. The events available in the packet-processing path are: NP ingress, load-balancing thread (LBT), jexec, packet-ordering thread (POT), and NP egress. You can also enable flow module trace if the security flow trace flag for a certain module is set.
At each event, you can specify any of the four actions (count, packet dump, packet summary, and trace). Data path debugging provides filters to define which packets to capture, and only the matched packets are traced. The packet filter can select packets based on logical interface, protocol, source IP address prefix, source port, destination IP address prefix, and destination port.
To enable end-to-end debugging, you must perform the following steps:
1. Define the capture file and specify the maximum capture size.
2. Define the packet filter to trace only a certain type of traffic based on the requirement.
3. Define the action profile specifying the location on the processing path from where
to capture the packets (for example, LBT or NP ingress).
4. Enable the data path debugging.
5. Capture traffic.
6. Disable data path debugging.
7. View or analyze the report.
Example: Configuring End-to-End Debugging on a High-End SRX Series Device
• Requirements on page 50
• Overview on page 51
• Configuration on page 51
• Enabling Data Path Debugging on page 53
• Verification on page 53
Requirements
This example uses the following hardware and software components:
• SRX5600 device with an SRX5K-MPC and a 100-Gigabit Ethernet CFP installed
• Junos OS Release 12.1X47-D15 or later for SRX Series devices
Before you begin:
• See Understanding Data Path Debugging for SRX Series Devices.
No special configuration beyond device initialization is required before configuring this feature.
Overview
Data path debugging enhances troubleshooting capabilities by providing tracing and
debugging at multiple processing units along the packet-processing path. With the data
path debugging feature, you can trace and debug (capture packets) at different data
points along the processing path. At each event, you can specify an action (count, packet
dump, packet summary, and trace) and you can set filters to define what packets to
capture.
In this example, you define a traffic filter, then you apply an action profile. The action profile specifies a variety of actions on the processing unit. NP ingress and NP egress are specified as the locations on the processing path at which to capture the data for incoming and outgoing traffic.
Next, you enable data path debugging in operational mode, and finally you view the data
capture report.
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text
file, remove any line breaks, change any details necessary to match your network
configuration, copy and paste the commands into the CLI at the [edit] hierarchy level,
and then enter commit from configuration mode.
set security datapath-debug traceoptions file e2e.trace size 10m
set security datapath-debug capture-file datapcap format pcap
set security datapath-debug maximum-capture-size 1500
set security datapath-debug action-profile profile-1 preserve-trace-order
set security datapath-debug action-profile profile-1 record-pic-history
set security datapath-debug action-profile profile-1 event np-ingress trace
set security datapath-debug action-profile profile-1 event np-ingress count
set security datapath-debug action-profile profile-1 event np-ingress packet-summary
set security datapath-debug action-profile profile-1 event np-ingress packet-dump
set security datapath-debug action-profile profile-1 event np-egress trace
set security datapath-debug action-profile profile-1 event np-egress count
set security datapath-debug action-profile profile-1 event np-egress packet-summary
set security datapath-debug action-profile profile-1 event np-egress packet-dump
set security datapath-debug packet-filter filter-1
set security datapath-debug packet-filter filter-1 action-profile profile-1
set security datapath-debug packet-filter filter-1 protocol tcp
set security datapath-debug packet-filter filter-1 source-prefix 200.7.6.0/24
set security datapath-debug packet-filter filter-1 destination-prefix 200.8.6.0/24
set security datapath-debug packet-filter filter-1 source-port 1000
set security datapath-debug packet-filter filter-1 destination-port 80
set security datapath-debug packet-filter filter-1 interface xe-2/2/0.0
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration
hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration
Mode in the CLI User Guide.
To configure data path debugging:
1. Edit the security datapath-debug option for the multiple processing units along the packet-processing path:
[edit]
user@host# edit security datapath-debug
2. Configure the trace file, the capture file and its format, and the maximum capture size.
[edit security datapath-debug]
user@host# set traceoptions file e2e.trace size 10m
user@host# set capture-file datapcap format pcap
user@host# set maximum-capture-size 1500
3. Configure the action profile, the event types, and the actions for the action profile.
[edit security datapath-debug]
user@host# set action-profile profile-1 preserve-trace-order
user@host# set action-profile profile-1 record-pic-history
user@host# set action-profile profile-1 event np-ingress trace
user@host# set action-profile profile-1 event np-ingress count
user@host# set action-profile profile-1 event np-ingress packet-summary
user@host# set action-profile profile-1 event np-ingress packet-dump
user@host# set action-profile profile-1 event np-egress trace
user@host# set action-profile profile-1 event np-egress count
user@host# set action-profile profile-1 event np-egress packet-summary
user@host# set action-profile profile-1 event np-egress packet-dump
4. Configure the packet filter, its action profile, and the filter options.
[edit security datapath-debug]
user@host# set packet-filter filter-1
user@host# set packet-filter filter-1 action-profile profile-1
user@host# set packet-filter filter-1 protocol tcp
user@host# set packet-filter filter-1 source-prefix 200.7.6.0/24
user@host# set packet-filter filter-1 destination-prefix 200.8.6.0/24
user@host# set packet-filter filter-1 source-port 1000
user@host# set packet-filter filter-1 destination-port 80
user@host# set packet-filter filter-1 interface xe-2/2/0.0
Results
From configuration mode, confirm your configuration by entering the show security
datapath-debug command. If the output does not display the intended configuration,
repeat the configuration instructions in this example to correct it.
traceoptions {
file e2e.trace size 10m;
}
capture-file datapcap format pcap;
maximum-capture-size 1500;
action-profile {
profile-1 {
preserve-trace-order;
record-pic-history;
event np-ingress {
trace;
count;
packet-summary;
packet-dump;
}
event np-egress {
trace;
count;
packet-summary;
packet-dump;
}
}
}
packet-filter filter-1 {
action-profile profile-1;
protocol tcp;
source-prefix 200.7.6.0/24;
destination-prefix 200.8.6.0/24;
source-port 1000;
destination-port 80;
interface xe-2/2/0.0;
}
If you are done configuring the device, enter commit from configuration mode.
Enabling Data Path Debugging
Step-by-Step Procedure
After configuring data path debugging, you must start the process on the device from
operational mode.
1. Enable data path debugging.
user@host> request security datapath-debug capture start
datapath-debug capture started on file datapcap
2. Once you are done, you must disable data path debugging before you verify the configuration and view the reports.
user@host> request security datapath-debug capture stop
datapath-debug capture successfully stopped, use show security datapath-debug capture to view
Verification
Confirm that the configuration is working properly.
• Verifying Data Path Debug Packet Capture Details on page 53
Verifying Data Path Debug Packet Capture Details

Purpose
Verify the data captured by enabling the data path debugging configuration.

Action
From operational mode, enter the show security datapath-debug capture command.
Packet 8, len 152: (C2/F2/P0/SEQ:57935:np-ingress)
00 10 db ff 10 02 00 30 48 83 8d 4f 08 00 45 00
00 54 00 00 40 00 40 01 9f c7 c8 07 05 69 c8 08
05 69 08 00 91 1f 8f 03 2a a2 ae 66 85 53 8c 7d
02 00 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15
16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25
26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35
36 37
Packet 9, len 152: (C2/F2/P0/SEQ:57935:np-egress)
00 30 48 8d 1a bf 00 10 db ff 10 03 08 00 45 00
00 54 00 00 40 00 3f 01 a0 c7 c8 07 05 69 c8 08
05 69 08 00 91 1f 8f 03 2a a2 ae 66 85 53 8c 7d
02 00 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15
16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25
26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35
36 37....
For brevity, the show command output is truncated to display only a few samples.
Additional samples have been replaced with ellipses (...).
To view the results, from CLI operational mode, access the local UNIX shell and navigate
to the directory /var/log/<file-name>. The result can be read by using the tcpdump utility.
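The two samples above (Packet 8 at np-ingress and Packet 9 at np-egress) can also be decoded straight from the CLI text, without going to the pcap file. The following Python script is an added example and is not part of this guide or of Junos OS. It parses the hex dump as printed by show security datapath-debug capture, decodes the Ethernet and IPv4 headers, verifies the IPv4 header checksum, and reports which fields the device rewrote between ingress and egress. The input is the sample text from this page pasted verbatim (the dump is cut off at 98 bytes, which is exactly the 14-byte Ethernet header plus the 84-byte IPv4 datagram, so nothing needed is missing). On these samples it finds an ICMP echo request from 200.7.5.105 to 200.8.5.105 whose TTL drops from 64 to 63 and whose MAC addresses are rewritten, with a valid header checksum on both copies: the ordinary signature of a packet that was routed rather than dropped or mangled.

```python
"""Decode datapath-debug packet samples from the CLI text (added example, not from the guide)."""
import struct

# Constructed input: the np-ingress and np-egress samples shown above, pasted verbatim.
CAPTURE_TEXT = """\
Packet 8, len 152: (C2/F2/P0/SEQ:57935:np-ingress)
00 10 db ff 10 02 00 30 48 83 8d 4f 08 00 45 00
00 54 00 00 40 00 40 01 9f c7 c8 07 05 69 c8 08
05 69 08 00 91 1f 8f 03 2a a2 ae 66 85 53 8c 7d
02 00 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15
16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25
26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35
36 37
Packet 9, len 152: (C2/F2/P0/SEQ:57935:np-egress)
00 30 48 8d 1a bf 00 10 db ff 10 03 08 00 45 00
00 54 00 00 40 00 3f 01 a0 c7 c8 07 05 69 c8 08
05 69 08 00 91 1f 8f 03 2a a2 ae 66 85 53 8c 7d
02 00 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15
16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25
26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35
36 37....
"""


def parse_capture(text):
    """Split the CLI dump into (header line, raw frame bytes) pairs, one per 'Packet N' block."""
    packets, header, hexparts = [], None, []
    for line in text.splitlines():
        line = line.strip().rstrip(".")      # drop the trailing '....' truncation marker
        if line.startswith("Packet "):
            if header is not None:
                packets.append((header, bytes.fromhex("".join(hexparts))))
            header, hexparts = line, []
        elif line:
            hexparts.append(line.replace(" ", ""))
    if header is not None:
        packets.append((header, bytes.fromhex("".join(hexparts))))
    return packets


def ipv4_header_checksum(header):
    """RFC 1071 one's-complement sum over the whole header; 0 means the stored checksum is valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_frame(frame):
    """Decode Ethernet II + IPv4 (+ ICMP type/code when present) from one raw frame."""
    info = {
        "dst_mac": frame[0:6].hex(":"),
        "src_mac": frame[6:12].hex(":"),
        "ethertype": struct.unpack("!H", frame[12:14])[0],
    }
    if info["ethertype"] != 0x0800:          # not IPv4: stop at layer 2
        return info
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                 # header length in bytes
    info.update({
        "total_length": struct.unpack("!H", ip[2:4])[0],
        "ttl": ip[8],
        "protocol": ip[9],
        "src_ip": ".".join(str(b) for b in ip[12:16]),
        "dst_ip": ".".join(str(b) for b in ip[16:20]),
        "checksum_ok": ipv4_header_checksum(ip[:ihl]) == 0,
    })
    if info["protocol"] == 1:                # ICMP: type and code follow the IP header
        info["icmp_type"], info["icmp_code"] = ip[ihl], ip[ihl + 1]
    return info


def forwarding_changes(ingress, egress):
    """Header fields that differ between the np-ingress and np-egress copies of one packet."""
    return {k: (ingress[k], egress[k]) for k in ingress if ingress[k] != egress.get(k)}


if __name__ == "__main__":
    decoded = [decode_frame(raw) for _, raw in parse_capture(CAPTURE_TEXT)]
    for fields in decoded:
        print(fields)
    print(forwarding_changes(decoded[0], decoded[1]))
```

Because the egress copy differs from the ingress copy only in the two MAC addresses and the TTL (the header checksum changes by exactly the TTL decrement and still verifies), the script confirms the packet was forwarded normally; a dropped or rewritten packet would show up as a missing np-egress sample or as additional changed fields.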
Interfaces and Chassis
• Next-Generation Switch Control Board II (SRX5K-SCBE) and Routing Engine
  (SRX5K-RE-1800X4) for SRX5400, SRX5600, and SRX5800 Devices on page 54
Next-Generation Switch Control Board II (SRX5K-SCBE) and Routing Engine
(SRX5K-RE-1800X4) for SRX5400, SRX5600, and SRX5800 Devices
• request chassis cb
• show chassis environment cb
• show chassis hardware (View)
• show chassis environment (Security)
• show chassis ethernet-switch
• show chassis fabric plane
• show chassis fabric plane-location
• show chassis fabric summary
request chassis cb
Syntax
request chassis cb (offline | online) slot slot-number
Release Information
Command introduced in Junos OS Release 9.2.
Description
Control the operation of the Control Board (CB) on SRX Series devices.
Options
offline—Take the Control Board offline.
online—Bring the Control Board online.
slot slot-number—Control Board slot number.
Required Privilege Level
maintenance
Related Documentation
• show chassis environment cb
List of Sample Output
request chassis cb on page 55
Output Fields
When you enter this command, you are provided feedback on the status of your request.
Sample Output
request chassis cb
user@host> request chassis cb offline slot 2 node local
node0:
--------------------------------------------------------------------------
Offline initiated, use "show chassis environment cb" to verify
show chassis environment cb
Syntax
show chassis environment cb
<slot>
Release Information
Command introduced in Junos OS Release 9.2.
Description
Display environmental information about the Control Boards (CBs) on SRX Series devices.
Options
slot—(Optional) Display environmental information about the specified CB.
Required Privilege Level
view
Related Documentation
• request chassis cb
List of Sample Output
show chassis environment cb node 0 (SRX5800 devices) on page 57
show chassis environment cb node 1 (SRX5800 devices) on page 58
Output Fields
Table 5 on page 56 lists the output fields for the show chassis environment cb command.
Output fields are listed in the approximate order in which they appear.
Table 5: show chassis environment cb Output Fields
Field Name / Field Description
State
    Status of the CB. If two CBs are installed and online, one is functioning as the master, and
    the other is the standby.
    • Online—CB is online and running.
    • Offline—CB is powered down.
Temperature
    Temperature in Celsius (C) and Fahrenheit (F) of the air flowing past the CB.
    • Temperature Intake—Measures the temperature of the air intake to cool the power supplies.
    • Temperature Exhaust—Measures the temperature of the hot air exhaust.
Power
    Power required and measured on the CB. The left column displays the required value, in
    volts. The right column displays the measured value, in millivolts.
BUS Revision
    Revision level of the generic bus device.
FPGA Revision
    Revision level of the field-programmable gate array (FPGA).
PMBus device
    Enhanced SCB on SRX Series devices allows the system to save power by supplying only the
    amount of voltage that is required. Configurable PMBus devices are used to provide the
    voltage for each individual device. There is one PMBus device for each XF ASIC so that the
    output can be customized to each device. The following PMBus device information is
    displayed for devices with Enhanced MX SCB:
    • Expected voltage
    • Measured voltage
    • Measured current
    • Calculated power
Sample Output
show chassis environment cb node 0 (SRX5800 devices)
user@host> show chassis environment cb node 0
node0:
--------------------------------------------------------------------------
CB 0 status:
  State                      Online Master
  Temperature                32 degrees C / 89 degrees F
  Power 1
    1.0 V                    1005 mV
    1.2 V                    1218 mV
    1.5 V                    1492 mV
    1.8 V                    1814 mV
    2.5 V                    2520 mV
    3.3 V                    3338 mV
    5.0 V                    5046 mV
    5.0 V RE                 4995 mV
    12.0 V                   12084 mV
    12.0 V RE                11988 mV
  Power 2
    4.6 V bias MidPlane      4859 mV
    11.3 V bias PEM          11234 mV
    11.3 V bias FPD          11330 mV
    11.3 V bias POE 0        11272 mV
    11.3 V bias POE 1        11311 mV
  Bus Revision               64
  FPGA Revision              13
  PMBus device               Expected    Measured    Measured    Calculated
                             voltage     voltage     current     power
    XF ASIC A                1000 mV     996 mV      10046 mA    10005 mW
    XF ASIC B                1000 mV     998 mV      11062 mA    11039 mW
CB 1 status:
  State                      Online
  Temperature                32 degrees C / 89 degrees F
  Power 1
    1.0 V                    1002 mV
    1.2 V                    1218 mV
    1.5 V                    1475 mV
    1.8 V                    1807 mV
    2.5 V                    2507 mV
    3.3 V                    3312 mV
    5.0 V                    5040 mV
    5.0 V RE                 5001 mV
    12.0 V                   12007 mV
    12.0 V RE                11968 mV
  Power 2
    4.6 V bias MidPlane      4840 mV
    11.3 V bias PEM          11272 mV
    11.3 V bias FPD          11292 mV
    11.3 V bias POE 0        11234 mV
    11.3 V bias POE 1        11311 mV
  Bus Revision               64
  FPGA Revision              0
  PMBus device               Expected    Measured    Measured    Calculated
                             voltage     voltage     current     power
    XF ASIC A                1000 mV     1001 mV     12375 mA    12387 mW
    XF ASIC B                1000 mV     997 mV      9984 mA     9954 mW
CB 2 status:
  State                      Online
  Temperature                31 degrees C / 87 degrees F
  Power 1
    1.0 V                    1011 mV
    1.2 V                    1214 mV
    1.5 V                    1482 mV
    1.8 V                    1814 mV
    2.5 V                    2533 mV
    3.3 V                    3345 mV
    5.0 V                    5059 mV
    5.0 V RE                 5008 mV
    12.0 V                   12007 mV
    12.0 V RE                0 mV
  Power 2
    4.6 V bias MidPlane      4853 mV
    11.3 V bias PEM          11330 mV
    11.3 V bias FPD          11253 mV
    11.3 V bias POE 0        11350 mV
    11.3 V bias POE 1        11350 mV
  Bus Revision               64
  FPGA Revision              0
  PMBus device               Expected    Measured    Measured    Calculated
                             voltage     voltage     current     power
    XF ASIC A                929 mV      931 mV      13562 mA    12626 mW
    XF ASIC B                929 mV      928 mV      9796 mA     9090 mW
show chassis environment cb node 1 (SRX5800 devices)
user@host> show chassis environment cb node 1
node1:
--------------------------------------------------------------------------
CB 0 status:
  State                      Online Master
  Temperature                32 degrees C / 89 degrees F
  Power 1
    1.0 V                    1002 mV
    1.2 V                    1218 mV
    1.5 V                    1479 mV
    1.8 V                    1820 mV
    2.5 V                    2507 mV
    3.3 V                    3351 mV
    5.0 V                    5046 mV
    5.0 V RE                 4975 mV
    12.0 V                   12007 mV
    12.0 V RE                11949 mV
  Power 2
    4.6 V bias MidPlane      4846 mV
    11.3 V bias PEM          11292 mV
    11.3 V bias FPD          11350 mV
    11.3 V bias POE 0        11292 mV
    11.3 V bias POE 1        11292 mV
  Bus Revision               64
  FPGA Revision              14
  PMBus device               Expected    Measured    Measured    Calculated
                             voltage     voltage     current     power
    XF ASIC A                1000 mV     999 mV      11062 mA    11050 mW
    XF ASIC B                1000 mV     999 mV      8562 mA     8553 mW
CB 1 status:
  State                      Online
  Temperature                32 degrees C / 89 degrees F
  Power 1
    1.0 V                    1008 mV
    1.2 V                    1218 mV
    1.5 V                    1475 mV
    1.8 V                    1817 mV
    2.5 V                    2526 mV
    3.3 V                    3338 mV
    5.0 V                    5040 mV
    5.0 V RE                 4975 mV
    12.0 V                   12046 mV
    12.0 V RE                11968 mV
  Power 2
    4.6 V bias MidPlane      4859 mV
    11.3 V bias PEM          11292 mV
    11.3 V bias FPD          11272 mV
    11.3 V bias POE 0        11195 mV
    11.3 V bias POE 1        11195 mV
  Bus Revision               64
  FPGA Revision              0
  PMBus device               Expected    Measured    Measured    Calculated
                             voltage     voltage     current     power
    XF ASIC A                1000 mV     999 mV      9781 mA     9771 mW
    XF ASIC B                1000 mV     999 mV      12218 mA    12205 mW
CB 2 status:
  State                      Online
  Temperature                32 degrees C / 89 degrees F
  Power 1
    1.0 V                    1002 mV
    1.2 V                    1211 mV
    1.5 V                    1475 mV
    1.8 V                    1804 mV
    2.5 V                    2520 mV
    3.3 V                    3345 mV
    5.0 V                    5040 mV
    5.0 V RE                 4988 mV
    12.0 V                   12084 mV
    12.0 V RE                0 mV
  Power 2
    4.6 V bias MidPlane      4866 mV
    11.3 V bias PEM          11388 mV
    11.3 V bias FPD          11369 mV
    11.3 V bias POE 0        11311 mV
    11.3 V bias POE 1        11369 mV
  Bus Revision               64
  FPGA Revision              0
  PMBus device               Expected    Measured    Measured    Calculated
                             voltage     voltage     current     power
    XF ASIC A                929 mV      929 mV      11281 mA    10480 mW
    XF ASIC B                1000 mV     999 mV      11359 mA    11347 mW
show chassis hardware (View)
Syntax
show chassis hardware
<clei-models | detail | extensive | models | node ( node-id | all | local | primary)>
Release Information
Command modified in Release 9.2 of Junos OS; node options added in Release 9.0 of
Junos OS.
Description
Display chassis hardware information.
Options
• clei-models—(Optional) Display Common Language Equipment Identifier Code (CLEI)
  barcode and model number for orderable field-replaceable units (FRUs).
• detail | extensive—(Optional) Display the specified level of output.
• models—(Optional) Display model numbers and part numbers for orderable FRUs.
• node—(Optional) For chassis cluster configurations, display chassis hardware
  information on a specific node (device) in the cluster.
  • node-id—Identification number of the node. It can be 0 or 1.
  • local—Display information about the local node.
  • primary—Display information about the primary node.
Required Privilege Level
view
Related Documentation
• Flow-Based Processing Feature Guide for Security Devices
• Ethernet Interfaces Feature Guide for Security Devices
• Junos OS Interfaces Library for Security Devices
Output Fields
Table 6 on page 61 lists the output fields for the show chassis hardware command. Output
fields are listed in the approximate order in which they appear.
Table 6: show chassis hardware Output Fields
Field Name / Field Description
Item
    Chassis component—Information about the backplane; power supplies; fan trays; Routing
    Engine; each Physical Interface Module (PIM)—reported as FPC and PIC—and each fan,
    blower, and impeller.
Version
    Revision level of the chassis component.
Part Number
    Part number for the chassis component.
Serial Number
    Serial number of the chassis component. The serial number of the backplane is also the
    serial number of the device chassis. Use this serial number when you need to contact
    Juniper Networks Customer Support about the device chassis.
Assb ID or Assembly ID
    Identification number that describes the FRU hardware.
FRU model number
    Model number of FRU hardware component.
CLEI code
    Common Language Equipment Identifier code. This value is displayed only for hardware
    components that use ID EEPROM format v2. This value is not displayed for components
    that use ID EEPROM format v1.
EEPROM Version
    ID EEPROM version used by hardware component: 0x01 (version 1) or 0x02 (version 2).
Description
    Brief description of the hardware item:
    • Type of power supply.
    • Switch Control Board (SCB)
      Starting with Junos OS Release 12.1X47-D15, the Switch Control Board (SCB) II
      (SRX5K-SCBE) is introduced.
      • There are three SCB slots in SRX5800 devices. The third slot can be used for an
        SCB or an FPC. When an SRX5K-SCBE is used with an SRX5K-SCB, the third SCB
        slot can only be used as an FPC slot (FPC 6). SCB redundancy is provided in chassis
        cluster mode.
      • With an SRX5K-SCBE, a third SCB is supported. If a third SCB is plugged in, it provides
        intra-chassis fabric redundancy.
      • The Ethernet switch in the SRX5K-SCBE provides the Ethernet connectivity among
        all the FPCs and the Routing Engine. The Routing Engine uses this connectivity to
        distribute forwarding and routing tables to the FPCs. The FPCs use this connectivity
        to send exception packets to the Routing Engine.
      • Fabric connects all FPCs in the data plane. The Fabric Manager executes on the
        Routing Engine and controls the fabric system in the chassis. Packet Forwarding
        Engines on the FPC and fabric planes on the SCB are connected through HSL2
        channels.
      • SRX5K-SCBE supports HSL2 with both 3.11-Gbps and 6.22-Gbps (SerDes) link
        speed and various HSL2 modes. When an FPC is brought online, the link speed and
        HSL2 mode are determined by the type of FPC.
    • Type of Flexible PIC Concentrator (FPC), IOC, Physical Interface Card (PIC), Modular
      Interface Cards (MICs), and PIMs.
    • SRX Clustering Module (SCM)
    • Fan tray
    • For hosts, the Routing Engine type.
      • Starting with Junos OS Release 12.1X47-D15, the SRX5K-RE-1800X4 Routing Engine
        is introduced.
      • The SRX5K-RE-1800X4 has an Intel Quad core Xeon processor, 16 GB of DRAM,
        and a 128-GB solid-state drive (SSD). The number 1800 refers to the speed of the
        processor (1.8 GHz). The maximum required power for this Routing Engine is 90W.
      NOTE: The SRX5K-RE-1800X4 provides significantly better performance than the
      previously used Routing Engine, even with a single core.
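Because the listing is printed in fixed-width columns, it can be parsed by taking the start offset of each column from the Item / Version / Part number / Serial number / Description header line, and the two-space indentation gives the FPC, PIC and Xcvr hierarchy. The following Python script is an added example and is not part of this guide or of Junos OS: it turns a listing into records keyed by their place in that hierarchy and compares two listings field by field, ignoring serial numbers, which is a quick way to confirm that both nodes of a chassis cluster carry the same board types and revisions before a failover is relied on. The two inputs are constructed from a few rows of the node0 and node1 listings shown later on this page; on them the comparison reports the Midplane part number and the FPC 0 revision and part number, which do differ between those two nodes.

```python
"""Parse `show chassis hardware` listings and compare two nodes (added example, not from the guide)."""

# Constructed samples: abridged rows from the node0 and node1 listings on this page, laid out
# in the CLI's fixed columns. The header line defines where each column starts.
NODE0 = """\
Hardware inventory:
Item             Version  Part number  Serial number     Description
Chassis                                JN122A040AGA      SRX5800
Midplane         REV 01   710-041799   ACRA7817          SRX5800 Backplane
Routing Engine 0 REV 01   740-056658   9013040855        SRX5k RE-1800X4
Routing Engine 1
CB 0             REV 01   750-056587   CACG1424          SRX5k SCB II
FPC 0            REV 10   750-056758   CACS2667          SRX5k SPC II
  CPU                     BUILTIN      BUILTIN           SRX5k DPC PPC
  PIC 0                   BUILTIN      BUILTIN           SPU Cp
"""

NODE1 = """\
Hardware inventory:
Item             Version  Part number  Serial number     Description
Chassis                                JN1235BC7AGA      SRX5800
Midplane         REV 01   710-024803   ACRC3244          SRX5800 Backplane
Routing Engine 0 REV 01   740-056658   9009153221        SRX5k RE-1800X4
Routing Engine 1
CB 0             REV 01   750-056587   CACC9541          SRX5k SCB II
FPC 0            REV 18   750-054877   CACH4004          SRX5k SPC II
  CPU                     BUILTIN      BUILTIN           SRX5k DPC PPC
  PIC 0                   BUILTIN      BUILTIN           SPU Cp
"""

COLUMNS = ("Item", "Version", "Part number", "Serial number", "Description")
FIELDS = ("version", "part", "serial", "description")


def parse_inventory(text):
    """Return {hierarchical path: {version, part, serial, description}} for one listing."""
    lines = text.splitlines()
    header = next(line for line in lines if line.startswith("Item"))
    starts = [header.index(name) for name in COLUMNS]
    bounds = list(zip(starts, starts[1:] + [None]))   # (start, end) slice per column
    records, stack = {}, []
    for line in lines[lines.index(header) + 1:]:
        if not line.strip():
            continue
        item, *values = (line[a:b].strip() for a, b in bounds)
        depth = (len(line) - len(line.lstrip(" "))) // 2  # two spaces per nesting level
        stack = stack[:depth] + [item]                   # e.g. ["FPC 0", "PIC 0"]
        records["/".join(stack)] = dict(zip(FIELDS, values))
    return records


def diff_inventory(a, b):
    """Components present on only one side, or whose version/part/description differ.

    Serial numbers are deliberately ignored: they always differ between two chassis."""
    diffs = {}
    for path in sorted(set(a) | set(b)):
        ra, rb = a.get(path), b.get(path)
        if ra is None or rb is None or any(ra[k] != rb[k] for k in ("version", "part", "description")):
            diffs[path] = (ra, rb)
    return diffs


if __name__ == "__main__":
    for path, (left, right) in diff_inventory(parse_inventory(NODE0), parse_inventory(NODE1)).items():
        print(path, "node0:", left, "node1:", right)
```

The same parser works on the detail and extensive variants of the command as long as only the indented component rows are fed to it; the per-component key/value lines that those variants add (Jedec Code, Assembly ID, I2C data) start at a deeper indentation and would need their own handling.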
Sample Output
show chassis hardware
user@host> show chassis hardware
Hardware inventory:
Item             Version  Part number  Serial number     Description
Chassis                                AB1609AA0082      SRX 3600
Midplane         REV 07   710-020310   VP8136            SRX 3600 Midplane
PEM 0            rev 05   740-027644   G087E6003S05P     AC Power Supply
PEM 1            rev 05   740-027644   G087E600AT05P     AC Power Supply
CB 0             REV 11   750-021914   AAAC9887          SRX3k RE-12-10
  Routing Engine          BUILTIN      BUILTIN           Routing Engine
  CPP                     BUILTIN      BUILTIN           Central PFE Processor
  Mezz           REV 08   710-021035   AAAD9202          SRX HD Mezzanine Card
FPC 0            REV 11   750-021882   AAAD9785          SRX3k SFB 12GE
  PIC 0                   BUILTIN      BUILTIN           8x 1GE-TX 4x 1GE-SFP
    Xcvr 8       REV 01   740-011613   PDG0UMW           SFP-SX
    Xcvr 9       REV 02   740-011613   PGJ5GJF           SFP-SX
    Xcvr 11      REV 01   740-014132   62081010          SFP-T
FPC 1            REV 10   750-016077   AAAE9989          SRX3k SPC
  PIC 0                   BUILTIN      BUILTIN           SPU Cp-Flow
FPC 2            REV 11   750-016077   AAAT8490          SRX3k SPC
  PIC 0                   BUILTIN      BUILTIN           SPU Flow
FPC 5            REV 15   750-020321   AABB3820          SRX3k 2x10GE XFP
  PIC 0                   BUILTIN      BUILTIN           2x 10GE-XFP
    Xcvr 0       REV 03   740-014289   0ZT805000069      XFP-10G-SR
    Xcvr 1       REV 03   740-011571   C933BK00F         XFP-10G-SR
FPC 10           REV 12   750-043828   AAAD9501          SRX1k3k 2x10GE NP-IOC
  PIC 0                   BUILTIN      BUILTIN           2x 10GE-SFP+
Fan Tray 0       REV 06   750-021599   VR9734            SRX 3600 Fan Tray
Sample Output
show chassis hardware (SRX5600 and SRX5800 devices for SRX5K-MPC)
user@host> show chassis hardware
Hardware inventory:
Item             Version  Part number  Serial number     Description
Chassis                                JN12170EAAGA      SRX 5800
Midplane         REV 01   710-041799   ACAX3849          SRX 5800 Backplane
FPM Board        REV 01   710-024632   CAAX7297          Front Panel Display
PDM              Rev 03   740-013110   QCS170250DU       Power Distribution Module
PEM 0            Rev 03   740-034724   QCS17020203F      PS 4.1kW; 200-240V AC in
PEM 1            Rev 03   740-034724   QCS17020203C      PS 4.1kW; 200-240V AC in
PEM 2            Rev 04   740-034724   QCS17100200A      PS 4.1kW; 200-240V AC in
PEM 3            Rev 03   740-034724   QCS17080200M      PS 4.1kW; 200-240V AC in
Routing Engine 0 REV 11   740-023530   9012047437        SRX5k RE-13-20
CB 0             REV 09   710-024802   CAAX7202          SRX5k SCB
CB 1             REV 09   710-024802   CAAX7157          SRX5k SCB
FPC 0            REV 07   750-044175   CAAD0791          SRX5k SPC II
  CPU                     BUILTIN      BUILTIN           SRX5k DPC PPC
  PIC 0                   BUILTIN      BUILTIN           SPU Cp
  PIC 1                   BUILTIN      BUILTIN           SPU Flow
  PIC 2                   BUILTIN      BUILTIN           SPU Flow
  PIC 3                   BUILTIN      BUILTIN           SPU Flow
FPC 1            REV 07   750-044175   CAAD0751          SRX5k SPC II
  CPU                     BUILTIN      BUILTIN           SRX5k DPC PPC
  PIC 0                   BUILTIN      BUILTIN           SPU Flow
  PIC 1                   BUILTIN      BUILTIN           SPU Flow
  PIC 2                   BUILTIN      BUILTIN           SPU Flow
  PIC 3                   BUILTIN      BUILTIN           SPU Flow
FPC 2            REV 28   750-020751   CAAW1817          SRX5k DPC 4X 10GE
  CPU            REV 04   710-024633   CAAZ5269          SRX5k DPC PMB
  PIC 0                   BUILTIN      BUILTIN           1x 10GE(LAN/WAN) RichQ
    Xcvr 0       REV 02   740-014289   T10A00404         XFP-10G-SR
  PIC 1                   BUILTIN      BUILTIN           1x 10GE(LAN/WAN) RichQ
  PIC 2                   BUILTIN      BUILTIN           1x 10GE(LAN/WAN) RichQ
  PIC 3                   BUILTIN      BUILTIN           1x 10GE(LAN/WAN) RichQ
FPC 6            REV 02   750-044175   ZY2552            SRX5k SPC II
  CPU                     BUILTIN      BUILTIN           SRX5k DPC PPC
FPC 9            REV 10   750-044175   CAAP5932          SRX5k SPC II
  CPU                     BUILTIN      BUILTIN           SRX5k DPC PPC
  PIC 0                   BUILTIN      BUILTIN           SPU Flow
  PIC 1                   BUILTIN      BUILTIN           SPU Flow
  PIC 2                   BUILTIN      BUILTIN           SPU Flow
  PIC 3                   BUILTIN      BUILTIN           SPU Flow
FPC 10           REV 22   750-043157   ZH8192            SRX5k IOC II
  CPU            REV 08   711-043360   YX3879            SRX5k MPC PMB
  MIC 0          REV 01   750-049488   YZ2084            10x 10GE SFP+
    PIC 0                 BUILTIN      BUILTIN           10x 10GE SFP+
      Xcvr 0     REV 01   740-031980   AMB0HG3           SFP+-10G-SR
      Xcvr 1     REV 01   740-031980   AM20B6F           SFP+-10G-SR
  MIC 1          REV 19   750-049486   CAAH3504          1x 100GE CFP
    PIC 2                 BUILTIN      BUILTIN           1x 100GE CFP
      Xcvr 0     REV 01   740-035329   X000D375          CFP-100G-SR10
FPC 11           REV 07.04.07 750-043157 CAAJ8771        SRX5k IOC II
  CPU            REV 08   711-043360   CAAJ3881          SRX5k MPC PMB
  MIC 0          REV 19   750-049486   CAAH0979          1x 100GE CFP
    PIC 0                 BUILTIN      BUILTIN           1x 100GE CFP
      Xcvr 0     REV 01   740-035329   UP1020Z           CFP-100G-SR10
  MIC 1          REV 08   750-049487   CAAM1160          2x 40GE QSFP+
    PIC 2                 BUILTIN      BUILTIN           2x 40GE QSFP+
      Xcvr 0     REV 01   740-032986   QB151094          QSFP+-40G-SR4
      Xcvr 1     REV 01   740-032986   QB160509          QSFP+-40G-SR4
Fan Tray 0       REV 04   740-035409   ACAE0875          Enhanced Fan Tray
Fan Tray 1       REV 04   740-035409   ACAE0876          Enhanced Fan Tray
Sample Output
show chassis hardware (with 20-Gigabit Ethernet MIC with SFP)
user@host> show chassis hardware
Hardware inventory:
Item             Version  Part number  Serial number     Description
Chassis                                JN108DA5AAGA      SRX 5800
Midplane         REV 02   710-013698   TR0037            SRX 5600 Midplane
FPM Board        REV 02   710-014974   JY4635            Front Panel Display
PDM              Rev 02   740-013110   QCS10465005       Power Distribution Module
PEM 0            Rev 03   740-023514   QCS11154040       PS 1.7kW; 200-240VAC in
PEM 2            Rev 02   740-023514   QCS10504014       PS 1.7kW; 200-240VAC in
Routing Engine 0 REV 05   740-015113   1000681023        RE-S-1300
CB 0             REV 05   710-013385   JY4775            SRX5k SCB
FPC 1            REV 17   750-020751   WZ6349            SRX5k DPC 4X 10GE
  CPU            REV 02   710-024633   WZ0718            SRX5k DPC PMB
  PIC 0                   BUILTIN      BUILTIN           1x 10GE(LAN/WAN) RichQ
    Xcvr 0                NON-JNPR     C724XM088         XFP-10G-SR
  PIC 1                   BUILTIN      BUILTIN           1x 10GE(LAN/WAN) RichQ
    Xcvr 0       REV 02   740-011571   C831XJ08S         XFP-10G-SR
  PIC 2                   BUILTIN      BUILTIN           1x 10GE(LAN/WAN) RichQ
  PIC 3                   BUILTIN      BUILTIN           1x 10GE(LAN/WAN) RichQ
FPC 3            REV 22   750-043157   ZH8189            SRX5k IOC II
  CPU            REV 06   711-043360   YX3912            SRX5k MPC PMB
  MIC 0          REV 01   750-055732   CACF9115          20x 1GE(LAN) SFP
    PIC 0                 BUILTIN      BUILTIN           10x 1GE(LAN) SFP
      Xcvr 2     REV 02   740-013111   B358549           SFP-T
      Xcvr 9     REV 02   740-011613   PNB1FQS           SFP-SX
    PIC 1                 BUILTIN      BUILTIN           10x 1GE(LAN) SFP
      Xcvr 9     REV 02   740-011613   PNB1FFF           SFP-SX
FPC 5            REV 01   750-027945   JW9665            SRX5k FIOC
  CPU
FPC 8            REV 08   750-023996   XA7234            SRX5k SPC
  CPU            REV 02   710-024633   XA1599            SRX5k DPC PMB
  PIC 0                   BUILTIN      BUILTIN           SPU Cp-Flow
  PIC 1                   BUILTIN      BUILTIN           SPU Flow
Fan Tray 0       REV 03   740-014971   TP0902            Fan Tray
Fan Tray 1       REV 01   740-014971   TP0121            Fan Tray
Sample Output
show chassis hardware (SRX5600 and SRX5800 devices with SRX5000 line SCB II (SRX5K-SCBE) and SRX5K-RE-1800X4)
user@host> show chassis hardware
node0:
--------------------------------------------------------------------------
Hardware inventory:
Item             Version  Part number  Serial number     Description
Chassis                                JN122A040AGA      SRX5800
Midplane         REV 01   710-041799   ACRA7817          SRX5800 Backplane
FPM Board        REV 01   760-058099   CACA2100          Front Panel Display
PDM              Rev 03   740-013110   QCS1739517Z       Power Distribution Module
PEM 0            Rev 05   740-034724   QCS17460203K      PS 4.1kW; 200-240V AC in
PEM 1            Rev 04   740-034724   QCS172302017      PS 4.1kW; 200-240V AC in
Routing Engine 0 REV 01   740-056658   9013040855        SRX5k RE-1800X4
Routing Engine 1
CB 0             REV 01   750-056587   CACG1424          SRX5k SCB II
CB 1             REV 01   750-056587   CACC9307          SRX5k SCB II
CB 2             REV 01   750-056587   CAAZ1128          SRX5k SCB II
FPC 0            REV 10   750-056758   CACS2667          SRX5k SPC II
  CPU                     BUILTIN      BUILTIN           SRX5k DPC PPC
  PIC 0                   BUILTIN      BUILTIN           SPU Cp
  PIC 1                   BUILTIN      BUILTIN           SPU Flow
  PIC 2                   BUILTIN      BUILTIN           SPU Flow
  PIC 3                   BUILTIN      BUILTIN           SPU Flow
FPC 1            REV 18   750-054877   CACH4092          SRX5k SPC II
  CPU                     BUILTIN      BUILTIN           SRX5k DPC PPC
  PIC 0                   BUILTIN      BUILTIN           SPU Flow
  PIC 1                   BUILTIN      BUILTIN           SPU Flow
  PIC 2                   BUILTIN      BUILTIN           SPU Flow
  PIC 3                   BUILTIN      BUILTIN           SPU Flow
FPC 2            REV 10   750-056758   CACV0038          SRX5k SPC II
  CPU                     BUILTIN      BUILTIN           SRX5k DPC PPC
  PIC 0                   BUILTIN      BUILTIN           SPU Flow
  PIC 1                   BUILTIN      BUILTIN           SPU Flow
  PIC 2                   BUILTIN      BUILTIN           SPU Flow
  PIC 3                   BUILTIN      BUILTIN           SPU Flow
FPC 3            REV 10   750-043157   CACB6877          SRX5k IOC II
  CPU            REV 04   711-043360   CACH6074          SRX5k MPC PMB
  MIC 0          REV 19   750-049486   CAAH3504          1x 100GE CFP
    PIC 0                 BUILTIN      BUILTIN           1x 100GE CFP
      Xcvr 0     REV 01   740-035329   UP1020Z           CFP-100G-SR10
  MIC 1          REV 04   750-049488   CACB6429          10x 10GE SFP+
    PIC 2                 BUILTIN      BUILTIN           10x 10GE SFP+
      Xcvr 0     REV 01   740-031980   AP21RJ5           SFP+-10G-SR
      Xcvr 1     REV 01   740-031980   AP21RLJ           SFP+-10G-SR
      Xcvr 2     REV 01   740-030658   AD1148A0AYC       SFP+-10G-USR
      Xcvr 3     REV 01   740-031980   B11E02718         SFP+-10G-SR
FPC 4            REV 10   750-056758   CACW0706          SRX5k SPC II
  CPU                     BUILTIN      BUILTIN           SRX5k DPC PPC
  PIC 0                   BUILTIN      BUILTIN           SPU Flow
  PIC 1                   BUILTIN      BUILTIN           SPU Flow
  PIC 2                   BUILTIN      BUILTIN           SPU Flow
  PIC 3                   BUILTIN      BUILTIN           SPU Flow
FPC 7            REV 10   750-056758   CACS2725          SRX5k SPC II
  CPU                     BUILTIN      BUILTIN           SRX5k DPC PPC
  PIC 0                   BUILTIN      BUILTIN           SPU Flow
  PIC 1                   BUILTIN      BUILTIN           SPU Flow
  PIC 2                   BUILTIN      BUILTIN           SPU Flow
  PIC 3                   BUILTIN      BUILTIN           SPU Flow
FPC 8            REV 11   750-043157   CABN4955          SRX5k IOC II
  CPU            REV 04   711-043360   CACT9926          SRX5k MPC PMB
  MIC 0          REV 19   750-049486   CAAH0979          1x 100GE CFP
    PIC 0                 BUILTIN      BUILTIN           1x 100GE CFP
      Xcvr 0     REV 01   740-035329   UP2077V           CFP-100G-SR10
FPC 9            REV 10   750-056758   CACW0755          SRX5k SPC II
  CPU                     BUILTIN      BUILTIN           SRX5k DPC PPC
  PIC 0                   BUILTIN      BUILTIN           SPU Flow
  PIC 1                   BUILTIN      BUILTIN           SPU Flow
  PIC 2                   BUILTIN      BUILTIN           SPU Flow
  PIC 3                   BUILTIN      BUILTIN           SPU Flow
FPC 10           REV 07   750-044175   CAAD0747          SRX5k SPC II
  CPU                     BUILTIN      BUILTIN           SRX5k DPC PPC
Fan Tray 0       REV 04   740-035409   ACAE2294          Enhanced Fan Tray
Fan Tray 1       REV 04   740-035409   ACAE2099          Enhanced Fan Tray

node1:
--------------------------------------------------------------------------
Hardware inventory:
Item             Version  Part number  Serial number     Description
Chassis                                JN1235BC7AGA      SRX5800
Midplane         REV 01   710-024803   ACRC3244          SRX5800 Backplane
FPM Board        REV 01   710-024632   CACA2108          Front Panel Display
PDM              Rev 03   740-013110   QCS1739519B       Power Distribution Module
PEM 0            Rev 04   740-034724   QCS17230201Z      PS 4.1kW; 200-240V AC in
PEM 1            Rev 05   740-034724   QCS174502014      PS 4.1kW; 200-240V AC in
Routing Engine 0 REV 01   740-056658   9009153221        SRX5k RE-1800X4
Routing Engine 1
CB 0             REV 01   750-056587   CACC9541          SRX5k SCB II
CB 1             REV 01   750-056587   CACG1447          SRX5k SCB II
CB 2             REV 01   750-056587   CACH9058          SRX5k SCB II
FPC 0            REV 18   750-054877   CACH4004          SRX5k SPC II
  CPU                     BUILTIN      BUILTIN           SRX5k DPC PPC
  PIC 0                   BUILTIN      BUILTIN           SPU Cp
  PIC 1                   BUILTIN      BUILTIN           SPU Flow
  PIC 2                   BUILTIN      BUILTIN           SPU Flow
  PIC 3                   BUILTIN      BUILTIN           SPU Flow
FPC 1            REV 18   750-054877   CACH4082          SRX5k SPC II
  CPU                     BUILTIN      BUILTIN           SRX5k DPC PPC
  PIC 0                   BUILTIN      BUILTIN           SPU Flow
  PIC 1                   BUILTIN      BUILTIN           SPU Flow
  PIC 2                   BUILTIN      BUILTIN           SPU Flow
  PIC 3                   BUILTIN      BUILTIN           SPU Flow
FPC 2            REV 10   750-056758   CACW0713          SRX5k SPC II
  CPU                     BUILTIN      BUILTIN           SRX5k DPC PPC
  PIC 0                   BUILTIN      BUILTIN           SPU Flow
  PIC 1                   BUILTIN      BUILTIN           SPU Flow
  PIC 2                   BUILTIN      BUILTIN           SPU Flow
  PIC 3                   BUILTIN      BUILTIN           SPU Flow
FPC 3            REV 11   750-043157   CACA8792          SRX5k IOC II
  CPU            REV 04   711-043360   CACA8809          SRX5k MPC PMB
  MIC 0          REV 19   750-049486   CAAH3485          1x 100GE CFP
    PIC 0                 BUILTIN      BUILTIN           1x 100GE CFP
      Xcvr 0     REV 01   740-035329   UNM0G3C           CFP-100G-SR10
  MIC 1          REV 04   750-049488   CABX0782          10x 10GE SFP+
    PIC 2                 BUILTIN      BUILTIN           10x 10GE SFP+
      Xcvr 0     REV 01   740-031980   AMB0HX3           SFP+-10G-SR
      Xcvr 1     REV 01   740-031980   ANT0E6V           SFP+-10G-SR
      Xcvr 2     REV 01   740-031980   ANR0ZVY           SFP+-10G-SR
      Xcvr 3     REV 01   740-031980   AP308ZU           SFP+-10G-SR
FPC 4            REV 10   750-044175   CAAS8024          SRX5k SPC II
  CPU                     BUILTIN      BUILTIN           SRX5k DPC PPC
  PIC 0                   BUILTIN      BUILTIN           SPU Flow
  PIC 1                   BUILTIN      BUILTIN           SPU Flow
  PIC 2                   BUILTIN      BUILTIN           SPU Flow
  PIC 3                   BUILTIN      BUILTIN           SPU Flow
FPC 7            REV 10   750-056758   CACS5126          SRX5k SPC II
  CPU                     BUILTIN      BUILTIN           SRX5k DPC PPC
  PIC 0                   BUILTIN      BUILTIN           SPU Flow
  PIC 1                   BUILTIN      BUILTIN           SPU Flow
  PIC 2                   BUILTIN      BUILTIN           SPU Flow
  PIC 3                   BUILTIN      BUILTIN           SPU Flow
FPC 8            REV 11   750-043157   CACA8798          SRX5k IOC II
  CPU            REV 04   711-043360   CACA8826          SRX5k MPC PMB
  MIC 0          REV 19   750-049486   CAAH0996          1x 100GE CFP
    PIC 0                 BUILTIN      BUILTIN           1x 100GE CFP
      Xcvr 0     REV 01   740-035329   UP30A6N           CFP-100G-SR10
FPC 9            REV 07   750-044175   CAAD0745          SRX5k SPC II
  CPU                     BUILTIN      BUILTIN           SRX5k DPC PPC
  PIC 0                   BUILTIN      BUILTIN           SPU Flow
  PIC 1                   BUILTIN      BUILTIN           SPU Flow
  PIC 2                   BUILTIN      BUILTIN           SPU Flow
  PIC 3                   BUILTIN      BUILTIN           SPU Flow
FPC 10           REV 18   750-054877   CACD2570          SRX5k SPC II
  CPU                     BUILTIN      BUILTIN           SRX5k DPC PPC
Fan Tray 0       REV 04   740-035409   ACAE2122          Enhanced Fan Tray
Fan Tray 1       REV 04   740-035409   ACAE2254          Enhanced Fan Tray
Sample Output
show chassis hardware detail (SRX5600 and SRX5800 devices with SRX5000 line SCB II (SRX5K-SCBE) and SRX5K-RE-1800X4)
user@host> show chassis hardware detail
node0:
--------------------------------------------------------------------------
Hardware inventory:
Item             Version  Part number  Serial number     Description
Chassis                                JN122A040AGA      SRX5800
Midplane         REV 01   710-041799   ACRA7817          SRX5800 Backplane
FPM Board        REV 01   760-058099   CACA2100          Front Panel Display
PDM              Rev 03   740-013110   QCS1739517Z       Power Distribution Module
PEM 0            Rev 05   740-034724   QCS17460203K      PS 4.1kW; 200-240V AC in
PEM 1            Rev 04   740-034724   QCS172302017      PS 4.1kW; 200-240V AC in
Routing Engine 0 REV 01   740-056658   9013040855        SRX5k RE-1800X4
  ad0    3998 MB  Virtium - TuffDrive VCF P1T0200269450529 741 Compact Flash
  ad1  114304 MB  VSFA18PI128G-KC   32779-073           Disk 1
  usb0 (addr 1)   EHCI root hub 0   Intel               uhub0
  usb0 (addr 2)   product 0x0020 32 vendor 0x8087       uhub1
  DIMM 0          SGU04G72H1BD2SA-BB DIE REV-52 PCB REV-54 MFR ID-ce80
  DIMM 1          SGU04G72H1BD2SA-BB DIE REV-52 PCB REV-54 MFR ID-ce80
  DIMM 2          SGU04G72H1BD2SA-BB DIE REV-52 PCB REV-54 MFR ID-ce80
  DIMM 3          SGU04G72H1BD2SA-BB DIE REV-52 PCB REV-54 MFR ID-ce80
Routing Engine 1
CB 0             REV 01   750-056587   CACG1424          SRX5k SCB II
CB 1             REV 01   750-056587   CACC9307          SRX5k SCB II
CB 2             REV 01   750-056587   CAAZ1128          SRX5k SCB II
FPC 0            REV 10   750-056758   CACS2667          SRX5k SPC II
  CPU                     BUILTIN      BUILTIN           SRX5k DPC PPC
  PIC 0                   BUILTIN      BUILTIN           SPU Cp
  PIC 1                   BUILTIN      BUILTIN           SPU Flow
  PIC 2                   BUILTIN      BUILTIN           SPU Flow
  PIC 3                   BUILTIN      BUILTIN           SPU Flow
FPC 1            REV 18   750-054877   CACH4092          SRX5k SPC II
  CPU                     BUILTIN      BUILTIN           SRX5k DPC PPC
  PIC 0                   BUILTIN      BUILTIN           SPU Flow
  PIC 1                   BUILTIN      BUILTIN           SPU Flow
  PIC 2                   BUILTIN      BUILTIN           SPU Flow
  PIC 3                   BUILTIN      BUILTIN           SPU Flow
FPC 2            REV 10   750-056758   CACV0038          SRX5k SPC II
  CPU                     BUILTIN      BUILTIN           SRX5k DPC PPC
  PIC 0                   BUILTIN      BUILTIN           SPU Flow
  PIC 1                   BUILTIN      BUILTIN           SPU Flow
  PIC 2                   BUILTIN      BUILTIN           SPU Flow
  PIC 3                   BUILTIN      BUILTIN           SPU Flow
FPC 3            REV 10   750-043157   CACB6877          SRX5k IOC II
  CPU            REV 04   711-043360   CACH6074          SRX5k MPC PMB
  MIC 0          REV 19   750-049486   CAAH3504          1x 100GE CFP
    PIC 0                 BUILTIN      BUILTIN           1x 100GE CFP
      Xcvr 0     REV 01   740-035329   UP1020Z           CFP-100G-SR10
  MIC 1          REV 04   750-049488   CACB6429          10x 10GE SFP+
    PIC 2                 BUILTIN      BUILTIN           10x 10GE SFP+
      Xcvr 0     REV 01   740-031980   AP21RJ5           SFP+-10G-SR
      Xcvr 1     REV 01   740-031980   AP21RLJ           SFP+-10G-SR
      Xcvr 2     REV 01   740-030658   AD1148A0AYC       SFP+-10G-USR
      Xcvr 3     REV 01   740-031980   B11E02718         SFP+-10G-SR
FPC 4            REV 10   750-056758   CACW0706          SRX5k SPC II
  CPU                     BUILTIN      BUILTIN           SRX5k DPC PPC
  PIC 0                   BUILTIN      BUILTIN           SPU Flow
  PIC 1                   BUILTIN      BUILTIN           SPU Flow
  PIC 2                   BUILTIN      BUILTIN           SPU Flow
  PIC 3                   BUILTIN      BUILTIN           SPU Flow
FPC 7            REV 10   750-056758   CACS2725          SRX5k SPC II
  CPU                     BUILTIN      BUILTIN           SRX5k DPC PPC
  PIC 0                   BUILTIN      BUILTIN           SPU Flow
  PIC 1                   BUILTIN      BUILTIN           SPU Flow
  PIC 2                   BUILTIN      BUILTIN           SPU Flow
  PIC 3                   BUILTIN      BUILTIN           SPU Flow
FPC 8            REV 11   750-043157   CABN4955          SRX5k IOC II
  CPU            REV 04   711-043360   CACT9926          SRX5k MPC PMB
  MIC 0          REV 19   750-049486   CAAH0979          1x 100GE CFP
    PIC 0                 BUILTIN      BUILTIN           1x 100GE CFP
      Xcvr 0     REV 01   740-035329   UP2077V           CFP-100G-SR10
FPC 9            REV 10   750-056758   CACW0755          SRX5k SPC II
  CPU                     BUILTIN      BUILTIN           SRX5k DPC PPC
  PIC 0                   BUILTIN      BUILTIN           SPU Flow
  PIC 1                   BUILTIN      BUILTIN           SPU Flow
  PIC 2                   BUILTIN      BUILTIN           SPU Flow
  PIC 3                   BUILTIN      BUILTIN           SPU Flow
FPC 10           REV 07   750-044175   CAAD0747          SRX5k SPC II
  CPU                     BUILTIN      BUILTIN           SRX5k DPC PPC
Fan Tray 0       REV 04   740-035409   ACAE2294          Enhanced Fan Tray
Fan Tray 1       REV 04   740-035409   ACAE2099          Enhanced Fan Tray

node1:
--------------------------------------------------------------------------
Hardware inventory:
Item             Version  Part number  Serial number     Description
Chassis                                JN1235BC7AGA      SRX5800
Midplane         REV 01   710-024803   ACRC3244          SRX5800 Backplane
FPM Board        REV 01   710-024632   CACA2108          Front Panel Display
PDM              Rev 03   740-013110   QCS1739519B       Power Distribution Module
PEM 0            Rev 04   740-034724   QCS17230201Z      PS 4.1kW; 200-240V AC in
PEM 1            Rev 05   740-034724   QCS174502014      PS 4.1kW; 200-240V AC in
Routing Engine 0 REV 01   740-056658   9009153221        SRX5k RE-1800X4
  ad0    3998 MB  Virtium - TuffDrive VCF P1T0200298450703 72 Compact Flash
  ad1  114304 MB  VSFA18PI128G-KC   32779-073           Disk 1
  usb0 (addr 1)   EHCI root hub 0   Intel               uhub0
  usb0 (addr 2)   product 0x0020 32 vendor 0x8087       uhub1
  DIMM 0          VL31B5263F-F8SD DIE REV-0 PCB REV-0 MFR ID-ce80
  DIMM 1          VL31B5263F-F8SD DIE REV-0 PCB REV-0 MFR ID-ce80
  DIMM 2          VL31B5263F-F8SD DIE REV-0 PCB REV-0 MFR ID-ce80
  DIMM 3          VL31B5263F-F8SD DIE REV-0 PCB REV-0 MFR ID-ce80
Routing Engine 1
CB 0             REV 01   750-056587   CACC9541          SRX5k SCB II
CB 1             REV 01   750-056587   CACG1447          SRX5k SCB II
CB 2             REV 01   750-056587   CACH9058          SRX5k SCB II
FPC 0            REV 18   750-054877   CACH4004          SRX5k SPC II
  CPU                     BUILTIN      BUILTIN           SRX5k DPC PPC
  PIC 0                   BUILTIN      BUILTIN           SPU Cp
  PIC 1                   BUILTIN      BUILTIN           SPU Flow
  PIC 2                   BUILTIN      BUILTIN           SPU Flow
  PIC 3                   BUILTIN      BUILTIN           SPU Flow
FPC 1            REV 18   750-054877   CACH4082          SRX5k SPC II
  CPU                     BUILTIN      BUILTIN           SRX5k DPC PPC
  PIC 0                   BUILTIN      BUILTIN           SPU Flow
  PIC 1                   BUILTIN      BUILTIN           SPU Flow
  PIC 2                   BUILTIN      BUILTIN           SPU Flow
  PIC 3                   BUILTIN      BUILTIN           SPU Flow
FPC 2            REV 10   750-056758   CACW0713          SRX5k SPC II
  CPU                     BUILTIN      BUILTIN           SRX5k DPC PPC
  PIC 0                   BUILTIN      BUILTIN           SPU Flow
  PIC 1                   BUILTIN      BUILTIN           SPU Flow
  PIC 2                   BUILTIN      BUILTIN           SPU Flow
  PIC 3                   BUILTIN      BUILTIN           SPU Flow
FPC 3            REV 11   750-043157   CACA8792          SRX5k IOC II
  CPU            REV 04   711-043360   CACA8809          SRX5k MPC PMB
  MIC 0          REV 19   750-049486   CAAH3485          1x 100GE CFP
    PIC 0                 BUILTIN      BUILTIN           1x 100GE CFP
      Xcvr 0     REV 01   740-035329   UNM0G3C           CFP-100G-SR10
  MIC 1          REV 04   750-049488   CABX0782          10x 10GE SFP+
    PIC 2                 BUILTIN      BUILTIN           10x 10GE SFP+
      Xcvr 0     REV 01   740-031980   AMB0HX3           SFP+-10G-SR
      Xcvr 1     REV 01   740-031980   ANT0E6V           SFP+-10G-SR
      Xcvr 2     REV 01   740-031980   ANR0ZVY           SFP+-10G-SR
      Xcvr 3     REV 01   740-031980   AP308ZU           SFP+-10G-SR
FPC 4            REV 10   750-044175   CAAS8024          SRX5k SPC II
  CPU                     BUILTIN      BUILTIN           SRX5k DPC PPC
  PIC 0                   BUILTIN      BUILTIN           SPU Flow
  PIC 1                   BUILTIN      BUILTIN           SPU Flow
  PIC 2                   BUILTIN      BUILTIN           SPU Flow
  PIC 3                   BUILTIN      BUILTIN           SPU Flow
FPC 7            REV 10   750-056758   CACS5126          SRX5k SPC II
  CPU                     BUILTIN      BUILTIN           SRX5k DPC PPC
  PIC 0                   BUILTIN      BUILTIN           SPU Flow
  PIC 1                   BUILTIN      BUILTIN           SPU Flow
  PIC 2                   BUILTIN      BUILTIN           SPU Flow
  PIC 3                   BUILTIN      BUILTIN           SPU Flow
FPC 8            REV 11   750-043157   CACA8798          SRX5k IOC II
  CPU            REV 04   711-043360   CACA8826          SRX5k MPC PMB
  MIC 0          REV 19   750-049486   CAAH0996          1x 100GE CFP
    PIC 0                 BUILTIN      BUILTIN           1x 100GE CFP
      Xcvr 0     REV 01   740-035329   UP30A6N           CFP-100G-SR10
FPC 9            REV 07   750-044175   CAAD0745          SRX5k SPC II
  CPU                     BUILTIN      BUILTIN           SRX5k DPC PPC
  PIC 0                   BUILTIN      BUILTIN           SPU Flow
  PIC 1                   BUILTIN      BUILTIN           SPU Flow
  PIC 2                   BUILTIN      BUILTIN           SPU Flow
  PIC 3                   BUILTIN      BUILTIN           SPU Flow
FPC 10           REV 18   750-054877   CACD2570          SRX5k SPC II
  CPU                     BUILTIN      BUILTIN           SRX5k DPC PPC
Fan Tray 0       REV 04   740-035409   ACAE2122          Enhanced Fan Tray
Fan Tray 1       REV 04   740-035409   ACAE2254          Enhanced Fan Tray
Sample Output
show chassis hardware extensive node 1 (SRX5600 and SRX5800 devices with SRX5000 line SCB II (SRX5K-SCBE) and SRX5K-RE-1800X4)
user@host> show chassis hardware extensive node 1
node1:
--------------------------------------------------------------------------
Hardware inventory:
Item             Version  Part number  Serial number     Description
Chassis                                JN1235BC7AGA      SRX5800
  Jedec Code:   0x7fb0            EEPROM Version:    0x02
                                  S/N:               JN1235BC7AGA
  Assembly ID:  0x051a            Assembly Version:  00.00
  Date:         00-00-0000        Assembly Flags:    0x00
  ID: SRX5800
  Board Information Record:
    Address 0x00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  I2C Hex Data:
    Address 0x00: 7f b0 02 ff 05 1a 00 00 00 00 00 00 00 00 00 00
    Address 0x10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Address 0x20: 4a 4e 31 32 33 35 42 43 37 41 47 41 00 00 00 00
    Address 0x30: 00 00 00 ff 00 00 00 00 00 00 00 00 00 00 00 00
    Address 0x40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Address 0x50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Address 0x60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Address 0x70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Midplane         REV 01   710-024803   ACRC3244          SRX5800 Backplane
  Jedec Code:   0x7fb0            EEPROM Version:    0x01
  P/N:          710-024803        S/N:               S/N ACRC3244
  Assembly ID:  0x091a            Assembly Version:  01.01
  Date:         02-26-2014        Assembly Flags:    0x00
  Version:      REV 01
  ID: SRX5800 Backplane
  FRU Model Number: SRX5800-BP-A
  Board Information Record:
    Address 0x00: ad 01 08 00 4c 96 14 d3 28 00 00 ff ff ff ff ff
  I2C Hex Data:
    Address 0x00: 7f b0 01 ff 09 1a 01 01 52 45 56 20 30 31 00 00
    Address 0x10: 00 00 00 00 37 31 30 2d 30 32 34 38 30 33 00 00
    Address 0x20: 53 2f 4e 20 41 43 52 43 33 32 34 34 00 1a 02 07
    Address 0x30: de ff ff ff ad 01 08 00 4c 96 14 d3 28 00 00 ff
    Address 0x40: ff ff ff ff 01 00 00 00 00 00 00 00 00 00 00 53
    Address 0x50: 52 58 35 38 30 30 2d 42 50 2d 41 00 00 00 00 00
    Address 0x60: 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff
    Address 0x70: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
FPM Board        REV 01   710-024632   CACA2108          Front Panel Display
  Jedec Code:   0x7fb0            EEPROM Version:    0x01
  P/N:          710-024632        S/N:               S/N CACA2108
  Assembly ID:  0x096f            Assembly Version:  01.01
  Date:         02-05-2014        Assembly Flags:    0x00
  Version:      REV 01
  ID: Front Panel Display
  FRU Model Number: SRX5800-CRAFT-A
  Board Information Record:
    Address 0x00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
  I2C Hex Data:
    Address 0x00: 7f b0 01 ff 09 6f 01 01 52 45 56 20 30 31 00 00
    Address 0x10: 00 00 00 00 37 31 30 2d 30 32 34 36 33 32 00 00
    Address 0x20: 53 2f 4e 20 43 41 43 41 32 31 30 38 00 05 02 07
    Address 0x30: de ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
    Address 0x40: ff ff ff ff 01 00 00 00 00 00 00 00 00 00 00 53
    Address 0x50: 52 58 35 38 30 30 2d 43 52 41 46 54 2d 41 00 00
    Address 0x60: 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff
    Address 0x70: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
PDM              Rev 03   740-013110   QCS1739519B       Power Distribution Module
  Jedec Code:   0x7fb0            EEPROM Version:    0x01
  P/N:          740-013110        S/N:               QCS1739519B
  Assembly ID:  0x0416            Assembly Version:  01.03
  Date:         10-26-2013        Assembly Flags:    0x00
  Version:      Rev 03
  ID: Power Distribution Module
  Board Information Record:
    Address 0x00: ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00
  I2C Hex Data:
    Address 0x00: 7f b0 01 ff 04 16 01 03 52 65 76 20 30 33 00 00
    Address 0x10: 00 00 00 00 37 34 30 2d 30 31 33 31 31 30 00 00
    Address 0x20: 51 43 53 31 37 33 39 35 31 39 42 00 00 1a 0a 07
    Address 0x30: dd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
    Address 0x40: ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Address 0x50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Address 0x60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Address 0x70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PEM 0            Rev 04   740-034724   QCS17230201Z      PS 4.1kW; 200-240V AC in
  Jedec Code:   0x7fb0            EEPROM Version:    0x01
  P/N:          740-034724        S/N:               QCS17230201Z
  Assembly ID:  0x044b            Assembly Version:  01.04
  Date:         06-04-2013        Assembly Flags:    0x00
  Version:      Rev 04
  ID: PS 4.1kW; 200-240V AC in
  FRU Model Number: SRX5800-PWR-4100-AC
  Board Information Record:
    Address 0x00: ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00
  I2C Hex Data:
    Address 0x00: 7f b0 01 ff 04 4b 01 04 52 65 76 20 30 34 00 00
    Address 0x10: 00 00 00 00 37 34 30 2d 30 33 34 37 32 34 00 00
    Address 0x20: 51 43 53 31 37 32 33 30 32 30 31 5a 00 04 06 07
    Address 0x30: dd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
    Address 0x40: 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 53
    Address 0x50: 52 58 35 38 30 30 2d 50 57 52 2d 34 31 30 30 2d
    Address 0x60: 41 43 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Address 0x70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PEM 1            Rev 05   740-034724   QCS174502014      PS 4.1kW; 200-240V AC in
  Jedec Code:   0x7fb0            EEPROM Version:    0x01
  P/N:          740-034724        S/N:               QCS174502014
  Assembly ID:  0x044b            Assembly Version:  01.05
  Date:         11-06-2013        Assembly Flags:    0x00
  Version:      Rev 05
  ID: PS 4.1kW; 200-240V AC in
  FRU Model Number: SRX5800-PWR-4100-AC
  Board Information Record:
    Address 0x00: ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00
  I2C Hex Data:
    Address 0x00: 7f b0 01 ff 04 4b 01 05 52 65 76 20 30 35 00 00
    Address 0x10: 00 00 00 00 37 34 30 2d 30 33 34 37 32 34 00 00
    Address 0x20: 51 43 53 31 37 34 35 30 32 30 31 34 00 06 0b 07
    Address 0x30: dd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
    Address 0x40: 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 53
    Address 0x50: 52 58 35 38 30 30 2d 50 57 52 2d 34 31 30 30 2d
    Address 0x60: 41 43 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Address 0x70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Routing Engine 0 REV 01   740-056658   9009153221        SRX5k RE-1800X4
  Jedec Code:   0x7fb0            EEPROM Version:    0x02
  P/N:          740-056658        S/N:               9009153221
  Assembly ID:  0x0c1a            Assembly Version:  01.01
  Date:         07-22-2013        Assembly Flags:    0x00
  Version:      REV 01            CLEI Code:         PROTOXCLEI
  ID: SRX5k RE-1800X4
  FRU Model Number: SRX5K-RE-1800X4
  Board Information Record:
    Address 0x00: 54 32 30 32 37 45 43 2d 34 34 47 42 00 00 00 00
  I2C Hex Data:
    Address 0x00: 7f b0 02 ff 0c 1a 01 01 52 45 56 20 30 31 00 00
    Address 0x10: 00 00 00 00 37 34 30 2d 30 35 36 36 35 38 00 00
    Address 0x20: 39 30 30 39 31 35 33 32 32 31 00 00 00 16 07 07
    Address 0x30: dd ff ff ff 54 32 30 32 37 45 43 2d 34 34 47 42
    Address 0x40: 00 00 00 00 01 50 52 4f 54 4f 58 43 4c 45 49 53
    Address 0x50: 52 58 35 4b 2d 52 45 2d 31 38 30 30 58 34 00 00
    Address 0x60: 00 00 00 00 00 00 41 30 30 ff ff ff ff ff ff ff
    Address 0x70: ff ff ff 64 ff ff ff ff ff ff ff ff ff ff ff ff
    ad0     3998 MB  Virtium - TuffDrive VCF  P1T0200298450703  Compact Flash
    ad1   114304 MB  VSFA18PI128G-KC          32779-073         Disk 1
    usb0 (addr 1)    EHCI root hub 0          Intel             uhub0
    usb0 (addr 2)    product 0x0020 32        vendor 0x8087     uhub1
    DIMM 0           VL31B5263F-F8SD DIE REV-0 PCB REV-0 MFR ID-ce80
    DIMM 1           VL31B5263F-F8SD DIE REV-0 PCB REV-0 MFR ID-ce80
    DIMM 2           VL31B5263F-F8SD DIE REV-0 PCB REV-0 MFR ID-ce80
    DIMM 3           VL31B5263F-F8SD DIE REV-0 PCB REV-0 MFR ID-ce80
Routing Engine 1
CB 0             REV 01   750-056587   CACC9541          SRX5k SCB II
  Jedec Code:   0x7fb0            EEPROM Version:    0x02
  P/N:          750-056587        S/N:               S/N CACC9541
  Assembly ID:  0x0c19            Assembly Version:  01.01
  Date:         03-07-2014        Assembly Flags:    0x00
  Version:      REV 01            CLEI Code:         PROTOXCLEI
  ID: SRX5k SCB II
  FRU Model Number: SRX5K-SCBE
  Board Information Record:
    Address 0x00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
  I2C Hex Data:
    Address 0x00: 7f b0 02 fe 0c 19 01 01 52 45 56 20 30 31 00 00
    Address 0x10: 00 00 00 00 37 35 30 2d 30 35 36 35 38 37 00 00
    Address 0x20: 53 2f 4e 20 43 41 43 43 39 35 34 31 00 07 03 07
    Address 0x30: de ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
    Address 0x40: ff ff ff ff 01 50 52 4f 54 4f 58 43 4c 45 49 53
    Address 0x50: 52 58 35 4b 2d 53 43 42 45 00 00 00 00 00 00 00
    Address 0x60: 00 00 00 00 00 00 41 00 00 ff ff ff ff ff ff ff
    Address 0x70: ff ff ff 08 ff ff ff ff ff ff ff ff ff ff ff ff
CB 1             REV 01   750-056587   CACG1447          SRX5k SCB II
  Jedec Code:   0x7fb0            EEPROM Version:    0x02
  P/N:          750-056587        S/N:               S/N CACG1447
  Assembly ID:  0x0c19            Assembly Version:  01.01
  Date:         03-07-2014        Assembly Flags:    0x00
  Version:      REV 01            CLEI Code:         PROTOXCLEI
  ID: SRX5k SCB II
  FRU Model Number: SRX5K-SCBE
  Board Information Record:
    Address 0x00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
  I2C Hex Data:
    Address 0x00: 7f b0 02 fe 0c 19 01 01 52 45 56 20 30 31 00 00
    Address 0x10: 00 00 00 00 37 35 30 2d 30 35 36 35 38 37 00 00
    Address 0x20: 53 2f 4e 20 43 41 43 47 31 34 34 37 00 07 03 07
    Address 0x30: de ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
    Address 0x40: ff ff ff ff 01 50 52 4f 54 4f 58 43 4c 45 49 53
    Address 0x50: 52 58 35 4b 2d 53 43 42 45 00 00 00 00 00 00 00
    Address 0x60: 00 00 00 00 00 00 41 00 00 ff ff ff ff ff ff ff
    Address 0x70: ff ff ff 08 ff ff ff ff ff ff ff ff ff ff ff ff
CB 2             REV 01   750-056587   CACH9058          SRX5k SCB II
  Jedec Code:   0x7fb0            EEPROM Version:    0x02
  P/N:          750-056587        S/N:               S/N CACH9058
  Assembly ID:  0x0c19            Assembly Version:  01.01
  Date:         03-06-2014        Assembly Flags:    0x00
  Version:      REV 01            CLEI Code:         PROTOXCLEI
  ID: SRX5k SCB II
  FRU Model Number: SRX5K-SCBE
  Board Information Record:
    Address 0x00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
  I2C Hex Data:
    Address 0x00: 7f b0 02 fe 0c 19 01 01 52 45 56 20 30 31 00 00
    Address 0x10: 00 00 00 00 37 35 30 2d 30 35 36 35 38 37 00 00
    Address 0x20: 53 2f 4e 20 43 41 43 48 39 30 35 38 00 06 03 07
    Address 0x30: de ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
    Address 0x40: ff ff ff ff 01 50 52 4f 54 4f 58 43 4c 45 49 53
    Address 0x50: 52 58 35 4b 2d 53 43 42 45 00 00 00 00 00 00 00
    Address 0x60: 00 00 00 00 00 00 41 00 00 ff ff ff ff ff ff ff
    Address 0x70: ff ff ff 08 ff ff ff ff ff ff ff ff ff ff ff ff
Sample Output
show chassis hardware models (SRX1400 and SRX3000 devices)
user@host> show chassis hardware models
Hardware inventory:
Item             Version  Part number  Serial number     FRU model number
Midplane         REV 07   710-020310   VP8136            SRX3600-CHAS
PEM 0            rev 05   740-027644   G087E6003S05P     AC Power Supply
PEM 1            rev 05   740-027644   G087E600AT05P     AC Power Supply
CB 0             REV 11   750-021914   AAAC9887          SRX3K-RE-12-10
  Routing Engine          BUILTIN      BUILTIN
  CPP                     BUILTIN      BUILTIN
FPC 0            REV 11   750-021882   AAAD9785          SRX3K-SFB-12GE
FPC 1            REV 10   750-016077   AAAE9989          SRX3K-SPC-1-10-40
FPC 2            REV 11   750-016077   AAAT8490          SRX3K-SPC-1-10-40
FPC 5            REV 15   750-020321   AABB3820          SRX3K-2XGE-XFP
FPC 10           REV 12   750-043828   AAAD9501          SRX1K3K-NP-2XGE-SFPP
Fan Tray 0       REV 06   750-021599   VR9734            SRX3600-FAN
show chassis hardware models (SRX5600 and SRX5800 devices with SRX5000 line SCB II (SRX5K-SCBE) and SRX5K-RE-1800X4)
user@host> show chassis hardware models
node0:
--------------------------------------------------------------------------
Hardware inventory:
Item             Version  Part number  Serial number     FRU model number
FPM Board        REV 01   760-058099   CACA2100          SRX5800E-CRAFT
PEM 0            Rev 05   740-034724   QCS17460203K      SRX5800-PWR-4100-AC
PEM 1            Rev 04   740-034724   QCS172302017      SRX5800-PWR-4100-AC
Routing Engine 0 REV 01   740-056658   9013040855        SRX5K-RE-1800X4
CB 0             REV 01   750-056587   CACG1424          SRX5K-SCBE
CB 1             REV 01   750-056587   CACC9307          SRX5K-SCBE
CB 2             REV 01   750-056587   CAAZ1128          SRX5K-SCBE
FPC 0            REV 10   750-056758   CACS2667          SRX5K-SPC-4-15-320
  CPU                     BUILTIN      BUILTIN
FPC 1            REV 18   750-054877   CACH4092          SRX5K-SPC-4-15-320
  CPU                     BUILTIN      BUILTIN
FPC 2            REV 10   750-056758   CACV0038          SRX5K-SPC-4-15-320
  CPU                     BUILTIN      BUILTIN
FPC 3            REV 10   750-043157   CACB6877          SRX5K-MPC
  MIC 0          REV 19   750-049486   CAAH3504          SRX-MIC-1X100G-CFP
  MIC 1          REV 04   750-049488   CACB6429          SRX-MIC-10XG-SFPP
FPC 4            REV 10   750-056758   CACW0706          SRX5K-SPC-4-15-320
  CPU                     BUILTIN      BUILTIN
FPC 7            REV 10   750-056758   CACS2725          SRX5K-SPC-4-15-320
  CPU                     BUILTIN      BUILTIN
FPC 8            REV 11   750-043157   CABN4955          SRX5K-MPC
  MIC 0          REV 19   750-049486   CAAH0979          SRX-MIC-1X100G-CFP
FPC 9            REV 10   750-056758   CACW0755          SRX5K-SPC-4-15-320
  CPU                     BUILTIN      BUILTIN
FPC 10           REV 07   750-044175   CAAD0747          750-044175
  CPU                     BUILTIN      BUILTIN
Fan Tray 0       REV 04   740-035409   ACAE2294          SRX5800-HC-FAN
Fan Tray 1       REV 04   740-035409   ACAE2099          SRX5800-HC-FAN

node1:
--------------------------------------------------------------------------
Hardware inventory:
Item             Version  Part number  Serial number     FRU model number
Midplane         REV 01   710-024803   ACRC3244          SRX5800-BP-A
FPM Board        REV 01   710-024632   CACA2108          SRX5800-CRAFT-A
PEM 0            Rev 04   740-034724   QCS17230201Z      SRX5800-PWR-4100-AC
PEM 1            Rev 05   740-034724   QCS174502014      SRX5800-PWR-4100-AC
Routing Engine 0 REV 01   740-056658   9009153221        SRX5K-RE-1800X4
CB 0             REV 01   750-056587   CACC9541          SRX5K-SCBE
CB 1             REV 01   750-056587   CACG1447          SRX5K-SCBE
CB 2             REV 01   750-056587   CACH9058          SRX5K-SCBE
FPC 0            REV 18   750-054877   CACH4004          SRX5K-SPC-4-15-320
  CPU                     BUILTIN      BUILTIN
FPC 1            REV 18   750-054877   CACH4082          SRX5K-SPC-4-15-320
  CPU                     BUILTIN      BUILTIN
FPC 2            REV 10   750-056758   CACW0713          SRX5K-SPC-4-15-320
  CPU                     BUILTIN      BUILTIN
FPC 3            REV 11   750-043157   CACA8792          SRX5K-MPC
  MIC 0          REV 19   750-049486   CAAH3485          MIC3-3D-1X100GE-CFP
  MIC 1          REV 04   750-049488   CABX0782          SRX-MIC-10XG-SFPP
FPC 4            REV 10   750-044175   CAAS8024          SRX5K-SPC-4-15-320
  CPU                     BUILTIN      BUILTIN
FPC 7            REV 10   750-056758   CACS5126          SRX5K-SPC-4-15-320
  CPU                     BUILTIN      BUILTIN
FPC 8            REV 11   750-043157   CACA8798          SRX5K-MPC
  MIC 0          REV 19   750-049486   CAAH0996          MIC3-3D-1X100GE-CFP
FPC 9            REV 07   750-044175   CAAD0745          750-044175
  CPU                     BUILTIN      BUILTIN
FPC 10           REV 18   750-054877   CACD2570          SRX5K-SPC-4-15-320
  CPU                     BUILTIN      BUILTIN
Fan Tray 0       REV 04   740-035409   ACAE2122          SRX5800-HC-FAN
Fan Tray 1       REV 04   740-035409   ACAE2254          SRX5800-HC-FAN
Sample Output
show chassis hardware clei-models (SRX5600 and SRX5800 devices with SRX5000 line SCB II (SRX5K-SCBE) and SRX5K-RE-1800X4)
user@host> show chassis hardware clei-models node 1
node1:
--------------------------------------------------------------------------
Hardware inventory:
Item             Version  Part number  CLEI code    FRU model number
Midplane         REV 01   710-024803                SRX5800-BP-A
FPM Board        REV 01   710-024632                SRX5800-CRAFT-A
PEM 0            Rev 04   740-034724                SRX5800-PWR-4100-AC
PEM 1            Rev 05   740-034724                SRX5800-PWR-4100-AC
Routing Engine 0 REV 01   740-056658   COUCATTBAA   SRX5K-RE-1800X4
CB 0             REV 01   750-056587   COUCATSBAA   SRX5K-SCBE
CB 1             REV 01   750-056587   COUCATSBAA   SRX5K-SCBE
CB 2             REV 01   750-056587   COUCATSBAA   SRX5K-SCBE
FPC 0            REV 18   750-054877   COUCATLBAA   SRX5K-SPC-4-15-320
  CPU                     BUILTIN
FPC 1            REV 18   750-054877   COUCATLBAA   SRX5K-SPC-4-15-320
  CPU                     BUILTIN
FPC 2            REV 18   750-054877   COUCATLBAA   SRX5K-SPC-4-15-320
  CPU                     BUILTIN
FPC 3            REV 11   750-043157   COUIBCWBAA   SRX5K-MPC
  MIC 0          REV 05   750-049486   COUIBCYBAA   SRX-MIC-1X100G-CFP
  MIC 1          REV 04   750-049488   COUIBCXBAA   SRX-MIC-10XG-SFPP
FPC 4            REV 18   750-054877   COUCATLBAA   SRX5K-SPC-4-15-320
  CPU                     BUILTIN
FPC 7            REV 18   750-054877   COUCATLBAA   SRX5K-SPC-4-15-320
  CPU                     BUILTIN
FPC 8            REV 11   750-043157   COUIBCWBAA   SRX5K-MPC
  MIC 0          REV 05   750-049486   COUIBCYBAA   SRX-MIC-1X100G-CFP
FPC 9            REV 18   750-054877   COUCATLBAA   SRX5K-SPC-4-15-320
  CPU                     BUILTIN
FPC 10           REV 18   750-054877   COUCATLBAA   SRX5K-SPC-4-15-320
  CPU                     BUILTIN
Fan Tray 0       REV 04   740-035409                SRX5800-HC-FAN
Fan Tray 1       REV 04   740-035409                SRX5800-HC-FAN
Sample Output
show chassis hardware models (SRX5600 and SRX5800 devices with SRX5000 line SCB II (SRX5K-SCBE) and SRX5K-RE-1800X4)
user@host> show chassis hardware
node0:
--------------------------------------------------------------------------
Hardware inventory:
Item             Version  Part number  Serial number     FRU model number
FPM Board        REV 01   760-058099   CACA2100          SRX5800E-CRAFT
PEM 0            Rev 05   740-034724   QCS17460203K      SRX5800-PWR-4100-AC
PEM 1            Rev 04   740-034724   QCS172302017      SRX5800-PWR-4100-AC
Routing Engine 0 REV 01   740-056658   9013040855        SRX5K-RE-1800X4
CB 0             REV 01   750-056587   CACG1424          SRX5K-SCBE
CB 1             REV 01   750-056587   CACC9307          SRX5K-SCBE
CB 2             REV 01   750-056587   CAAZ1128          SRX5K-SCBE
FPC 0            REV 10   750-056758   CACS2667          SRX5K-SPC-4-15-320
  CPU                     BUILTIN      BUILTIN
FPC 1            REV 10   750-056758   CACW0713          SRX5K-SPC-4-15-320
  CPU                     BUILTIN      BUILTIN
FPC 2            REV 10   750-056758   CACV0038          SRX5K-SPC-4-15-320
  CPU                     BUILTIN      BUILTIN
FPC 3            REV 10   750-043157   CACB6877          SRX5K-MPC
  MIC 0          REV 19   750-049486   CAAH3504          SRX-MIC-1X100G-CFP
  MIC 1          REV 04   750-049488   CACB6429          SRX-MIC-10XG-SFPP
FPC 4            REV 10   750-056758   CACW0706          SRX5K-SPC-4-15-320
  CPU                     BUILTIN      BUILTIN
FPC 7            REV 10   750-056758   CACS2725          SRX5K-SPC-4-15-320
  CPU                     BUILTIN      BUILTIN
FPC 8            REV 11   750-043157   CABN4955          SRX5K-MPC
  MIC 0          REV 19   750-049486   CAAH0979          SRX-MIC-1X100G-CFP
FPC 9            REV 10   750-056758   CACW0755          SRX5K-SPC-4-15-320
  CPU                     BUILTIN      BUILTIN
FPC 10           REV 10   750-056758   CACS5126          SRX5K-SPC-4-15-320
  CPU                     BUILTIN      BUILTIN
Fan Tray 0       REV 04   740-035409   ACAE2294          SRX5800-HC-FAN
Fan Tray 1       REV 04   740-035409   ACAE2099          SRX5800-HC-FAN

node1:
--------------------------------------------------------------------------
Hardware inventory:
Item             Version  Part number  Serial number     FRU model number
Midplane         REV 01   710-024803   ACRC3244          SRX5800-BP-A
FPM Board        REV 01   710-024632   CACA2108          SRX5800-CRAFT-A
PEM 0            Rev 04   740-034724   QCS17230201Z      SRX5800-PWR-4100-AC
PEM 1            Rev 05   740-034724   QCS174502014      SRX5800-PWR-4100-AC
Routing Engine 0 REV 01   740-056658   9009153221        SRX5K-RE-1800X4
CB 0             REV 01   750-056587   CACC9541          SRX5K-SCBE
CB 1             REV 01   750-056587   CACG1447          SRX5K-SCBE
CB 2             REV 01   750-056587   CACH9058          SRX5K-SCBE
FPC 0            REV 18   750-054877   CACH4004          SRX5K-SPC-4-15-320
  CPU                     BUILTIN      BUILTIN
FPC 1            REV 18   750-054877   CACH4082          SRX5K-SPC-4-15-320
  CPU                     BUILTIN      BUILTIN
FPC 2            REV 18   750-054877   CACH4092          SRX5K-SPC-4-15-320
  CPU                     BUILTIN      BUILTIN
FPC 3            REV 11   750-043157   CACA8792          SRX5K-MPC
  MIC 0          REV 19   750-049486   CAAH3485          MIC3-3D-1X100GE-CFP
  MIC 1          REV 04   750-049488   CABX0782          SRX-MIC-10XG-SFPP
FPC 4            REV 18   750-054877   CACD2570          SRX5K-SPC-4-15-320
  CPU                     BUILTIN      BUILTIN
FPC 7            REV 18   750-054877   CACA7024          SRX5K-SPC-4-15-320
  CPU                     BUILTIN      BUILTIN
FPC 8            REV 11   750-043157   CACA8798          SRX5K-MPC
  MIC 0          REV 19   750-049486   CAAH0996          MIC3-3D-1X100GE-CFP
FPC 9            REV 18   750-054877   CACH4088          SRX5K-SPC-4-15-320
  CPU                     BUILTIN      BUILTIN
FPC 10           REV 18   750-054877   CACB7243          SRX5K-SPC-4-15-320
  CPU                     BUILTIN      BUILTIN
Fan Tray 0       REV 04   740-035409   ACAE2122          SRX5800-HC-FAN
Fan Tray 1       REV 04   740-035409   ACAE2254          SRX5800-HC-FAN
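The part numbers, serial numbers and FRU model numbers in the show chassis hardware models outputs above are the values a hardware-integrity check compares against a baseline recorded when the chassis was commissioned: a FRU that changes serial number without a ticket, or a slot that is newly populated, is something operations should see. The following parser and diff routine is an added example written for this guide, not Juniper code. The sample output is constructed from the node1 rows shown above; the BASELINE dictionary, the old serial number CACH0000 on FPC 0, and the assumption that FPC 4 was populated at commissioning time are illustrative.

```python
"""Compare a `show chassis hardware models` inventory against a stored baseline.

Added example; not Juniper code. The sample output is constructed from the node1
rows in the guide; the baseline dictionary, the serial CACH0000 and the populated
FPC 4 slot are assumptions made for the illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

SAMPLE_MODELS = """\
node1:
--------------------------------------------------------------------------
Hardware inventory:
Item             Version  Part number  Serial number     FRU model number
Midplane         REV 01   710-024803   ACRC3244          SRX5800-BP-A
FPM Board        REV 01   710-024632   CACA2108          SRX5800-CRAFT-A
PEM 0            Rev 04   740-034724   QCS17230201Z      SRX5800-PWR-4100-AC
Routing Engine 0 REV 01   740-056658   9009153221        SRX5K-RE-1800X4
CB 0             REV 01   750-056587   CACC9541          SRX5K-SCBE
FPC 0            REV 18   750-054877   CACH4004          SRX5K-SPC-4-15-320
  CPU                     BUILTIN      BUILTIN
FPC 3            REV 11   750-043157   CACA8792          SRX5K-MPC
  MIC 0          REV 19   750-049486   CAAH3485          MIC3-3D-1X100GE-CFP
"""

# Baseline recorded at commissioning (constructed): FPC 0 carried a card with serial
# CACH0000, slot FPC 4 was populated, and FPC 3 had no MIC installed.
BASELINE: Dict[str, Tuple[str, str]] = {
    "Midplane": ("710-024803", "ACRC3244"),
    "FPM Board": ("710-024632", "CACA2108"),
    "PEM 0": ("740-034724", "QCS17230201Z"),
    "Routing Engine 0": ("740-056658", "9009153221"),
    "CB 0": ("750-056587", "CACC9541"),
    "FPC 0": ("750-054877", "CACH0000"),
    "FPC 0/CPU": ("BUILTIN", "BUILTIN"),
    "FPC 3": ("750-043157", "CACA8792"),
    "FPC 4": ("750-054877", "CACD2570"),
}

VERSION_WORD = re.compile(r"^(?:REV|Rev|rev)$")
PART_RE = re.compile(r"^(?:\d{3}-\d{6}|BUILTIN)$")   # Juniper part numbers look like 750-054877


@dataclass
class Fru:
    key: str        # "FPC 3" for a slot, "FPC 3/MIC 0" for a component nested under it
    version: str
    part: str
    serial: str
    model: str


def parse_models(text: str) -> List[Fru]:
    """Tokenise each inventory row around the part-number column.

    The item name may contain spaces ("Routing Engine 0"), the version is optional
    ("CPU  BUILTIN  BUILTIN") and the FRU model may contain spaces on some platforms
    ("AC Power Supply"), so the part number is the anchor: what precedes it (minus an
    optional "REV nn") is the item, what follows the serial number is the model.
    """
    rows: List[Fru] = []
    parent = ""
    for line in text.splitlines():
        toks = line.split()
        idx = next((i for i, t in enumerate(toks) if PART_RE.match(t)), None)
        if idx is None or idx == 0 or idx + 1 >= len(toks):
            continue   # header, separator, node label, blank line
        version, item_end = "", idx
        if idx >= 2 and VERSION_WORD.match(toks[idx - 2]) and toks[idx - 1].isdigit():
            version, item_end = f"{toks[idx - 2]} {toks[idx - 1]}", idx - 2
        item = " ".join(toks[:item_end])
        nested = line[:1].isspace()          # Junos indents sub-components under their FPC/CB
        key = f"{parent}/{item}" if nested and parent else item
        if not nested:
            parent = item
        rows.append(Fru(key, version, toks[idx], toks[idx + 1], " ".join(toks[idx + 2:])))
    return rows


def diff_inventory(baseline: Dict[str, Tuple[str, str]], rows: List[Fru]) -> Dict[str, list]:
    """Report slots whose part/serial changed, disappeared, or appeared since the baseline."""
    current = {r.key: (r.part, r.serial) for r in rows}
    return {
        "changed": sorted((k, baseline[k], current[k])
                          for k in baseline if k in current and baseline[k] != current[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


if __name__ == "__main__":
    for kind, entries in diff_inventory(BASELINE, parse_models(SAMPLE_MODELS)).items():
        print(kind, entries)
```

Keying nested components by their parent slot ("FPC 3/MIC 0") keeps the two "MIC 0" rows of a chassis with several MPCs apart; the same baseline can be re-checked after every maintenance window by feeding it the fresh command output.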
77
Junos OS Release 12.1X47 Feature Guide
show chassis environment (Security)
Syntax
show chassis environment
Release Information
Command introduced in Junos OS Release 9.2.
Description
Display environmental information about the services gateway chassis, including the temperature and information about the fans, power supplies, and Routing Engine.
Options
none—Display environmental information about the device.
cb slot-number—Display chassis environmental information for the Control Board.
fpc fpc-slot—Display chassis environmental information for a specified Flexible PIC Concentrator.
fpm—Display chassis environmental information for the craft interface (FPM).
pem slot-number—Display chassis environmental information for the specified Power Entry Module.
routing-engine slot-number—Display chassis environmental information for the specified Routing Engine.
Required Privilege Level
view
Related Documentation
• Flow-Based Processing Feature Guide for Security Devices
List of Sample Output
show chassis environment on page 78
Output Fields
Table 7 on page 78 lists the output fields for the show chassis environment command. Output fields are listed in the approximate order in which they appear.
Table 7: show chassis environment Output Fields
Field Name
Field Description
Temp
Temperature of air flowing through the chassis in degrees Celsius (C) and Fahrenheit (F).
Fan
Fan status: OK, Testing (during initial power-on), Failed, or Absent.
Sample Output
show chassis environment
user@host> show chassis environment
Class Item                           Status     Measurement
Temp  PEM 0                          OK         40 degrees C / 104 degrees F
      PEM 1                          OK         40 degrees C / 104 degrees F
      PEM 2                          OK         40 degrees C / 104 degrees F
      PEM 3                          OK         45 degrees C / 113 degrees F
      Routing Engine 0               OK         31 degrees C / 87 degrees F
      Routing Engine 0 CPU           OK         27 degrees C / 80 degrees F
      Routing Engine 1               Absent
      Routing Engine 1 CPU           Absent
      CB 0 Intake                    OK         28 degrees C / 82 degrees F
      CB 0 Exhaust A                 OK         27 degrees C / 80 degrees F
      CB 0 Exhaust B                 OK         29 degrees C / 84 degrees F
      CB 0 ACBC                      OK         29 degrees C / 84 degrees F
      CB 0 SF A                      OK         36 degrees C / 96 degrees F
      CB 0 SF B                      OK         31 degrees C / 87 degrees F
      CB 1 Intake                    OK         27 degrees C / 80 degrees F
      CB 1 Exhaust A                 OK         26 degrees C / 78 degrees F
      CB 1 Exhaust B                 OK         29 degrees C / 84 degrees F
      CB 1 ACBC                      OK         27 degrees C / 80 degrees F
      CB 1 SF A                      OK         36 degrees C / 96 degrees F
      CB 1 SF B                      OK         31 degrees C / 87 degrees F
      CB 2 Intake                    Absent
      CB 2 Exhaust A                 Absent
      CB 2 Exhaust B                 Absent
      CB 2 ACBC                      Absent
      CB 2 XF A                      Absent
      CB 2 XF B                      Absent
      FPC 0 Intake                   OK         47 degrees C / 116 degrees F
      FPC 0 Exhaust A                OK         44 degrees C / 111 degrees F
      FPC 0 Exhaust B                OK         52 degrees C / 125 degrees F
      FPC 0 xlp0 TSen                OK         51 degrees C / 123 degrees F
      FPC 0 xlp0 Chip                OK         46 degrees C / 114 degrees F
      FPC 0 xlp1 TSen                OK         51 degrees C / 123 degrees F
      FPC 0 xlp1 Chip                OK         47 degrees C / 116 degrees F
      FPC 0 xlp2 TSen                OK         44 degrees C / 111 degrees F
      FPC 0 xlp2 Chip                OK         42 degrees C / 107 degrees F
      FPC 0 xlp3 TSen                OK         48 degrees C / 118 degrees F
      FPC 0 xlp3 Chip                OK         43 degrees C / 109 degrees F
      FPC 1 Intake                   OK         41 degrees C / 105 degrees F
      FPC 1 Exhaust A                OK         41 degrees C / 105 degrees F
      FPC 1 Exhaust B                OK         51 degrees C / 123 degrees F
      FPC 1 LU TSen                  OK         46 degrees C / 114 degrees F
      FPC 1 LU Chip                  OK         45 degrees C / 113 degrees F
      FPC 1 XM TSen                  OK         46 degrees C / 114 degrees F
      FPC 1 XM Chip                  OK         52 degrees C / 125 degrees F
      FPC 1 xlp0 TSen                OK         49 degrees C / 120 degrees F
      FPC 1 xlp0 Chip                OK         42 degrees C / 107 degrees F
      FPC 1 xlp1 TSen                OK         49 degrees C / 120 degrees F
      FPC 1 xlp1 Chip                OK         44 degrees C / 111 degrees F
      FPC 1 xlp2 TSen                OK         38 degrees C / 100 degrees F
      FPC 1 xlp2 Chip                OK         39 degrees C / 102 degrees F
      FPC 1 xlp3 TSen                OK         44 degrees C / 111 degrees F
      FPC 1 xlp3 Chip                OK         42 degrees C / 107 degrees F
      FPC 2 Intake                   OK         29 degrees C / 84 degrees F
      FPC 2 Exhaust A                OK         34 degrees C / 93 degrees F
      FPC 2 Exhaust B                OK         40 degrees C / 104 degrees F
      FPC 2 I3 0 TSensor             OK         42 degrees C / 107 degrees F
      FPC 2 I3 0 Chip                OK         41 degrees C / 105 degrees F
      FPC 2 I3 1 TSensor             OK         40 degrees C / 104 degrees F
      FPC 2 I3 1 Chip                OK         39 degrees C / 102 degrees F
      FPC 2 I3 2 TSensor             OK         38 degrees C / 100 degrees F
      FPC 2 I3 2 Chip                OK         37 degrees C / 98 degrees F
      FPC 2 I3 3 TSensor             OK         35 degrees C / 95 degrees F
      FPC 2 I3 3 Chip                OK         35 degrees C / 95 degrees F
      FPC 2 IA 0 TSensor             OK         45 degrees C / 113 degrees F
      FPC 2 IA 0 Chip                OK         42 degrees C / 107 degrees F
      FPC 2 IA 1 TSensor             OK         41 degrees C / 105 degrees F
      FPC 2 IA 1 Chip                OK         43 degrees C / 109 degrees F
      FPC 9 Intake                   OK         29 degrees C / 84 degrees F
      FPC 9 Exhaust A                OK         41 degrees C / 105 degrees F
      FPC 9 Exhaust B                OK         48 degrees C / 118 degrees F
      FPC 9 LU TSen                  OK         48 degrees C / 118 degrees F
      FPC 9 LU Chip                  OK         47 degrees C / 116 degrees F
      FPC 9 XM TSen                  OK         48 degrees C / 118 degrees F
      FPC 9 XM Chip                  OK         54 degrees C / 129 degrees F
      FPC 9 xlp0 TSen                OK         45 degrees C / 113 degrees F
      FPC 9 xlp0 Chip                OK         42 degrees C / 107 degrees F
      FPC 9 xlp1 TSen                OK         49 degrees C / 120 degrees F
      FPC 9 xlp1 Chip                OK         46 degrees C / 114 degrees F
      FPC 9 xlp2 TSen                OK         37 degrees C / 98 degrees F
      FPC 9 xlp2 Chip                OK         40 degrees C / 104 degrees F
      FPC 9 xlp3 TSen                OK         45 degrees C / 113 degrees F
      FPC 9 xlp3 Chip                OK         41 degrees C / 105 degrees F
      FPC 10 Intake                  OK         32 degrees C / 89 degrees F
      FPC 10 Exhaust A               OK         44 degrees C / 111 degrees F
      FPC 10 Exhaust B               OK         53 degrees C / 127 degrees F
      FPC 10 LU 0 TSen               OK         43 degrees C / 109 degrees F
      FPC 10 LU 0 Chip               OK         52 degrees C / 125 degrees F
      FPC 10 LU 1 TSen               OK         43 degrees C / 109 degrees F
      FPC 10 LU 1 Chip               OK         44 degrees C / 111 degrees F
      FPC 10 LU 2 TSen               OK         43 degrees C / 109 degrees F
      FPC 10 LU 2 Chip               OK         50 degrees C / 122 degrees F
      FPC 10 LU 3 TSen               OK         43 degrees C / 109 degrees F
      FPC 10 LU 3 Chip               OK         58 degrees C / 136 degrees F
      FPC 10 XM 0 TSen               OK         43 degrees C / 109 degrees F
      FPC 10 XM 0 Chip               OK         53 degrees C / 127 degrees F
      FPC 10 XF 0 TSen               OK         43 degrees C / 109 degrees F
      FPC 10 XF 0 Chip               OK         64 degrees C / 147 degrees F
      FPC 10 PLX Switch TSen         OK         43 degrees C / 109 degrees F
      FPC 10 PLX Switch Chip         OK         44 degrees C / 111 degrees F
      FPC 11 Intake                  OK         32 degrees C / 89 degrees F
      FPC 11 Exhaust A               OK         41 degrees C / 105 degrees F
      FPC 11 Exhaust B               OK         56 degrees C / 132 degrees F
      FPC 11 LU 0 TSen               OK         45 degrees C / 113 degrees F
      FPC 11 LU 0 Chip               OK         50 degrees C / 122 degrees F
      FPC 11 LU 1 TSen               OK         45 degrees C / 113 degrees F
      FPC 11 LU 1 Chip               OK         47 degrees C / 116 degrees F
      FPC 11 LU 2 TSen               OK         45 degrees C / 113 degrees F
      FPC 11 LU 2 Chip               OK         52 degrees C / 125 degrees F
      FPC 11 LU 3 TSen               OK         45 degrees C / 113 degrees F
      FPC 11 LU 3 Chip               OK         60 degrees C / 140 degrees F
      FPC 11 XM 0 TSen               OK         45 degrees C / 113 degrees F
      FPC 11 XM 0 Chip               OK         56 degrees C / 132 degrees F
      FPC 11 XF 0 TSen               OK         45 degrees C / 113 degrees F
      FPC 11 XF 0 Chip               OK         65 degrees C / 149 degrees F
      FPC 11 PLX Switch TSen         OK         45 degrees C / 113 degrees F
      FPC 11 PLX Switch Chip         OK         46 degrees C / 114 degrees F
Fans  Top Fan Tray Temp              OK         34 degrees C / 93 degrees F
      Top Tray Fan 1                 OK         Spinning at normal speed
      Top Tray Fan 2                 OK         Spinning at normal speed
      Top Tray Fan 3                 OK         Spinning at normal speed
      Top Tray Fan 4                 OK         Spinning at normal speed
      Top Tray Fan 5                 OK         Spinning at normal speed
      Top Tray Fan 6                 OK         Spinning at normal speed
      Top Tray Fan 7                 OK         Spinning at normal speed
      Top Tray Fan 8                 OK         Spinning at normal speed
      Top Tray Fan 9                 OK         Spinning at normal speed
      Top Tray Fan 10                OK         Spinning at normal speed
      Top Tray Fan 11                OK         Spinning at normal speed
      Top Tray Fan 12                OK         Spinning at normal speed
      Bottom Fan Tray Temp           OK         31 degrees C / 87 degrees F
      Bottom Tray Fan 1              OK         Spinning at normal speed
      Bottom Tray Fan 2              OK         Spinning at normal speed
      Bottom Tray Fan 3              OK         Spinning at normal speed
      Bottom Tray Fan 4              OK         Spinning at normal speed
      Bottom Tray Fan 5              OK         Spinning at normal speed
      Bottom Tray Fan 6              OK         Spinning at normal speed
      Bottom Tray Fan 7              OK         Spinning at normal speed
      Bottom Tray Fan 8              OK         Spinning at normal speed
      Bottom Tray Fan 9              OK         Spinning at normal speed
      Bottom Tray Fan 10             OK         Spinning at normal speed
      Bottom Tray Fan 11             OK         Spinning at normal speed
      Bottom Tray Fan 12             OK         Spinning at normal speed
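Table 7 documents four status values (OK, Testing, Failed, Absent) and a measurement column that is a temperature for Temp rows and a speed string for fan rows; a monitoring job that polls show chassis environment has to tell those apart and must not page on every Absent row, since a single-Routing-Engine chassis legitimately reports Routing Engine 1 as Absent. The following parser is an added example written for this guide, not Juniper code. Its sample output is constructed in the format shown above; the Failed and Testing fan rows and the 60 C threshold are illustrative assumptions, not values from a device.

```python
"""Parse `show chassis environment` output and group the rows an operator should act on.

Added example; not Juniper code. SAMPLE_OUTPUT is constructed in the format the guide
shows; the Failed/Testing fans and the 60 C threshold are illustrative assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_OUTPUT = """\
Class Item                           Status     Measurement
Temp  PEM 0                          OK         40 degrees C / 104 degrees F
      PEM 1                          OK         40 degrees C / 104 degrees F
      Routing Engine 0               OK         31 degrees C / 87 degrees F
      Routing Engine 1               Absent
      CB 0 Intake                    OK         28 degrees C / 82 degrees F
      FPC 10 XF 0 Chip               OK         64 degrees C / 147 degrees F
      FPC 11 XF 0 Chip               OK         65 degrees C / 149 degrees F
Fans  Top Fan Tray Temp              OK         34 degrees C / 93 degrees F
      Top Tray Fan 1                 OK         Spinning at normal speed
      Bottom Tray Fan 3              Failed
      Bottom Tray Fan 4              Testing
"""

STATUSES = ("OK", "Testing", "Failed", "Absent")   # the four values Table 7 documents
# Class is printed only on the first row of a group; the item name is everything up to
# the run of two or more spaces that precedes the status word.
ROW_RE = re.compile(
    r"^(?P<cls>Temp|Fans)?\s+(?P<item>\S.*?)\s{2,}"
    r"(?P<status>" + "|".join(STATUSES) + r")(?:\s+(?P<meas>\S.*?))?\s*$"
)
TEMP_RE = re.compile(r"(\d+) degrees C")


@dataclass
class EnvRecord:
    cls: str                 # "Temp" or "Fans", carried over from the last row that named it
    item: str
    status: str
    measurement: Optional[str]
    temp_c: Optional[int]    # parsed Celsius reading, or None for Absent items and fan rows


def parse_environment(text: str) -> List[EnvRecord]:
    """Return one record per data row; the header line does not match ROW_RE and is skipped."""
    records: List[EnvRecord] = []
    current_cls = ""
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        if m.group("cls"):
            current_cls = m.group("cls")
        meas = m.group("meas")
        t = TEMP_RE.search(meas) if meas else None
        records.append(EnvRecord(current_cls, m.group("item"), m.group("status"),
                                 meas, int(t.group(1)) if t else None))
    return records


def find_alerts(records: List[EnvRecord], max_temp_c: int = 60) -> Dict[str, List[str]]:
    """Group rows by what a monitoring job should do with them.

    'failed' - status Failed or Testing (a fan still in Testing long after boot is suspect)
    'hot'    - status OK but the Celsius reading is above max_temp_c (assumed threshold)
    'absent' - status Absent, listed separately so an expected empty slot can be whitelisted
    """
    out: Dict[str, List[str]] = {"failed": [], "hot": [], "absent": []}
    for r in records:
        if r.status in ("Failed", "Testing"):
            out["failed"].append(f"{r.cls} {r.item}: {r.status}")
        elif r.status == "Absent":
            out["absent"].append(r.item)
        elif r.temp_c is not None and r.temp_c > max_temp_c:
            out["hot"].append(f"{r.cls} {r.item}: {r.temp_c} C")
    return out


if __name__ == "__main__":
    for kind, items in find_alerts(parse_environment(SAMPLE_OUTPUT)).items():
        print(kind, items)
```

The threshold is deliberately a parameter: the operating limits differ per sensor and platform, so a deployment would set it per item class rather than use one number for a PEM and a forwarding ASIC.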
show chassis ethernet-switch
Syntax
show chassis ethernet-switch
Release Information
Command introduced in Junos OS Release 9.2.
Description
SRX Series devices display information about the ports on the Control Board (CB) Ethernet switch.
Required Privilege Level
view
List of Sample Output
show chassis ethernet-switch on page 82
Output Fields
Table 8 on page 82 lists the output fields for the show chassis ethernet-switch command. Output fields are listed in the approximate order in which they appear.
Table 8: show chassis ethernet-switch Output Fields
Field Name
Field Description
Link is good on port n connected to device or Link is good on Fast Ethernet port n connected to device
Information about the link between each port on the CB's Ethernet switch and one of the following devices:
• FPC0 (Flexible PIC Concentrator 0) through FPC7
• Local controller
• Routing Engine
• Other Routing Engine (on a system with two Routing Engines)
• SPMB (Switch Processor Mezzanine Board)
Speed is
Speed at which the Ethernet link is running.
Duplex is
Duplex type of the Ethernet link: full or half.
Autonegotiate is
Enabled (or Disabled)
By default, built-in Fast Ethernet ports on a PIC autonegotiate whether to operate at 10 Mbps or 100 Mbps. All other interfaces automatically choose the correct speed based on the PIC type and whether the PIC is configured to operate in multiplexed mode.
Sample Output
show chassis ethernet-switch
user@host> show chassis ethernet-switch
node0:
--------------------------------------------------------------------------
Displaying summary for switch 0
Link is good on GE port 0 connected to device: FPC0
Speed is 1000Mb
Duplex is full
Autonegotiate is Enabled
Flow Control TX is Disabled
Flow Control RX is Disabled
Link is good on GE port 1 connected to device: FPC1
Speed is 1000Mb
Duplex is full
Autonegotiate is Enabled
Flow Control TX is Disabled
Flow Control RX is Disabled
Link is good on GE port 2 connected to device: FPC2
Speed is 1000Mb
Duplex is full
Autonegotiate is Enabled
Flow Control TX is Disabled
Flow Control RX is Disabled
Link is good on GE port 3 connected to device: FPC3
Speed is 1000Mb
Duplex is full
Autonegotiate is Enabled
Flow Control TX is Disabled
Flow Control RX is Disabled
Link is good on GE port 4 connected to device: FPC4
Speed is 1000Mb
Duplex is full
Autonegotiate is Enabled
Flow Control TX is Disabled
Flow Control RX is Disabled
Link is down on GE port 5 connected to device: FPC5
Link is down on GE port 6 connected to device: FPC6
Link is good on GE port 7 connected to device: FPC7
Speed is 1000Mb
Duplex is full
Autonegotiate is Enabled
Flow Control TX is Disabled
Flow Control RX is Disabled
Link is good on GE port 8 connected to device: FPC8
Speed is 1000Mb
Duplex is full
Autonegotiate is Enabled
Flow Control TX is Disabled
Flow Control RX is Disabled
Link is good on GE port 9 connected to device: FPC9
Speed is 1000Mb
Duplex is full
Autonegotiate is Enabled
Flow Control TX is Disabled
Flow Control RX is Disabled
Link is down on GE port 10 connected to device: FPC10
Link is down on GE port 11 connected to device: FPC11
Link is good on GE port 12 connected to device: Other RE
Speed is 1000Mb
Duplex is full
Autonegotiate is Enabled
Flow Control TX is Disabled
Flow Control RX is Disabled
Link is good on GE port 13 connected to device: RE-GigE
Speed is 1000Mb
Duplex is full
Autonegotiate is Enabled
Flow Control TX is Disabled
Flow Control RX is Disabled
Link is down on GE port 14 connected to device: Debug-GigE
node1:
--------------------------------------------------------------------------
Displaying summary for switch 0
Link is good on GE port 0 connected to device: FPC0
Speed is 1000Mb
Duplex is full
Autonegotiate is Enabled
Flow Control TX is Disabled
Flow Control RX is Disabled
Link is good on GE port 1 connected to device: FPC1
Speed is 1000Mb
Duplex is full
Autonegotiate is Enabled
Flow Control TX is Disabled
Flow Control RX is Disabled
Link is good on GE port 2 connected to device: FPC2
Speed is 1000Mb
Duplex is full
Autonegotiate is Enabled
Flow Control TX is Disabled
Flow Control RX is Disabled
Link is good on GE port 3 connected to device: FPC3
Speed is 1000Mb
Duplex is full
Autonegotiate is Enabled
Flow Control TX is Disabled
Flow Control RX is Disabled
Link is good on GE port 4 connected to device: FPC4
Speed is 1000Mb
Duplex is full
Autonegotiate is Enabled
Flow Control TX is Disabled
Flow Control RX is Disabled
Link is down on GE port 5 connected to device: FPC5
Link is down on GE port 6 connected to device: FPC6
Link is good on GE port 7 connected to device: FPC7
Speed is 1000Mb
Duplex is full
Autonegotiate is Enabled
Flow Control TX is Disabled
Flow Control RX is Disabled
Link is good on GE port 8 connected to device: FPC8
Speed is 1000Mb
Duplex is full
Autonegotiate is Enabled
Flow Control TX is Disabled
Flow Control RX is Disabled
Link is good on GE port 9 connected to device: FPC9
Speed is 1000Mb
Duplex is full
Autonegotiate is Enabled
Flow Control TX is Disabled
Flow Control RX is Disabled
Link is down on GE port 10 connected to device: FPC10
Link is down on GE port 11 connected to device: FPC11
Link is good on GE port 12 connected to device: Other RE
Speed is 1000Mb
Duplex is full
Autonegotiate is Enabled
Flow Control TX is Disabled
Flow Control RX is Disabled
Link is good on GE port 13 connected to device: RE-GigE
Speed is 1000Mb
Duplex is full
Autonegotiate is Enabled
Flow Control TX is Disabled
Flow Control RX is Disabled
Link is down on GE port 14 connected to device: Debug-GigE
show chassis fabric plane

Syntax
    show chassis fabric plane

Release Information
    Command introduced in Junos OS Release 9.2.

Description
    Show the state of the fabric management plane.

Required Privilege Level
    view

Related Documentation
    • show chassis fabric plane-location

List of Sample Output
    show chassis fabric plane (SRX5600 and SRX5800 devices with SRX5000 line SCB II (SRX5K-SCBE) and SRX5K-RE-1800X4) on page 87

Output Fields
    Table 9 on page 86 lists the output fields for the show chassis fabric plane command. Output fields are listed in the approximate order in which they appear.

Table 9: show chassis fabric plane Output Fields
(Columns: Field Name, Field Description, Level of output)

Plane
    Number of the plane.
    Level of output: none

Plane state
    State of each plane:
    • ACTIVE: SIB is operational and running.
    • FAULTY: SIB is in an alarmed state and the SIB's plane is not operational, for one of the following reasons:
      • On-board fabric ASIC is not operational.
      • Fiber-optic connector faults.
      • FPC connector faults.
      • SIB midplane connector faults.
    Level of output: none

FPC
    Slot number of each Flexible PIC Concentrator (FPC).
    Level of output: none

PFE
    Slot number of each Packet Forwarding Engine and the state of the links to the FPC:
    • Links ok: Link between SIB and FPC is active.
    • Link error: Link between SIB and FPC is not operational.
    • Unused: No FPC is present.
    Level of output: none

State
    State of the fabric plane:
    • Online: Fabric plane is operational and running, and the links on the SIB are operational.
    • Offline: Fabric plane state is Offline because the plane does not have four or more F2S and one F13 online.
    • Empty: Fabric plane state is Empty if all SIBs in the plane are absent.
    • Spare: Fabric plane is redundant and can become operational if the operational fabric plane encounters an error.
    • Check: Fabric plane is in an alarmed state for the following reason, and the cause of the error must be resolved:
      • One or more SIBs belonging to the fabric plane that were in the Online or Spare state have transitioned to the Check state. The Check state of a SIB can be caused by link errors or destination errors.
    • Fault: Fabric plane is in an alarmed state if one or more SIBs belonging to the plane are in the Fault state. A SIB can be in the Fault state for one of the following reasons:
      • On-board fabric ASIC is not operational.
      • Fiber-optic connector faults.
      • FPC connector faults.
      • SIB midplane connector faults.
      • Link errors have exceeded the threshold.
    Level of output: none
Sample Output

show chassis fabric plane (SRX5600 and SRX5800 devices with SRX5000 line SCB II (SRX5K-SCBE) and SRX5K-RE-1800X4)

user@host> show chassis fabric plane
node0:
--------------------------------------------------------------------------
Fabric management PLANE state
Plane 0
Plane state: ACTIVE
  FPC 0
    PFE 0 :Links ok
  FPC 2
    PFE 0 :Links ok
  FPC 3
    PFE 0 :Links ok
  FPC 4
    PFE 0 :Links ok
  FPC 7
    PFE 0 :Links ok
  FPC 8
    PFE 0 :Links ok
  FPC 9
    PFE 0 :Links ok
  FPC 10
    PFE 0 :Links ok
Plane 1
Plane state: ACTIVE
  FPC 0
    PFE 0 :Links ok
  FPC 2
    PFE 0 :Links ok
  FPC 3
    PFE 0 :Links ok
  FPC 4
    PFE 0 :Links ok
  FPC 7
    PFE 0 :Links ok
  FPC 8
    PFE 0 :Links ok
  FPC 9
    PFE 0 :Links ok
  FPC 10
    PFE 0 :Links ok
Plane 2
Plane state: ACTIVE
  FPC 0
    PFE 0 :Links ok
  FPC 2
    PFE 0 :Links ok
  FPC 3
    PFE 0 :Links ok
  FPC 4
    PFE 0 :Links ok
  FPC 7
    PFE 0 :Links ok
  FPC 8
    PFE 0 :Links ok
  FPC 9
    PFE 0 :Links ok
  FPC 10
    PFE 0 :Links ok
Plane 3
Plane state: ACTIVE
  FPC 0
    PFE 0 :Links ok
  FPC 2
    PFE 0 :Links ok
  FPC 3
    PFE 0 :Links ok
  FPC 4
    PFE 0 :Links ok
  FPC 7
    PFE 0 :Links ok
  FPC 8
    PFE 0 :Links ok
  FPC 9
    PFE 0 :Links ok
  FPC 10
    PFE 0 :Links ok
Plane 4
Plane state: SPARE
  FPC 0
    PFE 0 :Links ok
  FPC 2
    PFE 0 :Links ok
  FPC 3
    PFE 0 :Links ok
  FPC 4
    PFE 0 :Links ok
  FPC 7
    PFE 0 :Links ok
  FPC 8
    PFE 0 :Links ok
  FPC 9
    PFE 0 :Links ok
  FPC 10
    PFE 0 :Links ok
Plane 5
Plane state: SPARE
  FPC 0
    PFE 0 :Links ok
  FPC 2
    PFE 0 :Links ok
  FPC 3
    PFE 0 :Links ok
  FPC 4
    PFE 0 :Links ok
  FPC 7
    PFE 0 :Links ok
  FPC 8
    PFE 0 :Links ok
  FPC 9
    PFE 0 :Links ok
  FPC 10
    PFE 0 :Links ok
node1:
--------------------------------------------------------------------------
Fabric management PLANE state
Plane 0
Plane state: ACTIVE
  FPC 0
    PFE 0 :Links ok
  FPC 1
    PFE 0 :Links ok
  FPC 2
    PFE 0 :Links ok
  FPC 3
    PFE 0 :Links ok
  FPC 4
    PFE 0 :Links ok
  FPC 7
    PFE 0 :Links ok
  FPC 8
    PFE 0 :Links ok
  FPC 10
    PFE 0 :Links ok
Plane 1
Plane state: ACTIVE
  FPC 0
    PFE 0 :Links ok
  FPC 1
    PFE 0 :Links ok
  FPC 2
    PFE 0 :Links ok
  FPC 3
    PFE 0 :Links ok
  FPC 4
    PFE 0 :Links ok
  FPC 7
    PFE 0 :Links ok
  FPC 8
    PFE 0 :Links ok
  FPC 10
    PFE 0 :Links ok
Plane 2
Plane state: ACTIVE
  FPC 0
    PFE 0 :Links ok
  FPC 1
    PFE 0 :Links ok
  FPC 2
    PFE 0 :Links ok
  FPC 3
    PFE 0 :Links ok
  FPC 4
    PFE 0 :Links ok
  FPC 7
    PFE 0 :Links ok
  FPC 8
    PFE 0 :Links ok
  FPC 10
    PFE 0 :Links ok
Plane 3
Plane state: ACTIVE
  FPC 0
    PFE 0 :Links ok
  FPC 1
    PFE 0 :Links ok
  FPC 2
    PFE 0 :Links ok
  FPC 3
    PFE 0 :Links ok
  FPC 4
    PFE 0 :Links ok
  FPC 7
    PFE 0 :Links ok
  FPC 8
    PFE 0 :Links ok
  FPC 10
    PFE 0 :Links ok
Plane 4
Plane state: SPARE
  FPC 0
    PFE 0 :Links ok
  FPC 1
    PFE 0 :Links ok
  FPC 2
    PFE 0 :Links ok
  FPC 3
    PFE 0 :Links ok
  FPC 4
    PFE 0 :Links ok
  FPC 7
    PFE 0 :Links ok
  FPC 8
    PFE 0 :Links ok
  FPC 10
    PFE 0 :Links ok
Plane 5
Plane state: SPARE
  FPC 0
    PFE 0 :Links ok
  FPC 1
    PFE 0 :Links ok
  FPC 2
    PFE 0 :Links ok
  FPC 3
    PFE 0 :Links ok
  FPC 4
    PFE 0 :Links ok
  FPC 7
    PFE 0 :Links ok
  FPC 8
    PFE 0 :Links ok
  FPC 10
    PFE 0 :Links ok
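A health check over this output, added here as an example that is not part of the original guide or of Junos OS: it parses the per-node, per-plane, per-FPC link status that show chassis fabric plane prints and reports every plane whose state is not ACTIVE or SPARE and every SIB-to-FPC link that reports Link error, which is what an operator polling a chassis cluster wants to alarm on. The sample text it runs on is constructed for the example (a shortened two-node cluster with one link error and one FAULTY plane), not captured from a device, and the indentation and the line patterns are assumptions about the layout shown above.

```python
import re

# Constructed sample of `show chassis fabric plane` output from a two-node SRX chassis
# cluster (not captured from a device): node1 has a link error on plane 0 / FPC 2 and a
# FAULTY plane 1. Real output lists more planes and FPCs; the parser does not care.
SAMPLE_OUTPUT = """\
node0:
--------------------------------------------------------------------------
Fabric management PLANE state
Plane 0
Plane state: ACTIVE
  FPC 0
    PFE 0 :Links ok
  FPC 2
    PFE 0 :Links ok
Plane 1
Plane state: SPARE
  FPC 0
    PFE 0 :Links ok
  FPC 2
    PFE 0 :Links ok
node1:
--------------------------------------------------------------------------
Fabric management PLANE state
Plane 0
Plane state: ACTIVE
  FPC 0
    PFE 0 :Links ok
  FPC 2
    PFE 0 :Link error
Plane 1
Plane state: FAULTY
  FPC 0
    PFE 0 :Unused
"""

# Line patterns (assumed layout); anchored so that "Plane state: ..." is never
# mistaken for a "Plane N" header.
NODE_RE = re.compile(r"^(node\d+):$")
PLANE_RE = re.compile(r"^Plane (\d+)$")
STATE_RE = re.compile(r"^Plane state: (\S+)$")
FPC_RE = re.compile(r"^FPC (\d+)$")
PFE_RE = re.compile(r"^PFE (\d+) :(.+)$")

HEALTHY_PLANE_STATES = {"ACTIVE", "SPARE"}   # anything else (for example FAULTY) is reported


def parse_fabric_planes(text):
    """Return {node: {plane: {"state": str, "links": {(fpc, pfe): status}}}}.

    Standalone (non-cluster) output has no "nodeN:" line; it is filed under "local".
    """
    planes_by_node = {}
    node, plane, fpc = "local", None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = NODE_RE.match(line)
        if m:
            node = m.group(1)
            continue
        m = PLANE_RE.match(line)
        if m:
            plane = int(m.group(1))
            planes_by_node.setdefault(node, {})[plane] = {"state": None, "links": {}}
            continue
        m = STATE_RE.match(line)
        if m:
            planes_by_node[node][plane]["state"] = m.group(1)
            continue
        m = FPC_RE.match(line)
        if m:
            fpc = int(m.group(1))
            continue
        m = PFE_RE.match(line)
        if m:
            planes_by_node[node][plane]["links"][(fpc, int(m.group(1)))] = m.group(2).strip()
    return planes_by_node


def fabric_findings(planes_by_node):
    """List (node, plane, finding) tuples for anything that needs an operator's attention:
    a plane whose state is not ACTIVE or SPARE, or a SIB-to-FPC link reporting "Link error".
    "Unused" means no FPC in that slot and is not a finding."""
    findings = []
    for node, planes in sorted(planes_by_node.items()):
        for plane, info in sorted(planes.items()):
            if info["state"] not in HEALTHY_PLANE_STATES:
                findings.append((node, plane, "plane state %s" % info["state"]))
            for (fpc, pfe), status in sorted(info["links"].items()):
                if status == "Link error":
                    findings.append((node, plane, "FPC %d PFE %d: link error" % (fpc, pfe)))
    return findings


if __name__ == "__main__":
    for finding in fabric_findings(parse_fabric_planes(SAMPLE_OUTPUT)):
        print("%s plane %d: %s" % finding)
```

Feed it the text of show chassis fabric plane collected over NETCONF or from a log, and page on a non-empty findings list; on the healthy output above it returns nothing.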
show chassis fabric plane-location

Syntax
    show chassis fabric plane-location

Release Information
    Command introduced in Junos OS Release 9.2.

Description
    Show the fabric plane location.

Required Privilege Level
    view

List of Sample Output
    show chassis fabric plane-location (SRX5600 and SRX5800 devices with SRX5000 line SCB II (SRX5K-SCBE) and SRX5K-RE-1800X4) on page 92

Output Fields
    Table 10 on page 92 lists the output fields for the show chassis fabric plane-location command. Output fields are listed in the approximate order in which they appear.

Table 10: show chassis fabric plane-location Output Fields

Field Name         Field Description
Plane n            Plane number.
Control Board n    Control Board number.

Sample Output

show chassis fabric plane-location (SRX5600 and SRX5800 devices with SRX5000 line SCB II (SRX5K-SCBE) and SRX5K-RE-1800X4)

user@host> show chassis fabric plane-location
node0:
--------------------------------------------------------------------------
------------Fabric Plane Locations------------
Plane 0
  Control Board 0
Plane 1
  Control Board 0
Plane 2
  Control Board 1
Plane 3
  Control Board 1
Plane 4
  Control Board 2
Plane 5
  Control Board 2
node1:
--------------------------------------------------------------------------
------------Fabric Plane Locations------------
Plane 0
  Control Board 0
Plane 1
  Control Board 0
Plane 2
  Control Board 1
Plane 3
  Control Board 1
Plane 4
  Control Board 2
Plane 5
  Control Board 2
show chassis fabric summary

Syntax
    show chassis fabric summary

Release Information
    Command introduced in Junos OS Release 9.2.

Description
    Show the summary fabric management state.

Options
    This command has no options.

Required Privilege Level
    view

List of Sample Output
    show chassis fabric summary (SRX5600 and SRX5800 devices with SRX5000 line SCB II (SRX5K-SCBE) and SRX5K-RE-1800X4) on page 94

Output Fields
    Table 11 on page 93 lists the output fields for the show chassis fabric summary command. Output fields are listed in the approximate order in which they appear.

Table 11: show chassis fabric summary Output Fields
(Columns: Field Name, Field Description)

Plane
    Plane number.

State
    State of the SIB or FPC:
    • Online: Switch Interface Board (SIB) is operational and running.
    • Empty: SIB is powered down.
    • Check: SIB is in the Check state for one of the following reasons:
      • SIB is not inserted properly.
      • Destination errors are detected on the SIB. In this case, the Packet Forwarding Engine stops using the SIB to send traffic to the affected destination Packet Forwarding Engine.
      • Link errors are detected on the channel between the SIB and a Packet Forwarding Engine. Link errors can be detected at initialization time or at runtime:
        • Link errors caused by a link training failure at initialization time: the Packet Forwarding Engine does not use the SIB to send traffic. The show chassis fabric fpcs command shows Plane disabled as the status for this link.
        • Link errors caused by CRC errors detected at runtime: the Packet Forwarding Engine continues to use the SIB to send traffic. The show chassis fabric fpcs command shows Link error as the status for this link.
      For information about link and destination errors, issue the show chassis fabric fpcs command.
    • Spare: SIB is redundant and will move to the active state if one of the working SIBs fails.

Errors
    Indicates whether there is any error on the SIB:
    • None: No errors.
    • Link Errors: Fabric link errors were found on the SIB RX link.
    • Cell drops: Fabric cell drops were found on the SIB ASIC.
    • Link, Cell drops: Both link errors and cell drops were detected on at least one of the FPC's fabric links.
    NOTE: The Errors column is empty only when the FPC or SIB is offline.

Uptime
    Elapsed time the plane has been online.
Sample Output

show chassis fabric summary (SRX5600 and SRX5800 devices with SRX5000 line SCB II (SRX5K-SCBE) and SRX5K-RE-1800X4)

user@host> show chassis fabric summary
node0:
--------------------------------------------------------------------------
Plane   State    Uptime
 0      Online   14 minutes, 10 seconds
 1      Online   14 minutes, 5 seconds
 2      Online   14 minutes
 3      Online   13 minutes, 55 seconds
 4      Spare    13 minutes, 50 seconds
 5      Spare    13 minutes, 44 seconds
node1:
--------------------------------------------------------------------------
Plane   State    Uptime
 0      Online   14 minutes, 7 seconds
 1      Online   14 minutes, 2 seconds
 2      Online   13 minutes, 57 seconds
 3      Online   13 minutes, 51 seconds
 4      Spare    13 minutes, 46 seconds
 5      Spare    13 minutes, 41 seconds
IPv6

• Establishing an Outbound SSH Connection on page 94

Establishing an Outbound SSH Connection

To enable a configuration management server to establish an outbound SSH connection with the client server, you must satisfy the following requirements:

Configuring the Device Running Junos OS for Outbound SSH

To configure the device running Junos OS for outbound SSH:

1. At the [edit system services ssh] hierarchy level, set the SSH protocol-version to v2:

   [edit system services ssh]
   user@host# set protocol-version v2

2. During the initialization of an outbound SSH connection, the client authenticates the identity of the router or switch using the public SSH host key of the device. Therefore, before the client can initiate the SSH sequence, it needs the public SSH host key of the device. When you configure the secret statement, the device passes its public SSH host key as part of the outbound SSH connection initiation sequence: the device communicates its device ID, its public SSH host key, and an SHA1 hash derived in part from the value of the secret statement. That value is shared between the device and the management client. The client uses the shared secret to authenticate the public SSH host key it receives, that is, to determine whether the key really belongs to the device identified by the device-id statement. The host key pair authenticates the device to the client; the session keys negotiated during the SSH key exchange are what encrypt the data transferred across the SSH connection.

3. If the public key will be installed on the configuration management server manually, transfer the public key to the configuration management server.

4. Once the client application has the device's public SSH host key, it can initiate the SSH sequence as if it had created the TCP/IP connection, and can authenticate the device using its copy of the device's public host key as part of that sequence.

5. To configure the client servers available for this outbound SSH connection, list each client with a separate address statement.

6. Add the outbound-ssh statement at the [edit system services] hierarchy level:

   [edit system services]
   outbound-ssh {
       client client-id {
           device-id device-id;
           secret secret;
           keep-alive {
               retry number;
               timeout number;
           }
           reconnect-strategy (sticky | in-order);
           services service-name;
           address [ address ] {
               port destination-port;
               retry number;
               timeout number;
           }
       }
   }

   The attributes are as follows:

   • client client-id: Identifies the outbound SSH configuration stanza on the device. Each outbound SSH stanza represents a single outbound SSH connection. This attribute is not sent to the client.
   • device-id device-id: Unique ID identifying the device running Junos OS to the configuration management server during the initiation process.
   • secret secret: (Optional) Shared secret with which the configuration management server authenticates the device's public SSH host key (see step 2). If this statement is added to the outbound SSH configuration hierarchy, the device passes its public host key, together with the hash derived from the secret, to the configuration management server during the initialization of the outbound SSH service. This is the recommended method of maintaining a current copy of the device's public key on the configuration management server. Treat the secret as a credential: anyone who knows it can present a host key the server will accept as the device's.
   • keep-alive: (Optional) Specify that keepalive messages be sent from the device running Junos OS to the configuration management server. To configure the keepalive message, you must set both the timeout and retry attributes.
     • retry number: Number of keepalive messages the device running Junos OS sends without receiving a response from the configuration management server before the current SSH connection is terminated. The default is three tries.
     • timeout seconds: Amount of time, in seconds, that the server waits for data before sending a keepalive signal. The default is 15 seconds.
   • reconnect-strategy (sticky | in-order): (Optional) Method that the device running Junos OS uses to reestablish a disconnected outbound SSH connection. Two methods are available:
     • sticky: The device attempts to reconnect to the configuration management server to which it was last connected. If the connection is unavailable, the device attempts to establish a connection with the next configuration management server on the list, and so forth, until a connection is established.
     • in-order: The device attempts to reestablish an outbound SSH session based on the configuration management server address list. The device attempts to establish a session with the first server on the list. If this connection is not available, the device attempts to establish a session with the next server, and so on down the list, until a connection is established.
     When reconnecting to a client, the device running Junos OS attempts to reconnect to the client based on the retry and timeout values for each client listed in the configuration management server list.
   • services service-name: (Required) Specifies the services available for the session.
   • address: (Required) The hostname or the IPv6 address of the configuration management server. You can list multiple clients by adding each client's IP address or hostname along with the following connection parameters:
     • port destination-port: Outbound SSH port for the client. The default is port 22.
     • retry number: Number of times the device running Junos OS attempts to establish an outbound SSH connection before giving up. The default is three tries.
     • timeout seconds: Amount of time, in seconds, that the device running Junos OS attempts to establish an outbound SSH connection before giving up. The default is 15 seconds.

7. Commit the configuration:

   [edit]
   user@host# commit
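The check the configuration management server has to perform in step 2, written out as an added example (it is not part of the original guide and not Junos OS or any Juniper management-server code): the device announces its device ID, its public host key and a secret-derived SHA1 hash, and the server accepts the host key only if the hash verifies under the shared secret, the device ID is the one it expects, and the key matches whatever it pinned on an earlier connection. The guide does not specify the exact wire layout or how the hash is computed, so the line format, the device-id, the secret and the placeholder host key below are constructed for the example, and the HMAC-SHA1 construction is an assumption made to match "an SHA1 hash derived in part from the secret statement".

```python
import hashlib
import hmac

# Values constructed for this example. The device-id and secret correspond to the
# `device-id` and `secret` statements under [edit system services outbound-ssh client ...];
# the host key is a placeholder string, not a real key.
DEVICE_ID = "srx-branch-01"
SHARED_SECRET = "example-shared-secret-change-me"
HOST_KEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7EXAMPLEKEYMATERIAL srx-branch-01"


def host_key_tag(host_key, secret):
    """Assumed construction of the secret-derived SHA1 hash: HMAC-SHA1 over the public
    host key, keyed with the shared secret. A bare SHA1(key || secret) would be open to
    length-extension; HMAC is not."""
    return hmac.new(secret.encode(), host_key.encode(), hashlib.sha1).hexdigest()


def build_announcement(device_id, host_key, secret):
    """Device side (assumed line layout): the three items the guide says are sent when
    the outbound connection is initiated."""
    return ("DEVICE-ID: %s\r\n" % device_id
            + "HOST-KEY: %s\r\n" % host_key
            + "HMAC: %s\r\n" % host_key_tag(host_key, secret))


def parse_announcement(text):
    fields = {}
    for line in text.split("\r\n"):
        if line:
            name, _, value = line.partition(": ")
            fields[name] = value
    return fields


def verify_announcement(text, expected_device_id, secret, known_hosts):
    """Management-server side. Returns (accepted, reason). The host key is trusted only if
    (1) the device ID is the one this server expects, (2) the tag verifies under the shared
    secret (constant-time compare), and (3) it matches the key pinned on an earlier
    connection, if any. On first contact the verified key is pinned in known_hosts."""
    fields = parse_announcement(text)
    if fields.get("DEVICE-ID") != expected_device_id:
        return False, "unexpected device-id"
    host_key = fields.get("HOST-KEY", "")
    tag = fields.get("HMAC", "")
    expected = host_key_tag(host_key, secret)
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return False, "hash does not verify under the shared secret; host key rejected"
    pinned = known_hosts.get(expected_device_id)
    if pinned is not None and pinned != host_key:
        return False, "host key differs from the pinned key; possible impersonation"
    known_hosts[expected_device_id] = host_key
    return True, "host key accepted"


if __name__ == "__main__":
    pins = {}
    msg = build_announcement(DEVICE_ID, HOST_KEY, SHARED_SECRET)
    print(verify_announcement(msg, DEVICE_ID, SHARED_SECRET, pins))
    forged = msg.replace("AAAAB3", "AAAAB4")   # attacker swaps in a different host key
    print(verify_announcement(forged, DEVICE_ID, SHARED_SECRET, pins))
```

The pin in known_hosts is what limits the damage if the secret leaks: an attacker who knows it can forge a valid tag for a key of their own, but the server still refuses a key that differs from the one it learned on first contact, so a leaked secret has to be rotated before the device's host key is.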
Network Address Translation (NAT)

• Understanding Source NAT Pools on page 97
• Understanding NAT64 IPv6 Prefix to IPv4 Address-Persistent Translation on page 99
• [edit security nat] Hierarchy Level on page 101
• source (Security Source NAT) on page 105
• pool (Security Source NAT) on page 108
• address-persistent (Security Source NAT Pool) on page 109
• Example: Configuring Address Persistent NAT64 Pools on page 109
• show security nat source pool
Understanding Source NAT Pools

For source Network Address Translation (NAT) address pools, specify the following:

• Name of the source NAT address pool.
• Up to eight addresses or address ranges.

  NOTE: Do not overlap NAT addresses for source NAT, destination NAT, and static NAT within one routing instance.

• Routing instance to which the pool belongs (the default is the main inet.0 routing instance).
• No port translation (optional): By default, Port Address Translation (PAT) is performed with source NAT. If you specify the port no-translation option, the number of hosts that the source NAT pool can support is limited to the number of addresses in the pool.
• Overflow pool (optional): Packets are dropped if there are no addresses available in the designated source NAT pool. To prevent that from happening when the port no-translation option is configured, you can specify an overflow pool. Once addresses from the original source NAT pool are exhausted, IP addresses and port numbers are allocated from the overflow pool. A user-defined source NAT pool or an egress interface can be used as the overflow pool. (When the overflow pool is used, the pool ID is returned with the address.)
• IP address shifting (optional): A range of original source IP addresses can be mapped to another range of IP addresses, or to a single IP address, by shifting the IP addresses. Specify the host-address-base option with the base address of the original source IP address range.
• Address sharing (optional): Multiple internal IP addresses can be mapped to the same external IP address. This option can be used only when the source NAT pool is configured with no port translation. Specify the address-shared option when a source NAT pool has few external IP addresses available, or only one external IP address. With a many-to-one mapping, this option conserves NAT resources and improves traffic handling.
• Address pooling (optional): Address pooling can be configured as paired or no-paired. Specify address-pooling paired for applications that require all sessions associated with one internal IP address to be mapped to the same external IP address for the duration of a session. This differs from the persistent-address option, in which the same internal address is translated to the same external address every time. Specify address-pooling no-paired for applications that can be assigned IP addresses in a round-robin fashion. If either address-pooling paired or address-pooling no-paired is configured for a source NAT pool with PAT, the persistent address option is disabled. If address-shared is configured on a source NAT pool without PAT, then the persistent-address option is enabled. Both address-shared and address-pooling paired can be configured on the same source NAT pool without PAT.
• Address persistent (optional): The address-persistent subscriber ipv6-prefix-length option, which is configured in an IPv4 source NAT pool, ensures a sticky mapping between one specific IPv6 prefix and one translated IPv4 address. This augments the NAT64 mechanism when IPv4 services work over IPv6-only networks that use a dual-translation mechanism (464XLAT).

You can use the show security nat resource usage source pool command to view address use in a source NAT pool without PAT, and port use in a source NAT pool with PAT.

When the raise-threshold option is configured for source NAT, an SNMP trap is triggered if the source NAT pool utilization rises above this threshold. If the optional clear-threshold option is configured, an SNMP trap is triggered if the source NAT pool utilization drops below this threshold. If clear-threshold is not configured, it is set by default to 80 percent of the raise-threshold value.
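The capacity, overflow and alarm rules above, as an added example that models them in code (this is not the guide's own material and not Junos OS code; the pool names, addresses and internal hosts are constructed, and the port range of the overflow pool is kept tiny so that it can be exhausted in a test). A pool with port no-translation binds one external address per internal host and keeps that binding for later sessions; when its addresses run out, a new host gets an address plus a port from the overflow pool and the overflow pool's ID is returned with it; with no overflow pool left the packet is dropped. Utilization is address use, the figure show security nat resource usage source pool reports for a pool without PAT, and the raise/clear events stand in for the SNMP traps, with clear-threshold defaulting to 80 percent of raise-threshold.

```python
import ipaddress


def address_range(first, last):
    """Expand "first to last" into a list of dotted-quad strings."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    return [str(ipaddress.IPv4Address(n)) for n in range(lo, hi + 1)]


class PatPool:
    """Overflow pool with PAT: each new session consumes one (address, port) pair.
    The real device allocates ports from a far larger range; (1024, 1027) is for the demo."""

    def __init__(self, name, first, last, ports=(1024, 1027)):
        self.name = name
        self.free = [(a, p) for a in address_range(first, last)
                     for p in range(ports[0], ports[1] + 1)]

    def allocate(self):
        return self.free.pop(0) if self.free else None


class NoPatPool:
    """Source NAT pool configured with `port no-translation`: one external address per
    internal host, so capacity equals the number of addresses in the pool. When the pool
    is exhausted, sessions spill to the overflow pool (address plus port) if one is
    configured and are dropped otherwise. pool-utilization-alarm thresholds are percentages;
    clear defaults to 80 percent of raise, as the guide states."""

    def __init__(self, name, first, last, overflow=None,
                 raise_threshold=None, clear_threshold=None):
        self.name = name
        self.free = address_range(first, last)
        self.total = len(self.free)
        self.bindings = {}            # internal host -> (pool name, address, port)
        self.overflow = overflow
        self.raise_threshold = raise_threshold
        if clear_threshold is None and raise_threshold is not None:
            clear_threshold = raise_threshold * 8 / 10
        self.clear_threshold = clear_threshold
        self.alarm_raised = False
        self.events = []              # ("raise" | "clear", utilization percent)

    def utilization(self):
        """Address use in percent (for a PAT pool the measure would be port use)."""
        return 100.0 * len(self.bindings) / self.total

    def _check_alarm(self):
        """Emit one raise event when crossing above raise-threshold and one clear event
        when dropping back below clear-threshold, the way the SNMP traps behave."""
        if self.raise_threshold is None:
            return
        util = self.utilization()
        if not self.alarm_raised and util > self.raise_threshold:
            self.alarm_raised = True
            self.events.append(("raise", util))
        elif self.alarm_raised and util < self.clear_threshold:
            self.alarm_raised = False
            self.events.append(("clear", util))

    def translate(self, internal_host):
        """Return (pool name, external address, port or None) for a session from
        internal_host, or None if the packet would be dropped. Overflow sessions are
        modelled per session and not recorded here (a simplification of the example)."""
        if internal_host in self.bindings:
            return self.bindings[internal_host]
        if self.free:
            binding = (self.name, self.free.pop(0), None)     # no port translation
            self.bindings[internal_host] = binding
            self._check_alarm()
            return binding
        if self.overflow is not None:
            pair = self.overflow.allocate()
            if pair is not None:
                return (self.overflow.name, pair[0], pair[1])  # pool ID comes back with the address
        return None

    def release(self, internal_host):
        """Tear down a host's binding and return its address to the pool."""
        binding = self.bindings.pop(internal_host, None)
        if binding is not None:
            self.free.append(binding[1])
            self._check_alarm()


if __name__ == "__main__":
    overflow = PatPool("overflow", "203.0.113.10", "203.0.113.10", ports=(1024, 1025))
    pool = NoPatPool("src-pool", "203.0.113.1", "203.0.113.4", overflow=overflow, raise_threshold=70)
    for host in ["10.0.0.%d" % i for i in range(1, 8)]:
        print(host, "->", pool.translate(host))
    print("alarm events:", pool.events)
```

Run it and the fifth and sixth hosts come back tagged with the overflow pool's name and a port, the seventh is dropped, and the raise event fires as the third address is handed out (75 percent, above the 70 percent threshold).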
Related Documentation
• Source NAT Configuration Overview
• Understanding Source NAT Pools with PAT
• Understanding Source NAT Pools Without PAT
• Understanding Source NAT Pools with Address Shifting
• Understanding Persistent Addresses
• Understanding NAT64 IPv6 Prefix to IPv4 Address-Persistent Translation
• Understanding Source NAT Pools with Shared Address
• Understanding Source NAT Pools with Address Pooling
• Network Address Translation Feature Guide for Security Devices
Understanding NAT64 IPv6 Prefix to IPv4 Address-Persistent Translation

The NAT64 mechanism enables IPv6 clients to contact IPv4 servers by translating IPv6 addresses to IPv4 addresses (and vice versa). However, some IPv4 applications and services cannot work correctly over IPv6-only networks with standard NAT64 in a dual-translation scenario such as 464XLAT. In those scenarios, address-persistent translation is required.

Figure 2 on page 99 illustrates the 464XLAT architecture, in which IPv4 packets are translated to IPv6 packets on the customer-side translator (CLAT), cross the IPv6-only network, and are translated back to IPv4 packets on the provider-side translator (PLAT) to reach global IPv4-only content in the core network. This architecture uses a combination of stateless translation on the CLAT and stateful translation on the PLAT.

Figure 2: 464XLAT Architecture

When an SRX Series device functions as a PLAT, it is responsible for keeping a sticky mapping between one specific IPv6 prefix and one translated IPv4 address. The SRX Series device treats the IPv6 prefix as a single user. This mapping is accomplished by configuring the specific IPv6 prefix length in an IPv4 source NAT pool using the address-persistent feature.

Figure 3 on page 100 illustrates a NAT rule configured on the CLAT, which translates an IPv4 address to an IPv6 address with an address-persistent prefix. With stateless NAT46 translation on the CLAT and stateful NAT64 translation on the PLAT, the traffic from IPv4 host 192.168.1.2 reaches the global server 198.51.100.1 over an IPv6-only network.

Figure 3: NAT64 Translation on the PLAT (SRX Series Device)

Table 12 on page 100 lists other NAT features and their compatibility with the address-persistent feature.

Table 12: NAT Feature Compatibility with the Address Persistent Feature

Feature                                        Compatible
PAT pools (IPv4): NAT IPv4 to IPv6             No
PAT pools (IPv4): NAT IPv6 to IPv4             Yes
PAT pools (IPv6): NAT IPv4 to IPv6             No
PAT pools (IPv6): NAT IPv6 to IPv4             No
Non-PAT pools                                  No
Port-overloading                               Yes
Persistent NAT in PAT pool                     Yes
Port block allocation                          Yes
Deterministic NAT                              No
Address pooling paired                         No
ALG                                            Yes (existing ALG NAT translations, such as FTP/PPTP/RTSP/DNS/SIP, from native IPv6 clients)
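The sticky mapping described here, and in the address-persistent bullet of Understanding Source NAT Pools above, as an added example that models the PLAT side in code (not the guide's own material and not Junos OS code). The pool masks each IPv6 source to the configured subscriber prefix length and hands every address in that prefix the same IPv4 address from the pool, while still allocating a port per session because address-persistent is only supported on PAT pools (Table 12). The pool addresses, the subscriber prefixes and the use of the well-known NAT64 prefix 64:ff9b::/96 (RFC 6052) for the IPv4 destination are assumptions of the example, as is the least-loaded choice of which pool address a new subscriber receives; the guide does not say how the device picks one.

```python
import ipaddress

# Well-known NAT64 prefix (RFC 6052). The guide does not say which prefix the PLAT uses,
# so this is an assumption of the example.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


class AddressPersistentNat64Pool:
    """Model of an IPv4 source NAT pool with PAT configured with
    `address-persistent subscriber ipv6-prefix-length N` on the PLAT: every IPv6 source that
    shares the same /N prefix is one subscriber and is always translated to the same IPv4
    address; ports are still allocated per session. Constructed model, not Junos code."""

    def __init__(self, first, last, ipv6_prefix_length, port_translation=True,
                 ports=(1024, 63487)):
        if not port_translation:
            raise ValueError("address-persistent is not supported on non-PAT pools (Table 12)")
        if not 8 <= ipv6_prefix_length <= 128:
            raise ValueError("ipv6-prefix-length must be 8 through 128")
        lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
        self.addresses = [ipaddress.IPv4Address(n) for n in range(lo, hi + 1)]
        self.prefix_length = ipv6_prefix_length
        self.subscriber_to_v4 = {}                       # IPv6Network -> IPv4Address
        self.next_port = {a: ports[0] for a in self.addresses}
        self.last_port = ports[1]

    def subscriber_of(self, src_v6):
        """The sticky-mapping key: the source address masked to the configured prefix."""
        return ipaddress.IPv6Network((ipaddress.IPv6Address(src_v6), self.prefix_length),
                                     strict=False)

    def ipv4_for(self, src_v6):
        """IPv4 address the subscriber owning src_v6 maps to, allocated on first sight and
        never changed afterwards. New subscribers go to the least-loaded address (assumed
        policy); ties go to the first address in the pool."""
        subscriber = self.subscriber_of(src_v6)
        v4 = self.subscriber_to_v4.get(subscriber)
        if v4 is None:
            load = {a: 0 for a in self.addresses}
            for used in self.subscriber_to_v4.values():
                load[used] += 1
            v4 = min(self.addresses, key=lambda a: load[a])
            self.subscriber_to_v4[subscriber] = v4
        return v4

    def translate_session(self, src_v6, dst_v6):
        """Translate one new IPv6 session to (IPv4 source, port, IPv4 destination), or
        None if the destination is not NAT64 traffic or the address's ports are exhausted.
        The IPv4 destination is the address embedded in the low 32 bits of the NAT64 prefix."""
        dst = ipaddress.IPv6Address(dst_v6)
        if dst not in NAT64_PREFIX:
            return None
        v4_dst = ipaddress.IPv4Address(int(dst) & 0xFFFFFFFF)
        v4_src = self.ipv4_for(src_v6)
        port = self.next_port[v4_src]
        if port > self.last_port:
            return None
        self.next_port[v4_src] = port + 1
        return (str(v4_src), port, str(v4_dst))


if __name__ == "__main__":
    # Two CLAT customers on /64 prefixes, each with an IPv4 host 192.168.1.2 embedded in
    # the low bits (constructed addresses), both reaching 198.51.100.1 through NAT64.
    plat = AddressPersistentNat64Pool("203.0.113.1", "203.0.113.2", 64)
    for src in ("2001:db8:0:1::c0a8:102", "2001:db8:0:1::c0a8:103", "2001:db8:0:2::c0a8:102"):
        print(src, "->", plat.translate_session(src, "64:ff9b::c633:6401"))
```

Both hosts behind the first CLAT come out of the same IPv4 address with different ports, which is exactly the property the dual-translation applications need, and a host behind the second CLAT (a different /64) is a different subscriber and lands on a different address.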
Related Documentation
• Network Address Translation Feature Guide for Security Devices
[edit security nat] Hierarchy Level

security {
    nat {
        destination {
            pool pool-name {
                address <ip-address> {
                    (port port-number | to ip-address);
                }
                description text;
                routing-instance (routing-instance-name | default);
            }
            rule-set rule-set-name {
                description text;
                from {
                    interface [interface-name];
                    routing-instance [routing-instance-name];
                    zone [zone-name];
                }
                rule rule-name {
                    description text;
                    match {
                        application {
                            [application];
                            any;
                        }
                        (destination-address ip-address | destination-address-name address-name);
                        destination-port (port-or-low <to high>);
                        protocol [protocol-name-or-number];
                        source-address [ip-address];
                        source-address-name [address-name];
                    }
                    then {
                        destination-nat (off | pool pool-name | rule-session-count-alarm (clear-threshold value | raise-threshold value));
                    }
                }
            }
        }
        proxy-arp {
            interface interface-name {
                address ip-address {
                    to ip-address;
                }
            }
        }
        proxy-ndp {
            interface interface-name {
                address ip-address {
                    to ip-address;
                }
            }
        }
        source {
            address-persistent;
            interface (port-overloading off | port-overloading-factor number);
            pool pool-name {
                address ip-address {
                    to ip-address;
                }
                address-persistent subscriber ipv6-prefix-length prefix-length;
                address-pooling (paired | no-paired);
                address-shared;
                description text;
                host-address-base ip-address;
                overflow-pool (pool-name | interface);
                pool-utilization-alarm (clear-threshold value | raise-threshold value);
                port {
                    block-allocation {
                        active-block-timeout timeout-interval;
                        block-size block-size;
                        log disable;
                        maximum-blocks-per-host maximum-block-number;
                    }
                    deterministic {
                        block-size block-size;
                        host {
                            address ip-address;
                            address-name address-name;
                        }
                    }
                    no-translation;
                    port-overloading-factor number;
                    range {
                        port-low <to port-high>;
                        to port-high;
                        twin-port port-low <to port-high>;
                    }
                }
                routing-instance routing-instance-name;
            }
            pool-default-port-range lower-port-range to upper-port-range;
            pool-default-twin-port-range lower-port-range to upper-port-range;
            pool-utilization-alarm (clear-threshold value | raise-threshold value);
            port-randomization disable;
            rule-set rule-set-name {
                description text;
                from {
                    interface [interface-name];
                    routing-instance [routing-instance-name];
                    zone [zone-name];
                }
                rule rule-name {
                    description text;
                    match {
                        application {
                            [application];
                            any;
                        }
                        (destination-address <ip-address> | destination-address-name <address-name>);
                        destination-port (port-or-low <to high>);
                        protocol [protocol-name-or-number];
                        source-address [ip-address];
                        source-address-name [address-name];
                        source-port (port-or-low <to high>);
                    }
                    then {
                        source-nat {
                            interface {
                                persistent-nat {
                                    address-mapping;
                                    inactivity-timeout seconds;
                                    max-session-number value;
                                    permit (any-remote-host | target-host | target-host-port);
                                }
                            }
                            off;
                            pool {
                                pool-name;
                                persistent-nat {
                                    address-mapping;
                                    inactivity-timeout seconds;
                                    max-session-number number;
                                    permit (any-remote-host | target-host | target-host-port);
                                }
                            }
                            rule-session-count-alarm (clear-threshold value | raise-threshold value);
                        }
                    }
                }
                to {
                    interface [interface-name];
                    routing-instance [routing-instance-name];
                    zone [zone-name];
                }
            }
        }
        static {
            rule-set rule-set-name {
                description text;
                from {
                    interface [interface-name];
                    routing-instance [routing-instance-name];
                    zone [zone-name];
                }
                rule rule-name {
                    description text;
                    match {
                        (destination-address <ip-address> | destination-address-name <address-name>);
                        destination-port (port-or-low <to high>);
                        source-address [ip-address];
                        source-address-name [address-name];
                        source-port (port-or-low <to high>);
                    }
                    then {
                        static-nat {
                            inet {
                                routing-instance (routing-instance-name | default);
                            }
                            prefix {
                                address-prefix;
                                mapped-port lower-port-range to upper-port-range;
                                routing-instance (routing-instance-name | default);
                            }
                            prefix-name {
                                address-prefix-name;
                                mapped-port lower-port-range to upper-port-range;
                                routing-instance (routing-instance-name | default);
                            }
                            rule-session-count-alarm (clear-threshold value | raise-threshold value);
                        }
                    }
                }
            }
        }
        traceoptions {
            file {
                filename;
                files number;
                match regular-expression;
                (world-readable | no-world-readable);
                size maximum-file-size;
            }
            flag flag;
            no-remote-trace;
        }
    }
}

Related Documentation
• Security Configuration Statement Hierarchy
• Network Address Translation Feature Guide for Security Devices
• Junos OS Logical Systems Library for Security Devices
• Network Monitoring and Troubleshooting Guide for Security Devices
source (Security Source NAT)

Syntax
    source {
        address-persistent;
        interface (port-overloading off | port-overloading-factor number);
        pool pool-name {
            address ip-address {
                to ip-address;
            }
            address-persistent subscriber ipv6-prefix-length prefix-length;
            address-pooling (paired | no-paired);
            address-shared;
            description text;
            host-address-base ip-address;
            overflow-pool (interface | pool-name);
            pool-utilization-alarm (clear-threshold value | raise-threshold value);
            port {
                block-allocation {
                    active-block-timeout timeout-interval;
                    block-size block-size;
                    log disable;
                    maximum-blocks-per-host maximum-block-number;
                }
                deterministic {
                    block-size block-size;
                    host {
                        address ip-address;
                        address-name address-name;
                    }
                }
                no-translation;
                port-overloading-factor number;
                range {
                    port-low <to port-high>;
                    to port-high;
                    twin-port port-low <to port-high>;
                }
            }
            routing-instance routing-instance-name;
        }
        pool-default-port-range lower-port-range to upper-port-range;
        pool-default-twin-port-range lower-port-range to upper-port-range;
        pool-utilization-alarm (clear-threshold value | raise-threshold value);
        port-randomization disable;
        rule-set rule-set-name {
            description text;
            from {
                interface [interface-name];
                routing-instance [routing-instance-name];
                zone [zone-name];
            }
            rule rule-name {
                description text;
                match {
                    application {
                        [application];
                        any;
                    }
                    (destination-address <ip-address> | destination-address-name <address-name>);
                    destination-port (port-or-low <to high>);
                    protocol [protocol-name-or-number];
                    source-address [ip-address];
                    source-address-name [address-name];
                    source-port (port-or-low <to high>);
                }
                then {
                    source-nat {
                        interface {
                            persistent-nat {
                                address-mapping;
                                inactivity-timeout seconds;
                                max-session-number value;
                                permit (any-remote-host | target-host | target-host-port);
                            }
                        }
                        off;
                        pool {
                            pool-name;
                            persistent-nat {
                                address-mapping;
                                inactivity-timeout seconds;
                                max-session-number number;
                                permit (any-remote-host | target-host | target-host-port);
                            }
                        }
                        rule-session-count-alarm (clear-threshold value | raise-threshold value);
                    }
                }
            }
            to {
                interface [interface-name];
                routing-instance [routing-instance-name];
                zone [zone-name];
            }
        }
    }

Hierarchy Level
    [edit security nat]

Release Information
    Statement modified in Junos OS Release 9.6. The description option added in Junos OS Release 12.1. Statement modified in Junos OS Release 12.1X45-D10. Statement modified in Junos OS Release 12.1X47-D10. Statement modified in Junos OS Release 12.1X47-D15.

Description
    Configure source NAT, which allows you to do the following:
    • Translate a source IP address or addresses to the egress interface's IP address.
    • Translate a range of source IP addresses to another range of IP addresses. This mapping is dynamic and without PAT.
    • Translate a range of source IP addresses to another range of IP addresses. This mapping is dynamic and with PAT.
    • Translate a range of source IP addresses to another range of IP addresses. This mapping is one-to-one, static, and without PAT.

Options
    The remaining statements are explained separately. See CLI Explorer.

Required Privilege Level
    security: To view this statement in the configuration.
    security-control: To add this statement to the configuration.

Related Documentation
    • Network Address Translation Feature Guide for Security Devices
pool (Security Source NAT)
Syntax
pool pool-name {
address ip-address {
to ip-address;
}
address-persistent subscriber ipv6-prefix-length prefix-length;
address-pooling (paired | no-paired);
address-shared;
description text;
host-address-base ip-address;
overflow-pool (interface | pool-name);
pool-utilization-alarm (clear-threshold value | raise-threshold value);
port (no-translation | port-overloading-factor number | range port-low (to port-high));
routing-instance routing-instance-name;
}
Hierarchy Level
[edit security nat source]
Release Information
Statement modified in Junos OS Release 9.6. The description option added in Junos OS
Release 12.1. Statement modified in Junos OS Release 12.1X45-D10. Statement modified
in Junos OS Release 12.1X47-D15.
Description
Define a source NAT pool; the pool name identifies the pool uniquely.
Options
pool-name—Name of the pool.
description—Description of the pool.
The remaining statements are explained separately. See CLI Explorer.
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Related Documentation
• Network Address Translation Feature Guide for Security Devices
address-persistent (Security Source NAT Pool)
Syntax
address-persistent subscriber ipv6-prefix-length prefix-length;
Hierarchy Level
[edit security nat source pool pool-name]
Release Information
Statement introduced in Junos OS Release 12.1X47-D15.
Description
Enable the device to translate all IPv6 addresses that share the same IPv6 prefix (of the
configured length) to the same IPv4 address, so that IPv4 services can be used over
IPv6-only networks.
Options
ipv6-prefix-length prefix-length—Specify the subscriber IPv6 prefix length.
Range: 8 through 128.
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Related Documentation
• Understanding NAT64 IPv6 Prefix to IPv4 Address-Persistent Translation
• Network Address Translation Feature Guide for Security Devices
Example: Configuring Address Persistent NAT64 Pools
This example shows how to configure address persistent NAT64 pools to ensure a sticky
mapping relationship between one specific IPv6 prefix, which is calculated by the
configured IPv6 prefix length, and one translated IPv4 address.
• Requirements on page 109
• Overview on page 109
• Configuration on page 109
• Verification on page 111
Requirements
Before you begin, be sure the existing NAT rules and pool configuration do not conflict
with the new one.
Overview
In this example, you configure an IPv6 prefix length of /64 in an IPv4 source NAT pool
used for NAT64 (IPv6 to IPv4) translation. Traffic that matches the NAT rule is translated
using the pool, with an address persistent mapping between the subscriber's IPv6 prefix
and the translated IPv4 address. This configuration can be used on the provider-side
translator (PLAT) in a dual-translation scenario, 464XLAT, to enable IPv4 services to
work over IPv6-only networks.
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text
file, remove any line breaks, change any details necessary to match your network
configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy
level.
set security nat source pool NAT64 address 31.61.129.240/32 to 31.61.129.254/32
set security nat source pool NAT64 address-persistent subscriber ipv6-prefix-length 64
set security nat source rule-set RS1 from zone trust
set security nat source rule-set RS1 to zone untrust
set security nat source rule-set RS1 rule R1 match source-address 2a00:f41::/32
set security nat source rule-set RS1 rule R1 match destination-address 31.61.132.198/32
set security nat source rule-set RS1 rule R1 then source-nat pool NAT64
Step-by-Step Procedure
The following example requires you to navigate throughout various levels in the
configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in
Configuration Mode.
1. Create a source NAT pool.
[edit security nat source]
user@host# set pool NAT64 address 31.61.129.240/32 to 31.61.129.254/32
2. Specify the IPv6 prefix length for the source NAT pool.
[edit security nat source]
user@host# set pool NAT64 address-persistent subscriber ipv6-prefix-length 64
3. Create a rule set.
[edit security nat source]
user@host# set rule-set RS1 from zone trust
user@host# set rule-set RS1 to zone untrust
4. Configure the match conditions for the rule.
[edit security nat source]
user@host# set rule-set RS1 rule R1 match source-address 2a00:f41::/32
user@host# set rule-set RS1 rule R1 match destination-address 31.61.132.198/32
5. Provide the action to be performed when the rule matches.
[edit security nat source]
user@host# set rule-set RS1 rule R1 then source-nat pool NAT64
Results
From configuration mode, confirm your configuration by entering the show security nat
command. If the output does not display the intended configuration, repeat the
configuration instructions in this example to correct it.
[edit]
user@host# show security nat
source {
    pool NAT64 {
        address {
            31.61.129.240/32 to 31.61.129.254/32;
        }
        address-persistent subscriber ipv6-prefix-length 64;
    }
    rule-set RS1 {
        from zone trust;
        to zone untrust;
        rule R1 {
            match {
                source-address 2a00:f41::/32;
                destination-address 31.61.132.198/32;
            }
            then {
                source-nat {
                    pool {
                        NAT64;
                    }
                }
            }
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.
Verification
Verifying NAT Application to Traffic
Purpose
Verify that the same IPv6 prefix is translated to the persistent IPv4 address.
Action
From operational mode, enter the show security flow session command.
Related Documentation
• Understanding NAT64 IPv6 Prefix to IPv4 Address-Persistent Translation
• Network Address Translation Feature Guide for Security Devices
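Added example (not Juniper code): a small model of the sticky prefix-to-address mapping that the address-persistent statement and the NAT64 pool example above describe, using the example's own pool range and /64 prefix length. The allocation order (lowest free address first) and the release() behaviour are assumptions for illustration; the guide only specifies that one IPv6 prefix always maps to one translated IPv4 address.

```python
# Added example, not Juniper code: models the sticky mapping of an
# address-persistent source NAT pool. Constructed values only; the
# allocation order (lowest free address first) and release() are
# assumptions for illustration.
import ipaddress
from typing import Dict, List, Optional


class AddressPersistentPool:
    """Source NAT pool with 'address-persistent subscriber ipv6-prefix-length'.

    Each IPv6 source address is reduced to its prefix of the configured
    length. The first flow from a prefix binds that prefix to a free IPv4
    address; every later flow from the same prefix reuses the binding.
    """

    def __init__(self, first: str, last: str, ipv6_prefix_length: int):
        lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
        if hi < lo:
            raise ValueError("pool range end precedes its start")
        if not 8 <= ipv6_prefix_length <= 128:  # range stated by the guide
            raise ValueError("ipv6-prefix-length must be 8 through 128")
        self.prefix_length = ipv6_prefix_length
        # Free IPv4 addresses, handed out lowest first (assumed order).
        self.free: List[ipaddress.IPv4Address] = [
            lo + i for i in range(int(hi) - int(lo) + 1)
        ]
        self.bindings: Dict[ipaddress.IPv6Network, ipaddress.IPv4Address] = {}

    def subscriber_prefix(self, source: str) -> ipaddress.IPv6Network:
        """The prefix (of the configured length) that identifies a subscriber."""
        return ipaddress.IPv6Network(
            (ipaddress.IPv6Address(source), self.prefix_length), strict=False
        )

    def translate(self, source: str) -> Optional[str]:
        """Return the translated IPv4 address for an IPv6 source address,
        or None when the pool has no free address for a new prefix."""
        prefix = self.subscriber_prefix(source)
        bound = self.bindings.get(prefix)
        if bound is not None:
            return str(bound)   # sticky: same prefix, same IPv4 address
        if not self.free:
            return None         # exhausted: a new subscriber cannot be bound
        addr = self.free.pop(0)
        self.bindings[prefix] = addr
        return str(addr)

    def release(self, source: str) -> bool:
        """Drop the binding for a subscriber prefix (for example after its
        last session ages out) and return its IPv4 address to the pool."""
        addr = self.bindings.pop(self.subscriber_prefix(source), None)
        if addr is None:
            return False
        self.free.append(addr)
        return True


if __name__ == "__main__":
    # Pool NAT64 from the example: 31.61.129.240 to 31.61.129.254, /64.
    pool = AddressPersistentPool("31.61.129.240", "31.61.129.254", 64)
    for src in ("2a00:f41:1:2::10", "2a00:f41:1:2:aaaa::1", "2a00:f41:1:3::1"):
        print(f"{src:28} -> {pool.translate(src)}")
```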
show security nat source pool
Syntax
show security nat source pool
pool-name
all
logical-system (logical-system-name | all)
root-logical-system
Release Information
Command introduced in Junos OS Release 9.2. Description output field added in Junos
OS Release 12.1. The Address assignment output field and IPv6 logical system support
added in Junos OS Release 12.1X45-D10. The twin-port output field added in Junos OS
Release 12.1X47-D10. The Address-persistent output field added in Junos OS Release
12.1X47-D15.
Description
Display information about the specified Network Address Translation (NAT) source
address pool and the configured twin port range per pool.
Options
pool-name—Display source NAT information for the specified address pool.
all—Display information about all source NAT address pools.
logical-system (logical-system-name | all)—Display information about the specified logical
system source NAT pools or all logical system source NAT pools.
root-logical-system—Display information about the source NAT pools for the master
(root) logical system.
Required Privilege Level
view
Related Documentation
• pool (Security Source NAT)
• clear security nat statistics source pool
• Network Address Translation Feature Guide for Security Devices
List of Sample Output
show security nat source pool src-p1 on page 113
show security nat source pool all on page 114
show security nat source pool sp1 on page 115
show security nat source pool P_1 on page 115
show security nat source pool src-nat-v4-with-pat on page 115
Output Fields
Table 13 on page 112 lists the output fields for the show security nat source pool command.
Output fields are listed in the approximate order in which they appear.
Table 13: show security nat source pool Output Fields
Field Name: Field Description
Pool name: Name of the source pool.
Description: Description of the source pool.
Pool id: Pool identification number.
Routing Instance: Name of the routing instance.
Host address base: Base address of the original source IP address range.
Port: Port numbers used for the source pool.
Twin port: Lower and upper limits of the twin port range.
port overloading: Port overloading factor configured for the source pool.
Address assignment: Type of address assignment.
Total addresses: Number of IP addresses that are in use.
Translation hits: Number of translation hits.
Port block size: Block size for the deterministic pool.
Determ host range num: Host range for the deterministic pool.
Address range: IP address or IP address range for the source pool.
Address-Persistent: Address persistent information for IPv4 source pools:
  • IPv6 prefix length: Configured IPv6 prefix length.
  • IPv6 subscriber out of port: Number of port allocation failures.
Single Ports: Number of allocated single ports.
Twin Ports: Number of allocated twin ports.
Sample Output
show security nat source pool src-p1
user@host> show security nat source pool src-p1
Pool name          : src-p1
Description        : The source pool src-p1 is for the sales team
Pool id            : 4
Routing instance   : default
Host address base  : 0.0.0.0
Port               : [1024, 63487]
Address assignment : paired
port overloading   : 1
Total addresses    : 4
Translation hits   : 0
Address range                            Single Ports   Twin Ports
    3.3.3.0 - 3.3.3.3                               0            0
show security nat source pool all
user@host> show security nat source pool all
Total pools: 4
Pool name          : src-p1
Description        : The source pool src-p1 is for the sales team
Pool id            : 4
Routing instance   : default
Host address base  : 0.0.0.0
Port               : [1024, 63487]
Address assignment : paired
port overloading   : 1
Total addresses    : 4
Translation hits   : 0
Address range                            Single Ports   Twin Ports
    3.3.3.0 - 3.3.3.3                               0            0

Pool name          : src-p2
Description        : The source pool src-p2 is for the sales team
Pool id            : 5
Routing instance   : default
Host address base  : 0.0.0.0
Port               : [1024, 63487]
Address assignment : no-paired
port overloading   : 1
Total addresses    : 4
Translation hits   : 0
Address range                            Single Ports   Twin Ports
    4.4.4.0 - 4.4.4.3                               0            0

Pool name          : src-p3
Description        : The source pool src-p3 is for the sales team
Pool id            : 6
Routing instance   : default
Host address base  : 0.0.0.0
Port               : [1024, 63487]
Address assignment : no-paired
port overloading   : 1
Total addresses    : 1
Translation hits   : 0
Address range                            Single Ports   Twin Ports
    2003::1 - 2003::1                               0            0

Pool name          : src-p4
Description        : The source pool src-p4 is for the sales team
Pool id            : 7
Routing instance   : default
Host address base  : 0.0.0.0
Port               : [1024, 63487]
Address assignment : no-paired
port overloading   : 1
Total addresses    : 1
Translation hits   : 0
Address range                            Single Ports   Twin Ports
    2004::1 - 2004::1                               0            0
show security nat source pool sp1
user@host> show security nat source pool sp1
Pool name          : sp1
Description        : The source pool src-p1 is for the sales team
Pool id            : 12
Routing instance   : default
Host address base  : 0.0.0.0
Port               : [1024, 63487]
Twin port          : [63488, 64515]
Port overloading   : 1
Address assignment : no-paired
Total addresses    : 1
Translation hits   : 0
Address range                            Single Ports   Twin Ports
    55.1.1.1 - 55.1.1.1                             0            0
show security nat source pool P_1
user@host> show security nat source pool P_1
Pool name            : P_1
Pool id              : 4
Routing instance     : default
Port                 : [12345, 17890]
Port overloading     : 1
Address assignment   : no-paired
Total addresses      : 256
Translation hits     : 0
Port block size      : 1000
Determ host range num: 3
Address range                            Single Ports   Twin Ports
    3.3.3.0 - 3.3.3.255                             0            0
show security nat source pool src-nat-v4-with-pat
user@host> show security nat source pool src-nat-v4-with-pat
Pool name          : src-nat-v4-with-pat
Pool id            : 5
Routing instance   : default
Host address base  : 0.0.0.0
Port               : [1024, 63487]
Port overloading   : 1
Address assignment : no-paired
Total addresses    : 10
Translation hits   : 0
Address-persistent
    IPv6 prefix length: 64
    IPv6 subscriber out of port: 0
Address range                            Single Ports   Twin Ports
    3.3.3.1 - 3.3.3.10                              0            0
Management
• Network Management and Monitoring on page 116
• TCP/TLS Support for Real-Time Logging on page 159
• System Log Messages on page 164
Network Management and Monitoring
• Understanding Vital MIB OID Data Collection on page 116
• Generating Readable Raw OID Data Collections on page 117
• Generating Raw MIB OID from a Policy on page 118
• Generating Vital Data of Pre-Defined Group on page 119
• Generating Vital Data from an Interface on page 120
• Generating Vital Data from an IPsec VPN on page 121
• Generating Vital Data from a NAT Rule on page 121
• Generating Vital Data from an Operating Component on page 122
• Generating Vital Data from a Screen on page 122
• System Configuration Statement Hierarchy on page 123
• log-vital on page 155
• show system log-vital
Understanding Vital MIB OID Data Collection
MIB object identifier (OID) data is collected and configured for later use in reports. You
can configure data collection duration (default is 3 days), dump file size limitation (default
is 5 megabytes for branch SRX Series and 10 megabytes for high-end SRX Series), and
disk storage limitation (default is 80 percent). The expired dump file is removed
automatically. When the dump file exceeds the limited size, a new dump file is created
and the old dump file is compressed. When disk utilization exceeds the storage limitation,
data collection is skipped but is attempted the next time. If an issue should arise, then
the collected data is examined to help identify its cause.
Once you enable a predefined group, the vital data of all OIDs in the group is periodically
collected and analyzed. When CPU utilization is above 60 percent but not above 80
percent, only critical data is collected.
A maximum of 64 OID groups is supported on branch SRX Series devices and a maximum
of 128 OID groups on high-end SRX Series devices.
You can also collect raw MIB OID data. In the raw OID output format, the first field is 40
characters wide and the second field is 30 characters wide; any extra characters are
stripped.
TIP: To make the dump file easily understood, we recommend that you
configure short comments for each raw OID.
Use the set system processes system-log-vital disable command to manually disable the
syslvd process (daemon). Disabling syslvd will not impact the existing data in the dump
file. Once all configuration commands are removed, syslvd is disabled automatically. If
syslvd is disabled in the middle of a collection, data from the current collection will be
lost but data available in the current dump file is retained.
Generating Readable Raw OID Data Collections
You can use the set system log-vital add oid comment “comment” command to make raw
object identifiers (OIDs) that are lengthy and unreadable easily understood.
[edit system]
log-vital {
    add oid {
        comment comment;
    }
}
The OID parameter can be formatted as mib-table.index. For example,
jnxOperating1MinLoadAvg.9.1.0.0 is an OID.
The “comment” parameter describes the OID. If “comment” is present, the comment
instead of the OID is generated as the subject of the vital data.
For example, without the “comment” parameter, the output of the set system log-vital
add jnxJsPolicyNumber.0 command in the dump file is:
===========
jnxJsPolicyNumber.0
===========
1
With the “comment” parameter, the output of the set system log-vital add
jnxJsPolicyNumber.0 comment “Total Policy Number” command in the dump file is:
===========
Total Policy Number
===========
1
NOTE: For OIDs that are temporarily unavailable, the string NA is generated
for them and the system continues to get their values for every collection. In
this case, the output displayed in the dump file is:
===========
Total Policy Number
===========
NA
Generating Raw MIB OID from a Policy
You can generate a raw MIB OID from a policy. You can also monitor the session number
associated with the policy and other policy MIB tables.
For example, consider a policy called test. Monitor the session number associated with
the policy.
[edit]
from-zone untrust to-zone trust {
    policy test {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
            count;
        }
    }
}
To monitor a session number associated with a policy:
1. Identify the OID of the policy's session number.
user@host> show snmp mib walk jnxJsPolicyName | match test
jnxJsPolicyName.7.117.110.116.114.117.115.116.5.116.114.117.115.116.4.116.101.115.116 = test
In the above output, the index of the policy is
7.117.110.116.114.117.115.116.5.116.114.117.115.116.4.116.101.115.116; the policy name is test;
and the MIB table name is jnxJsPolicyName.
2. With the index, verify that both the from-zone and the to-zone match the configuration.
Enter the show snmp mib get command.
user@host> show snmp mib get
jnxJsPolicyFromZone.7.117.110.116.114.117.115.116.5.116.114.117.115.116.4.116.101.115.116
jnxJsPolicyFromZone.7.117.110.116.114.117.115.116.5.116.114.117.115.116.4.116.101.115.116
= untrust
user@host> show snmp mib get
jnxJsPolicyToZone.7.117.110.116.114.117.115.116.5.116.114.117.115.116.4.116.101.115.116
jnxJsPolicyToZone.7.117.110.116.114.117.115.116.5.116.114.117.115.116.4.116.101.115.116
= trust
3. Perform a mandatory from-zone and to-zone match check to avoid a scenario where
there is a policy with the same name but the from-zone or the to-zone is different.
4. After performing both the from-zone and the to-zone match checks, ensure that
7.117.110.116.114.117.115.116.5.116.114.117.115.116.4.116.101.115.116 is the index of the policy
called test in various policy MIB tables.
5. Monitor the session number using the following command:
[edit]
user@host# set system log-vital add jnxJsPolicyStatsNumSessions.7.117.110.116.114.117.115.116.5.116.114.117.115.116.4.116.101.115.116 comment “sess num of policy test”
The output of the configuration is:
===========
sess num of policy test
===========
100
To monitor other policy MIB tables:
1. Combine a MIB table’s name with the index.
2. Monitor the session setup rate for the test policy using the command:
[edit]
user@host# set system log-vital add jnxJsPolicyStatsSessionRate.7.117.110.116.114.117.115.116.5.116.114.117.115.116.4.116.101.115.116 comment “sess setup rate of policy test”
The output of the configuration is:
===========
sess setup rate of policy test
===========
233
Generating Vital Data of Pre-Defined Group
You can use the set system log-vital group [cluster-counter | idp | operating | storage | spu
<spu-name> | screen <zone-name>] command to enable a pre-defined group.
[edit system log-vital]
group {
    operating;
    idp;
    storage;
    cluster-counter;
    screen zone-name;
    spu spu-name;
}
NOTE: The parameter for spu-name must be fwdd, all, fpcy.picz or
nodex.fpcy.picz.
The pre-defined groups are operating, SPU, storage, IDP, screen, and cluster-counter.
Once a group is enabled, all OIDs in the group are periodically collected and dumped.
The operating group includes state, temperature, current CPU utilization percentage,
buffer utilization percentage, heap-utilization percentage, up time, average-load in the
last 1 minute, 5 minutes, or 15 minutes, and buffer-pool utilization percentage in the
control plane of each operating component in the system.
The IDP group includes IDP data plane memory usage, IDP session usage and policies
loaded number.
The storage group includes storage utilization of directory /var/log.
The cluster-counter group includes current total session number, total CPS, IPv4 CPS,
IPv6 CPS, current total IPv4 session number, and current total IPv6 session number of
both node 0 and node 1.
The screen group includes screen statistics of a specified zone.
The SPU group includes CPU usage, memory usage, current flow session number, current
CP session number, IPv4 session number, IPv6 session number, CP IPv4 session number,
and CP IPv6 session number of the SPU.
Generating Vital Data from an Interface
You can monitor the statistics of interface ge-0/0/0 by first obtaining the SNMP ifIndex
from the interface.
user@host> show interfaces ge-0/0/0
Physical interface: ge-0/0/0, Enabled, Physical link is Up
Interface index: 134, SNMP ifIndex: 509
In this output, the 509 value is the index of ge-0/0/0 in the interface MIB table. By
combining this index value with the interface MIB tables, the vital data of the interface
can be periodically collected.
For example, combine the 509 index with the ifInErrors interface MIB table to collect the
In-Error data of interface ge-0/0/0 by using the following command:
[edit]
user@host# set system log-vital add ifInErrors.509 comment “In-Err of ge-0/0/0”
The output for the command is:
===========
In-Err of ge-0/0/0
===========
100
The following interface MIB tables can be used to collect vital data:
• ifInOctets
• ifInUcastPkts
• ifInNUcastPkts
• ifInDiscards
• ifInErrors
• ifInUnknownProtos
• ifOutOctets
• ifOutUcastPkts
• ifOutNUcastPkts
• ifOutDiscards
• ifOutErrors
Generating Vital Data from an IPsec VPN
You can monitor the vital data of an IPsec VPN by first obtaining the index of the VPN in
the IPsec VPN MIB table.
For example, consider the following policy-based VPN configuration, where the name of
the policy is test.
user@host> show configuration security policies
from-zone untrust to-zone trust {
    policy test {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn ike-vpn;
                }
            }
        }
    }
}
To monitor the error statistics for the VPN, you must first obtain the index of the VPN in
the IPsec VPN MIB table. You can obtain this value by using the command:
user@host> show snmp mib walk jnxJsIpSecTunPolicyName | match test
jnxJsIpSecTunPolicyName.1.4.2.2.2.1.2 = test
In the output, 1.4.2.2.2.1.2 is the index of the IPsec SA associated with the policy called
test. By combining the index with various IPsec VPN MIB tables, you can monitor the
statistics by using the following commands:
[edit]
user@host# set system log-vital add jnxIpSecTunMonReplayDropPkts.1.4.2.2.2.1.2 comment “Anti-Replay drop number of VPN policy test”
user@host# set system log-vital add jnxIpSecTunMonBadHeaders.1.4.2.2.2.1.2 comment “Bad Header number of VPN policy test”
Generating Vital Data from a NAT Rule
You can monitor the vital data from a NAT rule (in this example, r1) by first obtaining the
MIB index of r1.
Consider the following source NAT configuration.
user@host> show configuration security nat
source {
    rule-set rs1 {
        from zone trust;
        to zone untrust;
        rule r1 {
            match {
                source-address 17.0.0.0/8;
                destination-address 0.0.0.0/0;
            }
            then {
                source-nat {
                    interface;
                }
            }
        }
    }
}
To find the MIB index of r1, enter the following command from operational mode:
user@host> show snmp mib walk jnxJsNatRuleName | match r1
jnxJsNatRuleName.2.114.49.1 = r1
The output shows that 2.114.49.1 is the MIB index of r1.
Therefore, by combining the index with NAT MIB table jnxJsNatRuleHits, the session
number associated with NAT rule r1 can be monitored by using the command:
[edit]
user@host# set system log-vital add jnxJsNatRuleHits.2.114.49.1 comment “Number of sessions on NAT rule r1”
Generating Vital Data from an Operating Component
You can monitor the vital data of an operating component. For example, to monitor the
temperature of the SPC component located at slot 3 of node 0, enter the following
command:
user@host> show snmp mib walk jnxOperatingDescr | match “SPC @ 3”
jnxOperatingDescr.7.4.0.0 = node0 FPC: SRX5k SPC @ 3/*/*
jnxOperatingDescr.7.10.0.0 = node1 FPC: SRX5k SPC @ 3/*/*
In the output, the SPC index at slot 3 of node 0 in the operating MIB table is 7.4.0.0. By
combining the 7.4.0.0 index with operating MIB table jnxOperatingTemp, the temperature
of SPC at slot 3 of node 0 can be monitored by using the following command:
[edit]
user@host# set system log-vital add jnxOperatingTemp.7.4.0.0 comment “Temperature of node0 SPC-3”
Generating Vital Data from a Screen
The screen group collects all screen statistics of a specified zone. If you need only some
of those statistics rather than all of them, you can collect individual screen counters by
OID, as in the following example.
For example, consider the following screen configuration, where the number of UDP flood
attacks in the untrust zone is to be monitored.
user@host> show configuration security screen
ids-option zone-syn-flood {
    tcp {
        syn-flood {
            timeout 20;
        }
    }
}
user@host> show configuration security zones
security-zone untrust {
    screen zone-syn-flood;
    …
    …
}
To monitor the number of UDP flood attacks, you must first obtain the index of the untrust
zone in various screen MIB tables.
user@host> show snmp mib walk jnxJsScreenZoneName | match untrust
jnxJsScreenZoneName.117.110.116.114.117.115.116.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0
= untrust
In the output, the string
117.110.116.114.117.115.116.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 is the index of
the untrust zone in the MIB table.
By combining the index with screen MIB table jnxJsScreenMonUdpFlood, the number
can be monitored using the following command:
[edit]
user@host# set system log-vital add jnxJsScreenMonUdpFlood.117.110.116.114.117.115.116.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 comment “Number of UDP flood attack”
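Added example (not Juniper code) covering the policy, NAT rule and screen sections above: it builds and decodes the SNMP table-index suffixes those examples show, produces the matching set system log-vital add commands, and performs the step 3 from-zone/to-zone check directly from the index of a jnxJsPolicyName walk line. The encodings are inferred from the values the guide prints (length-prefixed ASCII for the policy and NAT rule tables, a fixed 32-octet zero-padded zone name for the screen tables); the trailing .1 in the NAT rule index is not explained by the guide and is treated here as an integer sub-identifier.

```python
# Added example, not Juniper code. Index encodings are inferred from the
# values the guide prints: policy and NAT rule names are length-prefixed
# ASCII (one sub-identifier per byte); the screen zone name is a fixed
# 32-octet field padded with zeros (7 name octets + 25 zeros in the guide).
from typing import List, Optional, Tuple

ZONE_FIELD_OCTETS = 32


def encode_var_string(s: str) -> List[int]:
    """Variable-length OCTET STRING index component: length, then bytes."""
    data = s.encode("ascii")
    return [len(data)] + list(data)


def encode_fixed_string(s: str, width: int) -> List[int]:
    """Fixed-length OCTET STRING index component: bytes, zero-padded."""
    data = s.encode("ascii")
    if len(data) > width:
        raise ValueError(f"{s!r} does not fit in {width} octets")
    return list(data) + [0] * (width - len(data))


def dotted(sub_ids: List[int]) -> str:
    return ".".join(str(x) for x in sub_ids)


def policy_index(from_zone: str, to_zone: str, policy: str) -> str:
    """Row index of a policy in the jnxJsPolicy* tables."""
    return dotted(encode_var_string(from_zone)
                  + encode_var_string(to_zone)
                  + encode_var_string(policy))


def decode_policy_index(index: str) -> Tuple[str, str, str]:
    """Inverse of policy_index(); raises ValueError on a malformed index."""
    sub_ids = [int(x) for x in index.split(".")]
    fields, pos = [], 0
    for _ in range(3):                      # from-zone, to-zone, policy name
        if pos >= len(sub_ids):
            raise ValueError("index truncated")
        length, pos = sub_ids[pos], pos + 1
        chunk = sub_ids[pos:pos + length]
        if len(chunk) != length:
            raise ValueError("index truncated inside a string")
        fields.append(bytes(chunk).decode("ascii"))
        pos += length
    if pos != len(sub_ids):
        raise ValueError("unexpected trailing sub-identifiers")
    return fields[0], fields[1], fields[2]


def nat_rule_index(rule: str, trailing_sub_id: int = 1) -> str:
    """Row index of a rule in the jnxJsNatRule* tables. The guide shows a
    trailing .1 after the encoded name and does not name it; it is taken
    here as an integer sub-identifier (assumption) defaulting to 1."""
    return dotted(encode_var_string(rule) + [trailing_sub_id])


def screen_zone_index(zone: str) -> str:
    """Row index of a zone in the jnxJsScreen* tables (fixed-width name)."""
    return dotted(encode_fixed_string(zone, ZONE_FIELD_OCTETS))


def log_vital_add(table: str, index: str, comment: str) -> str:
    """The configuration command that enrols one OID in vital data collection."""
    return f'set system log-vital add {table}.{index} comment "{comment}"'


def policy_index_from_walk(line: str, from_zone: str, to_zone: str) -> Optional[str]:
    """Parse one 'show snmp mib walk jnxJsPolicyName' line and return its
    index only if the zones encoded in it match the expected pair; this is
    the step 3 from-zone/to-zone check done without two extra mib gets."""
    oid, sep, value = line.partition(" = ")
    table, _, index = oid.strip().partition(".")
    if not sep or table != "jnxJsPolicyName":
        return None
    try:
        fz, tz, name = decode_policy_index(index)
    except ValueError:
        return None
    if name != value.strip() or (fz, tz) != (from_zone, to_zone):
        return None
    return index


if __name__ == "__main__":
    # Constructed walk output: two policies named "test" in different zone pairs.
    walk = [f"jnxJsPolicyName.{policy_index('untrust', 'trust', 'test')} = test",
            f"jnxJsPolicyName.{policy_index('trust', 'dmz', 'test')} = test"]
    for line in walk:
        idx = policy_index_from_walk(line, "untrust", "trust")
        print("match" if idx else "skip ", line)
        if idx:
            print(log_vital_add("jnxJsPolicyStatsNumSessions", idx,
                                "sess num of policy test"))
    print(log_vital_add("jnxJsNatRuleHits", nat_rule_index("r1"),
                        "Number of sessions on NAT rule r1"))
    print(log_vital_add("jnxJsScreenMonUdpFlood", screen_zone_index("untrust"),
                        "Number of UDP flood attack"))
```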
System Configuration Statement Hierarchy
Use the statements in the system configuration hierarchy to configure system
management functions including addresses of the Domain Name System (DNS) servers;
device’s hostname, address, and domain name; health monitoring; interface filtering;
properties of the device’s auxiliary and console ports; security profiles for logical systems;
time zones and Network Time Protocol (NTP) properties; trace options; and user login
accounts, including user authentication and the root-level user account. Statement
descriptions that are exclusive to the SRX Series devices running Junos OS are described
in this section.
system {
accounting {
destination {
radius {
server server-address {
accounting-port port-number;
max-outstanding-requests number;
port number;
retry number;
secret password;
source-address address;
timeout seconds;
}
}
tacplus {
server server-address {
port port-number;
secret password;
single-connection;
source-address source-address;
timeout seconds;
}
}
}
events [change-log interactive-commands login];
traceoptions {
file {
filename;
files number;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;
no-remote-trace;
}
}
allow-v4mapped-packets;
archival {
configuration {
archive-sites url {
password password;
}
transfer-interval interval;
transfer-on-commit;
}
}
arp {
aging-timer minutes;
gratuitous-arp-delay seconds;
gratuitous-arp-on-ifup;
interfaces {
interface name {
aging-timer minutes;
}
}
passive-learning;
purging;
}
authentication-order [password radius tacplus];
auto-configuration {
traceoptions {
file {
filename;
files number;
match regular-expression;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;
level (all | error | info | notice | verbose | warning);
no-remote-trace;
}
}
auto-snapshot;
autoinstallation {
configuration-servers {
url {
password password;
}
}
interfaces {
interface-name {
bootp;
rarp;
}
}
usb {
disable;
}
}
auto-snapshot;
backup-router {
address;
destination [network];
}
commit {
server {
commit-interval seconds;
days-to-keep-error-logs days;
maximum-aggregate-pool number;
maximum-entries number;
traceoptions {
file {
filename;
files number;
microsecond-stamp;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;
no-remote-trace;
}
}
synchronize;
}
compress-configuration-files;
default-address-selection;
diag-port-authentication {
encrypted-password password;
plain-text-password;
}
domain-name domain-name;
domain-search [domain-list];
donot-disable-ip6op-ondad;
dump-device (boot-device | compact-flash | usb);
dynamic-profile-options {
versioning;
}
encrypt-configuration-files;
extensions {
providers {
provider-id {
license-type license deployment-scope [deployments];
}
}
resource-limits {
package package-name {
resources {
cpu {
priority number;
time seconds;
}
file {
core-size bytes;
open number;
size bytes;
}
memory {
data-size mbytes;
locked-in mbytes;
resident-set-size mbytes;
socket-buffers mbytes;
stack-size mbytes;
}
}
}
process process-ui-name {
resources {
cpu {
priority number;
time seconds;
}
file {
core-size bytes;
open number;
size bytes;
}
memory {
data-size mbytes;
locked-in mbytes;
resident-set-size mbytes;
socket-buffers mbytes;
stack-size mbytes;
}
}
}
}
}
fips {
level (0 | 1 | 2 | 3 | 4);
}
host-name hostname;
inet6-backup-router {
address;
destination destination;
}
internet-options {
icmpv4-rate-limit {
bucket-size seconds;
packet-rate packets-per-second;
}
icmpv6-rate-limit {
bucket-size seconds;
packet-rate packets-per-second;
}
(ipip-path-mtu-discovery | no-ipip-path-mtu-discovery);
ipv6-duplicate-addr-detection-transmits number;
(ipv6-path-mtu-discovery | no-ipv6-path-mtu-discovery);
ipv6-path-mtu-discovery-timeout minutes;
no-tcp-reset (drop-all-tcp | drop-tcp-with-syn-only);
no-tcp-rfc1323;
no-tcp-rfc1323-paws;
(path-mtu-discovery | no-path-mtu-discovery);
source-port upper-limit upper-limit;
(source-quench | no-source-quench);
tcp-drop-synfin-set;
tcp-mss bytes;
}
kernel-replication;
license {
autoupdate {
url url;
password password;
}
renew {
before-expiration number;
interval interval-hours;
}
traceoptions {
file {
filename;
files number;
match regular-expression;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;
no-remote-trace;
}
}
location {
altitude feet;
building name;
country-code code;
floor number;
hcoord horizontal-coordinate;
lata service-area;
latitude degrees;
longitude degrees;
npa-nxx number;
postal-code postal-code;
rack number;
vcoord vertical-coordinate;
}
login {
announcement text;
class class-name {
access-end hh:mm;
access-start hh:mm;
allow-commands regular-expression;
allow-configuration regular-expression;
allow-configuration-regexps [regular-expression];
allowed-days [day];
deny-commands regular-expression;
deny-configuration regular-expression;
deny-configuration-regexps [regular-expression];
idle-timeout minutes;
logical-system logical-system;
login-alarms;
login-script script;
login-tip;
permissions [permissions];
security-role (audit-administrator | crypto-administrator | ids-administrator |
security-administrator);
}
deny-sources {
address [address-or-hostname];
}
message text;
}
password {
change-type (character-set | set-transitions);
format (des | md5 | sha1);
maximum-length length;
minimum-changes number;
minimum-length length;
}
retry-options {
backoff-factor seconds;
backoff-threshold number;
lockout-period time;
maximum-time seconds;
minimum-time seconds;
tries-before-disconnect number;
}
user username {
authentication {
encrypted-password password;
load-key-file url;
plain-text-password;
ssh-dsa public-key;
ssh-rsa public-key;
}
class class-name;
full-name complete-name;
uid uid-value;
}
}
log-vital {
interval minutes;
files days;
storage-limit percentage;
file-size Mbytes;
add oid {
comment comment;
}
group {
operating;
idp;
storage;
cluster-counter;
screen zone-name;
spu spu-name;
}
}
max-configuration-rollbacks number;
max-configurations-on-flash number;
mirror-flash-on-disk;
name-server ip-address;
nd-maxmcast-solicit value;
nd-retransmit-timer value;
no-compress-configuration-files;
no-debugger-on-alt-break;
no-multicast-echo;
no-neighbor-learn;
no-ping-record-route;
no-ping-time-stamp;
no-redirects;
no-saved-core-context;
ntp {
authentication-key key-number {
type md5;
value password;
}
boot-server address;
broadcast broadcast-address {
key key;
ttl value;
version version;
}
broadcast-client;
multicast-client {
address;
}
peer peer-address {
key key;
prefer;
version version;
}
server server-address {
key key;
prefer;
version version;
}
source-address source-address;
trusted-key [key-number];
}
pic-console-authentication {
encrypted-password password;
plain-text-password;
}
ports {
auxiliary {
disable;
insecure;
type (ansi | small-xterm | vt100 | xterm);
}
console {
disable;
insecure;
log-out-on-disconnect;
type (ansi | small-xterm | vt100 | xterm);
}
}
processes {
802.1x-protocol-daemon {
command binary-file-path;
disable;
}
adaptive-services {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
alarm-control {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
application-identification {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
application-security {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
audit-process {
command binary-file-path;
disable;
}
auto-configuration {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
bootp {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
chassis-control {
disable;
failover alternate-media;
}
class-of-service {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
craft-control {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
database-replication {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
datapath-trace-service {
disable;
traceoptions {
file {
filename;
files number;
match regular-expression;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;
level (all | error | info | notice | verbose | warning);
no-remote-trace;
}
}
dhcp {
command binary-file-path;
disable;
}
dhcp-service {
disable;
failover (alternate-media | other-routing-engine);
interface-traceoptions {
file {
filename;
files number;
match regular-expression;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;
level (all | error | info | notice | verbose | warning);
no-remote-trace;
}
traceoptions {
file {
filename;
files number;
match regular-expression;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;
level (all | error | info | notice | verbose | warning);
no-remote-trace;
}
}
dialer-services {
disable;
traceoptions {
file {
filename;
files number;
match regular-expression;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;
no-remote-trace;
}
}
diameter-service {
disable;
traceoptions {
file {
filename;
files number;
match regular-expression;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;
level (all | error | info | notice | verbose | warning);
no-remote-trace;
}
}
disk-monitoring {
command binary-file-path;
disable;
}
dynamic-flow-capture {
command binary-file-path;
disable;
}
ecc-error-logging {
command binary-file-path;
disable;
}
ethernet-connectivity-fault-management {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
ethernet-link-fault-management {
command binary-file-path;
disable;
}
ethernet-switching {
command binary-file-path;
disable;
}
event-processing {
command binary-file-path;
disable;
}
fipsd {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
firewall {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
firewall-authentication-service {
disable;
}
forwarding {
command binary-file-path;
disable;
}
general-authentication-service {
disable;
traceoptions {
file {
filename;
files number;
match regular-expression;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;
no-remote-trace;
}
}
gprs-process {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
group-key-member {
disable;
}
group-key-server {
disable;
}
idp-policy {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
ilmi {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
inet-process {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
init {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
interface-control {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
ipmi {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
ipsec-key-management {
(disable | enable);
}
jsrp-service {
disable;
}
jtasktest {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
kernel-replication {
command binary-file-path;
disable;
}
l2-learning {
command binary-file-path;
disable;
}
l2cpd-service {
command binary-file-path;
disable;
}
lacp {
command binary-file-path;
disable;
}
lldpd-service {
command binary-file-path;
disable;
}
logical-system-mux {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
logical-system-service {
disable;
traceoptions {
file {
filename;
files number;
match regular-expression;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;
no-remote-trace;
}
}
mib-process {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
mobile-ip {
command binary-file-path;
disable;
}
mountd-service {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
mspd {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
multicast-snooping {
command binary-file-path;
disable;
}
named-service {
disable;
failover (alternate-media | other-routing-engine);
}
neighbor-liveness {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
network-security {
disable;
}
network-security-trace {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
nfsd-service {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
ntp {
disable;
failover (alternate-media | other-routing-engine);
}
ntpd-service {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
peer-selection-service {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
periodic-packet-services {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
pgcp-service {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
pgm {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
pic-services-logging {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
ppp {
command binary-file-path;
disable;
}
pppoe {
command binary-file-path;
disable;
}
process-monitor {
disable;
traceoptions {
file {
filename;
files number;
match regular-expression;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;
level (all | error | info | notice | verbose | warning);
no-remote-trace;
}
}
profilerd {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
r2cp {
command binary-file-path;
disable;
}
redundancy-interface-process {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
remote-operations {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
resource-cleanup {
disable;
traceoptions {
file {
filename;
files number;
match regular-expression;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;
level (all | error | info | notice | verbose | warning);
no-remote-trace;
}
}
routing {
disable;
failover (alternate-media | other-routing-engine);
}
sampling {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
sbc-configuration-process {
disable;
failover (alternate-media | other-routing-engine);
traceoptions {
file {
filename;
files number;
match regular-expression;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;
no-remote-trace;
}
}
sdk-service {
disable;
traceoptions {
file {
filename;
files number;
match regular-expression;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;
level (all | error | info | notice | verbose | warning);
no-remote-trace;
}
}
secure-neighbor-discovery {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
security-log {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
send {
disable;
}
service-deployment {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
shm-rtsdbd {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
simple-mail-client-service {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
smtpd-service {
disable;
}
snmp {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
static-subscribers {
disable;
}
statistics-service {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
subscriber-management {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
subscriber-management-helper {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
system-health-management {
disable;
}
system-log-vital {
disable;
}
tunnel-oamd {
command binary-file-path;
disable;
}
uac-service {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
usb-control {
command binary-file-path;
disable;
}
virtualization-service {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
vrrp {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
wan-acceleration {
disable;
traceoptions {
file {
filename;
files number;
match regular-expression;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;
no-remote-trace;
}
}
watchdog {
enable;
disable;
timeout value;
}
web-management {
disable;
failover (alternate-media | other-routing-engine);
}
wireless-lan-service {
disable;
traceoptions {
file {
filename;
files number;
match regular-expression;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;
no-remote-trace;
}
}
wireless-wan-service {
disable;
traceoptions {
file {
filename;
files number;
match regular-expression;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;
no-remote-trace;
}
}
proxy {
password password;
port port-number;
server url;
username user-name;
}
radius-options {
attributes {
nas-ip-address nas-ip-address;
}
password-protocol protocol-name;
}
radius-server server-address {
accounting-port number;
max-outstanding-requests number;
port number;
retry number;
secret password;
source-address source-address;
timeout seconds;
}
root-authentication {
encrypted-password password;
load-key-file url;
plain-text-password;
ssh-dsa public-key {
<from pattern-list>;
}
ssh-rsa public-key {
<from pattern-list>;
}
}
saved-core-context;
saved-core-files number;
scripts {
commit {
allow-transients;
direct-access;
file filename {
checksum (md5 | sha-256 | sha1);
optional;
refresh;
refresh-from url;
source url;
}
refresh;
refresh-from url;
traceoptions {
file {
filename;
files number;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;
no-remote-trace;
}
}
load-scripts-from-flash;
op {
file filename {
arguments name {
description text;
}
checksum (md5 | sha-256 | sha1);
command filename-alias;
description cli-help-text;
refresh;
refresh-from url;
source url;
}
no-allow-url;
refresh;
refresh-from url;
traceoptions {
file {
filename;
files number;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;
no-remote-trace;
}
}
security-profile security-profile-name {
address-book {
maximum amount;
reserved amount;
}
appfw-profile {
maximum amount;
reserved amount;
}
appfw-rule {
maximum amount;
reserved amount;
}
appfw-rule-set {
maximum amount;
reserved amount;
}
auth-entry {
maximum amount;
reserved amount;
}
cpu {
reserved percent;
}
dslite-softwire-initiator {
maximum amount;
reserved amount;
}
flow-gate {
maximum amount;
reserved amount;
}
flow-session {
maximum amount;
reserved amount;
}
idp-policy idp-policy-name;
logical-system logical-system-name;
nat-cone-binding {
maximum amount;
reserved amount;
}
nat-destination-pool {
maximum amount;
reserved amount;
}
nat-destination-rule {
maximum amount;
reserved amount;
}
nat-interface-port-ol {
maximum amount;
reserved amount;
}
nat-nopat-address {
maximum amount;
reserved amount;
}
nat-pat-address {
maximum amount;
reserved amount;
}
nat-pat-portnum {
maximum amount;
reserved amount;
}
nat-port-ol-ipnumber {
maximum amount;
reserved amount;
}
nat-rule-referenced-prefix {
maximum amount;
reserved amount;
}
nat-source-pool {
maximum amount;
reserved amount;
}
nat-source-rule {
maximum amount;
reserved amount;
}
nat-static-rule {
maximum amount;
reserved amount;
}
policy {
maximum amount;
reserved amount;
}
policy-with-count {
maximum amount;
reserved amount;
}
root-logical-system;
scheduler {
maximum amount;
reserved amount;
}
zone {
maximum amount;
reserved amount;
}
}
security-profile-resources {
cpu-control;
cpu-control-target percent;
}
services {
database-replication {
traceoptions {
file {
filename;
files number;
match regular-expression;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;
no-remote-trace;
}
}
dhcp {
boot-file filename;
boot-server (address | hostname);
default-lease-time (infinite | seconds);
domain-name domain-name;
domain-search dns-search-suffix;
maximum-lease-time (infinite | seconds);
name-server ip-address;
next-server ip-address;
option option-identifier-code (array type-name [ type-values ] | byte 8-bit-value | flag
(false | off | on | true) | integer signed-32-bit-value | ip-address address | short
signed-16-bit-value | string text-string | unsigned-integer 32-bit-value |
unsigned-short 16-bit-value);
pool subnet-ip-address/mask {
address-range {
high address;
low address;
}
boot-file filename;
boot-server (address | hostname);
default-lease-time (infinite | seconds);
domain-name domain-name;
domain-search dns-search-suffix;
exclude-address ip-address;
maximum-lease-time (infinite | seconds);
name-server ip-address;
next-server ip-address;
option option-identifier-code (array type-name [ type-values ] | byte 8-bit-value |
flag (false | off | on | true) | integer signed-32-bit-value | ip-address address |
short signed-16-bit-value | string text-string | unsigned-integer 32-bit-value |
unsigned-short 16-bit-value);
propagate-ppp-settings interface-name;
propagate-settings interface-name;
router ip-address;
server-identifier dhcp-server;
sip-server {
address ip-address;
name sip-server-name;
}
wins-server ip-address;
}
propagate-ppp-settings interface-name;
propagate-settings interface-name;
router ip-address;
server-identifier dhcp-server;
sip-server {
address ip-address;
name sip-server-name;
}
static-binding mac-address;
traceoptions {
file {
filename;
files number;
match regular-expression;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;
level (all | error | info | notice | verbose | warning);
no-remote-trace;
}
wins-server ip-address;
}
dhcp-local-server {
dhcpv6 {
authentication {
password password;
username-include {
circuit-type;
client-id;
delimiter delimiter-character;
domain-name domain-name;
interface-name;
logical-system-name;
relay-agent-interface-id;
relay-agent-remote-id;
relay-agent-subscriber-id;
routing-instance-name;
user-prefix user-prefix;
}
}
dynamic-profile {
profile-name;
aggregate-clients {
merge;
replace;
}
junos-default-profile;
use-primary dynamic-profile-name;
}
group group-name {
authentication {
password password;
username-include {
circuit-type;
client-id;
delimiter delimiter-character;
domain-name domain-name;
interface-name;
logical-system-name;
relay-agent-interface-id;
relay-agent-remote-id;
relay-agent-subscriber-id;
routing-instance-name;
user-prefix user-prefix;
}
}
dynamic-profile {
profile-name;
aggregate-clients {
merge;
replace;
}
junos-default-profile;
use-primary dynamic-profile;
}
interface interface-name {
dynamic-profile {
profile-name;
aggregate-clients {
merge;
replace;
}
junos-default-profile;
use-primary dynamic-profile-name;
}
exclude;
overrides {
delegated-pool pool-name;
interface-client-limit number;
process-inform {
pool pool-name;
}
rapid-commit;
}
service-profile service-profile-name;
trace;
upto interface-name;
}
liveness-detection {
failure-action {
clear-binding;
clear-binding-if-interface-up;
log-only;
}
method {
bfd {
detection-time {
threshold milliseconds;
}
holddown-interval interval;
minimum-interval milliseconds;
minimum-receive-interval milliseconds;
multiplier number;
no-adaptation;
session-mode (automatic | multihop | single-hop);
transmit-interval {
minimum-interval milliseconds;
threshold milliseconds;
}
version (0 | 1 | automatic);
}
}
overrides {
delegated-pool pool-name;
interface-client-limit number;
process-inform {
pool pool-name;
}
rapid-commit;
}
reconfigure {
attempts number;
clear-on-abort;
strict;
timeout number;
token token-name;
trigger {
radius-disconnect;
}
}
service-profile service-profile-name;
}
liveness-detection {
failure-action {
clear-binding;
clear-binding-if-interface-up;
log-only;
}
method {
bfd {
detection-time {
threshold milliseconds;
}
holddown-interval interval;
minimum-interval milliseconds;
minimum-receive-interval milliseconds;
multiplier number;
no-adaptation;
session-mode (automatic | multihop | single-hop);
transmit-interval {
minimum-interval milliseconds;
threshold milliseconds;
}
version (0 | 1 | automatic);
}
}
overrides {
delegated-pool pool-name;
interface-client-limit number;
process-inform {
pool pool-name;
}
rapid-commit;
}
reconfigure {
attempts number;
clear-on-abort;
strict;
timeout number;
token token-name;
trigger {
radius-disconnect;
}
}
service-profile service-profile-name;
}
group group-name {
interface interface-name {
exclude;
upto upto-interface-name;
}
}
}
dns {
dns-proxy {
cache hostname inet ip-address;
default-domain domain-name {
forwarders ip-address;
}
interface interface-name;
propogate-setting (enable | disable);
view view-name {
domain domain-name {
forward-only;
forwarders ip-address;
}
match-clients subnet-address;
}
}
}
dnssec {
disable;
dlv {
domain-name domain-name trusted-anchor trusted-anchor;
}
secure-domains domain-name;
trusted-keys (key dns-key | load-key-file url);
forwarders {
ip-address;
}
max-cache-ttl seconds;
max-ncache-ttl seconds;
traceoptions {
category {
category-type;
}
debug-level level;
file {
filename;
files number;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;
level (all | error | info | notice | verbose | warning);
no-remote-trace;
}
}
dynamic-dns {
client hostname {
agent agent-name;
interface interface-name;
password server-password;
server server-name;
username user-name;
}
}
finger {
connection-limit number;
rate-limit number;
}
ftp {
connection-limit number;
rate-limit number;
}
netconf {
ssh {
connection-limit number;
port port-number;
rate-limit number;
}
traceoptions {
file {
filename;
files number;
match regular-expression;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;
no-remote-trace;
on-demand;
}
}
outbound-ssh {
client client-id {
address {
port port-number;
retry number;
timeout value;
}
device-id device-id;
keep-alive {
retry number;
time-out value;
}
reconnect-strategy (in-order | sticky);
secret secret;
services {
netconf;
}
}
traceoptions {
file {
filename;
files number;
match regular-expression;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;
no-remote-trace;
}
}
service-deployment {
local-certificate certificate-name;
servers server-address {
port port-number;
security-options {
ssl3;
tls;
}
user user-name;
}
source-address source-address;
traceoptions {
file {
filename;
files number;
match regular-expression;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;
no-remote-trace;
}
}
ssh {
ciphers [cipher];
client-alive-count-max number;
client-alive-interval seconds;
connection-limit number;
hostkey-algorithm {
(ssh-dss | no-ssh-dss);
(ssh-ecdsa | no-ssh-ecdsa);
(ssh-rsa | no-ssh-rsa);
}
key-exchange [algorithm];
macs [algorithm];
max-sessions-per-connection number;
protocol-version {
v1;
v2;
}
rate-limit number;
root-login (allow | deny | deny-password);
(tcp-forwarding | no-tcp-forwarding);
}
subscriber-management {
enforce-strict-scale-limit-license;
gres-route-flush-delay;
maintain-subscriber interface-delete;
traceoptions {
file {
filename;
files number;
match regular-expression;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;
no-remote-trace;
}
}
subscriber-management-helper {
traceoptions {
file {
filename;
files number;
match regular-expression;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;
no-remote-trace;
}
}
telnet {
connection-limit number;
rate-limit number;
}
web-management {
control {
max-threads number;
}
http {
interface [interface-name];
port port-number;
}
https {
interface [interface-name];
local-certificate name;
pki-local-certificate name;
port port-number;
system-generated-certificate;
}
management-url url;
session {
idle-timeout minutes;
session-limit number;
}
traceoptions {
file {
filename;
files number;
match regular-expression;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;
level (all | error | info | notice | verbose | warning);
no-remote-trace;
}
}
xnm-clear-text {
connection-limit number;
rate-limit number;
}
xnm-ssl {
connection-limit number;
local-certificate name;
rate-limit number;
}
}
static-host-mapping hostname {
alias [host-name-alias];
inet [ip-address];
inet6 [ipv6-address];
sysid system-identifier;
}
syslog {
allow-duplicates;
archive {
binary-data;
files number;
size maximum-file-size;
(world-readable | no-world-readable);
}
console {
(any | facility) severity;
}
file filename {
allow-duplicates;
archive {
archive-sites url {
password password;
}
(binary-data | no-binary-data);
files number;
size maximum-file-size;
start-time "YYYY-MM-DD.hh:mm";
transfer-interval minutes;
(world-readable | no-world-readable);
}
structure-data {
brief;
}
(any | facility) severity;
}
host (hostname | other-routing-engine) {
(any | facility) severity;
}
log-rotate-frequency minutes;
source-address source-address;
time-format {
millisecond;
year;
}
user (username | *) {
(any | facility) severity;
}
}
tacplus-options {
(exclude-cmd-attribute | no-cmd-attribute-value);
service-name service-name;
}
tacplus-server server-address {
port port-number;
secret password;
single-connection;
source-address source-address;
timeout seconds;
}
time-zone (GMThour-offset | time-zone);
tracing {
destination-override {
syslog {
host address;
}
}
}
use-imported-time-zones;
}
Related Documentation

• Master Administrator for Logical Systems Feature Guide for Security Devices
• Firewall User Authentication Feature Guide for Security Devices
• Infranet Authentication Feature Guide for Security Devices
• Installation and Upgrade Guide for Security Devices
log-vital

Syntax

log-vital {
add <oid> {
comment <comment>;
}
file-size;
files;
group {
operating;
idp;
storage;
cluster-counter;
screen;
spu;
}
interval;
storage-limit;
}

Hierarchy Level

[edit system]

Release Information

Statement introduced in Junos OS Release 12.1X47-D15.

Description

Configure vital log data.

Options
add <oid>—Specify the OID to be used to collect the raw data.
• comment—Specify the comment for the raw OID.
file-size—Specify the size of the current dump file.
Range: 1 MB to 100 MB.
Default: 5 MB for branch SRX Series devices and 10 MB for high-end SRX Series devices.
files—Specify the lifetime (number of days) for which the dump file is stored. The dump file is stored at /var/log/vital/.
Range: 1 to 30 days.
Default: 3 days.
group—Specify the predefined OID group to be used. Each group contains multiple OIDs within the same area. Once a group is enabled, all OIDs in the group are periodically collected and dumped.
• operating—This group includes state, temperature, current CPU utilization percentage, buffer utilization percentage, heap utilization percentage, uptime, average load over the last 1, 5, or 15 minutes, and buffer-pool utilization percentage in the control plane of each operating component in the system.
• idp—This group includes IDP data plane memory usage, IDP session usage, and the number of policies loaded.
• storage—This group includes storage utilization of the /var/log directory.
• cluster-counter—This group includes the current total session number, total CPS, IPv4 CPS, IPv6 CPS, current total IPv4 session number, and current total IPv6 session number of both node 0 and node 1.
• screen—This group includes screen statistics of a specified zone.
• spu—This group includes CPU usage, memory usage, current flow session number, current CP session number, IPv4 session number, IPv6 session number, CP IPv4 session number, and CP IPv6 session number of the SPU.
interval—Specify the collection interval in minutes. A new interval value takes effect immediately.
Range: 1 to 1440 minutes.
Default: 10 minutes.
storage-limit—Specify the storage usage limit in percent. If the current storage usage of the /var/log/ directory is above this limit, the collection is skipped and retried at the next interval.
Range: 1 to 100 percent.
Default: 80 percent.

Required Privilege Level

security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
show system log-vital

Syntax

show system log-vital
<data | oid | status>

Release Information

Command introduced in Junos OS Release 12.1X47-D15.

Description

Display the vital data of MIB OIDs.

Options

data—Display detailed vital data of the current day.
oid—Display the configured OIDs or groups.
status—Display the settings of the vital log.

Required Privilege Level

view

List of Sample Output

show system log-vital data on page 158
show system log-vital oid on page 159
show system log-vital status on page 159

Output Fields

Table 14 on page 157 lists the output fields for the show system log-vital command. Output fields are listed in the approximate order in which they appear.

Table 14: show system log-vital Output Fields

Field Name                Field Description
Node                      Identification number of the node. It can be 0 or 1.
SPU                       Identification of the Services Processing Unit.
CPU                       CPU usage of the SPU, in percent.
Mem                       Memory usage of the SPU, in percent.
Flow-Sess                 Number of flow sessions.
CP-Sess                   Number of central point sessions.
IPv4-Sess                 Number of IPv4 sessions.
IPv6-Sess                 Number of IPv6 sessions.
CP-IPv4                   Number of central point IPv4 sessions.
CP-IPv6                   Number of central point IPv6 sessions.
OID list                  OIDs that are being monitored.
OID number                Number of OIDs that are being monitored.
Group SPU list            SPUs that are being monitored.
Group SPU number          Number of SPUs that are being monitored.
Group screen list         Security zones whose screen statistics are being monitored.
Group screen number       Number of security zones whose screen statistics are being monitored.
Group                     A set of OIDs. Once a group is enabled, all OIDs in the group are monitored.
interval                  Number of minutes used for the data collection interval.
file-days                 Number of days for which the dump file is stored.
storage-limit             Storage usage limit, in percent.
file-size                 Size of the current dump file.
state                     Number that indicates which state the current collection is in; it can indicate IDLE or ONGOING.
snmp mgmt-sock op number  Stat number of the querying MIB.
current timer counter     Number that indicates the collection timer.
Sample Output

show system log-vital data

user@host> show system log-vital data
#
# Start firefly-perimeter--"fw1" Vitals Check     Fri Sep  5 00:00:44 2014
#
[Fri Sep 5 00:00:44 2014] Vital data of SPU
Node   SPU   CPU  Mem  Flow-Sess  CP-Sess  IPv4-Sess  IPv6-Sess  CP-IPv4  CP-IPv6
==========================================================================================================
node0  fwdd  0    55   10         0        10         0          0        0
#
# End firefly-perimeter--"fw1" Vitals Check     Fri Sep  5 00:00:45 2014
#
#
# Start firefly-perimeter--"fw1" Vitals Check     Fri Sep  5 00:01:45 2014
#
[Fri Sep 5 00:01:45 2014] Vital data of SPU
Node   SPU   CPU  Mem  Flow-Sess  CP-Sess  IPv4-Sess  IPv6-Sess  CP-IPv4  CP-IPv6
==========================================================================================================
node0  fwdd  0    55   16         0        16         0          0        0
#
# End firefly-perimeter--"fw1" Vitals Check     Fri Sep  5 00:01:45 2014
#
show system log-vital oid
user@host> show system log-vital oid
OID list:
lldpLocSysName.0
sys-name
jnxJsNodeCurrentTotalSessIPv4.0
.1.3.6.1.4.1.2636.3.1.13.1.8.9.1.0.0
IPv4-sess-number
re cpu usage
OID number: 3
Group SPU list:
All
Group SPU number: 1
Group screen list:
trust
untrust
Group screen number: 2
Group:
idp cluster-counter storage operating
show system log-vital status
user@host> show system log-vital status
log vital status:
interval: 1 Minutes
file-days: 4 days
storage-limit: 75 percent
file-size: 3 Mbytes
state: 5
snmp mgmt-sock op number: 0
current timer counter: 1 (vs 60)
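The vitals output above is meant to be collected, not read by eye. The following Python example (added here; it is not code from the Juniper guide) parses the `show system log-vital data` text into one record per node/SPU sample, flags samples whose CPU or memory usage exceeds a threshold, and reports the flow-session delta between consecutive samples. The embedded sample is a copy of the guide's output above; the 80 percent thresholds are an assumption.

```python
"""Parse 'show system log-vital data' output and check SPU vitals.

Added example, not Juniper code. SAMPLE is the guide's own sample output,
retyped; the threshold defaults are assumptions.
"""
import re
from dataclasses import dataclass

# Copy of the guide's sample output (two vitals checks, one minute apart).
SAMPLE = """\
#
# Start firefly-perimeter--"fw1" Vitals Check
#
Fri Sep 5 00:00:44 2014
[Fri Sep 5 00:00:44 2014] Vital data of SPU
Node   SPU   CPU   Mem   Flow-Sess   CP-Sess   IPv4-Sess   IPv6-Sess   CP-IPv4   CP-IPv6
==========================================================================================================
node0  fwdd  0     55    10          0         10          0           0         0
#
# End firefly-perimeter--"fw1" Vitals Check
#
Fri Sep 5 00:00:45 2014
#
# Start firefly-perimeter--"fw1" Vitals Check
#
Fri Sep 5 00:01:45 2014
[Fri Sep 5 00:01:45 2014] Vital data of SPU
Node   SPU   CPU   Mem   Flow-Sess   CP-Sess   IPv4-Sess   IPv6-Sess   CP-IPv4   CP-IPv6
==========================================================================================================
node0  fwdd  0     55    16          0         16          0           0         0
#
# End firefly-perimeter--"fw1" Vitals Check
#
Fri Sep 5 00:01:45 2014
"""

# Column order from Table 14 / the output header line.
COLUMNS = ("Node", "SPU", "CPU", "Mem", "Flow-Sess", "CP-Sess",
           "IPv4-Sess", "IPv6-Sess", "CP-IPv4", "CP-IPv6")

STAMP_RE = re.compile(r"^\[(.+?)\] Vital data of SPU$")


@dataclass
class VitalRow:
    timestamp: str
    node: str
    spu: str
    cpu: int        # percent
    mem: int        # percent
    flow_sess: int
    cp_sess: int
    ipv4_sess: int
    ipv6_sess: int
    cp_ipv4: int
    cp_ipv6: int


def parse_vital_data(text):
    """Return one VitalRow per data line, tagged with the check's timestamp."""
    rows, stamp = [], None
    for line in text.splitlines():
        m = STAMP_RE.match(line)
        if m:
            stamp = m.group(1)
            continue
        fields = line.split()
        # Skip comments, timestamps, the separator and the header line.
        if len(fields) != len(COLUMNS) or fields[0] == "Node":
            continue
        try:
            nums = [int(f) for f in fields[2:]]
        except ValueError:
            continue
        rows.append(VitalRow(stamp, fields[0], fields[1], *nums))
    return rows


def over_threshold(rows, cpu_max=80, mem_max=80):
    """(timestamp, node, spu, reason) for samples above the CPU/memory limits."""
    alerts = []
    for r in rows:
        if r.cpu > cpu_max:
            alerts.append((r.timestamp, r.node, r.spu, f"cpu {r.cpu}% > {cpu_max}%"))
        if r.mem > mem_max:
            alerts.append((r.timestamp, r.node, r.spu, f"mem {r.mem}% > {mem_max}%"))
    return alerts


def session_growth(rows):
    """Flow-session delta between consecutive samples of the same node/SPU."""
    deltas, last = [], {}
    for r in rows:
        key = (r.node, r.spu)
        if key in last:
            deltas.append((r.timestamp, key, r.flow_sess - last[key].flow_sess))
        last[key] = r
    return deltas
```

Feeding the parser a file produced by `show system log-vital data | save` on a schedule gives a cheap capacity and anomaly baseline per SPU; a sudden session-count jump between checks is the value worth alerting on, not any single sample.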
TCP/TLS Support for Real-Time Logging

• log (Security) on page 160
• [edit security log] Hierarchy Level on page 161
• transport (Security Log) on page 163
log (Security)

Syntax

log {
    cache {
        exclude exclude-name {
            destination-address destination-address;
            destination-port destination-port;
            event-id event-id;
            failure;
            interface-name interface-name;
            policy-name policy-name;
            process process-name;
            protocol protocol;
            source-address source-address;
            source-port source-port;
            success;
            user-name user-name;
        }
        limit value;
    }
    disable;
    event-rate rate;
    file {
        files max-file-number;
        name file-name;
        path binary-log-file-path;
        size maximum-file-size;
    }
    format (binary | sd-syslog | syslog);
    mode (event | stream);
    rate-cap rate-cap-value;
    (source-address source-address | source-interface interface-name);
    stream stream-name {
        category (all | content-security);
        format (binary | sd-syslog | syslog | welf);
        host {
            ip-address;
            port port-number;
        }
        severity (alert | critical | debug | emergency | error | info | notice | warning);
    }
    traceoptions {
        file {
            filename;
            files number;
            match regular-expression;
            size maximum-file-size;
            (world-readable | no-world-readable);
        }
        flag flag;
        no-remote-trace;
    }
    transport {
        protocol (udp | tcp | tls);
        tls-profile tls-profile-name;
        tcp-connections tcp-connections;
    }
    utc-time-stamp;
}

Hierarchy Level

[edit security]

Release Information

Statement introduced in Junos OS Release 9.2.
Support for the source-interface option added in Junos OS Release 12.1X46-D25.

Description

Set the logging mode (event for traditional system logging, or stream for streaming security logs through a revenue port to a server) and the other parameters for security logging.

Options

disable—Disable security logging for the device.
event-rate rate—Limit the rate (0 through 1500) at which logs are streamed per second.
rate-cap rate-cap-value—Limit the rate (0 through 5000) at which data plane logs are generated per second.
source-address source-address—Specify the source IP address used when exporting security logs.
source-interface interface-name—Specify the source interface name; required when configuring stream mode.

NOTE: source-address and source-interface are alternatives; configuring one of them is mandatory.

utc-time-stamp—Use UTC time for security log timestamps.

The remaining statements are explained separately.

Required Privilege Level

security—To view this statement in the configuration.
security-control—To add this statement to the configuration.

Related Documentation

• Application Tracking Feature Guide for Security Devices
• Master Administrator for Logical Systems Feature Guide for Security Devices
[edit security log] Hierarchy Level

security {
    log {
        cache {
            exclude exclude-name {
                destination-address destination-address;
                destination-port destination-port;
                event-id event-id;
                failure;
                interface-name interface-name;
                policy-name policy-name;
                process process-name;
                protocol protocol;
                source-address source-address;
                source-port source-port;
                success;
                user-name user-name;
            }
            limit value;
        }
        disable;
        event-rate rate;
        file {
            files max-file-number;
            name file-name;
            path binary-log-file-path;
            size maximum-file-size;
        }
        format (binary | sd-syslog | syslog);
        mode (event | stream);
        (source-address source-address | source-interface interface-name);
        stream stream-name {
            category (all | content-security);
            format (binary | sd-syslog | syslog | welf);
            host {
                ip-address;
                port port-number;
            }
            severity (alert | critical | debug | emergency | error | info | notice | warning);
        }
        traceoptions {
            file {
                file-name;
                files max-file-number;
                match regular-expression;
                (no-world-readable | world-readable);
                size maximum-file-size;
            }
            flag flag;
            no-remote-trace;
        }
        transport {
            protocol (udp | tcp | tls);
            tls-profile tls-profile-name;
            tcp-connections tcp-connections;
        }
        utc-time-stamp;
    }
}

Related Documentation

• Security Configuration Statement Hierarchy
• Application Tracking Feature Guide for Security Devices
• Master Administrator for Logical Systems Feature Guide for Security Devices
transport (Security Log)

Syntax

transport {
    protocol (udp | tcp | tls);
    tls-profile tls-profile-name;
    tcp-connections tcp-connections;
}

Hierarchy Level

[edit security log]

Release Information

Statement introduced in Junos OS Release 12.1X46-D25.

Description

Configure the transport options for security logs.

Options

protocol—Specify the transport protocol used to send the log data.
• UDP—Set the transport protocol to UDP.
• TCP—Set the transport protocol to TCP.
• TLS—Set the transport protocol to TLS.
tls-profile tls-profile-name—Specify the TLS profile name.
tcp-connections tcp-connections—Specify the number of TCP connections per SPU.
Range: 1 through 5.
Default: 1.

Required Privilege Level

security—To view this statement in the configuration.
security-control—To add this statement to the configuration.

Related Documentation

• Application Tracking Feature Guide for Security Devices
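The `log` and `transport` statements above carry several constraints that are easy to get wrong by hand: the numeric ranges, the requirement that exactly one of source-address or source-interface be configured, and the TLS profile that a TLS transport is supposed to reference. The following Python example (added here; it is not Juniper code and does not talk to a device) checks a stream-logging configuration against the ranges stated on this page and renders it as `set` commands following the `[edit security log]` hierarchy above. The check that a TLS transport must name a tls-profile is an assumption, as are the interface name, profile name and collector address in the sample.

```python
"""Check and render a Junos [edit security log] stream configuration.

Added example, not Juniper code. Enforces the ranges from the statement
descriptions (event-rate 0 through 1500, rate-cap 0 through 5000,
tcp-connections 1 through 5) and the source-address/source-interface rule,
then renders 'set security log ...' lines. The TLS-needs-a-profile check
and all names/addresses in TLS_STREAM are assumptions.
"""

VALID_PROTOCOLS = ("udp", "tcp", "tls")
VALID_FORMATS = ("binary", "sd-syslog", "syslog", "welf")
VALID_SEVERITIES = ("alert", "critical", "debug", "emergency", "error",
                    "info", "notice", "warning")


def validate_security_log(cfg):
    """Return a list of problems; an empty list means the config is consistent."""
    problems = []
    # The page: source-address and source-interface are alternatives, one is mandatory.
    if ("source_address" in cfg) == ("source_interface" in cfg):
        problems.append("exactly one of source-address or source-interface is required")
    if not 0 <= cfg.get("event_rate", 0) <= 1500:
        problems.append("event-rate must be 0 through 1500")
    if not 0 <= cfg.get("rate_cap", 0) <= 5000:
        problems.append("rate-cap must be 0 through 5000")
    transport = cfg.get("transport", {})
    proto = transport.get("protocol", "udp")
    if proto not in VALID_PROTOCOLS:
        problems.append(f"unknown transport protocol {proto!r}")
    if proto == "tls" and not transport.get("tls_profile"):
        # Assumption: a TLS transport with no tls-profile is treated as incomplete.
        problems.append("transport protocol tls needs a tls-profile")
    if not 1 <= transport.get("tcp_connections", 1) <= 5:
        problems.append("tcp-connections must be 1 through 5")
    for name, stream in cfg.get("streams", {}).items():
        if stream.get("format", "syslog") not in VALID_FORMATS:
            problems.append(f"stream {name}: unknown format")
        if stream.get("severity", "info") not in VALID_SEVERITIES:
            problems.append(f"stream {name}: unknown severity")
        if "host" not in stream:
            problems.append(f"stream {name}: host ip-address missing")
    return problems


def render_set_commands(cfg):
    """Render the dict as 'set security log ...' lines in hierarchy order."""
    p = "set security log"
    out = [f"{p} mode {cfg.get('mode', 'stream')}"]
    if "event_rate" in cfg:
        out.append(f"{p} event-rate {cfg['event_rate']}")
    if "rate_cap" in cfg:
        out.append(f"{p} rate-cap {cfg['rate_cap']}")
    if "source_address" in cfg:
        out.append(f"{p} source-address {cfg['source_address']}")
    if "source_interface" in cfg:
        out.append(f"{p} source-interface {cfg['source_interface']}")
    t = cfg.get("transport", {})
    if t:
        out.append(f"{p} transport protocol {t.get('protocol', 'udp')}")
        if t.get("tls_profile"):
            out.append(f"{p} transport tls-profile {t['tls_profile']}")
        if "tcp_connections" in t:
            out.append(f"{p} transport tcp-connections {t['tcp_connections']}")
    for name, s in cfg.get("streams", {}).items():
        sp = f"{p} stream {name}"
        out.append(f"{sp} format {s.get('format', 'syslog')}")
        out.append(f"{sp} severity {s.get('severity', 'info')}")
        out.append(f"{sp} host {s['host']}")
        if "port" in s:
            out.append(f"{sp} host port {s['port']}")
    if cfg.get("utc_time_stamp"):
        out.append(f"{p} utc-time-stamp")
    return out


# Constructed sample: stream security logs to a TLS collector.
# Interface, profile name and collector address are placeholders.
TLS_STREAM = {
    "mode": "stream",
    "source_interface": "ge-0/0/0.0",
    "transport": {"protocol": "tls", "tls_profile": "rtlog-collector",
                  "tcp_connections": 2},
    "streams": {"siem": {"format": "sd-syslog", "severity": "info",
                         "host": "192.0.2.10", "port": 6514}},
    "utc_time_stamp": True,
}
```

Running `validate_security_log` before `render_set_commands` keeps an inconsistent stream definition (both source options set, a TLS transport with nothing to authenticate the collector) from reaching the device; the rendered lines can then be pasted into configuration mode and checked with `commit check`.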
System Log Messages

• APPTRACK System Log Messages on page 164
• RTLOG System Log Messages on page 166
• UTM System Log Messages on page 166

APPTRACK System Log Messages
APPTRACK_SESSION_CLOSE

System Log Message
AppTrack session closed reason:
source-address/source-port->destination-address/destination-port service-name
application nested-application
nat-source-address/nat-source-port->nat-destination-address/nat-destination-port
src-nat-rule-name dst-nat-rule-name protocol-id policy-name source-zone-name
destination-zone-name session-id-32 packets-from-client(bytes-from-client)
packets-from-server(bytes-from-server) elapsed-time username roles encrypted

Description
A security session being tracked by AppTrack, an application tracking tool, was closed.

Type
Event: This message reports an event, not an error

Severity
info

Facility
ANY

APPTRACK_SESSION_CLOSE_LS

System Log Message
Lsys logical-system-name: AppTrack session closed reason:
source-address/source-port->destination-address/destination-port service-name
application nested-application
nat-source-address/nat-source-port->nat-destination-address/nat-destination-port
src-nat-rule-name dst-nat-rule-name protocol-id policy-name source-zone-name
destination-zone-name session-id-32 packets-from-client(bytes-from-client)
packets-from-server(bytes-from-server) elapsed-time username roles encrypted

Description
A security session being tracked by AppTrack, an application tracking tool, was closed.

Type
Event: This message reports an event, not an error

Severity
info

Facility
ANY

APPTRACK_SESSION_CREATE

System Log Message
AppTrack session created
source-address/source-port->destination-address/destination-port service-name
application nested-application
nat-source-address/nat-source-port->nat-destination-address/nat-destination-port
src-nat-rule-name dst-nat-rule-name protocol-id policy-name source-zone-name
destination-zone-name session-id-32 username roles encrypted

Description
A security session that will be monitored by AppTrack, an application tracking tool, was
created.

Type
Event: This message reports an event, not an error

Severity
info

Facility
ANY

APPTRACK_SESSION_CREATE_LS

System Log Message
Lsys logical-system-name: AppTrack session created
source-address/source-port->destination-address/destination-port service-name
application nested-application
nat-source-address/nat-source-port->nat-destination-address/nat-destination-port
src-nat-rule-name dst-nat-rule-name protocol-id policy-name source-zone-name
destination-zone-name session-id-32 username roles encrypted

Description
A security session that will be monitored by AppTrack, an application tracking tool, was
created.

Type
Event: This message reports an event, not an error

Severity
info

Facility
ANY

APPTRACK_SESSION_VOL_UPDATE

System Log Message
AppTrack volume update:
source-address/source-port->destination-address/destination-port service-name
application nested-application
nat-source-address/nat-source-port->nat-destination-address/nat-destination-port
src-nat-rule-name dst-nat-rule-name protocol-id policy-name source-zone-name
destination-zone-name session-id-32 packets-from-client(bytes-from-client)
packets-from-server(bytes-from-server) elapsed-time username roles encrypted

Description
AppTrack, an application tracking tool, sent a periodic update on the volume (byte and
packet count) of the session it is monitoring. The update interval is determined by
the configuration.

Type
Event: This message reports an event, not an error

Severity
info

Facility
ANY

APPTRACK_SESSION_VOL_UPDATE_LS

System Log Message
Lsys logical-system-name: AppTrack volume update:
source-address/source-port->destination-address/destination-port service-name
application nested-application
nat-source-address/nat-source-port->nat-destination-address/nat-destination-port
src-nat-rule-name dst-nat-rule-name protocol-id policy-name source-zone-name
destination-zone-name session-id-32 packets-from-client(bytes-from-client)
packets-from-server(bytes-from-server) elapsed-time username roles encrypted

Description
AppTrack, an application tracking tool, sent a periodic update on the volume (byte and
packet count) of the session it is monitoring. The update interval is determined by
the configuration.

Type
Event: This message reports an event, not an error

Severity
info

Facility
ANY
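The APPTRACK_SESSION_CLOSE and APPTRACK_SESSION_CLOSE_LS messages above are the records a SIEM actually consumes, and their value lies in the per-session packet and byte counters. The following Python example (added here; not Juniper code) parses the message body in the field order the guide lists, handles the optional `Lsys logical-system-name:` prefix and a close reason that contains spaces, and then picks out closed sessions whose client-to-server volume is large and outbound-heavy, the shape a defender would review for bulk data transfer. It does not parse the syslog header in front of the message text, and the two sample messages are constructed with reserved documentation addresses and made-up names.

```python
"""Parse APPTRACK_SESSION_CLOSE / _CLOSE_LS message text.

Added example, not Juniper code. Field order follows the guide's message
template; the syslog header (timestamp, host, process) is not handled.
SAMPLES are constructed, not captured from a device.
"""
import re
from dataclasses import dataclass
from typing import Optional

# "src/sport->dst/dport"; the same shape is used for the NAT pair.
PAIR_RE = re.compile(r"^(?P<src>[^/]+)/(?P<sport>\d+)->(?P<dst>[^/]+)/(?P<dport>\d+)$")
# "packets(bytes)" counters.
COUNT_RE = re.compile(r"^(\d+)\((\d+)\)$")
PREFIX = "AppTrack session closed"


@dataclass
class SessionClose:
    logical_system: Optional[str]
    reason: str
    src: str
    sport: int
    dst: str
    dport: int
    service: str
    application: str
    nested_application: str
    nat_src: str
    nat_sport: int
    nat_dst: str
    nat_dport: int
    src_nat_rule: str
    dst_nat_rule: str
    protocol_id: int
    policy: str
    src_zone: str
    dst_zone: str
    session_id: int
    client_packets: int
    client_bytes: int
    server_packets: int
    server_bytes: int
    elapsed: int
    username: str
    roles: str
    encrypted: str


def parse_session_close(msg):
    """Parse one message body; raises ValueError on anything that does not fit."""
    logical_system = None
    if msg.startswith("Lsys "):
        # _LS variant: "Lsys <name>: AppTrack session closed ..."
        logical_system, _, msg = msg[len("Lsys "):].partition(": ")
    head, sep, body = msg.partition(": ")
    if not sep or not head.startswith(PREFIX):
        raise ValueError("not an AppTrack session close message")
    # The reason precedes the colon and may contain spaces, so it is taken
    # from the head rather than from the whitespace-split body.
    reason = head[len(PREFIX):].strip()
    t = body.split()
    if len(t) != 18:
        raise ValueError(f"expected 18 fields, got {len(t)}")
    pair, nat = PAIR_RE.match(t[0]), PAIR_RE.match(t[4])
    c, s = COUNT_RE.match(t[12]), COUNT_RE.match(t[13])
    if not (pair and nat and c and s):
        raise ValueError("malformed address pair or packet/byte counter")
    return SessionClose(
        logical_system, reason,
        pair["src"], int(pair["sport"]), pair["dst"], int(pair["dport"]),
        t[1], t[2], t[3],
        nat["src"], int(nat["sport"]), nat["dst"], int(nat["dport"]),
        t[5], t[6], int(t[7]), t[8], t[9], t[10], int(t[11]),
        int(c.group(1)), int(c.group(2)), int(s.group(1)), int(s.group(2)),
        int(t[14]), t[15], t[16], t[17])


def large_outbound_sessions(records, min_client_bytes):
    """Closed sessions where the client sent at least min_client_bytes and more than it got back."""
    return [r for r in records
            if r.client_bytes >= min_client_bytes and r.client_bytes > r.server_bytes]


# Constructed sample messages (documentation addresses, made-up names).
SAMPLES = [
    "AppTrack session closed TCP FIN: 10.0.1.5/51234->198.51.100.20/443 junos-https HTTP SSL "
    "203.0.113.7/1025->198.51.100.20/443 src-nat-rule N/A 6 allow-web trust untrust 1234 "
    "12(1500) 15(8000) 30 alice N/A Yes",
    "Lsys lsys1: AppTrack session closed idle-timeout: 10.0.2.9/40000->192.0.2.50/22 junos-ssh "
    "SSH UNKNOWN 10.0.2.9/40000->192.0.2.50/22 N/A N/A 6 allow-ssh trust dmz 5678 "
    "4000(5000000) 300(20000) 600 bob N/A Yes",
]
```

Because the close message carries both the pre-NAT and post-NAT tuples, the parsed record lets a detection pipeline join the firewall's view with the collector's view of the same flow without guessing; the volume filter is deliberately simple so that it can be tuned per policy or zone once real baselines exist.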
RTLOG System Log Messages

RTLOG_CONN_OPEN

System Log Message
args stream-name transport-proto source-address source-port destination-address
destination-port;

Description
RTLOG connection was established.

Type
Event: This message reports an event, not an error

RTLOG_CONN_CLOSE

System Log Message
args stream-name transport-proto source-address source-port destination-address
destination-port;

Description
RTLOG connection was closed.

Type
Event: This message reports an event, not an error

RTLOG_CONN_ERROR

System Log Message
args stream-name error-message;

Description
RTLOG connection was aborted.

Type
Event: This message reports an event, not an error
UTM System Log Messages

UTMD_EWF_CAT_OBSOLETE

System Log Message
args category-old category-new;

Description
The UTM EWF category was obsoleted by a new category.

Type
Event: This message reports an event, not an error.

Severity
LOG_NOTICE

Action
Refer to the release notes and use a new category.

Cause
The UTM EWF category has been updated.
Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we can
improve the documentation. You can provide feedback by using either of the following
methods:

• Online feedback rating system—On any page at the Juniper Networks Technical
Documentation site at http://www.juniper.net/techpubs/index.html, simply click the
stars to rate the content, and use the pop-up form to provide us with information about
your experience. Alternately, you can use the online feedback form at
https://www.juniper.net/cgi-bin/docbugreport/.
• E-mail—Send your comments to [email protected]. Include the document
or topic name, URL or page number, and software version (if applicable).

Requesting Technical Support

Technical product support is available through the Juniper Networks Technical Assistance
Center (JTAC). If you are a customer with an active J-Care or JNASC support contract,
or are covered under warranty, and need post-sales technical support, you can access
our tools and resources online or open a case with JTAC.

• JTAC policies—For a complete understanding of our JTAC procedures and policies,
review the JTAC User Guide located at
http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.
• Product warranties—For product warranty information, visit
http://www.juniper.net/support/warranty/.
• JTAC hours of operation—The JTAC centers have resources available 24 hours a day,
7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online
self-service portal called the Customer Support Center (CSC) that provides you with the
following features:

• Find CSC offerings: http://www.juniper.net/customers/support/
• Search for known bugs: http://www2.juniper.net/kb/
• Find product documentation: http://www.juniper.net/techpubs/
• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
• Download the latest versions of software and review release notes:
http://www.juniper.net/customers/csc/software/
• Search technical bulletins for relevant hardware and software notifications:
http://kb.juniper.net/InfoCenter/
• Join and participate in the Juniper Networks Community Forum:
http://www.juniper.net/company/communities/
• Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

To verify service entitlement by product serial number, use our Serial Number Entitlement
(SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.

• Use the Case Management tool in the CSC at http://www.juniper.net/cm/.
• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, see
http://www.juniper.net/support/requesting-support.html.

Revision History

15 October 2014—Revision 1, Junos OS Release 12.1X47-D15 Feature Guide
Copyright © 2014, Juniper Networks, Inc. All rights reserved.
Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United
States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other
trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify,
transfer, or otherwise revise this publication without notice.