JUNOS® Software for EX Series Ethernet Switches, Release 10.1: User and Access Management

Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net

Revision 1
Published: 2010-02-11

This product includes the Envoy SNMP Engine, developed by Epilogue Technology, an Integrated Systems Company. Copyright © 1986-1997, Epilogue Technology Corporation. All rights reserved. This program and its documentation were developed at private expense, and no part of them is in the public domain.

This product includes memory allocation software developed by Mark Moraes, copyright © 1988, 1989, 1993, University of Toronto.

This product includes FreeBSD software developed by the University of California, Berkeley, and its contributors. All of the documentation and software included in the 4.4BSD and 4.4BSD-Lite Releases is copyrighted by the Regents of the University of California. Copyright © 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994. The Regents of the University of California. All rights reserved.

GateD software copyright © 1995, the Regents of the University. All rights reserved. Gate Daemon was originated and developed through release 3.0 by Cornell University and its collaborators. Gated is based on Kirton’s EGP, UC Berkeley’s routing daemon (routed), and DCN’s HELLO routing protocol. Development of Gated has been supported in part by the National Science Foundation. Portions of the GateD software copyright © 1988, Regents of the University of California. All rights reserved. Portions of the GateD software copyright © 1991, D. L. S. Associates.

This product includes software developed by Maker Communications, Inc., copyright © 1996, 1997, Maker Communications, Inc.

Juniper Networks, the Juniper Networks logo, JUNOS, NetScreen, ScreenOS, and Steel-Belted Radius are registered trademarks of Juniper Networks, Inc. in the United States and other countries. JUNOSe is a trademark of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.

JUNOS® Software for EX Series Ethernet Switches, Release 10.1: User and Access Management
Copyright © 2010, Juniper Networks, Inc. All rights reserved. Printed in USA.

Writing: Editing: Illustration: Cover Design:

Revision History
12 February 2010—Revision 1

The information in this document is current as of the date listed in the revision history.

END USER LICENSE AGREEMENT

READ THIS END USER LICENSE AGREEMENT (“AGREEMENT”) BEFORE DOWNLOADING, INSTALLING, OR USING THE SOFTWARE. BY DOWNLOADING, INSTALLING, OR USING THE SOFTWARE OR OTHERWISE EXPRESSING YOUR AGREEMENT TO THE TERMS CONTAINED HEREIN, YOU (AS CUSTOMER OR IF YOU ARE NOT THE CUSTOMER, AS A REPRESENTATIVE/AGENT AUTHORIZED TO BIND THE CUSTOMER) CONSENT TO BE BOUND BY THIS AGREEMENT. IF YOU DO NOT OR CANNOT AGREE TO THE TERMS CONTAINED HEREIN, THEN (A) DO NOT DOWNLOAD, INSTALL, OR USE THE SOFTWARE, AND (B) YOU MAY CONTACT JUNIPER NETWORKS REGARDING LICENSE TERMS.

1. The Parties. The parties to this Agreement are (i) Juniper Networks, Inc. (if the Customer’s principal office is located in the Americas) or Juniper Networks (Cayman) Limited (if the Customer’s principal office is located outside the Americas) (such applicable entity being referred to herein as “Juniper”), and (ii) the person or organization that originally purchased from Juniper or an authorized Juniper reseller the applicable license(s) for use of the Software (“Customer”) (collectively, the “Parties”).

2. The Software. In this Agreement, “Software” means the program modules and features of the Juniper or Juniper-supplied software, for which Customer has paid the applicable license or support fees to Juniper or an authorized Juniper reseller, or which was embedded by Juniper in equipment which Customer purchased from Juniper or an authorized Juniper reseller. “Software” also includes updates, upgrades and new releases of such software. “Embedded Software” means Software which Juniper has embedded in or loaded onto the Juniper equipment and any updates, upgrades, additions or replacements which are subsequently embedded in or loaded onto the equipment.

3. License Grant. Subject to payment of the applicable fees and the limitations and restrictions set forth herein, Juniper grants to Customer a non-exclusive and non-transferable license, without right to sublicense, to use the Software, in executable form only, subject to the following use restrictions:

a. Customer shall use Embedded Software solely as embedded in, and for execution on, Juniper equipment originally purchased by Customer from Juniper or an authorized Juniper reseller.

b. Customer shall use the Software on a single hardware chassis having a single processing unit, or as many chassis or processing units for which Customer has paid the applicable license fees; provided, however, with respect to the Steel-Belted Radius or Odyssey Access Client software only, Customer shall use such Software on a single computer containing a single physical random access memory space and containing any number of processors. Use of the Steel-Belted Radius or IMS AAA software on multiple computers or virtual machines (e.g., Solaris zones) requires multiple licenses, regardless of whether such computers or virtualizations are physically contained on a single chassis.

c. Product purchase documents, paper or electronic user documentation, and/or the particular licenses purchased by Customer may specify limits to Customer’s use of the Software. Such limits may restrict use to a maximum number of seats, registered endpoints, concurrent users, sessions, calls, connections, subscribers, clusters, nodes, realms, devices, links, ports or transactions, or require the purchase of separate licenses to use particular features, functionalities, services, applications, operations, or capabilities, or provide throughput, performance, configuration, bandwidth, interface, processing, temporal, or geographical limits. In addition, such limits may restrict the use of the Software to managing certain kinds of networks or require the Software to be used only in conjunction with other specific Software. Customer’s use of the Software shall be subject to all such limitations and purchase of all applicable licenses.

d. For any trial copy of the Software, Customer’s right to use the Software expires 30 days after download, installation or use of the Software. Customer may operate the Software after the 30-day trial period only if Customer pays for a license to do so. Customer may not extend or create an additional trial period by re-installing the Software after the 30-day trial period.

e. The Global Enterprise Edition of the Steel-Belted Radius software may be used by Customer only to manage access to Customer’s enterprise network. Specifically, service provider customers are expressly prohibited from using the Global Enterprise Edition of the Steel-Belted Radius software to support any commercial network access services.

The foregoing license is not transferable or assignable by Customer. No license is granted herein to any user who did not originally purchase the applicable license(s) for the Software from Juniper or an authorized Juniper reseller.

4. Use Prohibitions. Notwithstanding the foregoing, the license provided herein does not permit the Customer to, and Customer agrees not to and shall not: (a) modify, unbundle, reverse engineer, or create derivative works based on the Software; (b) make unauthorized copies of the Software (except as necessary for backup purposes); (c) rent, sell, transfer, or grant any rights in and to any copy of the Software, in any form, to any third party; (d) remove any proprietary notices, labels, or marks on or in any copy of the Software or any product in which the Software is embedded; (e) distribute any copy of the Software to any third party, including as may be embedded in Juniper equipment sold in the secondhand market; (f) use any ‘locked’ or key-restricted feature, function, service, application, operation, or capability without first purchasing the applicable license(s) and obtaining a valid key from Juniper, even if such feature, function, service, application, operation, or capability is enabled without a key; (g) distribute any key for the Software provided by Juniper to any third party; (h) use the Software in any manner that extends or is broader than the uses purchased by Customer from Juniper or an authorized Juniper reseller; (i) use Embedded Software on non-Juniper equipment; (j) use Embedded Software (or make it available for use) on Juniper equipment that the Customer did not originally purchase from Juniper or an authorized Juniper reseller; (k) disclose the results of testing or benchmarking of the Software to any third party without the prior written consent of Juniper; or (l) use the Software in any manner other than as expressly provided herein.

5. Audit. Customer shall maintain accurate records as necessary to verify compliance with this Agreement. Upon request by Juniper, Customer shall furnish such records to Juniper and certify its compliance with this Agreement.

6. Confidentiality. The Parties agree that aspects of the Software and associated documentation are the confidential property of Juniper. As such, Customer shall exercise all reasonable commercial efforts to maintain the Software and associated documentation in confidence, which at a minimum includes restricting access to the Software to Customer employees and contractors having a need to use the Software for Customer’s internal business purposes.

7. Ownership. Juniper and Juniper’s licensors, respectively, retain ownership of all right, title, and interest (including copyright) in and to the Software, associated documentation, and all copies of the Software. Nothing in this Agreement constitutes a transfer or conveyance of any right, title, or interest in the Software or associated documentation, or a sale of the Software, associated documentation, or copies of the Software.

8. Warranty, Limitation of Liability, Disclaimer of Warranty. The warranty applicable to the Software shall be as set forth in the warranty statement that accompanies the Software (the “Warranty Statement”). Nothing in this Agreement shall give rise to any obligation to support the Software. Support services may be purchased separately. Any such support shall be governed by a separate, written support services agreement. TO THE MAXIMUM EXTENT PERMITTED BY LAW, JUNIPER SHALL NOT BE LIABLE FOR ANY LOST PROFITS, LOSS OF DATA, OR COSTS OR PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR FOR ANY SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, THE SOFTWARE, OR ANY JUNIPER OR JUNIPER-SUPPLIED SOFTWARE. IN NO EVENT SHALL JUNIPER BE LIABLE FOR DAMAGES ARISING FROM UNAUTHORIZED OR IMPROPER USE OF ANY JUNIPER OR JUNIPER-SUPPLIED SOFTWARE. EXCEPT AS EXPRESSLY PROVIDED IN THE WARRANTY STATEMENT TO THE EXTENT PERMITTED BY LAW, JUNIPER DISCLAIMS ANY AND ALL WARRANTIES IN AND TO THE SOFTWARE (WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE), INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT DOES JUNIPER WARRANT THAT THE SOFTWARE, OR ANY EQUIPMENT OR NETWORK RUNNING THE SOFTWARE, WILL OPERATE WITHOUT ERROR OR INTERRUPTION, OR WILL BE FREE OF VULNERABILITY TO INTRUSION OR ATTACK. In no event shall Juniper’s or its suppliers’ or licensors’ liability to Customer, whether in contract, tort (including negligence), breach of warranty, or otherwise, exceed the price paid by Customer for the Software that gave rise to the claim, or if the Software is embedded in another Juniper product, the price paid by Customer for such other product. Customer acknowledges and agrees that Juniper has set its prices and entered into this Agreement in reliance upon the disclaimers of warranty and the limitations of liability set forth herein, that the same reflect an allocation of risk between the Parties (including the risk that a contract remedy may fail of its essential purpose and cause consequential loss), and that the same form an essential basis of the bargain between the Parties.

9. Termination. Any breach of this Agreement or failure by Customer to pay any applicable fees due shall result in automatic termination of the license granted herein. Upon such termination, Customer shall destroy or return to Juniper all copies of the Software and related documentation in Customer’s possession or control.

10. Taxes. All license fees payable under this agreement are exclusive of tax. Customer shall be responsible for paying Taxes arising from the purchase of the license, or importation or use of the Software. If applicable, valid exemption documentation for each taxing jurisdiction shall be provided to Juniper prior to invoicing, and Customer shall promptly notify Juniper if their exemption is revoked or modified. All payments made by Customer shall be net of any applicable withholding tax. Customer will provide reasonable assistance to Juniper in connection with such withholding taxes by promptly: providing Juniper with valid tax receipts and other required documentation showing Customer’s payment of any withholding taxes; completing appropriate applications that would reduce the amount of withholding tax to be paid; and notifying and assisting Juniper in any audit or tax proceeding related to transactions hereunder. Customer shall comply with all applicable tax laws and regulations, and Customer will promptly pay or reimburse Juniper for all costs and damages related to any liability incurred by Juniper as a result of Customer’s non-compliance or delay with its responsibilities herein. Customer’s obligations under this Section shall survive termination or expiration of this Agreement.

11. Export. Customer agrees to comply with all applicable export laws and restrictions and regulations of any United States and any applicable foreign agency or authority, and not to export or re-export the Software or any direct product thereof in violation of any such restrictions, laws or regulations, or without all necessary approvals. Customer shall be liable for any such violations. The version of the Software supplied to Customer may contain encryption or other capabilities restricting Customer’s ability to export the Software without an export license.

12. Commercial Computer Software. The Software is “commercial computer software” and is provided with restricted rights. Use, duplication, or disclosure by the United States government is subject to restrictions set forth in this Agreement and as provided in DFARS 227.7201 through 227.7202-4, FAR 12.212, FAR 27.405(b)(2), FAR 52.227-19, or FAR 52.227-14(ALT III) as applicable.

13. Interface Information. To the extent required by applicable law, and at Customer's written request, Juniper shall provide Customer with the interface information needed to achieve interoperability between the Software and another independently created program, on payment of applicable fee, if any. Customer shall observe strict obligations of confidentiality with respect to such information and shall use such information in compliance with any applicable terms and conditions upon which Juniper makes such information available.

14. Third Party Software. Any licensor of Juniper whose software is embedded in the Software and any supplier of Juniper whose products or technology are embedded in (or services are accessed by) the Software shall be a third party beneficiary with respect to this Agreement, and such licensor or vendor shall have the right to enforce this Agreement in its own name as if it were Juniper. In addition, certain third party software may be provided with the Software and is subject to the accompanying license(s), if any, of its respective owner(s). To the extent portions of the Software are distributed under and subject to open source licenses obligating Juniper to make the source code for such portions publicly available (such as the GNU General Public License (“GPL”) or the GNU Library General Public License (“LGPL”)), Juniper will make such source code portions (including Juniper modifications, as appropriate) available upon request for a period of up to three years from the date of distribution. Such request can be made in writing to Juniper Networks, Inc., 1194 N. Mathilda Ave., Sunnyvale, CA 94089, ATTN: General Counsel. You may obtain a copy of the GPL at http://www.gnu.org/licenses/gpl.html, and a copy of the LGPL at http://www.gnu.org/licenses/lgpl.html.

15. Miscellaneous. This Agreement shall be governed by the laws of the State of California without reference to its conflicts of laws principles. The provisions of the U.N. Convention for the International Sale of Goods shall not apply to this Agreement. For any disputes arising under this Agreement, the Parties hereby consent to the personal and exclusive jurisdiction of, and venue in, the state and federal courts within Santa Clara County, California. This Agreement constitutes the entire and sole agreement between Juniper and the Customer with respect to the Software, and supersedes all prior and contemporaneous agreements relating to the Software, whether oral or written (including any inconsistent terms contained in a purchase order), except that the terms of a separate written agreement executed by an authorized Juniper representative and Customer shall govern to the extent such terms are inconsistent or conflict with terms contained herein. No modification to this Agreement nor any waiver of any rights hereunder shall be effective unless expressly assented to in writing by the party to be charged. If any portion of this Agreement is held invalid, the Parties agree that such invalidity shall not affect the validity of the remainder of this Agreement. This Agreement and associated documentation has been written in the English language, and the Parties agree that the English version will govern. (For Canada: Les parties aux présentes confirment leur volonté que cette convention de même que tous les documents y compris tout avis qui s'y rattache, soient rédigés en langue anglaise. (Translation: The parties confirm that this Agreement and all related documentation is and will be in the English language)).

Table of Contents

About This Topic Collection ix
    How to Use This Guide ix
    List of EX Series Guides for JUNOS Release 10.1 ix
    Downloading Software x
    Documentation Symbols Key xi
    Documentation Feedback xii
    Requesting Technical Support xiii
        Self-Help Online Tools and Resources xiii
        Opening a Case with JTAC xiii

Part 1 User Access and Management on EX Series Switches

Chapter 1 User Access and Management on EX Series Switches 3
    JUNOS Software—Overview 3
        EX Series Switch Software Features Overview 3
        Understanding Software Infrastructure and Processes 12
            Routing Engine and Packet Forwarding Engine 13
            JUNOS Software Processes 13
    Configuring User Access 14
        Configuring Management Access for the EX Series Switch (J-Web Procedure) 14
        Generating SSL Certificates to Be Used for Secure Web Access 17
    Monitoring the Switch, Users, and Traffic 18
        Managing Users (J-Web Procedure) 18
        Configuring MS-CHAPv2 to Provide Password-Change Support (CLI Procedure) 21
        Monitoring Hosts Using the J-Web Ping Host Tool 21
        Monitoring Switch Control Traffic 23
        Monitoring Network Traffic Using Traceroute 25
        Monitoring System Properties 27
        Monitoring System Process Information 28
    Configuration Statements for User and Access Management 30
        ftp 30
        http 31
        https 32
        local-certificate 33
        outbound-ssh 34
        port (HTTP/HTTPS) 37
        port (SRC Server) 38
        protocol-version 38
        root-login 39
        servers 40
        service-deployment 41
        session 42
        source-address (SRC Software) 43
        ssh 43
        telnet 44
        web-management 45

About This Topic Collection

■ How to Use This Guide on page ix

■ List of EX Series Guides for JUNOS Release 10.1 on page ix

■ Downloading Software on page x

■ Documentation Symbols Key on page xi

■ Documentation Feedback on page xii

■ Requesting Technical Support on page xiii

How to Use This Guide

Complete documentation for the EX Series product family is provided on webpages at http://www.juniper.net/techpubs/en_US/release-independent/information-products/pathway-pages/ex-series/product/index.html. We have selected content from these webpages and created a number of EX Series guides that collect related topics into a book-like format so that the information is easy to print and easy to download to your local computer.

The release notes are at http://www.juniper.net/techpubs/en_US/junos10.1/information-products/topic-collections/release-notes/10.1/junos-release-notes-10.1.pdf.

List of EX Series Guides for JUNOS Release 10.1

Title: Complete Hardware Guide for EX2200 Switches
Description: Component descriptions, site preparation, installation, replacement, and safety and compliance information for EX2200 switches

Title: Complete Hardware Guide for EX3200 and EX4200 Switches
Description: Component descriptions, site preparation, installation, replacement, and safety and compliance information for EX3200 and EX4200 switches

Title: Complete Hardware Guide for EX8208 Switches
Description: Component descriptions, site preparation, installation, replacement, and safety and compliance information for EX8208 switches

Title: Complete Hardware Guide for EX8216 Switches
Description: Component descriptions, site preparation, installation, replacement, and safety and compliance information for EX8216 switches

Title: Complete Software Guide for JUNOS® Software for EX Series Switches, Release 10.1
Description: Software feature descriptions, configuration examples, and tasks for JUNOS Software for EX Series switches

Title: Software Topic Collections
Description: Software feature descriptions, configuration examples and tasks, and reference pages for configuration statements and operational commands (This information also appears in the Complete Software Guide for JUNOS® Software for EX Series Switches, Release 10.1.)

The Software Topic Collections are:

■ JUNOS® Software for EX Series Switches, Release 10.1: Access Control

■ JUNOS® Software for EX Series Switches, Release 10.1: Alarms and System Log Messages

■ JUNOS® Software for EX Series Switches, Release 10.1: Configuration and File Management

■ JUNOS® Software for EX Series Switches, Release 10.1: Class of Service

■ JUNOS® Software for EX Series Switches, Release 10.1: Device Security

■ JUNOS® Software for EX Series Switches, Release 10.1: Ethernet Switching

■ JUNOS® Software for EX Series Switches, Release 10.1: Interfaces

■ JUNOS® Software for EX Series Switches, Release 10.1: Layer 3 Protocols

■ JUNOS® Software for EX Series Switches, Release 10.1: MPLS

■ JUNOS® Software for EX Series Switches, Release 10.1: Multicast

■ JUNOS® Software for EX Series Switches, Release 10.1: Network Management and Monitoring

■ JUNOS® Software for EX Series Switches, Release 10.1: Port Security

■ JUNOS® Software for EX Series Switches, Release 10.1: Routing Policy and Packet Filtering

■ JUNOS® Software for EX Series Switches, Release 10.1: Spanning-Tree Protocols

■ JUNOS® Software for EX Series Switches, Release 10.1: System Setup

■ JUNOS® Software for EX Series Switches, Release 10.1: User and Access Management

■ JUNOS® Software for EX Series Switches, Release 10.1: Virtual Systems

Downloading Software

You can download JUNOS Software for EX Series switches from the Download Software area at http://www.juniper.net/customers/support/ . To download the software, you must have a Juniper Networks user account. For information about obtaining an account, see http://www.juniper.net/entitlement/setupAccountInfo.do.

Documentation Symbols Key

Notice Icons

Icon: Informational note
Meaning: Indicates important features or instructions.

Icon: Caution
Meaning: Indicates a situation that might result in loss of data or hardware damage.

Icon: Warning
Meaning: Alerts you to the risk of personal injury or death.

Icon: Laser warning
Meaning: Alerts you to the risk of personal injury from a laser.

Text and Syntax Conventions

Convention: Bold text like this
Description: Represents text that you type.
Example: To enter configuration mode, type the configure command:
    user@host> configure

Convention: Fixed-width text like this
Description: Represents output that appears on the terminal screen.
Example:
    user@host> show chassis alarms
    No alarms currently active

Convention: Italic text like this
Description:
■ Introduces important new terms.
■ Identifies book names.
■ Identifies RFC and Internet draft titles.
Examples:
■ A policy term is a named structure that defines match conditions and actions.
■ JUNOS System Basics Configuration Guide
■ RFC 1997, BGP Communities Attribute

Convention: Italic text like this
Description: Represents variables (options for which you substitute a value) in commands or configuration statements.
Example: Configure the machine’s domain name:
    [edit]
    root@# set system domain-name domain-name

Convention: Plain text like this
Description: Represents names of configuration statements, commands, files, and directories; IP addresses; configuration hierarchy levels; or labels on routing platform components.
Examples:
■ To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
■ The console port is labeled CONSOLE.

Convention: < > (angle brackets)
Description: Enclose optional keywords or variables.
Example: stub <default-metric metric>;

Convention: | (pipe symbol)
Description: Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
Examples:
    broadcast | multicast
    (string1 | string2 | string3)

Convention: # (pound sign)
Description: Indicates a comment specified on the same line as the configuration statement to which it applies.
Example: rsvp { # Required for dynamic MPLS only

Convention: [ ] (square brackets)
Description: Enclose a variable for which you can substitute one or more values.
Example: community name members [ community-ids ]

Convention: Indention and braces ( { } )
Description: Identify a level in the configuration hierarchy.
Example:
    [edit]
    routing-options {
        static {
            route default {
                nexthop address;
                retain;
            }
        }
    }

Convention: ; (semicolon)
Description: Identifies a leaf statement at a configuration hierarchy level.
Example: see the retain; statement in the braces example above.

J-Web GUI Conventions

Convention: Bold text like this
Description: Represents J-Web graphical user interface (GUI) items you click or select.
Examples:
■ In the Logical Interfaces box, select All Interfaces.
■ To cancel the configuration, click Cancel.

Convention: > (bold right angle bracket)
Description: Separates levels in a hierarchy of J-Web selections.
Example: In the configuration editor hierarchy, select Protocols>Ospf.

Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. Send e-mail to [email protected] with the following:

■ Document URL or title

■ Page number if applicable

■ Software version

■ Your name and company

Requesting Technical Support

Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC.

■ JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/customers/support/downloads/7100059-EN.pdf.

■ Product warranties—For product warranty information, visit http://www.juniper.net/support/warranty/.

■ JTAC hours of operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

■ Find CSC offerings: http://www.juniper.net/customers/support/

■ Search for known bugs: http://www2.juniper.net/kb/

■ Find product documentation: http://www.juniper.net/techpubs/

■ Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/

■ Download the latest versions of software and review release notes: http://www.juniper.net/customers/csc/software/

■ Search technical bulletins for relevant hardware and software notifications: https://www.juniper.net/alerts/

■ Join and participate in the Juniper Networks Community Forum: http://www.juniper.net/company/communities/

■ Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.


■ Use the Case Management tool in the CSC at http://www.juniper.net/cm/ .

■ Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, see http://www.juniper.net/support/requesting support.html.


Part 1

User Access and Management on EX Series Switches

■ User Access and Management on EX Series Switches on page 3


Chapter 1

User Access and Management on EX Series Switches

■ JUNOS Software—Overview on page 3

■ Configuring User Access on page 14

■ Monitoring the Switch, Users, and Traffic on page 18

■ Configuration Statements for User and Access Management on page 30

JUNOS Software—Overview

■ EX Series Switch Software Features Overview on page 3

■ Understanding Software Infrastructure and Processes on page 12

EX Series Switch Software Features Overview

The following tables list the Juniper Networks EX Series Ethernet Switches software features and the Juniper Networks JUNOS Software release in which they were introduced:

■ Table 1 on page 4—Access Control Features

■ Table 2 on page 4—Administration Features

■ Table 3 on page 5—Class-of-Service (CoS) Features

■ Table 4 on page 5—High Availability and Resiliency Features

■ Table 5 on page 6—Interfaces Features

■ Table 6 on page 7—IP Address Management Features

■ Table 7 on page 7—IPv6 Features

■ Table 8 on page 7—Layer 2 Network Protocols Features

■ Table 9 on page 8—Layer 3 Protocols Features

■ Table 10 on page 10—MPLS Features

■ Table 11 on page 10—Multicast Features

■ Table 12 on page 11—Network Management and Monitoring Features


■ Table 13 on page 11—Port Security Features

■ Table 14 on page 12—System Management Features

Table 1: Access Control Features

Feature | EX2200 Switches | EX3200 and EX4200 Switches | EX8200 Switches
802.1X authentication | JUNOS 10.1R1 | JUNOS 9.0R2 | Not supported
Captive portal authentication | Not supported | JUNOS 10.1R1 | Not supported
Dynamic allocation of TCAM memory to firewall filters | Not supported | JUNOS 10.0R1 | Not supported
Dynamic firewall filters for 802.1X authentication | JUNOS 10.1R1 | JUNOS 9.0R2 | Not supported
Firewall filters and rate limiting | JUNOS 10.1R1 | JUNOS 9.0R2 | JUNOS 9.4R1
    For a list of supported firewall filter match conditions and actions, see Firewall Filter Match Conditions and Actions for EX Series Switches.
Firewall filters on LAGs | JUNOS 10.1R1 | JUNOS 9.0R2 | JUNOS 10.0R1
Firewall filter on loopback interface | JUNOS 10.1R1 | JUNOS 9.2R1 | JUNOS 9.6R1
Firewall filters with IPv6 | Not supported | JUNOS 10.1R1 | Not supported
MAC RADIUS authentication | JUNOS 10.1R1 | JUNOS 9.3R2 | Not supported
Policing | JUNOS 10.1R1 | JUNOS 9.0R2 | JUNOS 9.4R1
Server fail fallback | JUNOS 10.1R1 | JUNOS 9.3R2 | JUNOS 9.4R1
TACACS+ | JUNOS 10.1R1 | JUNOS 9.0R2 | JUNOS 9.4R1

Table 2: Administration Features

Feature | EX2200 Switches | EX3200 and EX4200 Switches | EX8200 Switches
Automatic software download | JUNOS 10.1R1 | JUNOS 9.6R1 | Not supported
System logging (syslog) over IPv6 | Not supported | JUNOS 9.3R2 | Not supported
System logging (syslog) over IPv4 | JUNOS 10.1R1 | JUNOS 9.0R2 | JUNOS 9.4R1
System snapshot | Not supported | JUNOS 10.0R1 | JUNOS 10.0R1


Table 3: Class-of-Service (CoS) Features

Feature | EX2200 Switches | EX3200 and EX4200 Switches | EX8200 Switches
Class of service (CoS)—Class-based queuing with prioritization | JUNOS 10.1R1 | JUNOS 9.0R2 | JUNOS 9.4R1
Class of service (CoS)—DSCP, IEEE 802.1p, and IP precedence packet rewrites on routed VLAN interfaces (RVIs) | Not supported | JUNOS 9.5R1 | Not supported
Class of service (CoS)—Interface-specific classifiers on routed VLAN interfaces (RVIs) | Not supported | JUNOS 9.4R1 | Not supported
Class of service (CoS) multidestination | Not applicable | Not applicable | JUNOS 9.5R1
Class-of-service (CoS) support on LAGs | JUNOS 10.1R1 | JUNOS 9.2R1 | JUNOS 9.4R1
Class-of-service (CoS) support on routed VLAN interfaces (RVIs) | Not supported | JUNOS 9.4R1 | JUNOS 9.4R1
Interface-specific CoS rewrite rules | Not supported | JUNOS 9.4R1 | Not supported
JUNOS EZQoS for CoS | JUNOS 10.1R1 | JUNOS 9.3R2 | JUNOS 9.4R1
Port shaping and queue shaping | JUNOS 10.1R1 | JUNOS 9.3R2 | JUNOS 10.1R1

Table 4: High Availability and Resiliency Features

Feature | EX2200 Switches | EX3200 and EX4200 Switches | EX8200 Switches
Graceful protocol restart for IS-IS | Not supported | JUNOS 9.3R2 | JUNOS 9.4R1
Graceful protocol restart for OSPF and BGP | Not supported | JUNOS 9.0R2 | JUNOS 9.4R1
Graceful Routing Engine switchover (GRES) for EX4200 Virtual Chassis configurations | Not applicable | JUNOS 9.1R1 (EX4200 only) | Not applicable
Graceful Routing Engine switchover (GRES) for ARP entries | Not supported | JUNOS 9.2R1 | JUNOS 9.4R1
Graceful Routing Engine switchover (GRES) for the forwarding database | Not supported | JUNOS 9.2R1 | JUNOS 9.4R1
Graceful Routing Engine switchover (GRES) for port security | Not supported | JUNOS 9.2R1 | JUNOS 9.6R1
Link aggregation control protocol (LACP) | JUNOS 10.1R1 | JUNOS 9.0R2 | JUNOS 9.4R1
Link aggregation control protocol (LACP) support for dual-homing applications in data centers | JUNOS 10.1R1 | JUNOS 10.0R1 | JUNOS 10.0R1
Link aggregation groups (LAGs) | JUNOS 10.1R1 | JUNOS 9.0R2 | JUNOS 9.4R1
Link aggregation groups (LAGs) over Virtual Chassis ports (VCPs) | Not applicable | JUNOS 9.6R1 (EX4200 only) | Not applicable
Redundant trunk groups | JUNOS 10.1R1 | JUNOS 9.0R2 | JUNOS 9.4R1


Table 4: High Availability and Resiliency Features (continued)

Feature | EX2200 Switches | EX3200 and EX4200 Switches | EX8200 Switches
Virtual Router Redundancy Protocol (VRRP) | Not supported | JUNOS 9.0R2 | JUNOS 9.4R1
Virtual Router Redundancy Protocol (VRRP) for IPv6 (except authentication type and authentication key) | Not supported | JUNOS 10.0R1 | JUNOS 10.1R1
Virtual Chassis | Not applicable | JUNOS 9.3R2 (EX4200 only) | Not applicable
    ■ Atomic software upgrade
    ■ Fast failover
    ■ Split and merge
Virtual Chassis | Not applicable | JUNOS 10.0R1 (EX4200 only) | Not applicable
    ■ Automatic software update on prospective member switches
    ■ Front-panel configuration of uplink module ports as Virtual Chassis ports (VCPs)
Virtual Chassis | Not applicable | JUNOS 9.5R1 (EX4200 only) | Not applicable
    ■ Autoprovisioning of Virtual Chassis ports (VCPs)
Virtual Chassis | Not applicable | JUNOS 9.2R1 (EX4200 only) | Not applicable
    ■ Support for SFP uplink module ports

Table 5: Interfaces Features

Feature | EX2200 Switches | EX3200 and EX4200 Switches | EX8200 Switches
Digital optical monitoring (DOM) | Not supported | JUNOS 10.0R1 | JUNOS 10.0R1
Interface-range support | JUNOS 10.1R1 | JUNOS 10.0R1 | JUNOS 10.0R1
Power over Ethernet (PoE) | JUNOS 10.1R1 | JUNOS 9.0R2 | Not applicable
Power over Ethernet (PoE) power management mode | JUNOS 10.1R1 | JUNOS 9.3R2 | Not supported
Unicast reverse-path forwarding (RPF) | Not supported | JUNOS 9.3R2 | JUNOS 10.1R1
VLAN-tagged Layer 3 subinterfaces | Not supported | JUNOS 9.2R1 | JUNOS 9.4R1


Table 6: IP Address Management Features

Feature | EX2200 Switches | EX3200 and EX4200 Switches | EX8200 Switches
DHCP server and relay with option 82 for Layer 2 VLANs | JUNOS 10.1R1 | JUNOS 9.3R2 | JUNOS 9.4R1
DHCPv6 and IPv6 DNS | Not supported | JUNOS 9.3R2 | Not supported
Local DHCP server | Not supported | JUNOS 9.3R2 | JUNOS 9.4R1
Static addresses | JUNOS 10.1R1 | JUNOS 9.0R2 | JUNOS 9.4R1

Table 7: IPv6 Features

Feature | EX2200 Switches | EX3200 and EX4200 Switches | EX8200 Switches
IPv6 (except multicast protocols) | Not supported | JUNOS 9.3R2 | Not supported
    A separate software license is required for IPv6. See Understanding Software Licenses for the EX Series Switch.
IPv6 multicast protocols | Not supported | JUNOS 10.1R1 | Not supported
    A separate software license is required for IPv6. See Understanding Software Licenses for the EX Series Switch.

Table 8: Layer 2 Network Protocols Features

Feature | EX2200 Switches | EX3200 and EX4200 Switches | EX8200 Switches
802.1Q VLAN tagging | JUNOS 10.1R1 | JUNOS 9.0R2 | JUNOS 9.4R1
BPDU protection for spanning-tree protocols | JUNOS 10.1R1 | JUNOS 9.1R1 | JUNOS 9.4R1
GARP VLAN Registration Protocol (GVRP) | Not supported | JUNOS 9.1R1 | JUNOS 9.4R1
Layer 2 protocol tunneling (L2PT) | Not supported | JUNOS 10.0 | Not supported
Link Layer Discovery Protocol (LLDP) | JUNOS 10.1R1 | JUNOS 9.0R2 | JUNOS 9.4R1
Link Layer Discovery Protocol-Media Endpoint Discovery (LLDP-MED) with voice over IP (VoIP) integration | JUNOS 10.1R1 | JUNOS 9.0R2 | Not supported
Loop protection for spanning-tree protocols | JUNOS 10.1R1 | JUNOS 9.1R1 | JUNOS 9.4R1
MAC-based VLAN | JUNOS 10.1R1 | JUNOS 9.2R1 | Not supported
Multiple VLAN Registration Protocol (MVRP) | Not supported | JUNOS 10.0R1 | JUNOS 10.0R1


Table 8: Layer 2 Network Protocols Features (continued)

Feature | EX2200 Switches | EX3200 and EX4200 Switches | EX8200 Switches
Private VLANs (PVLANs) | Not supported | JUNOS 9.3R2 | JUNOS 10.1R1
Proxy ARP—restricted | JUNOS 10.1R1 | JUNOS 10.0R1 | JUNOS 10.0R1
Proxy ARP—unrestricted | JUNOS 10.1R1 | JUNOS 9.6R1 | JUNOS 10.1R1
Proxy ARP per VLAN | JUNOS 10.1R1 | JUNOS 10.1R1 | JUNOS 10.1R1
Q-in-Q tunneling | Not supported | JUNOS 9.3R2 | Not supported
Q-in-Q VLAN extended support for multiple S-VLANs per access interface, firewall-filter-based VLAN assignment, and routed VLAN interfaces (RVIs) | Not supported | JUNOS 9.6R1 | Not supported
Root protection for spanning-tree protocols | JUNOS 10.1R1 | JUNOS 9.1R1 | JUNOS 9.4R1
Spanning tree | JUNOS 10.1R1 | JUNOS 9.0R2 | JUNOS 9.4R1
    ■ Spanning Tree Protocol (STP)
    ■ Rapid Spanning Tree Protocol (RSTP)
    ■ Multiple Spanning Tree Protocol (MSTP)
Spanning tree | JUNOS 10.1R1 | JUNOS 9.4R1 | JUNOS 9.6R1
    ■ VLAN Spanning Tree Protocol (VSTP)
Storm control | JUNOS 10.1R1 | JUNOS 9.1R1 | JUNOS 9.4R1
Unknown Layer 2 unicast forwarding | Not supported | JUNOS 9.3R2 | JUNOS 10.0R1
VLAN ID translation | Not supported | JUNOS 10.0R1 | Not supported
VLAN range | JUNOS 10.1R1 | JUNOS 9.2R1 | JUNOS 9.4R1

Table 9: Layer 3 Protocols Features

Feature | EX2200 Switches | EX3200 and EX4200 Switches | EX8200 Switches
Bidirectional Forwarding Detection (BFD) | Not supported | JUNOS 9.0R2 | JUNOS 9.4R1
Border Gateway Protocol (BGP) | Not supported | JUNOS 9.0R2 | JUNOS 9.4R1
    A separate software license is required for BGP and MBGP. See Understanding Software Licenses for the EX Series Switch.
Filter-based forwarding | Not supported | JUNOS 9.4R1 | JUNOS 9.6R1


Table 9: Layer 3 Protocols Features (continued)

Feature | EX2200 Switches | EX3200 and EX4200 Switches | EX8200 Switches
Intermediate System-to-Intermediate System (IS-IS) | Not supported | JUNOS 9.0R2 | JUNOS 9.4R1
    A separate software license is required for IS-IS. See Understanding Software Licenses for the EX Series Switch.
Internet Group Management Protocol (IGMP) version 1 (v1) and IGMPv2 | Not supported | JUNOS 9.0R2 | JUNOS 9.4R1
IGMPv3 | Not supported | JUNOS 9.3R2 | JUNOS 9.6R1
IPv6 protocols: Open Shortest Path First version 3 (OSPFv3), RIPng, IS-IS for IPv6, IPv6 BGP | Not supported | JUNOS 9.3R2 | JUNOS 10.1R1
Jumbo frames on routed VLAN interfaces (RVIs) | Not supported | JUNOS 9.4R1 | JUNOS 9.4R1
Multicast Source Discovery Protocol (MSDP) | Not supported | JUNOS 9.4R1 | JUNOS 9.4R1
    See the JUNOS Software Routing Protocols Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos101/index.html.
OSPF Multitopology Routing (MT-OSPF) | Not supported | JUNOS 9.5R1 | JUNOS 9.5R1
    See the JUNOS Software Routing Protocols Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos101/index.html.
OSPFv2 | Not supported | JUNOS 9.0R2 | JUNOS 9.4R1
Protocol Independent Multicast dense mode (PIM DM) | Not supported | JUNOS 9.2R1 | JUNOS 9.4R1
    See the JUNOS Software Multicast Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos101/index.html.
Protocol Independent Multicast source-specific multicast (PIM SSM) | Not supported | JUNOS 9.2R1 | Not supported
    See the JUNOS Software Multicast Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos101/index.html.
Protocol Independent Multicast sparse mode (PIM SM) | Not supported | JUNOS 9.0R2 | JUNOS 9.4R1
    See the JUNOS Software Multicast Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos101/index.html.
Routed VLAN interfaces (RVIs) | JUNOS 10.1R1 | JUNOS 9.0R2 | JUNOS 9.4R1
Routing Information Protocol version 1 (RIPv1) and RIPv2 | Not supported | JUNOS 9.0R2 | JUNOS 9.4R1


Table 9: Layer 3 Protocols Features (continued)

Feature | EX2200 Switches | EX3200 and EX4200 Switches | EX8200 Switches
Static routes | JUNOS 10.1R1 | JUNOS 9.0R2 | JUNOS 9.4R1
Virtual routing and forwarding (VRF) with IPv4—virtual routing instances | Not supported | JUNOS 9.2R1 | JUNOS 9.6R1
Virtual routing and forwarding (VRF) with IPv4—virtual routing instances for multicast traffic | Not supported | JUNOS 10.0R1 | JUNOS 10.0R1
Virtual routing and forwarding (VRF) with IPv6—virtual routing instances for unicast traffic | Not supported | JUNOS 10.1R1 | JUNOS 10.1R1

Table 10: MPLS Features

Feature | EX2200 Switches | EX3200 and EX4200 Switches | EX8200 Switches
MPLS with RSVP-based label switched paths (LSPs) and MPLS-based circuit cross-connects (CCCs) | Not supported | JUNOS 9.5R1 | Not supported
    A separate software license is required for MPLS. See Understanding Software Licenses for the EX Series Switch.
MPLS with class of service (CoS) and IP over MPLS | Not supported | JUNOS 10.1R1 | Not supported

Table 11: Multicast Features

Feature | EX2200 Switches | EX3200 and EX4200 Switches | EX8200 Switches
IGMPv1/v2 snooping | JUNOS 10.1R1 | JUNOS 9.1R1 | JUNOS 9.4R1
IGMP snooping with routed VLAN interfaces (RVIs) | JUNOS 10.1R1 | JUNOS 9.2R1 | JUNOS 9.4R1
IGMPv3 snooping | JUNOS 10.1R1 | JUNOS 9.6R1 | JUNOS 9.6R1
Multicast VLAN registration (MVR) | Not supported | JUNOS 9.6R1 | Not supported
Single-source multicast | Not supported | JUNOS 9.0R2 | JUNOS 9.4R1


Table 12: Network Management and Monitoring Features

Feature | EX2200 Switches | EX3200 and EX4200 Switches | EX8200 Switches
Ethernet OAM link fault management (LFM) | Not supported | JUNOS 9.4R1 | JUNOS 10.0R1
Port mirroring | JUNOS 10.1R1 | JUNOS 9.0R2 | JUNOS 9.4R1
Port mirroring enhancements | Not supported | JUNOS 9.5R1 | JUNOS 9.5R1
    ■ Layer 3 interface support
    ■ Multiple VLAN support
Port mirroring enhancements | Not supported | JUNOS 10.0R1 | Not supported
    ■ Support for setting ingress-only and egress-only attributes on members of a VLAN to avoid the flooding of mirrored traffic to the member interfaces of a VLAN in the intermediate switch
Real-time performance monitoring (RPM) | JUNOS 10.1R1 | JUNOS 9.3R2 | Not supported
RMON | JUNOS 10.1R1 | JUNOS 9.0R2 | JUNOS 9.4R1
sFlow monitoring technology | Not supported | JUNOS 9.3R2 | JUNOS 10.0R1
Simple Network Management Protocol version 1 (SNMPv1), SNMPv2, and SNMPv3 | JUNOS 10.1R1 | JUNOS 9.0R2 | JUNOS 9.4R1

Table 13: Port Security Features

Feature | EX2200 Switches | EX3200 and EX4200 Switches | EX8200 Switches
Automatic recovery for port error disable conditions | Not supported | JUNOS 9.6R1 | JUNOS 10.0R1
DHCP option 82 | JUNOS 10.1R1 | JUNOS 9.3R2 | Not supported
DHCP snooping | JUNOS 10.1R1 | JUNOS 9.0R2 | Not supported
Dynamic ARP inspection (DAI) | JUNOS 10.1R1 | JUNOS 9.0R2 | Not supported
IP source guard | JUNOS 10.1R1 | JUNOS 9.2R1 | Not supported
MAC limiting | JUNOS 10.1R1 | JUNOS 9.0R2 | Not supported
MAC move limiting | JUNOS 10.1R1 | JUNOS 9.0R2 | Not supported
Persistent storage for DHCP snooping | Not supported | JUNOS 9.4R1 | Not supported
Static ARP support | JUNOS 10.1R1 | JUNOS 9.0R2 | JUNOS 9.4R1

Table 14: System Management Features

Feature | EX2200 Switches | EX3200 and EX4200 Switches | EX8200 Switches
Autoinstallation | JUNOS 10.1R1 | JUNOS 9.4R1 | Not supported
Configuration rollback | JUNOS 10.1R1 | JUNOS 9.0R2 | JUNOS 9.4R1
IP directed broadcast | Not supported | JUNOS 9.4R1 | JUNOS 9.4R1
J-Web interface, for switch configuration and management | JUNOS 10.1R1 | JUNOS 9.0R2 | JUNOS 9.4R1
Online insertion and removal (OIR) of uplink modules | Not applicable | JUNOS 10.0R1 | Not applicable

Related Topics

■ High Availability Features for EX Series Switches Overview

■ Layer 3 Protocols Supported on EX Series Switches

■ Layer 3 Protocols Not Supported on EX Series Switches

■ EX2200 Switches Hardware Overview

■ EX3200 and EX4200 Switches Hardware Overview

■ EX8208 Switch Hardware Overview

■ EX8216 Switch Hardware Overview

Understanding Software Infrastructure and Processes

Each switch runs the Juniper Networks JUNOS Software for Juniper Networks EX Series Ethernet Switches on its general-purpose processors. JUNOS Software includes processes for Internet Protocol (IP) routing and for managing interfaces, networks, and the chassis.

The JUNOS Software runs on the Routing Engine. The Routing Engine kernel coordinates communication among the JUNOS Software processes and provides a link to the Packet Forwarding Engine.

With the J-Web interface and the command-line interface (CLI) to the JUNOS Software, you configure switching features and routing protocols and set the properties of network interfaces on your switch. After activating a software configuration, use either the J-Web or CLI user interface to monitor the switch, manage operations, and diagnose protocol and network connectivity problems.

■ Routing Engine and Packet Forwarding Engine on page 13

■ JUNOS Software Processes on page 13


Routing Engine and Packet Forwarding Engine

A switch has two primary software processing components:

■ Packet Forwarding Engine—Processes packets; applies filters, routing policies, and other features; and forwards packets to the next hop along the route to their final destination.

■ Routing Engine—Provides three main functions:

■ Creates the packet forwarding switch fabric for the switch, providing route lookup, filtering, and switching on incoming data packets, then directing outbound packets to the appropriate interface for transmission to the network.

■ Maintains the routing tables used by the switch and controls the routing protocols that run on the switch.

■ Provides control and monitoring functions for the switch, including controlling power and monitoring system status.

JUNOS Software Processes

The JUNOS Software running on the Routing Engine and Packet Forwarding Engine consists of multiple processes that are responsible for individual functions.

The separation of functions provides operational stability, because each process accesses its own protected memory space. In addition, because each process is a separate software package, you can selectively upgrade all or part of the JUNOS Software, for added flexibility.

Table 15 on page 13 describes the primary JUNOS Software processes.

Table 15: JUNOS Software Processes

Process: Chassis process
Name: chassisd
Description:
    Detects hardware on the system that is used to configure network interfaces.
    Monitors the physical status of hardware components and field-replaceable units (FRUs), detecting when environment sensors such as temperature sensors are triggered.
    Relays signals and interrupts—for example, when devices are taken offline, so that the system can close sessions and shut down gracefully.

Process: Ethernet switching process
Name: eswd
Description: Handles Layer 2 switching functionality such as MAC address learning, Spanning Tree protocol, and access port security. The process is also responsible for managing Ethernet switching interfaces, VLANs, and VLAN interfaces.

Process: Forwarding process
Name: pfem
Description: Defines how routing protocols operate on the switch. The overall performance of the switch is largely determined by the effectiveness of the forwarding process.


Table 15: JUNOS Software Processes (continued)

Process: Interface process
Name: dcd
Description: Configures and monitors network interfaces by defining physical characteristics such as link encapsulation, hold times, and keepalive timers.

Process: Management process
Name: mgd
Description:
    Provides communication between the other processes and an interface to the configuration database.
    Populates the configuration database with configuration information and retrieves the information when queried by other processes to ensure that the system operates as configured.
    Interacts with the other processes when commands are issued through one of the user interfaces on the switch.
    If a process terminates or fails to start when called, the management process attempts to restart it a limited number of times to prevent thrashing and logs any failure information for further investigation.

Process: Routing protocol process
Name: rpd
Description: Defines how routing protocols such as RIP, OSPF, and BGP operate on the device, including selecting routes and maintaining forwarding tables.

Related Topics

■ For more information about processes, see the JUNOS Network Operations Guide at http://www.juniper.net/techpubs/software/junos/junos90/index.html.

■ For more information about basic system parameters, supported protocols, and software processes, see the JUNOS System Basics Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos94/index.html.

Configuring User Access

■ Configuring Management Access for the EX Series Switch (J-Web Procedure) on page 14

■ Generating SSL Certificates to Be Used for Secure Web Access on page 17

Configuring Management Access for the EX Series Switch (J-Web Procedure)

You can manage an EX Series switch remotely through the J-Web interface. To communicate with the switch, the J-Web interface uses Hypertext Transfer Protocol (HTTP). HTTP allows easy Web access but no encryption. The data that is transmitted between the Web browser and the switch by means of HTTP is vulnerable to interception and attack. To enable secure Web access, the switch supports HTTP over Secure Sockets Layer (HTTPS). You can enable HTTP or HTTPS access on specific interfaces and ports as needed.

Navigate to the Secure Access Configuration page by selecting Configure>System Properties>Management Access. On this page, you can enable HTTP and HTTPS access on interfaces for managing the EX Series switch through the J-Web interface. You can also install SSL certificates and enable JUNOScript over SSL with the Secure Access page.


1. Click Edit to modify the configuration. Enter information into the Management Access Configuration page, as described in Table 16 on page 15.

2. To verify that Web access is enabled correctly, connect to the switch using the appropriate method:

■ For HTTP access—In your Web browser, type http://URL or http://IP address.

■ For HTTPS access—In your Web browser, type https://URL or https://IP address.

■ For SSL JUNOScript access—To use this option, you must have a JUNOScript client such as JUNOScope. For information about how to log in to JUNOScope, see the JUNOScope Software User Guide.

Table 16: Secure Management Access Configuration Summary

Management Access tab

Field: Management Port IP/Management Port IPv6
Function: Specifies the management port IP address. The software supports both IPv4 (displayed as IP) and IPv6 addresses.
    NOTE: IPv6 is not supported on EX8200 switches.
Your Action:
    To specify an IPv4 address:
    1. Select the check box IPv4 address.
    2. Type an IP address—for example: 10.10.10.10.
    3. Enter the subnet mask or address prefix. For example, 24 bits represents 255.255.255.0.
    4. Click OK.
    To specify an IPv6 address:
    1. Select the check box IPv6 address.
    2. Type an IP address—for example: 2001:ab8:85a3::8a2e:370:7334.
    3. Enter the subnet mask or address prefix.
    4. Click OK.

Field: Default Gateway
Function: Defines a default gateway through which to direct packets addressed to networks that are not explicitly listed in the bridge table constructed by the switch.
Your Action: For the IPv4 address type, type a 32-bit IP address in dotted decimal notation. For the IPv6 address type, type a 128-bit IP address.

Field: Loopback address
Function: Specifies the IP address of the loopback interface.
Your Action: Type an IP address.

Field: Subnet Mask
Function: Specifies the subnet mask for the loopback interface.
Your Action: Enter the subnet mask or address prefix.

Services tab

Field: Services
Function: Specifies services to be enabled: telnet and SSH.
Your Action: Select to enable the required services.


Table 16: Secure Management Access Configuration Summary (continued)

Field: Enable JUNOScript over Clear Text
Function: Enables clear text access to the JUNOScript XML scripting API.
Your Action: To enable clear text access, select the Enable JUNOScript over Clear Text check box.

Field: Enable JUNOScript over SSL
Function: Enables secure SSL access to the JUNOScript XML scripting API.
Your Action: To enable SSL access, select the Enable JUNOScript over SSL check box.

Field: JUNOScript Certificate
Function: Specifies SSL certificates to be used for encryption. This field is available only after you create at least one SSL certificate.
Your Action: To enable an SSL certificate, select a certificate from the JUNOScript SSL Certificate list—for example, new.

Field: Enable HTTP
Function: Enables HTTP access on interfaces.
Your Action: To enable HTTP access, select the Enable HTTP access check box. Select and clear interfaces by clicking the direction arrows:
    ■ To enable HTTP access on an interface, add the interface to the HTTP Interfaces list. You can either select all interfaces or specific interfaces.

Field: Enable HTTPS
Function: Enables HTTPS access on interfaces.
Your Action: To enable HTTPS access, select the Enable HTTPS access check box. Select and deselect interfaces by clicking the direction arrows:
    ■ To enable HTTPS access on an interface, add the interface to the HTTPS Interfaces list. You can either select all interfaces or specific interfaces.
    NOTE: Specify the certificate to be used for HTTPS access.

Certificates tab


Table 16: Secure Management Access Configuration Summary (continued)

Field: Certificates
Function: Displays digital certificates required for SSL access to the switch. Allows you to add and delete SSL certificates.
Your Action:
    To add a certificate:
    1. Have a general SSL certificate available. See Generating SSL Certificates for more information.
    2. Click Add. The Add a Local Certificate page opens.
    3. Type a name in the Certificate Name box—for example, new.
    4. Open the certificate file and copy its contents.
    5. Paste the generated certificate and RSA private key in the Certificate box.
    To edit a certificate, select it and click Edit.
    To delete a certificate, select it and click Delete.

Related Topics

■ Security Features for EX Series Switches Overview

■ Understanding J-Web User Interface Sessions

Generating SSL Certificates to Be Used for Secure Web Access

You can set up secure Web access for an EX Series switch. To enable secure Web access, you must generate a digital Secure Sockets Layer (SSL) certificate and then enable HTTPS access on the switch.

To generate an SSL certificate:

1. Enter the following openssl command in your SSH command-line interface on a BSD or Linux system on which openssl is installed. The openssl command generates a self-signed SSL certificate in the privacy-enhanced mail (PEM) format. It writes the certificate and an unencrypted 1024-bit RSA private key to the specified file.

% openssl req -x509 -nodes -newkey rsa:1024 -keyout filename.pem -out filename.pem

where filename is the name of a file in which you want the SSL certificate to be written—for example, my-certificate.

2. When prompted, type the appropriate information in the identification form. For example, type US for the country name.

3. Display the contents of the file that you created.

cat my-certificate.pem


You can use the J-Web Configuration page to install the SSL certificate on the switch. To do this, copy the file containing the certificate from the BSD or Linux system to the switch. Then open the file, copy its contents, and paste them into the Certificate box on the J-Web Secure Access Configuration page.

You can also use the following CLI statement to install the SSL certificate on the switch:

[edit]
user@switch# set security certificates local my-signed-cert load-key-file my-certificate.pem
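The following script is an added example and is not part of the Juniper guide. It automates the three steps above and then checks the resulting file before it is pasted into the J-Web Certificate box or loaded with the load-key-file statement: the PEM file must contain both the certificate and its private key, and the two must belong together, because a file with only the certificate (the usual result of an incomplete copy and paste) is rejected by the switch. It assumes openssl is on the PATH; the subject fields and file names are constructed placeholders, and it uses a 2048-bit RSA key where the guide shows rsa:1024.

```shell
#!/bin/sh
# Added example (not from the Juniper guide): generate the self-signed
# certificate-plus-key PEM file described in the procedure above and verify
# it before installing it on the switch.
# Assumptions: openssl is installed; the subject and file names below are
# constructed placeholders; rsa:2048 is used instead of the guide's rsa:1024.

# gen_cert FILE [DAYS]: write the private key and then the certificate into
# FILE, the single-file layout produced by giving -keyout and -out the same name.
gen_cert() {
    file=$1
    days=${2:-365}
    # -nodes leaves the key unencrypted (the switch cannot prompt for a
    # passphrase); -subj fills in the identification form non-interactively.
    openssl req -x509 -nodes -newkey rsa:2048 -days "$days" \
        -subj "/C=US/O=Example Corp/CN=switch.example.net" \
        -keyout "$file" -out "$file" 2>/dev/null
}

# check_pem FILE: succeed only if FILE holds exactly one certificate and one
# private key, and the key's public half matches the certificate's.
check_pem() {
    file=$1
    [ -f "$file" ] || return 1
    certs=$(grep -c 'BEGIN CERTIFICATE' "$file" || true)
    keys=$(grep -c 'BEGIN.*PRIVATE KEY' "$file" || true)
    [ "$certs" -eq 1 ] && [ "$keys" -eq 1 ] || return 1
    # Both commands read their object out of the combined file; the derived
    # public keys must be identical for the pair to be usable.
    cert_pub=$(openssl x509 -in "$file" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$file" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_fingerprint FILE: print the SHA-256 fingerprint so the administrator can
# compare it with the one the browser shows on the first HTTPS connection to
# the switch (a self-signed certificate is not trusted by the browser on its own).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null
}

# Stand-alone use: sh gen-switch-cert.sh my-certificate.pem
if [ $# -ge 1 ]; then
    gen_cert "$1" 365 || { echo "certificate generation failed" >&2; exit 1; }
    check_pem "$1" || { echo "$1 does not contain a matching certificate and key" >&2; exit 1; }
    cert_fingerprint "$1"
fi
```

Because of -nodes the file carries the private key in the clear; it is exactly what the Certificate box expects, so treat the file as a secret, copy it over SSH (as the guide does), and delete the working copy once the certificate has been installed.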

Related Topics

■ Configuring Management Access for the EX Series Switch (J-Web Procedure) on page 14

■ Security Features for EX Series Switches Overview

Monitoring the Switch, Users, and Traffic

■ Managing Users (J-Web Procedure) on page 18

■ Configuring MS-CHAPv2 to Provide Password-Change Support (CLI Procedure) on page 21

■ Monitoring Hosts Using the J-Web Ping Host Tool on page 21

■ Monitoring Switch Control Traffic on page 23

■ Monitoring Network Traffic Using Traceroute on page 25

■ Monitoring System Properties on page 27

■ Monitoring System Process Information on page 28

Managing Users (J-Web Procedure)

You can use the Users Configuration page for user information to add new users to a switching platform. For each account, you define a login name and password for the user and specify a login class for access privileges.

To configure users:

1. In the J-Web interface, select Configure>System Properties>User Management.

The User Management page displays details of users, the authentication order, and the RADIUS servers and TACACS servers present.

2. Click Edit.

3. Click any of the following options on the Users tab:

■ Add—Select this option to add a user. Enter details as described in Table 17 on page 19.

■ Edit—Select this option to edit an existing user's details. Enter details as described in Table 17 on page 19.


■ Delete—Select this option to delete a user.

4. Click any desired option on the Authentication Methods and Order tab:

■ Authentication Order—Drag and drop the authentication type from the Available Methods section to the Selected Methods. Click the up or down buttons to modify the authentication order.

■ RADIUS server—Click one:

■ Add—Select this option to add an authentication server. Enter details as described in Table 18 on page 20.

■ Edit—Select this option to modify the authentication server details. Enter details as described in Table 18 on page 20.

■ Delete—Select this option to delete an authentication server from the list.

■ TACACS server—Click one:

■ Add—Select this option to add an authentication server. Enter details as described in Table 18 on page 20.

■ Edit—Select this option to modify the authentication server details. Enter details as described in Table 18 on page 20.

■ Delete—Select this option to delete an authentication server from the list.

Table 17: User Management > Add a User Configuration Page Summary

User Information

Field: Username (required)
Function: Specifies the name that identifies the user.
Your Action: Type the username. It must be unique within the switching platform. Do not include spaces, colons, or commas in the username.

Field: User Id
Function: Specifies the user identification.
Your Action: Type the user's ID.

Field: Full Name
Function: Specifies the user's full name.
Your Action: Type the user's full name. If the full name contains spaces, enclose it in quotation marks. Do not include colons or commas.

Field: Login Class (required)
Function: Defines the user's access privilege.
Your Action: Select the user's login class from the list:
■ operator
■ read-only
■ super-user/superuser
■ unauthorized
This list also includes any user-defined login classes.


Field: Password
Function: Specifies the login password for this user.
Your Action: Type the login password for this user. The login password must meet these criteria:
■ The password must be at least 6 characters long.
■ It can include alphabetic, numeric, and special characters, but not control characters.
■ It must contain at least one change of case or character class.

Field: Confirm Password
Function: Verifies the login password for this user.
Your Action: Retype the login password for this user.
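The three password criteria from Table 17, applied to a proposed password before it is entered in the form, as an added example that is not part of the Juniper document. The page does not say how the switch counts a "change of case or character class", so the check below treats every transition between adjacent characters of different classes (upper, lower, digit, special) as one change; that counting rule, the class names and the function names are assumptions.

```python
"""Check a proposed login password against the Table 17 criteria.

Added example, not part of the Juniper document. Counting a "change" as a
transition between adjacent characters of different classes is an assumption.
"""
import unicodedata

MIN_LENGTH = 6  # the documented minimum


def char_class(ch):
    """Classify one character; control characters get their own class so they can be rejected."""
    if unicodedata.category(ch).startswith("C"):  # Cc, Cf, Co, Cn: control and similar
        return "control"
    if ch.isdigit():
        return "digit"
    if ch.isalpha():
        return "upper" if ch.isupper() else "lower"
    return "special"


def password_violations(password):
    """Return the list of criteria the password fails; an empty list means it passes."""
    violations = []
    classes = [char_class(ch) for ch in password]
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if "control" in classes:
        violations.append("contains control characters")
    # Upper and lower case are separate classes, so "Abcdef" counts as one change
    # while "abcdef" counts as none.
    changes = sum(1 for a, b in zip(classes, classes[1:]) if a != b)
    if changes < 1:
        violations.append("no change of case or character class")
    return violations


def is_acceptable(password):
    """True when the password meets all three Table 17 criteria."""
    return not password_violations(password)


if __name__ == "__main__":
    for candidate in ("abcdef", "abcde1", "Abcdef", "p@ssw0rd"):
        print(repr(candidate), password_violations(candidate) or "ok")
```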

Table 18: Add an Authentication Server

Field: IP Address
Function: Specifies the IP address of the server.
Your Action: Type the server's 32-bit IP address, in dotted decimal notation.

Field: Password
Function: Specifies the password of the server.
Your Action: Type the password of the server.

Field: Confirm Password
Function: Verifies that the password of the server is entered correctly.
Your Action: Retype the password of the server.

Field: Server Port
Function: Specifies the port with which the server is associated.
Your Action: Type the port number.

Field: Source Address
Function: Specifies the source address of the server.
Your Action: Type the server's 32-bit IP address, in dotted decimal notation.

Field: Retry Attempts
Function: Specifies the number of login retries allowed after a login failure.
Your Action: Type the number.
NOTE: Only 1 retry is permitted for a TACACS server.

Field: Time out
Function: Specifies the time interval to wait before the connection to the server is closed.
Your Action: Type the interval in seconds.


Related Topics ■ Configuring Management Access for the EX Series Switch (J-Web Procedure) on page 14

Configuring MS-CHAPv2 to Provide Password-Change Support (CLI Procedure)

JUNOS Software for EX Series switches enables you to configure the Microsoft Corporation implementation of the Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2) on the switch to provide password-change support. Configuring MS-CHAPv2 on the switch provides users accessing a switch the option of changing the password when the password expires, is reset, or is configured to be changed at next login.

See RFC 2433, Microsoft PPP CHAP Extensions, for information about MS-CHAP.

Before you configure MS-CHAPv2 to provide password-change support, ensure that you have:

■ Configured RADIUS server authentication. Configure users on the authentication server and set the first-tried option in the authentication order to radius. See Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch.

To configure MS-CHAPv2, specify the following:

[edit system radius-options]
user@switch# set password-protocol mschap-v2

You must have the required access permission on the switch in order to change your password.

Related Topics ■ Managing Users (J-Web Procedure) on page 18

■ For more about configuring user access, see the JUNOS Software Access Privilege Configuration Guide

Monitoring Hosts Using the J-Web Ping Host Tool

Purpose Use the J-Web ping host tool to verify that the host can be reached over the network. The output is useful for diagnosing host and network connectivity problems. The switch sends a series of ICMP echo (ping) requests to a specified host and receives ICMP echo responses.

Action To use the J-Web ping host tool:

1. Select Troubleshoot>Ping Host.

2. Next to Advanced options, click the expand icon.

3. Enter information into the Ping Host page, as described in Table 19 on page 22.

The Remote Host field is the only required field.


4. Click Start.

The results of the ping operation are displayed in the main pane. If no options are specified, each ping response is in the following format:

bytes bytes from ip-address: icmp_seq=number ttl=number time=time

5. To stop the ping operation before it is complete, click OK.

Meaning Table 19 on page 22 lists the fields.
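A parser for the response lines in the format shown in step 4, as an added example that is not part of the Juniper document. It turns the main-pane text into per-reply records and derives what the raw lines do not show directly: which sequence numbers never answered (when the Count value is supplied, losses at the end of the run are detected too), round-trip statistics, and whether the TTL changed mid-run, which usually indicates a path change. The sample output is constructed and the function names are assumptions.

```python
"""Parse the per-response lines of the J-Web ping host output.

Added example, not part of the Juniper document. The sample lines are
constructed to follow the documented format:
    bytes bytes from ip-address: icmp_seq=number ttl=number time=time
"""
import re

PING_LINE = re.compile(
    r"^(?P<bytes>\d+) bytes from (?P<ip>\S+?): "
    r"icmp_seq=(?P<seq>\d+) ttl=(?P<ttl>\d+) time=(?P<ms>[0-9.]+)\s*ms"
)

# Constructed sample output: sequence number 2 never came back.
SAMPLE_OUTPUT = """\
PING 10.1.40.48 (10.1.40.48): 56 data bytes
64 bytes from 10.1.40.48: icmp_seq=0 ttl=64 time=0.412 ms
64 bytes from 10.1.40.48: icmp_seq=1 ttl=64 time=0.398 ms
64 bytes from 10.1.40.48: icmp_seq=3 ttl=64 time=1.205 ms
"""


def parse_ping(text):
    """Return one dict per response line; banner and summary lines are ignored."""
    replies = []
    for line in text.splitlines():
        m = PING_LINE.match(line.strip())
        if m:
            replies.append({
                "bytes": int(m["bytes"]),
                "ip": m["ip"],
                "seq": int(m["seq"]),
                "ttl": int(m["ttl"]),
                "ms": float(m["ms"]),
            })
    return replies


def summarize(replies, sent=None):
    """Round-trip statistics plus the sequence numbers that never answered.

    `sent` is the Count field value. If it is not given, the highest sequence
    number seen is taken as the last request sent, so losses after the final
    reply cannot be seen.
    """
    if not replies:
        return {"sent": sent or 0, "received": 0, "lost_seqs": list(range(sent or 0)),
                "min_ms": None, "avg_ms": None, "max_ms": None, "ttls": []}
    seen = {r["seq"] for r in replies}
    if sent is None:
        sent = max(seen) + 1
    times = [r["ms"] for r in replies]
    return {
        "sent": sent,
        "received": len(replies),
        "lost_seqs": [s for s in range(sent) if s not in seen],
        "min_ms": min(times),
        "avg_ms": sum(times) / len(times),
        "max_ms": max(times),
        # More than one TTL value across replies usually means the path changed.
        "ttls": sorted({r["ttl"] for r in replies}),
    }


if __name__ == "__main__":
    print(summarize(parse_ping(SAMPLE_OUTPUT), sent=5))
```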

Table 19: J-Web Ping Host Field Summary

Field: Remote Host
Function: Identifies the host to ping.
Your Action: Type the hostname or IP address of the host to ping.

Advanced Options

Field: Don't Resolve Addresses
Function: Determines whether to display hostnames of the hops along the path.
Your Action:
■ To suppress the display of the hop hostnames, select the check box.
■ To display the hop hostnames, clear the check box.

Field: Interface
Function: Specifies the interface on which the ping requests are sent.
Your Action: Select the interface on which ping requests are sent from the list. If you select any, the ping requests are sent on all interfaces.

Field: Count
Function: Specifies the number of ping requests to send.
Your Action: Select the number of ping requests to send from the list.

Field: Don't Fragment
Function: Specifies the Don't Fragment (DF) bit in the IP header of the ping request packet.
Your Action:
■ To set the DF bit, select the check box.
■ To clear the DF bit, clear the check box.

Field: Record Route
Function: Sets the record route option in the IP header of the ping request packet. The path of the ping request packet is recorded within the packet and displayed in the main pane.
Your Action:
■ To record and display the path of the packet, select the check box.
■ To suppress the recording and display of the path of the packet, clear the check box.

Field: Type-of-Service
Function: Specifies the type-of-service (TOS) value in the IP header of the ping request packet.
Your Action: Select the decimal value of the TOS field from the list.

Field: Routing Instance
Function: Name of the routing instance for the ping attempt.
Your Action: Select the routing instance name from the list.

Field: Interval
Function: Specifies the interval, in seconds, between transmissions of individual ping requests.
Your Action: Select the interval from the list.

Field: Packet Size
Function: Specifies the size of the ping request packet.
Your Action: Type the size, in bytes, of the packet. The size can be from 0 through 65468. The switch adds 8 bytes of ICMP header to the size.

Field: Source Address
Function: Specifies the source address of the ping request packet.
Your Action: Type the source IP address.

Field: Time-to-Live
Function: Specifies the time-to-live (TTL) hop count for the ping request packet.
Your Action: Select the TTL value from the list.


Field: Bypass Routing
Function: Determines whether ping requests are routed by means of the routing table. If the routing table is not used, ping requests are sent only to hosts on the interface specified in the Interface box. If the host is not on that interface, ping responses are not sent.
Your Action:
■ To bypass the routing table and send the ping requests to hosts on the specified interface only, select the check box.
■ To route the ping requests using the routing table, clear the check box.

Related Topics ■ Monitoring Interface Status and Traffic

Monitoring Switch Control Traffic

Purpose Use the packet capture feature when you need to quickly capture and analyze switch control traffic on a switch. The packet capture feature allows you to capture traffic destined for or originating from the Routing Engine.

Action To use the packet capture feature in the J-Web interface, select Troubleshoot>Packet Capture.

To use the packet capture feature in the CLI, enter the following CLI command:

monitor traffic

Meaning You can use the packet capture feature to compose expressions with various matching criteria to specify the packets that you want to capture. You can decode and view the captured packets in the J-Web interface as they are captured. The packet capture feature does not capture transient traffic.

Table 20: Packet Capture Field Summary

Field: Interface
Function: Specifies the interface on which the packets are captured. If you select default, packets on the Ethernet management port 0 are captured.
Your Action: From the list, select an interface—for example, ge-0/0/0.

Field: Detail level
Function: Specifies the extent of details to be displayed for the packet headers.
■ Brief—Displays the minimum packet header information. This is the default.
■ Detail—Displays packet header information in moderate detail.
■ Extensive—Displays the maximum packet header information.
Your Action: From the list, select Detail.


Field: Packets
Function: Specifies the number of packets to be captured. Values range from 1 to 1000. Default is 10. Packet capture stops capturing packets after this number is reached.
Your Action: From the list, select the number of packets to be captured—for example, 10.

Field: Addresses
Function: Specifies the addresses to be matched for capturing the packets using a combination of the following parameters:
■ Direction—Matches the packet headers for IP address, hostname, or network address of the source, destination, or both.
■ Type—Specifies if packet headers are matched for host address or network address.
You can add multiple entries to refine the match criteria for addresses.
Your Action: Select address-matching criteria. For example:
1. From the Direction list, select source.
2. From the Type list, select host.
3. In the Address box, type 10.1.40.48.
4. Click Add.

Field: Protocols
Function: Matches the protocol for which packets are captured. You can choose to capture TCP, UDP, or ICMP packets or a combination of TCP, UDP, and ICMP packets.
Your Action: From the list, select a protocol—for example, tcp.

Field: Ports
Function: Matches packet headers containing the specified source or destination TCP or UDP port number or port name.
Your Action: Select a direction and a port. For example:
■ From the Type list, select src.
■ In the Port box, type 23.

Advanced Options

Field: Absolute TCP Sequence
Function: Specifies that absolute TCP sequence numbers are to be displayed for the packet headers.
Your Action: To display absolute TCP sequence numbers in the packet headers, select this check box.

Field: Layer 2 Headers
Function: Specifies that link-layer packet headers are to be displayed.
Your Action: To include link-layer packet headers while capturing packets, select this check box.

Field: Non-Promiscuous
Function: Specifies not to place the interface in promiscuous mode, so that the interface reads only packets addressed to it. In promiscuous mode, the interface reads every packet that reaches it.
Your Action: To read all packets that reach the interface, select this check box.

Field: Display Hex
Function: Specifies that packet headers, except link-layer headers, are to be displayed in hexadecimal format.
Your Action: To display the packet headers in hexadecimal format, select this check box.

Field: Display ASCII and Hex
Function: Specifies that packet headers are to be displayed in hexadecimal and ASCII format.
Your Action: To display the packet headers in ASCII and hexadecimal formats, select this check box.

Field: Header Expression
Function: Specifies the match condition for the packets to be captured. The match conditions you specify for Addresses, Protocols, and Ports are displayed in expression format in this field.
Your Action: You can enter match conditions directly in this field in expression format or modify the expression composed from the match conditions you specified for Addresses, Protocols, and Ports. If you change the match conditions specified for Addresses, Protocols, and Ports again, packet capture overwrites your changes with the new match conditions.


Field: Packet Size
Function: Specifies the number of bytes to be displayed for each packet. If a packet header exceeds this size, the display is truncated for the packet header. The default value is 96 bytes.
Your Action: Type the number of bytes you want to capture for each packet header—for example, 256.

Field: Don't Resolve Addresses
Function: Specifies that IP addresses are not to be resolved into hostnames in the packet headers displayed.
Your Action: To prevent packet capture from resolving IP addresses to hostnames, select this check box.

Field: No Timestamp
Function: Suppresses the display of packet header timestamps.
Your Action: To stop displaying timestamps in the captured packet headers, select this check box.

Field: Write Packet Capture File
Function: Writes the captured packets to a file in PCAP format in /var/tmp. The files are named with the prefix jweb-pcap and the extension .pcap. If you select this option, the decoded packet headers are not displayed on the packet capture page.
Your Action: To decode and display the packet headers on the J-Web page, clear this check box.

Related Topics ■ Using the CLI Terminal

Monitoring Network Traffic Using Traceroute

Purpose Use the Traceroute page in the J-Web interface to trace a route between the switch and a remote host. You can use a traceroute task to display a list of waypoints between the switch and a specified destination host. The output is useful for diagnosing a point of failure in the path from the switch platform to the destination host and addressing network traffic latency and throughput problems.

Action To use the traceroute tool:

1. Select Troubleshoot>Traceroute.

2. Next to Advanced options, click the expand icon.

3. Enter information into the Traceroute page.

The Remote Host field is the only required field.

4. Click Start.

5. To stop the traceroute operation before it is complete, click OK while the results of the traceroute operation are being displayed.

Meaning The switch generates the list of waypoints by sending a series of ICMP traceroute packets in which the time-to-live (TTL) value in the messages sent to each successive waypoint is incremented by 1. (The TTL value of the first traceroute packet is set to 1.) In this manner, each waypoint along the path to the destination host replies with a Time Exceeded packet from which the source IP address can be obtained.


The results of the traceroute operation are displayed in the main pane. If no options are specified, each line of the traceroute display is in the following format:

hop-number host (ip-address) [as-number] time1 time2 time3

The switch sends a total of three traceroute packets to each waypoint along the path and displays the round-trip time for each traceroute operation. If the switch times out before receiving a Time Exceeded message, an asterisk (*) is displayed for that round-trip time.
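A parser for traceroute lines in the format given above, as an added example that is not part of the Juniper document. It handles the two cases the text describes that a naive split on whitespace gets wrong: an asterisk in place of a round-trip time when a probe timed out, and the optional [as-number] field that appears only when Resolve AS Numbers is selected. From the parsed hops it reports the first waypoint that answered none of its three probes and the hop carrying the largest measured round-trip time. The sample output is constructed (the "[AS...]" spelling of the AS field and the function names are assumptions).

```python
"""Parse J-Web traceroute lines of the form
    hop-number host (ip-address) [as-number] time1 time2 time3
and locate the first hop that stopped answering.

Added example, not part of the Juniper document; sample output is constructed.
"""
import re

HOP_HEAD = re.compile(r"^\s*(?P<hop>\d+)\s+(?P<rest>.*)$")
HOST_PART = re.compile(
    r"^(?P<host>\S+)\s+\((?P<ip>[^)]+)\)\s*(?:\[(?:AS)?(?P<asn>\d+)\])?\s*(?P<rest>.*)$"
)
# Each probe result is either "*" (timed out) or "<number> ms".
PROBE = re.compile(r"\*|(\d+(?:\.\d+)?)\s*ms")

SAMPLE_OUTPUT = """\
traceroute to 192.0.2.50 (192.0.2.50), 30 hops max, 40 byte packets
 1  gw.example.net (10.0.0.1) [AS64496]  0.512 ms  0.498 ms  0.471 ms
 2  * * *
 3  core1.example.net (192.0.2.9) [AS64497]  1.203 ms  * 1.187 ms
 4  192.0.2.50 (192.0.2.50)  2.004 ms  1.998 ms  2.101 ms
"""


def parse_traceroute(text):
    """Return one dict per hop line; the banner line does not start with a hop number."""
    hops = []
    for line in text.splitlines():
        head = HOP_HEAD.match(line)
        if not head:
            continue
        entry = {"hop": int(head["hop"]), "host": None, "ip": None, "asn": None, "rtts": []}
        rest = head["rest"]
        hp = HOST_PART.match(rest)
        if hp:  # absent on an all-timeout line, where no waypoint identified itself
            entry["host"], entry["ip"] = hp["host"], hp["ip"]
            entry["asn"] = int(hp["asn"]) if hp["asn"] else None
            rest = hp["rest"]
        for probe in PROBE.finditer(rest):
            entry["rtts"].append(None if probe.group(0) == "*" else float(probe.group(1)))
        hops.append(entry)
    return hops


def first_silent_hop(hops):
    """Hop number of the first waypoint whose probes all timed out, or None."""
    for h in hops:
        if h["rtts"] and all(r is None for r in h["rtts"]):
            return h["hop"]
    return None


def worst_rtt(hops):
    """(hop number, largest RTT in ms) over answered probes, to spot a latency step."""
    answered = [(h["hop"], r) for h in hops for r in h["rtts"] if r is not None]
    return max(answered, key=lambda item: item[1]) if answered else None


if __name__ == "__main__":
    hops = parse_traceroute(SAMPLE_OUTPUT)
    print("first silent hop:", first_silent_hop(hops), "worst rtt:", worst_rtt(hops))
```

A hop that is silent but followed by answering hops (hop 2 in the sample) is usually a router that rate-limits or drops ICMP Time Exceeded, not a break in the path; a silent hop followed only by silent hops is the point of failure the Purpose paragraph refers to.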

Table 21: Traceroute Field Summary

Field: Remote Host
Function: Identifies the destination host of the traceroute.
Your Action: Type the hostname or IP address of the destination host.

Advanced Options

Field: Don't Resolve Addresses
Function: Determines whether hostnames of the hops along the path are displayed, in addition to IP addresses.
Your Action: To suppress the display of the hop hostnames, select the check box.

Field: Gateway
Function: Specifies the IP address of the gateway to route through.
Your Action: Type the gateway IP address.

Field: Source Address
Function: Specifies the source address of the outgoing traceroute packets.
Your Action: Type the source IP address.

Field: Bypass Routing
Function: Determines whether traceroute packets are routed by means of the routing table. If the routing table is not used, traceroute packets are sent only to hosts on the interface specified in the Interface box. If the host is not on that interface, traceroute responses are not sent.
Your Action: To bypass the routing table and send the traceroute packets to hosts on the specified interface only, select the check box.

Field: Interface
Function: Specifies the interface on which the traceroute packets are sent.
Your Action: From the list, select the interface on which traceroute packets are sent. If you select any, the traceroute requests are sent on all interfaces.

Field: Time-to-live
Function: Specifies the maximum time-to-live (TTL) hop count for the traceroute request packet.
Your Action: From the list, select the TTL.

Field: Type-of-Service
Function: Specifies the type-of-service (TOS) value to include in the IP header of the traceroute request packet.
Your Action: From the list, select the decimal value of the TOS field.

Field: Resolve AS Numbers
Function: Determines whether the autonomous system (AS) number of each intermediate hop between the router and the destination host is displayed.
Your Action: To display the AS numbers, select the check box.

Related Topics ■ Connecting and Configuring an EX Series Switch (CLI Procedure)

■ Connecting and Configuring an EX Series Switch (J-Web Procedure)


■ Configuring Gigabit Ethernet Interfaces (J-Web Procedure)

■ Monitoring Interface Status and Traffic

Monitoring System Properties

Purpose Use the monitoring functionality to view system properties such as the name and IP address of the switch and resource usage.

Action To monitor system properties in the J-Web interface, select Monitor > System View > System Information.

To monitor system properties in the CLI, enter the following commands:

■ show system uptime

■ show system users

■ show system storage

Meaning Table 22 on page 27 summarizes key output fields in the system properties display.

Table 22: Summary of Key System Properties Output Fields

General Information

Field: Serial Number
Values: Serial number for the switch.

Field: JUNOS Software Version
Values: Version of JUNOS Software active on the switch, including whether the software is for domestic or export use.
Additional Information: Export software is for use outside of the U.S. and Canada.

Field: Hostname
Values: The name of the switch.

Field: IP Address
Values: The IP address of the switch.

Field: Loopback Address
Values: The loopback address.

Field: Domain Name Server
Values: The address of the domain name server.

Field: Time Zone
Values: The time zone on the switch.

Time

Field: Current Time
Values: Current system time, in Coordinated Universal Time (UTC).


Field: System Booted Time
Values: Date and time when the switch was last booted and how long it has been running.

Field: Protocol Started Time
Values: Date and time when the switching protocols were last started and how long they have been running.

Field: Last Configured Time
Values: Date and time when a configuration was last committed. This field also shows the name of the user who issued the last commit command, through either the J-Web interface or the CLI.

Field: Load Average
Values: The CPU load average for 1, 5, and 15 minutes.

Storage Media

Field: Internal Flash Memory
Values: Memory usage details of internal flash.

Field: External Flash Memory
Values: Usage details of external flash memory.

Logged in Users Details

Field: User
Values: Username of any user logged in to the switching platform.

Field: Terminal
Values: Terminal through which the user is logged in.

Field: From
Values: System from which the user has logged in. A hyphen indicates that the user is logged in through the console.

Field: Login Time
Values: Time when the user logged in.
Additional Information: This is the LOGIN@ field in show system users command output.

Field: Idle Time
Values: How long the user has been idle.

Related Topics ■ Monitoring System Process Information on page 28

■ Understanding J-Web User Interface Sessions

Monitoring System Process Information

Purpose Use the monitoring functionality to view the processes running on the switch.


Action To view the software processes running on the switch in the J-Web interface, select Monitor>System View>Process Details.

To view the software processes running on the switch in the CLI, enter the followingcommand.

show system processes

Meaning Table 23 on page 29 summarizes the output fields in the system process information display.

The display includes the total CPU load and total memory utilization.

Table 23: Summary of System Process Information Output Fields

Field: PID
Values: Identifier of the process.

Field: Name
Values: Owner of the process.

Field: State
Values: Current state of the process.

Field: CPU Load
Values: Percentage of the CPU that is being used by the process.

Field: Memory Utilization
Values: Amount of memory that is being used by the process.

Field: Start Time
Values: Time of day when the process started.

Related Topics ■ Monitoring System Properties on page 27

■ For more information about the show system properties command, see show system uptime


Configuration Statements for User and Access Management

ftp

Syntax ftp {
    connection-limit limit;
    rate-limit limit;
}

Hierarchy Level [edit system services]

Release Information Statement introduced before JUNOS Release 7.4. Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description Allow FTP requests from remote systems to the local router or switch.

Options The remaining statements are explained separately.

Required Privilege Level system—To view this statement in the configuration. system-control—To add this statement to the configuration.

Related Topics ■ Configuring FTP Service for Remote Access to the Router or Switch


http

Syntax http {
    interfaces [ interface-names ];
    port port;
}

Hierarchy Level [edit system services web-management]

Release Information Statement introduced before JUNOS Release 7.4. Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description Configure the port and interfaces for HTTP service, which is unencrypted.

Options interfaces [ interface-names ]—Name of one or more interfaces on which to allow the HTTP service. By default, HTTP access is allowed through built-in Fast Ethernet or Gigabit Ethernet interfaces only.

The remaining statement is explained separately.

Required Privilege Level system—To view this statement in the configuration. system-control—To add this statement to the configuration.

Related Topics ■ https on page 32

■ port on page 37

■ web-management on page 45

■ Configuring Management Access for the EX Series Switch (J-Web Procedure) on page 14

■ J-Web Interface User Guide


https

Syntax https {
    interfaces [ interface-names ];
    local-certificate name;
    port port;
}

Hierarchy Level [edit system services web-management]

Release Information Statement introduced before JUNOS Release 7.4. Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description Configure the secure version of HTTP (HTTPS) service, which is encrypted.

Options interfaces [ interface-names ]—Name of one or more interfaces on which to allow the HTTPS service. By default, HTTPS access is allowed through any ingress interface, but HTTP access is allowed through built-in Fast Ethernet or Gigabit Ethernet interfaces only.

local-certificate name—Name of the X.509 certificate for a Secure Sockets Layer (SSL) connection. An SSL connection is configured at the [edit security certificates local] hierarchy.

The remaining statements are explained separately.

Required Privilege Level system—To view this statement in the configuration. system-control—To add this statement to the configuration.

Related Topics ■ http on page 31

■ port on page 37

■ web-management on page 45

■ Configuring Management Access for the EX Series Switch (J-Web Procedure) on page 14

■ J-Web Interface User Guide


local-certificate

Syntax local-certificate;

Hierarchy Level [edit system services service-deployment],
[edit system services web-management https],
[edit system services xnm-ssl]

Release Information Statement introduced before JUNOS Release 7.4. Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description Import or reference an SSL certificate.

Required Privilege Level admin—To view this statement in the configuration. admin-control—To add this statement to the configuration.

Related Topics ■ Configuring clear-text or SSL Service for JUNOScript Client Applications

■ Generating SSL Certificates to Be Used for Secure Web Access on page 17

■ Importing SSL Certificates for JUNOScript Support


outbound-ssh

Syntax [edit system services]
outbound-ssh {
    client client-id {
        address {
            port port-number;
            retry number;
            timeout seconds;
        }
        device-id device-id;
        keep-alive {
            retry number;
            timeout seconds;
        }
        reconnect-strategy (in-order | sticky);
        secret password;
        services netconf;
    }
    traceoptions {
        file filename <files number> <match regex> <size size> <world-readable | no-world-readable>;
        flag flag;
        no-remote-trace;
    }
}

Hierarchy Level [edit system services]

Release Information Statement introduced in JUNOS Release 8.4. Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description Configure a router or switch running the JUNOS Software behind a firewall to communicate with client management applications on the other side of the firewall.

Default To configure transmission of the router's or switch's device ID to the application, include the device-id statement at the [edit system services] hierarchy level.

Options client-id—Identifies the outbound-ssh configuration stanza on the router or switch. Each outbound-ssh stanza represents a single outbound SSH connection. This attribute is not sent to the client.

device-id—Identifies the router or switch to the client during the initiation sequence.

keep-alive—(Optional) When configured, specifies that the router or switch send keepalive messages to the management server. To configure the keepalive message, you must set both the timeout and retry attributes.


reconnect-strategy—(Optional) Specify the method the router or switch uses to reestablish a disconnected outbound SSH connection. Two methods are available:

■ in-order—Specify that the router or switch first attempt to establish an outbound SSH session based on the management server address list. The router or switch attempts to establish a session with the first server on the list. If this connection is not available, the router or switch attempts to establish a session with the next server, and so on down the list until a connection is established.

■ sticky—Specify that the router or switch first attempt to reconnect to the management server that it was last connected to. If the connection is unavailable, it attempts to establish a connection with the next client on the list and so forth until a connection is made.

retry—Number of keepalive messages the router or switch sends without receiving a response from the client before the current SSH connection is disconnected. The default is three messages.

secret—(Optional) Router's or switch's public SSH host key. If added to the outbound-ssh statement, during the initialization of the outbound SSH service, the router or switch passes its public key to the management server. This is the recommended method of maintaining a current copy of the router's or switch's public key.

timeout—Length of time that the JUNOS server waits for data before sending a keepalive signal. The default is 15 seconds.

When reconnecting to a client, the router or switch attempts to reconnect to the client based on the retry and timeout values for each client listed.

address—Hostname or the IPv4 address of the NSM application server. You can list multiple clients by adding each client's IP address or hostname along with the following connection parameters:

■ port—Outbound SSH port for the client. The default is port 22.

■ retry—Number of times the router or switch attempts to establish an outbound SSH connection before giving up. The default is three tries.

■ timeout—Length of time that the router or switch attempts to establish an outbound SSH connection before giving up. The default is fifteen seconds.
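A simulation of the two reconnect-strategy methods described above, with the per-client retry count from the address parameters applied, as an added example that is not part of JUNOS or the Juniper document. The SSH handshake is replaced by a caller-supplied function, so the order of attempts each strategy produces can be seen on a constructed three-server list. Two behaviours the page does not spell out are assumptions: that sticky continues down the list from the entry after the last-connected server and wraps round to the beginning, and that the switch gives up once every listed client has used up its retries.

```python
"""Simulate the outbound-ssh reconnect strategies (in-order and sticky)
with each client's configured retry count.

Added example, not part of JUNOS or the Juniper document. Wrap-around for
sticky and giving up after the whole list is exhausted are assumptions.
"""

DEFAULT_RETRY = 3  # the documented default for the per-client retry


def _attempt(server, retry, connect, log):
    """Try one client up to `retry` times; return True on the first success."""
    for n in range(1, retry + 1):
        ok = connect(server["address"])
        log.append((server["address"], n, ok))
        if ok:
            return True
    return False


def reconnect(clients, strategy, connect, last_connected=None):
    """Return (address connected to or None, attempt log).

    clients:  ordered list of {"address": str, "retry": int}, as configured
              under client <client-id>.
    strategy: "in-order" or "sticky".
    connect:  callable(address) -> bool, standing in for the SSH handshake.
    """
    if strategy not in ("in-order", "sticky"):
        raise ValueError(f"unknown reconnect-strategy {strategy!r}")
    order = list(clients)
    if strategy == "sticky" and last_connected is not None:
        # Start with the server last connected to, then continue down the
        # list from the entry after it, wrapping round to the beginning.
        idx = next((i for i, c in enumerate(order) if c["address"] == last_connected), None)
        if idx is not None:
            order = order[idx:] + order[:idx]
    log = []
    for server in order:
        if _attempt(server, server.get("retry", DEFAULT_RETRY), connect, log):
            return server["address"], log
    return None, log


# Constructed configuration: three management servers.
CLIENTS = [
    {"address": "nsm1.example.net", "retry": 2},
    {"address": "nsm2.example.net", "retry": 3},
    {"address": "nsm3.example.net"},  # retry left at the default of 3
]


def reachable_only(*up):
    """Build a connect() stand-in that succeeds only for the given addresses."""
    up = set(up)
    return lambda address: address in up


if __name__ == "__main__":
    connect = reachable_only("nsm2.example.net", "nsm3.example.net")
    for strategy in ("in-order", "sticky"):
        addr, log = reconnect(CLIENTS, strategy, connect, last_connected="nsm3.example.net")
        print(strategy, "->", addr, [(a, n) for a, n, _ in log])
```

With the first server down, in-order spends two attempts on it on every reconnect, whereas sticky returns to the server that last worked in a single attempt; the log also shows how many failed handshakes a management server will see from the switch, which is useful when tuning alert thresholds on that server.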

filename—(Optional) By default, the filename of the log file used to record the trace options is the name of the traced process (for example, mib2d or snmpd). Use this option to override the default value.

files—(Optional) Maximum number of trace files generated. By default, the maximum number of trace files is 10. Use this option to override the default value.

When a trace file reaches its maximum size, the system archives the file and starts a new file. The system archives trace files by appending a number to the filename in sequential order from 1 to the maximum value (specified by the default value or the options value set here). Once the maximum value is reached, the numbering sequence is restarted at 1, overwriting the older file.


size—(Optional) Maximum size of the trace file in kilobytes (KB). Once the maximum file size is reached, the system archives the file. The default value is 1000 KB. Use this option to override the default value.

match—(Optional) When used, the system only adds lines to the trace file that match the regular expression specified. For example, if the match value is set to =error, the system only records lines to the trace file that include the string error.

services—Services available for the session. Currently, NETCONF is the only service available.

world-readable | no-world-readable—(Optional) Whether the files are accessible by the originator of the trace operation only or by any user. By default, log files are only accessible by the user that started the trace operation (no-world-readable).

all | configuration | connectivity—(Optional) Type of tracing operation to perform.

all—Log all events.

configuration—Log all events pertaining to the configuration of the router or switch.

connectivity—Log all events pertaining to the establishment of a connection between the client server and the router or switch.

no-remote-trace—(Optional) Disable remote tracing.

Required Privilege Level interface—To view this statement in the configuration.

interface-control—To add this statement to the configuration.

Related Topics ■ Configuring Outbound SSH Service

■ System Management Complete Configuration Statements


port (HTTP/HTTPS)

Syntax port port-number;

Hierarchy Level [edit system services web-management]

Release Information Statement introduced before JUNOS Release 7.4. Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description Configure the port on which the HTTP or HTTPS service is connected.

Options port-number—The TCP port number on which the specified service listens.

Required Privilege Level system—To view this statement in the configuration.

system-control—To add this statement to the configuration.

Related Topics ■ http on page 31

■ https on page 32

■ web-management on page 45

■ Table 16 on page 15

■ J-Web Interface User Guide


port (SRC Server)

Syntax port port-number;

Hierarchy Level [edit system services service-deployment servers server-address]

Release Information Statement introduced before JUNOS Release 7.4. Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description Configure the port number on which to contact the SRC server.

Options port-number—(Optional) The TCP port number for the SRC server.

Default: 3333

Required Privilege Level system—To view this statement in the configuration.

system-control—To add this statement to the configuration.

Related Topics ■ Configuring the JUNOS Software to Work with SRC Software

protocol-version

Syntax protocol-version version;

Hierarchy Level [edit system services ssh]

Release Information Statement introduced before JUNOS Release 7.4. Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description Specify the secure shell (SSH) protocol version.

Options version—SSH protocol version.

Values: v1, v2, or [ v1 v2 ]

Default: [v1 v2]

Required Privilege Level admin—To view this statement in the configuration.

admin-control—To add this statement to the configuration.

Related Topics ■ Configuring SSH Service for Remote Access to the Router or Switch


root-login

Syntax root-login (allow | deny | deny-password);

Hierarchy Level [edit system services ssh]

Release Information Statement introduced before JUNOS Release 7.4. Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description Control user access through SSH.

Default Allow user access through SSH.

Options allow—Allow users to log in to the router or switch as root through SSH.

deny—Disable users from logging in to the router or switch as root through SSH.

deny-password—Allow users to log in to the router or switch as root through SSH when the authentication method (for example, RSA authentication) does not require a password.

Required Privilege Level admin—To view this statement in the configuration.

admin-control—To add this statement to the configuration.

Related Topics ■ Configuring SSH Service for Remote Access to the Router or Switch



servers

Syntax servers server-address {
    port port-number;
}

Hierarchy Level [edit system services service-deployment]

Release Information Statement introduced before JUNOS Release 7.4. Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description Configure an IPv4 address for the Session and Resource Control (SRC) server.

Options server-address—The TCP port number.

Default: 3333

The remaining statements are explained separately.

Required Privilege Level system—To view this statement in the configuration.

system-control—To add this statement to the configuration.

Related Topics ■ Configuring the JUNOS Software to Work with SRC Software


service-deployment

Syntax service-deployment {
    servers server-address {
        port port-number;
    }
    source-address source-address;
}

Hierarchy Level [edit system services]

Release Information Statement introduced before JUNOS Release 7.4. Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description Enable JUNOS Software to work with the Session and Resource Control (SRC) software.

The remaining statements are explained separately.

Required Privilege Level system—To view this statement in the configuration.

system-control—To add this statement to the configuration.

Related Topics ■ Configuring the JUNOS Software to Work with SRC Software


session

Syntax session {
    idle-timeout [ minutes ];
    session-limit [ session-limit ];
}

Hierarchy Level [edit system services web-management]

Release Information Statement introduced in JUNOS Release 8.3. Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description Configure limits for the number of minutes a session can be idle before it times out, and configure the number of simultaneous J-Web user login sessions.

Options idle-timeout minutes—Configure the number of minutes a session can be idle before it times out.

Range: 1 through 1440

Default: 1440

session-limit session-limit—Configure the maximum number of simultaneous J-Web user login sessions.

Range: 1 through 1024

Default: Unlimited

Required Privilege Level system—To view this statement in the configuration.

system-control—To add this statement to the configuration.

Related Topics ■ J-Web Interface User Guide


source-address (SRC Software)

Syntax source-address source-address;

Hierarchy Level [edit system services service-deployment]

Release Information Statement introduced before JUNOS Release 7.4. Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description Enable JUNOS Software to work with the Session and Resource Control (SRC) software.

Options source-address—Local IPv4 address to be used as source address for traffic to the SRC server. The source address restricts traffic within the out-of-band network.

Required Privilege Level system—To view this statement in the configuration.

system-control—To add this statement to the configuration.

Related Topics ■ Configuring the JUNOS Software to Work with SRC Software

ssh

Syntax ssh {
    protocol-version [v1 v2];
    <connection-limit limit;>
    <rate-limit limit;>
    root-login (allow | deny | deny-password);
}

Hierarchy Level [edit system services]

Release Information Statement introduced before JUNOS Release 7.4. Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description Allow SSH requests from remote systems to the local router or switch.

The remaining statements are explained separately.

Required Privilege Level system—To view this statement in the configuration.

system-control—To add this statement to the configuration.

Related Topics ■ Configuring SSH Service for Remote Access to the Router or Switch


telnet

Syntax telnet {
    connection-limit limit;
    rate-limit limit;
}

Hierarchy Level [edit system services]

Release Information Statement introduced before JUNOS Release 7.4. Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description Allow Telnet connections from remote systems to the local router or switch.

The remaining statements are explained separately.

Required Privilege Level system—To view this statement in the configuration.

system-control—To add this statement to the configuration.

Related Topics ■ Configuring Telnet Service for Remote Access to a Router


web-management

Syntax web-management {
    http {
        interfaces [ interface-names ];
        port port;
    }
    https {
        interfaces [ interface-names ];
        local-certificate name;
        port port;
    }
}

Hierarchy Level [edit system services]

Release Information Statement introduced before JUNOS Release 7.4. Statement introduced in JUNOS Release 9.0 for EX Series switches.

Description Configure settings for HTTP or HTTPS access. HTTP access allows management of the router or switch using the browser-based J-Web graphical user interface. HTTPS access allows secure management of the router or switch using the J-Web interface. With HTTPS access, communication between the router or switch Web server and your browser is encrypted.

The remaining statements are explained separately.

Required Privilege Level system—To view this statement in the configuration.

system-control—To add this statement to the configuration.

Related Topics ■ http on page 31

■ https on page 32

■ port on page 37

■ Table 16 on page 15

■ J-Web Interface User Guide
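The ssh, telnet, and web-management statements above define the remote-access services of a switch. The following added Python audit (not part of the Juniper manual, nor a Juniper tool) parses a constructed [edit system services] configuration in JUNOS brace syntax and flags the settings this chapter documents as weakest: SSH protocol v1, root-login allow, Telnet, and HTTP without HTTPS. The parse and audit functions and the finding texts are assumptions of this example.

```python
import re

# Constructed weak [edit system services] configuration (not from the manual).
WEAK_CONFIG = """services {
    ssh {
        protocol-version [ v1 v2 ];
        root-login allow;
    }
    telnet;
    web-management {
        http;
    }
}"""

def parse(text):
    """Parse JUNOS curly-brace configuration text into nested dicts."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.strip()
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            block = {}
            stack[-1][line[:-1].strip()] = block
            stack.append(block)
        elif line:  # terminal statement: "keyword value;" or bare "keyword;"
            parts = line.rstrip(";").split(None, 1)
            stack[-1][parts[0]] = parts[1] if len(parts) > 1 else {}
    return stack[0]

def audit(text):
    """Return findings against the statements documented in this chapter."""
    services = parse(text).get("services", {})
    findings = []
    ssh = services.get("ssh")
    if ssh is not None:
        # Manual defaults: protocol-version [v1 v2], root-login allow.
        if re.search(r"\bv1\b", ssh.get("protocol-version", "[v1 v2]")):
            findings.append("ssh: protocol-version permits SSH v1")
        if ssh.get("root-login", "allow") == "allow":
            findings.append("ssh: root-login allow (prefer deny or deny-password)")
    if "telnet" in services:
        findings.append("telnet: clear-text management service enabled")
    web = services.get("web-management", {})
    if "http" in web and "https" not in web:
        findings.append("web-management: http enabled without https")
    if "https" in web and "local-certificate" not in web["https"]:
        findings.append("web-management: https without local-certificate")
    return findings
```

A hardened counterpart expressed in the manual's own statements sets protocol-version v2 and root-login deny or deny-password, omits telnet, and configures https with a local-certificate; audit returns no findings for such a configuration.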
