Junos services configuration module
Version: 2019-01-01
module junos-ex-conf-services { yang-version 1; namespace "http://yang.juniper.net/junos-ex/conf/services"; prefix jc-services; import junos-common-ddl-extensions { prefix junos; revision-date "2019-01-01"; } import junos-common-types { prefix jt; revision-date "2019-01-01"; } import junos-ex-conf-root { prefix jc; revision-date "2019-01-01"; } organization "Juniper Networks, Inc."; contact "yang-support@juniper.net"; description "Junos services configuration module"; revision "2019-01-01" { description "Junos: 21.3R1.9"; } augment /jc:configuration { uses services-group; } augment /jc:configuration/jc:groups { uses services-group; } grouping services-group { container services { description "System services"; uses apply-advanced; container flow-tap { description "Configure flow-tap parameters"; uses apply-advanced; container family { description "Address family of packets to tap"; uses apply-advanced; leaf inet { type empty; description "IPv4 family"; } leaf inet6 { type empty; description "IPv4 family"; } leaf ccc { type empty; description "CCC family"; } } // container family leaf interface { junos:must "(!("services flow-tap tunnel-interface"))"; junos:must-message "tunnel-interface and service interface cannot be confgured together for flowtap application"; junos:must "(!("services dynamic-flow-capture"))"; junos:must-message "Dynamic flow capture cannot be configured when flow tap is configured"; junos:must "("interfaces $$-IFL family inet")"; junos:must-message "Interface with family inet must be defined in the [edit interfaces] hierarchy"; type union { type jt:interface-name; type string { pattern "<.*>|$.*"; } } description "Service interface on which to configure flow-tap service"; } leaf tunnel-interface { junos:must "(!("services flow-tap interface"))"; junos:must-message "tunnel-interface and service interface cannot be confgured together for flowtap application"; junos:must "(!("services dynamic-flow-capture"))"; junos:must-message "Dynamic flow capture cannot be configured when flow tap is configured"; junos:must "("interfaces $$-IFL family inet6")"; junos:must-message "Interface with family inet6 must be defined in the [edit interfaces] hierarchy"; junos:must "("interfaces $$-IFL family inet")"; junos:must-message "Interface with family inet must be defined in the [edit interfaces] hierarchy"; type union { type jt:interface-name; type string { pattern "<.*>|$.*"; } } description "Tunnel interface through which flow-tap would communicate with MD"; } } // container flow-tap container radius-flow-tap { description "Configure radius triggered flow-tap parameters"; uses apply-advanced; leaf forwarding-class { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } description "Forwarding class assigned to intercepted packets"; } leaf source-ipv4-address { type jt:ipv4addr; description "IP Address to use as source address in IPv4 header appended to intercepted packets"; } leaf multicast-interception { type empty; description "Enable Multicast Tapping"; } container interfaces { description "Tunnel Interfaces"; uses apply-advanced; list tunnel-interface { key "name"; uses tunnel_interface_type; } // list tunnel-interface } // container interfaces choice ri_or_ls { leaf routing-instance { junos:must "("routing-instances $$")"; junos:must-message "Referenced routing instance must be defined"; type string; description "Routing instance to be used for radius flow tap"; } list logical-system { key "name"; max-elements 1; ordered-by user; description "Logical system to be used for radius flow tap"; leaf name { junos:must "("logical-systems $$")"; junos:must-message "Referenced logical system must be defined"; type string; description "Logical system name"; } uses apply-advanced; leaf routing-instance { junos:must "("logical-systems ${logical-system} routing-instances $$")"; junos:must-message "Referenced routing instance must be defined"; type string; description "Routing instance to be used for radius flow tap"; } } // list logical-system } // choice ri_or_ls list policy { key "name"; ordered-by user; description "Policy"; leaf name { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } description "Policy Name"; } uses apply-advanced; container inet { description "Protocol family IPv4 drop policy terms"; uses apply-advanced; list drop-policy { key "name"; ordered-by user; description "Define an IPv4 drop policy"; uses drop-policy-term; } // list drop-policy } // container inet container inet6 { description "Protocol family IPv6 drop policy terms"; uses apply-advanced; list drop-policy { key "name"; ordered-by user; description "Define an IPv6 drop policy"; uses drop-policy6-term; } // list drop-policy } // container inet6 } // list policy container snmp { description "SNMP options for radius flow tap"; uses apply-advanced; list notify-targets { key "name"; ordered-by user; description "Target list for packet mirror SNMP notifications"; leaf name { type jt:ipaddr; description "Target IP address"; } uses apply-advanced; } // list notify-targets } // container snmp } // container radius-flow-tap container mobile-flow-tap { description "Configure mobile triggered flow-tap parameters"; uses apply-advanced; container source-interface { junos:must "(!("services dynamic-flow-capture"))"; junos:must-message "mobile flow service and dynamic flow capture service cannot be configured together"; junos:must "(!("services radius-flow-tap"))"; junos:must-message "mobile flow service and radius flow capture service cannot be configured together"; junos:must "(!("services flow-tap"))"; junos:must-message "mobile flow service and flow capture service cannot be configured together"; presence "enable source-interface"; description "Source interface from which IRI packets will be sent"; leaf interface-name { junos:must "("interfaces $$")"; junos:must-message "Interface must be defined"; type union { type jt:interface-name; type string { pattern "<.*>|$.*"; } } description "Interface name"; } leaf ipv4-address { type jt:ipv4addr; description "Source IPv4 address to be used"; } } // container source-interface } // container mobile-flow-tap container jdaf { description "Juniper distributed application framework (JDAF)"; uses apply-advanced; leaf-list routing-instances { type string { length "1 .. 128"; } ordered-by user; description "List of routing-instance name for JDAF clients"; } } // container jdaf container rpm { presence "enable rpm"; description "Real-time performance monitoring"; uses apply-advanced; container traceoptions { description "RMOPD trace options"; uses rmopd-traceoptions; } // container traceoptions container bgp { description "BGP options for real-time performance monitoring"; uses apply-advanced; leaf probe-type { type enumeration { enum "icmp-ping" { value 0; description "Send ICMP echo request to target address"; } enum "icmp-ping-timestamp" { value 1; description "Send ICMP timestamp request to target address"; } enum "icmp6-ping" { value 2; description "Send ICMP6 echo request to target address"; } enum "tcp-ping" { value 3; description "Send TCP packets to target"; } enum "udp-ping" { value 4; description "Send UDP packets to target"; } enum "udp-ping-timestamp" { value 5; description "Send UDP packets with timestamp to target"; } } default "icmp-ping"; description "RPM-BGP probe request type"; } leaf probe-count { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 15"; } } default "1"; description "Total number of probes per test"; } leaf probe-interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 255"; } } units "seconds"; default "3"; description "Delay between probes"; } leaf test-interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 86400"; } } units "seconds"; default "1"; description "Delay between tests"; } leaf destination-port { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "7 .. 65535"; } } description "TCP/UDP port number"; } leaf history-size { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 512"; } } default "50"; description "Number of stored history entries"; } leaf moving-average-size { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 1024"; } } default "0"; description "Number of samples used for moving average"; } leaf data-size { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65400"; } } default "0"; description "Size of the data portion of the probes"; } leaf data-fill { type string { junos:posix-pattern "^[[:xdigit:]]+$"; junos:pattern-message "Must be hexadecimal digits (0-9, a-f, A-F)"; length "1 .. 2048"; } description "Define contents of the data portion of the probes"; } leaf ttl { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 254"; } } default "64"; description "Time to Live (hop-limit) value for an RPM IPv4(IPv6) packet"; } list logical-system { key "name"; description "Logical systems"; uses bgp-logical-system; } // list logical-system list routing-instances { key "name"; description "Routing instances"; uses bgp-routing-instances; } // list routing-instances } // container bgp list probe { key "name"; ordered-by user; description "TCP/UDP/ICMP ping"; leaf name { type string { length "1 .. 32"; } description "Name of owner"; } uses apply-advanced; leaf delegate-probes { type empty; description "Offload real-time performance monitoring probes to MS-MIC/MS-MPC card"; } list test { key "name"; ordered-by user; description "TCP/UDP/ICMP/ICMP6 ping test"; leaf name { type string { length "1 .. 32"; } description "Name of test"; } uses apply-advanced; container rpm-scale { presence "enable rpm-scale"; description "Configuring real-time performance monitoring scale tests"; uses apply-advanced; leaf tests-count { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 500000"; } } description "Number of probe-tests generated using scale config"; } choice target-type { container target { junos:must "(!(".. source-inet6"))"; junos:must-message "source-inet6 knob not valid for IPV4 probes"; presence "enable target"; description "Target address generation for scale test config"; uses apply-advanced; leaf address-base { type jt:ipv4addr; description "Base address of target host in a.b.c.d format"; } leaf step { type jt:ipv4addr; description "Steps to increment target address in a.b.c.d format"; } leaf count { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 500000"; } } description "Target address count"; } } // container target container target-inet6 { junos:must "(!(".. source"))"; junos:must-message "source knob not valid for IPV6 probes"; presence "enable target-inet6"; description "IPv6 target address generation for scale test config"; uses apply-advanced; leaf address-base { type jt:ipv6addr; description "Base address of target host in a:b:c:d:e:f:g:h format"; } leaf step { type jt:ipv6addr; description "Steps to increment target address in a:b:c:d:e:f:g:h format"; } leaf count { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 500000"; } } description "Target address count"; } } // container target-inet6 } // choice target-type choice source-type { container source { junos:must "(!(".. target-inet6"))"; junos:must-message "target-inet6 knob not valid for IPV4 probes"; presence "enable source"; description "Source address generation in scale tests"; uses apply-advanced; leaf address-base { type jt:ipv4addr; description "Base address of host in a.b.c.d format"; } leaf step { type jt:ipv4addr; description "Steps to increment src address in a.b.c.d format"; } leaf count { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 500000"; } } description "Source-address count"; } } // container source container source-inet6 { junos:must "(!(".. target"))"; junos:must-message "target knob not valid for IPV6 probes"; presence "enable source-inet6"; description "IPv6 source address generation in scale tests"; uses apply-advanced; leaf address-base { type jt:ipv6addr; description "Base address of host in a:b:c:d:e:f:g:h format"; } leaf step { type jt:ipv6addr; description "Steps to increment src address in a:b:c:d:e:f:g:h format"; } leaf count { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 500000"; } } description "Source-address count"; } } // container source-inet6 } // choice source-type container destination { presence "enable destination"; description "Name of output interface for probes"; uses apply-advanced; leaf interface { type union { type jt:interface-name; type string { pattern "<.*>|$.*"; } } description "Base destination interface for scale test"; } leaf subunit-cnt { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 500000"; } } description "Subunit count for destination interface for scale test"; } } // container destination } // container rpm-scale leaf probe-type { type enumeration { enum "http-get" { value 0; description "Perform HTTP Get request at target URL"; } enum "http-metadata-get" { value 1; description "Perform HTTP Get request of metadata at target URL"; } enum "icmp-ping" { value 2; description "Send ICMP echo request to target address"; } enum "icmp-ping-timestamp" { value 3; description "Send ICMP timestamp request to target address"; } enum "icmp6-ping" { value 4; description "Send ICMP6 echo request to target address"; } enum "tcp-ping" { value 5; description "Send TCP packets to target"; } enum "udp-ping" { value 6; description "Send UDP packets to target"; } enum "udp-ping-timestamp" { value 7; description "Send UDP packets with timestamp to target"; } } default "icmp-ping"; description "Probe request type"; } container target { presence "enable target"; description "Target destination for probe"; choice target-type { leaf address { junos:must "(!(".. .. inet6-options"))"; junos:must-message "inet6-options knob not valid for IPV4 probes"; type jt:ipv4addr; description "Address of target host"; } leaf inet6-address { junos:must "(!(".. .. source-address"))"; junos:must-message "source-address knob not valid for IPV6 probes"; type jt:ipv6addr; description "Inet6 Address of target host"; } leaf url { junos:must "(!(".. .. inet6-options"))"; junos:must-message "inet6-options knob not valid for IPV4 probes"; type string; description "Fully formed target URL"; } leaf inet6-url { junos:must "(!(".. .. source-address"))"; junos:must-message "source-address knob not valid for IPV6 probes"; type string; description "Fully formed target IPV6 URL"; } } // choice target-type } // container target container inet6-options { presence "enable inet6-options"; description "IPV6 related options"; uses apply-advanced; leaf source-address { type jt:ipv6addr; description "Inet6 Source Address of the probe"; } } // container inet6-options leaf probe-count { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 15"; } } default "1"; description "Total number of probes per test"; } leaf probe-interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 255"; } } units "seconds"; default "3"; description "Delay between probes"; } leaf test-interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 86400"; } } units "seconds"; default "1"; description "Delay between tests"; } leaf destination-port { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "7 .. 65535"; } } description "TCP/UDP port number"; } leaf source-address { junos:must "(!(".. target inet6-address"))"; junos:must-message "source-address knob for IPV6 based probes is under inet6-options"; type jt:ipv4addr; description "Source address for probe"; } leaf routing-instance { junos:must "(("routing-instances $$" || any "tenants <*> routing-instances $$"))"; junos:must-message "referenced routing-instance must be defined"; type string { junos:posix-pattern "!^((__.*__)|(all)|(.*[ ].*)|("")|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less with no spaces."; } description "Routing instance used by probes"; } leaf history-size { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 512"; } } default "50"; description "Number of stored history entries"; } leaf moving-average-size { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 1024"; } } default "0"; description "Number of samples used for moving average"; } leaf dscp-code-points { type string { junos:posix-pattern "^(([01]{6})|([a-zA-Z].{0,63}))$"; junos:pattern-message "Not 6-bit pattern or code point alias"; } default "000000"; description "Differentiated Services code point bits or alias"; } leaf data-size { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65400"; } } default "0"; description "Size of the data portion of the probes"; } leaf data-fill { type string { junos:posix-pattern "^[[:xdigit:]]+$"; junos:pattern-message "Must be hexadecimal digits (0-9, a-f, A-F)"; length "1 .. 2048"; } description "Define contents of the data portion of the probes"; } leaf ttl { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 254"; } } default "64"; description "Time to Live (hop-limit) value for an RPM IPv4(IPv6) packet"; } container thresholds { presence "enable thresholds"; description "Probe and test threshold values. Set 0 to disable respective threshold"; uses apply-advanced; leaf successive-loss { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 15"; } } default "1"; description "Successive probe loss count indicating probe failure"; } leaf total-loss { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 15"; } } default "1"; description "Total probe loss count indicating test failure"; } leaf rtt { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 60000000"; } } units "microseconds"; default "0"; description "Maximum round trip time per probe"; } leaf jitter-rtt { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 60000000"; } } units "microseconds"; default "0"; description "Maximum jitter per test"; } leaf std-dev-rtt { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 60000000"; } } units "microseconds"; default "0"; description "Maximum standard deviation per test"; } leaf egress-time { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 60000000"; } } units "microseconds"; default "0"; description "Maximum source to destination time per probe"; } leaf ingress-time { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 60000000"; } } units "microseconds"; default "0"; description "Maximum destination to source time per probe"; } leaf jitter-ingress { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 60000000"; } } units "microseconds"; default "0"; description "Maximum destination to source jitter per test"; } leaf jitter-egress { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 60000000"; } } units "microseconds"; default "0"; description "Maximum source to destination jitter per test"; } leaf std-dev-ingress { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 60000000"; } } units "microseconds"; default "0"; description "Maximum destination to source standard deviation per test"; } leaf std-dev-egress { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 60000000"; } } units "microseconds"; default "0"; description "Maximum source to destination standard deviation per test"; } } // container thresholds leaf-list traps { type enumeration { enum "probe-failure" { value 0; description "Successive probe loss threshold reached"; } enum "test-failure" { value 1; description "Total probe loss threshold reached"; } enum "test-completion" { value 2; description "Test completed"; } enum "rtt-exceeded" { value 3; description "Exceeded maximum round trip time threshold"; } enum "std-dev-exceeded" { value 4; description "Exceeded round trip time standard deviation threshold"; } enum "jitter-exceeded" { value 5; description "Exceeded jitter in round trip time threshold"; } enum "ingress-time-exceeded" { value 6; description "Exceeded maximum ingress time threshold"; } enum "ingress-std-dev-exceeded" { value 7; description "Exceeded ingress time standard deviation threshold"; } enum "ingress-jitter-exceeded" { value 8; description "Exceeded jitter in ingress time threshold"; } enum "egress-time-exceeded" { value 9; description "Exceeded maximum egress time threshold"; } enum "egress-std-dev-exceeded" { value 10; description "Exceeded egress time standard deviation threshold"; } enum "egress-jitter-exceeded" { value 11; description "Exceeded jitter in egress time threshold"; } } ordered-by user; description "Trap to send if threshold is met or exceeded"; } leaf destination-interface { type union { type jt:interface-name; type string { pattern "<.*>|$.*"; } } description "Name of output interface for probes"; } leaf one-way-hardware-timestamp { junos:must "(!(".. target inet6-address"))"; junos:must-message "One-way hardware timestamping not supported for IPV6 based probes."; type empty; description "Enable hardware timestamps for one-way measurements"; } } // list test } // list probe container probe-server { description "ICMP/TCP/UDP probe server"; uses apply-advanced; container tcp { description "TCP probe server"; uses apply-advanced; leaf port { type union { type uint16; type string { pattern "<.*>|$.*"; } } description "Port number 7 through 65535"; } } // container tcp container udp { description "UDP probe server"; uses apply-advanced; leaf port { type union { type uint16; type string { pattern "<.*>|$.*"; } } description "Port number 7 through 65535"; } } // container udp } // container probe-server leaf probe-limit { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 500"; } } default "100"; description "Maximum number of concurrent probes allowed"; } } // container rpm container app-engine { description "App-engine"; uses apply-advanced; container security { presence "enable security"; description "Enable app-engine security"; } // container security container monitor-cpu { description "Monitor node CPU usage"; uses monitor-threshold; } // container monitor-cpu container monitor-memory { description "Monitor node memory usage"; uses monitor-threshold; } // container monitor-memory container monitor-storage { description "Monitor storage usage"; uses monitor-threshold; } // container monitor-storage leaf default-compute-node-package { type string; description "Default JunosV App Engine package for appliance"; } list compute-cluster { key "name"; ordered-by user; description "Configure compute cluster"; leaf name { type string { length "1 .. 15"; } description "Compute cluster name"; } uses apply-advanced; container local-management { junos:must "(all ".. compute-node <*> interfaces")"; junos:must-message "Must specify compute-node management interface"; description "Management address connected to compute cluster"; uses apply-advanced; list routing-instance { junos:must "(!(any ".. logical-system <*>"))"; junos:must-message "Must specify 'family' only under one hierarchy"; key "routing-instance-name"; max-elements 1; ordered-by user; description "Packets are restriction to specified routing instance"; leaf routing-instance-name { type string { junos:posix-pattern "!^((__.*__)|(all)|(.*[ ].*)|("")|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less with no spaces."; } description "Name of routing instance"; } uses apply-advanced; container family { description "Protocol family"; container inet { description "IPv4 parameters"; uses apply-advanced; leaf address { type jt:ipv4addr; description "Interface address"; } } // container inet } // container family } // list routing-instance container family { junos:must "(!(any ".. routing-instance <*>"))"; junos:must-message "Must specify 'family' only under one hierarchy"; description "Protocol family"; container inet { description "IPv4 parameters"; uses apply-advanced; leaf address { type jt:ipv4addr; description "Interface address"; } } // container inet } // container family } // container local-management container monitor-cpu { description "Monitor node CPU usage"; uses monitor-threshold; } // container monitor-cpu container monitor-memory { description "Monitor node memory usage"; uses monitor-threshold; } // container monitor-memory container monitor-storage { description "Monitor storage usage"; uses monitor-threshold; } // container monitor-storage list compute-node { key "name"; max-elements 1; ordered-by user; description "Compute node name"; leaf name { type string { length "1 .. 15"; } description "Compute node name"; } uses apply-advanced; container monitor-cpu { description "Monitor node CPU usage"; uses monitor-threshold; } // container monitor-cpu container monitor-memory { description "Monitor node memory usage"; uses monitor-threshold; } // container monitor-memory container monitor-storage { description "Monitor storage usage"; uses monitor-threshold; } // container monitor-storage choice compute-node-identifier { leaf mac-address { junos:must "(".. interfaces")"; junos:must-message "Must specify management interface"; junos:must "(".. .. local-management")"; junos:must-message "Must specify compute cluster local-management"; junos:must "(unique "services app-engine compute-cluster <*> compute-node <*> mac-address $$")"; junos:must-message "MAC address must be unique across compute clusters"; type jt:mac-addr; description "MAC address of the network boot interface"; } case case_2 { } // case case_2 case case_3 { } // case case_3 } // choice compute-node-identifier leaf package { type string; description "JunosV App Engine package"; } container routing-options { description "Route configuration for compute node"; uses apply-advanced; container static { description "Static routes"; uses apply-advanced; list route { key "name"; ordered-by user; description "Static route"; leaf name { junos:must "(!(any ".. .. .. rib <*> static route $$"))"; junos:must-message "Duplicate route entry"; type jt:ipv4prefix; description "Destination IP address or prefix"; } uses apply-advanced; leaf next-hop { type jt:ipv4addr; description "Next hop to destination"; } } // list route } // container static list rib { key "name"; ordered-by user; description "Routing table options"; leaf name { type string { junos:posix-pattern "inet.0"; junos:pattern-message "Only inet.0 is supported"; length "1 .. 10"; } description "Routing table name"; } uses apply-advanced; container static { description "Static routes"; uses apply-advanced; list route { key "name"; ordered-by user; description "Static route"; leaf name { junos:must "(!(".. .. .. .. static route $$"))"; junos:must-message "Duplicate route entry"; type jt:ipv4prefix; description "Destination IP address or prefix"; } uses apply-advanced; leaf next-hop { type jt:ipv4addr; description "Next hop to destination"; } } // list route } // container static } // list rib } // container routing-options container interfaces { description "Network interfaces configuration"; uses apply-advanced; list ethernet { key "name"; ordered-by user; description "Interface configuration"; leaf name { junos:must "(!(any ".. .. bridge <*> interface $$"))"; junos:must-message "This interface is already associated with a bridge"; junos:must "(!(".. .. bridge $$"))"; junos:must-message "A bridge is configured with this name"; type string { junos:posix-pattern "^eth[0-9]{1,2}$"; junos:pattern-message "Must be of the form eth<0-99>"; length "1 .. 15"; } description "Interface name"; } uses apply-advanced; leaf management { junos:must "(!(".. ether-options"))"; junos:must-message "This interface belongs to an aggregated interface"; junos:must "(!(".. .. .. fpc"))"; junos:must-message "Must not specify any interface as management with fpc"; junos:must "((".. family inet address" || ".. family inet dhcp"))"; junos:must-message "Management interface must have an address or dhcp configured"; junos:must "(!(".. enable-passthrough"))"; junos:must-message "Management interface cannot be passthrough interface"; type empty; description "Use this as management interface"; } container family { junos:must "(!(".. ether-options"))"; junos:must-message "This interface belongs to an aggregated interface"; description "Protocol family"; uses family; } // container family leaf enable-passthrough { junos:must "(!(".. ether-options"))"; junos:must-message "This interface belongs to an aggregated interface"; junos:must "(!(".. mtu"))"; junos:must-message "Passthrough interface cannot have MTU"; junos:must "(!(".. family inet address"))"; junos:must-message "Passthrough interface cannot have an address"; type empty; description "Enable passthrough on this interface"; } leaf mtu { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "256 .. 9192"; } } description "Maximum transmit packet size"; } container ether-options { junos:must "((!(".. management") && (!(".. family") && !(".. enable-passthrough"))))"; junos:must-message "Ethernet interface can not exist separately if it is under a aggregated interface and vice versa"; uses apply-advanced; choice agg-intf { leaf ieee-802-3ad { junos:must "(!(".. .. mtu"))"; junos:must-message "Aggregate slave interface cannot have MTU"; junos:must "(!(".. .. .. bridge $$"))"; junos:must-message "A bridge is configured with this name"; type string { junos:posix-pattern "^ae[0-9]{1,2}$"; junos:pattern-message "Must be of the form ae<0-99>"; length "1 .. 15"; } description "Aggregated interface name"; } } // choice agg-intf } // container ether-options } // list ethernet list bridge { key "name"; ordered-by user; description "Bridge configuration"; leaf name { junos:must "(!(any ".. .. bridge <*> interface $$"))"; junos:must-message "Bridge name is already used in one of the bridge interface list"; junos:must "(!(".. .. aggregate $$"))"; junos:must-message "An aggregate interface is configured with this name"; junos:must "(!(".. .. ethernet $$"))"; junos:must-message "An interface is configured with this name"; type string { junos:posix-pattern "^[A-za-z][.0-9A-Za-z_]{1,15}$"; junos:pattern-message "Must be a string of 15 or fewer characters. The string should start with a letter and can contain letters, digits, underscores and periods"; length "1 .. 15"; } description "Bridge name"; } uses apply-advanced; leaf management { junos:must "(!(".. .. .. fpc"))"; junos:must-message "Must not specify any interface as management with FPC compute node"; junos:must "((".. family inet address" || ".. family inet dhcp"))"; junos:must-message "Management bridge must have an address or dhcp configured"; type empty; description "Use this as management bridge"; } container family { description "Protocol family"; uses family; } // container family leaf-list interface { junos:must "((!(".. .. aggregate family inet address") && !(".. .. aggregate family inet dhcp")))"; junos:must-message "Interface associated to bridge can not have address"; type string { length "1 .. 15"; } max-elements 4; ordered-by user; description "Bridge interface list"; } leaf mtu { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "256 .. 9192"; } } description "Maximum transmit packet size"; } } // list bridge list aggregate { key "name"; ordered-by user; description "Aggregate interface configuration"; leaf name { junos:must "(!(".. .. bridge $$"))"; junos:must-message "A bridge is configured with this name"; junos:must "(!(".. .. ethernet $$"))"; junos:must-message "An interface is configured with this name"; junos:must "(any ".. .. ethernet <*> ether-options ieee-802-3ad $$")"; junos:must-message "Aggregated interface must have some slave interface"; type string { junos:posix-pattern "^ae[0-9]{1,2}$"; junos:pattern-message "Must be of the form ae<0-99>"; length "1 .. 15"; } description "Aggregated interface name"; } uses apply-advanced; leaf management { junos:must "((".. family inet address" || ".. family inet dhcp"))"; junos:must-message "Management aggregate must have an address or dhcp configured"; type empty; description "Use this as management aggregate"; } container family { description "Protocol family"; uses family; } // container family leaf mtu { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "256 .. 9192"; } } description "Maximum transmit packet size"; } container aggregated-ether-options { presence "enable aggregated-ether-options"; description "Link aggregation parameters"; uses apply-advanced; leaf hash-policy { type enumeration { enum "layer-2" { value 0; description "Uses mac address of both source and destination for hashing"; } enum "layer-3-and-4" { value 1; description "Uses port number and IP address of both source and destination for hashing"; } enum "layer-2-and-3" { value 2; description "Uses mac and IP address of both source and destination for hashing"; } } default "layer-3-and-4"; } leaf miimon { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Link monitoring interval in milli-second"; } } // container aggregated-ether-options } // list aggregate } // container interfaces list syslog { key "name"; ordered-by user; description "System logging facility"; leaf name { type enumeration { enum "any" { value 0; description "All facilities"; } enum "authorization" { value 1; description "Authorization system"; } enum "privileged" { value 2; description "Privileged authorization events"; } enum "cron" { value 3; description "Cron daemon"; } enum "daemon" { value 4; description "Various system processes"; } enum "kernel" { value 5; description "Kernel"; } enum "syslog" { value 6; description "Syslog messages"; } enum "user" { value 7; description "User processes"; } enum "uucp" { value 8; description "UUCP system"; } enum "local0" { value 9; description "Local 0 messages"; } enum "local1" { value 10; description "Local 1 messages"; } enum "local2" { value 11; description "Local 2 messages"; } enum "local3" { value 12; description "Local 3 messages"; } enum "local4" { value 13; description "Local 4 messages"; } enum "local5" { value 14; description "Local 5 messages"; } enum "local6" { value 15; description "Local 6 messages"; } enum "local7" { value 16; description "Local 7 messages"; } } description "Facility type"; } choice level { leaf any { type empty; description "All levels"; } leaf emergency { type empty; description "Panic conditions"; } leaf alert { type empty; description "Conditions that should be corrected immediately"; } leaf critical { type empty; description "Critical conditions"; } leaf error { type empty; description "Error conditions"; } leaf warning { type empty; description "Warning messages"; } leaf notice { type empty; description "Conditions that should be handled specially"; } leaf info { type empty; description "Informational messages"; } leaf debug { type empty; description "Debug messages"; } } // choice level } // list syslog } // list compute-node } // list compute-cluster container virtual-machines { description "Virtual-machine management"; uses apply-advanced; list instance { key "name"; ordered-by user; description "Virtual-machine instance"; leaf name { type string { length "1 .. 39"; } description "Virtual-machine instance identifier"; } uses apply-advanced; leaf cpu { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 16"; } } default "1"; description "Units of CPUs (default 1 cpu)"; } leaf memory { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 32"; } } units "gigabytes"; default "1"; description "Memory for the virtual-machine (default 1 gigabytes)"; } leaf package { type string { length "1 .. 120"; } description "Virtual-machine package"; } container local-management { description "Management address connected to virtual machine"; uses apply-advanced; list routing-instance { junos:must "(!(any ".. logical-system <*>"))"; junos:must-message "Must specify 'family' only under one hierarchy"; key "routing-instance-name"; max-elements 1; ordered-by user; description "Packets are restriction to specified routing instance"; leaf routing-instance-name { type string { junos:posix-pattern "!^((__.*__)|(all)|(.*[ ].*)|("")|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less with no spaces."; } description "Name of routing instance"; } uses apply-advanced; container family { description "Protocol family"; container inet { description "IPv4 parameters"; uses apply-advanced; leaf address { type jt:ipv4addr; description "Interface address"; } } // container inet } // container family } // list routing-instance container family { junos:must "(!(any ".. routing-instance <*>"))"; junos:must-message "Must specify 'family' only under one hierarchy"; description "Protocol family"; container inet { description "IPv4 parameters"; uses apply-advanced; leaf address { type jt:ipv4addr; description "Interface address"; } } // container inet } // container family } // container local-management list compute-cluster { key "name"; max-elements 1; ordered-by user; description "Compute cluster on which the virtual-machine runs"; leaf name { junos:must "("services app-engine compute-cluster $$")"; junos:must-message "Referenced compute cluster must be defined"; type string { length "1 .. 15"; } description "Compute cluster name"; } uses apply-advanced; leaf compute-node { junos:must "((("services app-engine compute-cluster ${compute-cluster} compute-node $$ fpc" && ".. .. local-management") || !("services app-engine compute-cluster ${compute-cluster} compute-node $$ fpc")))"; junos:must-message "Must specify local-management for virtual machine on FPC compute node"; junos:must "("services app-engine compute-cluster ${compute-cluster} compute-node $$")"; junos:must-message "Referenced compute node must be defined"; type string { length "1 .. 15"; } description "Compute node on which the virtual-machine runs"; } } // list compute-cluster list interface { key "name"; ordered-by user; description "Virtual-machine interface configuration"; leaf name { type string { length "1 .. 31"; } description "Virtual-machine interface name"; } uses apply-advanced; leaf hw-model { type enumeration { enum "e1000g" { value 0; description "Gigabit Ethernet e1000g driver"; } enum "virtio" { value 1; description "Para-virtualizing the interface"; } } default "e1000g"; description "Interface hardware model"; } leaf host-interface { type string { length "1 .. 15"; } description "Passthrough host interface for virtual-machine"; } leaf bridge { junos:must "(!(".. mtu"))"; junos:must-message "Bridged VM interface inherits MTU from the bridge"; junos:must "(!(".. host-interface"))"; junos:must-message "bridge can not defined with passthrough/host-interface"; type string { length "1 .. 15"; } description "Bridge that the interface connected to"; } leaf mtu { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "256 .. 9192"; } } description "Maximum transmit packet size"; } container family { description "Interface address family"; container inet { presence "enable inet"; description "IPv4 parameters"; uses apply-advanced; list address { key "name"; ordered-by user; description "Interface address/destination prefix"; leaf name { type jt:ipv4prefix; description "Interface address/destination prefix"; } uses apply-advanced; leaf primary { type empty; description "Primary address on the interface"; } } // list address } // container inet } // container family } // list interface container routing-options { description "Route configuration for virutal machine"; uses apply-advanced; container static { description "Static routes"; uses apply-advanced; list route { key "name"; ordered-by user; description "Static route"; leaf name { junos:must "(!(any ".. .. .. rib <*> static route $$"))"; junos:must-message "Duplicate route entry"; type jt:ipv4prefix; description "Destination IP address or prefix"; } uses apply-advanced; leaf next-hop { type jt:ipv4addr; description "Next hop to destination"; } } // list route } // container static list rib { key "name"; ordered-by user; description "Routing table options"; leaf name { type string { junos:posix-pattern "inet.0"; junos:pattern-message "Only inet.0 is supported"; length "1 .. 10"; } description "Routing table name"; } uses apply-advanced; container static { description "Static routes"; uses apply-advanced; list route { key "name"; ordered-by user; description "Static route"; leaf name { junos:must "(!(".. .. .. .. static route $$"))"; junos:must-message "Duplicate route entry"; type jt:ipv4prefix; description "Destination IP address or prefix"; } uses apply-advanced; leaf next-hop { type jt:ipv4addr; description "Next hop to destination"; } } // list route } // container static } // list rib } // container routing-options list secondary-disk { key "name"; ordered-by user; description "Virtual-machine disk"; leaf name { type enumeration { enum "hdb" { value 0; description "Disk name is hdb"; } enum "hdc" { value 1; description "Disk name is hdc"; } enum "hdd" { value 2; description "Disk name is hdd"; } } description "Virtual-machine disk name"; } leaf size { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 160"; } } units "gigabytes"; description "Virtual-machine secondary disk size"; } } // list secondary-disk } // list instance } // container virtual-machines } // container app-engine container unified-access-control { description "Configure Unified Access Control"; uses apply-advanced; list infranet-controller { key "name"; ordered-by user; description "Configure infranet controller"; leaf name { type string { length "1 .. 31"; } description "Infranet controller name"; } uses apply-advanced; leaf address { type jt:ipv4addr; description "Infranet controller IP address"; } leaf port { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 65535"; } } default "11123"; description "Infranet controller port"; } leaf interface { type union { type jt:interface-name; type string { pattern "<.*>|$.*"; } } description "Outgoing interface"; } leaf password { type string { length "1 .. 255"; } description "Infranet controller server password"; } leaf-list ca-profile { type string; ordered-by user; description "Define a list of certificate authority"; } leaf server-certificate-subject { type string { length "1 .. 255"; } description "Subject name of infranet controller certificate to match"; } } // list infranet-controller leaf certificate-verification { type enumeration { enum "warning" { value 0; description "Warn if certificate is not being verified"; } enum "required" { value 1; description "Require certificate verification. Most secure"; } enum "optional" { value 2; description "Make verification optional, no warnings. Least secure"; } } default "warning"; description "Specify certificate verification requirement"; } leaf timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 10000"; } } default "300"; description "Timeout for idle infranet controller link in seconds"; } leaf interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 9999"; } } default "30"; description "Heartbeat interval from infranet controller in seconds"; } leaf timeout-action { type enumeration { enum "close" { value 0; description "Remove existing sessions and block further traffic"; } enum "no-change" { value 1; description "Preserve existing connections; block new sessions"; } enum "open" { value 2; description "Allow traffic for new and existing sessions to go through"; } } default "close"; description "Specify action when infranet controller timeout occurs"; } container traceoptions { description "UAC trace options"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file list flag { key "name"; ordered-by user; description "Tracing parameters"; leaf name { type enumeration { enum "all" { value 0; description "Trace with all flags enabled"; } enum "ipc" { value 1; description "IPC tracing"; } enum "config" { value 2; description "Configuration tracing"; } enum "connect" { value 3; description "Communication with infranet controller tracing"; } } } } // list flag } // container traceoptions } // container unified-access-control container captive-portal { description "Captive Portal options"; uses juniper-services-captive-portal; } // container captive-portal container ipsec-vpn { description "Configure IPSec VPN service"; uses apply-advanced; list rule { key "name"; ordered-by user; description "Define an IPSec rule"; uses ipsec_vpn_rule_object; } // list rule list rule-set { key "name"; max-elements 16960; ordered-by user; description "Defines a set of IPSec rules"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Name of the rule set"; } uses apply-advanced; list rule { key "name"; max-elements 16960; ordered-by user; description "Rule to be included in this rule set"; leaf name { junos:must "("services ipsec-vpn rule $$")"; junos:must-message "rule must be configured"; type string { junos:posix-pattern "^[A-Za-z0-9][_0-9A-Za-z-]{0,62}$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of no more than 63 total letters, numbers, dashes and underscores."; } description "Rule name"; } uses apply-advanced; } // list rule } // list rule-set container ipsec { description "IPSec configuration"; uses services-ipsec; } // container ipsec container ike { description "IKE configuration"; uses services-ike; } // container ike container traceoptions { junos:must "(!("security traceoptions"))"; junos:must-message "The traceoptions must not be configured under [edit services ipsec-vpn] and [edit security] simultaneously"; description "Trace options for IPSec key management process"; uses ipsec-services-traceoptions; } // container traceoptions leaf no-ipsec-tunnel-in-traceroute { type empty; description "Do not display IPSec tunnel endpoint in traceroute output"; } leaf establish-tunnels { type enumeration { enum "immediately" { value 0; description "Establish tunnels immediately"; } enum "on-traffic" { value 1; description "Establish tunnels on traffic"; } enum "responder-only" { value 2; description "Don't establish tunnels on responder only"; } } default "on-traffic"; description "Define the criteria to establish tunnels"; } leaf clear-ike-sas-on-pic-restart { type empty; description "Clear IKE SAs when the corresponding PIC restarts"; } leaf clear-ipsec-sas-on-pic-restart { type empty; description "Clear IPSec SAs when the corresponding PIC restarts"; } leaf disable-natt { type empty; description "Disable NAT traversal even if NAT is detected"; } } // container ipsec-vpn container ssl { description "Configuration for Secure Socket Layer support service"; uses apply-advanced; container traceoptions { description "Trace options for Secure Socket Layer support service"; uses ssl-traceoptions; } // container traceoptions container termination { description "Configuration for Secure Socket Layer termination support service"; uses ssl-termination-config; } // container termination container initiation { description "Configuration for Secure Socket Layer initiation support service"; uses ssl-initiation-config; } // container initiation } // container ssl container pcp { description "Configure Port Control Protocol"; uses pcp-object; } // container pcp container rtlog { presence "enable rtlog"; description "Secure log daemon options"; uses apply-advanced; container traceoptions { description "Security log daemon trace options"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file list flag { key "name"; ordered-by user; description "List of things to include in trace"; leaf name { type enumeration { enum "source" { value 0; description "Communication with security log forwarder"; } enum "configuration" { value 1; description "Reading of configuration"; } enum "all" { value 2; description "Everything"; } enum "report" { value 3; description "Trace report"; } enum "hpl" { value 4; description "Trace HPL logging"; } } } } // list flag } // container traceoptions } // container rtlog container service-interface-pools { description "Configure service interface pools"; uses apply-advanced; list pool { key "name"; ordered-by user; description "Define service interface pool"; uses service_interface_pool_object; } // list pool } // container service-interface-pools container hosted-services { description "Configuration for services performed in the remote server"; uses apply-advanced; list client-profile { key "name"; ordered-by user; description "Configure client profile"; leaf name { type string { length "3 .. 32"; } description "Client profile name"; } uses apply-advanced; leaf transport-type { type enumeration { enum "GRE" { value 0; description "GRE"; } enum "UDP" { value 1; description "UDP"; } enum "TCP" { value 2; description "TCP"; } } description "Transport type"; } leaf client-address { type jt:ipv4addr; description "Client address"; } leaf hosted-service-identifier { type union { type string { pattern "<.*>|$.*"; } type int32 { range "1 .. 63"; } } description "Identifier for the service performed on the remote server"; } } // list client-profile list server-profile { key "name"; ordered-by user; description "Configure server profile"; leaf name { type string { length "3 .. 32"; } description "Server profile name"; } uses apply-advanced; leaf transport-type { type enumeration { enum "GRE" { value 0; description "GRE"; } enum "UDP" { value 1; description "UDP"; } enum "TCP" { value 2; description "TCP"; } } description "Transport type"; } leaf server-address { type jt:ipv4addr; description "Server address"; } leaf client-address { type jt:ipv4addr; description "Client address"; } leaf hosted-service-identifier { type union { type string { pattern "<.*>|$.*"; } type int32 { range "1 .. 63"; } } description "Identifier for the service performed in the remote server"; } } // list server-profile } // container hosted-services container jflow-log { presence "enable jflow-log"; description "Configure jflow-logging parameters for services"; uses apply-advanced; list collector { key "name"; ordered-by user; description "Collector attributes"; leaf name { type string { length "1 .. 63"; } description "Profile name"; } uses apply-advanced; leaf destination-address { type string { junos:posix-pattern "^[[:alnum:]._-]+$"; junos:pattern-message "Must be a string of letters, numbers, dashes or underscores"; } description "IPv4 Address or hostname of the collector"; } leaf destination-port { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 65535"; } } description "Destination port of the collector"; } leaf source-ip { type jt:ipv4addr; description "Source IPv4 Address from which logging is to be done"; } } // list collector list collector-group { key "name"; ordered-by user; leaf name { type string { length "1 .. 63"; } description "Name of collector-group"; } uses apply-advanced; leaf-list collector { type string { length "1 .. 63"; } max-elements 8; ordered-by user; description "List of Collector profiles"; } } // list collector-group list template-profile { key "name"; ordered-by user; leaf name { junos:must "((any ".. collector <*>" || any ".. collector-group <*>"))"; junos:must-message "template-profile must have a collector or collector-group configured"; type string { length "1 .. 63"; } description "Specify name of the template"; } uses apply-advanced; leaf collector { junos:must "(!(any ".. collector-group <*>"))"; junos:must-message "Collector-group is already configured for this template"; junos:must "("services jflow-log collector $$")"; junos:must-message "The referenced collector is not defined"; type string { length "1 .. 63"; } description "Specify a collector name"; } leaf-list collector-group { junos:must "(!(any ".. collector <*>"))"; junos:must-message "Collector is already configured for this template profile"; type string { length "1 .. 63"; } max-elements 1; ordered-by user; description "Specify a collector-group name"; } leaf template-type { type enumeration { enum "nat" { value 0; description "Enable jflow-logs for NAT events"; } } description "Allow jflow-log for applications"; } leaf version { type enumeration { enum "v9" { value 0; description "Version 9"; } enum "ipfix" { value 1; description "Ipfix"; } } description "Version of jflow-logging"; } container refresh-rate { presence "enable refresh-rate"; uses apply-advanced; leaf packets { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 48000"; } } default "4800"; description "Specify number of packets after which templates are sent to collector"; } leaf seconds { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "10 .. 1800"; } } default "1800"; description "Specify number of seconds after which templates are sent to collector"; } } // container refresh-rate } // list template-profile } // container jflow-log container service-device-pools { description "Configure service device pools"; uses apply-advanced; list pool { key "name"; ordered-by user; description "Define service device pool"; uses service_device_pool_object; } // list pool } // container service-device-pools container analytics { presence "enable analytics"; description "Traffic analytics configuration options"; uses apply-advanced; container zero-suppression { presence "enable zero-suppression"; description "Configure suppression of zeros for GRPC sensors"; uses apply-advanced; leaf no-zero-suppression { type empty; description "Disable zero suppression"; } } // container zero-suppression list streaming-server { key "name"; ordered-by user; description "Define Telemetry data servers"; leaf name { type string { length "1 .. 128"; } description "Telemetry App server Name"; } uses apply-advanced; leaf remote-address { type jt:ipaddr; description "Telemetry server IP address"; } leaf remote-port { type union { type uint16; type string { pattern "<.*>|$.*"; } } description "Telemetry server Port"; } leaf transport { type enumeration { enum "udp" { value 0; description "Use UDP transport protocol"; } enum "grpc" { value 1; description "Use grpc transport"; } } description "Telemetry export transport protocol"; } leaf dialout { type empty; description "Supports dynamic dialout subscriptions"; } } // list streaming-server list export-profile { key "name"; ordered-by user; description "Telemetry export profile name"; leaf name { type string { length "1 .. 128"; } description "Telemetry export profile name"; } uses apply-advanced; leaf local-address { type jt:ipv4addr; description "Source address for exported packets"; } leaf local-port { type union { type uint16; type string { pattern "<.*>|$.*"; } } description "Source port for exported packets"; } leaf dscp { type union { type string { pattern "<.*>|$.*"; } type uint8 { range "0 .. 63"; } } description "DSCP value for exported packets"; } leaf forwarding-class { type string { length "1 .. 64"; } description "Forwarding-class for exported packets, applicable only for PFE sensors"; } leaf reporting-rate { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 86400"; } } units "seconds"; description "Telemetry interval in seconds, max 24 hours"; } leaf payload-size { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1400 .. 9192"; } } units "bytes"; default "5000"; description "Telemetry payload size"; } leaf format { type enumeration { enum "gpb" { value 0; description "Use gpb format"; } enum "gpb-sdm" { value 1; description "Use gpb self-describing-message format"; } enum "gpb-gnmi" { value 2; description "Use gnmi format for gpb messages"; } enum "json-gnmi" { value 3; description "Use gnmi format for json messages"; } } description "Telemetry export record format"; } leaf transport { type enumeration { enum "udp" { value 0; description "Use UDP transport protocol"; } enum "grpc" { value 1; description "Use grpc transport"; } } description "Telemetry export transport protocol"; } } // list export-profile list sensor { junos:must "(!("system services cloud-analytics instance"))"; junos:must-message "Cloud analytics shoud not be defined"; key "name"; ordered-by user; description "Define Telemetry sensors"; leaf name { type string { length "1 .. 128"; } description "Name of the sensor"; } uses apply-advanced; leaf-list server-name { type string { length "1 .. 128"; } ordered-by user; description "Define Telemetry server "; } leaf export-name { type string { length "1 .. 128"; } description "Define Telemetry export profiles"; } leaf polling-interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 4294967295"; } } units "nanoseconds"; status deprecated; description "Define sensor polling interval in nano secs (1 .. 4294967295)"; } leaf resource { type string { length "1 .. 255"; } description "System resource identifier string"; } leaf resource-filter { type string { length "1 .. 1024"; } description "Regexp for filtering resource instances (1 .. 1024)"; } leaf subscription-id { type union { type uint64; type string { pattern "<.*>|$.*"; } } description "Subscription ID (Used internally to group sensors)"; } leaf suppress-zeros { type empty; description "Supress zeros while data export"; } leaf reporting-rate { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 86400"; } } units "seconds"; description "Telemetry interval in seconds, max 24 hours"; } leaf-list end-of-sync-identifiers { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 64"; } } max-elements 10; ordered-by user; description "Set of end-of-syncs for this sensor"; } leaf target-defined { type empty; description "Allow target to decide periodic, on-change or mix"; } leaf life-time { type enumeration { enum "long-lived" { value 0; description "A long-lived subscription"; } enum "one-off" { value 1; description "An one-off subscription"; } } description "Denotes sensor life-time"; } } // list sensor container agent { description "Configure analytics agent"; uses apply-advanced; list service-agents { key "name"; ordered-by user; description "Analytics service agent configuration"; leaf name { type string; description "Analytics service agent name"; } uses apply-advanced; container inputs { description "List of input plugins"; uses apply-advanced; container input-jti-ipfix { presence "enable input-jti-ipfix"; description "Junos grpc IPFIX group plugin"; uses apply-advanced; container parameters { presence "enable parameters"; uses apply-advanced; list record-group { key "name"; max-elements 10; ordered-by user; description "Group sensors"; leaf name { type string; description "Group sensors"; } uses apply-advanced; leaf reporting-interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "60 .. 86400"; } } default "900"; description "Reporting-interval"; } leaf-list record { type enumeration { enum "port-statistics" { value 0; description "Port statistics"; } enum "address-pool-utilization" { value 1; description "Address pool utilization"; } enum "dhcpv4-server-stats" { value 2; description "Dhcpv4 server statistics"; } enum "thermal" { value 3; description "Thermal statistics"; } enum "chassis-inventory" { value 4; description "Chassis inventory details"; } enum "chassis-power" { value 5; description "Chassis power details"; } enum "resource-utilization" { value 6; description "Resource utilization details"; } enum "uptime" { value 7; description "Uptime value"; } enum "subscriber-statistics" { value 8; description "Subscriber statistics"; } enum "interface-metadata" { value 9; description "Interface metadata details"; } enum "interface-queue-statistics" { value 10; description "Interface Queue statistics"; } } ordered-by user; description "Ipfix record name"; } } // list record-group } // container parameters } // container input-jti-ipfix container input-ipfix { presence "enable input-ipfix"; description "Junos IPFIX Mediator input plugin"; uses apply-advanced; container parameters { presence "enable parameters"; description "List of IPFIX parameters"; uses apply-advanced; leaf tcp-port { type union { type uint16; type string { pattern "<.*>|$.*"; } } description "Listening TCP Port for IPFIX Mediator"; } leaf maximum-connections { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 500"; } } description "Maximum TCP Connections 1..500"; } leaf vrf-name { type string; description "VRF name on which IPFIX packets are accepted"; } } // container parameters } // container input-ipfix container analytics { presence "enable analytics"; description "Junos Telemetry plugin"; uses apply-advanced; container parameters { presence "enable parameters"; description "List of key:value parameters"; uses apply-advanced; leaf sample-frequency { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 86400"; } } units "seconds"; default "5"; description "Interval for sensor data in seconds, max 24 hours"; } leaf sensors { type string { length "1 .. 2048"; } description "Space separated list of sensor paths"; } leaf generate-tags { type empty; description "Enable generation of tags"; } } // container parameters } // container analytics } // container inputs list outputs { key "name"; max-elements 1; ordered-by user; description "List of output plugins"; uses output-plugin; } // list outputs } // list service-agents container traceoptions { presence "enable traceoptions"; uses apply-advanced; leaf flag { type enumeration { enum "trace" { value 0; description "Log level TRACE, will trace everything"; } enum "debug" { value 1; description "Log level DEBUG, will trace debug messages"; } enum "info" { value 2; description "Log level INFO"; } enum "error" { value 3; description "Log level ERROR, will trace all error messages"; } } description "Set log level for tracing"; } leaf filename { type string; default "ntf-agent.log"; description "Configure filename for trace messages"; } } // container traceoptions } // container agent container traceoptions { description "Traffic analytics trace options"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file list flag { key "name"; description "Tracing parameters"; leaf name { type enumeration { enum "all" { value 0; description "Trace configuration events"; } enum "configuration" { value 1; description "Log configuration events"; } enum "rtsock" { value 2; description "Trace rtsock message events"; } enum "client-server" { value 3; description "Trace client-server events"; } enum "interface" { value 4; description "Trace interface update events"; } enum "xmlproxy" { value 5; description "Trace xmlproxy events"; } } } leaf disable { type empty; description "Disable this trace flag"; } } // list flag } // container traceoptions list export-profiles { key "name"; ordered-by user; description "Mapping of export-profiles to collectors"; leaf name { type string { length "1 .. 64"; } description "Export profile name"; } uses apply-advanced; leaf stream-format { type enumeration { enum "gpb" { value 0; description "Google protocol buffer format"; } enum "json" { value 1; description "Java script object notation format"; } enum "csv" { value 2; description "Comma separated value"; } enum "tsv" { value 3; description "Tab separated value"; } } default "gpb"; description "Streaming data format"; } container interface { presence "enable interface"; description "Interface specific information"; uses apply-advanced; leaf information { type empty; description "Enable streaming of interface information"; } container statistics { description "Type of statistics to stream"; uses apply-advanced; leaf traffic { type empty; description "Enable streaming of interface traffic statistics"; } leaf queue { type empty; description "Enable streaming of interface queue statistics"; } } // container statistics container status { description "Type of statistics to stream"; uses apply-advanced; leaf link { type empty; description "Enable streaming of interface link status"; } leaf traffic { type empty; description "Enable streaming of interface traffic status"; } leaf queue { type empty; description "Enable streaming of interface queue status"; } } // container status } // container interface container system { presence "enable system"; description "Interface specific information"; uses apply-advanced; leaf information { type empty; description "Enable streaming of system information"; } container status { description "Type of statistics to stream"; uses apply-advanced; leaf traffic { type empty; description "Enable streaming of system traffic status"; } leaf queue { type empty; description "Enable streaming of system queue status"; } } // container status } // container system } // list export-profiles list resource-profiles { key "name"; ordered-by user; description "Mapping of resource profiles to interfaces/queues/system"; leaf name { type string { length "1 .. 64"; } description "Export profile name"; } uses apply-advanced; choice queue-monitoring-choice { leaf queue-monitoring { type empty; description "Enable queue statistics monitoring"; } leaf no-queue-monitoring { type empty; description "Don't enable queue statistics monitoring"; } } // choice queue-monitoring-choice choice traffic-monitoring-choice { leaf traffic-monitoring { type empty; description "Enable traffic statistics monitoring"; } leaf no-traffic-monitoring { type empty; description "Don't enable traffic statistics monitoring"; } } // choice traffic-monitoring-choice container depth-threshold { junos:must "(!(".. latency-threshold"))"; junos:must-message "latency and queue-depth thresholds can not be set together"; description "Depth threshold configuration"; leaf high { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 1250000000"; } } units "bytes"; description "High queue depth threshold"; } leaf low { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 1250000000"; } } units "bytes"; description "Low queue depth threshold"; } } // container depth-threshold container latency-threshold { junos:must "(!(".. depth-threshold"))"; junos:must-message "latency and queue-depth thresholds can not be set together"; description "Latency threshold configuration"; leaf high { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 100000000"; } } units "nanoseconds"; description "High latency threshold"; } leaf low { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 100000000"; } } units "nanoseconds"; description "Low latency threshold"; } } // container latency-threshold } // list resource-profiles container resource { presence "enable resource"; uses apply-advanced; container system { description "System configuration options"; uses apply-advanced; leaf resource-profile { junos:must "("services analytics resource-profiles $$")"; junos:must-message "binded resource-profile in not configured"; type string { length "1 .. 64"; } description "Resouce profile name"; } container polling-interval { description "Polling interval"; uses apply-advanced; leaf traffic-monitoring { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 300"; } } units "seconds"; description "Traffic statistics polling interval"; } leaf queue-monitoring { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 1000"; } } units "milliseconds"; description "Queue statistics polling interval"; } } // container polling-interval } // container system container interfaces { description "Interface configuration options"; uses apply-advanced; list interface { key "name"; uses interface_type; } // list interface } // container interfaces } // container resource container collector { description "Remote streaming servers configuration options"; uses apply-advanced; container local { description "Remote streaming servers configuration options"; uses apply-advanced; container file { description "Log file information"; leaf filename { type jt:filename; description "Name of file in which to write log information"; } leaf size { type string; description "Maximum log file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "10"; description "Maximum number of trace files"; } } // container file } // container local list address { key "name"; description "IP address of remote server"; leaf name { type jt:ipaddr; description "IP address"; } uses apply-advanced; list port { key "name"; description "Remote streaming server port number"; leaf name { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 65535"; } } description "Port number"; } uses apply-advanced; list transport { key "name"; description "Transport protocol"; leaf name { type enumeration { enum "tcp" { value 0; description "Transmission control protocol"; } enum "udp" { value 1; description "User datagram protocol"; } } } uses apply-advanced; leaf export-profile { junos:must "("services analytics export-profiles $$")"; junos:must-message "binded export-profiles in not configured"; type string { length "1 .. 64"; } description "Export profile name"; } } // list transport } // list port } // list address } // container collector container traffic-statistics { status deprecated; description "Traffic statistics configuration options"; uses apply-advanced; container file { description "Log file information"; leaf filename { type jt:filename; description "Name of file in which to write log information"; } leaf size { type string; description "Maximum log file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "10"; description "Maximum number of trace files"; } } // container file leaf interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 300"; } } units "seconds"; description "Traffic statistics polling interval"; } } // container traffic-statistics container queue-statistics { status deprecated; description "Microburst statistics configuration options"; uses apply-advanced; container file { description "Log file information"; leaf filename { type jt:filename; description "Name of file in which to write log information"; } leaf size { type string; description "Maximum log file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "10"; description "Maximum number of trace files"; } } // container file leaf interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 1000"; } } units "milliseconds"; description "Queue statistics polling interval"; } } // container queue-statistics container interfaces { status deprecated; description "Interface configuration options"; uses apply-advanced; list interface { key "name"; uses interface_type; } // list interface } // container interfaces container streaming-servers { status deprecated; description "Remote streaming servers configuration options"; uses apply-advanced; list address { key "name"; ordered-by user; description "IP address of remote server"; leaf name { type jt:ipaddr; description "IP address"; } uses apply-advanced; list port { key "name"; description "Remote streaming server port number"; leaf name { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 65535"; } } description "Port number"; } uses apply-advanced; leaf stream-format { type enumeration { enum "json" { value 0; description "Javascript object notation"; } enum "csv" { value 1; description "Comma separated value"; } enum "tsv" { value 2; description "Tab separated value"; } } description "Streaming data format"; } list stream-type { key "name"; description "Type of statistics to stream"; leaf name { type enumeration { enum "traffic-statistics" { value 0; description "Enable streaming of traffic statistics"; } enum "queue-statistics" { value 1; description "Enable streaming of queue statistics"; } } } uses apply-advanced; } // list stream-type } // list port } // list address } // container streaming-servers } // container analytics } // container services } // grouping services-group grouping apply-advanced { description "Apply advanced configuration logic"; leaf-list apply-groups { type string; ordered-by user; description "Groups from which to inherit configuration data"; } leaf-list apply-groups-except { type string; ordered-by user; description "Don't inherit configuration data from these groups"; } list apply-macro { key "name"; ordered-by user; description "Macro and parameters for commit script expansion"; uses apply-macro-type; } // list apply-macro } // grouping apply-advanced grouping apply-macro-type { description "Macro data for commit-script expansion"; leaf name { type string; description "Name of the macro to be expanded"; } list data { key "name"; uses macro-data-type; } // list data } // grouping apply-macro-type grouping bgp-logical-system { description "Logical systems configuration for rpm"; leaf name { type string { junos:posix-pattern "![^a-zA-Z0-9_-]|(^(all|.{64,})$)"; junos:pattern-message "Logical-system name is a string consisting of up to 63 letters, numbers, dashes and underscores"; } description "Logical system name"; } uses apply-advanced; list routing-instances { key "name"; description "Routing instances"; uses bgp-routing-instances; } // list routing-instances } // grouping bgp-logical-system grouping bgp-routing-instances { description "Routing-instance configuration for rpm"; leaf name { type string; description "Routing instance name"; } uses apply-advanced; } // grouping bgp-routing-instances grouping drop-policy-term { description "One or more drop terms"; leaf name { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } description "Term name"; } uses apply-advanced; container from { description "Define match criteria"; uses apply-advanced; container source-address { presence "enable source-address"; description "Source IP Address"; uses li_policy_addr_simple_object; } // container source-address container destination-address { presence "enable destination-address"; description "Destination IP Address"; uses li_policy_addr_simple_object; } // container destination-address choice source-port_choice { container source-port { description "Match source port"; uses match_li_simple_port_value; } // container source-port } // choice source-port_choice choice destination-port_choice { container destination-port { description "Match destination port"; uses match_li_simple_port_value; } // container destination-port } // choice destination-port_choice choice protocol_choice { container protocol { description "Match IP protocol type"; uses match_li_simple_protocol_value; } // container protocol } // choice protocol_choice choice dscp_choice { container dscp { description "Match Differentiated Services (DiffServ) code point"; uses match_li_simple_dscp_value; } // container dscp } // choice dscp_choice } // container from } // grouping drop-policy-term grouping drop-policy6-term { description "One or more drop terms"; leaf name { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } description "Term name"; } uses apply-advanced; container from { description "Define match criteria"; uses apply-advanced; container source-address { presence "enable source-address"; description "Source IPv6 Address or Prefix"; uses li_policy_addr6_simple_object; } // container source-address container destination-address { presence "enable destination-address"; description "Destination IPv6 Address or Prefix"; uses li_policy_addr6_simple_object; } // container destination-address choice source-port_choice { container source-port { description "Match source port"; uses match_li_simple_port_value; } // container source-port } // choice source-port_choice choice destination-port_choice { container destination-port { description "Match destination port"; uses match_li_simple_port_value; } // container destination-port } // choice destination-port_choice choice protocol_choice { container protocol { description "Match IP protocol type"; uses match_li_simple_protocol_value; } // container protocol } // choice protocol_choice choice dscp_choice { container dscp { description "Match Differentiated Services (DiffServ) code point"; uses match_li_simple_dscp_value; } // container dscp } // choice dscp_choice } // container from } // grouping drop-policy6-term grouping family { container inet { description "IPv4 parameters"; uses apply-advanced; choice if-addr { leaf dhcp { type empty; description "Enable DHCP on ethernet interface"; } leaf address { type jt:ipv4prefix; description "Interface address/destination prefix"; } } // choice if-addr } // container inet } // grouping family grouping interface_type { description "Physical interface"; leaf name { type string; } uses apply-advanced; choice queue-statistics-choice { leaf queue-statistics { type empty; status deprecated; description "Enable queue statistics collection"; } leaf no-queue-statistics { type empty; status deprecated; description "Don't enable queue statistics collection"; } } // choice queue-statistics-choice choice traffic-statistics-choice { leaf traffic-statistics { type empty; status deprecated; description "Enable traffic statistics collection"; } leaf no-traffic-statistics { type empty; status deprecated; description "Don't enable traffic statistics collection"; } } // choice traffic-statistics-choice leaf resource-profile { junos:must "("services analytics resource-profiles $$")"; junos:must-message "binded resource-profile in not configured"; type string { length "1 .. 64"; } description "Resouce profile name"; } } // grouping interface_type grouping ipsec-services-traceoptions { description "Trace options for key management process"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file leaf level { type enumeration { enum "error" { value 0; description "Match error conditions"; } enum "warning" { value 1; description "Match warning messages"; } enum "notice" { value 2; description "Match conditions that should be handled specially"; } enum "info" { value 3; description "Match informational messages"; } enum "verbose" { value 4; description "Match verbose messages"; } enum "all" { value 5; description "Match all levels"; } } default "error"; description "Level of debugging output"; } list flag { key "name"; ordered-by user; description "Tracing parameters"; leaf name { type enumeration { enum "timer" { value 0; description "Trace internal timer events"; } enum "routing-socket" { value 1; description "Trace routing socket messages"; } enum "parse" { value 2; description "Trace configuration processing"; } enum "ike" { value 3; description "Trace IKE module processing"; } enum "policy-manager" { value 4; description "Trace policy manager processing"; } enum "general" { value 5; description "Trace general events"; } enum "database" { value 6; description "Trace security associations database events"; } enum "certificates" { value 7; description "Trace certificate events"; } enum "snmp" { value 8; description "Trace SNMP operations"; } enum "ams" { value 9; description "Trace AMS events"; } enum "lic" { value 10; description "Trace License events"; } enum "all" { value 11; description "Trace everything"; } } } } // list flag } // grouping ipsec-services-traceoptions grouping ipsec_vpn_rule_object { leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Rule name"; } uses apply-advanced; list term { key "name"; ordered-by user; description "Define an IPSec term"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Term name"; } uses apply-advanced; container from { description "Define match criteria"; uses ipsec_vpn_match_object; } // container from container then { presence "enable then"; description "Action to take if the 'from' condition is matched"; uses apply-advanced; leaf syslog { type empty; description "System log information about the packet"; } leaf remote-gateway { type jt:ipaddr; description "Remote gateway address"; } leaf backup-remote-gateway { junos:must "(".. dynamic")"; junos:must-message "Backup remote gateway can be configured with dynamic security associations only"; type jt:ipaddr; description "Backup remote gateway address"; } choice sa_choice { container manual { description "Define a manual security association"; uses apply-advanced; list direction { key "name"; ordered-by user; description "Define the direction of the security association"; leaf name { type enumeration { enum "inbound" { junos:must "(".. .. direction $$={outbound}")"; junos:must-message "Outbound block must be configured"; value 0; description "Inbound security association"; } enum "outbound" { junos:must "(".. .. direction $$={inbound}")"; junos:must-message "Inbound block must be configured"; value 1; description "Outbound security association"; } enum "bidirectional" { junos:must "((!(".. .. direction $$={inbound}") && !(".. .. direction $$={outbound}")))"; junos:must-message "Outbound or inbound blocks must not be configured"; value 2; description "Bidirectional security association"; } } } uses apply-advanced; leaf protocol { type enumeration { enum "ah" { junos:must "(!(".. encryption"))"; junos:must-message "Encryption must not be defined for AH"; junos:must "(".. authentication")"; junos:must-message "Authentication must be defined for AH"; value 0; description "Authentication header"; } enum "esp" { junos:must "((".. authentication" || ".. encryption"))"; junos:must-message "Either authentication or encryption must be defined for ESP"; value 1; description "Encapsulated Security Payload header"; } enum "bundle" { junos:must "(".. auxiliary-spi")"; junos:must-message "Auxiliary SPI must be defined for AH plus ESP bundle"; junos:must "(".. encryption")"; junos:must-message "Encryption must be defined for AH plus ESP bundle"; junos:must "(".. authentication")"; junos:must-message "Authentication must be defined for AH plus ESP bundle"; value 2; description "Bundle (AH authentication plus ESP encryption)"; } } description "Define an IPSec protocol for the security association"; } leaf spi { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "256 .. 16639"; } } description "Define security parameter index"; } leaf auxiliary-spi { junos:must "(".. protocol bundle")"; junos:must-message "Auxiliary SPI must be configured with protocol bundle only"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "256 .. 16639"; } } description "ESP security parameter index for IPSec SA bundle"; } container authentication { description "Define authentication parameters"; uses apply-advanced; leaf algorithm { type enumeration { enum "hmac-md5-96" { value 0; description "HMAC-MD5-96 authentication algorithm"; } enum "hmac-sha1-96" { value 1; description "HMAC-SHA1-96 authentication algorithm"; } enum "hmac-sha2-256" { value 2; description "HMAC-SHA2-256 authentication algorithm"; } enum "hmac-sha-256-128" { value 3; description "HMAC-SHA-256-128 authentication algorithm"; } } description "Define authentication algorithm"; } container key { description "Define an authentication key"; choice key-choice { leaf ascii-text { type string { length "1 .. 255"; } description "Format as text"; } leaf hexadecimal { type string { junos:posix-pattern "^[[:xdigit:]]+$"; junos:pattern-message "Must be hexadecimal digits (0-9, a-f, A-F)"; length "1 .. 255"; } description "Format as hexadecimal"; } } // choice key-choice } // container key } // container authentication container encryption { description "Define encryption parameters"; uses apply-advanced; leaf algorithm { type enumeration { enum "des-cbc" { value 0; description "DES-CBC encryption algorithm"; } enum "3des-cbc" { value 1; description "3DES-CBC encryption algorithm"; } enum "aes-128-cbc" { value 2; description "AES-CBC 128-bit encryption algorithm"; } enum "aes-192-cbc" { value 3; description "AES-CBC 192-bit encryption algorithm"; } enum "aes-256-cbc" { value 4; description "AES-CBC 256-bit encryption algorithm"; } } description "Define encryption algorithm"; } container key { description "Define an encryption key"; choice key-choice { leaf ascii-text { type string { length "1 .. 255"; } description "Format as text"; } leaf hexadecimal { type string { junos:posix-pattern "^[[:xdigit:]]+$"; junos:pattern-message "Must be hexadecimal digits (0-9, a-f, A-F)"; length "1 .. 255"; } description "Format as hexadecimal"; } } // choice key-choice } // container key } // container encryption } // list direction } // container manual container dynamic { description "Define a dynamic security association"; uses apply-advanced; leaf ike-policy { junos:must "(!("services ipsec-vpn ike policy $$ remote-id any-remote-id"))"; junos:must-message "Referenced IKE policy can include 'any-remote-id' statement only in the DEP (dynamic endpoints configuration) mode"; junos:must "(("services ipsec-vpn ike policy $$ pre-shared-key" || "services ipsec-vpn ike policy $$ local-certificate"))"; junos:must-message "Either pre-shared-key or local-certificate must be configured in the referencd ike policy"; junos:must "("services ipsec-vpn ike policy $$")"; junos:must-message "Referenced IKE policy must be defined under [edit services ipsec-vpn ike policy]"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 32"; } description "Name of the IKE policy"; } leaf ipsec-policy { junos:must "("services ipsec-vpn ipsec policy $$")"; junos:must-message "Referenced IPSec policy must be defined under [edit services ipsec-vpn ipsec policy]"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 32"; } description "Name of the IPSec policy"; } leaf natt-install-interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 10"; } } units "seconds"; default "0"; description "Installation interval of the IPSEC SA in NAT-T scenario"; } } // container dynamic } // choice sa_choice leaf clear-dont-fragment-bit { junos:must "((!(".. copy-dont-fragment-bit") && !(".. set-dont-fragment-bit")))"; junos:must-message "'clear' option can not be configured if either of 'copy' or 'set' is already configured"; type empty; description "Clear the do not fragment bit"; } leaf copy-dont-fragment-bit { junos:must "((!(".. clear-dont-fragment-bit") && !(".. set-dont-fragment-bit")))"; junos:must-message "'copy' option can not be configured if either of 'clear' or 'set' is already configured"; type empty; description "Copy the do not fragment bit"; } leaf set-dont-fragment-bit { junos:must "((!(".. copy-dont-fragment-bit") && !(".. clear-dont-fragment-bit")))"; junos:must-message "'set' option can not be configured if either of 'clear' or 'copy' is already configured"; type empty; description "Set the do not fragment bit"; } leaf no-anti-replay { junos:must "(!(".. anti-replay-window-size"))"; junos:must-message "anti-replay-window-size must not be defined"; type empty; description "Disable the anti-replay check"; } leaf tunnel-mtu { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "256 .. 9192"; } } description "Maximum transmit packet size"; } leaf initiate-dead-peer-detection { type empty; description "Initiate dead peer detection"; } container dead-peer-detection { junos:must "(".. initiate-dead-peer-detection")"; junos:must-message "[ edit services ipsec-vpn rule <*> term <*> then initiate-dead-peer-detection ] must be set"; presence "enable dead-peer-detection"; description "Dead peer detection options"; uses apply-advanced; leaf interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 180"; } } units "seconds"; default "10"; description "Interval at which the DPD messages should be sent"; } leaf threshold { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 10"; } } default "3"; description "Maximum number of DPD messages"; } } // container dead-peer-detection leaf anti-replay-window-size { junos:must "(!(".. no-anti-replay"))"; junos:must-message "no-anti-replay must not be defined"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "64 .. 4096"; } } description "Size of the anti-replay window"; } } // container then } // list term leaf match-direction { type enumeration { enum "input" { value 0; description "Match on input to interface"; } enum "output" { value 1; description "Match on output from interface"; } } description "Direction for which the rule match is applied"; } } // grouping ipsec_vpn_rule_object grouping ipsec_vpn_match_object { uses apply-advanced; list source-address { key "name"; max-elements 1; ordered-by user; description "Match IP source address"; uses ipsec_vpn_addr_object; } // list source-address list destination-address { key "name"; max-elements 1; ordered-by user; description "Match IP destination address"; uses ipsec_vpn_addr_object; } // list destination-address leaf ipsec-inside-interface { type union { type jt:interface-unit; type string { pattern "<.*>|$.*"; } } description "IPSec interface to internal network"; } } // grouping ipsec_vpn_match_object grouping ipsec_vpn_addr_object { leaf name { type jt:ipprefix-only; description "Prefix to match"; } } // grouping ipsec_vpn_addr_object grouping juniper-services-captive-portal { junos:must "(("services captive-portal secure-authentication" || "system services web-management http"))"; junos:must-message "HTTP web service should be enabled"; uses apply-advanced; leaf authentication-profile-name { junos:must "("access profile $$")"; junos:must-message "Access profile name must be defined in the [edit access profile] hierarchy"; type string { length "1 .. 63"; } description "Access profile name to use for authentication"; } container traceoptions { status deprecated; description "Trace options for CAPTIVE PORTAL"; uses apply-advanced; container file { description "Trace file options"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf replace { type empty; status deprecated; description "Replace trace file rather than appending to it"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "10"; description "Maximum number of trace files"; } leaf no-stamp { type empty; status deprecated; description "Do not timestamp trace file"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice } // container file list flag { key "name"; ordered-by user; description "Tracing parameters"; leaf name { type enumeration { enum "dot1x-debug" { junos:must "(!("services captive-portal traceoptions flag dot1x-event"))"; junos:must-message "Can not configure dot1x-event with dot1x-debug flag"; value 0; description "Trace dot1x events"; } enum "parse" { value 1; description "Trace configuration parsing"; } enum "esw-if" { junos:must "(!("services captive-portal traceoptions flag dot1x-ipc"))"; junos:must-message "Can not configure dot1x-ipc with esw-if flag"; value 2; description "Trace ESW Interactions"; } enum "config-internal" { value 3; description "Trace configuration internals"; } enum "normal" { value 4; description "Trace normal events"; } enum "general" { value 5; description "Trace general events"; } enum "state" { value 6; description "Trace state transitions"; } enum "task" { value 7; description "Trace task processing"; } enum "timer" { value 8; description "Trace task timer processing"; } enum "all" { value 9; description "Trace everything"; } enum "dot1x-ipc" { value 10; description "Trace dot1x IPC interactions"; } enum "dot1x-event" { value 11; description "Trace dot1x events"; } } } leaf disable { type empty; description "Disable this trace flag"; } } // list flag } // container traceoptions list interface { key "name"; description "Captive Portal interface specific options"; leaf name { junos:must "(!("system phone-home"))"; junos:must-message "Can't configure captive-portal along with Phone-home. Delete phone-home config to enable captive-portal"; junos:must "("system services web-management http")"; junos:must-message "HTTP web service should be enabled"; junos:must "((!("switch-options no-mac-learning") || (!(".. .. .. .. .. switch-options no-mac-learning") || !(any ".. .. .. .. .. bridge-domains <*> bridge-options no-mac-learning interface $$-IFL"))))"; junos:must-message "Cannot configure captive-portal on this interface since no-mac-learning is enabled on the same interface"; junos:must "(!("protocols dot1x supplicant interface ${interface}"))"; junos:must-message "Must not configure supplicant and captive-portal on same interface"; junos:must "(!("interfaces $$-IFL family bridge interface-mode trunk"))"; junos:must-message "Cannot configure captive-portal on this interface since the interface-mode is defined as trunk"; junos:must "(!("interfaces $$-IFL family ethernet-switching interface-mode trunk"))"; junos:must-message "Cannot configure captive-portal on this interface since the interface-mode is defined as trunk"; junos:must "(!("interfaces $$-IFL family ethernet-switching port-mode trunk"))"; junos:must-message "Cannot configure captive-portal on this interface since the port-mode is defined as trunk"; type string; } uses apply-advanced; leaf supplicant { type enumeration { enum "single" { value 0; description "Allow multiple clients; authenticate first client only"; } enum "single-secure" { value 1; description "Allow and authenticate only a single client"; } enum "multiple" { value 2; description "Allow multiple clients; authenticate each individually"; } } description "Set supplicant mode for this interface"; } leaf retries { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 10"; } } description "Number of retries after which port is placed into wait state"; } leaf quiet-period { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } units "seconds"; description "Time to wait after an authentication failure"; } leaf server-timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 60"; } } units "seconds"; description "Authentication server timeout interval"; } leaf session-expiry { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 65535"; } } units "seconds"; description "Session Expiry Timeout"; } leaf user-keepalive { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "7 .. 65535"; } } units "minutes"; description "Session keepalive after mac-flush"; } } // list interface leaf secure-authentication { type enumeration { enum "http" { junos:must "("system services web-management http")"; junos:must-message "HTTP web service should be enabled"; value 0; description "Insecure plain-text HTTP will be used for Captive Portal authentication, username and password can be sniffed"; } enum "https" { junos:must "(("system services web-management http" && "system services web-management https"))"; junos:must-message "HTTP and HTTPS web services should be enabled"; value 1; description "Encrypted HTTPS will be used for Captive Portal authentication"; } } default "http"; description "Set secure authentication using encrypted HTTPS or insecure authentication using plain-text HTTP"; } container custom-options { presence "enable custom-options"; description "Captive Portal html user interface customization options"; uses apply-advanced; leaf header-logo { type string { junos:posix-pattern "^.+.((jpg)|(gif)|(jpeg)|(png))$"; junos:pattern-message "Only jpg, jpeg, gif, png image types allowed"; length "1 .. 255"; } description "Path to logo image file"; } leaf header-bgcolor { type string { junos:posix-pattern "^#[A-Fa-f0-9]{1,6}$"; junos:pattern-message "Must be Hex color code beginning with # and consisting of six digit hexadecimal numbers"; length "7"; } description "Background color of the html header in hex html format"; } leaf header-text-color { type string { junos:posix-pattern "^#[A-Fa-f0-9]{1,6}$"; junos:pattern-message "Must be Hex color code beginning with # and consisting of six digit hexadecimal numbers"; length "7"; } description "Text color of the html header in hex html format"; } leaf header-message { type string { length "1 .. 2047"; } description "Message to be displayed in the html header"; } leaf banner-message { type string { length "1 .. 2047"; } description "Terms and Conditions of usage message"; } leaf form-header-message { type string { length "1 .. 255"; } description "Message to be displayed in the login form header"; } leaf form-header-bgcolor { type string { junos:posix-pattern "^#[A-Fa-f0-9]{1,6}$"; junos:pattern-message "Must be Hex color code beginning with # and consisting of six digit hexadecimal numbers"; length "7"; } description "Background color of the login form header in hex html format"; } leaf form-header-text-color { type string { junos:posix-pattern "^#[A-Fa-f0-9]{1,6}$"; junos:pattern-message "Must be Hex color code beginning with # and consisting of six digit hexadecimal numbers"; length "7"; } description "Text color of the login form header in hex html format"; } leaf form-submit-label { type string { length "1 .. 255"; } description "Label to be displayed for the login form submit button"; } leaf form-reset-label { type string { length "1 .. 255"; } description "Label to be displayed for the login form reset button"; } leaf footer-message { type string { length "1 .. 2047"; } description "Message to be displayed in the html footer"; } leaf footer-bgcolor { type string { junos:posix-pattern "^#[A-Fa-f0-9]{1,6}$"; junos:pattern-message "Must be Hex color code beginning with # and consisting of six digit hexadecimal numbers"; length "7"; } description "Background color of the html footer in hex html format"; } leaf footer-text-color { type string { junos:posix-pattern "^#[A-Fa-f0-9]{1,6}$"; junos:pattern-message "Must be Hex color code beginning with # and consisting of six digit hexadecimal numbers"; length "7"; } description "Text color of the footer in hex html format"; } leaf post-authentication-url { type string { length "1 .. 255"; } description "Post authentication redirection URL"; } } // container custom-options } // grouping juniper-services-captive-portal grouping li_policy_addr6_simple_object { uses apply-advanced; leaf address { type jt:ipv6prefix; description "Prefix to match"; } } // grouping li_policy_addr6_simple_object grouping li_policy_addr_simple_object { uses apply-advanced; leaf address { type jt:ipv4prefix; description "Prefix to match"; } } // grouping li_policy_addr_simple_object grouping macro-data-type { leaf name { type string; description "Keyword part of the keyword-value pair"; } leaf value { type string; description "Value part of the keyword-value pair"; } } // grouping macro-data-type grouping match_li_simple_dscp_value { uses apply-advanced; leaf value_keyword { type string; } } // grouping match_li_simple_dscp_value grouping match_li_simple_port_value { uses apply-advanced; leaf value_keyword { type string; } } // grouping match_li_simple_port_value grouping match_li_simple_protocol_value { uses apply-advanced; leaf value_keyword { type string; } } // grouping match_li_simple_protocol_value grouping monitor-threshold { leaf normal { type union { type string { pattern "<.*>|$.*"; } type uint8 { range "1 .. 100"; } } description "Usage under normal conditions"; } leaf threshold { type union { type string { pattern "<.*>|$.*"; } type uint8 { range "1 .. 100"; } } description "Threshold upon which alarm is raised"; } } // grouping monitor-threshold grouping output-plugin { leaf name { type string; description "Plugin name"; } uses apply-advanced; list parameters { key "name"; ordered-by user; description "List of key:value parameters for plugin"; uses parameter-pair; } // list parameters } // grouping output-plugin grouping parameter-pair { leaf name { type string; description "Parameter key"; } uses apply-advanced; leaf value { type string; description "Parameter value"; } } // grouping parameter-pair grouping pcp-object { description "Configure Port Control Protocol"; uses apply-advanced; container traceoptions { description "Trace options for PCP-LOG"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file list flag { key "name"; ordered-by user; description "Tracing parameters"; leaf name { type enumeration { enum "configuration" { value 0; description "Trace configuration events"; } enum "flow" { value 1; description "Trace flow events"; } enum "all" { value 2; description "Trace everything"; } } } } // list flag } // container traceoptions list rule-set { key "name"; max-elements 16960; ordered-by user; description "Defines a set of PCP rules"; leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Name of the rule set"; } uses apply-advanced; list rule { key "name"; max-elements 16960; ordered-by user; description "Rule to be included in this rule set"; leaf name { junos:must "("services pcp rule $$")"; junos:must-message "rule must be configured"; type string { junos:posix-pattern "^[A-Za-z0-9][_0-9A-Za-z-]{0,62}$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of no more than 63 total letters, numbers, dashes and underscores."; } description "Rule name"; } uses apply-advanced; } // list rule } // list rule-set } // grouping pcp-object grouping rmopd-traceoptions { description "Trace options for remote-monitoring"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file leaf level { type enumeration { enum "error" { value 0; description "Match error conditions"; } enum "warning" { value 1; description "Match warning messages"; } enum "notice" { value 2; description "Match conditions that should be handled specially"; } enum "info" { value 3; description "Match informational messages"; } enum "verbose" { value 4; description "Match verbose messages"; } enum "all" { value 5; description "Match all levels"; } } default "error"; description "Level of debugging output"; } list flag { key "name"; ordered-by user; description "Tracing parameters"; leaf name { type enumeration { enum "configuration" { value 0; description "Trace configuration events"; } enum "ipc" { value 1; description "Trace ipc messages"; } enum "ppm" { value 2; description "Trace ppm"; } enum "rpd" { value 3; description "Trace rpd events"; } enum "info" { value 4; description "Trace info events"; } enum "statistics" { value 5; description "Trace statistics"; } enum "error" { value 6; description "Trace events related to catastrophic errors in daemon"; } enum "all" { value 7; description "Trace everything"; } } } } // list flag } // grouping rmopd-traceoptions grouping service_device_pool_object { leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Service device pool name"; } uses apply-advanced; list interface { key "name"; ordered-by user; description "Service device name"; leaf name { junos:must "(!(any "interfaces <*> aggregated-inline-services-options secondary-interface $$"))"; junos:must-message "must not be defined under asiX aggregated-inline-services-options"; junos:must "(!(any "interfaces <*> aggregated-inline-services-options primary-interface $$"))"; junos:must-message "must not be defined under asiX aggregated-inline-services-options"; type string; } uses apply-advanced; } // list interface } // grouping service_device_pool_object grouping service_interface_pool_object { leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 63"; } description "Service interface pool name"; } uses apply-advanced; list interface { key "name"; ordered-by user; description "Service interface name"; leaf name { junos:must "("interfaces $$")"; junos:must-message "referenced interface must be defined"; type union { type jt:interface-unit; type string { pattern "<.*>|$.*"; } } } uses apply-advanced; } // list interface } // grouping service_interface_pool_object grouping services-ike { uses apply-advanced; list proposal { key "name"; ordered-by user; description "Define an IKE proposal"; uses ike-proposal; } // list proposal list policy { key "name"; ordered-by user; description "Define an IKE policy"; uses svc-ike-policy; } // list policy } // grouping services-ike grouping ike-proposal { leaf name { junos:must "((("services ipsec-vpn ike proposal $$" && !("security ike proposal $$")) || ("security ike proposal $$" && !("services ipsec-vpn ike proposal $$"))))"; junos:must-message "Referenced IKE proposal must not be defined both under [edit security ike proposal] and [edit services ipsec-vpn ike proposal]"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 32"; } description "Name of the IKE proposal"; } uses apply-advanced; leaf description { type string { length "1 .. 80"; } description "Text description of IKE proposal"; } leaf authentication-method { type enumeration { enum "pre-shared-keys" { value 0; description "Preshared keys"; } enum "rsa-signatures" { value 1; description "RSA signatures"; } enum "dsa-signatures" { value 2; description "DSA signatures"; } enum "ecdsa-signatures-256" { value 3; description "ECDSA signatures (254 bit modulus)"; } enum "ecdsa-signatures-384" { value 4; description "ECDSA signatures (384 bit modulus)"; } } description "Define authentication method"; } leaf dh-group { type enumeration { enum "group1" { value 0; description "Diffie-Hellman Group1"; } enum "group2" { value 1; description "Diffie-Hellman Group2"; } enum "group5" { value 2; description "Diffie-Hellman Group5"; } enum "group14" { value 3; description "Diffie-Hellman Group14"; } enum "group15" { value 4; description "Diffie-Hellman Group15"; } enum "group16" { value 5; description "Diffie-Hellman Group16"; } enum "group19" { value 6; description "Diffie-Hellman Group19"; } enum "group20" { value 7; description "Diffie-Hellman Group20"; } enum "group24" { value 8; description "Diffie-Hellman Group24"; } } description "Define Diffie-Hellman group"; } leaf authentication-algorithm { type enumeration { enum "md5" { value 0; description "MD5 authentication algorithm"; } enum "sha1" { value 1; description "SHA1 authentication algorithm"; } enum "sha-256" { value 2; description "SHA 256-bit authentication algorithm"; } enum "sha-384" { value 3; description "SHA 384-bit authentication algorithm"; } } description "Define authentication algorithm"; } leaf encryption-algorithm { type enumeration { enum "des-cbc" { value 0; description "DES-CBC encryption algorithm"; } enum "3des-cbc" { value 1; description "3DES-CBC encryption algorithm"; } enum "aes-128-cbc" { value 2; description "AES-CBC 128-bit encryption algorithm"; } enum "aes-192-cbc" { value 3; description "AES-CBC 192-bit encryption algorithm"; } enum "aes-256-cbc" { value 4; description "AES-CBC 256-bit encryption algorithm"; } } description "Define encryption algorithm"; } leaf lifetime-seconds { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "180 .. 86400"; } } units "seconds"; description "Lifetime, in seconds"; } } // grouping ike-proposal grouping services-ipsec { uses apply-advanced; list proposal { key "name"; ordered-by user; description "Define an IPSec proposal"; uses ipsec-proposal; } // list proposal list policy { key "name"; ordered-by user; description "Define an IPSec policy"; uses ipsec-policy; } // list policy } // grouping services-ipsec grouping ipsec-policy { leaf name { junos:must "((("services ipsec-vpn ipsec policy $$" && !("security ipsec policy $$")) || ("security ipsec policy $$" && !("services ipsec-vpn ipsec policy $$"))))"; junos:must-message "Referenced IPSec policy must not be defined both under [edit security ipsec policy] and [edit services ipsec-vpn ipsec policy]"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 32"; } description "Name of the IPSec policy"; } uses apply-advanced; leaf description { type string { length "1 .. 80"; } description "Text description of IPSec policy"; } container perfect-forward-secrecy { description "Define perfect forward secrecy"; uses apply-advanced; leaf keys { type enumeration { enum "group1" { value 0; description "Diffie-Hellman Group1"; } enum "group2" { value 1; description "Diffie-Hellman Group2"; } enum "group5" { value 2; description "Diffie-Hellman Group5"; } enum "group14" { value 3; description "Diffie-Hellman Group14"; } enum "group15" { value 4; description "Diffie-Hellman Group15"; } enum "group16" { value 5; description "Diffie-Hellman Group16"; } enum "group19" { value 6; description "Diffie-Hellman Group19"; } enum "group20" { value 7; description "Diffie-Hellman Group20"; } enum "group24" { value 8; description "Diffie-Hellman Group24"; } } description "Define Diffie-Hellman group"; } } // container perfect-forward-secrecy leaf-list proposals { junos:must "(".. .. .. proposal $$")"; junos:must-message "Referenced proposal is not defined"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 32"; } ordered-by user; description "Name of the proposal"; } leaf proposal-set { type enumeration { enum "basic" { junos:must "(!(".. proposals"))"; junos:must-message "IPSec policy must not have both proposals and proposal-set configured"; value 0; description "IPSEC basic proposal-set"; } enum "compatible" { junos:must "(!(".. proposals"))"; junos:must-message "IPSec policy must not have both proposals and proposal-set configured"; value 1; description "IPSEC compatible proposal-set"; } enum "standard" { junos:must "(!(".. proposals"))"; junos:must-message "IPSec policy must not have both proposals and proposal-set configured"; value 2; description "IPSEC standard proposal-set"; } } description "Types of default IPSEC proposal-set"; } } // grouping ipsec-policy grouping ipsec-proposal { leaf name { junos:must "((("services ipsec-vpn ipsec proposal $$" && !("security ipsec proposal $$")) || ("security ipsec proposal $$" && !("services ipsec-vpn ipsec proposal $$"))))"; junos:must-message "Referenced IPSec proposal must not be defined both under [edit security ipsec proposal] and [edit services ipsec-vpn ipsec proposal]"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 32"; } description "Name of the IPSec proposal"; } uses apply-advanced; leaf description { type string { length "1 .. 80"; } description "Text description of IPSec proposal"; } leaf protocol { type enumeration { enum "ah" { junos:must "(!(".. encryption-algorithm"))"; junos:must-message "Encryption algorithm must not be defined for AH"; value 0; description "Authentication header"; } enum "esp" { value 1; description "Encapsulated Security Payload header"; } enum "bundle" { value 2; description "Bundle (AH authentication plus ESP encryption)"; } } description "Define an IPSec protocol for the proposal"; } leaf authentication-algorithm { type enumeration { enum "hmac-md5-96" { value 0; description "HMAC-MD5-96 authentication algorithm"; } enum "hmac-sha1-96" { value 1; description "HMAC-SHA1-96 authentication algorithm"; } enum "hmac-sha-256-128" { junos:must "(".. .. .. .. ipsec-vpn")"; junos:must-message "hmac-sha-256-128 algorithm is not supported for IKE and IPSec configuration in security hierarchy"; value 2; description "HMAC-SHA-256-128 authentication algorithm"; } enum "hmac-sha-256-96" { value 3; description "HMAC-SHA-256-96 authentication algorithm (non-RFC compliant)"; } enum "hmac-sha2-256" { value 4; description "HMAC-SHA2-256 authentication algorithm"; } } description "Define authentication algorithm"; } leaf encryption-algorithm { type enumeration { enum "des-cbc" { value 0; description "DES-CBC encryption algorithm"; } enum "3des-cbc" { value 1; description "3DES-CBC encryption algorithm"; } enum "aes-128-cbc" { value 2; description "AES-CBC 128-bit encryption algorithm"; } enum "aes-192-cbc" { value 3; description "AES-CBC 192-bit encryption algorithm"; } enum "aes-256-cbc" { value 4; description "AES-CBC 256-bit encryption algorithm"; } enum "aes-128-gcm" { junos:must "(!(".. authentication-algorithm"))"; junos:must-message "HMAC Authentication is not compatible with AES-GCM"; value 5; description "AES-GCM 128-bit encryption algorithm with 16 octet ICV"; } enum "aes-192-gcm" { junos:must "(!(".. authentication-algorithm"))"; junos:must-message "HMAC Authentication is not compatible with AES-GCM"; value 6; description "AES-GCM 192-bit encryption algorithm with 16 octet ICV"; } enum "aes-256-gcm" { junos:must "(!(".. authentication-algorithm"))"; junos:must-message "HMAC Authentication is not compatible with AES-GCM"; value 7; description "AES-GCM 256-bit encryption algorithm with 16 octet ICV"; } } description "Define encryption algorithm"; } leaf lifetime-seconds { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "180 .. 86400"; } } units "seconds"; description "Lifetime, in seconds"; } } // grouping ipsec-proposal grouping ssl-initiation-config { uses apply-advanced; list profile { key "name"; ordered-by user; description "SSL client profile"; leaf name { type string { length "1 .. 63"; } description "Profile identifier"; } uses apply-advanced; leaf enable-flow-tracing { type empty; description "Enable flow tracing for the profile"; } leaf protocol-version { type enumeration { enum "all" { value 0; description "TLS version 1.0 or TLS version 1.1 or TLS version 1.2 or TLS version 1.3"; } enum "ssl3" { value 1; description "SSL version 3"; } enum "tls1" { value 2; description "TLS version 1"; } enum "tls11" { value 3; description "TLS version 1.1"; } enum "tls12" { value 4; description "TLS version 1.2"; } enum "tls13" { value 5; description "TLS version 1.3"; } enum "tls12-and-lower" { value 6; description "Dont support TLS 1.3 (downgrade all the connections to TLS 1.2 or below)"; } } default "all"; description "Protocol SSL version accepted"; } leaf preferred-ciphers { type enumeration { enum "strong" { value 0; description "Use ciphers with key strength of 168-bits or greater"; } enum "medium" { value 1; description "Use ciphers with key strength of 128-bits or greater"; } enum "weak" { value 2; description "Use ciphers with key strength of 40-bits or greater"; } enum "custom" { junos:must "(".. custom-ciphers")"; junos:must-message "custom-ciphers must be configured for this choice"; value 3; description "Configure custom cipher suite and order of preference"; } } default "medium"; description "Select preferred ciphers"; } leaf-list custom-ciphers { type enumeration { enum "tls12-rsa-aes-128-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-rsa-aes-128-cbc-sha as custom cipher"; value 0; description "RSA, 128 bit aes/cbc, sha hash"; } enum "tls12-rsa-aes-256-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-rsa-aes-256-cbc-sha as custom cipher"; value 1; description "RSA, 256 bit aes/cbc, sha hash"; } enum "tls12-rsa-aes-256-gcm-sha384" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-rsa-aes-256-gcm-sha384 as custom cipher"; value 2; description "RSA, 256 bit aes/gcm, sha384 hash "; } enum "tls12-rsa-aes-256-cbc-sha256" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-rsa-aes-256-cbc-sha256 as custom cipher"; value 3; description "RSA, 256 bit aes/cbc, sha256 hash"; } enum "tls12-rsa-aes-128-gcm-sha256" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-rsa-aes-128-gcm-sha256 as custom cipher"; value 4; description "RSA, 128 bit aes/gcm, sha256 hash"; } enum "tls12-rsa-aes-128-cbc-sha256" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-rsa-aes-128-cbc-sha256 as custom cipher"; value 5; description "RSA, 128 bit aes/cbc, sha256 hash"; } enum "tls12-ecdhe-rsa-aes-256-gcm-sha384" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-aes-256-gcm-sha384 as custom cipher"; value 6; description "ECDHE/rsa, 256 bit aes/gcm, sha384 hash"; } enum "tls12-ecdhe-rsa-aes-256-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-aes-256-cbc-sha as custom cipher"; value 7; description "ECDHE/rsa, 256 bit aes/cbc, sha hash"; } enum "tls12-ecdhe-rsa-aes-256-cbc-sha384" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-aes-256-cbc-sha384 as custom cipher"; value 8; description "ECDHE/rsa, 256 bit aes/cbc, sha384 hash"; } enum "tls12-ecdhe-rsa-3des-ede-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-3des-ede-cbc-sha as custom cipher"; value 9; description "ECDHE/rsa, 3des ede/cbc, sha hash"; } enum "tls12-ecdhe-rsa-aes-128-gcm-sha256" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-aes-128-gcm-sha256 as custom cipher"; value 10; description "ECDHE/rsa, 128 bit aes/gcm, sha256 hash"; } enum "tls12-ecdhe-rsa-aes-128-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-aes-128-cbc-sha as custom cipher"; value 11; description "ECDHE/rsa, 128 bit aes/cbc, sha hash"; } enum "tls12-ecdhe-rsa-aes-128-cbc-sha256" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-aes-128-cbc-sha256 as custom cipher"; value 12; description "ECDHE/rsa, 128 bit aes/cbc, sha256 hash"; } enum "tls12-ecdhe-ecdsa-aes-256-gcm-sha384" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-ecdsa-aes-256-gcm-sha384 as custom cipher"; value 13; description "ECDHE,ECDSA, 256 bit aes/gcm, sha384 hash"; } enum "tls12-ecdhe-ecdsa-aes-256-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-ecdsa-aes-256-cbc-sha as custom cipher"; value 14; description "ECDHE,ECDSA, 256 bit aes/cbc, sha hash"; } enum "tls12-ecdhe-ecdsa-aes-256-cbc-sha384" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-ecdsa-aes-256-cbc-sha384 as custom cipher"; value 15; description "ECDHE,ECDSA, 256 bit aes/cbc, sha384 hash"; } enum "tls12-ecdhe-ecdsa-aes-128-gcm-sha256" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-ecdsa-aes-128-gcm-sha256 as custom cipher"; value 16; description "ECDHE,ECDSA, 128 bit aes/gcm, sha256 hash"; } enum "tls12-ecdhe-ecdsa-aes-128-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-ecdsa-aes-128-cbc-sha as custom cipher"; value 17; description "ECDHE,ECDSA, 128 bit aes/cbc, sha hash"; } enum "tls12-ecdhe-ecdsa-aes-128-cbc-sha256" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-ecdsa-aes-128-cbc-sha256 as custom cipher"; value 18; description "ECDHE,ECDSA, 128 bit aes/cbc, sha256 hash"; } enum "tls12-ecdhe-ecdsa-3des-ede-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 and to use tls12-ecdhe-ecdsa-3des-ede-cbc-sha as custom cipher"; value 19; description "ECDHE,ECDSA, 3des ede/cbc, sha hash"; } enum "tls13-with-aes-256-gcm-sha384" { value 20; description "Any key-exchange, Any authentication,256bit aes, sha384 hash"; } enum "tls13-with-aes-128-gcm-sha256" { value 21; description "Any key-exchange, Any authentication,128bit aes, sha256 hash"; } enum "tls13-with-chacha20-poly1305-sha256" { value 22; description "Any key-exchange, Any authentication,chacha, sha256 hash"; } enum "tls13-with-aes-128-ccm-sha256" { value 23; description "Any key-exchange, Any authentication,128bit aes, sha256 hash"; } enum "tls13-with-aes-128-ccm8-sha256" { value 24; description "Any key-exchange, Any authentication,128bit aes, sha256 hash"; } enum "rsa-with-rc4-128-md5" { value 25; description "RSA, 128bit rc4, md5 hash"; } enum "rsa-with-rc4-128-sha" { value 26; description "RSA, 128bit rc4, sha hash"; } enum "rsa-with-des-cbc-sha" { value 27; description "RSA, des cbc, sha hash"; } enum "rsa-with-3des-ede-cbc-sha" { value 28; description "RSA, 3des ede/cbc, sha hash"; } enum "rsa-with-aes-128-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version ssl3")))"; junos:must-message "protocol-version must be tls1 or all to use the aes cipher"; value 29; description "RSA, 128 bit aes/cbc, sha hash"; } enum "rsa-with-aes-256-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version ssl3")))"; junos:must-message "protocol-version must be tls1 or all to use the aes cipher"; value 30; description "RSA, 256 bit aes/cbc, sha hash"; } enum "rsa-export-with-rc4-40-md5" { value 31; description "RSA-export, 40 bit rc4, md5 hash"; } enum "rsa-export-with-des40-cbc-sha" { value 32; description "RSA-export, 40 bit des/cbc, sha hash"; } enum "rsa-export1024-with-des-cbc-sha" { value 33; description "RSA 1024 bit export, des/cbc, sha hash"; } enum "rsa-export1024-with-rc4-56-md5" { value 34; description "RSA 1024 bit export, 56 bit rc4, md5 hash"; } enum "rsa-export1024-with-rc4-56-sha" { value 35; description "RSA 1024 bit export, 56 bit rc4, sha hash"; } enum "rsa-with-aes-256-gcm-sha384" { value 36; description "RSA, 256 bit aes/gcm, sha384 hash "; } enum "rsa-with-aes-256-cbc-sha256" { value 37; description "RSA, 256 bit aes/cbc, sha256 hash"; } enum "rsa-with-aes-128-gcm-sha256" { value 38; description "RSA, 128 bit aes/gcm, sha256 hash"; } enum "rsa-with-aes-128-cbc-sha256" { value 39; description "RSA, 128 bit aes/cbc, sha256 hash"; } enum "ecdhe-rsa-with-aes-256-gcm-sha384" { value 40; description "ECDHE/rsa, 256 bit aes/gcm, sha384 hash"; } enum "ecdhe-rsa-with-aes-256-cbc-sha" { value 41; description "ECDHE/rsa, 256 bit aes/cbc, sha hash"; } enum "ecdhe-rsa-with-aes-256-cbc-sha384" { value 42; description "ECDHE/rsa, 256 bit aes/cbc, sha384 hash"; } enum "ecdhe-rsa-with-3des-ede-cbc-sha" { value 43; description "ECDHE/rsa, 3des ede/cbc, sha hash"; } enum "ecdhe-rsa-with-aes-128-gcm-sha256" { value 44; description "ECDHE/rsa, 128 bit aes/gcm, sha256 hash"; } enum "ecdhe-rsa-with-aes-128-cbc-sha" { value 45; description "ECDHE/rsa, 128 bit aes/cbc, sha hash"; } enum "ecdhe-rsa-with-aes-128-cbc-sha256" { value 46; description "ECDHE/rsa, 128 bit aes/cbc, sha256 hash"; } enum "ecdhe-ecdsa-with-aes-256-gcm-sha384" { value 47; description "ECDHE,ECDSA, 256 bit aes/gcm, sha384 hash"; } enum "ecdhe-ecdsa-with-aes-256-cbc-sha" { value 48; description "ECDHE,ECDSA, 256 bit aes/cbc, sha hash"; } enum "ecdhe-ecdsa-with-aes-256-cbc-sha384" { value 49; description "ECDHE,ECDSA, 256 bit aes/cbc, sha384 hash"; } enum "ecdhe-ecdsa-with-aes-128-gcm-sha256" { value 50; description "ECDHE,ECDSA, 128 bit aes/gcm, sha256 hash"; } enum "ecdhe-ecdsa-with-aes-128-cbc-sha" { value 51; description "ECDHE,ECDSA, 128 bit aes/cbc, sha hash"; } enum "ecdhe-ecdsa-with-aes-128-cbc-sha256" { value 52; description "ECDHE,ECDSA, 128 bit aes/cbc, sha256 hash"; } enum "ecdhe-ecdsa-with-3des-ede-cbc-sha" { value 53; description "ECDHE,ECDSA, 3des ede/cbc, sha hash"; } enum "dhe-rsa-with-aes-256-gcm-sha384" { value 54; description "DHE/rsa, 256 bit aes/gcm, sha384 hash"; } enum "dhe-rsa-with-aes-256-cbc-sha" { value 55; description "DHE/rsa, 256 bit aes/cbc, sha hash"; } enum "dhe-rsa-with-aes-256-cbc-sha256" { value 56; description "DHE/rsa, 256 bit aes/cbc, sha256 hash"; } enum "dhe-rsa-with-3des-ede-cbc-sha" { value 57; description "DHE/rsa, 3des ede/cbc, sha hash"; } enum "dhe-rsa-with-aes-128-gcm-sha256" { value 58; description "DHE/rsa, 128 bit aes/gcm, sha256 hash"; } enum "dhe-rsa-with-aes-128-cbc-sha" { value 59; description "DHE/rsa, 128 bit aes/cbc, sha hash"; } enum "dhe-rsa-with-aes-128-cbc-sha256" { value 60; description "DHE/rsa, 128 bit aes/cbc, sha256 hash"; } } max-elements 64; ordered-by user; description "Custom cipher list"; } leaf enable-session-cache { type empty; description "Enable SSL session cache"; } leaf client-certificate { type string { junos:posix-pattern "^.{1,32}$"; junos:pattern-message "Must be string of 32 characters or less"; } description "Local certificate identifier"; } container actions { description "Traffic related actions"; uses apply-advanced; leaf ignore-server-auth-failure { type empty; description "Ignore server authentication failure"; } container crl { description "Certificate Revocation actions."; leaf disable { type empty; description "Disable CRL validation."; } leaf if-not-present { type enumeration { enum "allow" { value 0; description "Allow session if CRL information is not present."; } enum "drop" { value 1; description "Drop session if CRL information is not present."; } } default "allow"; description "Action if CRL information is not present."; } leaf ignore-hold-instruction-code { type empty; description "Ignore 'Hold Instruction Code' present in the CRL entry."; } } // container crl leaf unsupported-cipher-on-hw { type enumeration { enum "drop" { value 0; description "Drop session if cipher isn't supported on hardware mode"; } enum "software-inspection" { value 1; description "Allow session in software mode"; } } default "drop"; description "Unsupported cipher processing on hardware mode"; } } // container actions } // list profile } // grouping ssl-initiation-config grouping ssl-termination-config { uses apply-advanced; list profile { key "name"; ordered-by user; description "SSL server profile"; leaf name { type string { length "1 .. 63"; } description "Profile identifier"; } uses apply-advanced; leaf enable-flow-tracing { type empty; description "Enable flow tracing for the profile"; } leaf protocol-version { type enumeration { enum "all" { value 0; description "TLS version 1.0 or TLS version 1.1 or TLS version 1.2 or TLS version 1.3"; } enum "ssl3" { value 1; description "SSL version 3"; } enum "tls1" { value 2; description "TLS version 1"; } enum "tls11" { value 3; description "TLS version 1.1"; } enum "tls12" { value 4; description "TLS version 1.2"; } enum "tls13" { value 5; description "TLS version 1.3"; } enum "tls12-and-lower" { value 6; description "Dont support TLS 1.3 (downgrade all the connections to TLS 1.2 or below)"; } } default "all"; description "Protocol SSL version accepted"; } leaf preferred-ciphers { type enumeration { enum "strong" { value 0; description "Use ciphers with key strength of 168-bits or greater"; } enum "medium" { value 1; description "Use ciphers with key strength of 128-bits or greater"; } enum "weak" { value 2; description "Use ciphers with key strength of 40-bits or greater"; } enum "custom" { junos:must "(".. custom-ciphers")"; junos:must-message "custom-ciphers must be configured for this choice"; value 3; description "Configure custom cipher suite and order of preference"; } } default "medium"; description "Select preferred ciphers"; } leaf-list custom-ciphers { type enumeration { enum "tls12-rsa-aes-128-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-rsa-aes-128-cbc-sha as custom cipher"; value 0; description "RSA, 128 bit aes/cbc, sha hash"; } enum "tls12-rsa-aes-256-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-rsa-aes-256-cbc-sha as custom cipher"; value 1; description "RSA, 256 bit aes/cbc, sha hash"; } enum "tls12-rsa-aes-256-gcm-sha384" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-rsa-aes-256-gcm-sha384 as custom cipher"; value 2; description "RSA, 256 bit aes/gcm, sha384 hash "; } enum "tls12-rsa-aes-256-cbc-sha256" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-rsa-aes-256-cbc-sha256 as custom cipher"; value 3; description "RSA, 256 bit aes/cbc, sha256 hash"; } enum "tls12-rsa-aes-128-gcm-sha256" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-rsa-aes-128-gcm-sha256 as custom cipher"; value 4; description "RSA, 128 bit aes/gcm, sha256 hash"; } enum "tls12-rsa-aes-128-cbc-sha256" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-rsa-aes-128-cbc-sha256 as custom cipher"; value 5; description "RSA, 128 bit aes/cbc, sha256 hash"; } enum "tls12-ecdhe-rsa-aes-256-gcm-sha384" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-aes-256-gcm-sha384 as custom cipher"; value 6; description "ECDHE/rsa, 256 bit aes/gcm, sha384 hash"; } enum "tls12-ecdhe-rsa-aes-256-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-aes-256-cbc-sha as custom cipher"; value 7; description "ECDHE/rsa, 256 bit aes/cbc, sha hash"; } enum "tls12-ecdhe-rsa-aes-256-cbc-sha384" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-aes-256-cbc-sha384 as custom cipher"; value 8; description "ECDHE/rsa, 256 bit aes/cbc, sha384 hash"; } enum "tls12-ecdhe-rsa-3des-ede-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-3des-ede-cbc-sha as custom cipher"; value 9; description "ECDHE/rsa, 3des ede/cbc, sha hash"; } enum "tls12-ecdhe-rsa-aes-128-gcm-sha256" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-aes-128-gcm-sha256 as custom cipher"; value 10; description "ECDHE/rsa, 128 bit aes/gcm, sha256 hash"; } enum "tls12-ecdhe-rsa-aes-128-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-aes-128-cbc-sha as custom cipher"; value 11; description "ECDHE/rsa, 128 bit aes/cbc, sha hash"; } enum "tls12-ecdhe-rsa-aes-128-cbc-sha256" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-rsa-aes-128-cbc-sha256 as custom cipher"; value 12; description "ECDHE/rsa, 128 bit aes/cbc, sha256 hash"; } enum "tls12-ecdhe-ecdsa-aes-256-gcm-sha384" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-ecdsa-aes-256-gcm-sha384 as custom cipher"; value 13; description "ECDHE,ECDSA, 256 bit aes/gcm, sha384 hash"; } enum "tls12-ecdhe-ecdsa-aes-256-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-ecdsa-aes-256-cbc-sha as custom cipher"; value 14; description "ECDHE,ECDSA, 256 bit aes/cbc, sha hash"; } enum "tls12-ecdhe-ecdsa-aes-256-cbc-sha384" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-ecdsa-aes-256-cbc-sha384 as custom cipher"; value 15; description "ECDHE,ECDSA, 256 bit aes/cbc, sha384 hash"; } enum "tls12-ecdhe-ecdsa-aes-128-gcm-sha256" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-ecdsa-aes-128-gcm-sha256 as custom cipher"; value 16; description "ECDHE,ECDSA, 128 bit aes/gcm, sha256 hash"; } enum "tls12-ecdhe-ecdsa-aes-128-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-ecdsa-aes-128-cbc-sha as custom cipher"; value 17; description "ECDHE,ECDSA, 128 bit aes/cbc, sha hash"; } enum "tls12-ecdhe-ecdsa-aes-128-cbc-sha256" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 to use tls12-ecdhe-ecdsa-aes-128-cbc-sha256 as custom cipher"; value 18; description "ECDHE,ECDSA, 128 bit aes/cbc, sha256 hash"; } enum "tls12-ecdhe-ecdsa-3des-ede-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version tls13")))"; junos:must-message "protocol-version must be <= tls12 and to use tls12-ecdhe-ecdsa-3des-ede-cbc-sha as custom cipher"; value 19; description "ECDHE,ECDSA, 3des ede/cbc, sha hash"; } enum "tls13-with-aes-256-gcm-sha384" { value 20; description "Any key-exchange, Any authentication,256bit aes, sha384 hash"; } enum "tls13-with-aes-128-gcm-sha256" { value 21; description "Any key-exchange, Any authentication,128bit aes, sha256 hash"; } enum "tls13-with-chacha20-poly1305-sha256" { value 22; description "Any key-exchange, Any authentication,chacha, sha256 hash"; } enum "tls13-with-aes-128-ccm-sha256" { value 23; description "Any key-exchange, Any authentication,128bit aes, sha256 hash"; } enum "tls13-with-aes-128-ccm8-sha256" { value 24; description "Any key-exchange, Any authentication,128bit aes, sha256 hash"; } enum "rsa-with-rc4-128-md5" { value 25; description "RSA, 128bit rc4, md5 hash"; } enum "rsa-with-rc4-128-sha" { value 26; description "RSA, 128bit rc4, sha hash"; } enum "rsa-with-des-cbc-sha" { value 27; description "RSA, des cbc, sha hash"; } enum "rsa-with-3des-ede-cbc-sha" { value 28; description "RSA, 3des ede/cbc, sha hash"; } enum "rsa-with-aes-128-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version ssl3")))"; junos:must-message "protocol-version must be tls1 or all to use the aes cipher"; value 29; description "RSA, 128 bit aes/cbc, sha hash"; } enum "rsa-with-aes-256-cbc-sha" { junos:must "((!(".. .. preferred-ciphers custom") || !(".. .. protocol-version ssl3")))"; junos:must-message "protocol-version must be tls1 or all to use the aes cipher"; value 30; description "RSA, 256 bit aes/cbc, sha hash"; } enum "rsa-export-with-rc4-40-md5" { value 31; description "RSA-export, 40 bit rc4, md5 hash"; } enum "rsa-export-with-des40-cbc-sha" { value 32; description "RSA-export, 40 bit des/cbc, sha hash"; } enum "rsa-export1024-with-des-cbc-sha" { value 33; description "RSA 1024 bit export, des/cbc, sha hash"; } enum "rsa-export1024-with-rc4-56-md5" { value 34; description "RSA 1024 bit export, 56 bit rc4, md5 hash"; } enum "rsa-export1024-with-rc4-56-sha" { value 35; description "RSA 1024 bit export, 56 bit rc4, sha hash"; } enum "rsa-with-aes-256-gcm-sha384" { value 36; description "RSA, 256 bit aes/gcm, sha384 hash "; } enum "rsa-with-aes-256-cbc-sha256" { value 37; description "RSA, 256 bit aes/cbc, sha256 hash"; } enum "rsa-with-aes-128-gcm-sha256" { value 38; description "RSA, 128 bit aes/gcm, sha256 hash"; } enum "rsa-with-aes-128-cbc-sha256" { value 39; description "RSA, 128 bit aes/cbc, sha256 hash"; } enum "ecdhe-rsa-with-aes-256-gcm-sha384" { value 40; description "ECDHE/rsa, 256 bit aes/gcm, sha384 hash"; } enum "ecdhe-rsa-with-aes-256-cbc-sha" { value 41; description "ECDHE/rsa, 256 bit aes/cbc, sha hash"; } enum "ecdhe-rsa-with-aes-256-cbc-sha384" { value 42; description "ECDHE/rsa, 256 bit aes/cbc, sha384 hash"; } enum "ecdhe-rsa-with-3des-ede-cbc-sha" { value 43; description "ECDHE/rsa, 3des ede/cbc, sha hash"; } enum "ecdhe-rsa-with-aes-128-gcm-sha256" { value 44; description "ECDHE/rsa, 128 bit aes/gcm, sha256 hash"; } enum "ecdhe-rsa-with-aes-128-cbc-sha" { value 45; description "ECDHE/rsa, 128 bit aes/cbc, sha hash"; } enum "ecdhe-rsa-with-aes-128-cbc-sha256" { value 46; description "ECDHE/rsa, 128 bit aes/cbc, sha256 hash"; } enum "ecdhe-ecdsa-with-aes-256-gcm-sha384" { value 47; description "ECDHE,ECDSA, 256 bit aes/gcm, sha384 hash"; } enum "ecdhe-ecdsa-with-aes-256-cbc-sha" { value 48; description "ECDHE,ECDSA, 256 bit aes/cbc, sha hash"; } enum "ecdhe-ecdsa-with-aes-256-cbc-sha384" { value 49; description "ECDHE,ECDSA, 256 bit aes/cbc, sha384 hash"; } enum "ecdhe-ecdsa-with-aes-128-gcm-sha256" { value 50; description "ECDHE,ECDSA, 128 bit aes/gcm, sha256 hash"; } enum "ecdhe-ecdsa-with-aes-128-cbc-sha" { value 51; description "ECDHE,ECDSA, 128 bit aes/cbc, sha hash"; } enum "ecdhe-ecdsa-with-aes-128-cbc-sha256" { value 52; description "ECDHE,ECDSA, 128 bit aes/cbc, sha256 hash"; } enum "ecdhe-ecdsa-with-3des-ede-cbc-sha" { value 53; description "ECDHE,ECDSA, 3des ede/cbc, sha hash"; } enum "dhe-rsa-with-aes-256-gcm-sha384" { value 54; description "DHE/rsa, 256 bit aes/gcm, sha384 hash"; } enum "dhe-rsa-with-aes-256-cbc-sha" { value 55; description "DHE/rsa, 256 bit aes/cbc, sha hash"; } enum "dhe-rsa-with-aes-256-cbc-sha256" { value 56; description "DHE/rsa, 256 bit aes/cbc, sha256 hash"; } enum "dhe-rsa-with-3des-ede-cbc-sha" { value 57; description "DHE/rsa, 3des ede/cbc, sha hash"; } enum "dhe-rsa-with-aes-128-gcm-sha256" { value 58; description "DHE/rsa, 128 bit aes/gcm, sha256 hash"; } enum "dhe-rsa-with-aes-128-cbc-sha" { value 59; description "DHE/rsa, 128 bit aes/cbc, sha hash"; } enum "dhe-rsa-with-aes-128-cbc-sha256" { value 60; description "DHE/rsa, 128 bit aes/cbc, sha256 hash"; } } max-elements 64; ordered-by user; description "Custom cipher list"; } leaf enable-session-cache { type empty; description "Enable SSL session cache"; } leaf server-certificate { type string { junos:posix-pattern "^.{1,32}$"; junos:pattern-message "Must be string of 32 characters or less"; } description "Local certificate identifier"; } } // list profile } // grouping ssl-termination-config grouping ssl-traceoptions { uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file leaf level { type enumeration { enum "brief" { value 0; description "Brief debugging output"; } enum "detail" { value 1; description "Detailed debugging output"; } enum "extensive" { value 2; description "Extensive debugging output"; } enum "verbose" { value 3; description "Verbose debugging output"; } } default "brief"; description "Level of debugging output"; } list flag { key "name"; ordered-by user; description "Tracing parameters"; leaf name { type enumeration { enum "cli-configuration" { value 0; description "Trace CLI configuration events"; } enum "termination" { value 1; description "Trace termination service events"; } enum "initiation" { value 2; description "Trace initiation service events"; } enum "proxy" { value 3; description "Trace proxy service events"; } enum "selected-profile" { value 4; description "Trace events for profiles with enable-flow-tracing set"; } enum "all" { value 5; description "Trace everything"; } } } } // list flag container packet-filter { description "SSL Packet filter"; uses apply-advanced; leaf source-ip { type jt:ipaddr; description "Source IP address"; } leaf destination-ip { type jt:ipaddr; description "Destination IP address"; } leaf source-port { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 65535"; } } description "Source port"; } leaf destination-port { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 65535"; } } description "Destination port"; } } // container packet-filter } // grouping ssl-traceoptions grouping svc-ike-policy { leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 32"; } description "Name of the IKE policy"; } uses apply-advanced; leaf description { type string { length "1 .. 80"; } description "Text description of IKE policy"; } leaf mode { type enumeration { enum "main" { value 0; description "Main mode"; } enum "aggressive" { value 1; description "Aggressive mode"; } } description "Define the IKE first phase mode"; } leaf version { type enumeration { enum "1" { value 0; description "Initiate IKEv1 negotiation"; } enum "2" { value 1; description "Initiate IKEv2 negotiation"; } } description "Define the IKE version to use for the negotiation"; } leaf-list proposals { junos:must "(".. .. .. proposal $$")"; junos:must-message "Referenced proposal is not defined"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 32"; } ordered-by user; description "Name of the proposal"; } container local-id { description "Define local identification"; choice id-type { leaf ipv4_addr { type jt:ipv4addr; description "One or more IPv4 address identification values"; } leaf distinguished-name { type empty; description "Use a distinguished name specified in local certificate"; } leaf fqdn { type string { length "1 .. 255"; } description "One or more fully qualified domain name values"; } leaf key-id { type string { junos:posix-pattern "^[[:xdigit:]]+$"; junos:pattern-message "Must be hexadecimal digits (0-9, a-f, A-F)"; length "1 .. 255"; } description "One or more key ID identification values"; } leaf ipv6-addr { type jt:ipv6addr; description "One or more IPv6 address identification values"; } } // choice id-type } // container local-id leaf-list certificate-policy-oids { type string { length "1 .. 63"; } max-elements 5; ordered-by user; description "Allowed certificate policy object identifiers (maximum 5)"; } leaf local-certificate { type string { junos:posix-pattern "^.{1,32}$"; junos:pattern-message "Must be string of 32 characters or less"; } description "Local certificate identifier"; } leaf peer-certificate-type { type enumeration { enum "pkcs7" { value 0; description "PKCS7 encoding"; } enum "x509-signature" { value 1; description "X509 signature encoding"; } } default "x509-signature"; description "Preferred type of certificate from peer"; } container remote-id { description "Define remote identification"; uses apply-advanced; leaf any-remote-id { junos:must "((!(".. distinguished-name") && (!(".. fqdn") && (!(".. ipv4_addr") && (!(".. key-id") && !(".. ipv6-addr"))))))"; junos:must-message "Specific 'remote-id' statement must not be configured when 'any-remote-id' statement is configured."; type empty; description "Allow any remote ID"; } leaf-list ipv4_addr { type jt:ipv4addr; ordered-by user; description "One or more IPv4 address identification values"; } container distinguished-name { description "One or more distinguished name values"; uses apply-advanced; leaf-list container { type string { length "1 .. 255"; } ordered-by user; description "One or more distinguished name container string"; } leaf-list wildcard { type string { length "1 .. 255"; } ordered-by user; description "One or more distinguished name wildcard string"; } leaf-list exact-match { type string { length "1 .. 255"; } ordered-by user; description "One or more distinguished name to do full length exact match"; } } // container distinguished-name leaf-list fqdn { type string { length "1 .. 255"; } ordered-by user; description "One or more fully qualified domain name values"; } leaf-list key-id { type string { length "1 .. 255"; } ordered-by user; description "One or more key ID identification values"; } leaf-list ipv6-addr { type jt:ipv6addr; ordered-by user; description "One or more IPv6 address identification values"; } } // container remote-id container pre-shared-key { description "Define a preshared key"; choice key-choice { leaf ascii-text { type string { length "1 .. 255"; } description "Format as text"; } leaf hexadecimal { type string { junos:posix-pattern "^[[:xdigit:]]+$"; junos:pattern-message "Must be hexadecimal digits (0-9, a-f, A-F)"; length "1 .. 255"; } description "Format as hexadecimal"; } } // choice key-choice } // container pre-shared-key container respond-bad-spi { presence "enable respond-bad-spi"; description "Respond to IPSec packets with bad SPI values"; leaf max-responses { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 30"; } } default "5"; description "Maximum number of times to respond"; } } // container respond-bad-spi } // grouping svc-ike-policy grouping tunnel_interface_type { description "One or more tunnel interfaces on which to configure flow-tap service"; leaf name { junos:must "(!("services dynamic-flow-capture"))"; junos:must-message "Dynamic flow capture cannot be configured when flow-tap is configured"; junos:must "(!("interfaces $$-IFL family inet filter"))"; junos:must-message "Tunnel Interface assigned for Radius-Flow-Tap cannot be configured with firewall filter"; junos:must "("interfaces $$-IFL family inet")"; junos:must-message "Interface with family inet must be defined in the [edit interfaces] hierarchy"; type union { type jt:interface-unit; type string { pattern "<.*>|$.*"; } } description "Tunnel Interface name"; } uses apply-advanced; } // grouping tunnel_interface_type } // module junos-ex-conf-services
© 2023 YumaWorks, Inc. All rights reserved.