Junos® OS User Access and Authentication

Junos® OS User Access and Authentication
Junos® OS
User Access and Authentication Feature Guide for
Routing Devices
Modified: 2017-05-15
Copyright © 2017, Juniper Networks, Inc.
Juniper Networks, Inc.
1133 Innovation Way
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net
Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United
States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other
trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify,
transfer, or otherwise revise this publication without notice.
®
Junos OS User Access and Authentication Feature Guide for Routing Devices
Copyright © 2017, Juniper Networks, Inc.
All rights reserved.
The information in this document is current as of the date on the title page.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the
year 2038. However, the NTP application is known to have some difficulty in the year 2036.
END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks
software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at
http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions of
that EULA.
ii
Copyright © 2017, Juniper Networks, Inc.
Table of Contents
About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
Documentation and Release Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
Supported Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
Using the Examples in This Manual . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
Merging a Full Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xviii
Merging a Snippet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xviii
Documentation Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix
Documentation Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi
Requesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi
Self-Help Online Tools and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi
Opening a Case with JTAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxii
Chapter 1
User Access and Authentication Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Junos OS Login Classes Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Junos OS User Accounts Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Understanding Junos OS Access Privilege Levels . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Junos OS Login Class Permission Flags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Allowing or Denying Individual Commands for Junos OS Login Classes . . . . 29
Junos OS User Authentication Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Understanding Remote Authentication Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Junos OS Authentication Order for RADIUS, TACACS+, and Password
Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Using RADIUS or TACACS+ Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Using Local Password Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Order of Authentication Attempts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Junos OS Authentication Methods for Routing Protocols . . . . . . . . . . . . . . . . . . . . 37
Chapter 2
Configuring Junos OS Login Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Defining Junos OS Login Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Example: Creating Login Classes with Specific Privileges . . . . . . . . . . . . . . . . . . . 40
Configuring the Timeout Value for Idle Login Sessions . . . . . . . . . . . . . . . . . . . . . . 41
Using Junos OS to Configure Logical System Administrators . . . . . . . . . . . . . . . . . 41
Configuring the Junos OS to Display a System Login Message . . . . . . . . . . . . . . . 42
Configuring the Junos OS to Display a System Login Announcement . . . . . . . . . . 44
Examples: Configuring Time-Based User Access . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Configuring System Alarms to Appear Automatically Upon Login . . . . . . . . . . . . 46
Copyright © 2017, Juniper Networks, Inc.
iii
User Access and Authentication Feature Guide for Routing Devices
Chapter 3
Configuring Junos OS User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Junos-FIPS Crypto Officer and User Accounts Overview . . . . . . . . . . . . . . . . . . . . 47
Crypto Officer User Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
FIPS User Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Configuring Time-Based User Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Examples: Configuring Time-Based User Access . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Configuring Local User Template Accounts for User Authentication . . . . . . . . . . 50
Configuring Remote Template Accounts for User Authentication . . . . . . . . . . . . . 52
Configuring a Local Administrator Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Configuring Junos OS User Accounts by Using a Configuration Group . . . . . . . . . 53
Example: Configuring User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Limiting the Number of User Login Attempts for SSH and Telnet Sessions . . . . . 57
Example: Limiting the Number of Login Attempts for SSH and Telnet Sessions
to Prevent Unauthorized Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Configuring Login Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Handling Authorization Failure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Example: Configuring System Retry Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Chapter 4
Configuring User Access Privileges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Example: Configuring User Permissions with Access Privilege Levels . . . . . . . . . . 65
Regular Expressions for Allowing and Denying Junos OS Operational Mode
Commands, Configuration Statements, and Hierarchies . . . . . . . . . . . . . . . . 69
Understanding Regular Expressions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Specifying Regular Expressions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Regular Expressions Operators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Regular Expression Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Example: Configuring User Permissions with Access Privileges for Operational
Mode Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Example: Configuring User Permissions with Access Privileges for Configuration
Statements and Hierarchies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Example: Configuring User Permissions with Access Privileges for Operational
Mode Commands, Configuration Statements, and Hierarchies . . . . . . . . . . 100
Example: Using Additive Logic With Regular Expressions to Specify Access
Privileges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Chapter 5
Permission Flags for User Access Privileges . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Access Privilege User Permission Flags Overview . . . . . . . . . . . . . . . . . . . . . . . . . 114
access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
access-control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
admin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
admin-control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
all-control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
clear . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
configure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
field . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
firewall-control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
floppy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
iv
Copyright © 2017, Juniper Networks, Inc.
Table of Contents
flow-tap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
flow-tap-control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
flow-tap-operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
idp-profiler-operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
interface-control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
pgcp-session-mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
pgcp-session-mirroring-control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
reset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
rollback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
routing-control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
secret . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
secret-control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
security-control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
shell . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
snmp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
snmp-control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
system-control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
trace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
trace-control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
view . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
view-configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379
Chapter 6
Configuring Passwords for User Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
Configuring the Root Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
Example: Protecting Network Security by Configuring the Root Password . . . . . 383
Example: Configuring a Plain-Text Password for Root Logins . . . . . . . . . . . . . . . 383
Example: Configuring SSH Authentication for Root Logins . . . . . . . . . . . . . . . . . 386
Recovering the Root Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386
Changing the Requirements for Junos OS Plain-Text Passwords . . . . . . . . . . . . 389
Example: Changing the Requirements for Junos OS Plain-Text Passwords . . . . 389
Configuring MS-CHAPv2 for Password-Change Support . . . . . . . . . . . . . . . . . . . 391
Chapter 7
Configuring Local Password Authentication . . . . . . . . . . . . . . . . . . . . . . . . . 393
Special Requirements for Junos OS Plain-Text Passwords . . . . . . . . . . . . . . . . . 393
Changing the Requirements for Junos OS Plain-Text Passwords . . . . . . . . . . . . 396
Example: Changing the Requirements for Junos OS Plain-Text Passwords . . . . 396
Configuring the Junos OS Authentication Order for RADIUS, TACACS+, and Local
Password Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
Example: Configuring System Authentication for RADIUS, TACACS+, and
Password Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
Copyright © 2017, Juniper Networks, Inc.
v
User Access and Authentication Feature Guide for Routing Devices
Chapter 8
Configuring Radius Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403
Configuring RADIUS Server Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403
Example: Configuring RADIUS Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
Example: Configuring RADIUS Template Accounts . . . . . . . . . . . . . . . . . . . . . . . 408
Juniper Networks Vendor-Specific RADIUS Attributes . . . . . . . . . . . . . . . . . . . . 408
Configuring RADIUS System Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
Configuring Auditing of User Events on a RADIUS Server . . . . . . . . . . . . . . . . 411
Specifying RADIUS Server Accounting and Auditing Events . . . . . . . . . . . . . 412
Configuring RADIUS Server Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
Example: Configuring RADIUS System Accounting . . . . . . . . . . . . . . . . . . . . . . . . 414
Using Regular Expressions on a RADIUS or TACACS+ Server to Allow or Deny
Access to Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
Overview of Template Accounts for RADIUS and TACACS+ Authentication . . . . 416
Configuring the Junos OS Authentication Order for RADIUS, TACACS+, and Local
Password Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417
Example: Configuring System Authentication for RADIUS, TACACS+, and
Password Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418
Chapter 9
Configuring TACACS+ Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
Configuring TACACS+ Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
Configuring TACACS+ Server Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
Specifying a Source Address for the Junos OS to Access External TACACS+
Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
Configuring the Same Authentication Service for Multiple TACACS+
Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423
Configuring Juniper Networks Vendor-Specific TACACS+ Attributes . . . . . . 423
Using Regular Expressions on a RADIUS or TACACS+ Server to Allow or Deny
Access to Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424
Juniper Networks Vendor-Specific TACACS+ Attributes . . . . . . . . . . . . . . . . . . . 425
Configuring TACACS+ System Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
Specifying TACACS+ Auditing and Accounting Events . . . . . . . . . . . . . . . . . 428
Configuring TACACS+ Server Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . 428
Configuring TACACS+ Accounting on a TX Matrix Router . . . . . . . . . . . . . . . . . . 429
Overview of Template Accounts for RADIUS and TACACS+ Authentication . . . 429
Configuring the Junos OS Authentication Order for RADIUS, TACACS+, and Local
Password Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 430
Example: Configuring System Authentication for RADIUS, TACACS+, and
Password Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 432
Chapter 10
Configuring DHCP Access Service for IP Address Management . . . . . . . . 435
DHCP Access Service Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Network Address Assignments (Allocating a New Address) . . . . . . . . . . .
Network Address Assignments (Reusing a Previously Assigned Address) .
Static and Dynamic Bindings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Compatibility with Autoinstallation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
vi
.
.
.
.
.
436
436
438
438
439
Copyright © 2017, Juniper Networks, Inc.
Table of Contents
Conflict Detection and Resolution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439
DHCP Statement Hierarchy and Inheritance . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439
Configuring Address Pools for DHCP Dynamic Bindings . . . . . . . . . . . . . . . . . . . . 441
Configuring Manual (Static) DHCP Bindings Between a Fixed IP Address and a
Client MAC Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442
Specifying DHCP Lease Times for IP Address Assignments . . . . . . . . . . . . . . . . 444
Configuring a DHCP Boot File and DHCP Boot Server . . . . . . . . . . . . . . . . . . . . . 444
Configuring a Static IP Address as DHCP Server Identifier . . . . . . . . . . . . . . . . . . 445
Configuring a Domain Name and Domain Search List for a DHCP Server Host . . 446
Configuring Routers Available to the DHCP Client . . . . . . . . . . . . . . . . . . . . . . . . 447
Creating User-Defined DHCP Options Not Included in the Default Junos
Implementation of the DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
Example: Complete DHCP Server Configuration . . . . . . . . . . . . . . . . . . . . . . . . . 448
Example: Viewing DHCP Bindings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 450
Example: Viewing DHCP Address Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 450
Example: Viewing and Clearing DHCP Conflicts . . . . . . . . . . . . . . . . . . . . . . . . . . 451
Configuring Tracing Operations for DHCP Processes . . . . . . . . . . . . . . . . . . . . . . 451
Configuring the DHCP Processes Log Filename . . . . . . . . . . . . . . . . . . . . . . 452
Configuring the Number and Size of DHCP Processes Log Files . . . . . . . . . 452
Configuring Access to the DHCP Log File . . . . . . . . . . . . . . . . . . . . . . . . . . . . 452
Configuring a Regular Expression for Refining the Output of DHCP Logged
Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453
Configuring DHCP Trace Operation Events . . . . . . . . . . . . . . . . . . . . . . . . . . 453
DHCP Processes Tracing Flags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453
Configuring the Router as an Extended DHCP Local Server . . . . . . . . . . . . . . . . 455
Interaction Among the DHCP Client, Extended DHCP Local Server, and
Address-Assignment Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457
Extended DHCP Local Server and Address-Assignment Pools . . . . . . . . . . . . . . 457
Methods Used by the Extended DHCP Local Server to Determine Which
Address-Assignment Pool to Use . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458
Matching the Client IP Address to the Address-Assignment Pool . . . . . . . . 458
Matching Option 82 Information to Named Address Ranges . . . . . . . . . . . . 458
Default Options Provided by the Extended DHCP Server for the DHCP Client . . 459
Using External AAA Authentication Services to Authenticate DHCP Clients . . . 459
Configuring Authentication Support for an Extended DHCP Application . . 460
Grouping Interfaces with Common DHCP Configurations . . . . . . . . . . . . . . . 461
Configuring Passwords for Usernames the DHCP Application Presents to
the External AAA Authentication Service . . . . . . . . . . . . . . . . . . . . . . . . 462
Creating Unique Usernames the Extended DHCP Application Passes to the
External AAA Authentication Service . . . . . . . . . . . . . . . . . . . . . . . . . . . 462
Client Configuration Information Exchanged Between the External Authentication
Server, DHCP Application, and DHCP Client . . . . . . . . . . . . . . . . . . . . . . . . . 464
Example: Configuring the Minimum Extended DHCP Local Server
Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
Example: Extended DHCP Local Server Configuration with Optional Pool
Matching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
Verifying and Managing the DHCP Server Configuration . . . . . . . . . . . . . . . . . . . 465
Copyright © 2017, Juniper Networks, Inc.
vii
User Access and Authentication Feature Guide for Routing Devices
Tracing Extended DHCP Local Server Operations . . . . . . . . . . . . . . . . . . . . . . . . 466
Configuring the Filename of the Extended DHCP Local Server Processes
Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467
Configuring the Number and Size of Extended DHCP Local Server Processes
Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467
Configuring Access to the Log File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467
Configuring a Regular Expression for Lines to Be Logged . . . . . . . . . . . . . . . 467
Configuring Trace Option Flags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468
Chapter 11
Configuring Remote Access to a Router or Switch . . . . . . . . . . . . . . . . . . . . 469
System Services Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
Configuring Telnet Service for Remote Access to a Router or Switch . . . . . . . . . 470
Configuring FTP Service for Remote Access to the Router or Switch . . . . . . . . . . 471
Configuring Finger Service for Remote Access to the Router . . . . . . . . . . . . . . . . 471
Configuring SSH Service for Remote Access to the Router or Switch . . . . . . . . . 472
Configuring the Root Login Through SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . 473
Configuring the SSH Protocol Version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473
Configuring the Client Alive Mechanism . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474
Configuring the SSH Fingerprint Hash Algorithm . . . . . . . . . . . . . . . . . . . . . 474
Configuring the SSH Service to Support Legacy Cryptography . . . . . . . . . . . . . . 475
Configuring Outbound SSH Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477
Configuring the Device Identifier for Outbound SSH Connections . . . . . . . . 477
Sending the Public SSH Host Key to the Outbound SSH Client . . . . . . . . . . 478
Configuring Keepalive Messages for Outbound SSH Connections . . . . . . . . 479
Configuring a New Outbound SSH Connection . . . . . . . . . . . . . . . . . . . . . . . 479
Configuring the Outbound SSH Client to Accept NETCONF as an Available
Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479
Configuring Outbound SSH Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480
Configuring DTCP-over-SSH Service for the Flow-Tap Application . . . . . . . . . . 480
Configuring NETCONF-Over-SSH Connections on a Specified TCP Port . . . . . . 481
Configuring clear-text or SSL Service for Junos XML Protocol Client
Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482
Configuring clear-text Service for Junos XML Protocol Client
Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482
Configuring SSL Service for Junos XML Protocol Client Applications . . . . . 483
Configuring the Junos OS to Work with SRC Software . . . . . . . . . . . . . . . . . . . . 483
Chapter 12
Configuring Authentication for Routing Protocols . . . . . . . . . . . . . . . . . . . . 485
Example: Configuring the BGP and IS-IS Routing Protocols . . . . . . . . . . . . . . . . 485
Configuring BGP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485
Configuring IS-IS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 486
Configuring the Authentication Key Update Mechanism for BGP and LDP Routing
Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487
Configuring Authentication Key Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487
Configuring BGP and LDP for Authentication Key Updates . . . . . . . . . . . . . 488
Chapter 13
Configuration Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 489
System Management Configuration Statements . . . . . . . . . . . . . . . . . . . . . . . . . 493
accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 500
access-end . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501
viii
Copyright © 2017, Juniper Networks, Inc.
Table of Contents
access-start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501
accounting-port (RADIUS Server) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 502
allow-commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503
allow-configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 504
allow-configuration-regexps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 506
allowed-days . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 507
authentication (DHCP Local Server) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 508
authentication (Login) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509
authentication-order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 510
backoff-factor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511
backoff-threshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 512
boot-file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513
boot-server (DHCP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514
change-type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516
circuit-type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517
class (Assigning a Class to an Individual User) . . . . . . . . . . . . . . . . . . . . . . . . . . . 518
class (Defining Login Classes) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519
client-alive-count-max . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 520
client-alive-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521
connection-limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 522
delimiter (DHCP Local Server) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523
deny-commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525
deny-configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 526
deny-configuration-regexps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 528
destination (Accounting) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529
dhcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 530
dhcpv6 (DHCP Local Server) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 532
dhcp-local-server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 536
domain-name (DHCP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 542
domain-name (DHCP Local Server) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543
dynamic-profile-options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 544
enhanced-accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 544
enhanced-avs-max . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 545
finger . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 545
flow-tap-dtcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 546
format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 547
ftp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 548
full-name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 548
group (DHCP Local Server) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 549
http . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 551
https . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 552
hostkey-algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 553
idle-timeout (System-Login) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 554
interface (DHCP Local Server) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 555
idle-timeout (System) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 556
ip-address-first . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 557
key-exchange . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 558
load-key-file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 559
Copyright © 2017, Juniper Networks, Inc.
ix
User Access and Authentication Feature Guide for Routing Devices
local-certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 560
lockout-period . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 561
logical-system-name (DHCP Local Server) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 562
login . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 563
login-alarms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564
login-script (Op Scripts) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564
mac-address (DHCP Local Server) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 565
macs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 566
maximum-lease-time (DHCP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 567
maximum-length . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 568
max-sessions-per-connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 569
maximum-time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 569
minimum-changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 570
minimum-length . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 571
minimum-lower-cases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 572
minimum-numerics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 573
minimum-punctuations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 574
minimum-time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 575
minimum-upper-cases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 576
next-server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577
no-passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577
no-public-keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 578
no-tcp-forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 578
option (DHCP server) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 579
option-60 (DHCP Local Server) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 580
option-82 (DHCP Local Server Authentication) . . . . . . . . . . . . . . . . . . . . . . . . . . 581
option-82 (DHCP Local Server Pool Matching) . . . . . . . . . . . . . . . . . . . . . . . . . . 582
outbound-ssh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 583
password (DHCP Local Server) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 586
password (Login) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 587
permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 588
pool (System) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 589
pool-match-order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 590
port (HTTP/HTTPS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 591
port (NETCONF) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 592
port (RADIUS Server) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 593
port (SRC Server) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 594
port (TACACS+ Server) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 594
protocol-version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 595
radius (System) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 596
radius-options (edit system) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 597
radius-server (System) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 598
rate-limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 599
regex-additive-logic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 600
retry (RADIUS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 601
retry-options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 602
root-login . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 603
router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 604
routing-instance-name (DHCP Local Server) . . . . . . . . . . . . . . . . . . . . . . . . . . . 605
x
Copyright © 2017, Juniper Networks, Inc.
Table of Contents
secret . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 606
server (RADIUS Accounting) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 607
server (TACACS+ Accounting) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 608
servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 609
server-identifier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 610
service-deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 611
services (System Services) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 612
session (Time-out) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 615
single-connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 616
source-address (NTP, RADIUS, System Logging, or TACACS+) . . . . . . . . . . . . . . 617
source-address (SRC Software) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 618
source-port (Port Addresses) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 618
ssh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 619
ssl-renegotiation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 620
static-binding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 621
system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 622
tacplus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 622
tacplus-options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 623
tacplus-server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 624
telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 625
timeout (System) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 626
traceoptions (Address-Assignment Pool) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 627
traceoptions (DHCP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 629
traceoptions (DHCP Server) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 632
traceoptions (SBC Configuration Process) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 635
tries-before-disconnect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 637
uid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 638
user (Access) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 639
username-include (DHCP Local Server) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 640
user-prefix (DHCP Local Server) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 642
versioning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 643
web-management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 644
wins-server (System) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 645
xnm-clear-text . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 646
xnm-ssl . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 647
Chapter 14
Operational Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 649
show cli authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 650
show cli directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 652
clear system services dhcp binding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 653
clear system services dhcp conflict . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 654
clear system services dhcp statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 655
show system services dhcp conflict . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 656
show system services dhcp global . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 657
show system services dhcp pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 659
show system services dhcp statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 662
show system services service-deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 665
show system users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 666
ssh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 671
Copyright © 2017, Juniper Networks, Inc.
xi
User Access and Authentication Feature Guide for Routing Devices
telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 673
test access profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 675
test access radius-server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 679
xii
Copyright © 2017, Juniper Networks, Inc.
List of Figures
Chapter 4
Configuring User Access Privileges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Figure 1: Configuring TACACS+ Server Authentication . . . . . . . . . . . . . . . . . . . . . . 79
Figure 2: Configuring TACACS+ Server Authentication . . . . . . . . . . . . . . . . . . . . . . 93
Figure 3: Configuring TACACS+ Server Authentication . . . . . . . . . . . . . . . . . . . . . 104
Chapter 10
Configuring DHCP Access Service for IP Address Management . . . . . . . . 435
Figure 4: DHCP Discover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
Figure 5: DHCP Offer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
Figure 6: DHCP Request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
Figure 7: DHCP ACK . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438
Figure 8: DHCP Release . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438
Copyright © 2017, Juniper Networks, Inc.
xiii
User Access and Authentication Feature Guide for Routing Devices
xiv
Copyright © 2017, Juniper Networks, Inc.
List of Tables
About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
Table 1: Notice Icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix
Table 2: Text and Syntax Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xx
Chapter 1
User Access and Authentication Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Table 3: Predefined System Login Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Table 4: Login Class Permission Flags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Table 5: Order of Authentication Attempts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Chapter 4
Configuring User Access Privileges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Table 6: Sample Local and Remote Authentication Configuration Using Regular
Expressions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Table 7: Specifying Regular Expressions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Table 8: Common Regular Expression Operators . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Table 9: Regular Expressions Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Table 10: Restricting Configuration Access Using deny-configurtion and
deny-configuration-regexps Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Chapter 7
Configuring Local Password Authentication . . . . . . . . . . . . . . . . . . . . . . . . . 393
Table 11: Special Requirements for Plain-Text Passwords . . . . . . . . . . . . . . . . . . 393
Chapter 8
Configuring Radius Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403
Table 12: Juniper Networks Vendor-Specific RADIUS Attributes . . . . . . . . . . . . . 408
Chapter 9
Configuring TACACS+ Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
Table 13: Juniper Networks Vendor-Specific TACACS+ Attributes . . . . . . . . . . . . 425
Chapter 10
Configuring DHCP Access Service for IP Address Management . . . . . . . . 435
Table 14: Pool and Binding Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440
Table 15: Common Configuration Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
Table 16: DHCP Processes Tracing Flags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453
Chapter 14
Operational Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 649
Table 17: show system services dhcp conflict Output Fields . . . . . . . . . . . . . . . . 656
Table 18: show system services dhcp global Output Fields . . . . . . . . . . . . . . . . . 657
Table 19: show system services dhcp pool Output Fields . . . . . . . . . . . . . . . . . . 659
Table 20: show system services dhcp statistics Output Fields . . . . . . . . . . . . . . 662
Table 21: show system services service-deployment Output Fields . . . . . . . . . . 665
Table 22: show system users Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 668
Table 23: test access profile Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 675
Table 24: test access radius-server Output Fields . . . . . . . . . . . . . . . . . . . . . . . . 679
Copyright © 2017, Juniper Networks, Inc.
xv
User Access and Authentication Feature Guide for Routing Devices
xvi
Copyright © 2017, Juniper Networks, Inc.
About the Documentation
•
Documentation and Release Notes on page xvii
•
Supported Platforms on page xvii
•
Using the Examples in This Manual on page xvii
•
Documentation Conventions on page xix
•
Documentation Feedback on page xxi
•
Requesting Technical Support on page xxi
Documentation and Release Notes
®
To obtain the most current version of all Juniper Networks technical documentation,
see the product documentation page on the Juniper Networks website at
http://www.juniper.net/techpubs/.
If the information in the latest release notes differs from the information in the
documentation, follow the product Release Notes.
Juniper Networks Books publishes books by Juniper Networks engineers and subject
matter experts. These books go beyond the technical documentation to explore the
nuances of network architecture, deployment, and administration. The current list can
be viewed at http://www.juniper.net/books.
Supported Platforms
For the features described in this document, the following platforms are supported:
•
M Series
•
MX Series
•
T Series
•
PTX Series
Using the Examples in This Manual
If you want to use the examples in this manual, you can use the load merge or the load
merge relative command. These commands cause the software to merge the incoming
configuration into the current candidate configuration. The example does not become
active until you commit the candidate configuration.
Copyright © 2017, Juniper Networks, Inc.
xvii
User Access and Authentication Feature Guide for Routing Devices
If the example configuration contains the top level of the hierarchy (or multiple
hierarchies), the example is a full example. In this case, use the load merge command.
If the example configuration does not start at the top level of the hierarchy, the example
is a snippet. In this case, use the load merge relative command. These procedures are
described in the following sections.
Merging a Full Example
To merge a full example, follow these steps:
1.
From the HTML or PDF version of the manual, copy a configuration example into a
text file, save the file with a name, and copy the file to a directory on your routing
platform.
For example, copy the following configuration to a file and name the file ex-script.conf.
Copy the ex-script.conf file to the /var/tmp directory on your routing platform.
system {
scripts {
commit {
file ex-script.xsl;
}
}
}
interfaces {
fxp0 {
disable;
unit 0 {
family inet {
address 10.0.0.1/24;
}
}
}
}
2. Merge the contents of the file into your routing platform configuration by issuing the
load merge configuration mode command:
[edit]
user@host# load merge /var/tmp/ex-script.conf
load complete
Merging a Snippet
To merge a snippet, follow these steps:
1.
From the HTML or PDF version of the manual, copy a configuration snippet into a text
file, save the file with a name, and copy the file to a directory on your routing platform.
For example, copy the following snippet to a file and name the file
ex-script-snippet.conf. Copy the ex-script-snippet.conf file to the /var/tmp directory
on your routing platform.
commit {
xviii
Copyright © 2017, Juniper Networks, Inc.
About the Documentation
file ex-script-snippet.xsl; }
2. Move to the hierarchy level that is relevant for this snippet by issuing the following
configuration mode command:
[edit]
user@host# edit system scripts
[edit system scripts]
3. Merge the contents of the file into your routing platform configuration by issuing the
load merge relative configuration mode command:
[edit system scripts]
user@host# load merge relative /var/tmp/ex-script-snippet.conf
load complete
For more information about the load command, see CLI Explorer.
Documentation Conventions
Table 1 on page xix defines notice icons used in this guide.
Table 1: Notice Icons
Icon
Meaning
Description
Informational note
Indicates important features or instructions.
Caution
Indicates a situation that might result in loss of data or hardware damage.
Warning
Alerts you to the risk of personal injury or death.
Laser warning
Alerts you to the risk of personal injury from a laser.
Tip
Indicates helpful information.
Best practice
Alerts you to a recommended use or implementation.
Table 2 on page xx defines the text and syntax conventions used in this guide.
Copyright © 2017, Juniper Networks, Inc.
xix
User Access and Authentication Feature Guide for Routing Devices
Table 2: Text and Syntax Conventions
Convention
Description
Examples
Bold text like this
Represents text that you type.
To enter configuration mode, type the
configure command:
user@host> configure
Fixed-width text like this
Italic text like this
Italic text like this
Represents output that appears on the
terminal screen.
user@host> show chassis alarms
•
Introduces or emphasizes important
new terms.
•
•
Identifies guide names.
A policy term is a named structure
that defines match conditions and
actions.
•
Identifies RFC and Internet draft titles.
•
Junos OS CLI User Guide
•
RFC 1997, BGP Communities Attribute
No alarms currently active
Represents variables (options for which
you substitute a value) in commands or
configuration statements.
Configure the machine’s domain name:
Represents names of configuration
statements, commands, files, and
directories; configuration hierarchy levels;
or labels on routing platform
components.
•
To configure a stub area, include the
stub statement at the [edit protocols
ospf area area-id] hierarchy level.
•
The console port is labeled CONSOLE.
< > (angle brackets)
Encloses optional keywords or variables.
stub <default-metric metric>;
| (pipe symbol)
Indicates a choice between the mutually
exclusive keywords or variables on either
side of the symbol. The set of choices is
often enclosed in parentheses for clarity.
broadcast | multicast
# (pound sign)
Indicates a comment specified on the
same line as the configuration statement
to which it applies.
rsvp { # Required for dynamic MPLS only
[ ] (square brackets)
Encloses a variable for which you can
substitute one or more values.
community name members [
community-ids ]
Indention and braces ( { } )
Identifies a level in the configuration
hierarchy.
; (semicolon)
Identifies a leaf statement at a
configuration hierarchy level.
Text like this
[edit]
root@# set system domain-name
domain-name
(string1 | string2 | string3)
[edit]
routing-options {
static {
route default {
nexthop address;
retain;
}
}
}
GUI Conventions
xx
Copyright © 2017, Juniper Networks, Inc.
About the Documentation
Table 2: Text and Syntax Conventions (continued)
Convention
Description
Examples
Bold text like this
Represents graphical user interface (GUI)
items you click or select.
•
In the Logical Interfaces box, select
All Interfaces.
•
To cancel the configuration, click
Cancel.
> (bold right angle bracket)
Separates levels in a hierarchy of menu
selections.
In the configuration editor hierarchy,
select Protocols>Ospf.
Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we can
improve the documentation. You can provide feedback by using either of the following
methods:
•
Online feedback rating system—On any page of the Juniper Networks TechLibrary site
at http://www.juniper.net/techpubs/index.html, simply click the stars to rate the content,
and use the pop-up form to provide us with information about your experience.
Alternately, you can use the online feedback form at
http://www.juniper.net/techpubs/feedback/.
•
E-mail—Send your comments to techpubs-comments@juniper.net. Include the document
or topic name, URL or page number, and software version (if applicable).
Requesting Technical Support
Technical product support is available through the Juniper Networks Technical Assistance
Center (JTAC). If you are a customer with an active J-Care or Partner Support Service
support contract, or are covered under warranty, and need post-sales technical support,
you can access our tools and resources online or open a case with JTAC.
•
JTAC policies—For a complete understanding of our JTAC procedures and policies,
review the JTAC User Guide located at
http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.
•
Product warranties—For product warranty information, visit
http://www.juniper.net/support/warranty/.
•
JTAC hours of operation—The JTAC centers have resources available 24 hours a day,
7 days a week, 365 days a year.
Self-Help Online Tools and Resources
For quick and easy problem resolution, Juniper Networks has designed an online
self-service portal called the Customer Support Center (CSC) that provides you with the
following features:
Copyright © 2017, Juniper Networks, Inc.
xxi
User Access and Authentication Feature Guide for Routing Devices
•
Find CSC offerings: http://www.juniper.net/customers/support/
•
Search for known bugs: http://www2.juniper.net/kb/
•
Find product documentation: http://www.juniper.net/techpubs/
•
Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
•
Download the latest versions of software and review release notes:
http://www.juniper.net/customers/csc/software/
•
Search technical bulletins for relevant hardware and software notifications:
http://kb.juniper.net/InfoCenter/
•
Join and participate in the Juniper Networks Community Forum:
http://www.juniper.net/company/communities/
•
Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/
To verify service entitlement by product serial number, use our Serial Number Entitlement
(SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/
Opening a Case with JTAC
You can open a case with JTAC on the Web or by telephone.
•
Use the Case Management tool in the CSC at http://www.juniper.net/cm/.
•
Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).
For international or direct-dial options in countries without toll-free numbers, see
http://www.juniper.net/support/requesting-support.html.
xxii
Copyright © 2017, Juniper Networks, Inc.
CHAPTER 1
User Access and Authentication Overview
•
Junos OS Login Classes Overview on page 23
•
Junos OS User Accounts Overview on page 24
•
Understanding Junos OS Access Privilege Levels on page 26
•
Junos OS User Authentication Methods on page 31
•
Understanding Remote Authentication Servers on page 31
•
Junos OS Authentication Order for RADIUS, TACACS+, and Password
Authentication on page 32
•
Junos OS Authentication Methods for Routing Protocols on page 37
Junos OS Login Classes Overview
All users who can log in to the router or switch must be in a login class. With login classes,
you define the following:
•
Access privileges that users have when they are logged in to the router or switch
•
Commands and statements that users can and cannot specify
•
How long a login session can be idle before it times out and the user is logged out
You can define any number of login classes and then apply one login class to an individual
user account.
The Junos operating system (Junos OS) contains a few predefined login classes, which
are listed in Table 3 on page 23. The predefined login classes cannot be modified.
Table 3: Predefined System Login Classes
Login Class
Permission Flag Set
operator
clear, network, reset, trace, and view
read-only
view
superuser or super-user
all
unauthorized
None
Copyright © 2017, Juniper Networks, Inc.
23
User Access and Authentication Feature Guide for Routing Devices
NOTE:
•
You cannot modify a predefined login class name. If you issue the set
command on a predefined class name, the Junos OS appends -local to the
login class name. The following message also appears:
warning: '<class-name>' is a predefined class name; changing to
'<class-name>-local'
•
You cannot issue the rename or copy command on a predefined login class.
Doing so results in the following error message:
error: target '<class-name>' is a predefined class
Related
Documentation
•
Defining Junos OS Login Classes on page 39
Junos OS User Accounts Overview
User accounts provide one way for users to access the router. (Users can access the
router without accounts if you configured RADIUS or TACACS+ servers, as described in
“Junos OS User Authentication Methods” on page 31.) For each account, you define the
login name for the user and, optionally, information that identifies the user. After you
have created an account, the software creates a home directory for the user.
For each user account, you can define the following:
•
Username—Name that identifies the user. It must be unique within the router. Do not
include spaces, colons, or commas in the username. The username can be up to 64
characters long.
•
User’s full name—(Optional) If the full name contains spaces, enclose it in quotation
marks. Do not include colons or commas.
•
User identifier (UID)—(Optional) Numeric identifier that is associated with the user
account name. The identifier must be in the range from 100 through 64,000 and must
be unique within the router. If you do not assign a UID to a username, the software
assigns one when you commit the configuration, preferring the lowest available number.
You must ensure that the UID is unique. However, it is possible to assign the same UID
to different users. If you do this, the CLI displays a warning when you commit the
configuration and then assigns the duplicate UID.
24
•
User’s access privilege—(Required) One of the login classes you defined in the class
statement at the [edit system login] hierarchy level, or one of the default classes listed
in “Regular Expressions for Allowing and Denying Junos OS Operational Mode
Commands, Configuration Statements, and Hierarchies” on page 69.
•
Authentication method or methods and passwords that the user can use to access
the router—(Optional) You can use SSH or a Message Digest 5 (MD5) password, or
you can enter a plain-text password that the Junos OS encrypts using MD5-style
encryption before entering it in the password database. For each method, you can
Copyright © 2017, Juniper Networks, Inc.
Chapter 1: User Access and Authentication Overview
specify the user’s password. If you configure the plain-text-password option, you are
prompted to enter and confirm the password:
[edit system login user username]
user@host# set authentication plain-text-password
New password: type password here
Retype new password: retype password here
The default requirements for plain-text passwords are:
•
The password must be between 6 and 128 characters long.
•
You can include most character classes in a password (uppercase letters, lowercase
letters, numbers, punctuation marks, and other special characters). Control characters
are not recommended.
•
Valid passwords must contain at least one change of case or character class.
Junos-FIPS and Common Criteria have special password requirements. FIPS and
Common Criteria passwords must be between 10 and 20 characters in length.
Passwords must use at least three of the five defined character sets (uppercase letters,
lowercase letters, digits, punctuation marks, and other special characters). If Junos-FIPS
is installed on the router, you cannot configure passwords unless they meet this
standard.
For SSH authentication, you can copy the contents of an SSH key file into the configuration
or directly configure SSH key information. Use the load-key-file URL filename command
to load an SSH key file that was previously generated, e.g. by using ssh-keygen. The URL
filename is the path to the file’s location and name. This command loads RSA (SSH
version 1 and SSH version 2) and DSA (SSH version 2) public keys. The contents of the
SSH key file are copied into the configuration immediately after you enter the load-key-file
statement. Optionally, you can use the ssh-dsa public key <from hostname> and the
ssh-rsa public key <from hostname> statements to directly configure SSH keys.
For each user account and for root logins, you can configure more than one public RSA
or DSA key for user authentication. When a user logs in using a user account or as root,
the configured public keys are referenced to determine whether the private key matches
any of them.
To view the SSH keys entries, use the configuration mode show command. For example:
[edit system login user boojum]
user@host# set authentication load-key-file my-host:.ssh/id_dsa.pub
.file.19692 | 0 KB | 0.3 kB/s | ETA: 00:00:00 | 100%
[edit system]
user@host# show
root-authentication {
ssh-rsa "1024 35 9727638204084251055468226757249864241630322
207404962528390382038690141584534964170019610608358722961563
475784918273603361276441874265946893207739108344813125957722
625461667999278316123500438660915866283822489746732605661192
181489539813862940327687806538169602027491641637359132693963
44008443 boojum@juniper.net"; # SECRET-DATA
}
Copyright © 2017, Juniper Networks, Inc.
25
User Access and Authentication Feature Guide for Routing Devices
An account for the user root is always present in the configuration. You configure the
password for root using the root-authentication statement, as described in “Configuring
the Root Password” on page 381.
Related
Documentation
•
Configuring Junos OS User Accounts by Using a Configuration Group on page 53
•
Junos OS Login Classes Overview on page 23
Understanding Junos OS Access Privilege Levels
Each top-level CLI command and each configuration statement have an access privilege
level associated with them. Users can execute only those commands and configure and
view only those statements for which they have access privileges. The access privileges
for each login class are defined by one or more permission flags.
For each login class, you can explicitly deny or allow the use of operational and
configuration mode commands that would otherwise be permitted or not allowed by a
privilege level specified in the permissions statement.
The following sections provide additional information about permissions:
•
Junos OS Login Class Permission Flags on page 26
•
Allowing or Denying Individual Commands for Junos OS Login Classes on page 29
Junos OS Login Class Permission Flags
The permissions statement specifies one or more of the permission flags listed in
Table 4 on page 26. Permission flags are not cumulative, so for each class you must list
all the permission flags needed, including view to display information and configure to
enter configuration mode. Two forms of permissions control for individual parts of the
configuration are:
•
"Plain” form—Provides read-only capability for that permission type. An example is
interface.
•
Form that ends in -control—Provides read and write capability for that permission type.
An example is interface-control.
Table 4 on page 26 lists the Junos OS login class permission flags that you can configure
by including the permissions statement at the [edit system login class class-name]
hierarchy level.
Table 4: Login Class Permission Flags
26
Permission Flag
Description
access
Can view the access configuration in configuration mode and
with the show configuration operational mode command.
access-control
Can view and configure access information at the [edit access]
hierarchy level.
Copyright © 2017, Juniper Networks, Inc.
Chapter 1: User Access and Authentication Overview
Table 4: Login Class Permission Flags (continued)
Permission Flag
Description
admin
Can view user account information in configuration mode and
with the show configuration operational mode command.
admin-control
Can view user accounts and configure them at the [edit system
login] hierarchy level.
all
Can access all operational mode commands and configuration
mode commands. Can modify configuration in all the
configuration hierarchy levels.
clear
Can clear (delete) information learned from the network that
is stored in various network databases by using the clear
commands.
configure
Can enter configuration mode by using the configure command.
control
Can perform all control-level operations—all operations
configured with the -control permission flags.
field
Can view field debug commands. Reserved for debugging
support.
firewall
Can view the firewall filter configuration in configuration mode.
firewall-control
Can view and configure firewall filter information at the [edit
firewall] hierarchy level.
floppy
Can read from and write to the removable media.
flow-tap
Can view the flow-tap configuration in configuration mode.
flow-tap-control
Can view the flow-tap configuration in configuration mode and
can configure flow-tap configuration information at the [edit
services flow-tap] hierarchy level.
flow-tap-operation
Can make flow-tap requests to the router or switch. For
example, a Dynamic Tasking Control Protocol (DTCP) client
must have flow-tap-operation permission to authenticate itself
to the Junos OS as an administrative user.
NOTE: The flow-tap-operation option is not included in the
all-control permissions flag.
idp-profiler-operation
Can view profiler data.
interface
Can view the interface configuration in configuration mode and
with the show configuration operational mode command.
Copyright © 2017, Juniper Networks, Inc.
27
User Access and Authentication Feature Guide for Routing Devices
Table 4: Login Class Permission Flags (continued)
28
Permission Flag
Description
interface-control
Can view chassis, class of service (CoS), groups, forwarding
options, and interfaces configuration information. Can edit
configuration at the following hierarchy levels:
•
[edit chassis]
•
[edit class-of-service]
•
[edit groups]
•
[edit forwarding-options]
•
[edit interfaces]
maintenance
Can perform system maintenance, including starting a local
shell on the router or switch and becoming the superuser in the
shell by using the su root command, and can halt and reboot
the router or switch by using the request system commands.
network
Can access the network by using the ping, ssh, telnet, and
traceroute commands.
pgcp-session-mirroring
Can view the pgcp session mirroring configuration.
pgcp-session-mirroring-control
Can modify the pgcp session mirroring configuration.
reset
Can restart software processes by using the restart command
and can configure whether software processes are enabled or
disabled at the [edit system processes] hierarchy level.
rollback
Can use the rollback command to return to a previously
committed configuration other than the most recently
committed one.
routing
Can view general routing, routing protocol, and routing policy
configuration information in configuration and operational
modes.
routing-control
Can view general routing, routing protocol, and routing policy
configuration information and can configure general routing at
the [edit routing-options] hierarchy level, routing protocols at
the [edit protocols] hierarchy level, and routing policy at the
[edit policy-options] hierarchy level.
secret
Can view passwords and other authentication keys in the
configuration.
secret-control
Can view passwords and other authentication keys in the
configuration and can modify them in configuration mode.
security
Can view security configuration in configuration mode and with
the show configuration operational mode command.
Copyright © 2017, Juniper Networks, Inc.
Chapter 1: User Access and Authentication Overview
Table 4: Login Class Permission Flags (continued)
Permission Flag
Description
security-control
Can view and configure security information at the [edit security]
hierarchy level.
shell
Can start a local shell on the router or switch by using the start
shell command.
snmp
Can view Simple Network Management Protocol (SNMP)
configuration information in configuration and operational
modes.
snmp-control
Can view SNMP configuration information and can modify SNMP
configuration at the [edit snmp] hierarchy level.
system
Can view system-level information in configuration and
operational modes.
system-control
Can view system-level configuration information and configure
it at the [edit system] hierarchy level.
trace
Can view trace file settings and configure trace file properties.
trace-control
Can modify trace file settings and configure trace file properties.
view
Can use various commands to display current system-wide,
routing table, and protocol-specific values and statistics. Cannot
view the secret configuration.
view-configuration
Can view all of the configuration excluding secrets, system
scripts, and event options.
NOTE: Only users with the maintenance permission can view
commit script, op script, or event script configuration.
Allowing or Denying Individual Commands for Junos OS Login Classes
By default, all top-level CLI commands have associated access privilege levels. Users
can execute only those commands and view only those statements for which they have
access privileges. For each login class, you can explicitly deny or allow the use of
operational and configuration mode commands that would otherwise be permitted or
not allowed by a privilege level specified in the permissions statement.
Permission flags are used to grant a user access to operational mode commands and
configuration hierarchy levels and statements. By specifying a specific permission flag
on the user's login class at the [edit system login class] hierarchy level, you grant the user
access to the corresponding commands and configuration hierarchy levels and
statements. To grant access to all commands and configuration statements, use the all
permissions flag. For permission flags that grant access to configuration hierarchy levels
and statements, the flags grant read-only privilege to that configuration. For example,
the interface permissions flag grants read-only access to the [edit interfaces] hierarchy
Copyright © 2017, Juniper Networks, Inc.
29
User Access and Authentication Feature Guide for Routing Devices
level. The -control form of the flag grants read-write access to that configuration. Using
the preceding example, interface-control grants read-write access to the [edit interfaces]
hierarchy level.
•
The all login class permission bits take precedence over extended regular expressions
when a user issues rollback command with rollback permission flag enabled.
•
Expressions used to allow and deny commands for users on RADIUS and TACACS+
servers have been simplified. Instead of a single, long expression with multiple
commands (allow-commands=cmd1 cmd2 ... cmdn), you can specify each command
as a separate expression. This new syntax is valid for allow-configuration,
deny-configuration, allow-commands, deny-commands, and all user permission bits.
•
Users cannot issue the load override command when specifying an extended regular
expression. Users can only issue the merge, replace, and patch configuration commands.
•
If you allow and deny the same commands, the allow-commands permissions take
precedence over the permissions specified by the deny-commands. For example, if you
include allow-commands "request system software add" and deny-commands "request
system software add", the login class user is allowed to install software using the
request system software add command.
•
Regular expressions for allow-commands and deny-commands can also include the
commit, load, rollback, save, status, and update commands.
•
If you specify a regular expression for allow-commands and deny-commands with two
different variants of a command, the longest match is always executed.
For example, if you specify a regular expression for allow-commands with the
commit-synchronize command and a regular expression for deny-commands with the
commit command, users assigned to such a login class would be able to issue the
commit synchronize command, but not the commit command. This is because
commit-synchronize is the longest match between commit and commit-synchronize
and it is specified for allow-commands.
Likewise, if you specify a regular expression for allow-commands with the commit
command and a regular expression for deny-commands with the commit-synchronize
command, users assigned to such a login class would be able to issue the commit
command, but not the commit-synchronize command. This is because
commit-synchronize is the longest match between commit and commit-synchronize
and it is specified for deny-commands.
Related
Documentation
30
•
Example: Configuring User Permissions with Access Privilege Levels on page 65
•
Regular Expressions for Allowing and Denying Junos OS Operational Mode Commands,
Configuration Statements, and Hierarchies on page 69
•
Access Privilege User Permission Flags Overview on page 114
Copyright © 2017, Juniper Networks, Inc.
Chapter 1: User Access and Authentication Overview
Junos OS User Authentication Methods
The Junos OS supports three methods of user authentication: local password
authentication, Remote Authentication Dial-In User Service (RADIUS), and Terminal
Access Controller Access Control System Plus (TACACS+).
With local password authentication, you configure a password for each user allowed to
log in to the router or switch.
RADIUS and TACACS+ are authentication methods for validating users who attempt to
access the router or switch using telnet. They are both distributed client-server
systems—the RADIUS and TACACS+ clients run on the router or switch, and the server
runs on a remote network system.
You can configure the router or switch to be both a RADIUS and TACACS+ client, and
you can also configure authentication passwords in the Junos OS configuration file. You
can prioritize the methods to configure the order in which the software tries the different
authentication methods when verifying user access.
Related
Documentation
•
Configuring RADIUS Server Authentication on page 403
•
Configuring TACACS+ Authentication on page 421
•
Junos OS Authentication Order for RADIUS, TACACS+, and Password Authentication
on page 32
Understanding Remote Authentication Servers
You probably already use a remote authentication server (or servers) in your network. It
is a recommended best practice, because the servers allow you to centrally create a
consistent set of user accounts for all devices in your network. There are many good
reasons for implementing a authentication, authorization, and accountability (AAA)
solution in your network, not the least of which is to make the management of user
accounts easier.
There are two basic methods of remote authentication in use by most enterprises
today—RADIUS and TACACS+. Junos OS supports both types and can be configured to
query multiple remote authentication servers of both types. The idea behind a RADIUS
or TACACS+ server is simple, a central authentication server that routers, switches,
security devices, and even servers can use to authenticate users as they attempt to gain
access to these systems. Think of the advantages that a central user directory brings for
authentication auditing and access control in a client server model, and you have your
justification for RADIUS or TACACS+ for your networks infrastructure.
Using a central server has multiple advantages over the alternative of creating local users
on each device, a time-consuming and error-prone task. A central authentication system
also simplifies the use of one-time password systems such as SecureID, which offer
protection against password sniffing and password replay attacks, in which someone
uses a captured password to pose as a system administrator.
Copyright © 2017, Juniper Networks, Inc.
31
User Access and Authentication Feature Guide for Routing Devices
•
•
Related
Documentation
RADIUS—You should use RADIUS when your priorities are interoperability and
performance.
•
Interoperability—RADIUS is more interoperable than TACACS+, primarily because
of the proprietary nature of TACACS+. While TACACS+ supports more protocols,
RADIUS is universally supported.
•
Performance—RADIUS is much lighter on your routers and switches and for this
reason, network engineers generally prefer RADIUS over TACACS+.
TACACS+—You should use TACACS+ when your priorities are security and flexibility.
•
Security—TACACS+ is more secure than RADIUS. Not only is the full session
encrypted, but authorization and authentication are done separately to prevent
someone from trying to force their way into your network.
•
Flexibility—TCP is a more flexible transport protocol than UDP. You can do more
with it in more advanced networks. In addition, TACACS+ supports more of the
enterprise protocols like NetBios or Appletalk.
•
Junos OS Authentication Order for RADIUS, TACACS+, and Password Authentication
Using the authentication-order statement, you can prioritize the order in which the Junos
OS tries the different authentication methods when verifying user access to a router or
switch.
If none of the configured authentication methods accept the login credentials and if a
reject response is received, the login attempt fails. If no response is received from any
configured authentication method, the Junos OS consults local password authentication
as a last resort.
Using RADIUS or TACACS+ Authentication
You can configure the Junos OS to be both a RADIUS and TACACS+ authentication client.
If an authentication method included in the [authentication-order] statement is not
available, or if the authentication is available but returns a reject response, the Junos OS
tries the next authentication method included in the authentication-order statement.
The RADIUS or TACACS+ server authentication might fail because of the following
reasons:
32
•
The authentication method is configured, but the corresponding authentication servers
are not configured. For instance, the RADIUS and TACACS+ authentication methods
are included in the authentication-order statement, but the corresponding RADIUS or
TACACS+ servers are not configured at the respective [edit system radius-server] and
[edit system tacplus-server] hierarchy levels.
•
The RADIUS or TACACS+ server does not respond within the timeout period configured
at the [edit system radius-server] or [edit system tacplus-server] hierarchy levels.
Copyright © 2017, Juniper Networks, Inc.
Chapter 1: User Access and Authentication Overview
•
The RADIUS or TACACS+ server is not reachable because of a network problem.
The RADIUS or TACACS+ server authentication might return a reject response because
of the following reasons:
•
The user profiles of users accessing a router or switch might not be configured on the
RADIUS or TACACS+ server.
•
The user enters incorrect logon credentials.
Using Local Password Authentication
You can explicitly configure the password authentication method or use this method as
a fallback mechanism when remote authentication servers fail. The password
authentication method consults the local user profiles configured at the [edit system
login] hierarchy level. Users can log in to a router or switch using their local username
and password in the following scenarios:
•
The password authentication method (password) is explicitly configured as one of
the authentication methods in the [authentication-order authentication-methods]
statement. In this case, the password authentication method is tried if no previous
authentication accepts the logon credentials. This is true whether the previous
authentication method fails to respond or returns a reject response because of an
incorrect username or password.
•
The password authentication method is not explicitly configured as one of the
authentication methods in the authentication-order authentication-methods statement.
In this case, the password authentication method is tried only if all configured
authentication methods fail to respond. It is not consulted if any configured
authentication method returns a reject response because of an incorrect username or
password.
Order of Authentication Attempts
Table 5 on page 34 describes how the authentication-order statement at the [edit system]
hierarchy level determines the procedure that the Junos OS uses to authenticate users
for access to a router or switch.
Copyright © 2017, Juniper Networks, Inc.
33
User Access and Authentication Feature Guide for Routing Devices
Table 5: Order of Authentication Attempts
Syntax
Order of Authentication Attempts
authentication-order radius;
1.
Try configured RADIUS authentication servers.
2. If RADIUS server is available and authentication is accepted,
grant access.
3. If RADIUS server is available but authentication is rejected,
deny access.
4. If RADIUS servers are not available, try password
authentication.
NOTE: If a RADIUS server is available, password
authentication is not attempted, because it is not explicitly
configured in the authentication order.
authentication-order [ radius password ];
1.
Try configured RADIUS authentication servers.
2. If RADIUS servers fail to respond or return a reject response,
try password authentication, because it is explicitly
configured in the authentication order.
authentication-order [ radius tacplus ];
1.
Try configured RADIUS authentication servers.
2. If RADIUS server is available and authentication is accepted,
grant access.
3. If RADIUS servers fail to respond or return a reject response,
try configured TACACS+ servers.
4. If TACACS+ server is available and authentication is
accepted, grant access.
5. If TACACS+ server is available but authentication is rejected,
deny access.
6. If both RADIUS and TACACS+ servers are not available, try
password authentication.
NOTE: If either RADIUS or TACACS+ servers are available,
password authentication is not attempted, because it is not
explicitly configured in the authentication order.
34
Copyright © 2017, Juniper Networks, Inc.
Chapter 1: User Access and Authentication Overview
Table 5: Order of Authentication Attempts (continued)
Syntax
Order of Authentication Attempts
authentication-order [ radius tacplus password ];
1.
Try configured RADIUS authentication servers.
2. If RADIUS server is available and authentication is accepted,
grant access.
3. If RADIUS servers fail to respond or return a reject response,
try configured TACACS+ servers.
4. If TACACS+ server is available and authentication is
accepted, grant access.
5. If TACACS+ servers fail to respond or return a reject
response, try password authentication, because it is
explicitly configured in the authentication order.
authentication-order tacplus;
1.
Try configured TACACS+ authentication servers.
2. If TACACS+ server is available and authentication is
accepted, grant access.
3. If TACACS+ server is available but authentication is rejected,
deny access.
4. If TACACS+ servers are not available, try password
authentication.
NOTE: If a TACACS+ server is available, password
authentication is not attempted, because it is not explicitly
configured in the authentication order.
authentication-order [ tacplus password ];
1.
Try configured TACACS+ authentication servers.
2. If TACACS+ servers fail to respond or return a reject
response, try password authentication, because it is
explicitly configured in the authentication order.
Copyright © 2017, Juniper Networks, Inc.
35
User Access and Authentication Feature Guide for Routing Devices
Table 5: Order of Authentication Attempts (continued)
Syntax
Order of Authentication Attempts
authentication-order [ tacplus radius ];
1.
Try configured TACACS+ authentication servers.
2. If TACACS+ server is available and authentication is
accepted, grant access.
3. If TACACS+ servers fail to respond or return a reject
response, try configured RADIUS servers.
4. If RADIUS server is available and authentication is accepted,
grant access.
5. If RADIUS server is available but authentication is rejected,
deny access.
6. If both TACACS+ and RADIUS servers are not available, try
password authentication.
NOTE: If either TACACS+ or RADIUS servers are available,
password authentication is not attempted, because it is not
explicitly configured in the authentication order.
authentication-order [ tacplus radius password ];
1.
Try configured TACACS+ authentication servers.
2. If TACACS+ server is available and authentication is
accepted, grant access.
3. If TACACS+ servers fail to respond or return a reject
response, try configured RADIUS servers.
4. If RADIUS server is available and authentication is accepted,
grant access.
5. If RADIUS servers fail to respond or return a reject response
try password authentication, because it is explicitly
configured in the authentication order.
authentication-order password;
1.
Try to authenticate the user, using the password configured
at the [edit system login] hierarchy level.
2. If the authentication is accepted, grant access.
3. If the authentication is rejected, deny access.
36
Copyright © 2017, Juniper Networks, Inc.
Chapter 1: User Access and Authentication Overview
NOTE: If SSH public keys are configured, SSH user authentication first tries
to perform public key authentication before using the authentication methods
configured in the authentication-order statement. If you want SSH logins to
use the authentication methods configured in the authentication-order
statement without first trying to perform public key authentication, do not
configure SSH public keys.
In a routing matrix based on a TX Matrix router, the authentication order must
be configured only at the configuration groups re0 and re1. The authentication
order must not be configured at the [edit system] hierarchy. This is because
the authentication order for the routing matrix is controlled on the switch-card
chassis (or TX Matrix router) or switch-fabric chassis (for TX Matrix Plus
router) only.
In Junos OS Release 10.0 and later, the superuser (belonging to the super-user
login class) is also authenticated based on the authentication order that is
configured for TACACS+, RADIUS, or password authentication using the
authentication-order statement. For example, if the only configured
authentication order is TACACS+, the superuser can only be authenticated
by the TACACS+ server and password authentication cannot be used as an
alternative. However, in Junos OS Release 9.6 and earlier, the superuser can
use password authentication to login, even if password authentication is not
configured explicitly using the authentication-order statement.
Related
Documentation
•
Overview of Template Accounts for RADIUS and TACACS+ Authentication on page 416
•
Configuring the Junos OS Authentication Order for RADIUS, TACACS+, and Local
Password Authentication on page 399
•
Limiting the Number of User Login Attempts for SSH and Telnet Sessions on page 57
•
Example: Configuring System Authentication for RADIUS, TACACS+, and Password
Authentication on page 400
Junos OS Authentication Methods for Routing Protocols
Some interior gateway protocols (IGPs)—Intermediate System-to-Intermediate System
(IS-IS), Open Shortest Path First (OSPF), and Routing Information Protocol (RIP)—and
Resource Reservation Protocol (RSVP) allow you to configure an authentication method
and password. Neighboring routers use the password to verify the authenticity of packets
sent by the protocol from the router or from a router interface. The following
authentication methods are supported:
•
Simple authentication (IS-IS, OSPF, and RIP)—Uses a simple text password. The
receiving router uses an authentication key (password) to verify the packet. Because
the password is included in the transmitted packet, this method of authentication is
relatively insecure. We recommend that you not use this authentication method.
Copyright © 2017, Juniper Networks, Inc.
37
User Access and Authentication Feature Guide for Routing Devices
•
MD5 and HMAC-MD5 (IS-IS, OSPF, RIP, and RSVP)—Message Digest 5 (MD5) creates
an encoded checksum that is included in the transmitted packet. HMAC-MD5, which
combines HMAC authentication with MD5, adds the use of an iterated cryptographic
hash function. With both types of authentication, the receiving router uses an
authentication key (password) to verify the packet. HMAC-MD5 authentication is
defined in RFC 2104, HMAC: Keyed-Hashing for Message Authentication.
In general, authentication passwords are text strings consisting of a maximum of 16 or
255 letters and digits. Characters can include any ASCII strings. If you include spaces in
a password, enclose all characters in quotation marks (“ ”).
Junos-FIPS has special password requirements. FIPS passwords must be between 10
and 20 characters in length. Passwords must use at least three of the five defined
character sets (uppercase letters, lowercase letters, digits, punctuation marks, and other
special characters). If Junos-FIPS is installed on the router, you cannot configure
passwords unless they meet this standard.
Related
Documentation
38
•
Example: Configuring the BGP and IS-IS Routing Protocols on page 485
•
Special Requirements for Junos OS Plain-Text Passwords on page 393
Copyright © 2017, Juniper Networks, Inc.
CHAPTER 2
Configuring Junos OS Login Classes
•
Defining Junos OS Login Classes on page 39
•
Example: Creating Login Classes with Specific Privileges on page 40
•
Configuring the Timeout Value for Idle Login Sessions on page 41
•
Using Junos OS to Configure Logical System Administrators on page 41
•
Configuring the Junos OS to Display a System Login Message on page 42
•
Configuring the Junos OS to Display a System Login Announcement on page 44
•
Examples: Configuring Time-Based User Access on page 45
•
Configuring System Alarms to Appear Automatically Upon Login on page 46
Defining Junos OS Login Classes
Login classes allow you to define the following:
•
Access privileges that users have when they are logged in to the router or switch
•
Commands and statements that users can and cannot specify
•
How long a login session can be idle before it times out and the user is logged out
All users who can log in to the router or switch must be in a login class. Therefore, you
must define a Junos OS login class for each user or class of users. You can define any
number of login classes depending on the types of permissions the users need.
To define a login class and its access privileges, include the class statement at the [edit
system login] hierarchy level:
[edit system login]
class class-name {
access-end;
access-start;
allow-commands "regular-expression";
( allow-configuration | allow-configuration-regexps) “regular expression 1” “regular
expression 2”;
allowed-days;
configuration-breadcrumbs;
deny-commands "regular-expression";
( deny-configuration | deny-configuration-regexps ) “regular expression 1” “regular
expression 2 ”;
Copyright © 2017, Juniper Networks, Inc.
39
User Access and Authentication Feature Guide for Routing Devices
idle-timeout minutes;
login-script filename;
login-tip;
permissions [ permissions ];
}
Related
Documentation
•
Junos OS User Accounts Overview on page 24
•
Example: Creating Login Classes with Specific Privileges on page 40
•
Using Junos OS to Configure Logical System Administrators on page 41
Example: Creating Login Classes with Specific Privileges
Login classes are used to assign certain permissions or restrictions to groups of users,
ensuring that sensitive commands are only accessible to the appropriate users. By default,
Juniper Networks devices have four types of login classes with preset permissions:
operator, read-only, superuser or super-user, and unauthorized.
You can create new custom login classes to make different combinations of permissions
that are not found in the default login classes. The following example shows how to
create three custom login classes, each with specific privileges and timers to disconnect
the class members after a period of inactivity. Inactivity timers help protect network
security by disconnecting a user from the network if the user is away from his computer
for too long, preventing potential security risks created by leaving an unattended account
logged in to a switch or router. The permissions and inactivity timers shown here are only
examples and should be customized to your organization.
The first class of users is called observation and they can only view statistics and
configuration. They are not allowed to modify any configuration. The second class of
users is called operation and they can view and modify the configuration. The third class
of users is called engineering and they have unlimited access and control. All three login
classes use the same inactivity timer of 5 minutes.
[edit]
system {
login {
class observation {
idle-timeout 5;
permissions [ view ];
}
class operation {
idle-timeout 5;
permissions [ admin clear configure interface interface-control network
reset routing routing-control snmp snmp-control trace-control
firewall-control rollback ];
}
class engineering {
idle-timeout 5;
permissions all;
}
}
}
40
Copyright © 2017, Juniper Networks, Inc.
Chapter 2: Configuring Junos OS Login Classes
Related
Documentation
•
Junos OS Login Classes Overview on page 23
•
Defining Junos OS Login Classes on page 39
•
Configuring a Local Administrator Account on page 52
Configuring the Timeout Value for Idle Login Sessions
An idle login session is one in which the CLI operational mode prompt is displayed but
there is no input from the keyboard. By default, a login session remains established until
a user logs out of the router or switch, even if that session is idle. To close idle sessions
automatically, you must configure a time limit for each login class. If a session established
by a user in that class remains idle for the configured time limit, the session automatically
closes.
To define the timeout value for idle login sessions, include the idle-timeout statement at
the [edit system login class class-name] hierarchy level:
[edit system login class class-name]
idle-timeout minutes;
Specify the number of minutes that a session can be idle before it is automatically closed.
If you have configured a timeout value, the CLI displays messages similar to the following
when timing out an idle user. It starts displaying these messages 5 minutes before timing
out the user.
user@host# Session will be closed in 5 minutes if there is no activity.
Warning: session will be closed in 1 minute if there is no activity
Warning: session will be closed in 10 seconds if there is no activity
Idle timeout exceeded: closing session
If you configure a timeout value, the session closes after the specified time has elapsed,
unless the user is running telnet or monitoring interfaces using the monitor interface or
monitor traffic command.
Related
Documentation
•
Defining Junos OS Login Classes on page 39
•
idle-timeout (System-Login) on page 554
Using Junos OS to Configure Logical System Administrators
Using Junos OS, you can partition a single router or switch into multiple logical devices
that perform independent routing or switching tasks. When creating logical systems, you
must configure logical system administrators and interfaces, assign logical interfaces to
logical systems, and configure various other logical system statements.
The master administrator can assign one or more logical system administrators to each
logical system. Once assigned to a logical system, administrators are restricted to viewing
only configurations of the logical system to which they are assigned and accessing only
the operational commands that apply to that particular logical system. This restriction
means that these administrators cannot access global configuration statements, and
Copyright © 2017, Juniper Networks, Inc.
41
User Access and Authentication Feature Guide for Routing Devices
all command output is restricted to the logical system to which the administrators are
assigned.
To configure logical system administrators, include the logical-system logical-system-name
statement at the [edit system login class class-name] hierarchy level and apply the class
to the user. For example:
[edit]
system {
login {
class admin1 {
permissions all;
logical-system logical-system-LS1;
}
class admin2 {
permissions view; # Gives users assigned to class admin2 the ability to view
# but not to change the configuration.
logical-system logical-system-LS2;
}
user user1 {
class admin1;
}
user user2 {
class admin2;
}
}
}
Fully implementing logical systems requires that you also configure any protocols, routing
statements, switching statements, and policy statements for the logical system.
Related
Documentation
•
Defining Junos OS Login Classes on page 39
•
Defining Junos OS Login Classes
Configuring the Junos OS to Display a System Login Message
You can create login banners for those who post messages and announcements to those
who access the device. You might want to configure an initial login message now, before
you create any user accounts.
A login message displays a banner to users when they access the device, before they log
in. To display a message only after the user logs in, use a system login announcement
instead of a system login message.
You can format the login message using the following special characters:
42
•
\n—New line
•
\t—Horizontal tab
•
\'—Single quotation mark
Copyright © 2017, Juniper Networks, Inc.
Chapter 2: Configuring Junos OS Login Classes
•
\"—Double quotation mark
•
\\—Backslash
If the message text contains any spaces, enclose it in quotation marks.
To configure a login banner:
1.
Include the message statement in the [edit system login] configuration.
[edit system login]
message text;
For example:
system {
login {
message "\n\n\n\tUNAUTHORIZED USE OF THIS SYSTEM\n
\tIS STRICTLY PROHIBITED!\n\n\tPlease contact
\'company-noc@company.com\' to gain\authorization
to this equipment if you need access.\n\n\n";
}
}
2. Commit the configuration.
[edit system login]
user@host# commit
3. Connect to the device in a new session to verify the presence of the new banner.
The preceding login message configuration example produces a login message similar
to the following:
server% telnet router1
Trying 1.1.1.1...
Connected to router1.
Escape character is '^]'.
UNAUTHORIZED USE OF THIS SYSTEM
IS STRICTLY PROHIBITED!
Please contact 'company-noc@company.com' to gain
authorization to this equipment if you need access.
router1 (ttyp0)
login:
NOTE: On some platforms, when you log in from the console, the login
banner message is not seen unless you press Ctrl-D at the login prompt.
Copyright © 2017, Juniper Networks, Inc.
43
User Access and Authentication Feature Guide for Routing Devices
Related
Documentation
•
Configuring the Junos OS to Display a System Login Announcement on page 44
•
Defining Junos OS Login Classes on page 39
•
Configuring the Junos OS to Display a System Login Announcement on page 44
Configuring the Junos OS to Display a System Login Announcement
Sometimes you want to make announcements only to authorized users after they have
logged in. For example, you might want to announce an upcoming maintenance event.
You can format the announcement using the following special characters:
•
\n—New line
•
\t—Horizontal tab
•
\'—Single quotation mark
•
\"—Double quotation mark
•
\\—Backslash
If the message text contains any spaces, enclose it in quotation marks.
By default, no login announcement is displayed.
To configure an announcement that can be seen only by authorized users:
1.
Include the announcement statement in the [edit system login] configuration.
[edit system login]
user@host# set announcement text
For example:
system {
login {
announcement "\tJuly 27th 1:00 AM to 8:00\n\nPlanned Network
Maintenance\n\nAFFECTED LOCATIONS: Sunnyvale\n\nPLANNED ACTIVITY:
Upgrade all 6200 switch firmware to the Enterprise TAC recommended firmware
version\n\nPURPOSE: This activity will help to minimize the impact of unplanned
power outages as well as address known issues within our currently installed
firmware version(s)\n\nWHAT TO EXPECT: During the maintenance window for
your site, the office network will not be available.\n\n";
message "\n\n\n\tTP0 - M7i - iX Router Lab\n\n\tUNAUTHORIZED USE OF THIS
ROUTER\n\tIS STRICTLY PROHIBITED!\n\n\tPlease contact
\'astatti@juniper.net\' to gain\n\taccess to this equipment if you need
authorization.\n\n\n"
}
}
2. Commit the configuration.
[edit system login]
user@host# commit
44
Copyright © 2017, Juniper Networks, Inc.
Chapter 2: Configuring Junos OS Login Classes
3. Connect to the device in a new session to verify the presence of the new banner.
The preceding login message configuration example produces a login message similar
to the following:
server% telnet host
Trying 203.0.113.0
Connected to host.example.net
Escape character is ’^]’.
TP0 - M7i - iX Router Lab
UNAUTHORIZED USE OF THIS ROUTER
IS STRICTLY PROHIBITED!
Please contact 'astatti@juniper.net' to gain
access to this equipment if you need authorization
login: user
Password:
July 27th 1:00 AM to 8:00
Planned Network Maintenance
AFFECTED
LOCATIONS:
Sunnyvale
PLANNED ACTIVITY: Upgrade all 6200 switch firmware to the Enterprise TAC
recommended firmware version
PURPOSE: This activity will help to minimize the impact of unplanned power
outages as well as address known issues within our currently installed firmware
version(s)
WHAT TO EXPECT: During the maintenance window for your site, the office network
will not be available.
Related
Documentation
•
Configuring the Junos OS to Display a System Login Message on page 42
Examples: Configuring Time-Based User Access
The following example shows how to configure user access for the
operator-round-the-clock-access login class from Monday through Friday without any
restriction on access time or duration of login:
[edit system]
login {
class operator-round-the-clock-access {
allowed-days [ monday tuesday wednesday thursday friday ];
}
Copyright © 2017, Juniper Networks, Inc.
45
User Access and Authentication Feature Guide for Routing Devices
The following example shows how to configure user access for the operator-day-shift
login class on Monday, Wednesday, and Friday from 8:30 AM to 4:30 PM:
[edit system]
login {
class operator-day-shift {
allowed-days [ monday wednesday friday ];
access-start 0830;
access-end 1630;
}
}
Alternatively, you can also specify the login start time and end time for the
operator-day-shift login class to be from 8:30 AM to 4:30 PM in the following format:
[edit system]
login {
class operator-day-shift {
allowed-days [ monday wednesday friday ];
access-start 08:30am;
access-end 04:30pm;
}
}
The following example shows how to configure user access for the
operator-day-shift-all-days-of-the-week login class to be on all days of the week from
8:30 AM to 4:30 PM:
[edit system]
login {
class operator-day-shift-all-days-of-the-week {
access-start 0830;
access-end 1630;
}
}
Related
Documentation
•
Configuring Time-Based User Access on page 48
Configuring System Alarms to Appear Automatically Upon Login
You can configure Juniper Networks routers and switches to run the show system alarms
command whenever a user with the login class admin logs in to the router or switch. To
do so, include the login-alarms statement at the [edit system login class admin] hierarchy
level.
[edit system login class admin]
login-alarms;
For more information on the show system alarms command, see the CLI Explorer.
Related
Documentation
46
•
show system alarms
Copyright © 2017, Juniper Networks, Inc.
CHAPTER 3
Configuring Junos OS User Accounts
•
Junos-FIPS Crypto Officer and User Accounts Overview on page 47
•
Configuring Time-Based User Access on page 48
•
Examples: Configuring Time-Based User Access on page 49
•
Configuring Local User Template Accounts for User Authentication on page 50
•
Configuring Remote Template Accounts for User Authentication on page 52
•
Configuring a Local Administrator Account on page 52
•
Configuring Junos OS User Accounts by Using a Configuration Group on page 53
•
Example: Configuring User Accounts on page 56
•
Limiting the Number of User Login Attempts for SSH and Telnet Sessions on page 57
•
Example: Limiting the Number of Login Attempts for SSH and Telnet Sessions to
Prevent Unauthorized Access on page 58
•
Configuring Login Tips on page 58
•
Handling Authorization Failure on page 59
•
Example: Configuring System Retry Options on page 60
Junos-FIPS Crypto Officer and User Accounts Overview
Junos-FIPS defines a restricted set of user roles. Unlike the Junos OS, which enables a
wide range of capabilities to users, FIPS 140-2 defines specific types of users (Crypto
Officer, User, and Maintenance). Crypto Officers and FIPS Users perform all FIPS-related
configuration tasks and issue all FIPS-related commands. Crypto Officer and FIPS User
configurations must follow FIPS 140-2 guidelines. Typically, no user besides a Crypto
Officer can perform FIPS-related tasks.
Crypto Officer User Configuration
Junos-FIPS offers finer control of user permissions than those mandated by FIPS 140-2.
For FIPS 140-2 conformance, any Junos-FIPS user with the secret, security, and
maintenance permission bits set is a Crypto Officer. In most cases, the super-user class
should be reserved for a Crypto Officer. A FIPS User can be defined as any Junos-FIPS
user that does not have the secret, security, and maintenance bits set.
Copyright © 2017, Juniper Networks, Inc.
47
User Access and Authentication Feature Guide for Routing Devices
FIPS User Configuration
A Crypto Officer sets up FIPS Users. FIPS Users can be granted permissions normally
reserved for a Crypto Officer; for example, permission to zeroize the system and individual
AS-II FIPS PICs.
Related
Documentation
•
Junos OS User Accounts Overview on page 24
Configuring Time-Based User Access
The Junos OS enables you to configure time-based restrictions for user access to log in
to a device. This is useful for restricting the time and duration of user logins for all users
belonging to a login class. You can specify the days of the week when users can log in,
the access start time, and the access end time.
•
To configure user access on specific days of the week, without any restrictions on the
duration of login, include the allowed-days statement only.
[edit system]
login {
class class-name {
allowed-days [ days-of-the-week ];
}
•
To configure user access on all the days of the week for a specific duration, include the
access-start and access-end statements only.
[edit system]
login {
class class-name {
access-start HH:MM;
access-end HH:MM;
}
}
•
To configure user access on specific days of the week for a specified duration, include
the allowed-days, access-start, and access-end statements.
[edit system]
login {
class class-name {
allowed-days [ days-of-the-week ];
access-start HH:MM;
access-end HH:MM;
}
}
Specify the start time and end time in HH:MM (24-hour) format, where HH represents
the hours and MM represents the minutes.
48
Copyright © 2017, Juniper Networks, Inc.
Chapter 3: Configuring Junos OS User Accounts
NOTE: Access start time and end time that spans across 12:00 AM on a
specified day results in the user having access until the next day, even if the
access day is not explicitly configured. For instance, the following
configuration results in the user having access until 6:00 AM on Tuesday and
Thursday, although the allowed-days statement specifies access only on
Monday and Wednesday:
[edit system]
login {
class operator-night-shift {
allowed-days [ monday wednesday ];
access-start 2000;
access-end 0600;
}
}
Related
Documentation
•
Examples: Configuring Time-Based User Access on page 45
•
Defining Junos OS Login Classes on page 39
•
access-end on page 501
•
access-start on page 501
•
allowed-days on page 507
•
access-end
Examples: Configuring Time-Based User Access
The following example shows how to configure user access for the
operator-round-the-clock-access login class from Monday through Friday without any
restriction on access time or duration of login:
[edit system]
login {
class operator-round-the-clock-access {
allowed-days [ monday tuesday wednesday thursday friday ];
}
The following example shows how to configure user access for the operator-day-shift
login class on Monday, Wednesday, and Friday from 8:30 AM to 4:30 PM:
[edit system]
login {
class operator-day-shift {
allowed-days [ monday wednesday friday ];
access-start 0830;
access-end 1630;
}
}
Copyright © 2017, Juniper Networks, Inc.
49
User Access and Authentication Feature Guide for Routing Devices
Alternatively, you can also specify the login start time and end time for the
operator-day-shift login class to be from 8:30 AM to 4:30 PM in the following format:
[edit system]
login {
class operator-day-shift {
allowed-days [ monday wednesday friday ];
access-start 08:30am;
access-end 04:30pm;
}
}
The following example shows how to configure user access for the
operator-day-shift-all-days-of-the-week login class to be on all days of the week from
8:30 AM to 4:30 PM:
[edit system]
login {
class operator-day-shift-all-days-of-the-week {
access-start 0830;
access-end 1630;
}
}
Related
Documentation
•
Configuring Time-Based User Access on page 48
Configuring Local User Template Accounts for User Authentication
You use local user template accounts when you need different types of templates for
authentication. Each template can define a different set of permissions appropriate for
the group of users who use that template. These templates are defined locally on the
router or switch and referenced by the TACACS+ and RADIUS authentication servers.
When you configure local user templates and a user logs in, Junos OS issues a request
to the authentication server to authenticate the user’s login name. If a user is
authenticated, the server returns the local username to Junos OS, which then determines
whether a local username is specified for that login name (local-username for TACACS+,
Juniper-Local-User for RADIUS). If so, Junos OS selects the appropriate local user template
locally configured on the router or switch. If a local user template does not exist for the
authenticated user, the router or switch defaults to the remote template.
To configure different access privileges for users who share the local user template
account, include the allow-commands and deny-commands commands in the
authentication server configuration file.
To configure a local user template, include the user local-username statement at the [edit
system login] hierarchy level and specify the privileges you want to grant to the local
users to whom the template applies:
[edit system login]
user local-username {
full-name "Local user account";
50
Copyright © 2017, Juniper Networks, Inc.
Chapter 3: Configuring Junos OS User Accounts
uid uid-value;
class class-name;
}
This example configures the sales and engineering local user templates:
[edit]
system {
login {
user sales {
uid uid-value;
class class-name;
}
user engineering {
uid uid-value;
class class-name;
}
}
}
user = simon {
...
service = junos-exec {
local-user-name = sales
allow-commands = "configure"
deny-commands = "shutdown"
}
}
user = rob {
...
service = junos-exec {
local-user-name = sales
allow-commands = "(request system) | (show rip neighbor)"
deny-commands = "clear"
}
}
user = harold {
...
service = junos-exec {
local-user-name = engineering
allow-commands = "monitor | help | show | ping | traceroute"
deny-commands = "configure"
}
}
user = jim {
...
service = junos-exec {
local-user-name = engineering
allow-commands = "show bgp neighbor"
deny-commands = "telnet | ssh"
}
}
When the login users Simon and Rob are authenticated, the router or switch applies the
sales local user template. When login users Harold and Jim are authenticated, the router
or switch applies the engineering local user template.
Copyright © 2017, Juniper Networks, Inc.
51
User Access and Authentication Feature Guide for Routing Devices
Related
Documentation
•
Overview of Template Accounts for RADIUS and TACACS+ Authentication on page 416
•
user (Access) on page 639
Configuring Remote Template Accounts for User Authentication
By default, the Junos OS uses remote template accounts for user authentication when:
•
The authenticated user does not exist locally on the router or switch.
•
The authenticated user’s record in the authentication server specifies local user, or the
specified local user does not exist locally on the router or switch.
To configure the remote template account, include the user remote statement at the
[edit system login] hierarchy level and specify the privileges you want to grant to remote
users:
[edit system login]
user remote {
full-name "All remote users";
uid uid-value;
class class-name;
}
To configure different access privileges for users who share the remote template account,
include the allow-commands and deny-commands statements in the authentication
server configuration file.
Related
Documentation
•
Overview of Template Accounts for RADIUS and TACACS+ Authentication on page 416
•
user (Access) on page 639
Configuring a Local Administrator Account
The following example shows how to configure a password- protected local
administration account called admin with superuser privileges. Superuser privileges give
a user permission to use any command on the router and are generally reserved for a
select few users such as system administrators. It is important to protect the local
administrator account with a password to prevent unauthorized users from gaining access
to superuser commands that can be used to alter the system configuration. Even users
with RADIUS authentication should configure a local password. If RADIUS fails or becomes
unreachable, the login process will revert to password authentication on the local
administrator account.
[edit]
system {
login {
user admin {
uid 1000;
class superuser;
authentication {
encrypted-password "<PASSWORD>"; # SECRET-DATA
52
Copyright © 2017, Juniper Networks, Inc.
Chapter 3: Configuring Junos OS User Accounts
}
}
}
}
Related
Documentation
•
Junos OS Login Classes Overview on page 23
•
Configuring Junos OS User Accounts by Using a Configuration Group on page 53
Configuring Junos OS User Accounts by Using a Configuration Group
User accounts provide a way for users to access a router or switch. Junos OS requires
that all users have a predefined user account before they can log in to the device. For
each user account, you define the login name for the user and, optionally, information
that identifies the user. After you have created an account, the software creates a home
directory for the user.
It is a common practice to use remote authentication servers to centrally store information
about users. Even so, it is also a good practice to configure at least one nonroot user
directly on each device, in case access to the remote authentication server is disrupted.
This one nonroot user commonly has a generic name, such as admin.
Because user accounts are configured on multiple devices, they are commonly configured
inside of a configuration group. As such, the examples shown here are in a configuration
group called global. Using a configuration group for your user accounts is optional.
To create a user account:
1.
Add a new user, using the user’s assigned account login name.
[edit groups global]
user@host# edit system login user user username
2. (Optional) Configure a full descriptive name for the account.
If the full name includes spaces, enclose the entire name in quotation marks.
[edit groups global system login user user-name]
user@host# set full-name complete-name
For example:
user@host# show groups
global {
system {
login {
user admin {
full-name "general administrator";
}
}
}
}
Copyright © 2017, Juniper Networks, Inc.
53
User Access and Authentication Feature Guide for Routing Devices
3. (Optional) Set the user identifier (UID) for the account.
As with UNIX systems, the UID enforces user permissions and file access. If you do
not set the UID, Junos OS assigns one for you. The format of the UID is a number in
the range of 100 to 64000.
[edit groups global system login user user-name]
user@host# set uid uid-value
For example:
user@host# show groups
global {
system {
login {
user admin {
uid 9999;
}
}
}
}
4. Assign the user to a login class.
You can define your own login classes or assign one of the predefined Junos OS login
classes.
The predefined login classes are as follows:
•
super-user—all permissions
•
operator—clear, network, reset, trace, and view permissions
•
read-only— view permissions
•
unauthorized—no permissions
[edit groups global system login user user-name]
user@host# set class class-name
For example:
user@host# show groups
global {
system {
login {
user admin {
class super-user;
}
}
}
}
5. Use one of the following methods to configure the user password.
•
54
To enter a clear-text password that the system encrypts for you, use the following
command to set the user password:
Copyright © 2017, Juniper Networks, Inc.
Chapter 3: Configuring Junos OS User Accounts
[edit groups global system login user user-name]
user@host# set authentication plain-text-password password
New Password: type password here
Retype new password: retype password here
As you enter the password in plain text, Junos OS encrypts it immediately. You do
not have to configure Junos OS to encrypt the password as in some other systems.
Plain-text passwords are therefore hidden and marked as ## SECRET-DATA in the
configuration.
•
To enter a password that is already encrypted, use the following command to set
the user password:
CAUTION: Do not use the encrypted-password option unless the
password is already encrypted, and you are entering the encrypted
version of the password.
If you accidentally configure the encrypted-password option with a
plain-text password or with blank quotation marks (" "), you will not be
able to log in to the device as this user.
[edit groups global system login user user-name]
user@host# set authentication encrypted-password "password"
New Password: type password here
Retype new password: retype password here
•
To load previously generated public keys from a named file at a specified URL
location, use the following command to set the user password:
[edit groups global system login user user-name]
user@host# set authentication load-key-file URL filename
•
To enter an ssh public string, use the following command to set the user password:
[edit groups global system login user user-name]
user@host# set authentication (ssh-dsa | ssh-ecdsa | ssh-rsa) authorized-key
6. At the top level of the configuration, apply the configuration group.
If you use a configuration group, you must apply it for it to take effect.
[edit]
user@host# set apply-groups global
7. Commit the configuration.
user@host# commit
8. To verify the configuration, log out and log back in as the new user.
Related
Documentation
•
Defining Junos OS Login Classes on page 39
•
Example: Creating Login Classes with Specific Privileges on page 40
•
Junos OS User Accounts Overview on page 24
Copyright © 2017, Juniper Networks, Inc.
55
User Access and Authentication Feature Guide for Routing Devices
•
Limiting the Number of User Login Attempts for SSH and Telnet Sessions on page 57
•
User Access and Authentication Feature Guide for Routing Devices
Example: Configuring User Accounts
The following example shows how to create accounts for four router or switch users,
and create an account for the template user remote. All users use one of the default
system login classes. User alexander also has two digital signal algorithm (DSA) public
keys configured for SSH authentication.
[edit]
system {
login {
user philip {
full-name “Philip of Macedonia”;
uid 1001;
class super-user;
authentication {
encrypted-password “$ABC123”;
}
}
user alexander {
full-name “Alexander the Great”;
uid 1002;
class view;
authentication {
encrypted-password “$ABC123”;
ssh-dsa “8924 37 5678 5678@gaugamela.per”;
ssh-dsa “6273 94 9283@boojum.per”;
}
}
user darius {
full-name “Darius King of Persia”;
uid 1003;
class operator;
authentication {
ssh-rsa “1024 37 12341234@ecbatana.per”;
}
}
user anonymous {
class unauthorized;
}
user remote {
full-name “All remote users”;
uid 9999;
class read-only;
}
}
}
Related
Documentation
56
•
Junos OS User Accounts Overview on page 24
•
Limiting the Number of User Login Attempts for SSH and Telnet Sessions on page 57
Copyright © 2017, Juniper Networks, Inc.
Chapter 3: Configuring Junos OS User Accounts
Limiting the Number of User Login Attempts for SSH and Telnet Sessions
You can limit the number of times a user can attempt to enter a password while logging
in through SSH or Telnet. The connection is terminated if a user fails to log in after the
number of attempts specified. You can also specify a delay, in seconds, before a user
can try to enter a password after a failed attempt. In addition, you can specify the
threshold for the number of failed attempts before the user experiences a delay in being
able to enter a password again.
To specify the number of times a user can attempt to enter a password while logging in,
include the retry-options statement at the [edit system login] hierarchy level:
[edit system login]
retry-options {
tries-before-disconnect number;
backoff-threshold number;
backoff-factor seconds;
maximum-time seconds
minimum-time seconds;
}
You can configure the following options:
•
tries-before-disconnect—Number of times a user can attempt to enter a password
when logging in. The connection closes if a user fails to log in after the number specified.
The range is from 1 through 10, and the default is 10.
•
backoff-threshold—Threshold for the number of failed login attempts before the user
experiences a delay in being able to enter a password again. Use the backoff-factor
option to specify the length of the delay in seconds. The range is from 1 through 3, and
the default is 2.
•
backoff-factor—Length of time, in seconds, before a user can attempt to log in after a
failed attempt. The delay increases by the value specified for each subsequent attempt
after the threshold. The range is from 5 through 10, and the default is 5 seconds.
•
maximum-time seconds—Maximum length of time, in seconds, that the connection
remains open for the user to enter a username and password to log in. If the user
remains idle and does not enter a username and password within the configured
maximum-time, the connection is closed. The range is from 20 through 300 seconds,
and the default is 120 seconds.
•
minimum-time—Minimum length of time, in seconds, that a connection remains open
while a user is attempting to enter a correct password. The range is from 20 through
60, and the default is 40.
Related
Documentation
•
Example: Limiting the Number of Login Attempts for SSH and Telnet Sessions to
Prevent Unauthorized Access on page 58
•
Configuring Junos OS User Accounts by Using a Configuration Group on page 53
Copyright © 2017, Juniper Networks, Inc.
57
User Access and Authentication Feature Guide for Routing Devices
Example: Limiting the Number of Login Attempts for SSH and Telnet Sessions to
Prevent Unauthorized Access
Limiting the number of SSH and Telnet login attempts per user is one of the most effective
methods of stopping brute force attacks from compromising your network security. Brute
force attackers execute a large number of login attempts in a short period of time to
illegitimately gain access to a private network. By configuring the retry-options command,
you can create an increasing delay after each failed login attempt, eventually
disconnecting any user who passes your set threshold of login attempts.
The following example shows how to limit the user to four attempts when the user enters
a password while logging in through SSH or Telnet. Set the backoff-threshold to 2, the
back-off-factor to 5 seconds, and the minimum-time to 40 seconds. The user experiences
a delay of 5 seconds after the second attempt to enter a correct password fails. After
each subsequent failed attempt, the delay increases by 5 seconds. After the fourth and
final failed attempt to enter a correct password, the user experiences an additional
10-second delay, and the connection closes after a total of 40 seconds.
The additional variables maximum-time and lockout-period are not set in this example.
[edit]
system {
login {
retry-options {
backoff-threshold 2;
backoff-factor 5;
minimum-time 40;
tries-before-disconnect 4;
}
password {
}
}
}
NOTE: This sample only shows the portion of the [edit system login] hierarchy
level being modified.
Related
Documentation
•
Limiting the Number of User Login Attempts for SSH and Telnet Sessions on page 57
•
login on page 563
Configuring Login Tips
The Junos OS CLI provides the option of configuring login tips for the user. By default,
the tip command is not enabled when a user logs in.
58
Copyright © 2017, Juniper Networks, Inc.
Chapter 3: Configuring Junos OS User Accounts
•
To enable tips, include the login-tip statement at the [edit system login class class-name]
hierarchy level:
[edit system login class class-name]
login-tip;
Adding this statement enables the tip command for the class specified, provided the
user logs in using the CLI.
Related
Documentation
•
Defining Junos OS Login Classes on page 39
Handling Authorization Failure
The security administrator can configure the number of times a user can try to log in to
the device with invalid login credentials. The device can be locked after the specified
number of unsuccessful authentication attempts. This helps to protect the device from
malicious users attempting to access the system by guessing an account’s password.
The security administrator can unlock the user account or define a time period for the
user account to remain locked.
The system lockout-period defines the amount of time the device can be locked for a
user account after a specified number of unsuccessful login attempts.
The security administrator can configure a period of time after which an inactive session
will be locked and require re-authentication to be unlocked. This helps to protect the
device from being idle for a long period before the session times out.
The system idle-timeout defines length of time the CLI operational mode prompt remains
active before the session times out.
The security administrator can configure a banner with an advisory notice to be displayed
before the identification and authentication screen.
The system message defines the system login message. This message appears before
a user logs in.
The number of reattempts the device allows is defined by the tries-before-disconnect
option. The device allows 3 unsuccessful attempts by default or as configured by the
administrator. The device prevents the locked users to perform activities that require
authentication, until a security administrator manually clears the lock or the defined time
period for the device to remain locked has elapsed. However, the existing locks are ignored
when the user attempts to log in from the local console.
Copyright © 2017, Juniper Networks, Inc.
59
User Access and Authentication Feature Guide for Routing Devices
NOTE: To clear the console during an administrator-initiated logout, the
administrator must configure the set system login message “message string”
such that, the message-string contains newline (\n) characters and a login
banner message at the end of the \n characters.
To ensure that configuration information is cleared completely, the
administrator can enter 50 or more \n characters in the message-string of
the command set system login message “message string”.
For example, set system login message
"\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Welcome to Junos!!!"
Related
Documentation
•
Example: Configuring System Retry Options on page 60
Example: Configuring System Retry Options
This example shows how to configure system retry options to protect the device from
malicious users.
•
Requirements on page 60
•
Overview on page 60
•
Configuration on page 62
•
Verification on page 63
Requirements
Before you begin, you should understand “Handling Authorization Failure” on page 59.
No special configuration beyond device initialization is required before configuring this
feature.
Overview
Malicious users sometimes try to log in to a secure device by guessing an authorized user
account’s password. Locking out a user account after a number of failed authentication
attempts helps protect the device from malicious users.
Device lockout allows you to configure the number of failed attempts before the user
account is locked out of the device and configure the amount of time before the user can
attempt to log in to the device again. You can configure the amount of time in-between
failed login attempts of a user account and can manually lock and unlock user accounts.
60
Copyright © 2017, Juniper Networks, Inc.
Chapter 3: Configuring Junos OS User Accounts
NOTE:
This example includes the following settings:
•
backoff-factor — Sets the length of delay in seconds after each failed login
attempt. When a user incorrectly logs in to the device, the user must wait
the configured amount of time before attempting to log in to the device
again. The length of delay increases by this value for each subsequent login
attempt after the value specified in the backoff-threshold statement. The
default value for this statement is five seconds, with a range of five to ten
seconds.
•
backoff-threshold — Sets the threshold for the number of failed login
attempts on the device before the user experiences a delay when
attempting to reenter a password. When a user incorrectly logs in to the
device and hits the threshold of failed login attempts, the user experiences
a delay that is set in the backoff-factor statement before attempting to log
in to the device again. The default value for this statement is two, with a
range of one through three.
•
lockout-period — Sets the amount of time in minutes before the user can
attempt to log in to the device after being locked out due to the number of
failed login attempts specified in the tries-before-disconnect statement.
When a user fails to correctly login after the number of allowed attempts
specified by the tries-before-disconnect statement, the user must wait the
configured amount of minutes before attempting to log in to the device
again. The lockout-period must be greater than zero. The range at which
you can configure the lockout-period is one through 43,200 minutes.
•
tries-before-disconnect — Sets the maximum number of times the user is
allowed to enter a password to attempt to log in to the device through SSH
or Telnet. When the user reaches the maximum number of failed login
attempts, the user is locked out of the device. The user must wait the
configured amount of minutes in the lockout-period statement before
attempting to log back in to the device. The tries-before-disconnect
statement must be set when the lockout-period statement is set; otherwise,
the lockout-period statement is meaningless. The default number of
attempts is ten, with a range of one through ten attempts.
Once a user is locked out of the device, if you are the security administrator,
you can manually remove the user from this state using the clear system login
lockout <username> command. You can also use the show system login lockout
command to view which users are currently locked out, when the lockout
period began for each user, and when the lockout period ends for each user.
If the security administrator is locked out of the device, he can log in to the
device from the console port, which ignores any user locks. This provides a
way for the administrator to remove the user lock on their own user account.
Copyright © 2017, Juniper Networks, Inc.
61
User Access and Authentication Feature Guide for Routing Devices
In this example the user waits for the backoff-threshold multiplied by the backoff-factor
interval, in seconds, to get the login prompt. In this example, the user must wait 5 seconds
after the first failed login attempt and 10 seconds after the second failed login attempt
to get the login prompt. The user gets disconnected after 15 seconds after the third failed
attempt because the tries-before-disconnect option is configured as 3.
The user cannot attempt anther login until 120 minutes has elapsed, unless a security
administrator manually clears the lock sooner.
Configuration
CLI Quick
Configuration
To quickly configure this example, copy the following commands, paste them into a text
file, remove any line breaks, change any details necessary to match your network
configuration, copy and paste the commands into the CLI at the [edit] hierarchy level,
and then enter commit from configuration mode.
set system login retry-options backoff-factor 5
set system login retry-options backoff-threshold 1
set system login retry-options lockout-period 120
set system login retry-options tries-before-disconnect 3
Step-by-Step
Procedure
To configure system retry-options:
1.
Configure the backoff factor.
[edit ]
user@host# set system login retry-options backoff-factor 5
2.
Configure the backoff threshold.
[edit]
user@host# set system login retry-options backoff-threshold 1
3.
Configure the amount of time the device gets locked after failed attempts.
[edit]
user@host# set system login retry-options lockout-period 5
4.
Configure the number of unsuccessful attempts during which, the device can remain
unlocked.
[edit]
user@host# set system login retry-options tries-before-disconnect 3
Results
From configuration mode, confirm your configuration by entering the show system login
retry-options command. If the output does not display the intended configuration, repeat
the configuration instructions in this example to correct it.
[edit]
user@host# show system login retry-options
backoff-factor 5;
backoff-threshold 1;
62
Copyright © 2017, Juniper Networks, Inc.
Chapter 3: Configuring Junos OS User Accounts
lockout-period 5;
tries-before-disconnect 3;
Confirm that the configuration is working properly.
If you are done configuring the device, enter commit from configuration mode.
Verification
Displaying the Locked User Logins
Purpose
Verify that the login lockout configuration is enabled.
Action
Attempt three unsuccessful logins for a particular username. The device will be locked
for that username; then log in to the device with a different username. From operational
mode, enter the show system login lockout command.
Meaning
When you perform three unsuccessful login attempts with a particular username, the
device is locked for that user for five minutes, as configured in the example. You can verify
that the device is locked for that user by logging in to the device with a different username
and entering the show system login lockout command.
Related
Documentation
•
Handling Authorization Failure on page 59
Copyright © 2017, Juniper Networks, Inc.
63
User Access and Authentication Feature Guide for Routing Devices
64
Copyright © 2017, Juniper Networks, Inc.
CHAPTER 4
Configuring User Access Privileges
•
Example: Configuring User Permissions with Access Privilege Levels on page 65
•
Regular Expressions for Allowing and Denying Junos OS Operational Mode Commands,
Configuration Statements, and Hierarchies on page 69
•
Example: Configuring User Permissions with Access Privileges for Operational Mode
Commands on page 76
•
Example: Configuring User Permissions with Access Privileges for Configuration
Statements and Hierarchies on page 87
•
Example: Configuring User Permissions with Access Privileges for Operational Mode
Commands, Configuration Statements, and Hierarchies on page 100
•
Example: Using Additive Logic With Regular Expressions to Specify Access
Privileges on page 109
Example: Configuring User Permissions with Access Privilege Levels
This example shows how to view permissions for a user account and configure the user
permissions with access privileges for a login class. This enables users to execute only
those commands and configure and view only those statements for which they have
access privileges. This prevents unauthorized users from executing or configuring sensitive
commands and statements that could potentially cause damage to the network.
•
Requirements on page 65
•
Overview on page 66
•
Configuration on page 67
•
Verification on page 68
Requirements
This example uses the following hardware and software components:
•
One Juniper Networks device
•
One TACACS+ (or RADIUS) server
•
Junos OS build running on the Juniper Networks device
Copyright © 2017, Juniper Networks, Inc.
65
User Access and Authentication Feature Guide for Routing Devices
Before you begin:
•
Establish connection between the device and the TACACS+ server.
For information on configuring a TACACS+ server, see “Configuring TACACS+
Authentication” on page 421.
•
Configure at least one user assigned to a login class on the Juniper Networks device.
There can be more than one login class, each with varying permission configurations,
and more than one user on the device.
Overview
Each top-level command-line interface (CLI) command and each configuration statement
in Junos OS has an access privilege level associated with it. For each login class, you can
explicitly deny or allow the use of operational and configuration mode commands that
would otherwise be permitted or not allowed by a privilege level. Users can execute only
those commands and configure and view only those statements for which they have
access privileges. To configure access privilege levels, include the permissions statement
at the [edit system login class class-name] hierarchy level.
The access privileges for each login class are defined by one or more permission flags
specified in the permissions statement. Permission flags are used to grant a user access
to operational mode commands, statements, and configuration hierarchies. Permission
flags are not cumulative, so for each login class you must list all the permission flags
needed, including view to display information and configure to enter configuration mode.
By specifying a specific permission flag on the user's login class, you grant the user access
to the corresponding commands, statements, and configuration hierarchies. To grant
access to all commands and configuration statements, use the all permissions flag. The
permission flags provide read-only (“plain” form) and read and write (form that ends in
-control) capability for a permission type.
NOTE: The all login class permission bits take precedence over extended
regular expressions when a user issues a rollback command with the rollback
permission flag enabled.
To configure user access privilege levels:
1.
View permissions for a user account.
You can view the permissions for a user account before configuring the access
privileges for those permissions.
To view the user permissions, enter ? at the [edit] hierarchy level:
[edit]
?
2. Configure user permissions with access privileges.
66
Copyright © 2017, Juniper Networks, Inc.
Chapter 4: Configuring User Access Privileges
All users who can log in to a device must be in a login class. For each login class, you
can configure the access privileges that the associated users can have when they are
logged in to the device.
To configure access privilege levels for user permissions, include the permissions
statement at the [edit system login class class-name] hierarchy level, followed by the
user permission, the permissions option, and the required permission flags.
[edit system login]
user@host# set class class-name permissions user-permission permissions [permission
flags];
Configuration
Configuring User Permissions with Access Privilege Levels
Step-by-Step
Procedure
To configure access privileges:
1.
From the device, view the list of permissions available for the user account. In this
example, the username of the user account is host.
[edit]
user@host> ?
Possible completions:
clear
configure
file
help
load
monitor
mtrace
op
ping
quit
request
restart
save
set
message
show
ssh
start
telnet
test
traceroute
Clear information in the system
Manipulate software configuration information
Perform file operations
Provide help information
Load information from file
Show real-time debugging information
Trace multicast path from source to receiver
Invoke an operation script
Ping remote target
Exit the management session
Make system-level requests
Restart software process
Save information to file
Set CLI properties, date/time, craft interface
Show system information
Start secure shell on another host
Start shell
Telnet to another host
Perform diagnostic debugging
Trace route to remote host
The output lists the permissions for the user host. Customized login classes can be
created by configuring different access privileges on these user permissions.
2.
Configure an access privilege class to enable user host to configure and view SNMP
parameters only. In this example, this login class is called network-management.
To customize the network-management login class, include the SNMP permission
flags to the configure user permission.
[edit system login class network-management]
user@host# set permissions configure permissions snmp
user@host# set permissions configure permissions snmp-control
Copyright © 2017, Juniper Networks, Inc.
67
User Access and Authentication Feature Guide for Routing Devices
Here, the configured permission flags provide both read (snmp) and read-and-write
(snmp-control) capability for SNMP, and this is the only allowed access privilege
for the network-management login class. In other words, all other access privileges
other than configuring and viewing SNMP parameters are denied.
Results
From configuration mode, confirm your configuration by entering the show system login
command. If the output does not display the intended configuration, repeat the
instructions in this example to correct the configuration.
user@host# show system login
class network-management {
permissions [ configure snmp snmp-control ];
}
Verification
Log in as the username assigned with the new login class, and confirm that the
configuration is working properly.
•
Verifying SNMP Configuration on page 68
•
Verifying non-SNMP Configuration on page 68
Verifying SNMP Configuration
Purpose
Action
Verify that SNMP configuration can be executed.
From configuration mode, execute basic SNMP commands at the [edit snmp] hierarchy
level.
[edit snmp]
user@host# set name device1
user@host# set description switch1
user@host# set location Lab1
user@host# set contact example.com
user@host# commit
Meaning
The user host assigned to the network-management login class is able to configure
SNMP parameters, as the permission flags specified for this class include both snmp
(read capabilities) and snmp-control (read and write capabilities) permission bits.
Verifying non-SNMP Configuration
Purpose
Action
68
Verify that non-SNMP configuration is denied for the network-management login class.
From the configuration mode, execute any non-SNMP configuration, for example,
interfaces configuration.
Copyright © 2017, Juniper Networks, Inc.
Chapter 4: Configuring User Access Privileges
[edit]
user@host# edit interfaces
Syntax error, expecting <statement> or <identifier>.
Related
Documentation
•
Understanding Junos OS Access Privilege Levels on page 26
•
Regular Expressions for Allowing and Denying Junos OS Operational Mode Commands,
Configuration Statements, and Hierarchies on page 69
Regular Expressions for Allowing and Denying Junos OS Operational Mode Commands,
Configuration Statements, and Hierarchies
This topic contains the following sections:
•
Understanding Regular Expressions on page 69
•
Specifying Regular Expressions on page 70
•
Regular Expressions Operators on page 72
•
Regular Expression Examples on page 75
Understanding Regular Expressions
You can use extended regular expressions to specify which operational mode commands,
configuration statements, and hierarchies are denied or allowed. You specify these regular
expressions locally in the allow/deny-commands, allow/deny-configuration-regexps, and
allow/deny-configuration statements at the [edit system login class class-name] hierarchy
level, or remotely by specifying Juniper Networks vendor-specific TACACS+ or RADIUS
attributes in your authentication server’s configuration.
The difference between a local and remote authentication configuration is the pattern
in which the regular expressions statements are executed. While it is possible to specify
multiple regular expressions using strings in the local authentication configuration, in a
remote configuration, the regular expressions statements need to be split and specified
in individual strings. When the authentication parameters are configured both remotely
and locally, the regular expressions received during TACACS+ or RADIUS authentication
get merged with any regular expressions available on the local device.
Table 6 on page 70 differentiates the local and remote authentication configuration using
regular expressions.
Copyright © 2017, Juniper Networks, Inc.
69
User Access and Authentication Feature Guide for Routing Devices
Table 6: Sample Local and Remote Authentication Configuration Using Regular Expressions
Local Configuration
Remote Configuration
login {
class local {
permissions configure;
allow-commands "(ping .*)|(traceroute
.*)|(show .*)|(configure
.*)|(edit)|(exit)|(commit)|(rollback .*)";
deny-commands .*;
allow-configuration "(interfaces .* unit 0
family ethernet-switching vlan mem.*
.*)|(interfaces .* native.* .*)|(interfaces
.* unit 0 family ethernet-switching
interface-mo.* .*)|(interfaces .* unit
.*)|(interfaces .* disable)|(interfaces .*
description .*)|(vlans .* vlan-.* .*)"
deny-configuration .*;
}
}
user = remote {
login = username
service = junos-exec {
allow-commands1 = "ping .*"
allow-commands2 = "traceroute .*"
allow-commands3 = "show .*"
allow-commands4 = "configure"
allow-commands5 = "edit"
allow-commands6 = "exit"
allow-commands7 = "commit"
allow-commands8 = ".*xml-mode" <<<<<
allow-commands9 = ".*netconf" <<<<<
allow-commands10 = ".*need-trailer" <<<<<
allow-commands11 = "rollback.*"
deny-commands1 = ".*"
allow-configuration1 = "interfaces .* unit 0 family
ethernet-switching vlan mem.* .*"
allow-configuration2 = "interfaces .* native.* .*"
allow-configuration3 = "interfaces .* unit 0 family
ethernet-switching interface-mo.* .*"
allow-configuration4 = "interfaces .* unit .*"
allow-configuration5 = "interfaces .* disable"
allow-configuration6 = "interfaces .* description .*"
allow-configuration7 = "interfaces .*"
allow-configuration8 = "vlans .* vlan-.* .*"
deny-configuration1 = ".*"
local-user-name = local-username
user-permissions = "configure"
}
}
NOTE:
•
You need to explicitly allow access to the NETCONF mode, either locally
or remotely, by issuing the following three commands: xml-mode, netconf,
and need-trailer.
•
When the deny-configuration = “.*” statement is used, all the other desired
configurations should be allowed using the allow-configuration statement.
This can affect the allowed regular expressions buffer limit for the
allow-configuration statement. When this limit exceeds, the allowed
configuration might not work. This regular expression buffer size limit has
been increased in Junos OS Release 14.1x53-D40, 15.1, and 16.1.
Specifying Regular Expressions
WARNING: When you specify regular expression for commands and
configuration statements, pay close attention to the following examples, as
70
Copyright © 2017, Juniper Networks, Inc.
Chapter 4: Configuring User Access Privileges
regular expression with invalid syntax might not produce the desired results,
even if the configuration is committed without any error.
Regular expressions for commands and configuration statements should be specified
in the same manner as executing the complete command or statement.
Table 7 on page 71 lists the regular expressions for configuring access privileges for the
[edit interfaces] and [edit vlans] statement hierarchies, and for the delete interfaces
command.
Table 7: Specifying Regular Expressions
Statement
Regular Expression
Configuration Notes
[edit interfaces]
The set interfaces statement is incomplete
by itself, and requires the unit option to
execute the statement.
•
The .* operator denotes everything from the
specified point onward for that particular
command or statement. In this example, it
denotes any interface name with any unit
value.
•
Specifying only the deny-configuration
"interfaces .*" statement is incorrect and
does not deny access to the interfaces
configuration for the specified login class.
•
Other valid options can be included in the
regular expression, for example:
The set command for interfaces
is executed as follows:
[edit]
user@host# set interfaces
interface-name unit
interface-unit-number
As a result, the regular expression required
for denying the set interfaces configuration
must specify the entire executable string
with the .* operator in place of statement
variables:
[edit system login class class-name]
user@host# set permissions configure
user@host# set deny-configuration
"interfaces .* unit .*"
[edit system login class class-name]
user@host# set permissions configure
user@host# set deny-configuration
"interfaces .* description .*"
[edit system login class class-name]
user@host# set permissions configure
user@host# set
allow-configuration-regexps [
"interfaces .* description .*” “interfaces
.* unit .* description .*” “interfaces .*
unit .* family inet address .*”
“interfaces.* disable" ]
[edit system login class class-name]
user@host# set permissions configure
user@host# set allow-configuration
"interfaces .* unit 0 family
ethernet-switching vlan mem.* .*"
Note: The mem.* regular expression in this
example is used when multiple strings
starting with the mem keyword are expected
to be included in the specified regular
expression. When only one member string is
expected to be included, the member .*
regular expression is used.
Copyright © 2017, Juniper Networks, Inc.
71
User Access and Authentication Feature Guide for Routing Devices
Table 7: Specifying Regular Expressions (continued)
Statement
Regular Expression
Configuration Notes
delete interfaces
The delete interfaces statement can be
executed by itself and does not require
additional statements to be complete.
•
The .* operator denotes everything from the
specified point onward for that particular
command or statement. In this example, it
denotes any interface name.
•
For the deny-configuration "interfaces .*"
regular expression to take effect, the
specified login class should allow
configuration permissions for the interfaces
hierarchy using the allow-configuration
"interfaces .*" regular expression.
•
The .* operator denotes everything from the
specified point onward for that particular
command or statement. In this example, it
denotes any VLAN name with any VLAN ID.
•
Other valid options under the [edit vlans]
statement hierarchy can be included in the
regular expression, for example:
The delete command for
interfaces is executed as follows:
[edit]
user@host# delete interfaces
interface-name
As a result, the regular expression required
for denying the delete interfaces
statement should specify the following:
[edit system login class class-name]
user@host# set permissions configure
user@host# set allow-configuration
"interfaces .*"
user@host# set deny-configuration
"interfaces .*"
[edit vlans]
The set command for VLANs is
executed as follows:
[edit]
user@host# set vlans
vlan-name vlan-id vlan-id
Here, the set vlans statement is
incomplete by itself, and requires the
vlan-id option to execute the statement.
As a result, the regular expression required
for allowing the set vlans configuration
must specify the entire executable string
with the .* operator in place of statement
variables:
[edit system login class class-name]
user@host# set permissions configure
user@host# set allow-configuration
"vlans .* vlan-id .*"
[edit system login class class-name]
user@host# set permissions configure
user@host# set
allow-configuration-regexps [ "vlans
.* vlan-id .*" "vlans .* vlan-id .*
description .*" "vlans .* vlan-id .* filter
.*" ]
Regular Expressions Operators
Table 8 on page 73 lists common regular expression operators that you can use for
allowing or denying operational and configuration modes.
Command regular expressions implement the extended (modern) regular expressions,
as defined in POSIX 1003.2.
72
Copyright © 2017, Juniper Networks, Inc.
Chapter 4: Configuring User Access Privileges
Table 8: Common Regular Expression Operators
Operator
Match
|
One of two or
more terms
separated by
the pipe. Each
term must be a
complete
standalone
expression
enclosed in
parentheses ( ),
with no spaces
between the
pipe and the
adjacent
parentheses.
^
At the beginning
of an
expression, used
to denote where
the command
begins, where
there might be
some ambiguity.
Example
[edit system login class test]
user@host# set permissions configure
user@host# set allow-commands "(ping)|(traceroute)|(show system alarms)|(show
system software)"
user@host# set deny-configuration
"(access)|(access-profile)|(accounting-options)|(applications)|(apply-groups)|
(bridge-domains)|(chassis)|(class-of-service)"
With the above configuration, the users assigned to the test login class have operational
mode access restricted to only the commands specified in the allow-commands statement,
and access to the configuration mode, excluding the hierarchy levels specified in the
deny-configuration statement.
[edit system login class test]
user@host# set permissions interface
user@host# set permissions interface-control
user@host# set allow-commands "(^show) (log|interfaces|policer))|(^monitor)"
With the above configuration, the users assigned to the test login class have access to
configuring and viewing interface configuration from the operational and configuration mode.
The allow-commands statement specifies access to commands that begin with show and
monitor keywords.
For the first filter, the commands specified include the show log, show interfaces, and show
policer commands. The second filter specifies all commands starting with the monitor keyword,
such as monitor interfaces or monitor traffic commands.
$
[]
Character at the
end of a
command. Used
to denote a
command that
must be
matched
exactly up to
that point.
Range of letters
or digits. To
separate the
start and end of
a range, use a
hyphen ( - ).
[edit system login class test]
user@host# set permissions interface
user@host# set allow-commands "(show interfaces$)"
With the above configuration, the users assigned to the test login class can view the interface
configuration in the configuration mode and with the show configuration operational mode
command with the interface user permission. However, the regular expression specified in
the allow-commands statement restricts the users to execute only the show interfaces
command and denies access to the command extensions, such as show interfaces detail or
show interfaces extensive.
[edit system login class test]
user@host# set permissions clear
user@host# set permissions configure
user@host# set permissions network
user@host# set permissions trace
user@host# set permissions view
user@host# set allow-configuration-regexps [ "interfaces [gx]e-.* unit [0-9]* description
.*" ]
With the above configuration, the users assigned to the test login class have operator-level
user permissions, and have access to configure interfaces within the specified range of
interface name and unit number (0 through 9).
Copyright © 2017, Juniper Networks, Inc.
73
User Access and Authentication Feature Guide for Routing Devices
Table 8: Common Regular Expression Operators (continued)
Operator
Match
()
A group of
commands,
indicating a
complete,
standalone
expression to be
evaluated. The
result is then
evaluated as
part of the
overall
expression.
Parentheses
must be used in
conjunction with
pipe operators,
as explained.
*
Example
[edit system login class test]
user@host# set permissions all
user@host# set allow-commands "(clear)|(configure)"
user@host# deny-commands "(mtrace)|(start)|(delete)"
With the above configuration, users assigned to the test login class have superuser-level
permissions, and have access to the commands specified in the allow-commands statement.
Zero or more
terms.
[edit system login class test]
user@host# set permissions configure
user@host# set deny-configuration "(system login class m*)"
With the above configuration, users assigned to the test login class whose login username
begins with m are denied configuration access.
+
One or more
terms.
[edit system login class test]
user@host# set permissions configure
user@host# set deny-configuration "(system login class m+)"
With the above configuration, users assigned to the test login class whose login username
begins with m are denied configuration access.
.
Any character
except for a
space " ".
[edit system login class test]
user@host# set permissions configure
user@host# set deny-configuration "(system login class m.)"
With the above configuration, users assigned to the test login class whose login username
begins with m are denied configuration access.
.*
Everything from
the specified
point onward.
[edit system login class test]
user@host# set permissions configure
user@host# set deny-configuration "(system login class m .*)"
With the above configuration, users assigned to the test login class whose login username
begins with m are denied configuration access.
Similarly, the deny-configuration "protocols .*" statement denies all configuration access
under the [edit protocols] hierarchy level.
NOTE:
74
•
The *, +, and . operations can be achieved by using .*.
•
The deny-commands .* and deny-configuration .* statements deny access to all operational
mode commands and configuration hierarchies, respectively.
Copyright © 2017, Juniper Networks, Inc.
Chapter 4: Configuring User Access Privileges
NOTE: Junos OS does not support the ! regular expression operator.
Regular Expression Examples
Table 9 on page 75 lists the regular expressions used to allow configuration options under
two configuration hierarchies—[edit system ntp server] and [edit protocols rip]—as an
example for specifying regular expressions.
NOTE: Table 9 on page 75 does not provide a comprehensive list of all regular
expressions and keywords for all configuration statements and hierarchies.
The regular expressions listed in the table are supported in Junos OS Release
16.1, and are validated only for the [edit system ntp server] and [edit protocols
rip] statement hierarchies.
Table 9: Regular Expressions Examples
Statement
Hierarchy
Allowed
Configuration
Denied Configuration
[edit system login class test]
set permissions configure
set allow-configuration-regexps [ "system ntp
server .*" "system ntp server .* key .*" ]
set deny-configuration-regexps [ "system ntp
server .* version .*" "system ntp server .*
prefer" ]
•
server IP
•
version
•
server IP and key
•
prefer
version
version-number
[edit system login class test]
set permissions configure
set allow-configuration-regexps [ "system ntp
server .*" "system ntp server .* version .*" ]
set deny-configuration-regexps [ "system ntp
server .* key .*" "system ntp server .* prefer"
]
•
server IP
•
key
•
server IP and version
•
prefer
prefer
[edit system login class test]
set permissions configure
set allow-configuration-regexps [ "system ntp
server .*" "system ntp server .* prefer" ];
set deny-configuration-regexps [ "system ntp
server .* key .*" "system ntp server .* version
.*" ]
•
server IP
•
key
•
server IP and prefer
•
version
Regular Expressions
[edit system ntp
server]
key key-number
[edit protocols rip]
Copyright © 2017, Juniper Networks, Inc.
75
User Access and Authentication Feature Guide for Routing Devices
Table 9: Regular Expressions Examples (continued)
Statement
Hierarchy
Allowed
Configuration
Denied Configuration
[edit system login class test]
set permissions configure
set allow-configuration-regexps "protocols
rip message-size .*"
set deny-configuration-regexps [ "protocols
rip metric-in .*" "protocols rip route-timeout
.*" "protocols rip update-interval .*" ]
•
•
metric-in
•
route-timeout
•
update-interval
[edit system login class test]
set permissions configure
set allow-configuration-regexps "protocols
rip metric-in .*"
set deny-configuration-regexps [ "protocols
rip message-size .*" "protocols rip
route-timeout .*" "protocols rip
update-interval .*" ]
•
•
message-size
•
route-timeout
•
update-interval
[edit system login class test]
set permissions configure
set allow-configuration-regexps "protocols
rip route-timeout .*"
set deny-configuration-regexps [ "protocols
rip metric-in .*" "protocols rip message-size
.*" "protocols rip update-interval .*" ]
•
•
message-size
•
metric-in
•
update-interval
[edit system login class test]
set permissions configure
set allow-configuration-regexps "protocols
rip update-interval .*"
set deny-configuration-regexps [ "protocols
rip metric-in .*" "protocols rip route-timeout
.*" "protocols rip message-size .*" ]
•
•
message-size
•
metric-in
•
route-timeout
Regular Expressions
message-size
message-size
metric-in metric-in
route-timeout
route-timeout
update-interval
update-interval
Related
Documentation
message-size
metric-in
route-timeout
update-interval
•
Example: Configuring User Permissions with Access Privileges for Operational Mode
Commands, Configuration Statements, and Hierarchies on page 100
•
Example: Configuring User Permissions with Access Privileges for Configuration
Statements and Hierarchies on page 87
•
Example: Configuring User Permissions with Access Privileges for Operational Mode
Commands on page 76
•
Regular Expressions for Allowing and Denying Junos OS Operational Mode Commands,
Configuration Statements, and Hierarchies on page 69
Example: Configuring User Permissions with Access Privileges for Operational Mode
Commands
This example shows how to configure custom login classes and assign access privileges
for operational mode commands. This enables users of the customized login class to
execute only those operational commands for which access privileges have been specified.
76
Copyright © 2017, Juniper Networks, Inc.
Chapter 4: Configuring User Access Privileges
This prevents unauthorized users from executing sensitive commands that could
potentially cause damage to the network.
•
Requirements on page 77
•
Overview and Topology on page 77
•
Configuration on page 79
•
Verification on page 84
Requirements
This example uses the following hardware and software components:
•
One Juniper Networks device
•
One TACACS+ (or RADIUS) server
•
Junos OS build running on the Juniper Networks device
Before you begin:
•
Establish a TCP connection between the device and the TACACS+ server. In the case
of the RADIUS server, establish a UDP connection between the device and the RADIUS
server.
For information on configuring a TACACS+ server, see “Configuring TACACS+
Authentication” on page 421.
•
Configure at least one user assigned to a login class on the Juniper Networks device.
There can be more than one login class, each with varying permission configurations,
and more than one user on the device.
Overview and Topology
Each top-level command-line interface (CLI) command and each configuration statement
in Junos OS has an access privilege level associated with it. For each login class, you can
explicitly deny or allow the use of operational and configuration mode commands that
would otherwise be permitted or not allowed by a privilege level. Users can execute only
those commands and configure and view only those statements for which they have
access privileges. To configure access privilege levels, include the permissions statement
at the [edit system login class class-name] hierarchy level.
The access privileges for each login class are defined by one or more permission flags
specified in the permissions statement. In addition to this, you can specify extended
regular expressions with the following statements:
•
allow-commands and deny-commands—Allow or deny access to operational mode
commands only.
•
allow-configuration and deny-configuration—Allow or deny access to a particular
configuration hierarchy only.
•
allow-configuration-regexps and deny-configuration-regexps—Allow or deny access to
a particular configuration hierarchy only using strings of regular expressions.
Copyright © 2017, Juniper Networks, Inc.
77
User Access and Authentication Feature Guide for Routing Devices
The above statements define a user’s access privileges to individual operational mode
commands, configuration statements, and hierarchies. These statements take precedence
over a login class permissions bit set for a user.
Configuration Notes
When configuring the allow-commands and deny-commands statements with access
privileges, take the following into consideration:
•
You can include one deny-commands and one allow-commands statement in each
login class.
•
If the exact same command is configured under both allow-commands and
deny-commands statements, then the allow operation takes precedence over the deny
command.
For instance, with the following configuration, a user assigned to login class test is
allowed to install software using the request system software add command, although
the deny-commands statement also includes it:
[edit system login]
user@host# set class test permissions allow-commands "request system software
add"
user@host# set class test permissions deny-commands "request system software add"
•
If you specify a regular expression for allow-commands and deny-commands statements
with two different variants of a command, the longest match is always executed.
For instance, for the following configuration, a user assigned to test login class is allowed
to execute the commit synchronize command and not the commit command. This is
because commit-synchronize is the longest match between commit and
commit-synchronize and it is specified for allow-commands.
[edit system login class]
user@host# set class test permissions allow-commands "commit-synchronize"
user@host# set class test permissions deny-commands commit
•
Regular expressions for allow-commands and deny-commands statements can also
include the commit, load, rollback, save, status, and update commands.
•
If the regular expression contains any spaces, operators, or wildcard characters, enclose
the expression in quotation marks. Regular expressions are not case-sensitive, for
example, allow-commands "show interfaces";
•
Modifiers, such as set, log, and count, are not supported within the regular expression
string to be matched. If a modifier is used, then nothing is matched.
Incorrect configuration:
[edit system login]
user@host# set class test permission deny-commands "set protocols"
Correct configuration:
[edit system login]
user@host# set class test permission deny-commands protocols
78
Copyright © 2017, Juniper Networks, Inc.
Chapter 4: Configuring User Access Privileges
•
Anchors are required when specifying complex regular expressions with the
allow-commands statement.
For example:
[edit system login]
user@host# set class test permissions allow-commands "(^monitor) | (^ping) | (^show)
| (^exit)"
OR
set class test permissions allow-commands "allow-commands ="^(monitor | ping |
show | exit)"
Topology
Figure 1: Configuring TACACS+ Server Authentication
10.209.1.66/24
R1
TACACS+
Server
g043487
TCP connection
Figure 1 on page 79 illustrates a simple topology, where Router R1 is a Juniper Networks
device and has a TCP connection established with a TACACS+ server.
In this example, R1 is configured with three customized login classes—Class1, Class2, and
Class3—for specifying access privileges with extended regular expressions using the
allow-commands and deny-commands statements differently.
The purpose of each login class is as follows:
•
Class1—Defines access privileges for the user with the allow-commands statement
only. This login class provides operator-level user permissions, and should provide
authorization for only rebooting the device.
•
Class2—Defines access privileges for the user with the deny-commands statement
only. This login class provides operator-level user permissions, and should deny access
to set commands.
•
Class3—Defines access privileges for the user with both the allow-commands and
deny-commands statements. This login class provides superuser-level user permissions,
and should provide authorization for accessing interfaces and viewing device
information. It should also deny access to edit and configure commands.
Router R1 has three different users, User1, User2, and User3, assigned to Class1, Class2,
and Class3 login classes, respectively.
Configuration
CLI Quick
Configuration
To quickly configure this example, copy the following commands, paste them into a text
file, remove any line breaks, change any details necessary to match your network
configuration, copy and paste the commands into the CLI at the [edit] hierarchy level,
and then enter commit from configuration mode.
Copyright © 2017, Juniper Networks, Inc.
79
User Access and Authentication Feature Guide for Routing Devices
R1
set system authentication-order tacplus
set system authentication-order radius
set system authentication-order password
set system radius-server 10.209.1.66 secret "$ABC123"
set system tacplus-server 10.209.1.66
set system radius-options enhanced-accounting
set system tacplus-options enhanced-accounting
set system accounting events login
set system accounting events change-log
set system accounting events interactive-commands
set system accounting traceoptions file auditlog
set system accounting traceoptions flag all
set system accounting destination tacplus server 10.209.1.66
set system login class Class1 permissions clear
set system login class Class1 permissions network
set system login class Class1 permissions reset
set system login class Class1 permissions trace
set system login class Class1 permissions view
set system login class Class1 allow-commands "request system reboot"
set system login class Class2 permissions clear
set system login class Class2 permissions network
set system login class Class2 permissions reset
set system login class Class2 permissions trace
set system login class Class2 permissions view
set system login class Class2 deny-commands set
set system login class Class3 permissions all
set system login class Class3 allow-commands configure
set system login class Class3 deny-commands .*
set system login user User1 uid 2001
set system login user User1 class Class1
set system login user User1 authentication encrypted-password "$ABC123"
set system login user User2 uid 2002
set system login user User2 class Class2
set system login user User2 authentication encrypted-password "$ABC123"
set system login user User3 uid 2003
set system login user User3 class Class3
set system login user User3 authentication encrypted-password "$ABC123"
set system syslog file messages any any
Configuring Authentication Parameters for Router R1
Step-by-Step
Procedure
The following example requires that you navigate various levels in the configuration
hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration
Mode in the CLI User Guide.
To configure Router R1 authentication:
1.
Configure the order in which authentication should take place for R1. In this example,
TACACS+ server authentication is first, followed by RADIUS server authentication,
and then the local password.
[edit system]
user@R1# set authentication-order tacplus
user@R1# set authentication-order radius
user@R1# set authentication-order password
80
Copyright © 2017, Juniper Networks, Inc.
Chapter 4: Configuring User Access Privileges
2.
Establish R1 connection with the TACACS+ server.
[edit system]
user@R1# set tacplus-server 10.209.1.66
user@R1# set tacplus-options enhanced-accounting
user@R1# set accounting destination tacplus server 10.209.1.66
3.
Configure RADIUS server authentication parameters.
[edit system]
user@R1# set radius-server 10.209.1.66 secret "$ABC123"
user@R1# set radius-options enhanced-accounting
4.
Configure R1 accounting configuration parameters.
[edit system]
user@R1# set accounting events login
user@R1# set accounting events change-log
user@R1# set accounting events interactive-commands
user@R1# set accounting traceoptions file auditlog
user@R1# set accounting traceoptions flag all
Configuring Access Privileges with allow-commands Statement Only (Class1)
Step-by-Step
Procedure
To specify regular expressions using the allow-commands statement only:
1.
Configure Class1 custom login class and assign operator-level user permissions. For
information on the predefined system login classes, see the “Junos OS Login Classes
Overview” on page 23.
[edit system login]
user@R1# set class Class1 permissions clear
user@R1t# set class Class1 permissions network
user@R1# set class Class1 permissions reset
user@R1# set class Class1 permissions trace
user@R1# set class Class1 permissions view
2.
Specify the command to enable rebooting of R1 in the allow-commands statement.
[edit system login]
user@R1# set class Class1 allow-commands "request system reboot"
3.
Configure the user account for the Class1 login class.
[edit system login]
user@R1# set user User1 uid 2001
user@R1# set user User1 class Class1
user@R1# set user User1 authentication encrypted-password "$ABC123"
Copyright © 2017, Juniper Networks, Inc.
81
User Access and Authentication Feature Guide for Routing Devices
Configuring Access Privileges with deny-commands Statement Only (Class2)
Step-by-Step
Procedure
To specify regular expressions using the deny-commands statement only:
1.
Configure the Class2 custom login class and assign operator-level user permissions.
For information on the predefined system login classes, see the “Junos OS Login
Classes Overview” on page 23.
[edit system login]
user@R1# set class Class1 permissions clear
user@R1# set class Class1 permissions network
user@R1# set class Class1 permissions reset
user@R1# set class Class1 permissions trace
user@R1# set class Class1 permissions view
2.
Disable execution of any set commands in the deny-commands statement.
[edit system login]
user@R1# set class Class1 deny-commands "set"
3.
Configure the user account for the Class2 login class.
user@R1# set login user User2 uid 2002
user@R1# set login user User2 class Class2
user@R1# set login user User2 authentication encrypted-password "$ABC123"
Configuring Access Privileges with Both allow-commands and deny-commands
Statements (Class3)
Step-by-Step
Procedure
To specify regular expressions using both the allow-commands and deny-commands
statements:
1.
Configure the Class3 custom login class and assign superuser-level user permissions.
For information on the predefined system login classes, see the “Junos OS Login
Classes Overview” on page 23.
[edit system login]
user@R1# set class Class3 permissions all
2.
Specify the commands to enable only configure commands in the allow-commands
statement.
[edit system login]
user@R1# set class Class3 allow-commands configure
3.
Disable execution of all commands in the deny-commands statement.
[edit system login]
user@R1# set class Class3 deny-commands .*
4.
82
Configure the user account for the Class1 login class.
Copyright © 2017, Juniper Networks, Inc.
Chapter 4: Configuring User Access Privileges
[edit system login]
user@R1# set login user User3 uid 2003
user@R1# set login user User3 class Class3
user@R1# set login user User3 authentication encrypted-password "$ABC123"
Results
From configuration mode, confirm your configuration by entering the show system
command. If the output does not display the intended configuration, repeat the
instructions in this example to correct the configuration.
user@R1# show system
authentication-order [ tacplus radius password ];
radius-server {
10.209.1.66 secret "$ABC123";
}
tacplus-server {
10.209.1.66;
}
radius-options {
enhanced-accounting;
}
tacplus-options {
enhanced-accounting;
}
accounting {
events [ login change-log interactive-commands ];
traceoptions {
file auditlog;
flag all;
}
destination {
tacplus {
server {
10.209.1.66;
}
}
}
}
login {
class Class1 {
permissions [ clear network reset trace view ];
allow-commands "request system reboot";
}
class Class2 {
permissions [ clear network reset trace view ];
deny-commands set;
}
class Class3 {
permissions all;
allow-commands configure;
deny-commands .*;
}
user User1 {
Copyright © 2017, Juniper Networks, Inc.
83
User Access and Authentication Feature Guide for Routing Devices
uid 2001;
class Class1;
authentication {
encrypted-password "$ABC123";
}
}
user User2 {
uid 2002;
class Class2;
authentication {
encrypted-password "$ABC123";
}
}
user User3 {
uid 2003;
class Class3;
authentication {
encrypted-password “$ABC123”;
}
}
}
syslog {
file messages {
any any;
}
}
Verification
Log in as the username assigned with the new login class, and confirm that the
configuration is working properly.
•
Verifying Class1 Configuration on page 84
•
Verifying Class2 Configuration on page 85
•
Verifying Class3 Configuration on page 86
Verifying Class1 Configuration
Purpose
84
Verify that the permissions and commands allowed in the Class1 login class are working.
Copyright © 2017, Juniper Networks, Inc.
Chapter 4: Configuring User Access Privileges
Action
From operational mode, run the show system users command.
User1@R1> show system users
12:39PM up 6 days, 23 mins, 6 users, load averages: 0.00, 0.01, 0.00
USER
TTY
FROM
LOGIN@ IDLE WHAT
User1 p0
abc.example.net 12:34AM 12:04 cli
User2 p1
abc.example.net 12:36AM 12:02 -cli (cli)
User3 p2
abc.example.net 10:41AM
11 -cli (cli)
From operational mode, run the request system reboot command.
User1@R1> request system ?
Possible completions:
reboot
Reboot the system
Meaning
The Class1 login class to which User1 is assigned has the operator-level user permissions,
and is allowed to execute the request system reboot command.
The predefined operator login class has the following permission flags specified:
•
clear—Can clear (delete) information learned from the network that is stored in various
network databases by using the clear commands.
•
network—Can access the network by using the ping, ssh, telnet, and traceroute
commands.
•
reset—Can restart software processes by using the restart command and can configure
whether software processes are enabled or disabled at the [edit system processes]
hierarchy level.
•
trace—Can view trace file settings and configure trace file properties.
•
view—Can use various commands to display current system-wide, routing table, and
protocol-specific values and statistics. Cannot view the secret configuration.
For the Class1 login class, in addition to the above-mentioned user permissions, User1
can execute the request system reboot command. The first output displays the view
permissions as an operator, and the second output shows that the only request command
that User1 can execute as an operator is the request system reboot command.
Verifying Class2 Configuration
Purpose
Verify that the permissions and commands allowed for the Class2 login class are working.
Copyright © 2017, Juniper Networks, Inc.
85
User Access and Authentication Feature Guide for Routing Devices
Action
From the operational mode, run the ping command.
User2@R1> ping 10.209.1.66
ping 10.209.1.66
PING 10.209.1.66 (10.209.1.66): 56 data bytes
64 bytes from 10.209.1.66: icmp_seq=0 ttl=52 time=212.521 ms
64 bytes from 10.209.1.66: icmp_seq=1 ttl=52 time=212.844 ms
64 bytes from 10.209.1.66: icmp_seq=2 ttl=52 time=211.304 ms
64 bytes from 10.209.1.66: icmp_seq=3 ttl=52 time=210.963 ms
^C
--- 10.209.1.66 ping statistics --4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 210.963/211.908/212.844/0.792 ms
From the CLI prompt, check the available permissions.
User2@R1> ?
Possible completions:
clear
file
help
load
monitor
mtrace
op
ping
quit
request
restart
save
show
ssh
start
telnet
test
traceroute
Clear information in the system
Perform file operations
Provide help information
Load information from file
Show real-time debugging information
Trace multicast path from source to receiver
Invoke an operation script
Ping remote target
Exit the management session
Make system-level requests
Restart software process
Save information to file
Show system information
Start secure shell on another host
Start shell
Telnet to another host
Perform diagnostic debugging
Trace route to remote host
From the CLI prompt, execute any set command.
User2@R1> set
^
unknown command.
Meaning
The Class2 login class to which User2 is assigned has the operator-level user permissions,
and is denied access to all set commands. This is displayed in the command outputs.
The permission flags specified for the predefined operator login class are the same as
that of Class1.
Verifying Class3 Configuration
Purpose
86
Verify that the permissions and commands allowed for the Class3 login class are working.
Copyright © 2017, Juniper Networks, Inc.
Chapter 4: Configuring User Access Privileges
Action
From the CLI prompt, check the available permissions.
User3@R1> ?
Possible completions:
configure
Manipulate software configuration information
From the operational mode, enter configuration mode.
User3@R1> configure
Entering configuration mode
[edit]
User3@R1#
Meaning
Related
Documentation
The Class3 login class to which User3 is assigned has the superuser (all) user permissions,
but is allowed to execute the configure command only, and is denied access to all other
operational mode commands. Because the regular expressions specified in the
allow/deny-commands statements take precedence over the user permissions, User3
on R1 has access only to configuration mode, and is denied access to all other operational
mode commands.
•
Understanding Junos OS Access Privilege Levels on page 26
•
Regular Expressions for Allowing and Denying Junos OS Operational Mode Commands,
Configuration Statements, and Hierarchies on page 69
•
Example: Configuring User Permissions with Access Privileges for Configuration
Statements and Hierarchies on page 87
•
Example: Configuring User Permissions with Access Privileges for Operational Mode
Commands, Configuration Statements, and Hierarchies on page 100
Example: Configuring User Permissions with Access Privileges for Configuration
Statements and Hierarchies
This example shows how to configure custom login classes and assign access privileges
to portions of the configuration hierarchy. This enables users of the customized login
class to execute only those configuration statements and hierarchies for which access
privileges have been specified. This prevents unauthorized users from accessing device
configurations that could potentially cause damage to the network.
•
Requirements on page 88
•
Overview and Topology on page 88
•
Configuration on page 94
•
Verification on page 98
Copyright © 2017, Juniper Networks, Inc.
87
User Access and Authentication Feature Guide for Routing Devices
Requirements
This example uses the following hardware and software components:
•
One Juniper Networks device
•
One TACACS+ (or RADIUS) server
•
Junos OS build running on the Juniper Networks device
Before you begin:
•
Establish a TCP connection between the device and the TACACS+ server. In the case
of the RADIUS server, establish a UDP connection between the device and the RADIUS
server.
For information on configuring a TACACS+ server, see “Configuring TACACS+
Authentication” on page 421.
•
Configure at least one user assigned to a login class on the Juniper Networks device.
There can be more than one login class, each with varying permission configurations,
and more than one user on the device.
Overview and Topology
Each top-level command-line interface (CLI) command and each configuration statement
in Junos OS has an access privilege level associated with it. For each login class, you can
explicitly deny or allow the use of operational and configuration mode commands that
would otherwise be permitted or not allowed by a privilege level. Users can execute only
those commands and configure and view only those statements for which they have
access privileges. To configure access privilege levels, include the permissions statement
at the [edit system login class class-name] hierarchy level.
The access privileges for each login class are defined by one or more permission flags
specified in the permissions statement. In addition to this, you can specify extended
regular expressions with the following statements:
•
allow-commands and deny-commands—Allow or deny access to operational mode
commands.
•
allow-configuration and deny-configuration—Allow or deny access to parts of the
configuration hierarchy.
These statements perform slower matching, with more flexibility, especially in wildcard
matching. However, it can take a very long time to evaluate all of the possible
statements if a great number of full-path regular expressions or wildcard expressions
are configured, possibly impacting performance.
•
allow-configuration-regexps and deny-configuration-regexps—Allow or deny access to
a particular configuration hierarchy using strings of regular expressions. These
statements are similar to allow-configuration and deny-configuration statements,
except that in the allow/deny-configuration-regexps statements you can configure
sets of strings in which the strings include spaces when using the first set of statements.
88
Copyright © 2017, Juniper Networks, Inc.
Chapter 4: Configuring User Access Privileges
The above statements define a user’s access privileges to individual operational mode
commands, configuration statements, and hierarchies. These statements take precedence
over a login class permissions bit set for a user.
Difference between allow/deny-configuration and allow/deny-configuration-regexps
statements
The allow-configuration and deny-configuration statements were introduced before Junos
OS Release 7.4. The allow-configuration-regexps and deny-configuration-regexps
statements were introduced in Junos OS Release 11.2. In Junos OS Release 11.4, the
allow-configuration and deny-configuration statements were deprecated, but because
these statements were useful in executing simple configurations, these statements were
undeprecated in Junos OS Release 11.4R6, and starting with the 11.4R6 release, both the
allow/deny-configuration and the allow/deny-configuration-regexps statements are
supported.
The allow/deny-configuration-regexps statements split up the regular expression into
tokens and match each piece against each part of the specified configuration’s full path,
whereas the allow/deny-configuration statements match against the full string. For
allow/deny-configuration-regexps statements, you configure a set of strings in which
each string is a regular expression, with spaces between the terms of the string. This
provides very fast matching, but with less flexibility. For specifying wildcard expressions
you must set up wildcards for each token of the space-delimited string you want to
match, and this makes it more tedious to use wildcard expressions for these statements.
For example:
•
Regular expression matching one token using allow-configuration-regexps
This example shows that options is the only matched expression against the first token
of the statement.
[edit system]
login {
class test {
permissions configure;
allow-configuration-regexps .*options;
}
}
The above configuration matches the following statements:
•
set policy-options condition condition dynamic-db
•
set routing-options static route static-route next-hop next-hop
•
set event-options generate-event event time-interval seconds
The above configuration does not match the following statements:
•
system host-name host-options
•
interfaces interface-name description options
Copyright © 2017, Juniper Networks, Inc.
89
User Access and Authentication Feature Guide for Routing Devices
•
Regular expression matching three tokens using allow-configuration-regexps
This example shows that ssh is the only matched expression against the third token
of the statement.
[edit system]
login {
class test {
permissions configure;
allow-configuration-regexps ".* .* .*ssh";
}
}
In the above example, the three tokens include .*, .*, and .*ssh, respectively.
The above configuration matches the following statements:
•
system host-name hostname-ssh
•
system services ssh
•
system services outbound-ssh
The above configuration does not match the following statement:
•
interfaces interface-name description ssh
You can restrict configuration access easily using the deny-configuration statement as
compared to using the deny-configuration-regexps statement. Table 10 on page 90
illustrates the use of both the deny-configuration and deny-configuration-regexps
statements in different configurations to achieve the same result of restricting access
to a particular configuration.
Table 10: Restricting Configuration Access Using deny-configurtion and
deny-configuration-regexps Statements
Configuration
Denied
xnm-ssl
90
Using: deny-configuration
[edit system]
login {
class test {
permissions configure;
allow-configuration .*;
deny-configuration .*xnm-ssl;
}
}
Using: deny-configuration-regexps
[edit system]
login {
class test {
permissions configure;
allow-configuration .*;
deny-configuration-regexps ".* .*
.*-ssl"";
}
}
Result
The following
configuration
statement is
denied:
•
system services
xnm-ssl
Copyright © 2017, Juniper Networks, Inc.
Chapter 4: Configuring User Access Privileges
Table 10: Restricting Configuration Access Using deny-configurtion and
deny-configuration-regexps Statements (continued)
ssh
[edit system]
login {
class test {
permissions configure;
allow-configuration .*;
deny-configuration ".*ssh";
}
}
[edit system]
login {
class test {
permissions configure;
allow-configuration .*;
deny-configuration-regexps ".*ssh";
deny-configuration-regexps ".*
.*ssh";
deny-configuration-regexps ".* .*
.*ssh";
}
}
The following
configuration
statements are
denied:
•
system
host-name
hostname-ssh
•
system services
ssh
•
system services
outbound-ssh
•
security
ssh-known-host
Although the allow/deny-configuration statements are also useful when simple
configuration is desired, the allow/deny-configuration-regexps statements provide better
performance and overcome the ambiguity that existed when combining expressions set
in the allow/deny-configuration statements.
NOTE: The allow/deny-configuration and allow/deny-configuration-regexps
statements are mutually exclusive and cannot be configured together for a
login class. At a given point in time, a login class can include either the
allow/deny-configuration statement, or the allow/deny-configuration-regexps
statement. If you have existing configurations using the
allow/deny-configuration statements, using the same configuration options
with the allow/deny-configuration-regexps statements might not produce the
same results, as the search and match methods differ in the two forms of
these statements.
Configuration Notes
When configuring the allow-configuration, deny-configuration, allow-configuration-regexps,
and deny-configuration-regexps statements with access privileges, take the following
into consideration:
•
You can include one deny-configuration and one allow-configuration statement in each
login class.
•
The allow/deny-configuration and allow/deny-configuration-regexps statements are
mutually exclusive and cannot be configured together for a login class. At a given point
in time, a login class can include either the allow/deny-configuration statement, or the
allow/deny-configuration-regexps statement. If you have existing configurations using
the allow/deny-configuration statements, using the same configuration options with
the allow/deny-configuration-regexps statements might not produce the same results,
as the search and match methods differ in the two forms of these statements.
Copyright © 2017, Juniper Networks, Inc.
91
User Access and Authentication Feature Guide for Routing Devices
•
Explicitly allowing configuration mode hierarchies or regular expressions using the
allow-configuration statement adds to the regular permissions set using the permissions
statement. Likewise, explicitly denying configuration mode hierarchies or regular
expressions using the deny-configuration statement removes permissions for the
specified configuration mode hierarchy, from the default permissions provided by the
permissions statement.
For example, for the following configuration, the login class user can edit the
configuration at the [edit system services] hierarchy level and issue configuration mode
commands (such as commit), in addition to just entering the configuration mode using
the configure command, which is the permission specified by the configure permission
flag:
[edit system login]
user@host# set class test permissions configure allow-configuration "system services"
Likewise, for the following configuration, the login class user can perform all operations
allowed by the all permissions flag, except issuing configuration mode commands
(such as commit) or modifying the configuration at the [edit system services] hierarchy
level:
[edit system login]
user@host# set class test permissions all deny-configuration "system services"
•
To define access privileges to parts of the configuration hierarchy, specify the full paths
in the extended regular expressions with the allow-configuration and deny-configuration
statements. Use parentheses around an extended regular expression that connects
two or more expressions with the pipe (|) symbol.
For example:
[edit system login]
user@host# set class test deny-configuration "(system login class)|(system services)"
•
When specifying extended regular expressions using the allow/deny-commands and
allow/deny-configuration statements, each expression separated by a pipe (|) symbol
must be a complete standalone expression, and must be enclosed in parentheses ( ).
Do not use spaces between regular expressions separated with parentheses and
connected with the pipe (|) symbol.
For example:
[edit system login]
user@host# set class test allow-commands "(ping .*)|(traceroute .*)|(show
.*)|(configure .*)|(edit)|(exit)|(commit)|(rollback .*)"
user@host# set class test deny-configuration "(system login class)|(system services)"
•
When specifying extended regular expressions using the
allow-deny-configuration-regexps statement, each expression enclosed within quotes
(") and separated by a space must be enclosed in angular brackets [ ].
For example:
[edit system login]
user@host# set class test allow-configuration-regexps [ "interfaces .* description .*”
“interfaces .* unit .* description .*” “interfaces .* unit .* family inet address .*”
“interfaces.* disable" ]
92
Copyright © 2017, Juniper Networks, Inc.
Chapter 4: Configuring User Access Privileges
•
If the exact same command is configured under both allow-configuration and
deny-configuration statements, then the allow operation takes precedence over the
deny statement.
For instance, with the following configuration, a user assigned to login class test is
allowed to access the [edit system services] configuration hierarchy, although the
deny-configuration statement also includes it:
[edit system login]
user@host# set class test permissions allow-configuration "system services"
user@host# set class test permissions deny-configuration "system services"
For instance, if a certain command or configuration is allowed, for example, using
permission all, then we can use the deny-configuration command to deny access to a
particular hierarchy.
•
Modifiers such as set, log, and count are not supported within the regular expression
string to be matched. If a modifier is used, then nothing is matched.
Incorrect configuration:
[edit system login]
user@host# set class test permission deny-configuration "set protocols"
Correct configuration:
[edit system login]
user@host# set class test permission deny-configuration protocols
•
You can use the * wildcard character when denoting regular expressions. However, it
must be used as a portion of a regular expression. You cannot use [ * ] or [ .* ] alone.
•
You cannot configure the allow-configuration statement with the (interfaces (description
(|.*)) regular expression, as this evaluates to allow-configuration = .* regular expression.
•
You can configure as many regular expressions as needed to be allowed or denied.
Regular expressions to be denied take precedence over configurations to be allowed.
Topology
Figure 2: Configuring TACACS+ Server Authentication
10.209.1.66/24
R1
TACACS+
Server
g043487
TCP connection
Figure 2 on page 93 illustrates a simple topology, where Router R1 is a Juniper Networks
device and has a TCP connection established with a TACACS+ server.
In this example, R1 is configured with two customized login classes—Class1 and Class2—for
specifying access privileges with extended regular expressions using the
allow-configuration, deny-configuration, allow-configuration-regexps, and
deny-configuration-regexps statements differently.
Copyright © 2017, Juniper Networks, Inc.
93
User Access and Authentication Feature Guide for Routing Devices
The purpose of the login classes is as follows:
•
Class1—Define access privileges for the user with the allow-configuration and
deny-configuration statements. This login class should provide access to configure
interfaces hierarchy only, and deny all other access on the device. To do this, the user
permissions should include configure to provide configuration access. In addition to
this, the allow-configuration statement should allow interfaces configuration, and the
deny-configuration statement should deny access to all other configurations. Because
the allow statement takes precedence over the deny statement, the users assigned
to the Class1 login class can access only the [edit interfaces] hierarchy level.
•
Class2—Define access privileges for the user with the allow-configuration-regexps and
deny-configuration-regexps statements. This login class provides superuser-level user
permissions, and in addition, explicitly allows configuration under multiple hierarchy
levels for interfaces. It also denies configuration access to the [edit system] and [edit
protocols] hierarchy levels.
Router R1 has two users, User1 and User2, assigned to the Class1 and Class2 login classes,
respectively.
Configuration
94
CLI Quick
Configuration
To quickly configure this example, copy the following commands, paste them into a text
file, remove any line breaks, change any details necessary to match your network
configuration, copy and paste the commands into the CLI at the [edit] hierarchy level,
and then enter commit from configuration mode.
R1
set system authentication-order tacplus
set system authentication-order radius
set system authentication-order password
set system radius-server 10.209.1.66 secret "$ABC123"
set system tacplus-server 10.209.1.66
set system radius-options enhanced-accounting
set system tacplus-options enhanced-accounting
set system accounting events login
set system accounting events change-log
set system accounting events interactive-commands
set system accounting traceoptions file auditlog
set system accounting traceoptions flag all
set system accounting destination tacplus server 10.209.1.66
set system login class Class1 permissions configure
set system login class Class1 allow-configuration "interfaces .* unit .*"
set system login class Class1 deny-configuration .*
set system login class Class2 permissions all
set system login class Class2 allow-configuration-regexps [ "interfaces .* description .*"
"interfaces .* unit .* description .*" "interfaces .* unit .* family inet address .*"
"interfaces.* disable" ]
set system login class Class2 deny-configuration-regexps [ "system" "protocols" ]
set system login user User1 uid 2004
set system login user User1 class Class1
set system login user User1 authentication encrypted-password "$ABC123"
set system login user User2 uid 2006
set system login user User2 class Class2
Copyright © 2017, Juniper Networks, Inc.
Chapter 4: Configuring User Access Privileges
set system login user User2 authentication encrypted-password "$ABC123"
set system syslog file messages any any
Configuring Authentication Parameters for Router R1
Step-by-Step
Procedure
The following example requires that you navigate various levels in the configuration
hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration
Mode in the CLI User Guide.
To configure Router R1 authentication:
1.
Configure the order in which authentication should take place for R1. In this example,
TACACS+ server authentication is first, followed by RADIUS server authentication,
then the local password.
[edit system]
user@R1# set authentication-order tacplus
user@R1# set authentication-order radius
user@R1# set authentication-order password
2.
Establish R1 connection with the TACACS+ server.
[edit system]
user@R1# set tacplus-server 10.209.1.66
user@R1# set tacplus-options enhanced-accounting
user@R1# set accounting destination tacplus server 10.209.1.66
3.
Configure RADIUS server authentication parameters.
[edit system]
user@R1# set radius-server 10.209.1.66 secret "$ABC123"
user@R1# set radius-options enhanced-accounting
4.
Configure the R1 accounting configuration parameters.
[edit system]
user@R1# set accounting events login
user@R1# set accounting events change-log
user@R1# set accounting events interactive-commands
user@R1# set accounting traceoptions file auditlog
user@R1# set accounting traceoptions flag all
Configuring Access Privileges with allow-configuration and deny-configuration
Statements (Class1)
Step-by-Step
Procedure
To specify regular expressions using the allow-configuration and deny-configuration
statements:
1.
Configure the Class1 custom login class and assign configuration user permissions.
[edit system login]
user@R1# set class Class1 permissions configure
Copyright © 2017, Juniper Networks, Inc.
95
User Access and Authentication Feature Guide for Routing Devices
2.
Specify the regular expression in the allow-configuration statement to allow
configuration at the [edit interfaces] hierarchy level. To allow set commands at the
[edit interfaces] hierarchy level, the regular expression used is interfaces .* unit .*.
[edit system login]
user@R1# set class Class1 allow-configuration "interfaces .* unit .*"
3.
Specify the regular expression in the deny-configuration statement to disable all
configuration access. The regular expression used to deny all configuration access
is .*.
[edit system login]
user@R1# set class Class1 deny-configuration .*
4.
Configure the user account for the Class1 login class.
[edit system login]
user@R1# set system login user User1 uid 2004
user@R1# set system login user User1 class Class1
user@R1# set system login user User1 authentication encrypted-password "$ABC123"
Configuring Access Privileges with allow-configuration-regexps and
deny-configuration-regexps Statements (Class2)
Step-by-Step
Procedure
To specify regular expressions using the allow-configuration-regexps and
deny-configuration-regexps statements:
1.
Configure the Class2 custom login class and assign superuser (all) user permissions.
For information on the predefined system login classes, see “Junos OS Login Classes
Overview” on page 23.
[edit system login]
user@R1# set class Class2 permissions all
2.
Specify the regular expression to allow access to multiple hierarchies under the
[edit interfaces] hierarchy level.
[edit system login]
user@R1# set class Class2 allow-configuration-regexps [ "interfaces .* description
.*" "interfaces .* unit .* description .*" "interfaces .* unit .* family inet address .*"
"interfaces.* disable" ]
3.
Specify the regular expression to deny configuration at the [edit system] and [edit
protocols] hierarchy levels.
[edit system login]
user@R1# set class Class2 deny-configuration-regexps [ "system" "protocols" ]
4.
Configure the user account for the Class2 login class.
[edit system login]
user@R1# set system login user User2 uid 2006
96
Copyright © 2017, Juniper Networks, Inc.
Chapter 4: Configuring User Access Privileges
user@R1# set system login user User2 class Class2
user@R1# set system login user User2 authentication encrypted-password "$ABC123"
Results
From configuration mode, confirm your configuration by entering the show system
command. If the output does not display the intended configuration, repeat the
instructions in this example to correct the configuration.
user@R1# show system
authentication-order [ tacplus radius password ];
radius-server {
10.209.1.66 secret "$ABC123";
}
tacplus-server {
10.209.1.66;
}
radius-options {
enhanced-accounting;
}
tacplus-options {
enhanced-accounting;
}
accounting {
events [ login change-log interactive-commands ];
traceoptions {
file auditlog;
flag all;
}
destination {
tacplus {
server {
10.209.1.66;
}
}
}
}
login {
class Class1 {
permissions configure;
allow-configuration "interfaces .* unit .*";
deny-configuration .*;
}
class Class2 {
permissions all;
allow-configuration-regexps [ "interfaces .* description .*" "interfaces .* unit .*
description .*" "interfaces .* unit .* family inet address .*" "interfaces.* disable" ];
deny-configuration-regexps [ "system" "protocols" ];
}
user User1 {
uid 2001;
class Class1;
authentication {
encrypted-password "$ABC123";
Copyright © 2017, Juniper Networks, Inc.
97
User Access and Authentication Feature Guide for Routing Devices
}
}
user User2 {
uid 2002;
class Class2;
authentication {
encrypted-password "$ABC123";
}
}
}
syslog {
file messages {
any any;
}
}
Verification
Log in as the username assigned with the new login class, and confirm that the
configuration is working properly.
•
Verifying Class1 Configuration on page 98
•
Verifying Class2 Configuration on page 99
Verifying Class1 Configuration
Purpose
98
Verify that the permissions allowed in the Class1 login class are working.
Copyright © 2017, Juniper Networks, Inc.
Chapter 4: Configuring User Access Privileges
Action
From the CLI prompt, check the available permissions.
User1@R1> ?
Possible completions:
clear
configure
file
help
load
op
quit
request
save
set
start
test
Clear information in the system
Manipulate software configuration information
Perform file operations
Provide help information
Load information from file
Invoke an operation script
Exit the management session
Make system-level requests
Save information to file
Set CLI properties, date/time, craft interface message
Start shell
Perform diagnostic debugging
From the configuration mode, check the available configuration permissions.
User1@R1# edit ?
Possible completions:
> interfaces
Meaning
Interface configuration
User1 has configure user permissions seen in the first output, and the only configuration
access allowed for User1 is at the interfaces hierarchy level. All other configuration is
denied, as seen in the second output.
Verifying Class2 Configuration
Purpose
Action
Verify that the Class2 configuration is working.
From the configuration mode, access the interfaces configuration.
[edit interfaces]
User2@R1# set ?
Possible completions:
<interface-name> Interface name
+ apply-groups
Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
ge-0/0/3
Interface name
> interface-range
Interface ranges configuration
> interface-set
Logical interface set configuration
> traceoptions
Interface trace options
From the configuration mode, access the system and protocols configuration hierarchies.
User2@R1# edit system
^
Syntax error, expecting <statement> or <identifier>.
User2@R1# edit protocols
^
Syntax error, expecting <statement> or <identifier>.
Copyright © 2017, Juniper Networks, Inc.
99
User Access and Authentication Feature Guide for Routing Devices
Meaning
Related
Documentation
User2 has permissions to configure interfaces of R1, but the [edit system] and [edit
protocols] hierarchy levels are denied access, as seen in the output.
•
Understanding Junos OS Access Privilege Levels on page 26
•
Regular Expressions for Allowing and Denying Junos OS Operational Mode Commands,
Configuration Statements, and Hierarchies on page 69
•
Example: Configuring User Permissions with Access Privileges for Operational Mode
Commands on page 76
•
Example: Configuring User Permissions with Access Privileges for Operational Mode
Commands, Configuration Statements, and Hierarchies on page 100
Example: Configuring User Permissions with Access Privileges for Operational Mode
Commands, Configuration Statements, and Hierarchies
This example shows how to configure custom login classes and assign access privileges
for operational mode commands and to portions of the configuration hierarchy. This
enables users of the customized login class to execute only those commands and access
only those configuration statements and hierarchies for which access privileges have
been specified. This prevents unauthorized users from executing sensitive commands
or accessing device configurations that could potentially cause damage to the network.
•
Requirements on page 100
•
Overview and Topology on page 101
•
Configuration on page 104
•
Verification on page 107
Requirements
This example uses the following hardware and software components:
•
One Juniper Networks device
•
One TACACS+ (or RADIUS) server
•
Junos OS build running on the Juniper Networks device
Before you begin:
•
Establish a TCP connection between the device and the TACACS+ server. In the case
of the RADIUS server, establish a UDP connection between the device and the RADIUS
server.
For information on configuring a TACACS+ server, see “Configuring TACACS+
Authentication” on page 421.
100
Copyright © 2017, Juniper Networks, Inc.
Chapter 4: Configuring User Access Privileges
•
Configure at least one user assigned to a login class on the Juniper Networks device.
There can be more than one login class, each with varying permission configurations,
and more than one user on the device.
Overview and Topology
Each top-level command-line interface (CLI) command and each configuration statement
in Junos OS has an access privilege level associated with it. For each login class, you can
explicitly deny or allow the use of operational and configuration mode commands that
would otherwise be permitted or not allowed by a privilege level. Users can execute only
those commands and configure and view only those statements for which they have
access privileges. To configure access privilege levels, include the permissions statement
at the [edit system login class class-name] hierarchy level.
The access privileges for each login class are defined by one or more permission flags
specified in the permissions statement. In addition to this, you can specify extended
regular expressions with the following statements:
•
allow-commands and deny-commands—Allow or deny access to operational mode
commands only.
•
allow-configuration and deny-configuration—Allow or deny access to a particular
configuration hierarchy only.
•
allow-configuration-regexps and deny-configuration-regexps—Allow or deny access to
a particular configuration hierarchy only using strings of regular expressions.
The above statements define a user’s access privileges to individual operational mode
commands, configuration statements, and hierarchies. These statements take precedence
over a login class permissions bit set for a user.
Configuration Notes
When configuring the allow-commands, deny-commands, allow-configuration, and
deny-configuration statements with access privileges, take the following into
consideration:
•
You can include the allow/deny statement only once in each login class.
•
If the exact same command is configured under both allow-commands and
deny-commands statements, or both allow-configuration and deny-configuration
statements, then the allow operation takes precedence over the deny statement.
For instance, with the following configuration, a user assigned to login class test is
allowed to install software using the request system software add command, although
the deny-commands statement also includes it:
[edit system login]
user@host# set class test permissions allow-commands "request system software
add"
user@host# set class test permissions deny-commands "request system software add"
Copyright © 2017, Juniper Networks, Inc.
101
User Access and Authentication Feature Guide for Routing Devices
For instance, with the following configuration, a user assigned to login class test is
allowed to access the [edit system services] configuration hierarchy, although the
deny-configuration statement also includes it:
[edit system login]
user@host# set class test permissions allow-configuration "system services"
user@host# set class test permissions deny-configuration "system services"
•
If you specify a regular expression for allow-commands and deny-commands statements
with two different variants of a command, the longest match is always executed.
For instance, for the following configuration, a user assigned to test login class is allowed
to execute the commit synchronize command and not the commit command. This is
because commit-synchronize is the longest match between commit and
commit-synchronize, and it is specified for allow-commands.
[edit system login class]
user@host# set class test permissions allow-commands "commit-synchronize"
user@host# set class test permissions deny-commands commit
•
Regular expressions for allow-commands and deny-commands statements can also
include the commit, load, rollback, save, status, and update commands.
•
Explicitly allowing configuration mode hierarchies or regular expressions using the
allow-configuration statement adds to the regular permissions set using the permissions
statement. Likewise, explicitly denying configuration mode hierarchies or regular
expressions using the deny-configuration statement removes permissions for the
specified configuration mode hierarchy, from the default permissions provided by the
permissions statement.
For example, for the following configuration, the login class user can edit the
configuration at the [edit system services] hierarchy level and issue configuration mode
commands (such as commit), in addition to just entering the configuration mode using
the configure command, which is the permission specified by the configure permission
flag:
[edit system login]
user@host# set class test permissions configure allow-configuration "system services"
Likewise, for the following configuration, the login class user can perform all operations
allowed by the all permissions flag, except issuing configuration mode commands
(such as commit) or modifying the configuration at the [edit system services] hierarchy
level:
[edit system login]
user@host# set class test permissions all deny-configuration "system services"
•
102
The allow/deny-configuration and allow/deny-configuration-regexps statements are
mutually exclusive and cannot be configured together for a login class. At a given point
in time, a login class can include either the allow/deny-configuration statement, or the
allow/deny-configuration-regexps statement. If you have existing configurations using
the allow/deny-configuration statements, using the same configuration options with
the allow/deny-configuration-regexps statements might not produce the same results,
as the search and match methods differ in the two forms of these statements.
Copyright © 2017, Juniper Networks, Inc.
Chapter 4: Configuring User Access Privileges
•
To define access privileges to parts of the configuration hierarchy, specify the full paths
in the extended regular expressions with the allow-configuration and deny-configuration
statements. Use parentheses around an extended regular expression that connects
two or more expressions with the pipe (|) symbol.
For example:
[edit system login]
user@host# set class test deny-configuration "(system login class) | (system services)"
•
If the regular expression contains any spaces, operators, or wildcard characters, enclose
the expression in quotation marks. Regular expressions are not case-sensitive; for
example, allow-commands "show interfaces".
•
Modifiers such as set, log, and count are not supported within the regular expression
string to be matched. If a modifier is used, then nothing is matched.
Incorrect configuration:
[edit system login]
user@host# set class test permission deny-commands "set protocols"
Correct configuration:
[edit system login]
user@host# set class test permission deny-commands protocols
•
Anchors are required when specifying complex regular expressions with the
allow-commands statement.
For example:
[edit system login]
user@host# set class test permissions allow-commands "(^monitor) | (^ping) | (^show)
| (^exit)"
OR
set class test permissions allow-commands "allow-commands ="^(monitor | ping |
show | exit)"
•
When specifying extended regular expressions using the allow/deny-commands and
allow/deny-configuration statements, each expression separated by a pipe (|) symbol
must be a complete standalone expression, and must be enclosed in parentheses ( ).
Do not use spaces between regular expressions separated with parentheses and
connected with the pipe (|) symbol.
For example:
[edit system login]
user@host# set class test allow-commands "(ping .*)|(traceroute .*)|(show
.*)|(configure .*)|(edit)|(exit)|(commit)|(rollback .*)"
user@host# set class test deny-configuration "(system login class)|(system services)"
•
When specifying extended regular expressions using the
allow-deny-configuration-regexps statement, each expression enclosed within quotes
(") and separated by a space must be enclosed in angular brackets [ ].
For example:
Copyright © 2017, Juniper Networks, Inc.
103
User Access and Authentication Feature Guide for Routing Devices
[edit system login]
user@host# set class test allow-configuration-regexps [ "interfaces .* description .*”
“interfaces .* unit .* description .*” “interfaces .* unit .* family inet address .*”
“interfaces.* disable" ]
•
You can use the * wildcard character when denoting regular expressions. However, it
must be used as a portion of a regular expression. You cannot use [ * ] or [ .* ] alone.
•
You cannot configure the allow-configuration statement with the (interfaces (description
(|.*)) regular expression, as this evaluates to allow-configuration = .* regular expression.
•
You can configure as many regular expressions as needed to be allowed or denied.
Regular expressions to be denied take precedence over configurations to be allowed.
Topology
Figure 3: Configuring TACACS+ Server Authentication
10.209.1.66/24
R1
TACACS+
Server
g043487
TCP connection
Figure 3 on page 104 illustrates a simple topology, where Router R1 is a Juniper Networks
device and has a TCP connection established with a TACACS+ server. In this example,
R1 has a customized login class, Class1, with an associated login user, User1.
The purpose of the Class1 login class is to provide security user permission with access
to only the configure command, and deny access to all other operational mode commands.
The login class again filters the configuration access to only group VPN configuration
under the [edit security] hierarchy, and denies access to the multi-chassis configuration
statement, which is allowed with the security user permissions.
User1 is the login user assigned to the Class1 login class.
Configuration
CLI Quick
Configuration
R1
104
To quickly configure this example, copy the following commands, paste them into a text
file, remove any line breaks, change any details necessary to match your network
configuration, copy and paste the commands into the CLI at the [edit] hierarchy level,
and then enter commit from configuration mode.
set system authentication-order tacplus
set system authentication-order radius
set system authentication-order password
set system ports console log-out-on-disconnect
set system radius-server 10.209.1.66 secret "$ABC123"
set system tacplus-server 10.209.1.66
set system radius-options enhanced-accounting
set system tacplus-options enhanced-accounting
set system accounting events login
set system accounting events change-log
set system accounting events interactive-commands
set system accounting traceoptions file auditlog
Copyright © 2017, Juniper Networks, Inc.
Chapter 4: Configuring User Access Privileges
set system accounting traceoptions flag all
set system accounting destination tacplus server 10.209.1.66
set system login class Class1 permissions security
set system login class Class1 allow-commands configure
set system login class Class1 deny-commands .*
set system login class Class1 allow-configuration "security group-vpn"
set system login class Class1 deny-configuration multi-chassis
set system login user User1 uid 2005
set system login user User1 class Class1
set system login user User1 authentication encrypted-password "$ABC123"
Configuring Authentication Parameters for Router R1
Step-by-Step
Procedure
The following example requires that you navigate various levels in the configuration
hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration
Mode in the CLI User Guide.
To configure Router R1 authentication:
1.
Configure the order in which authentication should take place for R1. In this example,
TACACS+ server authentication is first, followed by RADIUS server authentication,
then the local password.
[edit system]
user@R1# set authentication-order tacplus
user@R1# set authentication-order radius
user@R1# set authentication-order password
2.
Establish R1 connection with the TACACS+ server.
[edit system]
user@R1# set tacplus-server 10.209.1.66
user@R1# set tacplus-options enhanced-accounting
user@R1# set accounting destination tacplus server 10.209.1.66
3.
Configure RADIUS server authentication parameters.
[edit system]
user@R1# set radius-server 10.209.1.66 secret "$ABC123"
user@R1# set radius-options enhanced-accounting
4.
Configure the R1 accounting configuration parameters.
[edit system]
user@R1# set accounting events login
user@R1# set accounting events change-log
user@R1# set accounting events interactive-commands
user@R1# set accounting traceoptions file auditlog
user@R1# set accounting traceoptions flag all
Copyright © 2017, Juniper Networks, Inc.
105
User Access and Authentication Feature Guide for Routing Devices
Configuring Access Privileges with Regular Expressions
Step-by-Step
Procedure
To specify regular expressions for user permissions with access privileges:
1.
Configure the Class1 custom login class and assign security user permissions.
[edit system login]
user@R1# set class Class1 permissions security
2.
Specify the regular expression in the allow-commands statement to enter the
configuration mode.
[edit system login]
user@R1# set class Class1 allow-commands configure
3.
Specify the regular expression in the deny-commands statement to disable access
to all other operational mode commands. The regular expression used to deny all
access is deny-commands .*.
[edit system login]
user@R1# set class Class1 deny-commands .*
4.
Specify the regular expression in the allow-configuration statement to allow access
to the group VPN configuration at the [edit security] hierarchy level.
[edit system login]
user@R1# set class Class1 allow-configuration "security group-vpn"
5.
Specify the regular expression in the deny-configuration statement to disable access
to the multi-chassis configuration statement.
[edit system login]
user@R1# set class Class1 deny-configuration multi-chassis
6.
Configure the user account for the Class1 login class.
[edit system login]
user@R1# set user User1 uid 2005
user@R1# set user User1 class Class1
user@R1# set user User1 authentication encrypted-password "$ABC123"
Results
From configuration mode, confirm your configuration by entering the show system
command. If the output does not display the intended configuration, repeat the
instructions in this example to correct the configuration.
user@R1# show system
authentication-order [ tacplus radius password ];
ports {
console log-out-on-disconnect;
106
Copyright © 2017, Juniper Networks, Inc.
Chapter 4: Configuring User Access Privileges
}
radius-server {
10.209.1.66 secret "$ABC123";
}
tacplus-server {
10.209.1.66;
}
radius-options {
enhanced-accounting;
}
tacplus-options {
enhanced-accounting;
}
accounting {
events [ login change-log interactive-commands ];
traceoptions {
file auditlog;
flag all;
}
destination {
tacplus {
server {
10.209.1.66;
}
}
}
}
login {
class Class1 {
permissions security;
allow-commands configure;
deny-commands .*;
allow-configuration "security group-vpn";
deny-configuration multi-chassis;
}
user User1 {
uid 2005;
class Class1;
authentication {
encrypted-password "$ABC123";
}
}
}
Verification
Log in as the username assigned with the new login class, and confirm that the
configuration is working properly.
•
Verifying Class1 Configuration on page 107
Verifying Class1 Configuration
Purpose
Verify that the permissions and regular expressions allowed in Class1 login class are
working.
Copyright © 2017, Juniper Networks, Inc.
107
User Access and Authentication Feature Guide for Routing Devices
Action
From the CLI prompt, view the allowed user permissions.
User1@R1> ?
Possible completions:
configure
Manipulate software configuration information
From the configuration mode, enter the [edit security] hierarchy and view the allowed
configuration statements.
User1@R1> edit ?
Possible completions:
> group-vpn
Group VPN configuration
From the configuration mode, enter the multi-chassis configuration statement.
User1@R1# edit multi-chassis
^
Syntax error, expecting <statement> or <identifier>.
Meaning
User 1 has security user permissions, which allows the user to view the security
configuration in configuration mode and with the show configuration operational mode
command. However, this has been altered with the allow-commands and deny-commands
statements, where User1 is able to enter configuration mode with the configure command
in the allow-commands statement, and is denied access to all other operational mode
commands with the use of the deny-commands .* statement. As a result, even the show
configuration command, which was allowed with the security user permissions, is now
denied. This is displayed in the first output.
In the second output, the allow-configuration statement takes effect, and the only allowed
configuration under the [edit security] hierarchy level is for group VPN.
In the last output, the deny-configuration statement takes effect, and the multi-chassis
configuration statement that is allowed with the security user permissions is denied for
User1.
Related
Documentation
108
•
Understanding Junos OS Access Privilege Levels on page 26
•
Regular Expressions for Allowing and Denying Junos OS Operational Mode Commands,
Configuration Statements, and Hierarchies on page 69
•
Example: Configuring User Permissions with Access Privileges for Operational Mode
Commands on page 76
•
Example: Configuring User Permissions with Access Privileges for Configuration
Statements and Hierarchies on page 87
Copyright © 2017, Juniper Networks, Inc.
Chapter 4: Configuring User Access Privileges
Example: Using Additive Logic With Regular Expressions to Specify Access Privileges
This example shows how to use additive logic when using regular expressions to set up
configuration access privileges.
•
Requirements on page 109
•
Overview on page 109
•
Configuration on page 110
•
Examples on page 110
Requirements
This example uses the following hardware and software components:
•
One Juniper Networks J Series, M Series, MX Series, or T Series device
•
Junos OS Release 16.1 or later
•
There must be at least one user assigned to a login class.
•
There can be more than one login class, each with varying permission configurations,
and more than one user on the device.
Overview
To control who can make configuration changes to the system, and what specifically
they can change, you can create regular expressions that indicate specific portions of
the configuration hierarchy that users in a named user class are permitted to access. For
example, you can create regular expressions that specify a group of routing instances
that users are allowed to modify, and prevent the users from making changes to any
other routing instances, or to any other configuration level.
You configure regular expressions using the allow-configuration-regexps and
deny-configuration-regexps statements. By default, deny-configuration-regexps statements
take precedence over allow-configuration-regexps statements for users in the named
user class to which they are applied.
If a configuration hierarchy appears in a deny-configuration-regexps statement for a
named user class, it is not visible to the users, regardless of the contents of the
allow-configuration-regexps statement. If a configuration hierarchy does not appear in
a deny-configuration-regexps statement, it is visible if it appears in an
allow-configuration-regexps statement, or if there is no allow-configuration-regexps
statement configured for the user class..
You can optionally change this default behavior so additive logic (that is, deny all by
default / allow some as specified) is used in regular expressions. When additive logic is
enabled, the behavior of existing regular expressions changes so that all configuration
hierarchies are denied unless they are included in an allow-configuration-regexps
statement for the named user class.
Copyright © 2017, Juniper Networks, Inc.
109
User Access and Authentication Feature Guide for Routing Devices
Configuration
To enable additive logic for regular expressions:
1.
To explicitly allow one or more individual configuration mode hierarchies, include the
allow-configuration-regexps statement at the [edit system login class class-name]
hierarchy level, configured with the regular expressions to be allowed.
[edit system login class class-name]
user@host# set allow-configuration-regexps "regular expression 1" "regular expression
2" "regular expression 3" "regular expression 4" ...
2. Assign the login class to one or more users.
[edit system login]
user@host# set user username class class-name
3. Enable additive logic for regular expressions.
[edit system]
user@host# set regex-additive-logic
4. Commit your changes.
Users assigned this login class have access to the configuration hierarchies included
in the allow-configuration-regexps statement, but no others.
Examples
Using Regular Expressions with Additive Logic
Purpose
This section provides examples of regular expressions that use additive logic to give you
ideas for creating configurations appropriate for your system.
Allow Specific Routing
Instances
The following example login class includes a regular expression that allows configuration
of routing instances whose names start with CUST-VRF-; for example, CUST-VRF-1,
CUST-VRF-25, CUST-VRF-100, and so on:
[edit system login class class-name]
user@host# set permissions configure view view-configuration
user@host# set allow-configuration-regexps "routing-instances CUST-VRF-.* .*"
If the following statement is included in the configuration, it prevents the user from
configuring any other routing instances and denies access to any non-routing instance
configuration hierarchy:
[edit system]
user@host# set regex-additive-logic
Allow BGP Peer
Configuration Only
The following example login class includes a regular expression that allows configuration
of BGP peers:
[edit system login class class-name]
110
Copyright © 2017, Juniper Networks, Inc.
Chapter 4: Configuring User Access Privileges
user@host# set permissions configure view view-configuration
user@host# set allow-configuration-regexps "protocols bgp group *"
If the following statement is included in the configuration, it prevents the user from making
any other changes, such as deleting or disabling BGP statements:
[edit system]
user@host# set regex-additive-logic
Verification
To verify that you have set the access privileges correctly:
1.
Configure a login class and commit the changes.
2. Assign the login class to a username.
3. Log in as the username assigned with the new login class.
4. Attempt to perform the configurations that have been allowed.
Related
Documentation
•
You should be able to perform configuration changes to hierarchy levels and regular
expressions that have been allowed.
•
All other hierarchies should not be visible.
•
Any allowed or denied expressions should take precedence over any permissions
granted with the permissions statement.
•
Example: Configuring User Permissions with Access Privileges for Operational Mode
Commands on page 76
•
Regular Expressions for Allowing and Denying Junos OS Operational Mode Commands,
Configuration Statements, and Hierarchies on page 69
•
Understanding Junos OS Access Privilege Levels on page 26
Copyright © 2017, Juniper Networks, Inc.
111
User Access and Authentication Feature Guide for Routing Devices
112
Copyright © 2017, Juniper Networks, Inc.
CHAPTER 5
Permission Flags for User Access
Privileges
•
Access Privilege User Permission Flags Overview on page 114
•
access on page 116
•
access-control on page 119
•
admin on page 120
•
admin-control on page 124
•
all-control on page 124
•
clear on page 125
•
configure on page 195
•
control on page 195
•
field on page 196
•
firewall on page 196
•
firewall-control on page 200
•
floppy on page 201
•
flow-tap on page 201
•
flow-tap-control on page 204
•
flow-tap-operation on page 205
•
idp-profiler-operation on page 205
•
interface on page 205
•
interface-control on page 209
•
maintenance on page 210
•
network on page 219
•
pgcp-session-mirroring on page 221
•
pgcp-session-mirroring-control on page 224
•
reset on page 224
•
rollback on page 225
•
routing on page 226
Copyright © 2017, Juniper Networks, Inc.
113
User Access and Authentication Feature Guide for Routing Devices
•
routing-control on page 233
•
secret on page 237
•
secret-control on page 241
•
security on page 242
•
security-control on page 249
•
shell on page 252
•
snmp on page 253
•
snmp-control on page 256
•
system on page 257
•
system-control on page 262
•
trace on page 264
•
trace-control on page 272
•
view on page 277
•
view-configuration on page 379
Access Privilege User Permission Flags Overview
Permission flags are used to grant a user access to operational mode commands and
configuration hierarchy levels and statements. By specifying a specific permission flag
on the user's login class at the [edit system login class] hierarchy level, you grant the user
access to the corresponding commands and configuration hierarchy levels and
statements. To grant access to all commands and configuration statements, use the all
permissions flag.
For permission flags that grant access to configuration hierarchy levels and statements,
the flags grant read-only privilege to that configuration. For example, the interface
permissions flag grants read-only access to the [edit interfaces] hierarchy level. The
-control form of the flag grants read-write access to that configuration. Using the
preceding example, interface-control grants read-write access to the [edit interfaces]
hierarchy level.
The permission flags listed in "Related Documentation" grant a specific set of access
privileges. Each permission flag is listed with the operational mode commands and
configuration hierarchy levels and statements for which that flag grants access.
NOTE: Each command listed represents that command and all subcommands
with that command as a prefix. Each configuration statement listed represents
the top of the configuration hierarchy to which that flag grants access.
Related
Documentation
114
•
Understanding Junos OS Access Privilege Levels on page 26
•
access on page 116
•
access-control on page 119
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
•
admin on page 120
•
admin-control on page 124
•
all-control on page 124
•
clear on page 125
•
configure on page 195
•
control on page 195
•
field on page 196
•
firewall on page 196
•
firewall-control on page 200
•
floppy on page 201
•
flow-tap on page 201
•
flow-tap-operation on page 205
•
idp-profiler-operation on page 205
•
interface on page 205
•
interface-control on page 209
•
maintenance on page 210
•
network on page 219
•
pgcp-session-mirroring on page 221
•
pgcp-session-mirroring-control on page 224
•
reset on page 224
•
rollback on page 225
•
secret on page 237
•
secret-control on page 241
•
security on page 242
•
security-control on page 249
•
shell on page 252
•
snmp on page 253
•
system on page 257
•
system-control on page 262
•
trace on page 264
•
trace-control on page 272
•
view on page 277
•
view-configuration on page 379
Copyright © 2017, Juniper Networks, Inc.
115
User Access and Authentication Feature Guide for Routing Devices
access
Can view the access configuration in configuration mode.
Commands
116
clear unified-edge
clear unified-edge ggsn-pgw
clear unified-edge ggsn-pgw aaa
clear unified-edge ggsn-pgw aaa radius
clear unified-edge ggsn-pgw aaa radius statistics
<clear-mobile-gateway-aaa-radius-statistics>
clear unified-edge ggsn-pgw aaa statistics
<clear-mobile-gateway-aaa-statistics>
clear unified-edge ggsn-pgw address-assignment
clear unified-edge ggsn-pgw address-assignment pool
<clear-mobile-gateway-sm-ippool-pool-sessions>
clear unified-edge ggsn-pgw address-assignment statistics
<clear-mobile-gateway-sm-ippool-statistics>
clear unified-edge ggsn-pgw call-admission-control
clear unified-edge ggsn-pgw call-admission-control statistics
<clear-mobile-gateway-cac-statistics>
clear unified-edge ggsn-pgw charging
clear unified-edge ggsn-pgw charging cdr
<clear-mobile-gateway-charging-clear-cdr>
clear unified-edge ggsn-pgw charging cdr wfa
<clear-mobile-gateway-charging-clear-cdr-wfa>
clear unified-edge ggsn-pgw charging local-persistent-storage
clear unified-edge ggsn-pgw charging local-persistent-storage statistics
<clear-mobile-gateway-charging-clear-lps-stats>
clear unified-edge ggsn-pgw charging path
clear unified-edge ggsn-pgw charging path statistics
<clear-mobile-gateway-charging-clear-path-stats>
clear unified-edge ggsn-pgw charging transfer
clear unified-edge ggsn-pgw charging transfer statistics
<clear-mobile-gateway-charging-clear-xfer-stats>
clear unified-edge ggsn-pgw diameter
clear unified-edge ggsn-pgw diameter dcca-gy
clear unified-edge ggsn-pgw diameter dcca-gy statistics
<clear-mobile-gateway-aaa-diam-stats-gy>
clear unified-edge ggsn-pgw diameter network-element
clear unified-edge ggsn-pgw diameter network-element statistics
<clear-mobile-gateway-aaa-diam-ne-statistics>
clear unified-edge ggsn-pgw diameter pcc-gx
clear unified-edge ggsn-pgw diameter pcc-gx statistics
<clear-mobile-gateway-aaa-diam-stats-gx>
clear unified-edge ggsn-pgw diameter peer
clear unified-edge ggsn-pgw diameter peer statistics
<clear-mobile-gateway-aaa-diam-peer-statistics>
clear unified-edge ggsn-pgw gtp
clear unified-edge ggsn-pgw gtp peer
clear unified-edge ggsn-pgw gtp peer statistics
<clear-mobile-gateway-gtp-peer-statistics>
clear unified-edge ggsn-pgw gtp statistics
<clear-mobile-gateway-gtp-statistics>
clear unified-edge ggsn-pgw ip-reassembly
clear unified-edge ggsn-pgw ip-reassembly statistics
<clear-mobile-gateways-ip-reassembly-statistics>
clear unified-edge ggsn-pgw statistics
<clear-mobile-gateway-statistics>
clear unified-edge ggsn-pgw subscribers
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
<clear-mobile-gateway-subscribers>
clear unified-edge ggsn-pgw subscribers bearer
clear unified-edge ggsn-pgw subscribers charging
<clear-mobile-gateway-subscribers-charging>
clear unified-edge ggsn-pgw subscribers peer
<clear-mobile-gateway-subscribers-peer>
clear unified-edge sgw
clear unified-edge sgw call-admission-control
clear unified-edge sgw call-admission-control statistics
<clear-mobile-sgw-cac-statistics>
clear unified-edge sgw charging
clear unified-edge sgw charging cdr
<clear-mobile-gateway-sgw-charging-clear-cdr>
clear unified-edge sgw charging cdr wfa
<clear-mobile-gateway-sgw-charging-clear-cdr-wfa>
clear unified-edge sgw charging local-persistent-storage
clear unified-edge sgw charging local-persistent-storage statistics
<clear-mobile-gateway-sgw-charging-clear-lps-stats>
clear unified-edge sgw charging path
clear unified-edge sgw charging path statistics
<clear-mobile-gateway-sgw-charging-clear-path-stats>
clear unified-edge sgw charging transfer
clear unified-edge sgw charging transfer statistics
<clear-mobile-gateway-sgw-charging-clear-xfer-stats>
clear unified-edge sgw gtp
clear unified-edge sgw gtp peer
clear unified-edge sgw gtp peer statistics
<clear-mobile-sgw-gtp-peer-statistics>
clear unified-edge sgw gtp statistics
<clear-mobile-sgw-gtp-statistics>
clear unified-edge sgw idle-mode-buffering
clear unified-edge sgw idle-mode-buffering statistics
<clear-mobile-gw-sgw-idle-mode-buffering-statistics>
clear unified-edge sgw ip-reassembly
clear unified-edge sgw ip-reassembly statistics
<clear-mobile-gateways-sgw-ip-reassembly-statistics-sgw>
clear unified-edge sgw statistics
<clear-mobile-sgw-statistics>
clear unified-edge sgw subscribers
<clear-mobile-sgw-subscribers>
clear unified-edge sgw subscribers charging
<clear-mobile-sgw-subscribers-charging>
clear unified-edge sgw subscribers peer
<clear-mobile-sgw-subscribers-peer>
clear unified-edge tdf
clear unified-edge tdf aaa
clear unified-edge tdf aaa radius
clear unified-edge tdf aaa radius client
clear unified-edge tdf aaa radius client statistics
<clear-radius-client-statistics>
clear unified-edge tdf aaa radius network-element
clear unified-edge tdf aaa radius network-element statistics
<clear-radius-network-element-statistics>
clear unified-edge tdf aaa radius server
clear unified-edge tdf aaa radius server statistics
<clear-radius-server-statistics>
clear unified-edge tdf aaa radius snoop-segment
clear unified-edge tdf aaa radius snoop-segment statistics
<clear-radius-snoop-segment-statistics>
clear unified-edge tdf aaa statistics
<clear-tdf-gateway-aaa-statistics>
Copyright © 2017, Juniper Networks, Inc.
117
User Access and Authentication Feature Guide for Routing Devices
clear unified-edge tdf address-assignment
clear unified-edge tdf address-assignment pool
<clear-mobile-gateway-tdf-sm-ippool-pool-sessions>
clear unified-edge tdf address-assignment statistics
<clear-mobile-gateway-tdf-sm-ippool-statistics>
clear unified-edge tdf call-admission-control
clear unified-edge tdf call-admission-control statistics
<clear-tdf-cac-statistics>
clear unified-edge tdf diameter
clear unified-edge tdf diameter network-element
clear unified-edge tdf diameter network-element statistics
<clear-diameter-network-element-statistics>
clear unified-edge tdf diameter pcc-gx
clear unified-edge tdf diameter pcc-gx statistics
<clear-diameter-statistics-gx>
clear unified-edge tdf diameter peer
clear unified-edge tdf diameter peer statistics
<clear-diameter-peer-statistics>
clear unified-edge tdf statistics
<clear-tdf-statistics>
clear unified-edge tdf subscribers
<clear-mobile-tdf-subscribers>
clear unified-edge tdf subscribers peer
<clear-mobile-gateway-tdf-subscribers-peer>
request unified-edge
request unified-edge ggsn-pgw
request unified-edge ggsn-pgw call-trace
<monitor-mobile-gateways-call-trace-start>
request unified-edge ggsn-pgw call-trace clear
<get-mobile-gateways-call-trace-clear>
request unified-edge ggsn-pgw call-trace show
<get-mobile-gateways-call-trace-information>
request unified-edge ggsn-pgw call-trace start
<get-mobile-gateways-call-trace-start-information>
request unified-edge ggsn-pgw call-trace stop
<get-mobile-gateways-call-trace-stop-information>
request unified-edge sgw
request unified-edge sgw call-trace
request unified-edge sgw call-trace clear
<get-mobile-gateways-sgw-call-trace-clear>
request unified-edge sgw call-trace show
<get-mobile-gateways-sgw-call-trace-information>
request unified-edge sgw call-trace start
<get-mobile-gateways-sgw-call-trace-start-information>
request unified-edge sgw call-trace stop
<get-mobile-gateways-sgw-call-trace-stop-information>
request unified-edge tdf
request unified-edge tdf call-trace
request unified-edge tdf call-trace clear
<get-mobile-gateways-tdf-call-trace-clear>
request unified-edge tdf call-trace show
<get-mobile-gateways-tdf-call-trace-information>
request unified-edge tdf call-trace start
<get-mobile-gateways-tdf-call-trace-start-information>
request unified-edge tdf call-trace stop
<get-mobile-gateways-tdf-call-trace-stop-information>
Configuration
Hierarchy Levels
118
[edit
[edit
[edit
[edit
access]
access diameter]
access ppp-options]
access radius]
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
[edit dynamic-profile]
[edit logical-systems access]
[edit logical-systems routing-instances instance system services
static-subscribers access-profile]
[edit logical-systems routing-instances instance system services
static-subscribers dynamic-profile]
[edit logical-systems routing-instances instance system services
static-subscribers group access-profile]
[edit logical-systems routing-instances instance system services
static-subscribers group dynamic-profile]
[edit logical-systems system services static-subscribers access-profile]
[edit logical-systems system services static-subscribers dynamic-profile]
[edit logical-systems system services static-subscribers group access-profile]
[edit logical-systems system services static-subscribers group dynamic-profile]
[edit routing-instances instance system services static-subscribers
access-profile]
[edit routing-instances instance system services static-subscribers
dynamic-profile]
[edit routing-instances instance system services static-subscribers group
access-profile]
[edit routing-instances instance system services static-subscribers group
dynamic-profile]
[edit system services extensible-subscriber-services access-profile]
[edit system services static-subscribers access-profile]
[edit system services static-subscribers dynamic-profile]
[edit system services static-subscribers group access-profile]
[edit system services static-subscribers group dynamic-profile]
[edit unified-edge]
Related
Documentation
•
Access Privilege User Permission Flags Overview on page 114
•
Understanding Junos OS Access Privilege Levels on page 26
•
Example: Configuring User Permissions with Access Privilege Levels on page 65
•
Example: Configuring User Permissions with Access Privileges for Operational Mode
Commands on page 76
•
Example: Configuring User Permissions with Access Privileges for Configuration
Statements and Hierarchies on page 87
•
access-control on page 119
access-control
Can view access configuration information. Can edit access configuration at the [edit
access], [edit logical-systems], [edit routing-instances, and [edit system services] hierarchy
levels.
Configuration
Hierarchy Levels
[edit access]
[edit access ppp-options]
[edit dynamic-profile]
[edit logical-systems access]
[edit logical-systems routing-instances instance system services
static-subscribers access-profile]
[edit logical-systems routing-instances instance system services
static-subscribers dynamic-profile]
Copyright © 2017, Juniper Networks, Inc.
119
User Access and Authentication Feature Guide for Routing Devices
[edit logical-systems routing-instances instance system services
static-subscribers group access-profile]
[edit logical-systems routing-instances instance system services
static-subscribers group dynamic-profile]
[edit logical-systems system services static-subscribers access-profile]
[edit logical-systems system services static-subscribers dynamic-profile]
[edit logical-systems system services static-subscribers group access-profile]
[edit logical-systems system services static-subscribers group dynamic-profile]
[edit routing-instances instance system services static-subscribers
access-profile]
[edit routing-instances instance system services static-subscribers
dynamic-profile]
[edit routing-instances instance system services static-subscribers group
access-profile]
[edit routing-instances instance system services static-subscribers group
dynamic-profile]
[edit system services static-subscribers access-profile]
[edit system services static-subscribers dynamic-profile]
[edit system services static-subscribers group access-profile]
[edit system services static-subscribers group dynamic-profile]
Related
Documentation
•
Access Privilege User Permission Flags Overview on page 114
•
Understanding Junos OS Access Privilege Levels on page 26
•
Example: Configuring User Permissions with Access Privilege Levels on page 65
•
Example: Configuring User Permissions with Access Privileges for Operational Mode
Commands on page 76
•
Example: Configuring User Permissions with Access Privileges for Configuration
Statements and Hierarchies on page 87
•
access on page 116
admin
Can view user account information in configuration mode.
Commands
120
clear unified-edge
clear unified-edge ggsn-pgw
clear unified-edge ggsn-pgw aaa
clear unified-edge ggsn-pgw aaa radius
clear unified-edge ggsn-pgw aaa radius statistics
<clear-mobile-gateway-aaa-radius-statistics>
clear unified-edge ggsn-pgw aaa statistics
<clear-mobile-gateway-aaa-statistics>
clear unified-edge ggsn-pgw address-assignment
clear unified-edge ggsn-pgw address-assignment pool
<clear-mobile-gateway-sm-ippool-pool-sessions>
clear unified-edge ggsn-pgw address-assignment statistics
<clear-mobile-gateway-sm-ippool-statistics>
clear unified-edge ggsn-pgw call-admission-control
clear unified-edge ggsn-pgw call-admission-control statistics
<clear-mobile-gateway-cac-statistics>
clear unified-edge ggsn-pgw charging
clear unified-edge ggsn-pgw charging cdr
<clear-mobile-gateway-charging-clear-cdr>
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
clear unified-edge ggsn-pgw charging cdr wfa
<clear-mobile-gateway-charging-clear-cdr-wfa>
clear unified-edge ggsn-pgw charging local-persistent-storage
clear unified-edge ggsn-pgw charging local-persistent-storage statistics
<clear-mobile-gateway-charging-clear-lps-stats>
clear unified-edge ggsn-pgw charging path
clear unified-edge ggsn-pgw charging path statistics
<clear-mobile-gateway-charging-clear-path-stats>
clear unified-edge ggsn-pgw charging transfer
clear unified-edge ggsn-pgw charging transfer statistics
<clear-mobile-gateway-charging-clear-xfer-stats>
clear unified-edge ggsn-pgw diameter
clear unified-edge ggsn-pgw diameter dcca-gy
clear unified-edge ggsn-pgw diameter dcca-gy statistics
<clear-mobile-gateway-aaa-diam-stats-gy>
clear unified-edge ggsn-pgw diameter network-element
clear unified-edge ggsn-pgw diameter network-element statistics
<clear-mobile-gateway-aaa-diam-ne-statistics>
clear unified-edge ggsn-pgw diameter pcc-gx
clear unified-edge ggsn-pgw diameter pcc-gx statistics
<clear-mobile-gateway-aaa-diam-stats-gx>
clear unified-edge ggsn-pgw diameter peer
clear unified-edge ggsn-pgw diameter peer statistics
<clear-mobile-gateway-aaa-diam-peer-statistics>
clear unified-edge ggsn-pgw gtp
clear unified-edge ggsn-pgw gtp peer
clear unified-edge ggsn-pgw gtp peer statistics
<clear-mobile-gateway-gtp-peer-statistics>
clear unified-edge ggsn-pgw gtp statistics
<clear-mobile-gateway-gtp-statistics>
clear unified-edge ggsn-pgw ip-reassembly
clear unified-edge ggsn-pgw ip-reassembly statistics
<clear-mobile-gateways-ip-reassembly-statistics>
clear unified-edge ggsn-pgw statistics
<clear-mobile-gateway-statistics>
clear unified-edge ggsn-pgw subscribers
<clear-mobile-gateway-subscribers>
clear unified-edge ggsn-pgw subscribers bearer
clear unified-edge ggsn-pgw subscribers charging
<clear-mobile-gateway-subscribers-charging>
clear unified-edge ggsn-pgw subscribers peer
<clear-mobile-gateway-subscribers-peer>
clear unified-edge sgw
clear unified-edge sgw call-admission-control
clear unified-edge sgw call-admission-control statistics
<clear-mobile-sgw-cac-statistics>
clear unified-edge sgw charging
clear unified-edge sgw charging cdr
<clear-mobile-gateway-sgw-charging-clear-cdr>
clear unified-edge sgw charging cdr wfa
<clear-mobile-gateway-sgw-charging-clear-cdr-wfa>
clear unified-edge sgw charging local-persistent-storage
clear unified-edge sgw charging local-persistent-storage statistics
<clear-mobile-gateway-sgw-charging-clear-lps-stats>
clear unified-edge sgw charging path
clear unified-edge sgw charging path statistics
<clear-mobile-gateway-sgw-charging-clear-path-stats>
clear unified-edge sgw charging transfer
clear unified-edge sgw charging transfer statistics
<clear-mobile-gateway-sgw-charging-clear-xfer-stats>
clear unified-edge sgw gtp
Copyright © 2017, Juniper Networks, Inc.
121
User Access and Authentication Feature Guide for Routing Devices
clear unified-edge sgw gtp peer
clear unified-edge sgw gtp peer statistics
<clear-mobile-sgw-gtp-peer-statistics>
clear unified-edge sgw gtp statistics
<clear-mobile-sgw-gtp-statistics>
clear unified-edge sgw idle-mode-buffering
clear unified-edge sgw idle-mode-buffering statistics
<clear-mobile-gw-sgw-idle-mode-buffering-statistics>
clear unified-edge sgw ip-reassembly
clear unified-edge sgw ip-reassembly statistics
<clear-mobile-gateways-sgw-ip-reassembly-statistics-sgw>
clear unified-edge sgw statistics
<clear-mobile-sgw-statistics>
clear unified-edge sgw subscribers
<clear-mobile-sgw-subscribers>
clear unified-edge sgw subscribers charging
<clear-mobile-sgw-subscribers-charging>
clear unified-edge sgw subscribers peer
<clear-mobile-sgw-subscribers-peer>
clear unified-edge tdf
clear unified-edge tdf aaa
clear unified-edge tdf aaa radius
clear unified-edge tdf aaa radius client
clear unified-edge tdf aaa radius client statistics
<clear-radius-client-statistics>
clear unified-edge tdf aaa radius network-element
clear unified-edge tdf aaa radius network-element statistics
<clear-radius-network-element-statistics>
clear unified-edge tdf aaa radius server
clear unified-edge tdf aaa radius server statistics
<clear-radius-server-statistics>
clear unified-edge tdf aaa radius snoop-segment
clear unified-edge tdf aaa radius snoop-segment statistics
<clear-radius-snoop-segment-statistics>
clear unified-edge tdf aaa statistics
<clear-tdf-gateway-aaa-statistics>
clear unified-edge tdf address-assignment
clear unified-edge tdf address-assignment pool
<clear-mobile-gateway-tdf-sm-ippool-pool-sessions>
clear unified-edge tdf address-assignment statistics
<clear-mobile-gateway-tdf-sm-ippool-statistics>
clear unified-edge tdf call-admission-control
clear unified-edge tdf call-admission-control statistics
<clear-tdf-cac-statistics>
clear unified-edge tdf diameter
clear unified-edge tdf diameter network-element
clear unified-edge tdf diameter network-element statistics
<clear-diameter-network-element-statistics>
clear unified-edge tdf diameter pcc-gx
clear unified-edge tdf diameter pcc-gx statistics
<clear-diameter-statistics-gx>
clear unified-edge tdf diameter peer
clear unified-edge tdf diameter peer statistics
<clear-diameter-peer-statistics>
clear unified-edge tdf statistics
<clear-tdf-statistics>
clear unified-edge tdf subscribers
<clear-mobile-tdf-subscribers>
clear unified-edge tdf subscribers peer
<clear-mobile-gateway-tdf-subscribers-peer>
request unified-edge
122
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
request unified-edge ggsn-pgw
request unified-edge ggsn-pgw call-trace
<monitor-mobile-gateways-call-trace-start>
request unified-edge ggsn-pgw call-trace clear
<get-mobile-gateways-call-trace-clear>
request unified-edge ggsn-pgw call-trace show
<get-mobile-gateways-call-trace-information>
request unified-edge ggsn-pgw call-trace start
<get-mobile-gateways-call-trace-start-information>
request unified-edge ggsn-pgw call-trace stop
<get-mobile-gateways-call-trace-stop-information>
request unified-edge sgw
request unified-edge sgw call-trace
request unified-edge sgw call-trace clear
<get-mobile-gateways-sgw-call-trace-clear>
request unified-edge sgw call-trace show
<get-mobile-gateways-sgw-call-trace-information>
request unified-edge sgw call-trace start
<get-mobile-gateways-sgw-call-trace-start-information>
request unified-edge sgw call-trace stop
<get-mobile-gateways-sgw-call-trace-stop-information>
request unified-edge tdf
request unified-edge tdf call-trace
request unified-edge tdf call-trace clear
<get-mobile-gateways-tdf-call-trace-clear>
request unified-edge tdf call-trace show
<get-mobile-gateways-tdf-call-trace-information>
request unified-edge tdf call-trace start
<get-mobile-gateways-tdf-call-trace-start-information>
request unified-edge tdf call-trace stop
<get-mobile-gateways-tdf-call-trace-stop-information>
show system audit
Configuration
Hierarchy Levels
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
Copyright © 2017, Juniper Networks, Inc.
protocols uplink-failure-detection]
system]
system accounting]
system diag-port-authentication]
system extensions]
system login]
system pic-console-authentication]
system root-authentication]
system services ssh authorized-keys-command]
system services ssh authorized-keys-command-user]
system services ssh ciphers]
system services ssh client-alive-count-max]
system services ssh client-alive-interval]]
system services ssh fingerprint-hash]
system services ssh hostkey-algorithm]
system services ssh key-exchange]
system services ssh macs]
system services ssh max-sessions-per-connection]
system services ssh no-tcp-fowarding]
system services ssh protocol-version]
system services ssh root-login]
system services ssh tcp-fowarding]
unified-edge]
123
User Access and Authentication Feature Guide for Routing Devices
Related
Documentation
•
Access Privilege User Permission Flags Overview on page 114
•
Understanding Junos OS Access Privilege Levels on page 26
•
Example: Configuring User Permissions with Access Privilege Levels on page 65
•
Example: Configuring User Permissions with Access Privileges for Operational Mode
Commands on page 76
•
Example: Configuring User Permissions with Access Privileges for Configuration
Statements and Hierarchies on page 87
•
admin-control on page 124
admin-control
Can view user account information and configure it at the [edit system] hierarchy level.
Commands
show system audit
Configuration
Hierarchy Levels
Related
Documentation
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
protocols uplink-failure-detection]
system]
system accounting]
system diag-port-authentication]
system extensions]
system login]
system pic-console-authentication]
system root-authentication]
system services ssh ciphers]
system services ssh hostkey-algorithm]
system services ssh key-exchange]
system services ssh macs]
system services ssh protocol-version]
system services ssh root-login]
•
Access Privilege User Permission Flags Overview on page 114
•
Understanding Junos OS Access Privilege Levels on page 26
•
Example: Configuring User Permissions with Access Privilege Levels on page 65
•
Example: Configuring User Permissions with Access Privileges for Operational Mode
Commands on page 76
•
Example: Configuring User Permissions with Access Privileges for Configuration
Statements and Hierarchies on page 87
•
admin on page 120
all-control
Can access all operational mode commands and configuration mode commands. Can
modify configuration in all the configuration hierarchy levels.
124
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
Commands
Configuration
Hierarchy Levels
Related
Documentation
All CLI commands.
All CLI configuration hierarchy levels and statements.
•
Access Privilege User Permission Flags Overview on page 114
•
Understanding Junos OS Access Privilege Levels on page 26
•
Example: Configuring User Permissions with Access Privilege Levels on page 65
•
Example: Configuring User Permissions with Access Privileges for Operational Mode
Commands on page 76
•
Example: Configuring User Permissions with Access Privileges for Configuration
Statements and Hierarchies on page 87
clear
Can clear (delete) information learned from the network that is stored in various network
databases.
Commands
clear
clear access-security
clear access-security router-advertisement-entries
<clear-as-router-advetisement-entry>
clear amt
clear amt statistics
<clear-amt-statistics>
clear amt tunnel
clear-amt-tunnel
clear amt tunnel gateway-address
<clear amt tunnel gateway-address>
clear amt tunnel statistics
<clear-amt-tunnel-statistics>
clear amt tunnel statistics gateway-address
<clear-amt-tunnel-gateway-address-statistics>
clear amt tunnel statistics tunnel-interface
<clear-amt-tunnel-interface-statistics>
clear amt tunnel tunnel-interface
<clear-amt-tunnel-interface<>
clear ancp
clear ancp neighbor
<clear-ancp-neighbor-connection>
clear ancp statistics
<clear-ancp-statistics>
clear ancp subscriber
<clear-ancp-subscriber-connection>
clear-appqos-counter
<clear-appqos-rate-limiters-statistics>
clear-appqos-rate-limiter-statistics
clear-appqos-rule-statistics
clear arp
<clear-arp-table>
clear auto-configuration
clear auto-configuration interfaces
<clear-auto-configuration-interfaces>
Copyright © 2017, Juniper Networks, Inc.
125
User Access and Authentication Feature Guide for Routing Devices
clear bfd
clear bfd adaptation
<clear-bfd-adaptation-information>
clear bfd adaptation address
<clear-bfd-adaptation-address>
clear bfd adaptation discriminator
<clear-bfd-adaptation-discriminator>
clear bfd session
<clear-bfd-session-information>
clear bfd session address
<clear-bfd-session-address>
clear bfd session discriminator
<clear-bfd-session-discriminator>
clear bgp
clear bgp damping
<clear-bgp-damping>
clear bgp neighbor
<clear-bgp-neighbor>
clear bgp table
<clear-bgp-table>
clear bridge
clear bridge evpn
clear bridge evpn arp-table
<clear-bridge-evpn-arp-table>
clear bridge evpn nd-table
<clear-bridge-evpn-nd-table>
clear bridge mac-table
<clear-bridge-mac-table>
clear bridge mac-table interface
<clear-bridge-interface-mac-table>
clear bridge recovery-timeout
<clear-bridge-recovery>
clear bridge recovery-timeout interface
<clear-bridge-recovery-interface>
clear bridge satellite
clear bridge satellite logging
<clear-satellite-control-logging>
clear bridge satellite vlan-auto-sense
<clear-satellite-control-plane-vlan-auto-sense>
clear captive-portal
clear captive-portal firewall
<clear-captive-portal-firewall>
clear captive-portal firewall interface
<clear-captive-portal-firewall-interface>
clear captive-portal interface
<clear-captive-portal-interface-session>
clear captive-portal mac-address
<clear-captive-portal-mac-session>
clear cli
clear cli logical-system
<clear-cli-logical-system>
clear database-replication
clear database-replication statistics
<clear-database-replication-statistics-information>
clear ddos-protection
clear ddos-protection protocols
clear ddos-protection protocols all-fiber-channel-enode
clear ddos-protection protocols all-fiber-channel-enode aggregate
clear ddos-protection protocols all-fiber-channel-enode aggregate culprit-flows
<clear-ddos-all-fc-enode-aggregate-flows>
clear ddos-protection protocols all-fiber-channel-enode aggregate states
126
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
<clear-ddos-all-fc-enode-aggregate-states>
clear ddos-protection protocols all-fiber-channel-enode aggregate statistics
<clear-ddos-all-fc-enode-aggregate-statistics>
clear ddos-protection protocols all-fiber-channel-enode culprit-flows
<clear-ddos-all-fc-enode-flows>
clear ddos-protection protocols all-fiber-channel-enode states
<clear-ddos-all-fc-enode-states>
clear ddos-protection protocols all-fiber-channel-enode statistics
<clear-ddos-all-fc-enode-statistics>
clear ddos-protection protocols amtv4
clear ddos-protection protocols amtv4 aggregate
clear ddos-protection protocols amtv4 aggregate culprit-flows
clear ddos-protection protocols amtv4 aggregate states
clear ddos-protection protocols amtv4 aggregate statistics
clear ddos-protection protocols amtv4 culprit-flows
clear ddos-protection protocols amtv4 states
clear ddos-protection protocols amtv4 statistics
clear ddos-protection protocols amtv6
clear ddos-protection protocols amtv6 aggregate
clear ddos-protection protocols amtv6 aggregate culprit-flows
<clear-ddos-amtv6-aggregate-flows>
clear ddos-protection protocols amtv6 aggregate states
<clear-ddos-amtv6-aggregate-states>
clear ddos-protection protocols amtv6 aggregate statistics
<clear-ddos-amtv6-aggregate-statistics>
clear ddos-protection protocols amtv6 culprit-flows
<clear-ddos-amtv6-flows>
clear ddos-protection protocols amtv6 states
<clear-ddos-amtv6-states<>
clear ddos-protection protocols amtv6 statistics
<clear-ddos-amtv6-statistics>
clear ddos-protection protocols ancp aggregate culprit-flows
<clear-ddos-ancp-aggregate-flows>
clear ddos-protection protocols ancp culprit-flows
clear ddos-protection protocols ancp
clear ddos-protection protocols ancp aggregate
clear ddos-protection protocols ancp aggregate states
clear ddos-protection protocols ancp aggregate statistics
<clear-ddos-ancp-aggregate-statistics>
clear ddos-protection protocols ancp states
<clear-ddos-ancp-states>
clear ddos-protection protocols ancp statistics
<clear-ddos-ancp-statistics>
clear ddos-protection protocols ancpv6
clear ddos-protection protocols ancpv6 aggregate
clear ddos-protection protocols ancpv6 aggregate states
clear ddos-protection protocols ancpv6 aggregate culprit-flows
clear ddos-protection protocols arp aggregate statistics
clear-ddos-arp-aggregate-statistics
clear ddos-protection protocols arp aggregate culprit-flows
clear ddos-protection protocols arp states
clear-ddos-arp-states
clear ddos-protection protocols arp statistics
<clear-ddos-arp-statistics>
clear ddos-protection protocols arp-snoop
clear ddos-protection protocols arp-snoop aggregate
clear ddos-protection protocols arp-snoop aggregate culprit-flows
<clear-ddos-arp-snoop-aggregate-flows>
clear ddos-protection protocols arp-snoop aggregate states
<clear-ddos-arp-snoop-aggregate-states>
Copyright © 2017, Juniper Networks, Inc.
127
User Access and Authentication Feature Guide for Routing Devices
clear ddos-protection protocols arp-snoop aggregate statistics
<clear-ddos-arp-snoop-aggregate-statistics>
clear ddos-protection protocols arp-snoop culprit-flows
<clear-ddos-arp-snoop-flows>
clear ddos-protection protocols arp-snoop states
<clear-ddos-arp-snoop-states>
clear ddos-protection protocols arp-snoop statistics
<clear-ddos-arp-snoop-statistics>
clear ddos-protection protocols arp culprit-flows
clear ddos-protection protocols atm
clear ddos-protection protocols atm aggregate
clear ddos-protection protocols atm aggregate culprit-flows
clear ddos-protection protocols atm aggregate states
<clear-ddos-atm-aggregate-states>
clear ddos-protection protocols atm aggregate statistics
<clear-ddos-atm-aggregate-statistics>
clear ddos-protection protocols atm culprit-flows
clear ddos-protection protocols bfd aggregate culprit-flows
clear ddos-protection protocols atm states
clear-ddos-atm-states
clear ddos-protection protocols atm statistics
clear-ddos-atm-statistics
clear ddos-protection protocols bfd
clear ddos-protection protocols bfd aggregate
clear ddos-protection protocols bfd culprit-flows
clear ddos-protection protocols bfd aggregate states
clear-ddos-bfd-aggregate-states
clear ddos-protection protocols bfd aggregate statistics
clear-ddos-bfd-aggregate-statistics
clear ddos-protection protocols bfd states
clear-ddos-bfd-states
clear ddos-protection protocols bfd statistics
clear-ddos-bfd-statistics
clear ddos-protection protocols bfdv6
clear ddos-protection protocols bfdv6 aggregate
clear ddos-protection protocols bfdv6 culprit-flows
clear ddos-protection protocols bfdv6 aggregate states
clear-ddos-bfdv6-aggregate-states
clear ddos-protection protocols bfdv6 aggregate statistics
clear-ddos-bfdv6-aggregate-statistics
clear ddos-protection protocols bfdv6 states
clear-ddos-bfdv6-states
clear ddos-protection protocols bfdv6 statistics
clear-ddos-bfdv6-statistics
clear ddos-protection protocols bgp
clear ddos-protection protocols bgp aggregate
clear ddos-protection protocols bgp aggregate culprit-flows
clear ddos-protection protocols bgp aggregate states
clear-ddos-bgp-aggregate-states
clear ddos-protection protocols bgp aggregate statistics
clear ddos-protection protocols bgp culprit-flows
clear ddos-protection protocols bgp states
clear-ddos-bgp-states
clear ddos-protection protocols bgp statistics
clear-ddos-bgp-statistics
clear ddos-protection protocols bgpv6
clear ddos-protection protocols bgpv6 aggregate
clear ddos-protection protocols bgpv6 aggregate culprit-flows
clear ddos-protection protocols bgpv6 aggregate states
clear-ddos-bgpv6-aggregate-states
clear ddos-protection protocols bgpv6 aggregate statistics
128
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
clear-ddos-bgpv6-aggregate-statistics
clear ddos-protection protocols bgpv6 states
clear-ddos-bgp-aggregate-states
clear-ddos-bgp-aggregate-statistics
clear-ddos-bgp-states
clear-ddos-bgp-statistics
clear-ddos-bgpv6-aggregate-states
clear-ddos-bgpv6-aggregate-statistics
clear-ddos-bgpv6-states
clear ddos-protection protocols bgpv6 statistics
<clear-ddos-bgpv6-statistics>
clear ddos-protection protocols bridge-control
clear ddos-protection protocols bridge-control aggregate
clear ddos-protection protocols bridge-control aggregate culprit-flows
<clear-ddos-brg-ctrl-aggregate-flows>
clear ddos-protection protocols bridge-control aggregate states
<clear-ddos-brg-ctrl-aggregate-states>
clear ddos-protection protocols bridge-control aggregate statistics
<clear-ddos-brg-ctrl-aggregate-statistics>
clear ddos-protection protocols bridge-control culprit-flows
<clear-ddos-brg-ctrl-flows>
clear ddos-protection protocols bridge-control states
<clear-ddos-brg-ctrl-states>
clear ddos-protection protocols bridge-control statistics
<clear-ddos-brg-ctrl-statistics>
clear ddos-protection protocols culprit-flows
clear ddos-protection protocols demux-autosense
clear ddos-protection protocols demux-autosense aggregate
clear ddos-protection protocols demux-autosense aggregate culprit-flows
clear ddos-protection protocols demux-autosense aggregate states
clear-ddos-demuxauto-aggregate-states
clear ddos-protection protocols demux-autosense aggregate statistics
clear ddos-protection protocols demux-autosense culprit-flows
clear ddos-protection protocols demux-autosense states
clear-ddos-demuxauto-states
clear ddos-protection protocols demux-autosense statistics
clear-ddos-demuxauto-statistics
clear ddos-protection protocols dhcpv4
clear ddos-protection protocols dhcpv4 ack
clear ddos-protection protocols dhcpv4 ack culprit-flows
clear ddos-protection protocols dhcpv4 ack states
clear ddos-protection protocols dhcpv4 ack statistics
clear ddos-protection protocols dhcpv4 aggregate
clear ddos-protection protocols dhcpv4v6
clear ddos-protection protocols dhcpv4v6 aggregate
clear ddos-protection protocols dhcpv4v6 aggregate culprit-flows
<clear-ddos-dhcpv4v6-aggregate-flows>
clear ddos-protection protocols dhcpv4v6 aggregate states
<clear-ddos-dhcpv4v6-aggregate-states>
clear ddos-protection protocols dhcpv4v6 aggregate statistics
<clear-ddos-dhcpv4v6-aggregate-statistics>
clear ddos-protection protocols dhcpv4v6 culprit-flows
<clear-ddos-dhcpv4v6-flows>
clear ddos-protection protocols dhcpv4v6 states
<clear-ddos-dhcpv4v6-states>
clear ddos-protection protocols dhcpv4v6 statistics
<clear-ddos-dhcpv4v6-statistics>
clear-ddos-demuxauto-aggregate-states
clear-ddos-demuxauto-aggregate-statistics
clear-ddos-demuxauto-states
clear-ddos-demuxauto-statistics
Copyright © 2017, Juniper Networks, Inc.
129
User Access and Authentication Feature Guide for Routing Devices
clear-ddos-dhcpv4-ack-states
clear ddos-protection protocols dhcpv4 ack statistics
clear-ddos-dhcpv4-ack-statistics
clear ddos-protection protocols dhcpv4 aggregate
clear ddos-protection protocols dhcpv4 aggregate states
clear-ddos-dhcpv4-aggregate-states
clear ddos-protection protocols dhcpv4 aggregate statistics
clear-ddos-dhcpv4-aggregate-statistics
clear ddos-protection protocols dhcpv4 bad-packets
clear ddos-protection protocols dhcpv4 bad-packets states
clear-ddos-dhcpv4-bad-pack-states
clear ddos-protection protocols dhcpv4 bad-packets statistics
clear-ddos-dhcpv4-bad-pack-statistics
clear ddos-protection protocols dhcpv4 bootp
clear ddos-protection protocols dhcpv4 bootp states
clear-ddos-dhcpv4-bootp-states
clear ddos-protection protocols dhcpv4 bootp statistics
clear-ddos-dhcpv4-bootp-statistics
clear ddos-protection protocols dhcpv4 decline
clear ddos-protection protocols dhcpv4 decline culprit-flows
clear ddos-protection protocols dhcpv4 decline states
clear-ddos-dhcpv4-decline-states
clear ddos-protection protocols dhcpv4 decline statistics
clear-ddos-dhcpv4-decline-statistics
clear ddos-protection protocols dhcpv4 discover
clear ddos-protection protocols dhcpv4 discover states
clear-ddos-dhcpv4-discover-states
clear ddos-protection protocols dhcpv4 discover statistics
clear-ddos-dhcpv4-discover-statistics
clear ddos-protection protocols dhcpv4 force-renew
clear ddos-protection protocols dhcpv4 force-renew culprit-flows
clear ddos-protection protocols dhcpv4 force-renew states
clear-ddos-dhcpv4-forcerenew-states
clear ddos-protection protocols dhcpv4 force-renew statistics
clear-ddos-dhcpv4-forcerenew-statistics
clear ddos-protection protocols dhcpv4 inform
clear ddos-protection protocols dhcpv4 inform culprit-flows
clear ddos-protection protocols dhcpv4 inform states
clear-ddos-dhcpv4-decline-states
clear-ddos-dhcpv4-decline-statistics
clear-ddos-dhcpv4-discover-states
clear-ddos-dhcpv4-discover-statistics
clear-ddos-dhcpv4-forcerenew-states
clear-ddos-dhcpv4-forcerenew-statistics
clear ddos-protection protocols dhcpv4 unclassified culprit-flows
clear ddos-protection protocols dhcpv4 unclassified states
clear-ddos-dhcpv4-unclass-states
clear ddos-protection protocols dhcpv4 unclassified statistics
clear-ddos-dhcpv4-unclass-statistics
clear ddos-protection protocols dhcpv6
clear ddos-protection protocols dhcpv6 advertise
clear ddos-protection protocols dhcpv6 advertise culprit-flows
clear ddos-protection protocols dhcpv6 advertise states
clear-ddos-dhcpv6-advertise-states
clear ddos-protection protocols dhcpv6 advertise statistics
clear-ddos-dhcpv6-advertise-statistics
clear ddos-protection protocols dhcpv6 aggregate
clear ddos-protection protocols dhcpv6 aggregate states
clear-ddos-dhcpv6-aggregate-states
clear ddos-protection protocols dhcpv6 aggregate statistics
clear-ddos-dhcpv6-aggregate-statistics
130
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
clear ddos-protection protocols dhcpv6 confirm
clear ddos-protection protocols dhcpv6 confirm culprit-flows
clear ddos-protection protocols dhcpv6 confirm states
clear-ddos-dhcpv6-confirm-states
clear ddos-protection protocols dhcpv6 confirm statistics
clear-ddos-dhcpv6-confirm-statistics
clear ddos-protection protocols dhcpv6 decline
clear ddos-protection protocols dhcpv6 decline states
clear-ddos-dhcpv6-decline-states
clear ddos-protection protocols dhcpv6 decline statistics
clear-ddos-dhcpv6-decline-statistics
clear ddos-protection protocols dhcpv6 information-request
clear ddos-protection protocols dhcpv6 information-request states
clear-ddos-dhcpv6-info-req-states
clear ddos-protection protocols dhcpv6 information-request statistics
clear-ddos-dhcpv6-info-req-statistics
clear ddos-protection protocols dhcpv6 leasequery
clear ddos-protection protocols dhcpv6 leasequery states
clear-ddos-dhcpv6-leasequery-states
clear ddos-protection protocols dhcpv6 leasequery statistics
clear-ddos-dhcpv6-leasequery-statistics
clear ddos-protection protocols dhcpv6 leasequery-data
clear ddos-protection protocols dhcpv6 leasequery-data states
clear ddos-protection protocols dhcpv6 leasequery-data statistics
clear ddos-protection protocols garp-reply
clear ddos-protection protocols garp-reply aggregate
clear ddos-protection protocols garp-reply aggregate culprit-flows
<clear-ddos-garp-reply-aggregate-flows>
clear ddos-protection protocols garp-reply aggregate states
<clear-ddos-garp-reply-aggregate-states>
clear ddos-protection protocols garp-reply aggregate statistics
<clear-ddos-garp-reply-aggregate-statistics>
clear ddos-protection protocols garp-reply culprit-flows
<clear-ddos-garp-reply-flows>
clear ddos-protection protocols garp-reply states
<clear-ddos-garp-reply-states>
clear ddos-protection protocols garp-reply statistics
<clear-ddos-garp-reply-statistics>
clear ddos-protection protocols gre hbc
clear ddos-protection protocols gre hbc culprit-flows
<clear-ddos-gre-hbc-flows>
clear ddos-protection protocols gre hbc states
<clear-ddos-gre-hbc-states>
clear ddos-protection protocols gre hbc statistics
<clear-ddos-gre-hbc-statistics>
clear ddos-protection protocols gre punt
clear ddos-protection protocols gre punt culprit-flows
<clear-ddos-gre-punt-flows>
clear ddos-protection protocols gre punt states
<clear-ddos-gre-punt-states>
clear ddos-protection protocols gre punt statistics
<clear-ddos-gre-punt-statistics>
clear ddos-protection protocols ipmc-reserved
clear ddos-protection protocols ipmc-reserved aggregate
clear ddos-protection protocols ipmc-reserved aggregate culprit-flows
<clear-ddos-ipmc-reserved-aggregate-flows>
clear ddos-protection protocols ipmc-reserved aggregate states
<clear-ddos-ipmc-reserved-aggregate-states>
clear ddos-protection protocols ipmc-reserved aggregate statistics
<clear-ddos-ipmc-reserved-aggregate-statistics>
clear ddos-protection protocols ipmc-reserved culprit-flows
Copyright © 2017, Juniper Networks, Inc.
131
User Access and Authentication Feature Guide for Routing Devices
<clear-ddos-ipmc-reserved-flows>
clear ddos-protection protocols ipmc-reserved states
<clear-ddos-ipmc-reserved-states>
clear ddos-protection protocols ipmc-reserved statistics
<clear-ddos-ipmc-reserved-statistics>
clear ddos-protection protocols ipmcast-miss
clear ddos-protection protocols ipmcast-miss aggregate
clear ddos-protection protocols ipmcast-miss aggregate culprit-flows
<clear-ddos-ipmcast-miss-aggregate-flows>
clear ddos-protection protocols ipmcast-miss aggregate states
<clear-ddos-ipmcast-miss-aggregate-states>
clear ddos-protection protocols ipmcast-miss aggregate statistics
<clear-ddos-ipmcast-miss-aggregate-statistics>
clear ddos-protection protocols ipmcast-miss culprit-flows
<clear-ddos-ipmcast-miss-flows>
clear ddos-protection protocols ipmcast-miss states
<clear-ddos-ipmcast-miss-states>
clear ddos-protection protocols ipmcast-miss statistics
<clear-ddos-ipmcast-miss-statistics>
clear ddos-protection protocols l3dest-miss
clear ddos-protection protocols l3dest-miss aggregate
clear ddos-protection protocols l3dest-miss aggregate culprit-flows
<clear-ddos-l3dest-miss-aggregate-flows>
clear ddos-protection protocols l3dest-miss aggregate states
<clear-ddos-l3dest-miss-aggregate-states>
clear ddos-protection protocols l3dest-miss aggregate statistics
<clear-ddos-l3dest-miss-aggregate-statistics>
clear ddos-protection protocols l3dest-miss culprit-flows
<clear-ddos-l3dest-miss-flows>
clear ddos-protection protocols l3dest-miss states
<clear-ddos-l3dest-miss-states>
clear ddos-protection protocols l3dest-miss statistics
<clear-ddos-l3dest-miss-statistics>
clear ddos-protection protocols l3mc-sgv-hit-icl
clear ddos-protection protocols l3mc-sgv-hit-icl aggregate
clear ddos-protection protocols l3mc-sgv-hit-icl aggregate culprit-flows
<clear-ddos-l3mc-sgv-hit-icl-aggregate-flows>
clear ddos-protection protocols l3mc-sgv-hit-icl aggregate states
<clear-ddos-l3mc-sgv-hit-icl-aggregate-states>
clear ddos-protection protocols l3mc-sgv-hit-icl aggregate statistics
<clear-ddos-l3mc-sgv-hit-icl-aggregate-statistics>
clear ddos-protection protocols l3mc-sgv-hit-icl culprit-flowsclear
ddos-protection protocols l3mc-sgv-hit-icl culprit-flows
<clear-ddos-l3mc-sgv-hit-icl-flows>
clear ddos-protection protocols l3mc-sgv-hit-icl states
<clear-ddos-l3mc-sgv-hit-icl-states>
clear ddos-protection protocols l3mc-sgv-hit-icl statistics
<clear-ddos-l3mc-sgv-hit-icl-statistics>
clear ddos-protection protocols l3mtu-fail
clear ddos-protection protocols l3mtu-fail aggregate
clear ddos-protection protocols l3mtu-fail aggregate culprit-flows
<clear-ddos-l3mtu-fail-aggregate-flows>
clear ddos-protection protocols l3mtu-fail aggregate states
<clear-ddos-l3mtu-fail-aggregate-states>
clear ddos-protection protocols l3mtu-fail aggregate statistics
<clear-ddos-l3mtu-fail-aggregate-statistics>
clear ddos-protection protocols l3mtu-fail culprit-flows
<clear-ddos-l3mtu-fail-flows>
clear ddos-protection protocols l3mtu-fail states
<clear-ddos-l3mtu-fail-states>
clear ddos-protection protocols l3mtu-fail statistics
132
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
<clear-ddos-l3mtu-fail-statistics>
clear ddos-protection protocols l3nhop
clear ddos-protection protocols l3nhop aggregate
clear ddos-protection protocols l3nhop aggregate culprit-flows
<clear-ddos-l3nhop-aggregate-flows>
clear ddos-protection protocols l3nhop aggregate states
<clear-ddos-l3nhop-aggregate-states>
clear ddos-protection protocols l3nhop aggregate statistics
<clear-ddos-l3nhop-aggregate-statistics>
clear ddos-protection protocols l3nhop culprit-flows
<clear-ddos-l3nhop-flows>
clear ddos-protection protocols l3nhop states
<clear-ddos-l3nhop-states>
clear ddos-protection protocols l3nhop statistics
<clear-ddos-l3nhop-statistics>
clear ddos-protection protocols localnh
clear ddos-protection protocols localnh aggregate
clear ddos-protection protocols localnh aggregate culprit-flows
<clear-ddos-localnh-aggregate-flows>
clear ddos-protection protocols localnh aggregate states
<clear-ddos-localnh-aggregate-states>
clear ddos-protection protocols localnh aggregate statistics
<clear-ddos-localnh-aggregate-statistics>
clear ddos-protection protocols localnh culprit-flows
<clear-ddos-localnh-flows>
clear ddos-protection protocols localnh states
<clear-ddos-localnh-states>
clear ddos-protection protocols localnh statistics
<clear-ddos-localnh-statistics>
clear-ddos-dhcpv4-unclass-states
clear-ddos-dhcpv4-unclass-statistics
clear-ddos-dhcpv6-advertise-states
clear-ddos-dhcpv6-advertise-statistics
clear-ddos-dhcpv6-aggregate-states
clear-ddos-dhcpv6-aggregate-statistics
clear-ddos-dhcpv6-confirm-states
clear-ddos-dhcpv6-confirm-statistics
clear-ddos-dhcpv6-decline-states
clear-ddos-dhcpv6-decline-statistics
clear-ddos-dhcpv6-info-req-states
clear-ddos-dhcpv6-info-req-statistics
clear-ddos-dhcpv6-leaseq-da-states
clear-ddos-dhcpv6-leasequery-states
clear-ddos-dhcpv6-leasequery-statistics
clear ddos-protection protocols dhcpv6 leasequery-done
clear ddos-protection protocols dhcpv6 leasequery-done states
clear-ddos-dhcpv6-leaseq-do-states
clear ddos-protection protocols dhcpv6 leasequery-done statistics
clear-ddos-dhcpv6-leaseq-do-statistics
clear ddos-protection protocols dhcpv6 leasequery-reply
clear ddos-protection protocols dhcpv6 leasequery-reply states
clear-ddos-dhcpv6-leaseq-re-states
clear ddos-protection protocols dhcpv6 leasequery-reply statistics
clear-ddos-dhcpv6-leaseq-re-statistics
clear ddos-protection protocols dhcpv6 rebind
clear ddos-protection protocols dhcpv6 rebind states
clear-ddos-dhcpv6-rebind-states
clear ddos-protection protocols dhcpv6 rebind statistics
clear-ddos-dhcpv6-rebind-statistics
clear ddos-protection protocols dhcpv6 reconfigure
clear ddos-protection protocols dhcpv6 reconfigure states
Copyright © 2017, Juniper Networks, Inc.
133
User Access and Authentication Feature Guide for Routing Devices
clear-ddos-dhcpv6-reconfig-states
clear ddos-protection protocols dhcpv6 reconfigure statistics
clear-ddos-dhcpv6-reconfig-statistics
clear ddos-protection protocols dhcpv6 relay-forward
clear ddos-protection protocols dhcpv6 relay-forward states
clear-ddos-dhcpv6-relay-for-states
clear ddos-protection protocols dhcpv6 relay-forward statistics
clear-ddos-dhcpv6-relay-for-statistics
clear ddos-protection protocols dhcpv6 relay-reply
clear ddos-protection protocols dhcpv6 relay-reply states
clear-ddos-dhcpv6-relay-rep-states
clear ddos-protection protocols dhcpv6 relay-reply statistics
clear-ddos-dhcpv6-relay-rep-statistics
clear ddos-protection protocols dhcpv6 release
clear ddos-protection protocols dhcpv6 release states
clear-ddos-dhcpv6-release-states
clear ddos-protection protocols dhcpv6 release statistics
clear-ddos-dhcpv6-release-statistics
clear ddos-protection protocols dhcpv6 renew
clear ddos-protection protocols dhcpv6 renew states
clear-ddos-dhcpv6-renew-states
clear ddos-protection protocols dhcpv6 renew statistics
clear-ddos-dhcpv6-renew-statistics
clear ddos-protection protocols dhcpv6 reply
clear ddos-protection protocols dhcpv6 reply states
clear-ddos-dhcpv6-reply-states
clear ddos-protection protocols dhcpv6 reply statistics
clear-ddos-dhcpv6-reply-statistics
clear ddos-protection protocols dhcpv6 request
clear ddos-protection protocols dhcpv6 request culprit-flows
clear ddos-protection protocols dhcpv6 request states
clear-ddos-dhcpv6-request-states
clear ddos-protection protocols dhcpv6 request statistics
clear-ddos-dhcpv6-request-statistics
clear ddos-protection protocols dhcpv6 solicit
clear ddos-protection protocols dhcpv6 solicit culprit-flows
clear ddos-protection protocols dhcpv6 solicit states
clear-ddos-dhcpv6-solicit-states
clear ddos-protection protocols dhcpv6 solicit statistics
clear-ddos-dhcpv6-solicit-statistics
clear ddos-protection protocols dhcpv6 states
clear-ddos-dhcpv6-states
clear ddos-protection protocols dhcpv6 statistics
clear-ddos-dhcpv6-statistics
clear ddos-protection protocols dhcpv6 unclassified
clear ddos-protection protocols dhcpv6 unclassified culprit-flows
clear ddos-protection protocols dhcpv6 unclassified states
clear-ddos-dhcpv6-unclass-states
clear ddos-protection protocols dhcpv6 unclassified statistics
clear-ddos-dhcpv6-unclass-statistics
clear ddos-protection protocols diameter
clear ddos-protection protocols diameter aggregate
clear ddos-protection protocols diameter aggregate culprit-flows
clear ddos-protection protocols diameter aggregate states
clear ddos-protection protocols diameter aggregate statistics
clear-ddos-dhcpv6-leaseq-da-statistics
clear-ddos-dhcpv6-leaseq-do-states
clear-ddos-dhcpv6-leaseq-do-statistics
clear-ddos-dhcpv6-leaseq-re-states
clear-ddos-dhcpv6-leaseq-re-statistics
clear-ddos-dhcpv6-rebind-states
134
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
clear-ddos-dhcpv6-rebind-statistics
clear-ddos-dhcpv6-reconfig-states
clear-ddos-dhcpv6-reconfig-statistics
clear-ddos-dhcpv6-relay-for-states
clear-ddos-dhcpv6-relay-for-statistics
clear-ddos-dhcpv6-relay-rep-states
clear-ddos-dhcpv6-relay-rep-statistics
clear-ddos-dhcpv6-release-states
clear-ddos-dhcpv6-release-statistics
clear-ddos-dhcpv6-renew-states
clear-ddos-dhcpv6-renew-statistics
clear-ddos-dhcpv6-reply-states
clear-ddos-dhcpv6-reply-statistics
clear-ddos-dhcpv6-request-states
clear-ddos-dhcpv6-request-statistics
clear-ddos-dhcpv6-solicit-states
clear-ddos-dhcpv6-solicit-statistics
clear-ddos-dhcpv6-states
clear-ddos-dhcpv6-statistics
clear-ddos-dhcpv6-unclass-states
clear-ddos-dhcpv6-unclass-statistics
clear-ddos-diameter-aggregate-states
clear ddos-protection protocols diameter aggregate statistics
clear-ddos-diameter-aggregate-statistics
clear ddos-protection protocols diameter states
clear-ddos-diameter-states
clear ddos-protection protocols diameter statistics
clear-ddos-diameter-statistics
clear ddos-protection protocols dns
clear ddos-protection protocols dns aggregate
clear ddos-protection protocols dns aggregate states
clear-ddos-dns-aggregate-states
clear ddos-protection protocols dns aggregate statistics
clear-ddos-dns-aggregate-statistics
clear ddos-protection protocols dns states
clear-ddos-dns-states
clear ddos-protection protocols dns statistics
clear-ddos-dns-statistics
clear ddos-protection protocols dtcp
clear ddos-protection protocols dtcp aggregate
clear ddos-protection protocols dtcp aggregate culprit-flows
clear ddos-protection protocols dtcp aggregate states
clear-ddos-dtcp-aggregate-states
clear ddos-protection protocols dtcp aggregate statistics
clear ddos-protection protocols dtcp culprit-flows
clear ddos-protection protocols dtcp states
clear-ddos-dtcp-states
clear ddos-protection protocols dtcp statistics
clear-ddos-dtcp-statistics
clear ddos-protection protocols dynamic-vlan
clear ddos-protection protocols dynamic-vlan aggregate
clear ddos-protection protocols dynamic-vlan aggregate culprit-flows
clear ddos-protection protocols dynamic-vlan aggregate states
clear-ddos-dynvlan-aggregate-states
clear ddos-protection protocols dynamic-vlan aggregate statistics
clear-ddos-dynvlan-aggregate-statistics
clear ddos-protection protocols dynamic-vlan states
clear-ddos-dynvlan-states
clear ddos-protection protocols dynamic-vlan statistics
clear-ddos-dynvlan-statistics
clear ddos-protection protocols egpv6
Copyright © 2017, Juniper Networks, Inc.
135
User Access and Authentication Feature Guide for Routing Devices
clear ddos-protection protocols egpv6 aggregate
clear ddos-protection protocols egpv6 aggregate culprit-flows
clear ddos-protection protocols egpv6 aggregate states
clear-ddos-egpv6-aggregate-states
clear ddos-protection protocols egpv6 aggregate statistics
clear-ddos-egpv6-aggregate-statistics
clear ddos-protection protocols egpv6 states
clear-ddos-egpv6-states
clear ddos-protection protocols egpv6 statistics
clear-ddos-egpv6-statistics
clear ddos-protection protocols eoam
clear ddos-protection protocols eoam aggregate
clear ddos-protection protocols eoam aggregate culprit-flows
clear ddos-protection protocols eoam aggregate states
clear-ddos-eoam-aggregate-states
clear ddos-protection protocols eoam aggregate statistics
clear-ddos-eoam-aggregate-statistics
clear ddos-protection protocols eoam states
clear-ddos-eoam-states
clear ddos-protection protocols eoam statistics
clear-ddos-eoam-statistics
clear ddos-protection protocols esmc
clear ddos-protection protocols esmc aggregate
clear ddos-protection protocols esmc aggregate culprit-flows
clear ddos-protection protocols esmc aggregate states
clear-ddos-esmc-aggregate-states
clear ddos-protection protocols esmc aggregate statistics
clear ddos-protection protocols esmc culprit-flows
clear ddos-protection protocols esmc states
clear-ddos-esmc-states
clear ddos-protection protocols esmc statistics
<clear-ddos-esmc-statistics>
clear ddos-protection protocols ethernet-tcc
clear ddos-protection protocols ethernet-tcc aggregate
clear ddos-protection protocols ethernet-tcc aggregate culprit-flows
<clear-ddos-eth-tcc-aggregate-flows>
clear ddos-protection protocols ethernet-tcc aggregate states
<clear-ddos-eth-tcc-aggregate-states>
clear ddos-protection protocols ethernet-tcc aggregate statistics
<clear-ddos-eth-tcc-aggregate-statistics>
clear ddos-protection protocols ethernet-tcc culprit-flows
<clear-ddos-eth-tcc-flows>
clear ddos-protection protocols ethernet-tcc states
<clear-ddos-eth-tcc-states>
clear ddos-protection protocols ethernet-tcc statistics
<clear-ddos-eth-tcc-statistics>
clear ddos-protection protocols exceptions
clear ddos-protection protocols exceptions aggregate
clear ddos-protection protocols exceptions aggregate culprit-flows
<clear-ddos-exception-aggregate-flows>
clear ddos-protection protocols exceptions aggregate states
<clear-ddos-exception-aggregate-states>
clear ddos-protection protocols exceptions aggregate statistics
<clear-ddos-exception-aggregate-statistics>
clear ddos-protection protocols exceptions culprit-flows
<clear-ddos-exception-flows>
clear ddos-protection protocols exceptions mcast-rpf-err
clear ddos-protection protocols exceptions mcast-rpf-err culprit-flows
<clear-ddos-exception-mcast-rpf-flows>
clear ddos-protection protocols exceptions mcast-rpf-err states
<clear-ddos-exception-mcast-rpf-states>
136
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
clear ddos-protection protocols exceptions mcast-rpf-err statistics
<clear-ddos-exception-mcast-rpf-statistics>
clear ddos-protection protocols exceptions mtu-exceeded
clear ddos-protection protocols exceptions mtu-exceeded culprit-flows
<clear-ddos-exception-mtu-exceed-flows>
clear ddos-protection protocols exceptions mtu-exceeded states
<clear-ddos-exception-mtu-exceed-states>
clear ddos-protection protocols exceptions mtu-exceeded statistics
<clear-ddos-exception-mtu-exceed-statistics>
clear ddos-protection protocols exceptions states
<clear-ddos-exception-states>
clear ddos-protection protocols exceptions statistics
<clear-ddos-exception-statistics>
clear ddos-protection protocols exceptions unclassified
clear ddos-protection protocols exceptions unclassified culprit-flows
<clear-ddos-exception-unclass-flows>
clear ddos-protection protocols exceptions unclassified states
<clear-ddos-exception-unclass-states>
clear ddos-protection protocols exceptions unclassified statistics
<clear-ddos-exception-unclass-statistics>
clear ddos-protection protocols fab-probe
clear ddos-protection protocols fab-probe aggregate
clear ddos-protection protocols fab-probe aggregate states
clear ddos-protection protocols fab-probe aggregate statistics
<clear-ddos-fab-probe-aggregate-statistics>
clear ddos-protection protocols martian-address
clear ddos-protection protocols martian-address aggregate
clear ddos-protection protocols martian-address aggregate culprit-flows
<clear-ddos-martian-address-aggregate-flows>
clear ddos-protection protocols martian-address aggregate states
<clear-ddos-martian-address-aggregate-states>
clear ddos-protection protocols martian-address aggregate statistics
<clear-ddos-martian-address-aggregate-statistics>
clear ddos-protection protocols martian-address culprit-flows
<clear-ddos-martian-address-flows>
clear ddos-protection protocols martian-address states
<clear-ddos-martian-address-states>
clear ddos-protection protocols martian-address statistics
<clear-ddos-martian-address-statistics>
clear-ddos-diameter-statistics
clear-ddos-dns-aggregate-states
clear-ddos-dns-aggregate-statistics
clear-ddos-dns-states
clear-ddos-dns-statistics
clear-ddos-dtcp-aggregate-states
clear-ddos-dtcp-aggregate-statistics
clear-ddos-dtcp-states
clear-ddos-dtcp-statistics
clear-ddos-dynvlan-aggregate-states
clear-ddos-dynvlan-aggregate-statistics
clear-ddos-dynvlan-states
clear-ddos-dynvlan-statistics
clear-ddos-egpv6-aggregate-states
clear-ddos-egpv6-aggregate-statistics
clear-ddos-egpv6-states
clear-ddos-egpv6-statistics
clear-ddos-eoam-aggregate-states
clear-ddos-eoam-aggregate-statistics
clear-ddos-eoam-states
clear-ddos-eoam-statistics
clear-ddos-esmc-aggregate-states
Copyright © 2017, Juniper Networks, Inc.
137
User Access and Authentication Feature Guide for Routing Devices
clear-ddos-esmc-aggregate-statistics
clear-ddos-esmc-states
clear ddos-protection protocols fab-probe states
<clear-ddos-fab-probe-states>
clear ddos-protection protocols fab-probe statistics
<clear-ddos-fab-probe-statistics>
clear-ddos-esmc-statistics
clear ddos-protection protocols firewall-host
clear ddos-protection protocols firewall-host aggregate
clear ddos-protection protocols firewall-host aggregate culprit-flows
clear ddos-protection protocols firewall-host aggregate states
clear-ddos-fw-host-aggregate-states
clear ddos-protection protocols firewall-host aggregate statistics
clear ddos-protection protocols firewall-host states
clear ddos-protection protocols firewall-host statistics
clear-ddos-esmc-statistics
clear-ddos-fw-host-aggregate-states
clear-ddos-fw-host-aggregate-statistics
<clear-ddos-fw-host-statistics>
clear-ddos-fw-host-states
clear ddos-protection protocols frame-relay
clear ddos-protection protocols frame-relay aggregate
clear ddos-protection protocols frame-relay aggregate culprit-flows
clear ddos-protection protocols frame-relay aggregate states
clear ddos-protection protocols frame-relay aggregate statistics
clear ddos-protection protocols frame-relay culprit-flows
clear ddos-protection protocols frame-relay frf15
clear ddos-protection protocols frame-relay frf15 culprit-flows
clear ddos-protection protocols frame-relay frf15 states
clear ddos-protection protocols frame-relay frf15 statistics
clear ddos-protection protocols frame-relay frf16
clear ddos-protection protocols frame-relay frf16 culprit-flows
clear ddos-protection protocols frame-relay frf16 states
clear ddos-protection protocols frame-relay frf16 statistics
clear ddos-protection protocols frame-relay states
clear ddos-protection protocols frame-relay statistics
clear ddos-protection protocols ftp
clear ddos-protection protocols ftp aggregate
clear ddos-protection protocols ftp aggregate culprit-flows
clear ddos-protection protocols ftp aggregate states
clear-ddos-ftp-aggregate-states
clear ddos-protection protocols ftp aggregate statistics
clear-ddos-ftp-aggregate-statistics
clear ddos-protection protocols ftp states
clear-ddos-ftp-states
clear ddos-protection protocols ftp statistics
clear-ddos-ftp-statistics
clear ddos-protection protocols ftpv6
clear ddos-protection protocols ftpv6 aggregate
clear ddos-protection protocols ftpv6 aggregate culprit-flows
clear ddos-protection protocols ftpv6 aggregate states
clear-ddos-ftpv6-aggregate-states
clear ddos-protection protocols ftpv6 aggregate statistics
clear-ddos-ftpv6-aggregate-statistics
clear ddos-protection protocols ftpv6 states
clear-ddos-ftpv6-states
clear ddos-protection protocols ftpv6 statistics
clear-ddos-ftpv6-statistics
clear ddos-protection protocols gre
clear ddos-protection protocols gre aggregate
clear ddos-protection protocols gre aggregate culprit-flow
138
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
clear ddos-protection protocols gre aggregate states
clear ddos-protection protocols gre culprit-flows
clear-ddos-ftp-statistics
clear-ddos-ftpv6-aggregate-states
clear-ddos-ftpv6-aggregate-statistics
clear-ddos-ftpv6-states
clear-ddos-ftpv6-statistics
clear-ddos-gre-aggregate-states
clear ddos-protection protocols gre aggregate statistics
clear-ddos-gre-aggregate-statistics
clear ddos-protection protocols gre states
clear-ddos-gre-states
clear ddos-protection protocols gre statistics
clear-ddos-gre-statistics
clear ddos-protection protocols icmp
clear ddos-protection protocols icmp aggregate
clear ddos-protection protocols icmp aggregate states
clear-ddos-icmp-aggregate-states
clear ddos-protection protocols icmp aggregate statistics
clear-ddos-icmp-aggregate-statistics
clear ddos-protection protocols icmp states
clear-ddos-icmp-states
clear ddos-protection protocols icmp statistics
clear-ddos-icmp-statistics
clear ddos-protection protocols icmpv6
clear ddos-protection protocols icmpv6 aggregate
clear ddos-protection protocols icmpv6 aggregate culprit-flows
clear ddos-protection protocols icmpv6 aggregate states
<clear-ddos-icmpv6-aggregate-states>
clear ddos-protection protocols icmpv6 aggregate statistics
<clear-ddos-icmp-aggregate-statistics>
<clear-ddos-icmpv6-aggregate-statistics>
clear ddos-protection protocols icmpv6 states
<clear-ddos-icmpv6-states>
clear ddos-protection protocols icmpv6 statistics
<clear-ddos-icmpv6-statistics>
clear ddos-protection protocols igmp
clear ddos-protection protocols igmp aggregate
clear ddos-protection protocols igmp aggregate culprit-flows
clear ddos-protection protocols igmp aggregate states
clear-ddos-igmp-aggregate-states
clear ddos-protection protocols igmp aggregate statistics
clear-ddos-igmp-aggregate-statistics
clear ddos-protection protocols igmp states
clear-ddos-igmp-states
clear ddos-protection protocols igmp statistics
clear-ddos-igmp-statistics
clear ddos-protection protocols igmp-snoop
clear ddos-protection protocols igmp-snoop aggregate
clear ddos-protection protocols igmp-snoop aggregate states
clear-ddos-igmp-snoop-aggregate-states
clear ddos-protection protocols igmp-snoop aggregate statistics
clear-ddos-igmp-snoop-aggregate-statistics
clear ddos-protection protocols igmp-snoop states
clear-ddos-igmp-snoop-states
clear ddos-protection protocols igmp-snoop statistics
clear-ddos-igmp-snoop-statistics
clear ddos-protection protocols igmpv4v6
clear ddos-protection protocols igmpv4v6 aggregate
clear ddos-protection protocols igmpv4v6 aggregate states
clear-ddos-igmpv4v6-aggregate-states
Copyright © 2017, Juniper Networks, Inc.
139
User Access and Authentication Feature Guide for Routing Devices
clear ddos-protection protocols igmpv4v6 aggregate statistics
clear ddos-protection protocols igmpv4v6 culprit-flows
clear ddos-protection protocols igmpv4v6 states
clear-ddos-igmpv4v6-states
clear ddos-protection protocols igmpv4v6 statistics
clear-ddos-igmpv4v6-statistics
clear ddos-protection protocols igmpv6
clear ddos-protection protocols igmpv6 aggregate
clear ddos-protection protocols igmpv6 aggregate culprit-flows
clear ddos-protection protocols igmpv6 aggregate states
clear ddos-protection protocols igmpv6 aggregate statistics
clear ddos-protection protocols igmpv6 states
clear ddos-protection protocols igmpv6 statistics
<clear-ddos-igmpv6-statistics>clear-ddos-igmp-snoop-states
clear-ddos-igmp-snoop-statistics
clear-ddos-igmp-statistics
clear-ddos-igmpv4v6-aggregate-states
clear-ddos-igmpv4v6-aggregate-statistics
clear-ddos-igmpv4v6-states
clear-ddos-igmpv4v6-statistics
clear-ddos-igmpv6-aggregate-states
clear ddos-protection protocols igmpv6 aggregate statistics
clear-ddos-igmpv6-aggregate-statistics
clear ddos-protection protocols igmpv6 states
clear-ddos-igmpv6-states
clear ddos-protection protocols inline-ka
clear ddos-protection protocols inline-ka aggregate
clear ddos-protection protocols inline-ka aggregate culprit-flows
clear ddos-protection protocols inline-ka aggregate states
clear ddos-protection protocols inline-ka aggregate statistics
clear ddos-protection protocols inline-ka culprit-flows
clear ddos-protection protocols inline-ka states
clear ddos-protection protocols inline-ka statistics
clear ddos-protection protocols inline-svcs
clear ddos-protection protocols inline-svcs aggregate
clear ddos-protection protocols inline-svcs aggregate culprit-flows
clear ddos-protection protocols inline-svcs aggregate states
clear ddos-protection protocols inline-svcs aggregate statistics
clear ddos-protection protocols inline-svcs culprit-flows
clear ddos-protection protocols inline-svcs states
clear ddos-protection protocols inline-svcs statistics
clear ddos-protection protocols ip-fragments
clear ddos-protection protocols ip-fragments aggregate
clear ddos-protection protocols ip-fragments aggregate states
clear-ddos-ip-frag-aggregate-states
clear ddos-protection protocols ip-fragments aggregate statistics
clear ddos-protection protocols ip-fragments culprit-flows
clear ddos-protection protocols ip-fragments first-fragment
clear ddos-protection protocols ip-fragments first-fragment states
clear-ddos-ip-frag-first-frag-states
clear ddos-protection protocols ip-fragments first-fragment statistics
clear-ddos-ip-frag-first-frag-statistics
clear ddos-protection protocols ip-fragments states
clear-ddos-ip-frag-states
clear ddos-protection protocols ip-fragments statistics
clear-ddos-ip-frag-statistics
clear ddos-protection protocols ip-fragments trail-fragment
clear ddos-protection protocols ip-fragments trail-fragment culprit-flows
clear ddos-protection protocols ip-fragments trail-fragment states
clear-ddos-ip-frag-trail-frag-states
clear ddos-protection protocols ip-fragments trail-fragment statistics
140
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
clear-ddos-ip-frag-trail-frag-statistics
clear ddos-protection protocols ip-options
clear ddos-protection protocols ip-options aggregate
clear ddos-protection protocols ip-options aggregate states
clear-ddos-ip-opt-aggregate-states
clear ddos-protection protocols ip-options aggregate statistics
clear-ddos-ip-opt-aggregate-statistics
clear ddos-protection protocols ip-options non-v4v6
clear ddos-protection protocols ip-options non-v4v6 states
<clear-ddos-ip-opt-non-v4v6-states>
clear-ddos-ip-frag-aggregate-states
clear-ddos-ip-frag-aggregate-statistics
clear-ddos-ip-frag-first-frag-states
clear-ddos-ip-frag-first-frag-statistics
clear-ddos-ip-frag-states
clear-ddos-ip-frag-statistics
clear-ddos-ip-frag-trail-frag-states
clear-ddos-ip-frag-trail-frag-statistics
clear-ddos-ip-opt-aggregate-states
clear-ddos-ip-opt-aggregate-statistics
clear ddos-protection protocols ip-options non-v4v6 statistics
<clear-ddos-ip-opt-non-v4v6-statistics>
clear ddos-protection protocols ip-options router-alert
clear ddos-protection protocols ip-options router-alert culprit-flows
clear ddos-protection protocols ip-options router-alert states
clear-ddos-ip-opt-rt-alert-states
clear ddos-protection protocols ip-options router-alert statistics
clear-ddos-ip-opt-rt-alert-statistics
clear ddos-protection protocols ip-options states
clear-ddos-ip-opt-states
clear ddos-protection protocols ip-options statistics
clear-ddos-ip-opt-statistics
clear ddos-protection protocols ip-options unclassified
clear ddos-protection protocols ip-options unclassified culprit-flows
clear ddos-protection protocols ip-options unclassified states
clear ddos-protection protocols ip-options unclassified statistics
clear-ddos-ip-opt-unclass-statistics
clear ddos-protection protocols ipv4-unclassified
clear ddos-protection protocols ipv4-unclassified aggregate
clear ddos-protection protocols ipv4-unclassified aggregate states
clear-ddos-ipv4-uncls-aggregate-states
clear ddos-protection protocols ipv4-unclassified aggregate statistics
clear-ddos-ipv4-uncls-aggregate-statistics
clear ddos-protection protocols ipv4-unclassified states
clear-ddos-ipv4-uncls-states
clear ddos-protection protocols ipv4-unclassified statistics
clear-ddos-ipv4-uncls-statistics
clear ddos-protection protocols ipv6-unclassified
clear ddos-protection protocols ipv6-unclassified aggregate
clear ddos-protection protocols ipv6-unclassified aggregate states
clear-ddos-ipv6-uncls-aggregate-states
clear ddos-protection protocols ipv6-unclassified aggregate statistics
clear-ddos-ipv6-uncls-aggregate-statistics
clear ddos-protection protocols ipv6-unclassified states
clear-ddos-ipv6-uncls-states
clear ddos-protection protocols ipv6-unclassified statistics
clear-ddos-ipv6-uncls-statistics
clear ddos-protection protocols isis
clear ddos-protection protocols isis aggregate
clear ddos-protection protocols isis aggregate culprit-flows
clear ddos-protection protocols isis aggregate states
Copyright © 2017, Juniper Networks, Inc.
141
User Access and Authentication Feature Guide for Routing Devices
clear-ddos-ip-opt-rt-alert-states
clear-ddos-ip-opt-rt-alert-statistics
clear-ddos-ip-opt-states
clear-ddos-ip-opt-statistics
clear-ddos-ip-opt-unclass-states
clear-ddos-ip-opt-unclass-statistics
clear-ddos-ipv4-uncls-aggregate-states
clear-ddos-isis-aggregate-states
clear ddos-protection protocols isis aggregate statistics
<clear-ddos-isis-aggregate-statistics>
clear ddos-protection protocols isis culprit-flows
clear ddos-protection protocols isis states
clear-ddos-isis-states
clear ddos-protection protocols isis statistics
clear-ddos-isis-statistics
clear ddos-protection protocols iso-tcc
clear ddos-protection protocols iso-tcc aggregate
clear ddos-protection protocols iso-tcc aggregate culprit-flows
<clear-ddos-iso-tcc-aggregate-flows>
clear ddos-protection protocols iso-tcc aggregate states
<clear-ddos-iso-tcc-aggregate-states>
clear ddos-protection protocols iso-tcc aggregate statistics
<clear-ddos-iso-tcc-aggregate-statistics>
clear ddos-protection protocols iso-tcc culprit-flows
<clear-ddos-iso-tcc-flows>
clear ddos-protection protocols iso-tcc states
<clear-ddos-iso-tcc-states>
clear ddos-protection protocols iso-tcc statistics
<clear-ddos-iso-tcc-statistics>
clear ddos-protection protocols jfm
clear ddos-protection protocols jfm aggregate
clear ddos-protection protocols jfm aggregate culprit-flows
clear ddos-protection protocols jfm aggregate states
clear-ddos-jfm-aggregate-states
clear ddos-protection protocols jfm aggregate statistics
clear-ddos-jfm-aggregate-statistics
clear ddos-protection protocols jfm states
clear-ddos-jfm-states
clear ddos-protection protocols jfm statistics
<clear-ddos-jfm-statistics>
clear ddos-protection protocols keepalive
clear ddos-protection protocols keepalive aggregate
clear ddos-protection protocols keepalive aggregate culprit-flows
clear ddos-protection protocols keepalive aggregate states
clear ddos-protection protocols keepalive aggregate statistics
clear ddos-protection protocols keepalive culprit-flows
clear ddos-protection protocols keepalive states
clear ddos-protection protocols keepalive statistics
clear ddos-protection protocols l2pt
clear ddos-protection protocols l2pt aggregate
clear ddos-protection protocols l2pt aggregate states
clear ddos-protection protocols l2pt aggregate statistics
clear ddos-protection protocols l2pt culprit-flows
clear ddos-protection protocols l2pt states
clear ddos-protection protocols l2pt statistics
clear ddos-protection protocols l2tp
clear ddos-protection protocols l2tp aggregate
clear ddos-protection protocols l2tp aggregate culprit-flows
clear ddos-protection protocols l2tp aggregate states
clear-ddos-l2tp-aggregate-states
clear ddos-protection protocols l2tp aggregate statistics
142
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
clear-ddos-l2tp-aggregate-statistics
clear ddos-protection protocols l2tp states
clear-ddos-l2tp-states
clear ddos-protection protocols l2tp statistics
clear-ddos-l2tp-statistics
clear ddos-protection protocols lacp
clear ddos-protection protocols lacp aggregate
clear ddos-protection protocols lacp aggregate culprit-flows
clear ddos-protection protocols lacp aggregate states
clear-ddos-lacp-aggregate-states
clear ddos-protection protocols lacp aggregate statistics
clear-ddos-lacp-aggregate-statistics
clear ddos-protection protocols lacp states
clear-ddos-lacp-states
clear ddos-protection protocols lacp statistics
clear-ddos-lacp-statistics
clear ddos-protection protocols ldp
clear ddos-protection protocols ldp aggregate
clear ddos-protection protocols ldp aggregate culprit-flows
clear ddos-protection protocols ldp aggregate states
clear-ddos-isis-states
clear-ddos-isis-statistics
clear-ddos-jfm-aggregate-states
clear-ddos-jfm-aggregate-statistics
clear-ddos-jfm-states
clear-ddos-l2tp-aggregate-states
clear-ddos-l2tp-aggregate-statistics
clear-ddos-l2tp-states
clear-ddos-l2tp-statistics
clear-ddos-lacp-aggregate-states
clear-ddos-lacp-aggregate-statistics
clear-ddos-lacp-states
clear-ddos-lacp-statistics
clear-ddos-ldp-aggregate-states
clear ddos-protection protocols ldp aggregate statistics
clear ddos-protection protocols ldp aggregate statistics
clear ddos-protection protocols ldp culprit-flows
clear ddos-protection protocols ldp culprit-flows
clear ddos-protection protocols ldp states
clear ddos-protection protocols ldp states
clear ddos-protection protocols ldp statistics
clear ddos-protection protocols ldp statistics
clear-ddos-ldp-statistics
clear ddos-protection protocols ldpv6
clear ddos-protection protocols ldpv6
clear ddos-protection protocols ldpv6 aggregate
clear ddos-protection protocols ldpv6 aggregate
clear ddos-protection protocols ldpv6 aggregate culprit-flows
clear ddos-protection protocols ldpv6 aggregate culprit-flows
clear ddos-protection protocols ldpv6 aggregate states
clear ddos-protection protocols ldpv6 aggregate states
clear ddos-protection protocols ldpv6 aggregate statistics
clear ddos-protection protocols ldpv6 aggregate statistics
clear-ddos-ldpv6-aggregate-statistics
clear ddos-protection protocols ldpv6 states
clear ddos-protection protocols ldpv6 states
clear ddos-protection protocols ldpv6 statistics
clear ddos-protection protocols ldpv6 statistics
clear ddos-protection protocols lldp
clear ddos-protection protocols lldp
clear ddos-protection protocols lldp aggregate
Copyright © 2017, Juniper Networks, Inc.
143
User Access and Authentication Feature Guide for Routing Devices
clear ddos-protection protocols lldp aggregate
clear ddos-protection protocols lldp aggregate culprit-flows
clear ddos-protection protocols lldp aggregate culprit-flows
clear ddos-protection protocols lldp aggregate states
clear ddos-protection protocols lldp aggregate states
clear ddos-protection protocols lldp aggregate statistics
clear ddos-protection protocols lldp aggregate statistics
clear ddos-protection protocols lldp states
clear ddos-protection protocols lldp states
clear-ddos-lldp-states
clear ddos-protection protocols lldp statistics
clear ddos-protection protocols lldp statistics
clear ddos-protection protocols lmp
clear ddos-protection protocols lmp
clear ddos-protection protocols lmp aggregate
clear ddos-protection protocols lmp aggregate
clear ddos-protection protocols lmp aggregate culprit-flows
clear ddos-protection protocols lmp aggregate culprit-flows
clear ddos-protection protocols lmp aggregate states
clear ddos-protection protocols lmp aggregate states
clear ddos-protection protocols lmp aggregate statistics
clear ddos-protection protocols lmp aggregate statistics
clear ddos-protection protocols lmp states
clear ddos-protection protocols lmp states
clear ddos-protection protocols lmp statistics
clear ddos-protection protocols lmp statistics
clear ddos-protection protocols lmpv6
clear ddos-protection protocols lmpv6
clear ddos-protection protocols lmpv6 aggregate
clear ddos-protection protocols lmpv6 aggregate
clear ddos-protection protocols lmpv6 aggregate culprit-flows
clear ddos-protection protocols lmpv6 aggregate culprit-flows
clear ddos-protection protocols lmpv6 aggregate states
clear ddos-protection protocols lmpv6 aggregate states
clear ddos-protection protocols lmpv6 aggregate statistics
clear ddos-protection protocols lmpv6 aggregate statistics
clear ddos-protection protocols lmpv6 culprit-flows
clear ddos-protection protocols lmpv6 states
clear-ddos-lmpv6-states
clear ddos-protection protocols lmpv6 statistics
clear-ddos-lmpv6-statistics
clear ddos-protection protocols mac-host
clear ddos-protection protocols mac-host aggregate
clear ddos-protection protocols mac-host aggregate culprit-flows
clear ddos-protection protocols mac-host aggregate states
clear-ddos-mac-host-aggregate-states
clear ddos-protection protocols mac-host aggregate statistics
clear-ddos-mac-host-aggregate-statistics
clear ddos-protection protocols mac-host states
clear-ddos-mac-host-states
clear ddos-protection protocols mac-host statistics
clear ddos-protection protocols mcast-snoop
clear ddos-protection protocols mcast-snoop aggregate
clear ddos-protection protocols mcast-snoop aggregate culprit-flows
clear ddos-protection protocols mcast-snoop aggregate states
clear ddos-protection protocols mcast-snoop aggregate statistics
clear ddos-protection protocols mcast-snoop culprit-flows
clear ddos-protection protocols mcast-snoop igmp
clear ddos-protection protocols mcast-snoop igmp culprit-flows
<clear-ddos-mcast-snoop-igmp-flows>
clear ddos-protection protocols mcast-snoop igmp states
144
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
<clear-ddos-mcast-snoop-igmp-states>
clear ddos-protection protocols mcast-snoop igmp statistics
<clear-ddos-mcast-snoop-igmp-statistics>
clear ddos-protection protocols mcast-snoop mld
clear ddos-protection protocols mcast-snoop mld culprit-flows
<clear-ddos-mcast-snoop-mld-flows>
clear ddos-protection protocols mcast-snoop mld states
<clear-ddos-mcast-snoop-mld-states>
clear ddos-protection protocols mcast-snoop mld statistics
<clear-ddos-mcast-snoop-mld-statistics>
clear ddos-protection protocols mld
clear ddos-protection protocols mld aggregate
clear ddos-protection protocols mld aggregate culprit-flows
<clear-ddos-mld-aggregate-flows>
clear ddos-protection protocols mld aggregate states
<clear-ddos-mld-aggregate-states>
clear ddos-protection protocols mld aggregate statistics
<clear-ddos-mld-aggregate-statistics>
clear ddos-protection protocols mld culprit-flows
<clear-ddos-mld-flows>
clear ddos-protection protocols mld states
<clear-ddos-mld-states>
clear ddos-protection protocols mld statistics
<clear-ddos-mld-statistics>
clear ddos-protection protocols mlp
clear ddos-protection protocols mlp add
clear ddos-protection protocols mlp add culprit-flows
<clear-ddos-mlp-add-flows>
clear ddos-protection protocols mlp add states
<clear-ddos-mlp-add-states>
clear ddos-protection protocols mlp add statistics
<clear-ddos-mlp-add-statistics>
clear ddos-protection protocols mlp aggregate
clear ddos-protection protocols mlp aggregate culprit-flows
clear ddos-protection protocols mlp aggregate states
clear-ddos-mlp-aggregate-states
clear ddos-protection protocols mlp aggregate statistics
clear-ddos-mlp-aggregate-statistics
clear ddos-protection protocols mlp aging-exception
clear ddos-protection protocols mlp aging-exception culprit-flows
clear ddos-protection protocols mlp aging-exception states
clear-ddos-mlp-aging-exc-states
clear ddos-protection protocols mlp aging-exception statistics
clear-ddos-mlp-aging-exc-statistics
clear ddos-protection protocols mlp packets
clear ddos-protection protocols mlp packets states
clear-ddos-mlp-packets-states
clear ddos-protection protocols mlp packets statistics
clear-ddos-mlp-packets-statistics
clear ddos-protection protocols mlp macpin-exception
clear ddos-protection protocols mlp macpin-exception culprit-flows
<clear-ddos-mlp-mac-pinning-flows>
clear ddos-protection protocols mlp macpin-exception states
<clear-ddos-mlp-mac-pinning-states>
clear ddos-protection protocols mlp macpin-exception statistics
<clear-ddos-mlp-mac-pinning-statistics>
clear ddos-protection protocols mlp states
clear-ddos-mlp-states
clear ddos-protection protocols mlp statistics
clear-ddos-mlp-statistics
clear ddos-protection protocols mlp unclassified
Copyright © 2017, Juniper Networks, Inc.
145
User Access and Authentication Feature Guide for Routing Devices
clear ddos-protection protocols mlp unclassified states
clear-ddos-mlp-unclass-states
clear ddos-protection protocols mlp unclassified statistics
clear-ddos-mlp-unclass-statistics
clear ddos-protection protocols msdp
clear ddos-protection protocols msdp aggregate
clear ddos-protection protocols msdp aggregate states
clear-ddos-msdp-aggregate-states
clear ddos-protection protocols msdp aggregate statistics
clear ddos-protection protocols msdp culprit-flows
clear ddos-protection protocols msdp states
clear-ddos-msdp-states
clear ddos-protection protocols msdp statistics
clear-ddos-msdp-statistics
clear ddos-protection protocols msdpv6
clear ddos-protection protocols msdpv6 aggregate
clear ddos-protection protocols msdpv6 aggregate culprit-flows
clear ddos-protection protocols msdpv6 aggregate states
clear-ddos-msdpv6-aggregate-states
clear ddos-protection protocols msdpv6 aggregate statistics
clear-ddos-msdpv6-aggregate-statistics
clear ddos-protection protocols msdpv6 states
clear-ddos-msdpv6-states
clear ddos-protection protocols msdpv6 statistics
clear-ddos-msdpv6-statistics
clear ddos-protection protocols multicast-copy
clear ddos-protection protocols multicast-copy aggregate
clear ddos-protection protocols multicast-copy aggregate states
clear-ddos-mcast-copy-aggregate-states
clear ddos-protection protocols multicast-copy aggregate statistics
clear-ddos-mcast-copy-aggregate-statistics
clear ddos-protection protocols multicast-copy states
clear-ddos-mcast-copy-states
clear ddos-protection protocols multicast-copy statistics
clear-ddos-mcast-copy-statistics
clear ddos-protection protocols mvrp
clear ddos-protection protocols mvrp aggregate
clear ddos-protection protocols mvrp aggregate states
clear-ddos-mvrp-aggregate-states
clear ddos-protection protocols mvrp aggregate statistics
clear ddos-protection protocols mvrp culprit-flows
clear ddos-protection protocols mvrp states
clear-ddos-mvrp-states
clear ddos-protection protocols mvrp statistics
clear-ddos-mvrp-statistics
clear ddos-protection protocols ndpv6
clear ddos-protection protocols ndpv6 aggregate
clear ddos-protection protocols ndpv6 aggregate states
clear ddos-protection protocols ndpv6 aggregate statistics
clear ddos-protection protocols ndpv6 neighbor-advertisement
clear ddos-protection protocols ndpv6 neighbor-advertisement culprit-flows
<clear-ddos-ndpv6-neighb-adv-flows>
clear ddos-protection protocols ndpv6 neighbor-advertisement states
<clear-ddos-ndpv6-neighb-adv-states>
clear ddos-protection protocols ndpv6 neighbor-advertisement statistics
<clear-ddos-ndpv6-neighb-adv-statistics>
clear ddos-protection protocols ndpv6 neighbor-solicitation
clear ddos-protection protocols ndpv6 neighbor-solicitation culprit-flows
<clear-ddos-ndpv6-neighb-sol-flows>
clear ddos-protection protocols ndpv6 neighbor-solicitation states
<clear-ddos-ndpv6-neighb-sol-states>
146
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
clear ddos-protection protocols ndpv6 neighbor-solicitation statistics
<clear-ddos-ndpv6-neighb-sol-statistics>
clear ddos-protection protocols ndpv6 redirect
clear ddos-protection protocols ndpv6 redirect culprit-flows
<clear-ddos-ndpv6-redirect-flows>
clear ddos-protection protocols ndpv6 redirect states
<clear-ddos-ndpv6-redirect-states>
clear ddos-protection protocols ndpv6 redirect statistics
<clear-ddos-ndpv6-redirect-statistics>
clear ddos-protection protocols ndpv6 router-advertisement
clear ddos-protection protocols ndpv6 router-advertisement culprit-flows
<clear-ddos-ndpv6-router-adv-flows>
clear ddos-protection protocols ndpv6 router-advertisement states
<clear-ddos-ndpv6-router-adv-states>
clear ddos-protection protocols ndpv6 router-advertisement statistics
<clear-ddos-ndpv6-router-adv-statistics>
clear ddos-protection protocols ndpv6 router-solicitation
clear ddos-protection protocols ndpv6 router-solicitation culprit-flows
<clear-ddos-ndpv6-router-sol-flows>
clear ddos-protection protocols ndpv6 router-solicitation states
<clear-ddos-ndpv6-router-sol-states>
clear ddos-protection protocols ndpv6 router-solicitation statistics
<clear-ddos-ndpv6-router-sol-statistics>
clear ddos-protection protocols ndpv6 states
clear ddos-protection protocols ndpv6 statistics
clear ddos-protection protocols nonucast-switch
clear ddos-protection protocols nonucast-switch aggregate
clear ddos-protection protocols nonucast-switch aggregate culprit-flows
<clear-ddos-nonucast-switch-aggregate-flows>
clear ddos-protection protocols nonucast-switch aggregate states
<clear-ddos-nonucast-switch-aggregate-states>
clear ddos-protection protocols nonucast-switch aggregate statistics
<clear-ddos-nonucast-switch-aggregate-statistics>
clear ddos-protection protocols nonucast-switch culprit-flows
<clear-ddos-nonucast-switch-flows>
clear ddos-protection protocols nonucast-switch states
<clear-ddos-nonucast-switch-states>
clear ddos-protection protocols nonucast-switch statistics
<clear-ddos-nonucast-switch-statistics>
clear ddos-protection protocols ntp aggregate
clear ddos-protection protocols ntp aggregate states
clear-ddos-ntp-aggregate-states
clear ddos-protection protocols ntp aggregate statistics
clear ddos-protection protocols ntp culprit-flows
clear ddos-protection protocols ntp states
clear-ddos-ntp-states
clear ddos-protection protocols ntp statistics
clear-ddos-ntp-statistics
clear ddos-protection protocols oam-cfm
clear ddos-protection protocols oam-cfm aggregate
clear ddos-protection protocols oam-cfm aggregate culprit-flows
<clear-ddos-oam-cfm-aggregate-flows>
clear ddos-protection protocols oam-cfm aggregate states
<clear-ddos-oam-cfm-aggregate-states>
clear ddos-protection protocols oam-cfm aggregate statistics
<clear-ddos-oam-cfm-aggregate-statistics>
clear ddos-protection protocols oam-cfm culprit-flows
<clear-ddos-oam-cfm-flows>
clear ddos-protection protocols oam-cfm states
<clear-ddos-oam-cfm-states>
clear ddos-protection protocols oam-cfm statistics
Copyright © 2017, Juniper Networks, Inc.
147
User Access and Authentication Feature Guide for Routing Devices
<clear-ddos-oam-cfm-statistics>
clear ddos-protection protocols oam-lfm
clear ddos-protection protocols oam-lfm aggregate
clear ddos-protection protocols oam-lfm aggregate states
clear-ddos-oam-lfm-aggregate-states
clear ddos-protection protocols oam-lfm aggregate statistics
clear-ddos-oam-lfm-aggregate-statistics
clear ddos-protection protocols oam-lfm states
clear-ddos-oam-lfm-states
clear ddos-protection protocols oam-lfm statistics
clear-ddos-oam-lfm-statistics
clear ddos-protection protocols ospf
clear ddos-protection protocols ospf aggregate
clear ddos-protection protocols ospf aggregate culprit-flows
clear ddos-protection protocols ospf aggregate states
clear-ddos-ospf-aggregate-states
clear ddos-protection protocols ospf aggregate statistics
clear-ddos-ospf-aggregate-statistics
clear ddos-protection protocols ospf states
clear ddos-protection protocols ospf statistics
clear ddos-protection protocols ospf-hello
clear ddos-protection protocols ospf-hello aggregate
clear ddos-protection protocols ospf-hello aggregate culprit-flows
<clear-ddos-ospf-hello-aggregate-flows>
clear ddos-protection protocols ospf-hello aggregate states
<clear-ddos-ospf-hello-aggregate-states>
clear ddos-protection protocols ospf-hello aggregate statistics
<clear-ddos-ospf-hello-aggregate-statistics>
clear ddos-protection protocols ospf-hello culprit-flows
<clear-ddos-ospf-hello-flows>
clear ddos-protection protocols ospf-hello states
<clear-ddos-ospf-hello-states>
clear ddos-protection protocols ospf-hello statistics
<clear-ddos-ospf-hello-statistics>
clear ddos-protection protocols ospfv3v6
clear ddos-protection protocols ospfv3v6 aggregate
clear ddos-protection protocols ospfv3v6 aggregate culprit-flows
clear ddos-protection protocols ospfv3v6 aggregate states
clear ddos-protection protocols ospfv3v6 aggregate statistics
clear ddos-protection protocols ospfv3v6 states
clear ddos-protection protocols ospfv3v6 statistics
clear-ddos-ldp-states
<clear-ddos-ldp-states>
clear ddos-protection protocols ldp-hello
clear ddos-protection protocols ldp-hello aggregate
clear ddos-protection protocols ldp-hello aggregate culprit-flows
<clear-ddos-ldp-hello-aggregate-flows>
clear ddos-protection protocols ldp-hello aggregate states
<clear-ddos-ldp-hello-aggregate-states>
clear ddos-protection protocols ldp-hello aggregate statistics
<clear-ddos-ldp-hello-aggregate-statistics>
clear ddos-protection protocols ldp-hello culprit-flows
<clear-ddos-ldp-hello-flows>
clear ddos-protection protocols ldp-hello states
<clear-ddos-ldp-hello-states>
clear ddos-protection protocols ldp-hello statistics
<clear-ddos-ldp-hello-statistics>
clear-ddos-ldp-statistics
clear-ddos-ldp-statistics
clear-ddos-ldpv6-aggregate-states
clear-ddos-ldpv6-aggregate-states
148
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
clear-ddos-ldpv6-aggregate-statistics
clear-ddos-ldpv6-aggregate-statistics
clear-ddos-ldpv6-states
clear-ddos-ldpv6-states
clear-ddos-ldpv6-statistics
clear-ddos-ldpv6-statistics
clear-ddos-lldp-aggregate-states
clear-ddos-lldp-aggregate-states
clear-ddos-lldp-aggregate-statistics
clear-ddos-lldp-aggregate-statistics
clear-ddos-lldp-states
clear-ddos-lldp-states
clear-ddos-lldp-statistics
clear-ddos-lldp-statistics
clear-ddos-lmp-aggregate-states
clear-ddos-lmp-aggregate-states
clear-ddos-lmp-aggregate-statistics
clear-ddos-lmp-aggregate-statistics
clear-ddos-lmp-states
clear-ddos-lmp-states
clear-ddos-lmp-statistics
clear-ddos-lmp-statistics
clear-ddos-lmpv6-aggregate-states
clear-ddos-lmpv6-aggregate-states
clear-ddos-lmpv6-states
clear-ddos-lmpv6-statistics
clear-ddos-mac-host-aggregate-states
clear-ddos-mac-host-aggregate-statistics
clear-ddos-mac-host-states
clear-ddos-mac-host-statistics
clear-ddos-mcast-copy-aggregate-states
clear-ddos-mcast-copy-aggregate-statistics
clear-ddos-mcast-copy-states
clear-ddos-mcast-copy-statistics
clear-ddos-mlp-aggregate-states
clear-ddos-mlp-aggregate-statistics
clear-ddos-mlp-aging-exc-states
clear-ddos-mlp-aging-exc-statistics
clear-ddos-mlp-packets-states
clear-ddos-mlp-packets-statistics
clear-ddos-mlp-states
clear-ddos-mlp-statistics
clear-ddos-mlp-unclass-states
clear-ddos-mlp-unclass-statistics
clear-ddos-msdp-aggregate-states
clear-ddos-msdp-aggregate-statistics
clear-ddos-msdp-states
clear-ddos-msdp-statistics
clear-ddos-msdpv6-aggregate-states
clear-ddos-msdpv6-aggregate-statistics
clear-ddos-msdpv6-states
clear-ddos-msdpv6-statistics
clear ddos-protection protocols multihop-bfd
clear ddos-protection protocols multihop-bfd
clear ddos-protection protocols multihop-bfd
<clear-ddos-mhop-bfd-aggregate-flows>
clear ddos-protection protocols multihop-bfd
<clear-ddos-mhop-bfd-aggregate-states>
clear ddos-protection protocols multihop-bfd
<clear-ddos-mhop-bfd-aggregate-statistics>
clear ddos-protection protocols multihop-bfd
Copyright © 2017, Juniper Networks, Inc.
aggregate
aggregate culprit-flows
aggregate states
aggregate statistics
culprit-flows
149
User Access and Authentication Feature Guide for Routing Devices
<clear-ddos-mhop-bfd-flows>
clear ddos-protection protocols multihop-bfd states
<clear-ddos-mhop-bfd-states>
clear ddos-protection protocols multihop-bfd statistics
<clear-ddos-mhop-bfd-statistics>
clear-ddos-mvrp-aggregate-states
clear-ddos-mvrp-aggregate-statistics
clear-ddos-mvrp-states
clear-ddos-mvrp-statistics
clear-ddos-ntp-aggregate-states
clear-ddos-ntp-aggregate-statistics
clear-ddos-ntp-states
clear-ddos-ntp-statistics
clear-ddos-oam-lfm-aggregate-states
clear-ddos-oam-lfm-aggregate-statistics
clear-ddos-oam-lfm-states
clear-ddos-oam-lfm-statistics
clear-ddos-ospf-aggregate-states
clear-ddos-ospf-aggregate-statistics
clear-ddos-ospf-states
clear-ddos-ospf-statistics
clear-ddos-ospfv3v6-aggregate-states
clear ddos-protection protocols ospfv3v6 aggregate statistics
clear-ddos-ospfv3v6-aggregate-statistics
clear ddos-protection protocols ospfv3v6 states
clear-ddos-ospfv3v6-states
clear ddos-protection protocols pimv6
clear-ddos-pim-statistics
clear ddos-protection protocols pim-ctrl
clear ddos-protection protocols pim-ctrl aggregate
clear ddos-protection protocols pim-ctrl aggregate culprit-flows
<clear-ddos-pim-ctrl-aggregate-flows>
clear ddos-protection protocols pim-ctrl aggregate states
<clear-ddos-pim-ctrl-aggregate-states>
clear ddos-protection protocols pim-ctrl aggregate statistics
<clear-ddos-pim-ctrl-aggregate-statistics>
clear ddos-protection protocols pim-ctrl culprit-flows
<clear-ddos-pim-ctrl-flows>
clear ddos-protection protocols pim-ctrl states
<clear-ddos-pim-ctrl-states>
clear ddos-protection protocols pim-ctrl statistics
<clear-ddos-pim-ctrl-statistics>
clear ddos-protection protocols pim-data
clear ddos-protection protocols pim-data aggregate
clear ddos-protection protocols pim-data aggregate culprit-flows
<clear-ddos-pim-data-aggregate-flows>
clear ddos-protection protocols pim-data aggregate states
<clear-ddos-pim-data-aggregate-states>
clear ddos-protection protocols pim-data aggregate statistics
<clear-ddos-pim-data-aggregate-statistics>
clear ddos-protection protocols pim-data culprit-flows
<clear-ddos-pim-data-flows>
clear ddos-protection protocols pim-data states
<clear-ddos-pim-data-states>
clear ddos-protection protocols pim-data statistics
<clear-ddos-pim-data-statistics>
clear ddos-protection protocols pfe-alive
clear ddos-protection protocols pfe-alive aggregate
clear ddos-protection protocols pfe-alive aggregate states
clear-ddos-pfe-alive-aggregate-states
clear ddos-protection protocols pfe-alive aggregate statistics
150
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
clear ddos-protection protocols pfe-alive culprit-flows
clear ddos-protection protocols pfe-alive states
clear-ddos-pfe-alive-states
clear ddos-protection protocols pfe-alive statistics
clear-ddos-pfe-alive-statistics
clear ddos-protection protocols pim
clear ddos-protection protocols pim aggregate
clear ddos-protection protocols pim aggregate states
clear-ddos-pim-aggregate-states
clear ddos-protection protocols pim aggregate statistics
clear ddos-protection protocols pim culprit-flows
clear ddos-protection protocols pim states
clear-ddos-pim-states
clear ddos-protection protocols pim statistics
clear-ddos-pim-statistics
clear ddos-protection protocols pimv6
clear ddos-protection protocols pimv6 aggregate
clear ddos-protection protocols pimv6 aggregate culprit-flows
clear ddos-protection protocols pimv6 aggregate states
clear ddos-protection protocols pimv6 aggregate statistics
clear ddos-protection protocols pimv6 states
clear ddos-protection protocols pimv6 statistics
clear ddos-protection protocols pkt-inject
clear ddos-protection protocols pkt-inject aggregate
clear ddos-protection protocols pkt-inject aggregate culprit-flows
<clear-ddos-pkt-inject-aggregate-flows>
clear ddos-protection protocols pkt-inject aggregate states
<clear-ddos-pkt-inject-aggregate-states>
clear ddos-protection protocols pkt-inject aggregate statistics
<clear-ddos-pkt-inject-aggregate-statistics>
clear ddos-protection protocols pkt-inject culprit-flows
<clear-ddos-pkt-inject-flows>
clear ddos-protection protocols pkt-inject states
<clear-ddos-pkt-inject-states>
clear ddos-protection protocols pkt-inject statistics
<clear-ddos-pkt-inject-statistics>clear ddos-protection protocols pmvrp
clear ddos-protection protocols pmvrp aggregate
clear ddos-protection protocols pmvrp aggregate states
clear-ddos-pmvrp-aggregate-states
clear ddos-protection protocols pmvrp aggregate statistics
clear ddos-protection protocols pmvrp culprit-flows
clear ddos-protection protocols pmvrp culprit-flows
clear ddos-protection protocols pmvrp culprit-flows
clear ddos-protection protocols pmvrp culprit-flows
clear ddos-protection protocols pmvrp culprit-flows
clear ddos-protection protocols pmvrp culprit-flows
clear ddos-protection protocols pmvrp culprit-flows
clear ddos-protection protocols pmvrp states
clear-ddos-pmvrp-states
clear ddos-protection protocols pmvrp statistics
clear-ddos-pmvrp-statistics
clear ddos-protection protocols pos
clear ddos-protection protocols pos aggregate
clear ddos-protection protocols pos aggregate states
clear-ddos-pos-aggregate-states
clear ddos-protection protocols pos aggregate statistics
clear-ddos-pos-aggregate-statistics
clear ddos-protection protocols pos states
clear-ddos-pos-states
clear ddos-protection protocols pos statistics
clear-ddos-pos-statistics
Copyright © 2017, Juniper Networks, Inc.
151
User Access and Authentication Feature Guide for Routing Devices
clear ddos-protection protocols ppp
clear ddos-protection protocols ppp aggregate
clear ddos-protection protocols ppp aggregate states
clear-ddos-ppp-aggregate-states
clear ddos-protection protocols ppp aggregate statistics
clear-ddos-ppp-aggregate-statistics
clear ddos-protection protocols ppp authentication
clear ddos-protection protocols ppp authentication states
clear-ddos-ppp-auth-states
clear ddos-protection protocols ppp authentication statistics
clear-ddos-ppp-auth-statistics
clear ddos-protection protocols ppp ipcp
clear ddos-protection protocols ppp ipcp states
clear-ddos-ppp-ipcp-states
clear ddos-protection protocols ppp ipcp statistics
clear-ddos-ppp-ipcp-statistics
clear ddos-protection protocols ppp ipv6cp
clear ddos-protection protocols ppp ipv6cp states
clear-ddos-ppp-ipv6cp-states
clear ddos-protection protocols ppp ipv6cp statistics
clear-ddos-ppp-ipv6cp-statistics
clear ddos-protection protocols ppp isis
clear ddos-protection protocols ppp isis states
clear-ddos-ppp-isis-states
clear ddos-protection protocols ppp isis statistics
clear-ddos-ppp-isis-statistics
clear ddos-protection protocols ppp lcp
clear ddos-protection protocols ppp lcp states
clear-ddos-ppp-lcp-states
clear ddos-protection protocols ppp lcp statistics
clear-ddos-ppp-lcp-statistics
clear ddos-protection protocols ppp mplscp
clear ddos-protection protocols ppp mplscp states
clear-ddos-ppp-mplscp-states
clear ddos-protection protocols ppp mplscp statistics
clear-ddos-ppp-mplscp-statistics
clear ddos-protection protocols ppp states
clear-ddos-ppp-states
clear ddos-protection protocols ppp statistics
clear-ddos-ppp-statistics
clear ddos-protection protocols ppp unclassified
clear ddos-protection protocols ppp unclassified states
clear ddos-protection protocols ppp unclassified statistics
<clear-ddos-ppp-unclass-statistics>
clear ddos-protection protocols pppoe
clear ddos-protection protocols pppoe aggregate
clear ddos-protection protocols pppoe aggregate states
clear-ddos-pppoe-aggregate-states
clear ddos-protection protocols pppoe aggregate statistics
clear-ddos-pppoe-aggregate-statistics
clear ddos-protection protocols pppoe padi
clear ddos-protection protocols pppoe padi states
clear-ddos-pppoe-padi-states
clear ddos-protection protocols pppoe padi statistics
clear-ddos-pppoe-padi-statistics
clear ddos-protection protocols pppoe padm
clear ddos-protection protocols pppoe padm states
clear-ddos-pppoe-padm-states
clear ddos-protection protocols pppoe padm statistics
clear-ddos-pppoe-padm-statistics
clear ddos-protection protocols pppoe padn
152
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
clear ddos-protection protocols pppoe padn states
clear-ddos-pppoe-padn-states
clear ddos-protection protocols pppoe padn statistics
clear-ddos-pppoe-padn-statistics
clear ddos-protection protocols pppoe pado
clear ddos-protection protocols pppoe pado states
clear-ddos-pppoe-pado-states
clear ddos-protection protocols pppoe pado statistics
clear-ddos-pppoe-pado-statistics
clear ddos-protection protocols pppoe padr
clear ddos-protection protocols pppoe padr states
clear-ddos-pppoe-padr-states
clear ddos-protection protocols pppoe padr statistics
clear-ddos-pppoe-padr-statistics
clear ddos-protection protocols pppoe pads
clear ddos-protection protocols pppoe pads states
clear-ddos-pppoe-pads-states
clear ddos-protection protocols pppoe pads statistics
clear-ddos-pppoe-pads-statistics
clear ddos-protection protocols pppoe padt
clear ddos-protection protocols pppoe padt states
clear-ddos-pppoe-padt-states
clear ddos-protection protocols pppoe padt statistics
clear-ddos-pppoe-padt-statistics
clear ddos-protection protocols pppoe states
clear-ddos-pppoe-states
clear ddos-protection protocols pppoe statistics
clear-ddos-pppoe-statistics
clear ddos-protection protocols proto-802-1x
clear ddos-protection protocols proto-802-1x aggregate
clear ddos-protection protocols proto-802-1x aggregate culprit-flows
<clear-ddos-8021x-aggregate-flows>
clear ddos-protection protocols proto-802-1x aggregate states
<clear-ddos-8021x-aggregate-states>
clear ddos-protection protocols proto-802-1x aggregate statistics
<clear-ddos-8021x-aggregate-statistics>
clear ddos-protection protocols proto-802-1x culprit-flows
<clear-ddos-8021x-flows>
clear ddos-protection protocols proto-802-1x states
<clear-ddos-8021x-states>
clear ddos-protection protocols proto-802-1x statistics
<clear-ddos-8021x-statistics>
clear ddos-protection protocols ptp
clear ddos-protection protocols ptp aggregate
clear ddos-protection protocols ptp aggregate states
clear-ddos-ptp-aggregate-states
clear ddos-protection protocols ptp aggregate statistics
clear-ddos-ptp-aggregate-statistics
clear ddos-protection protocols ptp states
clear-ddos-ptp-states
clear ddos-protection protocols ptp statistics
clear-ddos-ptp-statistics
clear ddos-protection protocols ptpv6
clear ddos-protection protocols ptpv6 aggregate
clear ddos-protection protocols ptpv6 aggregate culprit-flows
<clear-ddos-ptpv6-aggregate-flows>
clear ddos-protection protocols ptpv6 aggregate states
<clear-ddos-ptpv6-aggregate-states>
clear ddos-protection protocols ptpv6 aggregate statistics
<clear-ddos-ptpv6-aggregate-statistics>
clear ddos-protection protocols ptpv6 culprit-flows
Copyright © 2017, Juniper Networks, Inc.
153
User Access and Authentication Feature Guide for Routing Devices
<clear-ddos-ptpv6-flows>
clear ddos-protection protocols ptpv6 states
<clear-ddos-ptpv6-states>
clear ddos-protection protocols ptpv6 statistics
<clear-ddos-ptpv6-statistics>
clear ddos-protection protocols pvstp
clear ddos-protection protocols pvstp aggregate
clear ddos-protection protocols pvstp aggregate states
clear-ddos-pvstp-aggregate-states
clear ddos-protection protocols pvstp aggregate statistics
clear-ddos-pvstp-aggregate-statistics
clear ddos-protection protocols pvstp states
clear-ddos-pvstp-states
clear ddos-protection protocols pvstp statistics
clear-ddos-pvstp-statistics
clear ddos-protection protocols radius
clear ddos-protection protocols radius accounting
clear ddos-protection protocols radius accounting states
clear-ddos-radius-account-states
clear ddos-protection protocols radius accounting statistics
clear-ddos-radius-account-statistics
clear ddos-protection protocols radius aggregate
clear ddos-protection protocols radius aggregate states
clear-ddos-radius-aggregate-states
clear ddos-protection protocols radius aggregate statistics
clear-ddos-radius-aggregate-statistics
clear ddos-protection protocols radius authorization
clear ddos-protection protocols radius authorization states
clear ddos-protection protocols radius authorization statistics
clear-ddos-ospfv3v6-statistics
clear-ddos-pfe-alive-aggregate-states
clear-ddos-pfe-alive-aggregate-statistics
clear-ddos-pfe-alive-states
clear-ddos-pfe-alive-statistics
clear-ddos-pim-aggregate-states
clear-ddos-pim-aggregate-statistics
clear-ddos-pim-states
clear-ddos-pmvrp-aggregate-states
clear-ddos-pmvrp-aggregate-statistics
clear-ddos-pmvrp-states
clear-ddos-pmvrp-statistics
clear-ddos-pos-aggregate-states
clear-ddos-pos-aggregate-statistics
clear-ddos-pos-states
clear-ddos-pos-statistics
clear-ddos-ppp-aggregate-states
clear-ddos-ppp-aggregate-statistics
clear-ddos-ppp-auth-states
clear-ddos-ppp-ipcp-states
clear-ddos-ppp-ipcp-statistics
clear-ddos-ppp-ipv6cp-states
clear-ddos-ppp-ipv6cp-statistics
clear-ddos-ppp-isis-states
clear-ddos-ppp-isis-statistics
clear-ddos-ppp-lcp-states
clear-ddos-ppp-lcp-statistics
clear-ddos-ppp-mplscp-states
clear-ddos-ppp-mplscp-statistics
clear-ddos-pppoe-aggregate-states
clear-ddos-pppoe-aggregate-statistics
clear-ddos-pppoe-padi-states
154
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
clear-ddos-pppoe-padi-statistics
clear-ddos-pppoe-padm-states
clear-ddos-pppoe-padm-statistics
clear-ddos-pppoe-padn-states
clear-ddos-pppoe-padn-statistics
clear-ddos-pppoe-pado-states
clear-ddos-pppoe-pado-statistics
clear-ddos-pppoe-padr-states
clear-ddos-pppoe-padr-statistics
clear-ddos-pppoe-pads-states
clear-ddos-pppoe-pads-statistics
clear-ddos-pppoe-padt-states
clear-ddos-pppoe-padt-statistics
clear-ddos-pppoe-states
clear-ddos-pppoe-statistics
clear-ddos-ppp-states
clear-ddos-ppp-statistics
clear-ddos-ptp-aggregate-states
clear-ddos-ptp-aggregate-statistics
clear-ddos-ptp-states
clear-ddos-ptp-statistics
clear-ddos-pvstp-aggregate-states
clear-ddos-pvstp-aggregate-statistics
clear-ddos-pvstp-states
clear-ddos-pvstp-statistics
clear-ddos-radius-account-states
clear-ddos-radius-account-statistics
clear-ddos-radius-aggregate-states
clear-ddos-radius-aggregate-statistics
clear-ddos-radius-auth-states
clear ddos-protection protocols radius authorization statistics
clear-ddos-radius-auth-statistics
clear ddos-protection protocols pmvrp culprit-flows
clear ddos-protection protocols radius server
clear ddos-protection protocols radius server states
clear-ddos-radius-server-states
clear ddos-protection protocols radius server statistics
clear-ddos-radius-server-statistics
clear ddos-protection protocols radius states
clear-ddos-radius-states
clear ddos-protection protocols radius statistics
clear-ddos-radius-statistics
clear ddos-protection protocols redirect
clear ddos-protection protocols redirect aggregate
clear ddos-protection protocols redirect aggregate states
clear-ddos-redirect-aggregate-states
clear ddos-protection protocols redirect aggregate statistics
clear-ddos-redirect-aggregate-statistics
clear ddos-protection protocols redirect states
clear-ddos-redirect-states
clear ddos-protection protocols redirect statistics
clear-ddos-redirect-statistics
clear ddos-protection protocols reject
clear ddos-protection protocols reject aggregate
clear ddos-protection protocols reject aggregate states
clear ddos-protection protocols reject aggregate statistics
clear ddos-protection protocols reject states
clear ddos-protection protocols reject statistics
clear ddos-protection protocols rip
clear ddos-protection protocols rip aggregate
clear ddos-protection protocols rip aggregate states
Copyright © 2017, Juniper Networks, Inc.
155
User Access and Authentication Feature Guide for Routing Devices
clear-ddos-rip-aggregate-states
clear ddos-protection protocols rip aggregate statistics
clear-ddos-rip-aggregate-statistics
clear ddos-protection protocols rip states
clear-ddos-rip-states
clear ddos-protection protocols rip statistics
clear-ddos-rip-statistics
clear ddos-protection protocols ripv6
clear ddos-protection protocols ripv6 aggregate
clear ddos-protection protocols ripv6 aggregate states
clear-ddos-ripv6-aggregate-states
clear ddos-protection protocols ripv6 aggregate statistics
clear-ddos-ripv6-aggregate-statistics
clear ddos-protection protocols ripv6 states
clear-ddos-ripv6-states
clear ddos-protection protocols ripv6 statistics
clear-ddos-ripv6-statistics
clear ddos-protection protocols rsvp
clear ddos-protection protocols rsvp aggregate
clear ddos-protection protocols rsvp aggregate states
clear-ddos-rsvp-aggregate-states
clear ddos-protection protocols rsvp aggregate statistics
clear-ddos-rsvp-aggregate-statistics
clear ddos-protection protocols rsvp states
clear-ddos-rsvp-states
clear ddos-protection protocols rsvp statistics
clear-ddos-rsvp-statistics
clear ddos-protection protocols rsvpv6
clear ddos-protection protocols rsvpv6 aggregate
clear ddos-protection protocols rsvpv6 aggregate states
clear-ddos-rsvpv6-aggregate-states
clear ddos-protection protocols rsvpv6 aggregate statistics
clear-ddos-rsvpv6-aggregate-statistics
clear ddos-protection protocols rsvpv6 states
clear-ddos-rsvpv6-states
clear ddos-protection protocols rsvpv6 statistics
clear-ddos-rsvpv6-statistics
clear ddos-protection protocols sample
clear ddos-protection protocols sample aggregate
clear ddos-protection protocols sample aggregate states
<clear-ddos-sample-aggregate-states>
clear ddos-protection protocols sample aggregate statistics
<clear-ddos-sample-aggregate-statistics>
clear ddos-protection protocols sample host
clear ddos-protection protocols sample host states
<clear-ddos-sample-host-states>
clear ddos-protection protocols sample host statistics
<clear-ddos-sample-host-statistics>
clear ddos-protection protocols sample pfe
clear ddos-protection protocols sample pfe culprit-flows
clear ddos-protection protocols sample pfe states
<clear-ddos-sample-pfe-states>
clear ddos-protection protocols sample pfe statistics
clear ddos-protection protocols sample sflow
clear ddos-protection protocols sample sflow culprit-flows
<clear-ddos-sample-sflow-flows>
clear ddos-protection protocols sample sflow states
<clear-ddos-sample-sflow-states>
clear ddos-protection protocols sample sflow statistics
<clear-ddos-sample-sflow-statistics>
clear ddos-protection protocols sample states
156
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
<clear-ddos-sample-states>
clear ddos-protection protocols sample statistics
<clear-ddos-sample-statistics>
clear ddos-protection protocols sample syslog
clear ddos-protection protocols sample syslog culprit-flows
clear ddos-protection protocols sample syslog states
<clear-ddos-sample-syslog-states>
clear ddos-protection protocols sample syslog statistics
<clear-ddos-sample-syslog-statistics>
clear ddos-protection protocols sample tap
clear ddos-protection protocols sample tap states
clear ddos-protection protocols sample-dest
clear ddos-protection protocols sample-dest aggregate
clear ddos-protection protocols sample-dest aggregate culprit-flows
<clear-ddos-sample-dest-aggregate-flows>
clear ddos-protection protocols sample-dest aggregate states
<clear-ddos-sample-dest-aggregate-states>
clear ddos-protection protocols sample-dest aggregate statistics
<clear-ddos-sample-dest-aggregate-statistics>
clear ddos-protection protocols sample-dest culprit-flows
<clear-ddos-sample-dest-flows>
clear ddos-protection protocols sample-dest states
<clear-ddos-sample-dest-states>
clear ddos-protection protocols sample-dest statistics
<clear-ddos-sample-dest-statistics>
clear ddos-protection protocols sample-source
clear ddos-protection protocols sample-source aggregate
clear ddos-protection protocols sample-source aggregate culprit-flows
<clear-ddos-sample-source-aggregate-flows>
clear ddos-protection protocols sample-source aggregate states
<clear-ddos-sample-source-aggregate-states>
clear ddos-protection protocols sample-source aggregate statistics
<clear-ddos-sample-source-aggregate-statistics>
clear ddos-protection protocols sample-source culprit-flows
<clear-ddos-sample-source-flows>
clear ddos-protection protocols sample-source states
<clear-ddos-sample-source-states>
clear ddos-protection protocols sample-source statistics
<clear-ddos-sample-source-statistics>
clear ddos-protection protocols sample tap statistics
<clear-ddos-sample-tap-statistics>
clear ddos-protection protocols services
clear ddos-protection protocols services aggregate
clear ddos-protection protocols services aggregate states
clear-ddos-services-aggregate-states
clear ddos-protection protocols services aggregate statistics
clear ddos-protection protocols services bsdt
clear ddos-protection protocols services bsdt culprit-flows
<clear-ddos-services-BSDT-flows>
clear ddos-protection protocols services bsdt states
<clear-ddos-services-BSDT-states>
clear ddos-protection protocols services bsdt statistics
<clear-ddos-services-BSDT-statistics>
clear ddos-protection protocols services culprit-flows
<clear-ddos-services-flows>
clear ddos-protection protocols services packet
clear ddos-protection protocols services packet culprit-flows
<clear-ddos-services-packet-flows>
clear ddos-protection protocols services packet states
<clear-ddos-services-packet-states>
clear ddos-protection protocols services packet statistics
Copyright © 2017, Juniper Networks, Inc.
157
User Access and Authentication Feature Guide for Routing Devices
<clear-ddos-services-packet-statistics>
clear ddos-protection protocols services states
clear-ddos-services-states
clear ddos-protection protocols services statistics
clear-ddos-services-statistics
clear ddos-protection protocols snmp
clear ddos-protection protocols snmp aggregate
clear ddos-protection protocols snmp aggregate states
clear-ddos-snmp-aggregate-states
clear ddos-protection protocols snmp aggregate statistics
clear ddos-protection protocols snmp culprit-flows
clear ddos-protection protocols snmp states
clear-ddos-snmp-states
clear ddos-protection protocols snmp statistics
clear-ddos-snmp-statistics
clear ddos-protection protocols snmpv6
clear ddos-protection protocols snmpv6 aggregate
clear ddos-protection protocols snmpv6 aggregate states
clear-ddos-snmpv6-aggregate-states
clear ddos-protection protocols snmpv6 aggregate statistics
clear-ddos-snmpv6-aggregate-statistics
clear ddos-protection protocols snmpv6 states
clear-ddos-snmpv6-states
clear ddos-protection protocols snmpv6 statistics
clear-ddos-snmpv6-statistics
clear ddos-protection protocols ssh
clear ddos-protection protocols ssh aggregate
clear ddos-protection protocols ssh aggregate states
clear-ddos-ssh-aggregate-states
clear ddos-protection protocols ssh aggregate statistics
clear-ddos-ssh-aggregate-statistics
clear ddos-protection protocols ssh states
clear-ddos-ssh-states
clear ddos-protection protocols ssh statistics
clear-ddos-ssh-statistics
clear ddos-protection protocols sshv6
clear ddos-protection protocols sshv6 aggregate
clear ddos-protection protocols sshv6 aggregate states
clear-ddos-sshv6-aggregate-states
clear ddos-protection protocols sshv6 aggregate statistics
clear ddos-protection protocols sshv6 culprit-flows
clear ddos-protection protocols sshv6 states
clear-ddos-sshv6-states
clear ddos-protection protocols sshv6 statistics
clear-ddos-sshv6-statistics
clear ddos-protection protocols states
clear-ddos-protocols-states
clear ddos-protection protocols statistics
clear-ddos-protocols-statistics
clear ddos-protection protocols stp
clear ddos-protection protocols stp aggregate
clear ddos-protection protocols stp aggregate states
clear-ddos-stp-aggregate-states
clear ddos-protection protocols stp aggregate statistics
clear-ddos-stp-aggregate-statistics
clear ddos-protection protocols stp states
clear-ddos-stp-states
clear ddos-protection protocols stp statistics
clear-ddos-stp-statistics
clear ddos-protection protocols tacacs
clear ddos-protection protocols tacacs aggregate
158
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
clear ddos-protection protocols tacacs aggregate states
clear-ddos-tacacs-aggregate-states
clear ddos-protection protocols tacacs aggregate statistics
clear-ddos-tacacs-aggregate-statistics
clear ddos-protection protocols tacacs states
clear-ddos-tacacs-states
clear ddos-protection protocols tacacs statistics
clear-ddos-tacacs-statistics
clear ddos-protection protocols tcc
clear ddos-protection protocols tcc aggregate
clear ddos-protection protocols tcc aggregate culprit-flows
<clear-ddos-tcc-aggregate-flows>
clear ddos-protection protocols tcc aggregate states
<clear-ddos-tcc-aggregate-states>
clear ddos-protection protocols tcc aggregate statistics
<clear-ddos-tcc-aggregate-statistics>
clear ddos-protection protocols tcc culprit-flows
<clear-ddos-tcc-flows>
clear ddos-protection protocols tcc ethernet-tcc
clear ddos-protection protocols tcc ethernet-tcc culprit-flows
<clear-ddos-tcc-ethernet-tcc-flows>
clear ddos-protection protocols tcc ethernet-tcc states
<clear-ddos-tcc-ethernet-tcc-states>
clear ddos-protection protocols tcc ethernet-tcc statistics
<clear-ddos-tcc-ethernet-tcc-statistics>
clear ddos-protection protocols tcc iso-tcc
clear ddos-protection protocols tcc iso-tcc culprit-flows
<clear-ddos-tcc-iso-tcc-flows>
clear ddos-protection protocols tcc iso-tcc states
<clear-ddos-tcc-iso-tcc-states>
clear ddos-protection protocols tcc iso-tcc statistics
<clear-ddos-tcc-iso-tcc-statistics>
clear ddos-protection protocols tcc states
<clear-ddos-tcc-states>
clear ddos-protection protocols tcc statistics
<clear-ddos-tcc-statistics>
clear ddos-protection protocols tcc unclassified
clear ddos-protection protocols tcc unclassified culprit-flows
<clear-ddos-tcc-unclass-flows>
clear ddos-protection protocols tcc unclassified states
<clear-ddos-tcc-unclass-states>
clear ddos-protection protocols tcc unclassified statistics
<clear-ddos-tcc-unclass-statistics>
clear ddos-protection protocols tcp-flags
clear ddos-protection protocols tcp-flags aggregate
clear ddos-protection protocols tcp-flags aggregate states
clear-ddos-tcp-flags-aggregate-states
clear ddos-protection protocols tcp-flags aggregate statistics
clear-ddos-tcp-flags-aggregate-statistics
clear ddos-protection protocols tcp-flags established
clear ddos-protection protocols tcp-flags established states
clear-ddos-tcp-flags-establish-states
clear ddos-protection protocols tcp-flags established statistics
clear-ddos-tcp-flags-establish-statistics
clear ddos-protection protocols tcp-flags initial
clear ddos-protection protocols tcp-flags initial culprit-flows
clear ddos-protection protocols tcp-flags initial states
clear-ddos-tcp-flags-initial-states
clear ddos-protection protocols tcp-flags initial statistics
clear-ddos-tcp-flags-initial-statistics
clear ddos-protection protocols tcp-flags states
Copyright © 2017, Juniper Networks, Inc.
159
User Access and Authentication Feature Guide for Routing Devices
clear-ddos-tcp-flags-states
clear ddos-protection protocols tcp-flags statistics
clear-ddos-tcp-flags-statistics
clear ddos-protection protocols tcp-flags unclassified
clear ddos-protection protocols tcp-flags unclassified states
clear-ddos-tcp-flags-unclass-states
clear ddos-protection protocols tcp-flags unclassified statistics
clear-ddos-tcp-flags-unclass-statistics
clear ddos-protection protocols telnet
clear ddos-protection protocols telnet aggregate
clear ddos-protection protocols telnet aggregate culprit-flows
clear ddos-protection protocols telnet aggregate states
clear-ddos-telnet-aggregate-states
clear ddos-protection protocols telnet aggregate statistics
clear-ddos-telnet-aggregate-statistics
clear ddos-protection protocols telnet states
clear-ddos-telnet-states
clear ddos-protection protocols telnet statistics
clear-ddos-telnet-statistics
clear ddos-protection protocols telnetv6
clear ddos-protection protocols telnetv6 aggregate
clear ddos-protection protocols telnetv6 aggregate states
clear-ddos-telnetv6-aggregate-states
clear ddos-protection protocols telnetv6 aggregate statistics
clear-ddos-telnetv6-aggregate-statistics
clear ddos-protection protocols telnetv6 states
clear-ddos-telnetv6-states
clear ddos-protection protocols telnetv6 statistics
clear-ddos-telnetv6-statistics
clear ddos-protection protocols ttl
clear ddos-protection protocols ttl aggregate
clear ddos-protection protocols ttl aggregate culprit-flows
clear ddos-protection protocols ttl aggregate states
clear-ddos-ttl-aggregate-states
clear ddos-protection protocols ttl aggregate statistics
clear-ddos-ttl-aggregate-statistics
clear ddos-protection protocols ttl states
clear-ddos-ttl-states
clear ddos-protection protocols ttl statistics
clear-ddos-ttl-statistics
clear ddos-protection protocols tunnel-fragment
clear ddos-protection protocols tunnel-fragment aggregate
clear ddos-protection protocols tunnel-fragment aggregate states
clear-ddos-tun-frag-aggregate-states
clear ddos-protection protocols tunnel-fragment aggregate statistics
clear-ddos-tun-frag-aggregate-statistics
clear ddos-protection protocols tunnel-fragment states
clear-ddos-tun-frag-states
clear ddos-protection protocols tunnel-fragment statistics
clear-ddos-tun-frag-statistics
clear ddos-protection protocols unclassified
clear ddos-protection protocols unclassified aggregate
clear ddos-protection protocols unclassified aggregate states
clear ddos-protection protocols unclassified aggregate statistics
clear ddos-protection protocols unclassified control-layer2
clear ddos-protection protocols unclassified control-layer2 culprit-flows
clear ddos-protection protocols unclassified control-layer2 states
clear ddos-protection protocols unclassified control-layer2 statistics
clear ddos-protection protocols unclassified control-v4
clear ddos-protection protocols unclassified control-v4 culprit-flows
clear ddos-protection protocols unclassified control-v4 states
160
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
clear ddos-protection protocols unclassified control-v4 statistics
clear ddos-protection protocols unclassified control-v6
clear ddos-protection protocols unclassified control-v6 culprit-flows
clear ddos-protection protocols unclassified control-v6 states
clear ddos-protection protocols unclassified control-v6 statistics
clear ddos-protection protocols unclassified filter-v4 culprit-flows
clear ddos-protection protocols unclassified filter-v4 states
clear ddos-protection protocols unclassified filter-v4 statistics
clear ddos-protection protocols unclassified filter-v6
clear ddos-protection protocols unclassified filter-v6 culprit-flows
clear ddos-protection protocols unclassified filter-v6 states
clear ddos-protection protocols unclassified filter-v6 statistics
clear ddos-protection protocols unclassified fw-host
clear ddos-protection protocols unclassified fw-host culprit-flows
<clear-ddos-uncls-fw-host-flows>
clear ddos-protection protocols unclassified fw-host states
<clear-ddos-uncls-fw-host-states>
clear ddos-protection protocols unclassified fw-host statistics
<clear-ddos-uncls-fw-host-statistics>
clear ddos-protection protocols unclassified host-route-v4
clear ddos-protection protocols unclassified host-route-v4 culprit-flows
clear ddos-protection protocols unclassified host-route-v4 states
clear ddos-protection protocols unclassified host-route-v4 states
clear ddos-protection protocols unclassified host-route-v4 statistics
clear ddos-protection protocols unclassified host-route-v6
clear ddos-protection protocols unclassified host-route-v6 culprit-flows
clear ddos-protection protocols unclassified host-route-v6 states
clear ddos-protection protocols unclassified host-route-v6 statistics
clear ddos-protection protocols unclassified mcast-copy
clear ddos-protection protocols unclassified mcast-copy culprit-flows
<clear-ddos-uncls-mcast-copy-flows>
clear ddos-protection protocols unclassified mcast-copy states
<clear-ddos-uncls-mcast-copy-states>
clear ddos-protection protocols unclassified mcast-copy statistics
<clear-ddos-uncls-mcast-copy-statistics>
clear ddos-protection protocols unknown-l2mc
clear ddos-protection protocols unknown-l2mc aggregate
clear ddos-protection protocols unknown-l2mc aggregate culprit-flows
<clear-ddos-unknown-l2mc-aggregate-flows>
clear ddos-protection protocols unknown-l2mc aggregate states
<clear-ddos-unknown-l2mc-aggregate-states>
clear ddos-protection protocols unknown-l2mc aggregate statistics
<clear-ddos-unknown-l2mc-aggregate-statistics>
clear ddos-protection protocols unknown-l2mc culprit-flows
<clear-ddos-unknown-l2mc-flows>
clear ddos-protection protocols unknown-l2mc states
<clear-ddos-unknown-l2mc-states>
clear ddos-protection protocols unknown-l2mc statistics
<clear-ddos-unknown-l2mc-statistics>
clear ddos-protection protocols urpf-fail
clear ddos-protection protocols urpf-fail aggregate
clear ddos-protection protocols urpf-fail aggregate culprit-flows
<clear-ddos-urpf-fail-aggregate-flows>
clear ddos-protection protocols urpf-fail aggregate states
<clear-ddos-urpf-fail-aggregate-states>
clear ddos-protection protocols urpf-fail aggregate statistics
<clear-ddos-urpf-fail-aggregate-statistics>
clear ddos-protection protocols urpf-fail culprit-flows
<clear-ddos-urpf-fail-flows>
clear ddos-protection protocols urpf-fail states
<clear-ddos-urpf-fail-states>
Copyright © 2017, Juniper Networks, Inc.
161
User Access and Authentication Feature Guide for Routing Devices
clear ddos-protection protocols urpf-fail statistics
<clear-ddos-urpf-fail-statistics>
clear ddos-protection protocols vcipc-udp
clear ddos-protection protocols vcipc-udp aggregate
clear ddos-protection protocols vcipc-udp aggregate culprit-flows
<clear-ddos-vcipc-udp-aggregate-flows>
clear ddos-protection protocols vcipc-udp aggregate states
<clear-ddos-vcipc-udp-aggregate-states>
clear ddos-protection protocols vcipc-udp aggregate statistics
<clear-ddos-vcipc-udp-aggregate-statistics>
clear ddos-protection protocols vcipc-udp culprit-flows
<clear-ddos-vcipc-udp-flows>
clear ddos-protection protocols vcipc-udp states
<clear-ddos-vcipc-udp-states>
<clear-ddos-vcipc-udp-statistics>
clear ddos-protection protocols unclassified other
clear ddos-protection protocols unclassified other culprit-flows
clear ddos-protection protocols unclassified other states
clear ddos-protection protocols unclassified other statistics
clear ddos-protection protocols unclassified resolve-v4
clear ddos-protection protocols unclassified resolve-v4 culprit-flows
clear ddos-protection protocols unclassified resolve-v4 states
clear ddos-protection protocols unclassified resolve-v4 statistics
clear ddos-protection protocols unclassified resolve-v6
clear ddos-protection protocols unclassified resolve-v6 culprit-flows
clear ddos-protection protocols unclassified resolve-v6 states
clear ddos-protection protocols unclassified resolve-v6 statistics
clear ddos-protection protocols unclassified states
clear ddos-protection protocols unclassified statistics
<clear-ddos-uncls-statistics>
clear ddos-protection protocols virtual-chassis
clear ddos-protection protocols virtual-chassis aggregate
clear ddos-protection protocols virtual-chassis aggregate culprit-flows
clear ddos-protection protocols virtual-chassis aggregate states
clear-ddos-protocols-states
clear-ddos-protocols-statistics
clear-ddos-radius-server-states
clear-ddos-radius-server-statistics
clear-ddos-radius-states
clear-ddos-radius-statistics
clear ddos-protection protocols re-services
clear ddos-protection protocols re-services aggregate
clear ddos-protection protocols re-services aggregate culprit-flows
<clear-ddos-re-services-aggregate-flows>
clear ddos-protection protocols re-services aggregate states
<clear-ddos-re-services-aggregate-states>
clear ddos-protection protocols re-services aggregate statistics
<clear-ddos-re-services-aggregate-statistics>
clear ddos-protection protocols re-services captive-portal
clear ddos-protection protocols re-services captive-portal culprit-flows
<clear-ddos-re-services-captive-portal-flows>
clear ddos-protection protocols re-services captive-portal states
<clear-ddos-re-services-captive-portal-states>
clear ddos-protection protocols re-services captive-portal statistics
<clear-ddos-re-services-captive-portal-statistics>
clear ddos-protection protocols re-services culprit-flows
<clear-ddos-re-services-flows>
clear ddos-protection protocols re-services states
<clear-ddos-re-services-states>
clear ddos-protection protocols re-services statistics
<clear-ddos-re-services-statistics>
162
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
clear ddos-protection protocols re-services-v6
clear ddos-protection protocols re-services-v6 aggregate
clear ddos-protection protocols re-services-v6 aggregate culprit-flows
<clear-ddos-re-services-v6-aggregate-flows>
clear ddos-protection protocols re-services-v6 aggregate states
<clear-ddos-re-services-v6-aggregate-states>
clear ddos-protection protocols re-services-v6 aggregate statistics
<clear-ddos-re-services-v6-aggregate-statistics>
clear ddos-protection protocols re-services-v6 captive-portal
clear ddos-protection protocols re-services-v6 captive-portal culprit-flows
<clear-ddos-re-services-v6-captive-portal-v6-flows>
clear ddos-protection protocols re-services-v6 captive-portal states
<clear-ddos-re-services-v6-captive-portal-v6-states>
clear ddos-protection protocols re-services-v6 captive-portal statistics
<clear-ddos-re-services-v6-captive-portal-v6-statistics>
clear ddos-protection protocols re-services-v6 culprit-flows
<clear-ddos-re-services-v6-flows>
clear ddos-protection protocols re-services-v6 states
<clear-ddos-re-services-v6-states>
clear ddos-protection protocols re-services-v6 statistics
<clear-ddos-re-services-v6-statistics>
clear-ddos-redirect-aggregate-states
clear-ddos-redirect-states
clear-ddos-redirect-statistics
clear-ddos-rip-aggregate-states
clear-ddos-rip-aggregate-statistics
clear-ddos-rip-states
clear-ddos-rip-statistics
clear-ddos-ripv6-aggregate-states
clear-ddos-ripv6-aggregate-statistics
clear-ddos-ripv6-states
clear-ddos-ripv6-statistics
clear-ddos-rsvp-aggregate-states
clear-ddos-rsvp-aggregate-statistics
clear-ddos-rsvp-states
clear-ddos-rsvp-statistics
clear-ddos-rsvpv6-aggregate-states
clear-ddos-rsvpv6-aggregate-statistics
clear-ddos-rsvpv6-states
clear-ddos-rsvpv6-statistics
clear-ddos-services-aggregate-states
clear-ddos-services-aggregate-statistics
clear-ddos-services-states
clear-ddos-services-statistics
clear-ddos-snmp-aggregate-states
clear-ddos-snmp-aggregate-statistics
clear-ddos-snmp-states
clear-ddos-snmp-statistics
clear-ddos-snmpv6-aggregate-states
clear-ddos-snmpv6-aggregate-statistics
clear-ddos-snmpv6-states
clear-ddos-snmpv6-statistics
clear-ddos-ssh-aggregate-states
clear-ddos-ssh-aggregate-statistics
clear-ddos-ssh-states
clear-ddos-ssh-statistics
clear-ddos-sshv6-aggregate-states
clear-ddos-sshv6-aggregate-statistics
clear-ddos-sshv6-states
clear-ddos-sshv6-statistics
clear-ddos-stp-aggregate-states
Copyright © 2017, Juniper Networks, Inc.
163
User Access and Authentication Feature Guide for Routing Devices
clear-ddos-stp-aggregate-statistics
clear-ddos-stp-states
clear-ddos-stp-statistics
clear ddos-protection protocols syslog
clear ddos-protection protocols syslog aggregate
clear ddos-protection protocols syslog aggregate culprit-flows
<clear-ddos-syslog-aggregate-flows>
clear ddos-protection protocols syslog aggregate states
<clear-ddos-syslog-aggregate-states>
clear ddos-protection protocols syslog aggregate statistics
<clear-ddos-syslog-aggregate-statistics>
clear ddos-protection protocols syslog culprit-flows
<clear-ddos-syslog-flows>
clear ddos-protection protocols syslog states
<clear-ddos-syslog-states>
clear ddos-protection protocols syslog statistics
<clear-ddos-syslog-statistics>
clear-ddos-tacacs-aggregate-states
clear-ddos-tacacs-aggregate-statistics
clear-ddos-tacacs-states
clear-ddos-tacacs-statistics
clear-ddos-tcp-flags-aggregate-states
clear-ddos-tcp-flags-aggregate-statistics
clear-ddos-tcp-flags-establish-states
clear-ddos-tcp-flags-establish-statistics
clear-ddos-tcp-flags-initial-states
clear-ddos-tcp-flags-initial-statistics
clear-ddos-tcp-flags-states
clear-ddos-tcp-flags-statistics
clear-ddos-tcp-flags-unclass-states
clear-ddos-tcp-flags-unclass-statistics
clear-ddos-telnet-aggregate-states
clear-ddos-telnet-aggregate-statistics
clear-ddos-telnet-states
clear-ddos-telnet-statistics
clear-ddos-telnetv6-aggregate-states
clear-ddos-telnetv6-aggregate-statistics
clear-ddos-telnetv6-states
clear-ddos-telnetv6-statistics
clear-ddos-ttl-aggregate-states
clear-ddos-ttl-aggregate-statistics
clear-ddos-ttl-states
clear-ddos-ttl-statistics
clear-ddos-tun-frag-aggregate-states
clear-ddos-tun-frag-aggregate-statistics
clear-ddos-tun-frag-states
clear-ddos-tun-frag-statistics
clear ddos-protection protocols tunnel-ka
clear ddos-protection protocols tunnel-ka aggregate
clear ddos-protection protocols tunnel-ka aggregate culprit-flows
<clear-ddos-tunnel-ka-aggregate-flows>
clear ddos-protection protocols tunnel-ka aggregate states
<clear-ddos-tunnel-ka-aggregate-states>
clear ddos-protection protocols tunnel-ka aggregate statistics
<clear-ddos-tunnel-ka-aggregate-statistics>
clear ddos-protection protocols tunnel-ka culprit-flows
<clear-ddos-tunnel-ka-flows>
clear ddos-protection protocols tunnel-ka states
<clear-ddos-tunnel-ka-states>
clear ddos-protection protocols tunnel-ka statistics
<clear-ddos-tunnel-ka-statistics>
164
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
clear-ddos-vchassis-aggregate-states
clear ddos-protection protocols virtual-chassis aggregate statistics
clear-ddos-vchassis-aggregate-statistics
clear ddos-protection protocols virtual-chassis control-high
clear ddos-protection protocols virtual-chassis control-high states
clear-ddos-vchassis-control-hi-states
clear ddos-protection protocols virtual-chassis control-high statistics
clear-ddos-vchassis-control-hi-statistics
clear ddos-protection protocols virtual-chassis control-low
clear ddos-protection protocols virtual-chassis control-low states
clear-ddos-vchassis-control-lo-states
clear ddos-protection protocols virtual-chassis control-low statistics
clear-ddos-vchassis-control-lo-statistics
clear ddos-protection protocols virtual-chassis states
clear-ddos-vchassis-states
clear ddos-protection protocols virtual-chassis statistics
clear-ddos-vchassis-statistics
clear ddos-protection protocols virtual-chassis unclassified
clear ddos-protection protocols virtual-chassis unclassified culprit-flows
clear ddos-protection protocols virtual-chassis unclassified states
clear-ddos-vchassis-unclass-states
clear ddos-protection protocols virtual-chassis unclassified statistics
clear-ddos-vchassis-unclass-statistics
clear ddos-protection protocols virtual-chassis vc-packets
clear ddos-protection protocols virtual-chassis vc-packets states
clear-ddos-vchassis-vc-packets-states
clear ddos-protection protocols virtual-chassis vc-packets statistics
clear-ddos-vchassis-vc-packets-statistics
clear ddos-protection protocols virtual-chassis vc-ttl-errors
clear ddos-protection protocols virtual-chassis vc-ttl-errors states
clear-ddos-vchassis-vc-ttl-err-states
clear ddos-protection protocols virtual-chassis vc-ttl-errors statistics
clear-ddos-vchassis-vc-ttl-err-statistics
clear ddos-protection protocols vrrp
clear ddos-protection protocols vrrp aggregate
clear ddos-protection protocols vrrp aggregate states
clear-ddos-vrrp-aggregate-states
clear ddos-protection protocols vrrp aggregate statistics
clear ddos-protection protocols vrrp culprit-flows
clear ddos-protection protocols vrrp statistics
clear-ddos-vrrp-statistics
clear ddos-protection protocols vrrpv6
clear ddos-protection protocols vrrpv6 aggregate
clear ddos-protection protocols vrrpv6 aggregate states
clear-ddos-vrrpv6-aggregate-states
clear ddos-protection protocols vrrpv6 aggregate statistics
clear-ddos-vrrpv6-aggregate-statistics
clear ddos-protection protocols vrrpv6 states
clear-ddos-vrrpv6-states
clear ddos-protection protocols vrrpv6 statistics
clear-ddos-uncls-host-rt-v4-flows
clear-ddos-vchassis-aggregate-statistics
clear-ddos-vchassis-control-hi-states
clear-ddos-vchassis-control-hi-statistics
clear-ddos-vchassis-control-lo-states
clear-ddos-vchassis-control-lo-statistics
clear-ddos-vchassis-states
clear-ddos-vchassis-statistics
clear-ddos-vchassis-unclass-states
clear-ddos-vchassis-unclass-statistics
clear-ddos-vchassis-vc-packets-states
Copyright © 2017, Juniper Networks, Inc.
165
User Access and Authentication Feature Guide for Routing Devices
clear-ddos-vchassis-vc-packets-statistics
clear-ddos-vchassis-vc-ttl-err-states
clear-ddos-vchassis-vc-ttl-err-statistics
clear-ddos-vrrp-aggregate-states
clear-ddos-vrrp-aggregate-statistics
clear-ddos-vrrp-states
clear-ddos-vrrp-statistics
clear-ddos-vrrpv6-aggregate-states
clear-ddos-vrrpv6-aggregate-statistics
clear-ddos-vrrpv6-states
clear-ddos-vrrpv6-statistics
clear ddos-protection protocols vxlan
clear ddos-protection protocols vxlan aggregate
clear ddos-protection protocols vxlan aggregate culprit-flows
clear-ddos-vxlan-aggregate-flows
clear ddos-protection protocols vxlan aggregate states
<clear-ddos-vxlan-aggregate-states>
clear ddos-protection protocols vxlan aggregate statistics
<clear-ddos-vxlan-aggregate-statistics>
clear ddos-protection protocols vxlan culprit-flows
<clear-ddos-vxlan-flows>
clear ddos-protection protocols vxlan states
<clear-ddos-vxlan-states>
clear ddos-protection protocols vxlan statistics
<clear-ddos-vxlan-statistics>
clear dhcp
clear dhcp client
clear dhcp client binding
<clear-dhcp-client-binding-information>
clear dhcp client statistics
<clear-client-statistics-information>
clear dhcp proxy-client
clear dhcp proxy-client statistics
clear dhcp relay
clear dhcp relay binding
<clear-dhcp-relay-binding-information>
clear dhcp relay binding interface
<clear-dhcp-interface-bindings>
clear dhcp relay statistics
<clear-dhcp-relay-statistics-information>
<clear-dhcp-security-binding>
<clear-dhcp-security-binding-interface>
<clear-dhcp-security-binding-ip-address>
<clear-dhcp-security-binding-statistics>
<clear-dhcp-security-binding-vlan>
clear dhcp relay statistics bulk-leasequery-connections
<clear-dhcp-relay-bulk-leasequery-conn-statistics>
clear dhcp relay statistics leasequery
<clear-dhcp-relay-leasequery-statistics>
clear dhcp server
clear dhcp server binding
<clear-dhcp-server-binding-information>
clear dhcp server binding interface
<clear-dhcp-server-binding-interface>
clear dhcp server statistics
<clear-server-statistics-information>
clear dhcp statistics
<clear-dhcp-service-statistics-information>
clear dhcp-security statistics
<clear-dhcp-security-statistics>
clear dhcpv6
166
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
clear dhcpv6 client
clear dhcpv6 client binding
<clear-dhcpv6-client-binding-information>
clear dhcpv6 client statistics
<clear-dhcpv6-client-statistics-information>
clear dhcpv6 proxy-client
clear dhcpv6 proxy-client statistics
<clear-dhcpv6-proxy-client-statistics-information>
clear dhcpv6 relay
clear dhcpv6 relay binding
clear dhcpv6 relay binding interface
clear dhcpv6 relay statistics
<clear-dhcpv6-relay-statistics-information>
clear dhcpv6 relay statistics bulk-leasequery-connections
<clear-dhcpv6-relay-bulk-leasequery-conn-statistics>
clear dhcpv6 relay statistics leasequery
<clear-dhcpv6-relay-leasequery-statistics>
clear dhcpv6 server
clear dhcpv6 server binding
<clear-dhcpv6-server-binding-information>
clear dhcpv6 server binding interface
<clear-dhcpv6-server-binding-interface>
clear dhcpv6 server statistics
<clear-dhcpv6-server-statistics-information>
clear dhcpv6 server statistics bulk-leasequery-connections
<clear-dhcpv6-server-bulk-leasequery-statistics>
clear dhcpv6 statistics
<clear-dhcpv6-service-statistics-information>
clear diameter
clear diameter function
<clear-diameter-function>
clear diameter peer
<clear-diameter-peer>
<clear-dhcp-binding-information>
<clear-dhcp-conflict-information>
<clear-dhcp-statistics-information>
clear system subscriber-management
clear system subscriber-management arp
<clear-subscriber-management-arp>
clear system subscriber-management arp address
<clear-subscriber-management-arp-address>
clear system subscriber-management arp interface
<clear-subscriber-management-arp-interface>
clear system subscriber-management ipv6-neighbors
<clear-subscriber-management-ipv6-neighbors>
clear system subscriber-management ipv6-neighbors address
<clear-subscriber-management-ipv6-neighbor-address>clear system
subscriber-management ipv6-neighbors interface
<clear-subscriber-management-ipv6-neighbor-interface>
clear system subscriber-management statistics
<clear-subscriber-management-statistics>
clear dot1x
clear dot1x eapol-block
clear dot1x eapol-block interface
<clear-dot1x-eapol-block-interface-session>
clear dot1x eapol-block mac-address
<clear-dot1x-eapol-block-mac-session>
clear dot1x firewall
<clear-dot1x-firewall>
clear dot1x firewall interface
<clear-dot1x-firewall-interface>
Copyright © 2017, Juniper Networks, Inc.
167
User Access and Authentication Feature Guide for Routing Devices
clear dot1x interface
<clear-dot1x-interface-session>
clear dot1x mac-address
<clear-dot1x-mac-session>
clear dot1x statistics
<clear-dot1x-statistics>
clear dot1x statistics interface
<clear-dot1x-statistics-interface>
clear error
clear error bpdu
clear error bpdu interface
<clear-bpdu-error>
clear error loop-detect
clear error loop-detect interface
<clear-loop-detect-error>
clear error mac-rewrite
clear error mac-rewrite interface
<clear-mac-rewrite-error>
clear esis
clear esis adjacency
<clear-esis-adjacency>
clear esis statistics
<clear-esis-statistics>
clear ethernet-switching
clear ethernet-switching evpn
clear ethernet-switching evpn arp-table
<clear-ethernet-switching-evpn-arp-table>
clear ethernet-switching mac-learning-log
<clear-ethernet-switching-mac-learning-log>
clear ethernet-switching recovery-timeout
<clear-ethernet-switching-recovery>
clear ethernet-switching recovery-timeout interface
<clear-ethernet-switching-recovery-interface>
clear ethernet-switching satellite
clear ethernet-switching satellite logging
<clear-satellite-control-logging>
clear ethernet-switching satellite vlan-auto-sense
<clear-satellite-control-plane-vlan-auto-sense>
clear ethernet-switching table
<clear-ethernet-switching-table>
clear ethernet-switching table interface
<clear-ethernet-switching-interface-table>
clear ethernet-switching table persistent-learning
<clear-ethernet-switching-table-persistent-learning>
clear ethernet-switching table persistent-learning interface
<clear-ethernet-switching-table-persistent-learning>
clear ethernet-switching table persistent-learning mac
<clear-ethernet-switching-table-persistent-learning-mac>
clear evpn
clear evpn arp-table
<clear-evpn-arp-table>
clear evpn mac-table
<clear-evpn-mac-table>
clear evpn mac-table interface
<clear-evpn-interface-mac-table>
clear evpn nd-table
<clear-evpn-nd-table>
clear extensible-subscriber-services
clear extensible-subscriber-services counters
<clear-extensible-subscriber-services-counters>
clear extensible-subscriber-services sessions
168
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
<clear-extensible-subscriber-services-sessions>
clear fabric
<clear-fabric>
clear fabric statistics
<clear-fabric-statistics>
clear firewall
<clear-firewall-counters>
clear firewall all
<clear-all-firewall-conters>
clear firewall log
<clear-firewall-log>
clear firewall policer
clear firewall policer counter
clear firewall policer counter all
<clear-interface-aggregate-fwd-options>
<clear-interface-aggregate-fwd-options-all>
clear helper
clear helper statistics
<clear-helper-statistics-information>
clear igmp
clear igmp membership
<clear-igmp-membership>
clear igmp snooping
clear igmp snooping membership
<clear-igmp-snooping-membership>
clear igmp snooping membership bridge-domain
<clear-igmp-snooping-bridge-domain-membership>
clear igmp snooping membership vlan
<clear-igmp-snooping-vlan-membership>
clear igmp snooping statistics
<clear-igmp-snooping-statistics>
clear igmp snooping statistics bridge-domain
<clear-igmp-snooping-bridge-domain-statistics>
clear igmp snooping statistics vlan
<clear-igmp-snooping-vlan-statistics>
clear igmp statistics
<clear-igmp-statistics>
clear ike
clear ike security-associations
<clear-ike-security-associations>
clear ike statistics
<clear-ike-statistics>
clear ilmi
clear ilmi statistics
<clear-ilmi-statistics>
clear interfaces
clear interfaces interface-set
clear interfaces interface-set statistics
<clear-interface-set-statistics>
clear interfaces interface-set statistics all
<clear-interface-set-statistics-all>
clear interfaces interval
<clear-interfaces-interval>
clear interfaces mac-database
<clear-interfaces-mac-database>
clear interfaces mac-database statistics
<clear-interface-mac-database-statistics>
clear interfaces mac-database statistics all
<clear-interface-mac-database-statistics-all>
clear interfaces statistics
<clear-interfaces-statistics>
Copyright © 2017, Juniper Networks, Inc.
169
User Access and Authentication Feature Guide for Routing Devices
clear interfaces statistics all
<clear-interfaces-statistics-all>
clear interfaces transport
<clear-interface-transport-information>
clear interfaces transport optics
<clear-interface-transport-optics-information>
clear interfaces transport optics interval
<clear-interface-transport-optics-interval-information>
clear ipsec
clear ipsec security-associations
<clear-ipsec-security-associations>
clear ipv6
clear ipv6 neighbors
<clear-ipv6-nd-information>
clear ipv6 neighbors all
<clear-ipv6-all-neighbors>
clear isis
clear isis adjacency
<clear-isis-adjacency-information>
clear isis database
<clear-isis-database-information>
clear isis layer2-map
<clear-isis-layer2-map-information>
clear isis overload
<clear-isis-overload-information>
clear isis statistics
<clear-isis-statistics-information>
clear ipv6 router-advertisement
clear lacp
clear lacp statistics
clear l2-learning
clear l2-learning evpn
clear l2-learning evpn arp-statistics
<clear-evpn-arp-statistics>
clear l2-learning evpn arp-statistics interface
<clear-evpn-arp-statistics-interface>
clear l2-learning evpn nd-statistics
<clear-evpn-nd-statistics>
clear l2-learning evpn nd-statistics interface
<clear-evpn-nd-statistics-interface>
clear l2-learning mac-move-buffer
<clear-l2-learning-mac-move-buffer>
clear l2-learning mac-move-buffer active
<clear-l2-learning-mac-move-buffer-active>
clear-l2-learning-redundancy-group
<clear-l2-learning-redundancy-group-statistics>
clear l2-learning remote-backbone-edge-bridges
<clear-l2-learning-remote-backbone-edge-bridges>
clear l2circuit
clear ldp
clear ldp statistics
<clear-ldp-statistics>
clear ldp statistics interface
<clear-ldp-interface-hello-statistics>
clear ldp neighbor
<clear-ldp-neighbors>
clear ldp session
<clear-ldp-sessions>
clear lldp
clear lldp neighbors
<clear-lldp-neighbors>
170
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
clear lldp neighbors interface
<clear-lldp-interface-neighbors>
clear lldp statistics
<clear-lldp-statistics>
clear lldp statistics interface
<clear-lldp-interface-statistics>
clear loop-detect
clear loop-detect statistics
clear loop-detect statistics interface
<clear-loop-detect-statistics-information>
clear mld
clear mld membership
<clear-mld-membership>
clear mld snooping
clear mld snooping membership
<clear-mld-snooping-membership>
clear mld snooping membership bridge-domain
<clear-mld-snooping-bridge-domain-membership>
clear mld snooping membership vlan
<clear-mld-snooping-vlan-membership>
clear mld snooping statistics
<clear-mld-snooping-statistics>
clear mld snooping statistics bridge-domain
<clear-mld-snooping-bridge-domain-statistics>
clear mld snooping statistics vlan
<clear-mld-snooping-vlan-statistics>
clear mld statistics
<clear-mld-statistics>
clear mobile-ip
clear mobile-ip binding
clear mobile-ip binding all
<clear-binding-all>
clear mobile-ip binding ip-address
<clear-binding-ip>
clear mobile-ip binding nai
<clear-binding-nai>
clear mobile-ip visitor
clear mobile-ip visitor all
<clear-visitor-all>
clear mobile-ip visitor ip-address
<clear-visitor-ip>
clear mobile-ip visitor nai
<clear-visitor-nai>
clear mpls
clear mpls lsp
<clear-mpls-lsp-information>
clear mpls static-lsp
<clear-mpls-static-lsp-information>
clear mpls traceroute
clear mpls traceroute database
clear mpls traceroute database ldp
<clear-mpls-traceroute-database-ldp>
clear msdp
clear msdp cache
<clear-msdp-cache>
clear msdp statistics
<clear-msdp-statistics>
clear multicast
clear multicast bandwidth-admission
<clear-multicast-bandwidth-admission
clear multicast forwarding-cache
Copyright © 2017, Juniper Networks, Inc.
171
User Access and Authentication Feature Guide for Routing Devices
clear multicast scope
<clear-multicast-scope-statistics>
clear multicast sessions
<clear-multicast-sessions>
clear multicast statistics
<clear-multicast-statistics>
clear mvrp
clear mvrp statistics
<clear-mvrp-interface-statistics>
clear network-access
clear network-access aaa
clear network-access aaa statistics
<clear-aaa-statistics-table>
clear network-access aaa statistics address-assignment
clear network-access aaa statistics address-assignment client
<clear-aaa-address-assignment-client-statistics>
clear network-access aaa statistics address-assignment pool
<clear-aaa-address-assignment-pool-statistics>
clear network-access aaa subscriber
<clear-aaa-subscriber-table>
clear network-access aaa subscriber statistics
<clear-aaa-subscriber-table-specific-statistics>
clear network-access address-assignment
clear network-access address-assignment preserved
<clear-address-assignment-preserved>
clear network-access ocs
clear network-access ocs statistics
<clear-ocs-statistics-information>
clear network-access pcrf
clear network-access pcrf statistics
<clear-pcrf-statistics-information>
clear network-access pcrf subscribers
<clear-pcrf-subscribers>
clear network-access requests
clear network-access requests pending
<clear-authentication-pending-table>
clear network-access requests statistics
<clear-authentication-statistics>
clear network-access securid-node-secret-file
<clear-node-secret-file>
clear oam
clear oam ethernet
clear oam ethernet connectivity-fault-management
clear oam ethernet connectivity-fault-management continuity-measurement
<clear-cfm-continuity-measurement>
clear oam ethernet connectivity-fault-management delay-statistics
<clear-cfm-delay-statistics>
clear oam ethernet connectivity-fault-management event
<clear-cfm-action-profile-event>
clear oam ethernet connectivity-fault-management loss-statistics
<clear-cfm-loss-statistics>
clear oam ethernet connectivity-fault-management path-database
<clear-cfm-linktrace-path-database>
clear oam ethernet connectivity-fault-management policer
<clear-cfm-policer-statistics>
clear oam ethernet connectivity-fault-management sla-iterator-history
<clear-cfm-iterator-history>
clear oam ethernet connectivity-fault-management sla-iterator-statistics
<clear-cfm-iterator-statistics>
clear oam ethernet connectivity-fault-management statistics
<clear-cfm-statistics>
172
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
clear oam ethernet connectivity-fault-management synthetic-loss-statistics
<clear-cfm-slm-statistics>
clear oam ethernet link-fault-management
clear oam ethernet link-fault-management state
<clear-lfmd-state>
clear oam ethernet link-fault-management statistics
<clear-lfmd-statistics>
clear oam ethernet link-fault-management statistics action-profile
<clear-lfmd-action-profile-statistics>
clear oam ethernet lmi
clear oam ethernet lmi statistics
<clear-elmi-statistics>
clear ospf
clear ospf database
<clear-ospf-database-information>
clear ospf database-protection
<clear-ospf-database-protection>
clear ospf io-statistics
<clear-ospf-io-statistics-information>
clear ospf neighbor
<clear-ospf-neighbor-information>
clear ospf overload
<clear-ospf-overload-information>
clear ospf statistics
<clear-ospf-statistics-information>
clear ospf3
clear ospf3 database
<clear-ospf3-database-information>
clear ospf3 database-protection
<clear-ospf-database-protection>
clear ospf3 io-statistics
<clear-ospf3-io-statistics-information>
clear ospf3 neighbor
<clear-ospf3-neighbor-information>
clear ospf3 overload
<clear-ospf3-overload-information>
clear ospf3 statistics
<clear-ospf3-io-statistics-information>
clear ovsdb
clear ovsdb commit
clear ovsdb commit failures
<clear-ovsdb-commit-failure-information>
clear ovsdb statistics
clear ovsdb statistics interface
clear ovsdb statistics interface all
<clear-ovsdb-interfaces-statistics-all>
clear performance-monitoring
clear performance-monitoring mpls
clear performance-monitoring mpls lsp
<clear-pm-mpls-lsp-information>
clear pfe
clear pfe statistics
clear pfe statistics fabric
clear pfe statistics traffic detail
clear pfe statistics traffic egress-queues fpc
clear pfe statistics traffic multicast
clear pfe statistics traffic multicast fpc
clear pfe tcam-errors
clear pfe tcam-errors all-tcam-stages
<clear-pfe-tcam-errors-all-tcam-stages>
clear pfe tcam-errors app
Copyright © 2017, Juniper Networks, Inc.
173
User Access and Authentication Feature Guide for Routing Devices
<clear-pfe-tcam-errors-app>
clear pfe tcam-errors app bd-dtag-validate
<clear-pfe-tcam-errors-app-bd-dtag-validate>
clear pfe tcam-errors app bd-dtag-validate detail
clear pfe tcam-errors app bd-dtag-validate list-related-apps
clear pfe tcam-errors app bd-dtag-validate list-shared-apps
clear pfe tcam-errors app bd-dtag-validate shared-usage
clear pfe tcam-errors app bd-dtag-validate shared-usage detail
clear pfe tcam-errors app bd-tpid-swap
<clear-pfe-tcam-errors-app-bd-tpid-swap>
clear pfe tcam-errors app bd-tpid-swap detail
clear pfe tcam-errors app bd-tpid-swap list-related-apps
clear pfe tcam-errors app bd-tpid-swap list-shared-apps
clear pfe tcam-errors app bd-tpid-swap shared-usage
clear pfe tcam-errors app bd-tpid-swap shared-usage detail
clear pfe tcam-errors app cfm-bd-filter
<clear-pfe-tcam-errors-app-cfm-bd-filter>
clear pfe tcam-errors app cfm-bd-filter detail
clear pfe tcam-errors app cfm-bd-filter list-related-apps
clear pfe tcam-errors app cfm-bd-filter list-shared-apps
clear pfe tcam-errors app cfm-bd-filter shared-usage
clear pfe tcam-errors app cfm-bd-filter shared-usage detail
clear pfe tcam-errors app cfm-filter
<clear-pfe-tcam-errors-app-cfm-filter>
clear pfe tcam-errors app cfm-filter detail
clear pfe tcam-errors app cfm-filter list-related-apps
clear pfe tcam-errors app cfm-filter list-shared-apps
clear pfe tcam-errors app cfm-filter shared-usage
clear pfe tcam-errors app cfm-filter shared-usage detail
clear pfe tcam-errors app cfm-vpls-filter
<clear-pfe-tcam-errors-app-cfm-vpls-filter>
clear pfe tcam-errors app cfm-vpls-filter detail
clear pfe tcam-errors app cfm-vpls-filter list-related-apps
clear pfe tcam-errors app cfm-vpls-filter list-shared-apps
clear pfe tcam-errors app cfm-vpls-filter shared-usage
clear pfe tcam-errors app cfm-vpls-filter shared-usage detail
clear pfe tcam-errors app cfm-vpls-ifl-filter
<clear-pfe-tcam-errors-app-cfm-vpls-ifl-filter>
clear pfe tcam-errors app cfm-vpls-ifl-filter detail
clear pfe tcam-errors app cfm-vpls-ifl-filter list-related-apps
clear pfe tcam-errors app cfm-vpls-ifl-filter list-shared-apps
clear pfe tcam-errors app cfm-vpls-ifl-filter shared-usage
clear pfe tcam-errors app cfm-vpls-ifl-filter shared-usage detail
clear pfe tcam-errors app cos-fc
<clear-pfe-tcam-errors-app-cos-fc>
clear pfe tcam-errors app cos-fc detail
clear pfe tcam-errors app cos-fc list-related-apps
clear pfe tcam-errors app cos-fc list-shared-apps
clear pfe tcam-errors app cos-fc shared-usage
clear pfe tcam-errors app cos-fc shared-usage detail
clear pfe tcam-errors app fw-ccc-in
<clear-pfe-tcam-errors-app-fw-ccc-in>
clear pfe tcam-errors app fw-ccc-in detail
clear pfe tcam-errors app fw-ccc-in list-related-apps
clear pfe tcam-errors app fw-ccc-in list-shared-apps
clear pfe tcam-errors app fw-ccc-in shared-usage
clear pfe tcam-errors app fw-ccc-in shared-usage detail
clear pfe tcam-errors app fw-family-out
<clear-pfe-tcam-errors-app-fw-family-out>
clear pfe tcam-errors app fw-family-out detail
clear pfe tcam-errors app fw-family-out list-related-apps
174
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
clear pfe tcam-errors app fw-family-out list-shared-apps
clear pfe tcam-errors app fw-family-out shared-usage
clear pfe tcam-errors app fw-family-out shared-usage detail
clear pfe tcam-errors app fw-fbf
<clear-pfe-tcam-errors-app-fw-fbf>
clear pfe tcam-errors app fw-fbf detail
clear pfe tcam-errors app fw-fbf list-related-apps
clear pfe tcam-errors app fw-fbf list-shared-apps
clear pfe tcam-errors app fw-fbf shared-usage
clear pfe tcam-errors app fw-fbf shared-usage detail
clear pfe tcam-errors app fw-fbf-inet6
<clear-pfe-tcam-errors-app-fw-fbf-inet6>
clear pfe tcam-errors app fw-fbf-inet6 detail
clear pfe tcam-errors app fw-fbf-inet6 list-related-apps
clear pfe tcam-errors app fw-fbf-inet6 list-shared-apps
clear pfe tcam-errors app fw-fbf-inet6 shared-usage
clear pfe tcam-errors app fw-fbf-inet6 shared-usage detail
clear pfe tcam-errors app fw-ifl-in
<clear-pfe-tcam-errors-app-fw-ifl-in>
clear pfe tcam-errors app fw-ifl-in detail
clear pfe tcam-errors app fw-ifl-in list-related-apps
clear pfe tcam-errors app fw-ifl-in list-shared-apps
clear pfe tcam-errors app fw-ifl-in shared-usage
clear pfe tcam-errors app fw-ifl-in shared-usage detail
clear pfe tcam-errors app fw-ifl-out
<clear-pfe-tcam-errors-app-fw-ifl-out>
clear pfe tcam-errors app fw-ifl-out detail
clear pfe tcam-errors app fw-ifl-out list-related-apps
clear pfe tcam-errors app fw-ifl-out list-shared-apps
clear pfe tcam-errors app fw-ifl-out shared-usage
clear pfe tcam-errors app fw-ifl-out shared-usage detail
clear pfe tcam-errors app fw-inet-ftf
<clear-pfe-tcam-errors-app-fw-inet-ftf>
clear pfe tcam-errors app fw-inet-ftf detail
clear pfe tcam-errors app fw-inet-ftf list-related-apps
clear pfe tcam-errors app fw-inet-ftf list-shared-apps
clear pfe tcam-errors app fw-inet-ftf shared-usage
clear pfe tcam-errors app fw-inet-ftf shared-usage detail
clear pfe tcam-errors app fw-inet-in
<clear-pfe-tcam-errors-app-fw-inet-in>
clear pfe tcam-errors app fw-inet-in detail
clear pfe tcam-errors app fw-inet-in list-related-apps
clear pfe tcam-errors app fw-inet-in list-shared-apps
clear pfe tcam-errors app fw-inet-in shared-usage
clear pfe tcam-errors app fw-inet-in shared-usage detail
clear pfe tcam-errors app fw-inet-pm
<clear-pfe-tcam-errors-app-fw-inet-pm>
clear pfe tcam-errors app fw-inet-pm detail
clear pfe tcam-errors app fw-inet-pm list-related-apps
clear pfe tcam-errors app fw-inet-pm list-shared-apps
clear pfe tcam-errors app fw-inet-pm shared-usage
clear pfe tcam-errors app fw-inet-pm shared-usage detail
clear pfe tcam-errors app fw-inet-rpf
<clear-pfe-tcam-errors-app-fw-inet-rpf>
clear pfe tcam-errors app fw-inet-rpf detail
clear pfe tcam-errors app fw-inet-rpf list-related-apps
clear pfe tcam-errors app fw-inet-rpf list-shared-apps
clear pfe tcam-errors app fw-inet-rpf shared-usage
clear pfe tcam-errors app fw-inet-rpf shared-usage detail
clear pfe tcam-errors app fw-inet-rpf
<clear-pfe-tcam-errors-app-fw-inet-rpf>
Copyright © 2017, Juniper Networks, Inc.
175
User Access and Authentication Feature Guide for Routing Devices
clear pfe tcam-errors app fw-inet-rpf detail
clear pfe tcam-errors app fw-inet-rpf list-related-apps
clear pfe tcam-errors app fw-inet-rpf list-shared-apps
clear pfe tcam-errors app fw-inet-rpf shared-usage
clear pfe tcam-errors app fw-inet-rpf shared-usage detail
clear pfe tcam-errors app fw-inet6-family-out
<clear-pfe-tcam-errors-app-fw-inet6-family-out>
clear pfe tcam-errors app fw-inet6-family-out detail
clear pfe tcam-errors app fw-inet6-family-out list-related-apps
clear pfe tcam-errors app fw-inet6-family-out list-shared-apps
clear pfe tcam-errors app fw-inet6-family-out shared-usage
clear pfe tcam-errors app fw-inet6-family-out shared-usage detail
clear pfe tcam-errors app fw-inet6-ftf
<clear-pfe-tcam-errors-app-fw-inet6-ftf>
clear pfe tcam-errors app fw-inet6-ftf detail
clear pfe tcam-errors app fw-inet6-ftf list-related-apps
clear pfe tcam-errors app fw-inet6-ftf list-shared-apps
clear pfe tcam-errors app fw-inet6-ftf shared-usage
clear pfe tcam-errors app fw-inet6-ftf shared-usage detail
clear pfe tcam-errors app fw-inet6-in
<clear-pfe-tcam-errors-app-fw-inet6-in>
clear pfe tcam-errors app fw-inet6-in detail
clear pfe tcam-errors app fw-inet6-in list-related-apps
clear pfe tcam-errors app fw-inet6-in list-shared-apps
clear pfe tcam-errors app fw-inet6-in shared-usage
clear pfe tcam-errors app fw-inet6-in shared-usage detail
clear pfe tcam-errors app fw-inet6-rpf
<clear-pfe-tcam-errors-app-fw-inet6-rpf>
clear pfe tcam-errors app fw-inet6-rpf detail
clear pfe tcam-errors app fw-inet6-rpf list-related-apps
clear pfe tcam-errors app fw-inet6-rpf list-shared-apps
clear pfe tcam-errors app fw-inet6-rpf shared-usage
clear pfe tcam-errors app fw-inet6-rpf shared-usage detail
clear pfe tcam-errors app fw-l2-in
<clear-pfe-tcam-errors-app-fw-l2-in>
clear pfe tcam-errors app fw-l2-in detail
clear pfe tcam-errors app fw-l2-in list-related-apps
clear pfe tcam-errors app fw-l2-in list-shared-apps
clear pfe tcam-errors app fw-l2-in shared-usage
clear pfe tcam-errors app fw-l2-in shared-usage detail
clear pfe tcam-errors app fw-mpls-in
<clear-pfe-tcam-errors-app-fw-mpls-in>
clear pfe tcam-errors app fw-mpls-in detail
clear pfe tcam-errors app fw-mpls-in list-related-apps
clear pfe tcam-errors app fw-mpls-in list-shared-apps
clear pfe tcam-errors app fw-mpls-in shared-usage
clear pfe tcam-errors app fw-mpls-in shared-usage detail
clear pfe tcam-errors app fw-semantics
<clear-pfe-tcam-errors-app-fw-semantics>
clear pfe tcam-errors app fw-semantics detail
clear pfe tcam-errors app fw-semantics list-related-apps
clear pfe tcam-errors app fw-semantics list-shared-apps
clear pfe tcam-errors app fw-semantics shared-usage
clear pfe tcam-errors app fw-semantics shared-usage detail
clear pfe tcam-errors app fw-vpls-in
<clear-pfe-tcam-errors-app-fw-vpls-in>
clear pfe tcam-errors app fw-vpls-in detail
clear pfe tcam-errors app fw-vpls-in list-related-apps
clear pfe tcam-errors app fw-vpls-in list-shared-apps
clear pfe tcam-errors app fw-vpls-in shared-usage
clear pfe tcam-errors app fw-vpls-in shared-usage detail
176
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
clear pfe tcam-errors app gr-ifl-stats-egr
<clear-pfe-tcam-errors-app-gr-ifl-statistics-egr>
clear pfe tcam-errors app gr-ifl-stats-egr detail
clear pfe tcam-errors app gr-ifl-stats-egr list-related-apps
clear pfe tcam-errors app gr-ifl-stats-egr list-shared-apps
clear pfe tcam-errors app gr-ifl-stats-egr shared-usage
clear pfe tcam-errors app gr-ifl-stats-egr shared-usage detail
clear pfe tcam-errors app gr-ifl-stats-ing
<clear-pfe-tcam-errors-app-gr-ifl-statistics-ing>
clear pfe tcam-errors app gr-ifl-stats-ing detail
clear pfe tcam-errors app gr-ifl-stats-ing list-related-apps
clear pfe tcam-errors app gr-ifl-stats-ing list-shared-apps
clear pfe tcam-errors app gr-ifl-stats-ing shared-usage
clear pfe tcam-errors app gr-ifl-stats-ing shared-usage detail
clear pfe tcam-errors app gr-ifl-stats-preing
<clear-pfe-tcam-errors-app-gr-ifl-statistics-preing>
clear pfe tcam-errors app gr-ifl-stats-preing detail
clear pfe tcam-errors app gr-ifl-stats-preing list-related-apps
clear pfe tcam-errors app gr-ifl-stats-preing list-shared-apps
clear pfe tcam-errors app gr-ifl-stats-preing shared-usage
clear pfe tcam-errors app gr-ifl-stats-preing shared-usage detail
< clear pfe tcam-errors app ifd-src-mac-fil
<clear-pfe-tcam-errors-app-ifd-src-mac-fil>
clear pfe tcam-errors app ifd-src-mac-fil detail
clear pfe tcam-errors app ifd-src-mac-fil list-related-apps
clear pfe tcam-errors app ifd-src-mac-fil list-shared-apps
clear pfe tcam-errors app ifd-src-mac-fil shared-usage
clear pfe tcam-errors app ifd-src-mac-fil shared-usage detail
clear pfe tcam-errors app ifl-statistics-in
<clear-pfe-tcam-errors-app-ifl-statistics-in>
clear pfe tcam-errors app ifl-statistics-in detail
clear pfe tcam-errors app ifl-statistics-in list-related-apps
clear pfe tcam-errors app ifl-statistics-in list-shared-apps
clear pfe tcam-errors app ifl-statistics-in shared-usage
clear pfe tcam-errors app ifl-statistics-in shared-usage detail
clear pfe tcam-errors app ifl-statistics-out
<clear-pfe-tcam-errors-app-ifl-statistics-out>
clear pfe tcam-errors app ifl-statistics-out detail
clear pfe tcam-errors app ifl-statistics-out list-related-apps
clear pfe tcam-errors app ifl-statistics-out list-shared-apps
clear pfe tcam-errors app ifl-statistics-out shared-usage
clear pfe tcam-errors app ifl-statistics-out shared-usage detail
clear pfe tcam-errors app ing-out-iff
<clear-pfe-tcam-errors-app-ing-out-iff>
clear pfe tcam-errors app ing-out-iff detail
clear pfe tcam-errors app ing-out-iff list-related-apps
clear pfe tcam-errors app ing-out-iff list-shared-apps
clear pfe tcam-errors app ing-out-iff shared-usage
clear pfe tcam-errors app ing-out-iff shared-usage detail
clear pfe tcam-errors app ip-mac-val
<clear-pfe-tcam-errors-app-ip-mac-val>
clear pfe tcam-errors app ip-mac-val detail
clear pfe tcam-errors app ip-mac-val list-related-apps
clear pfe tcam-errors app ip-mac-val list-shared-apps
clear pfe tcam-errors app ip-mac-val shared-usage
clear pfe tcam-errors app ip-mac-val shared-usage detail
clear pfe tcam-errors app ip-mac-val-bcast
<clear-pfe-tcam-errors-app-ip-mac-val-bcast>
clear pfe tcam-errors app ip-mac-val-bcast detail
clear pfe tcam-errors app ip-mac-val-bcast list-related-apps
clear pfe tcam-errors app ip-mac-val-bcast list-shared-apps
Copyright © 2017, Juniper Networks, Inc.
177
User Access and Authentication Feature Guide for Routing Devices
clear pfe tcam-errors app ip-mac-val-bcast shared-usage
clear pfe tcam-errors app ip-mac-val-bcast shared-usage detail
clear pfe tcam-errors app ipsec-reverse-fil
<clear-pfe-tcam-errors-app-ipsec-reverse-fil>
clear pfe tcam-errors app ipsec-reverse-fil detail
clear pfe tcam-errors app ipsec-reverse-fil list-related-apps
clear pfe tcam-errors app ipsec-reverse-fil list-shared-apps
clear pfe tcam-errors app ipsec-reverse-fil shared-usage
clear pfe tcam-errors app ipsec-reverse-fil shared-usage detail
clear pfe tcam-errors app irb-cos-rw
<clear-pfe-tcam-errors-app-irb-cos-rw>
clear pfe tcam-errors app irb-cos-rw detail
clear pfe tcam-errors app irb-cos-rw list-related-apps
clear pfe tcam-errors app irb-cos-rw list-shared-apps
clear pfe tcam-errors app irb-cos-rw shared-usage
clear pfe tcam-errors app irb-cos-rw shared-usage detail
clear pfe tcam-errors app irb-fixed-cos
<clear-pfe-tcam-errors-app-irb-fixed-cos>
clear pfe tcam-errors app irb-fixed-cos detail
clear pfe tcam-errors app irb-fixed-cos list-related-apps
clear pfe tcam-errors app irb-fixed-cos list-shared-apps
clear pfe tcam-errors app irb-fixed-cos shared-usage
clear pfe tcam-errors app irb-fixed-cos shared-usage detail
clear pfe tcam-errors app irb-inet6-fil
<clear-pfe-tcam-errors-app-irb-inet6-fil>
clear pfe tcam-errors app irb-inet6-fil detail
clear pfe tcam-errors app irb-inet6-fil list-related-apps
clear pfe tcam-errors app irb-inet6-fil list-shared-apps
clear pfe tcam-errors app irb-inet6-fil shared-usage
clear pfe tcam-errors app irb-inet6-fil shared-usage detail
clear pfe tcam-errors app lfm-802.3ah-in
<clear-pfe-tcam-errors-app-lfm-802.3ah-in>
clear pfe tcam-errors app lfm-802.3ah-in detail
clear pfe tcam-errors app lfm-802.3ah-in list-related-apps
clear pfe tcam-errors app lfm-802.3ah-in list-shared-apps
clear pfe tcam-errors app lfm-802.3ah-in shared-usage
clear pfe tcam-errors app lfm-802.3ah-in shared-usage detail
clear pfe tcam-errors app lfm-802.3ah-out
<clear-pfe-tcam-errors-app-lfm-802.3ah-out>
clear pfe tcam-errors app lfm-802.3ah-out detail
clear pfe tcam-errors app lfm-802.3ah-out list-related-apps
clear pfe tcam-errors app lfm-802.3ah-out list-shared-apps
clear pfe tcam-errors app lfm-802.3ah-out shared-usage
clear pfe tcam-errors app lfm-802.3ah-out shared-usage detail
clear pfe tcam-errors app lo0-inet-fil
<clear-pfe-tcam-errors-app-lo0-inet-fil>
clear pfe tcam-errors app lo0-inet-fil detail
clear pfe tcam-errors app lo0-inet-fil list-related-apps
clear pfe tcam-errors app lo0-inet-fil list-shared-apps
clear pfe tcam-errors app lo0-inet-fil shared-usage
clear pfe tcam-errors app lo0-inet-fil shared-usage detail
clear pfe tcam-errors app lo0-inet6-fil
<clear-pfe-tcam-errors-app-lo0-inet6-fil>
clear pfe tcam-errors app lo0-inet6-fil detail
clear pfe tcam-errors app lo0-inet6-fil list-related-apps
clear pfe tcam-errors app lo0-inet6-fil list-shared-apps
clear pfe tcam-errors app lo0-inet6-fil shared-usage
clear pfe tcam-errors app lo0-inet6-fil shared-usage detail
clear pfe tcam-errors app mac-drop-cnt
<clear-pfe-tcam-errors-app-mac-drop-cnt>
clear pfe tcam-errors app mac-drop-cnt detail
178
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
clear pfe tcam-errors app mac-drop-cnt list-related-apps
clear pfe tcam-errors app mac-drop-cnt list-shared-apps
clear pfe tcam-errors app mac-drop-cnt shared-usage
clear pfe tcam-errors app mac-drop-cnt shared-usage detail
clear pfe tcam-errors app mrouter-port-in
<clear-pfe-tcam-errors-app-mrouter-port-in>
clear pfe tcam-errors app mrouter-port-in detail
clear pfe tcam-errors app mrouter-port-in list-related-apps
clear pfe tcam-errors app mrouter-port-in list-shared-apps
clear pfe tcam-errors app mrouter-port-in shared-usage
clear pfe tcam-errors app mrouter-port-in shared-usage detail
clear pfe tcam-errors app napt-reverse-fil
<clear-pfe-tcam-errors-app-napt-reverse-fil>
clear pfe tcam-errors app napt-reverse-fil detail
clear pfe tcam-errors app napt-reverse-fil list-related-apps
clear pfe tcam-errors app napt-reverse-fil list-shared-apps
clear pfe tcam-errors app napt-reverse-fil shared-usage
clear pfe tcam-errors app napt-reverse-fil shared-usage detail
clear pfe tcam-errors app no-local-switching
<clear-pfe-tcam-errors-app-no-local-switching>
clear pfe tcam-errors app no-local-switching detail
clear pfe tcam-errors app no-local-switching list-related-apps
clear pfe tcam-errors app no-local-switching list-shared-apps
clear pfe tcam-errors app no-local-switching shared-usage
clear pfe tcam-errors app no-local-switching shared-usage detail
clear pfe tcam-errors app ptpoe-cos-rw
<clear-pfe-tcam-errors-app-ptpoe-cos-rw>
clear pfe tcam-errors app ptpoe-cos-rw detail
clear pfe tcam-errors app ptpoe-cos-rw list-related-apps
clear pfe tcam-errors app ptpoe-cos-rw list-shared-apps
clear pfe tcam-errors app ptpoe-cos-rw shared-usage
clear pfe tcam-errors app ptpoe-cos-rw shared-usage detail
clear pfe tcam-errors app rfc2544-layer2-in
<clear-pfe-tcam-errors-app-rfc2544-layer2-in>
clear pfe tcam-errors app rfc2544-layer2-in detail
clear pfe tcam-errors app rfc2544-layer2-in list-related-apps
clear pfe tcam-errors app rfc2544-layer2-in list-shared-apps
clear pfe tcam-errors app rfc2544-layer2-in shared-usage
clear pfe tcam-errors app rfc2544-layer2-in shared-usage detail
clear pfe tcam-errors app rfc2544-layer2-out
<clear-pfe-tcam-errors-app-rfc2544-layer2-out>
clear pfe tcam-errors app rfc2544-layer2-out detail
clear pfe tcam-errors app rfc2544-layer2-out list-related-apps
clear pfe tcam-errors app rfc2544-layer2-out list-shared-apps
clear pfe tcam-errors app rfc2544-layer2-out shared-usage
clear pfe tcam-errors app rfc2544-layer2-out shared-usage detail
clear pfe tcam-errors app vpls-mesh-group-mcast
<get-upper-level-xml-name-vpls-mesh-group-mcast>
clear pfe tcam-errors app vpls-mesh-group-mcast detail
clear pfe tcam-errors app vpls-mesh-group-mcast list-related-apps
clear pfe tcam-errors app vpls-mesh-group-mcast list-shared-apps
clear pfe tcam-errors app vpls-mesh-group-mcast shared-usage
clear pfe tcam-errors app vpls-mesh-group-mcast shared-usage detail
clear pfe tcam-errors app vpls-mesh-group-ucast
<get-upper-level-xml-name-vpls-mesh-group-ucast>
clear pfe tcam-errors app vpls-mesh-group-ucast detail
clear pfe tcam-errors app vpls-mesh-group-ucast list-related-apps
clear pfe tcam-errors app vpls-mesh-group-ucast list-shared-apps
clear pfe tcam-errors app vpls-mesh-group-ucast shared-usage
clear pfe tcam-errors app vpls-mesh-group-ucast shared-usage detail
clear pfe tcam-errors tcam-stage
Copyright © 2017, Juniper Networks, Inc.
179
User Access and Authentication Feature Guide for Routing Devices
clear pfe tcam-errors tcam-stage egress
<clear-pfe-tcam-errors-egress-tcam-stage>
clear pfe tcam-errors tcam-stage egress app
clear-pfe-tcam-errors-egress-app
clear pfe tcam-errors tcam-stage egress app bd-dtag-validate
<clear-pfe-tcam-errors-egress-app-bd-dtag-validate>
clear pfe tcam-errors tcam-stage egress app bd-dtag-validate detail
clear pfe tcam-errors tcam-stage egress app bd-dtag-validate
list-related-appsclear pfe tcam-errors tcam-stage egress app bd-dtag-validate
list-shared-apps
clear pfe tcam-errors tcam-stage egress app bd-dtag-validate shared-usage
clear pfe tcam-errors tcam-stage egress app bd-dtag-validate shared-usage
detail
clear pfe tcam-errors tcam-stage egress app bd-tpid-swap
<clear-pfe-tcam-errors-egress-app-bd-tpid-swap>
clear pfe tcam-errors tcam-stage egress app bd-tpid-swap detail
clear pfe tcam-errors tcam-stage egress app bd-tpid-swap list-related-apps
clear pfe tcam-errors tcam-stage egress app bd-tpid-swap list-shared-apps
clear pfe tcam-errors tcam-stage egress app bd-tpid-swap shared-usage
clear pfe tcam-errors tcam-stage egress app bd-tpid-swap shared-usage detail
clear pfe tcam-errors tcam-stage egress app fw-family-out
<clear-pfe-tcam-errors-egress-app-fw-family-out>
clear pfe tcam-errors tcam-stage egress app fw-family-out detail
clear pfe tcam-errors tcam-stage egress app fw-family-out list-related-apps
clear pfe tcam-errors tcam-stage egress app fw-family-out list-shared-apps
clear pfe tcam-errors tcam-stage egress app fw-family-out shared-usage
clear pfe tcam-errors tcam-stage egress app fw-family-out shared-usage detail
clear pfe tcam-errors tcam-stage egress app fw-ifl-out
<clear-pfe-tcam-errors-egress-app-fw-ifl-out>
clear pfe tcam-errors tcam-stage egress app fw-ifl-out detail
clear pfe tcam-errors tcam-stage egress app fw-ifl-out list-related-apps
clear pfe tcam-errors tcam-stage egress app fw-ifl-out list-shared-apps
clear pfe tcam-errors tcam-stage egress app fw-ifl-out shared-usage
clear pfe tcam-errors tcam-stage egress app fw-ifl-out shared-usage detail
clear pfe tcam-errors tcam-stage egress app fw-inet6-family-out
<clear-pfe-tcam-errors-egress-app-fw-inet6-family-out>
clear pfe tcam-errors tcam-stage egress app fw-inet6-family-out detail
clear pfe tcam-errors tcam-stage egress app fw-inet6-family-out
list-related-apps
clear pfe tcam-errors tcam-stage egress app fw-inet6-family-out list-shared-apps
clear pfe tcam-errors tcam-stage egress app fw-inet6-family-out shared-usage
clear pfe tcam-errors tcam-stage egress app fw-inet6-family-out shared-usage
detail
clear pfe tcam-errors tcam-stage egress app ifl-statistics-out
<clear-pfe-tcam-errors-egress-app-ifl-statistics-out>
clear pfe tcam-errors tcam-stage egress app ifl-statistics-out detail
clear pfe tcam-errors tcam-stage egress app ifl-statistics-out list-related-apps
clear pfe tcam-errors tcam-stage egress app ifl-statistics-out list-shared-apps
clear pfe tcam-errors tcam-stage egress app ifl-statistics-out shared-usage
clear pfe tcam-errors tcam-stage egress app ifl-statistics-out shared-usage
detail
clear pfe tcam-errors tcam-stage egress app irb-cos-rw
<clear-pfe-tcam-errors-egress-app-irb-cos-rw>
clear pfe tcam-errors tcam-stage egress app irb-cos-rw detail
clear pfe tcam-errors tcam-stage egress app irb-cos-rw list-related-apps
clear pfe tcam-errors tcam-stage egress app irb-cos-rw list-shared-apps
clear pfe tcam-errors tcam-stage egress app irb-cos-rw shared-usage
clear pfe tcam-errors tcam-stage egress app irb-cos-rw shared-usage detail
clear pfe tcam-errors tcam-stage egress app lfm-802.3ah-out
<clear-pfe-tcam-errors-egress-app-lfm-802.3ah-out>
clear pfe tcam-errors tcam-stage egress app lfm-802.3ah-out detail
180
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
clear pfe tcam-errors tcam-stage egress app lfm-802.3ah-out list-related-apps
clear pfe tcam-errors tcam-stage egress app lfm-802.3ah-out list-shared-apps
clear pfe tcam-errors tcam-stage egress app lfm-802.3ah-out shared-usage
clear pfe tcam-errors tcam-stage egress app lfm-802.3ah-out shared-usage detail
clear pfe tcam-errors tcam-stage egress app ptpoe-cos-rw
<clear-pfe-tcam-errors-egress-app-ptpoe-cos-rw>
clear pfe tcam-errors tcam-stage egress app ptpoe-cos-rw detail
clear pfe tcam-errors tcam-stage egress app ptpoe-cos-rw list-related-apps
clear pfe tcam-errors tcam-stage egress app ptpoe-cos-rw list-shared-apps
clear pfe tcam-errors tcam-stage egress app ptpoe-cos-rw shared-usage
clear pfe tcam-errors tcam-stage egress app ptpoe-cos-rw shared-usage detail
clear pfe tcam-errors tcam-stage egress app rfc2544-layer2-out
<clear-pfe-tcam-errors-egress-app-rfc2544-layer2-out>
clear pfe tcam-errors tcam-stage egress app rfc2544-layer2-out detail
clear pfe tcam-errors tcam-stage egress app rfc2544-layer2-out list-related-apps
clear pfe tcam-errors tcam-stage egress app rfc2544-layer2-out list-shared-apps
clear pfe tcam-errors tcam-stage egress app rfc2544-layer2-out shared-usage
clear pfe tcam-errors tcam-stage egress app rfc2544-layer2-out shared-usage
detail
clear pfe tcam-errors tcam-stage ingress
<clear-pfe-tcam-errors-ingress-tcam-stage>
clear pfe tcam-errors tcam-stage ingress app
<clear-pfe-tcam-errors-ingress-app>
clear pfe tcam-errors tcam-stage ingress app cfm-bd-filter
<clear-pfe-tcam-errors-ingress-app-cfm-bd-filter>
clear pfe tcam-errors tcam-stage ingress app cfm-bd-filter detail
clear pfe tcam-errors tcam-stage ingress app cfm-bd-filter list-related-apps
clear pfe tcam-errors tcam-stage ingress app cfm-bd-filter list-shared-apps
clear pfe tcam-errors tcam-stage ingress app cfm-bd-filter shared-usage
clear pfe tcam-errors tcam-stage ingress app cfm-bd-filter shared-usage detail
clear pfe tcam-errors tcam-stage ingress app cfm-filter
<clear-pfe-tcam-errors-ingress-app-cfm-filter>
clear pfe tcam-errors tcam-stage ingress app cfm-filter detail
clear pfe tcam-errors tcam-stage ingress app cfm-filter list-related-apps
clear pfe tcam-errors tcam-stage ingress app cfm-filter list-shared-apps
clear pfe tcam-errors tcam-stage ingress app cfm-filter shared-usage
clear pfe tcam-errors tcam-stage ingress app cfm-filter shared-usage detail
clear pfe tcam-errors tcam-stage ingress app cfm-vpls-filter
<clear-pfe-tcam-errors-ingress-app-cfm-vpls-filter>
clear pfe tcam-errors tcam-stage ingress app cfm-vpls-filter detail
clear pfe tcam-errors tcam-stage ingress app cfm-vpls-filter list-related-apps
clear pfe tcam-errors tcam-stage ingress app cfm-vpls-filter list-shared-apps
clear pfe tcam-errors tcam-stage ingress app cfm-vpls-filter shared-usage
clear pfe tcam-errors tcam-stage ingress app cfm-vpls-filter shared-usage
detail
clear pfe tcam-errors tcam-stage ingress app cfm-vpls-ifl-filter
<clear-pfe-tcam-errors-ingress-app-cfm-vpls-ifl-filter>
clear pfe tcam-errors tcam-stage ingress app cfm-vpls-ifl-filter detail
clear pfe tcam-errors tcam-stage ingress app cfm-vpls-ifl-filter
list-related-apps
clear pfe tcam-errors tcam-stage ingress app cfm-vpls-ifl-filter
list-shared-apps
clear pfe tcam-errors tcam-stage ingress app cfm-vpls-ifl-filter shared-usage
clear pfe tcam-errors tcam-stage ingress app cfm-vpls-ifl-filter shared-usage
detail
clear pfe tcam-errors tcam-stage ingress app fw-ccc-in
<clear-pfe-tcam-errors-ingress-app-fw-ccc-in>
clear pfe tcam-errors tcam-stage ingress app fw-ccc-in detail
clear pfe tcam-errors tcam-stage ingress app fw-ccc-in list-related-apps
clear pfe tcam-errors tcam-stage ingress app fw-ccc-in list-shared-apps
clear pfe tcam-errors tcam-stage ingress app fw-ccc-in shared-usage
Copyright © 2017, Juniper Networks, Inc.
181
User Access and Authentication Feature Guide for Routing Devices
clear pfe tcam-errors tcam-stage ingress app fw-ccc-in shared-usage detail
clear pfe tcam-errors tcam-stage ingress app fw-ifl-in
<clear-pfe-tcam-errors-ingress-app-fw-ifl-in>
clear pfe tcam-errors tcam-stage ingress app fw-ifl-in detail
clear pfe tcam-errors tcam-stage ingress app fw-ifl-in list-related-apps
clear pfe tcam-errors tcam-stage ingress app fw-ifl-in list-shared-apps
clear pfe tcam-errors tcam-stage ingress app fw-ifl-in shared-usage
clear pfe tcam-errors tcam-stage ingress app fw-ifl-in shared-usage detail
clear pfe tcam-errors tcam-stage ingress app fw-inet-ftf
<clear-pfe-tcam-errors-ingress-app-fw-inet-ftf>
clear pfe tcam-errors tcam-stage ingress app fw-inet-ftf detail
clear pfe tcam-errors tcam-stage ingress app fw-inet-ftf list-related-apps
clear pfe tcam-errors tcam-stage ingress app fw-inet-ftf list-shared-apps
clear pfe tcam-errors tcam-stage ingress app fw-inet-ftf shared-usage
clear pfe tcam-errors tcam-stage ingress app fw-inet-ftf shared-usage detail
clear pfe tcam-errors tcam-stage ingress app fw-inet-in
<clear-pfe-tcam-errors-ingress-app-fw-inet-in>
clear pfe tcam-errors tcam-stage ingress app fw-inet-in detail
clear pfe tcam-errors tcam-stage ingress app fw-inet-in list-related-apps
clear pfe tcam-errors tcam-stage ingress app fw-inet-in list-shared-apps
clear pfe tcam-errors tcam-stage ingress app fw-inet-in shared-usage
clear pfe tcam-errors tcam-stage ingress app fw-inet-in shared-usage detail
clear pfe tcam-errors tcam-stage ingress app fw-inet-pm
<clear-pfe-tcam-errors-ingress-app-fw-inet-pm>
clear pfe tcam-errors tcam-stage ingress app fw-inet-pm detail
clear pfe tcam-errors tcam-stage ingress app fw-inet-pm list-related-apps
clear pfe tcam-errors tcam-stage ingress app fw-inet-pm list-shared-apps
clear pfe tcam-errors tcam-stage ingress app fw-inet-pm shared-usage
clear pfe tcam-errors tcam-stage ingress app fw-inet-pm shared-usage detail
clear pfe tcam-errors tcam-stage ingress app fw-inet-rpf
<clear-pfe-tcam-errors-ingress-app-fw-inet-rpf>
clear pfe tcam-errors tcam-stage ingress app fw-inet-rpf detail
clear pfe tcam-errors tcam-stage ingress app fw-inet-rpf list-related-apps
clear pfe tcam-errors tcam-stage ingress app fw-inet-rpf list-shared-apps
clear pfe tcam-errors tcam-stage ingress app fw-inet-rpf shared-usage
clear pfe tcam-errors tcam-stage ingress app fw-inet-rpf shared-usage detail
clear pfe tcam-errors tcam-stage ingress app fw-inet6-ftf
<clear-pfe-tcam-errors-ingress-app-fw-inet6-ftf>
clear pfe tcam-errors tcam-stage ingress app fw-inet6-ftf detail
clear pfe tcam-errors tcam-stage ingress app fw-inet6-ftf list-related-apps
clear pfe tcam-errors tcam-stage ingress app fw-inet6-ftf list-shared-apps
clear pfe tcam-errors tcam-stage ingress app fw-inet6-ftf shared-usage
clear pfe tcam-errors tcam-stage ingress app fw-inet6-ftf shared-usage detail
clear pfe tcam-errors tcam-stage ingress app fw-inet6-in
<clear-pfe-tcam-errors-ingress-app-fw-inet6-in>
clear pfe tcam-errors tcam-stage ingress app fw-inet6-in detail
clear pfe tcam-errors tcam-stage ingress app fw-inet6-in list-related-apps
clear pfe tcam-errors tcam-stage ingress app fw-inet6-in list-shared-apps
clear pfe tcam-errors tcam-stage ingress app fw-inet6-in shared-usage
clear pfe tcam-errors tcam-stage ingress app fw-inet6-in shared-usage detail
clear pfe tcam-errors tcam-stage ingress app fw-inet6-rpf
<clear-pfe-tcam-errors-ingress-app-fw-inet6-rpf>
clear pfe tcam-errors tcam-stage ingress app fw-inet6-rpf detail
clear pfe tcam-errors tcam-stage ingress app fw-inet6-rpf list-related-apps
clear pfe tcam-errors tcam-stage ingress app fw-inet6-rpf list-shared-apps
clear pfe tcam-errors tcam-stage ingress app fw-inet6-rpf shared-usage
clear pfe tcam-errors tcam-stage ingress app fw-inet6-rpf shared-usage detail
clear pfe tcam-errors tcam-stage ingress app fw-l2-in
<clear-pfe-tcam-errors-ingress-app-fw-l2-in>
clear pfe tcam-errors tcam-stage ingress app fw-l2-in detail
clear pfe tcam-errors tcam-stage ingress app fw-l2-in list-related-apps
182
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
clear pfe tcam-errors tcam-stage ingress app fw-l2-in list-shared-apps
clear pfe tcam-errors tcam-stage ingress app fw-l2-in shared-usage
clear pfe tcam-errors tcam-stage ingress app fw-l2-in shared-usage detail
clear pfe tcam-errors tcam-stage ingress app fw-mpls-in
<clear-pfe-tcam-errors-ingress-app-fw-mpls-in>
clear pfe tcam-errors tcam-stage ingress app fw-mpls-in detail
clear pfe tcam-errors tcam-stage ingress app fw-mpls-in list-related-apps
clear pfe tcam-errors tcam-stage ingress app fw-mpls-in list-shared-apps
clear pfe tcam-errors tcam-stage ingress app fw-mpls-in shared-usage
clear pfe tcam-errors tcam-stage ingress app fw-mpls-in shared-usage detail
clear pfe tcam-errors tcam-stage ingress app fw-vpls-in
<clear-pfe-tcam-errors-ingress-app-fw-vpls-in>
clear pfe tcam-errors tcam-stage ingress app fw-vpls-in detail
clear pfe tcam-errors tcam-stage ingress app fw-vpls-in list-related-apps
clear pfe tcam-errors tcam-stage ingress app fw-vpls-in list-shared-apps
clear pfe tcam-errors tcam-stage ingress app fw-vpls-in shared-usage
clear pfe tcam-errors tcam-stage ingress app fw-vpls-in shared-usage detail
clear pfe tcam-errors tcam-stage ingress app gr-ifl-stats-egr
<clear-pfe-tcam-errors-ingress-app-gr-ifl-statistics-egr>
clear pfe tcam-errors tcam-stage ingress app gr-ifl-stats-egr detail
clear pfe tcam-errors tcam-stage ingress app gr-ifl-stats-egr list-related-apps
clear pfe tcam-errors tcam-stage ingress app gr-ifl-stats-egr list-shared-apps
clear pfe tcam-errors tcam-stage ingress app gr-ifl-stats-egr shared-usage
clear pfe tcam-errors tcam-stage ingress app gr-ifl-stats-egr shared-usage
detail
clear pfe tcam-errors tcam-stage ingress app gr-ifl-stats-ing
<clear-pfe-tcam-errors-ingress-app-gr-ifl-statistics-ing>
clear pfe tcam-errors tcam-stage ingress app gr-ifl-stats-ing detail
clear pfe tcam-errors tcam-stage ingress app gr-ifl-stats-ing list-related-apps
clear pfe tcam-errors tcam-stage ingress app gr-ifl-stats-ing list-shared-apps
clear pfe tcam-errors tcam-stage ingress app gr-ifl-stats-ing shared-usage
clear pfe tcam-errors tcam-stage ingress app gr-ifl-stats-ing shared-usage
detail
clear pfe tcam-errors tcam-stage ingress app gr-ifl-stats-preing
<clear-pfe-tcam-errors-ingress-app-gr-ifl-statistics-preing>
clear pfe tcam-errors tcam-stage ingress app gr-ifl-stats-preing detail
clear pfe tcam-errors tcam-stage ingress app gr-ifl-stats-preing
list-related-apps
clear pfe tcam-errors tcam-stage ingress app gr-ifl-stats-preing
list-shared-apps
clear pfe tcam-errors tcam-stage ingress app gr-ifl-stats-preing shared-usage
clear pfe tcam-errors tcam-stage ingress app gr-ifl-stats-preing shared-usage
detail
clear pfe tcam-errors tcam-stage ingress app ifl-statistics-in
<clear-pfe-tcam-errors-ingress-app-ifl-statistics-in>
clear pfe tcam-errors tcam-stage ingress app ifl-statistics-in detail
clear pfe tcam-errors tcam-stage ingress app ifl-statistics-in list-related-apps
clear pfe tcam-errors tcam-stage ingress app ifl-statistics-in list-shared-apps
clear pfe tcam-errors tcam-stage ingress app ifl-statistics-in shared-usage
clear pfe tcam-errors tcam-stage ingress app ifl-statistics-in shared-usage
detail
clear pfe tcam-errors tcam-stage ingress app ipsec-reverse-fil
<clear-pfe-tcam-errors-ingress-app-ipsec-reverse-fil>
clear pfe tcam-errors tcam-stage ingress app ipsec-reverse-fil detail
clear pfe tcam-errors tcam-stage ingress app ipsec-reverse-fil list-related-apps
clear pfe tcam-errors tcam-stage ingress app ipsec-reverse-fil list-shared-apps
clear pfe tcam-errors tcam-stage ingress app ipsec-reverse-fil shared-usage
clear pfe tcam-errors tcam-stage ingress app ipsec-reverse-fil shared-usage
detail
clear pfe tcam-errors tcam-stage ingress app irb-fixed-cos
<clear-pfe-tcam-errors-ingress-app-irb-fixed-cos>
Copyright © 2017, Juniper Networks, Inc.
183
User Access and Authentication Feature Guide for Routing Devices
clear pfe tcam-errors tcam-stage ingress app irb-fixed-cos detail
clear pfe tcam-errors tcam-stage ingress app irb-fixed-cos list-related-apps
clear pfe tcam-errors tcam-stage ingress app irb-fixed-cos list-shared-apps
clear pfe tcam-errors tcam-stage ingress app irb-fixed-cos shared-usage
clear pfe tcam-errors tcam-stage ingress app irb-fixed-cos shared-usage detail
clear pfe tcam-errors tcam-stage ingress app irb-inet6-fil
<clear-pfe-tcam-errors-ingress-app-irb-inet6-fil>
clear pfe tcam-errors tcam-stage ingress app irb-inet6-fil detail
clear pfe tcam-errors tcam-stage ingress app irb-inet6-fil list-related-apps
clear pfe tcam-errors tcam-stage ingress app irb-inet6-fil list-shared-apps
clear pfe tcam-errors tcam-stage ingress app irb-inet6-fil shared-usage
clear pfe tcam-errors tcam-stage ingress app irb-inet6-fil shared-usage detail
clear pfe tcam-errors tcam-stage ingress app lfm-802.3ah-in
<clear-pfe-tcam-errors-ingress-app-lfm-802.3ah-in>
clear pfe tcam-errors tcam-stage ingress app lfm-802.3ah-in detail
clear pfe tcam-errors tcam-stage ingress app lfm-802.3ah-in list-related-apps
clear pfe tcam-errors tcam-stage ingress app lfm-802.3ah-in list-shared-apps
clear pfe tcam-errors tcam-stage ingress app lfm-802.3ah-in shared-usage
clear pfe tcam-errors tcam-stage ingress app lfm-802.3ah-in shared-usage detail
clear pfe tcam-errors tcam-stage ingress app lo0-inet-fil
<clear-pfe-tcam-errors-ingress-app-lo0-inet-fil>
clear pfe tcam-errors tcam-stage ingress app lo0-inet-fil detail
clear pfe tcam-errors tcam-stage ingress app lo0-inet-fil list-related-apps
clear pfe tcam-errors tcam-stage ingress app lo0-inet-fil list-shared-apps
clear pfe tcam-errors tcam-stage ingress app lo0-inet-fil shared-usage
clear pfe tcam-errors tcam-stage ingress app lo0-inet-fil shared-usage detail
clear pfe tcam-errors tcam-stage ingress app lo0-inet6-fil
<clear-pfe-tcam-errors-ingress-app-lo0-inet6-fil>
clear pfe tcam-errors tcam-stage ingress app lo0-inet6-fil detail
clear pfe tcam-errors tcam-stage ingress app lo0-inet6-fil list-related-apps
clear pfe tcam-errors tcam-stage ingress app lo0-inet6-fil list-shared-apps
clear pfe tcam-errors tcam-stage ingress app lo0-inet6-fil shared-usage
clear pfe tcam-errors tcam-stage ingress app lo0-inet6-fil shared-usage detail
clear pfe tcam-errors tcam-stage ingress app mac-drop-cnt
<clear-pfe-tcam-errors-ingress-app-mac-drop-cnt>
clear pfe tcam-errors tcam-stage ingress app mac-drop-cnt detail
clear pfe tcam-errors tcam-stage ingress app mac-drop-cnt list-related-apps
clear pfe tcam-errors tcam-stage ingress app mac-drop-cnt list-shared-apps
clear pfe tcam-errors tcam-stage ingress app mac-drop-cnt shared-usage
clear pfe tcam-errors tcam-stage ingress app mac-drop-cnt shared-usage detail
clear pfe tcam-errors tcam-stage ingress app mrouter-port-in
<clear-pfe-tcam-errors-ingress-app-mrouter-port-in>
clear pfe tcam-errors tcam-stage ingress app mrouter-port-in detail
clear pfe tcam-errors tcam-stage ingress app mrouter-port-in list-related-apps
clear pfe tcam-errors tcam-stage ingress app mrouter-port-in list-shared-apps
clear pfe tcam-errors tcam-stage ingress app mrouter-port-in shared-usage
clear pfe tcam-errors tcam-stage ingress app mrouter-port-in shared-usage
detail
clear pfe tcam-errors tcam-stage ingress app napt-reverse-fil
<clear-pfe-tcam-errors-ingress-app-napt-reverse-fil>
clear pfe tcam-errors tcam-stage ingress app napt-reverse-fil detail
clear pfe tcam-errors tcam-stage ingress app napt-reverse-fil list-related-apps
clear pfe tcam-errors tcam-stage ingress app napt-reverse-fil list-shared-apps
clear pfe tcam-errors tcam-stage ingress app napt-reverse-fil shared-usage
clear pfe tcam-errors tcam-stage ingress app napt-reverse-fil shared-usage
detail
clear pfe tcam-errors tcam-stage ingress app no-local-switching
<clear-pfe-tcam-errors-ingress-app-no-local-switching>
clear pfe tcam-errors tcam-stage ingress app no-local-switching detail
clear pfe tcam-errors tcam-stage ingress app no-local-switching
list-related-apps
184
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
clear pfe tcam-errors tcam-stage ingress app no-local-switching list-shared-apps
clear pfe tcam-errors tcam-stage ingress app no-local-switching shared-usage
clear pfe tcam-errors tcam-stage ingress app no-local-switching shared-usage
detail
clear pfe tcam-errors tcam-stage pre-ingress
<clear-pfe-tcam-errors-pre-ingress-tcam-stage>
clear pfe tcam-errors tcam-stage pre-ingress app
<clear-pfe-tcam-errors-pre-ingress-app>
clear pfe tcam-errors tcam-stage pre-ingress app cos-fc
<clear-pfe-tcam-errors-pre-ingress-app-cos-fc>
clear pfe tcam-errors tcam-stage pre-ingress app cos-fc detail
clear pfe tcam-errors tcam-stage pre-ingress app cos-fc list-related-apps
clear pfe tcam-errors tcam-stage pre-ingress app cos-fc list-shared-apps
clear pfe tcam-errors tcam-stage pre-ingress app cos-fc shared-usage
clear pfe tcam-errors tcam-stage pre-ingress app cos-fc shared-usage detail
clear pfe tcam-errors tcam-stage pre-ingress app fw-fbf
<clear-pfe-tcam-errors-pre-ingress-app-fw-fbf>
clear pfe tcam-errors tcam-stage pre-ingress app fw-fbf detail
clear pfe tcam-errors tcam-stage pre-ingress app fw-fbf list-related-apps
clear pfe tcam-errors tcam-stage pre-ingress app fw-fbf list-shared-apps
clear pfe tcam-errors tcam-stage pre-ingress app fw-fbf shared-usage
clear pfe tcam-errors tcam-stage pre-ingress app fw-fbf shared-usage detail
clear pfe tcam-errors tcam-stage pre-ingress app fw-fbf-inet6
<clear-pfe-tcam-errors-pre-ingress-app-fw-fbf-inet6>
clear pfe tcam-errors tcam-stage pre-ingress app fw-fbf-inet6 detail
clear pfe tcam-errors tcam-stage pre-ingress app fw-fbf-inet6 list-related-apps
clear pfe tcam-errors tcam-stage pre-ingress app fw-fbf-inet6 list-shared-apps
clear pfe tcam-errors tcam-stage pre-ingress app fw-fbf-inet6 shared-usage
clear pfe tcam-errors tcam-stage pre-ingress app fw-fbf-inet6 shared-usage
detail
clear pfe tcam-errors tcam-stage pre-ingress app fw-semantics
<clear-pfe-tcam-errors-pre-ingress-app-fw-semantics>
clear pfe tcam-errors tcam-stage pre-ingress app fw-semantics detail
clear pfe tcam-errors tcam-stage pre-ingress app fw-semantics list-related-apps
clear pfe tcam-errors tcam-stage pre-ingress app fw-semantics list-shared-apps
clear pfe tcam-errors tcam-stage pre-ingress app fw-semantics shared-usage
clear pfe tcam-errors tcam-stage pre-ingress app fw-semantics shared-usage
detail
clear pfe tcam-errors tcam-stage pre-ingress app ifd-src-mac-fil
<clear-pfe-tcam-errors-pre-ingress-app-ifd-src-mac-fil>
clear pfe tcam-errors tcam-stage pre-ingress app ifd-src-mac-fil detail
clear pfe tcam-errors tcam-stage pre-ingress app ifd-src-mac-fil
list-related-apps
clear pfe tcam-errors tcam-stage pre-ingress app ifd-src-mac-fil
list-shared-apps
clear pfe tcam-errors tcam-stage pre-ingress app ifd-src-mac-fil shared-usage
clear pfe tcam-errors tcam-stage pre-ingress app ifd-src-mac-fil shared-usage
detail
clear pfe tcam-errors tcam-stage pre-ingress app ing-out-iff
<clear-pfe-tcam-errors-pre-ingress-app-ing-out-iff>
clear pfe tcam-errors tcam-stage pre-ingress app ing-out-iff detail
clear pfe tcam-errors tcam-stage pre-ingress app ing-out-iff list-related-apps
clear pfe tcam-errors tcam-stage pre-ingress app ing-out-iff list-shared-apps
clear pfe tcam-errors tcam-stage pre-ingress app ing-out-iff shared-usage
clear pfe tcam-errors tcam-stage pre-ingress app ing-out-iff shared-usage
detail
clear pfe tcam-errors tcam-stage pre-ingress app ip-mac-val
<clear-pfe-tcam-errors-pre-ingress-app-ip-mac-val>
clear pfe tcam-errors tcam-stage pre-ingress app ip-mac-val detail
clear pfe tcam-errors tcam-stage pre-ingress app ip-mac-val list-related-apps
clear pfe tcam-errors tcam-stage pre-ingress app ip-mac-val list-shared-apps
Copyright © 2017, Juniper Networks, Inc.
185
User Access and Authentication Feature Guide for Routing Devices
clear pfe tcam-errors tcam-stage pre-ingress app ip-mac-val shared-usage
clear pfe tcam-errors tcam-stage pre-ingress app ip-mac-val shared-usage detail
clear pfe tcam-errors tcam-stage pre-ingress app ip-mac-val-bcast
<clear-pfe-tcam-errors-pre-ingress-app-ip-mac-val-bcast>
clear pfe tcam-errors tcam-stage pre-ingress app ip-mac-val-bcast detail
clear pfe tcam-errors tcam-stage pre-ingress app ip-mac-val-bcast
list-related-apps
clear pfe tcam-errors tcam-stage pre-ingress app ip-mac-val-bcast
list-shared-apps
clear pfe tcam-errors tcam-stage pre-ingress app ip-mac-val-bcast shared-usage
clear pfe tcam-errors tcam-stage pre-ingress app ip-mac-val-bcast shared-usage
detail
clear pfe tcam-errors tcam-stage pre-ingress app rfc2544-layer2-in
<clear-pfe-tcam-errors-pre-ingress-app-rfc2544-layer2-in>
clear pfe tcam-errors tcam-stage pre-ingress app rfc2544-layer2-in detail
clear pfe tcam-errors tcam-stage pre-ingress app rfc2544-layer2-in
list-related-apps
clear pfe tcam-errors tcam-stage pre-ingress app rfc2544-layer2-in
list-shared-apps
clear pfe tcam-errors tcam-stage pre-ingress app rfc2544-layer2-in shared-usage
clear pfe tcam-errors tcam-stage pre-ingress app rfc2544-layer2-in shared-usage
detail
clear pfe tcam-errors tcam-stage pre-ingress app vpls-mesh-group-mcast
<get-upper-level-xml-name-vpls-mesh-group-mcast>
clear pfe tcam-errors tcam-stage pre-ingress app vpls-mesh-group-mcast detail
clear pfe tcam-errors tcam-stage pre-ingress app vpls-mesh-group-mcast
list-related-apps
clear pfe tcam-errors tcam-stage pre-ingress app vpls-mesh-group-mcast
list-shared-apps
clear pfe tcam-errors tcam-stage pre-ingress app vpls-mesh-group-mcast
shared-usage
clear pfe tcam-errors tcam-stage pre-ingress app vpls-mesh-group-mcast
shared-usage detail
clear pfe tcam-errors tcam-stage pre-ingress app vpls-mesh-group-ucast
<get-upper-level-xml-name-vpls-mesh-group-ucast>
clear pfe tcam-errors tcam-stage pre-ingress app vpls-mesh-group-ucast detail
clear pfe tcam-errors tcam-stage pre-ingress app vpls-mesh-group-ucast
list-related-apps
clear pfe tcam-errors tcam-stage pre-ingress app vpls-mesh-group-ucast
list-shared-apps
clear pfe tcam-errors tcam-stage pre-ingress app vpls-mesh-group-ucast
shared-usage
clear pfe tcam-errors tcam-stage pre-ingress app vpls-mesh-group-ucast
shared-usage detail
clear passive-monitoring
<clear-passive-monitoring>
clear passive-monitoring statistics
<clear-passive-monitoring-statistics>
clear pgm
clear pgm negative-acknowledgments
<clear-pgm-negative-acknowledgments>
clear pgm source-path-messages
<clear-pgm-source-path-messages>
clear pgm statistics
<clear-pgm-statistics>
clear pim
clear pim join
<clear-pim-join-state>
clear pim join-distribution
<clear-pim-join-distribution>
clear pim register
186
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
<clear-pim-register-state>
clear pim snooping
clear pim snooping join
clear pim snooping statistics
clear pim statistics
<clear-pim-statistics>
clear poe
clear poe telemetries
clear poe telemetries interface
<clear-poe-telemetries-information>
clear ppp
clear ppp statistics
<clear-ppp-statistics-information>
clear pppoe
clear pppoe lockout
<clear-pppoe-lockout-timers>
clear pppoe lockout atm-identifier
<clear-pppoe-lockout-timers-atm>
clear pppoe lockout vlan-identifier
clear pppoe sessions
<clear-pppoe-sessions-information>
clear-pppoe-lockout-timers-vlan
clear pppoe statistics
<clear-pppoe-statistics-information>
clear pppoe statistics interfaces
<clear-pppoe-statistics-interface-information>
clear protection-group
<clear protection-group>
clear protection-group ethernet-ring
<clear-ethernet-ring-information>
clear protection-group ethernet-ring statistics
<clear-ethernet-ring-information>
clear r2cp
clear r2cp radio
<clear-r2cp-radio>
clear r2cp session
<clear-r2cp-session>
clear r2cp statistics
<clear-r2cp-statistics>
clear r2cp statistics radio
clear r2cp statistics session
clear rip
clear rip general-statistics
<clear-rip-general-statistics>
clear rip statistics
<clear-rip-statistics>
clear rip statistics peer
<clear-rip-peer-statistics>
clear ripng
clear ripng general-statistics
<clear-ripng-general-statistic>
clear ripng statistics
<clear-ripng-statistics>
clear rsvp
clear rsvp session
<clear-rsvp-session-information>
clear rsvp statistics
< clear-rsvp-counters-information>
clear security group-vpn
clear security group-vpn member
clear security group-vpn member group
Copyright © 2017, Juniper Networks, Inc.
187
User Access and Authentication Feature Guide for Routing Devices
<clear-gvpn-group-information>
clear security group-vpn member ike
clear security group-vpn member ike security-associations
<clear-group-vpn-ike-security-associations>
clear security group-vpn member ipsec
clear security group-vpn member ipsec security-associations
<clear-gvpn-ipsec-security-association>
clear security group-vpn member ipsec security-associations statistics
<clear-gvpn-ipsec-security-association-statistics>
clear security group-vpn member ipsec statistics
<clear-gvpn-ipsec-statistics>
clear services
clear services accounting flow inline-jflow
<clear-services-accounting-inline-jflow-flows>
clear services alg
clear services alg statistics
<clear-services-alg-statistics>
clear services application-aware-access-list
clear services application-aware-access-list statistics
<clear-application-aware-access-list-statistics-interface>
clear services application-aware-access-list statistics interface
<clear-application-aware-access-list-statistics-interface>
clear services application-aware-access-list statistics subscriber
<clear-application-aware-access-list-statistics-subscriber>
clear services application-identification
clear services application-identification application-system-cache
<clear-appid-application-system-cache>
clear services application-identification counter
<clear-appid-counter>
clear services application-identification counter ssl-encrypted-sessions
<clear-appid-counter-encrypted>
clear services application-identification statistics
<clear-appid-application-statistics>
clear services application-identification statistics cumulative
<clear-appid-application-statistics-cumulative>
clear services application-identification statistics interval
<clear-appid-application-statistics-interval>
clear services border-signaling-gateway
clear services border-signaling-gateway denied-messages
<clear-service-bsg-denied-messages>
clear services border-signaling-gateway name-resolution-cache
clear services border-signaling-gateway name-resolution-cache all
<clear-service-border-signaling-gateway-name-resolution-cache-all>
clear services border-signaling-gateway name-resolution-cache by-fqdn
<clear-border-signaling-gateway-name-resolution-cache-by-fqdn>
clear services border-signaling-gateway statistics
<clear-service-border-signaling-gateway-statistics>
clear services captive-portal-content-delivery
clear services captive-portal-content-delivery statistics
clear services captive-portal-content-delivery statistics interface
<clear-cpcdd-interface-statistics>
clear services cos
clear services cos statistics
<clear-services-cos-statistics>
clear services crtp
clear services crtp statistics
<clear-services-crtp-statistics>
clear services dynamic-flow-capture
clear services dynamic-flow-capture criteria
<clear-services-dynamic-flow-capture-criteria>
clear services dynamic-flow-capture sequence-number
188
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
clear services flow-collector
<clear-services-flow-collector-information>
clear services flow-collector statistics
<clear-services-flow-collector-statistics>
clear-service-msp-flow-ipaction-table
clear services ha
clear services ha statistics
<clear-service-ha-statistics-information>
clear services hcm
clear services hcm pic-statistics
<clear-services-hcm-pic-statistics>
clear services hcm statistics
<clear-services-hcm-statistics>
clear services ids
<clear-services-ids-tables>
clear services ids destination-table
<clear-services-ids-destination-table>
clear services ids pair-table
<clear-services-ids-pair-table>
clear services ids source-table
<clear-services-ids-source-table>
clear services inline
clear services inline nat
clear services inline nat pool
<clear-inline-nat-pool-information>
clear services inline nat statistics
<clear-inline-nat-statistics>
clear services inline softwire
clear services inline softwire statistics
<clear-inline-softwire-statistics>
clear services ipsec-vpn
clear services ipsec-vpn ipsec
clear services ipsec-vpn ipsec security-associations
<clear-services-ipsec-vpn-security-associations>
clear services ipsec-vpn ike
clear services ipsec-vpn ike security-associations
<clear-services-ike-security-associations>
clear services ipsec-vpn ike statistics
<clear-services-ike-statistics>
clear services pcp
clear services pcp epoch
clear services pcp statistics
clear services ipsec-vpn ipsec statistics
<clear-ipsec-vpn-statistics>
clear services l2tp
<clear-l2tp-destinations-information>
clear services l2tp disconnect-cause-summary
<clear-l2tp-disconnect-cause-summary>
clear services l2tp multilink
<clear-l2tp-multilink-information>
clear services l2tp session
<clear-l2tp-session-information>
clear services l2tp destination
<clear-l2tp-destinations-information>
clear services l2tp disconnect-cause-summary
<clear-l2tp-disconnect-cause-summary>
clear services l2tp tunnel
<clear-l2tp-tunnel-information>
clear services l2tp user
<clear-l2tp-user-session-information>
clear services local-policy-decision-function
Copyright © 2017, Juniper Networks, Inc.
189
User Access and Authentication Feature Guide for Routing Devices
clear services local-policy-decision-function statistics
clear services local-policy-decision-function statistics interface
<clear-local-policy-decision-function-statistics-interface>
clear services local-policy-decision-function statistics subscriber
<clear-local-policy-decision-function-statistics-subscriber>
clear services server-load-balance
clear services server-load-balance external-manager-statistics
<clear-external-manager-statistics
clear services server-load-balance hash-table
<clear-hash-table-information>
clear services server-load-balance health-monitor-statistics>
<clear-health-monitor-statistics>
clear services server-load-balance real-server-group-statistics
<clear-real-server-group-statistics>
clear services server-load-balance real-server-statistics
<clear-real-server-statistics>
clear services server-load-balance sticky
<clear-sticky-table>
clear services server-load-balance virtual-server-statistics>
<clear-virtual-server-statistics>
clear services service-sets statistics integrity-drops
clear services service-sets statistics syslog
<clear-service-set-syslog-statistics>
clear services service-sets statistics tcp
<clear-service-tcp-tracker-statistics>
clear services stateful-firewall flow-analysis
<clear-service-flow-analysis>
clear services stateful-firewall flows
<clear-service-sfw-flow-table-information>
clear services stateful-firewall sip-call
<clear-service-sfw-sip-call-information>
clear services stateful-firewall sip-register
<clear-service-sfw-sip-register-information>
clear services stateful-firewall statistics
<clear-stateful-firewall-statistics>
clear services stateful-firewall subscriber-analysis
<clear-service-subs-analysis>
clear services subscriber
clear services subscriber sessions
<get-services-subscriber-sessions>
clear services video-monitoring
<clear-service-video-monitoring-information>
clear services video-monitoring mdi
<clear-service-video-monitoring-mdi-information>
clear services video-monitoring mdi alarm
<clear-service-video-monitoring-mdi-alarm-information>
clear services video-monitoring mdi alarm errors
<clear-services-video-monitoring-mdi-alarm-errors>
clear services video-monitoring mdi alarm stats
<clear-services-video-monitoring-mdi-alarm-statistics>
clear services video-monitoring mdi errors
<clear-service-video-monitoring-mdi-errors>
clear services video-monitoring mdi statistics
<clear-service-video-monitoring-mdi-statistics>
clear services sessions analysis
<clear-service-msp-session-analysis-information>
clear services softwire
clear services softwire statistics
<clear-services-softwire-statistics>
clear services stateful-firewall
clear services stateful-firewall flow-analysis
190
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
<clear-service-flow-analysis>
clear services stateful-firewall flows
<clear-service-sfw-flow-table-information>
clear services pgcp
clear services pgcp gates
<clear-service-pgcp-gates>
clear services pgcp gates gateway
<clear-service-pgcp-gates-gateway>
clear services pgcp statistics
<clear-service-pgcp-statistics>
clear services pgcp statistics gateway
<clear-service-pgcp-statistics-gateway>
<clear-rfc2544-information>
<clear-aborted-tests-information>
<clear-active-tests-information>
<clear-completed-tests-information>
clear sflow
clear sflow collector
clear sflow collector statistics
<clear-sflow-collector-statistics>
clear shmlog
clear shmlog all-info
<clear-shmlog-all-information>
clear shmlog entries
<clear-shmlog-entries>
clear shmlog statistics
<clear-shmlog-statistics>
clear snmp
clear snmp history
<clear-snmp-history>
<clear-health-monitor-routing-engine-history>.
clear snmp statistics
<clear-snmp-statistics>
clear spanning-tree
clear spanning-tree protocol-migration
clear spanning-tree protocol-migration interface
<clear-interface-stp-protocol-migration>
clear spanning-tree statistics
<clear-stp-interface-statistics>
clear spanning-tree statistics bridge
clear spanning-tree statistics interface
clear spanning-tree statistics routing-instance
<clear-stp-routing-instance-statistics>
clear spanning-tree stp-buffer
clear spanning-tree topology-change-counter
<clear-stp-topology-change-counter>
clear synchronous-ethernet
clear synchronous-ethernet esmc
clear synchronous-ethernet esmc statistics
clear system
clear system boot-media
<clear-boot-media>
clear system login
clear system login lockout
< clear-system-login-lockout>
clear-twamp-information
clear-twamp-server-information
clear-twamp-server-connection-information
clear unified-edge
clear unified-edge ggsn-pgw
clear unified-edge ggsn-pgw aaa
Copyright © 2017, Juniper Networks, Inc.
191
User Access and Authentication Feature Guide for Routing Devices
clear unified-edge ggsn-pgw aaa radius
clear unified-edge ggsn-pgw aaa radius statistics
<clear-mobile-gateway-aaa-radius-statistics>
clear unified-edge ggsn-pgw aaa statistics
<clear-mobile-gateway-aaa-statistics>
clear unified-edge ggsn-pgw address-assignment
clear unified-edge ggsn-pgw address-assignment pool
<clear-mobile-gateway-sm-ippool-pool-sessions>
clear unified-edge ggsn-pgw address-assignment statistics
<clear-mobile-gateway-sm-ippool-statistics>
clear unified-edge ggsn-pgw call-admission-control
clear unified-edge ggsn-pgw call-admission-control statistics
<clear-mobile-gateway-cac-statistics>
clear unified-edge ggsn-pgw charging
clear unified-edge ggsn-pgw charging cdr
<clear-mobile-gateway-charging-clear-cdr>
clear unified-edge ggsn-pgw charging cdr wfa
<clear-mobile-gateway-charging-clear-cdr-wfa>
clear unified-edge ggsn-pgw charging local-persistent-storage
clear unified-edge ggsn-pgw charging local-persistent-storage statistics
<clear-mobile-gateway-charging-clear-lps-stats>
clear unified-edge ggsn-pgw charging path
clear unified-edge ggsn-pgw charging path statistics
<clear-mobile-gateway-charging-clear-path-stats>
clear unified-edge ggsn-pgw charging transfer
clear unified-edge ggsn-pgw charging transfer statistics
<clear-mobile-gateway-charging-clear-xfer-stats>
clear unified-edge ggsn-pgw diameter
clear unified-edge ggsn-pgw diameter dcca-gy
clear unified-edge ggsn-pgw diameter dcca-gy statistics
<clear-mobile-gateway-aaa-diam-stats-gy>
clear unified-edge ggsn-pgw diameter network-element
clear unified-edge ggsn-pgw diameter network-element statistics
<clear-mobile-gateway-aaa-diam-ne-statistics>
clear unified-edge ggsn-pgw diameter pcc-gx
clear unified-edge ggsn-pgw diameter pcc-gx statistics
<clear-mobile-gateway-aaa-diam-stats-gx>
clear unified-edge ggsn-pgw diameter peer
clear unified-edge ggsn-pgw diameter peer statistics
<clear-mobile-gateway-aaa-diam-peer-statistics>
clear unified-edge ggsn-pgw gtp
clear unified-edge ggsn-pgw gtp peer
clear unified-edge ggsn-pgw gtp peer statistics
<clear-mobile-gateway-gtp-peer-statistics>
clear unified-edge ggsn-pgw gtp statistics
<clear-mobile-gateway-gtp-statistics>
clear unified-edge ggsn-pgw ip-reassembly
clear unified-edge ggsn-pgw ip-reassembly statistics
<clear-mobile-gateways-ip-reassembly-statistics>
clear unified-edge ggsn-pgw statistics
<clear-mobile-gateway-statistics>
clear unified-edge ggsn-pgw subscribers
<clear-mobile-gateway-subscribers>
clear unified-edge ggsn-pgw subscribers bearer
clear unified-edge ggsn-pgw subscribers charging
<clear-mobile-gateway-subscribers-charging>
clear unified-edge ggsn-pgw subscribers peer
<clear-mobile-gateway-subscribers-peer>
clear unified-edge sgw
clear unified-edge sgw call-admission-control
clear unified-edge sgw call-admission-control statistics
192
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
<clear-mobile-sgw-cac-statistics>
clear unified-edge sgw charging
clear unified-edge sgw charging cdr
<clear-mobile-gateway-sgw-charging-clear-cdr>
clear unified-edge sgw charging cdr wfa
<clear-mobile-gateway-sgw-charging-clear-cdr-wfa>
clear unified-edge sgw charging local-persistent-storage
clear unified-edge sgw charging local-persistent-storage statistics
<clear-mobile-gateway-sgw-charging-clear-lps-stats>
clear unified-edge sgw charging path
clear unified-edge sgw charging path statistics
<clear-mobile-gateway-sgw-charging-clear-path-stats>
clear unified-edge sgw charging transfer
clear unified-edge sgw charging transfer statistics
<clear-mobile-gateway-sgw-charging-clear-xfer-stats>
clear unified-edge sgw gtp
clear unified-edge sgw gtp peer
clear unified-edge sgw gtp peer statistics
<clear-mobile-sgw-gtp-peer-statistics>
clear unified-edge sgw gtp statistics
<clear-mobile-sgw-gtp-statistics>
clear unified-edge sgw idle-mode-buffering
clear unified-edge sgw idle-mode-buffering statistics
<clear-mobile-gw-sgw-idle-mode-buffering-statistics>
clear unified-edge sgw ip-reassembly
clear unified-edge sgw ip-reassembly statistics
<clear-mobile-gateways-sgw-ip-reassembly-statistics-sgw>
clear unified-edge sgw statistics
<clear-mobile-sgw-statistics>
clear unified-edge sgw subscribers
<clear-mobile-sgw-subscribers>
clear unified-edge sgw subscribers charging
<clear-mobile-sgw-subscribers-charging>
clear unified-edge sgw subscribers peer
<clear-mobile-sgw-subscribers-peer>
clear validation
clear validation database
<clear-validation-database>
clear validation session
<clear-validation-session>
clear validation statistics
<clear-validation-statistics>
clear virtual-chassis
clear virtual-chassis heartbeat
<clear-virtual-chassis-heartbeat-statistics>
<clear virtual-chassis protocol>
clear virtual-chassis protocol statistics
<clear-virtual-chassis-statistics>
<clear-virtual-chassis-port-statistics>
clear vpls
clear vpls mac-address
<clear-vpls-mac-address>
clear vpls mac-table
<clear-vpls-mac-table>
clear vpls mac-table interface
<clear-vpls-interface-mac-table>
request interface rebalance
request pppoe
request pppoe connect
request pppoe disconnect
request security ike debug-disable
Copyright © 2017, Juniper Networks, Inc.
193
User Access and Authentication Feature Guide for Routing Devices
<get-disable-ike-debug>
request security ike debug-enable
<get-enable-ike-debug>
request services rpm twamp start
request services rpm twamp start client
<twamp-test-start>
request services rpm twamp stop
request services rpm twamp stop client
<twamp-test-stop>
request snmp
<request-snmp-utility-mib-clear>
<request-snmp-utility-mib-set>
clear vpls statistics
<clear-vpls-statistics>
clear vrrp
<clear-vrrp-information>
clear vrrp interface
<clear-vrrp-interface-statistics>
request mpls
request mpls lsp
request mpls lsp adjust-autobandwidth
<request-mpls-lsp-autobandwidth-adjust>
clear services inline stateful-firewall
clear services inline stateful-firewall flows
<clear-service-inline-sfw-flow-table-information>
clear services inline stateful-firewall statistics
<clear-inline-stateful-firewall-statistics>
clear services service-sets statistics drop-flow-limit>
<clear-service-set-drop-flow-statistics>
clear services service-sets statistics jflow-log
<clear-service-set-jflow-log-statistics>
request services ipsec-vpn ipsec
request services ipsec-vpn ipsec switch
request services ipsec-vpn ipsec switch tunnel
request unified-edge
request unified-edge ggsn-pgw
request unified-edge ggsn-pgw call-trace
<monitor-mobile-gateways-call-trace-start>
request unified-edge ggsn-pgw call-trace clear
<get-mobile-gateways-call-trace-clear>
request unified-edge ggsn-pgw call-trace show
<get-mobile-gateways-call-trace-information>
request unified-edge ggsn-pgw call-trace start
<get-mobile-gateways-call-trace-start-information>
request unified-edge ggsn-pgw call-trace stop
<get-mobile-gateways-call-trace-stop-information>
request unified-edge sgw
request unified-edge sgw call-trace
request unified-edge sgw call-trace clear
<get-mobile-gateways-sgw-call-trace-clear>
request unified-edge sgw call-trace show
<get-mobile-gateways-sgw-call-trace-information>
request unified-edge sgw call-trace start
<get-mobile-gateways-sgw-call-trace-start-information>
request unified-edge sgw call-trace stop
<get-mobile-gateways-sgw-call-trace-stop-information>
194
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
Configuration
Hierarchy Levels
Related
Documentation
No asscociated CLI configuration hierarchy levels and statements.
•
Access Privilege User Permission Flags Overview on page 114
•
Understanding Junos OS Access Privilege Levels on page 26
•
Example: Configuring User Permissions with Access Privilege Levels on page 65
•
Example: Configuring User Permissions with Access Privileges for Operational Mode
Commands on page 76
•
Example: Configuring User Permissions with Access Privileges for Configuration
Statements and Hierarchies on page 87
configure
Can enter configuration mode.
Commands
configure
request snmp
request-snmp-utility-mib-clear
request-snmp-utility-mib-set
Configuration
Hierarchy Levels
Related
Documentation
No associated CLI configuration hierarchy levels and statements.
•
Access Privilege User Permission Flags Overview on page 114
•
Understanding Junos OS Access Privilege Levels on page 26
•
Example: Configuring User Permissions with Access Privilege Levels on page 65
•
Example: Configuring User Permissions with Access Privileges for Operational Mode
Commands on page 76
•
Example: Configuring User Permissions with Access Privileges for Configuration
Statements and Hierarchies on page 87
control
Can perform all control-level operations; can modify any configuration.
Commands
request
request
request
request
request
Copyright © 2017, Juniper Networks, Inc.
jnu
jnu
jnu
jnu
jnu
role
schema
schema add
schema delete
195
User Access and Authentication Feature Guide for Routing Devices
Configuration
Hierarchy Levels
Related
Documentation
No associated CLI configuration hierarchy levels and statements.
•
Access Privilege User Permission Flags Overview on page 114
•
Understanding Junos OS Access Privilege Levels on page 26
•
Example: Configuring User Permissions with Access Privilege Levels on page 65
•
Example: Configuring User Permissions with Access Privileges for Operational Mode
Commands on page 76
•
Example: Configuring User Permissions with Access Privileges for Configuration
Statements and Hierarchies on page 87
field
Can view field debug commands.
Commands
Configuration
Hierarchy Levels
Related
Documentation
No associated CLI commands.
No associated CLI configuration hierarchy levels and statements.
•
Access Privilege User Permission Flags Overview on page 114
•
Understanding Junos OS Access Privilege Levels on page 26
•
Example: Configuring User Permissions with Access Privilege Levels on page 65
•
Example: Configuring User Permissions with Access Privileges for Operational Mode
Commands on page 76
•
Example: Configuring User Permissions with Access Privileges for Configuration
Statements and Hierarchies on page 87
firewall
Can view the firewall filter configuration in configuration mode.
Commands
196
clear unified-edge
clear unified-edge ggsn-pgw
clear unified-edge ggsn-pgw aaa
clear unified-edge ggsn-pgw aaa radius
clear unified-edge ggsn-pgw aaa radius statistics
<clear-mobile-gateway-aaa-radius-statistics>
clear unified-edge ggsn-pgw aaa statistics
<clear-mobile-gateway-aaa-statistics>
clear unified-edge ggsn-pgw address-assignment
clear unified-edge ggsn-pgw address-assignment pool
<clear-mobile-gateway-sm-ippool-pool-sessions>
clear unified-edge ggsn-pgw address-assignment statistics
<clear-mobile-gateway-sm-ippool-statistics>
clear unified-edge ggsn-pgw call-admission-control
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
clear unified-edge ggsn-pgw call-admission-control statistics
<clear-mobile-gateway-cac-statistics>
clear unified-edge ggsn-pgw charging
clear unified-edge ggsn-pgw charging cdr
<clear-mobile-gateway-charging-clear-cdr>
clear unified-edge ggsn-pgw charging cdr wfa
<clear-mobile-gateway-charging-clear-cdr-wfa>
clear unified-edge ggsn-pgw charging local-persistent-storage
clear unified-edge ggsn-pgw charging local-persistent-storage statistics
<clear-mobile-gateway-charging-clear-lps-stats>
clear unified-edge ggsn-pgw charging path
clear unified-edge ggsn-pgw charging path statistics
<clear-mobile-gateway-charging-clear-path-stats>
clear unified-edge ggsn-pgw charging transfer
clear unified-edge ggsn-pgw charging transfer statistics
<clear-mobile-gateway-charging-clear-xfer-stats>
clear unified-edge ggsn-pgw diameter
clear unified-edge ggsn-pgw diameter dcca-gy
clear unified-edge ggsn-pgw diameter dcca-gy statistics
<clear-mobile-gateway-aaa-diam-stats-gy>
clear unified-edge ggsn-pgw diameter network-element
clear unified-edge ggsn-pgw diameter network-element statistics
<clear-mobile-gateway-aaa-diam-ne-statistics>
clear unified-edge ggsn-pgw diameter pcc-gx
clear unified-edge ggsn-pgw diameter pcc-gx statistics
<clear-mobile-gateway-aaa-diam-stats-gx>
clear unified-edge ggsn-pgw diameter peer
clear unified-edge ggsn-pgw diameter peer statistics
<clear-mobile-gateway-aaa-diam-peer-statistics>
clear unified-edge ggsn-pgw gtp
clear unified-edge ggsn-pgw gtp peer
clear unified-edge ggsn-pgw gtp peer statistics
<clear-mobile-gateway-gtp-peer-statistics>
clear unified-edge ggsn-pgw gtp statistics
<clear-mobile-gateway-gtp-statistics>
clear unified-edge ggsn-pgw ip-reassembly
clear unified-edge ggsn-pgw ip-reassembly statistics
<clear-mobile-gateways-ip-reassembly-statistics>
clear unified-edge ggsn-pgw statistics
<clear-mobile-gateway-statistics>
clear unified-edge ggsn-pgw subscribers
<clear-mobile-gateway-subscribers>
clear unified-edge ggsn-pgw subscribers bearer
clear unified-edge ggsn-pgw subscribers charging
<clear-mobile-gateway-subscribers-charging>
clear unified-edge ggsn-pgw subscribers peer
<clear-mobile-gateway-subscribers-peer>
clear unified-edge sgw
clear unified-edge sgw call-admission-control
clear unified-edge sgw call-admission-control statistics
<clear-mobile-sgw-cac-statistics>
clear unified-edge sgw charging
clear unified-edge sgw charging cdr
<clear-mobile-gateway-sgw-charging-clear-cdr>
clear unified-edge sgw charging cdr wfa
<clear-mobile-gateway-sgw-charging-clear-cdr-wfa>
clear unified-edge sgw charging local-persistent-storage
clear unified-edge sgw charging local-persistent-storage statistics
<clear-mobile-gateway-sgw-charging-clear-lps-stats>
clear unified-edge sgw charging path
clear unified-edge sgw charging path statistics
Copyright © 2017, Juniper Networks, Inc.
197
User Access and Authentication Feature Guide for Routing Devices
<clear-mobile-gateway-sgw-charging-clear-path-stats>
clear unified-edge sgw charging transfer
clear unified-edge sgw charging transfer statistics
<clear-mobile-gateway-sgw-charging-clear-xfer-stats>
clear unified-edge sgw gtp
clear unified-edge sgw gtp peer
clear unified-edge sgw gtp peer statistics
<clear-mobile-sgw-gtp-peer-statistics>
clear unified-edge sgw gtp statistics
<clear-mobile-sgw-gtp-statistics>
clear unified-edge sgw idle-mode-buffering
clear unified-edge sgw idle-mode-buffering statistics
<clear-mobile-gw-sgw-idle-mode-buffering-statistics>
clear unified-edge sgw ip-reassembly
clear unified-edge sgw ip-reassembly statistics
<clear-mobile-gateways-sgw-ip-reassembly-statistics-sgw>
clear unified-edge sgw statistics
<clear-mobile-sgw-statistics>
clear unified-edge sgw subscribers
<clear-mobile-sgw-subscribers>
clear unified-edge sgw subscribers charging
<clear-mobile-sgw-subscribers-charging>
clear unified-edge sgw subscribers peer
<clear-mobile-sgw-subscribers-peer>
clear unified-edge tdf
clear unified-edge tdf aaa
clear unified-edge tdf aaa radius
clear unified-edge tdf aaa radius client
clear unified-edge tdf aaa radius client statistics
<clear-radius-client-statistics>
clear unified-edge tdf aaa radius network-element
clear unified-edge tdf aaa radius network-element statistics
<clear-radius-network-element-statistics>
clear unified-edge tdf aaa radius server
clear unified-edge tdf aaa radius server statistics
<clear-radius-server-statistics>
clear unified-edge tdf aaa radius snoop-segment
clear unified-edge tdf aaa radius snoop-segment statistics
<clear-radius-snoop-segment-statistics>
clear unified-edge tdf aaa statistics
<clear-tdf-gateway-aaa-statistics>
clear unified-edge tdf address-assignment
clear unified-edge tdf address-assignment pool
<clear-mobile-gateway-tdf-sm-ippool-pool-sessions>
clear unified-edge tdf address-assignment statistics
<clear-mobile-gateway-tdf-sm-ippool-statistics>
clear unified-edge tdf call-admission-control
clear unified-edge tdf call-admission-control statistics
<clear-tdf-cac-statistics>
clear unified-edge tdf diameter
clear unified-edge tdf diameter network-element
clear unified-edge tdf diameter network-element statistics
<clear-diameter-network-element-statistics>
clear unified-edge tdf diameter pcc-gx
clear unified-edge tdf diameter pcc-gx statistics
<clear-diameter-statistics-gx>
clear unified-edge tdf diameter peer
clear unified-edge tdf diameter peer statistics
<clear-diameter-peer-statistics>
clear unified-edge tdf statistics
<clear-tdf-statistics>
198
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
clear unified-edge tdf subscribers
<clear-mobile-tdf-subscribers>
clear unified-edge tdf subscribers peer
<clear-mobile-gateway-tdf-subscribers-peer>
request unified-edge
request unified-edge ggsn-pgw
request unified-edge ggsn-pgw call-trace
<monitor-mobile-gateways-call-trace-start>
request unified-edge ggsn-pgw call-trace clear
<get-mobile-gateways-call-trace-clear>
request unified-edge ggsn-pgw call-trace show
<get-mobile-gateways-call-trace-information>
request unified-edge ggsn-pgw call-trace start
<get-mobile-gateways-call-trace-start-information>
request unified-edge ggsn-pgw call-trace stop
<get-mobile-gateways-call-trace-stop-information>
request unified-edge sgw
request unified-edge sgw call-trace
request unified-edge sgw call-trace clear
<get-mobile-gateways-sgw-call-trace-clear>
request unified-edge sgw call-trace show
<get-mobile-gateways-sgw-call-trace-information>
request unified-edge sgw call-trace start
<get-mobile-gateways-sgw-call-trace-start-information>
request unified-edge sgw call-trace stop
<get-mobile-gateways-sgw-call-trace-stop-information>
request unified-edge tdf
request unified-edge tdf call-trace
request unified-edge tdf call-trace clear
<get-mobile-gateways-tdf-call-trace-clear>
request unified-edge tdf call-trace show
<get-mobile-gateways-tdf-call-trace-information>
request unified-edge tdf call-trace start
<get-mobile-gateways-tdf-call-trace-start-information>
request unified-edge tdf call-trace stop
<get-mobile-gateways-tdf-call-trace-stop-information>
show firewall
<get-firewall-information>
show firewall counter
<get-firewall-counter-information>
show firewall filter
<get-firewall-filter-information>
show firewall filter version
<get-filter-version>
show firewall log
<get-firewall-log-information>
show firewall prefix-action-stats
<get-firewall-prefix-action-information>
show policer
<get-policer-information>
Configuration
Hierarchy Levels
[edit
[edit
[edit
[edit
Copyright © 2017, Juniper Networks, Inc.
chassis satellite-management]
firewall]
dynamic-profiles firewall]
firewall]
199
User Access and Authentication Feature Guide for Routing Devices
[edit logical-systems firewall]
[edit unified-edge]
Related
Documentation
•
Access Privilege User Permission Flags Overview on page 114
•
Understanding Junos OS Access Privilege Levels on page 26
•
Example: Configuring User Permissions with Access Privilege Levels on page 65
•
Example: Configuring User Permissions with Access Privileges for Operational Mode
Commands on page 76
•
Example: Configuring User Permissions with Access Privileges for Configuration
Statements and Hierarchies on page 87
•
firewall-control on page 200
firewall-control
Can view and configure firewall filter information at the [edit dynamic-profiles firewall],
[edit firewall], and [edit logical-systems firewall] hierarchy levels.
Commands
show firewall
<get-firewall-information>
show firewall counter
<get-firewall-counter-information>
show firewall filter
<get-firewall-filter-information>
show firewall filter version
<get-filter-version>
show firewall log
<get-firewall-log-information>
show firewall prefix-action-stats
<get-firewall-prefix-action-information>
show policer
Configuration
Hierarchy Levels
Related
Documentation
200
[edit dynamic-profiles firewall]
[edit firewall]
[edit logical-systems firewall]
•
Access Privilege User Permission Flags Overview on page 114
•
Understanding Junos OS Access Privilege Levels on page 26
•
Example: Configuring User Permissions with Access Privilege Levels on page 65
•
Example: Configuring User Permissions with Access Privileges for Operational Mode
Commands on page 76
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
•
Example: Configuring User Permissions with Access Privileges for Configuration
Statements and Hierarchies on page 87
•
firewall on page 196
floppy
Can read from and write to the removable media.
Commands
Configuration
Hierarchy Levels
Related
Documentation
No associated CLI commands.
No associated CLI configuration hierarchy levels and statements.
•
Access Privilege User Permission Flags Overview on page 114
•
Understanding Junos OS Access Privilege Levels on page 26
•
Example: Configuring User Permissions with Access Privilege Levels on page 65
•
Example: Configuring User Permissions with Access Privileges for Operational Mode
Commands on page 76
•
Example: Configuring User Permissions with Access Privileges for Configuration
Statements and Hierarchies on page 87
flow-tap
Can view the flow-tap configuration in configuration mode.
Commands
clear unified-edge
clear unified-edge ggsn-pgw
clear unified-edge ggsn-pgw aaa
clear unified-edge ggsn-pgw aaa radius
clear unified-edge ggsn-pgw aaa radius statistics
<clear-mobile-gateway-aaa-radius-statistics>
clear unified-edge ggsn-pgw aaa statistics
<clear-mobile-gateway-aaa-statistics>
clear unified-edge ggsn-pgw address-assignment
clear unified-edge ggsn-pgw address-assignment pool
<clear-mobile-gateway-sm-ippool-pool-sessions>
clear unified-edge ggsn-pgw address-assignment statistics
<clear-mobile-gateway-sm-ippool-statistics>
clear unified-edge ggsn-pgw call-admission-control
clear unified-edge ggsn-pgw call-admission-control statistics
<clear-mobile-gateway-cac-statistics>
clear unified-edge ggsn-pgw charging
clear unified-edge ggsn-pgw charging cdr
<clear-mobile-gateway-charging-clear-cdr-wfa>
clear unified-edge ggsn-pgw charging local-persistent-storage
clear unified-edge ggsn-pgw charging local-persistent-storage statistics
<clear-mobile-gateway-charging-clear-lps-stats>
clear unified-edge ggsn-pgw charging path
clear unified-edge ggsn-pgw charging path statistics
Copyright © 2017, Juniper Networks, Inc.
201
User Access and Authentication Feature Guide for Routing Devices
<clear-mobile-gateway-charging-clear-path-stats>
clear unified-edge ggsn-pgw charging transfer
clear unified-edge ggsn-pgw charging transfer statistics
<clear-mobile-gateway-charging-clear-xfer-stats>
clear unified-edge ggsn-pgw diameter
clear unified-edge ggsn-pgw diameter dcca-gy
clear unified-edge ggsn-pgw diameter dcca-gy statistics
<clear-mobile-gateway-aaa-diam-stats-gy>
clear unified-edge ggsn-pgw diameter network-element
clear unified-edge ggsn-pgw diameter network-element statistics
<clear-mobile-gateway-aaa-diam-ne-statistics>
clear unified-edge ggsn-pgw diameter pcc-gx
clear unified-edge ggsn-pgw diameter pcc-gx statistics
<clear-mobile-gateway-aaa-diam-stats-gx>
clear unified-edge ggsn-pgw diameter peer
clear unified-edge ggsn-pgw diameter peer statistics
<clear-mobile-gateway-aaa-diam-peer-statistics>
clear unified-edge ggsn-pgw gtp
clear unified-edge ggsn-pgw gtp peer
clear unified-edge ggsn-pgw gtp peer statistics
<clear-mobile-gateway-gtp-peer-statistics>
clear unified-edge ggsn-pgw gtp statistics
<clear-mobile-gateway-gtp-statistics>
clear unified-edge ggsn-pgw ip-reassembly
clear unified-edge ggsn-pgw ip-reassembly statistics
<clear-mobile-gateways-ip-reassembly-statistics>
clear unified-edge ggsn-pgw statistics
<clear-mobile-gateway-statistics>
clear unified-edge ggsn-pgw subscribers
<clear-mobile-gateway-subscribers>
clear unified-edge ggsn-pgw subscribers bearer
clear unified-edge ggsn-pgw subscribers charging
<clear-mobile-gateway-subscribers-charging>
clear unified-edge ggsn-pgw subscribers peer
<clear-mobile-gateway-subscribers-peer>
clear unified-edge sgw
clear unified-edge sgw call-admission-control
clear unified-edge sgw call-admission-control statistics
<clear-mobile-sgw-cac-statistics>
clear unified-edge sgw charging
clear unified-edge sgw charging cdr
<clear-mobile-gateway-sgw-charging-clear-cdr>
clear unified-edge sgw charging cdr wfa
<clear-mobile-gateway-sgw-charging-clear-cdr-wfa>
clear unified-edge sgw charging local-persistent-storage
clear unified-edge sgw charging local-persistent-storage statistics
<clear-mobile-gateway-sgw-charging-clear-lps-stats>
clear unified-edge sgw charging path
clear unified-edge sgw charging path statistics
<clear-mobile-gateway-sgw-charging-clear-path-stats>
clear unified-edge sgw charging transfer
clear unified-edge sgw charging transfer statistics
<clear-mobile-gateway-sgw-charging-clear-xfer-stats>
clear unified-edge sgw gtp
clear unified-edge sgw gtp peer
clear unified-edge sgw gtp peer statistics
<clear-mobile-sgw-gtp-peer-statistics>
clear unified-edge sgw gtp statistics
<clear-mobile-sgw-gtp-statistics>
clear unified-edge sgw idle-mode-buffering
clear unified-edge sgw idle-mode-buffering statistics
202
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
<clear-mobile-gw-sgw-idle-mode-buffering-statistics>
clear unified-edge sgw ip-reassembly
clear unified-edge sgw ip-reassembly statistics
<clear-mobile-gateways-sgw-ip-reassembly-statistics-sgw>
clear unified-edge sgw statistics
<clear-mobile-sgw-statistics>
clear unified-edge sgw subscribers
<clear-mobile-sgw-subscribers>
clear unified-edge sgw subscribers charging
<clear-mobile-sgw-subscribers-charging>
clear unified-edge sgw subscribers peer
<clear-mobile-sgw-subscribers-peer>
clear unified-edge tdf
clear unified-edge tdf aaa
clear unified-edge tdf aaa radius
clear unified-edge tdf aaa radius client
clear unified-edge tdf aaa radius client statistics
<clear-radius-client-statistics>
clear unified-edge tdf aaa radius network-element
clear unified-edge tdf aaa radius network-element statistics
<clear-radius-network-element-statistics>
clear unified-edge tdf aaa radius server
clear unified-edge tdf aaa radius server statistics
<clear-radius-server-statistics>
clear unified-edge tdf aaa radius snoop-segment
clear unified-edge tdf aaa radius snoop-segment statistics
<clear-radius-snoop-segment-statistics>
clear unified-edge tdf aaa statistics
<clear-tdf-gateway-aaa-statistics>
clear unified-edge tdf address-assignment
clear unified-edge tdf address-assignment pool
<clear-mobile-gateway-tdf-sm-ippool-pool-sessions>
clear unified-edge tdf address-assignment statistics
<clear-mobile-gateway-tdf-sm-ippool-statistics>
clear unified-edge tdf call-admission-control
clear unified-edge tdf call-admission-control statistics
<clear-tdf-cac-statistics>
clear unified-edge tdf diameter
clear unified-edge tdf diameter network-element
clear unified-edge tdf diameter network-element statistics
<clear-diameter-network-element-statistics>
clear unified-edge tdf diameter pcc-gx
clear unified-edge tdf diameter pcc-gx statistics
<clear-diameter-statistics-gx>
clear unified-edge tdf diameter peer
clear unified-edge tdf diameter peer statistics
<clear-diameter-peer-statistics>
clear unified-edge tdf statistics
<clear-tdf-statistics>
clear unified-edge tdf subscribers
<clear-mobile-tdf-subscribers>
clear unified-edge tdf subscribers peer
<clear-mobile-gateway-tdf-subscribers-peer>
request unified-edge
request unified-edge ggsn-pgw
request unified-edge ggsn-pgw call-trace
<monitor-mobile-gateways-call-trace-start>
request unified-edge ggsn-pgw call-trace clear
<get-mobile-gateways-call-trace-clear>
request unified-edge ggsn-pgw call-trace show
<get-mobile-gateways-call-trace-information>
Copyright © 2017, Juniper Networks, Inc.
203
User Access and Authentication Feature Guide for Routing Devices
request unified-edge ggsn-pgw call-trace start
<get-mobile-gateways-call-trace-start-information>
request unified-edge ggsn-pgw call-trace stop
<get-mobile-gateways-call-trace-stop-information>
request unified-edge sgw
request unified-edge sgw call-trace
request unified-edge sgw call-trace clear
<get-mobile-gateways-sgw-call-trace-clear>
request unified-edge sgw call-trace show
<get-mobile-gateways-sgw-call-trace-information>
request unified-edge sgw call-trace start
<get-mobile-gateways-sgw-call-trace-start-information>
request unified-edge sgw call-trace stop
<get-mobile-gateways-sgw-call-trace-stop-information>
request unified-edge tdf
request unified-edge tdf call-trace
request unified-edge tdf call-trace clear
<get-mobile-gateways-tdf-call-trace-clear>
request unified-edge tdf call-trace show
<get-mobile-gateways-tdf-call-trace-information>
request unified-edge tdf call-trace start
<get-mobile-gateways-tdf-call-trace-start-information>
request unified-edge tdf call-trace stop
<get-mobile-gateways-tdf-call-trace-stop-information>
Configuration
Hierarchy Levels
Related
Documentation
[edit
[edit
[edit
[edit
services flow-tap]
services radius-flow-tap]
system services flow-tap-dtcp]
unified-edge]
•
Access Privilege User Permission Flags Overview on page 114
•
Understanding Junos OS Access Privilege Levels on page 26
•
Example: Configuring User Permissions with Access Privilege Levels on page 65
•
Example: Configuring User Permissions with Access Privileges for Operational Mode
Commands on page 76
•
Example: Configuring User Permissions with Access Privileges for Configuration
Statements and Hierarchies on page 87
•
flow-tap-control on page 204
flow-tap-control
Can view the flow-tap configuration in configuration mode and can configure flow-tap
configuration information at the [edit services flow-tap], [edit services radius-flow-tap],
and [edit system services flow-tap-dtcp] hierarchy levels.
Commands
Configuration
Hierarchy Levels
204
No associated CLI commands.
[edit services flow-tap]
[edit services radius-flow-tap]
[edit system services flow-tap-dtcp]
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
Related
Documentation
•
Access Privilege User Permission Flags Overview on page 114
•
Understanding Junos OS Access Privilege Levels on page 26
•
Example: Configuring User Permissions with Access Privilege Levels on page 65
•
Example: Configuring User Permissions with Access Privileges for Operational Mode
Commands on page 76
•
Example: Configuring User Permissions with Access Privileges for Configuration
Statements and Hierarchies on page 87
•
flow-tap on page 201
flow-tap-operation
Can make flow-tap requests to the router.
Commands
Configuration
Hierarchy Levels
Related
Documentation
No associated CLI commands.
No associated CLI configuration hierarchy levels and statements.
•
Access Privilege User Permission Flags Overview on page 114
•
Understanding Junos OS Access Privilege Levels on page 26
•
Example: Configuring User Permissions with Access Privilege Levels on page 65
•
Example: Configuring User Permissions with Access Privileges for Operational Mode
Commands on page 76
•
Example: Configuring User Permissions with Access Privileges for Configuration
Statements and Hierarchies on page 87
idp-profiler-operation
Can view profiler data.
Commands
CLI Configuration
Hierarchy Levels
No associated CLI commands.
No associated CLI configuration hierarchy levels and statements.
interface
Can view the interface configuration in configuration mode.
Commands
clear
clear
clear
clear
Copyright © 2017, Juniper Networks, Inc.
unified-edge
unified-edge ggsn-pgw
unified-edge ggsn-pgw aaa
unified-edge ggsn-pgw aaa radius
205
User Access and Authentication Feature Guide for Routing Devices
clear unified-edge ggsn-pgw aaa radius statistics
<clear-mobile-gateway-aaa-radius-statistics>
clear unified-edge ggsn-pgw aaa statistics
<clear-mobile-gateway-aaa-statistics>
clear unified-edge ggsn-pgw address-assignment
clear unified-edge ggsn-pgw address-assignment pool
<clear-mobile-gateway-sm-ippool-pool-sessions>
clear unified-edge ggsn-pgw address-assignment statistics
<clear-mobile-gateway-sm-ippool-statistics>
clear unified-edge ggsn-pgw call-admission-control
clear unified-edge ggsn-pgw call-admission-control statistics
<clear-mobile-gateway-cac-statistics>
clear unified-edge ggsn-pgw charging
clear unified-edge ggsn-pgw charging cdr
<clear-mobile-gateway-charging-clear-cdr>
clear unified-edge ggsn-pgw charging cdr wfa
<clear-mobile-gateway-charging-clear-cdr-wfa>
clear unified-edge ggsn-pgw charging local-persistent-storage
clear unified-edge ggsn-pgw charging local-persistent-storage statistics
<clear-mobile-gateway-charging-clear-lps-stats>
clear unified-edge ggsn-pgw charging path
clear unified-edge ggsn-pgw charging path statistics
<clear-mobile-gateway-charging-clear-path-stats>
clear unified-edge ggsn-pgw charging transfer
clear unified-edge ggsn-pgw charging transfer statistics
<clear-mobile-gateway-charging-clear-xfer-stats>
clear unified-edge ggsn-pgw diameter
clear unified-edge ggsn-pgw diameter dcca-gy
clear unified-edge ggsn-pgw diameter dcca-gy statistics
<clear-mobile-gateway-aaa-diam-stats-gy>
clear unified-edge ggsn-pgw diameter network-element
clear unified-edge ggsn-pgw diameter network-element statistics
<clear-mobile-gateway-aaa-diam-ne-statistics>
clear unified-edge ggsn-pgw diameter pcc-gx
clear unified-edge ggsn-pgw diameter pcc-gx statistics
<clear-mobile-gateway-aaa-diam-stats-gx>
clear unified-edge ggsn-pgw diameter peer
clear unified-edge ggsn-pgw diameter peer statistics
<clear-mobile-gateway-aaa-diam-peer-statistics>
clear unified-edge ggsn-pgw gtp
clear unified-edge ggsn-pgw gtp peer
clear unified-edge ggsn-pgw gtp peer statistics
<clear-mobile-gateway-gtp-peer-statistics>
clear unified-edge ggsn-pgw gtp statistics
<clear-mobile-gateway-gtp-statistics>
clear unified-edge ggsn-pgw ip-reassembly
clear unified-edge ggsn-pgw ip-reassembly statistics
<clear-mobile-gateways-ip-reassembly-statistics>
clear unified-edge ggsn-pgw statistics
<clear-mobile-gateway-statistics>
clear unified-edge ggsn-pgw subscribers
<clear-mobile-gateway-subscribers>
clear unified-edge ggsn-pgw subscribers bearer
clear unified-edge ggsn-pgw subscribers charging
<clear-mobile-gateway-subscribers-charging>
clear unified-edge ggsn-pgw subscribers peer
<clear-mobile-gateway-subscribers-peer>
clear unified-edge sgw
clear unified-edge sgw call-admission-control
clear unified-edge sgw call-admission-control statistics
<clear-mobile-sgw-cac-statistics>
206
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
clear unified-edge sgw charging
clear unified-edge sgw charging cdr
<clear-mobile-gateway-sgw-charging-clear-cdr>
clear unified-edge sgw charging cdr wfa
<clear-mobile-gateway-sgw-charging-clear-cdr-wfa>
clear unified-edge sgw charging local-persistent-storage
clear unified-edge sgw charging local-persistent-storage statistics
<clear-mobile-gateway-sgw-charging-clear-lps-stats>
clear unified-edge sgw charging path
clear unified-edge sgw charging path statistics
<clear-mobile-gateway-sgw-charging-clear-path-stats>
clear unified-edge sgw charging transfer
clear unified-edge sgw charging transfer statistics
<clear-mobile-gateway-sgw-charging-clear-xfer-stats>
clear unified-edge sgw gtp
clear unified-edge sgw gtp peer
clear unified-edge sgw gtp peer statistics
<clear-mobile-sgw-gtp-peer-statistics>
clear unified-edge sgw gtp statistics
<clear-mobile-sgw-gtp-statistics>
clear unified-edge sgw idle-mode-buffering
clear unified-edge sgw idle-mode-buffering statistics
<clear-mobile-gw-sgw-idle-mode-buffering-statistics>
clear unified-edge sgw ip-reassembly
clear unified-edge sgw ip-reassembly statistics
<clear-mobile-gateways-sgw-ip-reassembly-statistics-sgw>
clear unified-edge sgw statistics
<clear-mobile-sgw-statistics>
clear unified-edge sgw subscribers
<clear-mobile-sgw-subscribers>
clear unified-edge sgw subscribers charging
<clear-mobile-sgw-subscribers-charging>
clear unified-edge sgw subscribers peer
<clear-mobile-sgw-subscribers-peer>
clear unified-edge tdf
clear unified-edge tdf aaa
clear unified-edge tdf aaa radius
clear unified-edge tdf aaa radius client
clear unified-edge tdf aaa radius client statistics
<clear-radius-client-statistics>
clear unified-edge tdf aaa radius network-element
clear unified-edge tdf aaa radius network-element statistics
<clear-radius-network-element-statistics>
clear unified-edge tdf aaa radius server
clear unified-edge tdf aaa radius server statistics
<clear-radius-server-statistics>
clear unified-edge tdf aaa radius snoop-segment
clear unified-edge tdf aaa radius snoop-segment statistics
<clear-radius-snoop-segment-statistics>
clear unified-edge tdf aaa statistics
<clear-tdf-gateway-aaa-statistics>
clear unified-edge tdf address-assignment
clear unified-edge tdf address-assignment pool
<clear-mobile-gateway-tdf-sm-ippool-pool-sessions>
clear unified-edge tdf address-assignment statistics
<clear-mobile-gateway-tdf-sm-ippool-statistics>
clear unified-edge tdf call-admission-control
clear unified-edge tdf call-admission-control statistics
<clear-tdf-cac-statistics>
clear unified-edge tdf diameter
clear unified-edge tdf diameter network-element
Copyright © 2017, Juniper Networks, Inc.
207
User Access and Authentication Feature Guide for Routing Devices
clear unified-edge tdf diameter network-element statistics
<clear-diameter-network-element-statistics>
clear unified-edge tdf diameter pcc-gx
clear unified-edge tdf diameter pcc-gx statistics
<clear-diameter-statistics-gx>
clear unified-edge tdf diameter peer
clear unified-edge tdf diameter peer statistics
<clear-diameter-peer-statistics>
clear unified-edge tdf statistics
<clear-tdf-statistics>
clear unified-edge tdf subscribers
<clear-mobile-tdf-subscribers>
clear unified-edge tdf subscribers peer
<clear-mobile-gateway-tdf-subscribers-peer>
request unified-edge
request unified-edge ggsn-pgw
request unified-edge ggsn-pgw call-trace
<monitor-mobile-gateways-call-trace-start>
request unified-edge ggsn-pgw call-trace clear
<get-mobile-gateways-call-trace-clear>
request unified-edge ggsn-pgw call-trace show
<get-mobile-gateways-call-trace-information>
request unified-edge ggsn-pgw call-trace start
<get-mobile-gateways-call-trace-start-information>
request unified-edge ggsn-pgw call-trace stop
<get-mobile-gateways-call-trace-stop-information>
request unified-edge sgw
request unified-edge sgw call-trace
request unified-edge sgw call-trace clear
<get-mobile-gateways-sgw-call-trace-clear>
request unified-edge sgw call-trace show
<get-mobile-gateways-sgw-call-trace-information>
request unified-edge sgw call-trace start
<get-mobile-gateways-sgw-call-trace-start-information>
request unified-edge sgw call-trace stop
<get-mobile-gateways-sgw-call-trace-stop-information>
request unified-edge tdf
request unified-edge tdf call-trace
request unified-edge tdf call-trace clear
<get-mobile-gateways-tdf-call-trace-clear>
request unified-edge tdf call-trace show
<get-mobile-gateways-tdf-call-trace-information>
request unified-edge tdf call-trace start
<get-mobile-gateways-tdf-call-trace-start-information>
request unified-edge tdf call-trace stop
<get-mobile-gateways-tdf-call-trace-stop-information>
Configuration
Hierarchy Levels
208
[edit accounting-options]
[edit chassis]
[edit class-of-service]
[edit class-of-service interfaces]
[edit dynamic-profiles class-of-service]
[edit dynamic-profiles class-of-service interfaces]
[edit dynamic-profiles interfaces]
[edit dynamic-profiles routing-instances instance system services
dhcp-local-server]
[edit dynamic-profiles routing-instances instance system services
static-subscribers group]
[edit forwarding-options]
[edit interfaces]
[edit jnx-example]
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
[edit logical-systems forwarding-options]
[edit logical-systems interfaces]
[edit logical-systems routing-instances instance system services
dhcp-local-server]
[edit logical-systems routing-instances instance system services
static-subscribers group]
[edit logical-systems system services dhcp-local-server]
[edit logical-systems system services static-subscribers group]
[edit routing-instances instance system services dhcp-local-server]
[edit routing-instances instance system services static-subscribers group]
[edit services logging]
[edit services radius-flow-tap]
[edit services radius-flow-tap interfaces]
[edit system services dhcp-local-server]
[edit system services static-subscribers group]
[edit unified-edge]
Related
Documentation
•
Access Privilege User Permission Flags Overview on page 114
•
Understanding Junos OS Access Privilege Levels on page 26
•
Example: Configuring User Permissions with Access Privilege Levels on page 65
•
Example: Configuring User Permissions with Access Privileges for Operational Mode
Commands on page 76
•
Example: Configuring User Permissions with Access Privileges for Configuration
Statements and Hierarchies on page 87
•
interface-control on page 209
interface-control
Can view chassis, class of service (CoS), groups, forwarding options, and interfaces
configuration information. Can edit configuration at the [edit chassis], [edit
class-of-service], [edit groups], [edit forwarding-options], and [edit interfaces] hierarchy
levels.
Commands
Configuration
Hierarchy Levels
No associated CLI commands.
[edit accounting-options]
[edit chassis]
[edit class-of-service]
[edit class-of-service interfaces]
[edit dynamic-profiles class-of-service]
[edit dynamic-profiles class-of-service interfaces]
[edit dynamic-profiles interfaces]
[edit dynamic-profiles routing-instances instance system services
dhcp-local-server]
[edit dynamic-profiles routing-instances instance system services
static-subscribers group]
[edit forwarding-options]
[edit interfaces]
[edit jnx-example]
[edit logical-systems forwarding-options]
[edit logical-systems interfaces]
Copyright © 2017, Juniper Networks, Inc.
209
User Access and Authentication Feature Guide for Routing Devices
[edit logical-systems routing-instances instance system services
dhcp-local-server]
[edit logical-systems routing-instances instance system services
static-subscribers group]
[edit logical-systems system services dhcp-local-server]
[edit logical-systems system services static-subscribers group]
[edit routing-instances instance system services dhcp-local-server]
[edit routing-instances instance system services static-subscribers group]
[edit services logging]
[edit services radius-flow-tap]
[edit services radius-flow-tap interfaces]
[edit system services dhcp-local-server]
[edit system services static-subscribers group]
Related
Documentation
•
Access Privilege User Permission Flags Overview on page 114
•
Understanding Junos OS Access Privilege Levels on page 26
•
Example: Configuring User Permissions with Access Privilege Levels on page 65
•
Example: Configuring User Permissions with Access Privileges for Operational Mode
Commands on page 76
•
Example: Configuring User Permissions with Access Privileges for Configuration
Statements and Hierarchies on page 87
•
interface on page 205
maintenance
Can perform system maintenance, including starting a local shell on the router and
becoming the superuser in the shell, and can halt and reboot the router.
Commands
clear system commit synchronize-server pending-jobs
<clear-pending-commit-sync-jobs>
clear system reboot
<clear-reboot>
clear-system-services-reverse-information
file archive
<file-archive>
file change-owner
<file-change-owner>
<extract-file>
monitor traffic
request chassis afeb
request chassis beacon
<request-chassis-beacon>
request chassis cb
<request-chassis-cb>
request chassis ccg
<request-chassis-ccg>
request
request
request
request
210
chassis
chassis
chassis
chassis
cfeb
cfeb master
cip
fabric
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
request chassis fabric device
request chassis fabric guided-cabling
request chassis fabric plane
request chassis fabric upgrade-bandwidth
request chassis fabric upgrade-bandwidth fpc
request chassis fabric upgrade-bandwidth info
request chassis fan-tray
request chassis feb
<request-feb>
request chassis fpc
<request-chassis-fpc>
request chassis fpc optical-module
<request-fpc-optical-module>
request chassis fpc optical-module amplifier-chain
<request-fpc-optical-module-amplifier-chain>
request chassis fpc optical-module amplifier-chain ila
<request-fpc-optical-module-ila>
request chassis fpc optical-module amplifier-chain ila firmware-upgrade
<request-fpc-optical-module-ila-firmware-upgrade>
request chassis fpc optical-module amplifier-chain ila hard-reset
<request-fpc-optical-module-ila-hard-reset>
request chassis fpc optical-module amplifier-chain ila soft-reset
<request-fpc-optical-module-ila-soft-reset>
request chassis fpc optical-module firmware-upgrade
<request-fpc-optical-module-firmware-upgrade>
request chassis fpm
request chassis mcs
request chassis mic
request chassis optics
request chassis pcg
request chassis pic
<request-chassis-pic>
request chassis port-led
request chassis port-led start
<request-chassis-port-led-switch-on>
request chassis port-led stop
<request-chassis-port-led-switch-off>
request chassis redundancy
request chassis redundancy feb
<request-redundancy-feb>
request chassis routing-engine
<request-chassis-routing-engine>
request chassis routing-engine hard-disk-test
request chassis routing-engine master
request chassis satellite device-mode
request chassis satellite disable
<request-chassis-satellite-disable>
request chassis satellite enable
<request-chassis-satellite-enable>
request chassis satellite file-copy
<request-chassis-satellite-file-copy>
request chassis satellite install
<request-chassis-satellite-install>
request chassis satellite interface
request chassis satellite login
<request-chassis-satellite-login>
request chassis satellite reboot
<request-chassis-satellite-reboot>
request chassis satellite restart
Copyright © 2017, Juniper Networks, Inc.
211
User Access and Authentication Feature Guide for Routing Devices
<request-chassis-satellite-restart>
request chassis satellite restart process
request chassis satellite shell-command
<request-chassis-satellite-shell-command>
request chassis scg
request chassis sfb
request chassis sfm
request chassis sfm master
request chassis sib
<request-chassis-sib>
request chassis sib f13
request chassis sib f2s
request chassis sib optics
request chassis spmb
<request-chassis-spmb>
request chassis ssb
request chassis ssb master
request chassis synchronization
request chassis synchronization force
request chassis synchronization force automatic-switching
request chassis synchronization force mark-failed
request chassis synchronization force unmark-failed
request chassis synchronization switch
request chassis tfeb
request chassis vcpu
request chassis vnpu
request diagnostics
request diagnostics tdr
request diagnostics tdr abort
request diagnostics tdr abort interface
<abort-tdr-interface-diagnostics>
request diagnostics tdr start
request diagnostics tdr start interface
<request-tdr-interface-diagnostics>
request extension-service
request extension-service start
<extension-service-start>
request extension-service stop
<extension-service-stop>
request l2circuit-switchover
request mpls
request mpls lsp
request mpls lsp adjust-autobandwidth
<request-mpls-lsp-autobandwidth-adjust>
request security
request security certificate
request security certificate enroll
request security datapath-debug
request security datapath-debug action-profile
request security datapath-debug action-profile reload-all
<reload-eedebug-action-profile>
request security idp
<request-idp-security-policy-load>
equest security idp security-package
request security idp security-package download
<request-idp-security-package-download>
212
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
request security idp security-package download version
<request-idp-security-package-download-version>
request security idp security-package install
<request-idp-security-package-install>
request security idp security-package offline-download
<request-idp-security-package-offline-download>
request security idp ssl-inspection
request security idp ssl-inspection key
request security idp ssl-inspection key add
<request-idp-ssl-key-add>
request security idp ssl-inspection key delete
<request-idp-ssl-key-delete>
request security idp storage-cleanup
<request-idp-storage-cleanup>
request security ike
request security key-pair
request security pki
request security pki ca-certificate
request security pki ca-certificate ca-profile-group
request security pki ca-certificate ca-profile-group load
request security pki ca-certificate enroll
request security pki local-certificate export
request security pki ca-certificate load
<load-pki-ca-certificate>
request security pki ca-certificate verify
<verify-pki-ca-certificate>
request security pki crl
request security pki crl load
<load-pki-crl>
request security pki generate-certificate-request
<generate-pki-certificate-request>
request security pki generate-key-pair
<generate-pki-key-pair>
request security pki local-certificate
request security pki local-certificate enroll
request security pki local-certificate generate-self-signed
<generate-pki-self-signed-local-certificate>
request security pki local-certificate load
<load-pki-local-certificate>
request security pki local-certificate verify
<verify-pki-local-certificate>
request security pki verify-integrity-status
<verify-integrity-status>
request services fips
request services fips authorize
request services fips authorize pic
request services fips zeroize
request services fips zeroize pic
request services flow-collector
request services flow-collector change-destination
<request-services-flow-collector-destination>
request services ggsn
request services ggsn pdp
request services ggsn pdp terminate
request services ggsn pdp terminate apn
<request-ggsn-terminate-contexts-apn>
request services ggsn pdp terminate context
Copyright © 2017, Juniper Networks, Inc.
213
User Access and Authentication Feature Guide for Routing Devices
<request-ggsn-terminate-context>
request services ggsn pdp terminate context msisdn
<request-ggsn-terminate-msisdn-context>
request services ggsn restart
request services ggsn restart interface
<request-ggsn-restart-interface>
request services ggsn restart node
<request-ggsn-restart-node>
request services ggsn start
request services ggsn start interface
request services ggsn stop
request services ggsn stop interface
<request-ggsn-stop-interface>
request services ggsn stop node
<request-ggsn-stop-node>
request services ggsn trace
request services ggsn trace software
request services ggsn trace software update
<request-ggsn-software-update>
request services ggsn trace start
request services ggsn trace start imsi
<request-ggsn-start-imsi-trace>
request services ggsn trace start msisdn
<request-ggsn-start-msisdn-trace>
request services ggsn trace stop
request services ggsn trace stop all
<request-ggsn-stop-trace-activity>
request services ggsn trace stop imsi
<request-ggsn-stop-imsi-trace>
request services ggsn trace stop msisdn
<request-ggsn-stop-msisdn-trace>
request support
request support information
request system
request system boot-media
<request-boot-media>
request system certificate
request system certificate add
request system commit
request system commit server
request system commit server pause
<request-commit-server-pause>
request system commit server queue
request system commit server queue cleanup
<request-commit-server-cleanup>
request system commit server start
<request-commit-server-start>
request system configuration
request system configuration rescue
214
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
request system configuration rescue delete
<request-delete-rescue-configuration>
request system configuration rescue save
<request-save-rescue-configuration>
request system decrypt
<security-decrypt-password>
request system diagnostics
request system diagnostics log-archive
<request-log>
request system diagnostics transfer-control
<transfer-control>
request system firmware
request system firmware downgrade
request system firmware downgrade cb
<request-fpc-fpga-upgrade>
request system firmware downgrade cb i2c
<request-i2c-fpga-upgrade>
request system firmware downgrade feb
request system firmware downgrade fpc
request system firmware downgrade pic
request system firmware downgrade poe
request system firmware downgrade re
request system firmware downgrade scb
request system firmware downgrade sfm
request system firmware downgrade spmb
request system firmware downgrade ssb
request system firmware downgrade vcpu
request system firmware upgrade
request system firmware upgrade cb i2c
<request-i2c-fpga-upgrade>
request system firmware upgrade feb
request system firmware upgrade fpc
request system firmware upgrade fpga
request system firmware upgrade fpga cb
<request-cb-fpga-upgrade>
request system firmware upgrade fpga fpc
request system firmware upgrade fpga fpd
<request-fpd-fpga-upgrade>
request system firmware upgrade fpga ftc
<request-ftc-fpga-upgrade>
request system firmware upgrade fpga re
<request-re-fpga-upgrade>
request system firmware upgrade
<request-scb-fpga-upgrade>
request system firmware upgrade
<request-sib-fpga-upgrade>
request system firmware upgrade
request system firmware upgrade
request system firmware upgrade
request system firmware upgrade
request system firmware upgrade
request system firmware upgrade
request system firmware upgrade
request system firmware upgrade
request system firmware upgrade
request system halt
<request-halt>
fpga scb
fpga sib
pic
poe
re
re bios
scb
sfm
spmb
ssb
vcpu
request system keep-alive
Copyright © 2017, Juniper Networks, Inc.
215
User Access and Authentication Feature Guide for Routing Devices
request system license
request system license add
request system license delete
<request-license-delete>
request system license revoke-licenses
<license-revoke-licenses>
request system license save
request system license update
<request-license-update>
request system logout
request system logs
<request-system-logs-copy>
request system partition
request system partition abort
request system partition compact-flash
request system partition hard-disk
request system power-off
<request-power-off>
request system power-on
<request-power-on-other-re>
request system process
request system process terminate
<request-process-terminate>
request system reboot
<request-reboot>
request system recover
request system scripts
request system scripts add
<request-scripts-package-add>
request system scripts convert
request system scripts convert slax-to-xslt
request system scripts convert xslt-to-slax
request system scripts delete
<request-scripts-package-delete>
request system scripts event-scripts
request system scripts event-scripts reload
<reload-event-scripts>
request system scripts refresh-from
<request-script-refresh-from>
request system scripts rollback
<request-scripts-package-rollback>
request system scripts synchronize
<request-scripts-synchronize>
request system snapshot
<request-snapshot>
request system software
request system software abort
request system software abort in-service-upgrade
<abort-in-service-upgrade>
216
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
request system software add
<request-package-add>
request system software delete
<request-package-delete>
request system software delete-backup
<request-package-delete-backup>
request system software in-service-upgrade
<request-package-in-service-upgrade>
request system software nonstop-upgrade
<request-package-nonstop-upgrade>
request system software recovery-package
request system software recovery-package
request system software recovery-package
request system software recovery-package
request system software recovery-package
request system software recovery-package
request system software rollback
<request-package-rollback>
add
delete
extract
extract ex-8200-package
extract ex-xre200-package
request system software validate
<request-package-validate>
request system software validate in-service-upgrade
<check-in-service-upgrade>
request system storage
request system storage cleanup
<request-system-storage-cleanup>
request system storage cleanup qfabric
<remove-qfabric-repository-contents>
request system storage mount
<request-mount>
request system storage unified-edge
request system storage unified-edge charging
request system storage unified-edge charging media
request system storage unified-edge media
request system storage unified-edge media eject
request system storage unified-edge media prepare
request system storage unmount
<request-unmount>
request system subscriber-management
request system subscriber-management new-sessions-disable
<request-sm-new-sessions-disable>
request system subscriber-management new-sessions-enable
<request-sm-new-sessions-enable>
request system yang enable
<request-yang-enable>
request system yang update
<request-yang-update>
request system yang validate
<request-yang-validate>
request system zeroize
request vmhost
request vmhost cleanup
<request-vmhost-file-cleanup>
request vmhost file-copy
<request-vmhost-file-copy>
request vmhost halt
Copyright © 2017, Juniper Networks, Inc.
217
User Access and Authentication Feature Guide for Routing Devices
<request-vmhost-halt>
request vmhost hard-disk-test
<request-vmhost-hard-disk-test>
request vmhost power-off
<request-vmhost-poweroff>
request vmhost power-on
<request-power-on-other-re>
request vmhost reboot
<request-vmhost-reboot>
request vmhost snapshot
<request-vmhost-snapshot>
request vmhost snapshot partition
<request-vmhost-snapshot-partition>
request vmhost snapshot recovery
<request-vmhost-snapshot-recovery>
request vmhost snapshot recovery partition
<request-vmhost-snapshot-recovery-partition>
request vmhost software
request vmhost software abort
request vmhost software abort in-service-upgrade
<abort-in-service-upgrade>
request vmhost software add
<request-vmhost-package-add>
request vmhost software in-service-upgrade
<request-vmhost-package-in-service-upgrade>
request vmhost software rollback
<request-package-rollback>
request vmhost zeroize
<request-vmhost-zeroize>
request vpls-switchover
set date
set date ntp
show chassis usb
show chassis usb storage
<get-usb-storage-status>
show services fips
show system configuration database
show system configuration database usage
<get-database-usage>
start shell
start shell user
test access
test access profile
<get-radius-profile-access-test-result>
test access radius-server
<get-radius-server-access-test-result>
get-test-services-l2tp-tunnel-result
Configuration
Hierarchy Levels
218
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
event-options]
security ipsec internal]
security ipsect trusted-channel]
services dynamic-flow-capture traceoptions]
services ggsn]
system fips]
services ggsn rule-space]
system processes daemon-process command]
system scripts]
system scripts commit]
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
[edit system scripts op]
[edit system scripts snmp]
Related
Documentation
•
Access Privilege User Permission Flags Overview on page 114
•
Understanding Junos OS Access Privilege Levels on page 26
•
Example: Configuring User Permissions with Access Privilege Levels on page 65
•
Example: Configuring User Permissions with Access Privileges for Operational Mode
Commands on page 76
•
Example: Configuring User Permissions with Access Privileges for Configuration
Statements and Hierarchies on page 87
network
Can access the network by using the ping, ssh, telnet, and traceroute commands.
Commands
mtrace
mtrace from-source
mtrace monitor
mtrace to-gateway
ping
<ping>
ping atm
ping clns
ping ethernet
<request-ping-ethernet>
ping fibre-channel
ping mpls
ping mpls bgp
<request-ping-bgp-lsp>
ping mpls l2circuit
ping mpls l2circuit interface
<request-ping-l2circuit-interface>
ping mpls l2circuit virtual-circuit
<request-ping-l2circuit-virtual-circuit>
ping mpls l2vpn
ping mpls l2vpn fec129
ping mpls l2vpn fec129 interface
<request-ping-l2vpn-fec129-interface>
ping mpls l2vpn instance
<request-ping-l2vpn-instance>
ping mpls l2vpn interface
<request-ping-l2vpn-interface>
ping mpls l3vpn
<request-ping-l3vpn>
ping mpls ldp
<request-ping-ldp-lsp>
Copyright © 2017, Juniper Networks, Inc.
219
User Access and Authentication Feature Guide for Routing Devices
ping mpls ldp p2mp
<request-ping-ldp-p2mp-lsp>
ping mpls lsp-end-point
<request-ping-lsp-end-point>
ping mpls rsvp
<request-ping-rsvp-lsp>
ping overlay
<request-ping-overlay>
ping vpls
ping vpls instance
<request-ping-vpls-instance>
request routing-engine
request routing-engine login
<request-routing-engine-login>
request routing-engine login other-routing-engine
<request-login-to-other-routing-engine>
request services flow-collector
request services flow-collector test-file-transfer
<request-services-flow-collector-test-file-transfer>
show host
show interfaces level-extra descriptions
show multicast mrinfo
ssh
telnet
traceroute
<traceroute>
traceroute clns
traceroute ethernet
<request-traceroute-ethernet>
traceroute monitor
traceroute mpls
traceroute mpls l2vpn
<traceroute-mpls-l2vpn>
traceroute mpls l2vpn fec129
<traceroute-mpls-mspw>
traceroute mpls ldp
<traceroute-mpls-ldp>
traceroute mpls rsvp
<traceroute-mpls-rsvp>
traceroute overlay
<request-traceroute-overlay>
Configuration
Hierarchy Levels
Related
Documentation
220
No associated CLI configuration hierarchy levels and statements.
•
Access Privilege User Permission Flags Overview on page 114
•
Understanding Junos OS Access Privilege Levels on page 26
•
Example: Configuring User Permissions with Access Privilege Levels on page 65
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
•
Example: Configuring User Permissions with Access Privileges for Operational Mode
Commands on page 76
•
Example: Configuring User Permissions with Access Privileges for Configuration
Statements and Hierarchies on page 87
pgcp-session-mirroring
Can view session mirroring configuration by using the pgcp command.
Commands
clear unified-edge
clear unified-edge ggsn-pgw
clear unified-edge ggsn-pgw aaa
clear unified-edge ggsn-pgw aaa radius
clear unified-edge ggsn-pgw aaa radius statistics
<clear-mobile-gateway-aaa-radius-statistics>
clear unified-edge ggsn-pgw aaa statistics
<clear-mobile-gateway-aaa-statistics>
clear unified-edge ggsn-pgw address-assignment
clear unified-edge ggsn-pgw address-assignment pool
<clear-mobile-gateway-sm-ippool-pool-sessions>
clear unified-edge ggsn-pgw address-assignment statistics
<clear-mobile-gateway-sm-ippool-statistics>
clear unified-edge ggsn-pgw call-admission-control
clear unified-edge ggsn-pgw call-admission-control statistics
<clear-mobile-gateway-cac-statistics>
clear unified-edge ggsn-pgw charging
clear unified-edge ggsn-pgw charging cdr
<clear-mobile-gateway-charging-clear-cdr>
clear unified-edge ggsn-pgw charging cdr wfa
<clear-mobile-gateway-charging-clear-cdr-wfa>
clear unified-edge ggsn-pgw charging local-persistent-storage
clear unified-edge ggsn-pgw charging local-persistent-storage statistics
<clear-mobile-gateway-charging-clear-lps-stats>
clear unified-edge ggsn-pgw charging path
clear unified-edge ggsn-pgw charging path statistics
<clear-mobile-gateway-charging-clear-path-stats>
clear unified-edge ggsn-pgw charging transfer
clear unified-edge ggsn-pgw charging transfer statistics
<clear-mobile-gateway-charging-clear-xfer-stats>
clear unified-edge ggsn-pgw diameter
clear unified-edge ggsn-pgw diameter dcca-gy
clear unified-edge ggsn-pgw diameter dcca-gy statistics
<clear-mobile-gateway-aaa-diam-stats-gy>
clear unified-edge ggsn-pgw diameter network-element
clear unified-edge ggsn-pgw diameter network-element statistics
<clear-mobile-gateway-aaa-diam-ne-statistics>
clear unified-edge ggsn-pgw diameter pcc-gx
clear unified-edge ggsn-pgw diameter pcc-gx statistics
<clear-mobile-gateway-aaa-diam-stats-gx>
clear unified-edge ggsn-pgw diameter peer
clear unified-edge ggsn-pgw diameter peer statistics
<clear-mobile-gateway-aaa-diam-peer-statistics>
clear unified-edge ggsn-pgw gtp
clear unified-edge ggsn-pgw gtp peer
clear unified-edge ggsn-pgw gtp peer statistics
<clear-mobile-gateway-gtp-peer-statistics>
clear unified-edge ggsn-pgw gtp statistics
Copyright © 2017, Juniper Networks, Inc.
221
User Access and Authentication Feature Guide for Routing Devices
<clear-mobile-gateway-gtp-statistics>
clear unified-edge ggsn-pgw ip-reassembly
clear unified-edge ggsn-pgw ip-reassembly statistics
<clear-mobile-gateways-ip-reassembly-statistics>
clear unified-edge ggsn-pgw statistics
<clear-mobile-gateway-statistics>
clear unified-edge ggsn-pgw subscribers
<clear-mobile-gateway-subscribers>
clear unified-edge ggsn-pgw subscribers bearer
clear unified-edge ggsn-pgw subscribers charging
<clear-mobile-gateway-subscribers-charging>
clear unified-edge ggsn-pgw subscribers peer
<clear-mobile-gateway-subscribers-peer>
clear unified-edge sgw
clear unified-edge sgw call-admission-control
clear unified-edge sgw call-admission-control statistics
<clear-mobile-sgw-cac-statistics>
clear unified-edge sgw charging
clear unified-edge sgw charging cdr
<clear-mobile-gateway-sgw-charging-clear-cdr>
clear unified-edge sgw charging cdr wfa
<clear-mobile-gateway-sgw-charging-clear-cdr-wfa>
clear unified-edge sgw charging local-persistent-storage
clear unified-edge sgw charging local-persistent-storage statistics
<clear-mobile-gateway-sgw-charging-clear-lps-stats>
clear unified-edge sgw charging path
clear unified-edge sgw charging path statistics
<clear-mobile-gateway-sgw-charging-clear-path-stats>
clear unified-edge sgw charging transfer
clear unified-edge sgw charging transfer statistics
<clear-mobile-gateway-sgw-charging-clear-xfer-stats>
clear unified-edge sgw gtp
clear unified-edge sgw gtp peer
clear unified-edge sgw gtp peer statistics
<clear-mobile-sgw-gtp-peer-statistics>
clear unified-edge sgw gtp statistics
<clear-mobile-sgw-gtp-statistics>
clear unified-edge sgw idle-mode-buffering
clear unified-edge sgw idle-mode-buffering statistics
<clear-mobile-gw-sgw-idle-mode-buffering-statistics>
clear unified-edge sgw ip-reassembly
clear unified-edge sgw ip-reassembly statistics
<clear-mobile-gateways-sgw-ip-reassembly-statistics-sgw>
clear unified-edge sgw statistics
<clear-mobile-sgw-statistics>
clear unified-edge sgw subscribers
<clear-mobile-sgw-subscribers>
clear unified-edge sgw subscribers charging
<clear-mobile-sgw-subscribers-charging>
clear unified-edge sgw subscribers peer
<clear-mobile-sgw-subscribers-peer>
clear unified-edge tdf
clear unified-edge tdf aaa
clear unified-edge tdf aaa radius
clear unified-edge tdf aaa radius client
clear unified-edge tdf aaa radius client statistics
<clear-radius-client-statistics>
clear unified-edge tdf aaa radius network-element
clear unified-edge tdf aaa radius network-element statistics
<clear-radius-network-element-statistics>
clear unified-edge tdf aaa radius server
222
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
clear unified-edge tdf aaa radius server statistics
<clear-radius-server-statistics>
clear unified-edge tdf aaa radius snoop-segment
clear unified-edge tdf aaa radius snoop-segment statistics
<clear-radius-snoop-segment-statistics>
clear unified-edge tdf aaa statistics
<clear-tdf-gateway-aaa-statistics>
clear unified-edge tdf address-assignment
clear unified-edge tdf address-assignment pool
<clear-mobile-gateway-tdf-sm-ippool-pool-sessions>
clear unified-edge tdf address-assignment statistics
<clear-mobile-gateway-tdf-sm-ippool-statistics>
clear unified-edge tdf call-admission-control
clear unified-edge tdf call-admission-control statistics
<clear-tdf-cac-statistics>
clear unified-edge tdf diameter
clear unified-edge tdf diameter network-element
clear unified-edge tdf diameter network-element statistics
<clear-diameter-network-element-statistics>
clear unified-edge tdf diameter pcc-gx
clear unified-edge tdf diameter pcc-gx statistics
<clear-diameter-statistics-gx>
clear unified-edge tdf diameter peer
clear unified-edge tdf diameter peer statistics
<clear-diameter-peer-statistics>
clear unified-edge tdf statistics
<clear-tdf-statistics>
clear unified-edge tdf subscribers
<clear-mobile-tdf-subscribers>
clear unified-edge tdf subscribers peer
<clear-mobile-gateway-tdf-subscribers-peer>
request unified-edge
request unified-edge ggsn-pgw
request unified-edge ggsn-pgw call-trace
<monitor-mobile-gateways-call-trace-start>
request unified-edge ggsn-pgw call-trace clear
<get-mobile-gateways-call-trace-clear>
request unified-edge ggsn-pgw call-trace show
<get-mobile-gateways-call-trace-information>
request unified-edge ggsn-pgw call-trace start
<get-mobile-gateways-call-trace-start-information>
request unified-edge ggsn-pgw call-trace stop
<get-mobile-gateways-call-trace-stop-information>
request unified-edge sgw
request unified-edge sgw call-trace
request unified-edge sgw call-trace clear
<get-mobile-gateways-sgw-call-trace-clear>
request unified-edge sgw call-trace show
<get-mobile-gateways-sgw-call-trace-information>
request unified-edge sgw call-trace start
<get-mobile-gateways-sgw-call-trace-start-information>
request unified-edge sgw call-trace stop
<get-mobile-gateways-sgw-call-trace-stop-information>
request unified-edge tdf
request unified-edge tdf call-trace
request unified-edge tdf call-trace clear
<get-mobile-gateways-tdf-call-trace-clear>
request unified-edge tdf call-trace show
<get-mobile-gateways-tdf-call-trace-information>
request unified-edge tdf call-trace start
<get-mobile-gateways-tdf-call-trace-start-information>
Copyright © 2017, Juniper Networks, Inc.
223
User Access and Authentication Feature Guide for Routing Devices
request unified-edge tdf call-trace stop
<get-mobile-gateways-tdf-call-trace-stop-information>
show services pgcp gates gate-way display session-mirroring
Configuration
Hierarchy Levels
Related
Documentation
[edit services pgcp gateway session-mirroring]
[edit services pgcp session-mirroring]
[edit unified-edge]
•
Access Privilege User Permission Flags Overview on page 114
•
Understanding Junos OS Access Privilege Levels on page 26
•
Example: Configuring User Permissions with Access Privilege Levels on page 65
•
Example: Configuring User Permissions with Access Privileges for Operational Mode
Commands on page 76
•
Example: Configuring User Permissions with Access Privileges for Configuration
Statements and Hierarchies on page 87
•
pgcp-session-mirroring-control on page 224
pgcp-session-mirroring-control
Can modify PGCP session mirroring configuration
Commands
show services pgcp gates gate-way display session-mirroring
Configuration
Hierarchy Levels
Related
Documentation
[edit services pgcp gateway session-mirroring]
[edit services pgcp session-mirroring]
•
Access Privilege User Permission Flags Overview on page 114
•
Understanding Junos OS Access Privilege Levels on page 26
•
Example: Configuring User Permissions with Access Privilege Levels on page 65
•
Example: Configuring User Permissions with Access Privileges for Operational Mode
Commands on page 76
•
Example: Configuring User Permissions with Access Privileges for Configuration
Statements and Hierarchies on page 87
•
pgcp-session-mirroring on page 221
reset
Can restart software processes by using the restart command and can configure whether
software processes configured at the [edit system processes] hierarchy level are enabled
or disabled.
224
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
Commands
Configuration
Hierarchy Levels
Related
Documentation
request chassis cfeb master switch
request chassis cfeb master switch no-confirm
request chassis routing-engine master acquire
request chassis routing-engine master acquire force
request chassis routing-engine master acquire force no-confirm
request chassis routing-engine master acquire no-confirm
request chassis routing-engine master release
request chassis routing-engine master release no-confirm
request chassis routing-engine master switch
request chassis routing-engine master switch no-confirm
request chassis satellite install no-confirm
request chassis sfm master switch
request chassis sfm master switch no-confirm
request chassis ssb master switch
request chassis ssb master switch no-confirm
restart
restart kernel-replication
<restart-kernel-replication>
restart-named-service
restart routing
<routing-restart>
restart services
restart services border-signaling-gateway
<restart-border-signaling-gateway-service>
restart services pgcp
<restart-pgcp-service>
restart web-management
<restart-web-management>
No associated CLI configuration hierarchy levels and statements.
•
Access Privilege User Permission Flags Overview on page 114
•
Understanding Junos OS Access Privilege Levels on page 26
•
Example: Configuring User Permissions with Access Privilege Levels on page 65
•
Example: Configuring User Permissions with Access Privileges for Operational Mode
Commands on page 76
•
Example: Configuring User Permissions with Access Privileges for Configuration
Statements and Hierarchies on page 87
rollback
Can roll back to previous configurations.
Commands
Configuration
Hierarchy Levels
rollback
[edit]
Copyright © 2017, Juniper Networks, Inc.
225
User Access and Authentication Feature Guide for Routing Devices
Related
Documentation
•
Access Privilege User Permission Flags Overview on page 114
•
Understanding Junos OS Access Privilege Levels on page 26
•
Example: Configuring User Permissions with Access Privilege Levels on page 65
•
Example: Configuring User Permissions with Access Privileges for Operational Mode
Commands on page 76
•
Example: Configuring User Permissions with Access Privileges for Configuration
Statements and Hierarchies on page 87
routing
Can view general routing, routing protocol, and routing policy configuration information.
Commands
226
clear unified-edge
clear unified-edge ggsn-pgw
clear unified-edge ggsn-pgw aaa
clear unified-edge ggsn-pgw aaa radius
clear unified-edge ggsn-pgw aaa radius statistics
<clear-mobile-gateway-aaa-radius-statistics>
clear unified-edge ggsn-pgw aaa statistics
<clear-mobile-gateway-aaa-statistics>
clear unified-edge ggsn-pgw address-assignment
clear unified-edge ggsn-pgw address-assignment pool
<clear-mobile-gateway-sm-ippool-pool-sessions>
clear unified-edge ggsn-pgw address-assignment statistics
<clear-mobile-gateway-sm-ippool-statistics>
clear unified-edge ggsn-pgw call-admission-control
clear unified-edge ggsn-pgw call-admission-control statistics
<clear-mobile-gateway-cac-statistics>
clear unified-edge ggsn-pgw charging
clear unified-edge ggsn-pgw charging cdr
<clear-mobile-gateway-charging-clear-cdr>
clear unified-edge ggsn-pgw charging cdr wfa
<clear-mobile-gateway-charging-clear-cdr-wfa>
clear unified-edge ggsn-pgw charging local-persistent-storage
clear unified-edge ggsn-pgw charging local-persistent-storage statistics
<clear-mobile-gateway-charging-clear-lps-stats>
clear unified-edge ggsn-pgw charging path
clear unified-edge ggsn-pgw charging path statistics
<clear-mobile-gateway-charging-clear-path-stats>
clear unified-edge ggsn-pgw charging transfer
clear unified-edge ggsn-pgw charging transfer statistics
<clear-mobile-gateway-charging-clear-xfer-stats>
clear unified-edge ggsn-pgw diameter
clear unified-edge ggsn-pgw diameter dcca-gy
clear unified-edge ggsn-pgw diameter dcca-gy statistics
<clear-mobile-gateway-aaa-diam-stats-gy>
clear unified-edge ggsn-pgw diameter network-element
clear unified-edge ggsn-pgw diameter network-element statistics
<clear-mobile-gateway-aaa-diam-ne-statistics>
clear unified-edge ggsn-pgw diameter pcc-gx
clear unified-edge ggsn-pgw diameter pcc-gx statistics
<clear-mobile-gateway-aaa-diam-stats-gx>
clear unified-edge ggsn-pgw diameter peer
clear unified-edge ggsn-pgw diameter peer statistics
<clear-mobile-gateway-aaa-diam-peer-statistics>
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
clear unified-edge ggsn-pgw gtp
clear unified-edge ggsn-pgw gtp peer
clear unified-edge ggsn-pgw gtp peer statistics
<clear-mobile-gateway-gtp-peer-statistics>
clear unified-edge ggsn-pgw gtp statistics
<clear-mobile-gateway-gtp-statistics>
clear unified-edge ggsn-pgw ip-reassembly
clear unified-edge ggsn-pgw ip-reassembly statistics
<clear-mobile-gateways-ip-reassembly-statistics>
clear unified-edge ggsn-pgw statistics
<clear-mobile-gateway-statistics>
clear unified-edge ggsn-pgw subscribers
<clear-mobile-gateway-subscribers>
clear unified-edge ggsn-pgw subscribers bearer
clear unified-edge ggsn-pgw subscribers charging
<clear-mobile-gateway-subscribers-charging>
clear unified-edge ggsn-pgw subscribers peer
<clear-mobile-gateway-subscribers-peer>
clear unified-edge sgw
clear unified-edge sgw call-admission-control
clear unified-edge sgw call-admission-control statistics
<clear-mobile-sgw-cac-statistics>
clear unified-edge sgw charging
clear unified-edge sgw charging cdr
<clear-mobile-gateway-sgw-charging-clear-cdr>
clear unified-edge sgw charging cdr wfa
<clear-mobile-gateway-sgw-charging-clear-cdr-wfa>
clear unified-edge sgw charging local-persistent-storage
clear unified-edge sgw charging local-persistent-storage statistics
<clear-mobile-gateway-sgw-charging-clear-lps-stats>
clear unified-edge sgw charging path
clear unified-edge sgw charging path statistics
<clear-mobile-gateway-sgw-charging-clear-path-stats>
clear unified-edge sgw charging transfer
clear unified-edge sgw charging transfer statistics
<clear-mobile-gateway-sgw-charging-clear-xfer-stats>
clear unified-edge sgw gtp
clear unified-edge sgw gtp peer
clear unified-edge sgw gtp peer statistics
<clear-mobile-sgw-gtp-peer-statistics>
clear unified-edge sgw gtp statistics
<clear-mobile-sgw-gtp-statistics>
clear unified-edge sgw idle-mode-buffering
clear unified-edge sgw idle-mode-buffering statistics
<clear-mobile-gw-sgw-idle-mode-buffering-statistics>
clear unified-edge sgw ip-reassembly
clear unified-edge sgw ip-reassembly statistics
<clear-mobile-gateways-sgw-ip-reassembly-statistics-sgw>
clear unified-edge sgw statistics
<clear-mobile-sgw-statistics>
clear unified-edge sgw subscribers
<clear-mobile-sgw-subscribers>
clear unified-edge sgw subscribers charging
<clear-mobile-sgw-subscribers-charging>
clear unified-edge sgw subscribers peer
<clear-mobile-sgw-subscribers-peer>
clear unified-edge tdf
clear unified-edge tdf aaa
clear unified-edge tdf aaa radius
clear unified-edge tdf aaa radius client
clear unified-edge tdf aaa radius client statistics
Copyright © 2017, Juniper Networks, Inc.
227
User Access and Authentication Feature Guide for Routing Devices
<clear-radius-client-statistics>
clear unified-edge tdf aaa radius network-element
clear unified-edge tdf aaa radius network-element statistics
<clear-radius-network-element-statistics>
clear unified-edge tdf aaa radius server
clear unified-edge tdf aaa radius server statistics
<clear-radius-server-statistics>
clear unified-edge tdf aaa radius snoop-segment
clear unified-edge tdf aaa radius snoop-segment statistics
<clear-radius-snoop-segment-statistics>
clear unified-edge tdf aaa statistics
<clear-tdf-gateway-aaa-statistics>
clear unified-edge tdf address-assignment
clear unified-edge tdf address-assignment pool
<clear-mobile-gateway-tdf-sm-ippool-pool-sessions>
clear unified-edge tdf address-assignment statistics
<clear-mobile-gateway-tdf-sm-ippool-statistics>
clear unified-edge tdf call-admission-control
clear unified-edge tdf call-admission-control statistics
<clear-tdf-cac-statistics>
clear unified-edge tdf diameter
clear unified-edge tdf diameter network-element
clear unified-edge tdf diameter network-element statistics
<clear-diameter-network-element-statistics>
clear unified-edge tdf diameter pcc-gx
clear unified-edge tdf diameter pcc-gx statistics
<clear-diameter-statistics-gx>
clear unified-edge tdf diameter peer
clear unified-edge tdf diameter peer statistics
<clear-diameter-peer-statistics>
clear unified-edge tdf statistics
<clear-tdf-statistics>
clear unified-edge tdf subscribers
<clear-mobile-tdf-subscribers>
clear unified-edge tdf subscribers peer
<clear-mobile-gateway-tdf-subscribers-peer>
request mpls
request mpls lsp
request mpls lsp adjust-autobandwidth
<request-mpls-lsp-autobandwidth-adjust>
request unified-edge
request unified-edge ggsn-pgw
request unified-edge ggsn-pgw call-trace
<monitor-mobile-gateways-call-trace-start>
request unified-edge ggsn-pgw call-trace clear
<get-mobile-gateways-call-trace-clear>
request unified-edge ggsn-pgw call-trace show
<get-mobile-gateways-call-trace-information>
request unified-edge ggsn-pgw call-trace start
<get-mobile-gateways-call-trace-start-information>
request unified-edge ggsn-pgw call-trace stop
<get-mobile-gateways-call-trace-stop-information>
request unified-edge sgw
request unified-edge sgw call-trace
request unified-edge sgw call-trace clear
<get-mobile-gateways-sgw-call-trace-clear>
request unified-edge sgw call-trace show
<get-mobile-gateways-sgw-call-trace-information>
request unified-edge sgw call-trace start
<get-mobile-gateways-sgw-call-trace-start-information>
request unified-edge sgw call-trace stop
228
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
<get-mobile-gateways-sgw-call-trace-stop-information>
request unified-edge tdf
request unified-edge tdf call-trace
request unified-edge tdf call-trace clear
<get-mobile-gateways-tdf-call-trace-clear>
request unified-edge tdf call-trace show
<get-mobile-gateways-tdf-call-trace-information>
request unified-edge tdf call-trace start
<get-mobile-gateways-tdf-call-trace-start-information>
request unified-edge tdf call-trace stop
<get-mobile-gateways-tdf-call-trace-stop-information>
Configuration
Hierarchy Levels
[edit bridge-domains]
[edit bridge-domains domain multicast-snooping-options]
[edit bridge-domains domain multicast-snooping-options traceoptions]
[edit dynamic-profiles protocols igmp traceoptions]
[edit dynamic-profiles protocols mld traceoptions]
[edit dynamic-profiles protocols router-advertisement traceoptions]
[edit dynamic-profiles routing-instances]
[edit dynamic-profiles routing-instances instance bridge-domains]
[edit dynamic-profiles routing-instances instance bridge-domains domain
multicast-snooping-options]
[edit dynamic-profiles routing-instances instance bridge-domains domain
multicast-snooping-options traceoptions]
[edit dynamic-profiles routing-instances instance multicast-snooping-options]
[edit dynamic-profiles routing-instances instance multicast-snooping-options
traceoptions]
[edit dynamic-profiles routing-instances instance pbb-options]
[edit dynamic-profiles routing-instances instance protocols]
[edit dynamic-profiles routing-instances instance protocols bgp group neighbor
traceoptions]
[edit dynamic-profiles routing-instances instance protocols bgp group
traceoptions]
[edit dynamic-profiles routing-instances instance protocols bgp traceoptions]
[edit dynamic-profiles routing-instances instance protocols esis traceoptions]
[edit dynamic-profiles routing-instances instance protocols isis traceoptions]
[edit dynamic-profiles routing-instances instance protocols l2vpn traceoptions]
[edit dynamic-profiles routing-instances instance protocols ldp traceoptions]
[edit dynamic-profiles routing-instances instance protocols msdp group peer
traceoptions]
[edit dynamic-profiles routing-instances instance protocols msdp group
traceoptions]
[edit dynamic-profiles routing-instances instance protocols msdp peer
traceoptions]
[edit dynamic-profiles routing-instances instance protocols msdp traceoptions]
[edit dynamic-profiles routing-instances instance protocols mvpn traceoptions]
[edit dynamic-profiles routing-instances instance protocols ospf traceoptions]
[edit dynamic-profiles routing-instances instance protocols pim traceoptions]
[edit dynamic-profiles routing-instances instance protocols rip traceoptions]
[edit dynamic-profiles routing-instances instance protocols ripng traceoptions]
[edit dynamic-profiles routing-instances instance protocols router-discovery
traceoptions]
[edit dynamic-profiles routing-instances instance protocols vpls traceoptions]
[[edit dynamic-profiles routing-instances instance routing-options]
[edit dynamic-profiles routing-instances instance routing-options multicast
traceoptions]
[edit dynamic-profiles routing-instances instance routing-options traceoptions]
[edit dynamic-profiles routing-instances instance service-groups]
[edit dynamic-profiles routing-instances instance switch-options]
[edit dynamic-profiles routing-options multicast traceoptions]
[edit jnx-example]
Copyright © 2017, Juniper Networks, Inc.
229
User Access and Authentication Feature Guide for Routing Devices
[edit fabric protocols]
[edit fabric protocols bgp group neighbor traceoptions]
[edit fabric protocols bgp group traceoptions]
[edit fabric protocols bgp traceoptions]
[edit fabric routing-instances]
[edit fabric routing-instances instance routing-options]
[edit fabric routing-instances instance routing-options traceoptions]
[edit fabric routing-options]
[edit fabric routing-options traceoptions]
[edit logical-systems bridge-domains]
[edit logical-systems bridge-domains domain multicast-snooping-options]
[edit logical-systems bridge-domains domain multicast-snooping-options
traceoptions]
[edit logical-systems policy-options]
[edit logical-systems protocols]
[edit logical-systems protocols bgp group neighbor traceoptions]
[edit logical-systems protocols bgp group traceoptions]
[edit logical-systems protocols bgp traceoptions]
[edit logical-systems protocols dvmrp traceoptions]
[edit logical-systems protocols esis traceoptions]
[edit logical-systems protocols igmp traceoptions]
[edit logical-systems protocols igmp-host traceoptions]
[edit logical-systems protocols isis traceoptions]
[edit logical-systems protocols l2circuit traceoptions]
[edit logical-systems protocols l2iw traceoptions]
[edit logical-systems protocols ldp traceoptions]
[edit logical-systems protocols mld traceoptions]
[edit logical-systems protocols mld-host traceoptions]
[edit logical-systems protocols msdp group peer traceoptions]
[edit logical-systems protocols msdp group traceoptions]
[edit logical-systems protocols msdp peer traceoptions]
[edit logical-systems protocols msdp traceoptions]
[edit logical-systems protocols mvpn traceoptions]
[edit logical-systems protocols ospf traceoptions]
[edit logical-systems protocols pim traceoptions]
[edit logical-systems protocols rip traceoptions]
[edit logical-systems protocols ripng traceoptions]
[edit logical-systems protocols router-advertisement traceoptions]
[edit logical-systems protocols router-discovery traceoptions]
[edit logical-systems protocols rsvp lsp-set]
[edit logical-systems protocols rsvp traceoptions]
[edit logical-systems routing-instances]
[edit logical-systems routing-instances instance bridge-domains]
[edit logical-systems routing-instances instance bridge-domains domain
multicast-snooping-options]
[edit logical-systems routing-instances instance bridge-domains domain
multicast-snooping-options traceoptions]
[edit logical-systems routing-instances instance igmp-snooping-options]
[edit logical-systems routing-instances instance multicast-snooping-options]
[edit logical-systems routing-instances instance multicast-snooping-options
traceoptions]
[edit logical-systems routing-instances instance pbb-options]
[edit logical-systems routing-instances instance protocols]
[edit logical-systems routing-instances instance protocols bgp group neighbor
traceoptions]
[edit logical-systems routing-instances instance protocols bgp group
traceoptions]
[edit logical-systems routing-instances instance protocols bgp traceoptions]
[edit logical-systems routing-instances instance protocols esis traceoptions]
[edit logical-systems routing-instances instance protocols evpn traceoptions]
[edit logical-systems routing-instances instance protocols isis traceoptions]
230
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
[edit logical-systems routing-instances instance protocols l2vpn traceoptions]
[edit logical-systems routing-instances instance protocols ldp traceoptions]
[edit logical-systems routing-instances instance protocols msdp group peer
traceoptions]
[edit logical-systems routing-instances instance protocols msdp group
traceoptions]
[edit logical-systems routing-instances instance protocols msdp peer
traceoptions]
[edit logical-systems routing-instances instance protocols msdp traceoptions]
[edit logical-systems routing-instances instance protocols mvpn traceoptions]
[edit logical-systems routing-instances instance protocols ospf traceoptions]
[edit logical-systems routing-instances instance protocols pim traceoptions]
[edit logical-systems routing-instances instance protocols rip traceoptions]
[edit logical-systems routing-instances instance protocols ripng traceoptions]
[edit logical-systems routing-instances instance protocols router-discovery
traceoptions]
[edit logical-systems routing-instances instance protocols rsvp]
[edit logical-systems routing-instances instance protocols rsvp lsp-set
traceoptions]
[edit logical-systems routing-instances instance protocols vpls traceoptions]
[edit logical-systems routing-instances instance routing-options]
[edit logical-systems routing-instances instance routing-options multicast
traceoptions]
[edit logical-systems routing-instances instance routing-options validation
group session traceoptions]
[edit logical-systems routing-instances instance routing-options validation
traceoptions]
[edit logical-systems routing-instances instance routing-options traceoptions]
[edit logical-systems routing-options validation group session traceoptions]
sho[edit logical-systems routing-instances instance service-groups]
[edit logical-systems routing-instances instance switch-options]
[edit logical-systems routing-instances instance vlans]
[edit logical-systems routing-instances instance vlans vlan
multicast-snooping-options]
[edit logical-systems routing-instances instance vlans vlan
multicast-snooping-options traceoptions]
[edit logical-systems routing-options]
[edit logical-systems routing-options validation group session traceoptions]
[edit logical-systems routing-options validation traceoptions]
[edit logical-systems routing-options multicast traceoptions]
[edit logical-systems routing-options traceoptions]
[edit logical-systems switch-options]
[edit logical-systems vlans]
[edit logical-systems vlans vlan multicast-snooping-options]
[edit logical-systems vlans vlan multicast-snooping-options traceoptions]
[edit multicast-snooping-options]
[edit multicast-snooping-options traceoptions]
[edit policy-options]
[edit protocols]
[edit protocols amt traceoptions]
[edit protocols bgp group neighbor traceoptions]
[edit protocols bgp group traceoptions]
[edit protocols bgp traceoptions]
[edit protocols connections]
[edit protocols dot1x]
[edit protocols dvmrp traceoptions]
[edit protocols esis traceoptions]
[edit protocols igmp traceoptions]
[edit protocols igmp-host traceoptions]
[edit protocols igmp-snooping]
[edit protocols isis traceoptions]
Copyright © 2017, Juniper Networks, Inc.
231
User Access and Authentication Feature Guide for Routing Devices
[edit protocols l2circuit traceoptions]
[edit protocols l2iw traceoptions]
[edit protocols ldp traceoptions]
[edit protocols lldp]
[edit protocols lldp-med]
[edit protocols mld traceoptions]
[edit protocols mld-host traceoptions]
[edit protocols msdp group peer traceoptions]
[edit protocols msdp group traceoptions]
[edit protocols msdp peer traceoptions]
[edit protocols msdp traceoptions]
[edit protocols mstp]
[edit protocols mvrp]
[edit protocols oam]
[edit protocols ospf traceoptions]
[edit protocols pim traceoptions]
[edit protocols rip traceoptions]
[edit protocols ripng traceoptions]
[edit protocols router-advertisement traceoptions]
[edit protocols router-discovery traceoptions]
[edit protocols rsvp traceoptions]
[edit protocols sflow]
[edit protocols stp]
[edit protocols uplink-failure-detection]
[edit protocols vstp]
[edit routing-instances]
[edit routing-instances instance bridge-domains]
[edit routing-instances instance bridge-domains domain
multicast-snooping-options]
[edit routing-instances instance bridge-domains domain
multicast-snooping-options traceoptions]
[edit routing-instances instance multicast-snooping-options]
[edit routing-instances instance multicast-snooping-options traceoptions]
[edit routing-instances instance pbb-options]
[edit routing-instances instance protocols]
[edit routing-instances instance protocols bgp group neighbor traceoptions]
[edit routing-instances instance protocols bgp group traceoptions]
[edit routing-instances instance protocols bgp traceoptions]
[edit routing-instances instance protocols esis traceoptions]
[edit routing-instances instance protocols evpn traceoptions]
[edit routing-instances instance protocols isis traceoptions]
[edit routing-instances instance protocols l2vpn traceoptions]
[edit routing-instances instance protocols ldp traceoptions]
[edit routing-instances instance protocols mld-snooping traceoptions]
[edit routing-instances instance protocols mld-snooping vlan traceoptions]
[edit routing-instances instance protocols msdp group peer traceoptions]
[edit routing-instances instance protocols msdp group traceoptions]
[edit routing-instances instance protocols msdp peer traceoptions]
[edit routing-instances instance protocols msdp traceoptions]
[edit routing-instances instance protocols mvpn traceoptions]
[edit routing-instances instance protocols ospf traceoptions]
[edit routing-instances instance protocols pim traceoptions]
[edit routing-instances instance protocols rip traceoptions]
[edit routing-instances instance protocols ripng traceoptions]
[edit routing-instances instance protocols router-discovery traceoptions]
[ed[edit routing-instances instance protocols vpls traceoptions]
[edit routing-instances instance routing-options]
[edit routing-instances instance routing-options validation group session
traceoptions]
[edit routing-instances instance routing-options validation traceoptions]
[edit routing-instances instance routing-options multicast traceoptions]
232
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
[edit routing-instances instance routing-options traceoptions]
[edit routing-instances instance service-groups]
[edit routing-instances instance switch-options]
[edit routing-instances instance vlans]
[edit routing-instances instance vlans vlan multicast-snooping-options]
[edit routing-instances instance vlans vlan multicast-snooping-options
traceoptions]
[edit routing-options]
[edit routing-options validation group session]
[edit routing-options multicast traceoptions]
[edit routing-options validation]
[edit routing-options traceoptions]
[edit switch-options]
[edit unified-edge]
[edit vlans]
[edit vlans vlan multicast-snooping-options]
[edit vlans vlan multicast-snooping-options traceoptions]
Related
Documentation
•
Access Privilege User Permission Flags Overview on page 114
•
Understanding Junos OS Access Privilege Levels on page 26
•
Example: Configuring User Permissions with Access Privilege Levels on page 65
•
Example: Configuring User Permissions with Access Privileges for Operational Mode
Commands on page 76
•
Example: Configuring User Permissions with Access Privileges for Configuration
Statements and Hierarchies on page 87
•
routing-control on page 233
routing-control
Can view general routing, routing protocol, and routing policy configuration information
and can configure general routing at the [edit routing-options] hierarchy level, routing
protocols at the [edit protocols] hierarchy level, and routing policy at the [edit
policy-options] hierarchy level.
Commands
Configuration
Hierarchy Levels
No associated CLI commands.
[edit bridge-domains]
[edit bridge-domains domain multicast-snooping-options]
[edit bridge-domains domain multicast-snooping-options traceoptions]
[edit dynamic-profiles protocols igmp traceoptions]
[edit dynamic-profiles protocols mld traceoptions]
[edit dynamic-profiles protocols router-advertisement traceoptions]
[edit dynamic-profiles routing-instances]
[edit dynamic-profiles routing-instances instance bridge-domains]
[edit dynamic-profiles routing-instances instance bridge-domains domain
multicast-snooping-options]
[edit dynamic-profiles routing-instances instance bridge-domains domain
multicast-snooping-options traceoptions]
[edit dynamic-profiles routing-instances instance multicast-snooping-options]
[edit dynamic-profiles routing-instances instance multicast-snooping-options
traceoptions]
Copyright © 2017, Juniper Networks, Inc.
233
User Access and Authentication Feature Guide for Routing Devices
[edit dynamic-profiles routing-instances instance pbb-options]
[edit dynamic-profiles routing-instances instance protocols]
[edit dynamic-profiles routing-instances instance protocols bgp group neighbor
traceoptions]
[edit dynamic-profiles routing-instances instance protocols bgp group
traceoptions]
[edit dynamic-profiles routing-instances instance protocols bgp traceoptions]
[edit dynamic-profiles routing-instances instance protocols esis traceoptions]
[edit dynamic-profiles routing-instances instance protocols isis traceoptions]
[edit dynamic-profiles routing-instances instance protocols l2vpn traceoptions]
[edit dynamic-profiles routing-instances instance protocols ldp traceoptions]
[edit dynamic-profiles routing-instances instance protocols msdp group peer
traceoptions]
[edit dynamic-profiles routing-instances instance protocols msdp group
traceoptions]
[edit dynamic-profiles routing-instances instance protocols msdp peer
traceoptions]
[edit dynamic-profiles routing-instances instance protocols msdp traceoptions]
[edit dynamic-profiles routing-instances instance protocols mvpn traceoptions]
[edit dynamic-profiles routing-instances instance protocols ospf traceoptions]
[edit dynamic-profiles routing-instances instance protocols pim traceoptions]
[edit dynamic-profiles routing-instances instance protocols rip traceoptions]
[edit dynamic-profiles routing-instances instance protocols ripng traceoptions]
[edit dynamic-profiles routing-instances instance protocols router-discovery
traceoptions]
[edit dynamic-profiles routing-instances instance protocols vpls traceoptions]
[edit dynamic-profiles routing-instances instance routing-options]
[edit dynamic-profiles routing-instances instance routing-options multicast
traceoptions]
[edit dynamic-profiles routing-instances instance routing-options traceoptions]
[edit dynamic-profiles routing-instances instance service-groups]
[edit dynamic-profiles routing-instances instance switch-options]
[edit dynamic-profiles routing-options multicast traceoptions]
[edit jnx-example]
[edit fabric protocols]
[edit fabric protocols bgp group neighbor traceoptions]
[edit fabric protocols bgp group traceoptions]
[edit fabric protocols bgp traceoptions]
[edit fabric routing-instances]
[edit fabric routing-instances instance routing-options]
[edit fabric routing-instances instance routing-options traceoptions]
[edit fabric routing-options]
[edit fabric routing-options traceoptions]
[edit logical-systems bridge-domains]
[edit logical-systems bridge-domains domain multicast-snooping-options]
[edit logical-systems bridge-domains domain multicast-snooping-options
traceoptions]
[edit logical-systems policy-options]
[edit logical-systems protocols]
[edit logical-systems protocols bgp group neighbor traceoptions]
[edit logical-systems protocols bgp group traceoptions]
[edit logical-systems protocols bgp traceoptions]
[edit logical-systems protocols dvmrp traceoptions]
[edit logical-systems protocols esis traceoptions]
[edit logical-systems protocols igmp traceoptions]
[edit logical-systems protocols igmp-host traceoptions]
[edit logical-systems protocols isis traceoptions]
[edit logical-systems protocols l2circuit traceoptions]
[edit logical-systems protocols l2iw traceoptions]
[edit logical-systems protocols ldp traceoptions]
[edit logical-systems protocols mld traceoptions]
234
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
[edit logical-systems protocols mld-host traceoptions]
[edit logical-systems protocols msdp group peer traceoptions]
[edit logical-systems protocols msdp group traceoptions]
[edit logical-systems protocols msdp peer traceoptions]
[edit logical-systems protocols msdp traceoptions]
[edit logical-systems protocols ospf traceoptions]
[edit logical-systems protocols pim traceoptions]
[edit logical-systems protocols rip traceoptions]
[edit logical-systems protocols ripng traceoptions]
[edit logical-systems protocols router-advertisement traceoptions]
[edit logical-systems protocols router-discovery traceoptions]
[edit logical-systems protocols rsvp traceoptions]
[edit logical-systems routing-instances]
[edit logical-systems routing-instances instance bridge-domains]
[edit logical-systems routing-instances instance bridge-domains domain
multicast-snooping-options]
[edit logical-systems routing-instances instance bridge-domains domain
multicast-snooping-options traceoptions]
[edit logical-systems routing-instances instance forwarding-options satellite]
[edit logical-systems routing-instances instance multicast-snooping-options]
[edit logical-systems routing-instances instance multicast-snooping-options
traceoptions]
[edit logical-systems routing-instances instance pbb-options]
[edit logical-systems routing-instances instance protocols]
[edit logical-systems routing-instances instance protocols bgp group neighbor
traceoptions]
[edit logical-systems routing-instances instance protocols bgp group
traceoptions]
[edit logical-systems routing-instances instance protocols bgp traceoptions]
[edit logical-systems routing-instances instance protocols esis traceoptions]
[edit logical-systems routing-instances instance protocols isis traceoptions]
[edit logical-systems routing-instances instance protocols l2vpn traceoptions]
[edit logical-systems routing-instances instance protocols ldp traceoptions]
[edit logical-systems routing-instances instance protocols msdp group peer
traceoptions]
[edit logical-systems routing-instances instance protocols msdp group
traceoptions]
[edit logical-systems routing-instances instance protocols msdp peer
traceoptions]
[edit logical-systems routing-instances instance protocols msdp traceoptions]
[edit logical-systems routing-instances instance protocols mvpn traceoptions]
[edit logical-systems routing-instances instance protocols ospf traceoptions]
[edit logical-systems routing-instances instance protocols pim traceoptions]
[edit logical-systems routing-instances instance protocols rip traceoptions]
[edit logical-systems routing-instances instance protocols ripng traceoptions]
[edit logical-systems routing-instances instance protocols router-discovery
traceoptions]
[edit logical-systems routing-instances instance protocols vpls traceoptions]
[edit logical-systems routing-instances instance routing-options]
[edit logical-systems routing-instances instance routing-options multicast
traceoptions]
[edit logical-systems routing-instances instance routing-options traceoptions]
[edit logical-systems routing-instances instance service-groups]
[edit logical-systems routing-instances instance switch-options]
[edit logical-systems routing-options]
[edit logical-systems routing-options multicast traceoptions]
[edit logical-systems routing-options traceoptions]
[edit logical-systems switch-options]
[edit multicast-snooping-options]
[edit multicast-snooping-options traceoptions]
[edit policy-options]
Copyright © 2017, Juniper Networks, Inc.
235
User Access and Authentication Feature Guide for Routing Devices
[edit protocols]
[edit protocols amt traceoptions]
[edit protocols bgp group neighbor traceoptions]
[edit protocols bgp group traceoptions]
[edit protocols bgp traceoptions]
[edit protocols connections][edit protocols dot1x]
[edit protocols dvmrp traceoptions]
[edit protocols esis traceoptions]
[edit protocols igmp traceoptions]
[edit protocols igmp-host traceoptions]
[edit protocols igmp-snooping]
[edit protocols isis traceoptions]
[edit protocols l2circuit traceoptions]
[edit protocols l2iw traceoptions]
[edit protocols ldp traceoptions]
[edit protocols lldp]
[edit protocols lldp-med]
[edit protocols mld traceoptions]
[edit protocols mld-host traceoptions]
[edit protocols msdp group peer traceoptions]
[edit protocols msdp group traceoptions]
[edit protocols msdp peer traceoptions]
[edit protocols msdp traceoptions]
[edit protocols mstp]
[edit protocols mvrp]
[edit protocols oam]
[edit protocols ospf traceoptions]
[edit protocols pim traceoptions]
[edit protocols rip traceoptions]
[edit protocols ripng traceoptions]
[edit protocols router-advertisement traceoptions]
[edit protocols router-discovery traceoptions]
[edit protocols rsvp traceoptions]
[edit protocols sflow]
[edit protocols stp]
[edit protocols uplink-failure-detection]
[edit protocols vstp]
[edit routing-instances]
[edit routing-instances instance bridge-domains]
[edit routing-instances instance bridge-domains domain
multicast-snooping-options]
[edit routing-instances instance bridge-domains domain
multicast-snooping-options traceoptions]
[edit routing-instances instance multicast-snooping-options]
[edit routing-instances instance multicast-snooping-options traceoptions]
[edit routing-instances instance pbb-options]
[edit routing-instances instance protocols]
[edit routing-instances instance protocols bgp group neighbor traceoptions]
[edit routing-instances instance protocols bgp group traceoptions]
[edit routing-instances instance protocols bgp traceoptions]
[edit routing-instances instance protocols esis traceoptions]
[edit routing-instances instance protocols isis traceoptions]
[edit routing-instances instance protocols l2vpn traceoptions]
[edit routing-instances instance protocols ldp traceoptions]
[edit routing-instances instance protocols msdp group peer traceoptions]
[edit routing-instances instance protocols msdp group traceoptions]
[edit routing-instances instance protocols msdp peer traceoptions]
[edit routing-instances instance protocols msdp traceoptions]
[edit routing-instances instance protocols mvpn traceoptions]
[edit routing-instances instance protocols ospf traceoptions]
[edit routing-instances instance protocols pim traceoptions]
236
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
Related
Documentation
routing-instances instance protocols rip traceoptions]
routing-instances instance protocols ripng traceoptions]
routing-instances instance protocols router-discovery traceoptions]
routing-instances instance protocols vpls traceoptions]
routing-instances instance routing-options]
routing-instances instance routing-options multicast traceoptions]
routing-instances instance routing-options traceoptions]
routing-instances instance service-groups]
routing-instances instance switch-options]
routing-options]
routing-options multicast traceoptions]
routing-options traceoptions]
switch-options]
•
Access Privilege User Permission Flags Overview on page 114
•
Understanding Junos OS Access Privilege Levels on page 26
•
Example: Configuring User Permissions with Access Privilege Levels on page 65
•
Example: Configuring User Permissions with Access Privileges for Operational Mode
Commands on page 76
•
Example: Configuring User Permissions with Access Privileges for Configuration
Statements and Hierarchies on page 87
•
routing on page 226
secret
Can view passwords and other authentication keys in the configuration.
Commands
No associated CLI commands.
clear unified-edge
clear unified-edge ggsn-pgw
clear unified-edge ggsn-pgw aaa
clear unified-edge ggsn-pgw aaa radius
clear unified-edge ggsn-pgw aaa radius statistics
<clear-mobile-gateway-aaa-radius-statistics>
clear unified-edge ggsn-pgw aaa statistics
<clear-mobile-gateway-aaa-statistics>
clear unified-edge ggsn-pgw address-assignment
clear unified-edge ggsn-pgw address-assignment pool
<clear-mobile-gateway-sm-ippool-pool-sessions>
clear unified-edge ggsn-pgw address-assignment statistics
<clear-mobile-gateway-sm-ippool-statistics>
clear unified-edge ggsn-pgw call-admission-control
clear unified-edge ggsn-pgw call-admission-control statistics
<clear-mobile-gateway-cac-statistics>
clear unified-edge ggsn-pgw charging
clear unified-edge ggsn-pgw charging cdr
<clear-mobile-gateway-charging-clear-cdr>
clear unified-edge ggsn-pgw charging cdr wfa
<clear-mobile-gateway-charging-clear-cdr-wfa>
clear unified-edge ggsn-pgw charging local-persistent-storage
clear unified-edge ggsn-pgw charging local-persistent-storage statistics
Copyright © 2017, Juniper Networks, Inc.
237
User Access and Authentication Feature Guide for Routing Devices
<clear-mobile-gateway-charging-clear-lps-stats>
clear unified-edge ggsn-pgw charging path
clear unified-edge ggsn-pgw charging path statistics
<clear-mobile-gateway-charging-clear-path-stats>
clear unified-edge ggsn-pgw charging transfer
clear unified-edge ggsn-pgw charging transfer statistics
<clear-mobile-gateway-charging-clear-xfer-stats>
clear unified-edge ggsn-pgw diameter
clear unified-edge ggsn-pgw diameter dcca-gy
clear unified-edge ggsn-pgw diameter dcca-gy statistics
<clear-mobile-gateway-aaa-diam-stats-gy>
clear unified-edge ggsn-pgw diameter network-element
clear unified-edge ggsn-pgw diameter network-element statistics
<clear-mobile-gateway-aaa-diam-ne-statistics>
clear unified-edge ggsn-pgw diameter pcc-gx
clear unified-edge ggsn-pgw diameter pcc-gx statistics
<clear-mobile-gateway-aaa-diam-stats-gx>
clear unified-edge ggsn-pgw diameter peer
clear unified-edge ggsn-pgw diameter peer statistics
<clear-mobile-gateway-aaa-diam-peer-statistics>
clear unified-edge ggsn-pgw gtp
clear unified-edge ggsn-pgw gtp peer
clear unified-edge ggsn-pgw gtp peer statistics
<clear-mobile-gateway-gtp-peer-statistics>
clear unified-edge ggsn-pgw gtp statistics
<clear-mobile-gateway-gtp-statistics>
clear unified-edge ggsn-pgw ip-reassembly
clear unified-edge ggsn-pgw ip-reassembly statistics
<clear-mobile-gateways-ip-reassembly-statistics>
clear unified-edge ggsn-pgw statistics
<clear-mobile-gateway-statistics>
clear unified-edge ggsn-pgw subscribers
<clear-mobile-gateway-subscribers>
clear unified-edge ggsn-pgw subscribers bearer
clear unified-edge ggsn-pgw subscribers charging
<clear-mobile-gateway-subscribers-charging>
clear unified-edge ggsn-pgw subscribers peer
<clear-mobile-gateway-subscribers-peer>
clear unified-edge sgw
clear unified-edge sgw call-admission-control
clear unified-edge sgw call-admission-control statistics
<clear-mobile-sgw-cac-statistics>
clear unified-edge sgw charging
clear unified-edge sgw charging cdr
<clear-mobile-gateway-sgw-charging-clear-cdr>
clear unified-edge sgw charging cdr wfa
<clear-mobile-gateway-sgw-charging-clear-cdr-wfa>
clear unified-edge sgw charging local-persistent-storage
clear unified-edge sgw charging local-persistent-storage statistics
<clear-mobile-gateway-sgw-charging-clear-lps-stats>
clear unified-edge sgw charging path
clear unified-edge sgw charging path statistics
<clear-mobile-gateway-sgw-charging-clear-path-stats>
clear unified-edge sgw charging transfer
clear unified-edge sgw charging transfer statistics
<clear-mobile-gateway-sgw-charging-clear-xfer-stats>
clear unified-edge sgw gtp
clear unified-edge sgw gtp peer
clear unified-edge sgw gtp peer statistics
<clear-mobile-sgw-gtp-peer-statistics>
clear unified-edge sgw gtp statistics
238
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
<clear-mobile-sgw-gtp-statistics>
clear unified-edge sgw idle-mode-buffering
clear unified-edge sgw idle-mode-buffering statistics
<clear-mobile-gw-sgw-idle-mode-buffering-statistics>
clear unified-edge sgw ip-reassembly
clear unified-edge sgw ip-reassembly statistics
<clear-mobile-gateways-sgw-ip-reassembly-statistics-sgw>
clear unified-edge sgw statistics
<clear-mobile-sgw-statistics>
clear unified-edge sgw subscribers
<clear-mobile-sgw-subscribers>
clear unified-edge sgw subscribers charging
<clear-mobile-sgw-subscribers-charging>
clear unified-edge sgw subscribers peer
<clear-mobile-sgw-subscribers-peer>
clear unified-edge tdf
clear unified-edge tdf aaa
clear unified-edge tdf aaa radius
clear unified-edge tdf aaa radius client
clear unified-edge tdf aaa radius client statistics
<clear-radius-client-statistics>
clear unified-edge tdf aaa radius network-element
clear unified-edge tdf aaa radius network-element statistics
<clear-radius-network-element-statistics>
clear unified-edge tdf aaa radius server
clear unified-edge tdf aaa radius server statistics
<clear-radius-server-statistics>
clear unified-edge tdf aaa radius snoop-segment
clear unified-edge tdf aaa radius snoop-segment statistics
<clear-radius-snoop-segment-statistics>
clear unified-edge tdf aaa statistics
<clear-tdf-gateway-aaa-statistics>
clear unified-edge tdf address-assignment
clear unified-edge tdf address-assignment pool
<clear-mobile-gateway-tdf-sm-ippool-pool-sessions>
clear unified-edge tdf address-assignment statistics
<clear-mobile-gateway-tdf-sm-ippool-statistics>
clear unified-edge tdf call-admission-control
clear unified-edge tdf call-admission-control statistics
<clear-tdf-cac-statistics>
clear unified-edge tdf diameter
clear unified-edge tdf diameter network-element
clear unified-edge tdf diameter network-element statistics
<clear-diameter-network-element-statistics>
clear unified-edge tdf diameter pcc-gx
clear unified-edge tdf diameter pcc-gx statistics
<clear-diameter-statistics-gx>
clear unified-edge tdf diameter peer
clear unified-edge tdf diameter peer statistics
<clear-diameter-peer-statistics>
clear unified-edge tdf statistics
<clear-tdf-statistics>
clear unified-edge tdf subscribers
<clear-mobile-tdf-subscribers>
clear unified-edge tdf subscribers peer
<clear-mobile-gateway-tdf-subscribers-peer>
request unified-edge
request unified-edge ggsn-pgw
request unified-edge ggsn-pgw call-trace
<monitor-mobile-gateways-call-trace-start>
request unified-edge ggsn-pgw call-trace clear
Copyright © 2017, Juniper Networks, Inc.
239
User Access and Authentication Feature Guide for Routing Devices
<get-mobile-gateways-call-trace-clear>
request unified-edge ggsn-pgw call-trace show
<get-mobile-gateways-call-trace-information>
request unified-edge ggsn-pgw call-trace start
<get-mobile-gateways-call-trace-start-information>
request unified-edge ggsn-pgw call-trace stop
<get-mobile-gateways-call-trace-stop-information>
request unified-edge sgw
request unified-edge sgw call-trace
request unified-edge sgw call-trace clear
<get-mobile-gateways-sgw-call-trace-clear>
request unified-edge sgw call-trace show
<get-mobile-gateways-sgw-call-trace-information>
request unified-edge sgw call-trace start
<get-mobile-gateways-sgw-call-trace-start-information>
request unified-edge sgw call-trace stop
<get-mobile-gateways-sgw-call-trace-stop-information>
request unified-edge tdf
request unified-edge tdf call-trace
request unified-edge tdf call-trace clear
<get-mobile-gateways-tdf-call-trace-clear>
request unified-edge tdf call-trace show
<get-mobile-gateways-tdf-call-trace-information>
request unified-edge tdf call-trace start
<get-mobile-gateways-tdf-call-trace-start-information>
request unified-edge tdf call-trace stop
<get-mobile-gateways-tdf-call-trace-stop-information>
Configuration
Hierarchy Levels
240
[edit access profile client chap-secret]
[edit access profile client firewall-user password]
[edit access profile client l2tp shared-secret]
[edit access profile client pap-password]
[edit access profile radius-server secret]
[edit access radius clients accounting secret]
[edit access radius snoop-segments shared-secret]
[edit access radius-disconnect preauthentication-secret]
[edit access radius-disconnect secret]
[edit access radius-server preauthentication-secret]
[edit access radius-server secret]
[edit dynamic-profiles interfaces interface ppp-options chap
default-chap-secret]
[edit dynamic-profiles interfaces interface ppp-options pap default-password]
[edit dynamic-profiles interfaces interface ppp-options pap local-password]
[edit dynamic-profiles interfaces interface unit ppp-options chap
default-chap-secret]
[edit dynamic-profiles interfaces interface unit ppp-options pap
default-password]
[edit dynamic-profiles interfaces interface unit ppp-options pap local-password]
[edit interfaces interface ppp-options chap default-chap-secret]
[edit interfaces interface ppp-options pap default-password]
[edit interfaces interface ppp-options pap local-password]
[edit interfaces interface unit ppp-options chap default-chap-secret]
[edit interfaces interface unit ppp-options pap default-password]
[edit interfaces interface unit ppp-options pap local-password]
[edit logical-systems interfaces interface unit ppp-options chap]
[edit logical-systems interfaces interface unit ppp-options pap
default-password]
[edit logical-systems interfaces interface unit ppp-options pap local-password]
[edit logical-systems routing-instances instance system services
static-subscribers authentication password]
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
[edit logical-systems routing-instances instance system services
static-subscribers group authentication password]
[edit logical-systems system services static-subscribers authentication
password]
[edit logical-systems system services static-subscribers group authentication
password]
[edit routing-instances instance system services static-subscribers
authentication password]
[edit routing-instances instance system services static-subscribers group
authentication password]
[edit services ggsn apn radius accounting server secret]
[edit services ggsn apn radius authentication server secret]
[edit services ggsn radius server secret]
[edit system accounting destination radius server preauthentication-secret]
[edit system accounting destination radius server secret]
[edit system accounting destination radius server secret]
[edit system accounting destination tacplus server secret]
[edit system radius-server preauthentication-secret]
[edit system radius-server secret]
[edit system services outbound-ssh client secret]
[edit system services packet-triggered-subscribers partition-radius
accounting-shared-secret]
[edit system services static-subscribers authentication password]
[edit system services static-subscribers group authentication password]
[edit system tacplus-server secret]
[edit unified-edge]
Related
Documentation
•
Access Privilege User Permission Flags Overview on page 114
•
Understanding Junos OS Access Privilege Levels on page 26
•
Example: Configuring User Permissions with Access Privilege Levels on page 65
•
Example: Configuring User Permissions with Access Privileges for Operational Mode
Commands on page 76
•
Example: Configuring User Permissions with Access Privileges for Configuration
Statements and Hierarchies on page 87
•
secret-control on page 241
secret-control
Can view passwords and other authentication keys in the configuration and can modify
them in configuration mode.
Commands
Configuration
Hierarchy Levels
No associated CLI commands.
[edit access profile client chap-secret]
[edit access profile client firewall-user password]
[edit access profile client l2tp shared-secret]
[edit access profile client pap-password]
[edit access profile radius-server secret]
[edit access radius-disconnect secret]
[edit dynamic-profiles interfaces interface ppp-options chap
default-chap-secret]
[edit dynamic-profiles interfaces interface ppp-options pap default-password]
Copyright © 2017, Juniper Networks, Inc.
241
User Access and Authentication Feature Guide for Routing Devices
[edit dynamic-profiles interfaces interface ppp-options pap local-password]
[edit dynamic-profiles interfaces interface unit ppp-options chap
default-chap-secret]
[edit dynamic-profiles interfaces interface unit ppp-options pap
default-password]
[edit dynamic-profiles interfaces interface unit ppp-options pap local-password]
[edit interfaces interface ppp-options chap default-chap-secret]
[edit interfaces interface ppp-options pap default-password]
[edit interfaces interface ppp-options pap local-password]
[edit interfaces interface unit ppp-options chap default-chap-secret]
[edit interfaces interface unit ppp-options pap default-password]
[edit interfaces interface unit ppp-options pap local-password]
[edit logical-systems interfaces interface unit ppp-options chap]
[edit logical-systems interfaces interface unit ppp-options pap
default-password]
[edit logical-systems interfaces interface unit ppp-options pap local-password]
[edit logical-systems routing-instances instance system services
static-subscribers authentication password]
[edit logical-systems routing-instances instance system services
static-subscribers group authentication password]
[edit logical-systems system services static-subscribers authentication
password]
[edit logical-systems system services static-subscribers group authentication
password]
[edit routing-instances instance system services static-subscribers
authentication password]
[edit routing-instances instance system services static-subscribers group
authentication password]
[edit services ggsn apn radius accounting server secret]
[edit services ggsn apn radius authentication server secret]
[edit services ggsn radius server secret]
[edit system accounting destination radius server secret]
[edit system accounting destination tacplus server secret]
[edit system radius-server secret]
[edit system services outbound-ssh client secret]
[edit system services packet-triggered-subscribers partition-radius
accounting-shared-secret]
[edit system services static-subscribers authentication password]
[edit system services static-subscribers group authentication password]
[edit system tacplus-server secret]
Related
Documentation
•
Access Privilege User Permission Flags Overview on page 114
•
Understanding Junos OS Access Privilege Levels on page 26
•
Example: Configuring User Permissions with Access Privilege Levels on page 65
•
Example: Configuring User Permissions with Access Privileges for Operational Mode
Commands on page 76
•
Example: Configuring User Permissions with Access Privileges for Configuration
Statements and Hierarchies on page 87
•
secret on page 237
security
Can view security configuration.
242
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
Commands
clear security
clear security alarms
<clear-security-alarm-information>
clear security idp
clear security idp application-ddos
clear security idp application-ddos cache
<clear-idp-appddos-cache>
clear security idp application-identification
clear security idp application-identification application-system-cache
<clear-idp-application-system-cache>
clear security idp application-statistics
<clear-idp-applications-information>
clear security idp attack
clear security idp attack table
<clear-idp-attack-table>
clear security idp counters
<clear-idp-counters-by-counter-class>
clear security idp counters action
clear security idp counters application-ddos
clear security idp counters application-identification
clear security idp counters dfa
clear security idp counters flow
clear security idp counters http-decoder
clear security idp counters ips
clear security idp counters log
clear security idp counters memory
clear security idp counters packet
clear security idp counters packet-log
clear security idp counters pdf-decoder
clear security idp counters policy-manager
clear security idp counters ssl-inspection
clear security idp counters tcp-reassembler
clear security idp ssl-inspection
clear security idp ssl-inspection session-id-cache
<clear-idp-ssl-session-cache-information>
clear security idp status
<clear-idp-status-information>
clear security log
<clear-security-log-information>
clear security pki
clear security pki ca-certificate
<clear-pki-ca-certificate>
clear security pki certificate-request
<clear-pki-certificate-request>
clear security pki crl
<clear-pki-crl>
clear security pki key-pair
<clear-pki-key-pair>
clear security pki local-certificate
<clear-pki-local-certificate>
clear unified-edge
clear unified-edge ggsn-pgw
clear unified-edge ggsn-pgw aaa
clear unified-edge ggsn-pgw aaa radius
Copyright © 2017, Juniper Networks, Inc.
243
User Access and Authentication Feature Guide for Routing Devices
clear unified-edge ggsn-pgw aaa radius statistics
<clear-mobile-gateway-aaa-radius-statistics>
clear unified-edge ggsn-pgw aaa statistics
<clear-mobile-gateway-aaa-statistics>
clear unified-edge ggsn-pgw address-assignment
clear unified-edge ggsn-pgw address-assignment pool
<clear-mobile-gateway-sm-ippool-pool-sessions>
clear unified-edge ggsn-pgw address-assignment statistics
<clear-mobile-gateway-sm-ippool-statistics>
clear unified-edge ggsn-pgw call-admission-control
clear unified-edge ggsn-pgw call-admission-control statistics
<clear-mobile-gateway-cac-statistics>
clear unified-edge ggsn-pgw charging
clear unified-edge ggsn-pgw charging cdr
<clear-mobile-gateway-charging-clear-cdr>
clear unified-edge ggsn-pgw charging cdr wfa
<clear-mobile-gateway-charging-clear-cdr-wfa>
clear unified-edge ggsn-pgw charging local-persistent-storage
clear unified-edge ggsn-pgw charging local-persistent-storage statistics
<clear-mobile-gateway-charging-clear-lps-stats>
clear unified-edge ggsn-pgw charging path
clear unified-edge ggsn-pgw charging path statistics
<clear-mobile-gateway-charging-clear-path-stats>
clear unified-edge ggsn-pgw charging transfer
clear unified-edge ggsn-pgw charging transfer statistics
<clear-mobile-gateway-charging-clear-xfer-stats>
clear unified-edge ggsn-pgw diameter
clear unified-edge ggsn-pgw diameter dcca-gy
clear unified-edge ggsn-pgw diameter dcca-gy statistics
<clear-mobile-gateway-aaa-diam-stats-gy>
clear unified-edge ggsn-pgw diameter network-element
clear unified-edge ggsn-pgw diameter network-element statistics
<clear-mobile-gateway-aaa-diam-ne-statistics>
clear unified-edge ggsn-pgw diameter pcc-gx
clear unified-edge ggsn-pgw diameter pcc-gx statistics
<clear-mobile-gateway-aaa-diam-stats-gx>
clear unified-edge ggsn-pgw diameter peer
clear unified-edge ggsn-pgw diameter peer statistics
<clear-mobile-gateway-aaa-diam-peer-statistics>
clear unified-edge ggsn-pgw gtp
clear unified-edge ggsn-pgw gtp peer
clear unified-edge ggsn-pgw gtp peer statistics
<clear-mobile-gateway-gtp-peer-statistics>
clear unified-edge ggsn-pgw gtp statistics
<clear-mobile-gateway-gtp-statistics>
clear unified-edge ggsn-pgw ip-reassembly
clear unified-edge ggsn-pgw ip-reassembly statistics
<clear-mobile-gateways-ip-reassembly-statistics>
clear unified-edge ggsn-pgw statistics
<clear-mobile-gateway-statistics>
clear unified-edge ggsn-pgw subscribers
<clear-mobile-gateway-subscribers>
clear unified-edge ggsn-pgw subscribers bearer
clear unified-edge ggsn-pgw subscribers charging
<clear-mobile-gateway-subscribers-charging>
clear unified-edge ggsn-pgw subscribers peer
<clear-mobile-gateway-subscribers-peer>
clear unified-edge sgw
clear unified-edge sgw call-admission-control
clear unified-edge sgw call-admission-control statistics
<clear-mobile-sgw-cac-statistics>
244
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
clear unified-edge sgw charging
clear unified-edge sgw charging cdr
<clear-mobile-gateway-sgw-charging-clear-cdr>
clear unified-edge sgw charging cdr wfa
<clear-mobile-gateway-sgw-charging-clear-cdr-wfa>
clear unified-edge sgw charging local-persistent-storage
clear unified-edge sgw charging local-persistent-storage statistics
<clear-mobile-gateway-sgw-charging-clear-lps-stats>
clear unified-edge sgw charging path
clear unified-edge sgw charging path statistics
<clear-mobile-gateway-sgw-charging-clear-path-stats>
clear unified-edge sgw charging transfer
clear unified-edge sgw charging transfer statistics
<clear-mobile-gateway-sgw-charging-clear-xfer-stats>
clear unified-edge sgw gtp
clear unified-edge sgw gtp peer
clear unified-edge sgw gtp peer statistics
<clear-mobile-sgw-gtp-peer-statistics>
clear unified-edge sgw gtp statistics
<clear-mobile-sgw-gtp-statistics>
clear unified-edge sgw idle-mode-buffering
clear unified-edge sgw idle-mode-buffering statistics
<clear-mobile-gw-sgw-idle-mode-buffering-statistics>
clear unified-edge sgw ip-reassembly
clear unified-edge sgw ip-reassembly statistics
<clear-mobile-gateways-sgw-ip-reassembly-statistics-sgw>
clear unified-edge sgw statistics
<clear-mobile-sgw-statistics>
clear unified-edge sgw subscribers
<clear-mobile-sgw-subscribers>
clear unified-edge sgw subscribers charging
<clear-mobile-sgw-subscribers-charging>
clear unified-edge sgw subscribers peer
<clear-mobile-sgw-subscribers-peer>
clear unified-edge tdf
clear unified-edge tdf aaa
clear unified-edge tdf aaa radius
clear unified-edge tdf aaa radius client
clear unified-edge tdf aaa radius client statistics
<clear-radius-client-statistics>
clear unified-edge tdf aaa radius network-element
clear unified-edge tdf aaa radius network-element statistics
<clear-radius-network-element-statistics>
clear unified-edge tdf aaa radius server
clear unified-edge tdf aaa radius server statistics
<clear-radius-server-statistics>
clear unified-edge tdf aaa radius snoop-segment
clear unified-edge tdf aaa radius snoop-segment statistics
<clear-radius-snoop-segment-statistics>
clear unified-edge tdf aaa statistics
<clear-tdf-gateway-aaa-statistics>
clear unified-edge tdf address-assignment
clear unified-edge tdf address-assignment pool
<clear-mobile-gateway-tdf-sm-ippool-pool-sessions>
clear unified-edge tdf address-assignment statistics
<clear-mobile-gateway-tdf-sm-ippool-statistics>
clear unified-edge tdf call-admission-control
clear unified-edge tdf call-admission-control statistics
<clear-tdf-cac-statistics>
clear unified-edge tdf diameter
clear unified-edge tdf diameter network-element
Copyright © 2017, Juniper Networks, Inc.
245
User Access and Authentication Feature Guide for Routing Devices
clear unified-edge tdf diameter network-element statistics
<clear-diameter-network-element-statistics>
clear unified-edge tdf diameter pcc-gx
clear unified-edge tdf diameter pcc-gx statistics
<clear-diameter-statistics-gx>
clear unified-edge tdf diameter peer
clear unified-edge tdf diameter peer statistics
<clear-diameter-peer-statistics>
clear unified-edge tdf statistics
<clear-tdf-statistics>
clear unified-edge tdf subscribers
<clear-mobile-tdf-subscribers>
clear unified-edge tdf subscribers peer
<clear-mobile-gateway-tdf-subscribers-peer>
request security
request security certificate
request security certificate enroll
request security datapath-debug
request security datapath-debug action-profile
request security datapath-debug action-profile reload-all
request security idp
<request-idp-policy-load>
request security idp security-package
request security idp security-package download
<request-idp-security-package-download>
request security idp security-package download version
<request-idp-security-package-download-version>
request security idp security-package install
<request-idp-security-package-install>
request security idp ssl-inspection
request security idp ssl-inspection key
request security idp ssl-inspection key add
<request-idp-ssl-key-add>
request security idp ssl-inspection key delete
<request-idp-ssl-key-delete>
request security idp storage-cleanup
<request-idp-storage-cleanup>
request security key-pair
request security pki
request security pki ca-certificate
request security pki ca-certificate verify
<verify-pki-ca-certificate>
request security pki ca-certificate enroll
request security pki ca-certificate load
<load-pki-ca-certificate>
request security pki crl
request security pki crl load
<request security pki crl load>
request security pki generate-certificate-request
<generate-pki-certificate-request>
request security pki generate-key-pair
<generate-pki-key-pair>
request security pki local-certificate
request security pki local-certificate verify
<verify-pki-local-certificate>
request security pki verify-integrity-status
<verify-integrity-status>
246
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
request security pki local-certificate enroll
request security pki local-certificate generate-self-signed
<generate-pki-self-signed-local-certificate>
request security pki local-certificate load
<load-pki-local-certificate>
request system set-encryption-key
request unified-edge
request unified-edge ggsn-pgw
request unified-edge ggsn-pgw call-trace
<monitor-mobile-gateways-call-trace-start>
request unified-edge ggsn-pgw call-trace clear
<get-mobile-gateways-call-trace-clear>
request unified-edge ggsn-pgw call-trace show
<get-mobile-gateways-call-trace-information>
request unified-edge ggsn-pgw call-trace start
<get-mobile-gateways-call-trace-start-information>
request unified-edge ggsn-pgw call-trace stop
<get-mobile-gateways-call-trace-stop-information>
request unified-edge sgw
request unified-edge sgw call-trace
request unified-edge sgw call-trace clear
<get-mobile-gateways-sgw-call-trace-clear>
request unified-edge sgw call-trace show
<get-mobile-gateways-sgw-call-trace-information>
request unified-edge sgw call-trace start
<get-mobile-gateways-sgw-call-trace-start-information>
request unified-edge sgw call-trace stop
<get-mobile-gateways-sgw-call-trace-stop-information>
request unified-edge tdf
request unified-edge tdf call-trace
request unified-edge tdf call-trace clear
<get-mobile-gateways-tdf-call-trace-clear>
request unified-edge tdf call-trace show
<get-mobile-gateways-tdf-call-trace-information>
request unified-edge tdf call-trace start
<get-mobile-gateways-tdf-call-trace-start-information>
request unified-edge tdf call-trace stop
<get-mobile-gateways-tdf-call-trace-stop-information>
show security
show security alarms
<get-security-alarm-information>
show security idp
show security idp application-ddos
show security idp application-ddos application
<get-idp-addos-application-information>
show security idp application-identification
show security idp application-identification application-system-cache
<get-idp-application-system-cache>
show security idp application-statistics
<get-idp-applications-information>
show security idp attack
show security idp attack description
<get-idp-attack-description-information>
show security idp attack detail
<get-idp-attack-detail-information>
show security idp attack table
<get-idp-attack-table-information>
Copyright © 2017, Juniper Networks, Inc.
247
User Access and Authentication Feature Guide for Routing Devices
show security idp counters
<get-idp-counter-information>
show security idp counters action
show security idp counters application-ddos
show security idp counters application-identification
show security idp counters dfa
show security idp counters flow
show security idp counters http-decoder
show security idp counters ips
show security idp counters log
show security idp counters memory
show security idp counters packet
show security idp counters packet-log
show security idp counters pdf-decoder
show security idp counters policy-manager
show security idp counters ssl-inspection
show security idp counters tcp-reassembler
show security idp logical-system
show security idp logical-system policy-association
show security idp memory
<get-idp-memory-information>
show security idp policies
<get-idp-subscriber-policy-list>
show security idp policy-templates-list
<get-idp-policy-template-information>
<get-idp-predefined-attack-groups>
<get-idp-predefined-attack-group-filters>
<get-idp-predefined-attacks>
<get-idp-predefined-attack-filters>
<get-idp-recent-security-package-information>
show security idp policy-commit-status
<get-idp-policy-commit-status>
<get-idp-recent-security-package-information>
show security idp security-package-version
<get-idp-security-package-information>
show security idp ssl-inspection
show security idp ssl-inspection key
<get-idp-ssl-key-information>
show security idp ssl-inspection session-id-cache
<get-idp-ssl-session-cache-information>
show security idp status
<get-idp-status-information>
show security idp status detail
<get-idp-detail-status-information>
show security keychain
<get-hakr-keychain-information>
show security log
<get-security-log-information>
show security pki
show security pki ca-certificate
<get-pki-ca-certificate>
248
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
show security pki certificate-request
<get-pki-certificate-request>
show security pki crl
<get-pki-crl>
show security pki local-certificate
<get-pki-local-certificate>
Configuration
Hierarchy Levels
Related
Documentation
[edit
[edit
[edit
[edit
security]
security alarms]
security log]
unified-edge]
•
Access Privilege User Permission Flags Overview on page 114
•
Understanding Junos OS Access Privilege Levels on page 26
•
Example: Configuring User Permissions with Access Privilege Levels on page 65
•
Example: Configuring User Permissions with Access Privileges for Operational Mode
Commands on page 76
•
Example: Configuring User Permissions with Access Privileges for Configuration
Statements and Hierarchies on page 87
•
security-control on page 249
security-control
Can view and configure security information at the [edit security] hierarchy level.
Commands
clear security
clear security alarms
<clear-security-alarm-information>
clear security idp
clear security idp application-ddos
clear security idp application-ddos cache
<clear-idp-appddos-cache>
clear security idp application-identification
clear security idp application-identification application-system-cache
<clear-idp-application-system-cache>
clear security idp application-statistics
<clear-idp-applications-information>
clear security idp attack
clear security idp attack table
<clear-idp-attack-table>
clear security idp counters
<clear-idp-counters-by-counter-class>
clear security idp ssl-inspection
clear security idp ssl-inspection session-id-cache
<clear-idp-ssl-session-cache-information>
clear security idp status
Copyright © 2017, Juniper Networks, Inc.
249
User Access and Authentication Feature Guide for Routing Devices
<clear-idp-status-information>
clear security log
<clear-security-log-information>
clear security pki
clear security pki ca-certificate
<clear-pki-ca-certificate>
clear security pki certificate-request
<clear-pki-certificate-request>
clear security pki crl
<clear-pki-crl>
clear security pki key-pair
<clear-pki-key-pair>
clear security pki local-certificate
<clear-pki-local-certificate>
request security
request security certificate
request security certificate enroll
request security datapath-debug
request security datapath-debug action-profile
request security datapath-debug action-profile reload-all
request security idp
<request-idp-policy-load>
request security idp security-package
request security idp security-package download
<request-idp-security-package-download>
request security idp security-package download version
<request-idp-security-package-download-version>
request security idp security-package install
<request-idp-security-package-install>
request security idp security-package offline-download
<request-idp-security-package-offline-download>
request security idp ssl-inspection
request security idp ssl-inspection key
request security idp ssl-inspection key add
<request-idp-ssl-key-add>
request security idp ssl-inspection key delete
<request-idp-ssl-key-delete>
request security idp storage-cleanup
<request-idp-storage-cleanup>
request security key-pair
request security pki
request security pki ca-certificate
request security pki ca-certificate verify
<verify-pki-ca-certificate>
request security pki ca-certificate enroll
request security pki ca-certificate load
<load-pki-ca-certificate>
request security pki crl
request security pki crl load
<request security pki crl load>
request security pki generate-certificate-request
<generate-pki-certificate-request>
request security pki generate-key-pair
<generate-pki-key-pair>
request security pki local-certificate
request security pki local-certificate verify
<verify-pki-local-certificate>
request security pki local-certificate enroll
250
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
request security pki local-certificate generate-self-signed
<generate-pki-self-signed-local-certificate>
request security pki local-certificate load
<load-pki-local-certificate>
request system set-encryption-key
show security
show security alarms
<get-security-alarm-information>
show security idp
show security idp application-ddos
show security idp application-ddos application
<get-idp-addos-application-information>
show security idp application-identification
show security idp application-identification application-system-cache
<get-idp-application-system-cache>
show security idp application-statistics
<get-idp-applications-information>
show security idp attack
show security idp attack description
<get-idp-attack-description-information>
show security idp attack detail
<get-idp-attack-detail-information>
show security idp attack table
<get-idp-attack-table-information>
show security idp counters
<get-idp-counter-information>
show security idp counters action
show security idp counters application-ddos
show security idp counters application-identification
show security idp counters dfa
show security idp counters flow
show security idp counters http-decoder
show security idp counters ips
show security idp counters log
show security idp counters memory
show security idp counters packet
show security idp counters packet-log
show security idp counters pdf-decoder
show security idp counters policy-manager
show security idp counters ssl-inspection
show security idp counters tcp-reassembler
show security idp logical-system
show security idp logical-system policy-association
show security idp memory
<get-idp-memory-information>
show security idp policies
<get-idp-subscriber-policy-list>
show security idp policy-templates-list
<get-idp-policy-template-information>
<get-idp-predefined-attack-groups>
<get-idp-predefined-attack-group-filters>
<get-idp-predefined-attacks>
<get-idp-predefined-attack-filters>
<get-idp-recent-security-package-information>
Copyright © 2017, Juniper Networks, Inc.
251
User Access and Authentication Feature Guide for Routing Devices
show security idp policy-commit-status
<get-idp-policy-commit-status>
<get-idp-recent-security-package-information>
show security idp security-package-version
<get-idp-security-package-information>
show security idp ssl-inspection
show security idp ssl-inspection key
<get-idp-ssl-key-information>
show security idp ssl-inspection session-id-cache
<get-idp-ssl-session-cache-information>
show security idp status
<get-idp-status-information>
show security idp status detail
<get-idp-detail-status-information>
show security keychain
<get-hakr-keychain-information>
show security log
<get-security-log-information>
show security pki
show security pki ca-certificate
<get-pki-ca-certificate>
show security pki certificate-request
<get-pki-certificate-request>
show security pki crl
<get-pki-crl>
show security pki local-certificate
<get-pki-local-certificate>
Configuration
Hierarchy Levels
Related
Documentation
[edit security]
[edit security alarms]
[edit security log]
•
Access Privilege User Permission Flags Overview on page 114
•
Understanding Junos OS Access Privilege Levels on page 26
•
Example: Configuring User Permissions with Access Privilege Levels on page 65
•
Example: Configuring User Permissions with Access Privileges for Operational Mode
Commands on page 76
•
Example: Configuring User Permissions with Access Privileges for Configuration
Statements and Hierarchies on page 87
•
security on page 242
shell
Can start a local shell on the router.
252
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
Commands
Configuration
Hierarchy Levels
Related
Documentation
start shell
start shell user
No associated CLI configuration hierarchy levels and statements.
•
Access Privilege User Permission Flags Overview on page 114
•
Understanding Junos OS Access Privilege Levels on page 26
•
Example: Configuring User Permissions with Access Privilege Levels on page 65
•
Example: Configuring User Permissions with Access Privileges for Operational Mode
Commands on page 76
•
Example: Configuring User Permissions with Access Privileges for Configuration
Statements and Hierarchies on page 87
snmp
Can view Simple Network Management Protocol (SNMP) configuration.
Commands
clear unified-edge
clear unified-edge ggsn-pgw
clear unified-edge ggsn-pgw aaa
clear unified-edge ggsn-pgw aaa radius
clear unified-edge ggsn-pgw aaa radius statistics
<clear-mobile-gateway-aaa-radius-statistics>
clear unified-edge ggsn-pgw aaa statistics
<clear-mobile-gateway-aaa-statistics>
clear unified-edge ggsn-pgw address-assignment
clear unified-edge ggsn-pgw address-assignment pool
<clear-mobile-gateway-sm-ippool-pool-sessions>
clear unified-edge ggsn-pgw address-assignment statistics
<clear-mobile-gateway-sm-ippool-statistics>
clear unified-edge ggsn-pgw call-admission-control
clear unified-edge ggsn-pgw call-admission-control statistics
<clear-mobile-gateway-cac-statistics>
clear unified-edge ggsn-pgw charging
clear unified-edge ggsn-pgw charging cdr
<clear-mobile-gateway-charging-clear-cdr>
clear unified-edge ggsn-pgw charging cdr wfa
<clear-mobile-gateway-charging-clear-cdr-wfa>
clear unified-edge ggsn-pgw charging local-persistent-storage
clear unified-edge ggsn-pgw charging local-persistent-storage statistics
<clear-mobile-gateway-charging-clear-lps-stats>
clear unified-edge ggsn-pgw charging path
clear unified-edge ggsn-pgw charging path statistics
<clear-mobile-gateway-charging-clear-path-stats>
clear unified-edge ggsn-pgw charging transfer
clear unified-edge ggsn-pgw charging transfer statistics
<clear-mobile-gateway-charging-clear-xfer-stats>
clear unified-edge ggsn-pgw diameter
clear unified-edge ggsn-pgw diameter dcca-gy
clear unified-edge ggsn-pgw diameter dcca-gy statistics
<clear-mobile-gateway-aaa-diam-stats-gy>
clear unified-edge ggsn-pgw diameter network-element
Copyright © 2017, Juniper Networks, Inc.
253
User Access and Authentication Feature Guide for Routing Devices
clear unified-edge ggsn-pgw diameter network-element statistics
<clear-mobile-gateway-aaa-diam-ne-statistics>
clear unified-edge ggsn-pgw diameter pcc-gx
clear unified-edge ggsn-pgw diameter pcc-gx statistics
<clear-mobile-gateway-aaa-diam-stats-gx>
clear unified-edge ggsn-pgw diameter peer
clear unified-edge ggsn-pgw diameter peer statistics
<clear-mobile-gateway-aaa-diam-peer-statistics>
clear unified-edge ggsn-pgw gtp
clear unified-edge ggsn-pgw gtp peer
clear unified-edge ggsn-pgw gtp peer statistics
<clear-mobile-gateway-gtp-peer-statistics>
clear unified-edge ggsn-pgw gtp statistics
<clear-mobile-gateway-gtp-statistics>
clear unified-edge ggsn-pgw ip-reassembly
clear unified-edge ggsn-pgw ip-reassembly statistics
<clear-mobile-gateways-ip-reassembly-statistics>
clear unified-edge ggsn-pgw statistics
<clear-mobile-gateway-statistics>
clear unified-edge ggsn-pgw subscribers
<clear-mobile-gateway-subscribers>
clear unified-edge ggsn-pgw subscribers bearer
clear unified-edge ggsn-pgw subscribers charging
<clear-mobile-gateway-subscribers-charging>
clear unified-edge ggsn-pgw subscribers peer
<clear-mobile-gateway-subscribers-peer>
clear unified-edge sgw
clear unified-edge sgw call-admission-control
clear unified-edge sgw call-admission-control statistics
<clear-mobile-sgw-cac-statistics>
clear unified-edge sgw charging
clear unified-edge sgw charging cdr
<clear-mobile-gateway-sgw-charging-clear-cdr>
clear unified-edge sgw charging cdr wfa
<clear-mobile-gateway-sgw-charging-clear-cdr-wfa>
clear unified-edge sgw charging local-persistent-storage
clear unified-edge sgw charging local-persistent-storage statistics
<clear-mobile-gateway-sgw-charging-clear-lps-stats>
clear unified-edge sgw charging path
clear unified-edge sgw charging path statistics
<clear-mobile-gateway-sgw-charging-clear-path-stats>
clear unified-edge sgw charging transfer
clear unified-edge sgw charging transfer statistics
<clear-mobile-gateway-sgw-charging-clear-xfer-stats>
clear unified-edge sgw gtp
clear unified-edge sgw gtp peer
clear unified-edge sgw gtp peer statistics
<clear-mobile-sgw-gtp-peer-statistics>
clear unified-edge sgw gtp statistics
<clear-mobile-sgw-gtp-statistics>
clear unified-edge sgw idle-mode-buffering
clear unified-edge sgw idle-mode-buffering statistics
<clear-mobile-gw-sgw-idle-mode-buffering-statistics>
clear unified-edge sgw ip-reassembly
clear unified-edge sgw ip-reassembly statistics
<clear-mobile-gateways-sgw-ip-reassembly-statistics-sgw>
clear unified-edge sgw statistics
<clear-mobile-sgw-statistics>
clear unified-edge sgw subscribers
<clear-mobile-sgw-subscribers>
clear unified-edge sgw subscribers charging
254
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
<clear-mobile-sgw-subscribers-charging>
clear unified-edge sgw subscribers peer
<clear-mobile-sgw-subscribers-peer>
clear unified-edge tdf
clear unified-edge tdf aaa
clear unified-edge tdf aaa radius
clear unified-edge tdf aaa radius client
clear unified-edge tdf aaa radius client statistics
<clear-radius-client-statistics>
clear unified-edge tdf aaa radius network-element
clear unified-edge tdf aaa radius network-element statistics
<clear-radius-network-element-statistics>
clear unified-edge tdf aaa radius server
clear unified-edge tdf aaa radius server statistics
<clear-radius-server-statistics>
clear unified-edge tdf aaa radius snoop-segment
clear unified-edge tdf aaa radius snoop-segment statistics
<clear-radius-snoop-segment-statistics>
clear unified-edge tdf aaa statistics
<clear-tdf-gateway-aaa-statistics
clear unified-edge tdf address-assignment
clear unified-edge tdf address-assignment pool
<clear-mobile-gateway-tdf-sm-ippool-pool-sessions>
clear unified-edge tdf address-assignment statistics
<clear-mobile-gateway-tdf-sm-ippool-statistics>
clear unified-edge tdf call-admission-control
clear unified-edge tdf call-admission-control statistics
<clear-tdf-cac-statistics>
clear unified-edge tdf diameter
clear unified-edge tdf diameter network-element
clear unified-edge tdf diameter network-element statistics
<clear-diameter-network-element-statistics>
clear unified-edge tdf diameter pcc-gx
clear unified-edge tdf diameter pcc-gx statistics
<clear-diameter-statistics-gx>
clear unified-edge tdf diameter peer
clear unified-edge tdf diameter peer statistics
<clear-diameter-peer-statistics>
clear unified-edge tdf statistics
<clear-tdf-statistics>
clear unified-edge tdf subscribers
<clear-mobile-tdf-subscribers>
clear unified-edge tdf subscribers peer
<clear-mobile-gateway-tdf-subscribers-peer>
request unified-edge
request unified-edge ggsn-pgw
request unified-edge ggsn-pgw call-trace
<monitor-mobile-gateways-call-trace-start>
request unified-edge ggsn-pgw call-trace clear
<get-mobile-gateways-call-trace-clear>
request unified-edge ggsn-pgw call-trace show
<get-mobile-gateways-call-trace-information>
request unified-edge ggsn-pgw call-trace start
<get-mobile-gateways-call-trace-start-information>
request unified-edge ggsn-pgw call-trace stop
<get-mobile-gateways-call-trace-stop-information>
request unified-edge sgw
request unified-edge sgw call-trace
request unified-edge sgw call-trace clear
<get-mobile-gateways-sgw-call-trace-clear>
request unified-edge sgw call-trace show
Copyright © 2017, Juniper Networks, Inc.
255
User Access and Authentication Feature Guide for Routing Devices
<get-mobile-gateways-sgw-call-trace-information>
request unified-edge sgw call-trace start
<get-mobile-gateways-sgw-call-trace-start-information>
request unified-edge sgw call-trace stop
<get-mobile-gateways-sgw-call-trace-stop-information>
request unified-edge tdf
request unified-edge tdf call-trace
request unified-edge tdf call-trace clear
<get-mobile-gateways-tdf-call-trace-clear>
request unified-edge tdf call-trace show
<get-mobile-gateways-tdf-call-trace-information>
request unified-edge tdf call-trace start
<get-mobile-gateways-tdf-call-trace-start-information>
request unified-edge tdf call-trace stop
<get-mobile-gateways-tdf-call-trace-stop-information>
Configuration
Hierarchy Levels
Related
Documentation
[edit snmp]
[edit unified-edge]
•
Access Privilege User Permission Flags Overview on page 114
•
Understanding Junos OS Access Privilege Levels on page 26
•
Example: Configuring User Permissions with Access Privilege Levels on page 65
•
Example: Configuring User Permissions with Access Privileges for Operational Mode
Commands on page 76
•
Example: Configuring User Permissions with Access Privileges for Configuration
Statements and Hierarchies on page 87
snmp-control
Can view SNMP configuration information and can modify SNMP configuration at the
[edit snmp] hierarchy level.
Commands
No associated CLI commands.
Configuration
Hierarchy Levels
Related
Documentation
256
[edit snmp]
•
Access Privilege User Permission Flags Overview on page 114
•
Understanding Junos OS Access Privilege Levels on page 26
•
Example: Configuring User Permissions with Access Privilege Levels on page 65
•
Example: Configuring User Permissions with Access Privileges for Operational Mode
Commands on page 76
•
Example: Configuring User Permissions with Access Privileges for Configuration
Statements and Hierarchies on page 87
•
snmp on page 253
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
system
Can view system-level configuration information.
Commands
clear unified-edge
clear unified-edge ggsn-pgw
clear unified-edge ggsn-pgw aaa
clear unified-edge ggsn-pgw aaa radius
clear unified-edge ggsn-pgw aaa radius statistics
<clear-mobile-gateway-aaa-radius-statistics>
clear unified-edge ggsn-pgw aaa statistics
<clear-mobile-gateway-aaa-statistics>
clear unified-edge ggsn-pgw address-assignment
clear unified-edge ggsn-pgw address-assignment pool
<clear-mobile-gateway-sm-ippool-pool-sessions>
clear unified-edge ggsn-pgw address-assignment statistics
<clear-mobile-gateway-sm-ippool-statistics>
clear unified-edge ggsn-pgw call-admission-control
clear unified-edge ggsn-pgw call-admission-control statistics
<clear-mobile-gateway-cac-statistics>
clear unified-edge ggsn-pgw charging
clear unified-edge ggsn-pgw charging cdr
<clear-mobile-gateway-charging-clear-cdr>
clear unified-edge ggsn-pgw charging cdr wfa
<clear-mobile-gateway-charging-clear-cdr-wfa>
clear unified-edge ggsn-pgw charging local-persistent-storage
clear unified-edge ggsn-pgw charging local-persistent-storage statistics
<clear-mobile-gateway-charging-clear-lps-stats>
clear unified-edge ggsn-pgw charging path
clear unified-edge ggsn-pgw charging path statistics
<clear-mobile-gateway-charging-clear-path-stats>
clear unified-edge ggsn-pgw charging transfer
clear unified-edge ggsn-pgw charging transfer statistics
<clear-mobile-gateway-charging-clear-xfer-stats>
clear unified-edge ggsn-pgw diameter
clear unified-edge ggsn-pgw diameter dcca-gy
clear unified-edge ggsn-pgw diameter dcca-gy statistics
<clear-mobile-gateway-aaa-diam-stats-gy>
clear unified-edge ggsn-pgw diameter network-element
clear unified-edge ggsn-pgw diameter network-element statistics
<clear-mobile-gateway-aaa-diam-ne-statistics>
clear unified-edge ggsn-pgw diameter pcc-gx
clear unified-edge ggsn-pgw diameter pcc-gx statistics
<clear-mobile-gateway-aaa-diam-stats-gx>
clear unified-edge ggsn-pgw diameter peer
clear unified-edge ggsn-pgw diameter peer statistics
<clear-mobile-gateway-aaa-diam-peer-statistics>
clear unified-edge ggsn-pgw gtp
clear unified-edge ggsn-pgw gtp peer
clear unified-edge ggsn-pgw gtp peer statistics
<clear-mobile-gateway-gtp-peer-statistics>
clear unified-edge ggsn-pgw gtp statistics
<clear-mobile-gateway-gtp-statistics>
clear unified-edge ggsn-pgw ip-reassembly
clear unified-edge ggsn-pgw ip-reassembly statistics
<clear-mobile-gateways-ip-reassembly-statistics>
clear unified-edge ggsn-pgw statistics
<clear-mobile-gateway-statistics>
clear unified-edge ggsn-pgw subscribers
Copyright © 2017, Juniper Networks, Inc.
257
User Access and Authentication Feature Guide for Routing Devices
<clear-mobile-gateway-subscribers>
clear unified-edge ggsn-pgw subscribers bearer
clear unified-edge ggsn-pgw subscribers charging
<clear-mobile-gateway-subscribers-charging>
clear unified-edge ggsn-pgw subscribers peer
<clear-mobile-gateway-subscribers-peer>
clear unified-edge sgw
clear unified-edge sgw call-admission-control
clear unified-edge sgw call-admission-control statistics
<clear-mobile-sgw-cac-statistics>
clear unified-edge sgw charging
clear unified-edge sgw charging cdr
<clear-mobile-gateway-sgw-charging-clear-cdr>
clear unified-edge sgw charging cdr wfa
<clear-mobile-gateway-sgw-charging-clear-cdr-wfa>
clear unified-edge sgw charging local-persistent-storage
clear unified-edge sgw charging local-persistent-storage statistics
<clear-mobile-gateway-sgw-charging-clear-lps-stats>
clear unified-edge sgw charging path
clear unified-edge sgw charging path statistics
<clear-mobile-gateway-sgw-charging-clear-path-stats>
clear unified-edge sgw charging transfer
clear unified-edge sgw charging transfer statistics
<clear-mobile-gateway-sgw-charging-clear-xfer-stats>
clear unified-edge sgw gtp
clear unified-edge sgw gtp peer
clear unified-edge sgw gtp peer statistics
<clear-mobile-sgw-gtp-peer-statistics>
clear unified-edge sgw gtp statistics
<clear-mobile-sgw-gtp-statistics>
clear unified-edge sgw idle-mode-buffering
clear unified-edge sgw idle-mode-buffering statistics
<clear-mobile-gw-sgw-idle-mode-buffering-statistics>
clear unified-edge sgw ip-reassembly
clear unified-edge sgw ip-reassembly statistics
<clear-mobile-gateways-sgw-ip-reassembly-statistics-sgw>
clear unified-edge sgw statistics
<clear-mobile-sgw-statistics>
clear unified-edge sgw subscribers
<clear-mobile-sgw-subscribers>
clear unified-edge sgw subscribers charging
<clear-mobile-sgw-subscribers-charging>
clear unified-edge sgw subscribers peer
<clear-mobile-sgw-subscribers-peer>
clear unified-edge tdf
clear unified-edge tdf aaa
clear unified-edge tdf aaa radius
clear unified-edge tdf aaa radius client
clear unified-edge tdf aaa radius client statistics
<clear-radius-client-statistics>
clear unified-edge tdf aaa radius network-element
clear unified-edge tdf aaa radius network-element statistics
<clear-radius-network-element-statistics>
clear unified-edge tdf aaa radius server
clear unified-edge tdf aaa radius server statistics
<clear-radius-server-statistics>
clear unified-edge tdf aaa radius snoop-segment
clear unified-edge tdf aaa radius snoop-segment statistics
<clear-radius-snoop-segment-statistics>
clear unified-edge tdf aaa statistics
<clear-tdf-gateway-aaa-statistics>
258
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
clear unified-edge tdf address-assignment
clear unified-edge tdf address-assignment pool
<clear-mobile-gateway-tdf-sm-ippool-pool-sessions>
clear unified-edge tdf address-assignment statistics
<clear-mobile-gateway-tdf-sm-ippool-statistics>
clear unified-edge tdf call-admission-control
clear unified-edge tdf call-admission-control statistics
<clear-tdf-cac-statistics>
clear unified-edge tdf diameter
clear unified-edge tdf diameter network-element
clear unified-edge tdf diameter network-element statistics
<clear-diameter-network-element-statistics>
clear unified-edge tdf diameter pcc-gx
clear unified-edge tdf diameter pcc-gx statistics
<clear-diameter-statistics-gx>
clear unified-edge tdf diameter peer
clear unified-edge tdf diameter peer statistics
<clear-diameter-peer-statistics>
clear unified-edge tdf statistics
<clear-tdf-statistics>
clear unified-edge tdf subscribers
<clear-mobile-tdf-subscribers>
clear unified-edge tdf subscribers peer
<clear-mobile-gateway-tdf-subscribers-peer>
request chassis synchronization
request chassis synchronization force
request chassis synchronization force automatic-switching
request chassis synchronization force mark-failed
request chassis synchronization force unmark-failed
request chassis synchronization switch
request path-computation-client retry-delegation
<request-path-computation-retry-delegation>
request unified-edge
request unified-edge ggsn-pgw
request unified-edge ggsn-pgw call-trace
<monitor-mobile-gateways-call-trace-start>
request unified-edge ggsn-pgw call-trace clear
<get-mobile-gateways-call-trace-clear>
request unified-edge ggsn-pgw call-trace show
<get-mobile-gateways-call-trace-information>
request unified-edge ggsn-pgw call-trace start
<get-mobile-gateways-call-trace-start-information>
request unified-edge ggsn-pgw call-trace stop
<get-mobile-gateways-call-trace-stop-information>
request unified-edge sgw
request unified-edge sgw call-trace
request unified-edge sgw call-trace clear
<get-mobile-gateways-sgw-call-trace-clear>
request unified-edge sgw call-trace show
<get-mobile-gateways-sgw-call-trace-information>
request unified-edge sgw call-trace start
<get-mobile-gateways-sgw-call-trace-start-information>
request unified-edge sgw call-trace stop
<get-mobile-gateways-sgw-call-trace-stop-information>
request unified-edge tdf
request unified-edge tdf call-trace
request unified-edge tdf call-trace clear
<get-mobile-gateways-tdf-call-trace-clear>
request unified-edge tdf call-trace show
<get-mobile-gateways-tdf-call-trace-information>
request unified-edge tdf call-trace start
Copyright © 2017, Juniper Networks, Inc.
259
User Access and Authentication Feature Guide for Routing Devices
<get-mobile-gateways-tdf-call-trace-start-information>
request unified-edge tdf call-trace stop
<get-mobile-gateways-tdf-call-trace-stop-information>
request virtual-chassis
request virtual-chassis device-reachability
<get-virtual-chassis-diagnostic-information>
request virtual-chassis member-id
request virtual-chassis member-id delete
delete-virtual-chassis-member-id
request virtual-chassis member-id set
<set-virtual-chassis-member-id>
request virtual-chassis mode
request virtual-chassis mode mixed
<request-virtual-chassis-mode-mixed>
request virtual-chassis reactivate
<request-virtual-chassis-reactivate>
request virtual-chassis recycle
<request-virtual-chassis-recycle>
request virtual-chassis renumber
<request-virtual-chassis-renumber>
request virtual-chassis routing-engine
request virtual-chassis routing-engine master
request virtual-chassis routing-engine master switch
<switch-vc-routing-engine-protocol-master>
request virtual-chassis vc-port
request virtual-chassis vc-port delete
request virtual-chassis vc-port delete fpc-slot
<request-virtual-chassis-vc-port-delete-fpc-slot>
request virtual-chassis vc-port delete pic-slot
<request-virtual-chassis-vc-port-delete-pic-slot>
request virtual-chassis vc-port set
request virtual-chassis vc-port set fpc-slot
<request-virtual-chassis-vc-port-set-fpc-slot>
request virtual-chassis vc-port set interface
<request-virtual-chassis-vc-port-set-interface>
request virtual-chassis vc-port set pic-slot
<request-virtual-chassis-vc-port-set-pic-slot>
<set-virtual-chassis-mode>
Configuration
Hierarchy Levels
260
[edit applications]
[edit chassis network-slices]
[edit chassis system-domains]
[edit dynamic-profiles routing-instances instance forwarding-options helpers
tftp]
[edit dynamic-profiles routing-instances instance routing-options fate-sharing]
[edit ethernet-switching-options]
[edit fabric virtual-chassis]
[edit forwarding-options helpers bootp]
[edit forwarding-options helpers domain]
[edit forwarding-options helpers port]
[edit forwarding-options helpers tftp]
[edit logical-systems]
[edit logical-systems protocols uplink-failure-detection]
[edit logical-systems routing-instances instance forwarding-options helpers
bootp]
[edit logical-systems routing-instances instance forwarding-options helpers
domain]
[edit logical-systems routing-instances instance forwarding-options helpers
port]
[edit logical-systems routing-instances instance forwarding-options helpers
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
tftp]
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
Copyright © 2017, Juniper Networks, Inc.
logical-systems routing-instances instance routing-options fate-sharing]
logical-systems routing-options fate-sharing]
logical-systems system]
logical-systems system syslog]
poe]
protocols uplink-failure-detection]
routing-instances instance forwarding-options helpers bootp]
routing-instances instance forwarding-options helpers domain]
routing-instances instance forwarding-options helpers port]
routing-instances instance forwarding-options helpers tftp]
routing-instances instance routing-options fate-sharing]
routing-options fate-sharing]
services]
services ggsn charging charging-log traceoptions]
system]
system archival]
system backup-router]
system boot loader authentication]
system compress-configuration-files]
system default-address-selection]
system domain-name]
system domain-search]
system encrypt-configuration-files]
system host-name]
system inet6-backup-router]
system internet-options gre-path-mtu-discovery]
system internet-options ipip-path-mtu-discovery]
system internet-options ipv6-path-mtu-discovery]
system internet-options ipv6-path-mtu-discovery-timeout]
system internet-options ipv6-reject-zero-hop-limit]
system internet-options no-tcp-reset]
system internet-options no-tcp-rfc1323]
system internet-options no-tcp-rfc1323-paws]
system internet-options path-mtu-discovery]
system internet-options source-port upper-limit]
system internet-options source-quench]
system internet-options tcp-drop-synfin-set]
system internet-options tcp-mss]
system license]
system max-configuration-rollbacks]
system max-configurations-on-flash]
system mirror-flash-on-disk]
system no-debugger-on-alt-break]
system no-redirects-ipv6]
system name-server]
no-hidden-commands system]
system no-multicast-echo]
system no-neighbor-learn]
system no-redirects]
system ports auxiliary log-out-on-disconnect]
system ports auxiliary port-type]
system ports auxiliary silent-with-modem]
system ports console log-out-on-disconnect]
system ports console port-type]
system ports console silent-with-modem]
system processes]
system proxy]
system saved-core-context]
system saved-core-files]
system services]
261
User Access and Authentication Feature Guide for Routing Devices
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
Related
Documentation
system services web-management]
system static-host-mapping]
system syslog]
system time-zone]
unified-edge]
virtual-chassis]
virtual-chassis locality-bias]
vlans]
•
Access Privilege User Permission Flags Overview on page 114
•
Understanding Junos OS Access Privilege Levels on page 26
•
Example: Configuring User Permissions with Access Privilege Levels on page 65
•
Example: Configuring User Permissions with Access Privileges for Operational Mode
Commands on page 76
•
Example: Configuring User Permissions with Access Privileges for Configuration
Statements and Hierarchies on page 87
•
system-control on page 262
system-control
Can view system-level configuration information and configure it at the [edit system]
hierarchy level.
Configuration
Hierarchy Levels
262
[edit applications]
[edit chassis system-domains]
[edit dynamic-profiles routing-instances instance forwarding-options helpers
tftp]
[edit dynamic-profiles routing-instances instance routing-options fate-sharing]
[edit ethernet-switching-options]
[edit forwarding-options helpers bootp]
[edit forwarding-options helpers domain]
[edit forwarding-options helpers port]
[edit forwarding-options helpers tftp]
[edit logical-systems]
[edit logical-systems routing-instances instance forwarding-options helpers
bootp]
[edit logical-systems routing-instances instance forwarding-options helpers
domain]
[edit logical-systems routing-instances instance forwarding-options helpers
port]
[edit logical-systems routing-instances instance forwarding-options helpers
tftp]
[edit logical-systems routing-instances instance routing-options fate-sharing]
[edit logical-systems routing-options fate-sharing]
[edit logical-systems system]
[edit poe]
[edit routing-instances instance forwarding-options helpers bootp]
[edit routing-instances instance forwarding-options helpers domain]
[edit routing-instances instance forwarding-options helpers port]
[edit routing-instances instance forwarding-options helpers tftp]
[edit routing-instances instance routing-options fate-sharing]
[edit routing-options fate-sharing]
[edit services]
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
[edit
Related
Documentation
services ggsn charging charging-log traceoptions]
system]
system archival]
system backup-router]
system compress-configuration-files]
system default-address-selection]
system dgasp-in]
system dgasp-usb]
system domain-name]
system domain-search]
system encrypt-configuration-files]
system host-name]
system inet6-backup-router]
system internet-options gre-path-mtu-discovery]
system internet-options ipip-path-mtu-discovery]
system internet-options ipv6-path-mtu-discovery]
system internet-options ipv6-path-mtu-discovery-timeout]
system internet-options ipv6-reject-zero-hop-limit]
system internet-options no-tcp-reset]
system internet-options no-tcp-rfc1323]
system internet-options no-tcp-rfc1323-paws]
system internet-options path-mtu-discovery]
system internet-options source-port upper-limit]
system internet-options source-quench]
system internet-options tcp-drop-synfin-set]
system internet-options tcp-mss]
system license]
system max-configuration-rollbacks]
system max-configurations-on-flash]
system mirror-flash-on-disk]
system name-server]
system no-multicast-echo]
system no-neighbor-learn]
system no-redirects]
system ports auxiliary log-out-on-disconnect]
system ports auxiliary port-type]
system ports console log-out-on-disconnect]
system ports console port-type]
system processes]
system saved-core-context]
system saved-core-files]
system services]
system services web-management]
system static-host-mapping]
system syslog]
system time-zone]
virtual-chassis]
vlans]
•
Access Privilege User Permission Flags Overview on page 114
•
Understanding Junos OS Access Privilege Levels on page 26
•
Example: Configuring User Permissions with Access Privilege Levels on page 65
•
Example: Configuring User Permissions with Access Privileges for Operational Mode
Commands on page 76
•
Example: Configuring User Permissions with Access Privileges for Configuration
Statements and Hierarchies on page 87
Copyright © 2017, Juniper Networks, Inc.
263
User Access and Authentication Feature Guide for Routing Devices
•
system on page 257
trace
Can view trace file settings and configure trace file properties.
Commands
clear log
<clear-log>
clear log satellite
<clear-log-satellite>
clear unified-edge
clear unified-edge ggsn-pgw
clear unified-edge ggsn-pgw aaa
clear unified-edge ggsn-pgw aaa radius
clear unified-edge ggsn-pgw aaa radius statistics
<clear-mobile-gateway-aaa-radius-statistics>
clear unified-edge ggsn-pgw aaa statistics
<clear-mobile-gateway-aaa-statistics>
clear unified-edge ggsn-pgw address-assignment
clear unified-edge ggsn-pgw address-assignment pool
<clear-mobile-gateway-sm-ippool-pool-sessions>
clear unified-edge ggsn-pgw address-assignment statistics
<clear-mobile-gateway-sm-ippool-statistics>
clear unified-edge ggsn-pgw call-admission-control
clear unified-edge ggsn-pgw call-admission-control statistics
<clear-mobile-gateway-cac-statistics>
clear unified-edge ggsn-pgw charging
clear unified-edge ggsn-pgw charging cdr
<clear-mobile-gateway-charging-clear-cdr>
clear unified-edge ggsn-pgw charging cdr wfa
<clear-mobile-gateway-charging-clear-cdr-wfa>
clear unified-edge ggsn-pgw charging local-persistent-storage
clear unified-edge ggsn-pgw charging local-persistent-storage statistics
<clear-mobile-gateway-charging-clear-lps-stats>
clear unified-edge ggsn-pgw charging path
clear unified-edge ggsn-pgw charging path statistics
<clear-mobile-gateway-charging-clear-path-stats>
clear unified-edge ggsn-pgw charging transfer
clear unified-edge ggsn-pgw charging transfer statistics
<clear-mobile-gateway-charging-clear-xfer-stats>
clear unified-edge ggsn-pgw diameter
clear unified-edge ggsn-pgw diameter dcca-gy
clear unified-edge ggsn-pgw diameter dcca-gy statistics
<clear-mobile-gateway-aaa-diam-stats-gy>
clear unified-edge ggsn-pgw diameter network-element
clear unified-edge ggsn-pgw diameter network-element statistics
<clear-mobile-gateway-aaa-diam-ne-statistics>
clear unified-edge ggsn-pgw diameter pcc-gx
clear unified-edge ggsn-pgw diameter pcc-gx statistics
<clear-mobile-gateway-aaa-diam-stats-gx>
clear unified-edge ggsn-pgw diameter peer
clear unified-edge ggsn-pgw diameter peer statistics
<clear-mobile-gateway-aaa-diam-peer-statistics>
clear unified-edge ggsn-pgw gtp
clear unified-edge ggsn-pgw gtp peer
clear unified-edge ggsn-pgw gtp peer statistics
<clear-mobile-gateway-gtp-peer-statistics>
clear unified-edge ggsn-pgw gtp statistics
264
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
<clear-mobile-gateway-gtp-statistics>
clear unified-edge ggsn-pgw ip-reassembly
clear unified-edge ggsn-pgw ip-reassembly statistics
<clear-mobile-gateways-ip-reassembly-statistics>
clear unified-edge ggsn-pgw statistics
<clear-mobile-gateway-statistics>
clear unified-edge ggsn-pgw subscribers
<clear-mobile-gateway-subscribers>
clear unified-edge ggsn-pgw subscribers bearer
clear unified-edge ggsn-pgw subscribers charging
<clear-mobile-gateway-subscribers-charging>
clear unified-edge ggsn-pgw subscribers peer
<clear-mobile-gateway-subscribers-peer>
clear unified-edge sgw
clear unified-edge sgw call-admission-control
clear unified-edge sgw call-admission-control statistics
<clear-mobile-sgw-cac-statistics>
clear unified-edge sgw charging
clear unified-edge sgw charging cdr
<clear-mobile-gateway-sgw-charging-clear-cdr>
clear unified-edge sgw charging cdr wfa
<clear-mobile-gateway-sgw-charging-clear-cdr-wfa>
clear unified-edge sgw charging local-persistent-storage
clear unified-edge sgw charging local-persistent-storage statistics
<clear-mobile-gateway-sgw-charging-clear-lps-stats>
clear unified-edge sgw charging path
clear unified-edge sgw charging path statistics
<clear-mobile-gateway-sgw-charging-clear-path-stats>
clear unified-edge sgw charging transfer
clear unified-edge sgw charging transfer statistics
<clear-mobile-gateway-sgw-charging-clear-xfer-stats>
clear unified-edge sgw gtp
clear unified-edge sgw gtp peer
clear unified-edge sgw gtp peer statistics
<clear-mobile-sgw-gtp-peer-statistics>
clear unified-edge sgw gtp statistics
<clear-mobile-sgw-gtp-statistics>
clear unified-edge sgw idle-mode-buffering
clear unified-edge sgw idle-mode-buffering statistics
<clear-mobile-gw-sgw-idle-mode-buffering-statistics>
clear unified-edge sgw ip-reassembly
clear unified-edge sgw ip-reassembly statistics
<clear-mobile-gateways-sgw-ip-reassembly-statistics-sgw>
clear unified-edge sgw statistics
<clear-mobile-sgw-statistics>
clear unified-edge sgw subscribers
<clear-mobile-sgw-subscribers>
clear unified-edge sgw subscribers charging
<clear-mobile-sgw-subscribers-charging>
clear unified-edge sgw subscribers peer
<clear-mobile-sgw-subscribers-peer>
clear unified-edge tdf
clear unified-edge tdf aaa
clear unified-edge tdf aaa radius
clear unified-edge tdf aaa radius client
clear unified-edge tdf aaa radius client statistics
<clear-radius-client-statistics>
clear unified-edge tdf aaa radius network-element
clear unified-edge tdf aaa radius network-element statistics
<clear-radius-network-element-statistics>
clear unified-edge tdf aaa radius server
Copyright © 2017, Juniper Networks, Inc.
265
User Access and Authentication Feature Guide for Routing Devices
clear unified-edge tdf aaa radius server statistics
<clear-radius-server-statistics>
clear unified-edge tdf aaa radius snoop-segment
clear unified-edge tdf aaa radius snoop-segment statistics
<clear-radius-snoop-segment-statistics>
clear unified-edge tdf aaa statistics
<clear-tdf-gateway-aaa-statistics>
clear unified-edge tdf address-assignment
clear unified-edge tdf address-assignment pool
<clear-mobile-gateway-tdf-sm-ippool-pool-sessions>
clear unified-edge tdf address-assignment statistics
<clear-mobile-gateway-tdf-sm-ippool-statistics>
clear unified-edge tdf call-admission-control
clear unified-edge tdf call-admission-control statistics
<clear-tdf-cac-statistics>
clear unified-edge tdf diameter
clear unified-edge tdf diameter network-element
clear unified-edge tdf diameter network-element statistics
<clear-diameter-network-element-statistics>
clear unified-edge tdf diameter pcc-gx
clear unified-edge tdf diameter pcc-gx statistics
<clear-diameter-statistics-gx>
clear unified-edge tdf diameter peer
clear unified-edge tdf diameter peer statistics
<clear-diameter-peer-statistics>
clear unified-edge tdf statistics
<clear-tdf-statistics>
clear unified-edge tdf subscribers
<clear-mobile-tdf-subscribers>
clear unified-edge tdf subscribers peer
<clear-mobile-gateway-tdf-subscribers-peer>
monitor
request-monitor-ethernet-delay-measurement
<request-monitor-ethernet-loss-measurement>
monitor interface
monitor interface traffic
monitor label-switched-path
monitor list
monitor start
monitor static-lsp
monitor stop
request unified-edge
request unified-edge ggsn-pgw
request unified-edge ggsn-pgw call-trace
<monitor-mobile-gateways-call-trace-start>
request unified-edge ggsn-pgw call-trace clear
<get-mobile-gateways-call-trace-clear>
request unified-edge ggsn-pgw call-trace show
<get-mobile-gateways-call-trace-information>
request unified-edge ggsn-pgw call-trace start
<get-mobile-gateways-call-trace-start-information>
request unified-edge ggsn-pgw call-trace stop
<get-mobile-gateways-call-trace-stop-information>
request unified-edge sgw
request unified-edge sgw call-trace
request unified-edge sgw call-trace clear
<get-mobile-gateways-sgw-call-trace-clear>
request unified-edge sgw call-trace show
<get-mobile-gateways-sgw-call-trace-information>
request unified-edge sgw call-trace start
<get-mobile-gateways-sgw-call-trace-start-information>
266
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
request unified-edge sgw call-trace stop
<get-mobile-gateways-sgw-call-trace-stop-information>
request unified-edge tdf
request unified-edge tdf call-trace
request unified-edge tdf call-trace clear
<get-mobile-gateways-tdf-call-trace-clear>
request unified-edge tdf call-trace show
<get-mobile-gateways-tdf-call-trace-information>
request unified-edge tdf call-trace start
<get-mobile-gateways-tdf-call-trace-start-information>
request unified-edge tdf call-trace stop
<get-mobile-gateways-tdf-call-trace-stop-information>
show log
<get-log>
show log user
<get-syslog-events>
Configuration
Hierarchy Levels
[edit unified-edge]
[edit vlans domain multicast-snooping-options traceoptions]
[edit vlans domain protocols igmp-snooping]
[edit vlans domain forwarding-options dhcp-relay traceoptions]
[edit vlans domain protocols igmp-snooping traceoptions]
[edit vlans domain forwarding-options dhcp-relay interface-traceoptions]
[edit vlans domain multicast-snooping-options traceoptions]
[edit vlans domain protocols igmp-snooping traceoptions]
[edit class-of-service application-traffic-control traceoptions]
[edit demux traceoptions]
[edit dynamic-profiles protocols igmp traceoptions]
[edit dynamic-profiles protocols mld traceoptions]
[edit dynamic-profiles class-of-service application-traffic-control
traceoptions]
[edit dynamic-profiles protocols oam ethernet link-fault-management
traceoptions]
[dynamic-profiles protocols oam ethernet lmi]
[edit dynamic-profiles protocols router-advertisement traceoptions]
[edit dynamic-profiles protocols oam gre-tunnel traceoptions]
[edit dynamic-profiles routing-instances instance vlans domain
forwarding-options dhcp-relay traceoptions]
[edit dynamic-profiles routing-instances instance vlans domain
multicast-snooping-options traceoptions]
[edit dynamic-profiles routing-instances instance vlans domain protocols
igmp-snooping traceoptions]
[edit dynamic-profiles routing-instances instance forwarding-options dhcp-relay
traceoptions]
[edit dynamic-profiles routing-instances instance multicast-snooping-options
traceoptions]
[edit dynamic-profiles routing-instances instance protocols bgp group neighbor
traceoptions]
[edit dynamic-profiles routing-instances instance protocols bgp group
traceoptions]
[edit dynamic-profiles routing-instances instance protocols bgp traceoptions]
[edit dynamic-profiles routing-instances instance protocols esis traceoptions]
[edit dynamic-profiles routing-instances instance protocols igmp-snooping
traceoptions]
[edit dynamic-profiles routing-instances instance protocols isis traceoptions]
[edit dynamic-profiles routing-instances instance protocols l2vpn traceoptions]
[edit dynamic-profiles routing-instances instance protocols ldp traceoptions]
[edit dynamic-profiles routing-instances instance protocols msdp group peer
traceoptions]
[edit dynamic-profiles routing-instances instance protocols msdp group
traceoptions]
Copyright © 2017, Juniper Networks, Inc.
267
User Access and Authentication Feature Guide for Routing Devices
[edit dynamic-profiles routing-instances instance protocols msdp peer
traceoptions]
[edit dynamic-profiles routing-instances instance protocols msdp traceoptions]
[edit dynamic-profiles routing-instances instance protocols mvpn traceoptions]
[edit dynamic-profiles routing-instances instance protocols ospf traceoptions]
[edit dynamic-profiles routing-instances instance protocols pim traceoptions]
[edit dynamic-profiles routing-instances instance protocols rip traceoptions]
[edit dynamic-profiles routing-instances instance protocols ripng traceoptions]
[edit dynamic-profiles routing-instances instance protocols router-discovery
traceoptions]
[edit dynamic-profiles routing-instances instance protocols vpls traceoptions]
[edit dynamic-profiles routing-instances instance routing-options multicast
traceoptions]
[edit dynamic-profiles routing-instances instance routing-options traceoptions]
[edit dynamic-profiles routing-instances instance services mobile-ip
traceoptions]
[edit dynamic-profiles routing-instances instance system services
dhcp-local-server traceoptions]
[edit dynamic-profiles routing-options multicast traceoptions]
[edit fabric protocols bgp group neighbor traceoptions]
[edit fabric protocols bgp group traceoptions]
[edit fabric protocols bgp traceoptions]
[edit fabric routing-instances instance routing-options traceoptions]
[edit fabric routing-options traceoptions]
[edit jnx-example traceoptions]
[edit logical-systems vlans domain forwarding-options dhcp-relay traceoptions]
[edit logical-systems vlans domain forwarding-options dhcp-relay
interface-traceoptions]
[edit logical-systems vlans domain multicast-snooping-options traceoptions]
[edit logical-systems vlans domain protocols igmp-snooping traceoptions]
[edit logical-systems forwarding-options dhcp-relay traceoptions]
[edit logical-systems protocols ancp traceoptions]
[edit logical-systems protocols bgp group neighbor traceoptions]
[edit logical-systems protocols bgp group traceoptions]
[edit logical-systems protocols bgp traceoptions]
[edit logical-systems protocols dot1x traceoptions]
[edit logical-systems protocols dvmrp traceoptions]
[edit logical-systems protocols esis traceoptions]
[edit logical-systems protocols igmp traceoptions]
[edit logical-systems protocols igmp-host traceoptions]
[edit logical-systems protocols ilmi traceoptions]
[edit logical-systems protocols isis traceoptions]
[edit logical-systems protocols l2circuit traceoptions]
[edit logical-systems protocols l2iw traceoptions]
[edit logical-systems protocols lacp traceoptions]
[edit logical-systems protocols layer2-control traceoptions]
[edit logical-systems protocols ldp traceoptions]
[edit logical-systems protocols mld traceoptions]
[edit dynamic-profiles protocols oam ethernet fnp traceoptions]
[edit logical-systems protocols mld-host traceoptions]
[edit logical-systems protocols mpls label-switched-path oam traceoptions]
[edit logical-systems protocols mpls label-switched-path primary oam
traceoptions]
[edit logical-systems protocols mpls label-switched-path secondary oam
traceoptions]
[edit logical-systems protocols mpls oam traceoptions]
[edit logical-systems protocols msdp group peer traceoptions]
[edit logical-systems protocols msdp group traceoptions]
[edit logical-systems protocols msdp peer traceoptions]
[edit logical-systems protocols msdp traceoptions]
[edit logical-systems protocols neighbor-discovery secure traceoptions]
268
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
[edit logical-systems protocols oam ethernet fnp traceoptions]
[edit logical-systems protocols oam ethernet link-fault-management traceoptions]
[edit logical-systems protocols oam ethernet lmi traceoptions]
[edit logical-systems protocols ospf traceoptions]
[edit logical-systems protocols pim traceoptions]
[edit logical-systems protocols ppp monitor-session]
[edit logical-systems protocols ppp traceoptions]
[edit logical-systems protocols ppp-service traceoptions]
[edit logical-systems protocols pppoe traceoptions]
[edit logical-systems protocols rip traceoptions]
[edit logical-systems protocols ripng traceoptions]
[edit logical-systems protocols router-advertisement traceoptions]
[edit logical-systems protocols router-discovery traceoptions]
[edit logical-systems protocols rsvp lsp-set traceoptions]
[edit logical-systems protocols rsvp traceoptions]
[edit logical-systems routing-instances instance vlans domain
multicast-snooping-options traceoptions]
[edit logical-systems routing-instances instance vlans domain protocols
igmp-snooping traceoptions]
[edit logical-systems routing-instances instance forwarding-options dhcp-relay
traceoptions]
[edit logical-systems routing-instances instance multicast-snooping-options
traceoptions]
[edit logical-systems routing-instances instance protocols bgp group neighbor
traceoptions]
[edit logical-systems routing-instances instance protocols bgp group
traceoptions]
[edit logical-systems routing-instances instance protocols bgp traceoptions]
[edit logical-systems routing-instances instance protocols esis traceoptions]
[edit logical-systems routing-instances instance protocols igmp-snooping
traceoptions]
[edit logical-systems routing-instances instance protocols isis traceoptions]
[edit logical-systems routing-instances instance protocols l2vpn traceoptions]
[edit logical-systems routing-instances instance protocols ldp traceoptions]
[edit logical-systems routing-instances instance protocols msdp group peer
traceoptions]
[edit logical-systems routing-instances instance protocols msdp group
traceoptions]
[edit logical-systems routing-instances instance protocols msdp peer
traceoptions]
[edit logical-systems routing-instances instance protocols msdp traceoptions]
[edit logical-systems routing-instances instance protocols mvpn traceoptions]
[edit logical-systems routing-instances instance protocols ospf traceoptions]
[edit logical-systems routing-instances instance protocols pim traceoptions]
[edit logical-systems routing-instances instance protocols rip traceoptions]
[edit logical-systems routing-instances instance protocols ripng traceoptions]
[edit logical-systems routing-instances instance protocols router-discovery
traceoptions]
[edit logical-systems routing-instances instance protocols vpls traceoptions]
[edit logical-systems routing-instances instance routing-options multicast
traceoptions]
[edit logical-systems routing-instances instance routing-options traceoptions]
[edit logical-systems routing-instances instance services mobile-ip
traceoptions]
[edit logical-systems routing-instances instance system services
dhcp-local-server traceoptions]
[edit logical-systems routing-instances instance system services
dhcp-local-server interface-traceoptions]
[edit logical-systems routing-options multicast traceoptions]
[edit logical-systems routing-options traceoptions]
[edit logical-systems services mobile-ip traceoptions]
Copyright © 2017, Juniper Networks, Inc.
269
User Access and Authentication Feature Guide for Routing Devices
[edit logical-systems system services dhcp-local-server traceoptions]
[edit logical-systems system services dhcp-local-server interface-traceoptions]
[edit multicast-snooping-options traceoptions]
[edit protocols ancp traceoptions]
[edit protocols bgp group neighbor traceoptions]
[edit protocols bgp group traceoptions]
[edit protocols bgp traceoptions]
[edit protocols dot1x traceoptions]
[edit protocols dvmrp traceoptions]
[edit protocols esis traceoptions]
[edit protocols igmp traceoptions]
[edit protocols igmp-host traceoptions]
[edit protocols ilmi traceoptions]
[edit protocols isis traceoptions]
[edit protocols l2circuit traceoptions]
[edit protocols l2iw traceoptions]
[edit protocols lacp traceoptions]
[edit protocols layer2-control traceoptions]
[edit protocols ldp traceoptions]
[edit protocols mld traceoptions]
[edit protocols mld-host traceoptions]
[edit protocols mpls label-switched-path oam traceoptions]
[edit protocols mpls label-switched-path primary oam traceoptions]
[edit protocols mpls label-switched-path secondary oam traceoptions]
[edit protocols mpls oam traceoptions]
[edit protocols msdp group peer traceoptions]
[edit protocols msdp group traceoptions]
[edit protocols msdp peer traceoptions]
[edit protocols msdp traceoptions]
[edit protocols neighbor-discovery secure traceoptions]
[edit protocols protocols oam ethernet fnp]
[edit protocols oam ethernet connectivity-fault-management traceoptions]
[edit protocols oam ethernet link-fault-management traceoptions]
[edit protocols oam ethernet lmi traceoptions]
[edit protocols ospf traceoptions]
[edit protocols pim traceoptions]
[edit protocols ppp monitor-session]
[edit protocols ppp traceoptions]
[edit protocols ppp-service traceoptions]
[edit protocols pppoe traceoptions]
[edit protocols rip traceoptions]
[edit protocols ripng traceoptions]
[edit protocols router-advertisement traceoptions]
[edit protocols router-discovery traceoptions]
[edit protocols rsvp lsp-set traceoptions]
[edit protocols rsvp traceoptions]
[edit routing-instances instance vlans domain multicast-snooping-options
traceoptions]
[edit routing-instances instance vlans domain protocols igmp-snooping
traceoptions]
[edit routing-instances instance multicast-snooping-options traceoptions]
[edit routing-instances instance protocols bgp group neighbor traceoptions]
[edit routing-instances instance protocols bgp group traceoptions]
[edit routing-instances instance protocols bgp traceoptions]
[edit routing-instances instance protocols esis traceoptions]
[edit routing-instances instance protocols igmp-snooping traceoptions]
[edit routing-instances instance protocols isis traceoptions]
[edit routing-instances instance protocols l2vpn traceoptions]
[edit routing-instances instance protocols ldp traceoptions]
[edit routing-instances instance protocols msdp group peer traceoptions]
[edit routing-instances instance protocols msdp group traceoptions]
270
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
[edit routing-instances instance protocols msdp peer traceoptions]
[edit routing-instances instance protocols msdp traceoptions]
[edit routing-instances instance protocols mvpn traceoptions]
[edit routing-instances instance protocols ospf traceoptions]
[edit routing-instances instance protocols pim traceoptions]
[edit routing-instances instance protocols rip traceoptions]
[edit routing-instances instance protocols ripng traceoptions]
[edit routing-instances instance protocols router-discovery traceoptions]
[edit routing-instances instance protocols vpls traceoptions]
[edit routing-instances instance routing-options multicast traceoptions]
[edit routing-instances instance routing-options traceoptions]
[edit routing-options multicast traceoptions]
[edit routing-options traceoptions]
[edit security idp traceoptions]
[edit security pki traceoptions]
[edit services adaptive-services-pics traceoptions]
[edit services captive-portal-content-delivery]
[edit services l2tp traceoptions]
[edit services server-load-balance traceoptions]
[edit services logging traceoptions]
[edit services mobile-ip traceoptions]
[edit services ssl traceoptions]
[edit system accounting traceoptions]
[edit system auto-configuration traceoptions]
[edit system ddos-protection traceoptions]
[edit system license traceoptions]
[edit system processes app-engine-virtual-machine-management-service
traceoptions]
[edit system processes datapath-trace-service traceoptions]
[edit system processes dhcp-service interface-traceoptions]
[edit system processes dhcp-service traceoptions]
[edit system processes diameter-service traceoptions]
[edit system processes general-authentication-service traceoptions]
[edit system processes mac-validation traceoptions]
[edit system processes mag-service traceoptions]
[edit system processes process-monitor traceoptions]
[edit system processes resource-cleanup traceoptions]
[edit system processes sdk-service traceoptions]
[edit system processes static-subscribers traceoptions]
[edit system services database-replication traceoptions]
[edit system services dhcp traceoptions]
[edit system services local-policy-decision-function traceoptions]
[edit system services outbound-ssh traceoptions]
[edit system services service-deployment traceoptions]
[edit system services subscriber-management traceoptions]
[edit system services subscriber-management-helper traceoptions]
[edit system services web-management traceoptions]
Related
Documentation
•
Access Privilege User Permission Flags Overview on page 114
•
Understanding Junos OS Access Privilege Levels on page 26
•
Example: Configuring User Permissions with Access Privilege Levels on page 65
•
Example: Configuring User Permissions with Access Privileges for Operational Mode
Commands on page 76
•
Example: Configuring User Permissions with Access Privileges for Configuration
Statements and Hierarchies on page 87
Copyright © 2017, Juniper Networks, Inc.
271
User Access and Authentication Feature Guide for Routing Devices
•
trace-control on page 272
trace-control
Can modify trace file settings and configure trace file properties.
Configuration
Hierarchy Levels
272
[edit vlans domain forwarding-options dhcp-relay interface-traceoptions]
[edit vlans domain forwarding-options dhcp-relay traceoptions]
[edit vlans domain multicast-snooping-options traceoptions]
[edit vlans domain protocols igmp-snooping traceoptions]
[edit demux traceoptions]
[edit dynamic-profiles protocols igmp traceoptions]
[edit dynamic-profiles protocols mld traceoptions]
[edit dynamic-profiles protocols oam ethernet link-fault-management
traceoptions]
[dynamic-profiles protocols oam ethernet lmi]
[edit dynamic-profiles protocols router-advertisement traceoptions]
[edit dynamic-profiles protocols oam gre-tunnel traceoptions]
[edit dynamic-profiles routing-instances instance vlans domain
forwarding-options dhcp-relay traceoptions]
[edit dynamic-profiles routing-instances instance vlans domain
multicast-snooping-options traceoptions]
[edit dynamic-profiles routing-instances instance vlans domain protocols
igmp-snooping traceoptions]
[edit dynamic-profiles routing-instances instance forwarding-options dhcp-relay
traceoptions]
[edit dynamic-profiles routing-instances instance multicast-snooping-options
traceoptions]
[edit dynamic-profiles routing-instances instance protocols bgp group neighbor
traceoptions]
[edit dynamic-profiles routing-instances instance protocols bgp group
traceoptions]
[edit dynamic-profiles routing-instances instance protocols bgp traceoptions]
[edit dynamic-profiles routing-instances instance protocols esis traceoptions]
[edit dynamic-profiles routing-instances instance protocols igmp-snooping
traceoptions]
[edit dynamic-profiles routing-instances instance protocols isis traceoptions]
[edit dynamic-profiles routing-instances instance protocols l2vpn traceoptions]
[edit dynamic-profiles routing-instances instance protocols ldp traceoptions]
[edit dynamic-profiles routing-instances instance protocols msdp group peer
traceoptions]
[edit dynamic-profiles routing-instances instance protocols msdp group
traceoptions]
[edit dynamic-profiles routing-instances instance protocols msdp peer
traceoptions]
[edit dynamic-profiles routing-instances instance protocols msdp traceoptions]
[edit dynamic-profiles routing-instances instance protocols mvpn traceoptions]
[edit dynamic-profiles routing-instances instance protocols ospf traceoptions]
[edit dynamic-profiles routing-instances instance protocols pim traceoptions]
[edit dynamic-profiles routing-instances instance protocols rip traceoptions]
[edit dynamic-profiles routing-instances instance protocols ripng traceoptions]
[edit dynamic-profiles routing-instances instance protocols router-discovery
traceoptions]
[edit dynamic-profiles routing-instances instance protocols vpls traceoptions]
[edit dynamic-profiles routing-instances instance routing-options multicast
traceoptions]
[edit dynamic-profiles routing-instances instance routing-options traceoptions]
[edit dynamic-profiles routing-instances instance services mobile-ip
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
traceoptions]
[edit dynamic-profiles routing-instances instance system services
dhcp-local-server traceoptions]
[edit dynamic-profiles routing-options multicast traceoptions]
[edit fabric protocols bgp group neighbor traceoptions]
[edit fabric protocols bgp group traceoptions]
[edit fabric protocols bgp traceoptions]
[edit fabric routing-instances instance routing-options traceoptions]
[edit fabric routing-options traceoptions]
[edit forwarding-options dhcp-relay interface-traceoptions]
[edit forwarding-options dhcp-relay traceoptions]
[edit jnx-example traceoptions]
[edit logical-systems vlans domain forwarding-options dhcp-relay
interface-traceoptions]
[edit logical-systems vlans domain forwarding-options dhcp-relay traceoptions]
[edit logical-systems vlans domain multicast-snooping-options traceoptions]
[edit logical-systems vlans domain protocols igmp-snooping traceoptions]
[edit logical-systems forwarding-options dhcp-relay traceoptions]
[edit logical-systems protocols ancp traceoptions]
[edit logical-systems protocols bgp group neighbor traceoptions]
[edit logical-systems protocols bgp group traceoptions]
[edit logical-systems protocols bgp traceoptions]
[edit logical-systems protocols dot1x traceoptions]
[edit logical-systems protocols dvmrp traceoptions]
[edit logical-systems protocols esis traceoptions]
[edit logical-systems protocols igmp traceoptions]
[edit logical-systems protocols igmp-host traceoptions]
[edit logical-systems protocols ilmi traceoptions]
[edit logical-systems protocols isis traceoptions]
[edit logical-systems protocols l2circuit traceoptions]
[edit logical-systems protocols l2iw traceoptions]
[edit logical-systems protocols lacp traceoptions]
[edit logical-systems protocols layer2-control traceoptions]
[edit logical-systems protocols ldp traceoptions]
[edit logical-systems protocols mld traceoptions]
[edit logical-systems protocols mld-host traceoptions]
[edit logical-systems protocols mpls label-switched-path oam traceoptions]
[edit logical-systems protocols mpls label-switched-path primary oam
traceoptions]
[edit logical-systems protocols mpls label-switched-path secondary oam
traceoptions]
[edit logical-systems protocols mpls oam traceoptions]
[edit logical-systems protocols msdp group peer traceoptions]
[edit logical-systems protocols msdp group traceoptions]
[edit logical-systems protocols msdp peer traceoptions]
[edit logical-systems protocols msdp traceoptions]
[edit logical-systems protocols neighbor-discovery secure traceoptions]
[edit logical-systems protocols oam ethernet link-fault-management traceoptions]
[edit logical-systems protocols oam ethernet lmi traceoptions]
[edit logical-systems protocols ospf traceoptions]
[edit logical-systems protocols pim traceoptions]
[edit logical-systems protocols ppp monitor-session]
[edit logical-systems protocols ppp traceoptions]
[edit logical-systems protocols ppp-service traceoptions]
[edit logical-systems protocols pppoe traceoptions]
[edit logical-systems protocols rip traceoptions]
[edit logical-systems protocols ripng traceoptions]
[edit logical-systems protocols router-advertisement traceoptions]
[edit logical-systems protocols router-discovery traceoptions]
[edit logical-systems protocols rsvp traceoptions]
[edit logical-systems routing-instances instance vlans domain forwarding-options
Copyright © 2017, Juniper Networks, Inc.
273
User Access and Authentication Feature Guide for Routing Devices
dhcp-relay interface-traceoptions]
[edit logical-systems routing-instances instance vlans domain forwarding-options
dhcp-relay traceoptions]
[edit logical-systems routing-instances instance vlans domain
multicast-snooping-options traceoptions]
[edit logical-systems routing-instances instance vlans domain protocols
igmp-snooping traceoptions]
[edit logical-systems routing-instances instance forwarding-options dhcp-relay
traceoptions]
[edit logical-systems routing-instances instance multicast-snooping-options
traceoptions]
[edit logical-systems routing-instances instance protocols bgp group neighbor
traceoptions]
[edit logical-systems routing-instances instance protocols bgp group
traceoptions]
[edit logical-systems routing-instances instance protocols bgp traceoptions]
[edit logical-systems routing-instances instance protocols esis traceoptions]
[edit logical-systems routing-instances instance protocols igmp-snooping
traceoptions]
[edit logical-systems routing-instances instance protocols isis traceoptions]
[edit logical-systems routing-instances instance protocols l2vpn traceoptions]
[edit logical-systems routing-instances instance protocols ldp traceoptions]
[edit logical-systems routing-instances instance protocols msdp group peer
traceoptions]
[edit logical-systems routing-instances instance protocols msdp group
traceoptions]
[edit logical-systems routing-instances instance protocols msdp peer
traceoptions]
[edit logical-systems routing-instances instance protocols msdp traceoptions]
[edit logical-systems routing-instances instance protocols mvpn traceoptions]
[edit logical-systems routing-instances instance protocols ospf traceoptions]
[edit logical-systems routing-instances instance protocols pim traceoptions]
[edit logical-systems routing-instances instance protocols rip traceoptions]
[edit logical-systems routing-instances instance protocols ripng traceoptions]
[edit logical-systems routing-instances instance protocols router-discovery
traceoptions]
[edit logical-systems routing-instances instance protocols vpls traceoptions]
[edit logical-systems routing-instances instance routing-options multicast
traceoptions]
[edit logical-systems routing-instances instance routing-options traceoptions]
[edit logical-systems routing-instances instance services mobile-ip
traceoptions]
[edit logical-systems routing-instances instance system services
dhcp-local-server interface-traceoptions]
[edit logical-systems routing-instances instance system services
dhcp-local-server traceoptions]
[edit logical-systems routing-options multicast traceoptions]
[edit logical-systems routing-options traceoptions]
[edit logical-systems services mobile-ip traceoptions]
[edit logical-systems system services dhcp-local-server interface-traceoptions]
[edit logical-systems system services dhcp-local-server traceoptions]
[edit multicast-snooping-options traceoptions]
[edit protocols ancp traceoptions]
[edit protocols bgp group neighbor traceoptions]
[edit protocols bgp group traceoptions]
[edit protocols bgp traceoptions]
[edit protocols dot1x traceoptions]
[edit protocols dvmrp traceoptions]
[edit protocols esis traceoptions]
[edit protocols igmp traceoptions]
[edit protocols igmp-host traceoptions]
274
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
[edit protocols ilmi traceoptions]
[edit protocols isis traceoptions]
[edit protocols l2circuit traceoptions]
[edit protocols l2iw traceoptions]
[edit protocols lacp traceoptions]
[edit protocols layer2-control traceoptions]
[edit protocols ldp traceoptions]
[edit protocols mld traceoptions]
[edit protocols mld-host traceoptions]
[edit protocols mpls label-switched-path oam traceoptions]
[edit protocols mpls label-switched-path primary oam traceoptions]
[edit protocols mpls label-switched-path secondary oam traceoptions]
[edit protocols mpls oam traceoptions]
[edit protocols msdp group peer traceoptions]
[edit protocols msdp group traceoptions]
[edit protocols msdp peer traceoptions]
[edit protocols msdp traceoptions]
[edit protocols neighbor-discovery secure traceoptions]
[edit protocols oam ethernet connectivity-fault-management traceoptions]
[edit protocols oam ethernet link-fault-management traceoptions]
[edit protocols oam ethernet lmi traceoptions]
[edit protocols ospf traceoptions]
[edit protocols pim traceoptions]
[edit protocols ppp monitor-session]
[edit protocols ppp traceoptions]
[edit protocols ppp-service traceoptions]
[edit protocols pppoe traceoptions]
[edit protocols rip traceoptions]
[edit protocols ripng traceoptions]
[edit protocols router-advertisement traceoptions]
[edit protocols router-discovery traceoptions]
[edit protocols rsvp traceoptions]
[edit routing-instances instance vlans domain forwarding-options dhcp-relay
interface-traceoptions]
[edit routing-instances instance vlans domain forwarding-options dhcp-relay
traceoptions]
[edit routing-instances instance vlans domain multicast-snooping-options
traceoptions]
[edit routing-instances instance vlans domain protocols igmp-snooping
traceoptions]
[edit routing-instances instance forwarding-options dhcp-relay traceoptions]
[edit routing-instances instance forwarding-options dhcp-relay
interface-traceoptions]
[edit routing-instances instance multicast-snooping-options traceoptions]
[edit routing-instances instance protocols bgp group neighbor traceoptions]
[edit routing-instances instance protocols bgp group traceoptions]
[edit routing-instances instance protocols bgp traceoptions]
[edit routing-instances instance protocols esis traceoptions]
[edit routing-instances instance protocols igmp-snooping traceoptions]
[edit routing-instances instance protocols isis traceoptions]
[edit routing-instances instance protocols l2vpn traceoptions]
[edit routing-instances instance protocols ldp traceoptions]
[edit routing-instances instance protocols msdp group peer traceoptions]
[edit routing-instances instance protocols msdp group traceoptions]
[edit routing-instances instance protocols msdp peer traceoptions]
[edit routing-instances instance protocols msdp traceoptions]
[edit routing-instances instance protocols mvpn traceoptions]
[edit routing-instances instance protocols ospf traceoptions]
[edit routing-instances instance protocols pim traceoptions]
[edit routing-instances instance protocols rip traceoptions]
[edit routing-instances instance protocols ripng traceoptions]
Copyright © 2017, Juniper Networks, Inc.
275
User Access and Authentication Feature Guide for Routing Devices
[edit routing-instances instance protocols router-discovery traceoptions]
[edit routing-instances instance protocols vpls traceoptions]
[edit routing-instances instance routing-options multicast traceoptions]
[edit routing-instances instance routing-options traceoptions]
[edit routing-instances instance system services dhcp-local-server
interface-traceoptions]
[edit routing-instances instance system services dhcp-local-server traceoptions]
[edit routing-options multicast traceoptions]
[edit routing-options traceoptions]
[edit security idp traceoptions]
[edit security pki traceoptions]
[edit services adaptive-services-pics traceoptions]
[edit services captive-portal-content-delivery]
[edit system ddos-protection traceoptions]
[edit services l2tp traceoptions]
[edit services logging traceoptions]
[edit services mobile-ip traceoptions]
[edit services server-load-balance traceoptions]
[edit services ssl traceoptions]
[edit system accounting traceoptions]
[edit system auto-configuration traceoptions]
[edit system license traceoptions]
[edit system processes datapath-trace-service traceoptions]
[edit system processes diameter-service traceoptions]
[edit system processes general-authentication-service traceoptions]
[edit system processes mac-validation traceoptions]
[edit system processes process-monitor traceoptions]
[edit system processes resource-cleanup traceoptions]
[edit system processes sdk-service traceoptions]
[edit system processes static-subscribers traceoptions]
[edit system services database-replication traceoptions]
[edit system services dhcp traceoptions]
[edit system services dhcp-local-server traceoptions]
[edit system services dhcp-local-server interface-traceoptions]
[edit system services local-policy-decision-function traceoptions]
[edit system services outbound-ssh traceoptions]
[edit system services service-deployment traceoptions]
[edit system services subscriber-management traceoptions]
[edit system services subscriber-management-helper traceoptions]
[edit unified-edge aaa traceoptions]
[edit unified-edge gateways tdf charging traceoptions]
Related
Documentation
276
•
Access Privilege User Permission Flags Overview on page 114
•
Understanding Junos OS Access Privilege Levels on page 26
•
Example: Configuring User Permissions with Access Privilege Levels on page 65
•
Example: Configuring User Permissions with Access Privileges for Operational Mode
Commands on page 76
•
Example: Configuring User Permissions with Access Privileges for Configuration
Statements and Hierarchies on page 87
•
trace on page 264
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
view
Can view current system-wide, routing table, and protocol-specific values and statistics.
Commands
clear ipv6 router-advertisement
<clear-ipv6-router-advertisement-information>clear l2circuit auto-sensing
<clear-l2ckt-pw-auto-sensing>
clear services redundancy-group
<clear-services-redundancy-group>
clear services redundancy-group statistics
<clear-services-redundancy-group-statistics>
<clear-services-redundancy-set>
clear services service-sets statistics ids
clear services service-sets statistics ids drops
<clear-service-set-ids-drops-statistics>
clear services traffic-load-balance
clear services traffic-load-balance statistics
<clear-service-traffic-load-balance-statistics>
<request-validation-policy>
show
show access-cac interface-set
<get-access-cac-iflset>
show access-security
show access-security router-advertisement-guard
show access-security router-advertisement-guard entries
<show-as-router-advetisement-entry>
show access-security router-advertisement-guard state
<show-as-ra-state>
show access-security router-advertisement-guard statistics
<get-as-router-advertisement-statistics>
show access-security router-advertisement-guard statistics interface
<get-as-router-advertisement-interface>
show accounting
show accounting profile
<get-accounting-profile-information>
show accounting records
<get-accounting-record-information>
show amt
show amt statistics
<get-amt-statistics>
show amt summary
<get-amt-summary>
show amt tunnel
<get-amt-tunnel-information>
show amt tunnel gateway-address
<get-amt-tunnel-gateway-address>
show amt tunnel tunnel-interface
<get-amt-tunnel-interface>
show analytics collector
<get-analytics-collector>
show ancp
show ancp cos
<get-ancp-cos-information>
show ancp cos last-update
<get-ancp-cos-last-update-information>
Copyright © 2017, Juniper Networks, Inc.
277
User Access and Authentication Feature Guide for Routing Devices
show ancp cos pending-update
<get-ancp-cos-pending-information>
show ancp neighbor
<get-ancp-neighbor-information>
show ancp statistics
<get-ancp-stats-information>
show ancp subscriber
<get-ancp-subscriber-information>
show ancp subscriber identifier
<get-ancp-subscriber-identifier-information>show ancp subscriber ip-address
<get-ancp-subscriber-neighbor-information>
show ancp subscriber system-name
<get-ancp-subscriber-mac-information>
show ancp subscriber neighbor
show app-engine
show app-engine information
show app-engine packages
show app-engine packages remote
<get-virtual-machine-package-remote>
show app-engine packages system
<get-virtual-machine-package-system>
show app-engine processes
show app-engine resource-usage
show app-engine route-table
show app-engine routing-instance
show app-engine routing-instance compute-clusters
show app-engine routing-instance virtual-machines
show app-engine status
show app-engine virtual-machine package
<get-virtual-machine-package-information>
show application-monitor
<get-application-monitor-information>
show application-monitor probe
show application-monitor probe flows
<get-application-monitor-probe-flows-information>
show application-monitor probe measurements
<get-application-monitor-probe-measurements>
show application-monitor probe mirrors
<get-application-monitor-probe-mirrors>
show app-engine virtual-machine vm-instance
show aps
<get-aps-information>
show aps group
<get-aps-group-information>
show aps interface
<get-aps-interface-information>
show arp
<get-arp-table-information>
show as-path
<get-as-path>
show as-path domain
<get-as-path-domain>
show auto-configuration
show auto-configuration interfaces
show backup-selection
<get-backup-selection>
278
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
show backup-selection instance
<get-backup-selection-instance>
show bfd
show bfd session
<get-bfd-session-information>
show bfd session address
<get-bfd-session-address>
show bfd session client
<get-bfd-session-client>
show bfd session client rsvp-oam
<get-bfd-session-client-rsvp>
show bfd session client vpls-oam
<get-bfd-session-client-vpls>
show bfd session client vpls-oam instance
<get-bfd-session-client-vpls-instance>
show bfd session discriminator
<get-bfd-session-discriminator>
show bfd session prefix
<get-bfd-session-prefix>
show bfd subscriber
show bfd subscriber session
<get-bfd-subscriber-session>
show bgp
show bgp bmp
<get-bgp-monitoring-protocol-statistics>
show bgp group
<get-bgp-group-information>
show bgp group output-queues
<get-bgp-group-output-queue-information>
show bgp group rtf
<get-bgp-rtf-information>
show bgp group traffic-statistics
<get-bgp-traffic-statistics-information>
show bgp neighbor
<get-bgp-neighbor-information>
show bgp neighbor orf
<get-bgp-orf-information>
show bgp neighbor output-queue
<get-bgp-output-queue-information>
show bgp output-scheduler
show bgp replication
<get-bgp-replication-information>
show bgp summary
<get-bgp-summary-information>
show bridge
show bridge domain
<get-bridge-instance-information>
show bridge domain operational
<get-operational-bridge-instance-information>
show bridge domain satellite
<get-satellite-control-bridge-domain>
show bridge evpn
show bridge evpn arp-table
Copyright © 2017, Juniper Networks, Inc.
279
User Access and Authentication Feature Guide for Routing Devices
<get-bridge-evpn-arp-table>
show bridge evpn nd-table
<get-bridge-evpn-nd-table>
show bridge evpn peer-gateway-macs
<get-bridge-peer-gateway-mac>
<get-bridge-flood-information>
show bridge flood
show bridge flood event-queue
<get-bridge-domain-event-queue-information>
show bridge flood next-hops
show bridge flood next-hops satellite
<get-satellite-control-composite-next-hop>
show bridge flood route
show bridge flood route all-ce-flood
<get-show-bridge-domain-all-ce-flood-route-information>
show bridge flood route all-ve-flood
<get-show-bridge-domain-ve-flood-route-information>
show bridge flood route alt-root-flood
<get-bridge-domain-alt-root-flood-route-information>
show bridge flood route bd-flood
<get-bridge-domain-bd-flood-route-information>
show bridge flood route mlp-flood
<get-bridge-domain-mlp-flood-route-information>
show bridge flood route re-flood
<get-bridge-domain-re-flood-route-information>
show bridge flood satellite
<get-satellite-control-flood-ethernet>
show bridge interface
show bridge interface satellite
<get-satellite-control-bridge-interface>
show bridge mac-table
<get-bridge-mac-table>
show bridge mac-table interface
<get-bridge-interface-mac-table>
show bridge mac-table satellite
<get-satellite-control-bridge-mac-table>
show bridge satellite
show bridge satellite device
<get-satellite-device-db>
show bridge satellite events
<get-satellite-control-history-information>
show bridge satellite logging
<get-satellite-control-logging-information>
show bridge satellite summary
<get-satellite-control-bridge-summary>
show bridge statistics
<get-bridge-statistics-information>
show chassis
show chassis adc
show chassis alarms
<get-alarm-information>
show chassis alarms fpc
<get-fpc-alarm-information>
show chassis alarms satellite
<get-chassis-alarm-satellite-information>
show chassis beacon
get-chassis-beacon-information>
show chassis beacon cb
<get-chassis-cb-beacon-information>
280
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
show chassis environment adc
show chassis environment ccg
<get-environment-ccg-information>
show chassis cfeb
<get-cfeb-information>
show chassis cip
show chassis craft-interface
<get-craft-information>
show chassis environment
<get-environment-information>
show chassis environment cb
<get-environment-cb-information>
show chassis environment cip
<get-environment-cip-information>
show chassis environment feb
<get-environment-feb-information>
show chassis environment fan
show chassis environment fpc
<get-environment-fpc-information>
show chassis environment fpc satellite
<get-chassis-environment-fpc-satellite-info>
show chassis environment fpm
<get-environment-fpm-information>
show chassis environment mcs
<get-environment-mcs-information>
show chassis environment pcg
<get-environment-pcg-information>
show chassis environment pdu
<get-environment-pdu-information>
show chassis environment pem
<get-environment-pem-information>
show chassis environment pem satellite
<get-chassis-environment-pem-satellite-info>
show chassis environment psm
show chassis environment psu
<get-environment-psu-information>
show chassis environment routing-engine
<get-environment-re-information>
show chassis environment routing-engine satellite
<get-chassis-environment-re-satellite-info>
show chassis environment satellite
<get-chassis-environment-satellite-information>
show chassis environment scg
<get-environment-scg-information>
show chassis environment service-node
<get-environment-service-node-information>
show chassis environment sfb
show chassis environment sfm
<get-environment-sfm-information>
show chassis environment sib
<get-environment-sib-information>
show
show
show
show
show
show
show
show
Copyright © 2017, Juniper Networks, Inc.
chassis
chassis
chassis
chassis
chassis
chassis
chassis
chassis
environment sib f13
environment sib f2s
ethernet-switch
ethernet-switch errors
ethernet-switch statistics
ethernet-switch temperature
fabric
fabric degraded-fabric-reachability
281
User Access and Authentication Feature Guide for Routing Devices
show chassis fabric device
<get-chassis-fabric-information-device>
show chassis fabric connectivity
<get-chassis-fabric-connectivity-information>
show chassis fabric degradation
<get-fm-degradation-information>
show chassis fabric degradation actions
<get-fm-degradation-information-details>
show chassis fabric destinations
<get-fm-fabric-destinations-state>
show chassis fabric errors
show chassis fabric errors autoheal
<get-fm-plane-autoheal-errors>
show chassis fabric errors fpc
<get-fm-fpc-errors>
show chassis fabric errors sib
<get-fm-sib-errors>
show
show
show
show
chassis fabric errors sib f13
chassis fabric errors sib f2s
chassis fabric feb
chassis fabric fpcs
<get-fm-fpc-state-information>
show chassis fabric links
<get-chassis-fabric-link-information>
show chassis fabric map
show chassis fabric plane
<get-fm-plane-state-information>
show chassis fabric plane-location
show chassis fabric reachability
<get-fm-fabric-reachability-information>
show chassis fabric sibs
<get-fm-sib-state-information>
show chassis fabric spray-weights
<get-chassis-fabric-spray-weight-information>
show chassis fabric spray-weights from
show chassis fabric spray-weights to
show chassis fabric summary
<get-fm-state-information>
show chassis fabric topology
<get-chassis-fabric-topology-information>
show chassis fabric unreachable-destinations
<get-fm-unreachable-dest-information>
show chassis fan
show chassis fan satellite
get-chassis-fan-satellite-information
show chassis feb
<get-feb-brief-information>
show chassis feb detail
<get-feb-information>
show chassis firmware
<get-firmware-information>
show chassis firmware detail
<get-firmware-information-detail>
282
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
show chassis firmware satellite
<get-chassis-firmware-satellite-information>
show chassis forwarding
<get-fwdd-information>
show chassis fpc
<get-fpc-information>
show chassis fpc errors
<get-fpc-error-information>
show chassis fpc optical-properties
<get-fpc-optical-information>
show chassis fpc optical-properties alarms
<get-fpc-optical-alarms-information>
show chassis fpc optical-properties amplifier-chain
show chassis fpc optical-properties amplifier-chain ila
<get-fpc-optical-amplifier-chain-information>
show chassis fpc optical-properties amplifier-chain ila
<get-fpc-optical-ila-alarms-information>
show chassis fpc optical-properties amplifier-chain ila
<get-fpc-optical-ila-edfa-information>
show chassis fpc optical-properties amplifier-chain ila
<get-fpc-optical-ila-osc-information>
show chassis fpc optical-properties amplifier-chain ila
<get-fpc-optical-ila-pm-current-information>
show chassis fpc optical-properties amplifier-chain ila
<get-fpc-optical-ila-pm-currentday-information>
show chassis fpc optical-properties amplifier-chain ila
<get-fpc-optical-ila-pm-interval-information>
show chassis fpc optical-properties amplifier-chain ila
<get-fpc-optical-ila-pm-previousday-information>
show chassis fpc optical-properties amplifier-chain ila
<get-fpc-optical-ila-summary-information>
show chassis fpc optical-properties amplifier-chain ila
<get-fpc-optical-ila-voa-information>
show chassis fpc optical-properties amplifier-topology
<get-fpc-optical-amplifier-topology-information>
show chassis fpc optical-properties edfa
<get-fpc-optical-edfa-information>
show chassis fpc optical-properties mfg-info
<get-fpc-optical-mfg-info-information>
show chassis fpc optical-properties ocm
<get-fpc-optical-ocm-information>
show chassis fpc optical-properties pm-current
<get-fpc-optical-pm-current-information>
show chassis fpc optical-properties pm-currentday
<get-fpc-optical-pm-currentday-information>
show chassis fpc optical-properties pm-interval
<get-fpc-optical-pm-interval-information>
show chassis fpc optical-properties pm-previousday
<get-fpc-optical-pm-previousday-information>
show chassis fpc optical-properties status
<get-fpc-optical-status-information>
show chassis fpc optical-properties topology
<get-fpc-optical-topology-information>
show chassis fpc optical-properties wss
<get-fpc-optical-wss-information>
show chassis fpc pic-status
<get-pic-information>
show chassis fpc port-status
<get-fpc-port-information>
Copyright © 2017, Juniper Networks, Inc.
alarms
edfa
osc
pm-current
pm-currentday
pm-interval
pm-previousday
summary
voa
283
User Access and Authentication Feature Guide for Routing Devices
show chassis fpc-feb-connectivity
<get-fpc-feb-connectivity-information>
show chassis hardware
<get-chassis-inventory>
show chassis hardware satellite
<get-chassis-hardware-satellite-information>
show chassis hss
show chassis hss link-quality
show chassis in-service-upgrade
show chassis ioc-npc-connectivity
<get-ioc-npc-connectivity-information>
show chassis jam-test
<get-jam-test-information>
show chassis lcc-mode
<get-chassis-lcc-mode-information>
show chassis lccs
<get-fru-information>
<get-chassis-led-satellite-information>
show chassis location
<get-chassis-location>
show chassis location fpc
show chassis location interface
show chassis location interface by-name
<get-interface-location-name-information>
show chassis location interface by-slot
<get-interface-location-information>
show chassis mac-addresses
show chassis multicast-loadbalance
<get-chassis-ae-lb-information>
show chassis network-services
<network-services>
show chassis network-slices
<get-gnf-information>
show chassis nonstop-upgrade
show chassis pic
<get-pic-detail>
show chassis power
<get-power-usage-information>
show chassis power detail
<get-power-usage-information-detail>
show chassis power sequence
show chassis power upgrade
show chassis power-ratings
<get-power-management>
show chassis psd
<get-psd-information>
show chassis redundancy
show chassis redundancy feb
<get-feb-redundancy-information>
284
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
show chassis redundancy feb errors
<get-feb-redundancy-error-information>
show chassis redundancy feb redundancy-group
<get-feb-redundancy-group-information>
show chassis redundant-power-system
<get-rps-chassis-information>
show chassis routing-engine
<get-route-engine-information>
show chassis routing-engine bios
<get-bios-version-information>
show chassis routing-engine bios satellite
<get-chassis-routing-engine-bios-satellite-info>
show chassis routing-engine errors
<get-chassis-routing-engine-errors>
show chassis routing-engine satellite
<get-chassis-routing-engine-satellite-information>
show chassis satellite
<get-chassis-satellite-information>
show chassis satellite extended-port
<get-chassis-satellite-extended-port-information>
show chassis satellite interface
<get-chassis-satellite-interface-information>
show chassis satellite neighbor
<get-chassis-satellite-neighbor-information>
show chassis satellite neighbor statistics
<get-chassis-satellite-neighbor-statistics>
show chassis satellite power-budget-statistics
<get-power-budget-information>
show chassis satellite redundancy-group
<get-chassis-satellite-redundancy-group-info>
show chassis satellite redundancy-group devices
<get-chassis-satellite-redundacy-grp-devices-info>
show chassis satellite redundancy-group devices history
<get-chassis-satellite-redundancy-grp-dev-history>
show chassis satellite software
<get-satellite-management-software-information>
show chassis satellite statistics
<get-chassis-satellite-statistics>
show chassis satellite unprovision
<get-chassis-satellite-unprovision-information>
show chassis satellite upgrade-group
<get-chassis-satellite-upgrade-group-information>
show chassis satellite-cluster
<get-chassis-satellite-cluster-information>
show chassis satellite-cluster route
<get-chassis-satellite-cluster-route>
show chassis satellite-cluster statistics
<get-chassis-satellite-cluster-statistics>
show chassis scb
<get-scb-information>
show chassis service-node
<get-service-node-information>
show chassis sfm
<get-sfm-information>
Copyright © 2017, Juniper Networks, Inc.
285
User Access and Authentication Feature Guide for Routing Devices
show chassis sfm detail
show chassis sibs
<get-sib-information>
show chassis spmb
<get-spmb-information>
show chassis spmb errors
<get-spmb-error-information>
show chassis spmb sibs
<get-spmb-sib-information>
show chassis ssb
<get-ssb-information>
show chassis synchronization
<get-clock-synchronization-information>
show chassis synchronization backup
show chassis synchronization gnss
show chassis synchronization master
show chassis system-mode
<get-system-mode-information>
show chassis temperature-thresholds
<get-temperature-threshold-information>
show chassis temperature-thresholds satellite
<get-chassis-temp-thresholds-satellite-info>
show chassis vcpu
show chassis zones
<get-chassis-zones-information>
show class-of-service
<get-cos-information>
show class-of-service adaptive-shaper
<get-cos-adaptive-shaper-information>
show class-of-service application-traffic-control
show class-of-service application-traffic-control
show class-of-service application-traffic-control
show class-of-service application-traffic-control
<get-appqos-swrl-stat-all>
show class-of-service application-traffic-control
<get-appqos-swrl-stat-name>
show class-of-service application-traffic-control
<get-appqos-swrl-stat-summary>
show class-of-service application-traffic-control
show class-of-service application-traffic-control
show class-of-service application-traffic-control
<get-appqos-rule-statistics>
show class-of-service bind-point
<get-cos-bind-point-feature-information>
show class-of-service bind-point interface
<get-cos-interface-feature-information>
show class-of-service bind-point interface-set
<get-cos-interface-set-feature-information>
show class-of-service bind-point routing-instance
<get-cos-routing-instance-feature-information>
show class-of-service bind-point-ownership
<get-cos-bind-point-ownership-summary>
show class-of-service classifier
<get-cos-classifier-information>
286
counter
rate-limiters
rate-limiters rl-all
rate-limiters rl-name
rate-limiters summary
statistics
statistics rate-limiter
statistics rule
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
show class-of-service client
show class-of-service client internal-id
<get-cos-junos-client-information>
show class-of-service client name
<get-cos-junos-client-information>
show class-of-service client summary
<get-cos-junos-client-summary>
show class-of-service code-point-aliases
<get-cos-code-point-map-information>
show class-of-service congestion-notification
<get-cos-congestion-notification-information>
show class-of-service drop-profile
<get-cos-drop-profile-information>
show class-of-service fabric
show class-of-service fabric scheduler-map
<get-cos-fabric-scheduler-map-information>
show class-of-service fabric statistics
<get-fabric-queue-information>
show class-of-service fabric statistics detail
<get-fabric-queue-detailed-information>
show class-of-service forwarding-class
<get-cos-forwarding-class-information>
show class-of-service forwarding-class-set
<get-cos-forwarding-class-set-information>
show class-of-service forwarding-table
<get-cos-table-information>
show class-of-service forwarding-table classifier
<get-cos-classifier-table-information>
show class-of-service forwarding-table classifier mapping
<get-cos-classifier-table-map-information>
show class-of-service forwarding-table drop-profile
<get-cos-red-information>
show class-of-service forwarding-table fabric
show class-of-service forwarding-table fabric scheduler-map
<get-cos-fwtab-fabric-scheduler-map-information>
show class-of-service forwarding-table forwarding-class-map
<get-cos-forwarding-class-map-table-information>
show class-of-service forwarding-table forwarding-class-map mapping
<get-cos-forwarding-class-map-interface-table-information>
show class-of-service forwarding-table loss-priority-map
<get-cos-loss-priority-map-table-information>
show class-of-service forwarding-table loss-priority-map mapping
<get-cos-loss-priority-map-table-binding-information>
show class-of-service forwarding-table loss-priority-rewrite
<get-cos-loss-priority-rewrite-table-information>
Copyright © 2017, Juniper Networks, Inc.
287
User Access and Authentication Feature Guide for Routing Devices
show class-of-service forwarding-table loss-priority-rewrite mapping
<get-cos-loss-priority-rewrite-table-binding-information>
show class-of-service forwarding-table policer
<get-cos-policer-table-map-information>
show class-of-service forwarding-table policy-map
<get-cos-policy-map-table-information>
show class-of-service forwarding-table policy-map mapping
<get-cos-policy-map-table-map-information>show class-of-service forwarding-table
rewrite-rule
<get-cos-rewrite-table-information>
show class-of-service forwarding-table rewrite-rule mapping
<get-cos-rewrite-table-map-information>
show class-of-service forwarding-table scheduler-map
<get-cos-scheduler-map-table-information>
show class-of-service forwarding-table scheduler-map mapping
<get-scheduler-map-table-map-information>
show class-of-service forwarding-table shaper
<get-cos-shaper-table-map-information>
show class-of-service forwarding-table translation-table
<get-cos-translation-table-information>
show class-of-service forwarding-table translation-table mapping
<get-cos-translation-table-mapping-information>
show class-of-service fragmentation-map
<get-cos-fragmentation-map-information>
show class-of-service interface
<get-cos-interface-map-information>
show class-of-service interface-set
<get-cos-interface-set-map-information>
show class-of-service l2tp-session
<get-cos-l2tp-session-map-information>
show class-of-service loss-priority-map
<get-cos-loss-priority-map-information>
show class-of-service loss-priority-rewrite
<get-cos-loss-priority-rewrite-information>
show class-of-service multi-destination
<get-cos-multi-destination-information>
show class-of-service multi-destination classifier-binding
<get-cos-multi-destination-classifier-binding-information>
show class-of-service packet-buffer
<get-cos-packet-buffer-information>
show class-of-service packet-buffer usage
<get-cos-packet-buffer-usage-information>
show class-of-service policy-map
<get-cos-policy-map-information>
show class-of-service rewrite-rule
<get-cos-rewrite-information>
show class-of-service routing-instance
288
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
<get-cos-routing-instance-map-information>
show class-of-service scheduler-hierarchy
show class-of-service scheduler-hierarchy interface
<get-interface-scheduler-hierarchy-information>
show class-of-service scheduler-hierarchy interface-set
<get-interface-set-scheduler-hierarchy-information>
show class-of-service scheduler-map
<get-cos-scheduler-map-information>
show class-of-service traffic-control-profile
<get-cos-traffic-control-profile-information>
show class-of-service translation-table
<get-cos-translation-table-map-information>
show class-of-service virtual-channel
<get-cos-virtual-channel-information>
show class-of-service virtual-channel-group
<get-cos-virtual-channel-group-information>
show cli
show cli authorization
<get-authorization-information>
show cli commands
show cli commands
show cli directory
<get-current-working-directory>
show cli history
show cloud-analytics
show cloud-analytics connections
<get-cloud-analytics-connections>
show cloud-analytics discovery-service
<get-cloud-analytics-discovery-service>
show cloud-analytics linecard
<get-cloud-analytics-lc>
show cloud-analytics resources
<get-cloud-analytics-resources>
show cloud-analytics resources-sampling
<get-cloud-analytics-resources-sampling>
show cloud-analytics resources-summary
<get-cloud-analytics-resources-summary>
show cloud-analytics sensors
<sensor-information>
show cloud-analytics streaming-policies
<get-cloud-analytics-streaming-policies>
show configuration
show connections
<get-ccc-information>
show database-replication
show database-replication statistics
<get-database-replication-statistics-information>
show database-replication summary
<get-database-replication-summary-information>
show ddos-protection
show ddos-protection protocols
<get-ddos-protocols-information>
Copyright © 2017, Juniper Networks, Inc.
289
User Access and Authentication Feature Guide for Routing Devices
show ddos-protection protocols all-fiber-channel-enode
<get-ddos-all-fc-enode-information>
show ddos-protection protocols all-fiber-channel-enode aggregate
<get-ddos-all-fc-enode-aggregate>
show ddos-protection protocols all-fiber-channel-enode aggregate culprit-flows
<get-ddos-all-fc-enode-aggregate-flows>
show ddos-protection protocols all-fiber-channel-enode culprit-flows
<get-ddos-all-fc-enode-flows>
show ddos-protection protocols all-fiber-channel-enode flow-detection
<get-ddos-all-fc-enode-flow-parameters>
show ddos-protection protocols all-fiber-channel-enode parameters
<get-ddos-all-fc-enode-parameters>
show ddos-protection protocols all-fiber-channel-enode statistics
<get-ddos-all-fc-enode-statistics>
show ddos-protection protocols all-fiber-channel-enode violations
<get-ddos-all-fc-enode-violations>
show ddos-protection protocols amtv4
show ddos-protection protocols amtv4 aggregate
show ddos-protection protocols amtv4 aggregate culprit-flows
show ddos-protection protocols amtv4 culprit-flows
show ddos-protection protocols amtv4 flow-detection
show ddos-protection protocols amtv4 parameters
show ddos-protection protocols amtv4 statistics
show ddos-protection protocols amtv4 violations
show ddos-protection protocols amtv6
show ddos-protection protocols amtv6 aggregate
show ddos-protection protocols amtv6 aggregate culprit-flows
show ddos-protection protocols amtv6 culprit-flows
show ddos-protection protocols amtv6 flow-detection
show ddos-protection protocols amtv6 statistics
show ddos-protection protocols amtv6 violations
show ddos-protection protocols ancp
<get-ddos-ancp-information>
show ddos-protection protocols ancp aggregate
<get-ddos-ancp-aggregate>
show ddos-protection protocols ancp parameters
<get-ddos-ancp-parameters>
show ddos-protection protocols ancp statistics
<get-ddos-ancp-statistics>
show ddos-protection protocols ancp violations
<get-ddos-ancp-violations>
show ddos-protection protocols ancpv6
<get-ddos-ancpv6-information>
show ddos-protection protocols ancpv6 aggregate
get-ddos-ancpv6-aggregate
show ddos-protection protocols ancpv6 parameters
get-ddos-ancpv6-parameters
show ddos-protection protocols ancpv6 statistics
get-ddos-ancpv6-statistics
show ddos-protection protocols ancpv6 violations
get-ddos-ancpv6-violations
show ddos-protection protocols arp
get-ddos-arp-information
show ddos-protection protocols arp aggregate
get-ddos-arp-aggregate
show ddos-protection protocols arp parameters
get-ddos-arp-parameters
290
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
show ddos-protection protocols arp statistics
get-ddos-arp-statistics
show ddos-protection protocols arp violations
get-ddos-arp-violations
show ddos-protection protocols arp-snoop
<get-ddos-arp-snoop-information>
show ddos-protection protocols arp-snoop aggregate
<get-ddos-arp-snoop-aggregate>
show ddos-protection protocols arp-snoop aggregate culprit-flows
<get-ddos-arp-snoop-aggregate-flows>
show ddos-protection protocols arp-snoop culprit-flows
<get-ddos-arp-snoop-flows>
show ddos-protection protocols arp-snoop flow-detection
<get-ddos-arp-snoop-flow-parameters>
show ddos-protection protocols arp-snoop parameters
<get-ddos-arp-snoop-parameters>
show ddos-protection protocols arp-snoop statistics
<get-ddos-arp-snoop-statistics>
show ddos-protection protocols arp-snoop violations
<get-ddos-arp-snoop-violations>
show ddos-protection protocols atm
get-ddos-atm-information
show ddos-protection protocols atm aggregate
get-ddos-atm-aggregate
show ddos-protection protocols atm parameters
get-ddos-atm-parameters
show ddos-protection protocols atm statistics
get-ddos-atm-statistics
show ddos-protection protocols atm violations
get-ddos-atm-violations
show ddos-protection protocols bfd
get-ddos-bfd-information
show ddos-protection protocols bfd aggregate
get-ddos-bfd-aggregate
show ddos-protection protocols bfd parameters
get-ddos-bfd-parameters
show ddos-protection protocols bfd statistics
get-ddos-bfd-statistics
show ddos-protection protocols bfd violations
get-ddos-bfd-violations
show ddos-protection protocols bfdv6
get-ddos-bfdv6-information
show ddos-protection protocols bfdv6 aggregate
get-ddos-bfdv6-aggregate
show ddos-protection protocols bfdv6 parameters
get-ddos-bfdv6-parameters
show ddos-protection protocols bfdv6 statistics
get-ddos-bfdv6-statistics
show ddos-protection protocols bfdv6 violations
get-ddos-bfdv6-violations
show ddos-protection protocols bgp
get-ddos-bgp-information
show ddos-protection protocols bgp aggregate
get-ddos-bgp-aggregate
show ddos-protection protocols bgp parameters
get-ddos-bgp-parameters
show ddos-protection protocols bgp statistics
get-ddos-bgp-statistics
show ddos-protection protocols bgp violations
get-ddos-bgp-violations
show ddos-protection protocols bgpv6
Copyright © 2017, Juniper Networks, Inc.
291
User Access and Authentication Feature Guide for Routing Devices
get-ddos-bgpv6-information
show ddos-protection protocols bgpv6 aggregate
get-ddos-bgpv6-aggregate
show ddos-protection protocols bgpv6 parameters
get-ddos-bgpv6-parameters
show ddos-protection protocols bgpv6 statistics
get-ddos-bgpv6-statistics
show ddos-protection protocols bgpv6 violations
get-ddos-bgpv6-violations
show ddos-protection protocols bridge-control
<get-ddos-brg-ctrl-information>
show ddos-protection protocols bridge-control aggregate
<get-ddos-brg-ctrl-aggregate>
show ddos-protection protocols bridge-control aggregate culprit-flows
<get-ddos-brg-ctrl-aggregate-flows>
show ddos-protection protocols bridge-control culprit-flows
<get-ddos-brg-ctrl-flows>
show ddos-protection protocols bridge-control flow-detection
<get-ddos-brg-ctrl-flow-parameters>
show ddos-protection protocols bridge-control parameters
<get-ddos-brg-ctrl-parameters>
show ddos-protection protocols bridge-control statistics
<get-ddos-brg-ctrl-statistics>
show ddos-protection protocols bridge-control violations
<get-ddos-brg-ctrl-violations>show ddos-protection protocols demux-autosense
get-ddos-demuxauto-information
show ddos-protection protocols demux-autosense aggregate
get-ddos-demuxauto-aggregate
show ddos-protection protocols demux-autosense parameters
get-ddos-demuxauto-parameters
show ddos-protection protocols demux-autosense statistics
get-ddos-demuxauto-statistics
show ddos-protection protocols demux-autosense violations
get-ddos-demuxauto-violations
show ddos-protection protocols dhcpv4
get-ddos-dhcpv4-information
show ddos-protection protocols dhcpv4 ack
get-ddos-dhcpv4-ack
show ddos-protection protocols dhcpv4 aggregate
get-ddos-dhcpv4-aggregate
show ddos-protection protocols dhcpv4 bad-packets
get-ddos-dhcpv4-bad-pack
show ddos-protection protocols dhcpv4 bootp
get-ddos-dhcpv4-bootp
show ddos-protection protocols dhcpv4 decline
get-ddos-dhcpv4-decline
show ddos-protection protocols dhcpv4 discover
get-ddos-dhcpv4-discover
show ddos-protection protocols dhcpv4 force-renew
get-ddos-dhcpv4-forcerenew
show ddos-protection protocols dhcpv4 inform
get-ddos-dhcpv4-inform
show ddos-protection protocols dhcpv4 lease-active
get-ddos-dhcpv4-leaseact
show ddos-protection protocols dhcpv4 lease-query
get-ddos-dhcpv4-leasequery
show ddos-protection protocols dhcpv4 lease-unassigned
get-ddos-dhcpv4-leaseuna
show ddos-protection protocols dhcpv4 lease-unknown
get-ddos-dhcpv4-leaseunk
show ddos-protection protocols dhcpv4 nak
292
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
get-ddos-dhcpv4-nak
show ddos-protection protocols dhcpv4 no-message-type
get-ddos-dhcpv4-no-msgtype
show ddos-protection protocols dhcpv4 offer
get-ddos-dhcpv4-offer
show ddos-protection protocols dhcpv4 offer culprit-flows
show ddos-protection protocols dhcpv4 parameters
get-ddos-dhcpv4-parameters
show ddos-protection protocols dhcpv4 release
get-ddos-dhcpv4-release
show ddos-protection protocols dhcpv4 renew
get-ddos-dhcpv4-renew
show ddos-protection protocols dhcpv4 request
get-ddos-dhcpv4-request
show ddos-protection protocols dhcpv4 statistics
get-ddos-dhcpv4-statistics
show ddos-protection protocols dhcpv4 unclassified
get-ddos-dhcpv4-unclass
show ddos-protection protocols dhcpv4 violations
get-ddos-dhcpv4-violations
show ddos-protection protocols dhcpv4v6
<get-ddos-dhcpv4v6-information>
show ddos-protection protocols dhcpv4v6 aggregate
<get-ddos-dhcpv4v6-aggregate>
show ddos-protection protocols dhcpv4v6 aggregate culprit-flows
<get-ddos-dhcpv4v6-aggregate-flows>
show ddos-protection protocols dhcpv4v6 culprit-flows
<get-ddos-dhcpv4v6-flows>
show ddos-protection protocols dhcpv4v6 flow-detection
<get-ddos-dhcpv4v6-flow-parameters>
show ddos-protection protocols dhcpv4v6 parameters
<get-ddos-dhcpv4v6-parameters>
show ddos-protection protocols dhcpv4v6 statistics
<get-ddos-dhcpv4v6-statistics>
show ddos-protection protocols dhcpv4v6 violations
<get-ddos-dhcpv4v6-violations>
show ddos-protection protocols dhcpv6
get-ddos-dhcpv6-information
show ddos-protection protocols dhcpv6 advertise
get-ddos-dhcpv6-advertise
show ddos-protection protocols dhcpv6 advertise culprit-flows
show ddos-protection protocols dhcpv6 aggregate
get-ddos-dhcpv6-aggregate
show ddos-protection protocols dhcpv6 confirm
get-ddos-dhcpv6-confirm
show ddos-protection protocols dhcpv6 decline
get-ddos-dhcpv6-decline
show ddos-protection protocols dhcpv6 information-request
get-ddos-dhcpv6-info-req
show ddos-protection protocols dhcpv6 leasequery
get-ddos-dhcpv6-leasequery
show ddos-protection protocols dhcpv6 leasequery culprit-flows
show ddos-protection protocols dhcpv6 leasequery-data
get-ddos-dhcpv6-leaseq-da
show ddos-protection protocols dhcpv6 leasequery-done
get-ddos-dhcpv6-leaseq-do
show ddos-protection protocols dhcpv6 leasequery-reply
get-ddos-dhcpv6-leaseq-re
show ddos-protection protocols dhcpv6 parameters
get-ddos-dhcpv6-parameters
show ddos-protection protocols dhcpv6 rebind
Copyright © 2017, Juniper Networks, Inc.
293
User Access and Authentication Feature Guide for Routing Devices
get-ddos-dhcpv6-rebind
show ddos-protection protocols dhcpv6 reconfigure
get-ddos-dhcpv6-reconfig
show ddos-protection protocols dhcpv6 relay-forward
get-ddos-dhcpv6-relay-for
show ddos-protection protocols dhcpv6 relay-reply
get-ddos-dhcpv6-relay-rep
show ddos-protection protocols dhcpv6 release
get-ddos-dhcpv6-release
show ddos-protection protocols dhcpv6 renew
get-ddos-dhcpv6-renew
show ddos-protection protocols dhcpv6 reply
get-ddos-dhcpv6-reply
show ddos-protection protocols dhcpv6 request
get-ddos-dhcpv6-request
show ddos-protection protocols dhcpv6 solicit
get-ddos-dhcpv6-solicit
show ddos-protection protocols dhcpv6 statistics
get-ddos-dhcpv6-statistics
show ddos-protection protocols dhcpv6 unclassified
get-ddos-dhcpv6-unclass
show ddos-protection protocols dhcpv6 unclassified culprit-flows
show ddos-protection protocols dhcpv6 violations
get-ddos-dhcpv6-violations
show ddos-protection protocols diameter
get-ddos-diameter-information
show ddos-protection protocols diameter aggregate
get-ddos-diameter-aggregate
show ddos-protection protocols diameter parameters
get-ddos-diameter-parameters
show ddos-protection protocols diameter statistics
get-ddos-diameter-statistics
show ddos-protection protocols diameter violations
get-ddos-diameter-violations
show ddos-protection protocols dns
get-ddos-dns-information
show ddos-protection protocols dns aggregate
get-ddos-dns-aggregate
show ddos-protection protocols dns parameters
get-ddos-dns-parameters
show ddos-protection protocols dns statistics
get-ddos-dns-statistics
show ddos-protection protocols dns violations
get-ddos-dns-violations
show ddos-protection protocols dtcp
get-ddos-dtcp-information
show ddos-protection protocols dtcp aggregate
get-ddos-dtcp-aggregate
show ddos-protection protocols dtcp aggregate culprit-flows
show ddos-protection protocols dtcp parameters
get-ddos-dtcp-parameters
show ddos-protection protocols dtcp statistics
get-ddos-dtcp-statistics
show ddos-protection protocols dtcp violations
get-ddos-dtcp-violations
show ddos-protection protocols dynamic-vlan
get-ddos-dynvlan-information
show ddos-protection protocols dynamic-vlan aggregate
get-ddos-dynvlan-aggregate
show ddos-protection protocols dynamic-vlan parameters
get-ddos-dynvlan-parameters
294
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
show ddos-protection protocols dynamic-vlan statistics
get-ddos-dynvlan-statistics
show ddos-protection protocols dynamic-vlan violations
get-ddos-dynvlan-violations
show ddos-protection protocols egpv6
get-ddos-egpv6-information
show ddos-protection protocols egpv6 aggregate
get-ddos-egpv6-aggregate
show ddos-protection protocols egpv6 parameters
get-ddos-egpv6-parameters
show ddos-protection protocols egpv6 statistics
get-ddos-egpv6-statistics
show ddos-protection protocols egpv6 violations
get-ddos-egpv6-violations
show ddos-protection protocols eoam
get-ddos-eoam-information
show ddos-protection protocols eoam aggregate
get-ddos-eoam-aggregate
show ddos-protection protocols eoam parameters
get-ddos-eoam-parameters
show ddos-protection protocols eoam statistics
get-ddos-eoam-statistics
show ddos-protection protocols eoam violations
get-ddos-eoam-violations
show ddos-protection protocols esmc
get-ddos-esmc-information
show ddos-protection protocols esmc aggregate
get-ddos-esmc-aggregate
show ddos-protection protocols esmc parameters
get-ddos-esmc-parameters
show ddos-protection protocols esmc statistics
get-ddos-esmc-statistics
show ddos-protection protocols esmc violations
get-ddos-esmc-violations
show ddos-protection protocols ethernet-tcc
<get-ddos-eth-tcc-information>
show ddos-protection protocols ethernet-tcc aggregate
<get-ddos-eth-tcc-aggregate>
show ddos-protection protocols ethernet-tcc aggregate culprit-flows
<get-ddos-eth-tcc-aggregate-flows>
show ddos-protection protocols ethernet-tcc culprit-flows
<get-ddos-eth-tcc-flows>
show ddos-protection protocols ethernet-tcc flow-detection
<get-ddos-eth-tcc-flow-parameters>
show ddos-protection protocols ethernet-tcc parameters
<get-ddos-eth-tcc-parameters>
show ddos-protection protocols ethernet-tcc statistics
<get-ddos-eth-tcc-statistics>
show ddos-protection protocols ethernet-tcc violations
<get-ddos-eth-tcc-violations>
show ddos-protection protocols exceptions
<get-ddos-exception-information>
show ddos-protection protocols exceptions aggregate
<get-ddos-exception-aggregate>
show ddos-protection protocols exceptions aggregate culprit-flows
<get-ddos-exception-aggregate-flows>
show ddos-protection protocols exceptions culprit-flows
<get-ddos-exception-flows>
show ddos-protection protocols exceptions flow-detection
<get-ddos-exception-flow-parameters>
show ddos-protection protocols exceptions mcast-rpf-err
Copyright © 2017, Juniper Networks, Inc.
295
User Access and Authentication Feature Guide for Routing Devices
<get-ddos-exception-mcast-rpf>
show ddos-protection protocols exceptions
<get-ddos-exception-mcast-rpf-flows>
show ddos-protection protocols exceptions
<get-ddos-exception-mtu-exceed>
show ddos-protection protocols exceptions
<get-ddos-exception-mtu-exceed-flows>
show ddos-protection protocols exceptions
<get-ddos-exception-parameters>
show ddos-protection protocols exceptions
<get-ddos-exception-statistics>
show ddos-protection protocols exceptions
<get-ddos-exception-unclass>
show ddos-protection protocols exceptions
<get-ddos-exception-unclass-flows>
show ddos-protection protocols exceptions
<get-ddos-exception-violations>
mcast-rpf-err culprit-flows
mtu-exceeded
mtu-exceeded culprit-flows
parameters
statistics
unclassified
unclassified culprit-flows
violations
show ddos-protection protocols fab-probe
<get-ddos-fab-probe-information>
show ddos-protection protocols fab-probe aggregate
<get-ddos-fab-probe-aggregate>
show ddos-protection protocols fab-probe parameters
<get-ddos-fab-probe-parameters>
show ddos-protection protocols fab-probe statistics
<get-ddos-fab-probe-statistics>
show ddos-protection protocols fab-probe violations
<get-ddos-fab-probe-violations>
show ddos-protection protocols firewall-host
get-ddos-fw-host-information
show ddos-protection protocols firewall-host aggregate
get-ddos-fw-host-aggregate
show ddos-protection protocols firewall-host parameters
get-ddos-fw-host-parameters
show ddos-protection protocols firewall-host statistics
get-ddos-fw-host-statistics
show ddos-protection protocols firewall-host violations
get-ddos-fw-host-violations
show ddos-protection protocols
get-ddos-ftp-information
show ddos-protection protocols
get-ddos-ftp-aggregate
show ddos-protection protocols
get-ddos-ftp-parameters
show ddos-protection protocols
get-ddos-ftp-statistics
show ddos-protection protocols
get-ddos-ftp-violations
show ddos-protection protocols
get-ddos-ftpv6-information
show ddos-protection protocols
get-ddos-ftpv6-aggregate
show ddos-protection protocols
get-ddos-ftpv6-parameters
show ddos-protection protocols
get-ddos-ftpv6-statistics
show ddos-protection protocols
get-ddos-ftpv6-violations
show ddos-protection protocols
296
ftp
ftp aggregate
ftp parameters
ftp statistics
ftp violations
ftpv6
ftpv6 aggregate
ftpv6 parameters
ftpv6 statistics
ftpv6 violations
garp-reply
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
<get-ddos-garp-reply-information>
show ddos-protection protocols garp-reply aggregate
<get-ddos-garp-reply-aggregate>
show ddos-protection protocols garp-reply aggregate culprit-flows
<get-ddos-garp-reply-aggregate-flows>
show ddos-protection protocols garp-reply culprit-flows
<get-ddos-garp-reply-flows>
show ddos-protection protocols garp-reply flow-detection
<get-ddos-garp-reply-flow-parameters>
show ddos-protection protocols garp-reply parameters
<get-ddos-garp-reply-parameters>
show ddos-protection protocols garp-reply statistics
<get-ddos-garp-reply-statistics>
show ddos-protection protocols garp-reply violations
<get-ddos-garp-reply-violations>
show ddos-protection protocols gre
get-ddos-gre-information
show ddos-protection protocols gre aggregate
get-ddos-gre-aggregate
show ddos-protection protocols gre hbc
<get-ddos-gre-hbc>
show ddos-protection protocols gre hbc culprit-flows
<get-ddos-gre-hbc-flows>
show ddos-protection protocols gre parameters
get-ddos-gre-parameters
show ddos-protection protocols gre punt
<get-ddos-gre-punt>
show ddos-protection protocols gre punt culprit-flows
<get-ddos-gre-punt-flows>
show ddos-protection protocols gre statistics
get-ddos-gre-statistics
show ddos-protection protocols gre violations
get-ddos-gre-violations
show ddos-protection protocols icmp
get-ddos-icmp-information
show ddos-protection protocols icmp aggregate
get-ddos-icmp-aggregate
show ddos-protection protocols icmp parameters
get-ddos-icmp-parameters
show ddos-protection protocols icmp statistics
get-ddos-icmp-statistics
show ddos-protection protocols icmp violations
get-ddos-icmp-violations
show ddos-protection protocols icmpv6
<get-ddos-icmpv6-information>
show ddos-protection protocols icmpv6 aggregate
<get-ddos-icmpv6-aggregate>
show ddos-protection protocols icmpv6 aggregate culprit-flows
<get-ddos-icmpv6-aggregate-flows>
show ddos-protection protocols icmpv6 parameters
<get-ddos-icmpv6-parameters>
show ddos-protection protocols icmpv6 statistics
<get-ddos-icmpv6-statistics>
show ddos-protection protocols icmpv6 violations
<get-ddos-icmpv6-violations>
show ddos-protection protocols igmp
get-ddos-igmp-information
show ddos-protection protocols igmp aggregate
get-ddos-igmp-aggregate
show ddos-protection protocols igmp aggregate culprit-flows
show ddos-protection protocols igmp parameters
Copyright © 2017, Juniper Networks, Inc.
297
User Access and Authentication Feature Guide for Routing Devices
get-ddos-igmp-parameters
show ddos-protection protocols igmp statistics
get-ddos-igmp-statistics
show ddos-protection protocols igmp violations
get-ddos-igmp-violations
show ddos-protection protocols igmp-snoop
get-ddos-igmp-snoop-information
show ddos-protection protocols igmp-snoop aggregate
get-ddos-igmp-snoop-aggregate
show ddos-protection protocols igmp-snoop parameters
get-ddos-igmp-snoop-parameters
show ddos-protection protocols igmp-snoop statistics
get-ddos-igmp-snoop-statistics
show ddos-protection protocols igmp-snoop violations
get-ddos-igmp-snoop-violations
show ddos-protection protocols igmpv4v6
get-ddos-igmpv4v6-information
show ddos-protection protocols igmpv4v6 aggregate
get-ddos-igmpv4v6-aggregate
show ddos-protection protocols igmpv4v6 aggregate culprit-flows
show ddos-protection protocols igmpv4v6 parameters
get-ddos-igmpv4v6-parameters
show ddos-protection protocols igmpv4v6 statistics
get-ddos-igmpv4v6-statistics
show ddos-protection protocols igmpv4v6 violations
get-ddos-igmpv4v6-violations
show ddos-protection protocols igmpv6
get-ddos-igmpv6-information
show ddos-protection protocols igmpv6 aggregate
get-ddos-igmpv6-aggregate
show ddos-protection protocols igmpv6 parameters
get-ddos-igmpv6-parameters
show ddos-protection protocols igmpv6 statistics
get-ddos-igmpv6-statistics
show ddos-protection protocols igmpv6 violations
get-ddos-igmpv6-violations
show ddos-protection protocols ip-fragments
get-ddos-ip-frag-information
show ddos-protection protocols ip-fragments aggregate
get-ddos-ip-frag-aggregate
show ddos-protection protocols ip-fragments first-fragment
get-ddos-ip-frag-first-frag
show ddos-protection protocols ip-fragments parameters
get-ddos-ip-frag-parameters
show ddos-protection protocols ip-fragments statistics
get-ddos-ip-frag-statistics
show ddos-protection protocols ip-fragments trail-fragment
get-ddos-ip-frag-trail-frag
show ddos-protection protocols ip-fragments violations
get-ddos-ip-frag-violations
show ddos-protection protocols ip-options
get-ddos-ip-opt-information
show ddos-protection protocols ip-options aggregate
get-ddos-ip-opt-aggregate
show ddos-protection protocols ip-options non-v4v6
<get-ddos-ip-opt-non-v4v6>
show ddos-protection protocols ip-options parameters
get-ddos-ip-opt-parameters
show ddos-protection protocols ip-options router-alert
get-ddos-ip-opt-rt-alert
show ddos-protection protocols ip-options statistics
298
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
get-ddos-ip-opt-statistics
show ddos-protection protocols ip-options unclassified
get-ddos-ip-opt-unclass
show ddos-protection protocols ipmc-reserved culprit-flows
<get-ddos-ipmc-reserved-flows>
show ddos-protection protocols ipmc-reserved flow-detection
<get-ddos-ipmc-reserved-flow-parameters>
show ddos-protection protocols ipmc-reserved parameters
<get-ddos-ipmc-reserved-parameters>
show ddos-protection protocols ipmc-reserved statistics
<get-ddos-ipmc-reserved-statistics>
show ddos-protection protocols ipmc-reserved violations
<get-ddos-ipmc-reserved-violations>
show ddos-protection protocols ipmcast-miss
<get-ddos-ipmcast-miss-information>
show ddos-protection protocols ipmcast-miss aggregate
<get-ddos-ipmcast-miss-aggregate>
show ddos-protection protocols ipmcast-miss aggregate culprit-flows
<get-ddos-ipmcast-miss-aggregate-flows>
show ddos-protection protocols ipmcast-miss culprit-flows
<get-ddos-ipmcast-miss-flows>
show ddos-protection protocols ipmcast-miss flow-detection
<get-ddos-ipmcast-miss-flow-parameters>
show ddos-protection protocols ipmcast-miss parameters
<get-ddos-ipmcast-miss-parameters>
show ddos-protection protocols ipmcast-miss statistics
<get-ddos-ipmcast-miss-statistics>
show ddos-protection protocols ipmcast-miss violations
<get-ddos-ipmcast-miss-violations>
show ddos-protection protocols ip-options violations
get-ddos-ip-opt-violations
show ddos-protection protocols ipv4-unclassified
get-ddos-ipv4-uncls-information
show ddos-protection protocols ipv4-unclassified aggregate
get-ddos-ipv4-uncls-aggregate
show ddos-protection protocols ipv4-unclassified parameters
get-ddos-ipv4-uncls-parameters
show ddos-protection protocols ipv4-unclassified statistics
get-ddos-ipv4-uncls-statistics
show ddos-protection protocols ipv4-unclassified violations
get-ddos-ipv4-uncls-violations
show ddos-protection protocols ipv6-unclassified
get-ddos-ipv6-uncls-information
show ddos-protection protocols ipv6-unclassified aggregate
get-ddos-ipv6-uncls-aggregate
show ddos-protection protocols ipv6-unclassified parameters
get-ddos-ipv6-uncls-parameters
show ddos-protection protocols ipv6-unclassified statistics
get-ddos-ipv6-uncls-statistics
show ddos-protection protocols ipv6-unclassified violations
get-ddos-ipv6-uncls-violations
show ddos-protection protocols isis
get-ddos-isis-information
show ddos-protection protocols isis aggregate
get-ddos-isis-aggregate
show ddos-protection protocols isis parameters
get-ddos-isis-parameters
show ddos-protection protocols isis statistics
get-ddos-isis-statistics
show ddos-protection protocols isis violations
get-ddos-isis-violations
Copyright © 2017, Juniper Networks, Inc.
299
User Access and Authentication Feature Guide for Routing Devices
show ddos-protection protocols iso-tcc
<get-ddos-iso-tcc-information>
show ddos-protection protocols iso-tcc aggregate
<get-ddos-iso-tcc-aggregate>
show ddos-protection protocols iso-tcc aggregate culprit-flows
<get-ddos-iso-tcc-aggregate-flows>
show ddos-protection protocols iso-tcc culprit-flows
<get-ddos-iso-tcc-flows>
show ddos-protection protocols iso-tcc flow-detection
<get-ddos-iso-tcc-flow-parameters>
show ddos-protection protocols iso-tcc parameters
<get-ddos-iso-tcc-parameters>
show ddos-protection protocols iso-tcc statistics
<get-ddos-iso-tcc-statistics>
show ddos-protection protocols iso-tcc violations
<get-ddos-iso-tcc-violations>
show ddos-protection protocols jfm
get-ddos-jfm-information
show ddos-protection protocols jfm aggregate
get-ddos-jfm-aggregate
show ddos-protection protocols jfm parameters
get-ddos-jfm-parameters
show ddos-protection protocols jfm statistics
get-ddos-jfm-statistics
show ddos-protection protocols jfm violations
get-ddos-jfm-violations
show ddos-protection protocols l2tp
get-ddos-l2tp-information
show ddos-protection protocols l2tp aggregate
get-ddos-l2tp-aggregate
show ddos-protection protocols l2tp parameters
get-ddos-l2tp-parameters
show ddos-protection protocols l2tp statistics
get-ddos-l2tp-statistics
show ddos-protection protocols l2tp violations
get-ddos-l2tp-violations
show ddos-protection protocols l3dest-miss
<get-ddos-l3dest-miss-information>
show ddos-protection protocols l3dest-miss aggregate
<get-ddos-l3dest-miss-aggregate>
show ddos-protection protocols l3dest-miss aggregate culprit-flows
<get-ddos-l3dest-miss-aggregate-flows>
show ddos-protection protocols l3dest-miss culprit-flows
<get-ddos-l3dest-miss-flows>
show ddos-protection protocols l3dest-miss flow-detection
<get-ddos-l3dest-miss-flow-parameters>
show ddos-protection protocols l3dest-miss parameters
<get-ddos-l3dest-miss-parameters>
show ddos-protection protocols l3dest-miss statistics
<get-ddos-l3dest-miss-statistics>
show ddos-protection protocols l3dest-miss violations
<get-ddos-l3dest-miss-violations>
show ddos-protection protocols l3mc-sgv-hit-icl
<get-ddos-l3mc-sgv-hit-icl-information>
show ddos-protection protocols l3mc-sgv-hit-icl aggregate
<get-ddos-l3mc-sgv-hit-icl-aggregate>
show ddos-protection protocols l3mc-sgv-hit-icl aggregate culprit-flows
<get-ddos-l3mc-sgv-hit-icl-aggregate-flows>
show ddos-protection protocols l3mc-sgv-hit-icl culprit-flows
<get-ddos-l3mc-sgv-hit-icl-flows>
show ddos-protection protocols l3mc-sgv-hit-icl flow-detection
300
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
<get-ddos-l3mc-sgv-hit-icl-flow-parameters>
show ddos-protection protocols l3mc-sgv-hit-icl parameters
<get-ddos-l3mc-sgv-hit-icl-parameters>
show ddos-protection protocols l3mc-sgv-hit-icl statistics
<get-ddos-l3mc-sgv-hit-icl-statistics>
show ddos-protection protocols l3mc-sgv-hit-icl violations
<get-ddos-l3mc-sgv-hit-icl-violations>
show ddos-protection protocols l3mtu-fail
<get-ddos-l3mtu-fail-information>
show ddos-protection protocols l3mtu-fail aggregate
<get-ddos-l3mtu-fail-aggregate>
show ddos-protection protocols l3mtu-fail aggregate culprit-flows
<get-ddos-l3mtu-fail-aggregate-flows>
show ddos-protection protocols l3mtu-fail culprit-flows
<get-ddos-l3mtu-fail-flows>
show ddos-protection protocols l3mtu-fail flow-detection
<get-ddos-l3mtu-fail-flow-parameters>
show ddos-protection protocols l3mtu-fail parameters
<get-ddos-l3mtu-fail-parameters>
show ddos-protection protocols l3mtu-fail statistics
<get-ddos-l3mtu-fail-statistics>
show ddos-protection protocols l3mtu-fail violations
<get-ddos-l3mtu-fail-violations>
show ddos-protection protocols l3nhop
<get-ddos-l3nhop-information>
show ddos-protection protocols l3nhop aggregate
<get-ddos-l3nhop-aggregate>
show ddos-protection protocols l3nhop aggregate culprit-flows
<get-ddos-l3nhop-aggregate-flows>
show ddos-protection protocols l3nhop culprit-flows
<get-ddos-l3nhop-flows>
show ddos-protection protocols l3nhop flow-detection
<get-ddos-l3nhop-flow-parameters>
show ddos-protection protocols l3nhop parameters
<get-ddos-l3nhop-parameters>
show ddos-protection protocols l3nhop statistics
<get-ddos-l3nhop-statistics>
show ddos-protection protocols l3nhop violations
<get-ddos-l3nhop-violations>
show ddos-protection protocols lacp
<get-ddos-lacp-information>
show ddos-protection protocols lacp aggregate
<get-ddos-lacp-aggregate>
show ddos-protection protocols lacp parameters
<get-ddos-lacp-parameters>
show ddos-protection protocols lacp statistics
<get-ddos-lacp-statistics>
show ddos-protection protocols lacp violations
<get-ddos-lacp-violations>
show ddos-protection protocols ldp
<get-ddos-ldp-information>
show ddos-protection protocols ldp aggregate
<get-ddos-ldp-aggregate>
show ddos-protection protocols ldp parameters
<get-ddos-ldp-parameters>
show ddos-protection protocols ldp statistics
<get-ddos-ldp-statistics>
show ddos-protection protocols ldp violations
<get-ddos-ldp-violations>
show ddos-protection protocols ldp-hello
<get-ddos-ldp-hello-information>
Copyright © 2017, Juniper Networks, Inc.
301
User Access and Authentication Feature Guide for Routing Devices
show ddos-protection protocols ldp-hello aggregate
<get-ddos-ldp-hello-aggregate>
show ddos-protection protocols ldp-hello aggregate culprit-flows
<get-ddos-ldp-hello-aggregate-flows>
show ddos-protection protocols ldp-hello culprit-flows
<get-ddos-ldp-hello-flows>
show ddos-protection protocols ldp-hello flow-detection
<get-ddos-ldp-hello-flow-parameters>
show ddos-protection protocols ldp-hello parameters
<get-ddos-ldp-hello-parameters>
show ddos-protection protocols ldp-hello statistics
<get-ddos-ldp-hello-statistics>
show ddos-protection protocols ldp-hello violations
<get-ddos-ldp-hello-violations>
show ddos-protection protocols ldpv6
<get-ddos-ldpv6-information>
show ddos-protection protocols ldpv6 aggregate
<get-ddos-ldpv6-aggregate>
show ddos-protection protocols ldpv6 parameters
<get-ddos-ldpv6-parameters>
show ddos-protection protocols ldpv6 statistics
<get-ddos-ldpv6-statistics>
show ddos-protection protocols ldpv6 violations
<get-ddos-ldpv6-violations>
show ddos-protection protocols lldp
<get-ddos-lldp-information>
show ddos-protection protocols lldp aggregate
<get-ddos-lldp-aggregate>
show ddos-protection protocols lldp parameters
<get-ddos-lldp-parameters>
show ddos-protection protocols lldp statistics
<get-ddos-lldp-statistics>
show ddos-protection protocols lldp violations
<get-ddos-lldp-violations>
show ddos-protection protocols lmp
<get-ddos-lmp-information>
show ddos-protection protocols lmp aggregate
<get-ddos-lmp-aggregate>
show ddos-protection protocols lmp parameters
<get-ddos-lmp-parameters>
show ddos-protection protocols lmp statistics
<get-ddos-lmp-statistics>
show ddos-protection protocols lmp violations
<get-ddos-lmp-violations>
show ddos-protection protocols lmpv6
<get-ddos-lmpv6-information>
show ddos-protection protocols lmpv6 aggregate
<get-ddos-lmpv6-aggregate>
show ddos-protection protocols lmpv6 parameters
<get-ddos-lmpv6-parameters>
show ddos-protection protocols lmpv6 statistics
<get-ddos-lmpv6-statistics>
show ddos-protection protocols lmpv6 violations
<get-ddos-lmpv6-violations>
show ddos-protection protocols localnh
<get-ddos-localnh-information>
show ddos-protection protocols localnh aggregate
<get-ddos-localnh-aggregate>
show ddos-protection protocols localnh aggregate culprit-flows
<get-ddos-localnh-aggregate-flows>
show ddos-protection protocols localnh culprit-flows
302
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
<get-ddos-localnh-flows>
show ddos-protection protocols localnh flow-detection
<get-ddos-localnh-flow-parameters>
show ddos-protection protocols localnh parameters
<get-ddos-localnh-parameters>
show ddos-protection protocols localnh statistics
<get-ddos-localnh-statistics>
show ddos-protection protocols localnh violations
<get-ddos-localnh-violations>
show ddos-protection protocols mac-host
<get-ddos-mac-host-information>
show ddos-protection protocols mac-host aggregate
<get-ddos-mac-host-aggregate>
show ddos-protection protocols mac-host aggregate culprit-flows
<get-ddos-mac-host-aggregate-flows>
show ddos-protection protocols mac-host culprit-flows
<get-ddos-mac-host-flows>
show ddos-protection protocols mac-host flow-detection
<get-ddos-mac-host-flow-parameters>
show ddos-protection protocols mac-host parameters
<get-ddos-mac-host-parameters>
show ddos-protection protocols mac-host statistics
<get-ddos-mac-host-statistics>
show ddos-protection protocols mac-host violations
<get-ddos-mac-host-violations>
show ddos-protection protocols martian-address
<get-ddos-martian-address-information>
show ddos-protection protocols martian-address aggregate
<get-ddos-martian-address-aggregate>
show ddos-protection protocols martian-address aggregate culprit-flows
<get-ddos-martian-address-aggregate-flows>
show ddos-protection protocols martian-address culprit-flows
<get-ddos-martian-address-flows>
show ddos-protection protocols martian-address flow-detection
<get-ddos-martian-address-flow-parameters>
show ddos-protection protocols martian-address parameters
<get-ddos-martian-address-parameters>
show ddos-protection protocols martian-address statistics
<get-ddos-martian-address-statistics>
show ddos-protection protocols martian-address violations
<get-ddos-martian-address-violations>
show ddos-protection protocols mac-host
<get-ddos-mac-host-information>
show ddos-protection protocols mac-host aggregate
<get-ddos-mac-host-aggregate>
show ddos-protection protocols mac-host parameters
<get-ddos-mac-host-parameters>
show ddos-protection protocols mac-host statistics
<get-ddos-mac-host-statistics>
show ddos-protection protocols mac-host violations
<get-ddos-mac-host-violations>
show ddos-protection protocols mcast-snoop mld
<get-ddos-mcast-snoop-mld>
show ddos-protection protocols mcast-snoop mld culprit-flows
<get-ddos-mcast-snoop-mld-flows>
show ddos-protection protocols mld
<get-ddos-mld-information>
show ddos-protection protocols mld aggregate
<get-ddos-mld-aggregate>
show ddos-protection protocols mld aggregate culprit-flows
show ddos-protection protocols mld culprit-flows
Copyright © 2017, Juniper Networks, Inc.
303
User Access and Authentication Feature Guide for Routing Devices
<get-ddos-mld-flows>
show ddos-protection protocols mld flow-detection
<get-ddos-mld-flow-parameters>
show ddos-protection protocols mld parameters
<get-ddos-mld-parameters>
show ddos-protection protocols mld statistics
<get-ddos-mld-statistics>
show ddos-protection protocols mld violations
<get-ddos-mld-violations>
show ddos-protection protocols mlp
<get-ddos-mlp-information>
show ddos-protection protocols mlp add
<get-ddos-mlp-add>
show ddos-protection protocols mlp add culprit-flows
<get-ddos-mlp-add-flows>
show ddos-protection protocols mlp aggregate
<get-ddos-mlp-aggregate>
show ddos-protection protocols mlp aggregate culprit-flows
<get-ddos-mlp-aggregate-flows>
show ddos-protection protocols mlp culprit-flows
<get-ddos-mlp-flows>
show ddos-protection protocols mlp delete
<get-ddos-mlp-delete>
show ddos-protection protocols mlp delete culprit-flows
get-ddos-mlp-delete-flows
show ddos-protection protocols mlp flow-detection
get-ddos-mlp-flow-parameters
show ddos-protection protocols mlp lookup
<get-ddos-mlp-lookup>
show ddos-protection protocols mlp lookup culprit-flows
<get-ddos-mlp-lookup-flows>
show ddos-protection protocols mlp macpin-exception
<get-ddos-mlp-mac-pinning>
show ddos-protection protocols mlp macpin-exception culprit-flows
<get-ddos-mlp-mac-pinning-flows>
show ddos-protection protocols mlp aging-exception
<get-ddos-mlp-aging-exc>
show ddos-protection protocols mlp packets
<get-ddos-mlp-packets>
show ddos-protection protocols mlp parameters
get-ddos-mlp-parameters
show ddos-protection protocols mlp statistics
<get-ddos-mlp-statistics>
show ddos-protection protocols mlp unclassified
<get-ddos-mlp-unclass>
show ddos-protection protocols mlp violations
<get-ddos-mlp-violations>
show ddos-protection protocols msdp
<get-ddos-msdp-information>
show ddos-protection protocols msdp aggregate
<get-ddos-msdp-aggregate>
show ddos-protection protocols msdp parameters
<get-ddos-msdp-parameters>
show ddos-protection protocols msdp statistics
<get-ddos-msdp-statistics>
show ddos-protection protocols msdp violations
<get-ddos-msdp-violations>
show ddos-protection protocols msdpv6
<get-ddos-msdpv6-information>
show ddos-protection protocols msdpv6 aggregate
<get-ddos-msdpv6-aggregate>
304
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
show ddos-protection protocols msdpv6 parameters
<get-ddos-msdpv6-parameters>
show ddos-protection protocols msdpv6 statistics
<get-ddos-msdpv6-statistics>
show ddos-protection protocols msdpv6 violations
<get-ddos-msdpv6-violations>
show ddos-protection protocols multihop-bfd
<get-ddos-mhop-bfd-information>
show ddos-protection protocols multihop-bfd aggregate
<get-ddos-mhop-bfd-aggregate>
show ddos-protection protocols multihop-bfd aggregate culprit-flows
<get-ddos-mhop-bfd-aggregate-flows>
show ddos-protection protocols multihop-bfd culprit-flows
<get-ddos-mhop-bfd-flows>
show ddos-protection protocols multihop-bfd flow-detection
<get-ddos-mhop-bfd-flow-parameters>
show ddos-protection protocols multihop-bfd parameters
<get-ddos-mhop-bfd-parameters>
show ddos-protection protocols multihop-bfd statistics
<get-ddos-mhop-bfd-statistics>
show ddos-protection protocols multihop-bfd violations
<get-ddos-mhop-bfd-violations>show ddos-protection protocols multicast-copy
<get-ddos-mcast-copy-information>
show ddos-protection protocols multicast-copy aggregate
<get-ddos-mcast-copy-aggregate>
show ddos-protection protocols multicast-copy parameters
<get-ddos-mcast-copy-parameters>
show ddos-protection protocols multicast-copy statistics
<get-ddos-mcast-copy-statistics>
show ddos-protection protocols multicast-copy violations
<get-ddos-mcast-copy-violations>
show ddos-protection protocols mvrp
<get-ddos-mvrp-information>
show ddos-protection protocols mvrp aggregate
<get-ddos-mvrp-aggregate>
show ddos-protection protocols mvrp parameters
<get-ddos-mvrp-parameters<
show ddos-protection protocols mvrp statistics
<get-ddos-mvrp-statistics>
show ddos-protection protocols mvrp violations
<get-ddos-mvrp-violations>
show ddos-protection protocols ndpv6
<get-ddos-ndpv6-information>
show ddos-protection protocols ndpv6 aggregate
<get-ddos-ndpv6-aggregate>
show ddos-protection protocols ndpv6 aggregate culprit-flows
<get-ddos-ndpv6-aggregate-flows>
show ddos-protection protocols ndpv6 culprit-flows
<get-ddos-ndpv6-flows>
show ddos-protection protocols ndpv6 flow-detection
<get-ddos-ndpv6-flow-parameters>
show ddos-protection protocols ndpv6 neighbor-advertisement
<get-ddos-ndpv6-neighb-adv>
show ddos-protection protocols ndpv6 neighbor-advertisement culprit-flows
<get-ddos-ndpv6-neighb-adv-flows>
show ddos-protection protocols ndpv6 neighbor-solicitation
<get-ddos-ndpv6-neighb-sol>
show ddos-protection protocols ndpv6 neighbor-solicitation culprit-flows
<get-ddos-ndpv6-neighb-sol-flows>
show ddos-protection protocols ndpv6 parameters
<get-ddos-ndpv6-parameters>
Copyright © 2017, Juniper Networks, Inc.
305
User Access and Authentication Feature Guide for Routing Devices
show ddos-protection protocols ndpv6 redirect
<get-ddos-ndpv6-redirect>
show ddos-protection protocols ndpv6 redirect culprit-flows
<get-ddos-ndpv6-redirect-flows>
show ddos-protection protocols ndpv6 router-advertisement
<get-ddos-ndpv6-router-adv>
show ddos-protection protocols ndpv6 router-advertisement culprit-flows
<get-ddos-ndpv6-router-adv-flows>
show ddos-protection protocols ndpv6 router-solicitation
<get-ddos-ndpv6-router-sol>
show ddos-protection protocols ndpv6 router-solicitation culprit-flows
<get-ddos-ndpv6-router-sol-flows>
show ddos-protection protocols nonucast-switch
<get-ddos-nonucast-switch-information>
show ddos-protection protocols nonucast-switch aggregate
<get-ddos-nonucast-switch-aggregate>
show ddos-protection protocols nonucast-switch aggregate culprit-flows
<get-ddos-nonucast-switch-aggregate-flows>
show ddos-protection protocols nonucast-switch culprit-flows
<get-ddos-nonucast-switch-flows>
show ddos-protection protocols nonucast-switch flow-detection
<get-ddos-nonucast-switch-flow-parameters>
show ddos-protection protocols nonucast-switch parameters
<get-ddos-nonucast-switch-parameters>
show ddos-protection protocols nonucast-switch statistics
<get-ddos-nonucast-switch-statistics>
show ddos-protection protocols nonucast-switch violations
<get-ddos-nonucast-switch-violations>
show ddos-protection protocols ntp
get-ddos-ntp-information
show ddos-protection protocols ntp aggregate
get-ddos-ntp-aggregate
show ddos-protection protocols ntp parameters
get-ddos-ntp-parameters
show ddos-protection protocols ntp statistics
get-ddos-ntp-statistics
show ddos-protection protocols ntp violations
get-ddos-ntp-violations
show ddos-protection protocols oam-cfm
get-ddos-oam-cfm-information
show ddos-protection protocols oam-cfm aggregate
<get-ddos-oam-cfm-aggregate>
show ddos-protection protocols oam-cfm aggregate culprit-flows
<get-ddos-oam-cfm-aggregate-flows>
show ddos-protection protocols oam-cfm culprit-flows
<get-ddos-oam-cfm-flows>
show ddos-protection protocols oam-cfm flow-detection
<get-ddos-oam-cfm-flow-parameters>
show ddos-protection protocols oam-cfm parameters
<get-ddos-oam-cfm-parameters>
show ddos-protection protocols oam-cfm statistics
<get-ddos-oam-cfm-statistics>
show ddos-protection protocols oam-cfm violations
<get-ddos-oam-cfm-violations>
show ddos-protection protocols oam-lfm
get-ddos-oam-lfm-information
show ddos-protection protocols oam-lfm aggregate
get-ddos-oam-lfm-aggregate
show ddos-protection protocols oam-lfm parameters
get-ddos-oam-lfm-parameters
show ddos-protection protocols oam-lfm statistics
306
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
get-ddos-oam-lfm-statistics
show ddos-protection protocols oam-lfm violations
get-ddos-oam-lfm-violations
show ddos-protection protocols ospf
get-ddos-ospf-information
show ddos-protection protocols ospf aggregate
get-ddos-ospf-aggregate
show ddos-protection protocols ospf parameters
get-ddos-ospf-parameters
show ddos-protection protocols ospf statistics
get-ddos-ospf-statistics
show ddos-protection protocols ospf violations
get-ddos-ospf-violations
show ddos-protection protocols ospf-hello
<get-ddos-ospf-hello-information>
show ddos-protection protocols ospf-hello aggregate
<get-ddos-ospf-hello-aggregate>
show ddos-protection protocols ospf-hello aggregate culprit-flows
<get-ddos-ospf-hello-aggregate-flows>
show ddos-protection protocols ospf-hello culprit-flows
<get-ddos-ospf-hello-flows>
show ddos-protection protocols ospf-hello flow-detection
<get-ddos-ospf-hello-flow-parameters>
show ddos-protection protocols ospf-hello parameters
<get-ddos-ospf-hello-parameters>
show ddos-protection protocols ospf-hello statistics
<get-ddos-ospf-hello-statistics>
show ddos-protection protocols ospf-hello violations
<get-ddos-ospf-hello-violations>
show ddos-protection protocols ospfv3v6
get-ddos-ospfv3v6-information
show ddos-protection protocols ospfv3v6 aggregate
get-ddos-ospfv3v6-aggregate
show ddos-protection protocols ospfv3v6 parameters
get-ddos-ospfv3v6-parameters
show ddos-protection protocols ospfv3v6 statistics
get-ddos-ospfv3v6-statistics
show ddos-protection protocols ospfv3v6 violations
get-ddos-ospfv3v6-violations
show ddos-protection protocols parameters
get-ddos-protocols-parameters
show ddos-protection protocols pfe-alive
get-ddos-pfe-alive-information
show ddos-protection protocols pfe-alive aggregate
get-ddos-pfe-alive-aggregate
show ddos-protection protocols pfe-alive parameters
get-ddos-pfe-alive-parameters
show ddos-protection protocols pfe-alive statistics
get-ddos-pfe-alive-statistics
show ddos-protection protocols pfe-alive violations
get-ddos-pfe-alive-violations
show ddos-protection protocols pim
get-ddos-pim-information
show ddos-protection protocols pim aggregate
get-ddos-pim-aggregate
show ddos-protection protocols pim aggregate culprit-flows
show ddos-protection protocols pim parameters
get-ddos-pim-parameters
show ddos-protection protocols pim statistics
get-ddos-pim-statistics
show ddos-protection protocols pim violations
Copyright © 2017, Juniper Networks, Inc.
307
User Access and Authentication Feature Guide for Routing Devices
get-ddos-pim-violations
show ddos-protection protocols pim-ctrl
<get-ddos-pim-ctrl-information>
show ddos-protection protocols pim-ctrl aggregate
<get-ddos-pim-ctrl-aggregate>
show ddos-protection protocols pim-ctrl aggregate culprit-flows
<get-ddos-pim-ctrl-aggregate-flows>
show ddos-protection protocols pim-ctrl culprit-flows
<get-ddos-pim-ctrl-flows>
show ddos-protection protocols pim-ctrl flow-detection
<get-ddos-pim-ctrl-flow-parameters>
show ddos-protection protocols pim-ctrl parameters
<get-ddos-pim-ctrl-parameters>
show ddos-protection protocols pim-ctrl statistics
<get-ddos-pim-ctrl-statistics>
show ddos-protection protocols pim-ctrl violations
<get-ddos-pim-ctrl-violations>
show ddos-protection protocols pim-data
<get-ddos-pim-data-information>
show ddos-protection protocols pim-data aggregate
<get-ddos-pim-data-aggregate>
show ddos-protection protocols pim-data aggregate culprit-flows
<get-ddos-pim-data-aggregate-flows>
show ddos-protection protocols pim-data culprit-flows
<get-ddos-pim-data-flows>
show ddos-protection protocols pim-data flow-detection
<get-ddos-pim-data-flow-parameters>
show ddos-protection protocols pim-data parameters
<get-ddos-pim-data-parameters>
show ddos-protection protocols pim-data statistics
<get-ddos-pim-data-statistics>
show ddos-protection protocols pim-data violations
<get-ddos-pim-data-violations>
show ddos-protection protocols pimv6
<get-ddos-pimv6-information>
show ddos-protection protocols pimv6 aggregate
<get-ddos-pimv6-aggregate>
show ddos-protection protocols pimv6 aggregate culprit-flows
show ddos-protection protocols pimv6 parameters
<get-ddos-pimv6-parameters>
show ddos-protection protocols pimv6 statistics
<get-ddos-pimv6-statistics>
show ddos-protection protocols pimv6 violations
<get-ddos-pimv6-violations>
show ddos-protection protocols pkt-inject
<get-ddos-pkt-inject-information>
show ddos-protection protocols pkt-inject aggregate
<get-ddos-pkt-inject-aggregate>
show ddos-protection protocols pkt-inject aggregate culprit-flows
<get-ddos-pkt-inject-aggregate-flows>
show ddos-protection protocols pkt-inject culprit-flows
<get-ddos-pkt-inject-flows>
show ddos-protection protocols pkt-inject flow-detection
<get-ddos-pkt-inject-flow-parameters>
show ddos-protection protocols pkt-inject parameters
<get-ddos-pkt-inject-parameters>
show ddos-protection protocols pkt-inject statistics
<get-ddos-pkt-inject-statistics>
show ddos-protection protocols pkt-inject violations
<get-ddos-pkt-inject-violations>
308
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
show ddos-protection protocols
get-ddos-pmvrp-information
show ddos-protection protocols
get-ddos-pmvrp-aggregate
show ddos-protection protocols
get-ddos-pmvrp-parameters
show ddos-protection protocols
get-ddos-pmvrp-statistics
show ddos-protection protocols
get-ddos-pmvrp-violations
show ddos-protection protocols
get-ddos-pos-information
show ddos-protection protocols
get-ddos-pos-aggregate
show ddos-protection protocols
show ddos-protection protocols
get-ddos-pos-parameters
show ddos-protection protocols
get-ddos-pos-statistics
show ddos-protection protocols
get-ddos-pos-violations
show ddos-protection protocols
get-ddos-ppp-information
show ddos-protection protocols
get-ddos-ppp-aggregate
show ddos-protection protocols
get-ddos-ppp-auth
show ddos-protection protocols
show ddos-protection protocols
get-ddos-ppp-ipcp
show ddos-protection protocols
get-ddos-ppp-ipv6cp
show ddos-protection protocols
get-ddos-ppp-isis
show ddos-protection protocols
show ddos-protection protocols
get-ddos-ppp-lcp
show ddos-protection protocols
show ddos-protection protocols
get-ddos-ppp-mplscp
show ddos-protection protocols
show ddos-protection protocols
get-ddos-ppp-parameters
show ddos-protection protocols
get-ddos-ppp-statistics
show ddos-protection protocols
<get-ddos-ppp-unclass>
show ddos-protection protocols
get-ddos-ppp-violations
show ddos-protection protocols
get-ddos-pppoe-information
show ddos-protection protocols
get-ddos-pppoe-aggregate
show ddos-protection protocols
get-ddos-pppoe-padi
show ddos-protection protocols
get-ddos-pppoe-padm
show ddos-protection protocols
get-ddos-pppoe-padn
show ddos-protection protocols
Copyright © 2017, Juniper Networks, Inc.
pmvrp
pmvrp aggregate
pmvrp parameters
pmvrp statistics
pmvrp violations
pos
pos aggregate
pos aggregate culprit-flows
pos parameters
pos statistics
pos violations
ppp
ppp aggregate
ppp authentication
ppp authentication culprit-flows
ppp ipcp
ppp ipv6cp
ppp isis
ppp isis culprit-flows
ppp lcp
ppp lcp culprit-flows
ppp mplscp
ppp mplscp culprit-flows
ppp parameters
ppp statistics
ppp unclassified
ppp violations
pppoe
pppoe aggregate
pppoe padi
pppoe padm
pppoe padn
pppoe pado
309
User Access and Authentication Feature Guide for Routing Devices
get-ddos-pppoe-pado
show ddos-protection protocols pppoe padr
get-ddos-pppoe-padr
show ddos-protection protocols pppoe pads
get-ddos-pppoe-pads
show ddos-protection protocols pppoe padt
get-ddos-pppoe-padt
show ddos-protection protocols pppoe parameters
get-ddos-pppoe-parameters
show ddos-protection protocols pppoe statistics
get-ddos-pppoe-statistics
show ddos-protection protocols pppoe violations
get-ddos-pppoe-violations
show ddos-protection protocols proto-802-1x
<get-ddos-8021x-information>
show ddos-protection protocols proto-802-1x aggregate
<get-ddos-8021x-aggregate>
show ddos-protection protocols proto-802-1x aggregate culprit-flows
get-ddos-8021x-aggregate-flows
show ddos-protection protocols proto-802-1x culprit-flows
<get-ddos-8021x-flows>
show ddos-protection protocols proto-802-1x flow-detection
<get-ddos-8021x-flow-parameters>
show ddos-protection protocols proto-802-1x parameters
<get-ddos-8021x-parameters>
show ddos-protection protocols proto-802-1x statistics
<get-ddos-8021x-statistics>
show ddos-protection protocols proto-802-1x violations
<get-ddos-8021x-violations>
show ddos-protection protocols ptp
get-ddos-ptp-information
show ddos-protection protocols ptp aggregate
get-ddos-ptp-aggregate
show ddos-protection protocols ptp aggregate culprit-flows
show ddos-protection protocols ptp parameters
get-ddos-ptp-parameters
show ddos-protection protocols ptp statistics
get-ddos-ptp-statistics
show ddos-protection protocols ptp violations
get-ddos-ptp-violations
show ddos-protection protocols ptpv6
<get-ddos-ptpv6-information>
show ddos-protection protocols ptpv6 aggregate
<get-ddos-ptpv6-aggregate>
show ddos-protection protocols ptpv6 aggregate culprit-flows
<get-ddos-ptpv6-aggregate-flows>
show ddos-protection protocols ptpv6 culprit-flows
<get-ddos-ptpv6-flows>
show ddos-protection protocols ptpv6 flow-detection
<get-ddos-ptpv6-flow-parameters>
show ddos-protection protocols ptpv6 parameters
<get-ddos-ptpv6-parameters>
show ddos-protection protocols ptpv6 statistics
<get-ddos-ptpv6-statistics>
show ddos-protection protocols ptpv6 violations
<get-ddos-ptpv6-violations>
show ddos-protection protocols pvstp
get-ddos-pvstp-information
show ddos-protection protocols pvstp aggregate
get-ddos-pvstp-aggregate
show ddos-protection protocols pvstp parameters
310
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
get-ddos-pvstp-parameters
show ddos-protection protocols pvstp statistics
get-ddos-pvstp-statistics
show ddos-protection protocols pvstp violations
get-ddos-pvstp-violations
show ddos-protection protocols radius
get-ddos-radius-information
show ddos-protection protocols radius accounting
get-ddos-radius-account
show ddos-protection protocols radius aggregate
get-ddos-radius-aggregate
show ddos-protection protocols radius accounting culprit-flows
show ddos-protection protocols radius authorization
get-ddos-radius-auth
show ddos-protection protocols radius parameters
get-ddos-radius-parameters
show ddos-protection protocols radius server
get-ddos-radius-server
show ddos-protection protocols radius statistics
get-ddos-radius-statistics
show ddos-protection protocols radius violations
get-ddos-radius-violations
show ddos-protection protocols re-services
<get-ddos-re-services-information>
show ddos-protection protocols re-services aggregate
<get-ddos-re-services-aggregate>
show ddos-protection protocols re-services aggregate culprit-flows
<get-ddos-re-services-aggregate-flows>
show ddos-protection protocols re-services captive-portal
<get-ddos-re-services-captive-portal>
show ddos-protection protocols re-services captive-portal culprit-flows
<get-ddos-re-services-captive-portal-flows>
show ddos-protection protocols re-services culprit-flows
<get-ddos-re-services-flows>
show ddos-protection protocols re-services flow-detection
<get-ddos-re-services-flow-parameters>
show ddos-protection protocols re-services parameters
<get-ddos-re-services-parameters>
show ddos-protection protocols re-services statistics
<get-ddos-re-services-statistics>
show ddos-protection protocols re-services violations
<get-ddos-re-services-violations>
show ddos-protection protocols re-services-v6
<get-ddos-re-services-v6-information>
show ddos-protection protocols re-services-v6 aggregate
<get-ddos-re-services-v6-aggregate>
show ddos-protection protocols re-services-v6 aggregate culprit-flows
<get-ddos-re-services-v6-aggregate-flows>
show ddos-protection protocols re-services-v6 captive-portal
<get-ddos-re-services-v6-captive-portal-v6>
show ddos-protection protocols re-services-v6 captive-portal culprit-flows
<get-ddos-re-services-v6-captive-portal-v6-flows>
show ddos-protection protocols re-services-v6 culprit-flows
<get-ddos-re-services-v6-flows>
show ddos-protection protocols re-services-v6 flow-detection
<get-ddos-re-services-v6-flow-parameters>
show ddos-protection protocols re-services-v6 parameters
<get-ddos-re-services-v6-parameters>
show ddos-protection protocols re-services-v6 statistics
<get-ddos-re-services-v6-statistics>
show ddos-protection protocols re-services-v6 violations
Copyright © 2017, Juniper Networks, Inc.
311
User Access and Authentication Feature Guide for Routing Devices
<get-ddos-re-services-v6-violations>
show ddos-protection protocols redirect
get-ddos-redirect-information
show ddos-protection protocols redirect aggregate
get-ddos-redirect-aggregate
show ddos-protection protocols redirect parameters
get-ddos-redirect-parameters
show ddos-protection protocols redirect statistics
get-ddos-redirect-statistics
show ddos-protection protocols redirect violations
get-ddos-redirect-violations
show ddos-protection protocols reject
<get-ddos-reject-information>
show ddos-protection protocols reject aggregate
<get-ddos-reject-aggregate>
show ddos-protection protocols reject parameters
<get-ddos-reject-parameters>
show ddos-protection protocols reject statistics
<get-ddos-reject-statistics>
show ddos-protection protocols reject violations
<get-ddos-reject-violations>
show ddos-protection protocols rejectv6show ddos-protection protocols rejectv6
aggregate
show ddos-protection protocols rejectv6 aggregate culprit-flows
show ddos-protection protocols rejectv6 flow-detection
show ddos-protection protocols rejectv6 parameters
show ddos-protection protocols rejectv6 statistics
show ddos-protection protocols rejectv6 violations
show ddos-protection protocols rip
get-ddos-rip-information
show ddos-protection protocols rip aggregate
get-ddos-rip-aggregate
show ddos-protection protocols rip aggregate culprit-flows
show ddos-protection protocols rip culprit-flows
show ddos-protection protocols rip parameters
get-ddos-rip-parameters
show ddos-protection protocols rip statistics
get-ddos-rip-statistics
show ddos-protection protocols rip violations
get-ddos-rip-violations
show ddos-protection protocols ripv6
get-ddos-ripv6-information
show ddos-protection protocols ripv6 aggregate
get-ddos-ripv6-aggregate
show ddos-protection protocols ripv6 aggregate culprit-flows
show ddos-protection protocols ripv6 parameters
get-ddos-ripv6-parameters
show ddos-protection protocols ripv6 statistics
get-ddos-ripv6-statistics
show ddos-protection protocols ripv6 violations
get-ddos-ripv6-violations
show ddos-protection protocols rsvp
get-ddos-rsvp-information
show ddos-protection protocols rsvp aggregate
get-ddos-rsvp-aggregate
show ddos-protection protocols rsvp aggregate culprit-flows
show ddos-protection protocols rsvp parameters
get-ddos-rsvp-parameters
show ddos-protection protocols rsvp statistics
312
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
get-ddos-rsvp-statistics
show ddos-protection protocols rsvp violations
get-ddos-rsvp-violations
show ddos-protection protocols rsvpv6
get-ddos-rsvpv6-information
show ddos-protection protocols rsvpv6 aggregate
get-ddos-rsvpv6-aggregate
show ddos-protection protocols rsvpv6 aggregate culprit-flows
show ddos-protection protocols rsvpv6 parameters
get-ddos-rsvpv6-parameters
show ddos-protection protocols rsvpv6 statistics
get-ddos-rsvpv6-statistics
show ddos-protection protocols rsvpv6 violations
get-ddos-rsvpv6-violations
show ddos-protection protocols sample
<get-ddos-sample-information>
show ddos-protection protocols sample aggregate
<get-ddos-sample-aggregate>
show ddos-protection protocols sample aggregate culprit-flows
show ddos-protection protocols sample host
<get-ddos-sample-host>
show ddos-protection protocols sample parameters
<get-ddos-sample-parameters>
show ddos-protection protocols sample pfe
<get-ddos-sample-pfe>
show ddos-protection protocols sample pfe culprit-flows
show ddos-protection protocols sample sflow
<get-ddos-sample-sflow>
show ddos-protection protocols sample sflow culprit-flows
<get-ddos-sample-sflow-flows>
show ddos-protection protocols sample statistics
<get-ddos-sample-statistics>
show ddos-protection protocols sample syslog
show ddos-protection protocols sample tap
<get-ddos-sample-tap>
show ddos-protection protocols sample tap culprit-flows
show ddos-protection protocols sample violations
<get-ddos-sample-violations>
show ddos-protection protocols services
get-ddos-services-information
show ddos-protection protocols sample-dest
<get-ddos-sample-dest-information>
show ddos-protection protocols sample-dest aggregate
<get-ddos-sample-dest-aggregate>
show ddos-protection protocols sample-dest aggregate culprit-flows
<get-ddos-sample-dest-aggregate-flows>
show ddos-protection protocols sample-dest culprit-flows
<get-ddos-sample-dest-flows>
show ddos-protection protocols sample-dest flow-detection
<get-ddos-sample-dest-flow-parameters>
show ddos-protection protocols sample-dest parameters
<get-ddos-sample-dest-parameters>
show ddos-protection protocols sample-dest statistics
<get-ddos-sample-dest-statistics>
show ddos-protection protocols sample-dest violations
<get-ddos-sample-dest-violations>
show ddos-protection protocols sample-source
<get-ddos-sample-source-information>
show ddos-protection protocols sample-source aggregate
<get-ddos-sample-source-aggregate>
show ddos-protection protocols sample-source aggregate culprit-flows
Copyright © 2017, Juniper Networks, Inc.
313
User Access and Authentication Feature Guide for Routing Devices
<get-ddos-sample-source-aggregate-flows>
show ddos-protection protocols sample-source culprit-flows
<get-ddos-sample-source-flows>
show ddos-protection protocols sample-source flow-detection
<get-ddos-sample-source-flow-parameters>
show ddos-protection protocols sample-source parameters
<get-ddos-sample-source-parameters>
show ddos-protection protocols sample-source statistics
<get-ddos-sample-source-statistics>
show ddos-protection protocols sample-source violations
<get-ddos-sample-source-violations>
show ddos-protection protocols services aggregate
<get-ddos-services-aggregate>
show ddos-protection protocols services parameters
<get-ddos-services-parameters>
show ddos-protection protocols services statistics
<get-ddos-services-statistics>
show ddos-protection protocols syslog
<get-ddos-syslog-information>
show ddos-protection protocols syslog aggregate
<get-ddos-syslog-aggregate>
show ddos-protection protocols syslog aggregate culprit-flows
<get-ddos-syslog-aggregate-flows>
show ddos-protection protocols syslog culprit-flows
<get-ddos-syslog-flows>
show ddos-protection protocols syslog flow-detection
<get-ddos-syslog-flow-parameters>
show ddos-protection protocols syslog parameters
<get-ddos-syslog-parameters>
show ddos-protection protocols syslog statistics
<get-ddos-syslog-statistics>
show ddos-protection protocols syslog violations
<get-ddos-syslog-violations>
show ddos-protection protocols services violations
get-ddos-services-violations
show ddos-protection protocols snmp
get-ddos-snmp-information
show ddos-protection protocols snmp aggregate
get-ddos-snmp-aggregate
show ddos-protection protocols snmp aggregate culprit-flows
show ddos-protection protocols snmp parameters
get-ddos-snmp-parameters
show ddos-protection protocols snmp statistics
get-ddos-snmp-statistics
show ddos-protection protocols snmp violations
get-ddos-snmp-violations
show ddos-protection protocols snmpv6
get-ddos-snmpv6-information
show ddos-protection protocols snmpv6 aggregate
get-ddos-snmpv6-aggregate
show ddos-protection protocols snmpv6 aggregate culprit-flows
show ddos-protection protocols snmpv6 parameters
get-ddos-snmpv6-parameters
show ddos-protection protocols snmpv6 statistics
get-ddos-snmpv6-statistics
show ddos-protection protocols snmpv6 violations
get-ddos-snmpv6-violations
show ddos-protection protocols ssh
get-ddos-ssh-information
show ddos-protection protocols ssh aggregate
get-ddos-ssh-aggregate
314
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
show ddos-protection protocols ssh parameters
get-ddos-ssh-parameters
show ddos-protection protocols ssh statistics
get-ddos-ssh-statistics
show ddos-protection protocols ssh violations
get-ddos-ssh-violations
show ddos-protection protocols sshv6
get-ddos-sshv6-information
show ddos-protection protocols sshv6 aggregate
get-ddos-sshv6-aggregate
show ddos-protection protocols sshv6 parameters
get-ddos-sshv6-parameters
show ddos-protection protocols sshv6 statistics
<get-ddos-sshv6-statistics>
show ddos-protection protocols sshv6 violations
<get-ddos-sshv6-violations>
show ddos-protection protocols statistics
<get-ddos-protocols-statistics>
show ddos-protection protocols stp
<get-ddos-stp-information>
show ddos-protection protocols stp aggregate
<get-ddos-stp-aggregate>
show ddos-protection protocols stp parameters
<get-ddos-stp-parameters>
show ddos-protection protocols stp statistics
<get-ddos-stp-statistics>
show ddos-protection protocols stp violations
<get-ddos-stp-violations>
show ddos-protection protocols tacacs
<get-ddos-tacacs-information>
show ddos-protection protocols tacacs aggregate
<get-ddos-tacacs-aggregate>
show ddos-protection protocols tacacs parameters
<get-ddos-tacacs-parameters>
show ddos-protection protocols tacacs statistics
<get-ddos-tacacs-statistics>
show ddos-protection protocols tacacs violations
<get-ddos-tacacs-violations>
show ddos-protection protocols tcc
<get-ddos-tcc-information>
show ddos-protection protocols tcc
<get-ddos-tcc-aggregate>
show ddos-protection protocols tcc
<get-ddos-tcc-aggregate-flows>
show ddos-protection protocols tcc
<get-ddos-tcc-flows>
show ddos-protection protocols tcc
<get-ddos-tcc-ethernet-tcc>
show ddos-protection protocols tcc
<get-ddos-tcc-ethernet-tcc-flows>
show ddos-protection protocols tcc
<get-ddos-tcc-flow-parameters>
show ddos-protection protocols tcc
<get-ddos-tcc-iso-tcc>
show ddos-protection protocols tcc
<get-ddos-tcc-iso-tcc-flows>
show ddos-protection protocols tcc
<get-ddos-tcc-parameters>
show ddos-protection protocols tcc
<get-ddos-tcc-statistics>
Copyright © 2017, Juniper Networks, Inc.
aggregate
aggregate culprit-flows
culprit-flows
ethernet-tcc
ethernet-tcc culprit-flows
flow-detection
iso-tcc
iso-tcc culprit-flows
parameters
statistics
315
User Access and Authentication Feature Guide for Routing Devices
show ddos-protection protocols tcc unclassified
<get-ddos-tcc-unclass>
show ddos-protection protocols tcc unclassified culprit-flows
<get-ddos-tcc-unclass-flows>
show ddos-protection protocols tcc violations
<get-ddos-tcc-violations>
show ddos-protection protocols tcp-flags
<get-ddos-tcp-flags-information>
show ddos-protection protocols tcp-flags aggregate
<get-ddos-tcp-flags-aggregate>
show ddos-protection protocols tcp-flags established
<get-ddos-tcp-flags-establish>
show ddos-protection protocols tcp-flags initial
<get-ddos-tcp-flags-initial>
show ddos-protection protocols tcp-flags parameters
<get-ddos-tcp-flags-parameters>
show ddos-protection protocols tcp-flags statistics
<get-ddos-tcp-flags-statistics>
show ddos-protection protocols tcp-flags unclassified
<get-ddos-tcp-flags-unclass>
show ddos-protection protocols tcp-flags violations
<get-ddos-tcp-flags-violations>
show ddos-protection protocols telnet
<get-ddos-telnet-information>
show ddos-protection protocols telnet aggregate
<get-ddos-telnet-aggregate>
show ddos-protection protocols telnet aggregate culprit-flows
show ddos-protection protocols telnet parameters
<get-ddos-telnet-parameters>
show ddos-protection protocols telnet statistics
<get-ddos-telnet-statistics>
show ddos-protection protocols telnet violations
<get-ddos-telnet-violations>
show ddos-protection protocols telnetv6
<get-ddos-telnetv6-information>
show ddos-protection protocols telnetv6 aggregate
<get-ddos-telnetv6-aggregate>
show ddos-protection protocols telnetv6 aggregate culprit-flows
show ddos-protection protocols telnetv6 parameters
<get-ddos-telnetv6-parameters>
show ddos-protection protocols telnetv6 statistics
<get-ddos-telnetv6-statistics>
show ddos-protection protocols telnetv6 violations
<get-ddos-telnetv6-violations>
show ddos-protection protocols ttl
<get-ddos-ttl-information>
show ddos-protection protocols ttl aggregate
<get-ddos-ttl-aggregate>
show ddos-protection protocols ttl parameters
<get-ddos-ttl-parameters>
show ddos-protection protocols ttl statistics
<get-ddos-ttl-statistics>
show ddos-protection protocols ttl violations
<get-ddos-ttl-violations>
show ddos-protection protocols tunnel-fragment
<get-ddos-tun-frag-information>
show ddos-protection protocols tunnel-fragment aggregate
<get-ddos-tun-frag-aggregate>
show ddos-protection protocols tunnel-fragment aggregate culprit-flows
show ddos-protection protocols tunnel-fragment parameters
<get-ddos-tun-frag-parameters>
316
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
show ddos-protection protocols tunnel-fragment statistics
<get-ddos-tun-frag-statistics>
show ddos-protection protocols tunnel-fragment violations
<get-ddos-tun-frag-violations>
show ddos-protection protocols tunnel-ka
<get-ddos-tunnel-ka-information>
show ddos-protection protocols tunnel-ka aggregate
<get-ddos-tunnel-ka-aggregate>
show ddos-protection protocols tunnel-ka aggregate culprit-flows
<get-ddos-tunnel-ka-aggregate-flows>
show ddos-protection protocols tunnel-ka culprit-flows
<get-ddos-tunnel-ka-flows>
show ddos-protection protocols tunnel-ka flow-detection
<get-ddos-tunnel-ka-flow-parameters>
show ddos-protection protocols tunnel-ka parameters
<get-ddos-tunnel-ka-parameters>
show ddos-protection protocols tunnel-ka statistics
<get-ddos-tunnel-ka-statistics>
show ddos-protection protocols tunnel-ka violations
<get-ddos-tunnel-ka-violations>
show ddos-protection protocols unknown-l2mc
<get-ddos-unknown-l2mc-information>
show ddos-protection protocols unknown-l2mc aggregate
<get-ddos-unknown-l2mc-aggregate>
show ddos-protection protocols unknown-l2mc aggregate culprit-flows
<get-ddos-unknown-l2mc-aggregate-flows>
show ddos-protection protocols unknown-l2mc culprit-flows
<get-ddos-unknown-l2mc-flows>
show ddos-protection protocols unknown-l2mc flow-detection
<get-ddos-unknown-l2mc-flow-parameters>
show ddos-protection protocols unknown-l2mc parameters
<get-ddos-unknown-l2mc-parameters>
show ddos-protection protocols unknown-l2mc statistics
<get-ddos-unknown-l2mc-statistics>
show ddos-protection protocols unknown-l2mc violations
<get-ddos-unknown-l2mc-violations>
show ddos-protection protocols unclassified
<get-ddos-uncls-information>
show ddos-protection protocols unclassified aggregate
<get-ddos-uncls-aggregate>
show ddos-protection protocols unclassified parameters
<get-ddos-uncls-parameters>
show ddos-protection protocols unclassified resolve-v4
show ddos-protection protocols unclassified resolve-v4 culprit-flows
show ddos-protection protocols unclassified resolve-v6
show ddos-protection protocols unclassified resolve-v6 culprit-flows
show ddos-protection protocols unclassified statistics
<get-ddos-uncls-statistics>
show ddos-protection protocols unclassified violations
<get-ddos-uncls-violations>
show ddos-protection protocols urpf-fail
<get-ddos-urpf-fail-information>
show ddos-protection protocols urpf-fail aggregate
<get-ddos-urpf-fail-aggregate>
show ddos-protection protocols urpf-fail aggregate culprit-flows
<get-ddos-urpf-fail-aggregate-flows>
show ddos-protection protocols urpf-fail culprit-flows
<get-ddos-urpf-fail-flows>
show ddos-protection protocols urpf-fail flow-detection
<get-ddos-urpf-fail-flow-parameters>
show ddos-protection protocols urpf-fail parameters
Copyright © 2017, Juniper Networks, Inc.
317
User Access and Authentication Feature Guide for Routing Devices
<get-ddos-urpf-fail-parameters>
show ddos-protection protocols urpf-fail statistics
<get-ddos-urpf-fail-statistics>
show ddos-protection protocols urpf-fail violations
<get-ddos-urpf-fail-violations>
show ddos-protection protocols vcipc-udp
<get-ddos-vcipc-udp-information>
show ddos-protection protocols vcipc-udp aggregate
<get-ddos-vcipc-udp-aggregate>
show ddos-protection protocols vcipc-udp aggregate culprit-flows
<get-ddos-vcipc-udp-aggregate-flows>
show ddos-protection protocols vcipc-udp culprit-flows
<get-ddos-vcipc-udp-flows>
show ddos-protection protocols vcipc-udp flow-detection
<get-ddos-vcipc-udp-flow-parameters>
show ddos-protection protocols vcipc-udp parameters
<get-ddos-vcipc-udp-parameters>
show ddos-protection protocols vcipc-udp statistics
<get-ddos-vcipc-udp-statistics>
show ddos-protection protocols vcipc-udp violations
<get-ddos-vcipc-udp-violations>
show ddos-protection protocols violations
get-ddos-protocols-violations
show ddos-protection protocols virtual-chassis
get-ddos-vchassis-information
show ddos-protection protocols virtual-chassis aggregate
get-ddos-vchassis-aggregate
show ddos-protection protocols virtual-chassis aggregate culprit-flows
show ddos-protection protocols virtual-chassis control-high
get-ddos-vchassis-control-hi
show ddos-protection protocols virtual-chassis control-low
get-ddos-vchassis-control-lo
show ddos-protection protocols virtual-chassis parameters
get-ddos-vchassis-parameters
show ddos-protection protocols virtual-chassis statistics
get-ddos-vchassis-statistics
show ddos-protection protocols virtual-chassis unclassified
get-ddos-vchassis-unclass
show ddos-protection protocols virtual-chassis vc-packets
get-ddos-vchassis-vc-packets
show ddos-protection protocols virtual-chassis vc-ttl-errors
get-ddos-vchassis-vc-ttl-err
show ddos-protection protocols virtual-chassis violations
get-ddos-vchassis-violations
show ddos-protection protocols vrrp
get-ddos-vrrp-information
show ddos-protection protocols vrrp aggregate
get-ddos-vrrp-aggregate
show ddos-protection protocols vrrp aggregate culprit-flows
show ddos-protection protocols vrrp parameters
get-ddos-vrrp-parameters
show ddos-protection protocols vrrp statistics
get-ddos-vrrp-statistics
show ddos-protection protocols vrrp violations
get-ddos-vrrp-violations
show ddos-protection protocols vrrpv6
get-ddos-vrrpv6-information
show ddos-protection protocols vrrpv6 aggregate
get-ddos-vrrpv6-aggregate
show ddos-protection protocols vrrpv6 aggregate culprit-flows
show ddos-protection protocols vrrpv6 parameters
318
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
get-ddos-vrrpv6-parameters
show ddos-protection protocols vrrpv6 statistics
get-ddos-vrrpv6-statistics
show ddos-protection protocols vrrpv6 violations
get-ddos-vrrpv6-violations
show ddos-protection statistics
get-ddos-statistics-information
show ddos-protection version
get-ddos-version
show ddos-protection protocols vxlan
<get-ddos-vxlan-information>
show ddos-protection protocols vxlan aggregate
<get-ddos-vxlan-aggregate>
show ddos-protection protocols vxlan aggregate culprit-flows
<get-ddos-vxlan-aggregate-flows>
show ddos-protection protocols vxlan culprit-flows
<get-ddos-vxlan-flows>
show ddos-protection protocols vxlan flow-detection
<get-ddos-vxlan-flow-parameters>
show ddos-protection protocols vxlan parameters
<get-ddos-vxlan-parameters>
show ddos-protection protocols vxlan statistics
<get-ddos-vxlan-statistics>
show ddos-protection protocols vxlan violations
<get-ddos-vxlan-violations>
show dhcp
show dhcp proxy-client
show dhcp proxy-client binding
show dhcp proxy-client servers
show dhcp proxy-client statistics
<get-proxy-dhcp-client-statistics-information>
show dhcp relay
show dhcp relay binding
<get-dhcp-relay-binding-information>
show dhcp relay binding interface
<get-dhcp-relay-interface-bindings>
show dhcp relay binding lease-time-violation
<get-dhcp-relay-binding-ltv-information>
show dhcp relay statistics
<get-dhcp-relay-statistics-information>
show dhcp relay statistics bulk-leasequery-connections
<get-dhcp-relay-bulk-leasequery-conn-statistics>
show dhcp relay statistics leasequery
<get-dhcp-relay-leasequery-statistics>
show dhcp server
show dhcp server binding
<get-dhcp-server-binding-information>
show dhcp server binding interface
<get-dhcp-relay-binding-interface>
show dhcp server binding lease-time-violation
<get-dhcp-server-binding-ltv-information>
show dhcp server statistics
<get-dhcp-server-statistics-information>
show dhcp statistics
<get-dhcp-service-statistics-information>
show dhcp-security
<get-dhcp-security-arp-inspection-statistics>
show dhcp-security binding
Copyright © 2017, Juniper Networks, Inc.
319
User Access and Authentication Feature Guide for Routing Devices
<get-dhcp-security-binding>
show dhcp-security binding interface
<get-dhcp-security-binding-interface>
show dhcp-security binding ip-address
<get-dhcp-security-binding-ip-address>
show dhcp-security binding ip-source-guard
<get-dhcp-security-ip-source-guard>
show dhcp-security binding statistics
<get-dhcp-security-binding-statistics>
show dhcp-security binding vlan
get-dhcp-security-binding-vlan
show dhcp-security ipv6
show dhcp-security ipv6 binding
<get-dhcpv6-security-binding>
show dhcp-security ipv6 binding interface
<get-dhcpv6-security-binding-interface>
show dhcp-security ipv6 binding ipv6-address
<get-dhcpv6-security-binding-ip-address>
show dhcp-security ipv6 binding vlan
<get-dhcpv6-security-binding-vlan>
show dhcp-security ipv6 statistics
<get-dhcp-ipv6-statistics>
show dhcp-security neighbor-discovery-inspection
show dhcp-security neighbor-discovery-inspection statistics
<get-dhcp-security-nd-inspection-statistics>
show dhcp-security neighbor-discovery-inspection statistics interface
<get-dhcp-security-ndi-interface>
show dhcp-security statistics
<get-dhcp-security-statistics>
show dhcpv6
show dhcpv6 client
show dhcpv6 client binding
get-dhcpv6-client-binding-information
show dhcpv6 client binding interface
<get-dhcpv6-client-binding-information-by-interface>
show dhcpv6 client statistics
<get-dhcpv6-client-statistics-information>
show dhcpv6 proxy-client
show dhcpv6 proxy-client binding
show dhcpv6 proxy-client statistics
<get-proxy-dhcpv6-client-statistics-information>
show dhcpv6 relay
show dhcpv6 relay binding
<get-dhcpv6-relay-binding-information>
show dhcpv6 relay binding interface
<get-dhcpv6-relay-binding-interface>
show dhcpv6 relay binding lease-time-violation
<get-dhcpv6-relay-binding-ltv-information>
show dhcpv6 relay statistics
<get-dhcpv6-relay-statistics-information>
show dhcpv6 relay statistics bulk-leasequery-connections
<get-dhcpv6-relay-bulk-leasequery-conn-statistics>
show dhcpv6 relay statistics leasequery
<get-dhcpv6-relay-leasequery-statistics>
show dhcpv6 server
show dhcpv6 server binding
<get-dhcpv6-server-binding-information>
show dhcpv6 server binding interface
<get-dhcpv6-server-binding-interface>
320
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
show dhcpv6 server binding lease-time-violation
<get-dhcpv6-server-binding-ltv-information>
show dhcpv6 server statistics
<get-dhcpv6-server-statistics-information>
show dhcpv6 server statistics bulk-leasequery-connections
<get-dhcpv6-server-bulk-leasequery-conn-statistics>
show dhcpv6 statistics
<get-dhcpv6-service-statistics-information>
show diagnostics
show diagnostics tdr
<get-tdr-interface-information>
show diagnostics tdr interface
<get-tdr-interface-status>
show diameter
<get-diameter-information>
show diameter function
<get-diameter-function-information>
show diameter function statistics
<get-diameter-function-statistics>
show diameter instance
<get-diameter-instance-information>
show diameter network-element
<get-diameter-network-element-information>
show diameter network-element map
<get-diameter-network-element-map-information>
show diameter peer
<get-diameter-peer-information>
show diameter peer map
<get-diameter-peer-map-information>
show diameter peer statistics
<get-diameter-peer-statistics>
show diameter route
<get-diameter-route-information>
show dot1x
show dot1x accounting-attributes
get-dot1x-accounting-attributes
show dot1x accounting-attributes interface
<get-dot1x-interface-accounting-attributes>show dot1x
authentication-failed-users
<get-dot1x-authentication-failed-users>
show dot1x interface
<get-dot1x-interface-information>
show dot1x static-mac-address
<get-dot1x-static-mac-addresess>
show dot1x static-mac-address interface
<get-dot1x-interface-mac-addresses>
show dvmrp
show dvmrp interfaces
<get-dvmrp-interfaces-information>
show dvmrp neighbors
<get-dvmrp-neighbors-information>
show dvmrp prefix
<get-dvmrp-prefix-information>
show dvmrp prunes
<get-dvmrp-prunes-information>
show dynamic-profile
<get-dynamic-profile>
show dynamic-profile session
<get-dynamic-profile-session-information>
show dynamic-tunnels
show dynamic-tunnels database
Copyright © 2017, Juniper Networks, Inc.
321
User Access and Authentication Feature Guide for Routing Devices
<get-dynamic-tunnels-database>
show ethernet-switching mac-learning-log
<get-ethernet-switching-log-information>
show ethernet-switching mac-notification
<get-ethernet-switching-mac-notification-information>
show ethernet-switching flood next-hops
show ethernet-switching flood next-hops satellite
<get-satellite-control-composite-next-hop>
show ethernet-switching flood satellite
<get-satellite-control-flood>
show ethernet-switching nh-learn-entity
<get-l2-learning-nh-learn-entries>
show ethernet-switching redundancy-groups
<get-ethernet-switching-redundancy-groups>
show ethernet-switching satellite
show ethernet-switching satellite device
<get-satellite-device-db>
show ethernet-switching satellite events
<get-satellite-control-history-information>
show ethernet-switching satellite logging
<get-satellite-control-logging-information>
show ethernet-switching satellite summary
<get-satellite-control-bridge-summary>
show ethernet-switching table satellite
<get-satellite-control-bridge-mac-table>
show ethernet-switching vxlan-tunnel-end-point esi
<get-ethernet-switching-vxlan-esi-info>
show ethernet-switching vxlan-tunnel-end-point remote
<get-ethernet-switching-vxlan-rvtep-info>
show ethernet-switching vxlan-tunnel-end-point remote esi
<get-ethernet-switching-vxlan-esi-info>
show ethernet-switching vxlan-tunnel-end-point remote vtep-source-interface
<get-ethernet-switching-vxlan-remote-svtep-ip-information>
show ethernet-switching vxlan-tunnel-end-point source ip
<get-ethernet-switching-vxlan-svtep-ip-information>
show ephemeral-configuration
show esis
show esis adjacency
<get-esis-adjacency-information>
show esis interface
<get-esis-interface-information>
show esis statistics
<get-esis-statistics-information>
show event-options
show event-options event-scripts
show event-options event-scripts policies
<get-event-scripts-policies>
<get-event-summary>
show evpn
show evpn arp-table
<get-evpn-arp-table>
show evpn flood
<get-evpn-flood-information>
show evpn flood event-queue
<get-evpn-event-queue-information>
show evpn flood route
show evpn flood route all-ce-flood
<get-evpn-all-ce-flood-route-information>
show evpn flood route all-flood
<get-evpn-all-flood-route-information>
show evpn flood route alt-root-flood
322
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
<get-evpn-alt-root-flood-route-information>
show evpn flood route ce-flood
<get-evpn-ce-flood-route-information>
show evpn flood route mlp-flood
<get-evpn-mlp-flood-route-information>
show evpn flood route re-flood
<get-evpn-re-flood-route-information>
show evpn instance
<get-evpn-instance-information>show evpn ip-prefix-database
<get-evpn-ip-prefix-database-information>
show evpn l3-context
<get-evpn-l3-context-information>
show evpn mac-table
<get-evpn-mac-table>
show evpn mac-table interface
<get-evpn-interface-mac-table>
show evpn nd-table
<get-evpn-nd-table>
show evpn peer-gateway-macs
<get-evpn-peer-gateway-mac>
show evpn statistics
<get-evpn-statistics-information>
show evpn vpws-instance
<get-evpn-vpws-information>
show extensible-subscriber-services
show extensible-subscriber-services accounting
<get-extensible-subscriber-services-accounting>
show extensible-subscriber-services counters
<get-extensible-subscriber-services-counters>
show extensible-subscriber-services dictionary
<get-extensible-subscriber-services-dictionary>
show extensible-subscriber-services services
<get-extensible-subscriber-services-services>
show extensible-subscriber-services sessions
<get-extensible-subscriber-services-sessions>
show extension-provider
show extension-provider system
show extension-provider system connections
<get-mspinfo-connections>
show extension-provider system packages
<get-mspinfo-packages>
show extension-provider system processes
<get-mspinfo-processes>
show extension-provider system processes brief
<get-mspinfo-processes-brief>
show extension-provider system processes extensive
<get-mspinfo-processes-extensive>
show extension-provider system uptime
<get-mspinfo-uptime>
show extension-provider system virtual-memory
<get-core-key-list>
<get-fabric-summary-information>
<get-key-vg-binding>
<get-mac-ip-binding-information>
<get-mc-ccpc-cache-ccpc-select>
<get-mc-ccpc-cache-root-candidates>
<get-mc-ccpc-cache-spf>
<get-mc-ccpc-src-mod-filters>
<get-mc-edge-cache-ccpc-select>
<get-mc-edge-map-to-key-binding>
<get-mc-edge-key-to-map-binding>
Copyright © 2017, Juniper Networks, Inc.
323
User Access and Authentication Feature Guide for Routing Devices
<get-mc-edge-vg-portmap>
<get-mc-nsf>
<get-mc-root-cache-trunk>
<get-mc-root-key-to-map-binding>
<get-layer2-group-membership-entries>
<get-layer3-group-membership-entries>
<get-layer3-multicast-pending-routes>
<get-layer3-multicast-receivers>
<get-mc-root-map-to-key-binding>
<get-mc-root-vg-pfemap>
<get-fabric-multicast-statistics>
<get-mc-vccpdf-adjacency-database>
<get-mspinfo-virtual-memory>
get-fabric-statistics
get-fabric-summary-information
<get-vlan-domain-map-information>
show fabric multicast dirty-key-info
<get-mc-dirty-key-info>
show fabric multicast edge corekey-ifls-filters
<get-mc-edge-corekey-ifls-filters>
show fabric multicast edge ine-ifls-filters
<get-mc-edge-ine-ifls-filters>
show fabric multicast edge src-mod-filters
<get-mc-edge-src-mod-filters>
show fabric multicast graph
show fabric multicast graph core-tree
<get-fabric-multicast-graph>
show fabric multicast steal-key-info
<get-mc-steal-key-info>
show forwarding-options
show forwarding-options enhanced-hash-key
show forwarding-options enhanced-hash-key fpc
show forwarding-options hyper-mode
<get forwarding-options hyper-mode>
show forwarding-options load-balance
show forwarding-options next-hop-group
<get-forwarding-options-next-hop-group>
show forwarding-options port-mirroring
<get-forwarding-options-port-mirroring>
show helper
show helper statistics
<get-helper-statistics-information>
show hfrr
show hfrr profiles
show iccp
<get-inter-chassis-control-protocol-information>
show igmp
show igmp group
<get-igmp-group-information>
show igmp interface
<get-igmp-interface-information>
show igmp output-group
<get-igmp-output-group-information>
show igmp snooping
show igmp snooping interface
<get-igmp-snooping-interface-information>
show igmp snooping interface bridge-domain
<get-igmp-snooping-bridge-domain-interface>
show igmp snooping membership
<get-igmp-snooping-membership-information>
show igmp snooping membership bridge-domain
324
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
show igmp snooping options
<get-igmp-snooping-options-information>
show igmp snooping options
get-igmp-snooping-options-information
show igmp snooping statistics
<get-igmp-snooping-statistics-information>
show igmp snooping statistics bridge-domain
<get-igmp-snooping-bridge-domain-membership>
show igmp statistics
<get-igmp-statistics-information>
show ike
show ike security-associations
<get-ike-security-associations-information>
show ilmi
<get-ilmi-information>
show ilmi interface
<get-ilmi-interface-information>
show ilmi statistics
<get-ilmi-statistics>
show ingress-replication
<get-ingress-replication-information>
show interfaces
<get-interface-information>
show interfaces anchor-group
show interfaces controller
<get-interface-controller-information>
show interfaces destination-class
<get-destination-class-statistics>
show interfaces destination-class all
<get-all-destination-class-statistics>
show interfaces diagnostics
show interfaces diagnostics optics
<get-interface-optics-diagnostics-information>
show interfaces diagnostics optics satellite
<show-interface-optics-diagnostics-satellite>
show interfaces distribution-list
<get-distribution-list-information>
show interfaces far-end-interval
<show-interfaces-far-end-interval>
show interfaces filters
<get-interface-filter-information>
show interfaces forwarding-class-counters
<get-interface-fc-counters-information>
show interfaces interface-set
<get-interface-set-information>
show interfaces interface-set queue
<get-interface-set-queue-information>
show interfaces interval
<show-interfaces-interval>
show interfaces lib-clients
<get-dcd-lib-client-data>
show interfaces load-balancing
<interface-load-balancing>
show interfaces mac-database
Copyright © 2017, Juniper Networks, Inc.
325
User Access and Authentication Feature Guide for Routing Devices
<get-mac-database>
show interfaces mc-ae
<get-mc-ae-interface-information>
show interfaces mc-ae revertive-info
<get-mc-ae-revertive-information>
show interfaces policers
<get-interface-policer-information>
show interfaces queue
<get-interface-queue-information>
show interfaces redundancy
<get-redundancy-status>
show interfaces redundancy detail
<get-redundancy-status-details>
show interfaces routing
show interfaces source-class
<get-source-class-statistics>
show interfaces source-class all
<get-all-source-class-statistics>
show interfaces targeting
<get-targeting-information>
show interfaces transport
<get-interface-transport-information>
show interfaces transport optics
<get-interface-transport-optics-information>
show interfaces transport optics interval
<get-interface-transport-optics-interval-information>
show interfaces voq
<get-interface-voq-information>
show ipsec
show ipsec redundancy
show ipsec redundancy interface
<get-ipsec-pic-redundancy-information>
show ipsec redundancy security-associations
<get-ipsec-tunnel-redundancy-information>
show ipsec security-associations
<get-security-associations-information>
show ipv6
show ipv6 neighbors
<get-ipv6-nd-information>
show ipv6 router-advertisement
<get-ipv6-ra-information>
show isis
show isis adjacency
<get-isis-adjacency-information>
show isis authentication
<get-isis-authentication-information>
show isis backup
show isis backup coverage
<get-isis-backup-coverage-information>
326
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
show isis backup label-switched-path
<get-isis-backup-lsp-information>
show isis backup spf
show isis backup spf results
<get-isis-backup-spf-results-information>
show isis bgp-orr
<get-isis-bgporr-information>
show isis context-identifier
<get-isis-context-identifier-information>
show isis context-identifier identifier
<get-isis-context-identifier-origin-information>
show isis database
<get-isis-database-information>
show isis hostname
<get-isis-hostname-information>
show isis interface
<get-isis-interface-information>
show isis interface-group
<get-isis-interface-group-information>
show isis layer2-map
<get-isis-layer2-map-information>
show isis overview
<get-isis-overview-information>
show isis route
<get-isis-route-information>
show isis spf
show isis spf brief
<get-isis-spf-results-brief-information>
show isis spf log
<get-isis-spf-log-information>
show isis spf results
<get-isis-spf-results-information>
show isis statistics
<get-isis-statistics-information>
show l2-learning
show l2-learning backbone-instance
<get-l2-learning-backbone-instance>
show l2-learning evpn
show l2-learning evpn arp-statistics
<get-evpn-arp-statistics>
show l2-learning evpn arp-statistics interface
<get-evpn-arp-statistics-interface>
show l2-learning evpn nd-statistics
<get-evpn-nd-statistics>
show l2-learning evpn nd-statistics interface
<get-evpn-nd-statistics-interface>
show l2-learning global-information
<get-l2-learning-global-information>
Copyright © 2017, Juniper Networks, Inc.
327
User Access and Authentication Feature Guide for Routing Devices
show l2-learning global-mac-count
<get-l2-learning-global-mac-count>
show l2-learning instance
<get-l2-learning-routing-instances>
show l2-learning interface
<get-l2-learning-interface-information>
show l2-learning mac-move-buffer
<get-l2-learning-mac-move-buffer-information>
show l2-learning provider-instance
<get-l2-learning-provider-instance>
show l2-learning redundancy-groups
<get-l2-learning-redundancy-groups>
show l2-learning remote-backbone-edge-bridges
<get-l2-learning-remote-backbone-edge-bridges>
show l2-learning vxlan-tunnel-end-point
show l2-learning vxlan-tunnel-end-point esi
<get-l2-learning-vxlan-esi-info>show l2-learning vxlan-tunnel-end-point remote
<get-l2-learning-vxlan-rvtep-info>
show l2-learning vxlan-tunnel-end-point remote ip
<get-l2-learning-vxlan-rvtep-ip-information>
show l2-learning vxlan-tunnel-end-point remote mac-table
<get-l2-learning-vxlan-rvtep-mactable-information>
show l2-learning vxlan-tunnel-end-point remote vtep-source-interface
<get-l2-learning-vxlan-remote-svtep-ip-information>
show l2-learning vxlan-tunnel-end-point source
<get-l2-learning-vxlan-svtep-info>
show l2-learning vxlan-tunnel-end-point source ip
<get-l2-learning-vxlan-svtep-ip-information>
show l2circuit
show l2circuit auto-sensing
<get-l2ckt-pw-auto-sensing-information>
show l2circuit connections
<get-l2ckt-connection-information>
show l2cpd
show l2cpd task
<get-l2cpd-task-information>
show l2cpd task io
<get-l2cpd-tasks-io-statistics>
show l2cpd task memory
<get-l2cpd-task-memory>
show l2cpd task replication
<get-l2cpd-replication-information>
show l2vpn
show l2vpn connections
<get-l2vpn-connection-information>
show lacp
show lacp interfaces
<get-lacp-interface-information>
show lacp statistics
show lacp statistics interfaces
<get-lacp-interface-statistics>
show lacp timeouts
show ldp
show ldp database
<get-ldp-database-information>
show ldp fec-filters
<get-ldp-fec-filters-information>
328
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
show ldp interface
<get-ldp-interface-information>
show ldp neighbor
<get-ldp-neighbor-information>
show ldp oam
<get-ldp-oam-information>
show ldp overview
<get-ldp-overview-information>
show ldp p2mp
show ldp p2mp fec
<get-ldp-p2mp-fec-information>
show ldp p2mp path
<get-ldp-p2mp-path-information>
show ldp p2mp tunnel
<get-ldp-p2mp-tunnel-information>
show ldp path
<get-ldp-path-information>
show ldp rib-groups
<get-ldp-rib-groups-information>
show ldp route
<get-ldp-route-information>
show ldp session
<get-ldp-session-information>
show ldp statistics
<get-ldp-statistics-information>
show ldp traffic-statistics
<get-ldp-traffic-statistics-information>
show link-management
<get-lm-information>
show link-management peer
<get-lm-peer-information>
show link-management routing
<get-lm-routing-information>
show link-management routing peer
<get-lm-routing-peer-information>
show link-management routing resource
<get-lm-routing-resource-information>
show link-management routing te-link
<get-lm-routing-te-link-information>
show lldp
<get-lldp-information>
show lldp detail
<get-lldp-information-detail>
show lldp local-information
<get-lldp-local-info>
Copyright © 2017, Juniper Networks, Inc.
329
User Access and Authentication Feature Guide for Routing Devices
show lldp neighbors
<get-lldp-neighbors-information>
show lldp neighbors interface
<get-lldp-interface-neighbors>
show lldp remote-global-statistics
<get-lldp-remote-global-statistics>
show lldp statistics
<get-lldp-statistics-information>
show lldp statistics interface
<get-lldp-interface-statistics>
show loop-detect
show loop-detect interface
<get-loop-detect-interface-information>
show loop-detect statistics
show loop-detect statistics interface
<get-loop-detect-interface-statistics-information>
show link-management statistics
<get-lm-statistics-information>
show link-management statistics peer
<get-lm-peer-statistics>
show link-management te-link
<get-lm-te-link-information>
show mac-rewrite
show mac-rewrite interface
<get-mac-rewrite-interface-information>
show mld
show mld group
<get-mld-group-information>
show mld interface
<get-mld-interface-information>
show mld output-group
<get-mld-output-group-information>
show mld snooping
show mld snooping interface
<get-mld-snooping-interface-information>
show mld snooping interface bridge-domain
<get-mld-snooping-bridge-domain-interface>
show mld snooping interface vlan
<get-mld-snooping-vlan-interface>
show mld snooping membership
<get-mld-snooping-membership-information>
show mld snooping membership bridge-domain
<get-mld-snooping-bridge-domain-membership>
show mld snooping membership vlan
<get-mld-snooping-vlan-membership>
show mld snooping statistics
<get-mld-snooping-statistics-information>
show mld snooping statistics bridge-domain
<get-mld-snooping-bridge-domain-statistics>
show mld snooping statistics vlan
<get-mld-snooping-vlan-statistics>
show mld statistics
330
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
<get-mld-statistics-information>
show mobile-ip
show mobile-ip home-agent
show mobile-ip home-agent binding
<get-mip-binding-information>
show mobile-ip home-agent binding ip-address
<get-ip-mip-binding-information>
show mobile-ip home-agent binding nai
<get-nai-mip-binding-information>
show mobile-ip home-agent binding summary
<get-summary-mip-binding-information>
show mobile-ip home-agent interface
<get-mip-ha-interface-information>
show mobile-ip home-agent overview
<get-mip-ha-overview-information>
show mobile-ip home-agent traffic
<get-mip-ha-traffic-information>
show mobile-ip home-agent virtual-network
<get-mip-ha-virtual-network-information>
show mobile-ip tunnel
<get-mip-tunnel-information>
show mobile-ip wimax
show mobile-ip wimax release
<get-mip-wimax-release-information>
show mpls
show mpls abstract-hop-membership
<get-mpls-abstract-hop-membership-information>
show mpls admin-groups
<get-mpls-admin-group-information>
show mpls admin-groups-extended
<get-mpls-admin-group-extended-information>
show mpls association
show mpls association iif
<get-mpls-association-iif-information>
show mpls association oif
<get-mpls-association-oif-information>
show mpls association path
<get-mpls-association-path-information>
show mpls call-admission-control
<get-mpls-call-admission-control-information>
show mpls context-identifier
<get-mpls-context-identifier-information>
show mpls correlation
show mpls correlation label
<get-mpls-correlation-label-information>
show mpls correlation nexthop-id
<get-mpls-correlation-nexthop-information>
show network-access address-assignment preserved
Copyright © 2017, Juniper Networks, Inc.
331
User Access and Authentication Feature Guide for Routing Devices
<get-address-assignment-preserved-table>
show network-access domain-map
show network-access domain-map statistics
<get-domain-map-statistics>
show mpls cspf
<get-mpls-cspf-information>
show mpls diffserv-te
<get-mpls-diffserv-te-information>
show mpls egress-protection
show mpls interface
<get-mpls-interface-information>
show mpls label
<get mpls-label-space>
show mpls label usage
<get mpls-label-space-usage>
show mpls lsp
<get-mpls-lsp-information>
show mpls lsp abstract-computation
<get-mpls-lsp-abstract-computation>
show mpls lsp autobandwidth
<get-mpls-lsp-autobandwidth>
show mpls srlg
<get-mpls-srlg-information>
show oam ethernet fnp
show oam ethernet fnp interface
show oam ethernet fnp messages
show oam ethernet fnp status
<get-fnp-status>
show mpls lsp defaults
<get-mpls-lsp-defaults-information>
show mpls path
<get-mpls-path-information>
show mpls static-lsp
<get-mpls-static-lsp-information>
show mpls traceroute
show mpls traceroute database
show mpls traceroute database ldp
<get-mpls-traceroute-database-ldp>
show msdp
<get-msdp-information>
show msdp source
<get-msdp-source-information>
show msdp source-active
<get-msdp-source-active-information>
show msdp statistics
<get-msdp-statistics-information>
show multi-chassis
show multi-chassis mc-lag
show multi-chassis mc-lag configuration-consistency
<get-mclag-config-consistency-information>
show multi-chassis mc-lag configuration-consistency global-config
<get-mclag-global-config-consistency-information>
show multi-chassis mc-lag configuration-consistency icl-config
<get-mclag-icl-config-consistency-information>
332
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
show multi-chassis mc-lag configuration-consistency
list-of-parameters<get-mclag-config-consistency-information-params>
show multi-chassis mc-lag configuration-consistency mcae-config
get-mclag-config-consistency-information-mcae
show multi-chassis mc-lag configuration-consistency vlan-config
<get-mclag-vlan-config-consistency-information>
show multi-chassis mc-lag configuration-consistency vrrp-config
<get-mclag-vrrp-config-consistency-information>
show multicast
show multicast backup-pe-groups
<get-multicast-backup-pe-groups-information>
show multicast backup-pe-groups address
<get-multicast-backup-pe-address-information>
show multicast backup-pe-groups group
<get-multicast-backup-pe-group-information>
show multicast ecid-mapping
show multicast ecid-mapping satellite
<get-satellite-control-ecid>
show multicast flow-map
<get-multicast-flow-maps-information>
show multicast interface
<get-multicast-interface-information>
show multicast next-hops
<get-multicast-next-hops-information>
show multicast next-hops satellite
<get-satellite-control-next-hop>
show multicast pim-to-igmp-proxy
<get-multicast-pim-to-igmp-proxy-information>
show multicast pim-to-mld-proxy
<get-multicast-pim-to-mld-proxy-information>
show multicast route
<get-multicast-route-information>
show multicast rpf
<get-multicast-rpf-information>
show multicast scope
<get-multicast-scope-information>
show multicast sessions
<get-multicast-sessions-information>
show multicast snooping
show multicast snooping next-hops
<get-multicast-snooping-next-hops-information>
show multicast snooping next-hops satellite
<get-satellite-control-indirect-next-hop>
show multicast snooping route
<get-multicast-snooping-route-information>
show multicast snooping route satellite
get-satellite-control-multicast
Copyright © 2017, Juniper Networks, Inc.
333
User Access and Authentication Feature Guide for Routing Devices
show multicast statistics
<get-multicast-statistics-information>
show multicast statistics satellite
<get-satellite-control-statistics>
show multicast summary
show multicast summary satellite
<get-satellite-control-summary>
show multicast usage
<get-multicast-usage-information>
show mvpn
show mvpn c-multicast
<get-mvpn-c-multicasti-route>
show mvpn instance
<get-mvpn-instance-information>
show mvpn neighbor
<get-mvpn-neighbor-information>
show mvpn suppressed
get-mvpn-suppressed-information
show mvrp
<get-mvrp-information>
show mvrp applicant-state
<get-mvrp-applicant-information>
show mvrp dynamic-vlan-memberships
<get-mvrp-dynamic-vlan-memberships>
show mvrp interface
<get-mvrp-interface-information>
show mvrp registration-state
<get-mvrp-registration-state>
show mvrp statistics
<get-mvrp-interface-statistics>
show network-access
show network-access aaa
show network-access aaa radius-servers
<get-radius-servers-table>
show network-access aaa statistics
<get-aaa-module-statistics>
show network-access aaa statistics address-assignment
show network-access aaa statistics address-assignment client
<get-address-assignment-client-statistics>
show network-access aaa statistics address-assignment pool
<get-address-assignment-pool-statistics>
show network-access aaa subscribers
<get-aaa-subscriber-table>
show network-access aaa subscribers session-id
show network-access aaa subscribers statistics
<get-aaa-subscriber-statistics>
show network-access aaa terminate-code
<get-aaa-terminate-code>
334
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
show network-access aaa terminate-code aaa
<get-aaa-terminate-code-aaa>
show network-access aaa terminate-code dhcp
<get-aaa-terminate-code-dhcp>
show network-access aaa terminate-code l2tp
<get-aaa-terminate-code-l2tp>
show network-access aaa terminate-code ppp
<get-aaa-terminate-code-ppp>
show network-access aaa terminate-code reverse
<get-aaa-terminate-code-reverse>
show network-access aaa terminate-code reverse
get-aaa-terminate-code-reverse-aaa>
show network-access aaa terminate-code reverse
<get-aaa-terminate-code-reverse-dhcp>
show network-access aaa terminate-code reverse
<get-aaa-terminate-code-reverse-l2tp>
show network-access aaa terminate-code reverse
<get-aaa-terminate-code-reverse-ppp>
show network-access address-assignment
show network-access address-assignment pool
<get-address-assignment-pool-table>
show network-access nasreq
show network-access nasreq statistics
get-nasreq-counters
show network-access ocs
show network-access ocs state
<get-ocs-state-information>
show network-access ocs statistics
<get-ocs-statistics-information>
show network-access pcrf
show network-access pcrf state
<get-pcrf-state-information>
show network-access pcrf statistics
<get-pcrf-statistics-information>
aaa
dhcp
l2tp
ppp
show network-access requests
show network-access requests pending
<get-authentication-pending-table>
show network-access requests statistics
<get-authentication-statistics>
show network-access securid-node-secret-file
<get-node-secret-file-table>
show nonstop-routing
<get-nonstop-routing-information>
show ntp
show ntp associations
show ntp status
show oam
show oam ethernet
show oam ethernet connectivity-fault-management sla-iterator-history
<get-cfm-iterator-history>
show oam ethernet connectivity-fault-management
show oam ethernet connectivity-fault-management adjacencies
<get-cfm-adjacency-information>
show oam ethernet connectivity-fault-management delay-statistics
<get-cfm-delay-statistics>
Copyright © 2017, Juniper Networks, Inc.
335
User Access and Authentication Feature Guide for Routing Devices
show oam ethernet connectivity-fault-management forwarding-state
show oam ethernet connectivity-fault-management forwarding-state instance
<get-cfm-forwarding-state-instance-information>
show oam ethernet connectivity-fault-management forwarding-state interface
<get-cfm-forwarding-state-interface-information>
show oam ethernet connectivity-fault-management interfaces
<get-cfm-interfaces-information>
show oam ethernet connectivity-fault-management loss-statistics
<get-cfm-loss-statistics>
show oam ethernet connectivity-fault-management mep-database
<get-cfm-mep-database>
show oam ethernet connectivity-fault-management mep-statistics
<get-cfm-mep-statistics>
show oam ethernet connectivity-fault-management mip
<get-cfm-mip-information>
show oam ethernet connectivity-fault-management path-database
<get-cfm-linktrace-path-database>
show oam ethernet connectivity-fault-management policer
<get-evc-information>
show oam ethernet connectivity-fault-management sla-iterator-statistics
<get-cfm-iterator-statistics>
show oam ethernet evc
<get-evc-infromation>
show oam ethernet link-fault-management
<get-lfmd-information>
show oam ethernet lmi
<get-elmi-information>
show oam ethernet lmi statistics
<get-elmi-statistics>
show
show
show
show
show
show
show
show
show
show
show
show
show
show
show
show
show
openflow
openflow
openflow
openflow
openflow
openflow
openflow
openflow
openflow
openflow
openflow
openflow
openflow
openflow
openflow
openflow
openflow
capability
controller
filters
flows
interfaces
statistics
statistics
statistics
statistics
statistics
statistics
statistics
statistics
statistics
summary
switch
flows
interfaces
packet
packet in
packet out
queue
summary
tables
show ospf
show ospf backup
show ospf backup coverage
<get-ospf-backup-coverage-information>
336
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
show ospf backup lsp
<get-ospf-backup-lsp-information>
show ospf backup neighbor
<get-ospf-backup-neighbor-information>
show ospf backup spf
<get-ospf-backup-spf-information>
show ospf bgp-orr
<get-ospf-bgporr-information>
show ospf context-identifier
<get-ospf-context-id-information>
show ospf database
<get-ospf-database-information>
show ospf interface
<get-ospf-interface-information>
show ospf io-statistics
<get-ospf-io-statistics-information>
show ospf log
<get-ospf-log-information>
show ospf neighbor
<get-ospf-neighbor-information>
show ospf overview
<get-ospf-overview-information>
show ospf route
<get-ospf-route-information>
show ospf statistics
<get-ospf-statistics-information>
show ospf3
show ospf3 backup
show ospf3 backup coverage
<get-ospf3-backup-coverage-information>
show ospf3 backup lsp
<get-ospf3-backup-lsp-information>
show ospf3 backup neighbor
<get-ospf3-backup-neighbor-information>
show ospf3 backup spf
<get-ospf3-backup-spf-information>
show ospf3 bgp-orr
<get-ospf-bgporr-information>
show ospf3 database
<get-ospf3-database-information>
show ospf3 interface
<get-ospf3-interface-information>
Copyright © 2017, Juniper Networks, Inc.
337
User Access and Authentication Feature Guide for Routing Devices
show ospf3 io-statistics
<get-ospf3-io-statistics-information>
show ospf3 log
<get-ospf3-log-information>
show ospf3 neighbor
<get-ospf3-neighbor-information>
show ospf3 overview
<get-ospf3-overview-information>
show ospf3 route
<get-ospf3-route-information>
show ospf3 statistics
<get-ospf3-statistics-information>
show overlay
<get-cloud-analytics-overlay-information>
show overlay vxlan
<get-cloud-analytics-overlay-vxlan-information>
show overlay vxlan vni
<get-application-monitor-overlay-vxlan-information>
show overlay vxlan vtep
<get-application-monitor-overlay-vtep-information>
show ovsdb
show ovsdb commit
show ovsdb commit failures
<get-ovsdb-commit-failure-information>
show ovsdb tunnels
<get-ovsdb-tunnels-information>
show ovsdb virtual-tunnel-end-point
<get-ovsdb-vtep-information>
show passive-monitoring
<get-passive-monitoring-information>
show passive-monitoring error
<get-passive-monitoring-error-information>
show passive-monitoring flow
<get-passive-monitoring-flow-information>
show passive-monitoring memory
<get-passive-monitoring-memory-information>
show passive-monitoring status
<get-passive-monitoring-status-information>
show passive-monitoring usage
<get-passive-monitoring-usage-information>
show path-computation-client
show path-computation-client active-pce
show path-computation-client lsp-retry-pending
<get-path-computation-client-lsp-retry-pending>
show path-computation-client statistics
show performance-monitoring
show performance-monitoring mpls
show performance-monitoring mpls lsp
<get-pm-mpls-lsp-information>
show pfe
338
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
show pfe cfeb
show pfe data
<get-pfe-data>
show pfe feb
show pfe filter
show pfe filter hw
show pfe filter hw summary
show pfe fpc
show pfe fwdd
show pfe lcc
show pfe next-hop
show pfe pfem
show pfe pfem detail
show pfe pfem extensive
show pfe route
show pfe route clnp
show pfe route clnp table
show pfe route inet6
show pfe route inet6 hw
show pfe route inet6 hw host
show pfe route inet6 hw lpm
show pfe route inet6 hw multicast
show
show
show
show
show
show
show
show
show
show
show
show
show
show
show
show
show
show
show
show
pfe route inet6 table
pfe route ip
pfe route ip table
pfe route iso
pfe route iso table
pfe scb
pfe sfm
pfe ssb
pfe statistics
pfe statistics exceptions
pfe statistics fabric
pfe statistics ip
pfe route ip hw
pfe route ip hw host
pfe route ip hw lpm
pfe route ip hw multicast
pfe route summary
pfe route summary hw
pfe statistics ip6
pfe statistics traffic
<get-pfe-statistics>
show pfe statistics traffic bandwidth
<get-pfe-traffic-statistics-bandwidth>
show pfe statistics traffic cpu
show pfe statistics traffic cpu fpe
show pfe statistics traffic detail
<get-pfe-traffic-statistics>
show pfe statistics traffic egress-queues
show pfe statistics traffic egress-queues fpc
show pfe statistics traffic multicast
show pfe statistics traffic multicast fpcshow pfe statistics traffic protocol
show pfe tcam
show pfe tcam app
<get-pfe-tcam-app-list>
show pfe tcam app bd-dtag-validate
<get-pfe-tcam-app-list-bd-dtag-validate>
show pfe tcam app bd-dtag-validate detail
Copyright © 2017, Juniper Networks, Inc.
339
User Access and Authentication Feature Guide for Routing Devices
show pfe tcam app bd-dtag-validate list-related-apps
show pfe tcam app bd-dtag-validate list-shared-apps
show pfe tcam app bd-dtag-validate shared-usage
show pfe tcam app bd-dtag-validate shared-usage detail
show pfe tcam app bd-tpid-swap
<get-pfe-tcam-app-list-bd-tpid-swap>
show pfe tcam app bd-tpid-swap detail
show pfe tcam app bd-tpid-swap list-related-apps
show pfe tcam app bd-tpid-swap list-shared-apps
show pfe tcam app bd-tpid-swap shared-usage
show pfe tcam app bd-tpid-swap shared-usage detail
show pfe tcam app cfm-bd-filter
<get-pfe-tcam-app-list-cfm-bd-filter>
show pfe tcam app cfm-bd-filter detail
show pfe tcam app cfm-bd-filter list-related-apps
show pfe tcam app cfm-bd-filter list-shared-apps
show pfe tcam app cfm-bd-filter shared-usage
show pfe tcam app cfm-bd-filter shared-usage detail
show pfe tcam app cfm-filter
<get-pfe-tcam-app-list-cfm-filter>
show pfe tcam app cfm-filter list-related-apps
show pfe tcam app cfm-filter list-shared-apps
show pfe tcam app cfm-filter shared-usage
show pfe tcam app cfm-filter shared-usage detail
show pfe tcam app cfm-vpls-filter
<get-pfe-tcam-app-list-cfm-vpls-filter>
show pfe tcam app cfm-vpls-filter detail
show pfe tcam app cfm-vpls-filter list-related-apps
show pfe tcam app cfm-vpls-filter list-shared-apps
show pfe tcam app cfm-vpls-filter shared-usage
show pfe tcam app cfm-vpls-filter shared-usage detail
show pfe tcam app cfm-vpls-ifl-filter
<get-pfe-tcam-app-list-cfm-vpls-ifl-filter>
show pfe tcam app cfm-vpls-ifl-filter detail
show pfe tcam app cfm-vpls-ifl-filter list-related-apps
show pfe tcam app cfm-vpls-ifl-filter list-shared-apps
show pfe tcam app cfm-vpls-ifl-filter shared-usage
show pfe tcam app cfm-vpls-ifl-filter shared-usage detail
show pfe tcam app cos-fc
<get-pfe-tcam-app-list-cos-fc>
show pfe tcam app cos-fc detail
show pfe tcam app cos-fc list-related-apps
show pfe tcam app cos-fc list-shared-apps
show pfe tcam app cos-fc shared-usage
show pfe tcam app cos-fc shared-usage detail
show pfe tcam app fw-ccc-in
<get-pfe-tcam-app-list-fw-ccc-in>
show pfe tcam app fw-ccc-in detail
show pfe tcam app fw-ccc-in list-related-apps
show pfe tcam app fw-ccc-in list-shared-apps
show pfe tcam app fw-ccc-in shared-usage
show pfe tcam app fw-ccc-in shared-usage detail
show pfe tcam app fw-family-out
<get-pfe-tcam-app-list-fw-family-out>
show pfe tcam app fw-family-out detail
show pfe tcam app fw-family-out list-related-apps
show pfe tcam app fw-family-out list-shared-apps
show pfe tcam app fw-family-out shared-usage
show pfe tcam app fw-family-out shared-usage detail
show pfe tcam app fw-fbf
<get-pfe-tcam-app-list-fw-fbf>
340
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
show pfe tcam app fw-fbf detail
show pfe tcam app fw-fbf list-related-apps
show pfe tcam app fw-fbf list-shared-apps
show pfe tcam app fw-fbf shared-usage
show pfe tcam app fw-fbf shared-usage detail
show pfe tcam app fw-fbf-inet6
<get-pfe-tcam-app-list-fw-fbf-inet6>
show pfe tcam app fw-fbf-inet6 detail
show pfe tcam app fw-fbf-inet6 list-related-apps
show pfe tcam app fw-fbf-inet6 list-shared-apps
show pfe tcam app fw-fbf-inet6 shared-usage
show pfe tcam app fw-fbf-inet6 shared-usage detail
show pfe tcam app fw-ifl-in
<get-pfe-tcam-app-list-fw-ifl-in>
show pfe tcam app fw-ifl-in detail
show pfe tcam app fw-ifl-in list-related-apps
show pfe tcam app fw-ifl-in list-shared-apps
show pfe tcam app fw-ifl-in shared-usage
show pfe tcam app fw-ifl-in shared-usage detail
show pfe tcam app fw-ifl-out
<get-pfe-tcam-app-list-fw-ifl-out>
show pfe tcam app fw-ifl-out detail
show pfe tcam app fw-ifl-out list-related-apps
show pfe tcam app fw-ifl-out list-shared-apps
show pfe tcam app fw-ifl-out shared-usage
show pfe tcam app fw-ifl-out shared-usage detail
show pfe tcam app fw-inet-ftf
<get-pfe-tcam-app-list-fw-inet-ftf>
show pfe tcam app fw-inet-ftf detail
show pfe tcam app fw-inet-ftf list-related-apps
show pfe tcam app fw-inet-ftf list-shared-apps
show pfe tcam app fw-inet-ftf shared-usage
show pfe tcam app fw-inet-ftf shared-usage detail
show pfe tcam app fw-inet-in
<get-pfe-tcam-app-list-fw-inet-in>
show pfe tcam app fw-inet-in detail
show pfe tcam app fw-inet-in list-related-apps
show pfe tcam app fw-inet-in list-shared-apps
show pfe tcam app fw-inet-in shared-usage
show pfe tcam app fw-inet-in shared-usage detail
show pfe tcam app fw-inet-pm
<get-pfe-tcam-app-list-fw-inet-pm>
show pfe tcam app fw-inet-pm detail
show pfe tcam app fw-inet-pm list-related-apps
show pfe tcam app fw-inet-pm list-shared-apps
show pfe tcam app fw-inet-pm shared-usage
show pfe tcam app fw-inet-pm shared-usage detail
show pfe tcam app fw-inet-rpf
<get-pfe-tcam-app-list-fw-inet-rpf>
show pfe tcam app fw-inet-rpf detail
show pfe tcam app fw-inet-rpf list-related-apps
show pfe tcam app fw-inet-rpf list-shared-apps
show pfe tcam app fw-inet-rpf shared-usage
show pfe tcam app fw-inet-rpf shared-usage detail
show pfe tcam app fw-inet6-family-out
<get-pfe-tcam-app-list-fw-inet6-family-out>
show pfe tcam app fw-inet6-family-out detail
show pfe tcam app fw-inet6-family-out list-related-apps
show pfe tcam app fw-inet6-family-out list-shared-apps
show pfe tcam app fw-inet6-family-out shared-usage
show pfe tcam app fw-inet6-family-out shared-usage detail
Copyright © 2017, Juniper Networks, Inc.
341
User Access and Authentication Feature Guide for Routing Devices
show pfe tcam app fw-inet6-ftf
<get-pfe-tcam-app-list-fw-inet6-ftf>
show pfe tcam app fw-inet6-ftf detail
show pfe tcam app fw-inet6-ftf list-related-apps
show pfe tcam app fw-inet6-ftf list-shared-apps
show pfe tcam app fw-inet6-ftf shared-usage
show pfe tcam app fw-inet6-ftf shared-usage detail
show pfe tcam app fw-inet6-in
<get-pfe-tcam-app-list-fw-inet6-in>
show pfe tcam app fw-inet6-in detail
show pfe tcam app fw-inet6-in list-related-apps
show pfe tcam app fw-inet6-in list-shared-apps
show pfe tcam app fw-inet6-in shared-usage
show pfe tcam app fw-inet6-in shared-usage detail
show pfe tcam app fw-inet6-rpf
<get-pfe-tcam-app-list-fw-inet6-rpf>
show pfe tcam app fw-inet6-rpf detail
show pfe tcam app fw-inet6-rpf list-related-apps
show pfe tcam app fw-inet6-rpf list-shared-apps
show pfe tcam app fw-inet6-rpf shared-usage
show pfe tcam app fw-inet6-rpf shared-usage detail
show pfe tcam app fw-l2-in
<get-pfe-tcam-app-list-fw-l2-in>
show pfe tcam app fw-l2-in detail
show pfe tcam app fw-l2-in list-related-apps
show pfe tcam app fw-l2-in list-shared-apps
show pfe tcam app fw-l2-in shared-usage
show pfe tcam app fw-l2-in shared-usage detail
show pfe tcam app fw-mpls-in
<get-pfe-tcam-app-list-fw-mpls-in>
show pfe tcam app fw-mpls-in detail
show pfe tcam app fw-mpls-in list-related-apps
show pfe tcam app fw-mpls-in list-shared-apps
show pfe tcam app fw-mpls-in shared-usage
show pfe tcam app fw-mpls-in shared-usage detail
show pfe tcam app fw-semantics
<get-pfe-tcam-app-list-fw-semantics>
show pfe tcam app fw-semantics detail
show pfe tcam app fw-semantics list-related-apps
show pfe tcam app fw-semantics list-shared-apps
show pfe tcam app fw-semantics shared-usage
show pfe tcam app fw-semantics shared-usage detail
show pfe tcam app fw-vpls-in
<get-pfe-tcam-app-list-fw-vpls-in>
show pfe tcam app fw-vpls-in detail
show pfe tcam app fw-vpls-in list-related-apps
show pfe tcam app fw-vpls-in list-shared-apps
show pfe tcam app fw-vpls-in shared-usage
show pfe tcam app fw-vpls-in shared-usage detail
show pfe tcam app gr-ifl-stats-egr
<get-pfe-tcam-app-list-gr-ifl-statistics-egr>
show pfe tcam app gr-ifl-stats-egr detail
show pfe tcam app gr-ifl-stats-egr list-related-apps
show pfe tcam app gr-ifl-stats-egr list-shared-apps
show pfe tcam app gr-ifl-stats-egr shared-usage
show pfe tcam app gr-ifl-stats-egr shared-usage detail
show pfe tcam app gr-ifl-stats-ing
<get-pfe-tcam-app-list-gr-ifl-statistics-ing>
show pfe tcam app gr-ifl-stats-ing detail
show pfe tcam app gr-ifl-stats-ing list-related-apps
show pfe tcam app gr-ifl-stats-ing list-shared-apps
342
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
show pfe tcam app gr-ifl-stats-ing shared-usage
show pfe tcam app gr-ifl-stats-ing shared-usage detail
show pfe tcam app gr-ifl-stats-preing
<get-pfe-tcam-app-list-gr-ifl-statistics-preing>
show pfe tcam app gr-ifl-stats-preing detail
show pfe tcam app gr-ifl-stats-preing list-related-apps
show pfe tcam app gr-ifl-stats-preing list-shared-apps
show pfe tcam app gr-ifl-stats-preing shared-usage
show pfe tcam app gr-ifl-stats-preing shared-usage detail
show pfe tcam app ifd-src-mac-fil
<get-pfe-tcam-app-list-ifd-src-mac-fil>
show pfe tcam app ifd-src-mac-fil detail
show pfe tcam app ifd-src-mac-fil list-related-apps
show pfe tcam app ifd-src-mac-fil list-shared-apps
show pfe tcam app ifd-src-mac-fil shared-usage
show pfe tcam app ifd-src-mac-fil shared-usage detail
show pfe tcam app ifl-statistics-in
<get-pfe-tcam-app-list-ifl-statistics-in>
show pfe tcam app ifl-statistics-in detail
show pfe tcam app ifl-statistics-in list-related-apps
show pfe tcam app ifl-statistics-in list-shared-apps
show pfe tcam app ifl-statistics-in shared-usage
show pfe tcam app ifl-statistics-in shared-usage detail
show pfe tcam app ifl-statistics-out
<get-pfe-tcam-app-list-ifl-statistics-out>
show pfe tcam app ifl-statistics-out detail
show pfe tcam app ifl-statistics-out list-related-apps
show pfe tcam app ifl-statistics-out list-shared-apps
show pfe tcam app ifl-statistics-out shared-usage
show pfe tcam app ifl-statistics-out shared-usage detail
show pfe tcam app ing-out-iff
<get-pfe-tcam-app-list-ing-out-iff>
show pfe tcam app ing-out-iff detail
show pfe tcam app ing-out-iff list-related-apps
show pfe tcam app ing-out-iff list-shared-apps
show pfe tcam app ing-out-iff shared-usage
show pfe tcam app ing-out-iff shared-usage detail
show pfe tcam app ip-mac-val
<get-pfe-tcam-app-list-ip-mac-val>
show pfe tcam app ip-mac-val detail
show pfe tcam app ip-mac-val list-related-apps
show pfe tcam app ip-mac-val list-shared-apps
show pfe tcam app ip-mac-val shared-usage
show pfe tcam app ip-mac-val shared-usage detail
show pfe tcam app ip-mac-val-bcast
<get-pfe-tcam-app-list-ip-mac-val-bcast>
show pfe tcam app ip-mac-val-bcast detail
show pfe tcam app ip-mac-val-bcast list-related-apps
show pfe tcam app ip-mac-val-bcast list-shared-apps
show pfe tcam app ip-mac-val-bcast shared-usage
show pfe tcam app ip-mac-val-bcast shared-usage detail
show pfe tcam app ipsec-reverse-fil
<get-pfe-tcam-app-list-ipsec-reverse-fil>
show pfe tcam app ipsec-reverse-fil detail
show pfe tcam app ipsec-reverse-fil list-related-apps
show pfe tcam app ipsec-reverse-fil list-shared-apps
show pfe tcam app ipsec-reverse-fil shared-usage
show pfe tcam app ipsec-reverse-fil shared-usage detail
show pfe tcam app irb-cos-rw
<get-pfe-tcam-app-list-irb-cos-rw>
show pfe tcam app irb-cos-rw detail
Copyright © 2017, Juniper Networks, Inc.
343
User Access and Authentication Feature Guide for Routing Devices
show pfe tcam app irb-cos-rw list-related-apps
show pfe tcam app irb-cos-rw list-shared-apps
show pfe tcam app irb-cos-rw shared-usage
show pfe tcam app irb-cos-rw shared-usage detail
show pfe tcam app irb-fixed-cos
<get-pfe-tcam-app-list-irb-fixed-cos>
show pfe tcam app irb-fixed-cos detail
show pfe tcam app irb-fixed-cos list-related-apps
show pfe tcam app irb-fixed-cos list-shared-apps
show pfe tcam app irb-fixed-cos shared-usage
show pfe tcam app irb-fixed-cos shared-usage detail
show pfe tcam app irb-inet6-fil
<get-pfe-tcam-app-list-irb-inet6-fil>
show pfe tcam app irb-inet6-fil detail
show pfe tcam app irb-inet6-fil list-related-apps
show pfe tcam app irb-inet6-fil list-shared-apps
show pfe tcam app irb-inet6-fil shared-usage
show pfe tcam app irb-inet6-fil shared-usage detail
show pfe tcam app lfm-802.3ah-in
<get-pfe-tcam-app-list-lfm-802.3ah-in>
show pfe tcam app lfm-802.3ah-in detail
show pfe tcam app lfm-802.3ah-in list-related-apps
show pfe tcam app lfm-802.3ah-in list-shared-apps
show pfe tcam app lfm-802.3ah-in shared-usage
show pfe tcam app lfm-802.3ah-in shared-usage detail
show pfe tcam app lfm-802.3ah-out
<get-pfe-tcam-app-list-lfm-802.3ah-out>
show pfe tcam app lfm-802.3ah-out detail
show pfe tcam app lfm-802.3ah-out list-related-apps
show pfe tcam app lfm-802.3ah-out list-shared-apps
show pfe tcam app lfm-802.3ah-out shared-usage
show pfe tcam app lfm-802.3ah-out shared-usage detail
show pfe tcam app lo0-inet-fil
<get-pfe-tcam-app-list-lo0-inet-fil>
show pfe tcam app lo0-inet-fil detail
show pfe tcam app lo0-inet-fil list-related-apps
show pfe tcam app lo0-inet-fil list-shared-apps
show pfe tcam app lo0-inet-fil shared-usage
show pfe tcam app lo0-inet-fil shared-usage detail
show pfe tcam app lo0-inet6-fil
<get-pfe-tcam-app-list-lo0-inet6-fil>
show pfe tcam app lo0-inet6-fil detail
show pfe tcam app lo0-inet6-fil list-related-apps
show pfe tcam app lo0-inet6-fil list-shared-apps
show pfe tcam app lo0-inet6-fil shared-usage
show pfe tcam app lo0-inet6-fil shared-usage detail
show pfe tcam app mac-drop-cnt
<get-pfe-tcam-app-list-mac-drop-cnt>
show pfe tcam app mac-drop-cnt detail
show pfe tcam app mac-drop-cnt list-related-apps
show pfe tcam app mac-drop-cnt list-shared-apps
show pfe tcam app mac-drop-cnt shared-usage
show pfe tcam app mac-drop-cnt shared-usage detail
show pfe tcam app mrouter-port-in
<get-pfe-tcam-app-list-mrouter-port-in>
show pfe tcam app mrouter-port-in detail
show pfe tcam app mrouter-port-in list-related-apps
show pfe tcam app mrouter-port-in list-shared-apps
show pfe tcam app mrouter-port-in shared-usage
show pfe tcam app mrouter-port-in shared-usage detail
show pfe tcam app napt-reverse-fil
344
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
<get-pfe-tcam-app-list-napt-reverse-fil>
show pfe tcam app napt-reverse-fil detail
show pfe tcam app napt-reverse-fil list-related-apps
show pfe tcam app napt-reverse-fil list-shared-apps
show pfe tcam app napt-reverse-fil shared-usage
show pfe tcam app napt-reverse-fil shared-usage detail
show pfe tcam app no-local-switching
<get-pfe-tcam-app-list-no-local-switching>
show pfe tcam app no-local-switching detail
show pfe tcam app no-local-switching list-related-apps
show pfe tcam app no-local-switching list-shared-apps
show pfe tcam app no-local-switching shared-usage
show pfe tcam app no-local-switching shared-usage detail
show pfe tcam app ptpoe-cos-rw
<get-pfe-tcam-app-list-ptpoe-cos-rw>
show pfe tcam app ptpoe-cos-rw detail
show pfe tcam app ptpoe-cos-rw list-related-apps
show pfe tcam app ptpoe-cos-rw list-shared-apps
show pfe tcam app ptpoe-cos-rw shared-usage
show pfe tcam app ptpoe-cos-rw shared-usage detail
show pfe tcam app rfc2544-layer2-in
<get-pfe-tcam-app-list-rfc2544-layer2-in>
show pfe tcam app rfc2544-layer2-in detail
show pfe tcam app rfc2544-layer2-in list-related-apps
show pfe tcam app rfc2544-layer2-in list-shared-apps
show pfe tcam app rfc2544-layer2-in shared-usage
show pfe tcam app rfc2544-layer2-in shared-usage detail
show pfe tcam app rfc2544-layer2-out
<get-pfe-tcam-app-list-rfc2544-layer2-out>
show pfe tcam app vpls-mesh-group-mcast
<get-upper-level-xml-name-vpls-mesh-group-mcast>
show pfe tcam app vpls-mesh-group-mcast detail
show pfe tcam app vpls-mesh-group-mcast list-related-apps
show pfe tcam app vpls-mesh-group-mcast list-shared-apps
show pfe tcam app vpls-mesh-group-mcast shared-usage
show pfe tcam app vpls-mesh-group-mcast shared-usage detail
show pfe tcam app vpls-mesh-group-ucast
<get-upper-level-xml-name-vpls-mesh-group-ucast>
show pfe tcam app vpls-mesh-group-ucast detail
show pfe tcam app vpls-mesh-group-ucast list-related-apps
show pfe tcam app vpls-mesh-group-ucast list-shared-apps
show pfe tcam app vpls-mesh-group-ucast shared-usage
show pfe tcam app vpls-mesh-group-ucast shared-usage detail
show pfe tcam app cfm-filter detail
show pfe tcam errors app fw-inet-rpf
<get-pfe-tcam-errors-app-fw-inet-rpf>
show pfe tcam errors app fw-inet-rpf detail
show pfe tcam errors app fw-inet-rpf list-related-apps
show pfe tcam errors app fw-inet-rpf list-shared-apps
show pfe tcam errors app fw-inet-rpf shared-usage
show pfe tcam errors app fw-inet-rpf shared-usage detail
show pfe tcam errors app fw-inet6-rpf
<get-pfe-tcam-errors-app-fw-inet6-rpf>
show pfe tcam errors app fw-inet6-rpf detail
show pfe tcam errors app fw-inet6-rpf list-related-apps
show pfe tcam errors app fw-inet6-rpf list-shared-apps
show pfe tcam errors app fw-inet6-rpf shared-usage
show pfe tcam errors app fw-inet6-rpf shared-usage detail
show pfe tcam errors app gr-ifl-stats-egr
<get-pfe-tcam-errors-app-gr-ifl-statistics-egr>
show pfe tcam errors app gr-ifl-stats-egr detail
Copyright © 2017, Juniper Networks, Inc.
345
User Access and Authentication Feature Guide for Routing Devices
show pfe tcam errors app gr-ifl-stats-egr list-related-apps
show pfe tcam errors app gr-ifl-stats-egr list-shared-apps
show pfe tcam errors app gr-ifl-stats-egr shared-usage
show pfe tcam errors app gr-ifl-stats-egr shared-usage detail
show pfe tcam errors app gr-ifl-stats-ing
<get-pfe-tcam-errors-app-gr-ifl-statistics-ing>
show pfe tcam errors app gr-ifl-stats-ing detail
show pfe tcam errors app gr-ifl-stats-ing list-related-apps
show pfe tcam errors app gr-ifl-stats-ing list-shared-apps
show pfe tcam errors app gr-ifl-stats-ing shared-usage
show pfe tcam errors app gr-ifl-stats-ing shared-usage detail
show pfe tcam errors app gr-ifl-stats-preing
<get-pfe-tcam-errors-app-gr-ifl-statistics-preing>
show pfe tcam errors app gr-ifl-stats-preing detail
show pfe tcam errors app gr-ifl-stats-preing list-related-apps
show pfe tcam errors app gr-ifl-stats-preing list-shared-apps
show pfe tcam errors app gr-ifl-stats-preing shared-usage
show pfe tcam errors app gr-ifl-stats-preing shared-usage detail
show pfe tcam errors app ing-out-iff
<get-pfe-tcam-errors-app-ing-out-iff>
show pfe tcam errors app ing-out-iff detail
show pfe tcam errors app ing-out-iff list-related-apps
show pfe tcam errors app ing-out-iff list-shared-apps
show pfe tcam errors app ing-out-iff shared-usage
show pfe tcam errors app ing-out-iff shared-usage detail
show pfe tcam errors app vpls-mesh-group-mcast
<get-upper-level-xml-name-vpls-mesh-group-mcast>
show pfe tcam errors app vpls-mesh-group-mcast detail
show pfe tcam errors app vpls-mesh-group-mcast list-related-apps
show pfe tcam errors app vpls-mesh-group-mcast list-shared-apps
show pfe tcam errors app vpls-mesh-group-mcast shared-usage
show pfe tcam errors app vpls-mesh-group-mcast shared-usage detail
show pfe tcam errors app vpls-mesh-group-ucast
<get-upper-level-xml-name-vpls-mesh-group-ucast>
show pfe tcam errors app vpls-mesh-group-ucast detail
show pfe tcam errors app vpls-mesh-group-ucast list-related-apps
show pfe tcam errors app vpls-mesh-group-ucast list-shared-apps
show pfe tcam errors app vpls-mesh-group-ucast shared-usage
show pfe tcam errors app vpls-mesh-group-ucast shared-usage detail
show pfe tcam errors tcam-stage ingress app fw-inet-rpf
<get-pfe-tcam-errors-ingress-tcam-stage-fw-inet-rpf>
show pfe tcam errors tcam-stage ingress app fw-inet-rpf detail
show pfe tcam errors tcam-stage ingress app fw-inet-rpf list-related-apps
show pfe tcam errors tcam-stage ingress app fw-inet-rpf list-shared-apps
show pfe tcam errors tcam-stage ingress app fw-inet-rpf shared-usage
show pfe tcam errors tcam-stage ingress app fw-inet-rpf shared-usage detail
show pfe tcam errors tcam-stage ingress app fw-inet6-rpf
<get-pfe-tcam-errors-ingress-tcam-stage-fw-inet6-rpf>
show pfe tcam errors tcam-stage ingress app fw-inet6-rpf detail
show pfe tcam errors tcam-stage ingress app fw-inet6-rpf list-related-apps
show pfe tcam errors tcam-stage ingress app fw-inet6-rpf list-shared-apps
show pfe tcam errors tcam-stage ingress app fw-inet6-rpf shared-usage
show pfe tcam errors tcam-stage ingress app fw-inet6-rpf shared-usage detail
show pfe tcam errors tcam-stage ingress app gr-ifl-stats-egr
<get-pfe-tcam-errors-ingress-tcam-stage-gr-ifl-statistics-egr>
show pfe tcam errors tcam-stage ingress app gr-ifl-stats-egr detail
show pfe tcam errors tcam-stage ingress app gr-ifl-stats-egr list-related-apps
show pfe tcam errors tcam-stage ingress app gr-ifl-stats-egr list-shared-apps
show pfe tcam errors tcam-stage ingress app gr-ifl-stats-egr shared-usage
show pfe tcam errors tcam-stage ingress app gr-ifl-stats-egr shared-usage
detail
346
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
show pfe tcam errors tcam-stage ingress app gr-ifl-stats-ing
<get-pfe-tcam-errors-ingress-tcam-stage-gr-ifl-statistics-ing>
show pfe tcam errors tcam-stage ingress app gr-ifl-stats-ing detail
show pfe tcam errors tcam-stage ingress app gr-ifl-stats-ing list-related-apps
show pfe tcam errors tcam-stage ingress app gr-ifl-stats-ing list-shared-apps
show pfe tcam errors tcam-stage ingress app gr-ifl-stats-ing shared-usage
show pfe tcam errors tcam-stage ingress app gr-ifl-stats-ing shared-usage
detail
show pfe tcam errors tcam-stage ingress app gr-ifl-stats-preing
<get-pfe-tcam-errors-ingress-tcam-stage-gr-ifl-statistics-preing>
show pfe tcam errors tcam-stage ingress app gr-ifl-stats-preing detail
show pfe tcam errors tcam-stage ingress app gr-ifl-stats-preing
list-related-apps
show pfe tcam errors tcam-stage ingress app gr-ifl-stats-preing list-shared-apps
show pfe tcam errors tcam-stage ingress app gr-ifl-stats-preing shared-usage
show pfe tcam errors tcam-stage ingress app gr-ifl-stats-preing shared-usage
detail
show pfe tcam errors tcam-stage pre-ingress app ing-out-iff
<get-pfe-tcam-errors-pre-ingress-app-ing-out-iff>
show pfe tcam errors tcam-stage pre-ingress app ing-out-iff detail
show pfe tcam errors tcam-stage pre-ingress app ing-out-iff list-related-apps
show pfe tcam errors tcam-stage pre-ingress app ing-out-iff list-shared-apps
show pfe tcam errors tcam-stage pre-ingress app ing-out-iff shared-usage
show pfe tcam errors tcam-stage pre-ingress app ing-out-iff shared-usage detail
show pfe tcam errors tcam-stage pre-ingress app vpls-mesh-group-mcast
<get-upper-level-xml-name-vpls-mesh-group-mcast>
show pfe tcam errors tcam-stage pre-ingress app vpls-mesh-group-mcast detail
show pfe tcam errors tcam-stage pre-ingress app vpls-mesh-group-mcast
list-related-apps
show pfe tcam errors tcam-stage pre-ingress app vpls-mesh-group-mcast
list-shared-apps
show pfe tcam errors tcam-stage pre-ingress app vpls-mesh-group-mcast
shared-usage
show pfe tcam errors tcam-stage pre-ingress app vpls-mesh-group-mcast
shared-usage detail
show pfe tcam errors tcam-stage pre-ingress app vpls-mesh-group-ucast
<get-upper-level-xml-name-vpls-mesh-group-ucast>
show pfe tcam errors tcam-stage pre-ingress app vpls-mesh-group-ucast detail
show pfe tcam errors tcam-stage pre-ingress app vpls-mesh-group-ucast
list-related-apps
show pfe tcam errors tcam-stage pre-ingress app vpls-mesh-group-ucast
list-shared-apps
show pfe tcam errors tcam-stage pre-ingress app vpls-mesh-group-ucast
shared-usage
show pfe tcam errors tcam-stage pre-ingress app vpls-mesh-group-ucast
shared-usage detail
show pfe tcam usage app fw-inet-rpf
<get-pfe-tcam-usage-app-fw-inet-rpf>
show pfe tcam usage app fw-inet-rpf detail
show pfe tcam usage app fw-inet-rpf list-related-apps
show pfe tcam usage app fw-inet-rpf list-shared-apps
show pfe tcam usage app fw-inet-rpf shared-usage
show pfe tcam usage app fw-inet-rpf shared-usage detail
show pfe tcam usage app fw-inet6-rpf
<get-pfe-tcam-usage-app-fw-inet6-rpf>
show pfe tcam usage app fw-inet6-rpf detail
show pfe tcam usage app fw-inet6-rpf list-related-apps
show pfe tcam usage app fw-inet6-rpf list-shared-apps
show pfe tcam usage app fw-inet6-rpf shared-usage
show pfe tcam usage app fw-inet6-rpf shared-usage detail
show pfe tcam usage app gr-ifl-stats-egr
Copyright © 2017, Juniper Networks, Inc.
347
User Access and Authentication Feature Guide for Routing Devices
<get-pfe-tcam-usage-app-gr-ifl-statistics-egr>
show pfe tcam usage app gr-ifl-stats-egr detail
show pfe tcam usage app gr-ifl-stats-egr list-related-apps
show pfe tcam usage app gr-ifl-stats-egr list-shared-apps
show pfe tcam usage app gr-ifl-stats-egr shared-usage
show pfe tcam usage app gr-ifl-stats-egr shared-usage detail
show pfe tcam usage app gr-ifl-stats-ing
<get-pfe-tcam-usage-app-gr-ifl-statistics-ing>
show pfe tcam usage app gr-ifl-stats-ing detail
show pfe tcam usage app gr-ifl-stats-ing list-related-apps
show pfe tcam usage app gr-ifl-stats-ing list-shared-apps
show pfe tcam usage app gr-ifl-stats-ing shared-usage
show pfe tcam usage app gr-ifl-stats-ing shared-usage detail
show pfe tcam usage app gr-ifl-stats-preing
<get-pfe-tcam-usage-app-gr-ifl-statistics-preing>
show pfe tcam usage app gr-ifl-stats-preing detail
show pfe tcam usage app gr-ifl-stats-preing list-related-apps
show pfe tcam usage app gr-ifl-stats-preing list-shared-apps
show pfe tcam usage app gr-ifl-stats-preing shared-usage
show pfe tcam usage app gr-ifl-stats-preing shared-usage detail
show pfe tcam usage app ing-out-iff
<get-pfe-tcam-usage-app-ing-out-iff>
show pfe tcam usage app ing-out-iff detail
show pfe tcam usage app ing-out-iff list-related-apps
show pfe tcam usage app ing-out-iff list-shared-apps
show pfe tcam usage app ing-out-iff shared-usage
show pfe tcam usage app ing-out-iff shared-usage detail
show pfe tcam usage app vpls-mesh-group-mcast
<get-upper-level-xml-name-vpls-mesh-group-mcast>
show pfe tcam usage app vpls-mesh-group-mcast detail
show pfe tcam usage app vpls-mesh-group-mcast list-related-apps
show pfe tcam usage app vpls-mesh-group-mcast list-shared-apps
show pfe tcam usage app vpls-mesh-group-mcast shared-usage
show pfe tcam usage app vpls-mesh-group-mcast shared-usage detail
show pfe tcam usage app vpls-mesh-group-ucast
<get-upper-level-xml-name-vpls-mesh-group-ucast>
show pfe tcam usage app vpls-mesh-group-ucast detail
show pfe tcam usage app vpls-mesh-group-ucast list-related-apps
show pfe tcam usage app vpls-mesh-group-ucast list-shared-apps
show pfe tcam usage app vpls-mesh-group-ucast shared-usage
show pfe tcam usage app vpls-mesh-group-ucast shared-usage detail
show pfe tcam usage tcam-stage egress app rfc2544-layer2-out shared-usage
detail
show pfe tcam usage tcam-stage egress detail
get-pfe-tcam-usage-egress-tcam-stage-detail
show pfe tcam usage tcam-stage ingress
<get-pfe-tcam-usage-ingress-tcam-stage>
show pfe tcam usage tcam-stage ingress app
<get-pfe-tcam-usage-ingress-app>
show pfe tcam usage tcam-stage ingress app cfm-bd-filter
<get-pfe-tcam-usage-ingress-app-cfm-bd-filter>
show pfe tcam usage tcam-stage ingress app cfm-bd-filter detail
show pfe tcam usage tcam-stage ingress app cfm-bd-filter list-related-apps
show pfe tcam usage tcam-stage ingress app cfm-bd-filter list-shared-apps
show pfe tcam usage tcam-stage ingress app cfm-bd-filter shared-usage
show pfe tcam usage tcam-stage ingress app cfm-bd-filter shared-usage detail
show pfe tcam usage tcam-stage ingress app cfm-filter
<get-pfe-tcam-usage-ingress-app-cfm-filter>
show pfe tcam usage tcam-stage ingress app cfm-filter detail
show pfe tcam usage tcam-stage ingress app cfm-filter list-related-apps
show pfe tcam usage tcam-stage ingress app cfm-filter list-shared-apps
348
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
show pfe tcam usage tcam-stage ingress app cfm-filter shared-usage
show pfe tcam usage tcam-stage ingress app cfm-filter shared-usage detail
show pfe tcam usage tcam-stage ingress app cfm-vpls-filter
<get-pfe-tcam-usage-ingress-app-cfm-vpls-filter>
show pfe tcam usage tcam-stage ingress app cfm-vpls-filter detail
show pfe tcam usage tcam-stage ingress app cfm-vpls-filter list-related-apps
show pfe tcam usage tcam-stage ingress app cfm-vpls-filter list-shared-apps
show pfe tcam usage tcam-stage ingress app cfm-vpls-filter shared-usage
show pfe tcam usage tcam-stage ingress app cfm-vpls-filter shared-usage detail
show pfe tcam usage tcam-stage ingress app cfm-vpls-ifl-filter
<get-pfe-tcam-usage-ingress-app-cfm-vpls-ifl-filter>
show pfe tcam usage tcam-stage ingress app cfm-vpls-ifl-filter detail
show pfe tcam usage tcam-stage ingress app cfm-vpls-ifl-filter list-related-apps
show pfe tcam usage tcam-stage ingress app cfm-vpls-ifl-filter list-shared-apps
show pfe tcam usage tcam-stage ingress app cfm-vpls-ifl-filter shared-usage
show pfe tcam usage tcam-stage ingress app cfm-vpls-ifl-filter shared-usage
detail
show pfe tcam usage tcam-stage ingress app fw-ccc-in
<get-pfe-tcam-usage-ingress-app-fw-ccc-in>
show pfe tcam usage tcam-stage ingress app fw-ccc-in detail
show pfe tcam usage tcam-stage ingress app fw-ccc-in list-related-apps
show pfe tcam usage tcam-stage ingress app fw-ccc-in list-shared-apps
show pfe tcam usage tcam-stage ingress app fw-ccc-in shared-usage
show pfe tcam usage tcam-stage ingress app fw-ccc-in shared-usage detail
show pfe tcam usage tcam-stage ingress app fw-ifl-in
<get-pfe-tcam-usage-ingress-app-fw-ifl-in>
show pfe tcam usage tcam-stage ingress app fw-ifl-in detail
show pfe tcam usage tcam-stage ingress app fw-ifl-in list-related-apps
show pfe tcam usage tcam-stage ingress app fw-ifl-in list-shared-apps
show pfe tcam usage tcam-stage ingress app fw-ifl-in shared-usage
show pfe tcam usage tcam-stage ingress app fw-ifl-in shared-usage detail
show pfe tcam usage tcam-stage ingress app fw-inet-ftf
<get-pfe-tcam-usage-ingress-app-fw-inet-ftf>
show pfe tcam usage tcam-stage ingress app fw-inet-ftf detail
show pfe tcam usage tcam-stage ingress app fw-inet-ftf list-related-apps
show pfe tcam usage tcam-stage ingress app fw-inet-ftf list-shared-apps
show pfe tcam usage tcam-stage ingress app fw-inet-ftf shared-usage
show pfe tcam usage tcam-stage ingress app fw-inet-ftf shared-usage detail
show pfe tcam usage tcam-stage ingress app fw-inet-in
<get-pfe-tcam-usage-ingress-app-fw-inet-in>
show pfe tcam usage tcam-stage ingress app fw-inet-in detail
show pfe tcam usage tcam-stage ingress app fw-inet-in list-related-apps
show pfe tcam usage tcam-stage ingress app fw-inet-in list-shared-apps
show pfe tcam usage tcam-stage ingress app fw-inet-in shared-usage
show pfe tcam usage tcam-stage ingress app fw-inet-in shared-usage detail
show pfe tcam usage tcam-stage ingress app fw-inet-pm
<get-pfe-tcam-usage-ingress-app-fw-inet-pm>
show pfe tcam usage tcam-stage ingress app fw-inet-pm detail
show pfe tcam usage tcam-stage ingress app fw-inet-pm list-related-apps
show pfe tcam usage tcam-stage ingress app fw-inet-pm list-shared-apps
show pfe tcam usage tcam-stage ingress app fw-inet-pm shared-usage
show pfe tcam usage tcam-stage ingress app fw-inet-pm shared-usage detail
show pfe tcam usage tcam-stage ingress app fw-inet-rpf
<get-pfe-tcam-usage-ingress-app-fw-inet-rpf>
show pfe tcam usage tcam-stage ingress app fw-inet-rpf detail
show pfe tcam usage tcam-stage ingress app fw-inet-rpf list-related-apps
show pfe tcam usage tcam-stage ingress app fw-inet-rpf list-shared-apps
show pfe tcam usage tcam-stage ingress app fw-inet-rpf shared-usage
show pfe tcam usage tcam-stage ingress app fw-inet-rpf shared-usage detail
show pfe tcam usage tcam-stage ingress app fw-inet6-ftf
<get-pfe-tcam-usage-ingress-app-fw-inet6-ftf>
Copyright © 2017, Juniper Networks, Inc.
349
User Access and Authentication Feature Guide for Routing Devices
show pfe tcam usage tcam-stage ingress app fw-inet6-ftf detail
show pfe tcam usage tcam-stage ingress app fw-inet6-ftf list-related-apps
show pfe tcam usage tcam-stage ingress app fw-inet6-ftf list-shared-apps
show pfe tcam usage tcam-stage ingress app fw-inet6-ftf shared-usage
show pfe tcam usage tcam-stage ingress app fw-inet6-ftf shared-usage detail
show pfe tcam usage tcam-stage ingress app fw-inet6-in
<get-pfe-tcam-usage-ingress-app-fw-inet6-in>
show pfe tcam usage tcam-stage ingress app fw-inet6-in detail
show pfe tcam usage tcam-stage ingress app fw-inet6-in list-related-apps
show pfe tcam usage tcam-stage ingress app fw-inet6-in list-shared-apps
show pfe tcam usage tcam-stage ingress app fw-inet6-in shared-usage
show pfe tcam usage tcam-stage ingress app fw-inet6-in shared-usage detail
show pfe tcam usage tcam-stage ingress app fw-inet6-rpf
<get-pfe-tcam-usage-ingress-app-fw-inet6-rpf>
show pfe tcam usage tcam-stage ingress app fw-inet6-rpf detail
show pfe tcam usage tcam-stage ingress app fw-inet6-rpf list-related-apps
show pfe tcam usage tcam-stage ingress app fw-inet6-rpf list-shared-apps
show pfe tcam usage tcam-stage ingress app fw-inet6-rpf shared-usage
show pfe tcam usage tcam-stage ingress app fw-inet6-rpf shared-usage detail
show pfe tcam usage tcam-stage ingress app fw-l2-in
<get-pfe-tcam-usage-ingress-app-fw-l2-in>
show pfe tcam usage tcam-stage ingress app fw-l2-in detail
show pfe tcam usage tcam-stage ingress app fw-l2-in list-related-apps
show pfe tcam usage tcam-stage ingress app fw-l2-in list-shared-apps
show pfe tcam usage tcam-stage ingress app fw-l2-in shared-usage
show pfe tcam usage tcam-stage ingress app fw-l2-in shared-usage detail
show pfe tcam usage tcam-stage ingress app fw-mpls-in
<get-pfe-tcam-usage-ingress-app-fw-mpls-in>
show pfe tcam usage tcam-stage ingress app fw-mpls-in detail
show pfe tcam usage tcam-stage ingress app fw-mpls-in list-related-apps
show pfe tcam usage tcam-stage ingress app fw-mpls-in list-shared-apps
show pfe tcam usage tcam-stage ingress app fw-mpls-in shared-usage
show pfe tcam usage tcam-stage ingress app fw-mpls-in shared-usage detail
show pfe tcam usage tcam-stage ingress app fw-vpls-in
<get-pfe-tcam-usage-ingress-app-fw-vpls-in>
show pfe tcam usage tcam-stage ingress app fw-vpls-in detail
show pfe tcam usage tcam-stage ingress app fw-vpls-in list-related-apps
show pfe tcam usage tcam-stage ingress app fw-vpls-in list-shared-apps
show pfe tcam usage tcam-stage ingress app fw-vpls-in shared-usage
show pfe tcam usage tcam-stage ingress app fw-vpls-in shared-usage detail
show pfe tcam usage tcam-stage ingress app gr-ifl-stats-egr
<get-pfe-tcam-usage-ingress-app-gr-ifl-statistics-egr>
show pfe tcam usage tcam-stage ingress app gr-ifl-stats-egr detail
show pfe tcam usage tcam-stage ingress app gr-ifl-stats-egr list-related-apps
show pfe tcam usage tcam-stage ingress app gr-ifl-stats-egr list-shared-apps
show pfe tcam usage tcam-stage ingress app gr-ifl-stats-egr shared-usage
show pfe tcam usage tcam-stage ingress app gr-ifl-stats-egr shared-usage detail
show pfe tcam usage tcam-stage ingress app gr-ifl-stats-ing
<get-pfe-tcam-usage-ingress-app-gr-ifl-statistics-ing>
show pfe tcam usage tcam-stage ingress app gr-ifl-stats-ing detail
show pfe tcam usage tcam-stage ingress app gr-ifl-stats-ing list-related-apps
show pfe tcam usage tcam-stage ingress app gr-ifl-stats-ing list-shared-apps
show pfe tcam usage tcam-stage ingress app gr-ifl-stats-ing shared-usage
show pfe tcam usage tcam-stage ingress app gr-ifl-stats-ing shared-usage detail
show pfe tcam usage tcam-stage ingress app gr-ifl-stats-preing
<get-pfe-tcam-usage-ingress-app-gr-ifl-statistics-preing>
show pfe tcam usage tcam-stage ingress app gr-ifl-stats-preing detail
show pfe tcam usage tcam-stage ingress app gr-ifl-stats-preing list-related-apps
show pfe tcam usage tcam-stage ingress app gr-ifl-stats-preing list-shared-apps
show pfe tcam usage tcam-stage ingress app gr-ifl-stats-preing shared-usage
show pfe tcam usage tcam-stage ingress app gr-ifl-stats-preing shared-usage
350
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
detail
show pfe tcam usage tcam-stage ingress app ifl-statistics-in
<get-pfe-tcam-usage-ingress-app-ifl-statistics-in>
show pfe tcam usage tcam-stage ingress app ifl-statistics-in detail
show pfe tcam usage tcam-stage ingress app ifl-statistics-in list-related-apps
show pfe tcam usage tcam-stage ingress app ifl-statistics-in list-shared-apps
show pfe tcam usage tcam-stage ingress app ifl-statistics-in shared-usage
show pfe tcam usage tcam-stage ingress app ifl-statistics-in shared-usage
detail
show pfe tcam usage tcam-stage ingress app ipsec-reverse-fil
<get-pfe-tcam-usage-ingress-app-ipsec-reverse-fil>
show pfe tcam usage tcam-stage ingress app ipsec-reverse-fil detail
show pfe tcam usage tcam-stage ingress app ipsec-reverse-fil list-related-apps
show pfe tcam usage tcam-stage ingress app ipsec-reverse-fil list-shared-apps
show pfe tcam usage tcam-stage ingress app ipsec-reverse-fil shared-usage
show pfe tcam usage tcam-stage ingress app ipsec-reverse-fil shared-usage
detail
show pfe tcam usage tcam-stage ingress app irb-fixed-cos
<get-pfe-tcam-usage-ingress-app-irb-fixed-cos>
show pfe tcam usage tcam-stage ingress app irb-fixed-cos detail
show pfe tcam usage tcam-stage ingress app irb-fixed-cos list-related-apps
show pfe tcam usage tcam-stage ingress app irb-fixed-cos list-shared-apps
show pfe tcam usage tcam-stage ingress app irb-fixed-cos shared-usage
show pfe tcam usage tcam-stage ingress app irb-fixed-cos shared-usage detail
show pfe tcam usage tcam-stage ingress app irb-inet6-fil
<get-pfe-tcam-usage-ingress-app-irb-inet6-fil>
show pfe tcam usage tcam-stage ingress app irb-inet6-fil detail
show pfe tcam usage tcam-stage ingress app irb-inet6-fil list-related-apps
show pfe tcam usage tcam-stage ingress app irb-inet6-fil list-shared-apps
show pfe tcam usage tcam-stage ingress app irb-inet6-fil shared-usage
show pfe tcam usage tcam-stage ingress app irb-inet6-fil shared-usage detail
show pfe tcam usage tcam-stage ingress app lfm-802.3ah-in
<get-pfe-tcam-usage-ingress-app-lfm-802.3ah-in>
show pfe tcam usage tcam-stage ingress app lfm-802.3ah-in detail
show pfe tcam usage tcam-stage ingress app lfm-802.3ah-in list-related-apps
show pfe tcam usage tcam-stage ingress app lfm-802.3ah-in list-shared-apps
show pfe tcam usage tcam-stage ingress app lfm-802.3ah-in shared-usage
show pfe tcam usage tcam-stage ingress app lfm-802.3ah-in shared-usage detail
show pfe tcam usage tcam-stage ingress app lo0-inet-fil
<get-pfe-tcam-usage-ingress-app-lo0-inet-fil>
show pfe tcam usage tcam-stage ingress app lo0-inet-fil detail
show pfe tcam usage tcam-stage ingress app lo0-inet-fil list-related-apps
show pfe tcam usage tcam-stage ingress app lo0-inet-fil list-shared-apps
show pfe tcam usage tcam-stage ingress app lo0-inet-fil shared-usage
show pfe tcam usage tcam-stage ingress app lo0-inet-fil shared-usage detail
show pfe tcam usage tcam-stage ingress app lo0-inet6-fil
<get-pfe-tcam-usage-ingress-app-lo0-inet6-fil>
show pfe tcam usage tcam-stage ingress app lo0-inet6-fil detail
show pfe tcam usage tcam-stage ingress app lo0-inet6-fil list-related-apps
show pfe tcam usage tcam-stage ingress app lo0-inet6-fil list-shared-apps
show pfe tcam usage tcam-stage ingress app lo0-inet6-fil list-shared-apps
show pfe tcam usage tcam-stage ingress app lo0-inet6-fil shared-usage
show pfe tcam usage tcam-stage ingress app lo0-inet6-fil shared-usage detail
show pfe tcam usage tcam-stage ingress app mac-drop-cnt
<get-pfe-tcam-usage-ingress-app-mac-drop-cnt>
show pfe tcam usage tcam-stage ingress app mac-drop-cnt detail
show pfe tcam usage tcam-stage ingress app mac-drop-cnt list-related-apps
show pfe tcam usage tcam-stage ingress app mac-drop-cnt list-shared-apps
show pfe tcam usage tcam-stage ingress app mac-drop-cnt shared-usage
show pfe tcam usage tcam-stage ingress app mac-drop-cnt shared-usage detail
<get-pfe-tcam-usage-ingress-app-mrouter-port-in>
Copyright © 2017, Juniper Networks, Inc.
351
User Access and Authentication Feature Guide for Routing Devices
show pfe tcam usage tcam-stage ingress app mrouter-port-in detail
show pfe tcam usage tcam-stage ingress app mrouter-port-in list-related-apps
show pfe tcam usage tcam-stage ingress app mrouter-port-in list-shared-apps
show pfe tcam usage tcam-stage ingress app mrouter-port-in shared-usage
show pfe tcam usage tcam-stage ingress app mrouter-port-in shared-usage detail
show pfe tcam usage tcam-stage ingress app napt-reverse-fil
<get-pfe-tcam-usage-ingress-app-napt-reverse-fil>
show pfe tcam usage tcam-stage ingress app napt-reverse-fil detail
show pfe tcam usage tcam-stage ingress app napt-reverse-fil list-related-apps
show pfe tcam usage tcam-stage ingress app napt-reverse-fil list-shared-apps
show pfe tcam usage tcam-stage ingress app napt-reverse-fil shared-usage
show pfe tcam usage tcam-stage ingress app napt-reverse-fil shared-usage detail
show pfe tcam usage tcam-stage ingress app no-local-switching
<get-pfe-tcam-usage-ingress-app-no-local-switching>
show pfe tcam usage tcam-stage ingress app no-local-switching detail
show pfe tcam usage tcam-stage ingress app no-local-switching list-related-apps
show pfe tcam usage tcam-stage ingress app no-local-switching list-shared-apps
show pfe tcam usage tcam-stage ingress app no-local-switching shared-usage
show pfe tcam usage tcam-stage ingress app no-local-switching shared-usage
detail
show pfe tcam usage tcam-stage ingress detail
<get-pfe-tcam-usage-ingress-tcam-stage-detail>
show pfe tcam usage tcam-stage pre-ingress
<get-pfe-tcam-usage-pre-ingress-tcam-stage>
show pfe tcam usage tcam-stage pre-ingress app
<get-pfe-tcam-usage-pre-ingress-app>
show pfe tcam usage tcam-stage pre-ingress app cos-fc
<get-pfe-tcam-usage-pre-ingress-app-cos-fc>
show pfe tcam usage tcam-stage pre-ingress app cos-fc detail
show pfe tcam usage tcam-stage pre-ingress app cos-fc list-related-apps
show pfe tcam usage tcam-stage pre-ingress app cos-fc list-shared-apps
show pfe tcam usage tcam-stage pre-ingress app cos-fc shared-usage
show pfe tcam usage tcam-stage pre-ingress app cos-fc shared-usage detail
show pfe tcam usage tcam-stage pre-ingress app fw-fbf
<get-pfe-tcam-usage-pre-ingress-app-fw-fbf>
show pfe tcam usage tcam-stage pre-ingress app fw-fbf detail
show pfe tcam usage tcam-stage pre-ingress app fw-fbf list-related-apps
show pfe tcam usage tcam-stage pre-ingress app fw-fbf list-shared-apps
show pfe tcam usage tcam-stage pre-ingress app fw-fbf shared-usage
show pfe tcam usage tcam-stage pre-ingress app fw-fbf shared-usage detail
show pfe tcam usage tcam-stage pre-ingress app fw-fbf-inet6
<get-pfe-tcam-usage-pre-ingress-app-fw-fbf-inet6>
show pfe tcam usage tcam-stage pre-ingress app fw-fbf-inet6 detail
show pfe tcam usage tcam-stage pre-ingress app fw-fbf-inet6 list-related-apps
show pfe tcam usage tcam-stage pre-ingress app fw-fbf-inet6 list-shared-apps
show pfe tcam usage tcam-stage pre-ingress app fw-fbf-inet6 shared-usage
show pfe tcam usage tcam-stage pre-ingress app fw-fbf-inet6 shared-usage detail
show pfe tcam usage tcam-stage pre-ingress app fw-semantics
<get-pfe-tcam-usage-pre-ingress-app-fw-semantics>
show pfe tcam usage tcam-stage pre-ingress app fw-semantics detail
show pfe tcam usage tcam-stage pre-ingress app fw-semantics list-related-apps
show pfe tcam usage tcam-stage pre-ingress app fw-semantics list-shared-apps
show pfe tcam usage tcam-stage pre-ingress app fw-semantics shared-usage
show pfe tcam usage tcam-stage pre-ingress app fw-semantics shared-usage detail
show pfe tcam usage tcam-stage pre-ingress app ifd-src-mac-fil
<get-pfe-tcam-usage-pre-ingress-app-ifd-src-mac-fil>
show pfe tcam usage tcam-stage pre-ingress app ifd-src-mac-fil detail
show pfe tcam usage tcam-stage pre-ingress app ifd-src-mac-fil list-shared-apps
show pfe tcam usage tcam-stage pre-ingress app ifd-src-mac-fil shared-usage
show pfe tcam usage tcam-stage pre-ingress app ifd-src-mac-fil shared-usage
detail
352
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
show pfe tcam usage tcam-stage pre-ingress app ing-out-iff
<get-pfe-tcam-usage-pre-ingress-app-ing-out-iff>
show pfe tcam usage tcam-stage pre-ingress app ing-out-iff detail
show pfe tcam usage tcam-stage pre-ingress app ing-out-iff list-related-apps
show pfe tcam usage tcam-stage pre-ingress app ing-out-iff list-shared-apps
show pfe tcam usage tcam-stage pre-ingress app ing-out-iff shared-usage
show pfe tcam usage tcam-stage pre-ingress app ing-out-iff shared-usage detail
show pfe tcam usage tcam-stage pre-ingress app ip-mac-val
<get-pfe-tcam-usage-pre-ingress-app-ip-mac-val>
show pfe tcam usage tcam-stage pre-ingress app ip-mac-val detail
show pfe tcam usage tcam-stage pre-ingress app ip-mac-val list-related-apps
show pfe tcam usage tcam-stage pre-ingress app ip-mac-val list-shared-apps
show pfe tcam usage tcam-stage pre-ingress app ip-mac-val shared-usage
show pfe tcam usage tcam-stage pre-ingress app ip-mac-val shared-usage detail
show pfe tcam usage tcam-stage pre-ingress app ip-mac-val-bcast
<get-pfe-tcam-usage-pre-ingress-app-ip-mac-val-bcast>
show pfe tcam usage tcam-stage pre-ingress app ip-mac-val-bcast detail
show pfe tcam usage tcam-stage pre-ingress app ip-mac-val-bcast
list-related-apps
show pfe tcam usage tcam-stage pre-ingress app ip-mac-val-bcast list-shared-apps
show pfe tcam usage tcam-stage pre-ingress app ip-mac-val-bcast shared-usage
show pfe tcam usage tcam-stage pre-ingress app ip-mac-val-bcast shared-usage
detail
show pfe tcam usage tcam-stage pre-ingress app rfc2544-layer2-in
<get-pfe-tcam-usage-pre-ingress-app-rfc2544-layer2-in>
show pfe tcam usage tcam-stage pre-ingress app rfc2544-layer2-in detail
show pfe tcam usage tcam-stage pre-ingress app rfc2544-layer2-in
list-related-apps
show pfe tcam usage tcam-stage pre-ingress app rfc2544-layer2-in
list-shared-apps
show pfe tcam usage tcam-stage pre-ingress app rfc2544-layer2-in shared-usage
show pfe tcam usage tcam-stage pre-ingress app rfc2544-layer2-in shared-usage
detail
show pfe tcam usage tcam-stage pre-ingress app vpls-mesh-group-mcast
<get-upper-level-xml-name-vpls-mesh-group-mcast>
show pfe tcam usage tcam-stage pre-ingress app vpls-mesh-group-mcast detail
show pfe tcam usage tcam-stage pre-ingress app vpls-mesh-group-mcast
list-related-apps
show pfe tcam usage tcam-stage pre-ingress app vpls-mesh-group-mcast
list-shared-apps
show pfe tcam usage tcam-stage pre-ingress app vpls-mesh-group-mcast
shared-usage
show pfe tcam usage tcam-stage pre-ingress app vpls-mesh-group-mcast
shared-usage detail
show pfe tcam usage tcam-stage pre-ingress app vpls-mesh-group-ucast
<get-upper-level-xml-name-vpls-mesh-group-ucast>
show pfe tcam usage tcam-stage pre-ingress app vpls-mesh-group-ucast detail
show pfe tcam usage tcam-stage pre-ingress app vpls-mesh-group-ucast
list-related-apps
show pfe tcam usage tcam-stage pre-ingress app vpls-mesh-group-ucast
list-shared-apps
show pfe tcam usage tcam-stage pre-ingress app vpls-mesh-group-ucast
shared-usage
show pfe tcam usage tcam-stage pre-ingress app vpls-mesh-group-ucast
shared-usage detail
show pfe tcam usage tcam-stage pre-ingress detail
<get-pfe-tcam-usage-pre-ingress-tcam-stage-detail>
show pfe terse
<get-pfe-information>
show pfe version brief
Copyright © 2017, Juniper Networks, Inc.
353
User Access and Authentication Feature Guide for Routing Devices
show pfe version detail
show pgm
show pgm negative-acknowledgments
<get-pgm-nak>
show pgm source-path-messages
<get-pgm-source-path-messages>
show pgm statistics
<get-pgm-statistics>
show pim
show pim bidirectional
show pim bidirectional df-election
<get-pim-bidir-df-election-information>
show pim bidirectional df-election interface
<get-pim-bidir-df-election-interface-information>
show pim bootstrap
<get-pim-bootstrap-information>
show pim interfaces
<get-pim-interfaces-information>
show pim join
<get-pim-join-information>
show pim mdt
<get-pim-mdt-information>
show pim mdt data-mdt-joins
<get-pim-data-mdt-join-information>
show pim mvpn
<get-pim-mvpn-information>
show pim neighbors
<get-pim-neighbors-information>
show pim rps
<get-pim-rps-information>
show pim snooping
show pim snooping interfaces
show pim snooping join
show pim snooping neighbors
show pim snooping statistics
show pim source
<get-pim-source-information>
show pim statistics
<get-pim-statistics-information>
show
show
show
show
show
policy
policy conditions
policy damping
ppp
ppp address-pool
<get-ppp-address-pool-information>
show ppp interface
<get-ppp-interface-information>
show ppp statistics
354
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
<get-ppp-statistics-information>
show ppp summary
<get-ppp-summary-information>
show pppoe
show pppoe interfaces
<get-pppoe-interface-information>
show pppoe lockout
<get-pppoe-lockout-information>
show pppoe lockout atm-identifier
<get-pppoe-lockout-atm-information>
show pppoe lockout vlan-identifier
<get-pppoe-lockout-vlan-information>
show pppoe service-name-tables
<get-pppoe-service-name-table-information>
show pppoe statistics
<get-pppoe-statistics-information>
show pppoe underlying-interfaces
<get-pppoe-underlying-interface-information>
show pppoe version
<get-pppoe-version>
show programmable-rpd
show programmable-rpd clients
<get-programmable-rpd-client-information>
show protection-group
show protection-group ethernet-aps
<show-protection-group-ethernet-aps>
show protection-group ethernet-ring
show protection-group ethernet-ring aps
<get-raps-pdu-information>
show protection-group ethernet-ring data-channel
<get-ring-data-channel-information>
show protection-group ethernet-ring interface
<get-ring-interface-information>
show protection-group ethernet-ring node-state
<get-raps-state-machine-information>
show protection-group ethernet-ring node-state
show protection-group ethernet-ring statistics
<get-ring-tatistics>
show protection-group ethernet-ring vlan
<get-ring-vlan-information>
show ptp
show ptp clock
get-ptp-clock>
show ptp global-information
get-ptp-global-information>
show ptp hybrid
show ptp hybrid config
<get-ptp-hybrid-mapping>
show ptp hybrid status
<get-ptp-hybrid-status>
show ptp last-tod-update
<get-last-tod-update>
show ptp lock-status
get-ptp-lock-status>
Copyright © 2017, Juniper Networks, Inc.
355
User Access and Authentication Feature Guide for Routing Devices
show ptp master
<get-ptp-master>
show ptp path-trace
<get-ptp-path-trace>
show ptp port
<get-ptp-port>
show ptp quality-level-mapping
<get-ptp-quality-level-mapping>
show ptp slave
<get-ptp-slave>
show ptp stateful
<get-ptp-stateful>
show ptp statistics
<get-ptp-statistics>
show r2cp
show r2cp interfaces
<get-r2cp-interface-information>
show r2cp radio
<get-r2cp-radio-information>
show r2cp sessions
<get-r2cp-session-information>
show r2cp statistics
<get-r2cp-statistics>
show redundant-power-system
show redundant-power-system led
show redundant-power-system multi-backup
<get-rps-scale-information>
show redundant-power-system network
<get-rps-network-information>
show redundant-power-system power-supply
show redundant-power-system status
show redundant-power-system upgrade
<get-rps-upgrade-information>
show redundant-power-system version
show rip
show rip general-statistics
<get-rip-general-statistics-information>
show rip neighbor
<get-rip-neighbor-information>
show rip statistics
<get-rip-statistics-information>
show rip statistics peer
<get-rip-peer-information>
show ripng
show ripng general-statistics
<get-ripng-general-statistics-information>
show ripng neighbor
<get-ripng-neighbor-information>
show ripng statistics
<get-ripng-statistics-information>
show route
<get-route-information>
show route cumulative
<get-route-cumulative>
show route export
<get-rtexport-table-information>
356
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
show route export instance
<get-rtexport-instance-information>
show route localization
<get-fib-localization-information>
show route export vrf-target
<get-rtexport-target-information>
show route flow
show route flow validation
<get-rtflow-dep-information>
show route forwarding-table
<get-forwarding-table-information>
show route instance
<get-instance-information>
show route instance operational
<get-operational-routing-instance-information>
show route martians
<get-route-martians>
show route resolution
<get-route-resolution-information>
show route resolution summary
<get-route-resolution-summary>
show route resolution unresolved
show route rib-groups
<get-route-rib-groups>
show route snooping
<get-route-snooping-information>
show route snooping summary
<get-route-snooping-summary>
show route summary
<get-route-summary-information>
show rsvp
show rsvp interface
<get-rsvp-interface-information>
show rsvp neighbor
<get-rsvp-neighbor-information>
show rsvp route-session-id
<get-rsvp-route-session-id-information>
show rsvp session
<get-rsvp-session-information>
show rsvp statistics
<get-rsvp-statistics-information>
show rsvp version
<get-rsvp-version-information>
show sap
show sap listen
<get-sap-listen-information>
show security group-vpn member kek
Copyright © 2017, Juniper Networks, Inc.
357
User Access and Authentication Feature Guide for Routing Devices
show security group-vpn member kek security-associations
<get-gvpn-kek-security-associations-information>
show services
show services accounting
<get-service-accounting-information>
show services accounting aggregation
<get-service-accounting-aggregation-information>
show services accounting aggregation as
<get-service-accounting-aggregation-as-information>
show services accounting aggregation destination-prefix
<get-service-accounting-aggregation-destination-prefix-information>
show services accounting aggregation protocol-port
<get-service-accounting-aggregation-protocol-port-information>
show services accounting aggregation source-destination-prefix
<get-service-accounting-aggregation-source-destination-prefix-information>
show services accounting aggregation source-prefix
<get-service-accounting-aggregation-source-prefix-information>
show services accounting aggregation template
<get-service-accounting-aggregation-template-information>
show services accounting errors
<get-service-accounting-errors-information>
show services accounting flow
<get-service-accounting-flow-information>
show services accounting flow-detail
<get-service-accounting-flow-detail>
show services accounting memory
<get-service-accounting-memory-information>
show services accounting packet-size-distribution
<get-packet-distribution-information>
show services accounting status
<get-service-accounting-status-information>
show services accounting usage
<get-service-accounting-usage-information>
show services alg
show services alg conversations
<get-service-msp-alg-conversation-information>
show services alg sip-globals
<get-service-msp-alg-sip-globals-information>
show services alg statistics
show services application-aware-access-list
show services application-aware-access-list flows
show services application-aware-access-list flows interface
<get-application-aware-access-list-flows-interface>
show services application-aware-access-list flows subscriber
<get-application-aware-access-list-flows-subscriber>
358
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
show services application-aware-access-list statistics
show services application-aware-access-list statistics interface
<get-application-aware-access-list-statistics-interface>
show services application-aware-access-list statistics subscriber
<get-application-aware-access-list-statistics-subscriber>
show services application-identification
show services application-identification application
show services application-identification application detail
<get-appid-application-signature-detail>
show services application-identification application summary
<get-appid-application-signature-summary>
show services application-identification application-system-cache
<get-appid-application-system-cache>
show services application-identification
<get-appid-counter>
show services application-identification
<get-appid-counter-encrypted>
show services application-identification
show services application-identification
counter
counter ssl-encrypted-sessions
group
group detail
<get-appid-application-group-detail>
show services application-identification group summary
<get-appid-application-group-summary>
show services application-identification statistics
show services application-identification statistics application-groups
<get-appid-application-group-statistics>
show services application-identification statistics applications
<get-appid-application-statistics>
show services application-identification status
<get-appid-staus-information>
show services application-identification version
<get-appid-package-version>
show services border-signaling-gateway
show services border-signaling-gateway accounting
show services border-signaling-gateway accounting statistics
<get-service-border-signaling-gateway-charging-statistics>
show services border-signaling-gateway accounting status
<get-service-border-signaling-gateway-charging-status>
show services border-signaling-gateway admission-control
<get-service-border-signaling-gateway-statistics-admission-control>
show services border-signaling-gateway by-call-context-id
<get-service-bsg-information-by-call-context-id>
show services border-signaling-gateway by-contact
<get-service-border-signaling-gateway-information-by-contact>
show services border-signaling-gateway by-request-uri
<get-service-border-signaling-gateway-information-by-request-uri>
show services border-signaling-gateway calls
<get-service-border-signaling-gateway-statistics-calls>
show services border-signaling-gateway calls-duration
<get-service-border-signaling-gateway-calls-duration>
show services border-signaling-gateway calls-failed
Copyright © 2017, Juniper Networks, Inc.
359
User Access and Authentication Feature Guide for Routing Devices
how services border-signaling-gateway charging
show services border-signaling-gateway charging statistics
<get-service-border-signaling-gateway-charging-statistics>
show services border-signaling-gateway charging status
<get-service-border-signaling-gateway-charging-status>
show services border-signaling-gateway denied-messages
<get-service-bsg-denied-messages>
show services border-signaling-gateway embedded-spdf
<get-service-border-signaling-gateway-embedded-spdf>
show services border-signaling-gateway embedded-spdf status
<get-service-border-signaling-gateway-embedded-spdf-status>
show services border-signaling-gateway name-resolution-cache
show services border-signaling-gateway name-resolution-cache all
<get-service-border-signaling-gateway-name-resolution-cache-all>
show services border-signaling-gateway name-resolution-cache by-fqdn
<get-border-signaling-gateway-name-resolution-cache-by-fqdn>
show services border-signaling-gateway status
<get-service-bsg-status-information>
show services captive-portal-content-delivery
show services captive-portal-content-delivery pic
<get-cpcd-pic-information>
show services captive-portal-content-delivery profile
<get-cpcd-profile>
show services captive-portal-content-delivery rule
<get-cpcd-rule>
show services captive-portal-content-delivery ruleset
<get-cpcd-rule-set>
show services captive-portal-content-delivery sset
<get-cpcd-service-set>
show services captive-portal-content-delivery statistics
<get-cpcd-pic-statistics>
show services captive-portal-content-delivery statistics interface
show services capture
<get-service-capture>
show services cos
show services cos statistics
<get-service-cos-statistics-information>
show services cos statistics diffserv
<get-service-cos-diffserv-statistics>
show services cos statistics forwarding-class
<get-service-cos-forwarding-class-statistics>
show services crtp
<get-service-crtp-params-information>
show services crtp extensive
<get-service-crtp-extensive-information>
show services crtp flows
<get-service-crtp-flow-table-information>
show services dynamic-flow-capture
show services dynamic-flow-capture content-destination
<get-services-dynamic-flow-capture-content-destination-information>
360
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
show services dynamic-flow-capture control-source
<get-services-dynamic-flow-capture-control-source-information>
show services dynamic-flow-capture statistics
<get-services-dfc-statistics-information>
show extension-service
show extension-service status
<jet-application-status>
show services fips
show system commit synchronize-server pending-jobs
<get-pending-commit-sync-jobs>
show services fips pic
show services fips pic status
<get-fips-pic-status-information>
show services flow-collector
<get-services-flow-collector-information>
show services flow-collector file
<get-services-flow-collector-file-information>
show services flow-collector input
<get-services-flow-collector-input-information>
show services flow-table
show services flow-table statistics
<get-flow-table-statistics-information>
show services flows
<get-service-msp-flow-table-information>
show services ggsn
show services ggsn diagnostics
show services ggsn diagnostics pdp
<get-pdp-diagnostics-per-apn>
show services ggsn statistics
<get-ggsn-statistics>
show services ggsn statistics apn
<get-ggsn-apn-statistics-information>
show services ggsn statistics charging
<get-ggsn-charging-statistics-information>
show services ggsn statistics gtp
<get-ggsn-gtp-statistics-information>
show services ggsn statistics gtp-prime
<get-ggsn-gtp-prime-statistics-information>
show services ggsn statistics imsi
<get-ggsn-imsi-user-information>
show services ggsn statistics l2tp-tunnel
<get-ggsn-l2tp-tunnel-statistics-information>
show services ggsn statistics msisdn
show services ggsn statistics radius
<get-ggsn-radius-statistics-information>
Copyright © 2017, Juniper Networks, Inc.
361
User Access and Authentication Feature Guide for Routing Devices
show services ggsn statistics sgsn
<get-ggsn-sgsn-statistics-information>
show services ggsn status
<get-ggsn-interface-information>
show services ggsn trace
show services ggsn trace all
<get-ggsn-trace>
show services ggsn trace imsi
<get-ggsn-imsi-trace>
show services ggsn trace msisdn
<get-ggsn-msisdn-trace>
show services ha
<get-service-ha-info>
show services hcm
show services hcm pic-statistics
<get-service-hcm-pic-statistics-information>
show services ids
show services ids destination-table
<get-service-ids-destination-table-information>
show services ids pair-table
<get-service-ids-pair-table-information>
show services ids source-table
<get-service-ids-source-table-information>
show services inline
show services inline ip-reassembly
show services inline ip-reassembly statistics
show services inline nat
show services inline nat mappings
show services inline nat mappings nptv6
<get-inline-nat-mapping-nptv6-information>
show services inline nat pool
<get-inline-nat-pool-information>
show services inline nat statistics
<get-inline-nat-statistics-information>
show services inline softwire
show services inline softwire statistics
<get-inline-service-sw-statistics-information>
show services inline stateful-firewall
show services inline stateful-firewall flows
<get-inline-sfw-flow-table-information>
show services inline stateful-firewall statistics
<get-inline-sfw-statistics-information>
show services ipsec-vpn
show services ipsec-vpn ike
show services ipsec-vpn ike security-associations
<get-ike-services-security-associations-information>
show services ipsec-vpn ike statistics
<get-ike-services-statistics>
show services ipsec-vpn ipsec
show services ipsec-vpn ipsec security-associations
<get-services-security-associations-information>
362
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
show services ipsec-vpn ipsec statistics
<get-services-ipsec-statistics-information>
show services l2tp
show services l2tp client
<get-l2tp-client-information>
show services l2tp destination
<get-l2tp-destination-information>
show services l2tp destination lockout
<get-services-l2tp-destination-lockout>
show services l2tp disconnect-cause-summary<
<get-l2tp-disconnect-cause-summary>
show services l2tp multilink
<get-l2tp-multilink-information>
show services l2tp radius
show services l2tp radius accounting
show services l2tp radius accounting servers
<get-services-l2tp-radius-accounting-servers-information>
show services l2tp radius accounting statistics
<get-services-l2tp-radius-accounting-statistics-information>
show services l2tp radius authentication
show services l2tp radius authentication servers
<get-services-l2tp-radius-authentication-servers-information>
show services l2tp radius authentication statistics
<get-services-l2tp-radius-authentication-statistics-information>
show services l2tp radius servers
<get-services-l2tp-radius-authentication-accounting-servers-information>
show services l2tp radius statistics
<get-services-l2tp-radius-authentication-accounting-statistics-information>
show services l2tp session
<get-l2tp-session-information>
show services l2tp session-limit-group
<get-l2tp-session-limit-group-information>
show services l2tp summary
<get-l2tp-summary-information>
show services l2tp tunnel
<get-l2tp-tunnel-information>
show services l2tp tunnel-group
<get-l2tp-tunnel-group-information>
show services l2tp user
<get-l2tp-user-information>
show services link-services
show services link-services cpu-usage
<get-link-services-cpu-usage>
show services local-policy-decision-function
show services local-policy-decision-function flows
show services local-policy-decision-function flows interface
<get-local-policy-decision-function-flows-interface>
show services local-policy-decision-function flows subscriber
<get-local-policy-decision-function-flows-subscriber>
Copyright © 2017, Juniper Networks, Inc.
363
User Access and Authentication Feature Guide for Routing Devices
show services local-policy-decision-function statistics
show services local-policy-decision-function statistics interface
<get-local-policy-decision-function-statistics-interface>
show services local-policy-decision-function statistics subscriber
<get-local-policy-decision-function-statistics-subscriber>
show services logging
show services logging history
show services logging history client
show services logging logfiles
show services match-policies
<get-services-match-policies>
show services mobile
show services mobile hcm
show services mobile hcm statistics
show services nat
show services nat ipv6-multicast-interfaces
<get-service-nat-ipv6-multicast-information>
show services nat deterministic-nat
show services nat deterministic-nat internal-host
show services nat deterministic-nat nat-port-block
show services nat mappings
<get-service-nat-mapping-address-pooling-paired>
show services nat mappings brief
<get-service-nat-mapping-brief>
show services nat mappings detail
show services nat mappings endpoint-independent
<get-service-nat-mapping-endpoint-independent>
show services nat mappings brief
<get-service-nat-mapping-brief>
show services nat mappings detail
<get-service-nat-mapping-detail>
show services nat mappings pcp
show services nat mappings summary
<get-service-nat-mapping-summary>
show services nat pool
<get-service-nat-pool-information>
show services pcp
show services pgcp
show services pgcp active-configuration
<get-pgcpd-active-configuration>
show services pgcp active-configuration gateway
<get-service-pgcp-active-configuration-gateway>
show services pgcp conversations
<get-service-pgcp-conversation-information>
show services pgcp conversations gateway
<get-service-pgcp-conversation-information-gateway>
show services pgcp flows
<get-service-pgcp-flow-table-information>
show services pgcp flows gateway
<get-service-pgcp-flow-table-information-gateway>
show services pgcp gate
<get-service-pgcp-gate>
show services pgcp gate gateway
364
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
<get-service-pgcp-gate-gateway>
show services pgcp gates
<get-service-pgcp-gates>
show services pgcp gates gateway
<get-service-pgcp-gates-gateway>
show services pgcp root-termination
<get-services-pgcpd-root-termination>
show services pgcp root-termination gateway
<get-services-pgcpd-root-termination-gateway>
show services pgcp statistics
<get-service-pgcp-statistics>
show services pgcp statistics gateway
<get-service-pgcp-statistics-gateway>
show services pgcp terminations
<get-service-pgcp-terminations>
show services pgcp terminations gateway
<get-service-pgcp-terminations-gateway>
show services redundancy-group
<get-services-redundancy-group-information>
show services redundancy-group rg-id
<get-services-redundancy-group-id-information>
show services rpm
show services rpm active-servers
<get-active-servers>
show services rpm history-results
<get-history-results>
show services rpm probe-results
<get-probe-results>
show services rpm twamp
<twamp-information>
show services rpm twamp client
<twamp-client-information>
show services rpm twamp client connection
<twamp-client-connection-information>
show services rpm twamp client history-results
<twamp-get-history-results>
show services rpm twamp client probe-results
<twamp-get-probe-results>
show services rpm twamp client session
<twamp-client-test-session>
show services rpm twamp server
<twamp-server-information>
show services rpm twamp server connection
<twamp-server-connection-information>
show services rpm twamp server session
<twamp-server-session-information>
show services server-load-balance
show services server-load-balance external-manager
show services server-load-balance external-manager information
Copyright © 2017, Juniper Networks, Inc.
365
User Access and Authentication Feature Guide for Routing Devices
show services server-load-balance external-manager statistics
<get-external-manager-statistics-information>
show services server-load-balance hash-table
<get-hash-table-information>
show services server-load-balance health-monitor
show services server-load-balance health-monitor information
<get-real-server-health-monitor-information>
show services server-load-balance health-monitor statistics
<get-real-server-health-monitor-statistics-information>
show services server-load-balance real-server
show services server-load-balance real-server statistics
<get-real-server-statistics-information>
show services server-load-balance real-server-group
show services server-load-balance real-server-group information
<get-real-server-group-information>
show services server-load-balance real-server-group statistics
<get-real-server-group-statistics-information>
show services server-load-balance sticky
<get-sticky-table-information>
show services server-load-balance virtual-server
show services server-load-balance virtual-server information
<get-virtual-server-information>
show services server-load-balance virtual-server statistics
<get-virtual-server-statistics-information>
show services service-identification
show services service-identification header-redirect
show services service-identification header-redirect statistics
<get-header-redirect-set-statistics-information>
show services service-identification statistics
<get-service-identification-statistics-information>
show services service-identification uri-redirect
show services service-identification uri-redirect statistics
<get-uri-redirect-set-statistics-information>
show services service-sets
show services service-sets cpu-usage
<get-service-set-cpu-statistics>
show services service-sets memory-usage
<get-service-set-memory-statistics>
show services service-sets memory-usage zone
show services service-sets plug-ins
<get-service-set-plugin-summary>
show services service-sets statistics
show services service-sets statistics drop-flow-limit
<get-service-set-drop-flow-statistics>
show services service-sets statistics ids
show services service-sets statistics ids drops
<get-service-set-ids-drops-statistics>
show services service-sets statistics jflow-log
<get-service-set-jflow-log-statistics>
show services service-sets statistics packet-drops
<get-service-set-packet-drop-statistics>
show services service-sets statistics syslog
<get-service-set-syslog-statistics>
show services service-sets statistics tcp
366
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
<get-service-set-tcp-tracker-statistics>
show services service-sets statistics tcp-mss
<get-service-set-tcp-mss-statistics>
show services service-sets summary
<get-service-set-summary-information>
show services sessions
<get-msp-session-table>
show services sessions analysis
<show-service-msp-session-analysis-information>
show services sessions count
<get-service-msp-sess-count-information>
show services sessions utilization
<get-services-sessions-utilization>
show services softwire
<get-service-softwire-table-information>
show services softwire flows
<get-service-fwnat-flow-table-information>
show services softwire statistics
<get-service-softwire-statistics-information>
show services stateful-firewall
show services stateful-firewall flow-analysis
<get-service-flow-analysis-information>
show services stateful-firewall conversations
<get-service-sfw-conversation-information>
show services stateful-firewall flows
<get-service-sfw-flow-table-information>
show services stateful-firewall redundancy-statistics
<get-service-sfw-redundancy-statistics>
show services stateful-firewall sip-call
<get-service-sfw-sip-call-information>
show services stateful-firewall sip-register
<get-service-sfw-sip-register-information>
show services stateful-firewall statistics
<get-service-sfw-statistics-information>
show services stateful-firewall statistics application-protocol
<et-sfw-application-protocol-statistics>
show services stateful-firewall subscriber-analysis
<get-service-subs-analysis-information>
show services subscriber
show services subscriber bandwidth
show services subscriber bandwidth client-id
<get-services-subscriber-bandwidth-by-session-id>
show services subscriber bandwidth interface
<get-services-subscriber-bandwidth-by-interface>
show services subscriber bandwidth ip-address
<get-services-subscriber-bandwidth-by-ip-address>
show services subscriber bandwidth service-interface
<get-services-subscriber-bandwidth-by-service-interface>
show services subscriber dynamic-policies
Copyright © 2017, Juniper Networks, Inc.
367
User Access and Authentication Feature Guide for Routing Devices
<get-services-subscriber-dynamic-policies>
show services subscriber flows
<get-services-subscriber-flows>
show services subscriber sessions
<get-services-subscriber-session>
show services subscriber statistics
<get-services-subscriber-statistics>
show services traffic-detection-function
show services traffic-detection-function hcm
show services traffic-detection-function hcm statistics
<get-service-tdf-hcm-sessions-stats>
show services traffic-detection-function sessions
<get-service-tdf-sessions-information>
show services traffic-load-balance
show services traffic-load-balance statistics
<get-traffic-load-balance-statistics>
show services unified-access-control
show services unified-access-control authentication-table
<get-uac-auth-table>
show services unified-access-control counters
<get-uac-counters>
show services unified-access-control policies
<get-uac-policies>
show services unified-access-control roles
<get-uac-role-entries>
show services unified-access-control status
<get-uac-status>
show services video-monitoring
<get-service-video-monitoring-information>
show services video-monitoring mdi
<get-service-video-monitoring-mdi-information
show services video-monitoring mdi alarms
<get-services-video-monitoring-mdi-alarms-information>
show services video-monitoring mdi alarms errors
<get-services-video-monitoring-mdi-alarms-errors-information>
show services video-monitoring mdi alarms stats
<get-services-video-monitoring-mdi-alarms-stats-information>
show services video-monitoring mdi errors>
<get-service-video-monitoring-mdi-errors-information>
show services video-monitoring mdi flow
<get-service-video-monitoring-mdi-flows-information>
show services video-monitoring mdi stats
<get-service-video-monitoring-mdi-stats-information>
show shmlog
show shmlog argument-mappings
<get-shmlog-argument-mappings>
show shmlog configuration
<show-shmlog-configuration>
show shmlog entries
<show-shmlog-entries>
show shmlog logs-summary
<show-shmlog-logsummary>
show shmlog statistics
<show-shmlog-statistics>
show snmp
show snmp health-monitor
<get-health-monitor-information>
show snmp health-monitor alarms
<get-health-monitor-alarm-information>
368
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
show snmp health-monitor logs
<get-health-monitor-log-information>
show snmp health-monitor routing-engine
show snmp health-monitor routing-engine history
<get-health-monitor-routing-engine-history>
show snmp health-monitor routing-engine history cpu
<get-routing-engine-cpu-history>
show snmp health-monitor routing-engine history memory
<get-routing-engine-memory-history>
show snmp health-monitor routing-engine history open-files-count
<get-routing-engine-fd-history>
show snmp health-monitor routing-engine history process-count
<get-routing-engine-pcount-history>
show snmp health-monitor routing-engine history storage
<get-routing-engine-storage-history>
show snmp health-monitor routing-engine history temperature
<get-routing-engine-temperature-history>
show snmp health-monitor routing-engine status
<get-health-monitor-routing-engine-information>
show snmp health-monitor routing-engine status detail
show snmp inform-statistics
<get-snmp-inform-statistics>
show snmp mib
show snmp mib get
<get-snmp-object>
show snmp mib get-next
<get-next-snmp-object>
show snmp mib walk
<get-walk-snmp-object>
show snmp proxy
show snmp rmon
<get-rmon-information>
show snmp rmon alarms
<get-rmon-alarm-information>
show snmp rmon events
<get-rmon-event-information>
show snmp rmon history
<get-rmon-history-information>
show snmp rmon logs
<get-rmon-log-information>
show snmp statistics
<get-snmp-information>
show snmp v3
<get-snmp-v3-information>
show snmp v3 access
<get-snmp-v3-access-information>
show snmp v3 community
<get-snmp-v3-community-information>
Copyright © 2017, Juniper Networks, Inc.
369
User Access and Authentication Feature Guide for Routing Devices
show snmp v3 general
<get-snmp-v3-general-information>
show snmp v3 groups
<get-snmp-v3-group-information>
show snmp v3 notify
<get-snmp-v3-notify-information>
show snmp v3 notify filter
<get-snmp-v3-notify-filter-information>
show snmp v3 target
<get-snmp-v3-target-information>
show snmp v3 target address
<get-snmp-v3-target-address-information>
show snmp v3 target parameters
<get-snmp-v3-target-parameters-information>
show snmp v3 users
<get-snmp-v3-usm-user-information>
show spanning-tree
show spanning-tree bridge
<get-stp-bridge-information>
show spanning-tree interface
<get-stp-interface-information>
show spanning-tree mstp
show spanning-tree mstp configuration
<get-mstp-configuration-information>
show spanning-tree statistics
<get-stp-interface-statistics>
show spanning-tree statistics bridge
show spanning-tree statistics interface
show spanning-tree statistics routing-instance
<get-stp-routing-instance-statistics>
show spanning-tree stp-buffer
show spanning-tree stp-buffer see-all
show ssl-certificates
<get-ssl-certificate-information>
show static-subscribers
show static-subscribers sessions
<show subscribers
<get-subscribers>
show subscribers summary
<get-subscribers-summary>
<get-syslog-filenames>
show
show
show
show
show
show
show
synchronous-ethernet
synchronous-ethernet esmc
synchronous-ethernet esmc statistics
synchronous-ethernet esmc transmit
synchronous-ethernet global-information
system
system alarms
<get-system-alarm-information>
show system auto-snapshot
370
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
show
show
show
show
system boot-messages
system buffers
system certificate
system commit
<get-commit-information>
show system commit revision
<get-commit-revision-information>
show system commit server
<get-commit-server-information>
show system commit ephemeral
<get-ephemeral-commit-information>
show system commit server queue
<get-commit-server-queue-information>
show system commit synchronize-server
show system configuration
show system configuration archival
<get-system-archival>
show system configuration rescue
<get-rescue-information>
show system connections
show system core-dumps
<get-system-core-dumps>
show system core-dumps core-file-info
<get-core-file-information>
show system core-dumps kernel-crashinfo
show system core-dumps satellite
<get-core-file-satellite>
show system core-dumps transfer-status
show system diagnostics
show system diagnostics inventory
show system diagnostics usage
show system directory-usage
<get-directory-usage-information>
show system firmware
<get-system-firmware-information>
show system khms-stats
show system license
<get-license-summary-information>
show system license installed
<get-license-information>
show system license key-content
show system license keys
<get-license-key-information>
show system license usage
<get-license-usage-summary>
show system login
show system login lockout
<get-system-login-lockout-information>
show system memory
<show system processes
show system processes brief
show system processes esc-node
show system processes extensive
Copyright © 2017, Juniper Networks, Inc.
371
User Access and Authentication Feature Guide for Routing Devices
show system processes health
<get-process-health-information>
show system processes providers
show system processes host-processes detail
show system processes providers
show system processes resource-limits
<get-system-process-resource-limits>
show system processes summary
show system queues
show system reboot
show system resource-cleanup
show system resource-cleanup processes
<get-system-resource-cleanup-processes-information>
<get-resource-monitor-fpc-information>
<get-resource-monitor-fpc-slot-information>
show system rollback
<get-rollback-information>
show system services
show system services dhcp
show system services dhcp binding
<get-dhcp-binding-information>
show system services dhcp conflict
<get-dhcp-conflict-information>
show system services dhcp global
<get-dhcp-global-information>
show system services dhcp pool
<get-dhcp-pool-information>
show system services dhcp statistics
<get-dhcp-statistics-information>
show system services reverse
<get-system-services-reverse-information>
show system services service-deployment
<get-service-deployment-service-information>
show system snapshot
<get-snapshot-information>
show system software
show system software backup
<get-package-backup-information>
<get-software-installation-status>
show system software recovery-package
show system software rollback
<show-package-rollback>
show system statistics
<get-statistics-information>
show system statistics bridge
<get-system-bridge-statistics>
show system statistics extended
show system statistics vpls
372
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
show system storage
<get-system-storage>
show system storage partitions
<get-system-storage-partitions>
show system storage satellite
<get-system-storage-satellite>
show system subscriber-management
show system subscriber-management arp
<get-subscriber-management-arp>
show system subscriber-management arp address
<get-subscriber-management-arp-address>
show system subscriber-management arp interface
<get-subscriber-management-arp-interface>
show system subscriber-management ipv6-neighbors
<get-subscriber-management-ipv6-neighbors>
show system subscriber-management ipv6-neighbors address
<get-subscriber-management-ipv6-neighbor-address>
show system subscriber-management ipv6-neighbors interface
<get-subscriber-management-ipv6-neighbor-interface>.
show system subscriber-management route
<get-subscriber-management-route>
show system subscriber-management route next-hop
<get-subscriber-management-route-nh>
show system subscriber-management route prefix
show system subscriber-management route summary
<get-subscriber-management-route-summary>
show system subscriber-management statistics
<get-subscriber-management-statistics>
show system subscriber-management summary
show system switchover
<get-switchover-information>
show system uptime
<get-system-uptime-information>
show system users
<get-system-users-information>
show system virtual-memory
show system yang
show system yang package
<get-system-yang-packages>
show task
show task io
show task logical-system-mux
<get-lrmuxd-task-information>
show task logical-system-mux io
<get-lrmuxd-tasks-io-statistics>
show task logical-system-mux memory
<get-lrmuxd-task-memory>
show task memory
show task replication
<get-routing-task-replication-state>
show task snooping
show task snooping io
show task snooping memory
<get-snooping-task-memory-information>
show ted
show ted database
<get-ted-database-information>
Copyright © 2017, Juniper Networks, Inc.
373
User Access and Authentication Feature Guide for Routing Devices
show ted link
<get-ted-link-information>
show ted protocol
<get-ted-protocol-information>
show unified-edge
show unified-edge gateways
show unified-edge ggsn-pgw
show unified-edge ggsn-pgw aaa
show unified-edge ggsn-pgw aaa network-element
show unified-edge ggsn-pgw aaa network-element status
show unified-edge ggsn-pgw aaa network-element-group
show unified-edge ggsn-pgw aaa network-element-group status
show unified-edge ggsn-pgw aaa radius
show unified-edge ggsn-pgw aaa radius statistics
show unified-edge ggsn-pgw aaa statistics
show unified-edge ggsn-pgw address-assignment
show unified-edge ggsn-pgw address-assignment group
show unified-edge ggsn-pgw address-assignment pool
show unified-edge ggsn-pgw address-assignment service-mode
show unified-edge ggsn-pgw address-assignment statistics
show unified-edge ggsn-pgw apn
show unified-edge ggsn-pgw apn service-mode
show unified-edge ggsn-pgw apn statistics
show unified-edge ggsn-pgw call-rate
show unified-edge ggsn-pgw call-rate statistics
show unified-edge ggsn-pgw charging
show unified-edge ggsn-pgw charging global
show unified-edge ggsn-pgw charging global statistics
show unified-edge ggsn-pgw charging local-persistent-storage
show unified-edge ggsn-pgw charging local-persistent-storage statistics
show unified-edge ggsn-pgw charging path
show unified-edge ggsn-pgw charging path statistics
show unified-edge ggsn-pgw charging path status
show unified-edge ggsn-pgw charging service-mode
show unified-edge ggsn-pgw charging transfer
show unified-edge ggsn-pgw charging transfer statistics
show unified-edge ggsn-pgw charging transfer status
show unified-edge ggsn-pgw charging trigger-profile
show unified-edge ggsn-pgw gtp
show unified-edge ggsn-pgw gtp peer
show unified-edge ggsn-pgw gtp peer count
show unified-edge ggsn-pgw gtp peer history
show unified-edge ggsn-pgw gtp peer statistics
show unified-edge ggsn-pgw gtp statistics
show unified-edge ggsn-pgw ip-reassembly
show unified-edge ggsn-pgw ip-reassembly statistics
show unified-edge ggsn-pgw resource-manager
show unified-edge ggsn-pgw resource-manager clients
show unified-edge ggsn-pgw service-mode
show unified-edge ggsn-pgw statistics
show unified-edge ggsn-pgw statistics traffic-class
show unified-edge ggsn-pgw status
show unified-edge ggsn-pgw status gtp-peer
show unified-edge ggsn-pgw status preemption-list
show unified-edge ggsn-pgw status session-state
show unified-edge ggsn-pgw subscribers
show unified-edge ggsn-pgw subscribers charging
show unified-edge ggsn-pgw subscribers traffic-class
show unified-edge ggsn-pgw system
show unified-edge ggsn-pgw system interfaces
374
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
show unified-edge ggsn-pgw system interfaces service-mode
show unified-edge sgw
show unified-edge sgw call-rate
show unified-edge sgw call-rate statistics
show unified-edge sgw charging
show unified-edge sgw charging global
show unified-edge sgw charging global statistics
show unified-edge sgw charging local-persistent-storage
show unified-edge sgw charging local-persistent-storage statistics
show unified-edge sgw charging path
show unified-edge sgw charging path statistics
show unified-edge sgw charging path status
show unified-edge sgw charging service-mode
show unified-edge sgw charging transfer
show unified-edge sgw charging transfer statistics
show unified-edge sgw charging transfer status
show unified-edge sgw charging trigger-profile
show unified-edge sgw gtp
show unified-edge sgw gtp peer
show unified-edge sgw gtp peer count
show unified-edge sgw gtp peer history
show unified-edge sgw gtp peer statistics
show unified-edge sgw gtp statistics
show unified-edge sgw idle-mode-buffering
show unified-edge sgw idle-mode-buffering statistics
show unified-edge sgw ip-reassembly
show unified-edge sgw ip-reassembly statistics
show unified-edge sgw resource-manager
show unified-edge sgw resource-manager clients
show unified-edge sgw service-mode
show unified-edge sgw statistics
show unified-edge sgw status
show unified-edge sgw status gtp-peer
show unified-edge sgw status preemption-list
show unified-edge sgw status session-state
show unified-edge sgw subscribers
show unified-edge sgw subscribers charging
show unified-edge sgw system
show unified-edge sgw system interfaces
show unified-edge sgw system interfaces service-mode
<get-mobile-serving-gateway-interface-service-mode>
show unified-edge tdf
show unified-edge tdf aaa
show unified-edge tdf aaa radius
show unified-edge tdf aaa radius client
show unified-edge tdf aaa radius client statistics
<radius-client-statistics>
show unified-edge tdf aaa radius client status
show unified-edge tdf aaa radius network-element
show unified-edge tdf aaa radius network-element statistics
<get-aaa-radius-element-statistics>
show unified-edge tdf aaa radius network-element status>
<get-aaa-radius-element-status>
show unified-edge tdf aaa radius server
show unified-edge tdf aaa radius server statistics
radius-server-statistics
show unified-edge tdf aaa radius server status
<get-aaa-radius-server-status>
show unified-edge tdf aaa radius snoop-segment
show unified-edge tdf aaa radius snoop-segment statistics
<radius-snoop-segment-statistics>
Copyright © 2017, Juniper Networks, Inc.
375
User Access and Authentication Feature Guide for Routing Devices
show unified-edge tdf aaa statistics
<get-tdf-gateway-aaa-statistics>
show unified-edge tdf address-assignment
show unified-edge tdf address-assignment pool
<get-tdf-gateway-sm-ippool-pool-information>
show unified-edge tdf address-assignment service-mode
<get-tdf-address-assign-service-mode>
show unified-edge tdf address-assignment statistics
<get-tdf-gateway-sm-ippool-statistics>
show unified-edge tdf call-admission-control
show unified-edge tdf call-admission-control statistics
<get-tdf-cac-statistics>
show unified-edge tdf call-rate
show unified-edge tdf call-rate statistics
<get-tdf-call-rate-statistics>
show unified-edge tdf diameter
show unified-edge tdf diameter network-element
show unified-edge tdf diameter network-element statistics
<get-diameter-network-element-statistics>
show unified-edge tdf diameter network-element status
<get-diamieter-network-element-status>
show unified-edge tdf diameter pcc-gx
show unified-edge tdf diameter pcc-gx statistics
<get-diameter-statistics-gx>
show unified-edge tdf diameter peer
show unified-edge tdf diameter peer statistics
<get-gateway-diameter-peer-statistics>
show unified-edge tdf diameter peer status
<get-diameter-peer-status>
show unified-edge tdf domain
show unified-edge tdf domain service-mode
<get-mobile-gateways-domain-service-mode>
show unified-edge tdf domain statistics
<get-mobile-gateways-domain-statistics>
show unified-edge tdf resource-manager
show unified-edge tdf resource-manager clients
<get-mobile-gateway-tdf-client-status-information>
show unified-edge tdf service-mode
<get-tdf-gateway-service-mode>
show unified-edge tdf statistics
<get-tdf-statistics>
show unified-edge tdf status
<get-tdf-gateway-status>
show unified-edge tdf status subscriber-state
<get-tdf-gateways-status-state>
show unified-edge tdf subscribers
<get-tdf-gateway-subscribers>
show unified-edge tdf subscribers data-plane
<get-tdf-gateway-subscriber-dataplane-statistics>
show unified-edge tdf subscribers stuck
<get-tdf-gateway-stuck-subscribers>
show unified-edge tdf system
show unified-edge tdf system interfaces
<get-tdf-interfaces-information>
show unified-edge tdf system interfaces service-mode
<get-mobile-tdf-interface-service-mode>
show version
<get-software-information>
show virtual-chassis
show virtual-chassis active-topology
376
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
<get-virtual-chassis-active-topology>
show virtual-chassis device-topology
<get-virtual-chassis-device-topology>
show virtual-chassis fast-failover
<get-virtual-chassis-fast-failover>
show virtual-chassis heartbeat
<get-virtual-chassis-heartbeat-information>
show virtual-chassis login
<get-virtual-chassis-login>
show virtual-chassis mode
<get-virtual-chassis-mode-information>
show virtual-chassis protocol
show virtual-chassis protocol adjacency
<get-virtual-chassis-adjacency-information>
show virtual-chassis protocol database
<get-virtual-chassis-database-information>
show virtual-chassis protocol interface
<get-virtual-chassis-interface-information>
show virtual-chassis protocol route
<get-virtual-chassis-route-information>
show virtual-chassis protocol statistics
<get-virtual-chassis-statistics-information>
show virtual-chassis status
<get-virtual-chassis-information>
show virtual-chassis vc-path
<get-virtual-chassis-packet-path>
show virtual-chassis vc-port
<get-virtual-chassis-port-information>
show virtual-chassis vc-port diagnostics
show virtual-chassis vc-port diagnostics optics
<get-virtual-chassis-optics-diagnostics>
show virtual-chassis vc-port lag-hash
<get-virtual-chassis-port-lag-hash-information>
show virtual-chassis vc-port statistics
<get-virtual-chassis-port-statistics>
show vlans
<get-vlan-information>
show vlans operational
<get-operational-vlan-instance-information>
show vlans satellite
<get-satellite-control-bridge-domain>
show vmhost
show vmhost bridge
<get-vmhost-bridge-information>
show vmhost crash
<get-vmhost-crash-information>
show vmhost hardware
<get-vmhost-hardware>
show vmhost information
<get-vmhost-information>
show vmhost logs
<get-vmhost-logs-information>
show vmhost management-if
<get-vmhost-management-if-info>
show vmhost netstat
<get-vmhost-netstat>
show vmhost processes
<get-vmhost-processes-information>
show vmhost resource-usage
<get-vmhost-resource-usage-information>
show vmhost snapshot
Copyright © 2017, Juniper Networks, Inc.
377
User Access and Authentication Feature Guide for Routing Devices
<get-vmhost-snapshot-information>
show vmhost status
<get-vmhost-staus>
show vmhost uptime
<get-vmhost-uptime>
show vmhost version
<get-vmhost-version-information>
show vpls
show vpls connections
<get-vpls-connection-information>
show vpls flood
show vpls flood event-queue
<get-vpls-event-queue-information>
show vpls flood route
show vpls flood route all-ce-flood
<get-vpls-all-ce-flood-route-information>
show vpls flood route all-flood
<get-vpls-all-flood-route-information>
show vpls flood route alt-root-flood
<get-vpls-alt-root-flood-route-information>
show vpls flood route ce-flood
<get-vpls-ce-flood-route-information>
show vpls flood route mlp-flood
<get-vpls-mlp-flood-route-information>
show vpls flood route re-flood
<get-vpls-re-flood-route-information>
show vpls mac-table
<get-vpls-mac-table>
show vpls mac-table interface
<get-vpls-interface-mac-table>
show vpls statistics
<get-vpls-statistics-information>
show
show
show
test
test
test
test
test
test
test
test
test
test
test
test
test
test
378
vrrp
vrrp interface
vrrp track
interface
interface fdl-line-loop
interface fdl-line-loop ansi
interface fdl-line-loop ansi initiate
interface fdl-line-loop ansi terminate
interface fdl-line-loop bellcore
interface fdl-line-loop bellcore initiate
interface fdl-line-loop bellcore terminate
interface fdl-payload-loop
interface fdl-payload-loop ansi
interface fdl-payload-loop ansi initiate
interface fdl-payload-loop ansi terminate
interface fdl-payload-loop bellcore
interface fdl-payload-loop bellcore initiate
Copyright © 2017, Juniper Networks, Inc.
Chapter 5: Permission Flags for User Access Privileges
test
test
test
test
test
test
test
test
test
test
test
test
test
test
test
test
test
test
test
test
test
<
Configuration
Hierarchy Levels
Related
Documentation
interface fdl-payload-loop bellcore terminate
interface inband-line-loop
interface inband-line-loop ansi
interface inband-line-loop ansi initiate
interface inband-line-loop ansi terminate
interface inband-line-loop bellcore
interface inband-line-loop bellcore initiate
interface inband-line-loop bellcore terminate
interface inband-line-loop initiate
interface inband-line-loop terminate
interface inband-payload-loop
interface inband-payload-loop ansi
interface inband-payload-loop ansi initiate
interface inband-payload-loop ansi terminate
interface inband-payload-loop bellcore
interface inband-payload-loop bellcore initiate
interface inband-payload-loop bellcore terminate
msdp
msdp dependent-peers
msdp rpf-peer
policy
[edit dynamic-profiles routing-instances instance services mobile-ip home-agent
enable-service]
[edit logical-systems routing-instances instance services mobile-ip home-agent
enable-service]
[edit logical-systems services mobile-ip home-agent enable-service]
[edit routing-instances instance services mobile-ip home-agent enable-service]
[edit services mobile-ip home-agent enable-service]
•
Access Privilege User Permission Flags Overview on page 114
•
Understanding Junos OS Access Privilege Levels on page 26
•
Example: Configuring User Permissions with Access Privilege Levels on page 65
•
Example: Configuring User Permissions with Access Privileges for Operational Mode
Commands on page 76
•
Example: Configuring User Permissions with Access Privileges for Configuration
Statements and Hierarchies on page 87
view-configuration
Can view all of the configuration (not including secrets).
Commands
Configuration
Hierarchy Levels
Related
Documentation
No associated CLI commands.
No associated CLI configuration hierarchy levels and statements.
•
Access Privilege User Permission Flags Overview on page 114
•
Understanding Junos OS Access Privilege Levels on page 26
Copyright © 2017, Juniper Networks, Inc.
379
User Access and Authentication Feature Guide for Routing Devices
380
•
Example: Configuring User Permissions with Access Privilege Levels on page 65
•
Example: Configuring User Permissions with Access Privileges for Operational Mode
Commands on page 76
•
Example: Configuring User Permissions with Access Privileges for Configuration
Statements and Hierarchies on page 87
Copyright © 2017, Juniper Networks, Inc.
CHAPTER 6
Configuring Passwords for User Access
•
Configuring the Root Password on page 381
•
Example: Protecting Network Security by Configuring the Root Password on page 383
•
Example: Configuring a Plain-Text Password for Root Logins on page 383
•
Example: Configuring SSH Authentication for Root Logins on page 386
•
Recovering the Root Password on page 386
•
Changing the Requirements for Junos OS Plain-Text Passwords on page 389
•
Example: Changing the Requirements for Junos OS Plain-Text Passwords on page 389
•
Configuring MS-CHAPv2 for Password-Change Support on page 391
Configuring the Root Password
The Junos OS is preinstalled on the router or switch. When the router or switch is powered
on, it is ready to be configured. Initially, you log in as the user root with no password. The
root directory of a UNIX device is the entry point to all other folders and files on that
device. As a result, access to the root directory is restricted by default to a predefined
user account known as the root user. The root user (also referred to as superuser) has
unrestricted access and full permissions within the system. The expression “log in as
root” is commonly used when an action requires the user to log into the device as the
root user.
NOTE: If you configure a blank password using the encrypted-password
statement at the [edit system root-authentication] hierarchy level for root
authentication, you can commit a configuration but you cannot log in as the
root user and gain root level access to the router or switch.
After you log in, you should configure the root (superuser) password by including the
root-authentication statement at the [edit system] hierarchy level and configuring one
of the password options:
[edit system]
root-authentication {
(encrypted-password "password"| plain-text-password);
load-key-file URL filename;
ssh-dsa “public-key” <from hostname>;
Copyright © 2017, Juniper Networks, Inc.
381
User Access and Authentication Feature Guide for Routing Devices
ssh-ecdsa “public-key” <from hostname>;
ssh-rsa “public-key” <from hostname>;
}
If you configure the plain-text-password option, you are prompted to enter and confirm
the password:
[edit system]
user@host# set root-authentication plain-text-password
New password: type password here
Retype new password: retype password here
The default requirements for plain-text passwords are:
•
The password must be between 6 and 128 characters long
•
You can include most character classes in a password (uppercase letters, lowercase
letters, numbers, punctuation marks, and other special characters). Control characters
are not recommended.
•
Valid passwords must contain at least one change of case or character class.
You can use the load-key-file URL filename statement to load an SSH key file that was
previously generated using ssh-keygen. The URL filename is the path to the file’s location
and name. When using this option, the contents of the key file are copied into the
configuration immediately after entering the load-key-file URL statement. This command
loads RSA (SSH version 1 and SSH version 2) and DSA (SSH version 2) public keys.
Optionally, you can use the ssh-dsa, ssh-ecdsa, or ssh-rsa statements to directly configure
SSH RSA, DSA, or ECDSA keys to authenticate root logins. You can configure more than
one public key for SSH authentication of root logins as well as for user accounts. When
a user logs in as root, the public keys are referenced to determine whether the private
key matches any of them.
To view the SSH keys entries, use the configuration mode show command. For example:
[edit system]
user@host# set root-authentication load-key-file my-host:.ssh/id_dsa.pub
.file.19692 | 0 KB | 0.3 kB/s | ETA: 00:00:00 | 100%
[edit system]
user@host# show
root-authentication {
ssh-rsa "$ABC123"; #
SECRET-DATA
}
Junos-FIPS software has special password requirements. FIPS passwords must be
between 10 and 20 characters in length. Passwords must use at least three of the five
defined character sets (uppercase letters, lowercase letters, digits, punctuation marks,
and other special characters). If Junos-FIPS is installed on the router or switch, you cannot
configure passwords unless they meet this standard. If you use the encrypted-password
option, then a null-password (empty) is not permitted.
382
Copyright © 2017, Juniper Networks, Inc.
Chapter 6: Configuring Passwords for User Access
You cannot configure a blank password for encrypted-password using blank quotation
marks (" "). You must configure a password whose number of characters range from 1
through 128 characters and enclose the password in quotation marks.
Related
Documentation
•
Protecting Network Security by Configuring the Root Password
•
Example: Configuring a Plain-Text Password for Root Logins on page 383
•
Example: Configuring SSH Authentication for Root Logins on page 386
•
Example: Changing the Requirements for Junos OS Plain-Text Passwords on page 389
•
Recovering the Root Password on page 386
Example: Protecting Network Security by Configuring the Root Password
Configuring the root password on your Junos OS-enabled router helps prevent
unauthorized users from making changes to your network. The root user (also referred
to as superuser) has unrestricted access and full permissions within the system, so it is
crucial to protect these functions by setting a strong password when setting up a new
router.
After a new router is initially powered on, you log in as the user root with no password.
Junos OS requires configuration of the root password before it accepts a commit
operation. On a new device, the root password must always be a part of the configuration
submitted with your initial commit.
The following example shows how to configure the root password:
[edit]
user@switch# set system root-authentication encrypted-password "$ABC123"
[edit]
user@switch# show
system {
root-authentication {
encrypted-password "$ABC123";
}
}
Related
Documentation
•
Protecting Network Security by Configuring the Root Password
•
Example: Configuring a Plain-Text Password for Root Logins on page 383
•
Configuring the Root Password
Example: Configuring a Plain-Text Password for Root Logins
This example shows how to configure a plain-text password for the root-level user (whose
username is root). Configuring a plain-text password is one way to protect access to the
Copyright © 2017, Juniper Networks, Inc.
383
User Access and Authentication Feature Guide for Routing Devices
root level by unauthorized users. You must prevent unauthorized users from gaining
access to superuser commands that can be used to alter your system configuration.
•
Requirements on page 384
•
Overview on page 384
•
Configuration on page 384
•
Verification on page 385
Requirements
No special configuration beyond device initialization is required before configuring this
example.
Make sure that you understand the requirements for a valid plain-text password. For
Junos OS, the default requirements for a plain-text password are as follows:
•
Must be from 6 up to 128 characters long.
•
Can include most character classes (uppercase letters, lowercase letters, numbers,
punctuation marks, and other special characters). Control characters are not
recommended.
•
Must contain at least one change of case or character class.
Overview
Junos OS is preinstalled on the router. When the router is powered on, it is ready to be
configured. Initially, you log in as the root-level user with no password. To set the root
password, you have several options. This example shows how to enter a plain-text
password that Junos OS then encrypts for you.
Configuration
CLI Quick
Configuration
To quickly configure this example, copy the following command and paste it into the
window. When prompted, type the new password, and then when prompted, retype it.
set system root-authentication plain-text-password
Configuring a Plain-Text Password for User Root
Step-by-Step
Procedure
To configure a plain-text password for the root-level user:
1.
Type the set command for the plain-text password and press Enter.
[edit]
user@host# set system root-authentication plain-text-password
New password:
2.
Type the new password next to the New password prompt and press Enter.
New password: new-password
Retype new password:
384
Copyright © 2017, Juniper Networks, Inc.
Chapter 6: Configuring Passwords for User Access
3.
Retype the same password next to the Retype new password prompt and press
Enter.
Results
From configuration mode, confirm your configuration by using the show command. It
should look something like this:
[edit ]
user@host# show system
root-authentication {
encrypted-password "$ABC123"; ## SECRET-DATA
}
If the output does not display the intended configuration, repeat the instructions in this
example to correct the configuration.
After you have confirmed that the configuration is correct, enter commit from configuration
mode.
Verification
Verifying the Configuration of a Plain-Text Password for User Root
Purpose
Action
Verify the configuration of a plain-text password for the root-level user.
From operational mode, confirm your configuration by entering the show configuration
system command.
user@host> show configuration system
root-authentication {
encrypted-password "$ABC123"; ## SECRET-DATA
}
Meaning
Related
Documentation
If you use a clear-text password, Junos OS displays the password as an encrypted string
so that users viewing the configuration cannot see the unencrypted password. That is,
as you enter the password in plain text, Junos OS encrypts it immediately. You do not
have to configure Junos OS to encrypt the password as in some other systems. Plain-text
passwords are hidden and marked as ## SECRET-DATA in the configuration.
•
root-authentication
•
Special Requirements for Junos OS Plain-Text Passwords on page 393
•
Configuring Special Requirements for Plain-Text Passwords
•
Changing the Requirements for Junos OS Plain-Text Passwords on page 389
Copyright © 2017, Juniper Networks, Inc.
385
User Access and Authentication Feature Guide for Routing Devices
Example: Configuring SSH Authentication for Root Logins
The following example shows how to configure two public DSA keys for SSH
authentication of root logins:
[edit system]
root-authentication {
encrypted-password "$ABC123";
## SECRET-DATA;
ssh-dsa "2354 95 9304@user.device";
ssh-dsa "0483 02 8362@user.device";
}
Related
Documentation
•
Configuring the Root Password on page 381
•
Special Requirements for Junos OS Plain-Text Passwords on page 393
Recovering the Root Password
If you forget the root password for the router, you can use the password recovery
procedure to reset the root password.
NOTE: You need console access to recover the root password.
NOTE: This password recovery procedure does not apply to devices running
Junos OS with Upgraded FreeBSD. See Recovering the Root Password on
Junos OS with Upgraded FreeBSD
Video: Recovering the Root Password
To recover the root password:
1.
Power off the router by pressing the power button on the front panel.
2. Turn off the power to the management device, such as a PC or laptop computer, that
you want to use to access the CLI.
3. Plug one end of the Ethernet rollover cable supplied with the router into the
RJ-45–to–DB-9 serial port adapter supplied with the router.
4. Plug the RJ-45–to–DB-9 serial port adapter into the serial port on the management
device.
386
Copyright © 2017, Juniper Networks, Inc.
Chapter 6: Configuring Passwords for User Access
5. Connect the other end of the Ethernet rollover cable to the console port on the router.
6. Turn on the power to the management device.
7. On the management device, start your asynchronous terminal emulation application
(such as Microsoft Windows Hyperterminal) and select the appropriate COM port to
use (for example, COM1).
8. Configure the port settings as follows:
•
Bits per second: 9600
•
Data bits: 8
•
Parity: None
•
Stop bits: 1
•
Flow control: None
9. Power on the router by pressing the power button on the front panel.
Verify that the POWER LED on the front panel turns green.
The terminal emulation screen on your management device displays the router’s boot
sequence.
10. When the following prompt appears, press the Spacebar to access the router’s
bootstrap loader command prompt:
Depending on your device hardware, the bootstrap loader might proceed quite quickly
at this step without pausing for input. Therefore, you might need to press the spacebar
multiple times at the beginning of the boot sequence.
Hit [Enter] to boot immediately, or space bar for command prompt.
Booting [kernel] in 9 seconds...
11. At the following prompt, type boot -s to start the system in single-user mode.
ok boot -s
12. At the following prompt, type recovery to start the root password recovery procedure.
Enter full pathname of shell or 'recovery' for root password recovery or RETURN
for /bin/sh: recovery
13. Enter configuration mode in the CLI.
14. Set the root password.
When you configure a plain-text password, Junos OS encrypts the password for you.
Copyright © 2017, Juniper Networks, Inc.
387
User Access and Authentication Feature Guide for Routing Devices
CAUTION: Do not use the encrypted-password option unless the password
is already encrypted, and you are entering the encrypted version of the
password. If you commit the encrypted-password option with a plain-text
password or with blank quotation marks (" "), you will not be able to log
in to the device as root, and you will need to repeat this password recovery
process.
Optionally, instead of configuring the root password at the [edit system] hierarchy
level, you can use a configuration group, as shown in this procedure. This is a
recommended best practice for configuring the root password.
For example:
user@host# set groups global system root-authentication plain-text-password
15. At the following prompt, enter the new root password, for example:
New password: password
Retype new password:
16. At the second prompt, reenter the new root password.
17. If you used a configuration group, apply the configuration group, substituting global
with the appropriate group name.
[edit]
user@host# set apply-groups global
18. After you have finished configuring the password, commit the configuration.
root@host# commit
commit complete
19. Exit configuration mode in the CLI.
20. Exit operational mode in the CLI.
21. At the prompt, type y to reboot the router.
Reboot the system? [y/n] y
Related
Documentation
388
•
Configuring the Root Password on page 381
•
Recovering the Root Password on Junos OS with Upgraded FreeBSD
Copyright © 2017, Juniper Networks, Inc.
Chapter 6: Configuring Passwords for User Access
Changing the Requirements for Junos OS Plain-Text Passwords
To change the requirements for plain-text passwords, include the password statement
at the [edit system login] hierarchy level:
[edit system login]
password {
change-type (set-transitions | character-set);
format (md5 | sha1);
maximum-length length;
minimum-changes number;
minimum-length length;
minimum-lower-cases number;
minimum-numerics number;
minimum-punctuations number;
minimum-upper-cases number;
}
NOTE: These statements apply to plain-text passwords only, not encrypted
passwords.
Related
Documentation
•
Special Requirements for Junos OS Plain-Text Passwords on page 393
•
Configuring the Root Password on page 381
•
Example: Changing the Requirements for Junos OS Plain-Text Passwords on page 389
Example: Changing the Requirements for Junos OS Plain-Text Passwords
This example shows how to set various maximum and minimum requirements for
plain-text passwords to increase password strength.
•
Requirements on page 389
•
Overview on page 389
•
Configuration on page 390
Requirements
This example requires a device running Junos 12.2 or greater. The minimum-length and
maximum-length password requirements statements are available in earlier releases,
however, you must have Junos OS Release 12.2 or greater to configure
minimum-lower-cases, minimum-numerics, minimum-punctuations, or
minimum-upper-cases.
Overview
You can use a variety of requirements to strengthen plain-text passwords for greater
security. Junos OS provides a number of possible configurations at the [edit system login
password] hierarchy level that allow you to require users to create plain-text passwords
Copyright © 2017, Juniper Networks, Inc.
389
User Access and Authentication Feature Guide for Routing Devices
that conform to a particular set of requirements that may include such things as length,
number of changes, type of characters, numbers, or letter case.
Configuration
CLI Quick
Configuration
To quickly configure this example, copy the following commands, paste them into a text
file, remove any line breaks, change any details necessary to match your network
configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy
level.
set system login password minimum-length 12
set system login password maximum-length 22
set system login password minimum-numerics 1
set system login password minimum-upper-cases 1
set system login password minimum-lower-cases 1
set system login password minimum-punctuations 1
Configuring Requirements for Plain-Text Passwords
Step-by-Step
Procedure
This example configures password requirements that require the user to creat a password
that has a minimum length of 12 characters, a maximum length of 22 characters, and
that includes at least one lower-case letter, at least one upper-case letter, at least one
punctuation character, and at least one numeric character.
1.
Navigate to configuration mode in the [system login password] hierarchy level.
user@host> edit
[edit]
user@host# edit system login password
2.
Set a minimum length requirement of 12 characters and a maximum length
requirement of 22 characters for user passwords.
[edit system login password]
user@host# set minimum-length 12
[edit system login password]
user@host# set maximum-length 22
3.
Require users to set a password that has at least one lower-case letter and at least
one upper-case letter.
[edit system login password]
user@host# set minimum-lower-cases 1
[edit system login password]
user@host# set minimum-upper-cases 1
4.
Require users to set a password that has at least one punctuation-class character
and at least one number.
[edit system login password]
user@host# set minimum-punctuations 1
[edit system login password]
user@host# set minimum-numerics 1
390
Copyright © 2017, Juniper Networks, Inc.
Chapter 6: Configuring Passwords for User Access
Results
From configuration mode, confirm your configuration by entering the show command at
the edit system login password hierarchy level. if the output does not display the intended
configuration, repeat the instructions in this example to correct the configuration.
[edit system login password]
user@host# show
minimum-length 12;
maximum-length 22;
minimum-numerics 1;
minimum-upper-cases 1;
minimum-lower-cases 1;
Related
Documentation
•
Special Requirements for Junos OS Plain-Text Passwords on page 393
•
password (Login) on page 587
Configuring MS-CHAPv2 for Password-Change Support
You can configure the Microsoft implementation of the Challenge Handshake
Authentication Protocol version 2 (MS-CHAPv2) on the router or switch to support
changing of passwords. This feature provides users accessing a router or switch the
option of changing the password when the password expires, is reset, or is configured to
be changed at next logon.
Before you configure MS-CHAPv2 for password-change support, ensure that you have
done the following:
•
Configured RADIUS server authentication parameters.
•
Set the first tried option in the authentication order to RADIUS server.
To configure MS-CHAP-v2, include the following statements at the [edit system
radius-options] hierarchy level:
[edit system radius-options]
password-protocol mschap-v2;
The following example shows statements for configuring the MS-CHAPv2 password
protocol, password authentication order, and user accounts:
[edit]
system {
authentication-order [ radius password ];
radius-server {
192.168.69.149 secret "$9$G-j.5Qz6tpBk.1hrlXxUjiq5Qn/C"; ## SECRET-DATA
}
radius-options {
password-protocol mschap-v2;
}
login {
Copyright © 2017, Juniper Networks, Inc.
391
User Access and Authentication Feature Guide for Routing Devices
user bob {
class operator;
}
}
}
Related
Documentation
392
•
Configuring Access Profiles for L2TP or PPP Parameters
Copyright © 2017, Juniper Networks, Inc.
CHAPTER 7
Configuring Local Password
Authentication
•
Special Requirements for Junos OS Plain-Text Passwords on page 393
•
Changing the Requirements for Junos OS Plain-Text Passwords on page 396
•
Example: Changing the Requirements for Junos OS Plain-Text Passwords on page 396
•
Configuring the Junos OS Authentication Order for RADIUS, TACACS+, and Local
Password Authentication on page 399
•
Example: Configuring System Authentication for RADIUS, TACACS+, and Password
Authentication on page 400
Special Requirements for Junos OS Plain-Text Passwords
Junos OS has special requirements when you create plain-text passwords on a router or
switch. Table 11 on page 393 shows the default requirements.
Table 11: Special Requirements for Plain-Text Passwords
Junos OS
Junos-FIPS
The password must be between 6 and 128
characters long.
FIPS passwords must be between 10 and 20
characters long
You can include most character classes in a
password (uppercase letters, lowercase letters,
numbers, punctuation marks, and other special
characters). Control characters are not
recommended.
You can include most character classes in a
password (uppercase letters, lowercase letters,
numbers, punctuation marks, and other special
characters). Control characters are not
recommended.
Valid passwords must contain at least one
change of case or character class.
Passwords must use at least three of the five
defined character classes (uppercase letters,
lowercase letters, numbers, punctuation marks,
and other special characters).
You can change the requirements for plain-text passwords.
Junos OS supports the following five character classes for plain-text passwords:
Copyright © 2017, Juniper Networks, Inc.
393
User Access and Authentication Feature Guide for Routing Devices
•
Lowercase letters
•
Uppercase letters
•
Numbers
•
Punctuation
•
Special characters: ! @ # $ % ^ & * , +< >
NOTE: "!" and "," are punctuation characters, but are listed under "special
characters".
Control characters are not recommended.
You can include the plain-text-password statement at the following hierarchy levels:
•
[edit system diag-port-authentication]
•
[edit system pic-console-authentication]
•
[edit system root-authentication]
•
[edit system login user username authentication]
The change-type statement specifies whether the password is checked for the following:
•
The total number of character sets used (character-set)
•
The total number of character set changes (set-transitions)
For example, the following password:
MyPassWd@2
has four character sets (uppercase letters, lowercase letters, special characters, and
numbers) and seven character set changes (M–y, y–P, P–a, s–W, W–d, d–@, and @–2).
The change-type statement is optional. If you omit the change-type option, Junos-FIPS
plain-text passwords are checked for character sets, and Junos OS plain-text passwords
are checked for character set changes.
The minimum-changes statement specifies how many character sets or character set
changes are required for the password. This statement is optional. If you do not use
the minimum-changes statement, character sets are not checked for Junos OS. If the
change-type statement is configured for the character-set option, then the
minimum-changes value must be 5 or less, because Junos OS only supports five
character sets.
The format statement specifies the hash algorithm (md5, sha1, sha256, sha512 or des)
for authenticating plain-text passwords. This statement is optional. For Junos OS, the
default format is md5. For Junos-FIPS, only sha1 is supported.
394
Copyright © 2017, Juniper Networks, Inc.
Chapter 7: Configuring Local Password Authentication
NOTE: Starting with Junos OS Release 13.3, the sha1 does not enable
secure, protected specification of passwords. Instead, you can use the
sha256 or sha512 to specify passwords. Using a 256-bit or 512-bit
cryptographic hash algorithm results in robust and reliable operation.
Additionally, starting with Junos OS Release 17.1, user passwords default
to sha512 cryptographic hashing.
The maximum-length statement specifies the maximum number of characters allowed
in a password. This statement is optional. By default, Junos OS passwords have no
maximum; however, only the first 128 characters are significant. Junos-FIPS passwords
must be 20 characters or less. The range for Junos OS maximum-length passwords is
from 20 to 128 characters.
The minimum-length statement specifies the minimum number of characters required
for a password. This statement is optional. By default, Junos OS passwords must be
at least 6 characters long, and Junos-FIPS passwords must be at least 10 characters
long. The range is from 6 to 20 characters.
Changes to password requirements do not take effect until the configuration is
committed. When requirements change, only newly created, plain-text passwords are
checked; existing passwords are not checked against the new requirements.
The default configuration for Junos OS plain-text passwords is:
[edit system login]
passwords {
change-type set-transitions;
format md5;
minimum-changes 1;
minimum-length 6;
}
The default configuration for Junos-FIPS plain-text passwords is:
[edit system login]
passwords {
change-type set-transitions;
format sha1;
maximum-length 20;
minimum-changes 3;
minimum-length 10;
}
Copyright © 2017, Juniper Networks, Inc.
395
User Access and Authentication Feature Guide for Routing Devices
Release History Table
Related
Documentation
Release
Description
13.3
Starting with Junos OS Release 13.3, the sha1 does not enable secure,
protected specification of passwords. Instead, you can use the sha256 or
sha512 to specify passwords.
•
Changing the Requirements for Junos OS Plain-Text Passwords on page 389
•
Configuring the Root Password on page 381
Changing the Requirements for Junos OS Plain-Text Passwords
To change the requirements for plain-text passwords, include the password statement
at the [edit system login] hierarchy level:
[edit system login]
password {
change-type (set-transitions | character-set);
format (md5 | sha1);
maximum-length length;
minimum-changes number;
minimum-length length;
minimum-lower-cases number;
minimum-numerics number;
minimum-punctuations number;
minimum-upper-cases number;
}
NOTE: These statements apply to plain-text passwords only, not encrypted
passwords.
Related
Documentation
•
Special Requirements for Junos OS Plain-Text Passwords on page 393
•
Configuring the Root Password on page 381
•
Example: Changing the Requirements for Junos OS Plain-Text Passwords on page 389
Example: Changing the Requirements for Junos OS Plain-Text Passwords
This example shows how to set various maximum and minimum requirements for
plain-text passwords to increase password strength.
396
•
Requirements on page 397
•
Overview on page 397
•
Configuration on page 397
Copyright © 2017, Juniper Networks, Inc.
Chapter 7: Configuring Local Password Authentication
Requirements
This example requires a device running Junos 12.2 or greater. The minimum-length and
maximum-length password requirements statements are available in earlier releases,
however, you must have Junos OS Release 12.2 or greater to configure
minimum-lower-cases, minimum-numerics, minimum-punctuations, or
minimum-upper-cases.
Overview
You can use a variety of requirements to strengthen plain-text passwords for greater
security. Junos OS provides a number of possible configurations at the [edit system login
password] hierarchy level that allow you to require users to create plain-text passwords
that conform to a particular set of requirements that may include such things as length,
number of changes, type of characters, numbers, or letter case.
Configuration
CLI Quick
Configuration
To quickly configure this example, copy the following commands, paste them into a text
file, remove any line breaks, change any details necessary to match your network
configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy
level.
set system login password minimum-length 12
set system login password maximum-length 22
set system login password minimum-numerics 1
set system login password minimum-upper-cases 1
set system login password minimum-lower-cases 1
set system login password minimum-punctuations 1
Configuring Requirements for Plain-Text Passwords
Step-by-Step
Procedure
This example configures password requirements that require the user to creat a password
that has a minimum length of 12 characters, a maximum length of 22 characters, and
that includes at least one lower-case letter, at least one upper-case letter, at least one
punctuation character, and at least one numeric character.
1.
Navigate to configuration mode in the [system login password] hierarchy level.
user@host> edit
[edit]
user@host# edit system login password
2.
Set a minimum length requirement of 12 characters and a maximum length
requirement of 22 characters for user passwords.
[edit system login password]
user@host# set minimum-length 12
[edit system login password]
user@host# set maximum-length 22
Copyright © 2017, Juniper Networks, Inc.
397
User Access and Authentication Feature Guide for Routing Devices
3.
Require users to set a password that has at least one lower-case letter and at least
one upper-case letter.
[edit system login password]
user@host# set minimum-lower-cases 1
[edit system login password]
user@host# set minimum-upper-cases 1
4.
Require users to set a password that has at least one punctuation-class character
and at least one number.
[edit system login password]
user@host# set minimum-punctuations 1
[edit system login password]
user@host# set minimum-numerics 1
Results
From configuration mode, confirm your configuration by entering the show command at
the edit system login password hierarchy level. if the output does not display the intended
configuration, repeat the instructions in this example to correct the configuration.
[edit system login password]
user@host# show
minimum-length 12;
maximum-length 22;
minimum-numerics 1;
minimum-upper-cases 1;
minimum-lower-cases 1;
Related
Documentation
398
•
Special Requirements for Junos OS Plain-Text Passwords on page 393
•
password (Login) on page 587
Copyright © 2017, Juniper Networks, Inc.
Chapter 7: Configuring Local Password Authentication
Configuring the Junos OS Authentication Order for RADIUS, TACACS+, and Local
Password Authentication
Using the authentication-order statement, you can prioritize the order in which Junos OS
tries the different authentication methods when verifying user access to a router or switch.
If you do not set the authentication order, users are verified based on their configured
passwords.
When configuring a password using plain text and relying on Junos OS to encrypt it, you
are still passing the password over the wire in plain text. Using pre-encrypted passwords
is more secure because it means that the plain text of the password never has to pass
over the Internet. Also, with passwords, only one user can be assigned to a password at
a time.
On the other hand, both RADIUS and TACACS+ pre-ecrypt passwords. Both let you assign
a set of users at a time instead of one by one. But here are how these authentication
systems differ:
•
RADIUS uses UDP TACACS+ uses TCP.
•
RADIUS encrypts only the password during transmission whereas TACACS+ encrypts
the entire session.
•
RADIUS combines authentication (device) and authorization (user) whereas TACACS+
separates authentication, authorization, and accountability.
In short, TACACAS+ is the more secure of the two. But RADIUS has better performance
and is more interoperable. RADIUS is widely supported, but TACACS is a proprietary
product of Cisco and not widely supported outside of Cisco.
Configure the authentication order based on your system, its restrictions, and your
preferences.
To configure the authentication order, include the authentication-order statement at the
[edit system] hierarchy level:
[edit system]
authentication-order [ authentication-methods ];
For a list of hierarchy levels at which you can include this statement, see the statement
summary section for this statement.
Specify one or more of the following authentication methods in the preferred order, from
first tried to last tried:
•
radius—Verify the user using RADIUS authentication services
•
tacplus—Verify the user using TACACS+ authentication services.
•
password—Verify the user using the username and password configured locally by
including the authentication statement at the [edit system login user] hierarchy level.
Copyright © 2017, Juniper Networks, Inc.
399
User Access and Authentication Feature Guide for Routing Devices
The CHAP authentication sequence cannot take more than 30 seconds. If it takes longer
to authenticate a client, the authentication is abandoned and a new sequence is initiated.
For example, if you configure three RADIUS servers so that the router or switch attempts
to contact each server three times, and with each retry the server times out after
3 seconds, then the maximum time given to the RADIUS authentication method before
CHAP considers it a failure is 27 seconds. If you add more RADIUS servers to this
configuration, they might not be contacted because the authentication process might
be abandoned before these servers are tried.
The Junos OS enforces a limit on the number of standing authentication server requests
that the CHAP authentication can have at one time. Thus, an authentication server
method—RADIUS, for example—might fail to authenticate a client when this limit is
exceeded. If it fails, the authentication sequence is reinitiated by the router or switch until
authentication succeeds and the link is brought up. However, if the RADIUS servers are
not available and if additional authentication methods such as tacplus or password are
configured along with radius, the next authentication method is tried.
The following example shows how to configure radius and password authentication:
[edit system]
user@switch# authentication-order [ radius password ];
The following example shows how to delete the radius statement from the authentication
order:
[edit system]
user@switch# delete authentication-order radius
The following example shows how to insert the tacplus statement after the radius
statement:
[edit system]
user@switch# insert authentication-order tacplus after radius
Related
Documentation
•
Junos OS Authentication Order for RADIUS, TACACS+, and Password Authentication
on page 32
•
Using Regular Expressions on a RADIUS or TACACS+ Server to Allow or Deny Access
to Commands on page 414
•
Example: Configuring System Authentication for RADIUS, TACACS+, and Password
Authentication on page 400
•
authentication-order on page 510
Example: Configuring System Authentication for RADIUS, TACACS+, and Password
Authentication
The following example shows how to configure system authentication for RADIUS,
TACACS+, and password authentication.
In this example, only the user Philip and users authenticated by a remote RADIUS server
can log in. If a user logs in and is not authenticated by the RADIUS server, the user is
400
Copyright © 2017, Juniper Networks, Inc.
Chapter 7: Configuring Local Password Authentication
denied access to the router or switch. If the RADIUS server is not available, the user is
authenticated using the password authentication method and allowed access to the
router or switch. For more information about the password authentication method, see
“Using Local Password Authentication” on page 33.
When Philip tries to log in to the system, if the RADIUS server authenticates him, he is
given access and privileges for the super-user class. Local accounts are not configured
for other users. When they log in to the system and the RADIUS server authenticates
them, they are given access using the same user ID (UID) 9999 and the privileges
associated with the operator class.
[edit]
system {
authentication-order radius;
login {
user philip {
full-name "Philip";
uid 1001;
class super-user;
}
user remote {
full-name "All remote users";
uid 9999;
class operator;
}
}
}
NOTE: For authorization purposes, you can use a template account to create
a single account that can be shared by a set of users at the same time. For
example, when you create a remote template account, a set of remote users
can concurrently share a single UID. For more information about template
accounts, see “Overview of Template Accounts for RADIUS and TACACS+
Authentication” on page 416.
When a user logs in to a device, the user’s login name is used by the RADIUS or TACACS+
server for authentication. If the user is authenticated successfully by the authentication
server and the user is not configured at the [edit system login user] hierarchy level, the
device uses the default remote template user account for the user, provided a remote
template account is configured at the edit system login user remote hierarchy level. The
remote template account serves as a default template user account for all users that
are authenticated by the authentication server but not having a locally configured user
account on the device. Such users share the same login class and UID.
To configure an alternate template user, specify the user-name parameter returned in
the RADIUS authentication response packet. Not all RADIUS servers allow you to change
this parameter. The following shows a sample Junos OS configuration:
[edit]
system {
authentication-order radius;
Copyright © 2017, Juniper Networks, Inc.
401
User Access and Authentication Feature Guide for Routing Devices
login {
user philip {
full-name "Philip";
uid 1001;
class super-user;
}
user operator {
full-name "All operators";
uid 9990;
class operator;
}
user remote {
full-name "All remote users";
uid 9999;
class read-only;
}
}
}
Assume your RADIUS server is configured with the following information:
•
User Philip with password “olympia”
•
User Alexander with password “bucephalus” and username “operator”
•
User Darius with password “redhead” and username “operator”
•
User Roxane with password “athena”
Philip would be given access as a superuser (super-user) because he has his own local
user account. Alexander and Darius share UID 9990 and have access as operators. Roxane
has no template-user override, so she shares access with all the other remote users,
getting read-only access.
Related
Documentation
402
•
Configuring the Junos OS Authentication Order for RADIUS, TACACS+, and Local
Password Authentication on page 399
Copyright © 2017, Juniper Networks, Inc.
CHAPTER 8
Configuring Radius Authentication
•
Configuring RADIUS Server Authentication on page 403
•
Example: Configuring RADIUS Authentication on page 407
•
Example: Configuring RADIUS Template Accounts on page 408
•
Juniper Networks Vendor-Specific RADIUS Attributes on page 408
•
Configuring RADIUS System Accounting on page 411
•
Example: Configuring RADIUS System Accounting on page 414
•
Using Regular Expressions on a RADIUS or TACACS+ Server to Allow or Deny Access
to Commands on page 414
•
Overview of Template Accounts for RADIUS and TACACS+ Authentication on page 416
•
Configuring the Junos OS Authentication Order for RADIUS, TACACS+, and Local
Password Authentication on page 417
•
Example: Configuring System Authentication for RADIUS, TACACS+, and Password
Authentication on page 418
Configuring RADIUS Server Authentication
RADIUS authentication is a method of authenticating users who attempt to access the
router or switch.
The Junos OS supports two protocols for central authentication of users on multiple
routers: RADIUS and TACACS+. We recommend RADIUS because it is a multivendor
IETF standard, and its features are more widely accepted than those of TACACS+ or
other proprietary systems. In addition, we recommend using a one-time-password system
for increased security, and all vendors of these systems support RADIUS.
You should use RADIUS when your priorities are interoperability and performance:
•
Interoperability—RADIUS is more interoperable than TACACS+, primarily because of
the proprietary nature of TACACS+. While TACACS+ supports more protocols, RADIUS
is universally supported.
•
Performance—RADIUS is much lighter on your routers and switches and for this reason,
network engineers generally prefer RADIUS over TACACS+.
Copyright © 2017, Juniper Networks, Inc.
403
User Access and Authentication Feature Guide for Routing Devices
To use RADIUS authentication on the device, configure information about one or more
RADIUS servers on the network by including one radius-server statement at the [edit
system] hierarchy level for each RADIUS server.
Because remote authentication is configured on multiple devices, it is commonly
configured inside of a configuration group. As such, the steps shown here are in a
configuration group called global. Using a configuration group is optional.
To configure authentication by a RADIUS server:
1.
Add an IPv4 or IPv6 server address.
•
Configure an IPv4 source-address and server-address:
[edit groups global]
user@host# set system radius-server server-address source-address source-address
For example:
[edit groups global]
user@host# set system radius-server 192.168.17.28 source-address 192.168.17.1
•
Configure an IPv6 source-address and server address:
[edit groups global system radius-server server-address]
user@host# set server-address secret “secretkey” source-address-inet6
source-address
For example:
[edit groups global system radius-server ::17.22.22.162]
user@host# set secret $9$lPOv87ZGiH.5JGn/AtOB7-dVgo source-address-inet6
::17.22.22.1
Source address is a valid IPv4 or IPv6 address configured on one of the router or
switch interfaces. This sets a fixed address as the source address for locally
generated IP packets.
Server address is a unique IPv4 or IPv6 address that is assigned to a particular server
and used to route information to the server. If the Junos OS device has several
interfaces that can reach the RADIUS server, assign an IP address that Junos OS
can use for all its communication with the RADIUS server.
2. Include a shared secret password.
You must specify a password in the secret password statement. If the password
contains spaces, enclose it in quotation marks. The secret password used by the local
router or switch must match that used by the server. The secret password configures
the password that the Junos OS device uses to access the RADIUS server.
[edit groups global system radius-server server-address]
user@host# set secret password
For example:
[edit groups global system radius-server 192.168.69.162]
user@host# set secret $9$gQ4UHf5F36CiH.5Tz9CuO1hreM8xw2oIENVwgZG
404
Copyright © 2017, Juniper Networks, Inc.
Chapter 8: Configuring Radius Authentication
3. If necessary, specify a port on which to contact the RADIUS server.
By default, port number 1812 is used (as specified in RFC 2865).
NOTE: You can also specify an accounting port to send accounting packets
with the accounting-port statement. The default is 1813 (as specified in
RFC 2866).
[edit groups global system radius-server server-address]
user@host# set port port-number
For example:
[edit groups global system radius-server 192.168.69.162]
user@host# set port 1845
4. Specify the order in which Junos OS attempts authentication.
You must include the authentication-order statement in your remote authentication
configuration.
The example assumes your network includes both RADIUS and TACACS+ servers. In
this example, whenever a user attempts to log in, Junos OS begins by querying the
RADIUS server for authentication. If it fails, it next attempts authentication with locally
configured user accounts. Finally the TACACS+ server is tried.
[edit groups global system]
user@host# set authentication-order [ authentication-methods ]
For example:
[edit groups global system]
user@host# set authentication-order [ radius password tacplus ]
5. Assign a login class to RADIUS-authenticated users.
You can assign different user templates and login classes to RADIUS-authenticated
users. This allows RADIUS-authenticated users to be granted different administrative
permissions on the Junos OS device. By default, RADIUS-authenticated users use the
remote user template and are assigned to the associated class, which is specified in
the remote user template, if the remote user template is configured. The username
remote is a special case in Junos OS. It acts as a template for users who are
authenticated by a remote server, but do not have a locally-configured user account
on the device. In this method, Junos OS applies the permissions of the remote template
to those authenticated users without a locally defined account. All users mapped to
the remote template are of the same login class.
In the Junos OS configuration, a user template is configured in the same way as a
regular local user account, except that no local authentication password is configured
because the authentication is remotely performed on the RADIUS server.
•
To use the same permissions for all RADIUS-authenticated users:
[edit groups global system login]
Copyright © 2017, Juniper Networks, Inc.
405
User Access and Authentication Feature Guide for Routing Devices
user@host# set user remote class class
For example:
[edit groups global system login]
user@host# set user remote class super-user
•
To have different login classes be used for different RADIUS-authenticated users,
granting them different permissions:
a. Create multiple user templates in the Junos OS configuration.
Every user template can be assigned a different login class.
For example:
[edit groups global system login]
set user RO class read-only
set user OP class operator
set user SU class super-user
set user remote full-name "default remote access user template"
set user remote class read-only
b. Have the RADIUS server specify the name of the user template to be applied to
the authenticated user.
For a RADIUS server to indicate which user template is to be applied, it needs to
include the Juniper-Local-User-Name attribute (Vendor 2636, type 1, string)
Juniper VSA (vendor-specific attribute) in the RADIUS Access-Accept message.
The string value in the Juniper-Local-User-Name must correspond to the name
of a configured user template on the device. For a list of relevant Juniper RADIUS
VSAs, see “Juniper Networks Vendor-Specific RADIUS Attributes” on page 408.
If the Juniper-Local-User-Name is not included in the Access-Accept message
or the string contains a user template name that does not exist on the device,
the user is assigned to the remote user template, if configured. If it is not
configured, authentication fails for the user.
After logging in, the remotely authenticated user retains the same username
that was used to log in. However, the user inherits the user class from the assigned
user template.
In a RADIUS server, users can be assigned a Juniper-Local-User-Name string,
which indicates the user template to be used in the Junos OS device. From the
previous example, the string would be RO, OP, or SU.
Configuration of the RADIUS server depends on the server being used. For
instructions for the Juniper Steel-Belted Radius server, see Steel-Belted Radius
(SBR) Enterprise. For information on using FreeRADIUS, see
http://kb.juniper.net/InfoCenter/index?page=content&id=KB19446.
Related
Documentation
406
•
Example: Configuring RADIUS Authentication on page 407
•
Example: Configuring System Authentication for RADIUS, TACACS+, and Password
Authentication on page 400
•
Juniper Networks Vendor-Specific RADIUS Attributes on page 408
Copyright © 2017, Juniper Networks, Inc.
Chapter 8: Configuring Radius Authentication
•
Overview of Template Accounts for RADIUS and TACACS+ Authentication on page 416
•
Example: Configuring RADIUS Template Accounts on page 408
•
Using Regular Expressions on a RADIUS or TACACS+ Server to Allow or Deny Access
to Commands on page 414
•
Junos OS User Authentication Methods on page 31
•
Example: Configuring RADIUS System Accounting on page 414
Example: Configuring RADIUS Authentication
The Junos OS supports two protocols for central authentication of users on multiple
routers: RADIUS and TACACS+. We recommend RADIUS because it is a multivendor
IETF standard, and its features are more widely accepted than those of TACACS+ or
other proprietary systems. In addition, we recommend using a one-time-password system
for increased security, and all vendors of these systems support RADIUS.
The Junos OS uses one or more template accounts to perform user authentication. You
create the template account or accounts, and then configure the user access to use that
account. If the RADIUS server is unavailable, the fallback is for the login process to use
the local account that set up on the router or switch.
The following example shows how to configure RADIUS authentication:
[edit]
system {
authentication-order [ radius password ];
root-authentication {
encrypted-password "$ABC123; # SECRET-DATA
}
name-server {
10.1.1.1;
10.1.1.2;
}
}
The following example shows how to enable RADIUS authentication and define the
shared secret between the client and the server. The secret enables the client and server
to determine that they are talking to the trusted peer.
Define a timeout value for each server, so that if there is no response within the specified
number of seconds, the router can try either the next server or the next authentication
mechanism.
[edit]
system {
radius-server {
10.1.2.1 {
secret "$ABC123”; # SECRET-DATA
timeout 5;
}
10.1.2.2 {
Copyright © 2017, Juniper Networks, Inc.
407
User Access and Authentication Feature Guide for Routing Devices
secret "$ABC123"; # SECRET-DATA
timeout 5;
}
}
}
Related
Documentation
•
Configuring RADIUS Server Authentication on page 403
Example: Configuring RADIUS Template Accounts
The following example shows how to configure RADIUS template accounts for different
users or groups of users:
[edit]
system {
login {
user observation {
uid 1001;
class observation;
}
user operation {
uid 1002;
class operation;
}
user engineering {
uid 1003;
class engineering;
}
}
}
Related
Documentation
•
Overview of Template Accounts for RADIUS and TACACS+ Authentication on page 416
Juniper Networks Vendor-Specific RADIUS Attributes
Junos OS supports the configuration of Juniper Networks RADIUS vendor-specific
attributes (VSAs). These VSAs are encapsulated in a RADIUS vendor-specific attribute
with the vendor ID set to the Juniper Networks ID number, 2636. Table 12 on page 408 lists
the Juniper Networks VSAs you can configure.
Table 12: Juniper Networks Vendor-Specific RADIUS Attributes
Name
Description
Type
Length
String
Juniper-Local-User-Name
Indicates the name of the user
template used by this user when
logging in to a device. This
attribute is used only in
Access-Accept packets.
1
≥3
One or more octets
containing printable ASCII
characters.
408
Copyright © 2017, Juniper Networks, Inc.
Chapter 8: Configuring Radius Authentication
Table 12: Juniper Networks Vendor-Specific RADIUS Attributes (continued)
Name
Description
Type
Length
String
Juniper-Allow-Commands
Contains an extended regular
expression that enables the user
to run operational mode
commands in addition to the
commands authorized by the
user’s login class permission
bits. This attribute is used only
in Access-Accept packets.
2
≥3
One or more octets
containing printable ASCII
characters, in the form of
an extended regular
expression. See “Regular
Expressions for Allowing
and Denying Junos OS
Operational Mode
Commands,
Configuration
Statements, and
Hierarchies” on page 69.
Juniper-Deny-Commands
Contains an extended regular
expression that denies the user
permission to run operation
mode commands authorized by
the user’s login class permission
bits. This attribute is used only
in Access-Accept packets.
3
≥3
One or more octets
containing printable ASCII
characters, in the form of
an extended regular
expression. See “Regular
Expressions for Allowing
and Denying Junos OS
Operational Mode
Commands,
Configuration
Statements, and
Hierarchies” on page 69.
Juniper-Allow-Configuration
Contains an extended regular
expression that enables the user
to run configuration mode
commands in addition to the
commands authorized by the
user’s login class permission
bits. This attribute is used only
in Access-Accept packets.
4
≥3
One or more octets
containing printable ASCII
characters, in the form of
an extended regular
expression. See “Regular
Expressions for Allowing
and Denying Junos OS
Operational Mode
Commands,
Configuration
Statements, and
Hierarchies” on page 69.
Juniper-Deny-Configuration
Contains an extended regular
expression that denies the user
permission to run configuration
commands authorized by the
user’s login class permission
bits. This attribute is used only
in Access-Accept packets.
5
≥3
One or more octets
containing printable ASCII
characters, in the form of
an extended regular
expression. See “Regular
Expressions for Allowing
and Denying Junos OS
Operational Mode
Commands,
Configuration
Statements, and
Hierarchies” on page 69.
Copyright © 2017, Juniper Networks, Inc.
409
User Access and Authentication Feature Guide for Routing Devices
Table 12: Juniper Networks Vendor-Specific RADIUS Attributes (continued)
Name
Description
Type
Length
String
Juniper-Interactive-Command
Indicates the interactive
command entered by the user.
This attribute is used only in
Accounting-Request packets.
8
≥3
One or more octets
containing printable ASCII
characters.
Juniper-Configuration-Change
Indicates the interactive
command that results in a
configuration (database)
change. This attribute is used
only in Accounting-Request
packets.
9
≥3
One or more octets
containing printable ASCII
characters.
Juniper-User-Permissions
Contains information the server
uses to specify user permissions.
This attribute is used only in
Access-Accept packets.
10
≥3
One or more octets
containing printable ASCII
characters.
The string is a list of
permission flags
separated by a space. The
exact name of each flag
must be specified in its
entirety. See Table 4 on
page 26.
NOTE: When the
Juniper-User-Permissions
attribute is configured to grant
the Junos OS maintenance or all
permissions on a RADIUS server,
the UNIX wheel group
membership is not
automatically added to a user’s
list of group memberships.
Some operations such as
running the su root command
from a local shell require wheel
group membership permissions.
However, when a user is
configured locally with the
permissions maintenance or all,
the user is automatically
granted membership to the
UNIX wheel group. Therefore,
we recommend that you create
a template user account with
the required permissions and
associate individual user
accounts with the template user
account.
Juniper-Authentication-Type
410
Indicates the authentication
method (local database, or
RADIUS server) used to
authenticate a user. If the user
is authenticated using a local
database, the attribute value
shows ’local’. If the user is
authenticated using RADIUS
server, the attribute value shows
’remote’.
11
≥5
One or more octets
containing printable ASCII
characters.
Copyright © 2017, Juniper Networks, Inc.
Chapter 8: Configuring Radius Authentication
Table 12: Juniper Networks Vendor-Specific RADIUS Attributes (continued)
Name
Description
Type
Length
String
Juniper-Session-Port
Indicates the source port
number of the established
session.
12
size of
integer
Integer
For more information about the VSAs, see RFC 2138, Remote Authentication Dial In User
Service (RADIUS).
Related
Documentation
•
Configuring RADIUS Server Authentication on page 403
Configuring RADIUS System Accounting
With RADIUS accounting enabled, Juniper Networks routers or switches, acting as RADIUS
clients, can notify the RADIUS server about user activities such as software logins,
configuration changes, and interactive commands. The framework for RADIUS accounting
is described in RFC 2866.
NOTE: Supported on SRX1500, SRX5400, SRX5600, and SRX5800 devices
only.
Tasks for configuring RADIUS system accounting are:
1.
Configuring Auditing of User Events on a RADIUS Server on page 411
2. Specifying RADIUS Server Accounting and Auditing Events on page 412
3. Configuring RADIUS Server Accounting on page 412
Configuring Auditing of User Events on a RADIUS Server
To audit user events, include the following statements at the [edit system accounting]
hierarchy level:
[edit system accounting]
events [ events ];
destination {
radius {
server {
server-address {
accounting-port port-number;
secret password;
source-address address;
retry number;
timeout seconds;
}
}
}
}
Copyright © 2017, Juniper Networks, Inc.
411
User Access and Authentication Feature Guide for Routing Devices
Specifying RADIUS Server Accounting and Auditing Events
To specify the events you want to audit when using a RADIUS server for authentication,
include the events statement at the [edit system accounting] hierarchy level:
[edit system accounting]
events [ events ];
events is one or more of the following:
•
login—Audit logins
•
change-log—Audit configuration changes
•
interactive-commands—Audit interactive commands (any command-line input)
Configuring RADIUS Server Accounting
To configure RADIUS server accounting, include the server statement at the [edit system
accounting destination radius] hierarchy level:
server {
server-address {
accounting-port port-number;
secret password;
source-address address;
retry number;
timeout seconds;
}
}
server-address specifies the address of the RADIUS server. To configure multiple RADIUS
servers, include multiple server statements.
NOTE: If no RADIUS servers are configured at the [edit system accounting
destination radius] statement hierarchy level, the Junos OS uses the RADIUS
servers configured at the [edit system radius-server] hierarchy level.
accounting-port port-number specifies the RADIUS server accounting port number.
The default port number is 1813.
NOTE: If you enable RADIUS accounting at the [edit access profile profile-name
accounting-order] hierarchy level, accounting is triggered on the default port
of 1813 even if you do not specify a value for the accounting-port statement.
You must specify a secret (password) that the local router or switch passes to the RADIUS
client by including the secret statement. If the password contains spaces, enclose the
entire password in quotation marks (“ “).
412
Copyright © 2017, Juniper Networks, Inc.
Chapter 8: Configuring Radius Authentication
In the source-address statement, specify a source address for the RADIUS server. Each
RADIUS request sent to a RADIUS server uses the specified source address. The source
address is a valid IPv4 address (in case if radius-server address is IPv4) or IPv6 address
(in case if radius-server address is IPv6) configured on one of the router or switch
interfaces.
Optionally, you can specify the number of times that the router or switch attempts to
contact a RADIUS authentication server by including the retry statement. By default, the
router or switch retries three times. You can configure the router or switch to retry from
1 through 10 times.
Optionally, you can specify the length of time that the local router or switch waits to
receive a response from a RADIUS server by including the timeout statement. By default,
the router or switch waits 3 seconds. You can configure the timeout to be from 1 through
90 seconds.
Starting with Junos OS Release 14.1, you can configure the enhanced-accounting statement
to view the attribute values of a logged in user. If you use the enhanced-accounting
statement at the [edit system radius-options] hierarchy level, the RADIUS attributes such
as access method, remote port, and access privileges can be audited. You can limit the
number of attribute values to be displayed for auditing by using the enhanced-avs-max
<number> statement at the [edit system accounting] hierarchy level.
[edit system radius-options]
enhanced-accounting;
[edit system accounting]
enhanced-avs-max <number>;
When a Juniper Networks router or switch is configured with RADIUS accounting, it sends
Accounting-Start and Accounting-Stop messages to the RADIUS server. These messages
contain information about user activities such as software logins, configuration changes,
and interactive commands. This information is typically used for monitoring a network,
collecting usage statistics, and ensuring that users are billed properly.
The following example shows three servers (10.5.5.5, 10.6.6.6, and 10.7.7.7) configured
for RADIUS accounting:
system {
accounting {
events [ login change-log interactive-commands ];
destination {
radius {
server {
10.5.5.5 {
accounting-port 3333;
secret $ABC123;
source-address 10.1.1.1;
retry 3;
timeout 3;
}
10.6.6.6 secret $ABC123;
10.7.7.7 secret $ABC123;
}
Copyright © 2017, Juniper Networks, Inc.
413
User Access and Authentication Feature Guide for Routing Devices
}
}
}
}
Release History Table
Release
Description
14.1
Starting with Junos OS Release 14.1, you can configure the
enhanced-accounting statement to view the attribute values of a logged
in user.
Example: C