Licensing Guide

Published
2020-05-28
 ii

Juniper Networks, Inc.

1133 Innovation Way
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net

Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. in
the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks
are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right
to change, modify, transfer, or otherwise revise this publication without notice.

Licensing Guide
Copyright © 2020 Juniper Networks, Inc. All rights reserved.

The information in this document is current as of the date on the title page.

YEAR 2000 NOTICE

Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related
limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.

END USER LICENSE AGREEMENT

The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with)
Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement
(“EULA”) posted at https://support.juniper.net/support/eula/. By downloading, installing or using such software, you
agree to the terms and conditions of that EULA.
 iii

Table of Contents
About the Documentation | xi

Documentation and Release Notes | xi

Documentation Conventions | xi

Documentation Feedback | xiv

Requesting Technical Support | xiv

Self-Help Online Tools and Resources | xv

Creating a Service Request with JTAC | xv

1 Flex Software Subscription Model

Overview | 2

Flex Software Subscription Model | 2

Flex Software Subscription Model Overview | 2

Getting Started | 3

Understanding the Three-Tier Model | 3

Understanding Subscription Licenses | 4

License Portability | 5

Flex Software Subscription Model Support | 5

ACX5448-D and ACX5448-M | 6

Contrail Enterprise Data Center | 7

cRPD | 10

Contrail Service Orchestration | 12

cSRX | 15

MPC10E, MX2K-MPC11E, MX10K3-L2103, MX10K-LC2101 Line Cards and MX204

Routers | 18

NFX350 | 22

PTX10003 | 24

PTX10008 | 27

QFX Switches | 31

SRX Series Services Gateways | 33

 iv

vSRX | 35

HealthBot Licensing | 38

HealthBot Licensing Overview | 38

Managing HealthBot Licenses | 41

Add a License to HealthBot | 41

View Licensing Status in HealthBot | 41

2 Software Licenses
Overview | 45

Software License Overview | 45

Platforms Supported in the Licensing Guide | 45

Junos OS Feature Licenses | 46

License Enforcement | 47

Junos OS Feature License Keys | 48

License Key Components | 48

License Management Fields Summary | 48

Release-Tied License Keys and Upgrade Licenses on MX Series Routers | 50

Licensable Ports on MX5, MX10, and MX40 Routers | 51

Port Activation on MX104 Routers | 52

Download and Activate Your Software | 54

Managing Licenses | 55

Adding New Licenses (CLI Procedure) | 55

Installing a License Using a Configuration Statement | 56

Installing a License Using an Operational Command | 60

Deleting License Keys (CLI) | 61

Using the Operational Command to Delete Licenses | 61

Using a Configuration Command to Delete Licenses | 62

Verifying Junos OS License Installation (CLI) | 64

Displaying Installed Licenses | 64

Displaying License Usage | 65

Saving License Keys (CLI) | 66

show system license | 67

show system license (View) | 79

traceoptions (System License) | 83

 v

request system license add | 85

request system license save | 87

request system license update | 89

request system license delete | 91

license | 92

license-type | 94

Licenses for Routing Devices | 95

Licenses for ACX Series | 95

Software Features Requiring Licenses on ACX5448-D and ACX5448-M Routers | 95

Licenses for PTX, MX, M and T Series | 96

Software Features That Require Licenses on M Series, MX Series, and T Series Routers | 96

Software Features That Require Licenses on MX Series Routers Only | 100

Software Features That Require Licenses on M Series Routers Only | 110

License Modes for PTX Series Routers | 111

License Modes for Enhanced MPCs Overview | 113

Configuring the License Mode for Specific Enhanced MPCs on MX Series Routers | 114

Example: Configuring the License Mode for MPC5E | 115

Junos OS Feature License Keys | 121

Release-Tied License Keys and Upgrade Licenses on MX Series Routers | 121

Licensable Ports on MX5, MX10, and MX40 Routers | 122

Port Activation on MX104 Routers | 123

Subscriber Access Licensing Overview | 124

Subscriber Secure Policy Licensing Requirements | 126

Address-Assignment Pools Licensing Requirements | 126

Licenses for vMX | 127

vMX Licenses for AWS | 127

vMX Licenses for KVM and VMware | 128

Managing vMX Licenses | 130

Adding a License | 131

Deleting a License | 132

 vi

License Configuration | 133

Installing Junos OS Licenses on Virtual Chassis Member Routers | 134

Installing Junos OS Licenses on Members | 134

Reinstalling Junos OS Licenses on New Members | 135

Configuring the JET Application and its License on a Device Running Junos OS | 136

Configuring a Python Application to Run on Junos OS | 137

Configuring a C or C++ Application to Run on Junos OS | 138

Configuring the Router to Strictly Enforce the Subscriber Scaling License | 138

Licenses for Switching Devices | 140

Understanding Software Licenses for EX Series Switches | 140

Purchasing a Software Feature License | 141

License Key Components for the EX Series Switch | 141

Features Requiring a License on EX2200 Switches | 142

Features Requiring a License on EX2300 Switches | 143

Features Requiring a License on EX3300 Switches | 144

Features Requiring a License on EX3400 Switches | 145

Features Requiring a License on EX4300 Switches | 147

Features Requiring a License on EX4600 Switches | 149

Features Requiring a License on EX4650 Switches | 150

Features Requiring a License on EX3200, EX4200, EX4500, EX4550, EX6200, EX8200, EX9200
and EX9250 Switches | 151

License Warning Messages | 153

Licenses for EX Series | 154

Understanding Software Licenses for EX Series Switches | 154

Purchasing a Software Feature License | 155

License Key Components for the EX Series Switch | 156

Features Requiring a License on EX2200 Switches | 156

Features Requiring a License on EX2300 Switches | 157

Features Requiring a License on EX3300 Switches | 158

Features Requiring a License on EX3400 Switches | 159

Features Requiring a License on EX4300 Switches | 161

Features Requiring a License on EX4600 Switches | 163

Features Requiring a License on EX4650 Switches | 164

 vii

Features Requiring a License on EX3200, EX4200, EX4500, EX4550, EX6200, EX8200,

EX9200 and EX9250 Switches | 165

License Warning Messages | 167

Software Features That Require Licenses on EX Series Switches | 168

License Key Components for the EX Series Switch | 169

Managing Licenses for EX Series Switches (CLI Procedure) | 169

Adding New Licenses | 170

Deleting Licenses | 171

Saving License Keys | 171

Deleting Licenses | 171

Monitoring Licenses for the EX Series Switches | 171

Displaying Installed Licenses and License Usage Details | 171

Displaying Installed License Keys | 172

Licenses for QFX Series | 173

Generating License Keys | 173

Software Features That Require Licenses on the QFX Series | 175

Disaggregated Software Features That Require Licenses on the QFX Series | 182

Disaggregated Software Feature Licenses on QFX5200 Switches | 182

Generating the License Keys for a QFabric System | 183

Understanding Junos Fusion Licenses | 185

Licenses for Security Devices | 187

Licenses for SRX Series | 187

Software Feature Licenses for SRX Series Devices | 187

Features Requiring a License on SRX100 and SRX110 Devices | 188

Features Requiring a License on SRX210 Devices | 189

Features Requiring a License on SRX220 Devices | 191

Features Requiring a License on SRX240 Devices | 192

Features Requiring a License on SRX300 Devices | 193

Features Requiring a License on SRX320 Devices | 195

Features Requiring a License on SRX340 Devices | 195

Features Requiring a License on SRX345 Devices | 196

Features Requiring a License on SRX550 Devices | 197

Features Requiring a License on SRX650 Devices | 200

Features Requiring a License on SRX1400 Devices | 201

 viii

Features Requiring a License on SRX1500 Devices | 202

Features Requiring a License on SRX3400 Devices | 204

Features Requiring a License on SRX3600 Devices | 205

Features Requiring a License on SRX4100 Devices | 206

Features Requiring a License on SRX4200 Devices | 207

Features Requiring a License on SRX4600 Devices | 209

Features Requiring a License on SRX5400 Devices | 211

Features Requiring a License on SRX5600 Devices | 213

Features Requiring a License on SRX5800 Devices | 215

Understanding Chassis Cluster Licensing Requirements | 216

Installing Licenses on the SRX Series Devices in a Chassis Cluster | 217

Verifying Licenses on an SRX Series Device in a Chassis Cluster | 220

Understanding Licenses for Logical Systems and Tenant Systems on SRX Series Devices | 222

Understanding UTM Licensing | 223

Updating UTM Licenses (CLI Procedure) | 224

Installing the IPS License (CLI) | 225

Installing and Verifying Licenses for an Application Signature Package | 226

Managing Junos OS Licenses | 228

Displaying License Keys in J-Web | 229

Downloading License Keys | 229

Generating a License Key | 229

Saving License Keys | 230

Updating License Keys (CLI) | 230

Example: Adding a New License Key | 232

Example: Deleting a License Key | 235

Licenses for vSRX | 237

vSRX Feature Licenses Overview | 238

vSRX License Procurement and Renewal | 238

vSRX Evaluation License | 239

License Types | 240

Throughput | 241

License Duration | 242

Individual (á la carte) Feature Licenses | 242

Bundled Licenses | 242

 ix

Stacking Licenses | 242

vSRX License Keys Components | 243

License Management Fields Summary | 243

Managing Licenses for vSRX | 246

vSRX Evaluation License Installation Process | 246

Adding a New License Key with J-Web | 248

Adding a New License Key from the CLI | 249

View vSRX License Information | 250

Updating vSRX Licenses | 250

Deleting a License with J-Web | 251

Deleting a License with the CLI | 252

License Warning Messages | 253

vSRX License Model Numbers | 254

vSRX License Model Numbers for Contrail, KVM, Microsoft Hyper-V, and VMware | 256

Licenses for Advanced Threat Prevention | 266

Licenses for JATP Advanced Threat Prevention Appliance | 266

Licensing and Platform Support information | 266

Setting the Juniper ATP Appliance License Key | 268

Licenses for Juniper Sky Advanced Threat Prevention (ATP) | 270

Juniper Sky Advanced Threat Prevention License Types | 270

Managing the Juniper Sky Advanced Threat Prevention License | 272

Troubleshooting Juniper Sky Advanced Threat Prevention: Checking the

application-identification License | 275

Licenses for Network Management | 277

Licenses for Network Management | 277

Licenses for Junos Space | 277

Viewing Licenses With Edge Services Director | 278

Viewing Licenses With Connectivity Services Director | 280

Viewing Licenses With Network Director | 281

Installing VCF Software Licenses | 282

Junos Space License Installation Overview | 283

Exporting the License Inventory | 284

Generating and Uploading the Junos Space License Key File | 287
 x

Viewing Junos Space Licenses | 288

Juniper Connected Security for VMware NSX Licensing | 289

Licenses for Network and Security Manager (NSM) | 292

Installing Advanced License Keys | 292

Managing License Keys (ScreenOS Only) | 293

Generating the NSM License Key File | 294

Licenses for J-Web Device Manager | 300

Managing Licenses for the EX Series Switch (J-Web Procedure) | 301

Licenses for Contrail Service Orchestration | 303

Licenses for Contrail Service Orchestration | 303

About the Device License Files Page | 303

Tasks You Can Perform | 303

Field Descriptions | 304

Uploading a Device License File | 305

Editing and Deleting Device Licenses | 305

Editing a Device License Entry | 306

Deleting a Device License | 306

Pushing a License to Devices | 307

About the CSO Licenses Page | 307

Tasks You Can Perform | 308

Field Descriptions | 308

Assign CSO Licenses, and Update or Unassign CSO License Assignments | 309

Assign CSO Licenses to Tenants | 310

Update or Unassign CSO License Assignments | 311

Licenses for Steel-Belted Radius® Carrier | 313

Obtaining License Keys | 313

 xi

About the Documentation

IN THIS SECTION

Documentation and Release Notes | xi

Documentation Conventions | xi

Documentation Feedback | xiv

Requesting Technical Support | xiv

This guide describes how to activate, install, manage, and monitor licenses on Juniper Networks devices.
Note that this guide includes instructions for two different licensing portals:

• Juniper Agile Licensing (JAL) portal—Available at: https://license.juniper.net/licensemanage/. Use the

JAL portal to activate and manage licenses on most Juniper products.

• Licensing Management System (LMS)— Available at: https://lms.juniper.net/lcrs/license.do. Use the LMS
to activate and manage licenses on Application Acceleration, Firewall/IPSec VPN, Identity and Policy
Control (IPC) SRC, IDP Appliances, Junos Space, NSM, STRM/JSA, SBR Carrier, WLC Series and WLM
Series.

Documentation and Release Notes

®
To obtain the most current version of all Juniper Networks technical documentation, see the product
documentation page on the Juniper Networks website at https://www.juniper.net/documentation/.

If the information in the latest release notes differs from the information in the documentation, follow the
product Release Notes.

Juniper Networks Books publishes books by Juniper Networks engineers and subject matter experts.
These books go beyond the technical documentation to explore the nuances of network architecture,
deployment, and administration. The current list can be viewed at https://www.juniper.net/books.

Documentation Conventions

Table 1 on page xii defines notice icons used in this guide.

 xii

Table 1: Notice Icons

Icon Meaning Description

Informational note Indicates important features or instructions.

Caution Indicates a situation that might result in loss of data or hardware

damage.

Warning Alerts you to the risk of personal injury or death.

Laser warning Alerts you to the risk of personal injury from a laser.

Tip Indicates helpful information.

Best practice Alerts you to a recommended use or implementation.

Table 2 on page xii defines the text and syntax conventions used in this guide.

Table 2: Text and Syntax Conventions

Convention Description Examples

Bold text like this Represents text that you type. To enter configuration mode, type
the configure command:

user@host> configure

Fixed-width text like this Represents output that appears on user@host> show chassis alarms
the terminal screen.
No alarms currently active

Italic text like this • Introduces or emphasizes important • A policy term is a named structure
new terms. that defines match conditions and
• Identifies guide names. actions.

• Identifies RFC and Internet draft • Junos OS CLI User Guide

titles. • RFC 1997, BGP Communities
Attribute
 xiii

Table 2: Text and Syntax Conventions (continued)

Convention Description Examples

Italic text like this Represents variables (options for Configure the machine’s domain
which you substitute a value) in name:
commands or configuration
[edit]
statements.
root@# set system domain-name
domain-name

Text like this Represents names of configuration • To configure a stub area, include
statements, commands, files, and the stub statement at the [edit
directories; configuration hierarchy protocols ospf area area-id]
levels; or labels on routing platform hierarchy level.
components. • The console port is labeled
CONSOLE.

< > (angle brackets) Encloses optional keywords or stub <default-metric metric>;
variables.

| (pipe symbol) Indicates a choice between the broadcast | multicast

mutually exclusive keywords or
(string1 | string2 | string3)
variables on either side of the symbol.
The set of choices is often enclosed
in parentheses for clarity.

# (pound sign) Indicates a comment specified on the rsvp { # Required for dynamic MPLS
same line as the configuration only
statement to which it applies.

[ ] (square brackets) Encloses a variable for which you can community name members [
substitute one or more values. community-ids ]

Indention and braces ( { } ) Identifies a level in the configuration [edit]

hierarchy. routing-options {
static {
; (semicolon) Identifies a leaf statement at a route default {
configuration hierarchy level. nexthop address;
retain;
}
}
}

GUI Conventions
 xiv

Table 2: Text and Syntax Conventions (continued)

Convention Description Examples

Bold text like this Represents graphical user interface • In the Logical Interfaces box, select
(GUI) items you click or select. All Interfaces.
• To cancel the configuration, click
Cancel.

> (bold right angle bracket) Separates levels in a hierarchy of In the configuration editor hierarchy,
menu selections. select Protocols>Ospf.

Documentation Feedback

We encourage you to provide feedback so that we can improve our documentation. You can use either
of the following methods:

• Online feedback system—Click TechLibrary Feedback, on the lower right of any page on the Juniper
Networks TechLibrary site, and do one of the following:

• Click the thumbs-up icon if the information on the page was helpful to you.

• Click the thumbs-down icon if the information on the page was not helpful to you or if you have
suggestions for improvement, and use the pop-up form to provide feedback.

• E-mail—Send your comments to [email protected]. Include the document or topic name,

URL or page number, and software version (if applicable).

Requesting Technical Support

Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC).
If you are a customer with an active Juniper Care or Partner Support Services support contract, or are
 xv

covered under warranty, and need post-sales technical support, you can access our tools and resources
online or open a case with JTAC.

• JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User
Guide located at https://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.

• Product warranties—For product warranty information, visit https://www.juniper.net/support/warranty/.

• JTAC hours of operation—The JTAC centers have resources available 24 hours a day, 7 days a week,
365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called
the Customer Support Center (CSC) that provides you with the following features:

• Find CSC offerings: https://www.juniper.net/customers/support/

• Search for known bugs: https://prsearch.juniper.net/

• Find product documentation: https://www.juniper.net/documentation/

• Find solutions and answer questions using our Knowledge Base: https://kb.juniper.net/

• Download the latest versions of software and review release notes:

https://www.juniper.net/customers/csc/software/

• Search technical bulletins for relevant hardware and software notifications:

https://kb.juniper.net/InfoCenter/

• Join and participate in the Juniper Networks Community Forum:

https://www.juniper.net/company/communities/

• Create a service request online: https://myjuniper.juniper.net

To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool:
https://entitlementsearch.juniper.net/entitlementsearch/

Creating a Service Request with JTAC

You can create a service request with JTAC on the Web or by telephone.

• Visit https://myjuniper.juniper.net.

• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, see

https://support.juniper.net/support/requesting-support/.
1 PART

Flex Software Subscription Model

Overview | 2
 2

CHAPTER 1

Overview

IN THIS CHAPTER

Flex Software Subscription Model | 2

Flex Software Subscription Model Support | 5

HealthBot Licensing | 38

Flex Software Subscription Model

IN THIS SECTION

Flex Software Subscription Model Overview | 2

Getting Started | 3

Understanding Subscription Licenses | 4

Flex Software Subscription Model Overview

The Flex Software Subscription Model is a framework, set of policies, and tools that help unify and thereby
simplify Juniper product-driven licensing and packaging.

The major components of the framework are:

• A focus on customer segments (enterprise, service provider, and cloud) and use cases for Juniper Networks
hardware and software products.

• The introduction of subscription licenses and subscription portability for all Juniper Networks products
including Junos OS, Contrail, and Juniper cloud-based services.

• The introduction of a common, three-tiered model (standard, advanced, and premium) for all Juniper
Networks software products.
 3

Getting Started

As a customer ordering a Juniper Networks product under the Flex Software Subscription Model that
includes hardware, you order:

• The hardware platform that includes the standard license.

• The customer support package that fits your needs.

• The advanced or premium subscription licenses, according to your use case. These subscription licenses
include embedded customer support.

As a customer ordering a Juniper Networks software product, you order:

• The standard, advanced, or premium subscription license, according to your use case. These subscription
licenses include embedded customer support.

Understanding the Three-Tier Model

As new hardware platforms become available under the Flex Software Subscription Model, you can
customize your purchase using one of the following three models:

• Standard License

The standard license includes the hardware platform and a license to use the software with the standard
feature set. Standard Return Material Authorization (RMA) policies apply with no changes in case of
hardware failure. Customer support is ordered separately as you select your preferred hardware support
policy and support for the standard software features. For more information about support policy, see
Contact Support. The hardware platform does not require a separate license, and the software right-to-use
(RTU) license is perpetual for the licensed features.

• Advanced License

The advanced license includes the subscription-based license to use the advanced software features.
The license term is 1 year, 3 years, or 5 years. Customer support for the software features is included.
These features differ by use case and platform. For example, to view the list of features for the QFX
Switches, see QFX switch device class and SKUs.

• Premium License

The premium license includes the subscription-based license to use the Junos OS software features.
The license term is 1 year, 3 years, or 5 years. Customer support for the software features is included.
These features differ by use case and platform. The premium license is a superset and includes all the
features from the advanced license and additional features. For example, to view the list of features for
the QFX Switches, see QFX switch device class and SKUs.
 4

Figure 1: Three-Tier Model for the Flex Software Subscription Model

INTEGRATED STAND-ALONE
HARDWARE/SOFTWARE SOFTWARE & CLOUD SERVICES

PREMIUM PREMIUM

ADVANCED ADVANCED

STANDARD STANDARD

Customer
JUNIPER NETWORKS

g300551
Support
HARDWARE
HW & SW

Understanding Subscription Licenses

All advanced and premium licenses are offered as subscriptions under the Flex Software Subscription
Model. Subscription licenses are available in 1-year, 3-year, or 5-year terms. After the order fulfilment,
the subscription period begins after the completion of a 30-day grace period.

Table 3 on page 4 describes the subscription terms for purchase and number of months to use the license.

Table 3: Subscription Terms Details

Subscription Terms Number of Months for the License

1-year 13 months

3-year 37 months

5-year 61 months

Flex Software Subscription licenses include the following attributes:

• Specific products might offer a subset of these licenses. At the end of the term, you have three options:

• You can renew the subscription, to continue to use the features and scale granted under the license.

• You can order a replacement subscription.

Upgrading and downgrading the subscription models is supported. In both cases, subscription models
are processed as a new order, and you might use the features and scale granted under the new license.
 5

For example, you have a 5-year subscription and you want to downgrade to a 3-year subscription or
the other way around.

• You might decline to renew or purchase a replacement subscription. In this case, you may no longer
use the features and scale granted under the expired subscription. You can continue to use the hardware
and any software features which are granted under the perpetual license.

• Alternatively, when an advanced subscription term expires, your needs may require an upgrade to the
premium subscription term.

• Subscription licenses include Juniper customer support for software features as part of the subscription
license, unless customer support is provided by a Juniper partner directly. There is no need to order a
separate customer support policy for the advanced and premium licenses.

• Premium licenses include all the features in the premium and advanced licenses.

• Subscriptions may be ordered at any time.

• New software features may be available over time with new software versions.

• Subscription licenses are portable for similar devices.

• Subscriptions are cancelable at the end of the term.

• Renewals are not automatic.

License Portability
Subscription licenses are portable. This means that if you buy a new similar hardware platform, then you
can port the subscription license. You can stop using the license on one hardware platform and move it
to another hardware platform. This portability allows you to balance features across hardware platforms
in the network without having to buy extra feature licenses.

Flex Software Subscription Model Support

IN THIS SECTION

ACX5448-D and ACX5448-M | 6

Contrail Enterprise Data Center | 7

cRPD | 10

Contrail Service Orchestration | 12

cSRX | 15

MPC10E, MX2K-MPC11E, MX10K3-L2103, MX10K-LC2101 Line Cards and MX204 Routers | 18

NFX350 | 22
 6

PTX10003 | 24

PTX10008 | 27

QFX Switches | 31

SRX Series Services Gateways | 33

vSRX | 35

The Flex Software Subscription Model supports the following Juniper products:

ACX5448-D and ACX5448-M

Table 4 on page 6 describes the licensing support for the ACX5448-D and ACX5448-M Universal Metro
Routers.

Figure 2 on page 6 shows ACX5448-D and ACX5448-M Universal Metro Routers features for Flex
Software Subscription Model Three-Tier (standard, advanced, and premium licenses).

Figure 2: ACX5448-D and ACX5448-M

Advanced Features License Premium Features License

Layer 2 VPN (Pseudowire Emulation With the premium license, you can
Customer Edge to Edge, VPLS, EVPN), Layer 3 VPN, use all the advanced features that are
Licenses timing, E-OAM, HQoS, telemetry, supported on ACX5448-D and
Support
and RFC2544 ACX5448-M Universal Metro Routers
with full platform scale of FIB and VPNs.

Base Feature
Software Layer 2 (VLAN and Q-in-Q), Layer 3 basic routing (with IGP only), and port queues

+ Customer
Support

ACX5448-D/M ACX5448-D/M Router (Perpetual Purchase)

g300667

Router

Table 4: Supported Features on ACX5448-D and ACX5448-M

Use Case Examples or Detailed Features for

License Model Solutions Fabric Management Scale

Standard license for Basic Layer 2 aggregation Layer 2 (VLAN and Q-in-Q), Default Layer 2 scale and 8
integrated SKUs and Layer 3 Layer 3 basic routing (with queues
IGP only), and port queues
 7

Table 4: Supported Features on ACX5448-D and ACX5448-M (continued)

Use Case Examples or Detailed Features for

License Model Solutions Fabric Management Scale

Advanced license for Layer 2 or Layer 3 Layer 2 VPN (Pseudowire Per 100 Gbps – 256K FIBs,
integrated and advanced aggregation, Distributed Emulation Edge to Edge, 1K Layer 3 VPNs, full-scale
SKUs Access Architecture (DAA), VPLS, EVPN), Layer 3 VPN, Layer 2 VPN, and MACsec
Converged Interconnect timing, E-OAM, HQoS,
Network (CIN), mobile telemetry, and RFC2544
backhaul (BH), fronthaul
(FH), or midhaul (MH), and
next-generation fiber to the
home (NG-FTTH)

Premium license for Provider edge With the premium license, Per 100 Gbps – Full-scale
integrated and premium you can use all the FIB and Layer 2 or Layer 3
SKUs advanced features that are VPN supported by platform
supported on ACX5448-D
and ACX5448-M Universal
Metro Routers with full
platform scale of FIB and
VPNs.

For ACX5448-D and ACX5448-M Universal Metro Routers, the Flex Software Subscription Model supports
subscription portability for the cloud, enterprise, and service provider segments.

Contrail Enterprise Data Center

Table 5 on page 8 describes licensing support for fabric management on Contrail Enterprise Data Center.

Figure 3 on page 8 shows Contrail Enterprise Data Center features for the Flex Software Subscription
Model Three-Tier (standard, advanced, and premium licenses).
 8

Figure 3: Contrail Enterprise Multicloud

FABRIC MANAGEMENT PRIVATE CLOUD AUTOMATION PUBLIC CLOUD AUTOMATION

Advanced
Advanced security: FeaturesLayer
Policy generation, License
7 host-based firewall

PREMIUM
Designer for infrastructures, Premium feature set for
High availability for VPCs
topology, and services virtualizing computation

PaaS or virtualized
Data center integration: compute pods with OSH
Direct connect for VPCs
Firewall based on ESXi and
in a public cloud environment
Nutanix orchestrators Red Hat OpenStack
ADVANCED VM orchestration

Advanced
Tag-based security: Features
Policy License
enforcement and visualization

Advanced
Data center automation: Features
Advanced License
analytics and visualization

Basic analytics, operations,

STANDARD No standard features for private and public cloud automation use cases
and troubleshooting

g300687
Table 5: Supported Features on Fabric Management on Contrail Enterprise Data Center

Contrail Enterprise Data Center License Model Detailed Features for Fabric Management

Standard Fabric management: Basic analytics, operations, and

troubleshooting

Advanced Tag-based security: Policy enforcement and visualization

Data center integration: Firewall based on ESXi and

Nutanix orchestrators

Data center automation: Advanced analytics and

visualization

Fabric management: Basic analytics, operations, and

troubleshooting
 9

Table 5: Supported Features on Fabric Management on Contrail Enterprise Data Center (continued)

Contrail Enterprise Data Center License Model Detailed Features for Fabric Management

Premium Designer for infrastructure, topology, and services

Advanced security: Policy generation, Layer 7 host-based

firewall

Data center integration: Firewall based on ESXi and

Nutanix orchestrators

Data center automation: Advanced analytics and

visualization

Fabric management: Basic analytics, operations, and

troubleshooting

For fabric management, the Flex Software Subscription Model supports subscription portability for the
cloud, enterprise, and service provider segments.

Table 6 on page 9 describes licensing support for private cloud automation on Contrail Enterprise Data
Center.

Table 6: Supported Features on Private Cloud Automation on Contrail Enterprise Data Center

Contrail Enterprise Data Center License Model Detailed Features for Private Cloud Automation

Advanced Tag-based security: Policy enforcement and visualization

Data center automation: Advanced analytics and

visualization

Red Hat OpenStack VM orchestration

PaaS or virtualized compute pods with OSH

Premium Advanced security: Policy generation, Layer 7 host-based

firewall

PaaS or virtualized compute pods with OSH

Premium feature set for virtualizing computation

Tag-based security: Policy enforcement and visualization

Data center automation: Advanced analytics and

visualization

Red Hat OpenStack VM orchestration

 10

For private cloud automation, the Flex Software Subscription Model supports subscription portability for
the cloud, enterprise, and service provider segments.

Table 7 on page 10 describes licensing support for public cloud automation on Contrail Enterprise Data
Center.

Table 7: Supported Features on Public Cloud Automation on Contrail Enterprise Data Center

Contrail Enterprise Data Center License Model Detailed Features for Public Cloud Automation

Advanced Tag-based security: Policy enforcement and visualization

Data center automation: Advanced analytics and

visualization

Direct connect for VPCs in a public cloud environment

Premium Advanced security: Policy generation, Layer 7 host-based

firewall

Direct connect for VPCs in a public cloud environment

High availability for VPCs

Tag-based security: Policy enforcement and visualization

For public cloud automation, the Flex Software Subscription Model supports subscription portability for
the cloud, enterprise, and service provider segments.

cRPD

Figure 4 on page 11 shows cRPD features for for Flex Software Subscription Model.
 11

Figure 4: cRPD

Routing Stack for Host Route Reflector

cRPD Routing cRPD Routing

Premium Software License

No features in Premium Software License for cRPD
(includes customer support)

Advanced: Layer 3 deployments

with MPLS or SR starting at the host
Advanced Software License No features in Advanced Software
License for Route Reflector
(includes customer support)
Includes the features from Standard tier
along with BGP sharding, and enhanced MPLS

Standard: Layer 3 to the IP host Standard: Route Reflector or Route Server

Standard Software License

(includes customer support)
Automation and programmability, Automation and programmability, BGP,
BGP, IGP, LSP, MPLS, and telemetry BGP sharding, IGP, MPLS, and telemetry

USE CASE

FEATURES

g301024
SUBSCRIPTION

Table 8 on page 11 describes the licensing support for Routing Stack for Host on containerized routing
protocol process (cRPD).

Table 8: Routing Stack for Host Features on cRPD

Routing Stack for Use Case Examples

License Model Host SKUs or Solutions Detailed Features Scale

Advanced license S-CRPD-S-HR-1/3/5 Layer 3 deployments Includes the features Without scale
S-CRPD-100-S-HR-1/3/5 with MPLS or SR from Standard tier restrictions on BGP
S-CRPD-1K-S-HR-1/3/5 starting at the host along with BGP peers and RIB
S-CRPD-10K-S-HR-1/3/5 sharding, and
enhanced MPLS

Standard license S-CRPD-A-HR-1/3/5 Layer 3 to the IP host Automation and 16 BGP Peers and
S-CRPD-100-A-HR-1/3/5 programmability, 4M RIB
S-CRPD-1K-A-HR-1/3/5 BGP, IGP, LSP, MPLS,
S-CRPD-10K-A-HR-1/3/5 and telemetry
 12

Table 9 on page 12 describes the licensing support with use case examples Route Reflector on containerized
routing protocol process (cRPD).

Table 9: Route Reflector Features on cRPD

Route Reflector Use Case Examples

License Model SKUs or Solutions Detailed Features Scale

Standard license S-CRPD-S-RR-1 Route Reflector or Automation and No scale restrictions

S-CRPD-S-RR-3 Route Server programmability, on RIB
S-CRPD-S-RR-5 BGP, BGP sharding,
IGP, MPLS, and
telemetry

Table 10 on page 12 shows cRPD SKU definition.

Table 10: cRPD SKU Definition

SKU SKU Character Description

S-CRPD-S/A-HR-1/3/5 S—Software

S-CRPD-100/1K/10K-S/A-HR-1/3/5 CRPD—Product name cRPD

S-CRPD-S-RR-1/3/5 S—Standard software subscription

A—Advanced software subscription

HR—Host Routing

RR—Route Reflector

100—Bundle of 100 software licenses

1K—Bundle of 1000 software licenses

10K—Bundle of 10000 software licenses

1/3/5—Subscription term 1, 3, or 5 years

To add, delete, and managing license, refer Managing Licenses.

Contrail Service Orchestration

Table 11 on page 13 describes the standard and advance license model support with use case examples
for the Contrail Service Orchestration (CSO) software. Table 12 on page 14 lists the supported devices
categorized into device classes.

Figure 5 on page 13 shows CSO features for the standard and advanced licenses.
 13

Figure 5: Contrail Service Orchestration

• Tiered Model –Standard and Advanced includes Juniper Software Advantage Support
• Advanced (A1) includes Standard (S1)
• Per Device/ Device Class Based
CSO ADVANCED - A1
CSO CSO STANDARD - S1
Software SD-WAN

Next-generation Next-
Hybrid WAN SD-LAN Hybrid
Firewall Generation
WAN
Firewall

Junos OS software +
Junos OS software + SRX Junos OS software + SRX
Platform SRX Series with Junos
Series with Junos Software Series with Junos Junos OS software +
Software Software Enhanced (JSE)
Base (JSB) or NFX or vSRX Software Base (JSB) or vSRX feature licenses
or NFX or vSRX +
standard + feature licenses standard + feature licenses
advanced feature license
Separately
Purchased CPE/Spoke: SRX300 line
CPE/Spoke: SRX300 line
of devices, SRX550M,
of devices, SRX550M, EX2300, EX3400,
Platform SRX300 line of NFX150, NFX250, and vSRX
NFX150, NFX250, and vSRX. EX4300, EX4600
Hardware devices and vSRX Hub: SRX1500, SRX4100,
Hub: MX104, MX240, and EX4650
SRX4200, MX104, MX240,
MX480, MX960, and vSRX
MX480, MX960, and vSRX

g300866

Table 11 on page 13 describes the Flex Software Subscription Model support with use case examples for
the Contrail Service Orchestration (CSO) software.

Table 11: CSO SKUs for Standard and Advanced License Model

License Use Case Examples or

Model Solutions Features Supported

Standard Hybrid WAN, A,B, and C class devices supports the following features:
license next-generation firewall
Authentication for VPNs, firewall, hybrid WAN-dual WAN links
management, and
(active/backup), NAT, security event logs and reporting, single-WAN
SD-LAN
link-managed CPE, user firewall, UTM, and zero-touch provisioning
(ZTP) for CPE devices.

D and E class devices supports the following features:

Automated switch deployment through ZTP, LAN configuration and

monitoring, Mist Wi-Fi integration, switch management, and virtual
chassis (VC).

For more information on device categories, see Table 12 on page 14.

 14

Table 11: CSO SKUs for Standard and Advanced License Model (continued)

License Use Case Examples or

Model Solutions Features Supported

Advanced Hybrid WAN, A,B, and C class devices supports the following features:
license next-generation firewall
APBR, AppQoE, Authentication for VPNs, AWS cloud endpoint,
management, and
bandwidth-optimized SLA (RPM), dual CPE, firewall, full mesh or
SD-WAN
dynamic VPN, hub multihoming, hybrid WAN-dual WAN links
(active/backup), Internet Zscaler breakout, NAT, network segmentation,
real-time-optimized SLA (AppQoE), SD-WAN up to four WAN links
(active/active), security event logs and reporting, single-WAN
link-managed CPE, SLA-based dynamic path selection, user firewall,
UTM, and zero-touch provisioning (ZTP) for CPE devices

For more information on device categories, see Table 12 on page 14.

CSO supports various Juniper Networks devices. Table 12 on page 14 lists the supported devices categorized
into device classes.

Table 12: CSO supported Device Classification

Device Class Supported Devices

A SD-WAN Supported Devices Next-Generation Firewall

• CPE/Spoke (<250) Next-Generation Firewall Devices

SRX300 line of devices with Junos Software Enhanced
• Next-Generation Firewall servies
(JSE)
with Junos Software Enhanced
NFX150 (JSE)
vSRX (2 vCPUs) SRX300 line of devices
vSRX (2 vCPUs)

B • CPE/Spoke (<1Gbps) Next-Generation Firewall Devices

NFX250
• Next-Generation Firewall servies
SRX550 with Junos Software Enhanced (JSE) with Junos Software Enhanced
vSRX (5 vCPUs) (JSE)
• Enterprise Hub Devices (Gateway) (<1Gbps) vSRX (5 vCPUs)
SRX1500 (CSO release 5.0x onwards)
Services gateways with Junos Software Enhanced (JSE)
• Cloud Hub Devices (<1Gbps)
SRX1500
Services gateways with Junos Software Enhanced (JSE)
 15

Table 12: CSO supported Device Classification (continued)

Device Class Supported Devices

C • Enterprise Hub Devices (Gateway) (>1Gbps) Next-Generation Firewall Devices

SRX4100 and SRX4200
• Next-Generation Firewall servies
Services gateways with Junos Software Enhanced (JSE) with Junos Software Enhanced
• Cloud Hub Devices (>1Gbps) (JSE)
Services gateways with Junos Software Enhanced (JSE) vSRX (7 or 19 vCPUs)
SRX4100 and SRX4200
MX80, MX104, MX240, MX480, and MX960
vSRX (7 or 19 vCPUs)

D Class D does not support any SD-WAN devices SD-LAN Devices

• EX2300, EX3400, and EX4300

switches

E Class E does not support any SD-WAN devices SD-LAN Devices

• EX4600 and EX4650 switches

cSRX

Table 13 on page 16 shows cSRX features for Flex Software Subscription Model.

Figure 6 on page 16 shows cSRX features for the Three-Tier (standard, advanced, and premium licenses).
 16

Figure 6: cSRX

Premium 1: Use for data center Premium 2: Use for next-generation Premium 3: Use for data center
security + ATP Cloud firewall + ATP Cloud security + ATP Cloud
Premium Software License
(includes customer support) Includes standard features + Includes standard features +
Includes standard features +
Application Security, ATP Cloud, Application Security, ATP Cloud,
Application Security, ATP Cloud,
cloud-based antivirus, IPS, and IPS, on-box antivirus, and
and IPS
URL filtering URL filtering

Advanced 1: Use for data Advanced 2: Use for next-generation Advanced 3: Use for next-generation
center security firewall with cloud-based antivirus firewall with on-box antivirus
Advanced Software License
(includes customer support)
Includes standard features + Includes standard features +
Includes standard features +
Application Security, cloud-based Application Security, IPS, on-box
Application Security, and IPS
antivirus, IPS, and URL filtering antivirus, and URL filtering

Standard: Use for standard firewall and secure branch routers

Standard
Software
License + Customer
Support

Standard firewall (routing, firewall, switching, NAT, VPN, and MPLS) and secure branch routers

USE CASE SUBSCRIPTION

g301011
FEATURES PERPETUAL

Table 13: cSRX Flex Software Subscription Model

cSRX License Use Case Examples

Model cSRX SKUs or Solutions Detailed Features

Standard S-CSRX-STD-1 Use for standard Standard firewall

firewall and secure (routing, firewall,
S-CSRX-STD-3
branch routers switching, NAT, VPN,

S-CSRX-STD-5 and MPLS) and

secure branch routers
 17

Table 13: cSRX Flex Software Subscription Model (continued)

cSRX License Use Case Examples

Model cSRX SKUs or Solutions Detailed Features

Advanced S-CSRX-A1-1 Advanced 1 Advanced 1

S-CSRX-A1-3 Use for data center Includes standard

security features +
S-CSRX-A1-5
Application Security,
and IPS

S-CSRX-A2-1 Advanced 2 Advanced 2

S-CSRX-A2-3 Use for Includes standard

next-generation features +
S-CSRX-A2-5
firewall with cloud Application Security,
based antivirus cloud-based antivirus,
IPS, and URL filtering

S-CSRX-A3-1 Advanced 3 Advanced 3

S-CSRX-A3-3 Use for Includes standard

next-generation features +
S-CSRX-A3-5
firewall with on-box Application Security,
antivirus IPS, on-box antivirus,
and URL filtering
 18

Table 13: cSRX Flex Software Subscription Model (continued)

cSRX License Use Case Examples

Model cSRX SKUs or Solutions Detailed Features

Premium S-CSRX-P1-1 Premium 1 Premium 1

S-CSRX-P1-3 Use for data center Includes standard

security + ATP Cloud features +
S-CSRX-P1-5
Application Security,
ATP Cloud, and IPS

S-CSRX-P2-1 Premium 2 Premium 2

S-CSRX-P2-3 Use for Includes standard

next-generation features +
S-CSRX-P2-5
firewall + ATP Cloud Application Security,
ATP Cloud,
cloud-based antivirus,
IPS, and URL filtering.

S-CSRX-P3-1 Premium 3 Premium 3

S-CSRX-P3-3 Use for data center Includes standard

security + ATP Cloud features +
S-CSRX-P3-5
Application Security,
ATP Cloud, IPS,
on-box antivirus, and
URL filtering

MPC10E, MX2K-MPC11E, MX10K3-L2103, MX10K-LC2101 Line Cards and MX204 Routers

Table 14 on page 19 describes the licensing support with use case examples for the MPC10E,
MX2K-MPC11E, MX10K3-L2103, MX10K-LC2101 line cards and MX204 routers.

MPC10E-10C and MPC10E-15C line cards are supported on MX240, MX480, and MX960 devices

MX2K-MPC11E line cards are supported on MX2010 and MX2020 devices

MX10K3-L2103 line card is supported on MX10003 device

MX10K-LC2101 line cards are supported on MX10008 and MX10016 devices

Figure 7 on page 19 shows MPC10E, MX2K-MPC11E, MX10K3-L2103, MX10K-LC2101 Line Cards and
MX204 Routers features for the Three-Tier (standard, advanced, and premium licenses).
 19

Figure 7: MPC10E, MX2K-MPC11E, MX10K3-L2103, MX10K-LC2101 Line Cards and MX204 Routers

Premium: Services

• Includes advanced features SCALE:

Premium Software License
• High scale IP-VPNs 32+ IP VPNs
(includes customer support) • IP fabrics (SRv6 and SRm6) 8+ multicast VPNs
• PWHT for Layer 3 VPNs or BNG
• Inline NAT and inline MDI
• 1:1 inline J-Flow

Advanced: Transport

• IP routing, IGP (OSFP and IS-IS), IP-FRR, PIM variants, and IGMP SCALE:
• Internet eBGP peering, BGP multihoming (add path and multi-path), EPE, and BGP PIC 32 IP VPNs – all
• BGP Flow specification address families
• All Layer 2 services—E-LINE (Layer 2 VPNs, Layer 2 ckt, EVPN VPWS, EVPN FXC), with BGP PIC
Advanced Software License E-LAN (bridging, H-VPLS, EVPN, and IRB), E-TREE (H-VPLS, EVPN, and IRB), Layer 2
multicast (snooping included) 8 next-generation
(includes customer support) • All MPLS transport—LDP, RSVP-TE, SR, SR-TE, and MPLS-FRR (including TI-LFA) MVPN
• IP fabrics (GRE, MPLSoUDP, VxLAN, and IPinIP)
• Streaming telemetry and SNMP
• Policers, ACLs, J-Flow (sampled), sFLow, port mirroring, and per VLAN queuing
• Timing (all variants)
• OAM—BFD, Ethernet CFM or LFM, MPLS or SR (ping and traceroute), services
OAM, RPM, and TWAMP

Standard Standard: Basic Layer 2 features

Software
License
Basic control plane DDoS, basic Layer 2 switching, basic Layer 3 forwarding/routing IP only, SCALE:

+ Customer
Support
BGP, ECMP, IGP, IS-IS, J-Flow, OSPF, per-port queuing and shaping, policers, port CoS,
security ACL filters, security agents, SNMP, and telemetry agents.
Not Applicable

Hardware

USE CASE SUBSCRIPTION

g301053
FEATURES PERPETUAL

Table 14: Supported Features on MPC10E, MX2K-MPC11E, MX10K3-L2103, MX10K-LC2101 Line Cards
and MX204 Routers

Use Case Examples

License Model or Solutions Feature Buckets Scale

Standard Basic Layer 2 Bridging with port and single level VLAN Not Applicable
features (dot1Q), and LAG
 20

Table 14: Supported Features on MPC10E, MX2K-MPC11E, MX10K3-L2103, MX10K-LC2101 Line Cards
and MX204 Routers (continued)

Use Case Examples

License Model or Solutions Feature Buckets Scale

Advanced Transport • IP routing, IGP (OSFP and IS-IS), IP-FRR, 32 IP VPNs – all
PIM variants, and IGMP address families with
• Internet eBGP peering, BGP multihoming BGP PIC
(add path and multi-path), EPE, and BGP
8 next-generation
PIC
MVPN
• BGP Flow specification
• All Layer 2 services—E-LINE (Layer 2 VPNs,
Layer 2 ckt, EVPN VPWS, EVPN FXC),
E-LAN (bridging, H-VPLS, EVPN, and IRB),
E-TREE (H-VPLS, EVPN, and IRB), Layer 2
multicast (snooping included)
• All MPLS transport—LDP, RSVP-TE, SR,
SR-TE, and MPLS-FRR (including TI-LFA)
• IP fabrics (GRE, MPLSoUDP, VxLAN, and
IPinIP)
• Streaming telemetry and SNMP
• Policers, ACLs, J-Flow (sampled), sFLow,
port mirroring, and per VLAN queuing
• Timing (all variants)
• OAM—BFD, Ethernet CFM or LFM, MPLS
or SR (ping and traceroute), services OAM,
RPM, and TWAMP

The Junos Fusion Technology feature requires

an additional license in addition to Advanced
license.

Premium Services • Includes advanced features 32+ IP VPNs

• High scale IP-VPNs
8+ multicast VPNs
• IP fabrics (SRv6 and SRm6)
• PWHT for Layer 3 VPNs or BNG
• Inline NAT and inline MDI
• 1:1 inline J-Flow
The subscriber management (BNG or CUPS)
feature requires an additional license in
addition to Premium license.
 21

Licensing tiers for Flex Software Subscription Model are based on large functional blocks. Features that
are not explicitly listed in Premium license are included in Advanced license, except for the following:

• Junos Fusion Technology requires additional license in addition to Advanced or Premium license.

• Premium software tier is a prerequisite for running subscriber services (BNG(PL), BNG CUPS, MX Mobile
User Plane (SAEGW-U, 5G AGF or UPF)).

Table 15 on page 21 describes SKUs for MPC10E, MX2K-MPC11E, MX10K3-L2103, MX10K-LC2101

Line Cards and MX204 Routers.

Table 15: MPC10E, MX2K-MPC11E, MX10K3-L2103, MX10K-LC2101 Line Cards and MX204 Routers
SKUs

Product Model License Model SKUs

MX204 Subscription MX204-HW-BASE

S-MX-4C-A1-C1-3/5/1*

S-MX-4C-P1-C1-3/5/1*

MX204 Perpetual MX204-HW-BASE

S-MX-4C-A1-C1-P

S-MX-4C-P1-C1-P

MX10K3-L2103 Subscription MX10K3-L2103-BASE

Supported on MX10003 device S-MX-12C-A1-C1-3/5/1*

S-MX-12C-P1-C1-3/5/1*

MX10K3-L2103 Perpetual MX10K3-L2103-BASE

Supported on MX10003 device S-MX-12C-A1-C1-P

S-MX-12C-P1-C1-P

MX10K-LC2101 Subscription MX10K-LC2101-BASE

Supported on MX10008 and MX10016 S-MX-24C-A1-3/5/1*

devices
S-MX-24C-P1-3/5/1*

MX10K-LC2101 Perpetual MX10K-LC2101-BASE

Supported on MX10008 and MX10016 S-MX-24C-A1-P

devices
S-MX-24C-P1-P
 22

Table 15: MPC10E, MX2K-MPC11E, MX10K3-L2103, MX10K-LC2101 Line Cards and MX204 Routers
SKUs (continued)

Product Model License Model SKUs

MX2K-MPC11E Subscription MX2K-MPC11E-BASE

Supported on MX2010 and MX2020 devices S-MX-40C-A1-3/5/1*

S-MX-40C-P1-3/5/1*

MX2K-MPC11E Perpetual MX2K-MPC11E-BASE

Supported on MX2010 and MX2020 devices S-MX-40C-A1-P

S-MX-40C-P1-P

MPC10E-10C Subscription MPC10E-10C-P-BASE

Supported on MX240, MX480, and MX960 S-MX-10C-A1-3/5/1*

devices
S-MX-10C-P1-3/5/1*

MPC10E-10C Perpetual MPC10E-10C-P-BASE

Supported on MX240, MX480, and MX960 S-MX-10C-A1-P

devices
S-MX-10C-P1-P

MPC10E-15C Subscription MPC10E-15C-P-BASE

Supported on MX240, MX480, and MX960 S-MX-15C-A1-3/5/1*

devices
S-MX-15C-P1-3/5/1*

MPC10E-15C Perpetual MPC10E-15C-P-BASE

Supported on MX240, MX480, and MX960 S-MX-15C-A1-P

devices
S-MX-15C-P1-P

*1 year subscription term is for renewal only.

NFX350

Table 16 on page 23 shows NFX350 features for Flex Software Subscription Model.

Figure 8 on page 23 shows NFX350 features for the Three-Tier (standard, advanced, and premium licenses).
 23

Figure 8: NFX350

Premium 1: Use for data center Premium 2: Use for next- Premium 3: Use for data center
security or SD-WAN + ATP Cloud generation firewall + ATP Cloud security or SD-WAN + ATP Cloud
Premium Software License
(includes customer support)
Includes IPS, Application Security, Includes IPS, Application Security,
Includes IPS, Application Security,
URL filtering, Sophos antivirus URL filtering, On-box antivirus,
and ATP Cloud
and antispam, and ATP Cloud and ATP Cloud

Advanced 1: Use for data center Advanced 2: Use for next- Advanced 3: Use for next-
security + SD-WAN generation firewall with Sophos generation firewall with Avira
Advanced Software License
(includes customer support)
Includes IPS, Application Security,
Includes IPS and Includes IPS, Application Security,
URL filtering, Sophos antivirus
Application Security URL filtering, On-box antivirus
and antispam

Standard
Software Standard: Use for basic firewall and secure branch routers
License

+ Customer
Support

Hardware Includes hardware, plus Junos Base JSB (routing, firewall, switching, NAT, VPN, and MPLS)

USE CASE SUBSCRIPTION

g300976
FEATURES PERPETUAL

Table 16: NFX350 Flex Software Subscription Model

NFX350
License
Model Use Case Examples or Solutions Detailed Features

Standard Use for basic firewall and secure branch Includes hardware, plus Junos Base JSB (routing,
routers firewall, switching, NAT, VPN, and MPLS)

Advanced Advanced 1 Advanced 1

Use for data center security + SD-WAN Includes IPS and Application Security

Advanced 2 Advanced 2

Use for next-generation firewall with Sophos Includes IPS, Application Security, URL filtering,
Sophos antivirus and antipsam

Advanced 3 Advanced 3

Use for next-generation firewall with Avira Includes IPS, Application Security, URL filtering,
On-box antivirus
 24

Table 16: NFX350 Flex Software Subscription Model (continued)

NFX350
License
Model Use Case Examples or Solutions Detailed Features

Premium Premium 1 Premium 1

Use for data center security or SD-WAN + Includes IPS, Application Security, and ATP Cloud
Cloud ATP

Premium 2 Premium 2

Use for next-generation firewall + Cloud ATP Includes IPS, Application Security, URL filtering,
Sophos antivirus and antispam, and ATP Cloud

Premium 3 Premium 3

Use for data center security or SD-WAN + Includes IPS, Application Security, URL filtering,
Cloud ATP On-box antivirus, and ATP Cloud

PTX10003

Table 17 on page 25 describes the licensing support for the PTX10003.

Figure 9 on page 25 shows PTX10003 features for the Three-Tier (standard, advanced, and premium
licenses).
 25

Figure 9: PTX10003

Premium 1 and 2 Features License

With the premium license, you can use all the software features that are supported on PTX10003.

Advanced 2 Features License

Licenses Customer Advanced 1 features, EVPN-MPLS, Layer 2 circuit, Layer 3 VPN, LDP, RSVP, segment routing, and
Support
segment routing traffic engineering (SR-TE)

Advanced 1 Features License

BGP, connectivity fault management (CFM), EVPN-VXLAN, filter-based forwarding (FBF), filter-
based generic routing encapsulation (GRE), IS-IS, Juniper telemetry interface (JTI), Layer 3 multicast,
MACsec, OAM, OSPF, PTP, Q-in-Q, VRF, and VRRP

Base
Feature Filters (Layer 2 and Layer 3), Layer 2 (xSTP, 802.1Q, LAG),
Software Layer 3 (static), quality of service or QoS (Layer 2 and Layer 3), and SNMP

Customer
Support

PTX10003 PTX10003 Router (Perpetual Purchase)

Router

g300668

Table 17: Supported Features on PTX10003

PTX10003 License Use Case Examples or Detailed Features for

Model Solutions Fabric Management Scale

Standard Basic Layer 2 switching or Filters (Layer 2 and Layer 64K FIBs
basic Layer 3 routing 3), Layer 2 (xSTP, 802.1Q,
LAG), Layer 3 (static),
quality of service or QoS
(Layer 2 and Layer 3), and
SNMP
 26

Table 17: Supported Features on PTX10003 (continued)

PTX10003 License Use Case Examples or Detailed Features for

Model Solutions Fabric Management Scale

Advanced Advanced 1

Data center IP spine (cloud BGP, connectivity fault 256K FIBs, 3M RIBs, and
and enterprise segment) management (CFM), 256 VRFs
EVPN-VXLAN, filter-based
forwarding (FBF),
filter-based generic routing
encapsulation (GRE), IS-IS,
Juniper telemetry interface
(JTI), Layer 3 multicast,
MACsec, OAM, OSPF, PTP,
Q-in-Q, VRF, and VRRP

Advanced 2

Data center interconnect Advanced 1 features, 1M FIBs, 3M RIBs, 1K LSPs,

and data center or WAN EVPN-MPLS, Layer 2 and 1K VRFs
edge circuit, Layer 3 VPN, LDP,
RSVP, segment routing, and
segment routing traffic
engineering (SR-TE)

Premium Premium 1

Label switch routing (LSR) With the premium license, 2M FIBs, 6M RIBs, 32K
and peering you can use all the software LSPs, and 1K VRFs
features that are supported
on PTX10003.

Premium 2

High-scale LSR, IP core, and With the premium license, 2M to 4M FIBs, 60M to 80
peering you can use all the software M RIBs, 100K+ LSPs, and
features that are supported 1K to 2K VRFs
on PTX10003.

For PTX10003, the Flex Software Subscription Model supports subscription portability for the cloud,
enterprise, and service provider segments.
 27

PTX10008

Table 18 on page 28 describes the licensing support for the PTX10008 Packet Transport Router.

Figure 10 on page 27 shows PTX10008 features for the Three-Tier (standard, advanced, and premium
licenses).

Figure 10: PTX10008

Premium 1: Label-switching router (LSR) and peering Premium 2: High-scale LSR, IP core, and peering

Premium Software License

SCALE: SCALE:
(includes customer support) With the premium license, you can use 2M FIBs, WithWith
the premium
the premium
license,
license,
you you
can use 2M to 4M FIBs,
all software features that are supported 6M RIBs, all software
can use features
all the software
that arefeatures
supported 60M to 80M RIBs,
on the PTX10008. 32K LSPs, on the
thatPTX10008.
are supported on PTX10003. 100K+ LSPs, and
and 1K VRFs 1K to 2K VRFs

Advanced 2: Data center interconnect and

Advanced 1: Data center IP spine
data center or WAN edge

Advanced Software License

BGP, connectivity fault management (CFM),
EVPN, EVPN-VXLAN, fine-grained CoS, filter- SCALE:
(includes customer support) SCALE: Advanced 1 features, EVPN-MPLS,
based forwarding (FBF), filter-based generic 1M FIBs,
256K FIBs, Layer 2 circuit, Layer 3 VPN, LDP, RSVP,
routing encapsulation (GRE), IS-IS, Junos 3M RIBs,
telemetry interface (JTI), Layer 3 multicast,
3M RIBs, segment routing, and segment routing
1K LSPs,
MC-LAG, MPLS forwarding, OAM, OSPF, and 256 VRFs traffic engineering (SR-TE)
and 1K VRFs
PTP-TC, Q-in-Q, sFlow, VRF, and VRRP

Standard
Software Standard: Basic Layer 2 switching or basic Layer 3 routing
License

+ Customer
Support
Filters (Layer 2 and Layer 3), Layer 2 (xSTP, 802.1Q, LAG), Layer 3 (static), SCALE:
Hardware
quality of service or QoS (Layer 2 and Layer 3), and SNMP 64K FIBs

USE CASE SUBSCRIPTION

g301036
FEATURES PERPETUAL
 28

Table 18: Supported Features on PTX10008

PTX10008
License Use Case Examples Detailed Features for
Model or Solutions Fabric Management Scale Security License

Standard Basic Layer 2 switching Filters (Layer 2 and 64K FIBs The PTX10008 router
or basic Layer 3 routing Layer 3), Layer 2 (xSTP, supports the MACsec
802.1Q, LAG), Layer 3 feature, but you must
(static), quality of purchase a license
service or QoS (Layer 2 separately to use the
and Layer 3), and feature.
SNMP

Advanced Advanced 1

Data center IP spine BGP, connectivity fault 256K FIBs, 3M RIBs,

management (CFM), and 256 VRFs
EVPN, EVPN-VXLAN,
fine-grained CoS,
filter-based forwarding
(FBF), filter-based
generic routing
encapsulation (GRE),
IS-IS, Junos telemetry
interface (JTI), Layer 3
multicast, MC-LAG,
MPLS forwarding,
OAM, OSPF, PTP-TC,
Q-in-Q, sFlow, VRF,
and VRRP

Advanced 2

Data center Advanced 1 features, 1M FIBs, 3M RIBs, 1K

interconnect and data EVPN-MPLS, Layer 2 LSPs, and 1K VRFs
center or WAN edge circuit, Layer 3 VPN,
LDP, PTP-BC, RSVP,
segment routing, and
segment routing-traffic
engineering (SR-TE)

Premium Premium 1

Label-switching router 2M FIBs, 6M RIBs, 32K

(LSR) and peering LSPs, and 1K VRFs
 29

Table 18: Supported Features on PTX10008 (continued)

PTX10008
License Use Case Examples Detailed Features for
Model or Solutions Fabric Management Scale Security License

With the premium

license, you can use all
software features that
are supported on the
PTX10008.

Premium 2

High-scale LSR, IP core, With the premium 2M to 4M FIBs, 60M to

and peering license, you can use all 80M RIBs, 100K+ LSPs,
software features that and 1K to 2K VRFs
are supported on the
PTX10008.

For PTX10008, the Flex Software Subscription Model supports subscription portability for the cloud,
enterprise, and service provider segments.

For feature support on the PTX10008, see Feature Explorer or contact customer support.

The PTX10008 supports MACsec, but you must purchase a license to use the MACsec feature. MACsec
licenses are perpetual. The licenses are available in two variants, which are described in Table 19 on page 29.

Table 19: MACsec Feature License SKUs

MACsec License SKU Description

S-PTX10K100GMSEC-P 100-Gigabit Ethernet MACsec license; can be applied to one 100-Gigabit

Ethernet port or two 40-Gigabit Ethernet ports

S-PTX10K400GMSEC-P 400-Gigabit Ethernet MACsec license; can be applied to one 400-Gigabit

Ethernet port or four 100-Gigabit Ethernet ports

Table 20 on page 29 describes SKUs for the PTX10000 14.4-Tbps line card.

Table 20: PTX10000 14.4-Tbps Line-Card License SKUs

Line Card License Model SKU

PTX10000 14.4-Tbps line card Perpetual PTX10K-LC1201-36CD

 30

Table 20: PTX10000 14.4-Tbps Line-Card License SKUs (continued)

Line Card License Model SKU

PTX10000 14.4-Tbps line card licenses without Perpetual S-PTX10K-144C-A1/A2-P

customer support
S-PTX10K-144C-P1/P2-P

PTX10000 14.4-Tbps line card licenses with Subscription S-PTX10K-144C-A1/A2-3/5

customer support
S-PTX10K-144C-P1/P2-3/5

Table 21 on page 30 describes partner SKUs for the PTX10000 14.4-Tbps line card.

Table 21: PTX10000 14.4-Tbps Line-Card Partner License SKUs

Line Card License Model SKU

PTX10000 14.4-Tbps line card Subscription S-PARPTX10K144CA13

licenses with customer support
S-PARPTX10K144CA23

S-PARPTX10K144CA15

S-PARPTX10K144CA25

S-PARPTX10K144CP13

S-PARPTX10K144CP15

S-PARPTX10K144CP23

S-PARPTX10K144CP25

Table 22 on page 31 defines the parts of a PTX10000 SKU definition.

 31

Table 22: PTX10000 SKU Definition

SKU SKU Character Description

S-PTX10K-144C-A1/A2/P1/P2-P S—Software

S-PTX10K-144C-A1/A2/P1/P2-3/5 PTX10K—Product name: PTX10000 line of routers

S-PARPTX10K144CA1/A2/P1/P2/3/5 144C—14.4 Tbps

PAR—Partner

A1/A2—Advanced 1 or advanced 2 software features

P1/P2—Premium 1 or premium 2 software features

3/5—Subscription term 3 or 5 years

QFX Switches

QFX switch models that support the Software Subscription Model:

• QFX5120-32C

• QFX5120-48Y

QFX5120-48Y supports non-Flex Software Subscription Models such as QFX5120-48Y-AFO and Flex
Software Subscription Models such as QFX5120-48Y-AFO2.

• QFX5120-48T

• QFX5220-32CD

• QFX5220-128C

Figure 11 on page 32 shows QFX switch features for the Three-Tier (standard, advanced, and premium
licenses).
 32

Figure 11: QFX Switch

Premium Features

Advanced Enterprise Features Advanced enterprise features,

EVPN-MPLS, Layer 2 circuit,
Advanced Cloud Features BGP, CFM, EVPN-VXLAN, FBF, Layer 3 VPN, LDP, RSVP,
Customer GRE, IS-IS, JTI, Layer 3 multicast, Segment routing, and SR-TE.
Licenses Support MC-LAG, VRRP, OSPF, MC-LAG, OAM, OSPF, PTP,
IS-IS, BGP, VRF, FBF, GRE, Q-in-Q, Virtual Chassis, VRF
and JTI. and VRRP.

Base Feature Filters (Layer 2 and Layer 3), Layer 2 (xSTP, 802.1Q, LAG),
Software
Layer 3 (static), QoS (Layer 2 and Layer 3), and SNMP

QFX Series
+ Customer
Support
QFX Series Hardware (Perpetual Purchase)
Hardware

Perpetual Only

g300378
Subscription + Perpetual
Feature Options

Table 23 on page 32 describes the licensing support with use case examples for the QFX5120, QFX5200,
and QFX5220 switches.

Table 23: Supported Features on QFX5120, QFX5200, and QFX5220 switches

Use Case Examples or

QFX Switch License Model Solutions Detailed Features

Standard license for integrated Basic Layer 2 switching or Filters (Layer 2 and Layer 3), Layer 2 (xSTP, 802.1Q,
SKUs (standard hardware and basic Layer 3 forwarding LAG), Layer 3 (static), QoS (Layer 2 and Layer 3),
software platform) and SNMP

Advanced license for integrated Data center fabric Advanced 1: BGP, FBF, GRE, IS-IS, JTI, MC-LAG,
and advanced SKUs OSPF, VRF and VRRP.

Advanced 2: BGP, CFM, EVPN-VXLAN, FBF, GRE,

IS-IS, JTI, Layer 3 multicast, MC-LAG, OAM, OSPF,
PTP, Q-in-Q, Virtual Chassis, VRF and VRRP.

Premium license for integrated Data center interconnect or MPLS: Advance Enterprise Features, EVPN-MPLS,
and premium SKUs data center edge Layer 2 circuit, Layer 3 VPN, LDP, RSVP, Segment
routing, and SR-TE.

QFX switch supports 3-year and 5-year subscription models only.

Table 24 on page 33 describes classification of QFX switch device class and SKUs.
 33

Table 24: QFX switch device class and SKUs

QFX 5000
Series Product
Class QFX Device Models SKUs

Class 1 QFX5120-48Y-AFO2 S-QFX5K-C1-A1-3

QFX5120-48Y-AFI2 S-QFX5K-C1-A1-5
QFX5120-48Y-D-AFO2 S-QFX5K-C1-A2-3
QFX5120-48Y-D-AFI2 S-QFX5K-C1-A2-5
QFX5120-48T-AFO S-QFX5K-C1-P1-3
QFX5120-48T-AFI S-QFX5K-C1-P1-5
QFX5120-48T-DC-AFO
QFX5120-48T-DC-AFI

Class 2 QFX5200-32C-L S-QFX5K-C2-A1-3

QFX5120-32C-AFO S-QFX5K-C2-A1-5
QFX5120-32C-AFI S-QFX5K-C2-A2-3
QFX5120-32C-DC-AFO S-QFX5K-C2-A2-5
QFX5120-32C-DC-AFI S-QFX5K-C2-P1-3
S-QFX5K-C2-P1-5

Class 3 QFX5220-32CD-AFO S-QFX5K-C3-A1-3

QFX5220-32CD-AFI S-QFX5K-C3-A1-5
QFX5220-32CD-DC-AFO S-QFX5K-C3-A2-3
QFX5220-32CD-DC-AFI S-QFX5K-C3-A2-5
QFX5220-128C-AFO S-QFX5K-C3-P1-3
QFX5220-128C-D-AFO S-QFX5K-C3-P1-5

SRX Series Services Gateways

Flex Software Subscription Model supported on SRX300, SRX550M, SRX1500, SRX4100, SRX4200,
SRX4600, SRX5400, SRX5600, and SRX5800 devices.

Figure 12 on page 34 shows SRX Series Services Gateways features for Flex Software Subscription Model
Three-Tier (standard, advanced, and premium licenses).
 34

Figure 12: SRX Series Services Gateways

Premium 1: Use for data center Premium 2: Use for next- Premium 3: Use for data center
security or SD-WAN + ATP Cloud generation firewall + ATP Cloud security or SD-WAN + ATP Cloud
Premium Software License
(includes customer support)
Includes IPS, Application Security, Includes IPS, Application Security,
Includes IPS, Application Security,
URL filtering, Sophos antivirus URL filtering, On-box antivirus,
and ATP Cloud
and antispam, and ATP Cloud and ATP Cloud

Advanced 1: Use for data center Advanced 2: Use for next- Advanced 3: Use for next-
security + SD-WAN generation firewall with Sophos generation firewall with Avira
Advanced Software License
(includes customer support)
Includes IPS, Application Security,
Includes IPS and Includes IPS, Application Security,
URL filtering, Sophos antivirus
Application Security URL filtering, On-box antivirus
and antispam

Standard
Software Standard: Use for basic firewall and secure branch routers
License

+ Customer
Support

Hardware Includes hardware, plus Junos Base JSB (routing, firewall, switching, NAT, VPN, and MPLS)

USE CASE SUBSCRIPTION

g300976
FEATURES PERPETUAL

Table 25 on page 34 shows SRX Series Services Gateways features for Flex Software Subscription Model.

Table 25: SRX Series Services Gateways Flex Software Subscription Model

SRX Series
Services
Gateways
License Model Use Case Examples or Solutions Detailed Features

Standard Use for basic firewall and secure branch Includes hardware, plus Junos Base JSB (routing,
routers firewall, switching, NAT, VPN, and MPLS)
 35

Table 25: SRX Series Services Gateways Flex Software Subscription Model (continued)

SRX Series
Services
Gateways
License Model Use Case Examples or Solutions Detailed Features

Advanced Advanced 1 Advanced 1

Use for data center security + SD-WAN Includes IPS and Application Security

Advanced 2 Advanced 2

Use for next-generation firewall with Sophos Includes IPS, Application Security, URL filtering,
Sophos antivirus and antispam

Advanced 3 Advanced 3

Use for next-generation firewall with Avira Includes IPS, Application Security, URL filtering,
On-box antivirus

Premium Premium 1 Premium 1

Use for data center security or SD-WAN + Includes IPS, Application Security, and ATP Cloud
ATP Cloud

Premium 2 Premium 2

Use for next-generation firewall + ATP Cloud Includes IPS, Application Security, URL filtering,
Sophos antivirus and antispam, and ATP Cloud

Premium 3 Premium 3

Use for data center security or SD-WAN + Includes IPS, Application Security, URL filtering,
ATP Cloud On-box antivirus, and ATP Cloud

Advanced 3 and Premium 3 license models are not supported on SRX300, SRX320, SRX340, SRX345, and
SRX380 devices.

vSRX

Table 26 on page 36 shows vSRX features for Flex Software Subscription Model.

Figure 13 on page 36 shows vSRX features for Flex Software Subscription Model Three-Tier (standard,
advanced, and premium licenses).
 36

Figure 13: vSRX

Premium 1: Use for data center Premium 2: Use for next- Premium 3: Use for next-
security and ATP Cloud generation firewall and ATP Cloud generation firewall and ATP Cloud
Premium Software License
(includes customer support)
Includes standard and Advanced 1 Includes standard and Advanced 2 Includes standard and Advanced 3
features, and ATP Cloud features, and ATP Cloud features, and ATP Cloud

Advanced 2: Use for next- Advanced 3: Use for next-

Advanced 1: Use for data
generation firewall generation firewall
center security
with cloud-based antivirus with on-box antivirus
Advanced Software License
(includes customer support) Includes standard features + IPS and Includes standard and Advanced 1 Includes standard and
Application Security (Application
features, Sophos antivirus, Advanced 1 features, Avira
Identification, Application Firewall,
Application Quality of Service, and Web filtering, Antispam, and antivirus, Web filtering, Antispam,
Application Tracking) content filtering and content filtering

Standard: Use for standard firewall and secure branch routers

Standard
Software
License + Customer
Support
ALGs, BGP, Class of Service (CoS), DHCP, diagnostics, firewall, GRE, IP tunneling, IPv4 and IPv6,
Jflow, management (J-Web, CLI, and NetConf), MPLS, multicast, NAT, on-box logging, OSPF, screens,
site to site VPN, static routing, and user firewall

USE CASE SUBSCRIPTION

g301010
FEATURES PERPETUAL

Table 26: vSRX Flex Software Subscription Model

vSRX
License Use Case Examples or Number of
Model Solutions vCPUs Required Detailed Features

Standard Use for standard firewall and 2,5,9, or 17 vCPUs ALGs, BGP, Class of Service (CoS), DHCP,
secure branch routers diagnostics, firewall, GRE, IP tunneling, IPv4 and
IPv6, Jflow, management (J-Web, CLI, and
NetConf), MPLS, multicast, NAT, on-box logging,
OSPF, screens, site to site VPN, static routing,
and user firewall
 37

Table 26: vSRX Flex Software Subscription Model (continued)

vSRX
License Use Case Examples or Number of
Model Solutions vCPUs Required Detailed Features

Advanced Advanced 1 2,5,9, or 17 vCPUs Advanced 1

Use for data center security Includes standard features + IPS and Application
Security (Application Identification, Application
Firewall, Application Quality of Service, and
Application Tracking)

Advanced 2 2,5,9, or 17 vCPUs Advanced 2

Use for next-generation firewall Includes standard and Advanced 1 features,

with cloud based antivirus Sophos antivirus, Web filtering, Antispam, and
content filtering

Advanced 3 5,9, or 17 vCPUs Advanced 3

Use for next-generation firewall Includes standard and Advanced 1 features,

with on-box antivirus Avira antivirus, Web filtering, Antispam, and
content filtering

Premium Premium 1 2,5,9, or 17 vCPUs Premium 1

Use for data center security and Includes standard and Advanced 1 features, and
ATP Cloud ATP Cloud

Premium 2 2,5,9, or 17 vCPUs Premium 2

Use for next-generation firewall Includes standard and Advanced 2 features, and
and ATP Cloud ATP Cloud

Premium 3 5,9, or 17 vCPUs Premium 3

Use for next-generation firewall Includes standard and Advanced 3 features, and
and ATP Cloud ATP Cloud

vSRX Flex Software Subscription Model supports standard, advanced, or premium subscription license.
Subscription term is 1 year, 3 years, or 5 years and includes customer support.

For public cloud, vSRX Flex Software Subscription Model supports—Pay-As-You-Go (PAYG) and Bring
Your Own License (BYOL) license model. Pricing is based on number of vCPU cores, with a minimum of
2 vCPU cores.

Table 27 on page 38 shows vSRX SKU definition.

 38

Table 27: vSRX SKU Definition

SKU SKU Character Description

S-VSRX-2C/5C/9C/17C-S/A1/A2/A3/P1/P2/P3-1/3/5 S—Software

Example: VSRX—Product name vSRX

• S-VSRX-2C-S-1 2C/5C/9C/17C—Number of vCPUs

• S-VSRX-5C-S-3
S/A1/A2/A3/P1/P2/P3
• S-VSRX-9C-S-5
• S = Standard license model
• S-VSRX-5C-A1-1
• A1 = Advanced 1 license model
• S-VSRX-17C-A2-3
• A2 = Advanced 2 license model
• S-VSRX-17C-A3-5
• A3 = Advanced 3 license model
• S-VSRX-5C-P1-1
• P1 = Premium 1 license model
• S-VSRX-17C-P2-3
• P2 = Premium 2 license model
• S-VSRX-17C-P3-5
• P3 = Premium 3 license model
1/3/5—Subscription term 1, 3, or 5 years

HealthBot Licensing

IN THIS SECTION

HealthBot Licensing Overview | 38

Managing HealthBot Licenses | 41

HealthBot Licensing Overview

Juniper Networks introduced the Juniper Agile Licensing solution to provide an efficient way for customers
and partners to manage licenses for hardware and software features. Contrail HealthBot uses this licensing
model.

To use a licensed feature, you need to purchase and activate a license that corresponds to that feature
and deploy that license so that it can be utilized by the software during normal operation. You can administer
and manage the licenses through the Juniper Agile Licensing Portal. The portal provides an intuitive,
task-based user interface that provides full lifecycle management of licenses.
 39

For more details on how to obtain, install and use the Juniper Agile Licensing Portal and Juniper Agile
License Manager, see Juniper Agile Licensing Guide.

HealthBot supports the standalone mode for deploying licenses. Standalone mode allows you to activate
a license on a software instance. Such a license can only be used by the instance on which it is activated.
Sharing a license with multiple instances is not permissible.

HealthBot has two service levels:

HealthBot Standard—This is the free model solution and is available for customers that have a valid support
contract. No license is required.

HealthBot Advanced—This is the first tier of the fee-based model solution and requires that you purchase
a HealthBot base feature license. You may purchase additional device-based feature licenses depending
on your business needs.

NOTE: The HealthBot Premium tier license is not available in this HealthBot release. We are
planning to support the Premium tier in an upcoming release of HealthBot.

The following table shows a comparison between the HealthBot Standard and HealthBot Advanced service
models:

HealthBot Standard HealthBot Advanced (Fee-based)

Free with a valid Juniper support contract. You must purchase a HealthBot base feature license. Additional
device feature licenses available.

No license required. Perpetual and subscription licenses.

Limit of 5 custom playbooks and 10 custom rules. Unlimited custom playbooks and custom rules.

Number of devices allowed is based on your Number of devices allowed is based on the HealthBot base and
contractual agreement. device feature licenses purchased.

Limited support for generating reports. You Full support for generating reports.
cannot configure reports settings.

Limited support for generating notifications (only Full support for generating notifications.
local, no external). You cannot configure
notifications settings.
 40

HealthBot Standard HealthBot Advanced (Fee-based)

Limited support for Time Series Database (TSDB) Full support for changing TSDB HA settings.
HA settings. You cannot configure TSDB HA
NOTE: Support for changing TSDB HA settings will move to the
settings.
Premium tier when that tier is available.

— Support for default and custom rules with machine learning

features such as dynamic thresholds, outlier detection, median
prediction, and microburst.

— Support for default and custom rules with user-defined functions.

— Multivendor telemetry data collection.

*For information about HealthBot product options or to obtain a trial license, contact your local sales
representative.

The following table lists the available HealthBot feature licenses:

Feature License Name Description

HBOT-BASE The HBOT-BASE feature license is required for enabling the HealthBot Advanced
capabilities. Along with this, it also allows you to add 50 G1 and 10 G2 category
devices to HealthBot.

For a list of G1 or G2 category devices, contact your local sales representative.

HBOT-G1 After adding the HBOT-BASE feature license, you can add HBOT-G1 licenses
to increase the number of G1 category devices that can be managed by
HealthBot. These devices are mostly fixed form factor devices (non-modular
sytems).

For a list of G1 category devices, contact your local sales representative.

HBOT-G2 After adding the HBOT-BASE feature license, you can add HBOT-G2 licenses
to increase the number of G2 category devices that can be managed by
HealthBot. These devices are mostly modular form factor devices and
chassis-based systems.

For a list of G2 category devices, contact your local sales representative.

 41

Managing HealthBot Licenses

IN THIS SECTION

Add a License to HealthBot | 41

View Licensing Status in HealthBot | 41

Once you have obtained a HealthBot license through the Juniper Agile Licensing Portal, you can:

Add a License to HealthBot

To add a HealthBot license:

1. Click on the Settings > License Management option in the left-nav bar.

2. Click the + License button.

3. Click the Choose File button in the pop-up window.

4. Navigate to the license file you want to add, and then click Open.

5. Click the Add button to add the license file.

The file should now appear in the Licenses Added table on the License Management page. For
information about the Licenses Added table, see “Licenses Added” on page 42.

View Licensing Status in HealthBot

IN THIS SECTION

Features Summary | 42

Licenses Added | 42

The License Management page consists of two tables; the Features Summary table and the Licenses added
table. Details of the table contents are shown below.
 42

Features Summary
The following table describes the HealthBot feature license attributes in the Features Summary table:

Attribute Description

Feature HealthBot feature license name.

Description Brief description of the HealthBot feature license.

License Limit The number of valid HealthBot licenses successfully added and available for
use.

HBOT-BASE—Maximum number is 1. This feature license is required for enabling

the licensed HealthBot capabilities.

HBOT-G1—Maximum number of G1 devices that can be managed by HealthBot

based on the HBOT-G1 feature licenses added.

HBOT-G2—Maximum number of G2 devices that can be managed by HealthBot

based on the HBOT-G2 feature licenses added.

Usage Count HBOT-BASE—Value must be 1 to enable the licensed HealthBot capabilities.

HBOT-G1—Number of G1 devices in use.

HBOT-G2—Number of G2 devices in use.

Valid Until Date and time when the license expires.

Compliance Color definitions for dot indicator:

Green—Feature licenses are in compliance with Juniper's End User License

Agreement.

Red—Feature licenses are not in compliance with Juniper's End User License
Agreement. Click on the red dot to view details about the compliance issue.

Licenses Added
The following table describes the HealthBot license attributes in the Licenses Added table. Click the caret
next to the License ID to view the features that are provided by the license ID.

Attribute Description

License ID Identification number for the HealthBot license generated through the Juniper
Agile Licensing Portal.

SKU Name Name of the HealthBot software licensing package.

 43

Attribute Description

Customer ID Identification name for the customer.

Order Type Types include: Commercial, demo, education, emergency, lab, and unknown.

Validity Type Types include: Date-based or permanent.

Start Date Start date of the HealthBot license.

End Date End date of the HealthBot license.

Feature ID Identification number for the feature license.

Feature Name HealthBot feature license name. For more information, see “Features Summary”
on page 42.

Feature Description Brief description of the HealthBot feature license.

License Count HBOT-BASE—Each HBOT-BASE feature license counts as one license.

HBOT-G1—Number of G1 devices that can be managed by HealthBot provided

by this feature license.

HBOT-G2—Number of G2 devices that can be managed by HealthBot provided

by this feature license.
2 PART

Software Licenses

Overview | 45

Licenses for Routing Devices | 95

Licenses for Switching Devices | 140

Licenses for Security Devices | 187

Licenses for Network Management | 277

Licenses for Contrail Service Orchestration | 303

Licenses for Steel-Belted Radius® Carrier | 313

 45

CHAPTER 2

Overview

IN THIS CHAPTER

Software License Overview | 45

Download and Activate Your Software | 54

Managing Licenses | 55

Software License Overview

IN THIS SECTION

Platforms Supported in the Licensing Guide | 45

Junos OS Feature Licenses | 46

License Enforcement | 47

Junos OS Feature License Keys | 48

Platforms Supported in the Licensing Guide

This guide describes how to install, manage, and monitor licenses on Juniper Networks devices.
Table 28 on page 45 shows the platforms supported in the licensing guide.

Table 28: Platforms Supported in the Licensing Guide

Category Platforms

Juniper Flex Program ACX5448-D and ACX5448-M, Contrail Enterprise Multicloud, cRPD, Contrail
Service Orchestration, cSRX, HealthBot, MPC10E, MX2K-MPC11E,
MX10K3-L2103, MX10K-LC2101 Line Cards and MX204 Routers, NFX350,
PTX10003, PTX10008 QFX5120-32C, QFX5120-48T, QFX5120-48Y,
QFX5200-32C-L, QFX5220-32CD, and QFX5220-128C, SRX Series Services
Gateways, and vSRX
 46

Table 28: Platforms Supported in the Licensing Guide (continued)

Category Platforms

Routing cRPD, M Series, MX Series, PTX Series, T Series, and vMX

Security SRX Series and vSRX

Switching EX Series, QFX Series, and QFabric System

Network Management Junos Space, Network and Security Manager (NSM), and J-Web Device Manager

Contrail Service Orchestration Contrail Service Orchestration (CSO)

Steel-Belted Radius Carrier Steel-Belted Radius (SBR) or OAC or IMS AAA (formerly Funk)

Junos OS Feature Licenses

Some Junos OS software features require a license to activate the feature. To enable a licensed feature,
you need to purchase, install, manage, and verify a license key that corresponds to each licensed feature.
To conform to Junos OS feature licensing requirements, you must purchase one license per feature per
device. The presence of the appropriate software license key on your device determines whether you are
eligible to configure and use the licensed feature.

To speed deployment of licensed features, Junos OS software implements an honor-based licensing

structure and provides you with a 30-day grace period to use a licensed feature without a license key
installed. The grace period begins when you configure the feature and your device uses the licensed feature
for the first time, but not necessarily when you install the license. After the grace period expires, the system
generates system log messages saying that the feature requires a license. To clear the error message and
use the licensed feature properly, you must install and verify the required license.

Data center customers, for example those using the QFX platform, use universal licenses. Starting in Junos
OS Release 15.1, to ensure that license keys are used properly, Juniper Networks license key generation
is enhanced to specify a customer ID in the license key. You can see the customer ID displayed in the
output of the show system license command.

For information about how to purchase software licenses, contact your Juniper Networks sales
representative.

SEE ALSO

Verifying Junos OS License Installation (CLI) | 64

show system license | 67
 47

License Enforcement

For features or scaling levels that require a license, you must install and properly configure the license to
meet the requirements for using the licensable feature or scale level. The device enables you to commit
a configuration that specifies a licensable feature or scale without a license for a 30-day grace period. The
grace period is a short-term grant that enables you to start using features in the pack or scale up to the
system limits (regardless of the license key limit) without a license key installed. The grace period begins
when the licensable feature or scaling level is actually used by the device (not when it is first committed).
In other words, you can commit licensable features or scaling limits to the device configuration, but the
grace period does not begin until the device uses the licensable feature or exceeds a licensable scaling
level.

Configurations might include both licensed and nonlicensed features. For these situations, the license is
enforced up to the point where the license can be clearly distinguished. For example, an authentication-order
configuration is shared by both Authentication, Authorization, and Accounting (AAA), which is licensed,
and by Layer 2 Tunneling Protocol (L2TP), which is not licensed. When the configuration is committed,
the device does not issue any license warnings, because it is not yet known whether AAA or L2TP is using
the configuration. However, at runtime, the device checks for a license when AAA authenticates clients,
but does not check when L2TP authenticates clients.

The device reports any license breach as a warning log message whenever a configuration is committed
that contains a feature or scale limit usage that requires a license. Following the 30-day grace period, the
device periodically reports the breach to syslog messages until a license is installed and properly configured
on the device to resolve the breach.

Successful commitment of a licensable feature or scaling configuration does not imply that the required
licenses are installed or not required. If a required license is not present, the system issues a warning
message after it commits the configuration.

SEE ALSO

Adding New Licenses (CLI Procedure) | 55

Deleting License Keys (CLI) | 61
Saving License Keys (CLI) | 66
Verifying Junos OS License Installation (CLI) | 64
 48

Junos OS Feature License Keys

IN THIS SECTION

License Key Components | 48

License Management Fields Summary | 48

Release-Tied License Keys and Upgrade Licenses on MX Series Routers | 50

Licensable Ports on MX5, MX10, and MX40 Routers | 51

Port Activation on MX104 Routers | 52

This section contains the following topics:

License Key Components

A license key consists of two parts:

• License ID—Alphanumeric string that uniquely identifies the license key. When a license is generated,
it is given a license ID.

• License data—Block of binary data that defines and stores all license key objects.

For example, in the following typical license key, the string XXXXXXXXXX is the license ID, and the trailing
block of data is the license data:

XXXXXXXXXX xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx

xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx
xxxxxx xxxxxx xxx

The license data defines the device ID for which the license is valid and the version of the license.

License Management Fields Summary

The Licenses page displays a summary of licensed features that are configured on the device and a list of
licenses that are installed on the device. The information on the license management page is summarized
in Table 29 on page 48.

Table 29: Summary of License Management Fields

Field Name Definition

Feature Summary
 49

Table 29: Summary of License Management Fields (continued)

Field Name Definition

Feature Name of the licensed feature:

• Features—Software feature licenses.

• All features—All-inclusive licenses

Licenses Used Number of licenses currently being used on the device. Usage is determined by the
configuration on the device. If a feature license exists and that feature is configured,
the license is considered used.

Licenses Installed Number of licenses installed on the device for the particular feature.

Licenses Needed Number of licenses required for legal use of the feature. Usage is determined by the
configuration on the device: If a feature is configured and the license for that feature
is not installed, a single license is needed.

Installed Licenses

ID Unique alphanumeric ID of the license.

State Valid—The installed license key is valid.

Invalid—The installed license key is not valid.

Version Numeric version number of the license key.

Group If the license defines a group license, this field displays the group definition.

If the license requires a group license, this field displays the required group definition.

Because group licenses are currently unsupported, this field is always blank.

Enabled Features Name of the feature that is enabled with the particular license.

Expiry Verify that the expiration information for the license is correct.

For Junos OS, only permanent licenses are supported. If a license has expired, it is
shown as invalid.

To speed deployment of licensed features, Juniper Networks implements an honor-based licensing structure
and provides you with a 30-day grace period to use a licensed feature without a license key installed. The
grace period begins when you configure the feature and your device uses the licensed feature for the first
time, but not necessarily when you install the license. After the grace period expires, the system generates
 50

system log messages saying that the feature requires a license. To clear the error message and use the
licensed feature properly, you must install and verify the required license.

Data center customers, for example those using the QFX platform, use universal licenses. Starting in Junos
OS Release 15.1, to ensure that license keys are used properly, Juniper Networks license key generation
is enhanced to specify a customer ID in the license key. You can see the customer ID displayed in the
output of the show system license command.

Release-Tied License Keys and Upgrade Licenses on MX Series Routers

The Junos OS licensing infrastructure currently associates a license feature with attributes such as date,
platform, and validity. In addition to these attributes, for MX Series routers running Junos OS Release 12.2
and later, a licensed feature can be associated with a release number at the time of generating the license
key. This type of release-tied license key is used to validate a particular licensed feature while attempting
a software upgrade. The upgrade process aborts if the release number in the license key is earlier than the
Junos OS release number to which the system is being upgraded.

Additionally, an upgrade license key can be generated for a release-tied licensed feature. An upgrade
license key is used for carrying forward a capacity license to the upgrade release. Although an upgrade
license might be an acceptable license on the current release, it does not add to the existing capacity limit.
The capacity added in the upgrade license key is valid for the upgrade software release only.

The release number embedded in the license key indicates the maximum release number up to which
Junos OS can be upgraded.

As an example, assume that your system is running Junos OS Release 12.2 and is using the scale-subscriber
licensed feature with a later release-tied upgrade license key installed. If you request a software upgrade
to the later release of Junos OS, the software upgrade operation fails and the following error message is
displayed:

mgd: error: No valid upgrade license found for feature 'scale-subscriber'.

Aborting Software upgrade.
Validation failed

In this example, to successfully upgrade to the later release of Junos OS, the release number included in
the upgrade license key should be greater than or equal to the later release number. Also, you can perform
software upgrades up to the previous release without any additional license keys to retain the existing
scale limit.

When you install a release-tied license, the following apply:

• You can purchase an upgrade capacity license only if a base capacity license for the same scale-tier has
already been generated or purchased.

• You cannot install an upgrade license if the capacity does not match any of the existing base capacity
licenses on the system.
 51

• The license installation fails when you install a lower release number license key on a higher software
release number.

• A release-tied license can be installed on a Junos OS release number that is lower than or equal to the
release number included in the license key. For example, a 12.2 license key is valid on Junos OS Release
12.1.

• An upgrade license is valid only on the target release number specified in the license key, but can be
installed on an earlier Junos OS release. For example, a 4 K scale-tier upgrade license for Junos OS
Release 12.2 can be installed on an earlier release, and the installed count of licenses remains unaltered.

• Release-tied licenses of the previous release are not deleted on upgrading Junos OS to a newer release
version.

Licensable Ports on MX5, MX10, and MX40 Routers

Starting with Junos OS Release 12.2, license keys are available to enhance the port capacity on MX5,
MX10, and MX40 routers up to the port capacity of an MX80 router. The MX5, MX10, and MX40 routers
are derived from the modular MX80 chassis with similar slot and port assignments, and provide all
functionality available on an MX80 router, but at a lower capacity. Restricting port capacity is achieved
by making a set of MIC slots and ports licensable. MICs without a license are locked, and are unlocked or
made usable by installing appropriate upgrade licenses.

The base capacity of a router is identified by the Ideeprom assembly ID (I2C ID), which defines the board
type. However, the Junos OS licensing infrastructure allows the use of restricted ports without a license
for a grace period of 30 days. After the grace period expires, the router reverts back to the base capacity
if no upgrade license is purchased and installed for the locked ports. The I2C ID along with an upgrade
license determine the final capacity of an MX5, MX10, or MX40 router.

The MX5, MX10, MX40, and MX80 routers support the following types of MICs:

• A built-in 10-Gigabit Ethernet MIC with four 10-Gigabit Ethernet ports

• Two front-pluggable MICs

A feature ID is assigned to every license upgrade for enhancing port capacity. Table 30 on page 52 displays
the chassis types and their associated port capacity, I2C ID, base capacity, feature ID, feature name, and
the final capacity after a license upgrade.
 52

Table 30: Upgrade Licenses for Enhancing Port Capacity

Feature
ID and
Chassis Port Feature
Type Capacity I2C ID Base Capacity Name Upgrade Capacity

MX5 20G 0x556 Slot 1 f1—MX5 Slot 1 and 2

to MX10
• 1/MIC0 upgrade • 1/MIC0
• 1/MIC1

MX10 40G 0x555 Slot 1 and 2 f2—MX10 Slot 2 and first 2 ports on Slot 0
to MX40
• 1/MIC0 upgrade • 1/MIC1
• 1/MIC1 • First 2 ports on 0/MIC0

MX40 60G 0x554 Slot 1, SLot 2 and first 2 f3—MX40 Slot 2 and all ports on Slot 0
ports on Slot 0 to MX80
upgrade • 1/MIC1
• 1/MIC0 • All 4 ports on 0/MIC0
• 1/MIC1
• First 2 ports on
0/MIC0

When installing an upgrade license for enhancing port capacity on MX5, MX10 and MX40 routers, consider
the following:

• To upgrade an MX5 router to MX80 router capacity, licenses for all three features (f1, f2, f3) must be
installed. All three features can be provided in a single license key.

• To upgrade an MX10 router to MX40 router capacity, installing a license key with f2 feature is sufficient.

• Non-applicable feature IDs in a license key reject the upgrade license. For example:

• An f1 feature ID on an MX10 upgrade license key rejects the license.

• Feature IDs f1 and f2 on an MX40 upgrade license key reject the entire license.

Port Activation on MX104 Routers

Starting with Junos OS Release 13.3, license keys are available to activate the ports on the MX104 router.
MX104 routers have four built-in ports. By default, in the absence of valid licenses, all four built-in ports
are deactivated. By installing licenses, you can activate any two of the four or all of the four built-in ports.
For instance, you can install a license to activate the first two built-in ports (xe-2/0/0 and xe-2/0/1) or
you can install a license to activate the next two built-in ports (xe-2/0/2 and xe-2/0/3). You can also install
a license to activate all four built-in ports (xe-2/0/0, xe-2/0/1, xe-2/0/2, and xe-2/0/3). If you have already
activated two of the built-in ports, you can install an additional license to activate the other two built-in
ports on the MX104 router.
 53

A feature ID is assigned to every license for activating the built-in ports on the MX104 router. The port
license model with the feature ID is described in Table 31 on page 53.

Table 31: Port Activation License Model for MX104 Routers

Feature ID Feature Name Functionality

F1 MX104 2X10G Port Activate (0 and 1) Ability to activate first two built-in ports (xe-2/0/0
and xe-2/0/1)

F2 MX104 2X10G Port Activate (2 and 3) Ability to activate next two built-in ports (xe-2/0/2
and xe-2/0/3)

Both the features are also provided in a single license key for ease of use. To activate all four ports, you
must either install the licenses for both the features listed in Table 31 on page 53 or the single license key
for both features. If you install the single license key when feature IDs F1 and F2 are already installed, the
license does not get rejected. Also, MX104 routers do not support the graceful license expiry policy. A
graceful license expiry policy allows the use of a feature for a certain period of time (usually a grace period
of 30 days), and reverts if the license for that feature is not installed after the grace period.

SEE ALSO

Updating License Keys (CLI) | 230

Release History Table

Release Description

15.1 Starting in Junos OS Release 15.1, to ensure that license keys are used properly, Juniper
Networks license key generation is enhanced to specify a customer ID in the license key.

RELATED DOCUMENTATION

Managing Licenses | 55
 54

Download and Activate Your Software

1. Gather your software serial number, and if activating additional capacity or features, gather your
activation codes.

Keep the software serial number in a safe place, as it is needed to identify your installation when you
contact Juniper Networks for support. Upon installation, this serial number is visible in your product.

• Software Serial Number: The serial number is a unique 14-digit number that Juniper uses to identify
your particular software installation. You can find the software serial number in the Software Serial
Number Certificate attached to the email that was sent when you ordered your Juniper Networks
software.

• Activation Code: The 16-digit alphanumeric activation code is sent through email in response to your
order and is used to generate license capacity / feature activation key(s) for your Juniper Networks
software. The activation code is used to generate your license activation key—it is not the license
activation key itself.

2. Download Software

Go to Juniper’s Support Downloads page. A Juniper Customer Support Center (CSC) user account is
needed to access support content. (If you do not already have an account, go to Login Assistance.)
Look for and click on your software’s product line and download the software

3. Install the software according to the instructions in the product documentation.

4. Generate and install license activation key(s).

Upon initial setup, a base activation key might be required to activate the software. If further capacity
or feature(s) were purchased and are being added to the software, each capacity increment and feature
needs to be added via another activation key. For the base activation key, gather the software serial
number. For additional capacity / feature key(s), gather the software serial number and the activation
code(s). Generate license activation keys using the Juniper Agile Licensing Portal. At the top of the
portal, enter your activation code, and click Activate. Then follow the instructions on screen. Juniper
provides license activation keys in one of two ways:

• Download: You can download activation keys from the Juniper Agile Licensing Portal.

• Email: You receive an email that contains the license activation key(s).

5. Obtain internet activation.

The software might need to contact the Juniper Agile Licensing Portal through the internet as part of
the activation sequence.
 55

Managing Licenses

IN THIS SECTION

Adding New Licenses (CLI Procedure) | 55

Deleting License Keys (CLI) | 61

Verifying Junos OS License Installation (CLI) | 64

Saving License Keys (CLI) | 66

show system license | 67

show system license (View) | 79

traceoptions (System License) | 83

request system license add | 85

request system license save | 87

request system license update | 89

request system license delete | 91

license | 92

license-type | 94

Adding New Licenses (CLI Procedure)

IN THIS SECTION

Installing a License Using a Configuration Statement | 56

Installing a License Using an Operational Command | 60

Before adding new licenses, complete the following tasks:

• Purchase the required licenses.

• Establish basic network connectivity with the router or switch. For instructions on establishing basic
connectivity, see the Getting Started Guide or Quick Start Guide for your device.

There are two ways to add licenses using the Junos OS CLI:
 56

• The system license keys key configuration statement enables you to configure and delete license keys
in a Junos OS CLI configuration file.

• The request system license add operational command installs a license through URL or using the license
file.

On QFabric systems, install your licenses in the default partition of the QFabric system and not on the
individual components (Node devices and Interconnect devices).

To add licenses, complete one of the following procedures:

Installing a License Using a Configuration Statement

IN THIS SECTION

Installing Licenses Using the CLI Directly | 56

Installing Licenses Using a Configuration File | 57

Starting with Junos OS Release 15.1, you can configure and delete license keys in a Junos OS CLI
configuration file. The system license keys key statement at the [edit] hierarchy level installs a license by
using a configuration statement.

The system license keys key configuration statement is not required to install a license. The operational
command request system license add installs a license immediately. But because the set system license
keys key command is a configuration statement, you can use it to install a license as part of a configuration
commit, either directly or by configuration file.

The license keys are validated and installed after a successful commit of the configuration file. If a license
key is invalid, the commit fails and issues an error message. You can configure individual license keys or
multiple license keys by issuing Junos OS CLI commands or by loading the license key configuration
contained in a file. All installed license keys are stored in the /config/license/ directory.

Select a procedure to install a license using configuration:

Installing Licenses Using the CLI Directly

To install an individual license key using the Junos OS CLI:

1. Issue the set system license keys key name statement.

The name parameter includes the license ID and the license key. For example:

[edit]
user@device# set system license keys key "JUNOS_TEST_LIC_FEAT xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx
xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx"
 57

To install multiple license keys in the Junos OS CLI, issue the set system license keys key name statement
for each license key to install. For example:

[edit]
user@device# set system license keys key "key_1"
set system license keys key "key_2"
set system license keys key "key_2"
set system license keys key "key_4"

2. Issue the commit command.

[edit]
user@device# commit
commit complete

3. Verify that the license key was installed.

For example:

user@device# run show system license

License usage:
Licenses Licenses Licenses Expiry
Feature name used installed needed
sdk-test-feat1 0 1 0 permanent

Licenses installed:
License identifier: JUNOS_TEST_LIC_FEAT
License version: 2
Features:
sdk-test-feat1 - JUNOS SDK Test Feature 1
permanent

Alternatively, you can issue the show system license command from operational mode.

Installing Licenses Using a Configuration File

Before you begin, prepare the configuration file. In this example, use the Unix shell cat command to write
the license.conf file:

1. Go to the shell.
 58

[edit]
user@device# exit
user@device> exit
%

2. Open the new license.conf file.

% cat > license.conf

3. Type the configuration information for the license key or keys:

• For a single license, for example, type the following content:

system {
license {
keys {
key "JUNOS_TEST_LIC_FEAT xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx
xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx";
}
}
}

• For multiple license keys, for example, type something like this:

system {
license {
keys {
key "key_1"
key "key_2"
key "key_3"
...
key "key_n"
}
}
}

4. Press Ctrl+d to save the file.

To install a license key configuration in a file:

1. Go to the CLI configuration mode.

 59

% cli
user@device> configure
[edit]
user@device#

2. Load and merge the license configuration file.

For example:

user@device# load merge license.conf

load complete

3. Issue the show | compare command to see the configuration.

For example:

[edit]
user@device# show | compare
[edit system]
+ license {
+ keys {
+ key "JUNOS_TEST_LIC_FEAT xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx
xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx";
+ }
+ }

4. Issue the commit command.

[edit]
user@device# commit

5. To verify that the license key was installed, issue the show system license command.

For example:

root@switch> show system license

License usage:
Licenses Licenses Licenses Expiry
Feature name used installed needed
 60

sdk-test-feat1 0 1 0 permanent

Licenses installed:
License identifier: JUNOS_TEST_LIC_FEAT
License version: 2
Features:
sdk-test-feat1 - JUNOS SDK Test Feature 1
permanent

Installing a License Using an Operational Command

IN THIS SECTION

Adding a License to a Device with a Single Routing Engine | 60

Adding a License to a Device with Dual Routing Engines | 61

Complete the procedure that relates to your system:

Adding a License to a Device with a Single Routing Engine

To add a new license key to the device using an operational command:

1. From the CLI operational mode, enter one of the following CLI commands:

• To add a license key from a file or URL, enter the following command, specifying the filename or the
URL where the key is located:

user@host> request system license add filename | url

• To add a license key from the terminal, enter the following command:

user@host> request system license add terminal

2. When prompted, enter the license key, separating multiple license keys with a blank line.

If the license key you enter is invalid, an error appears in the CLI output when you press Ctrl+d to exit
license entry mode.

3. Go on to “Verifying Junos OS License Installation (CLI)” on page 64.

 61

Adding a License to a Device with Dual Routing Engines

On routers that have graceful Routing Engine switchover (GRES) enabled, after successfully adding the
new license on the master Routing Engine, the license keys are automatically synchronized on the backup
Routing Engine as well. However, in case GRES is not enabled, the new license is added on each Routing
Engine separately. This ensures that the license key is enabled on the backup Routing Engine during
changeover of mastership between the Routing Engines.

To add a new license key to a router with dual Routing Engines without GRES:

1. After adding the new license key on the master Routing Engine, use the request chassis routing-engine
master switch command to have the backup Routing Engine become the master Routing Engine.

2. Log in to the active Routing Engine and add the new license key, repeat the same step.

Adding a license key to the router or switch might be delayed if a kernel resynchronization operation is in
progress at that time. The following message is displayed on the CLI when the license-adding operation
is about to be delayed:
A kernel re-sync operation is in progress. License update may take several minutes to complete.

SEE ALSO

Junos OS Feature Licenses | 46

Deleting License Keys (CLI)

IN THIS SECTION

Using the Operational Command to Delete Licenses | 61

Using a Configuration Command to Delete Licenses | 62

Before deleting a license, ensure that the features enabled by the license will not be needed.

You can use the request system license delete operational command, or the delete or deactivate
configuration command to delete a license:

Using the Operational Command to Delete Licenses

To delete licenses using the request system license delete command:

1. Display the licenses available to be deleted.

user@host> request system license delete license-identifier-list ?

 62

Possible completions:
E00468XXX4 License key identifier
JUNOS10XXX1 License key identifier
JUNOS10XXX2 License key identifier
JUNOS10XXX3 License key identifier
JUNOS10XXX4 License key identifier
[ Open a set of values

2. To delete a license key or keys from a device using the CLI operational mode, select one of the following
methods:

• Delete a single license by specifying the license ID. Using this option, you can delete only one license
at a time.

user@host> request system license delete license-identifier

• Delete all license keys from the device.

user@host> request system license delete all

• Delete multiple license keys from the device. Specify the license identifier for each key and enclose
the list of identifiers in brackets.

user@host> request system license delete license-identifier-list [JUNOS10XXX1 JUNOS10XXX3

JUNOS10XXX4 ...]

Delete license(s) ?
[yes,no] (no) yes

3. Verify the license was deleted by entering the show system license command.

Using a Configuration Command to Delete Licenses

Starting in Junos OS Release 16.1, to remove licenses from the configuration, you can use either the delete
or deactivate configuration command. The delete command deletes a statement or identifier, and all
subordinate statements and identifiers contained within the specified statement path are deleted with it.
The deactivate command adds the inactive: tag to a statement, effectively commenting out the statement
or identifier from the configuration. Statements or identifiers marked as inactive do not take effect when
you issue the commit command. To remove the inactive: tag from a statement, issue the activate command.
Statements or identifiers that have been activated take effect when you next issue the commit command.

The following procedure uses the delete command, but you could use the deactivate command as well.
 63

To delete one or all licenses using the delete command:

You can use the deactivate command instead of the delete command in this procedure.

1. Display the licenses available to be deleted.

Issue the run request system license delete license-identifier-list ? command from the configuration
mode of the CLI.

[edit]
user@host# run request system license delete license-identifier-list ?

A list of licenses on the device is displayed:

Possible completions:
E00468XXX4 License key identifier
JUNOS10XXX1 License key identifier
JUNOS10XXX2 License key identifier
JUNOS10XXX3 License key identifier
JUNOS10XXX4 License key identifier
[ Open a set of values

2. Delete the license or licenses you want.

• To delete a single license, for example:

[edit]
user@host# delete system license keys key “E00468XXX4”

• To delete all licenses, for example:

[edit]
user@host# delete system license keys

3. Commit the configuration by entering the commit command.

4. Verify the license was deleted by entering the show system license command.
 64

Verifying Junos OS License Installation (CLI)

IN THIS SECTION

Displaying Installed Licenses | 64

Displaying License Usage | 65

To verify Junos OS license management, perform the following tasks:

Displaying Installed Licenses

Purpose
Verify that the expected licenses are installed and active on the device.

Action
From the CLI, enter the show system license command.

Sample Output

user@host> show system license

License usage:
Licenses Licenses Licenses Expiry
Feature name used installed needed
subscriber-acct 0 1 0 permanent
subscriber-auth 0 1 0 permanent
subscriber-addr 0 1 0 permanent
subscriber-vlan 0 1 0 permanent
subscriber-ip 0 1 0 permanent
scale-subscriber 0 1000 0 permanent
scale-l2tp 0 1000 0 permanent
scale-mobile-ip 0 1000 0 permanent

Licenses installed:
License identifier: E000185416
License version: 2
Features:
subscriber-acct - Per Subscriber Radius Accounting
permanent
 65

subscriber-auth - Per Subscriber Radius Authentication

permanent
subscriber-addr - Address Pool Assignment
permanent
subscriber-vlan - Dynamic Auto-sensed Vlan
permanent
subscriber-ip - Dynamic and Static IP
permanent

Meaning
The output shows a list of the license usage and a list of the licenses installed on the device. Verify the
following information:

• Each license is present. Licenses are listed in ascending alphanumeric order by license ID.

• The state of each license is permanent.

A state of invalid indicates that the license key is not a valid license key. Either it was entered incorrectly
or it is not valid for the specific device.

• The feature for each license is the expected feature. The features enabled are listed by license. An
all-inclusive license has all features listed.

• All configured features have the required licenses installed. The Licenses needed column must show
that no licenses are required.

Displaying License Usage

Purpose
Verify that the licenses fully cover the feature configuration on the device.

Action
From the CLI, enter the show system license usage command.

Sample Output

user@host> show system license usage

Licenses Licenses Licenses Expiry

Feature name used installed needed
subscriber-addr 1 0 1 29 days
scale-subscriber 0 1000 0 permanent
 66

scale-l2tp 0 1000 0 permanent

scale-mobile-ip 0 1000 0 permanent

Meaning
The output shows any licenses installed on the device and how they are used. Verify the following
information:

• Any configured licenses appear in the output. The output lists features in ascending alphabetical order
by license name. The number of licenses appears in the third column. Verify that you have installed the
appropriate number of licenses.

• The number of licenses used matches the number of configured features. If a licensed feature is
configured, the feature is considered used. The sample output shows that the subscriber address pooling
feature is configured.

• A license is installed on the device for each configured feature. For every feature configured that does
not have a license, one license is needed.

For example, the sample output shows that the subscriber address feature is configured but that the
license for the feature has not yet been installed. The license must be installed within the remaining
grace period to be in compliance.

Saving License Keys (CLI)

To save the licenses installed on a device:

1. From operational mode, do one of the following tasks

• To save the installed license keys to a file or URL, enter the following command:

user@host> request system license save filename | url

For example, the following command saves the installed license keys to a file named license.config:

user@host>request system license save license.config

• To output installed license keys to the terminal, enter the following command:

user@host> request system license save terminal

 67

show system license

Syntax

show system license

<installed | key-content filename | keys | revoked-info | usage>

Release Information
Command introduced before Junos OS Release 7.4.
Command introduced in Junos OS Release 9.0 for EX Series switches.
Command introduced in Junos OS Release 11.1 for the QFX Series.
Command introduced in Junos OS Release 13.3 for the MX Series 5G Universal Routing Platform.
Customer ID added to output of data center users in Junos OS Release 15.1.
Corrected output for duration of license added in Junos OS Release 17.4R1.

Description
Display licenses and information about how they are used.

Options
none—Display all license information.

key-content filename—(Optional) Display license key contents of the specified filename.

installed—(Optional) Display installed licenses only.

keys—(Optional) Display a list of license keys. Use this information to verify that each expected license
key is present.

revoked-info—(Optional) Display information about revoked licenses.

usage—(Optional) Display the state of licensed features.

Required Privilege Level

maintenance

List of Sample Output

show system license (Virtual devices such as vMX and vSRX) on page 69
show system license on page 70
show system license installed on page 70
show system license keys on page 71
show system license usage on page 71
show system license (MX104 Routers) on page 71
show system license installed (MX104 Routers) on page 72
show system license keys (MX104 Routers) on page 72
show system license usage (MX104 Routers) on page 73
 68

show system license (MX104 Routers) on page 73

show system license installed (MX104 Routers) on page 74
show system license keys (MX104 Routers) on page 74
show system license usage (MX104 Routers) on page 74
show system license (MX104 Routers) on page 75
show system license installed (MX104 Routers) on page 75
show system license keys (MX104 Routers) on page 76
show system license usage (MX104 Routers) on page 76
show system license (QFX Series) on page 76
show system license (QFX5110 Switch with Disaggregated Feature License) on page 77
show system license key-content srx_1year_sub.lic on page 78

Output Fields
Table 32 on page 68 lists the output fields for the show system license command. Output fields are listed
in the approximate order in which they appear.

Table 32: show system license Output Fields

Field Name Field Description

Feature name Name assigned to the configured feature. You use this information to verify that all the features
for which you installed licenses are present.

Licenses used Number of licenses used by a router or switch. You use this information to verify that the
number of licenses used matches the number configured. If a licensed feature is configured,
the feature is considered used.

In Junos OS Release 10.1 and later, the Licenses used column displays the actual usage count
based on the number of active sessions or connections as reported by the corresponding
feature daemons. This is applicable for scalable license-based features such as Subscriber
Access (scale-subscriber), L2TP (scale-l2tp), Mobile IP (scale-mobile-ip), and so on.

Licenses installed Information about the installed license key:

• License identifier—Identifier associated with a license key.

• State—State of the license key:valid or invalid. An invalid state indicates that the key was
entered incorrectly or is not valid for the specific device.
• License version—Version of a license. The version indicates how the license is validated,
the type of signature, and the signer of the license key.
• Customer ID—Name of the customer license is for. Feature added as of Junos OS Release
15.1 for data center customers (for example QFX Series platform users).
• Valid for device—Device that can use a license key.
• Group defined—Group membership of a device.
• Features—Feature associated with a license, such as data link switching (DLSw).
 69

Table 32: show system license Output Fields (continued)

Field Name Field Description

Licenses needed Number of licenses required for features being used but not yet properly licensed.

Expiry Amount of time left within the grace period before a license is required for a feature being
used.

Sample Output
show system license (Virtual devices such as vMX and vSRX)
user@host> show system license

License usage:
Licenses Licenses Licenses Expiry
Feature name used installed needed
VMX-SCALE 0 1 0 permanent
VMX-BANDWIDTH 0 130000 0 permanent
mobile-next-DPI-base 0 1000 0 permanent
mobile-next-policy-prepaid-scaling 0 1000 0 permanent
mobile-next-http-app-scaling 0 1000 0 permanent
mobile-next-scaling 0 1000 0 permanent
logical-system 0 1 0 permanent
ax411-wlan-ap 0 2 0 permanent
dynamic-vpn 0 2 0 permanent
scale-mobile-ip 0 1000 0 permanent
scale-l2tp 0 1000 0 permanent
scale-subscriber 0 64010 0 permanent

Licenses installed:
License identifier: RMS818090001
License version: 1
Software Serial Number: AID000000001
Customer ID: LABJuniperTest
License count: 1
Features:
VMX-SCALE - Max scale supported by the VMX
date-based, 2017-03-15 05:30:00 IST - 2017-05-14 05:30:00 IST

License identifier: RMS818020001

License version: 1
 70

Software Serial Number: AID000000001

Customer ID: vMX-JuniperNetworks
License count: 1
Features:
VMX-SCALE - Max scale supported by the VMX
permanent
…

show system license

user@host> show system license

License usage:
Licenses Licenses Licenses Expiry
Feature name used installed needed
subscriber-accounting 2 2 0 permanent
subscriber-authentication 1 2 0 permanent
subscriber-address-assignment 2 2 0 permanent
subscriber-vlan 2 2 0 permanent
subscriber-ip 0 2 0 permanent
scale-subscriber 2 3 0 permanent
scale-l2tp 4 5 0 permanent
scale-mobile-ip 1 2 0 permanent

Licenses installed:
License identifier: XXXXXXXXXX
License version: 2
Customer ID: ACME CORPORATIOM
Features:
subscriber-accounting - Per Subscriber Radius Accounting
permanent
subscriber-authentication - Per Subscriber Radius Authentication
permanent
subscriber-address-assignment - Radius/SRC Address Pool Assignment
permanent
subscriber-vlan - Dynamic Auto-sensed Vlan
permanent
subscriber-ip - Dynamic and Static IP
permanent

show system license installed

user@host> show system license installed
 71

License identifier: XXXXXXXXXX

License version: 2
Features:
subscriber-accounting - Per Subscriber Radius Accounting
permanent
subscriber-authentication - Per Subscriber Radius Authentication
permanent
subscriber-address-assignment - Radius/SRC Address Pool Assignment
permanent
subscriber-vlan - Dynamic Auto-sensed Vlan
permanent
subscriber-ip - Dynamic and Static IP
permanent

show system license keys

user@host> show system license keys

XXXXXXXXXX xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx

xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx
xxxxxx xxxxxx xxx

show system license usage

user@host> show system license usage

License usage:
Licenses Licenses Licenses Expiry
Feature name used installed needed
subscriber-accounting 2 2 0 permanent
subscriber-authentication 1 2 0 permanent
subscriber-address-assignment 2 2 0 permanent
subscriber-vlan 2 2 0 permanent
subscriber-ip 0 2 0 permanent
scale-subscriber 2 3 0 permanent
scale-l2tp 4 5 0 permanent
scale-mobile-ip 1 2 0 permanent

show system license (MX104 Routers)

In the following output, ports 0 and 1 are activated by installing the license to activate the first two built-in
ports.
 72

user@host> show system license

License usage:
Licenses Licenses Licenses Expiry
Feature name used installed needed
scale-subscriber 0 1000 0 permanent
scale-l2tp 0 1000 0 permanent
scale-mobile-ip 0 1000 0 permanent
MX104-2x10Gig-port-0-1 0 1 0 permanent

Licenses installed:
License identifier: XXXXXXXXXX
License version: 2
Features:
MX104-2x10Gig-port-0-1 - MX104 2X10Gig Builtin Port(xe-2/0/0 & xe-2/0/1) upgrade

permanent

show system license installed (MX104 Routers)

In the following output, ports 0 and 1 are activated by installing the license to activate the first two built-in
ports.

user@host > show system license installed

License identifier: XXXXXXXXXX

License version: 2
Features:
MX104-2x10Gig-port-0-1 - MX104 2X10Gig Builtin Port(xe-2/0/0 & xe-2/0/1) upgrade

permanent

show system license keys (MX104 Routers)

In the following output, ports 0 and 1 are activated by installing the license to activate the first two built-in
ports.

user@host > show system license keys

XXXXXXXXXX xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx

xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx
xxxxxx xxxx
 73

show system license usage (MX104 Routers)

In the following output, ports 0 and 1 are activated by installing the license to activate the first two built-in
ports.

user@host > show system license usage

Licenses Licenses Licenses Expiry

Feature name used installed needed
scale-subscriber 0 1000 0 permanent
scale-l2tp 0 1000 0 permanent
scale-mobile-ip 0 1000 0 permanent
MX104-2x10Gig-port-0-1 0 1 0 permanent

show system license (MX104 Routers)

In the following output, ports 2 and 3 are activated by installing the license to activate the next two built-in
ports after installing the license to activate the first two built-in ports.

user@host > show system license

License usage:
Licenses Licenses Licenses Expiry
Feature name used installed needed
scale-subscriber 0 1000 0 permanent
scale-l2tp 0 1000 0 permanent
scale-mobile-ip 0 1000 0 permanent
MX104-2x10Gig-port-0-1 0 1 0 permanent
MX104-2x10Gig-port-2-3 0 1 0 permanent

Licenses installed:
License identifier: XXXXXXXXXX
License version: 2
Features:
MX104-2x10Gig-port-0-1 - MX104 2X10Gig Builtin Port(xe-2/0/0 & xe-2/0/1) upgrade

permanent

License identifier: XXXXXXXXXX

License version: 2
Features:
MX104-2x10Gig-port-2-3 - MX104 2X10Gig Builtin Port(xe-2/0/2 & xe-2/0/3) upgrade

permanent
 74

show system license installed (MX104 Routers)

In the following output, ports 2 and 3 are activated by installing the license to activate the next two built-in
ports after installing the license to activate the first two built-in ports.

user@host > show system license installed

License identifier: XXXXXXXXXX

License version: 2
Features:
MX104-2x10Gig-port-0-1 - MX104 2X10Gig Builtin Port(xe-2/0/0 & xe-2/0/1) upgrade

permanent

License identifier: XXXXXXXXXX

License version: 2
Features:
MX104-2x10Gig-port-2-3 - MX104 2X10Gig Builtin Port(xe-2/0/2 & xe-2/0/3) upgrade

permanent

show system license keys (MX104 Routers)

In the following output, ports 2 and 3 are activated by installing the license to activate the next two built-in
ports after installing the license to activate the first two built-in ports.

user@host > show system license keys

XXXXXXXXXX xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx

xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx
xxxxxx xxxx

XXXXXXXXXX xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx

xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx
xxxxxx xxxx

show system license usage (MX104 Routers)

In the following output, ports 2 and 3 are activated by installing the license to activate the next two built-in
ports after installing the license to activate the first two built-in ports.

user@host > show system license usage

 75

Licenses Licenses Licenses Expiry

Feature name used installed needed
scale-subscriber 0 1000 0 permanent
scale-l2tp 0 1000 0 permanent
scale-mobile-ip 0 1000 0 permanent
MX104-2x10Gig-port-0-1 0 1 0 permanent
MX104-2x10Gig-port-2-3 0 1 0 permanent

show system license (MX104 Routers)

In the following output, ports 0,1,2, and 3 are activated by installing a single license key to activate all four
built-in ports.

user@host > show system license

License usage:
Licenses Licenses Licenses Expiry
Feature name used installed needed
scale-subscriber 0 1000 0 permanent
scale-l2tp 0 1000 0 permanent
scale-mobile-ip 0 1000 0 permanent
MX104-2x10Gig-port-0-1 0 1 0 permanent
MX104-2x10Gig-port-2-3 0 1 0 permanent

Licenses installed:
License identifier: XXXXXXXXXX
License version: 2
Features:
MX104-2x10Gig-port-0-1 - MX104 2X10Gig Builtin Port(xe-2/0/0 & xe-2/0/1) upgrade

permanent
MX104-2x10Gig-port-2-3 - MX104 2X10Gig Builtin Port(xe-2/0/2 & xe-2/0/3) upgrade

permanent

show system license installed (MX104 Routers)

In the following output, ports 0,1,2, and 3 are activated by installing a single license key to activate all four
built-in ports.

user@host > show system license installed

 76

License identifier: XXXXXXXXXX

License version: 2
Features:
MX104-2x10Gig-port-0-1 - MX104 2X10Gig Builtin Port(xe-2/0/0 & xe-2/0/1) upgrade

permanent
MX104-2x10Gig-port-2-3 - MX104 2X10Gig Builtin Port(xe-2/0/2 & xe-2/0/3) upgrade

permanent

show system license keys (MX104 Routers)

In the following output, ports 0,1,2, and 3 are activated by installing a single license key to activate all four
built-in ports.

user@host > show system license keys

XXXXXXXXX xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx

xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx
xxxxxx xxxxxx x

show system license usage (MX104 Routers)

In the following output, ports 0,1,2, and 3 are activated by installing a single license key to activate all four
built-in ports.

user@host > show system license usage

Licenses Licenses Licenses Expiry

Feature name used installed needed
scale-subscriber 0 1000 0 permanent
scale-l2tp 0 1000 0 permanent
scale-mobile-ip 0 1000 0 permanent
MX104-2x10Gig-port-0-1 0 1 0 permanent
MX104-2x10Gig-port-2-3 0 1 0 permanent

show system license (QFX Series)

user@switch> show system license

License usage:
Licenses Licenses Licenses Expiry
 77

Feature name used installed needed

qfx-edge-fab 1 1 1 permanent
Licenses installed:
License identifier: JUNOS417988
License version: 1
Features:
qfx-edge-fab - QFX3000 Series QF/Node feature license
permanent

show system license (QFX5110 Switch with Disaggregated Feature License)

user@switch> show system license

License usage:
Licenses Licenses Licenses Expiry
Feature name used installed needed
bgp 0 1 0 2017-07-05
00:00:00 UTC
isis 0 1 0 2017-07-05
00:00:00 UTC
vxlan 0 1 0 2017-07-05
00:00:00 UTC
ovsdb 0 1 0 2017-07-05
00:00:00 UTC
jbs1 0 1 0 2017-07-02
00:00:00 UTC
upgrade1 0 1 0 2017-07-05
00:00:00 UTC

Licenses installed:
License identifier: JUNOS797095
License version: 4
Software Serial Number: 91730A00223925
Customer ID: Juniper
Features:
JUNOS-BASE-SERVICES-CLASS-1 - QFX Junos Base Services license for Class 1 HW
date-based, 2016-07-01 00:00:00 UTC - 2017-07-02 00:00:00 UTC

License identifier: JUNOS797646

License version: 4
Software Serial Number: 91730A00224207
Customer ID: Juniper
Features:
CLASS-1-JUNOS-BASE-ADVANCED-UPGRADE - Class 1 Junos Base to Advanced Services
 78

Upgrade
date-based, 2016-07-04 00:00:00 UTC - 2017-07-05 00:00:00 UTC

{master:0}

show system license key-content srx_1year_sub.lic

License Key Content:

License Id: LICENSE-1
License version: 4
Valid for device: CW2716AF0740
Features:
idp-sig - IDP Signature
date-based, 2016-07-03 00:00:00 GMT - 2017-07-03 00:00:00 GMT
 79

show system license (View)

Syntax

show system license

<installed | keys | status | usage>

Release Information
Command introduced in Junos OS Release 9.5. Logical system status option added in Junos OS Release
11.2.

Description
Display licenses and information about how licenses are used.

Options
none—Display all license information.

installed—(Optional) Display installed licenses only.

keys—(Optional) Display a list of license keys. Use this information to verify that each expected license
key is present.

status—(Optional) Display license status for a specified logical system or for all logical systems.

usage—(Optional) Display the state of licensed features.

Required Privilege Level

view

SEE ALSO

Adding New Licenses (CLI Procedure) | 55

List of Sample Output

show system license on page 80
show system license installed on page 81
show system license keys on page 81
show system license usage on page 82
show system license status logical-system all on page 82

Output Fields
Table 33 on page 80 lists the output fields for the show system license command. Output fields are listed
in the approximate order in which they appear.
 80

Table 33: show system license Output Fields

Field Name Field Description

Feature name Name assigned to the configured feature. You use this information to verify that all the features
for which you installed licenses are present.

Licenses used Number of licenses used by the device. You use this information to verify that the number of
licenses used matches the number configured. If a licensed feature is configured, the feature
is considered used.

Licenses installed Information about the installed license key:

• License identifier—Identifier associated with a license key.

• License version—Version of a license. The version indicates how the license is validated,
the type of signature, and the signer of the license key.
• Valid for device—Device that can use a license key.
• Features—Feature associated with a license.

Licenses needed Number of licenses required for features being used but not yet properly licensed.

Expiry Time remaining in the grace period before a license is required for a feature being used.

Logical system Displays whether a license is enabled for a logical system.

license status

Sample Output
show system license
user@host> show system license

License usage:
Licenses Licenses Licenses Expiry
Feature name used installed needed
av_key_kaspersky_engine 1 1 0 2012-03-30
01:00:00 IST
wf_key_surfcontrol_cpa 0 1 0 2012-03-30
01:00:00 IST
dynamic-vpn 0 1 0 permanent
ax411-wlan-ap 0 2 0 permanent
 81

Licenses installed:
License identifier: JUNOS301998
License version: 2
Valid for device: AG4909AA0080
Features:
av_key_kaspersky_engine - Kaspersky AV
date-based, 2011-03-30 01:00:00 IST - 2012-03-30 01:00:00 IST

License identifier: JUNOS302000

License version: 2
Valid for device: AG4909AA0080
Features:
wf_key_surfcontrol_cpa - Web Filtering
date-based, 2011-03-30 01:00:00 IST - 2012-03-30 01:00:00 IST

show system license installed

user@host> show system license installed

License identifier: JUNOS301998

License version: 2
Valid for device: AG4909AA0080
Features:
av_key_kaspersky_engine - Kaspersky AV
date-based, 2011-03-30 01:00:00 IST - 2012-03-30 01:00:00 IST

License identifier: JUNOS302000

License version: 2
Valid for device: AG4909AA0080
Features:
wf_key_surfcontrol_cpa - Web Filtering
date-based, 2011-03-30 01:00:00 IST - 2012-03-30 01:00:00 IST

show system license keys

user@host> show system license keys

XXXXXXXXXX xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx

xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx
xxxxxx xxxxxx xxx
 82

show system license usage

user@host> show system license usage

Licenses Licenses Licenses Expiry

Feature name used installed needed
av_key_kaspersky_engine 1 1 0 2012-03-30
01:00:00 IST
wf_key_surfcontrol_cpa 0 1 0 2012-03-30
01:00:00 IST
dynamic-vpn 0 1 0 permanent
ax411-wlan-ap 0 2 0 permanent

show system license status logical-system all

user@host> show system license status logical-system all

Logical system license status:

logical system name license status

root-logical-system enabled
LSYS0 enabled
LSYS1 enabled
LSYS2 enabled
 83

traceoptions (System License)

Syntax

traceoptions {
file {
filename;
files number;
match regular-expression;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;
no-remote-trace;
}

Hierarchy Level

[edit system license]

Release Information
Statement introduced in Junos OS Release 8.5 for SRX Series and vSRX.
Statement introduced in Junos OS Release 14.1X53-D10 for EX Series and QFX Series.
Statement introduced in Junos OS Release 15.1 for M Series, MX Series, and T Series.

Description
Set trace options for licenses.

Options
file—Configure the trace file information.

filename—Name of the file to receive the output of the tracing operation. Enclose the name within
quotation marks. All files are placed in the directory /var/log. By default, the name of the file is
the name of the process being traced.

files number—Maximum number of trace files. When a trace file named trace-file reaches its maximum
size, it is renamed trace-file.0, then trace-file.1, and so on, until the maximum number of trace
files is reached. Then the oldest trace file is overwritten.

If you specify a maximum number of files, you also must specify a maximum file size with the size
maximum file-size option.
Range: 2 through 1000 files
Default: 10 files
 84

match regular-expression—Refine the output to include lines that contain the regular expression.

size size—Maximum size of each trace file, in kilobytes (KB), megabytes (MB), or gigabytes (GB). If you
specify a maximum file size, you also must specify a maximum number of trace files with the files
number option.
Range: 10 KB through 1 GB
Default: 128 KB

world-readable | no-world-readable—By default, log files can be accessed only by the user who
configures the tracing operation. The world-readable option enables any user to read the file. To
explicitly set the default behavior, use the no-world-readable option.

flag flag—Specify which tracing operation to perform. To specify more than one tracing operation, include
multiple flag statements. You can include the following flags.

• all—Trace all operations.

• config—Trace license configuration processing.

• events—Trace licensing events and their processing.

no-remote-trace—Disable the remote tracing.

Required Privilege Level

trace—To view this statement in the configuration.
trace-control—To add this statement to the configuration.
 85

request system license add

Syntax

request system license add (filename | terminal)

Release Information
Command introduced before Junos OS Release 7.4.
Command introduced in Junos OS Release 9.0 for EX Series switches.
Command introduced in Junos OS Release 9.5 for SRX Series devices.
Command introduced in Junos OS Release 11.1 for the QFX Series.
Added additional information section on XML RPC in Junos OS Release 17.4.

Description
Adding a license key to the Junos OS devices to activate the feature.

Starting in Junos OS Release 18.3R1, the display xml rpc CLI option is supported for request system license
add and request system license save commands while installing licenses on Juniper Networks devices.

Options
filename—License key from a file or URL. Specify the filename or the URL where the key is located.

terminal—License key from the terminal.

Additional Information
The | display xml rpc filter returns “xml rpc equivalent of this command is not available,” the following RPC
is supported for license installation:

The following RPC is supported for license installation:

<rpc>
<request-license-add>
<key-data> key </key-data>
</request-license-add>
</rpc>

Where key-data is the license key data.

<rpc>
<request-license-add>
<filename> key-file </filename>
</request-license-add>
</rpc>
 86

Where source is the URL of the source license key file.

Required Privilege Level

maintenance

List of Sample Output

request system license add on page 86

Output Fields
When you enter this command, you are provided feedback on the status of your request.

Sample Output
request system license add
user@host> request system license add terminal

XXXXXXXXXX xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx

xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx
xxxxxx xxxxxx xxx
XXXXXXXXXX: successfully added
add license complete (no errors)
 87

request system license save

Syntax

request system license save (filename | terminal)

Release Information
Command introduced before Junos OS Release 7.4.
Command introduced in Junos OS Release 9.0 for EX Series switches.
Command introduced in Junos OS Release 11.1 for the QFX Series.
Command introduced in Junos OS Release 9.5 for SRX Series devices.
Added additional information section on XML RPC in Junos OS Release 17.4.

Description
Save installed license keys to a file or URL.

Starting in Junos OS Release 18.3R1, the display xml rpc CLI option is supported for request system license
add and request system license save commands while installing licenses on Juniper Networks devices.

Options
filename—License key from a file or URL. Specify the filename or the URL where the key is located.

terminal—License key from the terminal.

Additional Information
The following RPC is supported for saving installed license keys to a file or URL:

<rpc>
<request-license-save>
<filename>destination</filename>
</request-license-save>
</rpc>

Where destination is the URL of the destination license key file.

Required Privilege Level

maintenance

List of Sample Output

request system license save on page 88

Output Fields
When you enter this command, you are provided feedback on the status of your request.
 88

Sample Output
request system license save
user@host> request system license save ftp://user@host/license.conf
 89

request system license update

Syntax

request system license update

Release Information
Command introduced in Junos OS Release 9.5.

Description
Starts autoupdating license keys from the license portal.

• The request system license update command always uses the default Juniper license server:
https://ae1.juniper.net/.

• The request system license update command is supported only on SRX, vSRX, and QFX Series devices.

The products supported by the Juniper Agile Licensing (JAL) portal includes: QFX series, SRX Series, EX
Series, NFX, vBNG, vMX, vSRX, and ACX. For other Juniper products (SPACE, JSA, SBR Carrier, Screen
OS and so on) access the License Management System (LMS).

Options
trial—Immediately updates trial license keys from the license portal.

Required Privilege Level

maintenance

List of Sample Output

request system license update on page 89
request system license update trial on page 90

Output Fields
When you enter this command, you are provided feedback on the status of your request.

Sample Output
request system license update
user@host> request system license update

Trying to update license keys from https://ae1.juniper.net has been sent, use show
system license to check status.
 90

request system license update trial

user@host> request system license update trial

Request to automatically update trial license keys from https://ae1.juniper.net

has been sent, use show system license to check status.
 91

request system license delete

Syntax

request system license delete ( license-identifier | license-identifier-list [ licenseid001 licenseid002 licenseid003 ] | all
)

Release Information
Command introduced before Junos OS Release 7.4.
Command introduced in Junos OS Release 9.0 for EX Series switches.
Command introduced in Junos OS Release 11.1 for the QFX Series.
Option license-identifier-list introduced in Junos OS Release 13.1.

Description
Delete a license key. You can choose to delete one license at a time, all licenses at once, or a list of license
identifiers enclosed in brackets.

Options
license-identifier—Text string that uniquely identifies a license key.

license-identifier-list [ licenseid001 licenseid002 licenseid003....]—Delete multiple license identifiers as a

list enclosed in brackets.

all—Delete all licenses on the device.

Required Privilege Level

maintenance
 92

license

Syntax

license {
autoupdate {
url url <password password>;
}
keys {
key key
}
renew {
before-expiration number;
interval interval-hours;
}
traceoptions (System License) {
file {
filename;
files number;
match regular-expression;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;
no-remote-trace;
}
}

Hierarchy Level

[edit system]

Release Information
Statement introduced in Junos OS Release 8.5 for SRX Series and vSRX.
Options keys introduced in Junos OS Release 14.1X53-D10.
Statement introduced in Junos OS Release 14.1X53-D10 for EX Series and QFX Series, with option keys
included.
Statement introduced in Junos OS Release 15.1 for M Series, MX Series, PTX Series, and T Series, with
option keys included.

Description
Specify license information for the device.

Options
 93

autoupdate—Autoupdate license keys from license servers.

before-expiration number—License renewal lead time before expiration, in days.

Range: 0 through 60 days

interval interval-hours—License checking interval, in hours.

Range: 1 through 336 hours

keys key key—Configure one or more license keys. For example,

[edit]
user@device# set system license keys key "key_1"
user@device# set system license keys key "key_2"
user@device# set system license keys key "key_3"
user@device# set system license keys key "key_4"
user@device# commit
commit complete

renew—License renewal lead time and checking interval.

url—URL of a license server.

The remaining statements are explained separately. See CLI Explorer.

Required Privilege Level

system—To view this statement in the configuration.
system-control—To add this statement to the configuration.
 94

license-type

Syntax

license-type license deployment-scope [ deployments ];

Hierarchy Level

[edit system extensions providersprovider-id]

Release Information
Statement introduced in Junos OS Release 11.1 for FX Series switches.

Description
Configure the license type and the scope of SDK application deployment.

Options
license—Type of license. Obtain correct value from the application’s provider.

deployment—Scope of SDK application deployment. You can configure a set of deployments. Obtain correct
value from the application’s provider.

Required Privilege Level

admin—To view this statement in the configuration.
admin-control—To add this statement to the configuration.
 95

CHAPTER 3

Licenses for Routing Devices

IN THIS CHAPTER

Licenses for ACX Series | 95

Licenses for PTX, MX, M and T Series | 96

Licenses for vMX | 127

License Configuration | 133

Licenses for ACX Series

IN THIS SECTION

Software Features Requiring Licenses on ACX5448-D and ACX5448-M Routers | 95

Software Features Requiring Licenses on ACX5448-D and ACX5448-M Routers

Each feature license is tied to one software feature, and that license is valid for one device. Each license
allows you to run the specified software features on a single device.

Table 34 on page 96 lists the licensed features that you can purchase for ACX5448-D and ACX5448-M
Series Universal Metro Routers.
 96

Table 34: Junos OS Feature License Model Number for ACX5448-D and ACX5448-M Series Universal
Metro Routers

License
Supported Device Licenses Software Feature Model Scale Model Number

ACX5448-D and IP, MPLS, timing, CoS, E-OAM, Advanced 32 L3VPN and S-ACX-400G-A-1
ACX5448-M telemetry, RFC2544 8 NG-MVPN
S-ACX-400G-A-3

S-ACX-400G-A-5

ACX5448-D and All advanced software Premium Full-scale S-ACX-400G-P-1

ACX5448-M subscription license features
S-ACX-400G-P-3
with full-scale.

S-ACX-400G-P-5

Licenses for PTX, MX, M and T Series

IN THIS SECTION

Software Features That Require Licenses on M Series, MX Series, and T Series Routers | 96

Software Features That Require Licenses on MX Series Routers Only | 100

Software Features That Require Licenses on M Series Routers Only | 110

License Modes for PTX Series Routers | 111

License Modes for Enhanced MPCs Overview | 113

Configuring the License Mode for Specific Enhanced MPCs on MX Series Routers | 114

Example: Configuring the License Mode for MPC5E | 115

Junos OS Feature License Keys | 121

Subscriber Access Licensing Overview | 124

Address-Assignment Pools Licensing Requirements | 126

Software Features That Require Licenses on M Series, MX Series, and T Series Routers

Table 35 on page 97 lists the licenses you can purchase for each M Series, MX Series, and T Series software
feature. Each license allows you to run the specified software feature on a single device.
 97

The DHCP server functionality for Junos OS is part of the subscriber management feature. You must have
the S-SA-FP, S-MX80-SA-FP or S-MX104-SA-FP license in order to enable the DHCP server. For service
accounting, you must also have S-SSM-FP.

For information about how to purchase a software license, contact your Juniper Networks sales
representative at https://www.juniper.net/in/en/contact-us/.

Table 35: Junos OS Feature License Model Number for M Series, MX Series, and T Series Routers

Licensed Software Feature Supported Devices Model Number

Generalized Multiprotocol Label M10i, M7i, M120, M160, M20, M320, M40e, JS-GMPLS
Switching (GMPLS) Support on Junos OS T320, T640, and MX Series Routers

IPv6 Support on Junos OS M120, M160, M20, M320, M40e, T320, T640, JS-IPv6
and MX Series Routers

Logical Router Support for Junos OS M10i, M120, M160, M20, M320, M40e, M7i, JS-LR
T320, T640, and MX Series Routers

J-Flow accounting license for Adaptive M10i, M120, M160, M20, M320, M40e, M7i, S-ACCT
Services (AS) PIC and Multiservices PIC T320, M10, M5, T640, and T1600

Chassis license for Application Traffic MX104, MX240, MX480, MX960, M Series, S-ATO
Optimization service, policy enforcement and T Series Routers
and application statistics. This license
includes S-AI and S-LDPF fucntionality
and 1-year Signature Subscription License

Software License for Passive Monitoring M320, T640, T320, T1600 S-COLLECTOR-100K
Flow Collector Application, supporting
100 Kpps throughput; Chassis based
license for Multiservices PIC

License to use Compressed Real-Time M10i, M120, M160, M20, M320, M40e, M7i, S-CRTP
Transport Protocol (CRTP) feature in AS T320, M10, M5, T640, and T1600
PIC and Multiservices PIC

Software License for Passive Monitoring M320, T640, T320, and T1600 S-DFC-100K
DFC Application, supporting 100Kpps
throughput; Chassis based license for
Multiservices PIC

Security Services license for AS PIC and M10i, M7i, M5, M120, M160, M20, M320, S-ES
Multiservices PIC M40e, T320, T640, M10, and T1600
 98

Table 35: Junos OS Feature License Model Number for M Series, MX Series, and T Series Routers (continued)

Licensed Software Feature Supported Devices Model Number

Chassis license for IDP service, policy MX104, MX240, MX480, MX960, M Series, S-IDP
enforcement. This license includes S-AI and T Series Routers
and S-LDPF fucntionality and 1-year
Signature Subscription License

Junos-FIPS Software License M10i, M7i, M320, M40e, T320, and T640 S-JUNOS-FIPS

Link Services Software License—up to M5, M7i, M10, M10i, M20, M40e, M120, S-LSSL-1023
1023 ML bundles per Chassis for M320, T320, T640, T1600, MX240, MX480,
Multiservices PIC and Multiservices and MX960
Dense Port Concentrator (DPC)

Link Services Software Ugrade M5, M7i, M10, M10i, M20, M40e, M120, S-LSSL-1023-UPG
License—from 255 to 1023 ML bundles M320, T320, T640, T1600, MX240, MX480,
per Chassis for Multiservices PIC and and MX960
Multiservices DPC

Link Services Software Ugrade M5, M7i, M10, M10i, M20, M40e, M120, S-LSSL-255-UPG
License—from 64 to 255 ML bundles per M320, T320, T640, T1600, MX240, MX480,
Chassis for AS PIC, Multiservices PIC, and and MX960
Multiservices DPC

Link Services Software License—up to M10, M7i, M5, M120, M20, M320, M40e, S-LSSL-256
255 ML bundles per Chassis for AS PIC, T320, T640, M10i, T1600, MX240, MX480,
Multiservices PIC, and Multiservices DPC and MX960

Link Services Software License—up to 4 M10i, M120, M20, M320, M40e, M7i, T320, S-LSSL-4
ML bundles per Chassis for AS PIC, M10, M5, T640, T1600, MX240, MX480, and
Multiservices PIC, and Multiservices DPC MX960

Link Services Software License—up to 64 M10, M7i, M5, M120, M20, M320, M40e, S-LSSL-64
ML bundles per Chassis for AS PIC, MS T320, T640, M10i, T1600, MX240, MX480,
PIC and MS DPC and MX960

Link Services Software Upgrade M5, M7i, M10, M10i, M20, M40e, M120, S-LSSL-64-UPG
License—from 4 to 64 ML bundles per M320, T320, T640, T1600, MX240, MX480,
Chassis for AS PIC, Multiservices PIC, and and MX960
Multiservices DPC
 99

Table 35: Junos OS Feature License Model Number for M Series, MX Series, and T Series Routers (continued)

Licensed Software Feature Supported Devices Model Number

Software License for Passive Monitoring M320, T640, T320, and T1600 S-MONITOR-1M
Flow Monitor Application, supporting 1M
flows. Chassis based license for
Multiservices PIC

Network Address Translation (NAT), FW M10, M7i, M5, M120, M160, M20, M320, S-NAT-FW-MULTI
license on AS PIC and Multiservices PIC: M40e, T320, T640, M10i, and T1600
Multi-instance

NAT, FW license on AS PIC and M10, M7i, M5, M120, M160, M20, M320, S-NAT-FW-SINGLE
Multiservices PIC: Single-instance M40e, T320, T640, M10i, and T1600

Software license for Packet trigger MX240, MX480, MX960, M120, and M320 S-PTSP
subscriber policy

Subscriber Access Feature Pack License MX104, MX240, MX480, MX960, M120, and S-SA-128K
Scaling (128000) M320

Subscriber Access Feature Pack License MX104, MX240, MX480, MX960, M120, and S-SA-32K
Scaling (32000) M320

Subscriber Access Feature Pack License MX104, MX240, MX480, MX960, M120, S-SA-4K
Scaling (4000) M320, and MX80

Subscriber Access Feature Pack License MX104, MX240, MX480, MX960, M120, and S-SA-64K
Scaling (64000) M320

Subscriber Access Feature Pack License MX104, MX240, MX480, MX960, M120, S-SA-8K
Scaling (8000) M320, and MX80

Subscriber Access Feature Pack License MX104, MX240, MX480, MX960, M120, and S-SA-96K
Scaling (96000) M320

Subscriber Access Feature Pack license MX104, MX240, MX480, MX960, M120, and S-SA-FP
M320

Stateful Failover for Services on AS PIC M10, M7i, M5, M120, M160, M20, M320, S-SERVICES-SFO
and Multiservices PIC: Multilink PPP M40e, T320, T640, M10i, and T1600
(MLPPP) only
 100

Table 35: Junos OS Feature License Model Number for M Series, MX Series, and T Series Routers (continued)

Licensed Software Feature Supported Devices Model Number

Subscriber Service Management Feature MX104, MX240, MX480, MX960, M120, and S-SSM-FP
Packet License (RADIUS/SRC based M320
Service Activation and Deactivation)
Per-Service Accounting Features for
Subscribers

Subscriber Traffic Lawful Intercept MX240, MX480, MX960, M120, M320, and S-SSP-FP
Feature Pack License MX80

Software license for application aware MX240, MX480, MX960, M120, and M320 S-TFDIRECT-APP
traffic direct feature

Software license for subscriber aware MX240, MX480, MX960, M120, and M320 S-TFDIRECT-SUB
traffic direct feature

Video Services Feature Pack license M120, M320, MX80, MX104, MX240, MX480, S-VIDEO-FP
and MX960

Port capacity enhancement Feature Pack MX5 mx5-to-mx10-upgrade

License for MX5 routers

Port capacity enhancement Feature Pack MX10 mx10-to-mx40-upgrade

License for MX10 routers

Port capacity enhancement Feature Pack MX40 mx40-to-mx80-upgrade

License for MX40 routers

Software Features That Require Licenses on MX Series Routers Only

Table 36 on page 102 lists the licenses you can purchase for each MX Series software feature. Each license
allows you to run the specified software feature on a single device.

• This is not a complete list of licenses. Contact your Juniper Networks representative for license
information.

• License is not required to use NAT feature on MX150, MX204, and MX10003 routers.

For information about how to purchase a software license, contact your Juniper Networks sales
representative at https://www.juniper.net/in/en/contact-us/.
 101

The DHCP server functionality for Junos OS is part of the subscriber management feature. You must have
the S-SA-FP, S-MX80-SA-FP or S-MX104-SA-FP license in order to enable the DHCP server. For service
accounting, you must also have S-SSM-FP.

Starting in Junos OS Release 16.1R1, after the completion of the 30 day grace period, DHCP bindings on
MX series devices are limited to 10. This counts against broadband scale licenses S-MX104-SA-FP and
S-SA-4K.

Licensing details for DHCP Relay Configurations—If processing dhcp-relay relay-option-82 is not required,
then configure the forward-only statement under the [edit forwarding-options dhcp-relay relay-option
(default-action | equals | starts-with)] hierarchy-level instead of configuring dhcp-relay directly. The
forward-only DHCP Relay configurations do not require the S-SA-FP / S-MX80-SA-FP / S-MX104-SA-FP
license to be installed. Also, configuring forward-only DHCP Relay assumes that the peer DHCP server is
capable of returning relay-option-82 attributes originally sent via the DHCP Relay.

Subscriber Access Feature Pack (SKUs - S-SA-FP, S-MX80-SA-FP, and S-MX104-SA)

• Per subscriber RADIUS accounting (time and volume based) – require SSM for per service accounting

• RADIUS-based authentication and authorization

• Subscriber configuration through client profiles at subscriber login

• You require the S-SSM-FP SKU to change variable values within client profiles through radius grant or
access accept, COA or RID, and SRC

• RADIUS and SDX based address pool management

• Static and dynamic IP management

• Dynamic auto-sensed VLANs

• Video edge services (S-SA-FP SKU is the superset and the S-VIDEO-FP SKU is not required)

Subscriber Services Management Feature Pack (SKUs - S-SSM-FP, S-MX80-SSM-FP, and

S-MX104-SSM-FP)

• Per service RADIUS accounting (time and volume based)

• Activate or deactivate service profiles at subscriber login through the RADIUS grants or access accepts
(services activation and deactivation VSAs) or changes to existing sessions through the RADIUS COA
or RID, or SRC

• Parameterization of service profiles

• ANCP QoS adjustment based on synchronization rate through ANCP

 102

Table 36: Junos OS Feature License Model Number for MX Series Routers

Licensed Software Feature Supported Devices Model Number

Upgrade license—from MX80 MX80-10G40G-UPG-ADV-B

MX80-10G-ADV to MX80-40G-ADV

Upgrade license—from MX80-10G MX80 MX80-10G40G-UPG-B

to MX80-40G

Upgrade license—from MX80 MX80-40G-UPG-ADV-B

MX80-40G-ADV to full MX80

Upgrade license—from MX80-40G MX80 MX80-40G-UPG-B

to full MX80

Upgrade license-–from MX80 MX80-5G10G-UPG-ADV-B

MX80-5G-ADV to MX80-10G-ADV

Upgrade license—from MX80-5G to MX80 MX80-5G10G-UPG-B

MX80-10G

Upgrade license to activate 2x10GE MX104 S-MX104-ADD-2X10GE

P2&3

Upgrade license to activate 2X10GE MX104 S-MX104-UPG-2X10GE

P0&1

Upgrade license to activate 4X10GE MX104 S-MX104-UPG-4X10GE

fixed ports on MX104

License to support per VLAN queuing MX5, MX10, MX40, and MX80 S-MX80-Q
on MX80

License to support per VLAN queuing MX104 S-MX104-Q

on MX104

Chassis-based software license for MX5, MX10, MX40, MX80, and S-JFLOW-CH-MX5-104
inline J-Flow monitoring on MX5, MX104
MX10, M40, MX80, and MX104
Series routers

Chassis-based software license for MX240 S-JFLOW-CH-MX240

inline J-Flow monitoring on MX240
routers
 103

Table 36: Junos OS Feature License Model Number for MX Series Routers (continued)

Licensed Software Feature Supported Devices Model Number

Chassis-based software license for MX480 S-JFLOW-CH-MX480

inline J-Flow monitoring on MX480
routers

Chassis-based software license for MX960 S-JFLOW-CH-MX960

inline J-Flow monitoring on MX960
routers

Chassis-based software license for MX2008 S-JFLOW-CH-MX2008

inline J-Flow monitoring on MX2008
routers

Chassis-based software license for MX2010 S-JFLOW-CH-MX2010

inline J-Flow monitoring on MX2010
routers

Chassis-based software license for MX2020 S-JFLOW-CH-MX2020

inline J-Flow monitoring on MX2020
routers

Flow monitoring and accounting MX240, MX480, and MX960 S-ACCT-JFLOW-CHASSIS

features using J-Flow service on any
Modular Port Concentrator (MPC) or
MS-DPC

Software License for in-line J-Flow MX240, MX480, MX960, MX2008, S-ACCT-JFLOW-IN
service on Trio MPCs MX2010, and MX2020

Flow monitoring and accounting MX80 S-ACCT-JFLOW-IN-10G

features using J-Flow service on any
MPC limited to 10G of total JFLOW
traffic

Flow monitoring and accounting MX80 S-ACCT-JFLOW-IN-10G-UPG

features using J-Flow service on any
MPC limited to 10G of total JFLOW
traffic

Flow monitoring and accounting MX80 S-ACCT-JFLOW-IN-5G

features using J-Flow service on any
MPC limited to 5G of total JFLOW
traffic
 104

Table 36: Junos OS Feature License Model Number for MX Series Routers (continued)

Licensed Software Feature Supported Devices Model Number

Security services (IPsec, VPN and MX Series Routers S-ES-NPU

group VPN) license based on a single
NPU for MS-MIC, MS-DPC or
MS-MPC

2000 IKE sessions on MS-DPC; MX240, MX480, and MX960 S-ES-2K

Chassis based, limited to 6000 per
Chassis

4000 IKE sessions on MS-DPC; MX240, MX480, and MX960 S-ES-4K

Chassis based, limited to 6000 per
Chassis

Upgrade from 2000 IKE sessions to MX240, MX480, and MX960 S-ES-4K-UPG
4000 IKE sessions on MS-DPC;
Chassis based, limited to 6000 per
Chassis

6000 IKE sessions on MS-DPC; MX240, MX480, and MX960 S-ES-6K

Chassis based, limited to 6000 per
Chassis

Upgrade from 4000 IKE sessions to MX240, MX480, and MX960 S-ES-6K-UPG
6000 IKE Sessions on MS-DPC;
Chassis based, limited to 6000 per
Chassis

License to run stateful firewall on one MX Series Routers S-FW-NPU

NPU per MS-MIC, MS-DPC or
MS-MPC

License to support DS3 MX5, MX10, MX40, MX80, MX104, S-MIC-3D-8CHDS3

Channelization (down to DS0) on MX240, MX480, MX960, MX2010,
each Modular Interface Card (MIC) and MX2020
for MIC-3D-8DS3-E3; also requires
license S-MX80-Q when used on the
MX80 platform

License to support full-scale Layer 3 MX5, MX10, MX40, and MX80 S-MX80-ADV-R
routes and Layer 3 VPN

License to support 256K routes MX104 S-MX104-ADV-R1

 105

Table 36: Junos OS Feature License Model Number for MX Series Routers (continued)

Licensed Software Feature Supported Devices Model Number

License to support scaling Layer 3 MX104 S-MX104-ADV-R2

and VPN routes to 1 million or more
entries on MX104 platforms

License to support full-scale Layer 3 MX240, MX480, MX960, MX2010, S-MPC-3D-16XGE-ADV-R

routes and Layer 3 VPN on each slot and MX2020
for MPC-3D-16XGE-SFPP

License to support full-scale Layer 3 MX240, MX480, MX960, MX2010, S-MPC-3D-PQ-ADV-R

routes and Layer 3 VPN on each slot and MX2020
for port queuing MPCs

License to support Precision Timing MX204, MX240, MX480, MX960, S-MPC-3D-PTP

Protocol (PTP) MX10003, MX10008, and MX10016

License to support full-scale Layer 3 MX240, MX480, MX960, MX2010, S-MPC-3D-VQ-ADV-R

routes and Layer 3 VPN on each slot and MX2020
for hierarchical quality of service
(HQoS) MPCs

Subscriber Management Feature MX5, MX10, MX40, and MX80 S-MX80-SA-FP

Pack License
(Includes S-LNS-IN)

MX104 S-MX104-SA-FP

(Includes S-LNS-IN)

Subscriber Access Feature Pack MX204, MX240, MX480, MX960, S-SA-FP

License MX2008, MX2010, MX2020, and
MX10003

Subscriber Service Management MX5, MX10, MX40, and MX80 S-MX80-SSM-FP

Feature Packet License—RADIUS and
SRC-based service activation and MX104 S-MX104-SSM-FP
deactivation per-service accounting
features MX204, MX240, MX480, MX960, S-SSM-FP
MX2008, MX2010, MX2020, and
MX10003

Upgrade to Traffic Direct Advanced MX960 S-MX-TD-UPG

(per MS-DPC)
 106

Table 36: Junos OS Feature License Model Number for MX Series Routers (continued)

Licensed Software Feature Supported Devices Model Number

License to run one instance of the MX240, MX480, and MX960 S-NAT
NAT software on one NPU per
MS-DPC

License to support inline NAT MX5, MX10, MX40, MX80, and S-NAT-IN-MX5-104 (Replaces
software on MX5, MX10, MX40, MX104 S-NAT-IN-MX40-MX80 and
MX80, MX104 S-NAT-IN-MX5-MX10)

License to run one instance of the MX Series Routers S-NAT-NPU (Replaces

NAT software on one NPU per S-NAT-IN-MX40-MX80-UPG)
MS-MIC, MS-DPC, or MS-MPC

License to run NAT using any MPC MX240, MX480, and MX960 S-NAT-IN-MX-CHASSIS
in an MX Chassis

Subscriber Access Feature Pack MX5, MX10, MX40, MX80, MX104, S-SA-4K
License Scaling (4000) MX204, MX240, MX480, MX960,
MX2008, MX2010, MX2020, and
MX10003

Upgrade license—Subscriber Access MX5, MX10, MX40, MX80, MX104, S-SA-UP-8K

Feature Pack scaling license upgrade MX204, MX240, MX480, MX960,
from 4000 through 8000 subscribers MX2008, MX2010, MX2020, and
MX10003

Subscriber Access Feature Pack MX5, MX10, MX40, MX80, MX104, S-SA-8K
License Scaling (8000) MX204, MX240, MX480, MX960,
MX2008, MX2010, MX2020, and
MX10003

Upgrade license—Subscriber Access MX5, MX10, MX40, MX80, MX104, S-SA-UP-16K

Feature Pack scaling license upgrade MX204, MX240, MX480, MX960,
from 8000 through 16,000 MX2008, MX2010, MX2020, and
subscribers MX10003

Subscriber Access Feature Pack MX5, MX10, MX40, MX80, MX104, S-SA-16K
License Scaling (16,000) MX204, MX240, MX480, MX960,
MX2008, MX2010, MX2020, and
MX10003
 107

Table 36: Junos OS Feature License Model Number for MX Series Routers (continued)

Licensed Software Feature Supported Devices Model Number

Upgrade license—Subscriber Access MX5, MX10, MX40, MX80, MX104, S-SA-UP-32K

Feature Pack scaling license upgrade MX204, MX240, MX480, MX960,
from 16,000 through 32,000 MX2008, MX2010, MX2020, and
subscribers MX10003

Subscriber Access Feature Pack MX5, MX10, MX40, MX80, MX104, S-SA-32K
License Scaling (32,000) MX204, MX240, MX480, MX960,
MX2008, MX2010, MX2020, and
MX10003

Upgrade license—Subscriber Access MX5, MX10, MX40, MX80, MX104, S-SA-UP-64K

Feature Pack scaling license upgrade MX204, MX240, MX480, MX960,
from 32,000 through 64,000 MX2008, MX2010, MX2020, and
subscribers MX10003

Subscriber Access Feature Pack MX5, MX10, MX40, MX80, MX104, S-SA-64K
License Scaling (64,000) MX204, MX240, MX480, MX960,
MX2008, MX2010, MX2020, and
MX10003

Upgrade license—Subscriber Access MX5, MX10, MX40, MX80, MX104, S-SA-UP-96K

Feature Pack scaling license upgrade MX204, MX240, MX480, MX960,
from 64,000 through 96,000 MX2008, MX2010, MX2020, and
subscribers MX10003

Subscriber Access Feature Pack MX5, MX10, MX40, MX80, MX104, S-SA-96K
License Scaling (96,000) MX204, MX240, MX480, MX960,
MX2008, MX2010, MX2020, and
MX10003

Upgrade license—Subscriber Access MX5, MX10, MX40, MX80, MX104, S-SA-UP-128K

Feature Pack scaling license upgrade MX204, MX240, MX480, MX960,
from 96,000 through 128,000 MX2008, MX2010, MX2020, and
subscribers MX10003

Subscriber Access Feature Pack MX5, MX10, MX40, MX80, MX104, S-SA-128K
License Scaling (128,000) MX204, MX240, MX480, MX960,
MX2008, MX2010, MX2020, and
MX10003
 108

Table 36: Junos OS Feature License Model Number for MX Series Routers (continued)

Licensed Software Feature Supported Devices Model Number

Upgrade license—Subscriber Access MX5, MX10, MX40, MX80, MX104, S-SA-UP-256K

Feature Pack scaling license upgrade MX204, MX240, MX480, MX960,
from 128,000 through 256,000 MX2008, MX2010, MX2020, and
subscribers MX10003

Subscriber Access Feature Pack MX5, MX10, MX40, MX80, MX104, S-SA-256K
License Scaling (256,000) MX204, MX240, MX480, MX960,
MX2008, MX2010, MX2020, and
MX10003

Software License for Secure Flow MX80, MX104, MX240, MX480, and S-SFM-FLOWTAP-IN
Mirroring Service (FlowTap) (does MX960
not require MS-DPC)

License to run one instance of the MX960, MX480, and MX240 S-SFW
SFW and software on a MS-DPC

Software license for one member of MX240, MX480, MX960, MX2008, S-VCR
an MX Virtual Chassis MX2010, MX2020, and MX10003

Upgrade license—from MX10 to MX10-T MX10-40-UPG

equivalent of MX40; allows
additional 2x10G fixed ports to be
used on the MX10 router

Upgrade license—from MX10 to MX10-T MX10-80-UPG

equivalent of MX80; allows
additional 4x10G fixed ports to be
used on the MX10 router

Upgrade license—from MX40 to MX40-T MX40-80-UPG

equivalent of MX80; allows
additional 2x10G fixed ports to be
used on the MX40 router

Upgrade license—from MX5 to MX5-T MX5-10-UPG

equivalent of MX10; allows second
MIC slot to be used on the MX5
router
 109

Table 36: Junos OS Feature License Model Number for MX Series Routers (continued)

Licensed Software Feature Supported Devices Model Number

Upgrade license—from MX5 to MX5-T MX5-40-UPG

equivalent of MX40; allows second
MIC slot and 2x10G fixed ports to
be used on the MX5 router

Upgrade license—from MX5 to MX5-T MX5-80-UPG

equivalent of MX80. Allows second
MIC slot and 4x10G fixed ports to
be used on the MX5 router

License to use MX as Controller or MX5, MX10, MX40, MX80, MX104, S-MX-AD-FUSION-LIC

Aggregation device for Junos Fusion. MX240, MX480, MX960, MX2010,
One license per MX is needed. and MX2020

License to run any supported MX204, MX240, MX480, MX960, S-MX-SAT-EX4300

EX4300 model as a satellite device MX2010, MX2020, and MX10003
in Junos Fusion mode. One license
per EX4300 is needed

License to run any supported MX204, MX240, MX480, MX960, S-MX-SAT-QFX5100

QFX5100 model as a satellite device MX2010, MX2020, and MX10003
in Junos Fusion mode. One license
per QFX5100 is needed

Subscriber Traffic Lawful Intercept MX204, MX240, MX480, MX960, S-SSP-FP

Feature Pack License MX2008, MX2010, MX2020, and
MX10003
Software License for FlowTapLite

Junos BB Policy Enforcement MX204, MX240, MX480, MX960, S-BB-NASREQ

Feature License for dynamic MX2008, MX2010, MX2020, and
subscriber authentication and MX10003
authorization using NASREQ (1 per
chassis)

Junos BB Policy Enforcement feature MX204, MX240, MX480, MX960, S-BB-GX

license for PCRF communications MX2008, MX2010, MX2020, and
using 3GPP Gx and Gx+ (1 per MX10003
chassis)
 110

Table 36: Junos OS Feature License Model Number for MX Series Routers (continued)

Licensed Software Feature Supported Devices Model Number

Junos BB Policy Enforcement feature MX204, MX240, MX480, MX960, S-BB-GY

license for online charging using MX2008, MX2010, MX2020, and
3GPP Gy interface (1 per chassis) MX10003

Software License for Inline L2TP LNS MX204, MX240, MX480, MX960, S-LNS-IN
(MX204, MX240/480/960, MX2008, MX2008, MX2010, MX2020, and
MX2010/2020) (1 per chassis) MX10003

Software Features That Require Licenses on M Series Routers Only

Table 37 on page 110 lists the licenses you can purchase for each M Series software feature. Each license
allows you to run the specified software feature on a single device.

For information about how to purchase a software license, contact your Juniper Networks sales
representative at https://www.juniper.net/in/en/contact-us/.

Table 37: Junos OS Feature License Model Number for M Series Routers

Licensed Software Feature Supported Devices Model Number

J-Flow accounting license on Integrated Adaptive Services M7i S-ACCT-BB

Module (ASM) and Integrated Multiservices Module

Security Services license on ASM and Integrated Multiservices M7i S-ES-BB

Module

Layer 2 Tunneling Protocol (L2TP) L2TP Network Server (LNS) M120 S-LNS-16K
license for 16000 sessions on Multiservices PIC

L2TP LNS license Upgrade—from 8000 to 16000 sessions on M120 S-LNS-16K-UPG

Multiservices PIC

L2TP LNS license for 2000 sessions on AS PIC or Integrated M7i, M10i, and M120 S-LNS-2K
Adaptive Services Module and Multiservices PIC

L2TP LNS license for 4000 sessions on AS PIC or Integrated M7i, M10i, and M120 S-LNS-4K
Adaptive Services Module and Multiservices PIC

L2TP LNS license Upgrade—from 2000 to 4000 sessions on M7i, M10i, and M120 S-LNS-4K-UPG
AS PIC or Integrated Adaptive Services Module and
Multiservices PIC
 111

Table 37: Junos OS Feature License Model Number for M Series Routers (continued)

Licensed Software Feature Supported Devices Model Number

L2TP LNS license for 8000 sessions on Multiservices PIC M7i, M10i, and M120 S-LNS-8K

L2TP LNS license Upgrade—from 4000 to 8000 sessions on M7i, M10i, and M120 S-LNS-8K-UPG
AS PIC and Multiservices PIC

Link services software license on integrated ASM and M7i S-LSSL-BB

Integrated Multi Services Module—up to 4 ML bundles

NAT, FW license on Integrated ASM and Integrated Multi M7i S-NAT-FW-MULTI-BB

Services Module: Multi instance

NAT, FW license on Integrated ASM and Integrated Multi M7i S-NAT-FW-SINGLE-BB

Services Module: Single instance

Tunnel services software license for AS PIC and Multiservices M7i and M10i S-TUNNEL
PIC (chassis license)

License Modes for PTX Series Routers

PTX Series routers are available in two license variants: IR and R. Depending on the license purchased, the
router offers full IP or LSR.

Table 38 on page 111 describes the two license variants for the PTX1000.

Table 38: License Variants for the PTX1000

License Description Scale Restictions

IR Scaled up LSR and peering • Up to 1 million routes in the

forwarding information base (FIB)
• Up to 6 million routes in the routing
information base (RIB)
• Up to 256 routing instances of the
virtual routing and forwarding (VRF)
instance type
• Up to 128 thousand LSPs

R Full IP core None

The license-mode statement is only supported on the PTX3000 and PTX5000 Series routers with
third-generation FPCs.
 112

Table 39 on page 112 describes the two license variants for the PTX3000 and PTX5000.

Table 39: License Variants for the PTX3000 and PTX5000 FPCs

License Description Scale Restrictions

IR Scaled up LSR and peering • Up to 2 million routes in the

forwarding information base (FIB)
• Up to 6 million routes in the routing
information base (RIB)
• Up to 256 routing instances of the
virtual routing and forwarding (VRF)
instance type
• Up to 128 thousand LSPs

R Full IP core None

For the PTX3000 and PTX5000, If you purchase two FPCs: one with an IR license and one with an R
license. After the FPCs are installed on a router, both FPCs appear identical. To distinguish between an
FPC with an IR license and an FPC with an R license after the FPC is installed on the router, you must
configure the license mode based on the license purchased. For instance, if you purchased an FPC with
the IR license, you must configure the license mode for that FPC as IR. The license mode settings are set
specific to each FPC slot. If the FPC is installed in a different slot, or moved to another device, the license
mode settings must be reconfigured on the new slot or device. Also, the license mode settings previously
configured must be deleted.

The license mode settings are used only to provide information. You cannot set or alter the license of the
FPC by configuring the license mode.

To view the current license mode settings, from the configuration mode, use the show chassis fpc command.
To view the current license mode settings, from the operational mode, use the show chassis hardware
extensive command. To delete the existing license mode settings, use the delete chassis fpc command.
 113

License Modes for Enhanced MPCs Overview

Enhanced MPCs are available in three license variants. Before Junos OS Release 16.1, there were two
variants: infrastructure routing (IR) and routing (R). Starting in Junos OS Release 16.1, there is also a base
variant, making a total of three licence variants. All variants support an identical feature set, but with a
few scale differences.Table 40 on page 113 describes the three license variants.

Table 40: License Variants for MPCs

License How to Identify Description

base No special suffix in the license name. • All Layer 2, Layer 2.5, and Layer 3 features.
• Up to 32 Layer 3 routing instances of the
virtual routing and forwarding (VRF) instance.
The VRF support includes Layer 3 VPN
(L3VPN).
• Up to 2 million routes in the forwarding
information base (FIB), provided there is
hardware support. (FIB is also known as
forwarding table.)
• Up to 6 million routes in the routing
information base (RIB), also known as routing
table.

IR -IR suffix in the license name. • All Layer 2, Layer 2.5, and Layer 3 features.
• Up to 32 Layer 3 routing instances of the
virtual routing and forwarding (VRF) instance.
The VRF support includes Layer 3 VPN
(L3VPN).

R -R suffix in the license name. Full-scale Layer 2, Layer 2.5, and Layer 3 features.
Scale is determined by the hardware capabilities.

Suppose you have purchased two MPC4Es: one with IR license and one with R license. After the MPCs
are installed on a router, both MPCs appear identical. To distinguish between an MPC with an IR license
and an MPC with an R license after the MPC is installed on the router, you must configure the license
mode based on the license purchased. For instance, if you have purchased an MPC with the IR license,
you must configure the license mode for that MPC as IR. The license mode settings are set specific to each
MPC slot. If the MPC is installed in a different slot, or moved to another device, the license mode settings
must be reconfigured on the new slot or device. Also, the license mode settings previously configured
must be deleted.

The license mode settings are used only to provide information. You cannot set or alter the license of the
MPC by configuring the license mode.

To view the current license mode settings on an MPC, from the configuration mode, use the show chassis
 114

fpc command. To view the current license mode settings on an MPC, from the operational mode, use the
show chassis hardware extensive command. To delete the existing license mode settings on an MPC, use
the delete chassis fpc command.

Configuring the License Mode for Specific Enhanced MPCs on MX Series Routers

Starting with Junos OS Release 14.2, you can set the license mode for enhanced MPCs such as MPC4E,
MPC5E, and MPC6. Configuring the license mode enables you to distinguish between an MPC with an IR
license and an MPC with an R license after the MPC is installed on the router. An MPC with an R license
supports all the Layer 2, Layer 2.5, and Layer 3 features. An MPC with an IR license offers partial support
for these features. For more information about the license variants, see “License Modes for Enhanced
MPCs Overview” on page 113

The license mode settings are used only to provide information. You cannot set or alter the license of the
MPC when you configure the license mode.

Before you configure the license mode of the MPC, verify the license of the MPC. You will need this
information do configure the license mode.

Do not try to set the license mode while the card is rebooting or the following error message will appear:
Card not online or TRIO/DPC based.

To configure the license mode for MPCs on MX Series routers:

1. Configure the license mode for the MPC in a specified MPC slot.

If the MPC has an IR license, configure the license mode as IR. If the MPC has an R license, configure
the license mode of the MPC as R.

[edit]
user@host# set chassis fpc slot-number ir-mode ir-mode

2. In configuration mode, verify the configuration, for example:

[edit]
user@host# show chassis
fpc 1 {
ir-mode IR;
}

3. After verifying the license mode, commit the changes by using the commit statement.

[edit]
 115

user@host# commit

Example: Configuring the License Mode for MPC5E

IN THIS SECTION

Requirements | 115

Overview | 115

Configuration | 116

Verification | 118

This example describes how to configure the license mode for MPC5E on the MX480 router. It also
describes how to remove the license mode settings and reconfigure the license mode settings on a new
slot.

Requirements
This example uses the following hardware and software components:

• Junos OS Release 14.2 or later for MX Series routers

• A single MX480 router with MPC5E with R license

Overview
Configuring the license mode for an MPC enables you to distinguish between an MPC with an IR license
and an MPC with an R license after the MPC is installed on the router.

The license mode settings are used only to provide information. You cannot set or alter the license of the
MPC when you configure the license mode.

The license mode settings are set specific to each MPC slot. If the MPC is installed in a different slot, or
moved to another device, the license mode settings must be reconfigured on the new slot or device. Also,
the license mode settings configured previously must be removed. You can view the license mode settings
from both configuration mode and operational mode.

Topology
In this example, an MPC5E is installed in slot 4 of an MX480 router and has an R license. The R license
indicates that all Layer 2, Layer 2.5, and Layer 3 features are supported on the MPC. You first configure
the license mode of the MPC5E in slot 4 to R. After configuring the license mode, you can verify the license
mode settings. You then install the MPC5E in slot 2 of the same router. License mode settings are set
 116

specific to each MPC slot. Therefore, the license mode setting must be reconfigured. After you move the
MPC5E, delete the license mode setting on slot 4 and then reconfigure the license mode setting on slot
2.

Configuration

IN THIS SECTION

Configuring the License Mode for MPC5E in Slot 4 | 116

Deleting the License Mode for MPC5E in Slot 4 | 117

Configuring the License Mode for MPC5E in Slot 2 | 117

To configure the license mode for the MPC5E according to the topology specified in the overview section,
perform these tasks:

Configuring the License Mode for MPC5E in Slot 4

Step-by-Step Procedure
To configure the license mode for the MPC5E in slot 4:

1. Configure the license mode R for the MPC5E in slot 4:

[edit]
user@host# set chassis fpc 4 ir-mode R

2. In configuration mode, verify the configuration.

user@host# show chassis fpc 4

pic 0 {
power off;
}
pic 1 {
power off;
}
ir-mode R;

3. After verifying the license mode, commit the changes by using the commit statement.

[edit]
user@host# commit
 117

Deleting the License Mode for MPC5E in Slot 4

Step-by-Step Procedure
To delete the license mode R for the MPC5E in slot 4:

1. Delete the license mode for the MPC5E.

[edit]
user@host# delete chassis fpc 4 ir-mode R

2. In configuration mode, verify the configuration.

user@host# show chassis fpc 4

pic 0 {
power off;
}
pic 1 {
power off;
}

3. After verifying the license mode, commit the changes by using the commit statement.

[edit]
user@host# commit

Configuring the License Mode for MPC5E in Slot 2

Step-by-Step Procedure
To configure the license mode for the MPC5E in slot 2:

1. Configure the license mode R for the MPC5E.

[edit]
user@host# set chassis fpc 2 ir-mode R

2. In configuration mode, verify the configuration.

user@host# show chassis fpc 2

pic 0 {
power off;
}
 118

pic 1{
power off;
}
ir-mode R;

3. After verifying the license mode, commit the changes by using the commit statement.

[edit]
user@host# commit

Verification

IN THIS SECTION

Verifying That License Mode Is Configured for MPC5E in Slot 4 | 118

Verifying That the Configured License Mode Is Deleted | 119

Verifying That the License Mode Is Configured for MPC5E in Slot 2 | 120

To confirm that you have accurately configured the license mode settings on MPC5E, perform these tasks:

Verifying That License Mode Is Configured for MPC5E in Slot 4

Purpose
To verify that license mode R is configured for the MPC5E in slot 4.

Action
From operational mode, enter the show chassis hardware extensive command.

user@host> show chassis hardware extensive

...
FPC 4 REV 30 750-045715 CABM2612 MPC5E 3D Q 24XGE+6XLGE
Jedec Code: 0x7fb0 EEPROM Version: 0x02
P/N: 750-045715 S/N: CABM2612
Assembly ID: 0x0b8a Assembly Version: 01.30
Date: 08-27-2013 Assembly Flags: 0x00
Version: REV 30 CLEI Code: PROTOXCLEI
ID: MPC5E 3D Q 24XGE+6XLGE FRU Model Number: PROTO-ASSEMBLY
Board Information Record:
 119

Address 0x00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
I2C Hex Data:
Address 0x00: 7f b0 02 fe 0b 8a 01 1e 52 45 56 20 33 30 00 00
Address 0x10: 00 00 00 00 37 35 30 2d 30 34 35 37 31 35 00 00
Address 0x20: 53 2f 4e 20 43 41 42 4d 32 36 31 32 00 1b 08 07
Address 0x30: dd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
Address 0x40: ff ff ff ff 01 50 52 4f 54 4f 58 43 4c 45 49 50
Address 0x50: 52 4f 54 4f 2d 41 53 53 45 4d 42 4c 59 00 00 00
Address 0x60: 00 00 00 00 00 00 41 30 30 ff ff ff ff ff ff ff
Address 0x70: ff ff ff c2 ff ff ff ff ff ff ff ff ff ff ff ff
R/IR Mode: R
...

Meaning
License mode R is configured for the MPC5E in slot 4.

Verifying That the Configured License Mode Is Deleted

Purpose
To verify that the configured license mode is deleted.

Action
From operational mode, enter the show chassis hardware extensive command.

user@host> show chassis hardware extensive

...
FPC 4 REV 30 750-045715 CABM2612 MPC5E 3D Q 24XGE+6XLGE
Jedec Code: 0x7fb0 EEPROM Version: 0x02
P/N: 750-045715 S/N: CABM2612
Assembly ID: 0x0b8a Assembly Version: 01.30
Date: 08-27-2013 Assembly Flags: 0x00
Version: REV 30 CLEI Code: PROTOXCLEI
ID: MPC5E 3D Q 24XGE+6XLGE FRU Model Number: PROTO-ASSEMBLY
Board Information Record:
Address 0x00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
I2C Hex Data:
Address 0x00: 7f b0 02 fe 0b 8a 01 1e 52 45 56 20 33 30 00 00
Address 0x10: 00 00 00 00 37 35 30 2d 30 34 35 37 31 35 00 00
Address 0x20: 53 2f 4e 20 43 41 42 4d 32 36 31 32 00 1b 08 07
Address 0x30: dd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
Address 0x40: ff ff ff ff 01 50 52 4f 54 4f 58 43 4c 45 49 50
Address 0x50: 52 4f 54 4f 2d 41 53 53 45 4d 42 4c 59 00 00 00
 120

Address 0x60: 00 00 00 00 00 00 41 30 30 ff ff ff ff ff ff ff
Address 0x70: ff ff ff c2 ff ff ff ff ff ff ff ff ff ff ff ff
...

Meaning
The license mode setting has been removed for the MPC5E in slot 4.

Verifying That the License Mode Is Configured for MPC5E in Slot 2

Purpose
To verify that license mode R is configured for the MPC5E in slot 2.

Action
From operational mode, enter the show chassis hardware extensive command.

user@host> show chassis hardware extensive

...
FPC 2 REV 30 750-045715 CABM2612 MPC5E 3D Q 24XGE+6XLGE
Jedec Code: 0x7fb0 EEPROM Version: 0x02
P/N: 750-045715 S/N: CABM2612
Assembly ID: 0x0b8a Assembly Version: 01.30
Date: 08-31-2013 Assembly Flags: 0x00
Version: REV 30 CLEI Code: PROTOXCLEI
ID: MPC5E 3D Q 24XGE+6XLGE FRU Model Number: PROTO-ASSEMBLY
Board Information Record:
Address 0x00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
I2C Hex Data:
Address 0x00: 7f b0 02 fe 0b 8a 01 1e 52 45 56 20 33 30 00 00
Address 0x10: 00 00 00 00 37 35 30 2d 30 34 35 37 31 35 00 00
Address 0x20: 53 2f 4e 20 43 41 42 4d 32 36 31 32 00 1b 08 07
Address 0x30: dd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
Address 0x40: ff ff ff ff 01 50 52 4f 54 4f 58 43 4c 45 49 50
Address 0x50: 52 4f 54 4f 2d 41 53 53 45 4d 42 4c 59 00 00 00
Address 0x60: 00 00 00 00 00 00 41 30 30 ff ff ff ff ff ff ff
Address 0x70: ff ff ff c2 ff ff ff ff ff ff ff ff ff ff ff ff
R/IR Mode: R
...

Meaning
License mode R is configured for the MPC5E in slot 2.
 121

Junos OS Feature License Keys

Some Junos OS software features require a license to be activated. To enable each licensed feature, you
must purchase, install, manage, and verify a license key that corresponds to the licensed feature.

Release-Tied License Keys and Upgrade Licenses on MX Series Routers

The Junos OS licensing infrastructure currently associates a license feature with attributes such as date,
platform, and validity. In addition to these attributes, for MX Series routers running Junos OS Release 12.2
and later, a licensed feature can be associated with a release number at the time of generating the license
key. This type of release-tied license key is used to validate a particular licensed feature while attempting
a software upgrade. The upgrade process aborts if the release number in the license key is earlier than the
Junos OS release number to which the system is being upgraded.

Additionally, an upgrade license key can be generated for a release-tied licensed feature. An upgrade
license key is used for carrying forward a capacity license to the upgrade release. Although an upgrade
license might be an acceptable license on the current release, it does not add to the existing capacity limit.
The capacity added in the upgrade license key is valid for the upgrade software release only.

The release number embedded in the license key indicates the maximum release number up to which
Junos OS can be upgraded.

As an example, assume that your system is running Junos OS Release 12.2 and is using the scale-subscriber
licensed feature with a later release-tied upgrade license key installed. If you request a software upgrade
to the later release of Junos OS, the software upgrade operation fails and the following error message is
displayed:

mgd: error: No valid upgrade license found for feature 'scale-subscriber'.

Aborting Software upgrade.
Validation failed

In this example, to successfully upgrade to the later release of Junos OS, the release number included in
the upgrade license key should be greater than or equal to the later release number. Also, you can perform
software upgrades up to the previous release without any additional license keys to retain the existing
scale limit.

When you install a release-tied license, the following apply:

• You can purchase an upgrade capacity license only if a base capacity license for the same scale-tier has
already been generated or purchased.

• You cannot install an upgrade license if the capacity does not match any of the existing base capacity
licenses on the system.

• The license installation fails when you install a lower release number license key on a higher software
release number.
 122

• A release-tied license can be installed on a Junos OS release number that is lower than or equal to the
release number included in the license key. For example, a 12.2 license key is valid on Junos OS Release
12.1.

• An upgrade license is valid only on the target release number specified in the license key, but can be
installed on an earlier Junos OS release. For example, a 4 K scale-tier upgrade license for Junos OS
Release 12.2 can be installed on an earlier release, and the installed count of licenses remains unaltered.

• Release-tied licenses of the previous release are not deleted on upgrading Junos OS to a newer release
version.

Licensable Ports on MX5, MX10, and MX40 Routers

Starting with Junos OS Release 12.2, license keys are available to enhance the port capacity on MX5,
MX10, and MX40 routers up to the port capacity of an MX80 router. The MX5, MX10, and MX40 routers
are derived from the modular MX80 chassis with similar slot and port assignments, and provide all
functionality available on an MX80 router, but at a lower capacity. Restricting port capacity is achieved
by making a set of MIC slots and ports licensable. MICs without a license are locked, and are unlocked or
made usable by installing appropriate upgrade licenses.

The base capacity of a router is identified by the Ideeprom assembly ID (I2C ID), which defines the board
type. However, the Junos OS licensing infrastructure allows the use of restricted ports without a license
for a grace period of 30 days. After the grace period expires, the router reverts back to the base capacity
if no upgrade license is purchased and installed for the locked ports. The I2C ID along with an upgrade
license determine the final capacity of an MX5, MX10, or MX40 router.

The MX5, MX10, MX40, and MX80 routers support the following types of MICs:

• A built-in 10-Gigabit Ethernet MIC with four 10-Gigabit Ethernet ports

• Two front-pluggable MICs

A feature ID is assigned to every license upgrade for enhancing port capacity. Table 30 on page 52 displays
the chassis types and their associated port capacity, I2C ID, base capacity, feature ID, feature name, and
the final capacity after a license upgrade.

Table 41: Upgrade Licenses for Enhancing Port Capacity

Feature
ID and
Chassis Port Feature
Type Capacity I2C ID Base Capacity Name Upgrade Capacity

MX5 20G 0x556 Slot 1 f1—MX5 Slot 1 and 2

to MX10
• 1/MIC0 upgrade • 1/MIC0
• 1/MIC1
 123

Table 41: Upgrade Licenses for Enhancing Port Capacity (continued)

Feature
ID and
Chassis Port Feature
Type Capacity I2C ID Base Capacity Name Upgrade Capacity

MX10 40G 0x555 Slot 1 and 2 f2—MX10 Slot 2 and first 2 ports on Slot 0
to MX40
• 1/MIC0 upgrade • 1/MIC1
• 1/MIC1 • First 2 ports on 0/MIC0

MX40 60G 0x554 Slot 1, SLot 2 and first 2 f3—MX40 Slot 2 and all ports on Slot 0
ports on Slot 0 to MX80
upgrade • 1/MIC1
• 1/MIC0 • All 4 ports on 0/MIC0
• 1/MIC1
• First 2 ports on
0/MIC0

When installing an upgrade license for enhancing port capacity on MX5, MX10 and MX40 routers, consider
the following:

• To upgrade an MX5 router to MX80 router capacity, licenses for all three features (f1, f2, f3) must be
installed. All three features can be provided in a single license key.

• To upgrade an MX10 router to MX40 router capacity, installing a license key with f2 feature is sufficient.

• Non-applicable feature IDs in a license key reject the upgrade license. For example:

• An f1 feature ID on an MX10 upgrade license key rejects the license.

• Feature IDs f1 and f2 on an MX40 upgrade license key reject the entire license.

Port Activation on MX104 Routers

Starting with Junos OS Release 13.3, license keys are available to activate the ports on the MX104 router.
MX104 routers have four built-in ports. By default, in the absence of valid licenses, all four built-in ports
are deactivated. By installing licenses, you can activate any two of the four or all of the four built-in ports.
For instance, you can install a license to activate the first two built-in ports (xe-2/0/0 and xe-2/0/1) or
you can install a license to activate the next two built-in ports (xe-2/0/2 and xe-2/0/3). You can also install
a license to activate all four built-in ports (xe-2/0/0, xe-2/0/1, xe-2/0/2, and xe-2/0/3). If you have already
activated two of the built-in ports, you can install an additional license to activate the other two built-in
ports on the MX104 router.

A feature ID is assigned to every license for activating the built-in ports on the MX104 router. The port
license model with the feature ID is described in Table 31 on page 53.
 124

Table 42: Port Activation License Model for MX104 Routers

Feature ID Feature Name Functionality

F1 MX104 2X10G Port Activate (0 and 1) Ability to activate first two built-in ports (xe-2/0/0
and xe-2/0/1)

F2 MX104 2X10G Port Activate (2 and 3) Ability to activate next two built-in ports (xe-2/0/2
and xe-2/0/3)

Both the features are also provided in a single license key for ease of use. To activate all four ports, you
must either install the licenses for both the features listed in Table 31 on page 53 or the single license key
for both features. If you install the single license key when feature IDs F1 and F2 are already installed, the
license does not get rejected. Also, MX104 routers do not support the graceful license expiry policy. A
graceful license expiry policy allows the use of a feature for a certain period of time (usually a grace period
of 30 days), and reverts if the license for that feature is not installed after the grace period.

Subscriber Access Licensing Overview

To enable some Juniper Networks Junos OS features or router scaling levels, you might have to purchase,
install, and manage separate software license packs. The presence on the router of the appropriate software
license keys (passwords) determines whether you can configure and use certain features or configure a
feature to a predetermined scale.

You need only one license if the DHCP dual stack session running with a single SDB session. To configure
the single SDB session, use the classification-key option in the edit system services dhcp-local-server
hierarchy .

Table 43 on page 124 describes number of subscriber interface and license required on subscriber access
models.

Table 43: Number of Licenses Required per Access Model

Access Model Number of Licenses Required

CVLAN DHCPv4 1

CVLAN PPPoEv4 1

CVLAN Dual Stack DHCP 1 (single SDB session)

2 (two SDB session)

CVLAN Dual Stack PPPoE 1

Pseudowire Headend Termnation (PWHT) DHCPv4 1

 125

Table 43: Number of Licenses Required per Access Model (continued)

Access Model Number of Licenses Required

PWHT PPPoEv4 1

PWHT Dual Stack DHCP 1 (single SDB session)

2 (dual SDB session)

PWHT Dual Stack PPPoE 1

Agent circuit identifier (ACI) DHCPv4 Number of sessions with same ACI

ACI PPPoEv4 Number of sessions with same ACI

Layer 2 Tunneling Protocol (L2TP) Point-to-Point Protocol (PPP) or 1

L2TP access concentrator (LAC)

L2TP Point-to-Point Protocol (PPP) or L2TP network server (LNS) 1

L2TP Dual Stack PPP or LNS 1

L2TP tunnel switch (LTS) PPPv4 1

LTS version Dual Stack PPP 1

Wi-Fi access gateway (WAG) DHCPv4 1

WAG Dual Stack DHCP 1 (single SDB session)

2 (dual SDB session)

Hybrid access gateway (HAG) generic routing encapsulation (GRE)v4 1

Hybrid access gateway (HAG) Dual Stack GRE 1 (single SDB session)

2 (two SDB session)

Fixed wireless 1

For the latest information about subscriber access licensing, contact your Juniper Networks sales
representative at https://www.juniper.net/in/en/contact-us/.
 126

Subscriber Secure Policy Licensing Requirements

To enable and use subscriber secure policy, you must install and properly configure the Subscriber Secure
Policy license.

SEE ALSO

Configuring the Router to Strictly Enforce the Subscriber Scaling License | 138

Address-Assignment Pools Licensing Requirements

The address-assignment pool feature is part of the Junos OS Subscriber Management Feature Pack license.
You must install and properly configure the license to meet the requirements for using the
address-assignment pool feature.

Release History Table

Release Description

16.1R1 Starting in Junos OS Release 16.1R1, after the completion of the 30 day grace period, DHCP
bindings on MX series devices are limited to 10. This counts against broadband scale licenses
S-MX104-SA-FP and S-SA-4K.

16.1 Starting in Junos OS Release 16.1, there is also a base variant, making a total of three licence
variants.

14.2 Starting with Junos OS Release 14.2, you can set the license mode for enhanced MPCs such
as MPC4E, MPC5E, and MPC6.

RELATED DOCUMENTATION

Configuring the JET Application and its License on a Device Running Junos OS | 136
 127

Licenses for vMX

IN THIS SECTION

vMX Licenses for AWS | 127

vMX Licenses for KVM and VMware | 128

Managing vMX Licenses | 130

vMX Licenses for AWS

Licenses are required to use vMX features in the Amazon Bring Your Own License (BYOL) model on AWS.
When you order licenses, this information is bound to a customer ID. If you did not order the licenses,
contact your account team or Juniper Networks Customer Care for assistance.

The vMX licenses are based on application packages and processing capacity. Table 44 on page 127describes
the features available with application packages.

Table 44: Application Packages for Licenses

Application Package Features

BASE IP routing with up to 256,000 routes in the forwarding table

Basic Layer 2 functionality, Layer 2 bridging and switching

ADVANCE Features in the BASE application package, plus:

IP routing with up to 2,000,000 routes in the forwarding table

IP and MPLS switching for unicast and multicast applications

Layer 2 features—Layer 2 VPN, VPLS, EVPN, and Layer 2 Circuit

PREMIUM Features in the BASE and ADVANCE application packages, plus:

IP routing with up to 4,000,000 routes in the forwarding table

Layer 3 VPN for IP and multicast

IPsec
 128

An application package is associated with a bandwidth license. Bandwidth licenses that are not associated
with a specific application package apply to all application packages. Bandwidth licenses are additive. For
example, if you add a 500 Mbps license and a 1 Gbps license, you are entitled to use 1.5 Gbps of capacity.

vMX Evaluation License

Juniper Networks provides a 60-day evaluation license for vMX. On AWS, you can try one instance for
60 days with the BYOL model without incurring hourly software charges for this instance but AWS
infrastructure charges still apply.

For information about the 60-day evaluation license for vMX, see
https://www.juniper.net/us/en/dm/free-vmx-trial/.

vMX License Model Numbers

The Juniper Networks licenses are based on SKUs, which represent lists of features that the license enables.

The following SKUs are supported for vMX Bring Your Own License (BYOL):

• VMX-100M-1YR

• VMX-250M-1YR

• VMX-500M-1YR

• VMX-PRM-1G-1YR

• VMX-PRM-5G-1YR

• VMX-PRM-10G-1YR

vMX Licenses for KVM and VMware

Licenses are required for using vMX features. When you order licenses, this information is bound to a
customer ID. If you did not order the licenses, contact your account team or Juniper Networks Customer
Care for assistance. When you order a license, you receive instructions for generating license activation
keys on the Juniper Networks License Management System.

The vMX licenses are based on application packages and processing capacity. Table 45 on page 128 describes
the features available with application packages.

Table 45: Application Packages for Licenses

Application Package Features

BASE IP routing with 256,000 routes in the forwarding table

 129

Table 45: Application Packages for Licenses (continued)

Application Package Features

ADVANCE Features in the BASE application package

IP routing with up to 2,000,000 routes in the forwarding table

16 instances of Layer 3 VPN

PREMIUM Features in the BASE and ADVANCE application packages

IP routing with up to 4,000,000 routes in the forwarding table

Layer 3 VPN for IP and multicast

Table 46 on page 129 describes the queuing licenses.

Table 46: vMX Queuing License

Queuing License SKU Description

VMX-1G-Q 1 Gbps queuing

VMX-5G-Q 5 Gbps queuing

VMX-10G-Q 10 Gbps queuing

VMX-40G-Q 40 Gbps queuing

VMX-100G-Q 100 Gbps queuing

An application package is associated with a bandwidth license. vMX provides egress bandwidth in the
following capacities: 100 Mbps, 250 Mbps, 500 Mbps, 1 Gbps, 5 Gbps, 10 Gbps, and 40 Gbps. Bandwidth
licenses that are not associated with a specific application package apply to all application packages.
Bandwidth licenses are additive. For example, if you add a 500 Mbps license and a 1 Gbps license, you are
entitled to use 1.5 Gbps of capacity.

You can download the vMX software BASE application package with 1 Mbps bandwidth and evaluate it
without a license. To use additional features, you must order the appropriate license. If you delete all valid
licenses, you can only use the BASE application package with 1 Mbps bandwidth.

Supported in Junos OS Release 15.1F4 you can download the vMX software BASE application package
with 1 Mbps bandwidth and evaluate it for 30 days without a license. To use additional features beyond
the 30 days, you must order the appropriate license.
 130

If you upgrade from a BASE package license to an ADVANCE or PREMIUM package license or if you
downgrade from an ADVANCE or PREMIUM package license to a BASE package license, you must restart
the routing protocol process. If your configuration has logical systems, you must restart the routing protocol
process for all logical systems.

If you need to move your vMX installation to another host, you must remove vMX from the current host
before installing vMX and adding the license on the new host.

Starting in Junos OS Release 17.2 with the appropriate vMX PREMIUM license, you can evaluate vBNG
without a vBNG subscriber scale license for 30 days. After 30 days, you are limited to 10 subscriber
sessions.

To deploy a vBNG instance, you must purchase these licenses:

• vMX PREMIUM application package license with 1 Gbps, 5 Gbps, 10 Gbps, or 40 Gbps bandwidth

• vBNG subscriber scale license with 1000, 10 thousand, 100 thousand, or 1 million subscriber sessions
for one of these tiers:

Table 47: vBNG Subscriber Scale License Tiers

Tier Description

Introductory L2TP features including L2TP LNS services, secure policy, service activation and
deactivation

Preferred Features in the Introductory tier, and DHCP subscriber services, PPP/LAC subscriber
services, DHCP relay and DHCP local server

Elite Features in the Preferred tier, and pseudowire head end termination, Gx, and Gy

Managing vMX Licenses

IN THIS SECTION

Adding a License | 131

Deleting a License | 132

You must add a license to use vMX features. The licensed features are enforced based on the license you
purchased.
 131

Starting in Junos OS Release 17.4 for AWS, you must add a license if you are using vMX in the Bring Your
Own License (BYOL) model.

If you upgrade from a BASE package license to an ADVANCE or PREMIUM package license or if you
downgrade from an ADVANCE or PREMIUM package license to a BASE package license, you must restart
the routing protocol process (restart routing). If your configuration has logical systems, you must restart
the routing protocol process for all logical systems (restart routing logical-system logical-system-name).

If you need to move your vMX installation to another host, you must remove vMX from the current host
before installing vMX and adding the license on the new host.

Adding a License
To add a license key to the vMX:

1. Copy the license activation key file to the VCP and add the license key by specifying the filename.

user@vmx> request system license add filename

Or, you can copy and paste the license activation key directly to add the license key. For example:

user@vmx> request system license add terminal

XXXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX
XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX
XXXXXX XXXXXX

2. Verify that the license is installed. VMX-BANDWIDTH indicates the licensed bandwidth (in Mbps) and
VMX-SCALE indicates the application package. (VMX-SCALE 1 is the BASE package, VMX-SCALE 2 is
the ADVANCE package, and VMX-SCALE 3 is the PREMIUM package.) This information is also listed
as Features in the Licenses installed section. For example, this output indicates that the 40G perpetual
license for the PREMIUM application package is installed.

user@vmx> show system license

License usage:
Licenses Licenses Licenses Expiry
Feature name used installed needed
scale-subscriber 0 1000 0 permanent
scale-l2tp 0 1000 0 permanent
scale-mobile-ip 0 1000 0 permanent
VMX-BANDWIDTH 40000 40000 0 permanent
VMX-SCALE 3 3 0 permanent

Licenses installed:
License identifier: JUNOS640113
 132

License version: 4
Software Serial Number: XXXXXXX
Customer ID: vMX-Juniper
Features:
vmx-bandwidth-40g - vmx-bandwidth-40g
permanent
vmx-feature-premium - vmx-feature-premium
permanent

3. Verify the configured bandwidth for PFE traffic matches the licensed bandwidth (VMX-BANDWIDTH).
The current and average bandwidth are also displayed.

user@vmx> show pfe statistics traffic bandwidth

Configured Bandwidth : 40000000000 bps

Bandwidth : 0 bps
Average Bandwidth : 0 bps

Deleting a License
To delete a vMX license:

1. Display the installed licenses.

user@vmx> show system license installed

License identifier: JUNOS640113

License version: 4
Features:
vmx-bandwidth-40g - vmx-bandwidth-40g
permanent
vmx-feature-premium - vmx-feature-premium
permanent

2. Delete the license.

user@vmx> request system license delete license-identifier

For example:

user@vmx> request system license delete JUNOS640113

3. Verify that the license is deleted.

 133

user@vmx> show system license

License usage:
Licenses Licenses Licenses Expiry
Feature name used installed needed
scale-subscriber 0 1000 0 permanent
scale-l2tp 0 1000 0 permanent
scale-mobile-ip 0 1000 0 permanent

Licenses installed: none

Release History Table

Release Description

17.4 Starting in Junos OS Release 17.4 for AWS, you must add a license if you are using vMX in the
Bring Your Own License (BYOL) model.

17.2 Starting in Junos OS Release 17.2 with the appropriate vMX PREMIUM license, you can evaluate
vBNG without a vBNG subscriber scale license for 30 days. After 30 days, you are limited to 10
subscriber sessions.

License Configuration

IN THIS SECTION

Installing Junos OS Licenses on Virtual Chassis Member Routers | 134

Configuring the JET Application and its License on a Device Running Junos OS | 136

Configuring the Router to Strictly Enforce the Subscriber Scaling License | 138
 134

Installing Junos OS Licenses on Virtual Chassis Member Routers

IN THIS SECTION

Installing Junos OS Licenses on Members | 134

Reinstalling Junos OS Licenses on New Members | 135

To enable some Junos OS features or router scaling levels, you might have to purchase, install, and manage
separate software license packs. The presence on the router of the appropriate software license keys
(passwords) determines whether you can configure and use certain features or configure a feature to a
predetermined scale.

Before you configure an MX Series Virtual Chassis, install the following Junos OS software licenses on
each MX Series router to be configured as a member of the Virtual Chassis:

• MX Virtual Chassis Redundancy Feature Pack—You must install a unique MX Virtual Chassis Redundancy
Feature Pack for each member router in the Virtual Chassis. If you issue the request virtual-chassis
member-id set, request virtual-chassis member-id delete, request virtual-chassis vc-port set, or request
virtual-chassis vc-port delete command to set or delete member IDs or Virtual Chassis ports without
first installing an MX Virtual Chassis Redundancy Feature Pack on both member routers, the software
displays a warning message that you are operating without a valid Virtual Chassis software license.

There is no separate license for Virtual Chassis like there is for Virtual Chassis Fabric.

• Junos OS feature licenses—Purchase and install the appropriate Junos OS feature licenses to enable use
of a particular software feature or scaling level in your network. You must install the required feature
licenses on each member router in the Virtual Chassis.

Sometimes, if a Virtual Chassis member is newly installed, the licenses are lost, creating a situation in which
any new license installed in master Routing Engine will get synced across all members, but any previously
installed license (any license installed before the newly installed member) does not get synced. In this case,
you must reinstall (delete and add) licenses in the master Routing Engine if a Virtual Chassis member is
replaced. This procedure will sync all installed licenses to all members.

This topic covers the following procedures:

Installing Junos OS Licenses on Members

Before you begin:

• Prepare your site for the Virtual Chassis configuration.

See Preparing for a Virtual Chassis Configuration.

• Familiarize yourself with the procedures for installing and managing Junos OS licenses.
 135

See Software Installation and Upgrade Guide.

To install Junos OS licenses on each member router in the Virtual Chassis:

1. Install the required licenses on the MX Series router to be designated as the protocol master for the
Virtual Chassis.

a. Install the MX Virtual Chassis Redundancy Feature Pack.

b. Install the Junos OS feature licenses required for your software feature or scaling level.

2. Install the required licenses on the MX Series router to be designated as the protocol backup for the
Virtual Chassis.

a. Install the MX Virtual Chassis Redundancy Feature Pack.

b. Install the Junos OS feature licenses required for your software feature or scaling level.

3. (Optional) Verify the license installation on each member router.

For example:

user@host> show system license

License usage:
Licenses Licenses Licenses Expiry
Feature name used installed needed
subscriber-accounting 0 1 0 permanent
subscriber-authentication 0 1 0 permanent
subscriber-address-assignment 0 1 0 permanent
subscriber-vlan 0 1 0 permanent
subscriber-ip 0 1 0 permanent
scale-subscriber 0 256000 0 permanent
scale-l2tp 0 1000 0 permanent
scale-mobile-ip 0 1000 0 permanent
virtual-chassis 0 1 0 permanent

Reinstalling Junos OS Licenses on New Members

When you need to install a new Virtual Chassis member router, use this procedure to ensure all installed
licenses are synced to all members.

Before adding the new Routing Engine to the Virtual Chassis, install required operational packages. This
is like the first procedure, Installing Junos OS Licenses on Members.

To sync Junos OS licenses from master to newly replaced virtual chassis members:

1. On the master router, exit the CLI to switch to user root.

 136

{master:member0-re1}

user@host> start shell user root

{master:member0-re1}
Password:

2. Enter the root password and go back into the CLI.

root@host% cli

3. Copy the licenses from the master member to the Routing Engine that does not have licenses installed
(that is, the newly installed Routing Engine).

{master:member0-re1}

user@host> file copy /config/license/*.lic member0-re0:/config/license/

{master:member0-re1}
user@host>

SEE ALSO

License Modes for Enhanced MPCs Overview | 113

Configuring the License Mode for Specific Enhanced MPCs on MX Series Routers | 114
Software Features That Require Licenses on MX Series Routers Only | 100

Configuring the JET Application and its License on a Device Running Junos OS

IN THIS SECTION

Configuring a Python Application to Run on Junos OS | 137

Configuring a C or C++ Application to Run on Junos OS | 138

 137

Before you can start a JET application on a device running Junos OS, first determine if you must configure
the license. License configuration for JET applications is required only if you are deploying on-box
applications written in C or C++ and built using the Juniper Extension Toolkit (JET) development
environment. This task is not required for simple Python JET applications, which do not require licensing.

This topic describes how to configure two types of JET applications to run on Junos OS: Python applications
and C or C++ applications.

Configuring a Python Application to Run on Junos OS

To configure a JET Python application to run on a device running Junos OS and its license:

1. (Optional if Python application is signed) Issue the set system scripts language (python | python3)
command.

[edit]
user@device# set system scripts language python

If you do not include the language python or language python3 statement, you cannot execute unsigned
Python scripts on the device.

Junos OS supports using symbolic links for files in the /var/db/scripts/jet directory, but the device will
only execute the script at the target location if it is signed.

2. At the [edit system extensions] hierarchy level, configure the application’s provider’s ID. The same
provider license must be used to configure a JET application to run on Junos OS as was used to package
it.

[edit system extensions]

user@device# set providers xyzcompany

3. Configure the license type and deployment scope.

[edit system extensions]

user@device# set providers xyzcompany license-type juniper deployment-scope commercial

4. Commit the configuration.

[edit system extensions]

user@device# top
[edit]
user@device# commit
 138

Configuring a C or C++ Application to Run on Junos OS

To configure a JET C or C++ application to run on a device running Junos OS and its license:

1. Configure the application’s provider’s ID, license type, and deployment scope. The same provider license
must be used to configure a JET application to run on Junos OS as was used to package it.

The following application example was packaged using chef as the provider license:

[edit]
user@device# set system extensions providers chef license-type juniper deployment-scope commercial

2. Commit the configuration and exit to operational mode.

[edit]
user@device# commit
commit complete

[edit]
user@device# exit
user@device>

SEE ALSO

JET Overview
License Modes for Enhanced MPCs Overview | 113
Configuring the License Mode for Specific Enhanced MPCs on MX Series Routers | 114
Software Features That Require Licenses on MX Series Routers Only | 100

Configuring the Router to Strictly Enforce the Subscriber Scaling License

To enable some Juniper Networks Junos OS features or router scaling levels, you might have to purchase,
install, and manage separate software license packs. The presence on the router of the appropriate software
license keys (passwords) determines whether you can configure and use certain features or configure a
feature to a predetermined scale.

For the latest information about subscriber access licensing, contact your Juniper Networks sales
representative at https://www.juniper.net/in/en/contact-us/.

Subscriber Secure Policy Licensing Requirements

 139

To enable and use subscriber secure policy, you must install and properly configure the Subscriber Secure
Policy license.

You can configure the router to strictly enforce the subscriber scaling feature, which is part of the Junos
Subscriber Access Feature Pack license. The subscriber scaling feature specifies the maximum number of
subscribers that can be logged in at any one time.

When you configure strict scaling license support, the router performs the following actions:

• Strictly enforces the subscriber scaling license and does not allow any grace period. When the number
of logged-in subscriber reaches the number allowed by the scaling license, no additional subscribers are
allowed to log in.

• Creates the informational log message, “90 percent of installed subscriber scale licenses in use" in
/var/log/messages, to inform you when you have 10 percent of the total allowed licenses remaining.
The router clears this condition when license usage falls below 90 percent. The log message is created
again if the 90 percent usage is later reached.

To configure the router to strictly enforce the subscriber scaling license:

1. Specify that you want to configure subscriber management.

[edit system services]

user@host# edit subscriber-management

2. Configure the router to enforce the scaling license.

[edit system services subscriber-management]

user@host# set enforce-strict-scale-limit-license
 140

CHAPTER 4

Licenses for Switching Devices

IN THIS CHAPTER

Understanding Software Licenses for EX Series Switches | 140

Licenses for EX Series | 154

Licenses for QFX Series | 173

Understanding Software Licenses for EX Series Switches

IN THIS SECTION

Purchasing a Software Feature License | 141

License Key Components for the EX Series Switch | 141

Features Requiring a License on EX2200 Switches | 142

Features Requiring a License on EX2300 Switches | 143

Features Requiring a License on EX3300 Switches | 144

Features Requiring a License on EX3400 Switches | 145

Features Requiring a License on EX4300 Switches | 147

Features Requiring a License on EX4600 Switches | 149

Features Requiring a License on EX4650 Switches | 150

Features Requiring a License on EX3200, EX4200, EX4500, EX4550, EX6200, EX8200, EX9200 and EX9250
Switches | 151

License Warning Messages | 153

 141

To enable and use some of the Juniper Networks operating system (Junos OS) features, you must purchase,
install, and manage separate software licenses. If the switch has the appropriate software license, you can
configure and use these features.

The Junos OS feature license (that is, the purchased authorization code) is universal. However, to conform
to Junos OS feature licensing requirements, you must install a unique license key (a combination of the
authorization code and the switch’s serial number) on each switch.

For a Virtual Chassis deployment, two license keys are recommended for redundancy—one for the device
in the master role and the other for the device in the backup role:

• In an EX8200 Virtual Chassis, the devices in the master and backup roles are always XRE200 External
Routing Engines.

• In all other Virtual Chassis, the devices in the master and backup roles are switches.

You do not need additional license keys for Virtual Chassis member switches that are in the linecard role
or for the redundant Routing Engine (RE) modules or the redundant Switch Fabric and Routing Engine
(SRE) modules in an EX8200 member switch.

This topic describes:

Purchasing a Software Feature License

The following sections list features that require separate licenses. To purchase a software license, contact
your Juniper Networks sales representative (https://www.juniper.net/us/en/contact-us/sales-offices).
You will be asked to supply the chassis serial number of your switch; you can obtain the serial number by
running the show chassis hardware command.

You are required to provide the 12-digit serial number when purchasing a license for an XRE200 External
Routing Engine in an EX8200 Virtual Chassis.

The serial number listed on the XRE200 External Routing Engine serial ID label is 16 digits long. Use the
last 12 digits of the 16-digit serial number to purchase the license.

You can use the show chassis hardware command output to display the 12-digit serial number of the
XRE200 External Routing Engine.

License Key Components for the EX Series Switch

When you purchase a license for a Junos OS feature that requires a separate license, you receive a license
key.

A license key consists of two parts:

• License ID—Alphanumeric string that uniquely identifies the license key. When a license is generated,
it is given a license ID.
 142

• License data—Block of binary data that defines and stores all license key objects.

For example, in the following typical license key, the stringJunos204558 is the license ID, and the trailing
block of data is the license data:

XXXXXXXXXX xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx

xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx
xxxxxx xxxxxx xxx

The license data defines the device ID for which the license is valid and the version of the license.

Features Requiring a License on EX2200 Switches

For EX2200 switches, the following features can be added to basic Junos OS by installing an enhanced
feature license (EFL):

• Bidirectional Forwarding Detection (BFD)

• Connectivity fault management (IEEE 802.1ag)

• IGMP (Internet Group Management Protocol) version 1 (IGMPv1), IGMPv2, and IGMPv3

• OSPFv1/v2 (with four active interfaces)

• Protocol Independent Multicast (PIM) dense mode, PIM source-specific mode, PIM sparse mode

• Q-in-Q tunneling (IEEE 802.1ad)

• Real-time performance monitoring (RPM)

• Virtual Router

• Virtual Router Redundancy Protocol (VRRP)

Table 48 on page 142 lists the EFLs that you can purchase for EX2200 switch models. If you have the
license, you can run all of the enhanced software features mentioned above on your EX2200 switch.

Table 48: Junos OS Part Number on EX2200 Switches

Switch Model Part Number

EX2200-C-12P-2G EX-12-EFL
EX2200-C-12T-2G

EX2200-24T-4G EX-24-EFL
EX2200-24P-4G
EX2200-24T-DC-4G

EX2200-48T-4G EX-48-EFL
EX2200-48P-4G
 143

Features Requiring a License on EX2300 Switches

EX2300 switches have enhanced feature licenses (EFLs).

To use the following features on the EX2300 switches, you must install an EFL:

• Bidirectional Forwarding Detection (BFD)

• IGMP (Internet Group Management Protocol) version 1 (IGMPv1), IGMPv2, and IGMPv3

• IPv6 routing protocols: Multicast Listener Discovery version 1 and 2 (MLD v1/v2), OSPFv3, PIM multicast,
VRRPv3

• Multicast Source Discovery protocol (MSDP)

• Operations Administration Management (OAM) (Connectivity Fault Management (CFM)

• OSPF v2/v3

• Protocol Independent Multicast (PIM) dense mode, PIM source-specific mode, PIM sparse mode

• Real-time performance monitoring (RPM)

• RIPng (RIPng is for RIP IPv6)

• Virtual Router Redundancy Protocol (VRRP)

Table 49 on page 143 lists the EFLs that you can purchase for EX2300 switch models. If you have the
license, you can run all of the enhanced software features mentioned above on your EX2300 switch.

Table 49: Junos OS Part Number on EX2300 Switches

Switch Model Part Number

EX2300-C-12P EX-12-EFL
EX2300-C-12T

EX2300-24T EX-24-EFL
EX2300-24P
EX2300-24MP

EX2300-48T EX-48-EFL
EX2300-48P
EX2300-48MP

Virtual Chassis feature support on EX2300 switches:

• The EX-12-EFL SKU includes the EX2300-VC (Virtual Chassis feature) license. EX2300-C-12P and
EX2300-C-12T switches do not require an additional EX2300-VC license if you purchases the EFL
license.
 144

• EX2300-24T, EX2300-24P, EX2300-24MP, EX2300-48T, EX2300-48P, and EX2300-48MP switches

do not include the EX2300-VC (Virtual Chassis feature). If you want to use Virtual Chassis feature, you
must purchase a separate EX2300-VC license for each EX2300 switch.

Features Requiring a License on EX3300 Switches

Two types of licenses are available on EX3300 switches: enhanced feature licenses (EFLs) and advanced
feature licenses (AFLs).

To use the following features on the EX3300 switches, you must install an EFL:

• Bidirectional Forwarding Detection (BFD)

• IGMP (Internet Group Management Protocol) version 1 (IGMPv1), IGMPv2, and IGMPv3

• IPv6 routing protocols: Multicast Listener Discovery version 1 and 2 (MLD v1/v2), OSPFv3, PIM multicast,
VRRPv3, virtual router support for unicast and filter-based forwarding (FBF)

• Intermediate System-to-Intermediate System (IS-IS)

• OSPFv1/v2

• Protocol Independent Multicast (PIM) dense mode, PIM source-specific mode, PIM sparse mode

• Q-in-Q tunneling (IEEE 802.1ad)

• Real-time performance monitoring (RPM)

• Unicast reverse-path forwarding (RPF)

• Virtual Router

• Virtual Router Redundancy Protocol (VRRP)

Table 50 on page 144 lists the EFLs that you can purchase for EX3300 switch models. If you have the
license, you can run all of the enhanced software features mentioned above on your EX3300 switch.

Table 50: Junos OS Part Number on EX3300 Switches

Switch Model Part Number

EX3300-24T EX-24-EFL
EX3300-24P
EX3300-24T-DC

EX3300-48T EX-48-EFL
EX3300-48T-BF
EX3300-48P
 145

To use the following feature on EX3300 switches, you must install an AFL:

• Border Gateway Protocol (BGP) and multiprotocol BGP (MBGP)

• IPv6 routing protocols: IPv6 BGP and IPv6 for MBGP

• Virtual routing and forwarding (VRF) BGP

Table 51 on page 145 lists the AFLs that you can purchase for EX3300 switch models. For EX3300 switches,
you must purchase and install a corresponding EFL along with the AFL to enable the advanced license
features. If you have both these licenses, you can run all of the advanced software features mentioned
above on your EX3300 switch.

Table 51: Junos OS AFL Part Number on EX3300 Switches

Switch Model AFL Part Number

EX3300-24T EX-24-AFL
EX3300-24P
EX3300-24T-DC

EX3300-48T EX-48-AFL
EX3300-48T-BF
EX3300-48P

Features Requiring a License on EX3400 Switches

EX3400 switches has an enhanced feature licenses (EFLs) and MACSec license.

To use the following features on the EX3400 switches, you must install an EFL:

• Bidirectional Forwarding Detection (BFD)

• IGMP (Internet Group Management Protocol) version 1 (IGMPv1), IGMPv2, and IGMPv3

• IPv6 routing protocols: : Multicast Listener Discovery version 1 and 2 (MLD v1/v2), OSPFv3, PIM
multicast, VRRPv3, virtual router support for unicast and filter-based forwarding (FBF)

• Multicast Source Discovery Protocol (MSDP)

• Operations Administration Management (OAM) (Connectivity Fault Management (CFM)

• OSPF v2/v3

• Protocol Independent Multicast (PIM) dense mode, PIM source-specific mode, PIM sparse mode

• Real-time performance monitoring (RPM)

• RIPng (RIPng is for RIP IPv6)

• Unicast reverse-path forwarding (RPF)

 146

• Virtual Router

• Virtual Router Redundancy Protocol (VRRP)

Table 52 on page 146 lists the EFLs that you can purchase for EX3400 switch models. If you have the
license, you can run all of the enhanced software features mentioned above on your EX3400 switch.

Table 52: Junos OS Part Number on EX3400 Switches

Switch Model Part Number

EX3400-24T EX-24-EFL
EX3400-24P

EX3400-48P EX-48-EFL
EX3400-48T
EX3400-48T-AFI
EX3400-48T-DC
EX3400-48T-DC-AFI

To use the following features on the EX3400 switches, you must install an AFL:

• Border Gateway Protocol (BGP) and multiprotocol BGP (MBGP)

• Intermediate System-to-Intermediate System (IS-IS)

Table 53 on page 146 lists the AFLs that you can purchase for EX3400 switch models. For EX3400 switches,
you must purchase and install a corresponding EFL along with the AFL to enable the advanced license
features. If you have both these licenses, you can run all of the advanced software features mentioned
above on your EX3400 switch.

Table 53: Junos OS Part Number on EX3400 Switches

Switch Model Part Number

EX3400-24T EX-24-AFL
EX3400-24P

EX3400-48P EX-48-AFL
EX3400-48T
EX3400-48T-AFI
EX3400-48T-DC
EX3400-48T-DC-AFI

You must download a MACsec feature license to enable MACsec. The MACsec feature license is an
independent feature license; the enhanced feature licenses (EFLs) or advanced feature licenses (AFLs) that
must be purchased to enable some features on EX Series switches cannot be purchased to enable MACsec.
 147

To purchase a feature license for MACsec, contact your Juniper Networks sales representative
(https://www.juniper.net/us/en/contact-us/sales-offices). The Juniper sales representative will provide
you with a feature license file and a license key.

MACsec is supported on EX3400 switches.

Table 54 on page 147 lists the MACsec model number that you can purchase for EX3400 switch models.

Table 54: Junos OS MACsec model number on EX3400 Switches

Switch Model Model Number

EX3400 EX-QFX-MACSEC-ACC

Features Requiring a License on EX4300 Switches

Two types of licenses are available on EX4300 switches: enhanced feature licenses (EFLs) and advanced
feature licenses (AFLs).

To use the following features on the EX4300 switches, you must install an EFL:

• Bidirectional Forwarding Detection (BFD)

• Connectivity fault management (IEEE 802.1ag)

• IGMP (Internet Group Management Protocol) version 1 (IGMPv1), IGMPv2, and IGMPv3

• Multicast Source Discovery Protocol (MSDP)

• Operations Administration Management (OAM) (Connectivity Fault Management (CFM))

• OSPFv2/v3

• Real-time perfomance monitoring (RPM)

• RIPng (RIPng is for RIP IPv6)

• Unicast reverse-path forwarding (RPF)

• Virtual Router

• Virtual Router Redundancy Protocol (VRRP)

Table 55 on page 147 lists the EFLs that you can purchase for EX4300 switch models. If you have the
license, you can run all of the enhanced software features mentioned above on your EX4300 switch.

Table 55: Junos OS Part Number on EX4300 Switches

Switch Model Part Number

EX4300-24T EX4300-24-EFL
EX4300-24P
 148

Table 55: Junos OS Part Number on EX4300 Switches (continued)

Switch Model Part Number

EX4300-48MP EX4300-48-EFL
EX4300-48P
EX4300-48T
EX4300-48T-AFI
EX4300-48T-DC
EX4300-48T-DC-AFI

EX4300-32F EX4300-32F-EFL
EX4300-32F-DC

To use the following features on EX4300 switches, you must install an AFL:

• Border Gateway Protocol (BGP) and multiprotocol BGP (MBGP)

• Intermediate System-to-Intermediate System (IS-IS)

• Ethernet VPN (EVPN) with Virtual Extensible LAN (VXLAN)

• Supported only on EX4300-48MP switch.

• Requires the Border Gateway Protocol (BGP) for configuration.

Table 56 on page 148 lists the AFLs that you can purchase for EX4300 switch models. For EX4300 switches,
you must purchase and install a corresponding EFL along with the AFL to enable the advanced license
features. If you have both these licenses, you can run all of the advanced software features mentioned
above on your EX4300 switch.

Table 56: Junos OS AFL Part Number on EX4300 Switches

Switch Model AFL Part Number

EX4300-24T EX4300-24-AFL
EX4300-24P

EX4300-48MP EX4300-48-AFL
EX4300-48P
EX4300-48T
EX4300-48T-AFI
EX4300-48T-DC
EX4300-48T-DC-AFI

EX4300-32F EX4300-32F-AFL
EX4300-32F-DC
 149

You must download a MACsec feature license (Part Number-EX-QFX-MACSEC- ACC) to enable MACsec.
The MACsec feature license is an independent feature license; the enhanced feature licenses (EFLs) or
advanced feature licenses (AFLs) that must be purchased to enable some features on EX Series switches
cannot be purchased to enable MACsec.

To purchase a feature license for MACsec, contact your Juniper Networks sales representative
(https://www.juniper.net/us/en/contact-us/sales-offices). The Juniper sales representative will provide
you with a feature license file and a license key.

MACsec is supported on EX4300 switches.

Table 57 on page 149 lists the MACsec model number that you can purchase for EX4300 switch models.

Table 57: Junos OS MACsec model number on EX4300 Switches

Switch Model Model Number

EX4300 EX-QFX-MACSEC-ACC

Features Requiring a License on EX4600 Switches

To use the following features on EX4600 switches, you must install an advanced feature license:

• Border Gateway Protocol (BGP) and multiprotocol BGP (MBGP)

• Intermediate System-to-Intermediate System (IS-IS)

• Multiprotocol Label Switching (MPLS)

• Virtual Extensible LAN (VXLAN)

Table 58 on page 149 lists the AFLs that you can purchase for EX4600 switch models.

Table 58: Junos OS AFL Part Number on EX4600 Switches

Switch Model AFL Part Number

EX4600-40F EX4600-AFL

You must download a MACsec feature license to enable MACsec. The MACsec feature license is an
independent feature license; the enhanced feature licenses (EFLs) or advanced feature licenses (AFLs) that
must be purchased to enable some features on EX Series switches cannot be purchased to enable MACsec.

To purchase a feature license for MACsec, contact your Juniper Networks sales representative
(https://www.juniper.net/us/en/contact-us/sales-offices). The Juniper sales representative will provide
you with a feature license file and a license key.

MACsec is supported on EX4600 switches.

 150

Table 59 on page 150 lists the MACsec model number that you can purchase for EX4600 switch models.

Table 59: Junos OS AFL Part Number on EX4600 Switches

Switch Model Model Number

EX4600-40F EX-QFX-MACSEC-AGG

Features Requiring a License on EX4650 Switches

Table 60 on page 150 lists the PFLs and AFLs that you can purchase for EX4650 switch models. If you have
the license, you can run all of the premium and advanced software features mentioned below on your
EX4650 switch.

Table 60: Junos OS Part Numbers on EX4650 Switches

Switch Model License Type Part Number

EX4650-48Y Premium EX4650-PFL

EX4650-48Y Advanced EX4650-AFL

Table 61 on page 150 lists the standard Junos OS features which require licenses on EX4650 switches.

Table 61: Features which Require Licenses on EX4650 Switches

License Model Detailed Features

Base Features Basic IPv6, BFD, CFM (IEEE 802.1ag), Class of service (COS)/ Policing/Shaping/Marking,
Filtering, IGMPv1/v2/v3 (includes IGMP Snooping), Junos Telemetry Interface, MC-LAG,
MLDv1/v2 and MSDP, OSPFv2 and OSPFv3, PIM-DM/SM/SSM and PIMv6, Q-in-Q
tunneling (IEEE 802.1ad), RIPng and RPM, Timing – Boundary Clock and Timing –
Transparent Clock, Unicast reverse-path forwarding (RPF), VC, Virtual Router, VRRP, and
VRRPv6, Zero Touch Provisioning (ZTP)

Premium Features Includes all base features, BGP and MBGP, Ethernet VPN, IPv6 for BGP or MGBP, IS-IS or
IPv4 and IPv6, VRF, VXLAN

Advanced Features Includes all PFL features, MPLS, MPLS based Circuit cross-connect (CCC), Resource
Reservation Protocol (RSVP) label-switched path (LSP), Segment Routing, MACsec is not
supported on EX4650 switch.
 151

Features Requiring a License on EX3200, EX4200, EX4500, EX4550, EX6200, EX8200, EX9200
and EX9250 Switches

To use the following features on EX3200, EX4200, EX4500, EX4550, EX8200, EX9200 and EX9250
switches, you must install an advanced feature license (AFL):

• Border Gateway Protocol (BGP) and multiprotocol BGP (MBGP)

• Ethernet VPN (available only on EX9200 and EX9250 switches)

• Intermediate System-to-Intermediate System (IS-IS)

• IPv6 routing protocols: IS-IS for IPv6, IPv6 BGP, IPv6 for MBGP

• Logical systems (available only on EX9200 switches)

• MPLS with RSVP-based label-switched paths (LSPs)

Starting with Junos OS Release 17.3R1, you can enable up to 200 RSVP-TE sessions in the EX9200
advanced feature license (AFL).

• MPLS-based circuit cross-connects (CCCs) (available only on EX4200 and EX4550 switches)

• Open vSwitch Database (OVSDB) (available only on EX9200 switches)

• Virtual Extensible LAN (VXLAN) (available only on EX9200 and EX9250 switches)

To use the following features on Juniper Networks EX6200 Ethernet Switches, you must install an advanced
feature license (AFL):

• Border Gateway Protocol (BGP)

• Intermediate System-to-Intermediate System (IS-IS)

• IPv6 routing protocols: IS-IS for IPv6, IPv6 BGP

To use MACsec feature on Juniper Networks EX9253 Switches, you must install an security feature license
(SFL).

To use Forwarding Information Base (FIB) and Address Resolution Protocol (ARP) features on Juniper
Networks EX9251 and EX9253 Switches, you must install an mid-scale license (ML).

Table 62 on page 152 lists the AFLs that you can purchase for EX3200, EX4200, EX4500, EX4550, EX6200,
EX8200, EX9200 and EX9250 switches. If you have the license, you can run all of the advanced software
features mentioned above on your EX3200, EX4200, EX4500, EX4550, EX6200, EX8200, or EX9200
switch. An EFL is not applicable to this range of switches.
 152

Table 62: Junos OS AFL Part Number on EX3200, EX4200, EX4500, EX4550, EX6200, EX8200, EX9200
and EX9250 Switches

Switch Model AFL Part Number

EX3200-24P EX-24-AFL
EX3200-24T
EX4200-24F
EX4200-24P
EX4200-24PX
EX4200-24T

EX3200-48P EX-48-AFL
EX3200-48T
EX4200-48F
EX4200-48P
EX4200-48PX
EX4200-48T

EX4500-40F-BF EX-48-AFL
EX4500-40F-BF-C
EX4500-40F-FB
EX4500-40F-FB-C

EX4550 EX4550-AFL

EX6210 EX6210-AFL

EX8208 EX8208-AFL

EX8216 EX8216-AFL

EX-XRE200 EX-XRE200-AFL

EX9204 EX9204-AFL

EX9208 EX9208-AFL

EX9214 EX9214-AFL

EX9251 EX9251-AFL

EX9251-ML
 153

Table 62: Junos OS AFL Part Number on EX3200, EX4200, EX4500, EX4550, EX6200, EX8200, EX9200
and EX9250 Switches (continued)

Switch Model AFL Part Number

EX9253 EX9253-AFL

EX9253-ML

EX9253-SFL

You must download a MACsec feature license to enable MACsec. The MACsec feature license is an
independent feature license; the enhanced feature licenses (EFLs) or advanced feature licenses (AFLs) that
must be purchased to enable some features on EX Series switches cannot be purchased to enable MACsec.

To purchase a feature license for MACsec, contact your Juniper Networks sales representative
(https://www.juniper.net/us/en/contact-us/sales-offices). The Juniper sales representative will provide
you with a feature license file and a license key.

MACsec is supported on EX4200 and EX4550 switches.

Table 63 on page 153 lists the MACsec model number that you can purchase for EX4200 and EX4550
switch models.

Table 63: Junos OS MACsec model number on EX4200 and EX4550 Switches

Switch Model Model Number

EX4550 EX-QFX-MACSEC-AGG

EX4200 EX-QFX-MACSEC-ACC

License Warning Messages

For using features that require a license, you must install and configure a license key. To obtain a license
key, use the contact information provided in your certificate.

If you have not purchased the AFL or EFL and installed the license key, you receive warnings when you
try to commit the configuration:

[edit protocols]
'bgp'
warning: requires 'bgp' license
error: commit failed: (statements constraint check failed)
 154

The system generates system log (syslog) alarm messages notifying you that the feature requires a
license—for example:

Sep 3 05:59:11 craftd[806]: Minor alarm set, BGP Routing Protocol usage requires
a license
Sep 3 05:59:11 alarmd[805]: Alarm set: License color=YELLOW, class=CHASSIS,
reason=BGP Routing Protocol usage requires a license
Sep 3 05:59:11 alarmd[805]: LICENSE_EXPIRED: License for feature bgp(47) expired

Output of the show system alarms command displays the active alarms:

user@switch> show system alarms

1 alarm currently active

Alarm time Class Description
2009-09-03 06:00:11 UTC Minor BGP Routing Protocol usage requires a license

Licenses for EX Series

IN THIS SECTION

Understanding Software Licenses for EX Series Switches | 154

Software Features That Require Licenses on EX Series Switches | 168

License Key Components for the EX Series Switch | 169

Managing Licenses for EX Series Switches (CLI Procedure) | 169

Monitoring Licenses for the EX Series Switches | 171

Understanding Software Licenses for EX Series Switches

IN THIS SECTION

Purchasing a Software Feature License | 155

License Key Components for the EX Series Switch | 156

 155

Features Requiring a License on EX2200 Switches | 156

Features Requiring a License on EX2300 Switches | 157

Features Requiring a License on EX3300 Switches | 158

Features Requiring a License on EX3400 Switches | 159

Features Requiring a License on EX4300 Switches | 161

Features Requiring a License on EX4600 Switches | 163

Features Requiring a License on EX4650 Switches | 164

Features Requiring a License on EX3200, EX4200, EX4500, EX4550, EX6200, EX8200, EX9200 and EX9250
Switches | 165

License Warning Messages | 167

To enable and use some of the Juniper Networks operating system (Junos OS) features, you must purchase,
install, and manage separate software licenses. If the switch has the appropriate software license, you can
configure and use these features.

The Junos OS feature license (that is, the purchased authorization code) is universal. However, to conform
to Junos OS feature licensing requirements, you must install a unique license key (a combination of the
authorization code and the switch’s serial number) on each switch.

For a Virtual Chassis deployment, two license keys are recommended for redundancy—one for the device
in the master role and the other for the device in the backup role:

• In an EX8200 Virtual Chassis, the devices in the master and backup roles are always XRE200 External
Routing Engines.

• In all other Virtual Chassis, the devices in the master and backup roles are switches.

You do not need additional license keys for Virtual Chassis member switches that are in the linecard role
or for the redundant Routing Engine (RE) modules or the redundant Switch Fabric and Routing Engine
(SRE) modules in an EX8200 member switch.

This topic describes:

Purchasing a Software Feature License

The following sections list features that require separate licenses. To purchase a software license, contact
your Juniper Networks sales representative (https://www.juniper.net/us/en/contact-us/sales-offices).
You will be asked to supply the chassis serial number of your switch; you can obtain the serial number by
running the show chassis hardware command.

You are required to provide the 12-digit serial number when purchasing a license for an XRE200 External
Routing Engine in an EX8200 Virtual Chassis.
 156

The serial number listed on the XRE200 External Routing Engine serial ID label is 16 digits long. Use the
last 12 digits of the 16-digit serial number to purchase the license.

You can use the show chassis hardware command output to display the 12-digit serial number of the
XRE200 External Routing Engine.

License Key Components for the EX Series Switch

When you purchase a license for a Junos OS feature that requires a separate license, you receive a license
key.

A license key consists of two parts:

• License ID—Alphanumeric string that uniquely identifies the license key. When a license is generated,
it is given a license ID.

• License data—Block of binary data that defines and stores all license key objects.

For example, in the following typical license key, the stringJunos204558 is the license ID, and the trailing
block of data is the license data:

XXXXXXXXXX xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx

xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx
xxxxxx xxxxxx xxx

The license data defines the device ID for which the license is valid and the version of the license.

Features Requiring a License on EX2200 Switches

For EX2200 switches, the following features can be added to basic Junos OS by installing an enhanced
feature license (EFL):

• Bidirectional Forwarding Detection (BFD)

• Connectivity fault management (IEEE 802.1ag)

• IGMP (Internet Group Management Protocol) version 1 (IGMPv1), IGMPv2, and IGMPv3

• OSPFv1/v2 (with four active interfaces)

• Protocol Independent Multicast (PIM) dense mode, PIM source-specific mode, PIM sparse mode

• Q-in-Q tunneling (IEEE 802.1ad)

• Real-time performance monitoring (RPM)

• Virtual Router

• Virtual Router Redundancy Protocol (VRRP)

Table 48 on page 142 lists the EFLs that you can purchase for EX2200 switch models. If you have the
license, you can run all of the enhanced software features mentioned above on your EX2200 switch.
 157

Table 64: Junos OS Part Number on EX2200 Switches

Switch Model Part Number

EX2200-C-12P-2G EX-12-EFL
EX2200-C-12T-2G

EX2200-24T-4G EX-24-EFL
EX2200-24P-4G
EX2200-24T-DC-4G

EX2200-48T-4G EX-48-EFL
EX2200-48P-4G

Features Requiring a License on EX2300 Switches

EX2300 switches have enhanced feature licenses (EFLs).

To use the following features on the EX2300 switches, you must install an EFL:

• Bidirectional Forwarding Detection (BFD)

• IGMP (Internet Group Management Protocol) version 1 (IGMPv1), IGMPv2, and IGMPv3

• IPv6 routing protocols: Multicast Listener Discovery version 1 and 2 (MLD v1/v2), OSPFv3, PIM multicast,
VRRPv3

• Multicast Source Discovery protocol (MSDP)

• Operations Administration Management (OAM) (Connectivity Fault Management (CFM)

• OSPF v2/v3

• Protocol Independent Multicast (PIM) dense mode, PIM source-specific mode, PIM sparse mode

• Real-time performance monitoring (RPM)

• RIPng (RIPng is for RIP IPv6)

• Virtual Router Redundancy Protocol (VRRP)

Table 49 on page 143 lists the EFLs that you can purchase for EX2300 switch models. If you have the
license, you can run all of the enhanced software features mentioned above on your EX2300 switch.

Table 65: Junos OS Part Number on EX2300 Switches

Switch Model Part Number

EX2300-C-12P EX-12-EFL
EX2300-C-12T
 158

Table 65: Junos OS Part Number on EX2300 Switches (continued)

Switch Model Part Number

EX2300-24T EX-24-EFL
EX2300-24P
EX2300-24MP

EX2300-48T EX-48-EFL
EX2300-48P
EX2300-48MP

Virtual Chassis feature support on EX2300 switches:

• The EX-12-EFL SKU includes the EX2300-VC (Virtual Chassis feature) license. EX2300-C-12P and
EX2300-C-12T switches do not require an additional EX2300-VC license if you purchases the EFL
license.

• EX2300-24T, EX2300-24P, EX2300-24MP, EX2300-48T, EX2300-48P, and EX2300-48MP switches

do not include the EX2300-VC (Virtual Chassis feature). If you want to use Virtual Chassis feature, you
must purchase a separate EX2300-VC license for each EX2300 switch.

Features Requiring a License on EX3300 Switches

Two types of licenses are available on EX3300 switches: enhanced feature licenses (EFLs) and advanced
feature licenses (AFLs).

To use the following features on the EX3300 switches, you must install an EFL:

• Bidirectional Forwarding Detection (BFD)

• IGMP (Internet Group Management Protocol) version 1 (IGMPv1), IGMPv2, and IGMPv3

• IPv6 routing protocols: Multicast Listener Discovery version 1 and 2 (MLD v1/v2), OSPFv3, PIM multicast,
VRRPv3, virtual router support for unicast and filter-based forwarding (FBF)

• Intermediate System-to-Intermediate System (IS-IS)

• OSPFv1/v2

• Protocol Independent Multicast (PIM) dense mode, PIM source-specific mode, PIM sparse mode

• Q-in-Q tunneling (IEEE 802.1ad)

• Real-time performance monitoring (RPM)

• Unicast reverse-path forwarding (RPF)

• Virtual Router

• Virtual Router Redundancy Protocol (VRRP)

 159

Table 50 on page 144 lists the EFLs that you can purchase for EX3300 switch models. If you have the
license, you can run all of the enhanced software features mentioned above on your EX3300 switch.

Table 66: Junos OS Part Number on EX3300 Switches

Switch Model Part Number

EX3300-24T EX-24-EFL
EX3300-24P
EX3300-24T-DC

EX3300-48T EX-48-EFL
EX3300-48T-BF
EX3300-48P

To use the following feature on EX3300 switches, you must install an AFL:

• Border Gateway Protocol (BGP) and multiprotocol BGP (MBGP)

• IPv6 routing protocols: IPv6 BGP and IPv6 for MBGP

• Virtual routing and forwarding (VRF) BGP

Table 51 on page 145 lists the AFLs that you can purchase for EX3300 switch models. For EX3300 switches,
you must purchase and install a corresponding EFL along with the AFL to enable the advanced license
features. If you have both these licenses, you can run all of the advanced software features mentioned
above on your EX3300 switch.

Table 67: Junos OS AFL Part Number on EX3300 Switches

Switch Model AFL Part Number

EX3300-24T EX-24-AFL
EX3300-24P
EX3300-24T-DC

EX3300-48T EX-48-AFL
EX3300-48T-BF
EX3300-48P

Features Requiring a License on EX3400 Switches

EX3400 switches has an enhanced feature licenses (EFLs) and MACSec license.

To use the following features on the EX3400 switches, you must install an EFL:

• Bidirectional Forwarding Detection (BFD)

• IGMP (Internet Group Management Protocol) version 1 (IGMPv1), IGMPv2, and IGMPv3
 160

• IPv6 routing protocols: : Multicast Listener Discovery version 1 and 2 (MLD v1/v2), OSPFv3, PIM
multicast, VRRPv3, virtual router support for unicast and filter-based forwarding (FBF)

• Multicast Source Discovery Protocol (MSDP)

• Operations Administration Management (OAM) (Connectivity Fault Management (CFM)

• OSPF v2/v3

• Protocol Independent Multicast (PIM) dense mode, PIM source-specific mode, PIM sparse mode

• Real-time performance monitoring (RPM)

• RIPng (RIPng is for RIP IPv6)

• Unicast reverse-path forwarding (RPF)

• Virtual Router

• Virtual Router Redundancy Protocol (VRRP)

Table 52 on page 146 lists the EFLs that you can purchase for EX3400 switch models. If you have the
license, you can run all of the enhanced software features mentioned above on your EX3400 switch.

Table 68: Junos OS Part Number on EX3400 Switches

Switch Model Part Number

EX3400-24T EX-24-EFL
EX3400-24P

EX3400-48P EX-48-EFL
EX3400-48T
EX3400-48T-AFI
EX3400-48T-DC
EX3400-48T-DC-AFI

To use the following features on the EX3400 switches, you must install an AFL:

• Border Gateway Protocol (BGP) and multiprotocol BGP (MBGP)

• Intermediate System-to-Intermediate System (IS-IS)

Table 53 on page 146 lists the AFLs that you can purchase for EX3400 switch models. For EX3400 switches,
you must purchase and install a corresponding EFL along with the AFL to enable the advanced license
features. If you have both these licenses, you can run all of the advanced software features mentioned
above on your EX3400 switch.
 161

Table 69: Junos OS Part Number on EX3400 Switches

Switch Model Part Number

EX3400-24T EX-24-AFL
EX3400-24P

EX3400-48P EX-48-AFL
EX3400-48T
EX3400-48T-AFI
EX3400-48T-DC
EX3400-48T-DC-AFI

You must download a MACsec feature license to enable MACsec. The MACsec feature license is an
independent feature license; the enhanced feature licenses (EFLs) or advanced feature licenses (AFLs) that
must be purchased to enable some features on EX Series switches cannot be purchased to enable MACsec.

To purchase a feature license for MACsec, contact your Juniper Networks sales representative
(https://www.juniper.net/us/en/contact-us/sales-offices). The Juniper sales representative will provide
you with a feature license file and a license key.

MACsec is supported on EX3400 switches.

Table 54 on page 147 lists the MACsec model number that you can purchase for EX3400 switch models.

Table 70: Junos OS MACsec model number on EX3400 Switches

Switch Model Model Number

EX3400 EX-QFX-MACSEC-ACC

Features Requiring a License on EX4300 Switches

Two types of licenses are available on EX4300 switches: enhanced feature licenses (EFLs) and advanced
feature licenses (AFLs).

To use the following features on the EX4300 switches, you must install an EFL:

• Bidirectional Forwarding Detection (BFD)

• Connectivity fault management (IEEE 802.1ag)

• IGMP (Internet Group Management Protocol) version 1 (IGMPv1), IGMPv2, and IGMPv3

• Multicast Source Discovery Protocol (MSDP)

• Operations Administration Management (OAM) (Connectivity Fault Management (CFM))

• OSPFv2/v3

• Real-time perfomance monitoring (RPM)

 162

• RIPng (RIPng is for RIP IPv6)

• Unicast reverse-path forwarding (RPF)

• Virtual Router

• Virtual Router Redundancy Protocol (VRRP)

Table 55 on page 147 lists the EFLs that you can purchase for EX4300 switch models. If you have the
license, you can run all of the enhanced software features mentioned above on your EX4300 switch.

Table 71: Junos OS Part Number on EX4300 Switches

Switch Model Part Number

EX4300-24T EX4300-24-EFL
EX4300-24P

EX4300-48MP EX4300-48-EFL
EX4300-48P
EX4300-48T
EX4300-48T-AFI
EX4300-48T-DC
EX4300-48T-DC-AFI

EX4300-32F EX4300-32F-EFL
EX4300-32F-DC

To use the following features on EX4300 switches, you must install an AFL:

• Border Gateway Protocol (BGP) and multiprotocol BGP (MBGP)

• Intermediate System-to-Intermediate System (IS-IS)

• Ethernet VPN (EVPN) with Virtual Extensible LAN (VXLAN)

• Supported only on EX4300-48MP switch.

• Requires the Border Gateway Protocol (BGP) for configuration.

Table 56 on page 148 lists the AFLs that you can purchase for EX4300 switch models. For EX4300 switches,
you must purchase and install a corresponding EFL along with the AFL to enable the advanced license
features. If you have both these licenses, you can run all of the advanced software features mentioned
above on your EX4300 switch.
 163

Table 72: Junos OS AFL Part Number on EX4300 Switches

Switch Model AFL Part Number

EX4300-24T EX4300-24-AFL
EX4300-24P

EX4300-48MP EX4300-48-AFL
EX4300-48P
EX4300-48T
EX4300-48T-AFI
EX4300-48T-DC
EX4300-48T-DC-AFI

EX4300-32F EX4300-32F-AFL
EX4300-32F-DC

You must download a MACsec feature license (Part Number-EX-QFX-MACSEC- ACC) to enable MACsec.
The MACsec feature license is an independent feature license; the enhanced feature licenses (EFLs) or
advanced feature licenses (AFLs) that must be purchased to enable some features on EX Series switches
cannot be purchased to enable MACsec.

To purchase a feature license for MACsec, contact your Juniper Networks sales representative
(https://www.juniper.net/us/en/contact-us/sales-offices). The Juniper sales representative will provide
you with a feature license file and a license key.

MACsec is supported on EX4300 switches.

Table 57 on page 149 lists the MACsec model number that you can purchase for EX4300 switch models.

Table 73: Junos OS MACsec model number on EX4300 Switches

Switch Model Model Number

EX4300 EX-QFX-MACSEC-ACC

Features Requiring a License on EX4600 Switches

To use the following features on EX4600 switches, you must install an advanced feature license:

• Border Gateway Protocol (BGP) and multiprotocol BGP (MBGP)

• Intermediate System-to-Intermediate System (IS-IS)

• Multiprotocol Label Switching (MPLS)

• Virtual Extensible LAN (VXLAN)

Table 58 on page 149 lists the AFLs that you can purchase for EX4600 switch models.
 164

Table 74: Junos OS AFL Part Number on EX4600 Switches

Switch Model AFL Part Number

EX4600-40F EX4600-AFL

You must download a MACsec feature license to enable MACsec. The MACsec feature license is an
independent feature license; the enhanced feature licenses (EFLs) or advanced feature licenses (AFLs) that
must be purchased to enable some features on EX Series switches cannot be purchased to enable MACsec.

To purchase a feature license for MACsec, contact your Juniper Networks sales representative
(https://www.juniper.net/us/en/contact-us/sales-offices). The Juniper sales representative will provide
you with a feature license file and a license key.

MACsec is supported on EX4600 switches.

Table 59 on page 150 lists the MACsec model number that you can purchase for EX4600 switch models.

Table 75: Junos OS AFL Part Number on EX4600 Switches

Switch Model Model Number

EX4600-40F EX-QFX-MACSEC-AGG

Features Requiring a License on EX4650 Switches

Table 60 on page 150 lists the PFLs and AFLs that you can purchase for EX4650 switch models. If you have
the license, you can run all of the premium and advanced software features mentioned below on your
EX4650 switch.

Table 76: Junos OS Part Numbers on EX4650 Switches

Switch Model License Type Part Number

EX4650-48Y Premium EX4650-PFL

EX4650-48Y Advanced EX4650-AFL

Table 61 on page 150 lists the standard Junos OS features which require licenses on EX4650 switches.
 165

Table 77: Features which Require Licenses on EX4650 Switches

License Model Detailed Features

Base Features Basic IPv6, BFD, CFM (IEEE 802.1ag), Class of service (COS)/ Policing/Shaping/Marking,
Filtering, IGMPv1/v2/v3 (includes IGMP Snooping), Junos Telemetry Interface, MC-LAG,
MLDv1/v2 and MSDP, OSPFv2 and OSPFv3, PIM-DM/SM/SSM and PIMv6, Q-in-Q
tunneling (IEEE 802.1ad), RIPng and RPM, Timing – Boundary Clock and Timing –
Transparent Clock, Unicast reverse-path forwarding (RPF), VC, Virtual Router, VRRP, and
VRRPv6, Zero Touch Provisioning (ZTP)

Premium Features Includes all base features, BGP and MBGP, Ethernet VPN, IPv6 for BGP or MGBP, IS-IS or
IPv4 and IPv6, VRF, VXLAN

Advanced Features Includes all PFL features, MPLS, MPLS based Circuit cross-connect (CCC), Resource
Reservation Protocol (RSVP) label-switched path (LSP), Segment Routing, MACsec is not
supported on EX4650 switch.

Features Requiring a License on EX3200, EX4200, EX4500, EX4550, EX6200, EX8200, EX9200 and EX9250
Switches
To use the following features on EX3200, EX4200, EX4500, EX4550, EX8200, EX9200 and EX9250
switches, you must install an advanced feature license (AFL):

• Border Gateway Protocol (BGP) and multiprotocol BGP (MBGP)

• Ethernet VPN (available only on EX9200 and EX9250 switches)

• Intermediate System-to-Intermediate System (IS-IS)

• IPv6 routing protocols: IS-IS for IPv6, IPv6 BGP, IPv6 for MBGP

• Logical systems (available only on EX9200 switches)

• MPLS with RSVP-based label-switched paths (LSPs)

Starting with Junos OS Release 17.3R1, you can enable up to 200 RSVP-TE sessions in the EX9200
advanced feature license (AFL).

• MPLS-based circuit cross-connects (CCCs) (available only on EX4200 and EX4550 switches)

• Open vSwitch Database (OVSDB) (available only on EX9200 switches)

• Virtual Extensible LAN (VXLAN) (available only on EX9200 and EX9250 switches)

To use the following features on Juniper Networks EX6200 Ethernet Switches, you must install an advanced
feature license (AFL):

• Border Gateway Protocol (BGP)

• Intermediate System-to-Intermediate System (IS-IS)

• IPv6 routing protocols: IS-IS for IPv6, IPv6 BGP

 166

To use MACsec feature on Juniper Networks EX9253 Switches, you must install an security feature license
(SFL).

To use Forwarding Information Base (FIB) and Address Resolution Protocol (ARP) features on Juniper
Networks EX9251 and EX9253 Switches, you must install an mid-scale license (ML).

Table 62 on page 152 lists the AFLs that you can purchase for EX3200, EX4200, EX4500, EX4550, EX6200,
EX8200, EX9200 and EX9250 switches. If you have the license, you can run all of the advanced software
features mentioned above on your EX3200, EX4200, EX4500, EX4550, EX6200, EX8200, or EX9200
switch. An EFL is not applicable to this range of switches.

Table 78: Junos OS AFL Part Number on EX3200, EX4200, EX4500, EX4550, EX6200, EX8200, EX9200
and EX9250 Switches

Switch Model AFL Part Number

EX3200-24P EX-24-AFL
EX3200-24T
EX4200-24F
EX4200-24P
EX4200-24PX
EX4200-24T

EX3200-48P EX-48-AFL
EX3200-48T
EX4200-48F
EX4200-48P
EX4200-48PX
EX4200-48T

EX4500-40F-BF EX-48-AFL
EX4500-40F-BF-C
EX4500-40F-FB
EX4500-40F-FB-C

EX4550 EX4550-AFL

EX6210 EX6210-AFL

EX8208 EX8208-AFL

EX8216 EX8216-AFL

EX-XRE200 EX-XRE200-AFL

EX9204 EX9204-AFL
 167

Table 78: Junos OS AFL Part Number on EX3200, EX4200, EX4500, EX4550, EX6200, EX8200, EX9200
and EX9250 Switches (continued)

Switch Model AFL Part Number

EX9208 EX9208-AFL

EX9214 EX9214-AFL

EX9251 EX9251-AFL

EX9251-ML

EX9253 EX9253-AFL

EX9253-ML

EX9253-SFL

You must download a MACsec feature license to enable MACsec. The MACsec feature license is an
independent feature license; the enhanced feature licenses (EFLs) or advanced feature licenses (AFLs) that
must be purchased to enable some features on EX Series switches cannot be purchased to enable MACsec.

To purchase a feature license for MACsec, contact your Juniper Networks sales representative
(https://www.juniper.net/us/en/contact-us/sales-offices). The Juniper sales representative will provide
you with a feature license file and a license key.

MACsec is supported on EX4200 and EX4550 switches.

Table 63 on page 153 lists the MACsec model number that you can purchase for EX4200 and EX4550
switch models.

Table 79: Junos OS MACsec model number on EX4200 and EX4550 Switches

Switch Model Model Number

EX4550 EX-QFX-MACSEC-AGG

EX4200 EX-QFX-MACSEC-ACC

License Warning Messages

For using features that require a license, you must install and configure a license key. To obtain a license
key, use the contact information provided in your certificate.
 168

If you have not purchased the AFL or EFL and installed the license key, you receive warnings when you
try to commit the configuration:

[edit protocols]
'bgp'
warning: requires 'bgp' license
error: commit failed: (statements constraint check failed)

The system generates system log (syslog) alarm messages notifying you that the feature requires a
license—for example:

Sep 3 05:59:11 craftd[806]: Minor alarm set, BGP Routing Protocol usage requires
a license
Sep 3 05:59:11 alarmd[805]: Alarm set: License color=YELLOW, class=CHASSIS,
reason=BGP Routing Protocol usage requires a license
Sep 3 05:59:11 alarmd[805]: LICENSE_EXPIRED: License for feature bgp(47) expired

Output of the show system alarms command displays the active alarms:

user@switch> show system alarms

1 alarm currently active

Alarm time Class Description
2009-09-03 06:00:11 UTC Minor BGP Routing Protocol usage requires a license

Software Features That Require Licenses on EX Series Switches

The following Junos OS features require an Enhanced Feature License (EFL) or Advanced Feature License
(AFL) on EX Series devices:

• (EX2200 only) Bidirectional forwarding detection (BFD)

• (EX2200 only) Connectivity fault management (IEEE 802.lag)

• (EX2200 only) Internet Group Management Protocol version 1 (IGMPv1), IGMPv2, and IGMPv3

• (EX2200 and EX3300) OSPFv1/v2 (with 4 active interfaces)

• (EX2200 only) Protocol Independent Multicast (PIM) dense mode, PIM source-specific mode, PIM sparse
mode

• (EX2200 and EX3300) Q-in-Q tunneling (IEEE 802.lad)

 169

• (EX2200 only) Real-time performance monitoring (RPM)

• (EX3200, EX4200, EX4500, EX6200, and EX8200) Border Gateway Protocol (BGP) and multiprotocol
BGP (MBGP)

• (EX3200, EX4200, EX4500, EX6200, and EX8200) Intermediate System-to-Intermediate System (IS-IS)

• (EX3200, EX4200, EX4500, EX6200, and EX8200) IPv6 protocols: OSPFv3, PIPng, IS-IS for IPv6, IPv6
BGP

• (EX3200, EX4200, EX4500, EX6200, and EX8200) MPLS with RSVP-based label-switched paths (LSPs)
and MPLS-based circuit cross-connects (CCCs)

For more details regarding EX Series feature licenses, see Understanding Software Licenses for EX Series
Switches.

For information about how to purchase a software license, contact your Juniper Networks sales
representative at https://www.juniper.net/in/en/contact-us/.

License Key Components for the EX Series Switch

When you purchase a license for a Junos OS feature that requires a separate license, you receive a license
key.

A license key consists of two parts:

• License ID—Alphanumeric string that uniquely identifies the license key. When a license is generated,
it is given a license ID.

• License data—Block of binary data that defines and stores all license key objects.

For example, in the following typical license key, the stringJunos204558 is the license ID, and the trailing
block of data is the license data:

XXXXXXXXXX xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx

xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx
xxxxxx xxxxxx xxx

The license data defines the device ID for which the license is valid and the version of the license.

Managing Licenses for EX Series Switches (CLI Procedure)

IN THIS SECTION

Adding New Licenses | 170

Deleting Licenses | 171

 170

Saving License Keys | 171

Deleting Licenses | 171

To enable and use some Junos OS features on an EX Series switch, you must purchase, install, and manage
separate software licenses. Each switch requires one license. For a Virtual Chassis deployment, two licenses
are recommended for redundancy. After you have configured the features, you see a warning message if
the switch does not have a license for the feature.

Before you begin managing licenses, be sure that you have:

• Obtained the needed licenses. For information about how to purchase software licenses, contact your
Juniper Networks sales representative.

• Understand what makes up a license key. For more information, see “License Key Components for the
EX Series Switch” on page 169.

This topic includes the following tasks:

Adding New Licenses

To add one or more new license keys on the switch, with the CLI:

1. Add the license key or keys:

• To add one or more license keys from a file or URL, specify the filename of the file or the URL where
the key is located:

user@switch> request system license add filename | url

• To add a license key from the terminal:

user@switch> request system license add terminal

2. When prompted, enter the license key, separating multiple license keys with a blank line.

If the license key you enter is invalid, an error appears in the CLI output when you press Ctrl+d to exit
the license entry mode.
 171

Deleting Licenses
To delete one or more license keys from the switch with the CLI, specify the license ID:

user@switch> request system license delete license-id

You can delete only one license at a time.

Saving License Keys

To save the installed license keys to a file (which can be a URL) or to the terminal:

user@switch> request system license save filename | url

For example, the following command saves the installed license keys to a file named license.conf:

user@switch> request system license save ftp://user@switch/license.conf

Deleting Licenses
To delete one or more license keys from the switch with the CLI, specify the license ID:

user@switch> request system license delete license-id

You can delete only one license at a time.

Monitoring Licenses for the EX Series Switches

Displaying Installed Licenses and License Usage Details

Purpose
Verify that the expected license is installed and active on the switch and fully covers the switch
configuration.

Action
From the CLI, enter the show system license command. (To display only the License usage list, enter the
show system license usage command. To display only the Licenses installed output, enter show system
license installed.)

user@switch> show system license

License usage:

Licenses Licenses Licenses Expiry

 172

Feature name used installed needed

bgp 1 1 0 permanent

isis 0 1 0 permanent

ospf3 0 1 0 permanent

ripng 0 1 0 permanent

mpls 0 1 0 permanent

Licenses installed:

License identifier: XXXXXXXXXX

License version: 2

Valid for device: XXXXXXXXXX

Features:

ex—series - Licensed routing protocols in ex-series

permanent

Meaning
The output shows the license or licenses (for Virtual Chassis deployments) installed on the switch and
license usage. Verify the following information:

• If a feature that requires a license is configured (used), a license is installed on the switch. The Licenses
neededd column must show that no licenses are required.

• The appropriate number of licenses is installed. Each switch requires one license. For a Virtual Chassis
deployment, two licenses are recommended for redundancy.

• The expected license is installed.

Displaying Installed License Keys

Purpose
Verify that the expected license keys are installed on the switch.
 173

Action
From the CLI, enter the show system license keys command.

user@switch> show system license keys

XXXXXXXXXX xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx

xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx
xxxxxx xxxxxx xxx

Meaning
The output shows the license key or keys (for Virtual Chassis deployments) installed on the switch. Verify
that each expected license key is present.

Licenses for QFX Series

IN THIS SECTION

Generating License Keys | 173

Software Features That Require Licenses on the QFX Series | 175

Disaggregated Software Features That Require Licenses on the QFX Series | 182

Generating the License Keys for a QFabric System | 183

Understanding Junos Fusion Licenses | 185

Generating License Keys

When you purchase a Junos OS software feature license for a device, you receive an e-mail containing an
authorization code for the feature license from Juniper Networks. You can use the authorization code to
generate a unique license key (a combination of the authorization code and the device’s serial number) for
the device, and then add the license key on the device.

Before generating the license keys for a device:

• Purchase the required licenses for the device. See “Software Features That Require Licenses on the QFX
Series” on page 175 and “Disaggregated Software Features That Require Licenses on the QFX Series” on
page 182.
 174

• Note down the authorization code in the e-mail you received from Juniper Networks when you purchased
the license. Determine the serial number of the device. For instructions, see Download and Activate
Your Software

To generate the license keys for a device:

This procedure shows you how to generate license keys on a QFX Series device, but you can follow the
same procedure for any device.

1. In a browser, log in to the Juniper Networks License Management System at

https://www.juniper.net/lcrs/license.do.

The Manage Product Licenses page appears.

To access the licensing site, you must have a service contract with Juniper Networks and an access
account. If you need help obtaining an account, complete the registration form at the Juniper Networks
website
https://www.juniper.net/registration/Register.jsp .

2. On the Generate Licenses tab, select QFX Series Product from the drop-down list, and click Go.

The Generate Licenses - QFX Series Product page appears.

3. In the Device Serial Number field, enter the serial number for the device.

4. In the Authorization Code field, enter the authorization code in the e-mail you received from Juniper
Networks when you purchased the license.

5. (Optional) If you want to enter another authorization code for the same device, click Enter More
Authorization Codes to display a new authorization code field. Enter the authorization code in this
field.

6. Click Confirm.

The Confirm License Information page appears, displaying a summary of the information you submitted
to the License Management System.

7. Review the information to ensure everything is correct and then click Generate License.

The Generate Licenses - QFX Series Product Devices page appears, displaying a summary of your
license keys, including a link that displays the details of your new license keys.

8. Select the file format in which you want to obtain your new license keys.

9. Select the delivery method you want to use to obtain your new license keys.
 175

To download the license keys:

• Select the Download to this computer option button, and click OK.

To e-mail the license keys:

• Select the Send e-mail to e-mail ID option button, and click OK.

SEE ALSO

Software Features That Require Licenses on the QFX Series | 175

Software Features That Require Licenses on the QFX Series

The standard Junos OS software shipped on the hardware platform for QFX Series switches except the
QFX5200-32C, includes a perpetual base license. This license is valid for the life of the hardware platform.

You must purchase the perpetual base license on the disaggregated Junos OS feature licenses on the
QFX5200-32C. See “Disaggregated Software Features That Require Licenses on the QFX Series” on
page 182.

For information regarding newer subscription based licenses, including platforms supported, see Flex
Software Subscription Model.

For information about how to purchase any software license, contact your Juniper Networks sales
representative, or an approved Juniper Partner.

Table 80 on page 175 lists the Junos OS features which require licenses on QFX5100,
QFX5110-48S-AFI/AFO (DC), QFX5110-32Q-AFI/AFO (DC), QFX5120-48Y-AFI/AFO (DC), QFX5200-32C,
QFX5210-64C and QFX10000 line of switches.

Table 80: Software Features which Require Licenses on QFX5100, QFX5110-48S-AFI/AFO (DC),
QFX5110-32Q-AFI/AFO (DC), QFX5120-48Y-AFI/AFO (DC), QFX5200-32C, QFX5210-64C and QFX10000
line of switches.

Base Features Premium Features Advanced Features

Basic IPv6 BGP MPLS

BFD Ethernet VPN MPLS-based CCC

CFM (IEEE 802.1ag) IPv6 for BGP/MBGP RSVP-based LSP

Class of service (COS)/Policing/Shaping/Marking IS-IS Segment Routing

 176

Table 80: Software Features which Require Licenses on QFX5100, QFX5110-48S-AFI/AFO (DC),
QFX5110-32Q-AFI/AFO (DC), QFX5120-48Y-AFI/AFO (DC), QFX5200-32C, QFX5210-64C and QFX10000
line of switches. (continued)

Base Features Premium Features Advanced Features

Filtering IS-IS for IPv6

IGMPv1/v2/v3 (includes IGMP Snooping) MBGP

Junos Telemetry Interface OVSDB

MC-LAG VRF(BGP)

MLDv1/v2 VXLAN

OSPFv2

OSPFv3

PIM-DM/SM/SSM

PIMv6

Q-in-Q tunneling (IEEE 802.1ad)

RIPng

RPM

Timing – Boundary Clock

Timing – Transparent Clock

Unicast reverse-path forwarding(RPF)

Virtual Chassis (VC)

Applicable also for QFX5200-32C/48Y switches.

Virtual Router

VRRP

VRRPv6
 177

Table 80: Software Features which Require Licenses on QFX5100, QFX5110-48S-AFI/AFO (DC),
QFX5110-32Q-AFI/AFO (DC), QFX5120-48Y-AFI/AFO (DC), QFX5200-32C, QFX5210-64C and QFX10000
line of switches. (continued)

Base Features Premium Features Advanced Features

Zero Touch Provisioning (ZTP)

Table 81 on page 177 lists the Junos OS features which require licenses on QFX5120, QFX5200-48Y,
QFX5210, QFX5200-32C-L, and QFX5220 switches.

Table 81: Software Features which Require Licenses on QFX5120, QFX5200-48Y, QFX5210,
QFX5200-32C-L, and QFX5220 switches.

Base Features Premium Features Advanced Features

Basic IPv6 BGP MPLS

BFD Ethernet VPN MPLS-based CCC

CFM (IEEE 802.1ag) IPv6 for BGP/MBGP RSVP-based LSP

Class of service (COS)/Policing/Shaping/Marking IS-IS Segment Routing

Filtering IS-IS for IPv6

IGMPv1/v2/v3 (includes IGMP Snooping) MBGP

Junos Telemetry Interface OVSDB

MC-LAG

MLDv1/v2 VXLAN

OSPFv2

OSPFv3

PIM-DM/SM/SSM

PIMv6

Q-in-Q tunneling (IEEE 802.1ad)

RIPng
 178

Table 81: Software Features which Require Licenses on QFX5120, QFX5200-48Y, QFX5210,
QFX5200-32C-L, and QFX5220 switches. (continued)

Base Features Premium Features Advanced Features

RPM

Timing – Boundary Clock

Timing – Transparent Clock

Unicast reverse-path forwarding(RPF)

Virtual Chassis (VC)

Except for QFX5200-32C/48Y

switches.

Virtual Router

VRRP

VRRPv6

Zero Touch Provisioning (ZTP)

• If you try to configure a feature that is not licensed, you will receive syslog messages saying that you
are using a feature that is licensable and that you do not possess a license for the feature. If you try to
commit configuration changes for a feature that is not licensed, you will receive a commit warning saying
that you have exceeded the allowed license limit for the feature. The feature will commit and be usable
but this action violates EULA agreement.

• On QFX5100 and QFX5110, there is no separate license for Virtual Chassis like there is for Virtual
Chassis Fabric.

• Premium Feature Licenses (PFL) include the Base License Features. Advanced Feature Licenses (AFL)
include the Base and Premium License Features.

Table 82 on page 178 describes the licenses required for QFX series switches:

Table 82: Licenses Required for QFX Series Switches

Number of Licenses QFX Devices

Licence Description Required Supported

Base Features included with the - -

switch - No License required
 179

Table 82: Licenses Required for QFX Series Switches (continued)

Number of Licenses QFX Devices

Licence Description Required Supported

QFX-JSL-EDGE-ADV1 QFX Series Edge Advanced One per switch, two per QFX3500, QFX3600,
Feature License Virtual Chassis, and two QFX5100-48S,
per Virtual Chassis QFX5100-48T
Fabric

QFX5100-HDNSE-LIC QFX5100-24Q and One per switch, two per QFX5100-24Q ,

QFX5100-96S Advanced Virtual Chassis, and two QFX5100-96S
Feature License per Virtual Chassis
Fabric

QFX5K-C1-PFL QFX5000 Class 1 Premium One per switch, two per QFX5110-32Q,
Feature License Virtual Chassis, and two QFX5110-48S,
per Virtual Chassis QFX5120-48Y,
Fabric QFX5200-48Y

QFX5K-C1-AFL QFX5000 Class 1 Advanced One per switch, two per QFX5110-32Q,
Feature License Virtual Chassis, and two QFX5110-48S,
per Virtual Chassis QFX5120-48Y,
Fabric QFX5200-48Y

QFX5K-C2-PFL QFX5000 Class 2 Premium One per switch QFX5210-64C

Feature License

QFX5K-C2-AFL QFX5000 Class 2 Advanced One per switch QFX5210-64C

Feature License

QFX5000-35-JBS QFX5200-32C Base Services One per switch QFX5200-32C

License

QFX5000-35-JPS QFX5200-32C Premium One per switch QFX5200-32C

Services License

QFX5000-35-JAS QFX5200-32C Advanced One per switch QFX5200-32C

Feature License

QFX10002-36Q-PFL QFX10002-36Q Premium One per switch QFX10002-36Q

Feature License

QFX10002-36Q-AFL QFX10002-36Q Advanced One per switch QFX10002-36Q

Feature License
 180

Table 82: Licenses Required for QFX Series Switches (continued)

Number of Licenses QFX Devices

Licence Description Required Supported

QFX10002-60C-PFL QFX10002-60C Premium One per switch QFX10002-60C

Feature License

QFX10002-60C-AFL QFX10002-60C Advanced One per switch QFX10002-60C

Feature License

QFX10002-72Q-PFL QFX10002-72Q Premium One per switch QFX10002-72Q

Feature License

QFX10002-72Q-AFL QFX10002-72Q Advanced One per switch QFX10002-72Q

Feature License

QFX10008-PFL QFX10008 Premium Feature One per switch QFX10008

License

QFX10008-AFL QFX10008 Advanced Feature One per switch QFX10008

License

QFX10016-PFL QFX10016 Premium Feature One per switch QFX10016

License

QFX10016-AFL QFX10016 Advanced Feature One per switch QFX10016

License

QFX-JSL-DRCTR-ADV1 QFX Series Control Advanced One per Node device in QFX3100 Director
feature license 1 a network Node group device

QFX-JSL-EDGE-FC QFX Series Edge feature license One per switch on QFX3500
for Fibre Channel which fibre channel
ports are configured

QFX-JSL-DRCTR-FC QFX Series Control Feature One per QFX3500 QFX3100 Director
License for Fibre Channel Node device on which device
fibre channel ports are
configured

QFX-JSL-DRCTR-FC-C16 QFX Series Control Feature One for up to 16 QFX3100 Director

License for Fibre Channel QFX3500 Node devices device
Capacity 16 on which fibre channel
ports are configured
 181

Table 82: Licenses Required for QFX Series Switches (continued)

Number of Licenses QFX Devices

Licence Description Required Supported

QFX3000-JSL-EDGE-FAB QFX3000 Series QFabric /Node One per device QFX3100 Director
Feature License device

QFX3008-JSL-DRCTR-FAB QFX3000-G Base Fabric One per QFX3000-G QFX3000-G

Software QFabric system

QFX3000M-JSL-DRCTR-FAB QFX3000-M Base Fabric One per QFX3000-M QFX3000-M

Software QFabric system

EX-QFX-MACSEC-AGG QFX and EX Series feature One per switch, two per QFX switches that
license for enabling Media Virtual Chassis support MACsec
Access Control security
(MACsec). See Understanding
Media Access Control Security
(MACsec)

QFX-VCF-LIC Virtual Chassis Fabric (VCF) Two per Virtual Chassis QFX5100 and
License for QFX5100 and Fabric (VCF) QFX5110.
QFX5110.

QFX10000-30C-LFIB 1 Million (v4 or v6) Forwarding One per line card QFX10000-30C,
Information Base (FIB) entries QFX10000-30C-M line
license cards

QFX10000-36Q-LFIB 1 Million (v4 or v6) Forwarding One per line card QFX10000-36Q,
Information Base (FIB) entries QFX10K-12C-DWDM
license line cards

QFX10000-60S-LFIB 1 Million (v4 or v6) Forwarding One per line card QFX10000-60S-6Q
Information Base (FIB) entires line card
license

QFX10002-36Q-LFIB 1 Million (v4 or v6) Forwarding One per switch QFX10002 36-port
Information Base (FIB) entries 40GbE QSFP+/12-port
license 100GbE QSFP28
switch

QFX10002-60C-LFIB 1 Million (v4 or v6) Forwarding One per switch QFX10002-60C

Information Base (FIB) entries
license
 182

Table 82: Licenses Required for QFX Series Switches (continued)

Number of Licenses QFX Devices

Licence Description Required Supported

QFX10002-72Q-LFIB 1 Million (v4 or v6) Forwarding One per switch QFX10002-72Q

Information Base (FIB) entries
license

Disaggregated Software Features That Require Licenses on the QFX Series

Disaggregated Software Feature Licenses on QFX5200 Switches

The disaggregated software feature licenses are only applicable for QFX5200-32C devices. For
QFX5200-48Y devices, the base software features are included with the device. Additional licenses are
required only for premium and advanced features.

For information on standard Junos OS feature licenses, see “Software Features That Require Licenses on
the QFX Series” on page 175.

The Junos OS software is disaggregated from the hardware. With disaggregated Junos OS, you can purchase
the following feature licenses, which are available on a perpetual basis:

• Junos Base Software (JBS) license:

Includes basic layer 2 switching, basic layer 3 routing, multicast, automation, programmability, Zero
Touch Provisioning (ZTP) and basic monitoring.

You must purchase the JBS license to use basic functions, but you do not need to install the license key
in Junos OS Release 15.1X53-D30. JBS basic functions work with this release without installing the
license key. However, you will need to install the license key in a future release of Junos OS to be
determined, so make sure to retain the authorization code you received from the license portal to
generate a license key for the JBS license. If the license is not installed, system triggers the log messages.

The products supported by the Juniper Agile Licensing (JAL) portal includes: QFX series, SRX Series, EX
Series, NFX, vBNG, vMX, vSRX, and ACX. For other Juniper products (SPACE, JSA, SBR Carrier, Screen
OS and so on) access the License Management System (LMS).

• Junos Advanced Software (JAS) license:

Includes features supported in JBS license and Border Gateway Protocol (BGP), Intermediate
System-to-Intermediate System (IS-IS), and Virtual Extensible Local Area Network (VXLAN). You need
to install the license key to use these features.

• Junos Premium Software (JPS) license:

Includes features supported in JAS license and Multi-protocol Label Switching (MPLS) feature set. You
need to install the license key to use these features.
 183

For information about how to purchase a software feature license, contact your Juniper Networks sales
representative.

Table 83: Disaggregated Junos OS Feature Licenses and Associated SKU’s

Licensed Software Features SKU’s

Junos base software (JBS) license QFX5000-35-JBS

Junos advanced software (JAS) license QFX5000-35-JAS

Junos premium software (JPS) license QFX5000-35-JPS

Generating the License Keys for a QFabric System

When you purchase a Junos OS software feature license for a QFabric system, you receive an e-mail
containing an authorization code for the feature license from Juniper Networks. You can use the
authorization code to generate a unique license key (a combination of the authorization code and the
QFabric system ID ) for the QFabric system, and then add the license key on the QFabric system.

Before generating the license keys for a QFabric system:

• Purchase the required licenses for the QFabric system. See “Software Features That Require Licenses
on the QFX Series” on page 175.

• Note down the authorization code in the e-mail you received from Juniper Networks when you purchased
the license.

• Perform the initial setup of the QFabric system on the Director group. See Performing the QFabric System
Initial Setup on a QFX3100 Director Group.

• Log in to the QFabric system, issue the show version command, and note down the software serial
number and QFabric system ID for the QFabric system.

user@qfabric> show version

Hostname: qfabric
Model: qfx3000-g
Serial Number: qfsn-0123456789
QFabric System ID: f158527a-f99e-11e0-9fbd-00e081c57cda
JUNOS Base Version [12.2I20111018_0215_dc-builder]
 184

To generate the license keys for a QFabric system:

1. In a browser, log in to the license portal.

The products supported by the Juniper Agile Licensing (JAL) portal includes: QFX series, SRX Series,
EX Series, NFX, vBNG, vMX, vSRX, and ACX. For other Juniper products (SPACE, JSA, SBR Carrier,
Screen OS and so on) access the License Management System (LMS).

The Manage Product Licenses page appears.

To access the licensing site, you must have a service contract with Juniper Networks and an access
account. If you need help obtaining an account, complete the registration form at the Juniper Networks
website
https://www.juniper.net/registration/Register.jsp .

2. On the Generate Licenses tab, select QFX Series Product from the drop-down list, and click Go.

The Generate Licenses - QFX Series Product page appears.

3. Select the QFX Series Product Fabric option button, and then click Continue.

The Generate Licenses - QFX Series Product Fabrics page appears.

4. In the Software Serial No field, enter the software serial number for the QFabric system.

5. In the QFabric System ID field, enter the QFabric system ID for the QFabric system.

6. In the Authorization Code field, enter the authorization code in the e-mail you received from Juniper
Networks when you purchased the license.

7. (Optional) If you want to enter another authorization code for the same device, click Enter More
Authorization Codes to display a new authorization code field. Enter the authorization code in this
field.

8. Click Confirm.

The Confirm License Information page appears, displaying a summary of the information you submitted
to the license portal.

9. Review the information to ensure everything is correct and then click Generate License.

The Generate Licenses - QFX Series Product Fabrics page appears, displaying a summary of your license
keys, including a link that displays the details of your new license keys.
 185

10. Select the file format in which you want to obtain your new license keys.

11. Select the delivery method you want to use to obtain your new license keys.

To download the license keys:

• Select the Download to this computer option button, and click OK.

To e-mail the license keys:

• Select the Send e-mail to e-mail ID option button, and click OK.

SEE ALSO

Performing the QFabric System Initial Setup on a QFX3100 Director Group

show version

Understanding Junos Fusion Licenses

New deployments for Multichassis link aggregation groups (MC-LAG) or Ethernet VPN (EVPN) based Junos
Fusion Data Center are not recommended.

Starting with Junos OS Release 17.2R1, you need to install a Junos Fusion license in addition to any other
feature licenses that you install to track and activate certain QFX5100-48SH and QFX5100-48TH models
that are shipped with satellite software. These models can only be used as satellite devices. For these
models, you need to install a Junos Fusion license in addition to any other feature licenses that you install.
See Table 84 on page 186 for a list of satellite devices that require Junos Fusion licenses.

You do not need Junos Fusion licenses for satellite device models that were purchased as Junos OS-based
top-of-rack switches.

Install the Junos Fusion licenses on the aggregation device because the aggregation device is the single
point of management in a Junos Fusion. If your Junos Fusion is operating in a topology with multiple
aggregation devices, you only need to install the licenses on one aggregation device because the license
keys are synchronized between the two aggregation devices.

You can install a single-pack license to activate one satellite device, or you can install multi-pack licenses,
which can activate up to 128 satellite devices. If the number of satellite devices in a Junos Fusion exceeds
the number of Junos Fusion licenses you have installed, the satellite devices are provisioned, but the system
will issue a warning saying that there is a license limit violation. If the satellite device does not have a
corresponding Junos Fusion license installed, the satellite device is provisioned, but the system will issue
a warning.

Table 84 on page 186 lists the supported aggregation and satellite devices as well as the model numbers
of the Junos Fusion license packs.
 186

For information about how to purchase a software license, contact your Juniper Networks sales
representative. For information on standard Junos OS feature licenses, see “Software Features That Require
Licenses on the QFX Series” on page 175.

Table 84: Junos Fusion License Model Numbers for Satellite Devices

Aggregation Devices Satellite Devices Requiring

Supported Licenses Model Numbers of License Packs

QFX10002, QFX10008 and • QFX5100-48SH-AFO QFX10K-C1-JFS-1

QFX10016 switches • QFX5100-48SH-AFI
QFX10K-C1-JFS-4
• QFX5100-48TH-AFO
QFX10K-C1-JFS-8
• QFX5100-48TH-AFI
QFX10K-C1-JFS-16

QFX10K-C1-JFS-32

QFX10K-C1-JFS-64

SEE ALSO

Generating License Keys | 173

 187

CHAPTER 5

Licenses for Security Devices

IN THIS CHAPTER

Licenses for SRX Series | 187

Managing Junos OS Licenses | 228

Licenses for vSRX | 237

Licenses for Advanced Threat Prevention | 266

Licenses for SRX Series

IN THIS SECTION

Software Feature Licenses for SRX Series Devices | 187

Understanding Chassis Cluster Licensing Requirements | 216

Installing Licenses on the SRX Series Devices in a Chassis Cluster | 217

Verifying Licenses on an SRX Series Device in a Chassis Cluster | 220

Understanding Licenses for Logical Systems and Tenant Systems on SRX Series Devices | 222

Understanding UTM Licensing | 223

Installing the IPS License (CLI) | 225

Installing and Verifying Licenses for an Application Signature Package | 226

Software Feature Licenses for SRX Series Devices

IN THIS SECTION

Features Requiring a License on SRX100 and SRX110 Devices | 188

Features Requiring a License on SRX210 Devices | 189

 188

Features Requiring a License on SRX220 Devices | 191

Features Requiring a License on SRX240 Devices | 192

Features Requiring a License on SRX300 Devices | 193

Features Requiring a License on SRX320 Devices | 195

Features Requiring a License on SRX340 Devices | 195

Features Requiring a License on SRX345 Devices | 196

Features Requiring a License on SRX550 Devices | 197

Features Requiring a License on SRX650 Devices | 200

Features Requiring a License on SRX1400 Devices | 201

Features Requiring a License on SRX1500 Devices | 202

Features Requiring a License on SRX3400 Devices | 204

Features Requiring a License on SRX3600 Devices | 205

Features Requiring a License on SRX4100 Devices | 206

Features Requiring a License on SRX4200 Devices | 207

Features Requiring a License on SRX4600 Devices | 209

Features Requiring a License on SRX5400 Devices | 211

Features Requiring a License on SRX5600 Devices | 213

Features Requiring a License on SRX5800 Devices | 215

Each feature license is tied to exactly one software feature, and that license is valid for exactly one device.
Each license allows you to run the specified advanced software features on a single device. Platform
support depends on the Junos OS release in your installation.

NOTE: To understand more about Junos OS Software Licensing, see the Juniper Licensing Guide.
Please refer to the product Data Sheets accessible from Products & Services for details, or contact
your Juniper Account Team or Juniper Partner.

Sky Advanced Threat Prevention, ThreatFeed and Enhanced Web Filtering individual license are
available. This is not a complete list of licenses. For the most up-to-date license models available,
contact your Juniper Networks representative for license information.

Features Requiring a License on SRX100 and SRX110 Devices

Table 85 on page 189 lists the licenses you can purchase for each SRX Series software feature.
 189

Table 85: SRX100 and SRX110 Junos OS Feature License Model Number

Licensed Software Feature Supported Devices Model Number

Application Security and Intrusion Prevention SRX100 SRX100-APPSEC-A-1

Signatures (1 year and 3 years subscription)
SRX110 SRX100-APPSEC-A-3

SRX1XX-APPSEC-A-1

SRX1XX-APPSEC-A-3

Dynamic VPN (5 Concurrent users, PulseSecure) SRX100 SRX-RAC-5-LTU

Dynamic VPN (10 Concurrent users, PulseSecure) SRX100 SRX-RAC-10-LTU

Dynamic VPN (25 Concurrent users, PulseSecure) SRX100 SRX-RAC-25-LTU

Intrusion Detection and Prevention (1 year and 3 years SRX100 SRX1XX-IDP

subscription)
SRX110 SRX1XX-IDP-3

Kaspersky antivirus (1 year and 3 years subscription) SRX100 SRX1XX-K-AV

SRX110 SRX1XX-K-AV-3

Kaspersky antivirus, Enhanced Web Filtering, Sophos SRX100 SRX1XX-SMB4-CS

antispam, Application Security and Intrusion Detection
SRX110 SRX1XX-SMB4-CS-3
and Prevention (1 year and 3 years subscription)

Sophos antispam (1 year and 3 years subscription) SRX100 SRX1XX-S2-AS

SRX110 SRX1XX-S2-AS-3

Sophos antivirus (1 year and 3 years subscription) SRX100 SRX1XX-S-AV

SRX110 SRX1XX-S-AV-3

Sophos antivirus, Enhanced Web Filtering, Sophos SRX100 SRX1XX-S-SMB4-CS

antispam, Application Security and Intrusion Detection
SRX110 SRX1XX-S-SMB4-CS-3
and Prevention (1 year and 3 years subscription)

Websense Enhanced Web Filtering (1 year and 3 years SRX100 SRX1XX-W-EWF

subscription)
SRX110 SRX1XX-W-EWF-3

Features Requiring a License on SRX210 Devices

Table 86 on page 190 lists the licenses you can purchase for each SRX Series software feature.
 190

Table 86: SRX210 Junos OS Feature License Model Number

Supported
Licensed Software Feature Devices Model Number

Application Security and Intrusion Prevention Signatures SRX210 SRX210-APPSEC-A-1

(1 year and 3 years subscription)
SRX210-APPSEC-A-3

Dynamic VPN (5 Concurrent users, PulseSecure) SRX210 SRX-RAC-5-LTU

Dynamic VPN (10 Concurrent users, PulseSecure) SRX210 SRX-RAC-10-LTU

Dynamic VPN (25 Concurrent users, PulseSecure) SRX210 SRX-RAC-25-LTU

Dynamic VPN (50 Concurrent users, PulseSecure) SRX210 SRX-RAC-50-LTU

Dynamic VPN (100 Concurrent users, PulseSecure) SRX210 SRX-RAC-100-LTU

Dynamic VPN (150 Concurrent users, PulseSecure) SRX210 SRX-RAC-150-LTU

Dynamic VPN (250 Concurrent users, PulseSecure) SRX210 SRX-RAC-250-LTU

Intrusion Detection and Prevention (1 year and 3 years SRX210 SRX210-IDP

subscription)
SRX210-IDP-3

Kaspersky antivirus (1 year and 3 years subscription) SRX210 SRX210-K-AV

SRX210-K-AV-3

Kaspersky antivirus, Enhanced Web Filtering, Sophos SRX210 SRX210-SMB4-CS

antispam, Application Security and Intrusion Detection
SRX210-SMB4-CS-3
and Prevention (1 year and 3 years subscription)

Sophos antispam (1 year and 3 years subscription) SRX210 SRX210-S2-AS

SRX210-S2-AS-3

Sophos antivirus (1 year and 3 years subscription) SRX210 SRX210-S-AV

SRX210-S-AV-3

Sophos antivirus, Enhanced Web Filtering, Sophos SRX210 SRX210-S-SMB4-CS

antispam, Application Security and Intrusion Detection
SRX210-S-SMB4-CS-3
and Prevention (1 year and 3 years subscription)
 191

Table 86: SRX210 Junos OS Feature License Model Number (continued)

Supported
Licensed Software Feature Devices Model Number

Websense Enhanced Web Filtering (1 year and 3 years SRX210 SRX210-W-EWF

subscription)
SRX210-W-EWF-3

Features Requiring a License on SRX220 Devices

Table 87 on page 191 lists the licenses you can purchase for each SRX Series software feature.

Table 87: SRX220 Junos OS Feature License Model Number

Supported
Licensed Software Feature Devices Model Number

Application Security and Intrusion Prevention Signatures SRX220 SRX220-APPSEC-A-1

(1 year and 3 years subscription)
SRX220-APPSEC-A-3

Dynamic VPN (5 Concurrent users, PulseSecure) SRX220 SRX-RAC-5-LTU

Dynamic VPN (10 Concurrent users, PulseSecure) SRX220 SRX-RAC-10-LTU

Dynamic VPN (25 Concurrent users, PulseSecure) SRX220 SRX-RAC-25-LTU

Dynamic VPN (50 Concurrent users, PulseSecure) SRX220 SRX-RAC-50-LTU

Dynamic VPN (100 Concurrent users, PulseSecure) SRX220 SRX-RAC-100-LTU

Dynamic VPN (150 Concurrent users, PulseSecure) SRX220 SRX-RAC-150-LTU

Dynamic VPN (250 Concurrent users, PulseSecure) SRX220 SRX-RAC-250-LTU

Intrusion Detection and Prevention (1 year and 3 years SRX220 SRX220-IDP

subscription)
SRX220-IDP-3

Kaspersky antivirus (1 year and 3 years subscription) SRX220 SRX220-K-AV

SRX220-K-AV-3

Kaspersky antivirus, Enhanced Web Filtering, Sophos SRX220 SRX220-SMB4-CS

antispam, Application Security and Intrusion Detection
SRX220-SMB4-CS-3
and Prevention (1 year and 3 years subscription)
 192

Table 87: SRX220 Junos OS Feature License Model Number (continued)

Supported
Licensed Software Feature Devices Model Number

Sophos antispam (1 year and 3 years subscription) SRX220 SRX220-S2-AS

SRX220-S2-AS-3

Sophos antivirus (1 year and 3 years subscription) SRX220 SRX220-S-AV

SRX220-S-AV-3

Sophos antivirus, Enhanced Web Filtering, Sophos SRX220 SRX220-S-SMB4-CS

antispam, Application Security and Intrusion Detection
SRX220-S-SMB4-CS-3
and Prevention (1 year and 3 years subscription)

Websense Enhanced Web Filtering (1 year and 3 years SRX220 SRX220-W-EWF

subscription)
SRX220-W-EWF-3

Features Requiring a License on SRX240 Devices

Table 88 on page 192 lists the licenses you can purchase for each SRX Series software feature.

Table 88: SRX240 Junos OS Feature License Model Number

Supported
Licensed Software Feature Devices Model Number

Application Security and Intrusion Prevention Signatures SRX240 SRX240-APPSEC-A-1

(1 year and 3 years subscription)
SRX240-APPSEC-A-3

Dynamic VPN (5 Concurrent users, PulseSecure) SRX240 SRX-RAC-5-LTU

Dynamic VPN (10 Concurrent users, PulseSecure) SRX240 SRX-RAC-10-LTU

Dynamic VPN (25 Concurrent users, PulseSecure) SRX240 SRX-RAC-25-LTU

Dynamic VPN (50 Concurrent users, PulseSecure) SRX240 SRX-RAC-50-LTU

Dynamic VPN (100 Concurrent users, PulseSecure) SRX240 SRX-RAC-100-LTU

Dynamic VPN (150 Concurrent users, PulseSecure) SRX240 SRX-RAC-150-LTU

Dynamic VPN (250 Concurrent users, PulseSecure) SRX240 SRX-RAC-250-LTU

 193

Table 88: SRX240 Junos OS Feature License Model Number (continued)

Supported
Licensed Software Feature Devices Model Number

Intrusion Detection and Prevention (1 year and 3 years SRX240 SRX240-IDP

subscription)
SRX240-IDP-3

Kaspersky antivirus (1 year and 3 years subscription) SRX240 SRX240-K-AV

SRX240-K-AV-3

Kaspersky antivirus, Enhanced Web Filtering, Sophos SRX240 SRX240-SMB4-CS

antispam, Application Security and Intrusion Detection
SRX240-SMB4-CS-3
and Prevention (1 year and 3 years subscription)

Sophos antispam (1 year and 3 years subscription) SRX240 SRX240-S2-AS

SRX240-S2-AS-3

Sophos antivirus (1 year and 3 years subscription) SRX240 SRX240-S-AV

SRX240-S-AV-3

Sophos antivirus, Enhanced Web Filtering, Sophos SRX240 SRX240-S-SMB4-CS

antispam, Application Security and Intrusion Detection
SRX240-S-SMB4-CS-3
and Prevention (1 year and 3 years subscription)

Websense Enhanced Web Filtering (1 year and 3 years SRX240 SRX240-W-EWF

subscription)
SRX240-W-EWF-3

Features Requiring a License on SRX300 Devices

Table 89 on page 193 lists the licenses you can purchase for each SRX Series software feature.

Table 89: SRX300 Junos OS Feature License Model Number

Supported
Licensed Software Feature Devices Model Number

Application Security, Intrusion Detection and Prevention, SRX300 SRX300-ATP-BUN-1

Enhanced Web Filtering, Antivirus and Sky Advanced
SRX300-ATP-BUN-3
Threat Prevention (1 year, 3 years and 5 years
subscription)
 194

Table 89: SRX300 Junos OS Feature License Model Number (continued)

Supported
Licensed Software Feature Devices Model Number

Application Security, Intrusion Prevention Signatures, SRX300 SRX300-CS-BUN-1

Antivirus, Enhanced Web Filtering (1 year, 3 years and 5
SRX300-CS-BUN-3
years subscription)

SRX300-CS-BUN-5

Dynamic VPN (5 Concurrent users, PulseSecure) SRX300 SRX-RAC-5-LTU

Dynamic VPN (10 Concurrent users, PulseSecure) SRX300 SRX-RAC-10-LTU

Dynamic VPN (25 Concurrent users, PulseSecure) SRX300 SRX-RAC-25-LTU

Dynamic VPN (50 Concurrent users, PulseSecure) SRX300 SRX-RAC-50-LTU

Dynamic VPN (100 Concurrent users, PulseSecure) SRX300 SRX-RAC-100-LTU

Dynamic VPN (150 Concurrent users, PulseSecure) SRX300 SRX-RAC-150-LTU

Dynamic VPN (250 Concurrent users, PulseSecure) SRX300 SRX-RAC-250-LTU

Enhanced Web Filtering (1 year, 3 years and 5 years SRX300 SRX300-W-EWF-1

subscription)
SRX300-W-EWF-3

SRX300-W-EWF-5

Intrusion Detection and Prevention (1 year, 3 years and SRX300 SRX300-IPS-1

5 years subscription)
SRX300-IPS-3

SRX300-IPS-5

Remote Access (5 Concurrent users, NCP) SRX300 SRX-RA1-5

Remote Access (10 Concurrent users, NCP) SRX300 SRX-RA1-10

Remote Access (25 Concurrent users, NCP) SRX300 SRX-RA1-25

Remote Access (50 Concurrent users, NCP) SRX300 SRX-RA1-50

Remote Access (100 Concurrent users, NCP) SRX300 SRX-RA1-100

 195

Table 89: SRX300 Junos OS Feature License Model Number (continued)

Supported
Licensed Software Feature Devices Model Number

Remote Access (150 Concurrent users, NCP) SRX300 SRX-RA1-150

Remote Access (250 Concurrent users, NCP) SRX300 SRX-RA1-250

Features Requiring a License on SRX320 Devices

Table 90 on page 195 lists the licenses you can purchase for each SRX Series software feature.

Table 90: SRX320 Junos OS Feature License Model Number

Supported
Licensed Software Feature Devices Model Number

Application Security, Intrusion Detection and Prevention, SRX320 SRX320-ATP-BUN-1

Enhanced Web Filtering, Antivirus and Sky Advanced
SRX320-ATP-BUN-3
Threat Prevention (1 year and 3 years subscription)

Application Security, Intrusion Prevention Signatures, SRX320 SRX320-CS-BUN-1

Antivirus, Enhanced Web Filtering (1 year, 3 years and
SRX320-CS-BUN-3
5 years subscription)

SRX320-CS-BUN-5

Enhanced Web Filtering (1 year, 3 years and 5 years SRX320 SRX320-W-EWF-1

subscription)
SRX320-W-EWF-3

SRX320-W-EWF-5

Intrusion Detection and Prevention (1 year, 3 years and SRX320 SRX320-IPS-1

5 years subscription)
SRX320-IPS-3

SRX320-IPS-5

Features Requiring a License on SRX340 Devices

Table 91 on page 196 lists the licenses you can purchase for each SRX Series software feature.
 196

Table 91: SRX340 Junos OS Feature License Model Number

Supported
Licensed Software Feature Devices Model Number

Application Security, Intrusion Detection and SRX340 SRX340-ATP-BUN-1

Prevention, Enhanced Web Filtering, Antivirus and Sky
SRX340-ATP-BUN-3
Advanced Threat Prevention (1 year, 3 years and 5 years
subscription) SRX340-ATP-BUN-5

Application Security, Intrusion Prevention Signatures, SRX340 SRX340-CS-BUN-1

Antivirus, Enhanced Web Filtering (1 year and 3 years
SRX340-CS-BUN-3
subscription)

SRX340-CS-BUN-5

Enhanced Web Filtering (1 year, 3 years and 5 years SRX340 SRX340-W-EWF-1

subscription)
SRX340-W-EWF-3

SRX340-W-EWF-5

Intrusion Detection and Prevention (1 year, 3 years and SRX340 SRX340-IPS-1

5 years subscription)
SRX340-IPS-3

SRX340-IPS-5

Sky Advanced Threat Prevention (1 year, 3 years and SRX340 SRX340-ATP-1

5 years subscription)
SRX340-ATP-3

SRX340-ATP-5

Sky Advanced Threat Prevention Threat Intelligence SRX340 SRX340-THRTFEED-1

Feeds only (1 year and 3 years subscription)
SRX340-THRTFEED-3

SRX340-THRTFEED-5

Features Requiring a License on SRX345 Devices

Table 92 on page 197 lists the licenses you can purchase for each SRX Series software feature.
 197

Table 92: SRX345 Junos OS Feature License Model Number

Supported
Licensed Software Feature Devices Model Number

Application Security, Intrusion Detection and SRX345 SRX345-ATP-BUN-1

Prevention, Enhanced Web Filtering, Antivirus and Sky
SRX345-ATP-BUN-3
Advanced Threat Prevention (1 year, 3 years and 5 years
subscription) SRX345-ATP-BUN-5

Application Security, Antispam, Intrusion Prevention SRX345 SRX345-CS-BUN-1

Signatures, Antivirus, Enhanced Web Filtering (1 year
SRX345-CS-BUN-3
and 3 years subscription)

SRX345-CS-BUN-5

Enhanced Web Filtering (1 year, 3 years and 5 years SRX345 SRX345-W-EWF-1

subscription)
SRX345-W-EWF-3

SRX345-W-EWF-5

Intrusion Prevention Signature (1 year, 3 years and 5 SRX345 SRX345-IPS-1

years subscription)
SRX345-IPS-3

SRX345-IPS-5

Sky Advanced Threat Prevention (1 year, 3 years and SRX345 SRX345-ATP-1

5 years subscription)
SRX345-ATP-3

SRX345-ATP-5

Sky Advanced Threat Prevention Threat Intelligence SRX345 SRX345-THRTFEED-1

Feeds only (1 year and 3 years subscription)
SRX345-THRTFEED-3

SRX345-THRTFEED-5

Features Requiring a License on SRX550 Devices

Table 93 on page 198 lists the licenses you can purchase for each SRX Series software feature.
 198

Table 93: SRX550 Junos OS Feature License Model Number

Supported
Licensed Software Feature Devices Model Number

Application Security and Intrusion Prevention Signature SRX550 SRX550-APPSEC-A-1

(1 year, 3 years and 5 years subscription)
SRX550-APPSEC-A-3

SRX550-APPSEC-A-5

Enhanced Web Filtering (1 year, 3 years and 5 years SRX550 SRX550-W-EWF

subscription)
SRX550-W-EWF-3

SRX500-W-EWF-5

Dynamic VPN (5 Concurrent users, PulseSecure) SRX550 SRX-RAC-5-LTU

Dynamic VPN (10 Concurrent users, PulseSecure) SRX550 SRX-RAC-10-LTU

Dynamic VPN (25 Concurrent users, PulseSecure) SRX550 SRX-RAC-25-LTU

Dynamic VPN (50 Concurrent users, PulseSecure) SRX550 SRX-RAC-50-LTU

Dynamic VPN (100 Concurrent users, PulseSecure) SRX550 SRX-RAC-100-LTU

Dynamic VPN (150 Concurrent users, PulseSecure) SRX550 SRX-RAC-150-LTU

Dynamic VPN (250 Concurrent users, PulseSecure) SRX550 SRX-RAC-250-LTU

Dynamic VPN (500 Concurrent users, PulseSecure) SRX550 SRX-RAC-500-LTU

Intrusion Detection and Prevention (1 year, 3 years and SRX550 SRX550-IDP

5 years subscription)
SRX550-IDP-3

SRX550-IDP-5

Kaspersky antivirus (1 year, 3 years and 5 years SRX550 SRX550-K-AV

subscription)
SRX550-K-AV-3

SRX550-K-AV-5
 199

Table 93: SRX550 Junos OS Feature License Model Number (continued)

Supported
Licensed Software Feature Devices Model Number

Kaspersky antivirus, Enhanced Web Filtering, Sophos SRX550 SRX550-SMB4-CS

antispam, Application Security and Intrusion Detection
SRX550-SMB4-CS-3
and Prevention (1 year and 3 years subscription)

SRX550-SMB4-CS-5

Remote Access (5 Concurrent users, NCP) SRX550 SRX-RA1-5

Remote Access (10 Concurrent users, NCP) SRX550 SRX-RA1-10

Remote Access (25 Concurrent users, NCP) SRX550 SRX-RA1-25

Remote Access (50 Concurrent users, NCP) SRX550 SRX-RA1-50

Remote Access (100 Concurrent users, NCP) SRX550 SRX-RA1-100

Remote Access (150 Concurrent users, NCP) SRX550 SRX-RA1-150

Remote Access (250 Concurrent users, NCP) SRX550 SRX-RA1-250

Remote Access (500 Concurrent users, NCP) SRX550 SRX-RA1-500

Remote Access (1000 Concurrent users, NCP) SRX550 SRX-RA1-1000

Sky Advanced Threat Prevention Threat Intelligence SRX550 SRX550-THRTFEED-1

Feeds only (1 year, 3 years and 5 years subscription)
SRX550-THRTFEED-3

SRX550-THRTFEED-5

Sky Advanced Threat Prevention (1 year, 3 years and 5 SRX550 SRX550-ATP-1

years subscription)
SRX550-ATP-3

SRX550-ATP-5

Sophos antispam (1 year, 3 years and 5 years SRX550 SRX550-S2-AS

subscription)
SRX550-S2-AS-3

SRX550-S2-AS-5
 200

Table 93: SRX550 Junos OS Feature License Model Number (continued)

Supported
Licensed Software Feature Devices Model Number

Sophos antivirus (1 year and 3 years subscription) SRX550 SRX550-S-AV

SRX550-S-AV-3

SRX550-S-AV-5

Sophos antivirus, Enhanced Web Filtering, Sophos SRX550 SRX550-S-SMB4-CS

antispam, Application Security and Intrusion Detection
SRX550-S-SMB4-CS-3
and Prevention (1 year, 3 years and 5 years subscription)

SRX550-S-SMB4-CS-5

Features Requiring a License on SRX650 Devices

Table 94 on page 200 lists the licenses you can purchase for each SRX Series software feature.

Table 94: SRX650 Junos OS Feature License Model Number

Supported
Licensed Software Feature Devices Model Number

Application Security and Intrusion Prevention Signature SRX650 SRX650-APPSEC-A-1

(1 year and 3 years subscription)
SRX650-APPSEC-A-3

Enhanced Web Filtering (1 year, 3 years and 5 years SRX650 SRX650-W-EWF

subscription)
SRX650-W-EWF-3

Dynamic VPN (5 Concurrent users, PulseSecure) SRX650 SRX-RAC-5-LTU

Dynamic VPN (10 Concurrent users, PulseSecure) SRX650 SRX-RAC-10-LTU

Dynamic VPN (25 Concurrent users, PulseSecure) SRX650 SRX-RAC-25-LTU

Dynamic VPN (50 Concurrent users, PulseSecure) SRX650 SRX-RAC-50-LTU

Dynamic VPN (100 Concurrent users, PulseSecure) SRX650 SRX-RAC-100-LTU

Dynamic VPN (150 Concurrent users, PulseSecure) SRX650 SRX-RAC-150-LTU

Dynamic VPN (250 Concurrent users, PulseSecure) SRX650 SRX-RAC-250-LTU

Dynamic VPN (500 Concurrent users, PulseSecure) SRX650 SRX-RAC-500-LTU

 201

Table 94: SRX650 Junos OS Feature License Model Number (continued)

Supported
Licensed Software Feature Devices Model Number

Intrusion Detection and Prevention (1 year and 3 years SRX650 SRX650-IDP

subscription)
SRX650-IDP-3

Kaspersky antivirus (1 year and 3 years subscription) SRX650 SRX650-K-AV

SRX650-K-AV-3

Kaspersky antivirus, Enhanced Web Filtering, Sophos SRX650 SRX650-SMB4-CS

antispam, Application Security and Intrusion Detection
SRX650-SMB4-CS-3
and Prevention (1 year and 3 years subscription)

Sophos antispam (1 year and 3 years subscription) SRX650 SRX650-S2-AS

SRX650-S2-AS-3

Sophos antivirus (1 year and 3 years subscription) SRX650 SRX650-S-AV

SRX650-S-AV-3

Sophos antivirus, Enhanced Web Filtering, Sophos SRX650 SRX650-S-SMB4-CS

antispam, Application Security and Intrusion Detection
SRX650-S-SMB4-CS-3
and Prevention (1 year and 3 years subscription)

Features Requiring a License on SRX1400 Devices

Table 95 on page 201 lists the licenses you can purchase for each SRX Series software feature.

Table 95: SRX1400 Junos OS Feature License Model Number

Supported
Licensed Software Feature Devices Model Number

Application Security and Intrusion Prevention Signature SRX1400 SRX1400-APPSEC-A-1

(1 year and 3 years subscription)
SRX1400-APPSEC-A-3

Application Security, Intrusion Detection and SRX1400 SRX1400-CS-BUN-1

Prevention, Enhanced Web Filtering, Antivirus and
SRX1400-CS-BUN-3
Antispam (1 year and 3 years subscription)

Enhanced Web Filtering (1 year, 3 years and 5 years SRX1400 SRX1400-W-EWF-1

subscription)
SRX1400-W-EWF-3
 202

Table 95: SRX1400 Junos OS Feature License Model Number (continued)

Supported
Licensed Software Feature Devices Model Number

Intrusion Detection and Prevention (1 year and 3 years SRX1400 SRX1400-IDP

subscription)
SRX1400-IDP-3

Sophos antispam (1 year and 3 years subscription) SRX1400 SRX1400-S-AS-1

SRX1400-S-AS-3

Sophos antivirus (1 year and 3 years subscription) SRX1400 SRX1400-S-AV-1

SRX1400-S-AV-3

SRX Content Security (1 Incremental Logical Systems SRX1400 SRX-1400-LSYS-1

License for NetSecure)

Features Requiring a License on SRX1500 Devices

Table 96 on page 202 lists the licenses you can purchase for each SRX Series software feature.

Table 96: SRX1500 Junos OS Feature License Model Number

Supported
Licensed Software Feature Devices Model Number

Application Security, Antispam, Intrusion Detection and SRX1500 SRX1500-ATP-BUN-1

Prevention, Enhanced Web Filtering, Antivirus and Sky
SRX1500-ATP-BUN-3
Advanced Threat Prevention (1 year, 3 years and 5 years
subscription) SRX1500-ATP-BUN-5

Application Security, Intrusion Detection and SRX1500 SRX1500-A-BUN-1

Prevention, Enhanced Web Filtering, and Avira antivirus
SRX1500-A-BUN-3
(1 year, 3 years and 5 years subscription)

SRX1500-A-BUN-5

Application Security, Antispam, Intrusion Prevention SRX1500 SRX1500-CS-BUN-1

Signatures, Antivirus, Enhanced Web Filtering (1 year,
SRX1500-CS-BUN-3
3 years and 5 years subscription)

SRX1500-CS-BUN-5
 203

Table 96: SRX1500 Junos OS Feature License Model Number (continued)

Supported
Licensed Software Feature Devices Model Number

Enhanced Web Filtering (1 year, 3 years and 5 years SRX1500 SRX1500-W-EWF-1

subscription)
SRX1500-W-EWF-3

SRX1500-W-EWF-5

Intrusion Prevention Signature (1 year, 3 years and 5 SRX1500 SRX1500-IPS-1

years subscription)
SRX1500-IPS-3

SRX1500-IPS-5

Logical System License (1, 5, and 25 Incremental) SRX1500 SRX-1500-LSYS-1

SRX-1500-LSYS-5

SRX-1500-LSYS-25

Remote Access (5 Concurrent users, NCP) SRX1500 SRX-RA1-5

Remote Access (10 Concurrent users, NCP) SRX1500 SRX-RA1-10

Remote Access (25 Concurrent users, NCP) SRX1500 SRX-RA1-25

Remote Access (50 Concurrent users, NCP) SRX1500 SRX-RA1-50

Remote Access (100 Concurrent users, NCP) SRX1500 SRX-RA1-100

Remote Access (150 Concurrent users, NCP) SRX1500 SRX-RA1-150

Remote Access (250 Concurrent users, NCP) SRX1500 SRX-RA1-250

Remote Access (500 Concurrent users, NCP) SRX1500 SRX-RA1-500

Remote Access (1000 Concurrent users, NCP) SRX1500 SRX-RA1-1000

Remote Access (2000 Concurrent users, NCP) SRX1500 SRX-RA1-2000

Sky Advanced Threat Prevention Threat Intelligence SRX1500 SRX1500-THRTFEED-1

Feeds only (1 year, 3 years and 5 years subscription)
SRX1500-THRTFEED-3

SRX1500-THRTFEED-5
 204

Table 96: SRX1500 Junos OS Feature License Model Number (continued)

Supported
Licensed Software Feature Devices Model Number

Sky Advanced Threat Protection (1 year, 3 years and 5 SRX1500 SRX1500-ATP-1

years subscription)
SRX1500-ATP-3

SRX1500-ATP-5

Features Requiring a License on SRX3400 Devices

Table 97 on page 204 lists the licenses you can purchase for each SRX Series software feature.

Table 97: SRX3400 Junos OS Feature License Model Number

Supported
Licensed Software Feature Devices Model Number

Application Security, Intrusion Detection and SRX3400 SRX3400-ATP-BUN-1

Prevention, Enhanced Web Filtering, Antivirus and Sky
SRX3400-ATP-BUN-3
Advanced Threat Prevention (1 year and 3 year
subscription) SRX3400-ATP-BUN-5

Application Security, Intrusion Prevention Signatures, SRX3400 SRX3400-CS-BUN-1

Antivirus, Enhanced Web Filtering (1 year and 3 years
SRX3400-CS-BUN-3
subscription)

Application Security and Intrusion Prevention Signature SRX3400 SRX3400-APPSEC-A-1

(1 year and 3 year subscription)
SRX3400-APPSEC-A-3

Enhanced Web Filtering (1 year and 3 years SRX3400 SRX3400-W-EWF-1

subscription)
SRX3400-W-EWF-3

Intrusion Detection and Prevention (1 year and 3 years SRX3400 SRX3K-IDP

subscription)
SRX3K-IDP-3

Logical System License (1, 5, and 25 Incremental) SRX3400 SRX-3400-LSYS-1

SRX-3400-LSYS-5

SRX-3400-LSYS-25
 205

Table 97: SRX3400 Junos OS Feature License Model Number (continued)

Supported
Licensed Software Feature Devices Model Number

Sophos antispam (1 year and 3 year subscription) SRX3400 SRX3400-S-AS-1

SRX3400-S-AS-3

Sophos antivirus (1 year and 3 year subscription) SRX3400 SRX3400-S-AV-1

SRX3400-S-AV-3

Features Requiring a License on SRX3600 Devices

Table 98 on page 205 lists the licenses you can purchase for each SRX Series software feature.

Table 98: SRX3600 Junos OS Feature License Model Number

Supported
Licensed Software Feature Devices Model Number

Application Security, Intrusion Prevention Signatures, SRX3600 SRX3600-CS-BUN-1

Antivirus, Enhanced Web Filtering (1 year and 3 years
SRX3600-CS-BUN-3
subscription)

Application Security and Intrusion Prevention SRX3600 SRX3600-APPSEC-A-1

Signature (1 year and 3 year subscription)
SRX3600-APPSEC-A-3

Enhanced Web Filtering (1 year and 3 years SRX3600 SRX3600-W-EWF-1

subscription)
SRX3600-W-EWF-3

Intrusion Detection and Prevention (1 year and 3 SRX3600 SRX3K-IDP

years subscription)
SRX3K-IDP-3

Logical System License (1, 5, and 25 Incremental) SRX3600 SRX-3600-LSYS-1

SRX-3600-LSYS-5

SRX-3600-LSYS-25

Sophos antispam (1 year and 3 year subscription) SRX3600 SRX3600-S-AS-1

SRX3600-S-AS-3
 206

Table 98: SRX3600 Junos OS Feature License Model Number (continued)

Supported
Licensed Software Feature Devices Model Number

Sophos antivirus (1 year and 3 year subscription) SRX3600 SRX3600-S-AV-1

SRX3600-S-AV-3

Features Requiring a License on SRX4100 Devices

Table 99 on page 206 lists the licenses you can purchase for each SRX Series software feature.

Table 99: SRX4100 Junos OS Feature License Model Number

Supported
Licensed Software Feature Devices Model Number

Application Security, Intrusion Prevention Signatures, SRX4100 SRX4100-ATP-BUN-1

Enhanced Web Filtering, Antivirus and Sky Advanced
SRX4100-ATP-BUN-3
Threat Prevention (1 year, 3 years and 5 years
subscription) SRX4100-ATP-BUN-5

Application Security, Intrusion Prevention Signatures, SRX4100 SRX4100-CS-BUN-1

Enhanced Web Filtering, Antivirus and Antispam (1
SRX4100-CS-BUN-3
year, 3 years and 5 years subscription)

SRX4100-CS-BUN-5

Application Security, Intrusion Detection and SRX4100 SRX4100-A-BUN-1

Prevention, Enhanced Web Filtering, and Avira antivirus
SRX4100-A-BUN-3
(1 year, 3 years and 5 years subscription)

SRX4100-A-BUN-5

Enhanced Web Filtering (1 year, 3 years and 5 years SRX4100 SRX4100-W-EWF-1

subscription)
SRX4100-W-EWF-3

SRX4100-W-EWF-5

Intrusion Prevention Signature (1 year, 3 years and 5 SRX4100 SRX4100-IPS-1

years subscription)
SRX4100-IPS-3

SRX4100-IPS-5
 207

Table 99: SRX4100 Junos OS Feature License Model Number (continued)

Supported
Licensed Software Feature Devices Model Number

Logical System License (1, 5, and 25 Incremental) SRX4100 SRX-4100-LSYS-1

SRX-4100-LSYS-5

SRX-4100-LSYS-25

Remote Access (5 Concurrent users, NCP) SRX4100 SRX-RA1-5

Remote Access (10 Concurrent users, NCP) SRX4100 SRX-RA1-10

Remote Access (25 Concurrent users, NCP) SRX4100 SRX-RA1-25

Remote Access (50 Concurrent users, NCP) SRX4100 SRX-RA1-50

Remote Access (100 Concurrent users, NCP) SRX4100 SRX-RA1-100

Remote Access (150 Concurrent users, NCP) SRX4100 SRX-RA1-150

Remote Access (250 Concurrent users, NCP) SRX4100 SRX-RA1-250

Remote Access (500 Concurrent users, NCP) SRX4100 SRX-RA1-500

Remote Access (1000 Concurrent users, NCP) SRX4100 SRX-RA1-1000

Remote Access (2000 Concurrent users, NCP) SRX4100 SRX-RA1-2000

Remote Access (5000 Concurrent users, NCP) SRX4100 SRX-RA1-5000

Sky Advanced Threat Prevention Threat Intelligence SRX4100 SRX4100-THRTFEED-1

Feeds only (1 year, 3 years and 5 years subscription)
SRX4100-THRTFEED-3

SRX4100-THRTFEED-5

Sky Advanced Threat Protection (1 year, 3 years and 5 SRX4100 SRX4100-ATP-1

years subscription)
SRX4100-ATP-3

SRX4100-ATP-5

Features Requiring a License on SRX4200 Devices

Table 100 on page 208 lists the licenses you can purchase for each SRX Series software feature.
 208

Table 100: SRX4200 Junos OS Feature License Model Number

Supported
Licensed Software Feature Devices Model Number

Application Security, Intrusion Prevention Signatures, SRX4200 SRX4200-ATP-BUN-1

Enhanced Web Filtering, Antivirus and Sky Advanced
SRX4200-ATP-BUN-3
Threat Prevention (1 year, 3 years and 5 years
subscription) SRX4200-ATP-BUN-5

Application Security, Intrusion Prevention Signatures, SRX4200 SRX4200-CS-BUN-1

Enhanced Web Filtering, Antivirus and Antispam (1
SRX4200-CS-BUN-3
year, 3 years and 5 years subscription)

SRX4200-CS-BUN-5

Application Security, Intrusion Detection and SRX4200 SRX4200-A-BUN-1

Prevention, Enhanced Web Filtering, and Avira antivirus
SRX4200-A-BUN-3
(1 year, 3 years and 5 years subscription)

SRX4200-A-BUN-5

Enhanced Web Filtering (1 year, 3 years and 5 years SRX4200 SRX4200-W-EWF-1

subscription)
SRX4200-W-EWF-3

SRX4200-W-EWF-5

Intrusion Prevention Signature (1 year, 3 years and 5 SRX4200 SRX4200-IPS-1

years subscription)
SRX4200-IPS-3

SRX4200-IPS-5

Logical System License (1, 5, and 25 Incremental) SRX4200 SRX-4200-LSYS-1

SRX-4200-LSYS-5

SRX-4200-LSYS-25

Remote Access (5 Concurrent users, NCP) SRX4200 SRX-RA1-5

Remote Access (10 Concurrent users, NCP) SRX4200 SRX-RA1-10

Remote Access (25 Concurrent users, NCP) SRX4200 SRX-RA1-25

Remote Access (50 Concurrent users, NCP) SRX4200 SRX-RA1-50

Remote Access (100 Concurrent users, NCP) SRX4200 SRX-RA1-100

 209

Table 100: SRX4200 Junos OS Feature License Model Number (continued)

Supported
Licensed Software Feature Devices Model Number

Remote Access (150 Concurrent users, NCP) SRX4200 SRX-RA1-150

Remote Access (250 Concurrent users, NCP) SRX4200 SRX-RA1-250

Remote Access (500 Concurrent users, NCP) SRX4200 SRX-RA1-500

Remote Access (1000 Concurrent users, NCP) SRX4200 SRX-RA1-1000

Remote Access (2000 Concurrent users, NCP) SRX4200 SRX-RA1-2000

Remote Access (5000 Concurrent users, NCP) SRX4200 SRX-RA1-5000

Sky Advanced Threat Prevention Threat Intelligence SRX4200 SRX4200-THRTFEED-1

Feeds only (1 year, 3 years and 5 years subscription)
SRX4200-THRTFEED-3

SRX4200-THRTFEED-5

Sky Advanced Threat Protection (1 year, 3 years and 5 SRX4200 SRX4200-ATP-1

years subscription)
SRX4200-ATP-3

SRX4200-ATP-5

Features Requiring a License on SRX4600 Devices

Table 101 on page 209 lists the licenses you can purchase for each SRX Series software feature.

Table 101: SRX4600 Junos OS Feature License Model Number

Supported
Licensed Software Feature Devices Model Number

Intrusion Prevention Signatures, Enhanced Web SRX4600 SRX4600-ATP-BUN-1

Filtering, Antivirus and Sky Advanced Threat Prevention
SRX4600-ATP-BUN-3
(1 year, 3 years and 5 years subscription)

SRX4600-ATP-BUN-5

Application Security, Intrusion Prevention Signatures, SRX4600 SRX4600-CS-BUN-1

Enhanced Web Filtering, Antivirus and Antispam (1
SRX4600-CS-BUN-3
year, 3 years and 5 years subscription)

SRX4600-CS-BUN-5
 210

Table 101: SRX4600 Junos OS Feature License Model Number (continued)

Supported
Licensed Software Feature Devices Model Number

Application Security, Intrusion Detection and SRX4600 SRX4600-A-BUN-1

Prevention, Enhanced Web Filtering, and Avira antivirus
SRX4600-A-BUN-3
(1 year, 3 years and 5 years subscription)

SRX4600-A-BUN-5

Enhanced Web Filtering (1 year, 3 years and 5 years SRX4600 SRX4600-W-EWF-1

subscription)
SRX4600-W-EWF-3

SRX4600-W-EWF-5

Intrusion Prevention Signature (1 year, 3 years and 5 SRX4600 SRX4600-IPS-1

years subscription)
SRX4600-IPS-3

SRX4600-IPS-5

Logical System License (1, 5, and 25 Incremental) SRX4600 SRX-4600-LSYS-1

SRX-4600-LSYS-5

SRX-4600-LSYS-25

Remote Access (5 Concurrent users, NCP) SRX4600 SRX-RA1-5

Remote Access (10 Concurrent users, NCP) SRX4600 SRX-RA1-10

Remote Access (25 Concurrent users, NCP) SRX4600 SRX-RA1-25

Remote Access (50 Concurrent users, NCP) SRX4600 SRX-RA1-50

Remote Access (100 Concurrent users, NCP) SRX4600 SRX-RA1-100

Remote Access (150 Concurrent users, NCP) SRX4600 SRX-RA1-150

Remote Access (250 Concurrent users, NCP) SRX4600 SRX-RA1-250

Remote Access (500 Concurrent users, NCP) SRX4600 SRX-RA1-500

Remote Access (1000 Concurrent users, NCP) SRX4600 SRX-RA1-1000

Remote Access (2000 Concurrent users, NCP) SRX4600 SRX-RA1-2000

 211

Table 101: SRX4600 Junos OS Feature License Model Number (continued)

Supported
Licensed Software Feature Devices Model Number

Remote Access (5000 Concurrent users, NCP) SRX4600 SRX-RA1-5000

Sky Advanced Threat Prevention Threat Intelligence SRX4600 SRX4600-THRTFEED-1

Feeds only (1 year, 3 years and 5 years subscription)
SRX4600-THRTFEED-3

SRX4600-THRTFEED-5

Sky Advanced Threat Protection (1 year, 3 years and 5 SRX4600 SRX4600-ATP-1

years subscription)
SRX4600-ATP-3

SRX4600-ATP-5

Features Requiring a License on SRX5400 Devices

Table 102 on page 211 lists the licenses you can purchase for each SRX Series software feature.

Table 102: SRX5400 Junos OS Feature License Model Number

Supported
Licensed Software Feature Devices Model Number

Application Security, Intrusion Prevention Signatures, SRX5400 SRX5400-ATP-BUN-1

Enhanced Web Filtering, Antivirus and Sky Advanced
SRX5400-ATP-BUN-3
Threat Prevention (1 year, 3 years and 5 years
subscription) SRX5400-ATP-BUN-5

Application Security, Intrusion Prevention Signatures, SRX5400 SRX5400-CS-BUN-1

Enhanced Web Filtering, Antivirus and Antispam (1
SRX5400-CS-BUN-3
year, 3 years and 5 years subscription)

SRX5400-CS-BUN-5

Application Security and Intrusion Prevention Signature SRX5400 SRX5400-APPSEC-1

(1 year, 3 years and 5 years subscription)
SRX5400-APPSEC-3

SRX5400-APPSEC-5

Enhanced Web Filtering (1 year, 3 years and 5 years SRX5400 SRX5400-W-EWF-1

subscription)
SRX5400-W-EWF-3

SRX5400-W-EWF-5
 212

Table 102: SRX5400 Junos OS Feature License Model Number (continued)

Supported
Licensed Software Feature Devices Model Number

Intrusion Detection and Prevention (1 year, 3 years and SRX5400 SRX5K-IDP

5 years subscription)
SRX5K-IDP-3

SRX5K-IDP-5

Logical System License (1, 5, and 25 Incremental) SRX5400 SRX-5400-LSYS-1

SRX-5400-LSYS-5

SRX-5400-LSYS-25

Remote Access (5 Concurrent users, NCP) SRX5400 SRX-RA1-5

Remote Access (10 Concurrent users, NCP) SRX5400 SRX-RA1-10

Remote Access (25 Concurrent users, NCP) SRX5400 SRX-RA1-25

Remote Access (50 Concurrent users, NCP) SRX5400 SRX-RA1-50

Remote Access (100 Concurrent users, NCP) SRX5400 SRX-RA1-100

Remote Access (150 Concurrent users, NCP) SRX5400 SRX-RA1-150

Remote Access (250 Concurrent users, NCP) SRX5400 SRX-RA1-250

Remote Access (500 Concurrent users, NCP) SRX5400 SRX-RA1-500

Remote Access (1000 Concurrent users, NCP) SRX5400 SRX-RA1-1000

Remote Access (2000 Concurrent users, NCP) SRX5400 SRX-RA1-2000

Remote Access (5000 Concurrent users, NCP) SRX5400 SRX-RA1-5000

Remote Access (10K Concurrent users, NCP) SRX5400 SRX-RA1-10000

Sky Advanced Threat Prevention Threat Intelligence SRX5400 SRX5400-THRTFEED-1

Feeds only (1 year, 3 years and 5 years subscription)
SRX5400-THRTFEED-3

SRX5400-THRTFEED-5
 213

Table 102: SRX5400 Junos OS Feature License Model Number (continued)

Supported
Licensed Software Feature Devices Model Number

Sky Advanced Threat Protection (1 year, 3 years and SRX5400 SRX5400-ATP-1

5 years subscription)
SRX5400-ATP-3

SRX5400-ATP-5

Features Requiring a License on SRX5600 Devices

Table 103 on page 213 lists the licenses you can purchase for each SRX Series software feature.

Table 103: SRX5600 Junos OS Feature License Model Number

Supported
Licensed Software Feature Devices Model Number

Application Security, Intrusion Prevention Signatures, SRX5600 SRX5600-ATP-BUN-1

Enhanced Web Filtering, Antivirus and Sky Advanced
SRX5600-ATP-BUN-3
Threat Prevention (1 year, 3 years and 5 years
subscription) SRX5600-ATP-BUN-5

Application Security, Intrusion Prevention Signatures, SRX5600 SRX5600-CS-BUN-1

Enhanced Web Filtering, Antivirus and Antispam (1
SRX5600-CS-BUN-3
year, 3 years and 5 years subscription)

SRX5600-CS-BUN-5

Application Security and Intrusion Prevention Signature SRX5600 SRX5600-APPSEC-A-1

(1 year, 3 years and 5 years subscription)
SRX5600-APPSEC-A-3

SRX5600-APPSEC-A-5

Enhanced Web Filtering (1 year, 3 years and 5 years SRX5600 SRX5600-W-EWF-1

subscription)
SRX5600-W-EWF-3

SRX5600-W-EWF-5

Intrusion Detection and Prevention (1 year, 3 years SRX5600 SRX5K-IDP

and 5 years subscription)
SRX5K-IDP-3

SRX5K-IDP-5
 214

Table 103: SRX5600 Junos OS Feature License Model Number (continued)

Supported
Licensed Software Feature Devices Model Number

Logical System License (1, 5, and 25 Incremental) SRX5600 SRX-5600-LSYS-1

SRX-5600-LSYS-5

SRX-5600-LSYS-25

Remote Access (5 Concurrent users, NCP) SRX5600 SRX-RA1-5

Remote Access (10 Concurrent users, NCP) SRX5600 SRX-RA1-10

Remote Access (25 Concurrent users, NCP) SRX5600 SRX-RA1-25

Remote Access (50 Concurrent users, NCP) SRX5600 SRX-RA1-50

Remote Access (100 Concurrent users, NCP) SRX5600 SRX-RA1-100

Remote Access (150 Concurrent users, NCP) SRX5600 SRX-RA1-150

Remote Access (250 Concurrent users, NCP) SRX5600 SRX-RA1-250

Remote Access (500 Concurrent users, NCP) SRX5600 SRX-RA1-500

Remote Access (1000 Concurrent users, NCP) SRX5600 SRX-RA1-1000

Remote Access (2000 Concurrent users, NCP) SRX5600 SRX-RA1-2000

Remote Access (5000 Concurrent users, NCP) SRX5600 SRX-RA1-5000

Remote Access (10K Concurrent users, NCP) SRX5600 SRX-RA1-10000

Sky Advanced Threat Prevention Threat Intelligence SRX5600 SRX5600-THRTFEED-1

Feeds only (1 year, 3 years and 5 years subscription)
SRX5600-THRTFEED-3

SRX5600-THRTFEED-5

Sky Advanced Threat Protection (1 year, 3 years and SRX5600 SRX5600-ATP-1

5 years subscription)
SRX5600-ATP-3

SRX5600-ATP-5
 215

Features Requiring a License on SRX5800 Devices

Table 104 on page 215 lists the licenses you can purchase for each SRX Series software feature.

Table 104: SRX5800 Junos OS Feature License Model Number

Supported
Licensed Software Feature Devices Model Number

Application Security, Intrusion Prevention Signatures, SRX5800 SRX5800-ATP-BUN-1

Enhanced Web Filtering, Antivirus and Sky Advanced
SRX5800-ATP-BUN-3
Threat Prevention (1 year, 3 years and 5 years
subscription) SRX5800-ATP-BUN-5

Application Security, Intrusion Prevention Signatures, SRX5800 SRX5800-CS-BUN-1

Enhanced Web Filtering, Antivirus and Antispam (1
SRX5800-CS-BUN-3
year, 3 years and 5 years subscription)

SRX5800-CS-BUN-5

Application Security and Intrusion Prevention Signature SRX5800 SRX5800-APPSEC-A-1

(1 year, 3 years and 5 years subscription)
SRX5800-APPSEC-A-3

SRX5800-APPSEC-A-5

Enhanced Web Filtering (1 year, 3 years and 5 years SRX5800 SRX5800-W-EWF-1

subscription)
SRX5800-W-EWF-3

SRX5800-W-EWF-5

Intrusion Detection and Prevention (1 year, 3 years SRX5800 SRX5K-IDP

and 5 years subscription)
SRX5K-IDP-3

SRX5K-IDP-5

Logical System License (1, 5, and 25 Incremental) SRX5800 SRX-5800-LSYS-1

SRX-5800-LSYS-5

SRX-5800-LSYS-25

Remote Access (5 Concurrent users, NCP) SRX5800 SRX-RA1-5

Remote Access (10 Concurrent users, NCP) SRX5800 SRX-RA1-10

Remote Access (25 Concurrent users, NCP) SRX5800 SRX-RA1-25

 216

Table 104: SRX5800 Junos OS Feature License Model Number (continued)

Supported
Licensed Software Feature Devices Model Number

Remote Access (50 Concurrent users, NCP) SRX5800 SRX-RA1-50

Remote Access (100 Concurrent users, NCP) SRX5800 SRX-RA1-100

Remote Access (150 Concurrent users, NCP) SRX5800 SRX-RA1-150

Remote Access (250 Concurrent users, NCP) SRX5800 SRX-RA1-250

Remote Access (500 Concurrent users, NCP) SRX5800 SRX-RA1-500

Remote Access (1000 Concurrent users, NCP) SRX5800 SRX-RA1-1000

Remote Access (2000 Concurrent users, NCP) SRX5800 SRX-RA1-2000

Remote Access (5000 Concurrent users, NCP) SRX5800 SRX-RA1-5000

Remote Access (10K Concurrent users, NCP) SRX5800 SRX-RA1-10000

Sky Advanced Threat Prevention Threat Intelligence SRX5800 SRX5800-THRTFEED-1

Feeds only (1 year, 3 years and 5 years subscription)
SRX5800-THRTFEED-3

SRX5800-THRTFEED-5

Sky Advanced Threat Protection (1 year, 3 years and SRX5800 SRX5800-ATP-1

5 years subscription)
SRX5800-ATP-3

SRX5800-ATP-5

SEE ALSO

Understanding Licenses for Logical Systems and Tenant Systems on SRX Series Devices

Understanding Chassis Cluster Licensing Requirements

There is no separate license required for chassis cluster. However, some Junos OS software features
require a license to activate the feature. To configure and use the licensed feature in a chassis cluster
setup, you must purchase one license per feature per device and the license needs to be installed on both
 217

nodes of the chassis cluster. Both devices (which are going to form a chassis cluster) must have the valid,
identical features licenses installed on them. If both devices do not have an identical set of licenses, then
after a failover, a particular feature (that is, a feature that is not licensed on both devices) might not work
or the configuration might not synchronize in chassis cluster formation. Licensing is usually ordered when
the device is purchased, and this information is bound to the chassis serial number. For example, Intrusion
Detection and Prevention (IDP) is a licensed feature and the license for this specific feature is tied to the
serial number of the device.

For information about how to purchase software licenses, contact your Juniper Networks sales
representative at https://www.juniper.net/in/en/contact-us/.

Installing Licenses on the SRX Series Devices in a Chassis Cluster

You can add a license key from a file or a URL, from a terminal, or from the J-Web user interface. Use the
filename option to activate a perpetual license directly on the device. Use the url option to send a
subscription-based license key entitlement (such as unified threat management [UTM]) to the Juniper
Networks licensing server for authorization. If authorized, the server downloads the license to the device
and activates it.

Before adding new licenses, complete the following tasks:

• Purchase the required licenses.

• Set the chassis cluster node ID and the cluster ID. See Example: Setting the Node ID and Cluster ID for
Security Devices in a Chassis Cluster .

• Ensure that your SRX Series device has a connection to the Internet (if particular feature requires Internet
or if (automatic) renewal of license through internet is to be used). For instructions on establishing basic
connectivity, see the Getting Started Guide or Quick Start Guide for your device.
 218

To install licenses on the primary node of an SRX Series device in a chassis cluster:

1. Run the show chassis cluster status command and identify which node is primary for redundancy group
0 on your SRX Series device.

{primary:node0}
user@host> show chassis cluster status redundancy-group 0

Cluster ID: 9
Node Priority Status Preempt Manual failover

Redundancy group: 0 , Failover count: 1

node0 254 primary no no
node1 1 secondary no no

Output to this command indicates that node 0 is primary and node 1 is secondary.

2. From CLI operational mode, enter one of the following CLI commands:

• To add a license key from a file or a URL, enter the following command, specifying the filename or
the URL where the key is located:

user@host> request system license add filename | url

• To add a license key from the terminal, enter the following command:

user@host> request system license add terminal

3. When prompted, enter the license key, separating multiple license keys with a blank line.

If the license key you enter is invalid, an error appears in the CLI output when you press Ctrl+d to exit
license entry mode.

4. Verify the installed licenses.

For more details, see Adding New Licenses (CLI Procedure).

To install licenses on the secondary node of an SRX Series device in a chassis cluster:

1. Initiate a failover to change node 1 (secondary node) to be the primary node:

{primary:node0}

user@host> request chassis cluster failover redundancy-group 0 node 1

 219

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
Initiated manual failover for redundancy group 0

NOTE: Initiating a failover to the secondary node is not required if you are installing licenses
manually on the device. However, if you are installing the license directly from the Internet,
you must initiate a failover.

2. Repeat the steps described in “Step-by-Step Procedure” on page 218 to install licenses on the secondary
node.

3. Reboot the device for licenses to take effect.

NOTE: You must install the updated license on both nodes of the chassis cluster before the
existing license expires.

NOTE: In a chassis cluster configuration, when one device has a license installed, and the other
device does not have the same license installed, an error message is displayed when you try to
configure that specific feature as shown in the following example:

[edit security utm feature-profile web-filtering type]

'type juniper-enhanced'
warning: requires 'wf_key_websense_ewf' license <<<<<<<<<<<<<<<<<<<<<<
configuration check succeeds

TIP: If you are not using any specific feature or license , you can delete the license from both
devices in a chassis cluster. You need to connect to each node separately to delete the licenses.
For details, see “Example: Deleting a License Key” on page 235.
 220

Verifying Licenses on an SRX Series Device in a Chassis Cluster

Purpose
You can verify the licenses installed on both the devices in a chassis cluster setup by using the show system
license installed command to view license usage.

Action

Licenses details on node 0.

user@host> show system license installed

{primary:node0}
user@host> show system license
License usage:
Licenses Licenses Licenses Expiry
Feature name used installed needed
logical-system 1 26 0 permanent
services-offload 0 1 0 permanent

Licenses installed:
License identifier: JUNOS363684
License version: 2
Valid for device: JN111A654AGB
Features:
services-offload - services offload mode
permanent

License identifier: JUNOS531744

License version: 4
Valid for device: JN111A654AGB
Features:
services-offload - services offload mode
permanent

License identifier: JUNOS558173

License version: 4
Valid for device: JN111A654AGB
Features:
logical-system-25 - Logical System Capacity
permanent

Licenses details on node 1.

 221

{secondary-hold:node1}
user@host> show system license
License usage:
Licenses Licenses Licenses Expiry
Feature name used installed needed
idp-sig 0 1 0 permanent
logical-system 1 26 0 permanent
services-offload 0 1 0 permanent

Licenses installed:
License identifier: JUNOS209661
License version: 2
Valid for device: JN111AB4DAGB
Features:
idp-sig - IDP Signature
permanent

License identifier: JUNOS336648

License version: 2
Valid for device: JN111AB4DAGB
Features:
logical-system-25 - Logical System Capacity
permanent

License identifier: JUNOS363685

License version: 2
Valid for device: JN111AB4DAGB
Features:
services-offload - services offload mode
permanent

License identifier: JUNOS531745

License version: 4
Valid for device: JN111AB4DAGB
Features:
services-offload - services offload mode
permanent

Meaning
Use the fields License version and Features to make sure that licenses installed on both the nodes are
identical.
 222

Understanding Licenses for Logical Systems and Tenant Systems on SRX Series Devices

This topic provides licensing information for SRX Series devices running logical systems and tenant systems.

Starting in Junos OS Release 18.3R1, an SRX Series device running logical systems or tenant systems
includes three licenses by default. One license for a master logical system and the other two licenses for
user-defined logical system or tenant system. The system does not allow you to configure additional logical
systems or tenant systems if the number of logical systems and tenant systems exceeds the number of
available licenses. In the earlier releases, the system allowed you to configure an additional logical system
even if the number of logical systems exceeds the number of available licenses, but with a warning message
of non-licensed logical-systems do not pass traffic. You can purchase licenses for additional logical systems
and tenant systems that you intend to create. If you intend to configure an interconnect logical system or
interconnect tenant system to use as a switch, it also requires separate licenses.

We enforce that you do not configure more logical systems or tenant systems than the number of licenses
you have purchased. If the number of logical systems or tenant systems that you attempt to configure
exceeds the number of licenses that you have purchased, then the system displays an error message similar
to the following:

user@host> commit

error: 2 more multitenancy license(s) are needed!

error: configuration check-out failed

You can use the show system license status all-logical-systems-tenants or show system license usage
commands to view the active logical systems and tenant systems on the device.

user@host> show system license status all-logical-systems-tenants

logical system name license status

root-logical-system enabled
LSYS2 enabled
LSYS0 enabled
LSYS11 enabled
LSYS12 enabled
LSYS23 enabled
TSYS1 enabled
 223

TSYS2 enabled
TSYS3 enabled

user@host> show system license usage

Licenses Licenses Licenses Expiry

Feature name used installed needed
logical-system 9 11 0 2019-05-18
08:00:00 CST

When you use SRX Series devices running logical systems or tenant systems in a chassis cluster, you must
purchase and install the same number of licenses for each node in the chassis cluster. Logical systems or
tenant systems licenses pertain to a single chassis, or node, within a chassis cluster and not to the cluster
collectively.

SEE ALSO

Understanding Logical Systems for SRX Series Services Gateways

Understanding Tenant Systems

Understanding UTM Licensing

The majority of UTM features function as a subscription service requiring a license. You can redeem this
license once you have purchased your subscription license SKUs. You redeem your license by entering
your authorization code and chassis serial number into the Customer Service license portal interface. Once
your entitlement is generated, you can use the CLI from your device to send a license update request to
the license portal. The license portal then sends your subscription license directly to the device.

NOTE: The products supported by the Juniper Agile Licensing (JAL) portal includes: QFX series,
SRX Series, EX Series, NFX, vBNG, vMX, vSRX, and ACX. For other Juniper products (SPACE,
JSA, SBR Carrier, Screen OS and so on) access the License Management System (LMS).

NOTE: UTM requires 1 GB of memory.

 224

Table 105: UTM Feature Subscription Service License Requirements

UTM Feature Requires License

Antispam Yes

Antivirus: sophos Yes

Content Filtering No

Web Filtering: integrated Yes

Web Filtering: redirect No

Web Filtering: local No

Web Filtering: enhanced Yes

NOTE: License enforcement is supported on all SRX Series devices. Licensed features including
anti-virus or Enhanced Web Filtering will not function until a license has been installed. The
license must be installed after installing or upgrading to a new Junos OS Release version.
Unlicensed features such as UTM blacklists and whitelists will continue to function without a
license.

Updating UTM Licenses (CLI Procedure)

To apply the UTM subscription license to SRX Series devices, use the following CLI command:

user@host> request system license update

After you install the license for SRX300, SRX320, SRX340, SRX345, SRX550M, and SRX1400 devices,
reboot the device. The device reserves additional memory for UTM features and hence decreases the
session capacity.

For SRX3400, SRX3600, SRX4600, SRX5600 and SRX5800 devices, use the following command to manually
reallocate the memory for UTM features:

user@host>set security forwarding-process application-services enable-utm-memory

Reboot the device for the configuration to take effect.

 225

NOTE: SRX1500, SRX4100 and SRX4200 devices have enough memory for UTM. These devices
do not require any command for memory allocation.

SEE ALSO

Understanding Licenses for Logical Systems and Tenant Systems on SRX Series Devices

Installing the IPS License (CLI)

You can either download an IPS license from the license server, or manually install IPS if you received a
license from Juniper Networks.

Access the SRX Series device console through the serial cable plugged into the console port on the device
or by using a terminal session such as SSH.

To apply your IPS subscription license to the device, use the following CLI command:

user@host> request system license update

If you received a license for manual installation, perform the following tasks:

1. Access the SRX Series Services Gateway console either by plugging the serial cable into the console
port on the device or by using a terminal session such as SSH.

2. Check for an IPS license (required for all IPS updates):

user@host> show system license

License usage:
Licenses Licenses Licenses Expiry
Feature name used installed needed
logical-system 0 0 0 permanent

3. If there are no licenses installed, obtain the chassis serial number by using the following CLI command:

user@host> show chassis hardware

 226

4. A serial number is needed to generate the IPS license. You can add a license key from a file or URL or
from the terminal.

• From a file or URL:

user@host> request system license add <file name>

• From the terminal:

user@host> request system license add terminal

5. When prompted, enter the license key, separating multiple license keys with a blank line. If the license
key you enter is invalid, an error is generated when you press Ctrl-D to exit license entry mode.

6. Verify the system license by entering the show system license command.

user@host> show system license

License usage:
Licenses Licenses Licenses Expiry
Feature name used installed needed
idp-sig 4 1 0 permanent

Licenses installed:
License identifier: JUNOS208639
License version: 2
Valid for device: AA4508AD0005
Features:
idp-sig - IDP Signature
date-based, 2009-0406 08:00:00 GMT-8 - 2010-04-06 08:00:00 GMT-8

SEE ALSO

Understanding Licenses for Logical Systems and Tenant Systems on SRX Series Devices

Installing and Verifying Licenses for an Application Signature Package

The Junos OS application signature package update is a separately licensed subscription service. You must
install the application signature package update license key on your device to download and install the
 227

signature database updates provided by Juniper Networks. If your license key expires, you can continue
to use the locally stored application signature package content.

Licensing is usually ordered when the device is purchased, and this information is bound to the chassis
serial number. These instructions assume that you already have the license. If you did not order the license
during the purchase of the device, contact your account team or Juniper customer care for assistance. For
more information, refer to the Knowledge Base article KB9731 at
https://kb.juniper.net/InfoCenter/index?page=home.

Starting from Junos OS 15.1X49-D30 and Junos OS Release 17.3R1, on SRX1500 devices, AppSecure is
part of Junos Software Enhanced (JSE) software license package. There is no separate license key for
AppSecure is available. You must use JSE software license on your device to download and install the
AppID signature database updates, or to use other AppSecure features such as AppFW, AppQoS, and
AppTrack.

Starting from Junos OS 15.1X49-D30 and Junos OS Release 17.3R1, on SRX300, SRX320, SRX340, and
SRX345 devices, AppSecure is part of Junos Software Enhanced (JSE) software license package. There is
no separate license key for AppSecure is available. You must use JSE software license on your device to
download and install the AppID signature database updates, or to use other AppSecure features such as
AppFW, AppQoS, and AppTrack.

Starting from 15.1X49-D65 and Junos OS Release 17.3R1, on SRX4100, and SRX4200 devices, AppSecure
is part of Junos Software Enhanced (JSE) license package. There is no separate license key for AppSecure
is available. You must use JSE software license on your device to download and install the AppID signature
database updates, or to use other AppSecure features such as AppFW, AppQoS, and AppTrack.

Starting from Junos OS Release 17.4R1, for SRX4600, application signatures are included by default.

Junos Software Base (JSB) package does not include application signatures. Please refer to the product
Data Sheets at SRX Series Services Gateways for details, or contact your Juniper Account Team or Juniper
Partner.

You can install the license on the SRX Series device using either the automatic method or manual method
as follows:

• Install your license automatically on the device.

To install or update your license automatically, your device must be connected to the Internet .

user@host> request system license update

Trying to update license keys from https://ae1.juniper.net, use 'show system

license' to check status.

• Install the licenses manually on the device.

 228

user@host> request system license add terminal

[Type ^D at a new line to end input,

enter blank line between each license key]

Paste the license key and press Enter to continue.

• Verify the license is installed on your device.

Use the show system license command command to view license usage, as shown in the following
example:

License usage:
Licenses Licenses Licenses Expiry
Feature name used installed needed
logical-system 4 1 3 permanent

License identifier: JUNOSXXXXXX

License version: 2
Valid for device: AA4XXXX005
Features:
appid-sig - APPID Signature
date-based, 2014-02-17 08:00:00 GMT-8 - 2015-02-11 08:00:00 GMT-8

The output sample is truncated to display only license usage details.

SEE ALSO

Adding New Licenses (CLI Procedure) | 55

Managing Junos OS Licenses

IN THIS SECTION

Displaying License Keys in J-Web | 229

Downloading License Keys | 229

 229

Generating a License Key | 229

Saving License Keys | 230

Updating License Keys (CLI) | 230

Example: Adding a New License Key | 232

Example: Deleting a License Key | 235

Displaying License Keys in J-Web

To display license keys installed on the device:

1. In the J-Web interface, under Administration>License Management>Installed Licenses, click Add to

add a new license key.

2. Under Installed Licenses, click Display Keys to display all the license keys installed on the device.

A screen displaying the license keys in text format appears. Multiple licenses are separated by a blank
line.

Downloading License Keys

To download license keys installed on the device:

1. In the J-Web interface, under Administration>License Management>Installed Licenses, click Download

Keys to download all the license keys installed on the device to a single file.

2. Select Save it to disk and specify the file to which the license keys are to be written.

Generating a License Key

To generate a license key:

1. Gather the authorization code that you received when you purchased your license as well as your
device serial number.

2. Go to the Juniper Networks licensing page at:

https://www.juniper.net/lcrs/generateLicense.do
 230

3. Enter the device serial number and authorization code in the webpage and click Generate. Depending
on the type of license you purchased, you will receive one of the following responses:

• License key—If you purchased a perpetual license, you will receive a license key from the licensing
management system. You can enter this key directly into the system to activate the feature on your
device.

• License key entitlement—If you purchased a subscription-based license, you will receive a license
key entitlement from the licensing management system. You can use this entitlement to validate
your license on the Juniper Networks licensing server and download the feature license from the
server to your device.

Saving License Keys

To save license keys installed on the device:

1. From operational mode, save the installed license keys to a file or URL.

user@host>request system license save filename | url

For example, the following command saves the installed license keys to a file named license.config:

request system license save ftp://user@host/license.conf

SEE ALSO

Junos OS Feature License Keys | 48

Updating License Keys (CLI)

Use this task to update a subscription license or a trial license. You can do immediate update from command
mode or set up automatic updates using the CLI.

You can set up a proxy server to allow indirect access to the license portal. To set up a proxy server for
license updates, see Example: Configuring a Proxy Server for License Updates.

The products supported by the Juniper Agile Licensing (JAL) portal includes: QFX series, SRX Series, EX
Series, NFX, vBNG, vMX, vSRX, and ACX. For other Juniper products (SPACE, JSA, SBR Carrier, Screen
OS and so on) access the License Management System (LMS).
 231

To do immediate update of a license key from command mode:

1. From operational mode, do one of the following tasks:

• Update the license keys immediately from the license portal. You can only use this command to
update subscription-based licenses (such as UTM).

user@host> request system license update

The request system license update command always uses the default license portal.

• Update the trial license keys immediately from the license portal.

user@host>request system license update trial

To enable automatic license updates from the CLI:

1. Contact your account team or Juniper Networks Customer Care to extend the validity period of existing
license keys and obtain the URL for a valid update server.

2. Once you have successfully extended your license key and received the update server URL, configure
the auto-update parameter:

user@host> set system license autoupdate url https://ae1.juniper.net/

3. (Optional) Configure renew options. The following sample allows the device to contact the license
server 30 days before the current license expires and sends an automatic update request every 6 hours.

user@host> set system license renew before-expiration 30

user@host> set system license renew interval 6

SEE ALSO

Understanding Chassis Cluster Licensing Requirements | 216

Understanding Licenses for Logical Systems and Tenant Systems on SRX Series Devices | 222
 232

Example: Adding a New License Key

IN THIS SECTION

Requirements | 232

Overview | 232

Configuration | 232

Verification | 234

This example shows how to add a new license key.

Requirements
Before you begin, confirm that your Junos OS feature requires you to purchase, install, and manage a
separate software license.

Overview
You can add a license key from a file or URL, from a terminal, or from the J-Web user interface. Use the
filename option to activate a perpetual license directly on the device. (Most feature licenses are perpetual.)
Use the url to send a subscription-based license key entitlement (such as UTM) to the Juniper Networks
licensing server for authorization. If authorized, the server downloads the license to the device and activates
it.

In this example, the file name is bgp-reflection.

Configuration

CLI Quick Configuration

To quickly configure this section of the example, copy the following commands, paste them into a text
file, remove any line breaks, change any details necessary to match your network configuration, copy and
paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration
mode.

From operational mode, you can add a license key in either way:

• From a file or URL:

user@hostname> request system license add bgp-reflection

• From the terminal:

user@hostname> request system license add terminal

 233

GUI Step-by-Step Procedure

To add a new license key:

1. In the J-Web user interface, under Administration>License Management>Installed Licenses, click Add
to add a new license key.

2. Do one of the following, using a blank line to separate multiple license keys:

• In the License File URL box, type the full URL to the destination file containing the license key to be
added.

• In the License Key Text box, paste the license key text, in plain-text format, for the license to be
added.

3. Click OK to add the license key.

If you added the SRX100 Memory Upgrade license, the device reboots immediately and comes back
up as a high-memory device.

4. Click OK to check your configuration and save it as a candidate configuration.

5. If you are done configuring the device, click Commit Options>Commit.

Step-by-Step Procedure
To add a new license key:

1. From operational mode, add a license key in either way:

• From a file or URL:

user@host> request system license add bgp-reflection

• From the terminal:

user@host>request system license add terminal

2. When prompted, enter the license key, separating multiple license keys with a blank line. If the license
key you enter is invalid, an error is generated when you press Ctrl-D to exit license entry mode.

If you added the SRX100 Memory Upgrade license, the device reboots immediately and comes back
up as a high-memory device.

Results
From operational mode, confirm your configuration by entering the show system license command. If the
output does not display the intended configuration, repeat the configuration instructions in this example
to correct it.
 234

user@hostname> show system license

License usage:
Licenses Licenses Licenses Expiry
Feature name used installed needed
bgp-reflection 0 1 0 permanent

Licenses installed:
License identifier: G0300000xxxx
License version: 2
Valid for device: JN001875AB
Features:
bgp-reflection - Border Gateway Protocol route reflection
permanent

License identifier: G0300000xxxx

License version: 2
Valid for device: JN001875AB

If you are done configuring the device, enter commit from configuration mode.

Verification
Confirm that the configuration is working properly.

Verifying Installed Licenses

Purpose
Verify that the expected licenses have been installed and are active on the device.

Action
From operational mode, enter the show system license command.

The output shows a list of the licenses used and a list of the licenses installed on the device and when they
expire.

Verifying License Usage

Purpose
Verify that the licenses fully cover the feature configuration on the device.

Action
From operational mode, enter the show system license usage command.
 235

user@hostname> show system license usage

Licenses Licenses Licenses Expiry

Feature name used installed needed
bgp-reflection 1 1 0 permanent

The output shows a list of the licenses installed on the device and how they are used.

Verifying Installed License Keys

Purpose
Verify that the license keys were installed on the device.

Action
From operational mode, enter the show system license keys command.

user@hostname> show system license keys

XXXXXXXXXX xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx

xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx
xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx
xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx

The output shows a list of the license keys installed on the device. Verify that each expected license key
is present.

Example: Deleting a License Key

IN THIS SECTION

Requirements | 236

Overview | 236

Configuration | 236

Verification | 237
 236

This example shows how to delete a license key.

Requirements
Before you delete a license key, confirm that it is no longer needed.

Overview
You can delete a license key from the CLI or J-Web user interface. In this example, the license ID is
G0300000xxxx.

Configuration

CLI Quick Configuration

To quickly configure this section of the example, copy the following commands, paste them into a text
file, remove any line breaks, change any details necessary to match your network configuration, copy and
paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration
mode.

user@host> request system license delete G0300000xxxx

GUI Step-by-Step Procedure

To delete a license key:

1. In the J-Web user interface, under Administration>License Management>Installed Licenses.

2. Select the check box of the license or licenses you want to delete.

3. Click Delete.

If you deleted the SRX100 Memory Upgrade license, the device reboots immediately and comes back
up as a low-memory device.

4. Click OK to check your configuration and save it as a candidate configuration.

5. If you are done configuring the device, click Commit Options>Commit.

Step-by-Step Procedure
To delete a license key:

1. From operational mode, for each license, enter the following command and specify the license ID. You
can delete only one license at a time.

user@host> request system license delete G0300000xxxx

 237

If you deleted the SRX100 Memory Upgrade license, the device reboots immediately and comes back
up as a low-memory device.

Results
From configuration mode, confirm your deletion by entering the show system license command. The
license key you deleted will be removed. If the output does not display the intended configuration, repeat
the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

IN THIS SECTION

Verifying Installed Licenses | 237

Confirm that the configuration is working properly.

Verifying Installed Licenses

Purpose
Verify that the expected licenses have been removed from the device.

Action
From operational mode, enter the show system license command.

Licenses for vSRX

IN THIS SECTION

vSRX Feature Licenses Overview | 238

Managing Licenses for vSRX | 246

vSRX License Model Numbers | 254

vSRX License Model Numbers for Contrail, KVM, Microsoft Hyper-V, and VMware | 256
 238

vSRX Feature Licenses Overview

IN THIS SECTION

vSRX License Procurement and Renewal | 238

vSRX Evaluation License | 239

License Types | 240

Throughput | 241

License Duration | 242

Individual (á la carte) Feature Licenses | 242

Bundled Licenses | 242

Stacking Licenses | 242

vSRX License Keys Components | 243

License Management Fields Summary | 243

Some Junos OS software features require a license to activate the feature.

To enable a licensed feature, you need to purchase, install, manage, and verify a license key that corresponds
to each licensed feature. To conform to software feature licensing requirements, you must purchase one
license per feature per instance. The presence of the appropriate software unlocking key on your virtual
instance allows you to configure and use the licensed feature.

If applicable for your vSRX deployment, vSRX pay-as-you-go images do not require any separate licenses.

vSRX License Procurement and Renewal

Licenses are usually ordered when the software application is purchased, and this information is bound to
a customer ID. If you did not order the licenses when you purchased your software application, contact
your account team or Juniper Networks Customer Care for assistance.

Licenses can be procured from the Juniper Networks License Management System (LMS).

For license renewal, use the show system license command to find the Juniper vSRX software serial number
that you use to renew a license.

vsrx> show system license

License usage:
Licenses Licenses Licenses Expiry
Feature name used installed needed
 239

Virtual Appliance 1 1 0 58 days

Licenses installed:
License identifier: E420588955
License version: 4
Software Serial Number: 20150625
Customer ID: vSRX-JuniperEval
Features:
Virtual Appliance - Virtual Appliance
count-down, Original validity: 60 days

License identifier: JUNOS657051

License version: 4
Software Serial Number: 9XXXXAXXXXXXX9
Customer ID: MyCompany
Features:
Virtual Appliance - Virtual Appliance
permanent

Do not use the show chassis hardware command to get the serial number on vSRX, because that command
is only appropriate for the physical SRX Series devices. Also, the license for advanced security features
available on the physical SRX Series devices cannot be used with vSRX deployments.

If you are performing a software downgrade with licenses installed, you will see an error message in the
CLI when you try to configure the licensed features or run the show system license status command.

We recommend deleting existing licenses before performing a software downgrade.

vSRX Evaluation License

To speed deployment of licensed features, the vSRX software image provides you with a 60-day product
evaluation license and a 30-day advanced security features license, both of which allow you to use vSRX
and licensed features for a specified period without having to install a license key.

Table 106 on page 239 lists vSRX evaluation license types.

Table 106: vSRX Evaluation License Type

License Model
License Package Type Period Number

Trial license (temporary for Product evaluation–Basic 60 days -

evaluation only)
Product evaluation–Advanced 30 days -
features
 240

Product Evaluation License

The vSRX software image includes a 60-day trial license. When you download and install the vSRX image,
you are entitled to use this trial license for 60 days. It is intended as an evaluation license for using vSRX.
This product-unlocking license is required to use the basic functions of the vSRX, such as networking,
routing, and basic security features (such as stateful firewall).

The use of the 60-day trial license does not include vSRX support unless you already have a pre-existing
vSRX support contract. If you require support during this 60-day evaluation period, please work with your
Juniper Account team or go to the J-Net Community forum (https://forums.juniper.net/) and view the
Support topics under the vSRX category.

Within 30 days of the license expiration date, a license expiration warning appears each time you log in
to the vSRX instance. After the product evaluation license expires, you will not be able to use the vSRX;
it will be disabled and flow configuration options will not work (the vSRX will stop forwarding traffic). At
this point, only management interfaces and CLI configurations are preserved.

Advanced Security Features Evaluation License

The advanced security features license is a 30-day trial license for vSRX that is required for advanced
security features such as UTM, IDP, and AppSecure. You can download the trial license for advanced
security features from the vSRX Free Trial License Page.

The 30-day trial license period begins on the day you enable the enhanced security features after you
install the 60-day product evaluation license for vSRX. To continue using vSRX features after the 30-day
license period expires, you must purchase and install the license; otherwise, the features are disabled. If
the license for advanced security features expires while the evaluation license (product unlocking license)
is still valid, only the advanced security features that require a license are disabled.

The UTM advanced features have a slightly different trial license strategy. UTM does not requires 30-day
trial license but only a 30-day grace period. Once the 30-day advanced security features trial license
expires, Juniper Networks supports a 30-day grace period for you to continue using UTM features. The
30-day grace period goes into effect after the 30-trial license expires.

There is also a 30-day trial license available for Juniper Sky Advanced Threat Prevention (ATP). This is a
second license that you can apply for a 30-day period in addition to the advanced security features license
for vSRX to enable the Juniper Sky ATP features. You can download the Juniper Sky ATP trial license from
the vSRX Free Trial License Page.

License Types
Juniper Networks provides a variety of licenses for both basic firewall features and advanced security
features for different throughputs and durations.

If you want to use vSRX to provide basic firewall features, you can use standard (basic) licenses. However,
to use some of the more advanced security features, such as AppSecure, IDP, and UTM, you might need
to purchase advanced features licenses.
 241

The high-level categories for licenses are:

• Throughput—All licenses have an associated throughput. Throughput rates include 1 Gbps, 2 Gbps, and
4 Gbps on most platforms.

• Features—Licenses are available for different combinations of feature sets, from standard (STD) through
Content Security Bundled (CSB).

• Individual or bundled—Licenses can be individual (á la carte) licenses for a set of features, or can be
bundled together to provide a broad range of features in one easy license to maintain.

Individual licenses are not supported.

• Duration—All licenses have an associated time duration. You can purchase basic licenses as perpetual
(never expire) or subscription based (1-year or 3-year duration). All vSRX licenses are subscription based.

• New or renewal—All subscription licenses are either new (first-time purchase) or renewals (extending
the license duration when the initial new subscription license is about to expire).

Figure 14 on page 241 shows a sample license SKU and identifies how each field maps to these categories.

Figure 14: Sample vSRX License SKU

Bundled or New or
Throughput individual renewal

VSRX-100M-ASECB-3-R

g043428
Product Feature set Duration

These categories of licenses can also be combined, or stacked, to provide more flexibility for your vSRX
use cases.

Throughput
Bandwidth or throughput license types allow you to use a single instance of the software for up to the
maximum throughput specified in the license entitlement. Throughput can be combined on a single instance
of the software so that the maximum throughput for that instance is the aggregate of all the throughput
licenses assigned to that instance. A throughput license cannot be split across multiple instances. Throughput
is identified in the license entitlement in megabits per second (Mbps), or gigabits per second (Gbps).

For example, if you want 3 Gbps of throughput for a vSRX instance using the STD features, you would
purchase a 1G STD license and a 2G STD license and install both on the vSRX. If you wanted 2 Gbps of
throughput on two vSRX instances acting as a chassis cluster, you could not use the same 2 Gbps license
on both vSRX instances. You would need to purchase one set of licenses for each vSRX instance in the
cluster.
 242

License Duration
All licenses can be perpetual or subscription based.

• Perpetual license–A perpetual license allows you to use the licensed software indefinitely. Perpetual
licenses do not require renewals. Perpetual licenses do not include maintenance and upgrade support.
You must purchase that separately, vSRX software releases such as vSRX for Nutanix do not support
perpetual licenses.

• Subscription license–A subscription license is an annual license that allows you to use the licensed
software feature for the matching duration. Subscriptions might involve periodic downloads of content
(such as for IDP threat signature files). Subscription licenses start when you retrieve the license key or
30 days after purchase if you have not retrieved the license key. At the end of the license period, you
need to renew the license to continue using it.

All subscription licenses are renewable. To renew a subscription license, purchase a new subscription
of the same license. For more information, see Subscription - Register and Install.

Individual (á la carte) Feature Licenses

Every vSRX instance requires at least one standard license to support the desired throughput rate. Beyond
that, you can select from a range of individual feature licenses that provide additional security feature sets.
The feature license must match the standard license rate.

Individual licenses are not supported.

For example, if you need AppSecure and Sophos antivirus features at 1 Gbps of throughput for a year,
you could purchase the following individual licenses:

• VSRX-STD-1G-1—Provides the standard feature set and 1 Gbps of throughput.

• VSRX-CS-1G-1—Provides the advanced features.

Bundled Licenses
Bundled licenses simplify the license management by combining one or more individual licenses into a
single bundled license. Instead of installing and managing a standard throughput license and one or more
individual advanced feature licenses, you can purchase one of the bundle license options and manage one
license instead.

For example, if you need AppSecure and Sophos antivirus features at 1 Gbps of throughput for a year,
you could purchase the single bundled VSRX-CS-B-1G-1 license, which includes the STD throughput
license. This means you only need to manage one license instead of two individual licenses.

Stacking Licenses
You can combine individual or bundled licenses to combine features or build up the overall supplied
throughput for the vSRX instance.
 243

For example, you can combine a 1-Gbps license and a 2-Gbps license to have 3 Gbps of throughput for
the vSRX instance. You can also combine individual licenses, such as Sophos antivirus (SAV) and Websense
Enhanced Web Filtering (EWF) to get both sets of security features.

Individual licenses require an STD license with the same throughput rate.

vSRX License Keys Components

A license key consists of two parts:

• License ID—Alphanumeric string that uniquely identifies the license key. When a license is generated,
it is given a license ID.

• License data—Block of binary data that defines and stores all license key objects.

For example, in the following typical license key, the string E413XXXX57 is the license ID, and the trailing
block of data is the license data:

E413XXXX57 aaaaaa bbbbbb cccccc dddddd eeeeee ffffff

cccccc bbbbbb dddddd aaaaaa ffffff aaaaaa
aaaaaa bbbbbb cccccc dddddd eeeeee ffffff
cccccc bbbbbb dddddd aaaaaa ffffff

The license data conveys the customer ID and the software serial number (Juniper Networks support
reference number) to the vSRX instance.

License Management Fields Summary

The Licenses window displays a summary of licensed features that are configured on the vSRX instance
and a list of licenses that are installed on the vSRX instance.

To view the license details, select Maintain>Licenses in the J-Web user interface. The Licenses window
appears as shown in Figure 15 on page 244.
 244

Figure 15: J-Web Licenses Window Showing Installed Licenses

You can also view the details of a license in the CLI using the show system license command. The following
sample shows details of an evaluation license in the CLI:

License usage:
Licenses Licenses Licenses Expiry
Feature name used installed needed
anti_spam_key_sbl 0 1 0 2016-04-15
08:00:00 CST
idp-sig 0 1 0 2016-04-15
08:00:00 CST
appid-sig 0 1 0 2016-04-15
08:00:00 CST
av_key_sophos_engine 0 3 0 2016-07-29
08:00:00 CST
wf_key_websense_ewf 0 1 0 2016-04-15
08:00:00 CST
Virtual Appliance 1 1 0 2016-04-25
08:00:00 CST

Licenses installed:
License identifier: E420588955
License version: 4
Software Serial Number: 20150625
Customer ID: vSRX-JuniperEval
 245

Features:
Virtual Appliance - Virtual Appliance
count-down, Original validity: 60 days

The information on the license management page is summarized in Table 29 on page 48.

Table 107: Summary of License Management Fields

Field Name Definition

Feature Summary

Feature Name of the licensed feature:

• Features—Software feature licenses.

• All features—All-inclusive licenses.

Licenses Used Number of licenses currently being used on the vSRX instance. Usage is determined
by the configuration. If a feature license exists and that feature is configured, the
license is considered used.

Licenses Installed Number of licenses installed on the vSRX instance for the particular feature.

Licenses Needed Number of licenses required for legal use of the feature. Usage is determined by
the configuration on the vSRX instance: If a feature is configured and the license
for that feature is not installed, a license is needed.

Licenses expires on Date the license expires.

Installed Licenses

ID Unique alphanumeric ID of the license.

State Valid—The installed license key is valid.

Invalid—The installed license key is not valid.

Version Numeric version number of the license key.

Group If the license defines a group license, this field displays the group definition.

Because group licenses are currently unsupported, this field is always blank.

Enabled Features Name of the feature that is enabled with the particular license.

Expiration Date the license expires.

 246

Table 107: Summary of License Management Fields (continued)

Field Name Definition

Software serial number The serial number is a unique 14-digit number that Juniper Networks uses to
identify your particular software installation. You can find the software serial
number in the Software Serial Number Certificate attached to the e-mail that was
sent when you ordered your Juniper Networks software or license. You can also
use the show system license command to find the software serial number.

Customer ID ID that identifies the registered user.

Managing Licenses for vSRX

IN THIS SECTION

vSRX Evaluation License Installation Process | 246

Adding a New License Key with J-Web | 248

Adding a New License Key from the CLI | 249

View vSRX License Information | 250

Updating vSRX Licenses | 250

Deleting a License with J-Web | 251

Deleting a License with the CLI | 252

License Warning Messages | 253

Before you begin, ensure that you have retrieved the license key from the Juniper Agile Licensing (JAL)
Portal.

For more information on Juniper Agile Licensing (JAL) Portal, see Juniper Agile Licensing (JAL) Portal -
Frequently Asked Questions

This section includes the following topics:

vSRX Evaluation License Installation Process

Juniper Networks provides a 60-day evaluation license for vSRX standard features. When you download
and install the vSRX image, you are entitled to use this evaluation license for 60 days as a trial. In addition
to the 60-day vSRX evaluation license, there is a 30-day advanced security features trial license for vSRX
that is required for advanced security features such as UTM, IDP, and AppSecure.
 247

You can download the 30-day advanced security feature trial license from the vSRX Free Trial License
Page.

There is also a 30-day trial license available for Juniper Sky Advanced Threat Prevention (ATP). This is a
second license that you can apply for a 30-day period in addition to the advanced security features license
for vSRX to enable the Sky ATP features. You can download the Sky ATP trial license from the vSRX Free
Trial License Page

Installation of the advanced security feature trial license is similar to the regular license installation performed
from the CLI (see “Adding a New License Key from the CLI” on page 249).

Within 30 days of the license expiration date, a license expiration warning appears each time you log in
to the vSRX instance. After the product evaluation license expires, you will not be able to use the vSRX;
it will be disabled and flow configuration options will not work (the vSRX will stop forwarding traffic). At
this point, only management interfaces and CLI configurations are preserved.

The 30-day evaluation license period begins on the day you enable enhanced security features after
installing evaluation licenses.

To continue using vSRX features after an optional 30-day evaluation period, you must purchase and install
the license. Otherwise, the features are disabled.

For details about the 60- and 30-day license evaluation periods for the vSRX see “vSRX Feature Licenses
Overview” on page 238 .
 248

Adding a New License Key with J-Web

To install a license using the J-Web interface:

1. Select Maintain>Licenses on the J-Web user interface. The Licenses window is displayed as shown in
Figure 16 on page 248.

Figure 16: J-Web Licenses Window

2. Under Installed Licenses, click Add. The Add License window is displayed as shown in
Figure 17 on page 248.

Figure 17: Add License Window

3. Do one of the following, using a blank line to separate multiple license keys:

• Enter the full URL to the destination file containing the license key in the License File URL box.
 249

• Paste the license key text, in plaintext format, in the License Key Text box.

4. Click OK to add the license key. The License Details window is displayed as shown in
Figure 18 on page 249.

Figure 18: License Details Window

The license key is installed and activated on the vSRX instance.

Adding a New License Key from the CLI

You can add a license key from a local file, from a remote URL, or from the terminal.

To install a license from the CLI:

1. Use the request system license add operational mode command to either add the license from a local
file or remote URL that contains the license key, or to manually paste the license key in the terminal.

user@vsrx> request system license add terminal

[Type ^D at a new line to end input,

enter blank line between each license key]

E413XXXX57 aaaaaa bbbbbb cccccc dddddd eeeeee ffffff

cccccc bbbbbb dddddd aaaaaa ffffff aaaaaa
aaaaaa bbbbbb cccccc dddddd eeeeee ffffff
cccccc bbbbbb dddddd aaaaaa ffffff

E413XXXX57: successfully added

add license complete (no errors)

You can save the license key to a file and upload the file to the vSRX file system through FTP or Secure
Copy (SCP), and then use the request system license add file-name command to install the license.
 250

2. Optionally, use the show system license command to view details of the licenses.

root@host> show system license

License usage: Licenses Licenses Licenses Expiry

Feature name used installed needed
wf key websense ewf 1 0 1 invalid

Licenses installed: none

The license key is installed and activated on the vSRX instance.

View vSRX License Information

You can view the vSRX license information using either of the following two methods:

• Serial Number Entitlement

• Juniper Agile Licensing Portal

To view the vSRX licenses information using Serial Number Entitlement:

1. Navigate to the Serial Number Entitlement.

2. Enter the Serial Number or Software Support Reference Number or Contract ID in the data input field.

3. Click View Entitlement Information to see the vSRX license information for the given Serial Number or
Software Support Reference Number or Contract ID.

To view the vSRX licenses information using Juniper Agile Licensing Portal

1. Log in to the Juniper Agile Licensing Portal.

2. Navigate to My Entitlements section to see the vSRX license information.

Updating vSRX Licenses

You can update the vSRX licenses using either of the following two methods:

• Automatic license update using the CLI

• Manual license update using the CLI

As a prerequisite, you must install at least one valid license key on your vSRX instance for required features.
Automatic license updates as well as manual license updates are performed based on a valid software
serial number and customer ID embedded in the license key.
 251

To enable automatic license updates from the CLI:

1. Contact your account team or Juniper Networks Customer Care to extend the validity period of existing
license keys and obtain the URL for a valid update server.

2. Once you have successfully extended your license key and received the update server URL, configure
the auto-update parameter:

user@host# set system license autoupdate url https://ae1.juniper.net/

3. Configure renew options (if required). The following sample allows vSRX to contact the license server
30 days before the current license expires and sends an automatic update request every 6 hours.

user@host> set system license renew before-expiration 30

user@host> set system license renew interval 6

To manually update the licenses from the CLI:

1. Use the following command to update the license keys manually:

user@host> request system license update <url.of.license.server>

This command sends a license update request to the license server immediately.

The request system license update command will always use the default Juniper license server:
https://ae1.juniper.net

2. Check the status of the license by entering the show system license command.

Deleting a License with J-Web

To delete a license using the J-Web interface:

1. Select Maintain>Licenses.

2. Select the check box of the license or licenses you want to delete as shown in Figure 19 on page 252.
 252

Figure 19: Deleting a License

3. Click Delete.

4. Click OK to confirm your deletion as shown in Figure 20 on page 252.

Figure 20: Delete Licenses Window

The license you deleted is removed.

Deleting a License with the CLI

To delete a license using the CLI:

1. From operational mode, for each license, enter the following command and specify the license ID. You
can delete only one license at a time.
 253

user@host> request system license delete <license-key-identifier>

Or you can use the following command to delete all installed licenses.

user@host> request system license delete all

2. Type yes when you are prompted to confirm the deletion.

Delete license JUNOS606279 ? [yes,no] (no)

The license you deleted is removed.

License Warning Messages

You must purchase a new license or renew your existing subscription-based license to have a seamless
transition from the old license to the new one.

The following conditions occur when a license expires on vSRX:

• Evaluation license for the core expires—Packet forwarding on vSRX is disabled. However, you can manage
vSRX through the fxp0 management interface, and the CLI configuration is preserved.

• Subscription-based licenses for advanced security features expire but subscription-based licenses for
core services are active—A 30-day grace period begins, allowing the user to continue using advanced
security features. After the grace period, advanced security features are disabled. Basic features are
always available in the vSRX. After subscription-based licenses for core services expire, a warning message
is displayed to notify the user, but basic features will remain preserved for the user.

• Subscription-based license for core features expires but subscription-based license for advanced security
features is active—A warning message is displayed to notify the user. However, you can continue to use
the basic features on the vSRX. Advanced security features are disabled when the subscription-based
license for advanced security features expires, but basic features will remain preserved for the user.

All advanced and premium licenses are offered as subscriptions. Subscription licenses are available in 1
year, 3 years, or 5 years terms. After the order fulfilment, the subscription period begins after the completion
of 30 days grace period.

Table 3 on page 4 describes the subscription terms for purchase and number of months to use the license.

Table 108: Subscription Terms Details

Subscription Terms Number of Months for the License

1 year 13 months
 254

Table 108: Subscription Terms Details (continued)

3 years 37 months

5 years 61 months

All subscription licenses are renewable. To renew a subscription license, purchase a new subscription of
the same license. For more information, see Subscription - Register and Install .

To use features that require a license, you must install and configure a license. After the license expires,
warning messages are displayed in the system log and on the J-Web dashboard.

When a license expires, the System Alarms section of the J-Web dashboard displays a message stating
that the license has expired as shown in Figure 21 on page 254.

Figure 21: J-Web Dashboard for License Expiry Warning

When a license expires, the following message appears when you log in:

Virtual Appliance License is invalid

vSRX License Model Numbers

The licenses used by all Juniper Networks instances are based on SKUs, which represent lists of features.
Each license includes a list of features that the license enables along with information about those features.

For information about purchasing software licenses, contact your Juniper Networks sales representative
at https://www.juniper.net/in/en/contact-us/.

vSRX licenses are based on application packages and processing capacity.

vSRX provides bandwidth in the following capacities (throughput per instance): 1 Gbps, 2 Gbps, and 4
Gbps. Each of these bandwidth tiers is offered with three different packages.
 255

Table 109 on page 255 describes the features available with the various license packages.

Table 109: vSRX Licensing Package Types

License
Type Description License Model Number

STD Includes the following features: These Standard (STD) bandwidth SKUs are available for vSRX:

• Core security—firewall, ALG, screens, • VSRX-1G-STD-CLD-1: 1-Gbps throughput (1-year

user firewall subscription)
• IPsec VPN (site-to-site VPN) • VSRX-1G-STD-CLD-3: 1-Gbps throughput (3-year
• NAT subscription)

• CoS • VSRX-2G-STD-CLD-1: 2-Gbps throughput (1-year

subscription)
• Routing services—BGP, OSPF, DHCP,
J-Flow, IPv4 • VSRX-2G-STD-CLD-3: 2-Gbps throughput (3-year
subscription)
• Foundation—Static routing,
management (J-Web, CLI, and • VSRX-4G-STD-CLD-1: 4-Gbps throughput (1-year
NETCONF), on-box logging, subscription)
diagnostics • VSRX-4G-STD-CLD-3: 4-Gbps throughput (3-year
subscription)

ASCB Includes all STD features bundled with These AppSecurity Bundled (ASB) bandwidth SKUs are
IPS and Appsecure signatures, along available for vSRX:
with the following features:
• VSRX-1G-ASB-CLD-1: 1-Gbps throughput (1-year
• AppID subscription)
• AppFW • VSRX-1G-ASB-CLD-3: 1-Gbps throughput (3-year
• AppQoS subscription)

• AppTrack • VSRX-2G-ASB-CLD-1: 2-Gbps throughput (1-year

subscription)
• VSRX-2G-ASB-CLD-3: 2-Gbps throughput (3-year
subscription)
• VSRX-4G-ASB-CLD-1: 4-Gbps throughput (1-year
subscription)
• VSRX-4G-ASB-CLD-3: 4-Gbps throughput (3-year
subscription)
 256

Table 109: vSRX Licensing Package Types (continued)

License
Type Description License Model Number

CSB Includes all STD features, along with the These Content Security Bundled (CSB) bandwidth SKUs are
features bundled with ASCB, including available for vSRX:
the addition of the following UTM
features: • VSRX-1G-CSB-CLD-1: 1-Gbps throughput (1-year
subscription)
• Antivirus • VSRX-1G-CSB-CLD-3: 1-Gbps throughput (3-year
• Content filtering subscription)
• Web filtering • VSRX-2G-CSB-CLD-1: 2-Gbps throughput (1-year
subscription)
• VSRX-2G-CSB-CLD-3: 2-Gbps throughput (3-year
subscription)
• VSRX-4G-CSB-CLD-1: 4-Gbps throughput (1-year
subscription)
• VSRX-4G-CSB-CLD-3: 4-Gbps throughput (3-year
subscription)

ATP-B vSRX-1G-ATP-B bundle includes: A vSRX-1G-ATP-B-1 bundle includes: 1G Throughput, 1 year

Subscription License for vSRX ATP package, including features
• Juniper Sky ATP + in Content Security (CS) package, and Juniper SkyATP.
• Content Security +
• ASEC (IDP + AppFW) +
• STD

License stacking is allowed. So, for example, to license 3 Gbps of throughput for the standard (STD) feature
set for 1 year, use a VSRX-1G-STD-CLD-1 license and a VSRX-2G-STD-CLD-1.

vSRX License Model Numbers for Contrail, KVM, Microsoft Hyper-V, and VMware

The licenses used by all Juniper Networks instances are based on SKUs, which represent lists of features.
Each license includes a list of features that the license enables along with information about those features.

For information about purchasing software licenses, contact your Juniper Networks sales representative
at https://www.juniper.net/in/en/contact-us/.

vSRX licenses are based on application packages and processing capacity.

Bandwidth (throughput) licenses allow you to use a single instance of the software for up to the maximum
throughput specified in the license entitlement. Throughput licenses can be combined on a single instance
of the software so that the maximum throughput for that instance is the aggregate of all the throughput
licenses assigned to that instance. A throughput license cannot be split across multiple instances. Throughput
 257

licenses are identified in the license entitlement in megabits per second (Mbps), or gigabits per second
(Gbps).

vSRX provides bandwidth in the following capacities (throughput per instance): 100 Mbps, 1 Gbps, 2 Gbps,
4 Gbps, 10 Gbps, and 20 Gbps. Each of these bandwidth tiers is offered with four different packages along
with bandwidth based, a la carte, advanced Layer 7 security services SKUs.

Table 110 on page 257 describes the features available with the various license packages.

Table 110: vSRX Licensing Package Types

License Type Description Duration

STD Includes the following features: Both perpetual and subscription license
options are available.
• Core security – firewall, ALG, screens, user
firewall
• IPsec VPN (site-to-site VPN)
See Table 111 on page 259 for STD bandwidth
• NAT SKUs available for vSRX.
• CoS
• Multicast services – IP Multicast (PIM, IGMP)
• Routing services – BGP, OSPF, DHCP, J-Flow,
IPv4, and IPv6
• High availability
• Foundation – Static routing, management
(J-Web, CLI, and NETCONF), on-box logging,
diagnostics
• Software platform – KVM, Openstack, ESXi
6.0, Contrail

ASCB and Includes all STD features bundled with the Subscription licenses only.
ASECB following additional AppSecure features:

• AppID
See Table 112 on page 260 for bandwidth SKUs
• AppFW
available for vSRX with AppSecure and IPS
• AppQoS features.
• AppTrack

CS-B Includes all STD features bundled with ASEC Subscription licenses only.
features and the addition of UTM capabilities:

• Antispam
See Table 114 on page 262 for CS-B bandwidth
• Antivirus
SKUs available for vSRX.
• Content filtering
• Web filtering
 258

Table 110: vSRX Licensing Package Types (continued)

License Type Description Duration

ATP-B vSRX-1G-ATP-B bundle includes: A vSRX-1G-ATP-B-1 bundle includes: 1G

Throughput, 1 year Subscription License for
• Sky ATP + vSRX ATP package, including features in
• Content Security + Content Security (CS) package, and SkyATP.
• ASEC (IDP + AppFW) +
This license is not supported for Contrail
• STD deployments.

Individual (a la Individual (a la carte) Layer 7 security services Subscription licenses only.

carte) licenses including:
See Table 113 on page 261 for AppSecure and
Advanced
Security • Sophos antivirus IPS SKUs available for vSRX.

Services ( • Websense enhanced Web filtering

See Table 116 on page 264 for Sophos antivirus
ASEC, S-AV, • AppSecure and IPS bandwidth SKUs available for vSRX.
W-EWF, CS)
• Content Security (CS)
Table 117 on page 265 lists the Web filtering
subscription licenses available for vSRX.

License stacking is allowed. For example, to license 3 Gbps of throughput for the standard (STD) feature
set for 1 year, use a VSRX-1G-STD-1 license and a VSRX-2G-STD-1.

Table 111 on page 259 lists the standard bandwidth licenses available for vSRX.
 259

Table 111: Standard (STD) vSRX Bandwidth Licenses

STD Licenses Model Number

100M/1G/2G/4G/10G/20G VSRX-100M-STD
throughput—vSRX standard package
VSRX-100M-STD-1
(1 year, 3 years, and perpetual)

VSRX-100M-STD-3

VSRX-1G-STD

VSRX-1G-STD-1

VSRX-1G-STD-3

VSRX-2G-STD

VSRX-2G-STD-1

VSRX-2G-STD-3

VSRX-4G-STD

VSRX-4G-STD-1

VSRX-4G-STD-3

VSRX-10G-STD

VSRX-10G-STD-1

VSRX-10G-STD-3

VSRX-20G-STD

VSRX-20G-STD-1

VSRX-20G-STD-3

Table 112 on page 260 lists the bandwidth licenses available for vSRX bundled with AppSecure and IPS
features.
 260

Table 112: vSRX AppSecure and IPS Bundled (ASCB and ASECB) Bandwidth Licenses

ASCB / ASECB Licenses Model Number

100M/1G/2G/4G/10G/20G VSRX-100M-ASCB-1
throughput—vSRX AppSecure
VSRX-100M-ASCB-3
package includes all features in the
STD package with IPS and AppSecure
(1-year or 3-year subscription)
VSRX-1G-ASECB-1

VSRX-1G-ASECB-3

VSRX-2G-ASECB-1

VSRX-2G-ASECB-3

VSRX-4G-ASECB-1

VSRX-4G-ASECB-3

VSRX-10G-ASECB-1

VSRX-10G-ASECB-3

VSRX-20G-ASECB-1

VSRX-20G-ASECB-3

Table 113 on page 261 lists the individual (a la cart) subscription licenses available for vSRX with AppSecure
and IPS features.
 261

Table 113: Individual vSRX AppSecure and IPS Subscription Licenses

ASEC Licenses Model Number

100M/1G/2G/4G/10G/20G VSRX-100M-ASEC-1
subscription—vSRX AppSecure
VSRX-100M-ASEC-3
package includes IPS and AppSecure
(1-year or 3-year subscription)

VSRX-1G-ASEC-1

VSRX-1G-ASEC-3

VSRX-2G-ASEC-1

VSRX-2G-ASEC-3

VSRX-4G-ASEC-1

VSRX-4G-ASEC-3

VSRX-10G-ASEC-1

VSRX-10G-ASEC-3

VSRX-20G-ASEC-1

VSRX-20G-ASEC-3

Table 114 on page 262 lists the Content Security Bundled (CSB) bandwidth licenses available for vSRX.
 262

Table 114: vSRX Content Security Bundled (CSB) Bandwidth Licenses

CS Licenses Model Number

100M/1G/2G/4G/10G/20G VSRX-100M-CS-B-1
throughput—vSRX CS package
VSRX-100M-CS-B-3
includes all features in STD, IPS, and
AppSecure, enhanced Web filtering,
Sophos antivirus, antispam, content
filtering, (1-year or 3-year VSRX-1G-CS-B-1
subscription).
VSRX-1G-CS-B-3

VSRX-2G-CS-B-1

VSRX-2G-CS-B-3

VSRX-4G-CS-B-1

VSRX-4G-CS-B-3

VSRX-10G-CS-B-1

VSRX-10G-CS-B-3

VSRX-20G-CS-B-1

VSRX-20G-CS-B-3

Table 115 on page 263 lists the individual (a la carte) CS subscription licenses available for vSRX.
 263

Table 115: vSRX Individual Content Security (CS) Subscription Licenses

CS Licenses Model Number

100M/1G/2G/4G/10G/20G VSRX-100M-CS-1
throughput—vSRX CS package
VSRX-100M-CS-3
includes enhanced Web filtering,
Sophos antivirus, antispam,
AppSecure and IPS (1-year or 3-year
subscription). VSRX-1G-CS-1

VSRX-1G-CS-3

VSRX-2G-CS-1

VSRX-2G-CS-3

VSRX-4G-CS-1

VSRX-4G-CS-3

VSRX-10G-CS-1

VSRX-10G-CS-3

VSRX-20G-CS-1

VSRX-20G-CS-3

Table 116 on page 264 lists the individual (a la carte) Sophos antivirus (S-AV) bandwidth licenses available
for vSRX.
 264

Table 116: vSRX Individual Sophos Antivirus (S-AV) Bandwidth Licenses

S-AV Licenses Model Number

100M/1G/2G/4G/10G/20G VSRX-100M-S-AV-1
throughput—vSRX S-AV license
VSRX-100M-S-AV-3
(1-year or 3-year subscription).

VSRX-1G-S-AV-1

VSRX-1G-S-AV-3

VSRX-2G-S-AV-1

VSRX-2G-S-AV-3

VSRX-4G-S-AV-1

VSRX-4G-S-AV-3

VSRX-10G-S-AV-1

VSRX-10G-S-AV-3

VSRX-20G-S-AV-1

VSRX-20G-S-AV-3

Table 117 on page 265 lists the individual (a la carte) enhanced Web filtering (W-EWF) subscription licenses
available for vSRX.
 265

Table 117: vSRX Individual Enhanced Web Filtering (W-EWF) Bandwidth Licenses

W-EWF Licenses Model Number

100M/1G/2G/4G/10G/20G VSRX-100M-WEWF-1
throughput—vSRX W-EWF license
VSRX-100M-WEWF-3
(1-year or 3 year subscription).

VSRX-1G-W-EWF-1

VSRX-1G-W-EWF-3

VSRX-2G-W-EWF-1

VSRX-2G-W-EWF-3

VSRX-4G-W-EWF-1

VSRX-4G-W-EWF-3

VSRX-10G-W-EWF-1

VSRX-10G-W-EWF-3

VSRX-20G-W-EWF-1

VSRX-20G-W-EWF-3

Table 118 on page 265 lists the remote access licenses you can purchase for vSRX.

Table 118: vSRX Remote Access Licenses

Remote Access Licenses Model Number

Remote Access (5 Concurrent users, NCP) vSRX-RA1-5

Remote Access (10 Concurrent users, NCP) vSRX-RA1-10

Remote Access (25 Concurrent users, NCP) vSRX-RA1-25

Remote Access (50 Concurrent users, NCP) vSRX-RA1-50

 266

Table 118: vSRX Remote Access Licenses (continued)

Remote Access Licenses Model Number

Remote Access (100 Concurrent users, NCP) vSRX-RA1-100

Remote Access (150 Concurrent users, NCP) vSRX-RA1-150

Remote Access (250 Concurrent users, NCP) vSRX-RA1-250

Remote Access (500 Concurrent users, NCP) vSRX-RA1-500

Licenses for Advanced Threat Prevention

IN THIS SECTION

Licenses for JATP Advanced Threat Prevention Appliance | 266

Licenses for Juniper Sky Advanced Threat Prevention (ATP) | 270

Licenses for JATP Advanced Threat Prevention Appliance

IN THIS SECTION

Licensing and Platform Support information | 266

Setting the Juniper ATP Appliance License Key | 268

Licensing and Platform Support information

IN THIS SECTION

JATP and SRX Series Integration Licensing | 267

Supported SRX Series Devices | 267

 267

The following sections provide information on licensing requirements and SRX Series device platform
support.

JATP and SRX Series Integration Licensing

Unlike other Layer 7 features, there is no separate license required on the SRX Series device for integration
with JATP. In this deployment, the JATP Core is the licensed component. If the Core has a valid license,
then the SRX Series device can connect to the Core and enroll successfully. If not, the enrollment will fail.

For JATP license upload instructions, see “Setting the Juniper ATP Appliance License Key” on page 268.

NOTE: AppSecure functionality on the SRX Series device is a pre-requisite for integrating with
JATP. Depending on the SRX Series platform, a separate license may be required to enable
AppSecure. Please consult the SRX Series platform data sheet for the most accurate information.

Supported SRX Series Devices

This section describes the hardware and software components that are compatible with JATP.

Platform Hardware Requirements Software Versions

vSRX Series Junos 18.2R1 and above

SRX Series SRX320, SRX300 Junos 18.3R1 and above

SRX Series SRX4100, SRX4200, SRX4600 Junos 15.1X49-D65 and above for
SRX4100 and SRX4200

Junos 17.4R1-S1 and above for

SRX4600

SRX Series SRX340, SRX345, SRX550m Junos 15.1X49-D60 and above

SRX Series SRX5800, SRX5600, SRX5400 Junos 15.1X49-D50 and above

SRX Series SRX1500 Junos 15.1X49-D33 and above

The following devices support scanning SMTP e-mail attachments:

• SRX300 Series device

• SRX320 Series device

• SRX340 Series device

• SRX345 Series device

 268

• SRX1500 Series device

• SRX4100 Series device

• SRX4200 Series device

• SRX4600 Series device

• SRX5400 Series device

• SRX5600 Series device

• SRX5800 Series device

• vSRX Series

The following devices support scanning IMAP e-mail attachments:

• SRX300 Series device

• SRX320 Series device

• SRX340 Series device

• SRX345 Series device

• SRX1500 Series device

• SRX4100 Series device

• SRX4200 Series device

• SRX4600 Series device

• SRX5400 Series device

• SRX5600 Series device

• SRX5800 Series device

• vSRX Series

SEE ALSO

Getting Started with JATP and the SRX Series Device

Setting the Juniper ATP Appliance License Key

Without a valid product license key, the Juniper ATP Appliance system will not work. Likewise, an expired
product key, or an expired support or content license, prevents full operations and disables content or
software updates.

Use the Config>System Profiles>Licensing configuration window to upload a License key to the Juniper
ATP Appliance or software service. To license your system, you will need to upload the license using this
configuration window and also use the CLI to get the system UUID.
 269

NOTE: License Keys are obtained from Juniper Customer Support.

To upload a product license key:

1. Navigate to the Config>System Profiles>Licensing page.

2. Click Add New Juniper ATP Appliance License button to upload a new license key file.

3. Click the Choose File button to select the license key for upload, then click Submit to apply the
configuration.

NOTE: A GSS connection is required in order for Juniper ATP Appliance to run regular
licensing checks. Adding a license manually does not enable JATPsupport.
 270

Licenses for Juniper Sky Advanced Threat Prevention (ATP)

IN THIS SECTION

Juniper Sky Advanced Threat Prevention License Types | 270

Managing the Juniper Sky Advanced Threat Prevention License | 272

Troubleshooting Juniper Sky Advanced Threat Prevention: Checking the application-identification

License | 275

Juniper Sky Advanced Threat Prevention License Types

Juniper Sky ATP has three service levels:

• Free—The free model solution is available on all supported SRX Series devices (see the Supported
Platforms Guide) and for customers that have a valid support contract, but only scans executable file
types (see Juniper Sky Advanced Threat Prevention Profile Overview). Based on this result, the SRX Series
device can allow the traffic or perform inline blocking.

• Basic (feed only)—Includes executable file scanning and adds filtering using the following threat feed
types: Command and Control, GeoIP, Custom Filtering, and Threat Intel feeds. Threat Intel feeds use
APIs that allow you to injects feeds into Juniper Sky ATP.

• Premium—Includes all features provided in the Free and Basic licenses, but provides deeper analysis. All
supported file types are scanned and examined using several analysis techniques to give better coverage.
Full reporting provides details about the threats found on your network.

NOTE: On the Enrolled Devices page in the Juniper Sky ATP Web UI, the License Expiration
column contains the status of your current license, including expiration information. There is a
60 day grace period after the license expires before the SRX Series device is disenrolled from
Juniper Sky ATP. On the SRX Series device, you can run the > show system license command
to view license details.

NOTE: You do not need to download any additional software to run Juniper Sky ATP.

Table 119 on page 271 shows a comparison between the free model and the premium model.
 271

Table 119: Comparing the Juniper Sky ATP Free Model, Basic-Threat Feed, and Premium Model

Free Model Basic-Threat Feeds Model Premium Model

Management through cloud Management through cloud Management through cloud interface. Zero
interface. Zero on-premise interface. Zero on-premise footprint on-premise footprint beyond the SRX Series
footprint beyond the SRX beyond the SRX Series device. device.
Series device.

Inbound protection. Inbound protection. Inbound protection.

Outbound protection. Outbound protection. Outbound protection.

— C&C feeds. C&C feeds.

— GeoIP filtering. GeoIP filtering.

Custom feeds Custom feeds

Infected host feed/endpoint quarantine

Threat Intelligence APIs only All APIs including File/Hash

— — C&C protection with event data returned

to the Juniper Sky ATP cloud.

— — Compromised endpoint dashboard.

Inspects only executable file Inspects only executable file types. No restrictions on object file types
types. Executables go through Executables go through the entire inspected beyond those imposed by the
the entire pipeline (cache, pipeline (cache, antivirus, static and Juniper Sky ATP service. You can specify
antivirus, static and dynamic). dynamic). which file types are sent to service for
inspection.

Reporting with rich detail on Reporting with rich detail on Reporting with rich detail on malware
malware behaviors. malware behaviors. behaviors.

For more information on analysis techniques, see How is Malware Analyzed and Detected?. For additional
information on product options, see the Juniper Sky ATP datasheet.

For more information on this and premium license SKUs, contact your local sales representative.
 272

Additional License Requirements

AppSecure functionality on the SRX Series device is a pre-requisite for the Juniper Sky Advanced Threat
Prevention feature. Depending on the SRX Series platform, a separate license may be required to enable
AppSecure. Please consult the SRX Series platform datasheet for the most accurate information.

Managing the Juniper Sky Advanced Threat Prevention License

IN THIS SECTION

Obtaining the Premium License Key | 272

License Management and SRX Series Devices | 273

Juniper Sky ATP Premium Evaluation License for vSRX | 273

License Management and vSRX Deployments | 274

High Availability | 275

This topic describes how to install the Juniper Sky ATP premium license onto your SRX Series devices and
vSRX deployments. You do not need to install the Juniper Sky ATP free license as these are included your
base software. Note that the free license has a limited feature set (see Juniper Sky Advanced Threat Prevention
License Types and Sky Advanced Threat Prevention File Limitations).

When installing the license key, you must use the license that is specific your device type. For example,
the Juniper Sky ATP premium license available for the SRX Series device cannot be used on vSRX
deployments.

Obtaining the Premium License Key

The Juniper Sky ATP premium license can be found on the Juniper Networks product price list. The
procedure for obtaining the premium license entitlement is the same as for all other Juniper Network
products. The following steps provide an overview.

1. Contact your local sales office or Juniper Networks partner to place an order for the Juniper Sky ATP
premium license.

After your order is complete, an authorization code is e-mailed to you. An authorization code is a unique
16-digit alphanumeric used in conjunction with your device serial number to generate a premium license
entitlement.

2. (SRX Series devices only) Use the show chassis hardware CLI command to find the serial number of
the SRX Series devices that are to be tied to the Juniper Sky ATP premium license.
 273

[edit]
root@SRX# run show chassis hardware
Hardware inventory:
Item Version Part number Serial number Description
Chassis CM1915AK0326 SRX1500
Midplane REV 09 750-058562 ACMH1590 SRX1500
Pseudo CB 0
Routing Engine 0 BUILTIN BUILTIN SRX Routing Engine
FPC 0 REV 08 711-053832 ACMG3280 FEB
PIC 0 BUILTIN BUILTIN 12x1G-T-4x1G-SFP-4x10G

Look for the serial number associated with the chassis item. In the above example, the serial number
is CM1915AK0326.

3. Open a browser window and go to https://license.juniper.net.

4. Click Login to Generate License Keys and follow the instructions.

NOTE: You must have a valid Juniper Networks Customer Support Center (CSC) account to
log in.

License Management and SRX Series Devices

Unlike other Juniper Networks products, Juniper Sky ATP does not require you to install a license key
onto your SRX Series device. Instead, your entitlement for a specific serial number is automatically
transferred to the cloud server when you generate your license key. It may take up to 24 hours for your
activation to be updated in the Juniper Sky ATP cloud server.

Juniper Sky ATP Premium Evaluation License for vSRX

The 30-day Juniper Sky ATP countdown premium evaluation license allows you to protect your network
from advanced threats with Juniper Sky ATP. The license allows you to use Juniper Sky ATP premium
features for 30-days without having to install a license key. After the trial license expires, the connection
to the Juniper Sky ATP cloud is broken and you will no longer be able to use any Juniper Sky ATP features.

Instructions for downloading the trial license are here: https://www.juniper.net/us/en/dm/free-vsrx-trial/.

NOTE: The 30-day trial license period begins on the day you install the evaluation license.

To continue using Juniper Sky ATP features after the optional 30-day period, you must purchase
and install the date-based license; otherwise, the features are disabled.
 274

After installing your trial license, set up your realm and contact information before using Juniper Sky ATP.
For more information, see Registering a Juniper Sky Advanced Threat Prevention Account.

License Management and vSRX Deployments

Unlike with physical SRX Series devices, you must install Juniper Sky ATP premium licenses onto your
vSRX. Installing the Juniper Sky ATP license follows the same procedure as with most standard vSRX
licenses.

The following instructions describe how to install a license key from the CLI. You can also add a new license
key with J-Web (see Managing Licenses for vSRX.)

NOTE: If you are reinstalling a Juniper Sky ATP license key on your vSRX, you must first remove
the existing Juniper Sky ATP license. For information on removing licenses on the vSRX, see
Managing Licenses for vSRX.

To install a license key from the CLI:

1. Use the request system license add command to manually paste the license key in the terminal.

user@vsrx> request system license add terminal

[Type ^D at a new line to end input,

enter blank line between each license key]

JUNOS123456 aaaaaa bbbbbb cccccc dddddd eeeeee ffffff

cccccc bbbbbb dddddd aaaaaa ffffff aaaaaa
aaaaaa bbbbbb cccccc dddddd eeeeee ffffff
cccccc bbbbbb dddddd aaaaaa ffffff

JUNOS123456: successfully added

add license complete (no errors)

NOTE: You can save the license key to a file and upload the file to the vSRX file system
through FTP or Secure Copy (SCP), and then use the request system license add file-name
command to install the license.

2. (Optional) Use the show system license command to view details of the licenses.

Example of a premium license output:

 275

root@host> show system license

License identifier: JUNOS123456

License version: 4
Software Serial Number: 1234567890
Customer ID: JuniperTest
Features:
Sky ATP - Sky ATP: Cloud Based Advanced Threat Prevention on SRX
firewalls
date-based, 2016-07-19 17:00:00 PDT - 2016-07-30 17:00:00 PDT

Example of a free license output:

root@host> show system license

License identifier: JUNOS123456

License version: 4
Software Serial Number: 1234567890
Customer ID: JuniperTest
Features:
Virtual Appliance - Virtual Appliance permanent

3. The license key is installed and activated on your vSRX.

High Availability
Before enrolling your devices with the Juniper Sky ATP cloud, set up your HA cluster as described in your
product documentation. For vSRX deployments, make sure the same license key is used on both cluster
nodes. When enrolling your devices, you only need to enroll one node. The Juniper Sky ATP cloud will
recognize this is an HA cluster and will automatically enroll the other node.

Troubleshooting Juniper Sky Advanced Threat Prevention: Checking the application-identification License
If you are using an SRX1500 Series device, you must have a have a valid application-identification license
installed. Use the show services application-identification version CLI command to verify the applications
packages have been installed. You must have version 2540 or later installed. For example:

user@host> show services application-identification version

Application package version: 2540
 276

If you do not see the package or the package version is incorrect, use the request services
application-identification download CLI command to download the latest application package for Junos
OS application identification. For example:

user@host> request services application-identification download

Please use command "request services application-identification download status" to check status

Then use the request services application-identification install CLI command to install the downloaded
application signature package.

user@host> request services application-identification install

Please use command "request services application-identification install status" to check status

Use the show services application-identification application version CLI command again to verify the
applications packages is installed.
 277

CHAPTER 6

Licenses for Network Management

IN THIS CHAPTER

Licenses for Network Management | 277

Licenses for Network Management

IN THIS SECTION

Licenses for Junos Space | 277

Licenses for Network and Security Manager (NSM) | 292

Licenses for J-Web Device Manager | 300

Licenses for Junos Space

IN THIS SECTION

Viewing Licenses With Edge Services Director | 278

Viewing Licenses With Connectivity Services Director | 280

Viewing Licenses With Network Director | 281

Installing VCF Software Licenses | 282

Junos Space License Installation Overview | 283

Exporting the License Inventory | 284

Generating and Uploading the Junos Space License Key File | 287

Viewing Junos Space Licenses | 288

Juniper Connected Security for VMware NSX Licensing | 289

 278

Viewing Licenses With Edge Services Director

Juniper Networks devices require a license to operate some features. You can view the licenses for devices
connected to Edge Services Director.

To view the license for a Juniper Networks device on your network:

1. Select the Build icon in the Edge Services Director banner.

2. In the View pane, select a wireless or wired device.

3. In the Tasks pane, select View License Information.

The Licenses page for that object is displayed with the fields listed in Table 120 on page 278.

Table 120: Viewing Licenses with Edge Services Director

Field Description

Feature Name Name of the licensed SKU or feature. It can be used to look up the license
with Juniper Networks. Not all devices support this.

License Count Number of times an item has been licensed. This value can have
contributions from more than one licensed SKU or feature. Alternatively,
it can be 1, no matter how many times it has been licensed.

Used Count Number of times the feature is used. For some types of licenses, the license
count will be 1, no matter how many times it is used. For capacity-based
licensable items, if infringement is supported, the license count can exceed
the given count, which has a corresponding effect on the need count.

Need Count Number of times the feature is used without a license. Not all devices can
provide this information.

Given Count Number of instances of the feature that are provided by default.

If a device does not have a license, a blank page is displayed with the message, No license is installed
on this device. If you are sure the device has a license, try resynchronizing the device before displaying
the license again.

4. Optionally, expand the license information by feature name to view the feature SKU information.
Table 121 on page 279 describes the additional fields that are displayed.
 279

Table 121: Additional Licensing Information

Field Description

Validity Type Validity type can be Databased (license expires on end date), Permanent,
Countdown (license expires when time remaining is zero), or Trial. If the
validity type is either Databased or Countdown, more information is
displayed—License Name, License Version, License State, and Time
Remaining. Additional information can be added in the details grid based
on the SKU type (SKU or Feature)—Start Date, End Date, or Original Time
Allowed.

License Name If the validity type is either Databased or Countdown, the identifier
associated with a license key is displayed.

License Version If the validity type is either Databased or Countdown, the version of a
license is displayed. The version indicates how the license is validated, the
type of signature, and the signer of the license key.

License State If the validity type is either Databased or Countdown, the state of the
license is displayed—Valid, Invalid, or Expired.

Time Remaining If the validity type is either Databased or Countdown, the remaining time
left on the license is displayed. For a trial license, the number of days
remaining after you installed the device is displayed. For a commercial
license, the time remaining is unlimited.

Start Date Based on the SKU type, the start date of the license can be displayed in
the details grid.

End Date Based on the SKU type, the end date of the license can be displayed in
the details grid.

Original Time Allowed Based on the SKU type, the original license timeframe can be displayed
here.

If you apply a new license to an existing device, you must resynchronize the device before the new license
is seen in Edge Services Director. For directions, see Resynchronizing Device Configuration.

SEE ALSO

Understanding the Edge Services Director User Interface

 280

Viewing Licenses With Connectivity Services Director

Juniper Networks devices require a license to operate some features. You can view the licenses for devices
connected to Connectivity Services Director.

To view the license for a Juniper Networks device on your network:

1. Select the Build icon in the Connectivity Services Director banner.

2. In the View pane, select a device.

3. In the Tasks pane, select View License Information.

The Licenses page for that object is displayed with the fields listed in Table 122 on page 280.

Table 122: Viewing Licenses with Connectivity Services Director

Field Description

Feature Name Name of the licensed SKU or feature. It can be used to look up the license
with Juniper Networks. Not all devices support this.

License Count Number of times an item has been licensed. This value can have
contributions from more than one licensed SKU or feature. Alternatively,
it can be 1, no matter how many times it has been licensed.

Used Count Number of times the feature is used. For some types of licenses, the license
count will be 1, no matter how many times it is used. For capacity-based
licensable items, if infringement is supported, the license count can exceed
the given count, which has a corresponding effect on the need count.

Need Count Number of times the feature is used without a license. Not all devices can
provide this information.

Given Count Number of instances of the feature that are provided by default.

If a device does not have a license, a blank page is displayed with the message, No license is installed
on this device. If you are sure the device has a license, try resynchronizing the device before displaying
the license again.

If you apply a new license to an existing device, you must resynchronize the device before the new license
is seen in Connectivity Services Director. For directions, see Resynchronizing Device Configuration.
 281

Viewing Licenses With Network Director

Juniper Networks devices require a license to operate some features. You can view the licenses for devices
connected to Network Director.

To view the license for a Juniper Networks device on your network:

1. Select the Build icon in the Network Director banner.

2. In the View pane, select a wireless or wired device.

3. In the Tasks pane, select View License Information.

The Licenses page for that object is displayed with the fields listed in Table 123 on page 281.

Table 123: Viewing Licenses with Network Director

Field Description

Feature Name Name of the licensed SKU or feature. It can be used to look up the license
with Juniper Networks. Not all devices support this.

License Count Number of times an item has been licensed. This value can have
contributions from more than one licensed SKU or feature. Alternatively,
it can be 1, no matter how many times it has been licensed.

Used Count Number of times the feature is used. For some types of licenses, the license
count will be 1, no matter how many times it is used. For capacity-based
licensable items, if infringement is supported, the license count can exceed
the given count, which has a corresponding effect on the need count.

Need Count Number of times the feature is used without a license. Not all devices can
provide this information.

Given Count Number of instances of the feature that are provided by default.

If a device does not have a license, a blank page is displayed with the message, No license is installed
on this device. If you are sure the device has a license, try resynchronizing the device before displaying
the license again.

4. Optionally, expand the license information by feature name to view the feature SKU information.
Table 124 on page 282 describes the additional fields that are displayed.
 282

Table 124: Additional Licensing Information

Field Description

Validity Type Validity type can be Databased (license expires on end date), Permanent,
Countdown (license expires when time remaining is zero), or Trial. If the
validity type is either Databased or Countdown, more information is
displayed—License Name, License Version, License State, and Time
Remaining. Additional information can be added in the details grid based
on the SKU type (SKU or Feature)—Start Date, End Date, or Original Time
Allowed.

License Name If the validity type is either Databased or Countdown, the identifier
associated with a license key is displayed.

License Version If the validity type is either Databased or Countdown, the version of a
license is displayed. The version indicates how the license is validated, the
type of signature, and the signer of the license key.

License State If the validity type is either Databased or Countdown, the state of the
license is displayed—Valid, Invalid, or Expired.

Time Remaining If the validity type is either Databased or Countdown, the remaining time
left on the license is displayed. For a trial license, the number of days
remaining after you installed the device is displayed. For a commercial
license, the time remaining is unlimited.

Start Date Based on the SKU type, the start date of the license can be displayed in
the details grid.

End Date Based on the SKU type, the end date of the license can be displayed in
the details grid.

Original Time Allowed Based on the SKU type, the original license timeframe can be displayed
here.

If you apply a new license to an existing wireless LAN controller, you must resynchronize the device before
the new license is seen in Network Director. For directions, see Resynchronizing Device Configuration.

Installing VCF Software Licenses

To install a VCF software license:

1. Purchase two VCF software license keys (QFX-VCF-LIC) from your Juniper Networks sales
representative.
 283

The sales representative will provide you with the feature license files and license keys. You will be
asked to supply the chassis serial number of your switch; you can obtain the serial number by issuing
the show virtual-chassis command.

2. Install the first software license on one device in the VCF (for example, the device acting in the master
role):

user@device> request system license add (filename | url)

3. Install the second software license on a second device in the VCF (for example, the device acting in
the backup role):

user@device> request system license add (filename | url)

Junos Space License Installation Overview

Junos Space Network Management Platform comes with a 60-day full-featured trial license. You must
procure and install a valid license during this period to ensure continued operation beyond the trial period.

If you fail to upload a valid license during the 60-day trial period, the Junos Space user interface displays
an error message when you log in indicating that the license has expired. Your access is limited to the
Licenses page (Administration > Licenses) from where you can execute the Import License task to enter
a valid license.

You can use either of the following options to install a valid license for Junos Space Platform:

• If you plan to use the Junos Space Platform with only the Support Automation applications (Service Now
and Service Insight), you can navigate to the Add Organization page (Service Now > Administration >
Organizations > Add Organization) in the Service Now user interface to activate these applications.
However, to activate these applications, you must have a valid support contract for your Juniper Networks
devices and valid credentials to access the Juniper Support System (JSS) back end.

If you choose this option and if you want to use other Junos Space applications beyond the trial period,
you must purchase a license for Junos Space Platform (as explained in the bulleted item that follows).

• If you want to use Junos Space applications other than Service Now and Service Insight, or if you do
not have a valid support contract for your Juniper Networks devices, you must purchase a license for
Junos Space Platform. After you obtain the license file, you can install the license from the Import License
page (Administration > Licenses > Import License). For more information about installing a valid license
for Junos Space Platform, see the “Generating and Uploading the Junos Space License Key File” on
page 287 topic (in the Junos Space Network Management Platform Workspaces Feature Guide).
 284

Exporting the License Inventory

The Device Licence Inventory feature enables you to display the currently installed license inventory
information for all DMI schema-based devices under Junos Space Network Management Platform
management.

The license inventory is generated when the device is first discovered and synchronized in Junos Space
Network Management Platform.

The licenses used by all Juniper Networks devices are based on SKUs, which represent lists of features.
Each license includes a list of features that the license enables and information about those features.
Sometimes the license information also includes the inventory keys of hardware or software elements
upon which the license can be installed.

To view the license(s) for Junos Space Network Management Platform itself, see “Viewing Junos Space
Licenses” on page 288.

This topic also covers:

• Absence of license

• Trial information

• Count-down information

• Date-based information

DMI enables each device family to maintain its own license catalog in the DMI Update Repository. The
license catalog is a flat list of all the licenses used by a device family. The key for a license element is its
SKU name. Each license element in the catalog includes a list of features that the license enables and
information about each feature (that is, its name and value). Optionally, the license element can also list
the inventory keys of hardware or software elements and where it can be installed.

If the license inventory on the device is changed, the result depends on whether the network is the system
of record or Junos Space Network Management Platform is the system of record. See Systems of Record
in Junos Space Overview.

If the network is the system of record, Junos Space Network Management Platform automatically
synchronizes with the managed device. You can also manually resynchronize the Junos Space Network
Management Platform license database with the device by using the Resynchronize with Network action.
See Resynchronizing Managed Devices with the Network.

If Junos Space Network Management Platform is the system of record, neither automatic nor manual
resynchronization is available.

Viewing device license inventory does not include pushing license keys to devices. You can, however, push
licenses with the Configuration Editor to any device that has license keys in its configuration. You can
export device license inventory information to a CSV file for use in other applications.
 285

License inventory information shows individually installed licenses as well as a license usage summary,
with statistics for various features.

To export the license inventory for a device:

1. On the Network Management Platform user interface, select Devices > Device Management.

The Device Management page displays the devices managed in Junos Space Network Management
Platform.

2. Select Device Inventory > View License Inventory from the Actions menu.

The License Inventory page displays the license information listed in Table 125 on page 285.

Need Counts in red indicate violations. In other words, entries in red indicate that you are using features
that you are not licensed to use. You may also encounter the message that you have no licenses installed.

3. (Optional) View the list of licensed features for the selected license by double-clicking a license usage
summary or clicking on the forward action icon to the left of a license usage summary.

The information displayed is described in Table 126 on page 286.

4. (Optional) Click Return to Inventory View at the top of the inventory page.

5. (Optional) Click Export at the top of the inventory page, to export the license inventory information.

The Export Device License Information dialog box appears, displaying a link: Download license file for
selected device (CSV format).

6. (Optional) Click the download link.

The Opening Device License-xxxxxxCSV dialog box appears, where xxxxxx represents a number.

7. Open the file with an application of your choice, or download the file by clicking Save.

The CSV file contains the fields described in Table 126 on page 286 and Table 127 on page 286. These
fields are not populated if the information is not available for the selected license.

Exporting device license information generates an audit log entry.

Table 125: License Usage Summary Fields

Field Description

Feature name Name of the licensed SKU or feature. It can be used to look up the license with Juniper
Networks. Not all devices support this.
 286

Table 125: License Usage Summary Fields (continued)

Field Description

License count Number of times an item has been licensed. This value may have contributions from
more than one licensed SKU or feature. Alternatively, it may be 1, no matter how many
times it has been licensed.

Used count Number of times the feature is used. For some types of licenses, the license count will
be 1, no matter how many times it is used. For capacity-based licensable items, if
infringement is supported, the license count may exceed the given count, which has a
corresponding effect on the need count.

Need count Number of times the feature is used without a license. Not all devices can provide this
information.

Given count Number of instances of the feature that are provided by default.

Table 126: License Feature or SKU Fields

Field Description

Feature Name Name of the licensed SKU or feature. It can be used to look up the license with Juniper
Networks. Not all devices support this.

Validity Type The SKU or feature is considered permanent if it is not trial, count-down, or data-based.

Table 127: Additional Fields in CSV Files

Field Description

State Status of the license: valid, invalid, or expired. Only licenses marked as valid are
considered when calculating the license count.

Version Version of the license.

Type Permanent, trial, and so on.

Start Date Licensed feature starting date.

End Date Licensed feature ending date.

Time Remaining Licensed feature time remaining.

 287

Generating and Uploading the Junos Space License Key File

IN THIS SECTION

Generating the Junos Space License Key File | 288

Uploading the Junos Space License Key File Contents | 288

• From Junos Space Network Management Platform Release 13.1R1 onward, the licensing model of Junos
Space does not require license keys for Junos Space applications. Nevertheless, a license file is still
needed for the Junos Space Platform functionality because the default Junos Space Platform license file
is valid only for 60 days after which the Junos Space Platform functionality is not available.

When you purchase a commercial version of Junos Space Platform, Juniper Networks provides you with
a license file that does not have any expiry date. After you import this license into Junos Space Platform,
you have access to the full Junos Space Platform functionality for an unlimited period.

• Since Junos Space applications do not use license keys, the Licenses page (Administration > Licenses)
does not display licensing information for any Junos Space applications that you might have purchased
and installed. However, if you use Junos Space Platform with only Service Now and Service Insight
installed, licensing information for those applications is displayed on the Licenses page. To find out the
licensing information about Junos Space applications that you purchased, contact the Juniper Technical
Assistance Center.

The Junos Space Platform software provides a default, 60-day trial license. After 60 days, the use of the
Junos Space Platform software expires except for the Import License action. The administrator must
activate the software with the Juniper Networks license key to regain use of the Junos Space Platform.
Two weeks before the license expiration date, a license expiration warning appears when users log in to
Junos Space Platform.

Junos Space Platform license management involves a two-step process:

1. Generating the license key file. Juniper Networks uses a license management system (LMS) to manage
the deployment of the Junos Space Platform product—appliances, connection points, connections, and
applications. When you order Junos Space Platform, the Juniper Networks LMS sends you an e-mail
with an authorization code and a software serial number and instructions on how to generate a license
key.

2. Import the license key into Junos Space Platform. The system administrator must import the Junos
Space license key file from the Licenses page (Administration > Licenses) to use Junos Space Platform
beyond the trial period.

This topic includes the following sections:

 288

Generating the Junos Space License Key File

When you order Junos Space Platform, Juniper Networks sends an e-mail containing an authorization
code and a software serial number (the serial number that identifies the software installation) along with
instructions on how to generate the license key.

When you order a Junos Space Appliance, Juniper Networks sends an e-mail containing the serial number
for the appliance that is licensed for the appropriate stock-keeping unit (SKU).

Uploading the Junos Space License Key File Contents

To upload the Junos Space license key file, perform the following steps:

1. Open the Juniper Networks Authorization Codes e-mail you received and follow the directions.

2. Open the Junos Space license key text file attached to the e-mail and copy all the contents.

3. In the Junos Space Platform UI, select Administration > Licenses.

The Licenses page appears.

4. Click the Import License icon.

The Import License page appears.

5. Paste the contents of the Junos Space license key text file in the License data field.

Paste the license data into the License data field using Ctrl+V or by selecting paste in the browser Edit
menu.

6. Click Upload.

The license key data is uploaded to the Junos Space Platform database. A message indicating that the
Junos Space license is uploaded successfully appears.

7. Click OK.

The Junos Space license appears on the Licenses inventory page.

Viewing Junos Space Licenses

From Junos Space Network Management Platform Release 13.1R1 onward, the licensing model of Junos
Space does not require license keys for Junos Space applications. However, a license file is still needed
for the Junos Space Platform functionality because the default Junos Space Platform license file is valid
only for 60 days after which the Junos Space Platform functionality is not available.

Since Junos Space applications do not use license keys, the Licenses page (Administration > Licenses) does
not display licensing information for any Junos Space applications that you might have purchased and
installed. However, if you use Junos Space Platform with only Service Now and Service Insight installed,
 289

licensing information for those applications is displayed on the Licenses page. To find out the licensing
information about Junos Space applications that you purchased, please contact the Juniper Technical
Assistance Center.

The Licenses inventory page displays the Junos Space Platform license that the administrator has uploaded.
For more information about obtaining and uploading the Junos Space Platform license, see “Generating
and Uploading the Junos Space License Key File” on page 287.

The Licenses page displays the Junos Space Platform trial license until you upload the one specifically
generated for your software installation.

To view the Junos Space license details:

1. In the Junos Space Platform UI, select Administration > Licenses.

The Licenses page appears displaying the details of the Junos Space Platform license, as shown in
Table 128 on page 289.

Table 128: License Details

Field Description

License Type The Junos Space Platform license can either be a trial license installed (Trial) with the
Junos Space Platform software image or a commercial one (Commerical) that you upload
into Junos Space Platform.

Sku Model # The Junos Space Platform license stock-keeping unit (SKU) model number. If the license
is a trial license, the SKU displayed is Trial-license. If it is a commercial license, the license
SKU is displayed; for example, JS-PLATFORM.

Total License Days For a trial license, the total number of license days is 60. For a commercial license, the
total number of license days is unlimited (Unlimited).

Remaining License Days For a trial license, the remaining number of days is the countdown of the number of days
since you installed Junos Space Platform (for example, 36). For a commercial license, the
remaining number of days is unlimited (Unlimited).

Juniper Connected Security for VMware NSX Licensing

IN THIS SECTION

Juniper Connected Security for VMware NSX Advanced Security Licenses | 290

License Duration | 291

License Procurement and Installation | 291

 290

VMware NSX is VMware’s network virtualization platform for the Software Defined Data Center (SDDC).
You can add the vSRX Virtual Services Gateway as a partner security service in the VMware NSX
environment. The vSRX security service is managed by the Junos Space Security Director and VMware
NSX Manager to deliver a complete and integrated virtual security solution for your SDDC environment.
The vSRX provides advanced security services (Layer 7 services), including intrusion detection and prevention
(IDP), and application control and visibility services through AppSecure.

The Juniper Connected Security for VMware NSX licensing includes support for Juniper’s virtual firewall
(vSRX), Network Security services (AppSecure, IDP) and the Juniper Connected Security and Security
Management solutions (Policy Enforcer and Security Director) for VMware NSX-based private cloud
advanced security.

Juniper Connected Security for VMware NSX Advanced Security Licenses

The Juniper Connected Security for NSX Advanced Security (ADS) licenses that are available from Juniper
Networks provide entitlement for protection of one physical CPU socket, with one vSRX instance key
provided for each license. Typically, a VMware ESXi server has multiple CPU sockets, and each CPU socket
has multiple cores.

All Juniper Connected Security for NSX ADS licenses have an associated time duration; you purchase
licenses as subscription based for a 1-year, 3-year, or 5-year duration.

A Juniper Connected Security for NSX ADS license cannot be purchased as a perpetual (never expire)
license. Each license is only available on a subscription basis.

Each license includes support for the following:

• Juniper vSRX Series Virtual Services Gateway, including:

• Stateful L3-L4 firewall

• Advanced Application Security (ASEC) features (such as AppID, AppFW, AppQoS, and AppTrack)

• Intrusion Detection and Prevention (IDP)

• Juniper Security Management solutions, including:

• Junos Space Security Director

• Juniper Connected Security Policy Enforcer

The licenses available in the Juniper Connected Security for VMware NSX ADS licensing model are based
on SKUs which represent the terms of subscription and the supported features.

Table 110 on page 257 describes the various license packages.

 291

Table 129: Juniper Connected Security for VMware NSX ADS Licensing Packages

License Model
Number Description

JNSX-ADS-1-1Y Juniper Connected Security for NSX Advanced Security with vSRX for 1 physical CPU
socket - 1 Year Subscription

The 1 year subscription license includes support for Security Director, Policy Enforcer,
1 vSRX entitlement for 1 physical CPU socket protection with AppSecure and IDP feature
support

JNSX-ADS-1-3Y Juniper Connected Security for NSX Advanced Security with vSRX for 1 physical CPU
socket - 3 Year Subscription

The 3 year subscription license includes support for Security Director, Policy Enforcer,
1 vSRX entitlement for 1 physical CPU socket protection with AppSecure and IDP feature
support

JNSX-ADS-1-5Y Juniper Connected Security for NSX Advanced Security with vSRX for 1 physical CPU
socket - 5 Year Subscription

The 5 year subscription license includes support for Security Director, Policy Enforcer,
1 vSRX entitlement for 1 physical CPU socket protection with AppSecure and IDP feature
support

License Duration
The Juniper Connected Security for NSX ADS license model is subscription based. A subscription license
is an annual license that allows you to use the licensed software for the matching duration. Subscriptions
might involve periodic downloads of content (such as for IDP threat signature files). At the end of the
license period, you need to renew the license to continue using it.

Subscription licenses start when you retrieve the license key or 30 days after purchase if you have not
retrieved the license key. All subscription licenses are renewable.

License Procurement and Installation

To enable a Juniper Connected Security for NSX ADS license, you must purchase, install, and manage the
license key that corresponds to the specific terms of each license. The presence of the appropriate software
unlocking key on your virtual instance allows you to configure and use that license.

Licenses are usually ordered when the software application is purchased, and this information is bound to
a customer ID. If you did not order the licenses when you purchased your software application, contact
your account team or Juniper Networks Customer Care for assistance. Licenses can be procured from the
Juniper Networks License Management System (LMS).

From the Junos Space Security Director you discover the NSX Manager and perform service registration
of the vSRX VM with the NSX Manager. The NSX Manager is added as a device in Security Director and
 292

its inventory is synchronized with Security Director. Discovering the NSX Manager and registering vSRX
as a security service in Security Director are described in detail in Deploying the vSRX as an Advanced
Security Service in a VMware NSX Environment.

As part of the service registration procedure, in the Service Manager Registration section of the Add NSX
Manager page, you enter the license key (see Figure 22 on page 292).

Figure 22: Service Manager Registration: Entering the License Key

Licenses for Network and Security Manager (NSM)

IN THIS SECTION

Installing Advanced License Keys | 292

Managing License Keys (ScreenOS Only) | 293

Generating the NSM License Key File | 294

Installing Advanced License Keys

To access the IDP functionality on a security module, you must install both an Advanced license key and
an IDP license key on the security device. For details on obtaining and installing a license key.

Installing the IDP license key disables the Deep Inspection (DI) feature.
 293

Managing License Keys (ScreenOS Only)

Some security devices support the activation of optional features or the increased capacity of existing
features through the installation of license keys. You must first obtain a license key from your value-added
reseller (VAR) or from Juniper Networks. Then you can use the NSM UI to install the license key on the
managed device.

After you have installed the license key on the device, the device can begin to use the new feature
immediately. However, because the information in the license key is decoded only after it has been installed
on the device, you must import the license key information from the device into the NSM system before
the new feature appears in the UI. Importing license keys from the device can also resolve any license key
mismatches between NSM and the managed device.

Installing License Keys on a Device

To obtain a license key:

1. Contact the value-added reseller (VAR) who sold you the security device, or contact Juniper Networks
directly.

2. Provide the serial number of your device and state the feature option you want. The license key is
generated and then sent to you in an e-mail message.

To install the license key on a device using the NSM UI:

1. In the main navigation tree, right-click the device on which you want to install the license key and select
Admin > Install License Key. The Install License Key dialog box appears.

2. Either copy and paste the license key into the dialog box, or click the Browse button to locate the
license key file on your computer.

3. Click OK.

Importing License Key Information into NSM

After you install a new license key on a device, either through the NSM UI or locally (through the Web UI
or CLI) you must import that license key information into the NSM system.

Importing license key information from a device also enables you to quickly view all license keys installed
on a device, and the features and capacities available on the device.

To import or view license key information:

1. In the main navigation tree, right-click the device on which you want to install the licence key and select
Admin > Import License Key Info.

2. Click Yes at the confirmation dialog box. The Job Information window displays the license key
information.
 294

Installing Trial License Keys

A trial license key allows you to view and evaluate NSM before purchasing the subscription. You can install
a trial license on NSM which allows you to add up to 6025 devices on a software installation and 525
devices on an appliance setup. You can choose trial periods of 30, 60 and 90 days.

The Expires in (Days) field in the NSM License Information window shows the status of your license.
When you install a trial license, NSM displays a warning that your license expires inX number of days.
When your license expires, NSM notifies you that your trial period is over and prompts you to install a
new license. You can proceed with the NSM GUI log in only after the installation of a valid permanent
license.

Generating the NSM License Key File

In Release 2007.3 and later releases, the NSM product line uses a licensing mechanism to prevent access
to an unlicensed copy of NSM and to enforce a limit on the maximum number of devices that can be
managed by NSM. New installations and installations upgrading from a release prior to 2007.3 must obtain
a license to use NSM.

The base license supports 25 devices with high availability (HA), including devices running ScreenOS, IDP,
or Junos OS with Enhanced Services; EX Series, Secure Access, or Infranet Controller devices; and including
any modeled or vsys devices. For details on these devices, see the Network and Security Manager
Administration Guide.

To manage more than 25 devices, a license key must be purchased separately, retrieved from the Juniper
License Management Server (LMS), and then installed onto the NSM Server or NSM appliance.

LMS provides an interface to generate licenses based upon serial number, authorization code and installation
ID.

Procedures provided in the following sections use the NSM installer to generate the installation ID.
Alternatively, you can download a utility from the Juniper Networks Software Download site for generating
the installation ID.

Installing NSM for the First Time

The first time you install NSM 2007.3 or later release software only, you need to generate a license key
file that requires an installation ID.

NSM Trial Licenses

You can generate a trial license for NSM for periods of 30, 60 or 90 days. The NSM License Information
dialog box displays the validity period in the Expires in (Days) field. Licenses can only be installed or updated
from the NSM GUI. When the trial period is over, NSM notifies you and prompts you to install a new
license. If you install the new license, you can proceed to log in to NSM. If not, you must exit from the
GUI.

Generating the License Key for an NSM Software-Only Installation

To generate the license key file for an NSM 2007.3 or later software-only installation:
 295

1. Run the NSM installer image on the server designated for NSM. The NSM Server generates an installation
ID.

2. Log in to the LMS system and select License key generation for NSM.

3. Enter the serial number and authorization code.

Your serial number is printed on the paper license certificate given to you when you purchased NSM.

Depending on the package you purchased, Juniper Networks provides an authorization code by e-mail.
If you received a paper license certificate, and are managing more than 25 devices, call Juniper Networks
Customer Service. The Customer Service will validate your purchase and generate a license key file.

4. Enter the installation ID that was generated by the NSM Server.

The LMS system generates a license key file for the SKU recorded. You can choose to download the
license key file, or to receive it by e-mail.

5. Save the license key file to your local drive for use during installation.

Generating the License Key for an NSM Appliance Installation

To generate the license key file for an NSM appliance installation:

1. Log in to the LMS system and select License key generation for NSM.

2. Enter the serial number and authorization code.

The serial number is on the back of the NSM appliance chassis.

Depending on the package you purchased, Juniper Networks provides an authorization code via e-mail.
If you received a paper license certificate, and are managing more than 25 devices, call Juniper Networks
Customer Service. Customer Service will validate your purchase and generate a license key.

The LMS system generates a license key file for the SKU recorded. You can choose to download the
license key file, or to receive it by e-mail.

3. Save the license key file to your local drive for use during installation.

Generating the License Key for a High Availability NSM Installation

To generate the license key file for an NSM 2007.3 or later HA installation:

1. Run the NSM installer image on the server designated as your primary NSM (or primary GUI server).
The NSM Server generates an installation ID.

2. Run the NSM 2007.3 or later installer image on the server designated as your secondary NSM (or
secondary GUI server). The NSM Server generates an installation ID.

3. Log in to the LMS system and select License key generation for NSM.

4. Enter the serial number and authorization code of your primary NSM.

For an NSM appliance installation, enter the serial number of the primary server. The hardware serial
number is located on the back of the NSM appliance chassis.
 296

For a software-only installation:

a. Enter the serial number.

The serial number of your software is printed on the paper license certificate given to you when
you purchased NSM. If you do not have the software serial number or the LMS System fails to
recognize the serial number, call Juniper Networks Customer Service.

b. Enter the installation ID of the primary NSM.

Depending on the package you purchased, Juniper Networks provides an authorization code via e-mail.
If you received a paper license certificate, and are managing more than 25 devices, call Juniper Networks
Customer Service. Customer Service will validate your purchase and generate a license key.

5. Select the Need High Availability Key check box. The LMS systems prompts you to provide the NSM
Secondary serial number and Secondary Installation ID.

The LMS system generates a license key file for the SKU recorded. You can choose to download the
file, or to receive it by e-mail.

6. Save the license key file to your local drive for use during installation.

Upgrading to an NSM Release that Requires a License

When you upgrade to an NSM 2007.3 or later release from a version that is older than 2007.3, you need
to generate a license key file that requires an installation ID.

Generating the License Key for an NSM Software-Only Upgrade

To generate the license key file to upgrade to NSM 2007.3 or later release:

1. Run the NSM installer image on the server designated for NSM. The NSM Server generates an installation
ID.

2. Log in to the LMS system and select License key generation for NSM.

3. Enter the serial number and authorization code.

Your serial number is printed on the paper license certificate given to you when you purchased NSM.
If you do not have the serial number or the LMS System fails to recognize the serial number, call Juniper
Networks Customer Service.

Depending on the package you purchased, Juniper Networks provides an authorization code via e-mail.
If you received a paper license certificate, and are managing more than 25 devices, call Juniper Networks
Customer Service. The Customer Service will validate your purchase and generate a license key.

4. Enter the installation ID that was generated by the NSM Server.

The LMS system generates a license key file for the SKU recorded. You can choose to download the
file or to receive it by e-mail.

5. Save the license key file to your local drive for use during installation.
 297

The NSM upgrade to 2007.3 or later release will not proceed without the license key file if NSM manages
more than 25 devices.

Generating the License Key for an NSM Appliance Upgrade Installation

To generate the license key file to upgrade an NSM appliance:

1. Log in to the LMS system and select License key generation for NSM.

2. Enter the hardware serial number and authorization code.

The hardware serial number is located on the back of the NSM appliance chassis.

Depending on the package you purchased, Juniper Networks provides an authorization code via e-mail.
If you received a paper license certificate, and are managing more than 25 devices, call Juniper Networks
Customer Service. Customer Service will validate your purchase and generate a license key.

The LMS system generates a license key file for the SKU recorded. You can choose to download the
file or to receive it by e-mail.

3. Save the license key file to your local drive for use during installation.

The NSMXpress upgrade to 2007.3 or later release will not proceed without the license key file if NSM
manages more than 25 devices.

Generating the License Key File for an NSM 2007.3 or Later High Availability Upgrade Installation
To generate the license key file to upgrade to NSM 2007.3 or later release with high availability:

1. Run the NSM installer image on the server designated as your primary NSM (or primary GUI server).
The NSM Server generates an installation ID.

2. Run the NSM 2007.3 or later installer image on the server designated as your secondary NSM (or
secondary GUI server). The NSM Server generates an installation ID.

3. Log in to the LMS system and select License key generation for NSM.

4. Enter the serial number and authorization code of your primary NSM.

For an NSM appliance installation, enter the serial number of the primary server. The hardware serial
number is located on the back of the NSM appliance chassis.

For a software-only installation:

a. Enter the serial number.

The serial number of your software is printed on the paper license certificate given to you when
you purchased NSM. If you do not have the software serial number or the LMS System fails to
recognize the serial number, call Juniper Networks Customer Service.

b. Enter the installation ID of the primary NSM.

Depending on the package you purchased, Juniper Networks provides an authorization code via e-mail.
If you received a paper license certificate, and are managing more than 25 devices, call Juniper Networks
Customer Service. Customer Service will validate your purchase and generate a license key.
 298

5. Select the Need High Availability Key check box. The LMS systems prompts you to provide the NSM
Secondary serial number and Secondary Installation ID.

The LMS system generates a license key file for the SKU recorded. You can choose to download the
file, or to receive it by e-mail.

6. Save the license key file to your local drive for use during installation.

The NSM upgrade to 2007.3 or later release will not proceed without the license key file if NSM manages
more than 25 devices.

Example of an NSM License File

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

NSM License File (v1)

Generated on Thu Sep 20 19:11:08 IST 2007

This license file is for:

Serial Number: 0000000 Installation ID: 200003AC65C52
Serial Number: 00000 Installation ID: ID-2

This license file enables the following features:

High-Availability: Enabled
Max-Device: 100
Evaluation-Mode: P30D

This license file reflects the following SKUs:

NS-SM-ADD-50
NS-SM-ADD-50

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.2.6 (GNU/Linux)

iQCVAwUBRvJ4dCNvzN729P/TAQI+rgQAoG7fGLDh9vCFxbjeMrCGp+zd1AZ0KUxp
7xOrhIZnuT9urbumyQq9ySO3ovFjXzTJbiIbncmj6IUh4bkfKpu9H4WIu5qrsBvK
iRHzGJFMBcSCCleqV0TTBZVF82wblwy+RjWLhW71EHKtU46mVPSYQvy9vZKu/AZf
TwQ3So2hRqg=
=DTk4
-----END PGP SIGNATURE-----

If your downloaded license key file has any extra lines before "-----BEGIN PGP SIGNED MESSAGE-----"
or after "-----END PGP SIGNATURE-----", delete those lines before installing the license key file.
 299

Installing the License Key File in Various Configurations

Instructions for installing the license key are included in the various installation chapters.

Upgrading the License Key

License upgrades can be purchased at any time for any supported product. After purchasing a license
upgrade, you receive a Right to Use (RTU) certificate containing an authorization code that allows you to
log in to the LMS system and generate a permanent license key that can be applied to the NSM product.

Viewing License Key Information

You can view key information about licenses, in the NSM License Information window. From the menu
bar, selectTools > NSM License Information to view this information

Enforcing Licenses
The maximum number of devices allowed for NSMXpress appliance installations is 525. The maximum
number of devices allowed for NSM software-only installations is 6025. These numbers include all modeled
devices, vsys devices, and cluster devices.

Each cluster member of a cluster device counts as one device.

Even though the SKU installation is cumulative, NSM restricts the maximum number of manageable devices.
NSM rejects the application for a license when the maximum device supported limit is reached for both
appliance and software installations.

If you add a device after the number of devices added reaches 90 percent of the license limit, a warning
message appears. If you try to add an extra device after the maximum limit is reached, a dialog box appears
with the message “Maximum number of supported devices is reached.” You are not allowed to add devices
after reaching the license limit. you must purchase an upgrade before adding more devices.

Licensing FAQ
Table 130 on page 299 answers frequently asked questions about NSM licensing.

Table 130: Licensing FAQ

Question Answer

Which device types does NSM count towards NSM counts each single addition of a firewall, IDP, router, switch,
the total device count? Secure Access, or Infranet Controller device as one device. Each cluster
member counts as one device. Each vsys device added to a firewall
root device counts as one device.

Does NSM Central Manager (NS-SM-A-CM) The NSM Central Manager does not require a license key file for
require a license key file? installation. Enforcement is built into the product.
 300

Table 130: Licensing FAQ (continued)

Question Answer

Are there any differences in licenses for an No. Both follow the same licensing scheme, but their installation
NSM appliance and software-only methods are different. NSM software version uses the NSM Installer
installations? to install the new license. An NSM appliance uses the Web UI to install
the license. A license can also be installed via the NSM UI after the
base installation is completed.

What is the procedure to add a new license License upgrades can be purchased at any time for any supported
after the device count limit is reached? product. After purchasing a license upgrade, you receive a Right to
Use (RTU) certificate containing an authorization code that allows you
to log in to the LMS system and generate a permanent license key
that can be applied to the NSM product. License key updates can then
be applied from NSM GUI from Tools > NSM License Information.

I already have NSM installed in my network. Yes, if you are upgrading from a release that is older than 2007.3.
I have more than 25 devices installed on NSM.
Do I need a license key file to upgrade to
2007.3 or later release?

What is the procedure to obtain the license For new installations, see “Installing NSM for the First Time” on
key file? page 294. For upgrades, see “Upgrading to an NSM Release that
Requires a License” on page 296.

I don't have an NSM Serial number available. Call Juniper Networks Customer Service.
What do I do?

Licenses for J-Web Device Manager

IN THIS SECTION

Managing Licenses for the EX Series Switch (J-Web Procedure) | 301

 301

Managing Licenses for the EX Series Switch (J-Web Procedure)

IN THIS SECTION

Adding New Licenses | 301

Deleting Licenses | 302

Displaying License Keys | 302

Downloading Licenses | 302

This topic applies only to the J-Web Application package.

To enable and use some Junos OS features on an EX Series switch, you must purchase, install, and manage
separate software licenses. Each switch requires one license. For a Virtual Chassis deployment, two licenses
are recommended for redundancy. After you have configured the features, you see a warning message if
the switch does not have a license for the feature.

Before you begin managing licenses, be sure that you have:

• Obtained the needed licenses. For information about how to purchase software licenses, contact your
Juniper Networks sales representative.

• Understand what makes up a license key. For more information, see “License Key Components for the
EX Series Switch” on page 169.

This topic includes the following tasks:

Adding New Licenses

To add one or more new license keys on the switch, with the J-Web license manager:

1. In the J-Web interface, select Maintain > Licenses.

2. Under Installed Licenses, click Add to add a new license key or keys.

3. Do one of the following, using a blank line to separate multiple license keys:

• In the License File URL box, type the full URL to the destination file containing the license key or
keys to be added.

• In the License Key Text box, paste the license key text, in plain-text format, for the license to be
added.

4. Click OK to add the license key or keys.

 302

A list of features that use the license key is displayed. The table also lists the ID, state, and version of the
license key.

Deleting Licenses
To delete one or more license keys from a switch with the J-Web license manager:

1. In the J-Web interface, select Maintain > Licenses.

2. Select the check box of the license or licenses you want to delete.

3. Click Delete.

Displaying License Keys

To display the license keys installed on a switch with the J-Web license manager:

1. In the J-Web interface, select Maintain > Licenses.

2. Under Installed Licenses, click Display Keys to display all the license keys installed on the switch.

A screen displaying the license keys in text format appears. Multiple licenses are separated by a blank line.

Downloading Licenses
To download the license keys installed on the switch with the J-Web license manager:

1. In the J-Web interface, select Maintain > Licenses.

2. Under Installed Licenses, click Download Keys to download all the license keys installed on the switch
to a single file.

3. Select Save it to disk and specify the file to which the license keys are to be written. You can also
download the license file to your system.
 303

CHAPTER 7

Licenses for Contrail Service Orchestration

IN THIS CHAPTER

Licenses for Contrail Service Orchestration | 303

Licenses for Contrail Service Orchestration

IN THIS SECTION

About the Device License Files Page | 303

Uploading a Device License File | 305

Editing and Deleting Device Licenses | 305

Pushing a License to Devices | 307

About the CSO Licenses Page | 307

Assign CSO Licenses, and Update or Unassign CSO License Assignments | 309

About the Device License Files Page

To access this page, click Administration > Licenses> Device Licenses.

You can use the Device License Files page to upload licenses for devices and virtual network services from
your local file system. Each device license file should contain only one license key. A license key is required
to enable various features including virtual network services such as application-based routing, application
monitoring, and vSRX security features.

Tasks You Can Perform

You can perform the following tasks from this page:

• Add device license files. See Uploading a License File.

• Edit and delete device license entries. See “Editing and Deleting Device Licenses” on page 305.
 304

• Push licenses to devices. See “Pushing a License to Devices” on page 307.

• View details of a device license. Click the details icon that appears when you mouse over the row for
each license file or click More > Details. See Viewing Object Details.

• Show or hide columns about the device license files.

• Sort the device license files. See Sorting Objects.

• Search an object about the device license files. See Searching for Text in an Object Data Table.

Field Descriptions
Table 131 on page 304 describes the fields on the License Files page.

Table 131: Fields on the License Files Page

Field Description

File Name Displays the filename of the license.

Example: license_Image_v1.txt

Description Displays the description of the license.

Example: License file for application routing.

Tenant Displays the name of the tenant if the license is associated with a tenant.

Example: Tenant 1

Uploaded By Displays the administrator who uploaded the license.

Example: test_admin

Uploaded Displays the date and time when the license was uploaded.

Example: Jun 5, 2018, 12:41:08 PM

Devices Displays the number of devices to which the license is pushed.

Click the number to view the devices to which the license is pushed.
 305

Uploading a Device License File

To upload a device license file:

1. Click Administration > Licenses > Device Licenses.

The Device License Files page appears.

2. Click the plus icon (+).

The Add Device Licenses page appears.

3. In the Device License File field, specify the location of the license file that you want to upload.
Alternatively, you can click Browse to navigate to the file location and select the file.

NOTE: Each license file should contain only one license key.

4. (Optional) From the Tenants list, select the tenant to which you want to associate the license file.

If you associate a license with a tenant, you can apply that license only to devices that belong to that
tenant. If a tenant has licenses associated with the tenant, when a device is activated during ZTP, a
matching license from the licenses associated with the tenant is downloaded to the device.

You can apply a license that is not associated with a tenant to any device of any of the tenants. During
ZTP, when a device is activated for a tenant that does not have any license associated with it, a matching
license from the licenses that are not associated with any tenant is downloaded to the device.

5. In the Description field, enter a description for the license that you want to upload.

6. Click OK to upload the license.

You are returned to the Device License Files page.

Editing and Deleting Device Licenses

IN THIS SECTION

Editing a Device License Entry | 306

Deleting a Device License | 306

 306

The following sections describe the procedure for editing and deleting uploaded device licenses:

Editing a Device License Entry

You can edit a device license entry to modify the description for the license file.

1. Click Administration > Licenses > Device Licenses.

The Device License Files page appears.

2. Select the device license for which you want to modify the description and click the Edit icon.

The Update Device License page appears.

3. Update the description.

4. Click OK to save the changes. To discard the changes, click Cancel.

If you click Cancel, a confirmation message appears. Click Yes to confirm that you want to cancel the
update.

Deleting a Device License

To delete a device license:

1. Click Administration > Licenses > Device Licenses.

The Device License Files page appears.

2. Select the device license that you want to delete and click the delete icon.

3. In the confirmation message, click Yes to delete the device license.

To cancel the delete operation, click No.

 307

Pushing a License to Devices

You can push licenses on to devices from the Licenses page of the Administration portal. If a license is
associated with a tenant, you can push that license only to devices associated with that tenant. However,
if no tenant is associated with a license, you can apply the license to any device that belongs to any tenant.

When a license is applied to a device, the license information is added to the device object. When the
same license is pushed to the device again, the a device-level error message is created. Similarly, if a pushed
license does not match a device, the device generates an error message.

To push a license to a device:

1. Click Administration > Licenses > Device Licenses.

The License Files page appears.

2. Select the license that you want to push to a device.

The Push License button is enabled.

3. Click the Push License button.

The Push License page appears.

4. From the Tenants list, select the tenant associated with the site and devices to which you want to apply
the license.

NOTE: If the license has already been associated with a tenant, you cannot select a different
tenant. You can apply the license only to the sites and devices associated with the tenant.

Sites and devices associated with the selected tenant appear.

5. Select the sites and devices to which you want to apply the license and click Push Licenses.

CSO applies the license to the selected devices.

About the CSO Licenses Page

To access this page, click Administration > Licenses > CSO Licenses.

Users with the OpCo Administrator role can use the CSO Licenses page to view information about the
CSO licenses issued by the SP administrator, assign the licenses to one or more tenants, and update or
unassign license assignments.
 308

Tasks You Can Perform

You can perform the following tasks from this page:

• Assign CSO licenses to one or more tenants—See “Assign CSO Licenses, and Update or Unassign CSO
License Assignments” on page 309.

• View the tenants previously assigned to a CSO license—Click assigned-number corresponding to a license.
The View Assigned page appears displaying the tenants and quantity assigned to each tenant.

• Update or unassign CSO license assignments—See “Assign CSO Licenses, and Update or Unassign CSO
License Assignments” on page 309.

• Search for CSO licenses by using keywords—Click the search icon and enter the search term in the text
box and press Enter. The search results are displayed on the same page.

You can search using license SKU, sales order, type, tier, or device class.

• Sort CSO licenses—Click a column name to sort based on the column name.

NOTE: Sorting is applicable only to some fields.

• Show or hide columns—Click the Show Hide Columns icon at the top right corner of the page and select
the columns that you want displayed on the CSO Licenses page.

Field Descriptions
Table 132 on page 308 describes the fields on the CSO Licenses page.

Table 132: Fields on the CSO Licenses page

Field Description

License SKU Displays the license SKU name; for example,

S-CSO-C-S1-A-3.

Sales Order Sales order number; for example, 15563238.

Type Type of site—on-premise or cloud.

Tier Support tier associated with the license; for example,

Standard.

Device Class Class of the Juniper device associated with the license; for
example, B-class.
 309

Table 132: Fields on the CSO Licenses page (continued)

Field Description

SSRN Software support reference number, which is necessary

to identify your purchase order when you contact Juniper
Networks for support

Start Date Date (in MMM DD , YYYY format) from which the license
is valid; for example, Aug 29, 2019.

End Date Date (in MMM DD , YYYY format) up to which the license
is valid. CSO calculates the end date based on the validity
of the license SKU.

Device Quantity Total number of devices (that the tenant can add) that you
can assign for a license.

Available Available number of devices (that the tenant can add) that
you can assign to tenants.

Assigned Number of devices (that the tenant can add) that are
already assigned to one or more tenants:

• Click assigned-number to view the tenants and quantity

assigned for each tenant. The View Assigned page
appears displaying the tenants and quantity assigned to
each tenant.
• If the CSO license is not assigned to any tenants, click
Assign to assign the license to one or more tenants. See
“Assign CSO Licenses, and Update or Unassign CSO
License Assignments” on page 309.

Assign CSO Licenses, and Update or Unassign CSO License Assignments

IN THIS SECTION

Assign CSO Licenses to Tenants | 310

Update or Unassign CSO License Assignments | 311

Users with the Operating Company (OpCo) Administrator role can:

 310

• Assign a CSO license to one or more tenants.

• Update the assignment of a CSO license that was previously assigned to one or more tenants.

• Unassign a CSO license that was previously assigned to a tenant.

Assign CSO Licenses to Tenants

To assign a CSO license that is not yet assigned to a tenant:

1. Select Administration > Licenses > CSO Licenses.

The CSO Licenses page appears.

2. Click the Assign link corresponding to the license that you want to assign (in the Assigned column).

The Assign CSO License page appears.

3. Configure the fields according to the guidelines provided in Table 133 on page 310.

4. Click Assign.

CSO validates the quantities that you assigned against the total quantity for the license:

• If the sum of assigned quantities is greater than the total quantity, an error message is displayed. You
must then modify the assigned quantities to proceed.

• If the sum of assigned quantities is less than or equal to the total quantity, a job is triggered. You are
returned to the CSO Licenses page and a confirmation message is displayed on the top of the page.
After the job completes successfully, the CSO Licenses page displays the updated information in the
Available and Assigned columns.

Table 133: Fields on the Assign CSO License page

Field Description

License Information Displays the following information for the license:

• Sales Order
• License SKU
• Start Date

License Assignment

Device Quantity Displays the total quantity that can be assigned to tenants.

Available Displays the available quantity that can be allocated to tenants.

 311

Table 133: Fields on the Assign CSO License page (continued)

Field Description

Tenants List To assign the license to one or more tenants:

1. Click the + icon.

A row is added in the grid and selected.

2. In the Tenant column, select the tenant to which you want to assign the license.

3. In the Device Quantity column, enter the quantity that you want to assign to the
tenant.

4. Click √ (check mark) to save your changes.

5. (Optional) Click the pencil icon to modify the tenant name or the quantity and click
√ (check mark) to save your changes.

6. (Optional) Repeat the steps if you want to assign the license to additional tenants.

Update or Unassign CSO License Assignments

For a CSO license that is already assigned to one or more tenants, to update or unassign the license
assignment:

1. Select Administration > Licenses > CSO Licenses.

The CSO Licenses page appears.

2. Select the license for which you want to update or unassign the license assignment and click the Update
Assignment button.

The Assign CSO License page appears.

3. From the list of tenants displayed in the grid, select the tenant (row) and do one of the following:

• To update the license assignment:

a. Click the edit (pencil) icon.

b. In the Device Quantity column, modify the device quantity.

c. Click √ (check mark) to save your changes.

The modification that you made is displayed in the grid.

 312

• To unassign the license assignment:

a. Click the delete (trash can) icon.

A popup appears asking you to confirm the unassign operation.

b. Click Yes.

The license is unassigned from the tenant that you selected and the tenant is removed from the
grid.

4. (Optional) If the available quantity is non-zero, you can assign the license to additional tenants. See
Table 133 on page 310 for more information.

5. Click Assign.

CSO validates the modifications against the total device quantity for the license:

• If the sum of assigned quantities is greater than the total quantity, an error message is displayed. You
must then modify the assigned quantities to proceed.

• If the sum of assigned quantities is less than or equal to the total quantity, a job is triggered and you
are returned to the CSO Licenses page. A confirmation message is displayed on the top of the page.

After the job completes successfully, the CSO Licenses page displays the updated information in the
Available and Assigned columns.
 313

CHAPTER 8

®
Licenses for Steel-Belted Radius Carrier

IN THIS CHAPTER

Obtaining License Keys | 313

Obtaining License Keys

You must have a unique single-seat software license key for each server installation and for each optional
module that you want to activate.

If you are installing Session State Register, you need a license for each SBR Carrier server, each optional
module, and a Starter Kit license—a single number that is used on all four servers in the Starter Kit cluster.
If you are installing more nodes than in the Starter Kit, each additional SBR Carrier server, Expansion Kit,
and Management Node kit require unique licenses.

When a license for the base product or an optional module is purchased, a certificate containing an
authorization code is issued. Use the authorization code to generate a license key on the Juniper Networks
support server.

1. Go to https://www.juniper.net/lcrs/license.do. You may be prompted to log in.

2. On the Manage Product Licenses screen, select SBR Carrier from the drop-down list and click Go.
 314

3. Enter the authorization code from your certificate and the registered E-mail address. (The E-mail address
is used only for account verification at this point; you can elect not to receive the license through E-mail
in the next step.)

4. When the key is generated, a success screen is displayed. You can view the license online and record
the key number, download it, or have it sent to the E-mail address you entered.