Mastering JUNOS Configuration

Watch the book's videos, and then simply copy and paste from the PDF book's prompts to configure the Junosphere virtual machine online. Learn by doing, not reading.

1 VM - 3+ hrs

Virtual Day One - Learn by Doing!

Whether you are new to Junos or just want to improve your configuration skills, this Junosphere lab will boost your mastery of the Junos OS.

- Experience the Junos CLI in both videos and real hands-on training modules
- Learn how to navigate through the Junos configuration hierarchies
- Master basic and advanced configuration techniques
- Unveil the mysteries of rollback and commit internals
- Understand how Junos handles simultaneous configurations
- And much more in this 3 hour lab prepared just for you.

by Antonio Sánchez-Monge
Juniper Networks Junosphere cloud-based services allow networking professionals to perform network testing, design, and training exercises in a risk-free virtual environment that uses real network operating systems. Junosphere allows you to closely replicate physical networks consisting of Junos OS-based devices and ecosystem tools without the cost, complexity, or limitations of a physical lab.

To ensure you have the best possible experience with Junosphere, check that you have the required settings. Consider these recommendations for optional freeware programs to facilitate Junosphere usage.

Required Settings
- Only Firefox 19 and higher, and Internet Explorer 9 and higher, are supported
- Enable pop-ups for junosphere.net
- Allow downloads from junosphere.net
- Install latest Java plug-in

Color quality: For best results, use 16-bit (8-bit, 24-bit, and 32-bit are also supported).
Monitor resolutions: 1,024 x 768 pixels is recommended; up to 2,048 x 2,048 pixels is supported.

ISBN 978-1936779796
PDF Recommendations
Use Acrobat Reader to copy and paste this book's config files into the terminal for the best results.
Acknowledgements
vDay One: Mastering Junos Configuration 4
Welcome to vDay One

The prerequisites for this virtual workshop are:
TIP Lab vs. Classroom? There are two types of sandbox: Lab or Classroom. The vDay One topologies are available for both of them; make sure you choose the right one for your sandbox. Note that the promotional code is only available for Classroom.
2. Navigating the Junos OS Configuration

Let's start by loading a simple Junos OS configuration. Then, you will examine it without modifying it using different CLI modes.

First connect to the console of the device, using a telnet client:

telnet <IP> <port>

The <IP> address and the <port> are indicated in the column labeled Console, in the Virtual Machines tab of the Junosphere GUI. The username is root and the password is Clouds. Why the console and why the username root? Because you will soon erase most of the configuration, leaving root as the only valid user, and the console as the only valid access method. The goal is to obtain a very short and simple configuration, that can ease your learning process. When you log in as root, the prompt is %, corresponding to the FreeBSD shell. This is not an officially supported mode, so you need to start a Junos OS CLI session, changing the prompt to >.

% cli
>

In Junosphere's VJX, the initial configuration would be specified inside the topology.vmm file as follows:

install "ENV(HOME)/active/configset/juniper.conf" "/root/olive.conf";

You are about to replace the currently active configuration with a simpler one. The following command simply displays the contents of a file:

> file show /var/tmp/myJunos.conf

Later in this book, you will see the configure, load, save and commit commands explained in detail. The following procedure saves a backup of the current configuration into a file called original.conf, and then activates a completely new configuration based on the contents of myJunos.conf:

> configure
# save /var/tmp/original.conf
# load override /var/tmp/myJunos.conf
# commit and-quit

CAUTION Currently Junosphere does not support a method to reset console connections. If for whatever reason you lose connectivity to the console before the middle of Section 4, and you fail to reconnect, you will need to restart the topology.

It's time to watch Video 2. But it's important to watch the video in its entirety, then tackle the hands-on tasks. If you execute commands before the video finishes (pausing and resuming it), testers have found the experience much less helpful, not to mention encountering slight differences between the video and the practice. This advice is valid for all the videos in this book.
How is this configuration actually applied? Let's see:

> show interfaces terse lo0.0
> show interfaces terse ge-0/0/1
> show interfaces terse ge-0/0/1 routing-instance default
> show interfaces ge-0/0/1.1 | match vlan

It's normal to see an error in the last command, as edit is designed to enter branches, not leaves. Two more commands and you'll be ready for the next section.

# up 2
# top
ing copy and rename does not result in any net change on the candidate configuration either: the initial and the final states are identical.

# top
# copy interfaces ge-0/0/1 to ge-0/0/2
# show interfaces
# delete interfaces ge-0/0/1
# show interfaces
# rename interfaces ge-0/0/2 to ge-0/0/1
# show interfaces
# show
Let's now face the risks of the powerful command replace. The following sequence does not result in any net candidate configuration changes:

# top
# edit interfaces
# show
# replace pattern 1 with 2
# show
# replace pattern 2 with 1
# show
# show | compare
# replace pattern 10.100.1.1/31 with 10.100.1.1/32
# show
# show | compare

4. Committing Configuration Changes

It's time to introduce two of the most important and differentiating commands in Junos OS configuration: rollback and commit. The terms are inherited from relational databases, and are based on opposite concepts.

With rollback, you discard the pending configuration changes. The candidate database becomes identical to the active configuration, which in turn does not change at all.

With commit, you activate the configuration changes by copying the candidate database into the active configuration.
Now, from another terminal, try to telnet to the device using the address you wrote down, and the user and password just configured:

telnet <address>
Username: vdayone
Password: Clouds

Have a look at Video 4 for a graphical illustration of a configuration commit.

Video 4 Committing Configuration Changes

Now, let's see a commit in action:

# set system host-name EVEREST
# show | compare
# commit

cerned by the configuration change. In this way, the routing protocol daemon (rpd), the firewall daemon (dfwd), the Class of Service daemon (cosd), the interface daemon (dcd), etc., may be requested to read the configuration and perform a validation check.

NOTE A daemon is the common name of any background process in FreeBSD and other UNIX-like operating systems.

Each background daemon uses fork() to create a child daemon that will be in charge of the validation task, while the parent daemon stays focused on its usual job. Each child daemon inspects the part of the configuration that it considers relevant, and checks its consistency; for example, an interface cannot have a filter applied if the filter is not globally defined. The child processes return their validation results to mgd, and they expire.

The validation check only succeeds if all the child daemons report a successful result of their validation to mgd. If the command commit was launched with the check option, it would just provide the validation results and exit without committing any changes. Likewise, a regular commit (without the check option) would stop here if any of the daemons reported a validation error.

At this point, if the validation is successful and the check option is not used, mgd activates the candidate configuration, rotates the configuration files as shown in the next section, sends a SIGHUP signal to the relevant background processes, and returns the prompt.
Let's start by discarding any potential changes in the candidate

> configure
# rollback 1
QUESTION #5 How could you go back to the configuration that contained host-name Everest, without configuring the host-name explicitly?

QUESTION #6 What would be the outcome of executing the sequence: rollback 1 + commit, 999 times? And 1000 times?

There are several useful commit options. For example, you already tested the comment option. Let's look at two other useful options:

# set system host-name NANGA-PARBAT
# show | compare
# commit check

QUESTION #7 What does the check option do?

# show | compare
# commit confirmed 1

Wait for a couple of minutes. What happened?

The confirmed option is essential for safer operation when risky configuration changes need to be completed. Any engineer with hands-on experience has seen how a CLI session suddenly becomes unresponsive after a configuration change. The trigger can be something obvious (like disabling the management port) or something more sophisticated. In any case, if you are about to apply a configuration change that may affect your session at some point, the confirmed option is your ally. The changes are only active for the specified number of minutes (10, by default), and if during that time there have been no further commits, the device automatically rolls back to the previous configuration, getting your CLI session to a responsive state again.

CAUTION In devices with control plane redundancy (more than one Routing Engine), the commit synchronize option is key, as it keeps both planes synchronized in case there is a switchover. You can configure set system commit synchronize so that this option is automatically added upon commit.

Finally, set the hostname to the highest peak on Earth:

# set system host-name EVEREST
# commit and-quit

Execute these two commands to find the actual location of the whole commit history:

> file list /config/juniper* detail
> file list /var/db/config/ detail

Use the file show command to display the uncompressed contents of one of the files listed above. Also have a look at the /var/db/commits file, where the first column contains the commit time in UTC format.

TRY THIS List the directory /var/run/db and spot two binary files called juniper.data and juniper.db. These are the real configuration databases. Don't try to show their contents, since they are in binary format. However, if you play with configuration commands and look at the modification dates of these two files, you will be able to find out which one is the candidate, and which one is the active configuration database.

MORE? Batch commits allow for queuing the commit operations and grouping them all together in a single commit operation. This can be useful in highly provisioned systems. For more about the feature, see Juniper Techpubs documentation, www.juniper.net/techpubs.
6. Other Views of Junos OS Configuration

The classical view of the Junos OS configuration, with all its magic curly brackets, is practical to display and read. However, for certain applications, other formats are more convenient. Watch Video 6 to see one of the most typically used formats:

Finally, the XML format may not be the nicest to read, but it's an open standard format. It works fine with all the XML libraries in the industry, and it's essential for the whole Junos Automation feature set, including Commit, Event, and Op Scripts:

# show interfaces | display xml

Coffee Break!
There are many instances when you'll need to deal with blocks of configuration in an efficient way. For example, if you have a complete or partial configuration of a device, you may want to port it (conveniently adapted in a text editor) to another device. Or you may need to undo, or redo, a given configuration change that was done at commit #33. Not to mention the configuration backup and restore applications.

Junos OS is particularly powerful and flexible in this aspect: configuring large networks is not such a big deal with Junos OS!

Let's watch Video 7 just to see a sample of the different applications:

> configure
# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes

# show
# show | compare myFile1
# load override myFile1
# show
# show | compare myFile1

The last command output should be empty, since there are no differences between the candidate configuration and myFile1.

NOTE So far we only acted on the candidate database, as no commit was performed.
(use any external text editor for this), and keep the document open:

# show interfaces lo0

Now, delete the configuration of the lo0 interface and apply it in curly bracket format:

# delete interfaces lo0
# edit interfaces lo0
# show
# load merge terminal relative

# show interfaces lo0
# load patch myFile3
# show interfaces lo0
# show | compare
# rollback
# exit
Open another CLI session to the device:

telnet <address>
Username: vdayone
Password: Clouds

TIP You can use the operational command show interfaces terse ge-0/0/0 if you don't remember the management IPv4 address.

Now you have two CLI sessions (#1 and #2) connected to the same device. Both sessions will be in configuration mode at the same time.

IMPORTANT By default, the configure command provides direct read-write access to the candidate database.

The candidate database is shared by all the sessions accessing it. Test how it works by following these instructions. Consider the vertical line as the time axis. You should progress to the next line only if both sessions have already executed the current line. Remember you are simulating two users doing things at the same time, so you need to change from one terminal to another very frequently during this practice:

SESSION #1                               | SESSION #2
@EVEREST> configure                      | @EVEREST> configure
@EVEREST# show system host-name          | @EVEREST# show system host-name
@EVEREST# set system host-name LHOTSE    | @EVEREST#
@EVEREST# show system host-name          | @EVEREST# show system host-name
@EVEREST# exit                           | @EVEREST# exit
The configuration has been changed but   | The configuration has been changed
not committed                            | but not committed
Exit with uncommitted changes? yes       | Exit with uncommitted changes? yes
@EVEREST> configure                      | @EVEREST> configure
@EVEREST# show system host-name          | @EVEREST# show system host-name
@EVEREST#                                | @EVEREST# set system host-name K2
@EVEREST# show system host-name          | @EVEREST# show system host-name
@EVEREST# show | compare                 | @EVEREST# show | compare
@EVEREST#                                | @EVEREST# commit
@K2# exit                                | @K2# exit
@K2>                                     | @K2>

TIP If you do a set + delete sequence that results in no pending changes, the candidate database has the modified flag set, even if show | compare output is empty. In this case, just execute rollback and then you can do a clean exit.

As you saw in the video, the sessions in private mode do not have direct access to the shared configuration database. Try it yourself!

SESSION #1                               | SESSION #2
@K2> configure private                   | @K2> configure private
@K2# show system host-name               | @K2# show system host-name
@K2# set system host-name ANNAPURNA      | @K2#
@K2# show system host-name               | @K2# show system host-name
@K2# exit                                | @K2#
The configuration has been changed       |
but not committed                        |
Discard uncommitted changes? yes         |
@K2> configure private                   | @K2#
@K2# show system host-name               | @K2# show system host-name
@K2# set system host-name ANNAPURNA      | @K2#
@K2# show system host-name               | @K2# show system host-name
@K2# show | compare                      | @K2# show | compare
@K2# commit                              | @K2#
@ANNAPURNA#                              | @ANNAPURNA# show system host-name
@ANNAPURNA#                              | @ANNAPURNA# set system host-name MAKALU
@ANNAPURNA# show system host-name        | @ANNAPURNA# show system host-name
@ANNAPURNA#                              | @ANNAPURNA# show | compare
@ANNAPURNA#                              | @ANNAPURNA# commit
@ANNAPURNA#                              | [edit system host-name]
@ANNAPURNA#                              | host-name ANNAPURNA
@ANNAPURNA#                              | statement does not match patch:
@ANNAPURNA#                              | ANNAPURNA != K2
@ANNAPURNA#                              |
@ANNAPURNA# show system host-name        | @ANNAPURNA# show system host-name
@ANNAPURNA#                              | @ANNAPURNA# show | compare
@ANNAPURNA#                              | @ANNAPURNA# commit
@MAKALU# show system host-name           | @MAKALU# show system host-name
@MAKALU# exit                            | @MAKALU# exit
SESSION #1                               | SESSION #2
@MAKALU> configure                       | @MAKALU> configure exclusive
@MAKALU# set system host-name ANNAPURNA  |
error: configuration database locked     |
@MAKALU# exit                            | @MAKALU# exit

And finally, the interaction between a session in default configuration mode (accessing the shared configuration database) with another session in private mode:

SESSION #1                               | SESSION #2
@MAKALU> configure private               | @MAKALU> configure
@MAKALU# set system host-name ANNAPURNA  | @MAKALU#
@MAKALU#                                 | @MAKALU# set system host-name CHO-OYU
                                         | error: private edits in use. Try
                                         | configure private or configure
                                         | exclusive.
@MAKALU# exit                            | @MAKALU# exit

Junos OS configuration is far from being a monolithic text file. In fact, there is a pre-inheritance and a post-inheritance view. When you display the configuration, you typically see the pre-inheritance view. But when you do a commit, Junos builds the post-inheritance view. Different pre-inheritance views can result in the same post-inheritance view.

So what's the inheritance about? Imagine you want to temporarily remove an interface from the configuration. You can delete it, so that the interface is no longer in the configuration. But you can also deactivate it, and leave it in the configuration with an inactive flag. The two commands delete and deactivate only make a difference in the pre-inheritance view. Once the post-inheritance view is calculated, the interface is no longer there.

You also have the possibility of defining certain structures called groups, that can be applied in a hierarchical manner to several parts of the configuration at the same time. In this sense, the pre-inheritance and post-inheritance stages of the configuration come before and after applying the groups.
One of the most useful commands in Junos OS is deactivate. This command allows you to suppress a part of the configuration from an operational/functional perspective, but without deleting it. In order to bring that configuration back to life, you just need to activate it. Let's give it a try:

> configure
# show interfaces ge-0/0/1
# show interfaces ge-0/0/1 | display inheritance
# deactivate interfaces ge-0/0/1
# show interfaces ge-0/0/1
# show interfaces ge-0/0/1 | display inheritance
# run show interfaces ge-0/0/1 terse
# commit
# run show interfaces ge-0/0/1 terse

# activate interfaces ge-0/0/1
# show interfaces ge-0/0/1
# show interfaces ge-0/0/1 | display inheritance
# run show interfaces ge-0/0/1 terse
# commit
# run show interfaces ge-0/0/1 terse

Configuration groups are another widely used technique. Get a feel for them in action, here:

# set groups myMTU interfaces <ge-*> unit <*> family inet mtu 1600

If you want to see the latter command as a whole, change the session properties by executing:

# run set cli screen-width 200

Let's apply the group you just created at the interfaces hierarchy:

# show interfaces | display inheritance
# set interfaces apply-groups myMTU
# show interfaces
# show interfaces | display inheritance
# show interfaces | display inheritance no-comments
# show interfaces | display inheritance | display set
# show | compare
# commit check

The configuration validation process detected an error. The logical interface family MTU (Maximum Transmission Unit) can never exceed the physical MTU. Let's clear the error condition:

# replace pattern 1600 with 1300
# commit check

At the end of Section 4, you saw a list of the internal steps associated with a commit operation. Actually, inheritance is performed before Step 1. In other words, mgd starts the validation process once the candidate configuration has been processed via display inheritance.

During the boot process in Junos OS, a commit is performed in order to activate the configuration file /config/juniper.conf. The validation process may change from one Junos OS version to another. So it's possible that a given configuration passes the validation check in release A, but not in release B. In that case, an upgrade from A to B would leave the device in the so-called Amnesiac mode, corresponding to an empty (factory default) active configuration.

How can you take a device out of Amnesiac mode? By fixing the consistency issue in the candidate database and committing it. However, this is a manual operation.

How can you prevent a device from entering Amnesiac mode? The request system software add command has the validate option enabled by default. With this option, the current active configuration is checked by the validation routines of the target release, to ensure that it would commit successfully after the upgrade.

CAUTION From the point of view of the release schedule, if Junos OS version A and B are very far from each other this validation is not guaranteed to work, in the sense that you may get a generic error even if the configuration is perfectly valid for A and B. You would need to skip that step with the no-validate
option. If this is a production device, try to load in advance the active configuration in a lab device running version B, and see if it passes the commit check.

MORE? Explore some use cases of the apply-path knob. You can find them at Juniper Techpubs, www.juniper.net/techpubs.

10. Custom Engineering Rules: Commit Scripts

You already saw in a previous section how an inconsistency in the configuration is typically detected during the validation process (commit check). However, the fact that a configuration is completely consistent and syntactically correct from a Junos OS perspective, does not guarantee that it meets the requirements of the specific service you are deploying.

For example, Junos OS definitely allows an interface to be configured in IS-IS, even if it's not configured in MPLS. But in your network, it may be mandatory from a design perspective, to enable MPLS on all the IS-IS interfaces. These kinds of custom engineering rules can be defined and applied by using a key element of the Junos Automation feature set: commit scripts. As a network administrator or designer, you decide which conditions a candidate configuration must meet before submitting it to the standard Junos OS validation.

# run file show /var/db/scripts/commit/ge-mtu.slax
# set system scripts commit file ge-mtu.slax
# commit check
# rollback
# exit

Even though the configuration is syntactically correct from the perspective of Junos OS, it fails the validation process because it doesn't match a customized engineering rule that you have defined.

Going back to the list at the end of Section 5, commit scripts process the post-inheritance view, before Step 1 in the list. In fact, a commit script can even modify the candidate configuration before the standard Junos OS validation process starts (step 1).

MORE? Commit Scripts and Junos Automation are a large and rich feature set. Have a look at the Day One Junos Automation suite of books at www.juniper.net/dayone.
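
The MPLS-on-every-IS-IS-interface rule from this section, together with the undefined-filter consistency check described in Section 4, as an added Python example; it is not from the book and is not a Junos commit script, but an off-box check over show | display set output. The sample configuration is constructed and the function names are this example's own; deactivated statements are dropped first because the rules are meant to see the post-inheritance view.

```python
# Added example: off-box model of "custom rule first, then standard validation".
# Input is "show | display set" style text; the sample below is constructed.

CANDIDATE = """\
set interfaces ge-0/0/1 unit 0 family inet filter input PROTECT
set interfaces ge-0/0/1 unit 0 family iso
set interfaces ge-0/0/2 unit 0 family iso
set firewall family inet filter PROTECT term 1 then accept
set protocols isis interface ge-0/0/1.0
set protocols isis interface ge-0/0/2.0
set protocols mpls interface ge-0/0/1.0
set protocols mpls interface ge-0/0/2.0
deactivate protocols mpls interface ge-0/0/2.0
"""


def active_statements(config_text):
    """Return 'set' statements as token lists, minus anything deactivated."""
    sets, inactive = [], []
    for line in config_text.splitlines():
        tokens = line.split()
        if tokens[:1] == ["set"]:
            sets.append(tokens[1:])
        elif tokens[:1] == ["deactivate"]:
            inactive.append(tokens[1:])
    # Token-wise prefix match, so ge-0/0/1 never swallows ge-0/0/10.
    return [s for s in sets
            if not any(s[:len(p)] == p for p in inactive)]


def isis_without_mpls(stmts):
    """Custom engineering rule: every IS-IS interface must also run MPLS."""
    def members(proto):
        return {s[3] for s in stmts
                if len(s) > 3 and s[:3] == ["protocols", proto, "interface"]}
    isis, mpls = members("isis"), members("mpls")
    if "all" in mpls:          # 'protocols mpls interface all' covers everything
        return []
    return [f"custom rule: IS-IS interface {name} is not enabled under protocols mpls"
            for name in sorted(isis - mpls)]


def undefined_filters(stmts):
    """Consistency check: a filter applied to an interface must be defined."""
    defined = set()
    for s in stmts:
        if len(s) > 4 and s[:2] == ["firewall", "family"] and s[3] == "filter":
            defined.add((s[2], s[4]))
        elif len(s) > 2 and s[:2] == ["firewall", "filter"]:
            defined.add(("inet", s[2]))      # bare 'firewall filter' is inet
    errors = []
    for s in stmts:
        if (len(s) == 9 and s[0] == "interfaces" and s[2] == "unit"
                and s[4] == "family" and s[6] == "filter"
                and s[7] in ("input", "output") and (s[5], s[8]) not in defined):
            errors.append(f"consistency: filter {s[8]} applied on "
                          f"{s[1]}.{s[3]} is not defined")
    return errors


def commit_check(config_text):
    """Run the custom rule first; only a clean result reaches validation."""
    stmts = active_statements(config_text)
    return isis_without_mpls(stmts) or undefined_filters(stmts)


def commit(candidate, active):
    """Activate the candidate only if commit_check is clean."""
    errors = commit_check(candidate)
    return (active if errors else candidate), errors
```

With the constructed sample, the deactivated MPLS statement makes ge-0/0/2.0 fail the custom rule even though the line is still present in the file.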
Answers to Questions
The challenge consists of a Virtual Machine running Junos, in Junosphere. All you need to do is stop your current topology, and start another topology called vDay One Challenge 1, which is also in the Junosphere Public Library. Once you join this single-VM topology, try to figure out the answer to the following challenge.

The Challenge

Someone has deleted the interface ge-0/0/1 units 2, 4, 6, and 8 from the configuration. Your task is to come up with a procedure to recover the original configuration of these units. Your procedure must not change any other configuration on the device.

During your research phase, try to figure out the right procedure. You are allowed to do one thing only: type show commands, as many as you want, but don't use the pipe ( | ) at this stage.

Your research should conclude with the proposal of a procedure that fulfills the following conditions:

CAUTION This is not a hacking challenge. You must execute only established Junos CLI commands!

Check if the solution is already posted, either online on this book's landing page at www.juniper.net/dayone, or in the latest version of this vDay One book. If the solution is not posted yet, send your own answer to vday-one-demo@juniper.net and if it is correct, you will be awarded free time on your Junosphere account or other prizes.

NOTE Don't worry if some of the rollbacks are missing. The rest of the commit history is fine.

THE WINNER The contest starts as soon as this book is released. The first person who solves the challenge will be recognized in J-Net as the winner of the contest.