Junos
- I haven't dealt much with Juniper equipment so it's time to change that
- Day One books are great
- "Day One: JunOS for IOS engineers" is a brilliant idea ("This example shows the standard Junos configuration output with curly braces. This may seem intimidating at first (it's not C programming), but once you get a handle on how things are laid out, you'll find it far more intuitive than in IOS, where configuration sections can have no rhyme or reason.") - valid burn
general
- Junos is FreeBSD-based (Junos OS Evolved uses a Linux kernel); the routing and management daemons run as processes on top of that kernel rather than as a monolithic OS image
- RE = Routing Engine; PFE = Packet Forwarding Engine
- case-sensitive
- J-Web - GUI to manage; enable with set system services web-management https interface ge-0/0/0 (prefer https over http, and list only the management-facing interface so the GUI is not reachable from every port)
- standard UNIX hotkeys work
- in Junos there is always a rule: more specific wins
- the space bar automatically completes only builtin commands; by contrast, the tab button automatically-completes even your own user-defined objects
- the apply-flags omit command is actually hidden. You won't be able to tab-complete it. Some commands are hidden to prevent casual users from using them, and to stop expert users from accidentally typing them. You have to actively choose to use this command!
h [ elp ] to [ pic ] for theory, h r [ eference ] for config, h s [ yslog ] _TERM_ for meaning of logs, h a [ propos ] _TERM_ for approximate about help, h ti [ p ] c [ li ] for helpful tips
h for help in more display
exi [ t ] or q [ uit ] - exit/quit
ed [ it ] - jump to a specific location within the candidate configuration
ru [ n ] - run operational commands from the config mode
up [ _N_ ] - go up the hierarchy level
t [ op ] - allows you to move to the first hierarchy level
an [ notate ] _CONTAINER_ _COMMENT_ - comment (to delete a comment - an _CONTAINER_ "")
se [ t ] - inserts a statement and values into the candidate configuration
del [ ete ] - removes statements from the candidate configuration
dea [ ctivate ] - make configuration changes and mark them as inactive until you are ready to use them
cop [ y ] _INTERFACE_ to _INTERFACE_2_
ren [ ame ]
rep [ lace ]
i [ nsert ]
prot [ ect ]
mo [ nitor ]
pipe
n [ o-more ] - disable paging
m [ atch ] - include, show only text that matches a pattern
e [ xcept ] - exclude, show only text that does not match a pattern
cou [ nt ] - count matching lines (cou, not c, because c also matches compare)
l [ ast ] [ _N_ ] - display end of output only
ref [ resh ] - refresh a continuous display of the command
f [ ind ] - begin, search for first occurrence of pattern
d [ isplay ] s [ et ] - show config as typed
com [ pare ] - diff the candidate configuration against the active one (show | compare in config mode; show configuration | compare rollback _N_ in operational mode to diff against an older commit)
modes
- operational - managing and monitoring; prompt ends with >
- configuration - editing the candidate configuration; prompt ends with #
- to enter config mode:
co [ nfigure ] or ed [ it ]
- ways to enter the config mode
- standard - allows any number of users to edit the candidate configuration simultaneously, and changes made by a single user are visibly shared so that all users can see them
- exclusive - locks all other users out of configuration mode until the exclusive user leaves the exclusive state
- private - provides a private configuration, whereby the device keeps a separate candidate copy containing only the changes by the private user
- note - by default, if more than one user is modifying the configuration, committing the configuration saves and activates the changes of all users (unless a user is in configure private mode)
CLI
>se [ t ] cli { screen-w [ idth ] _N_ | screen-l [ ength ] _N_ | ti [ mestamp ] } - screen width defaults to 80 chars; screen-length 0 disables paging for the session; timestamp prefixes each command's output with the time
>set cli i [ dle-timeout ] _MINUTES_
sh cli [ a [ uthorization ] | d [ irectory ] | h [ istory ] [ _N_ ] ]
config
load factory-default - factory default config
request system zeroize - removes all data files, including customized configuration and log files, and reboots into the factory-default configuration (there is no undo)
com [ mit ] - activate the candidate configuration ("Obviously no one is denying that rebooting a device, and causing a potential 10-minute outage while you wait for it to reboot and re-calibrate, is an absolutely brilliant way to undo your change. Truly fantastic. An undeniably great process. Everyone loves downtime! Brilliant and perfect advice, and not in any way terrible or awful, or bad. You won't find an engineer in the world who thinks this is anything other than the best possible way to deal with this situation.")
com ch [ eck ] - check the correctness of syntax; do not apply changes
com con [ firmed ] [ _MINUTES_ ] - commits the candidate configuration for _MINUTES_ (default 10); if no second commit follows within that window, the device automatically rolls back to the previously active configuration. Use it for any change that could cut off your own management access (filters on lo0, SSH settings, routing)
ro [ llback ] [ _N_ | rescue ] - load a previous configuration into the candidate: rollback 0 (or no number) discards uncommitted edits, rollback _N_ loads the _N_-th previous committed config (1-49 are kept), rollback rescue loads the rescue config; a commit is still required to activate it
sh sy comm [ it ] - commit history
com at _TIME_, show system commit, clear system commit
request system configuration rescue save - saves current active configuration as rescue configuration in /config
request system configuration rescue delete - delete rescue config
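- worked safe-change sequence using the commands above (an added example, not from the Day One books; the hostname, the statement being changed and the 5-minute window are placeholders, and lines starting with # are narration, not commands):

```junos
user@router> configure exclusive         # lock the candidate so nobody else's edits ride along
[edit]
user@router# set system services ssh root-login deny
[edit]
user@router# show | compare              # review exactly what will change before committing
[edit system services ssh]
+   root-login deny;
[edit]
user@router# commit check                # syntax and semantics only, nothing is activated
configuration check succeeds
[edit]
user@router# commit confirmed 5 comment "deny root ssh"
commit confirmed will be automatically rolled back in 5 minutes unless confirmed
commit complete
[edit]
# from a SECOND terminal, open a new ssh session as a non-root user; if it works:
user@router# commit                      # the second commit makes the change permanent
commit complete
[edit]
user@router# run show system commit      # the commit history shows the comment you attached
# to undo the change later by hand:
user@router# rollback 1                  # loads the previous committed config into the candidate
user@router# show | compare              # confirm it reverts only what you expect
user@router# commit
```

If the second terminal cannot log in, do nothing: when the 5 minutes expire the device reverts on its own, which is the whole point of confirmed commits on a box you reach only over the network.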
management
sh [ ow ] conf [ iguration ] - show config
set system host-name _HOSTNAME_ - hostname
sh ve [ rsion ] - version
sh sy { information | license }
sh sy [ stem ] up [ time ] - show time, show clock
sh sy us [ ers ] - logged in users
sh chassis { ha [ rdware ] | en [ vironment ] }
set chassis alarm ethernet link-down yellow
se d [ ate ] YYYYMMDDhhmm.ss - time/clock
req [ uest ] sy [ stem ] reb [ oot ]
req message all message _MESSAGE_ - console chat
req system software add /var/tmp/_FILE_.tgz reboot - software upgrade (the package path comes first, reboot is an option after it)
req system halt - stops all processes on the box (including the forwarding of traffic) but leave the box powered on and still reachable via the serial console
req sy power-off
req sy reb [ oot ] [ at _TIME_ ] - reboot; cl sys r [ eboot] to cancel pending reboot
users
set system root-authentication plain-text-password - root password
- fxp0/me0/em0 - dedicated management port
- user login classes
- super-user - all permissions
- operator - clear, network, reset, trace and view permissions
- read-only - view permissions
- unauthorized - no permissions
set system login user _USER_NAME_ class _CLASS_ full-name "_FULL_NAME_" authentication plain-text-password - add a user
set system login class _CLASS_ permissions _PERMISSIONS_ - custom-built login class (allow-commands / deny-commands regexes under the same class refine what the permission flags grant)
set system login class _CLASS_ login-alarms - show system alarms automatically when a user logs in
set system login class _CLASS_ idle-timeout _MINUTES_ - idle timeout is given in minutes, not seconds
set system login class _CLASS_ login-tip - provides the option of configuring login tips for the user
set system radius-server _IP_ secret _SECRET_ - RADIUS server (the address follows radius-server directly; there is no address keyword)
set system radius-server _IP_ source-address _IP_
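- least-privilege login class plus RADIUS, as an added example (not from the page's sources; class name, user names, the 192.0.2.x addresses and the secret are placeholders, and ## lines are annotations):

```junos
## read-only NOC class: view permissions plus a few explicitly allowed operational commands
set system login class NOC-RO permissions [ view view-configuration ]
set system login class NOC-RO allow-commands "(ping .*)|(traceroute .*)"
set system login class NOC-RO deny-commands "(request .*)|(start shell)"
set system login class NOC-RO idle-timeout 15
set system login class NOC-RO login-alarms
## local account; the CLI prompts for the password when this set is entered interactively
set system login user alice class NOC-RO full-name "Alice Example" authentication plain-text-password
## RADIUS: users authenticated remotely but with no local account land on the template user "remote"
set system radius-server 192.0.2.10 secret "replace-me-radius-secret"
set system radius-server 192.0.2.10 source-address 192.0.2.1
set system radius-server 192.0.2.10 timeout 5
set system login user remote class NOC-RO
set system authentication-order [ radius password ]
```

Two things to check after committing: the class has no clear, reset or maintenance flags, so ping and traceroute work only because allow-commands names them; and because password is listed in authentication-order, a local password is accepted when RADIUS is unreachable and also when it rejects the user, so keep local accounts to the minimum needed for break-glass access.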
interfaces
- PIC = Physical Interface Card, FPC = Flexible PIC Concentrator
_INTERFACE_-fpc/pic/port
set interfaces _INTERFACE_ (lo0 | ge-0/0/1 ...) unit _UNIT_ (usually 0) family inet address _IP_/_PREFIX_ - set interface IP (Junos logical unit ~ IOS subinterface); a missing prefix length defaults to /32
- interfaces are enabled by default and may be shut down with set interfaces _INTERFACE_ disable followed by a commit
sh [ ow ] int [ erfaces ] te [ rse ] - sh int status, sh int te ge*
cl in [ terfaces ] s [ tatistics ] { all | _INTERFACE_ } - clear counters
mo t [ raffic ] [ i [ nterface ] _INTERFACE_ ] [ m [ atching ] "_EXPR_" ] - tcpdump-style capture of exception traffic only (packets punted to the RE, not transit traffic), e.g. matching "udp && port ntp", matching "host 192.168.1.1"
acronyms
ae - Aggregated Ethernet interface. This is a virtual aggregated link and has one or more member links associated with it.
es - Encryption interface
fxp - Management and internal Ethernet interfaces
gr - Generic routing encapsulation (GRE) tunnel interface
lo - Loopback interface. The Junos OS automatically configures one loopback interface (lo0).
so - SONET/SDH interface
vt - Virtual loopback tunnel interface
fe - Fast Ethernet interface (100 Mb/s)
ge - Gigabit Ethernet interface (1G)
xe - 10-Gigabit Ethernet interface
et - 40- and 100-Gigabit Ethernet interface
services
set system services ssh - enable SSH
set system services ssh protocol-version _VERSION_
set system name-server _IP_ - DNS server
set system ntp boot-server _IP_ - just take the time, regardless of the difference at boot-time
set system ntp server _IP_
set system ntp authentication-key ...
set system syslog ... - syslog
set snmp ... - snmp
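- hardened baseline for the services above, as an added example (not from the page's sources; the 192.0.2.x collector/server addresses, key values and community string are placeholders to replace, and ## lines are annotations):

```junos
## SSH: v2 only, no direct root login, bounded connection rate
set system services ssh protocol-version v2
set system services ssh root-login deny
set system services ssh connection-limit 10
set system services ssh rate-limit 5
## NTP with symmetric-key authentication so a rogue server cannot skew the clock (and the log timestamps)
set system ntp authentication-key 1 type md5 value "replace-me-ntp-key"
set system ntp trusted-key 1
set system ntp server 192.0.2.20 key 1
## syslog: keep local files and ship to a collector; record auth events and every interactive command
set system syslog host 192.0.2.30 any notice
set system syslog host 192.0.2.30 authorization info
set system syslog host 192.0.2.30 interactive-commands info
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
## SNMP: read-only community reachable only from the poller; everything else is refused
set snmp community replace-me-community authorization read-only
set snmp community replace-me-community clients 192.0.2.40/32
set snmp community replace-me-community clients 0.0.0.0/0 restrict
```

Syslog over UDP is unauthenticated, so the collector address should sit on the management network and the interactive-commands file is the local copy you still have if the collector is lost; prefer SNMPv3 with authentication and privacy where the platform supports it.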
logs
sh log messages - logs
cl log messages - clear logs
monitor { start | stop } messages - live logs
- traceoptions - record more detailed messages about the operation of routing protocols, such as the various types of routing protocol packets sent and received, and routing policy actions; cpu intensive, so minimize
switching
set vlans _VLAN_ vlan-id _ID_ - set vlan
set interfaces _INTERFACE_ unit _UNIT_ family ethernet-switching port-mode access - access port
set interfaces _INTERFACE_ unit _UNIT_ family ethernet-switching port-mode trunk vlan members all - trunk port
- IOS SVI = JunOS RVI (Routed Virtual Interface)
set vlans _VLAN_ interface _INTERFACE_ - assign an interface to the vlan
set interfaces vlan unit _UNIT_ family inet address _IP_/_PREFIX_ - the RVI itself; the VLAN must also point at it with l3-interface vlan._UNIT_ under vlans _VLAN_
routing
- default routing tables = inet.0 (IPv4) and inet6.0 (IPv6)
- administrative distance - route preference
- direct = 0
- local = 0
- static = 5
- ospf int = 10
- rip = 100
- ospf ext = 150
- bgp = 170
- routing policy - way to control routing info (attributes, metrics, redistribution...)
sh ro [ ute ] [ _IP_ [ /_PREFIX_ ] | instance [ _INSTANCE_ ] ] - routing table (instance = VRF)
sh route forwarding-table - FIB
set routing-options static route _IP_/_PREFIX_ next-hop _IP_ - static route
ospf
set protocols ospf area _N_ interface _INTERFACE_ [ passive ] - assign an interface to the ospf area
sh ospf { neighbor | interface [ brief ] | overview } - verify ospf
set routing-options router-id _ID_ - router id
bgp
set protocols bgp group EBGP neighbor _IP_ peer-as _ASN_ - ebgp neighbor
set protocols bgp group IBGP type internal neighbor _IP_ local-address _IP_ - ibgp neighbor
set routing-options autonomous-system _ASN_
sh bgp { neighbor | summary } - verify bgp
edit policy-options policy-statement _POLICY_, set term _TERM_ from protocol direct, set term _TERM_ from route-filter _IP_/_PREFIX_ exact, set term _TERM_ then accept, top set protocols bgp group EBGP neighbor _IP_ export _POLICY_ - routing policy config (top is needed because the edit moved you into the policy hierarchy; without an export policy BGP advertises only BGP-learned routes, never direct ones)
nat
edit security nat source rule-set LAN_RULE, set from zone LAN, set to zone INET, set rule _RULE_ match source-address _IP_/_PREFIX_, set rule _RULE_ match destination-address _IP_/_PREFIX_, set rule _RULE_ then source-nat interface - source nat
set security nat destination pool _POOL_ address _IP_/_PREFIX_, set security nat destination pool _POOL_ address port _PORT_, edit security nat destination rule-set _RULE_, set from zone INET, set rule _RULE_ match source-address 0.0.0.0/0, set rule _RULE_ match destination-address _IP_/_PREFIX_, set rule _RULE_ match destination-port _PORT_, set rule _RULE_ then destination-nat pool _POOL_
firewall
- filters are stateless
- actions: accept, discard (silent), reject (ICMP message back)
- implicit discard
sh fi [ rewall ]
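- worked RE-protection filter showing the points above (stateless terms, accept/discard, counters, implicit discard), as an added example that is not from the page's sources; MGMT-NETS, the policer and term names and the 192.0.2.0/24 management range are placeholders, and ## lines are annotations:

```junos
## permitted management sources
set policy-options prefix-list MGMT-NETS 192.0.2.0/24
## policer so ICMP floods cannot starve the RE
set firewall policer ICMP-1M if-exceeding bandwidth-limit 1m
set firewall policer ICMP-1M if-exceeding burst-size-limit 15k
set firewall policer ICMP-1M then discard
## terms are evaluated top down, first match wins; anything unmatched hits the implicit discard
set firewall family inet filter PROTECT-RE term ssh-from-mgmt from source-prefix-list MGMT-NETS
set firewall family inet filter PROTECT-RE term ssh-from-mgmt from protocol tcp
set firewall family inet filter PROTECT-RE term ssh-from-mgmt from destination-port ssh
set firewall family inet filter PROTECT-RE term ssh-from-mgmt then accept
## SSH from anywhere else: count and log it, then drop silently (reject would answer with ICMP)
set firewall family inet filter PROTECT-RE term ssh-other from protocol tcp
set firewall family inet filter PROTECT-RE term ssh-other from destination-port ssh
set firewall family inet filter PROTECT-RE term ssh-other then count ssh-denied
set firewall family inet filter PROTECT-RE term ssh-other then syslog
set firewall family inet filter PROTECT-RE term ssh-other then discard
## routing protocols the box actually runs
set firewall family inet filter PROTECT-RE term ospf from protocol ospf
set firewall family inet filter PROTECT-RE term ospf then accept
set firewall family inet filter PROTECT-RE term bgp from protocol tcp
set firewall family inet filter PROTECT-RE term bgp from port bgp
set firewall family inet filter PROTECT-RE term bgp then accept
## rate-limited ICMP
set firewall family inet filter PROTECT-RE term icmp from protocol icmp
set firewall family inet filter PROTECT-RE term icmp then policer ICMP-1M
set firewall family inet filter PROTECT-RE term icmp then accept
## replies to sessions the RE itself started (stateless, so they must be matched explicitly)
set firewall family inet filter PROTECT-RE term tcp-established from protocol tcp
set firewall family inet filter PROTECT-RE term tcp-established from tcp-established
set firewall family inet filter PROTECT-RE term tcp-established then accept
set firewall family inet filter PROTECT-RE term ntp-dns-replies from protocol udp
set firewall family inet filter PROTECT-RE term ntp-dns-replies from source-port [ ntp domain ]
set firewall family inet filter PROTECT-RE term ntp-dns-replies then accept
## explicit final term only so the drops are countable; the implicit discard would do the same silently
set firewall family inet filter PROTECT-RE term default then count re-denied
set firewall family inet filter PROTECT-RE term default then discard
## inbound on the loopback governs traffic destined to the RE, not transit traffic
set interfaces lo0 unit 0 family inet filter input PROTECT-RE
```

Commit this with commit confirmed and verify from a second session before the final commit, then watch show firewall filter PROTECT-RE for the ssh-denied and re-denied counters climbing. It covers family inet only; IPv6 needs a parallel family inet6 filter, and on an SRX the zones' host-inbound-traffic settings are evaluated as well.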