Junos

• I haven't dealt much with Juniper equipment so it's time to change that
• Day One books are great
• "Day One: JunOS for IOS engineers" is a brilliant idea ("This example shows the standard Junos configuration output with curly braces. This may seem intimidating at first (it's not C programming), but once you get a handle on how things are laid out, you'll find it far more intuitive than in IOS, where configuration sections can have no rhyme or reason.") - valid burn

general

• JunOS is more of an application running on Linux/FreeBSD than standalone OS
• RE = Routing Engine; PFE = Packet Forwarding Engine
• case-sensitive
• J-Web - GUI to manage (enable with set system services web-management https interface ge-/0/0/0)
• standard UNIX hotkeys work
• in Junos there is always a rule: more specific wins
• the space bar automatically completes only builtin commands; by contrast, the tab button automatically-completes even your own user-defined objects
• the apply-flags omit command is actually hidden. You won't be able to tab-complete it. Some commands are hidden to prevent casual users from using them, and to stop expert users from accidentally typing them. You have to actively choose to use this command!
• h [ elp ] to [ pic ] for theory, h r [ eference ] for config, h s [ yslog ] _TERM_ for meaning of logs, h a [ propos ] _TERM_ for approximate about help, h ti [ p ] c [ li ] for helpful tips
• h for help in more display
• exi [ t ] or q [ uit ] - exit/quit
• ed [ it ] - jump to a specific location within the candidate configuration
• ru [ n ] - run operational commands from the config mode
• up [ _N_ ] - go up the hierarchy level
• t [ op ] - allows you to move to the first hierarchy level
• an [ notate ] _CONTAINER_ _COMMENT_ - comment (to delete a comment - an _CONTAINER_ "")
• se [ t ] - inserts a statement and values into the candidate configuration
• del [ ete ] - removes statements from the candidate configuration
• dea [ ctivate ] - make configuration changes and mark them as inactive until you are ready to use them
• cop [ y ] _INTERFACE_ to _INTERFACE_2_
• ren [ ame ]
• rep [ lace ]
• i [ nsert ]
• prot [ ect ]
• mo [ nitor ]

pipe

• n [ o-more ] - disable paging
• m [ atch ] - include, show only text that matches a pattern
• e [ xcept ] - exclude, show only text that does not match a pattern
• c [ ount ] - count occurrences
• l [ ast ] [ _N_ ] - display end of output only
• ref [ resh ] - refresh a continuous display of the command
• f [ ind ] - begin, search for first occurrence of pattern
• d [ isplay ] s [ et ] - show config as typed
• c [ ompare ] - compare configuration changes with prior version

modes

• operational - managing and monitoring; >
• configuration - #
• to enter config mode: co [ nfigure ] or ed [ it ]
• ways to enter the config mode
  • standard - allows any number of users to edit the candidate configuration simultaneously, and changes made by a single user are visibly shared so that all users can see them
  • exclusive - locks all other users out of configuration mode until the exclusive user closes the exclusive stat
  • private - provides a private configuration, whereby the device keeps a separate candidate copy containing only the changes by the private use
• note - by default, if more than one user is modifying the configuration, committing the configuration saves and activates the changes of all users (unless a user is in configure private mode)

CLI

• >se [ t ] cli { screen-w [ idth ] _N_ | screen-l [ ength ] _N_ | ti [ mestamp ] } - longer cli, default 80 char, 0 to disable
• >set cli i [ dle-timeout ] _MINUTES_
• sh cli [ a [ uthorization ] | d [ irectory ] | h [ istory ] [ _N_ ] ]

config

• load factory-default - factory default config
• request system-zeroize - removes all data files, including customized configuration and log files
• com [ mit ] - activate the candidate configuration ("Obviously no one is denying that rebooting a device, and causing a potential 10-minute outage while you wait for it to reboot and re-calibrate, is an absolutely brilliant way to undo your change. Truly fantastic. An undeniably great process. Everyone loves downtime! Brilliant and perfect advice, and not in any way terrible or awful, or bad. You won't find an engineer in the world who thinks this is anything other than the best possible way to deal with this situation.")
• com ch [ eck ] - check the correctness of syntax; do not apply changes
• com con [ firmed ] [ _MINUTES_ ] - commits a candidate configuration for n minutes (by default 10). If you don't then follow up with a second commit command, the device automatically rolls back to the previous configuration ; If you do not confirm the configuration by entering a second commit command, the CLI will roll back the device to the previously active configuration at the end of the n minute
• ro [ llback ] [ _N_ | rescue ] - return to the most recent previous configuration file (stores the last 49 configs)
• sh sy comm [ it ] - commit history
• com at _TIME_, show system commit, clear system commit
• request system configuration rescue save - saves current active configuration as rescue configuration in /config
• request system configuration rescue delete - delete rescue config

management

• sh [ ow ] conf [ iguration ] - show config
• set system host-name _HOSTNAME_ - hostname
• sh ve [ rsion ] - version
• sh sy { information | license }
• sh sy [ stem ] up [ time ] - show time, show clock
• sh sy us [ ers ] - logged in users
• sh chassis { ha [ rdware ] | en [ vironment ] }
• set chassis alarm ethernet link-down yellow
• se d [ ate ] YYYYMMDDhhmm.ss - time/clock
• req [ uest ] sy [ stem ] reb [ oot ]
• req message all message _MESSAGE_ - console chat
• req system software add reboot /var/tmp/ _FILE_.tgz - software upgrade
• req system halt - stops all processes on the box (including the forwarding of traffic) but leave the box powered on and still reachable via the serial console
• req sy power-off
• req sy reb [ oot ] [ at _TIME_ ] - reboot; cl sys r [ eboot] to cancel pending reboot

users

• set system root-authentication plain-text-password - root password
• fxp0/me0/em0 - dedicated management port
• user login classes
  • superuser - all permissions
  • operator - clear, network, reset, trace and view permissions
  • read-only - view permissions
  • unauthorized - no permissions
• set system login user _USER_NAME_ class _CLASS_ full-name "_FULL_NAME_" authentication plain-text-password - add a user
• set system login class _CLASS_ permissions _PERMISSIONS_ - custom built login clas
• set system login class _CLASS_ login-alarms - show system alarms automatically when a user logs in
• set system login class _CLASS_ idle-timeout _SECONDS_
• set system login class _CLASS_ login-tip - provides the option of configuring login tips for the user
• set system radius-server address _IP_
• set system radius-server _IP_ secret _PASSWORD_
• set system radius-server _IP_ source-address _IP_

interfaces

• PIC = Physical Interface Card, FPC = Flexible PIC Concentrator
• _INTERFACE_-fpc/pic/port
• set interfaces _INTERFACE_ (l0 | ge0/0/1...) unit _UNIT_ (usually 0) family inet address _IP_/_PREFIX_ - set interface IP (JunOS logical unit number ~ IOS subinterface); default mask is /32
• interfaces are enabled by default and may be shut down with set interfaces _INTERFACE_ disable and committing
• sh [ ow ] int [ erfaces ] te [ rse ] - sh int status, sh int te ge*
• cl in [ terfaces ] s [ tatistics ] { all | _INTERFACE_ } - clear counters
• mo t [ raffic ] [ m [ atching ] _REGEX_ ] - packet capture of the exception traffic (matching udp&&port ntp, matching src||dst 192.168.1.1)

acronyms

• ae - Aggregated Ethernet interface. This is a virtual aggregated link and has one or more member links associated with it.
• es - Encryption interface
• fxp - Management and internal Ethernet interfaces
• gr - Generic routing encapsulation (GRE) tunnel interface
• lo - Loopback interface. The Junos OS automatically configures one loopback interface (lo0).
• so - SONET/SDH interface
• vt - Virtual loopback tunnel interface
• fe - Fast Ethernet interface (100m)
• ge - Gigabit Ethernet interface (1G)
• xe - 10-Gigabit Ethernet interface
• et - 40, and 100-Gigabit Ethernet

services

• set system services ssh - enable SSH
• set system services ssh protocol-version _VERSION_
• set system name-server _IP_ - DNS server
• set system ntp boot-server _IP_ - just take the time, regardless of the difference at boot-time
• set system ntp server _IP_
• set system ntp authentication-key ...
• set system syslog ... - syslog
• set snmp ... - snmp

logs

• sh log messages - logs
• cl log messages - clear logs
• monitor { start | stop } messages - live logs
• traceoptions - record more detailed messages about the operation of routing protocols, such as the various types of routing protocol packets sent and received, and routing policy actions; cpu intensive, so minimize

switching

• set vlans _VLAN_ vlan-id _ID_ - set vlan
• set interfaces _INTERFACE_ unit _UNIT_ family ethernet-switching port-mode access - access port
• set interfaces _INTERFACE_ unit _UNIT_ family ethernet-switching port-mode trunk vlan members all - trunk port
• IOS SVI = JunOS RVI (Routed Virtual Interface)
• set vlans _VLAN_ interface _INTERFACE_ - assign an interface to the vlan
• set interfaces vlan unit _UNIT_ family inet address _IP_/_PREFIX_

routing

• default routing table = inet.0 and inet6.0
• administrative distance - route preference
  • direct = 0
  • local = 0
  • static = 5
  • ospf int = 10
  • rip = 100
  • ospf ext = 150
  • bgp = 170
• routing policy - way to control routing info (attributes, metrics, redistribution...)
• sh ro [ ute ] [ _IP_ [ /_PREFIX_ ] | instance [ _INSTANCE_ ] ] - routing table (instance = VRF)
• sh route forwarding-table - FIB
• sh rout
• set routing-options static route _IP_/_PREFIX_ next-hop _IP_ - static route

ospf

• set protocols ospf area _N_ interface _INTERFACE_ [ passive ] - assign an interface to the ospf area
• sh ospf { neighbor | interface [ brief ] | overview } - verify ospf
• set routing-options router-id _ID_ - router id

bgp

• set protocols bgp group EBGP neighbor _IP_ peer-as _ASN_ - ebgp neighbor
• set protocols bgp group IBGP type internal neighbor _IP_ local-address _IP_ - ibgp neighbor
• set routing-options autonomous-system _ASN_
• sh bgp { neighbor | summary } - verify bgp
• edit policy-options policy-statement _POLICY_, set term _TERM_ from protocol direct, set term _TERM_ from route-filter _IP_/_PREFIX_ exact, set term _TERM_ then accept, set protocols bgp group EBGP neighbor _IP_ export _POLICY_ - routing policy config

nat

• edit security nat source rule-set LAN_RULE, set from zone LAN, set to zone INET, set rule _RULE_ match source-address _IP_/_PREFIX_, set rule _RULE_ match destination-address _IP_/_PREFIX_, set rule _RULE_ then source-nat interface - source nat
• set security nat destination pool _POOL_ address _IP_/_PREFIX_, set security nat destination pool _POOL_ address port _PORT_, edit security nat destination rule-set _RULE_, set from zone INET, set rule _RULE_ match source-address 0.0.0.0/0, set rule _RULE_ match destination-address _IP_/_PREFIX_, set rule _RULE_ match destination-port _PORT_, set rule _RULE_ then destination-nat pool _POOL_

firewall

• filters are stateless
• actions: accept, discard (silent), reject (ICMP message back)
• implicit discard
• sh fi [ rewall ]