The CLI has two modes: operational and configuration. Operational mode is where you can troubleshoot and monitor the software, router, and network. Configuration mode is where the actual statements for interfaces, routing protocols, and others are placed.

When a user first enters the router via Telnet, Secure Shell (SSH), or direct console access, the user will see a login prompt. After entering the correct username and password, the user will be placed directly into operational mode. Operational mode will be designated by the > (chevron) character at the router prompt of username@hostname. As shown here, user doug logs into a router called Hops:

Hops (ttyd0)

login:doug
Password:

--- JUNOS 8.0R1.9 built 2006-08-11 16:25:40 UTC
doug@Hops>

An exception to being automatically placed into operational mode occurs when you log in as user root. In this case, the user will actually be placed into the shell (designated by the percent sign) and will have to start the CLI process manually:

Hops (ttyd0)

login:root
Password:

--- JUNOS 8.0R2.8 built 2006-09-29 09:22:36 UTC
root@Hops% cli
root@Hops>

Most of the commands that you will run in operational mode are show commands, which allow you to gather information about the routing protocols, interfaces, router’s software, and router’s hardware. Ping, traceroute, telnet, and ssh can also be performed from this mode. Finally, some very JUNOS-specific commands, such as request, restart, and test, may be issued. Request commands perform system-wide functions such as rebooting, upgrading, and shutting down the router. Restart commands are similar to the Unix-style kill commands, which allow you to restart certain software processes. Test commands allow verifications for save configuration files, proactive testing of policies, and interface testing such as BERT (bit error rate testing) and FEAC (far-end alarm and control) loopbacks.

There are a few general JUNOS software CLI features worth mentioning, including command completion, EMACs-style keys, and pipe commands.

doug@Hops>sh<space>ow conf<space>iguration int<space>erfaces
at<tab>−0/2/1<enter>

user@host>show ip<space>
                   ^
'ip' is ambiguous.
Possible completions:
  ipsec                Show IP Security information
  ipv6                 Show IP version 6 information

doug@Hops>show route | match /27 | count
Count: 1 lines

doug@Hops>show route | match /32 | match 10.0
10.0.15.2/32       *[Local/0] 03:18:28
10.0.16.1/32       *[Local/0] 03:20:49
10.0.21.1/32       *[Local/0] 03:30:30
10.0.0.4/32        *[Local/0] 08:54:55

doug@Hops>show route | match "/32|10.0"
10.0.15.0/24       *[Direct/0] 03:22:46
10.0.15.2/32       *[Local/0] 03:22:46
10.0.16.0/24       *[Direct/0] 03:25:07
10.0.16.1/32       *[Local/0] 03:25:07
10.0.21.0/24       *[Direct/0] 03:34:48
10.0.21.1/32       *[Local/0] 03:34:48
10.210.8.1/32      *[Local/0] 04:07:19
192.168.16.1/32    *[Direct/0] 03:34:48
10.0.0.0/8         *[Direct/0] 08:59:13
10.0.0.4/32        *[Local/0] 08:59:13
fec0::10:0:0:4/128 *[Local/0] 08:59:13

To actually configure the router, enter configuration mode by typing the word configure in operational mode. The router prompt will change to the octothorpe (#) symbol:

doug@Hops>configure
Entering configuration mode

[edit]
doug@Hops#

By default, when entering configuration mode, multiple users can enter the router and make changes at the same time. To avoid any issues that may arise, you can use the configure exclusive or configure private command. The former command allows only a single user to configure the router, whereas the latter command allows multiple users to configure different pieces of the configuration. If you use configure exclusive, no other users can make changes to the configuration besides the single user that entered exclusively. Using private mode, each user will get a copy of the current configuration and only changes that they make will be applied. If two users attempt to make the same change, such as adding an IP address to the same interface, the change will be rejected and both users will exit configuration mode to resolve their conflict.

In configuration mode, you can add configuration by using a set command. For example, to enable the Telnet server application on the router, issue this command:

doug@Hops# set system services telnet

The CLI is actually composed of many directories and subdirectories, which will eventually contain the command that is input. You can think of this as you would a PC, where the hard drive is normally named C:\ and it is partitioned into directories such as Windows, program files, drivers, and so on. These directories may contain subdirectories, which will eventually contain files or applications.

C:\>dir/w
 Volume in drive C has no label.
 Volume SerialNumber is 7806-197A

 Directory of C:\

AUTOEXEC.BAT                 [Backup]
bi-admin.dat                 Catalog.LiveSubscribe
[Config.Msi]                 CONFIG.SYS
[dell]                       [Dell962]
dlbx.log                     dlbxscan.log
[Documents and Settings]     [drivers]
DVDPATH.TXT                  [ERDNT]
[f403a5940e14ba07a40a99897c] [HP LJ1160-LJ1320]
HuskyInstallerLog.txt        [i386]
INFCACHE.1                   [ipv0011]
[ipv0021]                    [My Downloads]
[nslabs]                     [Program Files]
[reg_backup]                 statusclient.log
tmuninst.ini                 ut.bat
ut9x.bat                     [WINDOWS]
[Xitami]                     YServer.txt
              14 File(s)      4,055,509 bytes
              18 Dir(s)  26,173,308,928 bytes free

In JUNOS software, the top level, or C:\, is named edit, with multiple directories partitioned below it. You can view these directories by using the set ? command:

[edit]
doug@Hops# set ?
Possible completions:
> access             Network access configuration
> accounting-options Accounting data configuration
> applications       Define applications by protocol characteristics
+ apply-groups       Groups from which to inherit configuration data
> chassis            Chassis configuration
> class-of-service   Class-of-service configuration
> event-options      Event processing configuration
> firewall           Define a firewall configuration
> forwarding-options Configure options to control packet sampling
> groups             Configuration groups
> interfaces         Interface configuration
> policy-options     Routing policy option configuration
> protocols          Routing protocol configuration
> routing-instances  Routing instance configuration
> routing-options    Protocol-independent routing option configuration
> security           Security configuration
> services           Service PIC applications settings
> snmp               Simple Network Management Protocol configuration
> system             System parameters

So, when you issue the command set system services telnet, the system directory is accessed, followed by the subdirectory services and ending in the command telnet to enable the Telnet service. Figure 1-5 shows a partial directory tree to illustrate this process. Thankfully, you do not need to memorize the entire hierarchical tree structure, but it is important to understand the hierarchical structure and how it relates to configuration mode commands.

Figure 1-5. Subsection of JUNOS configuration tree

The opposite of the set command to remove configuration from the router is the delete command. Usually this command is used to remove a single line, but you also can use it to remove an entire hierarchy. In the simplest case, for example, to remove the Telnet service from the router, change the previous set command to a delete command:

doug@Hops#delete system services telnet

You can issue configuration commands such as set and delete from the top root level or from inside a subdirectory. To navigate to a subdirectory, issue an edit command, which is essentially a change directory command. If the Telnet service needed to be enabled, you could use an alternative method of moving into the subdirectory system services and then issuing a short set command:

[edit]
doug@Hops#edit system services

[edit system services]
doug@Hops#set telnet

Using the edit command is not necessary, but it allows the user to issue shorter set commands when compared to the top level. Just like choosing a color for a new car, you can choose how you want to configure the router as long as the desired result is achieved. Once in a certain directory, there are multiple ways to navigate the directory tree using commands such as up, top, and even exit. The up command will move you up one level in the directory tree or multiple levels if a numerical value is given after the up command:

[edit system services]
doug@Hops#up

[edit system]
doug@Hops# edit services

[edit system services]
doug@Hops# up 2

[edit]
doug@Hops#

From any hierarchy, you can issue the top command to move you up to the root level of the configuration tree. It has the added functionality of allowing multiple configuration statements after issuing the command, such as top edit or top set:

[edit system services]
doug@Hopstop

[edit]
doug@Hops# edit system services

[edit system services]
doug@Hops# top edit protocols ospf

[edit protocols ospf]
doug@Hops#

Another nice feature of configuration mode allows you to view the configuration that was just completed by issuing a show command. For instance, to view the configuration of the system services, issue this command:

[edit]
doug@Hops#show system services
ftp;
ssh;
telnet;

Or try yet another way to view the system services, by issuing the show command inside the subdirectory in question. A show command with no additional arguments shows the configuration from that hierarchy and below:

[edit]
doug@Hops#edit system services

[edit system services]
doug@Hops# show
ftp;
ssh;
telnet;

After issuing a plethora of set and delete commands, the keen user will notice that no changes have actually occurred in the router! To apply the changes, a special word—one that is often difficult to say in the real world—must be used: commit. To understand what is occurring when issuing the commit command, it’s best to examine the different types of configurations that occur in the JUNOS router.

A Juniper Networks router has two configuration files that are always present: the candidate configuration and the active configuration. The active configuration is the current running configuration in the router, whereas the candidate configuration is the temporary text file that is being modified while in configuration mode. When the commit command is issued, the candidate configuration becomes the active configuration if no syntax errors are detected. In addition, the old active configuration is archived into a file called a rollback 1. So, if a mistake is made, you can easily recover the old active configuration by issuing a rollback 1. This causes the candidate configuration to be replaced by the old active configuration. A commit command must then be issued to activate this rollback file. JUNOS saves not only this last active configuration, but also the previous 49 configurations. Each time a commit is issued, the archived file shifts down the list of 49. The first commit creates a rollback 1, the second commit (the old active) becomes rollback 1, the old rollback 1 becomes rollback 2, and so on, down the line. Figure 1-6 illustrates this rollback process.

Figure 1-6. Configuration and rollback

Another important rollback command that can be useful is a rollback 0, which copies the active configuration to the candidate configuration. As an example, imagine that user doug logs into a router and issues a command to change the hostname of the router to a less desirable name, but does not actually activate the change.

doug@Hops>configure
Entering configuration mode

[edit]
doug@Hops# set system host-name yousmell

[edit]
doug@Hops# exit
The configuration has been changed but not committed
Exit with uncommitted changes? [yes,no] (yes) yes

Exiting configuration mode

doug@Hops>exit

A new user logs into the router, enters configuration mode, and observes that changes have occurred:

doug@Hops>configure
Entering configuration mode
The configuration has been changed but not committed

[edit]
lab@Hops#

It would seem at first glance that the new user is in between a rock and a hard place, but JUNOS has a very useful pipe command you can use—the compare command. This command allows any two files, including rollback files, active files, and candidate files, to be compared and the differences displayed. In this example, the candidate and active configurations will be compared:

[edit]
doug@Hops#show | compare
[edit system]
-  host-name Hops;
+  host-name yousmell;

It appears that user doug has been up to his old pranks again, attempting to change the hostname of the router. If a commit is issued, the hostname Hops will be removed and the hostname yousmell will be added. To wipe out these statements, a rollback 0 could be issued to stop doug and his mischievous ways:

doug@Hops#rollback 0
load complete

[edit]
lab@Hops#show | compare

One last key point of the two configuration types is that any operational mode command can be issued in configuration mode as long as the keyword run is issued before the command. For instance:

lab@Hops#ping
          ^
unknown command.

[edit]
dougHops# run ping 10.210.8.2
PING 10.210.8.2 (10.210.8.2): 56 data bytes
64 bytes from 10.210.8.2: icmp_seq=0 ttl=64 time=0.387 ms
64 bytes from 10.210.8.2: icmp_seq=1 ttl=64 time=0.296 ms
^C
--- 10.210.8.2 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.296/0.342/0.387/0.045 ms

To save the candidate configuration to the user’s home directory, you must issue the save command while in configuration mode.

It is important to realize which configuration directory you are located in when issuing the save command, as the command saves from the current hierarchy. To save the entire candidate configuration, issue the save command from the top of the directory tree:

[edit]
doug@Hops#save junos_is_cool
Wrote 413 lines of configuration to 'junos_is_cool'

Sometimes it is not desirable to save the entire configuration, so to save a portion, simply navigate into the desired directory to be saved. For instance, if every router in your network has the same system login information, you may want to save only that portion to load into other routers later:

[edit system login]
doug@Hops#save only_system_login
Wrote 31 lines of configuration to 'only_system_login'

It would be fantastic to eliminate the need to issue manual saves, so system archival allows for the automatic saving of configurations when issuing a commit or at a set time interval:

doug@Hops#set archival configuration ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> archive-sites
  transfer-interval    Frequency at which file transfer happens (minutes)
  transfer-on-commit   Transfer after each commit

These files can be FTP’d or scp’d off to a server under the archivel-sites configuration. In the example that follows, every time a commit is issued, the configuration file is sent to an FTP server with user doug, password okemos123, and IP address 66.17.3.254, and then into the /config/junos directory:

archival {
    configuration {
        transfer-on-commit;
        archive-sites {
            "ftp://doug:okemos123@66.17.3.254/config/junos";
        }

The opposite of saving a configuration is loading a configuration, which you can accomplish by the load command. There are several variations of the load command:

doug@Hops# load ?
Possible completions:
 factory-default Override existing configuration with factory default
 merge           Merge contents with existing configuration
 override        Override existing configuration
 patch           Load patch file into configuration
 replace         Replace configuration data
 set             Execute set of commands on existing configuration
 update          Update existing configuration

Although each type of load command has its advantages, we will examine only the most common command variations here. One of the most common loads is the override command, which replaces the current candidate configuration with the specified file:

[edit]
doug@Hops#load override junos_is_cool
load complete

The merge switch will also be used often when just a small piece of configuration needs to be added to the candidate configuration. For instance, you can issue the following command to add the system login configuration saved previously:

[edit]
doug@Hops#load merge only_system_login
load complete

Since it is highly likely that more than one router will exist in a network, cutting and pasting configurations can give you a few more hours of free time in your life. There are several ways to cut and paste configurations into the router, including using variations of the load command, or copying set commands directly into the router. The oldest JUNOS software method is to use the load command with the terminal option, which opens a terminal buffer, allowing full or partial configurations to be pasted in:

doug@Hops#load merge terminal
[Type ^D at a new line to end input]
system {
services {
        ftp;
        ssh;
        telnet;
    }
}
load complete

Cutting and pasting using this method definitely takes some practice, as the proper number of levels and braces must always be present. The terminal command always assumes that the entire top-level hierarchy is known. If the upper-level directories are not included, errors will occur and the relative keyword could become very useful:

[edit]
doug@Hops#load merge terminal
[Type ^D at a new line to end input]
services {
    ftp;
  terminal:2:(7) syntax error: ftp
   [edit services]
    'ftp;'
      syntax error
 ssh;
    telnet;
}
[edit]
  'services'
    warning: statement has no contents; ignored
load complete (1 errors)

Since the pasting started at the services level and not at the system level, the pasting causes errors and does not complete. One solution is to navigate to the system directory and indicate that the configuration will be loaded relative to that directory:

[edit]
doug@Hops#edit system

[edit system]
doug@Hops# load merge terminal relative
[Type ^D at a new line to end input]
services {
    ftp;
    ssh;
    telnet;
}
load complete

Or perhaps a simpler method would be to load set commands directly into the router by simply pasting a carriage return after each set command or by using the load set command:

doug@Hopsload set terminal
[Type ^D at a new line to end input]
set system services ftp
set system services ssh
set system services telnet
load complete

If the router is causing you problems, simply ask it for help. You can accomplish this in a few ways. The first is with a question mark (?) to display possible command completions:

doug@Hops#set system login ?
Possible completions:
  announcement         System announcement message (displayed after
login)
+ apply-groups         Groups from which to inherit configuration
data
+ apply-groups-except  Don't inherit configuration data from these
groups
> class                Login class
  message              System login message
> password
> user                 Username

The > character indicates a directory that contains subdirectories, + indicates a command that takes multiple arguments, and no symbol means the command takes a single argument or is in fact the end statement of a command.

The help command is a secret resource of which few are aware. This displays the same technical documentation that can also be located online. Sometimes a small piece of a command is remembered but not the full statement; help can aid in finding that full command by searching through the JUNOS software configuration tree for a particular string:

doug@Hops#help apropos host-name
set system host-name <host-name>
    Hostname for this router
set system static-host-mapping <host-name>
    Fully qualified name of system
set system services dhcp static-binding <mac-address> host-name
<host-name>
    Hostname for this client
set system syslog host
    Host to be notified
set interfaces <interface_name> services-options syslog host
<host-name>
    Name of host to notify
set accounting-options routing-engine-profile <profile-name> fields
host-name
    Hostname for this router
set services l2tp tunnel-group <name> syslog host <host-name>
    Name of host to notify
set services service-set <service-set-name> syslog host <host-name>
    Name of host to notify

If you encounter a command in the router that needs clarification, you can obtain more information by issuing the help topic or help reference command. The former will display general usage guidelines for that command:

doug@Hops#help topic ospf hello-interval
 Modifying the Hello Interval

  Routers send hello packets at a fixed interval on all interfaces,
  including virtual links, to establish and maintain neighbor
  relationships. This interval, which must be the same on all routers
  on a shared network, is advertised in the hello interval field in
  the hello packet. By default, the router sends hello packets every
  10 seconds.

  To modify how often the router sends hello packets out of an
  interface, include the hello-interval statement:
    hello-interval seconds;

  For a list of hierarchy levels at which you can configure this
  statement, see the statement summary section for this statement.

  On nonbroadcast networks, the router sends hello packets every 120
  seconds until active neighbors are detected by default. This
  interval is long enough to minimize the bandwidth required on slow
  WAN links. To modify this interval, include the poll-interval
  statement: poll-interval seconds;

+-------------------------------------------------------------+
|NOTE:  The poll-interval statement is valid for OSPFv2 only. |
+-------------------------------------------------------------+

   For a list of hierarchy levels at which you can configure this
   statement, see the statement summary section for this statement.
   Once the router detects an active neighbor, the hello packet
   interval changes from the time specified in the poll-interval time
   statement to the specified in the hello-interval statement.

After you’ve learned what a certain command accomplishes and when you should use it, you can view the actual syntax and possible options using the help reference command. It’s similar to the manual command seen on other operating systems:

[edit]
doug@Hops#help reference ospf hello-interval
hello-interval

      Syntax

   hello-interval seconds;

      Hierarchy Level

   [edit logical-routers logical-router-name protocols ospf area area-id
   peer-interface
       interface-name],
   [edit logical-routers logical-router-name protocols (ospf | ospf3) area
   area-id
       interface interface-name],
   [edit logical-routers logical-router-name protocols (ospf | ospf3) area
   area-id virtual-link],
   [edit logical-routers logical-router-name routing-instances
   routing-instance-name
       protocols (ospf | ospf3) area area-id interface interface-name],
   [edit logical-routers logical-router-name routing-instances
   routing-instance-name
       protocols (ospf | ospf3) area area-id virtual-link],
   [edit protocols ospf area area-id peer-interface interface-name],
   [edit protocols (ospf | ospf3) area area-id interface interface-name],
   [edit protocols (ospf | ospf3) area area-id virtual-link],
   [edit routing-instances routing-instance-name protocols (ospf | ospf3)
   area area-id
       interface interface-name],
   [edit routing-instances routing-instance-name protocols (ospf | ospf3)
   area area-id
       virtual-link]

      Release Information

   Statement introduced before JUNOS Release 7.4.

      Description

   Specify how often the router sends hello packets out the interface.
   The hello interval must be the same for all routers on a shared
   logical IP network.

      Options
   seconds--Time between hello packets, in seconds.
   Range: 1 through 255 seconds
   Default: 10 seconds; 120 seconds (nonbroadcast networks)

      Usage Guidelines

   See "Modifying the Hello Interval".

      Required Privilege Level

   routing--To view this statement in the configuration.
   routing-control--To add this statement to the configuration.

      See Also

   dead-interval