Swconfig50 Getting Started

JUNOS Internet Software Configuration Guide
Getting Started
Release 5.0
Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA 94089 USA 408-745-2000 www.juniper.net
Part Number: 530-004542-01, Revision 2
ii
This product includes the Envoy SNMP Engine, developed by Epilogue Technology, an Integrated Systems Company. Copyright 19861997, Epilogue Technology Corporation. All rights reserved. This program and its documentation were developed at private expense, and no part of them is in the public domain. This product includes memory allocation software developed by Mark Moraes, copyright 1988, 1989, 1993, University of Toronto. This product includes FreeBSD software developed by the University of California, Berkeley, and its contributors. All of the documentation and software included in the 4.4BSD and 4.4BSD-Lite Releases is copyrighted by The Regents of the University of California. Copyright 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994. The Regents of the University of California. All rights reserved. GateD software copyright 1995, The Regents of the University. All rights reserved. Gate Daemon was originated and developed through release 3.0 by Cornell University and its collaborators. Gated is based on Kirtons EGP, UC Berkeleys routing daemon (routed), and DCNs HELLO routing protocol. Development of Gated has been supported in part by the National Science Foundation. Portions of the GateD software copyright 1988, Regents of the University of California. All rights reserved. Portions of the GateD software copyright 1991, D. L. S. Associates. This product includes software developed by Maker Communications, Inc., Copyright 1996, 1997, Maker Communications, Inc. Juniper Networks is a registered trademark of Juniper Networks, Inc. Internet Processor, Internet Processor II, JUNOS, JUNOScript, M5, M10, M20, M40, and M160 are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks may be the property of their respective owners. All specifications are subject to change without notice. JUNOS Internet Software Configuration Guide: Getting Started, Release 5.0 Copyright 2001, Juniper Networks, Inc. All rights reserved. Printed in USA. Writers: Margaret Jones, John Gilbert Chan Editors: Cris Morris, Pam Muraca, Cathy Steinberg Covers and template design: Edmonds Design Revision History 10 August 2001First Edition. The information in this document is current as of the date listed in the revision history above. The information in this document has been carefully verified and is believed to be accurate. Juniper Networks assumes no responsibilities for any inaccuracies that may appear in this document. In no event will Juniper Networks be liable for direct, indirect, special, exemplary, incidental or consequential damages resulting from any defect or omission in this document, even if advised of the possibility of such damages. Juniper Networks reserves the right to change, modify, transfer or otherwise revise this publication without notice. YEAR 2000 NOTICE Juniper Networks hardware and software products are Year 2000 compliant. The JUNOS software has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036. SOFTWARE LICENSE The terms and conditions for using this software are described in the software license contained in the acknowledgment to your purchase order or, to the extent applicable, to any reseller agreement or end-user purchase agreement executed between you and Juniper Networks, Inc. By using this software, you indicate that you understand and agree to be bound by those terms and conditions. Generally speaking, the software license restricts the manner in which you are permitted to use the software and may contain prohibitions against certain uses. The software license may state conditions under which the license is automatically terminated. You should consult the license for further details. For complete product documentation, please see the Juniper Networks Web site at www.juniper.net/techpubs.
Abbreviated Table of Contents About this Manual Part 1 Overview

Chapter 1 Architecture ............................................................................................3 Product Chapter 2 JUNOS Software Overview .................................................................................9 Chapter 3 Configuration Mode Complete
Commands and Statements ............................................................................25
Part 2 Software Installation and Upgrade

Chapter 4 Overview ..........................................................................................55 Installation Chapter 5 Configure the Software Initially ..................................................................59 Chapter 6 the Software .......................................................................................63 Reinstall Chapter 7 Software Packages .........................................................................67 Upgrade Chapter 8 to Release 5.0 or Downgrade from Release 5.0 ...........73 Upgrade
iii
Abbreviated Table of Contents
iv
Part 3 Command-Line Interface

Chapter 9 Command-Line Interface Overview ............................................................79 Chapter 10 Command-Line Interface Operational Mode ......................................... 81 Chapter 11 Control the CLI Environment ..........................................................................99 Chapter 12 the Router with the CLI ........................................................... 103 Configure Chapter 13 Groups ........................................................................................149 Configuration Chapter 14of CLI Environment Commands ............................................167 Summary Chapter 15of CLI Configuration Mode Commands ...........................173 Summary Chapter 16of CLI Operational Mode Commands................................183 Summary
Part 4 System Management

Chapter 17 System Management Overview .................................................................. 191 Chapter 18 System Management Configuration Statements ...........................197 Chapter 19 Configure Basic System Management ................................................... 201 Chapter 20 System Authentication ............................................................209 Configure Chapter 21 User Access ..................................................................................... 215 Configure Chapter 22 Time ......................................................................................................223 Configure Chapter 23 Configure System Logging ............................................................................229
JUNOS 5.0 Internet Software Configuration Guide: Getting Started
Chapter 24 Miscellaneous System Management ..............................235 Configure Chapter 25of System Management Summary
Configuration Statements..............................................................................243
Part 5 Router Chassis

Chapter Router26 Chassis Configuration Guidelines ..........................................279 Chapter 27of Router Chassis Configuration Statements ............289 Summary
Part 6 Appendix
Appendix GlossaryA .....................................................................................................................299
Part 7 Indexes
Index Index .............................................................................................................................317 Index Index of Statements and Commands......................................................327
Abbreviated Table of Contents
vi
Table of Contents About this Manual

Objectives .......................................................................................................... xxiii Audience............................................................................................................ xxiv Document Organization..................................................................................... xxiv Related Documentation ..................................................................................... xxvi Part Organization............................................................................................... xxvi Using the Index................................................................................................. xxvii Documentation Conventions ........................................................................... xxviii General Conventions ............................................................................... xxviii Conventions for Software Commands and Statements ............................. xxviii Documentation Feedback ...................................................................................xxx How to Request Support .....................................................................................xxx
Part 1 Overview
Chapter 1 Architecture ............................................................................................3 Product
Hardware Overview ................................................................................................3 Product Architecture ...............................................................................................4 Packet Forwarding Engine ..............................................................................5 Packet Flow through the Router ...............................................................5 Routing Engine ...............................................................................................6
vii
Table of Contents
viii
Chapter JUNOS2 Software Overview .................................................................................9

Routing Engine Software Components ...................................................................9 Routing Protocol Process ...............................................................................10 Routing Protocols ...................................................................................10 Routing and Forwarding Tables..............................................................11 Routing Policy .......................................................................................12 Interface Process ...........................................................................................13 Chassis Process .............................................................................................13 SNMP and MIB II Processes ...........................................................................13 Management Process ....................................................................................13 Routing Engine Kernel...................................................................................14 Software Installation Overview .............................................................................14 Tools for Accessing and Controlling the Software .................................................14 Software Configuration Overview .........................................................................15 Methods of Configuring the Software ............................................................15 Configuring the Software...............................................................................15 Activating a Configuration .............................................................................16 Software Monitoring Tools....................................................................................16 Supported Software Standards..............................................................................16 Supported Internet RFCs and Drafts ..............................................................17 ATM .......................................................................................................17 BGP ........................................................................................................17 Frame Relay...........................................................................................17 GRE and IP-IP Encapsulation ..................................................................17 IP Multicast ............................................................................................17 IS-IS........................................................................................................18 LDP ........................................................................................................18 MIBs ......................................................................................................18 MPLS......................................................................................................20 OSPF ......................................................................................................20 PPP ........................................................................................................20 RIP ........................................................................................................20 RSVP ......................................................................................................21 TCP/IP v4 ...............................................................................................21 Supported ISO Standards...............................................................................22 IS-IS........................................................................................................22 Supported SDH and SONET Standards ..........................................................22 Other Supported Standards ...........................................................................23 ATM .......................................................................................................23 Frame Relay...........................................................................................23 Ethernet .................................................................................................23 T3 ..........................................................................................................23
Chapter 3 Configuration Mode Complete

Commands and Statements ............................................................................25
Complete Configuration Mode Commands ...........................................................25 Complete Configuration Statement Hierarchy.......................................................26 [edit accounting-options] Hierarchy Level......................................................26 [edit chassis] Hierarchy Level ........................................................................27 [edit class-of-service] Hierarchy Level ...........................................................27 [edit firewall] Hierarchy Level........................................................................29 [edit forwarding-options] Hierarchy Level......................................................29 [edit groups] Hierarchy Level.........................................................................30 [edit interfaces] Hierarchy Level ....................................................................30 [edit policy-options] Hierarchy Level .............................................................34 [edit protocols] Hierarchy Level .....................................................................35 [edit routing-instances] Hierarchy Level.........................................................45 [edit routing-options] Hierarchy Level............................................................47 [edit snmp] Hierarchy Level ..........................................................................49 [edit system] Hierarchy Level ........................................................................50

Chapter 4 Overview ..........................................................................................55 Installation
JUNOS Software Distribution ................................................................................55 JUNOS Software Naming Conventions ..................................................................56 Software Release Name ................................................................................56 Package Names .............................................................................................57 Storage Media ......................................................................................................57 Boot Devices .........................................................................................................57 Boot Sequence ......................................................................................................58
Chapter 5 the Software Initially ..................................................................59 Configure Chapter 6 Reinstall the Software .......................................................................................63
Prepare to Reinstall the JUNOS Software ..............................................................63 Reinstall the JUNOS Software................................................................................63 Reconfigure the JUNOS Software ..........................................................................64
ix
Table of Contents
Chapter 7 Software Packages Upgrade
........................................................................67
Upgrade All Software Packages.............................................................................68 Upgrade Individual Software Packages .................................................................69
Chapter 8 to Release 5.0 or Downgrade from Release 5.0 ...........73 Upgrade

Chapter 9 Command-Line Interface Overview ............................................................79
CLI Modes.............................................................................................................79 CLI Command Hierarchy ......................................................................................80
Chapter 10 Command-Line Interface Operational Mode ......................................... 81

Use the CLI ...........................................................................................................82 Get Help About Commands ...........................................................................83 Examples: Get Help About Commands...................................................83 Have the CLI Complete Commands ...............................................................84 Examples: Use CLI Command Completion .............................................85 CLI Messages.................................................................................................85 Move around and Edit the Command Line ....................................................86 How Output Appears on the Screen ..............................................................87 Display Output One Screen at a Time ....................................................87 Filter Command Output ........................................................................88 Place Command Output in a File.....................................................89 Search for a String in the Output.....................................................90 Compare Configuration Changes with a Prior Version.....................92 Count the Number of Lines in the Output .......................................94 Display All Output at Once..............................................................94 Retain the Output after the Last Screen...........................................94 Display Additional Information about the Configuration ................94 Filter Command Output Multiple Times ..........................................97 Set the Current Date and Time .............................................................................97 Display CLI Command History..............................................................................97 Monitor Who Uses the CLI ....................................................................................98
Chapter 11 Control the CLI Environment ..........................................................................99

Set the Terminal Type...........................................................................................99 Set the Screen Length ...........................................................................................99 Set the Screen Width ..........................................................................................100 Set the CLI Prompt..............................................................................................100 Set the Idle Timeout............................................................................................100 Set CLI to Prompt after a Software Upgrade........................................................100 Set Command Completion..................................................................................100 Display CLI Settings ............................................................................................101 Example: Control the CLI Environment...............................................................101
Chapter 12 the Router with the CLI............................................................103 Configure

Configuration Statement Hierarchy.....................................................................104 How the Configuration Is Stored ........................................................................106 Enter Configuration Mode...................................................................................107 Using the Configure Command....................................................................108 Using the Configure Exclusive Command ...................................................108 Configuration Mode Prompt................................................................................109 Configuration Mode Banner ................................................................................109 Configuration Statements and Identifiers............................................................109 Get Help about Configuration Mode Commands, Statements, and Identifiers..........................................................................111 Use Command Completion in Configuration Mode......................................111 Examples: Use Command Completion in Configuration Mode .............112 Get Help Based on a String in a Statement Name ........................................113 Example: Get Help Based on a String Contained in a Statement Name ....................................................................114 Create and Modify the Configuration ..................................................................114 Examples: Create and Modify the Configuration..........................................115 Move among Levels of the Hierarchy ..................................................................117 Move Down to a Specific Level ...................................................................117 Move Back Up to Your Previous Level..........................................................118 Move Up One Level .....................................................................................118 Move Directly to the Top of the Hierarchy ...................................................118 Warning Messages When Moving Up...........................................................119 Exit Configuration Mode .....................................................................................119 Display the Current Configuration.......................................................................120 Examples: Display the Current Configuration ..............................................120 Display Users Currently Editing the Configuration ..............................................121 Remove a Statement from the Configuration......................................................122 Examples: Remove a Statement from the Configuration .............................122 Copy a Statement in the Configuration ...............................................................123 Example: Copy a Statement in the Configuration ........................................124 Rename an Identifier ..........................................................................................124 Example: Rename an Identifier ...................................................................124 Insert a New Identifier ........................................................................................125 Examples: Insert a New Identifier................................................................125
xi
Table of Contents
xii
Run an Operational Mode CLI Command from Configuration Mode...................127 Example: Run an Operational Mode CLI Command from Configuration Mode .....................................................................127 Display Configuration Mode Command History..................................................128 Verify a Configuration.........................................................................................128 Commit a Configuration .....................................................................................128 Commit a Configuration and Exit Configuration Mode ................................129 Activate a Configuration for a Limited Time ................................................130 Save a Configuration to a File ............................................................................131 Load a Configuration .........................................................................................131 Examples: Load a Configuration from a File ................................................132 Return to a Previously Committed Configuration................................................134 Example: Return to a Previously Committed Version of the Configuration ..135 Configuration Mode Error Messages ...................................................................135 Deactivate and Reactivate Statements and Identifiers in a Configuration ...........136 Examples: Deactivate and Reactivate Statements and Identifiers in a Configuration................................................................136 Add Comments in a Configuration......................................................................137 Examples: Include Comments in Configurations .........................................138 Have Multiple Users Configure the Software .......................................................139 Walk-through Example: Using the CLI to Configure the Router ..........................140 Shortcut.......................................................................................................140 Longer Configuration Example ....................................................................140 Additional Details about Specifying Statements and Identifiers ..........................145 How to Specify Statements .........................................................................145 How the CLI Performs Type Checking .........................................................147
Chapter 13 Groups ........................................................................................149 Configuration

Overview ............................................................................................................149 Inheritance Model .......................................................................................149 Configuration Groups Configuration Statements .................................................150 Configuration Groups Configuration Guidelines ..................................................150 Create a Configuration Group ......................................................................150 Apply a Configuration Group .......................................................................151 Example: Configure and Apply Configuration Groups...........................152 Display Inherited Values..............................................................................153 Use Wildcards .............................................................................................153 Example: Use Wildcards.......................................................................156 Examples: Configuration Groups ........................................................................157 Configure Sets of Statements.......................................................................157 Configure Interfaces ....................................................................................159 Configure Peer Entities ................................................................................161 Establish Regional Configurations................................................................163 Select Wildcard Names................................................................................164 Summary of Configuration Group Statements ....................................................165 apply-groups................................................................................................165 groups .........................................................................................................166
Chapter 14of CLI Environment Commands ............................................167 Summary

set cli complete-on-space ...................................................................................167 set cli idle-timeout ..............................................................................................167 set cli prompt......................................................................................................168 set cli restart-on-upgrade ....................................................................................168 set cli screen-length ............................................................................................169 set cli screen-width .............................................................................................169 set cli terminal ....................................................................................................169 set date ...............................................................................................................170 show cli ..............................................................................................................170 show cli history...................................................................................................171
Chapter 15of CLI Configuration Mode Commands ...........................173 Summary

activate ...............................................................................................................173 annotate .............................................................................................................173 commit ...............................................................................................................174 copy....................................................................................................................174 deactivate ...........................................................................................................175 delete .................................................................................................................175 edit .....................................................................................................................176 exit .....................................................................................................................176 help ....................................................................................................................176 insert ..................................................................................................................177 load ....................................................................................................................177 quit .....................................................................................................................178 rename ...............................................................................................................178 rollback...............................................................................................................178 run......................................................................................................................179 save ....................................................................................................................179 set.......................................................................................................................180 show...................................................................................................................181 status ..................................................................................................................181 top ......................................................................................................................181 up .......................................................................................................................182
Chapter 16of CLI Operational Mode Commands ................................183 Summary

clear....................................................................................................................183 configure ............................................................................................................183 file .....................................................................................................................183 monitor ..............................................................................................................184 ping ....................................................................................................................184 | (pipe) ................................................................................................................184 quit .....................................................................................................................185 request ...............................................................................................................185 restart ................................................................................................................185
Table of Contents
xiii
xiv
set .....................................................................................................................185 show...................................................................................................................186 ssh......................................................................................................................186 start ....................................................................................................................186 telnet ..................................................................................................................186 test ....................................................................................................................187 traceroute ..........................................................................................................187

Chapter 17 System Management Overview .................................................................. 191
How to Specify IP Addresses, Network Masks, and Prefixes ...............................191 How to Specify Filenames and URLs...................................................................192 Directories on the Router ...................................................................................193 Tracing and Logging Operations .........................................................................193 Protocol Authentication .....................................................................................194 User Authentication ............................................................................................195
Chapter 18 System Management Configuration Statements ...........................197 Chapter 19 Basic System Management................................................... 201 Configure
Configure the Routers Name and Addresses ......................................................201 Configure the Routers Name ......................................................................201 Map the Routers Name to IP Addresses......................................................202 Configure an ISO Sysid................................................................................202 Example: Configure a Routers Name, IP Address, and Sysid ......................203 Configure the Routers Domain Name ...............................................................203 Example: Configure the Routers Domain Name .........................................203 Configure Which Domains to Search ..................................................................204 Example: Configure Which Domains to Search ...........................................204 Configure a DNS Name Server ............................................................................204 Example: Configure a DNS Name Server .....................................................204 Configure a Backup Router .................................................................................205 Example: Configure a Backup Router ..........................................................205 Configure Flash Disk Mirroring ...........................................................................205 Configure the System Location ...........................................................................206 Configure the Root Password..............................................................................206 Example: Configure the Root Password.......................................................207 Compress the Current Configuration File ............................................................208
Chapter 20 System Authentication.............................................................209 Configure

Configure RADIUS Authentication ......................................................................209 Configure Juniper NetworksSpecific RADIUS Attributes .............................210 Configure TACACS+ Authentication ..................................................................210 Configure Shared User Accounts for RADIUS and TACACS+ Authentication .....211 Configure the Authentication Order ...................................................................212 Example: Remove an Ordered Set from the Authentication Order ..............212 Example: Insert an Order Set in the Authentication Order...........................212 Examples: Configure System Authentication ......................................................213
Chapter 21 User Access .....................................................................................215 Configure

Define Login Classes ..........................................................................................215 Configure Access Privilege Levels ................................................................216 Example: Configure Access Privilege Levels .........................................218 Deny or Allow Individual Commands ..........................................................218 Example: Deny or Allow Individual Commands ...................................219 Configure the Timeout Value for Idle Login Sessions ...................................220 Configure User Accounts ....................................................................................220 Example: Configure User Accounts..............................................................222
Chapter 22 Time.......................................................................................................223 Configure

Set the Time Zone...............................................................................................223 Examples: Set the Time Zone ......................................................................223 Configure the Network Time Protocol .................................................................224 Configure the NTP Boot Server ....................................................................225 Configure the NTP Time Server and Time Services ......................................225 Configure the Router to Operate in Client Mode ...................................226 Configure the Router to Operate in Symmetric Active Mode ................226 Configure the Router to Operate in Broadcast Mode.............................227 Configure NTP Authentication Keys ............................................................227 Configure the Router to Listen for Broadcast Messages................................228 Configure the Router to Listen for Multicast Messages .................................228
Chapter 23 System Logging.............................................................................229 Configure

Configure System Logging ..................................................................................229 Archive System Logs...........................................................................................231 Override the Facility ...........................................................................................232 Configure Log Message Prefixes..........................................................................232 Examples: Configure System Logging .................................................................233
xv
Table of Contents
xvi
Chapter 24 Miscellaneous System Management ..............................235 Configure

Configure Console and Auxiliary Port Properties ...............................................235 Disable the Sending of Redirect Messages on the Router ....................................236 Configure the Source Address for Locally Generated TCP/IP Packets ..................236 Configure the Router or Interface to Act as a DHCP/BOOTP Relay Agent ..........................................................................237 Configure System Services..................................................................................238 Configure Finger Service .............................................................................238 Configure Rlogin Service .............................................................................238 Configure SSH Service .................................................................................239 Configure Root Login............................................................................239 Configure SSH Protocol Version ...........................................................240 Configure Telnet Service .............................................................................240 Configure a System Login Message.....................................................................240 Configure JUNOS Software Processes .................................................................241 Disable JUNOS Software Processes .............................................................241 Configure Failover to Backup Media if a Software Process Fails ..................241 Configure a Password on the Diagnostics Port....................................................242
Chapter 25 Summary of System Management

Configuration Statements .............................................................................243
allow-commands ................................................................................................243 authentication.....................................................................................................244 authentication-key ..............................................................................................245 authentication-order ..........................................................................................245 auxiliary ............................................................................................................246 backup-router .....................................................................................................247 boot-server .........................................................................................................247 broadcast............................................................................................................248 broadcast-client ..................................................................................................248 class ...................................................................................................................249 compress-configuration-files ...............................................................................249 console ..............................................................................................................250 default-address-selection ....................................................................................250 deny-commands.................................................................................................251 dhcp-relay...........................................................................................................252 diag-port-authentication......................................................................................253 domain-name .....................................................................................................253 domain-search....................................................................................................254 full-name ............................................................................................................254 host-name ..........................................................................................................254 idle-timeout ........................................................................................................255 location...............................................................................................................256 login ...................................................................................................................257 message .............................................................................................................257 mirror-flash-on-disk ............................................................................................258 multicast-client ...................................................................................................258 name-server .......................................................................................................259 no-redirects ........................................................................................................259
ntp......................................................................................................................260 peer ....................................................................................................................260 permissions ........................................................................................................261 port.....................................................................................................................262 ports ...................................................................................................................262 processes ............................................................................................................263 protocol-version ..................................................................................................264 radius-server .......................................................................................................264 retry....................................................................................................................265 root-authentication .............................................................................................265 root-login ............................................................................................................266 secret..................................................................................................................266 server .................................................................................................................267 services ..............................................................................................................268 single-connection................................................................................................269 static-host-mapping ............................................................................................269 syslog..................................................................................................................270 system ................................................................................................................271 tacplus-server......................................................................................................272 timeout ...............................................................................................................272 time-zone............................................................................................................273 trusted-key..........................................................................................................275 uid ......................................................................................................................275 user ...................................................................................................................276

Chapter Router26 Chassis Configuration Guidelines ..........................................279
Minimum Chassis Configuration .........................................................................280 Configure Aggregated Devices ...........................................................................280 Configure Conditions That Trigger Alarms .........................................................280 Chassis Conditions That Trigger Alarms ......................................................282 Silence External Devices .............................................................................282 Configure SONET/SDH Framing .........................................................................283 Configure Channelized PIC Operation ................................................................283 Configure the Drop Policy for Traffic with Source-Route Constraints .................284 Configure Redundancy .......................................................................................284 Configure Routing Engine Redundancy ......................................................285 Copy a Configuration File from One Routing Engine to the Other .......285 Load a Package from the Other Routing Engine ..................................287 Change over to the Backup Routing Engine .........................................287 Configure SSB Redundancy .........................................................................288 Configure Packet Scheduling ..............................................................................288
xvii
Table of Contents
xviii
Chapter 27of Router Chassis Configuration Statements............289 Summary

aggregated-devices .............................................................................................289 alarm .................................................................................................................290 chassis ...............................................................................................................290 device-count .......................................................................................................291 ethernet..............................................................................................................291 failover ...............................................................................................................291 fpc .....................................................................................................................292 framing ..............................................................................................................292 keepalive-time ....................................................................................................292 no-concatenate ..................................................................................................293 packet-scheduling ..............................................................................................293 pic .....................................................................................................................294 redundancy .......................................................................................................294 routing-engine ...................................................................................................295 sonet ..................................................................................................................295 source-route .......................................................................................................296 ssb .....................................................................................................................296
Part 6 Appendix
Appendix A Glossary .....................................................................................................................299
Part 7 Indexes
Index Index ............................................................................................................................ 317 Index Index of Statements and Commands .....................................................327
List of Figures List of Figures

Figure 1: Figure 2: Figure 3: Figure 4: Figure 5: Product Architecture .............................................................................5 CLI Command Hierarchy Example......................................................80 Configuration Mode Hierarchy of Statements ...................................105 Commands for Storing and Modifying the Router Configuration.......106 Confirm a Configuration ...................................................................130
xix
List of Figures
List of Figures
xx
List of Tables List of Tables

Release 5.0 Device Names.............................................................57 CLI Keyboard Sequences ...................................................................86 ---More--- Prompt Keyboard Sequences ..............................................87 Common Regular Expression Operators .............................................90 Configuration Mode Top-Level Statements .......................................110 CLI Configuration Input Types .........................................................148 Juniper NetworksSpecific RADIUS Attributes ..................................210 Login Class Permission Bits...............................................................216 Default System Login Classes ...........................................................217 Common Regular Expression Operators ...........................................219 System Logging Facilities ..................................................................230 System Logging Severity Levels ........................................................230 System Logging Facilities That You Can Specify on the facility-override Statement .....................................................232 Table 14: Configurable PIC Alarm Conditions ..................................................281 Table 15: Chassis Component Alarm Conditions .............................................282 Table 1: Table 2: Table 3: Table 4: Table 5: Table 6: Table 7: Table 8: Table 9: Table 10: Table 11: Table 12: Table 13:
xxi
List of Tables
List of Tables
xxii
About this Manual

This chapter provides a high-level overview of the JUNOS Internet Software Configuration Guide: Getting Started: ! Objectives on page xxiii ! Audience on page xxiv ! Document Organization on page xxiv ! Related Documentation on page xxvi ! Part Organization on page xxvi ! Using the Index on page xxvii ! Documentation Conventions on page xxviii ! Documentation Feedback on page xxx ! How to Request Support on page xxx
Objectives
This manual provides an overview of the JUNOS Internet software and describes how to install and upgrade the software. This manual also describes how to configure system management functions and how to configure the chassis, including user accounts, passwords, and redundancy. This manual documents Release 5.0 of the JUNOS Internet software. To obtain additional information about the JUNOS softwareeither corrections to information in this manual or information that might have been omitted from this manualrefer to the software release notes. To obtain the most current version of this manual and the most current version of the software release notes, refer to the product documentation page on the Juniper Networks Web site, which is located at http://www.juniper.net/. To order printed copies of this manual or to order a documentation CD-ROM, which contains this manual, please contact your sales representative.
xxiii
About this Manual
Audience
xxiv
Audience
This manual is designed for network administrators who are configuring a Juniper Networks router. It assumes that you have a broad understanding of networks in general, the Internet in particular, networking principles, and network configuration. This manual assumes that you are familiar with one or more of the following Internet routing protocols: Border Gateway Protocol (BGP), Routing Information Protocol (RIP), Intermediate System-to-Intermediate System (IS-IS), Open Shortest Path First (OSPF), Internet Control Message Protocol (ICMP) router discovery, Internet Group Management Protocol (IGMP), Distance Vector Multicast Routing Protocol (DVMRP), Protocol-Independent Multicast (PIM), Multiprotocol Label Switching (MPLS), Resource Reservation Protocol (RSVP), and Simple Network Management Protocol (SNMP).
Document Organization
This manual is divided into several parts. Each part describes a major functional area of the JUNOS software, and the individual chapters within a part describe the software components of that functional area. This manual contains the following parts and chapters: ! Part 1, Overview, provides an overview of the hardware and software components of the router, describes the user command-line interface, and provides the procedures for installing and upgrading the software.
!
Chapter 1, Product Architecture, discusses the router hardware and product architecture. Chapter 2, JUNOS Software Overview, provides an overview of the JUNOS software features and lists the software standards that the JUNOS software supports. Chapter 3, Complete Configuration Mode Commands and Statements, lists all the commands available in configuration mode. It also lists the complete configuration statement hierarchy, showing all possible configuration statements and levels in the configuration hierarchy.
! Part 2, Software Installation and Upgrade, describes how to install, reinstall, and upgrade the JUNOS software on a router.
!
Chapter 4, Installation Overview, provides background information for the installation process. Chapter 5, Configure the Software Initially, describes how to initially configure the JUNOS software. Chapter 6, Reinstall the Software, describes how to reinstall the JUNOS software. Chapter 7, Upgrade Software Packages, describes how to upgrade software packages. Chapter 8, Upgrade to Release 5.0 or Downgrade from Release 5.0 describes how to upgrade to Release 5.0 or downgrade from Release to 5.0.
! !
Document Organization
! Part 3, Command-Line Interface, describes the interface that you use to configure and monitor the JUNOS software. The command-line interface (CLI) is the interface you use whenever you access the router.
!
Chapter 9, Command-Line Interface Overview, provides an overview of the functions of the CLI. Chapter 10, Command-Line Interface Operational Mode, describes the operational mode of the CLI. Chapter 12, Configure the Router with the CLI, describes the configuration mode of the CLI. Chapter 13, Configuration Groups, describes configuration groups. Chapter 14, Summary of CLI Environment Commands, explains each of the CLI environment commands. Chapter 11, Control the CLI Environment, describes how to configure the CLI environment. Chapter 15, Summary of CLI Configuration Mode Commands, explains each of the CLI configuration mode commands. Chapter 16, Summary of CLI Operational Mode Commands, explains each of the CLI operational mode commands.
! !
! Part 4, System Management, describes how to manage the router using the CLI.
!
Chapter 17, System Management Overview, provides background information for configuring system management functions. Chapter 18, System Management Configuration Statements, lists all the statements available at the [edit system] hierarchy level. Chapter 19, Configure Basic System Management, describes how to configure basic system management functions. Chapter 20, Configure System Authentication, describes how to configure RADIUS and TACACS+ authentication. Chapter 21, Configure User Access, describes how to configure user access. Chapter 22, Configure Time, describes how to set the time zone and configure the Network Time Protocol, which provides mechanisms to synchronize time and coordinate time distribution in a large, diverse network. Chapter 23, Configure System Logging, describes how to control system logging and how much information the system should log. Chapter 24, Configure Miscellaneous System Management, describes how to configure various system management functions, such as console and auxiliary port properties and the source address for locally generated TCP/IP packets. Chapter 25, Summary of System Management Configuration Statements, explains each of the system management configuration statements.
! !
xxv
About this Manual
Related Documentation
xxvi
! Part 5, Router Chassis, covers the configuration of router chassis properties.

!
Chapter 26, Router Chassis Configuration Guidelines, describes how to configure router chassis properties. Chapter 27, Summary of Router Chassis Configuration Statements, provides a detailed listing of all configuration statements used in router chassis configuration.
This manual also contains a glossary and an index.
Related Documentation
The following additional documentation describes the JUNOS Internet software: ! JUNOS Internet Software Configuration Guide: Interfaces, Class of Service, and FirewallsProvides an overview of the interface, class-of-service, and firewall functions of the JUNOS Internet software and describes how to configure the interfaces on the router. ! JUNOS Internet Software Configuration Guide: MPLS ApplicationsProvides an overview of traffic engineering concepts and describes how to configure traffic engineering protocols. ! JUNOS Internet Software Configuration Guide: MulticastProvides an overview of multicast concepts and describes how to configure multicast routing protocols. ! JUNOS Internet Software Configuration Guide: Network ManagementProvides an overview of network management concepts and describes how to configure various network management features, such as SNMP, accounting options, and cflowd. ! JUNOS Internet Software Configuration Guide: Routing and Routing ProtocolsProvides an overview of routing concepts and describes how to configure routing, routing policy, and unicast routing protocols. ! JUNOS Internet Software Operational Mode Command ReferenceDescribes the JUNOS Internet software operational mode commands you use to monitor and troubleshoot Juniper Networks routers. ! JUNOScript API GuideDescribes how to use the JUNOScript API to monitor and configure Juniper Networks routers. ! JUNOScript API ReferenceProvides a reference page for each tag in the JUNOScript API.
Part Organization
The parts in this manual generally include the following information: ! OverviewProvides background information about and discusses concepts related to the software component described in that part of the book. ! Configuration statementsLists all the configuration statements available to configure the software component. This list is designed to provide an overview of the configuration statement hierarchy for that software component.
Using the Index
! Configuration guidelinesDescribes how to configure all the features of the software component. The first section of the configuration guidelines describes the minimum configuration for that component, listing the configuration statements you must include to enable the software component on the router with only the bare minimum functionality. The remaining sections in the configuration guidelines are generally arranged so that the most common features are near the beginning. ! Statement summaryA reference that lists all configuration statements alphabetically and explains each statement and all its options. The explanation of each configuration statement consists of the following parts:
!
SyntaxDescribes the full syntax of the configuration statement. For an explanation of how to read the syntax statements, see Documentation Conventions on page xxviii. Hierarchy levelTells where in the configuration statement hierarchy you include the statement. DescriptionDescribes the function of the configuration statement. OptionsDescribes the configuration statements options, if there are any. For options with numeric values, the allowed range and default value, if any, are listed. For multiple options, if one option is the default, that fact is stated. If a configuration statement is at the top of a hierarchy of options that are other configuration statements, these options are generally explained separately in the statement summary section. Usage guidelinesPoints to the section or sections in the configuration guidelines section that describe how to use the configuration statement. Required privilege levelIndicates the permissions that the user must have to view or modify the statement in the router configuration. For an explanation of the permissions, see the appropriate chapters in this manual. See alsoIndicates other configuration statements that might provide related or similar functionality.
! !
Using the Index

The index entry for each configuration statement always contains at least two entries. The first, with a bold page number on the same line as the statement name, references the statement summary section. The second entry, usage guidelines, references the section in a configuration guidelines chapter that describes how to use the statement.
xxvii
About this Manual
Documentation Conventions
xxviii
Documentation Conventions General Conventions

This manual uses the following text conventions: ! Statements, commands, filenames, directory names, IP addresses, and configuration hierarchy levels are shown in a sans serif font. In the following example, stub is a statement name and [edit protocols ospf area area-id ] is a configuration hierarchy level: To configure a stub area, include the stub statement at the [edit protocols ospf area area-id ] hierarchy level: ! In examples, text that you type literally is shown in bold. In the following example, you type the word show:
[edit protocols ospf area area-id ] cli# show stub <default-metric metric >
! Examples of command output are generally shown in a fixed-width font to preserve the column alignment. For example:
> show interfaces terse Interface Admin Link Proto Local at-1/3/0 up up at-1/3/0.0 up up inet 1.0.0.1 iso fxp0 up up fxp0.0 up up inet 192.168.5.59/24
Remote --> 1.0.0.2
Conventions for Software Commands and Statements

When describing the JUNOS software, this manual uses the following type and presentation conventions: ! Statement or command names that you type literally are shown nonitalicized. In the following example, the statement name is area: You configure all these routers by including the following area statement at the [edit protocols ospf] hierarchy level: ! Options, which are variable terms for which you substitute appropriate values, are shown in italics. In the following example, area-id is an option. When you type the area statement, you substitute a value for area-id.
area area-id;
! Optional portions of a configuration statement are enclosed in angle brackets. In the following example, the default-metric metric portion of the statement is optional:
stub <default-metric metric >;
Documentation Conventions
! For text strings separated by a pipe ( | ), you must specify either string1 or string2, but you cannot specify both or neither of them. Parentheses are sometimes used to group the strings.
string1 | string2 (string1 | string2 )
In the following example, you must specify either broadcast or multicast, but you cannot specify both:
broadcast | multicast
! For some statements, you can specify a set of values. The set must be enclosed in square brackets. For example:
community name members [community-id ]
! The configuration examples in this manual are generally formatted in the way that they appear when you issue a show command. This format includes braces ({ }) and semicolons. When you type configuration statements in the CLI, you do not type the braces and semicolons. However, when you type configuration statements in an ASCII file, you must include the braces and semicolons. For example:
[edit] cli# set routing-options static route default nexthop address retain [edit] cli# show routing-options { static { route default { nexthop address; retain; } } }
! Comments in the configuration examples are shown either preceding the lines that the comments apply to, or more often, they appear on the same line. When comments appear on the same line, they are preceded by a pound sign (#) to indicate where the comment starts. In an actual configuration, comments can only precede a line; they cannot be on the same line as a configuration statement. For example:
protocols { mpls { interface (interface-name | all); } rsvp { interface interface-name; } }
# Required to enable MPLS on the interface # Required for dynamic MPLS only
! The general syntax descriptions provide no indication of the number of times you can specify a statement, option, or keyword. This information is provided in the text of the statement summary.
xxix
About this Manual
Documentation Feedback
xxx
Documentation Feedback
We are always interested in hearing from our customers. Please let us know what you like and do not like about the Juniper Networks documentation, and let us know of any suggestions you have for improving the documentation. Also, let us know if you find any mistakes in the documentation. Send your feedback to [email protected].
How to Request Support

For technical support, contact Juniper Networks at [email protected], or at 1-888-314-JTAC (within the United States) or 408-745-2121 (from outside the United States).
Part 1 Overview
! Product Architecture on page 3 ! JUNOS Software Overview on page 9 ! Complete Configuration Mode Commands and Statements on page 25
Chapter 1 Product Architecture

The JUNOS Internet software provides IP routing protocol softwareas well as software for interface, network, and chassis managementspecifically designed for the large production networks typically supported by Internet service providers (ISPs). The JUNOS Internet software runs on all Juniper Networks routers. For more detailed information about hardware features, see the hardware installation guide for your router model. This chapter provides an overview of the router hardware and then discusses the relationships between the hardware and the software: ! Hardware Overview on page 3 ! Product Architecture on page 4
Hardware Overview
The routers consist of the following major hardware components: ! Sheet metal of the chassis. ! Power supplies (AC or DC). ! Impeller trays. ! Fan assemblies. ! Routing Engine. ! System Control Board (SCB), System and Switch Board (SSB), Switching and Forwarding Module (SFM), or Forwarding Engine Board (FEB). ! Flexible PIC Concentrators (FPCs), each populated by up to four Physical Interface Cards (PICs) for various interface types, including SONET/SDH OC-192, OC-48, OC-12, and OC-3, ATM OC-12 and OC-3, DS3 (T3), E3, DS1 (T1), E1, Gigabit Ethernet, Fast Ethernet, and Channelized OC-12. Some PICs do not require an FPC.
Product Architecture
A fundamental architectural feature is the use of shared memory as the interconnection between slots. Specifically, when a packet arrives on an input interface, it is placed into a buffer where it stays until it is sent out of the output interface. This architecture has several consequences. First, because the complexity of the system is partly due to the number of buffering stages, the architecture is relatively clean and simple. Second, the centralized buffer can support buffering for each interface that is equal to the bandwidth times the delay and therefore can meet TCPs buffering needs in order to maximize throughput. Finally, the shared memory architecture supports multicast traffic at nearly the theoretical maximum efficiency.
The router is composed of two components (see Figure 1): ! Packet Forwarding EngineForwards packets through the router. The Packet Forwarding Engine is a high-performance switch that is capable of forwarding 40 million packets per second for any packet size. ! Routing EnginePerforms routing updates and system management. The Routing Engine consists of routing-protocol software processes running inside a protected memory environment on a general-purpose computer platform. The Routing Engine has a direct 100-Mbps connection to the Packet Forwarding Engine. Because this architecture separates control operations such as routing updates and system management from packet forwarding, the router can deliver superior performance and highly reliable Internet operation.
Figure 1: Product Architecture
JUNOS Internet Software Routing Engine
SNMP User
Routing tables
Routing protocol process
Interface process
Command-line interface (CLI)
Chassis process
Forwarding table
Kernel
Forwarding table Embedded Microkernel Packet Forwarding Engine
Interface process
Distributed ASICs
Chassis process
Microkernel
Packet Forwarding Engine

The Packet Forwarding Engine forwards packets between input and output interfaces.
Packet Flow through the Router

The function of the Packet Forwarding Engine can be understood by following the flow of a packet through the routerfirst into a PIC, then through the switching fabric, and finally out another PIC for transmission on a network link. When a packet arrives on an input interface, a media-specific PIC performs all the media-specific details such as framing and checksum verification. The PIC then passes a serial stream of bits into the FPC, which parses and appropriately decapsulates the packet. The FPC also breaks the packet into 64-byte memory blocks and passes each memory block to the Distributed Buffer Manager ASIC. The Distributed Buffer Manager ASIC then writes them into packet buffer memory, which is distributed evenly across all the FPCs installed in the router.
1410
In parallel with the buffering, the Distributed Buffer Manager ASIC extracts the information from the packet needed for route lookup and passes that information to the Internet Processor ASIC, which performs a lookup in its full forwarding table and finds the outgoing interface and the specific next hop. The forwarding table can forward all unicast packets that do not have options and multicast packets that have been previously cached. Unicast packets with options and noncached multicast packets are sent to the Routing Engine for resolution. After the Internet Processor ASIC has determined the next hop, it passes the results of the lookup to a second Distributed Buffer Manager ASIC, which in turn passes it to the outgoing interface. (Note that there could be multiple outgoing interfaces in the case of multicast.) It is at this stage that a pointer to the packet is queued, not the packet itself. Each output port has four queues, each of which has a configured share of the link bandwidth. Several factors can account for queuing order, including the value of the precedence bits, utilization of the input interface, destination address, and RED and WRED algorithms. If the outgoing interface decides to queue the packet for transmission, when the packet reaches the front of the queue and is ready for transmission, the memory blocks are read from packet buffer memory. Then the packet is reassembled and passed to the media-specific PIC for transmission on the line.
Routing Engine
The Routing Engine handles all the routing protocol processes and other software processes that control the routers interfaces, a few of the chassis components, system management, and user access to the router. These routing and software processes run on top of a kernel that interacts with the Packet Forwarding Engine. The Routing Engine has these features: ! Process routing protocol packetsAll routing protocol packets from the network are directed to the Routing Engine, and therefore do not delay the Packet Forwarding Engine unnecessarily. ! Software modularityBy dividing software functions into separate processes, a failure of one process has little or no effect on the other software processes. ! In-depth Internet functionalityEach routing protocol is implemented with a complete set of Internet features and provides full flexibility for advertising, filtering, and modifying routes. Routing policies are set according to route parameters, such as prefix, prefix lengths, and BGP attributes. ! ScalabilityThe JUNOS routing tables are designed to hold all the routes in current and near-future networks. Additionally, the JUNOS software can efficiently support large numbers of interfaces and virtual circuits. ! Management interfacesSystem management is possible with a command-line interface (CLI), a craft interface, and SNMP.
! Storage and change managementConfiguration files, system images, and microcode can be held and maintained in one primary and two secondary storage systems, permitting local or remote upgrades. ! Monitoring efficiency and flexibilityAlarms can be generated and packets can be counted without adversely affecting packet forwarding performance. The Routing Engine constructs and maintains one or more routing tables. From the routing tables, the Routing Engine derives a table of active routes, called the forwarding table, which is then copied into the Packet Forwarding Engine. The forwarding table in the Packet Forwarding Engine can be updated without interrupting the routers forwarding.
Chapter 2 JUNOS Software Overview

The JUNOS Internet software runs on the routers Routing Engine. It consists of software processes that support Internet routing protocols, control the routers interfaces and the router chassis itself, and allow router system management. All these processes run on top of a kernel that enables communication among all the processes and has a direct link to the Packet Forwarding Engine software. You use the JUNOS software to configure the routing protocols that should run on the router and to configure properties of the routers interfaces. Afterward, you use the JUNOS software to monitor the router and to troubleshoot protocol and network connectivity problems. For more information about monitoring the router and troubleshooting problems, see the JUNOS Internet Software Operational Mode Command Reference. This chapter discusses the following topics: ! Routing Engine Software Components on page 9 ! Software Installation Overview on page 14 ! Tools for Accessing and Controlling the Software on page 14 ! Software Configuration Overview on page 15 ! Software Monitoring Tools on page 16 ! Supported Software Standards on page 16
Routing Engine Software Components

The Routing Engine software consists of several software processes that control router functionality and a kernel that provides the communication among all the processes (see Figure 1 on page 5). This section describes the Routing Engine components: ! Routing Protocol Process on page 10 ! Interface Process on page 13 ! Chassis Process on page 13 ! SNMP and MIB II Processes on page 13 ! Management Process on page 13 ! Routing Engine Kernel on page 14
JUNOS Software Overview
Routing Protocol Process

The routing protocol process controls the routing protocols that run on the router. It starts all configured routing protocols and handles all routing messages. It maintains one or more routing tables, which consolidate the routing information learned from all routing protocols into common tables. From this routing information, the routing protocol process determines the active routes to network destinations and installs these routes into the Routing Engines forwarding table. Finally, it implements routing policy, which allows you to control the routing information that is transferred between the routing protocols and the routing table. Using routing policy, you can filter routing information so that only some of it is transferred, and you also can set properties associated with the routes.
Routing Protocols
The JUNOS software implements full IP routing functionality, providing support for IP Version 4 (IPv4). The routing protocols are fully interoperable with existing IP routing protocols, and they have been developed to provide the scale and control necessary for the Internet core. The software provides the following routing and MPLS applications protocols: ! Unicast routing protocols
!
IS-ISIntermediate System-to-Intermediate System is a link-state interior gateway protocol (IGP) for IP networks that uses the shortest-path-first (SPF) algorithm, which also is referred to as the Dijkstra algorithm, to determine routes. The JUNOS IS-IS software is a new and complete implementation of the protocol, addressing issues of scale, convergence, and resilience. OSPFOpen Shortest Path First, Version 2, is an IGP that was developed for IP networks by the Internet Engineering Task Force (IETF). OSPF is a link-state protocol that makes routing decisions based on the SPF algorithm. The JUNOS OSPF software is a new and complete implementation of the protocol, addressing issues of scale, convergence, and resilience. RIPRouting Information Protocol, Version 2, is an IGP for IP networks based on the Bellman-Ford algorithm. RIP is a distance-vector protocol. RIP dynamically routes packets between a subscriber and a service provider without the subscriber having to configure BGP or to participate in the service providers IGP discovery process. ICMPInternet Control Message Protocol router discovery allows hosts to discover the addresses of operational routers on the subnet. BGPBorder Gateway Protocol, Version 4, is an exterior gateway protocol (EGP) that guarantees loop-free exchange of routing information between routing domains (also called autonomous systems). BGP, in conjunction with JUNOS routing policy, provides a system of administrative checks and balances that can be used to implement peering and transit agreements.
10
! Multicast routing protocols

!
DVMRPDistance Vector Multicast Routing Protocol is a dense-mode (flood-and-prune) multicast routing protocol. PIM sparse mode and dense modeProtocol-Independent Multicast is a multicast routing protocol. PIM sparse mode routes to multicast groups that might span wide-area and interdomain internets. PIM dense mode is a flood-and-prune protocol. MSDPMulticast Source Discovery Protocol allows multiple PIM sparse mode domains to be joined. A rendezvous point (RP) in a PIM sparse mode domain has a peer relationship with an RP in another domain, enabling it to discover multicast sources from other domains. IGMPInternet Group Management Protocol, Versions 1 and 2, is used to manage membership in multicast groups. SAP/SDPSession Announcement Protocol and Session Description Protocol handle conference session announcements.
! MPLS applications protocols

!
MPLSMultiprotocol Label Switching, formerly known as tag switching, allows you to manually or dynamically configure label-switched paths (LSPs) through a network. It lets you direct traffic through particular paths rather than rely on the IGPs least-cost algorithm to choose a path. RSVPThe Resource Reservation Protocol, Version 1, provides a mechanism for engineering network traffic patterns that is independent of the shortest path decided upon by a routing protocol. RSVP itself is not a routing protocol; it operates with current and future unicast and multicast routing protocols. The primary purpose of the JUNOS RSVP software is to support dynamic signaling for MPLS label-switched paths (LSPs). LDPThe Label Distribution Protocol provides a mechanism for distributing labels in nontraffic-engineered applications. LDP allows routers to establish LSPs through a network by mapping network-layer routing information directly to data-link layer switched paths. LSPs created by LDP can also traverse LSPs created by RSVP.
Routing and Forwarding Tables

A major function of the JUNOS routing protocol process is to maintain the Routing Engines routing tables and from these tables to determine the active routes to network destinations. The routing protocol process then installs these routes into the Routing Engines forwarding table. The JUNOS kernel then copies this forwarding table to the Packet Forwarding Engine. Refer to Figure 1 on page 5 for an illustration of the interrelationships between the routing and forwarding tables.
11
The routing protocol process maintains multiple routing tables. By default, it maintains the following three routing tables. You can configure additional routing tables to suit your requirements. ! Unicast routing tableStores routing information for all unicast routing protocols running on the router. IS-IS, OSPF, RIP, and BGP all store their routing information in this routing table. You can configure additional routes, such as static routes, to be included in this routing table. IS-IS, OSPF, RIP, and BGP use the routes in this routing table when advertising routing information to their neighbors. ! Multicast routing table (cache)Stores routing information for all the running multicast protocols. DVMRP and PIM both store their routing information in this routing table, and you can configure additional routes to be included in this routing table. ! MPLS routing tableStores MPLS path and label information. With each routing table, the routing protocol process uses the collected routing information to determine active routes to network destinations. For unicast routes, the routing protocol process determines active routes by choosing the most preferred route, which is the route with the lowest preference value. By default, the routes preference value is simply a function of how the routing protocol process learned about the route. You can modify the default preference value using routing policy and with software configuration parameters. For multicast traffic, the routing protocol process determines active routes based on traffic flow and other parameters specified by the multicast routing protocol algorithms. The routing protocol process then installs one or more active routes to each network destination into the Routing Engines forwarding table.
Routing Policy
By default, all routing protocols place their routes into the routing table. When advertising routes, the routing protocols by default advertise only a limited set of routes from the routing table. Specifically, each routing protocol exports only the active routes that were learned by that protocol. In addition, the IGPs (IS-IS, OSPF, and RIP) export the direct (interface) routes for the interfaces on which the protocol is explicitly configured. You can control the routes that a protocol places into each table and the routes from that table that the protocol advertises. You do this by defining one or more routing policies and then applying them to the specific routing protocol. Routing policies applied when the routing protocol places routes into the routing table are referred to as import policies because the routes are being imported into the routing table. Policies applied when the routing protocol is advertising routes that are in the routing table are referred to as export policies because the routes are being exported from the routing table. In other words, the terms import and export are used with respect to the routing table. Routing policy allows you to control (filter) which routes a routing protocol imports into the routing table and which routes a routing protocol exports from the routing table. Routing policy also allows you to set the information associated with a route as it is being imported into or exported from the routing table. Filtering imported routes allows you to control the routes used to determine active routes. Filtering routes being exported from the routing table allows you to control the routes that a protocol advertises to its neighbors.
12
You implement routing policy by defining policies. A policy specifies the conditions to use to match a route and the action to perform on the route when a match occurs. For example, when a routing table imports routing information from a routing protocol, a routing policy might modify the routes preference, mark the route with a color to identify it and allow it to be manipulated at a later time, or prevent the route from even being installed in a routing table. When exporting routes from a routing table into a routing protocol, a policy might assign metric values, modify the BGP community information, tag the route with additional information, or prevent the route from being exported altogether. You also can define policies for redistributing the routes learned from one protocol into another protocol.
Interface Process
The JUNOS interface process allows you to configure and control the physical interface devices and logical interfaces present in a router. You can configure various interface properties such as the interface location (that is, which slot the FPC is installed in and which location on the FPC the PIC is installed in), the interface encapsulation, and interface-specific properties. You can configure the interfaces that currently are present in the router, as well as interfaces that currently are not present but that you may be adding at a future time. The JUNOS interface process communicates, through the JUNOS kernel, with the interface process in the Packet Forwarding Engine, thus enabling the JUNOS software to track the status and condition of the routers interfaces.
Chassis Process
The JUNOS chassis process allows you to configure and control the properties of the router, including conditions that trigger alarms and clock sources. The chassis process communicates directly with a chassis process in the JUNOS kernel.
SNMP and MIB II Processes

The JUNOS software supports the SNMP, which helps administrators monitor the state of a router. The software supports SNMP Version 1 and Version 2 (also known as Version 2c, or v2c). The JUNOS implementation of SNMP does not include any of the security features that were originally included in the IETF SNMP drafts but were later dropped because of the inability to standardize on a particular method. The SNMP software is controlled by the JUNOS SNMP and MIB II processes, which consist of an SNMP master agent and various subagents.
Management Process
Within the JUNOS software, a process-controlling process is responsible for starting and monitoring all the other software processes, as well as starting the CLI, which is the primary tool you use to control and monitor the JUNOS Internet software. This management process starts all the software processes and the CLI when the router boots. If a software process should terminate for some reason, the management process makes all reasonable attempts to restart it.
13
Software Installation Overview
Routing Engine Kernel

The Routing Engine kernel provides the underlying infrastructure for all JUNOS software processes. In addition, it provides the link between the routing tables and the Routing Engines forwarding table. It is also responsible for all communication with the Packet Forwarding Engine, which includes keeping the Packet Forwarding Engines copy of the forwarding table synchronized with the master copy in the Routing Engine.
Software Installation Overview

The JUNOS Internet software is preinstalled on the router. Once the router is powered on, it is ready to be configured. The primary copy of the software is installed on a nonrotating flash disk. Two backup copies are included, one on the routers rotating hard disk and a second on the removable media (either an LS-120 floppy disk [a 120-MB disk] or a PCMCIA card) that is shipped with the router. When the router boots, it first attempts to start the software image from the removable media if one is installed in the router. If this fails, the router next tries the flash disk, then finally the hard disk. Normally, you want the router to boot from the flash disk. To upgrade the software, you copy a set of software images over the network to the routers flash disk using SCP or another similar utility. The JUNOS software set consists of three images, one for the software processes, a second for the kernel, and the third for the Packet Forwarding Engine. You normally upgrade all images simultaneously.
Tools for Accessing and Controlling the Software

The primary means of accessing and controlling the JUNOS software is the command-line interface (CLI). The router provides three ports on the craft interface for connecting external management devices to the Routing Engine and the JUNOS Internet software: ! Console portConnects a system console using an RS-232 serial cable. ! Auxiliary portConnects a laptop or modem using an RS-232 serial cable. ! Ethernet management portConnects the Routing Engine to a management LAN (or any other device that plugs into an Ethernet connection) for out-of-band management of the router. The Ethernet port is 10/100 Mbps autosensing and requires an RJ-45 connector. The CLI is the interface to the JUNOS software that you use whenever you access the router from the console or through a remote network connection. The CLI provides commands that perform various tasks, including configuring the JUNOS software, and monitoring and troubleshooting the software, network connectivity, and the router hardware. The CLI is a straightforward command interface. You type commands on a single line, and the commands are executed when you press the Enter key. The CLI provides command help and command completion, and it also provides Emacs-style keyboard sequences that allow you to move around on a command line and scroll through a buffer that contains recently executed commands.
14
Software Configuration Overview
Software Configuration Overview

To configure the JUNOS software, you specify a hierarchy of configuration statements that define the preferred software properties. You can configure all properties of the JUNOS software, including interfaces, general routing information, routing protocols, and user access, as well as some system hardware properties. After you have created a candidate configuration, you commit the configuration to be evaluated and activated by the JUNOS software.
Methods of Configuring the Software

There are two basic ways to configure the JUNOS software: ! You can create the configuration for the router interactively, working in the CLI on the router. ! You can load an ASCII file containing a router configuration that you created earlier, either on this system or on another system. You can then activate and run the configuration file as is or you can edit it using the CLI and then activate it.
Configuring the Software

When you initially boot a router, the system prompts you for the minimal information needed to configure the router, including the routers name, domain name, and the Internet address of at least one interface on the router. After the router finishes this initial boot, you log in as the user root (with no password) and configure a password for the user root. After completing this initial minimal configuration, you can configure software properties. If you configure the software interactively using the CLI, you enter software configuration statements to create a candidate configuration that contains a hierarchy of statements. At any hierarchy level, you generally can enter statements in any order. While you are interactively configuring the software, you can display all or portions of the candidate configuration, and you can insert or delete statements. Any changes you make affect only the candidate configuration, not the active configuration that is running on the router. The configuration hierarchy logically groups related functions, which results in configuration statements that have a regular, consistent syntax. As examples, you configure routing protocols, routing policies, interfaces, and SNMP management each in its own separate portion of the configuration hierarchy. At each level of the hierarchy, you can display a list of the statements available at that level, along with short descriptions of the statements functions. To have the CLI complete the statement name if it is unambiguous or to provide a list of possible completions, you can type a partial statement name followed by a space or tab. More than one user can edit a routers configuration simultaneously. All changes made by all users are visible to everyone editing the configuration.
15
Software Monitoring Tools
Activating a Configuration
To have a candidate configuration take effect, you commit the changes. At this point, the candidate file is checked for proper syntax, activated, and marked as the current, operational software configuration file. If multiple users are editing the configuration, when you commit the candidate configuration, all changes made by all the users take effect. The CLI always maintains a copy of previously committed versions of the software configuration. If you need to return to a previous configuration, you can do this from within the CLI.
Software Monitoring Tools

The primary method of monitoring and troubleshooting the software, routing protocols, network connectivity, and the router hardware is to enter commands from the CLI. The CLI enables you to display information in the routing tables, display routing protocol-specific information, and check network connectivity using ping and traceroute. The JUNOS software includes SNMP software, which allows you to manage routers. The SNMP software consists of an SNMP master agent and a MIB II agent, and supports MIB II SNMP version 1 traps and version 2 notifications, SNMP version 1 Get and GetNext requests, and version 2 GetBulk requests. The software also supports tracing and logging operations so that you can track events that occur in the routerboth normal router operations and error conditionsand track the packets that are generated by or pass through the router. Logging operations use a syslog-like mechanism to record systemwide, high-level operations, such as interfaces going up or down and users logging into or out of the router. Tracing operations record more detailed messages about the operation of routing protocols, such as the various types of routing protocol packets sent and received, and routing policy actions.
Supported Software Standards

This section lists the standards supported by the JUNOS software: ! Supported Internet RFCs and Drafts on page 17 ! Supported ISO Standards on page 22 ! Supported SDH and SONET Standards on page 22 ! Other Supported Standards on page 23 To access Internet RFCs and drafts, go to the IETF web site: http://www.ietf.org.
16
Supported Internet RFCs and Drafts

ATM
! RFC 1483, Multiprotocol Encapsulation over ATM Adaptation Layer 5 (routed Protocol Data Units only) ! RFC 2225, Classical IP and ARP over ATM (responses only)
BGP
! RFC 1771, A Border Gateway Protocol 4 (BGP-4) ! RFC 1772, Application of the Border Gateway Protocol in the Internet ! RFC 1965, Autonomous System Confederations for BGP ! RFC 1966, BGP Route ReflectionAn Alternative to Full-Mesh IBGP ! RFC 1997, BGP Communities Attribute ! RFC 2270, Using a Dedicated AS for Sites Homed to a Single Provider ! RFC 2283, Multiprotocol Extensions for BGP-4 ! RFC 2385, Protection of BGP Sessions via the TCP MD5 Signature Option ! RFC 2439, BGP Route Flap Damping ! Capabilities Negotiation with BGP4, IETF draft draft-ietf-idr-cap-neg-01
Frame Relay
! RFC 1490, Multiprotocol Interconnect over Frame Relay
GRE and IP-IP Encapsulation

! RFC 1701, Generic Routing Encapsulation (GRE) ! RFC 1702, Generic Routing Encapsulation over IPv4 Networks ! RFC 2003, IP Encapsulation within IP
IP Multicast
! RFC 1112, Host Extensions for IP Multicasting (defines IGMP Version 1) ! RFC 2236, Internet Group Management Protocol, Version 2 ! RFC 2327, SDP: Session Description Protocol ! RFC 2362, Protocol Independent Multicast-Sparse Mode (PIM-SM): Protocol Specification
17
! RFC 2365, Administratively Scoped IP Multicast ! Protocol Independent Multicast-Sparse Mode (PIM-SM): Protocol Specification, Internet Draft draft-ietf-idmr-pim-sm-specv2-00 ! Protocol Independent Multicast-Version 2 Dense Mode Specification, Internet Draft draft-ietf-pim-v2-dm-03 ! Distance Vector Multicast Routing Protocol, Internet draft draft-ietf-idmr-dvmrp-v3-07 ! SAP: Session Announcement Protocol, Internet draft draft-ietf-mmusic-sap-00 ! Multicast Source Discovery Protocol (MSDP), Internet draft draft-ietf-msdp-spec-01.txt ! Anycast RP Mechanism using PIM and MSDP, Internet draft draft-ietf-mboned-anycast-rp-05.txt
IS-IS
! RFC 1195, Use of OSI IS-IS for Routing in TCP/IP and Dual Environments ! RFC 2104, HMAC: Keyed-Hashing for Message Authentication ! RFC 2763, Dynamic Hostname Exchange Mechanism for IS-IS ! RFC 2966, Domain-wide Prefix Distribution with Two-Level IS-IS ! RFC 2973, IS-IS Mesh Groups ! IS-IS Extensions for Traffic Engineering, Internet draft draft-ietf-isis-traffic-02.txt ! Three-Way Handshake for IS-IS Point-to-Point Adjacencies, Internet draft draft-ietf-isis-3way-03.txt
LDP
! Label Distribution Protocol (LDP)Version 1 Functional Specification, (draft-ietf-mpls-ldp-06.txt)
MIBs
! IEEE, 802.3ad, Aggregation of Multiple Link Segments (only the objects dot3adAggMACAddress, dot3adAggAggregateOrIndividual, dot3adAggPortListPorts, dot3adAggPortStatsMarkerPDUsRx, dot3adAggPortStatsMarkerResponsePDUsRx, dot3adAggPortStatsMarkerPDUsTx, dot3adAggPortStatsMarkerResponsePDUsTx, and dot3adTablesLastChanged) ! RFC 1213, Management Information Base for Network Management of TCP/IP-based internets: MIB-II ! RFC 1215, Convention for defining traps for use with the SNMP ! RFC 1657, Definitions of Managed Objects for the Fourth Version of the Border Gateway Protocol (BGP-4) using SMIv2
18
! RFC 1850, OSPF Version 2 Management Information Base (except for the ospfOriginateNewLsas and ospfRxNewLsas objects, the Host Table, and the traps ospfOriginateLSA, ospfLsdbOverflow, and ospfApproachingLsdbOverflow) ! RFC 1906, Transport Mappings for Version 2 of the Simple Network Management Protocol ! RFC 1907, Management Information Base for Version 2 of the Simple Network Management Protocol (SNMPv2) ! RFC 2011, SNMPv2 Management Information Base for the Internet Protocol using SMIv2 ! RFC 2012, SNMPv2 Management Information Base for the Transmission Control Protocol using SMIv2 ! RFC 2013, SNMPv2 Management Information Base for the User Datagram Protocol using SMIv2 ! RFC 2096, IP Forwarding Table MIB ! RFC 2115, Management Information Base for Frame Relay DTEs Using SMIv2 ! RFC 2233, The Interfaces Group MIB-II using SMIv2 ! RFC 2495, Definitions of Managed Objects for the DS1, E1, DS2, and E2 Interface Types (except for dsx1FarEndConfigTable, dsx1FarEndCurrentTable, dsx1FarEndIntervalTable, dsx1FarEndTotalTable, and dsx1FracTable) ! RFC 2496, Definitions of Managed Object for the DS3/E3 Interface Type ! RFC 2515, Definitions of Managed Objects for ATM Management ! RFC 2558, Definitions of Managed Objects for the SONET/SDH Interface Type ! RFC 2665, Definitions of Managed Objects for the Ethernet-like Interface Types ! RFC 2790, Host Resources MIB (only the objects of the hrSystem and hrSWInstalled groups) ! RFC 2819, Remote Network Monitoring Management Information Base (the etherStatsTable for Ethernet interfaces only) ! RFC 2925, Definitions of Managed Objects for Remote Ping, Traceroute, and Lookup Operations (only PingMIB ). ! RFC 2932, IPv4 Multicast Routing MIB ! IANAiftype Textual Convention MIB, Internet Assigned Numbers Authority (referenced by RFC 2233, available at ftp://ftp.isi.edu/mib/ianaiftype.mib) ! Internet Group Management Protocol (IGMP) MIB, Internet draft draft-ietf-idmr-igmp-mib-13.txt ! Protocol Independent Multicast (PIM) MIB, Internet draft draft-ietf-idmr-pim-mib-09.txt
19
MPLS
! RFC 2205, Resource ReSerVation Protocol (RSVP)Version 1 Functional Specification ! RFC 2209, Resource ReSerVation Protocol (RSVP)Version 1 Message Processing Rules ! RFC 2961, RSVP Refresh Overhead Reduction Extensions ! RFC 2210, The Use of RSVP with IETF Integrated Services ! RFC 2211, Specification of the Controlled-Load Network Element Service ! RFC 2215, General Characterization Parameters for Integrated Service Network Elements ! RFC 2216, Network Element Service Specification Template ! RFC 2702, Requirements for Traffic Engineering Over MPLS ! ICMP Extensions for Multiprotocol Label Switching, Internet draft draft-ietf-mpls-icmp-01.txt ! MPLS Label Stack Encoding, Internet draft draft-ietf-mpls-label-encaps-07.txt ! Extensions to RSVP for LSP Tunnels, Internet draft draft-ietf-mpls-rsvp-lsp-tunnel-05.txt
OSPF
! RFC 1587, The OSPF NSSA Option ! RFC 2328, OSPF Version 2 ! Traffic Engineering Extensions to OSPF, Internet draft draft-katz-yeung-ospf-traffic-01.txt
PPP
! RFC 1332, The PPP Internet Protocol Control Protocol (IPCP) ! RFC 1661, The Point-to-Point Protocol (PPP) ! RFC 1662, PPP in HDLC-like Framing ! RFC 2615, PPP over SONET/SDH
RIP
! RFC 1058, Routing Information Protocol ! RFC 2453, RIP Version 2
20
RSVP
! RFC 2205, Resource ReSerVation Protocol (RSVP), Version 1, Functional Specification ! RFC 2209, Resource ReSerVation Protocol (RSVP), Version 1, Message Processing Rules ! RFC 2210, The Use of RSVP with IETF Integrated Services ! RFC 2211, Specification of the Controlled-Load Network Element Service ! RFC 2212, Specification of Guaranteed Quality of Service ! RFC 2215, General Characterization Parameters for Integrated Service Network Elements ! RFC 2216, Network Element Service Specification Template ! RFC 2747, RSVP Cryptographic Authentication ! Extensions to RSVP for LSP Tunnels, Internet draft draft-ietf-mpls-rsvp-lsp-tunnel-05.txt ! RSVP Refresh Reduction Extensions, Internet draft draft-ietf-rsvp-refresh-reduct-05.txt
TCP/IP v4
! RFC 768, User Datagram Protocol ! RFC 791, Internet Protocol ! RFC 792, Internet Control Message Protocol ! RFC 793, Transmission Control Protocol ! RFC 826, Ethernet Address Resolution Protocol ! RFC 854, Telnet Protocol Specification ! RFC 862, Echo Protocol ! RFC 863, Discard Protocol ! RFC 896, Congestion Control in IP/TCP Internetworks ! RFC 919, Broadcasting Internet Datagrams ! RFC 922, Broadcasting Internet Datagrams in the Presence of Subnets ! RFC 959, File Transfer Protocol ! RFC 1027, Using ARP to Implement Transparent Subnet Gateways ! RFC 1042, Standard for the Transmission of IP Datagrams over IEEE 802 Networks ! RFC 1157, Simple Network Management Protocol (SNMP) ! RFC 1166, Internet Numbers
21
! RFC 1195, Use of OSI IS-IS for Routing in TCP/IP and Dual Environments ! RFC 1256, ICMP Router Discovery Messages ! RFC 1305, Network Time Protocol (Version 3) Specification, Implementation, and Analysis ! RFC 1519, Classless Inter-Domain Routing (CIDR): An Address Assignment and Aggregation Strategy ! RFC 1812, Requirements for IP Version 4 Routers ! RFC 2338, Virtual Router Redundancy Protocol
Supported ISO Standards

IS-IS
! ISO/IEC 10589, Information technology, Telecommunications and information exchange between systems, Intermediate system to intermediate system intradomain routing information exchange protocol for use in conjunction with the protocol for providing the connectionless-mode network service (ISO 8473)
Supported SDH and SONET Standards

! ANSI T1.105, Synchronous Optical Network (SONET) Basic Description Including Multiplex Structures, Rates, and Formats ! ANSI T1.105.02, Synchronous Optical Network (SONET) Payload Mappings ! ANSI T1.105.06, SONET: Physical Layer Specifications ! GR-253-CORE, SONET Transport Systems: Common Generic Criteria ! GR-499-CORE, Transport System Generic Requirements (TSGR): Common Requirements ! GR-1377-CORE, SONET OC-192 Transport System Generic Criteria ! ITU-T Recommendation G.691, Optical interfaces for single channel SDH systems with optical amplifiers, and STM-64 systems ! ITU-T Recommendation G.707 (1996), Network node interface for the synchronous digital hierarchy (SDH) ! ITU-T Recommendation G.783 (1994), Characteristics of Synchronous Digital Hierarchy (SDH) equipment functional blocks ! ITU-T Recommendation G.813 (1996), Timing characteristics of SDH equipment slave clocks (SEC) ! ITU-T Recommendation G.825 (1993), The control of jitter and wander within digital networks which are based on the Synchronous Digital Hierarchy (SDH) ! ITU-T Recommendation G.826 (1999), Error performance parameters and objectives for international, constant bit rate digital paths at or above the primary rate
22
! ITU-T Recommendation G.831 (1993), Management capabilities of transport networks based on Synchronous Digital Hierarchy (SDH) ! ITU-T Recommendation G.957 (1995), Optical interfaces for equipment and systems relating to the synchronous digital hierarchy ! ITU-T Recommendation G.958 (1994), Digital line systems based on the Synchronous Digital Hierarchy for use on optical fibre cables ! ITU-T Recommendation I.432 (1993), B-ISDN User-Network Interface Physical layer specification
Other Supported Standards

ATM
! ITU-T Recommendation I.363, B-ISDN ATM adaptation layer sublayers: service-specific coordination function to provide the connection-oriented transport service (JUNOS software conforms only to the AAL5/IP over ATM portion of this standard) ! ITU-T Recommendation I.432.3, B-ISDN user-network interface Physical layer specifications: 51,840 kbits/s operation
Frame Relay
! ANSI T1.617-1991, Annex D, Additional procedures for permanent virtual connections (PVCs) using unnumbered information frames ! ITU Q.933a, Annex A, Additional Procedures for Permanent Virtual Connections (PVC) status management (using Unnumbered Information frames)
Ethernet
! IEEE, 802.3ad, Aggregation of Multiple Link Segments ! IEEE, 802.3, Carrier Sense Multiple Access with Collision Detection (CSMA/CD)
T3
! ITU-T Recommendation G.703, Physical/electrical characteristics of hierarchical digital interfaces
23
24
Chapter 3 Complete Configuration Mode

Commands and Statements
This chapter shows the complete configuration mode commands and the complete configuration statement hierarchy. Using these commands and statements is described in other chapters. ! Complete Configuration Mode Commands on page 25 ! Complete Configuration Statement Hierarchy on page 26 For information about CLI operational mode commands, see the JUNOS Internet Software Operational Mode Command Reference.
Complete Configuration Mode Commands

The following is the complete list of configuration mode commands, listing all possible commands in the hierarchy.
user@host# ? Possible completions: <[Enter]> Execute this command activate Remove the inactive tag from a statement annotate Annotate the statement with a comment commit Commit current set of changes copy Copy a statement deactivate Add the inactive tag to a statement delete Delete a data element edit Edit a sub-element exit Exit from this level help Provide help information insert Insert a new ordered data element load Load configuration from an ASCII file quit Quit from this level rename Rename a statement rollback Roll back database to last committed version run Run an operational-mode command save Save configuration to an ASCII file set Set a parameter show Show a parameter status Display database user status top Exit to top level of configuration up Exit one level of configuration
Complete Configuration Mode Commands and Statements
25
Complete Configuration Statement Hierarchy

This section shows the complete configuration statement hierarchy, listing all possible configuration statements and showing their level in the configuration hierarchy. When you are configuring the JUNOS software, your current hierarchy level is shown in the banner on the line preceding the user@host# prompt. This section is organized as follows: ! [edit accounting-options] Hierarchy Level on page 26 ! [edit chassis] Hierarchy Level on page 27 ! [edit class-of-service] Hierarchy Level on page 27 ! [edit firewall] Hierarchy Level on page 29 ! [edit forwarding-options] Hierarchy Level on page 29 ! [edit groups] Hierarchy Level on page 30 ! [edit interfaces] Hierarchy Level on page 30 ! [edit policy-options] Hierarchy Level on page 34 ! [edit protocols] Hierarchy Level on page 35 ! [edit routing-instances] Hierarchy Level on page 45 ! [edit routing-options] Hierarchy Level on page 47 ! [edit snmp] Hierarchy Level on page 49 ! [edit system] Hierarchy Level on page 50
[edit accounting-options] Hierarchy Level

accounting-options { file file-name { size bytes files number transfer-interval minutes ; archive-sites { site-name; } } filter-profile profile-name { counters { counter-name; } file filename; interval minutes ; } }
26
interface-profile profile-name { fields { field-name ; } file filename ; interval minutes ; } } # End of [edit accounting-options] hierarchy level
[edit chassis] Hierarchy Level

chassis { aggregated-devices { ethernet { device-count number ; } sonet { device-count number ; } } alarm { interface-type { alarm-name (red | yellow | ignore); } } fpcslot-number { pic pic-number { framing (sdh | sonet); no-concatenate; } } (packet-scheduling | no-packet-scheduling); (source-route | no-source-route); redundancy { failover on-loss-of-keepalives; keepalive-timeseconds; routing-engine slot-number (master | backup | disabled); ssb slot-number (always | preferred); } } #End of [edit chassis] hierarchy level
[edit class-of-service] Hierarchy Level

class-of-service { cos-next-hop-map map-name { output-queue queue-number { next-hop address; } } input { fpc fpc-number { precedence-map map-name ; }
27
interfaces { interface-name { inet-precedence-map; mpls-cos-map; unit unit-number { output-queue queue-number ; } } } precedence-map map-name { bits precedence-bit output-queue queue-number ; } } output { drop-profile profile-name { stream-profile { fill-level fill-percentage drop-probability probability-percentage ; } plp-set-queue-profile { fill-level fill-percentage drop-probability probability-percentage ; } plp-clear-queue-profile { fill-level fill-percentage drop-probability probability-percentage ; } } fpc fpc-number { drop-profile profile-name ; } interfaces { interface-name { transmit-queues { output-queue queue-number buffer-percentage percentage ; } weighted-round-robin { output-queue queue-number weight percentage ; } unit unit-number { precedence-rewrite { output-queue queue-number { plp-clear rewrite-bits precedence-bit; plp-set rewrite-bits precedence-bit; } } } } } } policy { class class-name { classification-override { output-queue queue-number ; } } } } # End of [edit class-of-service] hierarchy level
28
[edit firewall] Hierarchy Level

firewall { filter filter-name { accounting-profile name; interface-specific; term term-name { from { match-conditions ; } then { action ; action-modifiers ; } } } } # End of [edit firewall] hierarchy level
[edit forwarding-options] Hierarchy Level

forwarding-options { hash-key { family inet { layer-3; layer-4; } } sampling { disable; input { family inet { rate number ; run-length number ; } } output { cflowd hostname { aggregation { autonomous-system; destination-prefix; protocol-port; source-destination-prefix; source-prefix; } autonomous-system-type (origin | peer); (local-dump | no-local-dump); port portnumber ; port format ; } file { filename filename ; files number; size bytes ; (stamp | no-stamp); (world-readable | no-world-readable); } }

29
traceoptions { file filename { files number ; size bytes ; (world-readable | no-world-readable); } } } } #End of [edit forwarding-options] hierarchy level
[edit groups] Hierarchy Level

groups { group-name { configuration-data; } } #End of [edit groups] hierarchy level
[edit interfaces] Hierarchy Level

interfaces { interface-name { disable; accounting-profile name; description text; aggregated-ether-options { (flow-control | no-flow-control); (loopback | no-loopback); minimum-links number ; source-address-filter { mac-address; } (source-filtering | no-source-filtering); } aggregated-sonet options { link-speed speed; minimum-links number ; { atm-options { vpi vpi-identifier max-vcs maximum-vcs ; ilmi; e3-options { atm-encapsulation (direct | PLCP); buildout distance (ft | m); framing (g751 | g832); loopback (local | remote); (payload-scrambler | no-payload-scrambler); } t3-options { atm-encapsulation (direct | PLCP); buildout distance (ft | m); (cbit-parity | no-cbit-parity); loopback (local | remote); (payload-scrambler | no-payload-scrambler); } } clocking clock-source ; dce;
30
e1-options { bert-error-rate rate; bert-period seconds; fcs (32 | 16); framing (g704 | unframed); idle-cycle-flag (flags | ones); loopback (local | remote); start-end-flag (shared | filler); timeslots slot-number ; } e3-options { bert-algorithm algorithm ; bert-error-rate rate ; bert-period seconds ; compatibility-mode (digital-link | kentrox) <subrate value>; fcs (32 | 16); idle-cycle-flag value ; loopback (local | remote); (payload-scrambler | no-payload-scrambler); start-end-flag value ; } encapsulation type ; fastether-options { 802.3ad aeX; (flow-control | no-flow-control); (loopback | no-loopback); source-address-filter { mac-address ; } (source-filtering | no-source-filtering); } gigether-options { 802.3ad aeX; (flow-control | no-flow-control); (loopback | no-loopback); source-address-filter { mac-address ; } (source-filtering | no-source-filtering); } hold-time up milliseconds down milliseconds ; keepalives <down-count number> <interval seconds> <up-count number>; link-mode mode ; lmi { lmi-type (ansi | itu); n391dte number ; n392dce number ; n392dte number ; n393dce number ; n393dte number ; t391dte seconds; t392dce seconds; } mac mac-address ; mtu bytes ; no-keepalives; no-traps; receive-bucket { overflow (tag | discard); rate percentage ; threshold number ; }
31
sonet-options { aggregate asX; aps { advertise-interval milliseconds ; authentication-key key ; force; hold-time milliseconds ; lockout; neighbor address ; paired-group group-name ; protect-circuit group-name ; request; revert-time seconds ; working-circuit group-name ; } bytes { e1-quiet value ; f1 value ; f2 value ; s1 value ; z3 value ; z4 value ; } fcs (32 | 16); loopback (local | remote); path-trace trace-string ; (payload-scrambler | no-payload-scrambler); rfc-2615; (z0-increment | no-z0-increment); } speed (10m | 100m); t1-options { bert-error-rate rate; bert-period seconds; buildout (0-133 | 133-266 | 266-399 | 399-532 | 532-655); byte-encoding (nx64 | nx56); fcs (32 | 16); framing (sf | esf); idle-cycle-flags (flags | ones); invert-data; line-encoding (ami | b8zs); loopback (local | remote); start-end-flag (shared | filler); timeslots slot-number ; } t3-options { bert-algorithm algorithm ; bert-error-rate rate ; bert-period seconds ; (cbit-parity | no-cbit-parity); compatibility-mode (digital-link | kentrox | larscom) <subrate value >; fcs (32 | 16); (feac-loop-respond | no-feac-loop-respond); idle-cycle-flag value ; (long-buildout | no-long-buildout); loopback (local | remote); (payload-scrambler | no-payload-scrambler); start-end-flag value ; } traceoptions { flag flag <flag-modifier > <disable>; }
32
transmit-bucket { overflow (tag | discard); rate percentage ; threshold number ; } vlan-tagging; unit logical-unit-number { accounting-profile name; allow_any_vci; disable; dlci dlci-identifier ; drop-timeout milliseconds; encapsulation type ; fragment-threshold bytes; inverse-arp; mrru bytes; multicast-dlci dlci-identifier ; multicast-vci vpi-identifier.vci-identifier ; multipoint; no-traps; oam-liveness { up-count cells ; down-count cells ; } oam-period (disable | seconds ); point-to-point; shaping { (cbr rate | vbr peak rate sustained rate burst length ); queue-length number ; } short-sequence; tunnel { source source-address ; destination destination-address ; ttl number ; } vci vpi-identifier.vci-identifier ; vlan-id number ; family family { bundle ml-fpc/pic/port; destination class usage; dhcp-relay { disable; maximum-hop-count number ; minimum-wait-time seconds; server [ address ]; } filter { input filter-name ; output filter-name ; group filter-group-number ; } mtu size ; multicasts-only; no-redirects; primary; address address { arp ip-address mac mac-address <publish>; destination destination-address ; broadcast address ; multipoint-destination destination-address (dlci dlci-identifier | vci vci-identifier ); multipoint-destination destination-address { inverse-arp;
33
oam-liveness { up-count cells ; down-count cells ; } oam-period seconds ; shaping { (cbr rate | vbr peak rate sustained rate burst length ); queue-length number ; } vci vpi-identifier.vci-identifier ; } preferred; primary; vrrp-group group-number { virtual-address [ addresses ]; priority number ; (accept-data | no-accept-data); advertise-interval seconds ; authentication-type authentication ; authentication-key key ; (preempt | no-preempt); track { interface interface-name priority-cost cost ; } } } } } } } # End of [edit interfaces] hierarchy level
[edit policy-options] Hierarchy Level

policy-options { as-path name regular-expression ; community name members [ community-ids ]; damping name { disable; half-life minutes ; max-suppress minutes ; reuse number ; suppress number ; } policy-statement policy-name { term term-name { from { match-conditions ; route-filter destination-prefix match-type <actions >; source-address-filter destination-prefix match-type <actions>; prefix-list name; } to { match-conditions ; } then actions ; } } prefix-list name { ip-addresses ; } } # End of [edit policy-options] hierarchy level
34
[edit protocols] Hierarchy Level

protocols { BGP bgp { advertise-inactive; authentication-key key ; cluster cluster-identifier ; damping; description text-description ; disable; export [policy-name ]; family inet { (any | unicast | multicast) { prefix-limit { maximum number ; teardown <percentage >; } rib-group group-name; } } hold-time seconds ; import [policy-name ]; keep (all | none); local-address address ; local-as autonomous-system <private>; local-preference local-preference ; log-updown; metric-out (metric | minimum-igp <offset> | igp <offset>; multihop <ttl-value>; no-aggregator-id; no-client-reflect; out-delay seconds ; passive; path-selection (cisco-non-deterministic | always-compare-med); peer-as autonomous-system ; preference preference ; remove-private; traceoptions { file name <replace> <size size> <files number > <no-stamp> <(world-readable | no-world-readable)>; flag flag <flag-modifier > <disable>; } group group-name { advertise-inactive; allow [ network/mask-length ]; as-override; authentication-key key ; cluster cluster-identifier ; damping; description text-description ; export [policy-name ]; family inet { (any | unicast | multicast) { prefix-limit { maximum number ; teardown <percentage >; } rib-group group-name; } }
35
hold-time seconds ; import [policy-name ]; keep (all | none); local-address address ; local-as autonomous-system <private>; local-preference local-preference ; log-updown; metric-out (metric | minimum-igp <offset> | igp <offset>); multihop <ttl-value>; multipath; no-aggregator-id; no-client-reflect; out-delay seconds ; passive; peer-as autonomous-system ; preference preference ; protocol protocol ; remove-private; traceoptions { file name <replace> <size size> <files number > <no-stamp> <(world-readable | no-world-readable)>; flag flag <flag-modifier > <disable>; } type type ; neighbor address { advertise-inactive; as-override; authentication-key key ; cluster cluster-identifier ; damping; description text-description ; export [policy-name ]; family inet { (any | unicast | multicast) { prefix-limit { maximum number ; teardown <percentage >; } rib-group group-name; } } hold-time seconds ; import [ policy-name ]; keep (all | none); local-address address ; local-as autonomous-system <private>; local-preference local-preference ; log-updown; metric-out (metric | minimum-igp <offset> | igp <offset>); multihop <ttl-value>; multipath; no-aggregator-id; no-client-reflect; out-delay seconds ; passive; peer-as autonomous-system ; preference preference ; remove-private;
36
traceoptions { file name <replace> <size size> <files number > <no-stamp> <(world-readable | no-world-readable)>; flag flag <flag-modifier > <disable>; } } } } # End of [edit protocols bgp] hierarchy level Connections connections { interface-switch connection-name { interface interface-name.unit-number ; interface interface-name.unit-number ; } lsp-switch connection-name { transmit-lsp label-switched-path ; receive-lsp label-switched-path; } remote-interface-switch connection-name { interface interface-name.unit-number ; transmit-lsp label-switched-path ; receive-lsp label-switched-path ; } } # End of [edit protocols connections] hierarchy level dvmrp { disable; export [ policy-name ]; import [ policy-name ]; rib-group group-name ; inet; traceoptions { file name <replace> <size size> <files number > <no-stamp> <(world-readable | no-world-readable)>; flag flag <flag-modifier > <disable>; } interface interface-name { disable; hold-time seconds ; metric metric ; mode (forwarding | unicast-routing); } } # End of [edit protocols dvmrp] hierarchy level igmp { interface interface-name { disable; version version ; query-interval seconds ; query-last-member-interval seconds ; query-response-interval seconds ; robust-count number ; traceoptions { file name <replace> <size size> <files number > <no-stamp> <(world-readable | no-world-readable)>; flag flag <flag-modifier > <disable>; } } } # End of [edit protocols igmp] hierarchy level
DVMRP
IGMP
37
IS-IS
isis { disable; authentication-key key ; authentication-type authentication ; export [ policy-name ]; label-switched-path name level level metric metric; level level-number { authentication-key key ; authentication-type authentication ; external-preference preference ; preference preference ; wide-metrics-only; } lsp-lifetime seconds ; multicast-topology; no-authentication-check; overload <timeout seconds >; reference-bandwidth reference-bandwidth ; rib-group group name; traffic-engineering { disable; shortcuts; } traceoptions { file name <replace> <size size> <files number > <no-stamp> <(world-readable | no-world-readable)>; flag flag <flag-modifier > <disable>; } interface interface-name { disable; csnp-interval (seconds | disable); hello-authentication-key key ; hello-authentication-type authentication ; lsp-interval milliseconds ; mesh-group (value | blocked); passive; level level-number { disable; hello-authentication-key key ; hello-authentication-type authentication ; hello-interval seconds ; hold-time seconds ; metric metric ; passive ; priority number ; te-metric metric ; } } } # End of [edit protocols isis] hierarchy level l2vpn { encapsulation-type <type> traceoptions { file filename <replace> <size size> <files number> <nostamp>; flag flag <flag-modifier> <disable>; } site site-name { site-identifier identifier ; interface interface-name { site-offset offset; } } }
L2vpn
38
LDP
ldp { import policy-name; deaggregate | no-deaggregate; egress-policy policy-name ; export policy-name; keepalive-interval seconds ; keepalive-timeout seconds ; preference preference; transport-address ( interface | loopback ); interface interface-name { disable; hello-interval seconds ; hold-time seconds; deaggregate | no-deaggregate; transport-address ( interface | loopback ); } traceoptions { file filename <replace> <size size> <files number> <no-stamp> <(world-readable | no-world-readable)>; flag flag <flag-modifier> <disable>; } } } # End of [edit protocols ldp] hierarchy level mpls { disable; admin-groups { group-name group-value ; } log-updown { (syslog | no-syslog); (trap | no-trap); } no-propagate-ttl; optimize-aggressive; path path-name { disable; address <strict | loose>; } statistics { file filename size size files number <no-stamp>; interval seconds ; } traceoptions { file name <replace> <size size> <files number > <no-stamp> <(world-readable | no-world-readable)>; flag flag <flag-modifier > <disable>; } traffic-engineering (bgp | bgp-igp); label-switched-path lsp-path-name { disable; to address ; from address ; adaptive; admin-group { include [ group-name ]; exclude [ group-name ]; } bandwidth bps ; class-of-service class-of-service ; fast-reroute { bandwidth bps; hop-limit number ;
MPLS
39
(include group-names | no-include); (exclude group-names | no-exclude); } hop-limit number ; ldp-tunneling; metric metric; no-cspf; no-decrement-ttl; optimize-timer seconds ; preference preference ; priority setup-priority hold-priority ; (random | least-fill | most-fill); (record | no-record); retry-limit number ; retry-timer seconds ; standby; primary path-name { adaptive; admin-group { include [ group-names ]; exclude [ group-names ]; } bandwidth bps ; class-of-service class-of-service ; hop-limit number ; no-cspf; optimize-timer seconds ; preference preference ; priority setup-priority hold-priority ; (record | no-record); standby; } secondary path-name { adaptive; admin-group { include group-names; exclude group-names ; } bandwidth bps ; class-of-service class-of-service ; hop-limit number ; no-cspf; optimize-timer seconds ; preference preference ; priority setup-priority hold-priority ; (record | no-record); standby; } install { destination-prefix/prefix-length <active>; } } interface (interface-name | all) { disable; admin-group { group-name ; } label-map in-label { (nexthop (address | interface-name | address/interface-name )) | (reject | discard); (pop | (swap <out-label >); class-of-service class-of-service ; preference preference ; type type ;
40
} } static-path inet { prefix { nexthop (address | interface-name | address/interface-name ); push out-label ; class-of-service class-of-service ; preference preference ; } } } # End of [edit protocols mpls] hierarchy level MSDP msdp { disable; export [ policy-name ]; import [ policy-name ]; local address address; rib-group group-name ; traceoptions { file name <replace> <size size> <files number > <no-stamp> <(world-readable | no-world-readable)>; flag flag <flag-modifier > <disable>; } peer address { disable; local-address address ; export [ policy-name ]; import [ policy-name ]; traceoptions { file name <replace> <size size> <files number > <no-stamp> <(world-readable | no-world-readable)>; flag flag <flag-modifier > <disable>; } } group group-name { disable; export [ policy-name ]; import [ policy-name ]; local-address address ; mode <(mesh-group | standard)>; traceoptions { file name <replace> <size size> <files number > <no-stamp> <(world-readable | no-world-readable)>; flag flag <flag-modifier > <disable>; } peer address; { disable; export [ policy-name ]; import [ policy-name ]; local-address address ; traceoptions { file name <replace> <size size> <files number > <no-stamp> <(world-readable | no-world-readable)>; flag flag <flag-modifier > <disable>; } } } } #End of [edit protocols msdp] hierarchy level ospf { disable; domain-id domain-id; export [ policy-name ];
OSPF
41
external-preference preference ; overload { timeout seconds; } preference preference ; reference-bandwidth reference-bandwidth ; rib-group group-name; traffic-engineering { no-topology; shortcuts; } traceoptions { file name <replace> <size size> <files number > <no-stamp> <(world-readable | no-world-readable)>; flag flag <flag-modifier > <disable>; } area area-id { area-range network/masklen <restrict>; authentication-type authentication ; interface interface-name { disable; authentication-key key <key-id identifier >; dead-interval seconds ; hello-interval seconds ; interface-type type ; metric metric ; neighbor address <eligible>; passive; poll-interval seconds ; priority number ; retransmit-interval seconds ; transit-delay seconds ; transmit-interval seconds ; } label-switched-path name metric metric; nssa { area-range network/masklen <restrict>; default-metric metric ; (no-summaries | summaries); } stub <default-metric metric > < (no-summaries | summaries)>; virtual-link neighbor-id router-id transit-area area-id { disable; authentication-key key <key-id identifier >; dead-interval seconds ; hello-interval seconds ; retransmit-interval seconds ; transit-delay seconds ; } } } # End of [edit protocols ospf] hierarchy level PIM pim { disable; dense-groups { addresses ; } import [ policy-name ]; rib-group group-name ; traceoptions { file name <replace> <size size> <files number > <no-stamp> <(world-readable | no-world-readable)>; flag flag <flag-modifier > <disable>;
42
} interface interface-name { disable; mode (dense | sparse | sparse-dense); priority number ; version version ; } rp { local { disable; address address ; group-ranges { destination-mask ; } hold-time seconds ; priority number ; } auto-rp (announce | discovery | mapping); bootstrap-priority number ; static { address address { version version ; group-ranges { destination-mask ; } } } } } # End of [edit protocols pim] hierarchy level RIP rip { traceoptions { file name <replace> <size size> <files number > <no-stamp> <(world-readable | no-world-readable)>; flag flag <flag-modifier > <disable>; } authentication-key password ; authentication-type type; (check-zero | no-check-zero); import [policy -name]; message-size number ; metric-in metric ; receive receive-options ; send send-options ; group group-name { export [policy-name ]; metric-out metric ; preference preference ; neighbor neighbor-name { authentication-key password ; authentication-type type ; (check-zero | no-check-zero); import [policy -name]; message-size number ; metric-in metric ; receive receive-options ; send send-options ; } } } # End of [edit protocols rip] hierarchy level
43
Router Discovery
router-discovery { disable; traceoptions { file name <replace> <size size> <files number > <no-stamp> <(world-readable | no-world-readable)>; flag flag <flag-modifier > <disable>; } interface interface-name { min-advertisement-interval seconds ; max-advertisement-interval seconds ; lifetime seconds ; } address address { (advertise | ignore); (broadcast | multicast); (priority number | ineligible); } } # End of [edit protocols router-discovery] hierarchy level rsvp { disable; keep-multiplier number ; preemption (aggressive | disabled | normal); refresh-time seconds ; traceoptions { file name <replace> <size size> <files number > <no-stamp> <(world-readable | no-world-readable)>; flag flag <flag-modifier > <disable>; } interface interface-name { disable; (aggregate | no-aggregate); authentication-key key ; bandwidth bps ; hello-interval seconds ; subscription percentage ; } } # End of [edit protocols rsvp] hierarchy level sap { disable; listen <address> <port port >; } # End of [edit protocols sap] hierarchy level
RSVP
SDP/SAP
44
[edit routing-instances] Hierarchy Level

routing-instances { routing-instance-name { interface interface-name; instance-type (forwarding | I2vpn | no-forwarding | vrf); route-distinguisher (as-number :number | ip-address:number); vrf-import [policy-name]; vrf-export [policy-name]; protocols { bgp { bgp-configuration; } isis { isis-configuration; } l2vpn { l2vpn-configuration; } ospf { ospf-configuration ; } rip { rip-configuration; } } routing-options { aggregate { defaults { aggregate-options ; } route destination-prefix { policy policy-name ; aggregate-options ; } } autonomous-system autonomous-system <loops number>; confederation confederation-autonomous-system members autonomous-system ; fate-sharing { group group-name; cost value ; from address [to address]; } forwarding-table { export [ policy-name ]; } generate { defaults { generate-options ; } route destination-prefix { policy policy-name ; generate-options ; } } interface-routes { rib-group group-name ; } martians { destination-prefix match-type <allow>; }
45
multicast { scope scope-name { interface interface-name ; prefix destination-prefix ; } ssm-groups { addresses; } } options { syslog (level level | upto level ); } resolution { tracefilter [filter-policy]; traceoptions { file name <replace> <size size> <files number> <no-stamp> <(world-readable | no-world-readable)>; flag flag <flag-modifier> <disable>; } } rib routing-table { aggregate { defaults { aggregate-options ; } route destination-prefix { policy policy-name ; aggregate-options ; } } generate { defaults { generate-options; } route destination-prefix { policy policy-name; generate-options; } } martians { destination-prefix match-type <allow>; } static { defaults { static-options ; } rib-group group-name; route destination-prefix { next-hop ; qualified-next-hop address { metric metric; preference preference; } static-options ; } } } rib-groups { group-name { import-rib [ group-name ]; export-rib group-name ; } }
46
route-record; router-id address ; static { defaults { static-options ; } rib-group group-name; route destination-prefix { next-hop ; qualified-next-hop address { metric metric; preference preference; } static-options ; } } traceoptions { file name <replace> <size size> <files number > <no-stamp> <(world-readable | no-world-readable)>; flag flag <flag-modifier> <disable>; } } } } #End of [edit routing-instances] hierarchy level
[edit routing-options] Hierarchy Level

routing-options { aggregate { defaults { aggregate-options; } route destination-prefix { policy policy-name ; aggregate-options; } } autonomous-system autonomous-system <loops number>; confederation confederation-autonomous-system members autonomous-system ; fate-sharing { group group-name; cost value; from address [to address]; } forwarding-table { export [ policy-name ]; } generate { defaults { generate-options; } route destination-prefix { policy policy-name ; generate-options; } } interface-routes { rib-group group-name ; }
47
martians { destination-prefix match-type <allow>; } multicast { scope scope-name { interface interface-name ; prefix destination-prefix ; } ssm-groups { address; } } options { syslog (level level | upto level ); } resolution { tracefilter [filter-policy]; traceoptions { file name <replace> <size size> <files number> <no-stamp> <(world-readable | no-world-readable)>; flag flag <flag-modifier> <disable>; } } rib routing-table { aggregate { defaults { aggregate-options; } rib-group group-name; route destination-prefix { policy policy-name; aggregate-options; } } generate { defaults { generate-options; } route destination-prefix { policy policy-name ; generate-options; } } martians { destination-prefix match-type <allow>; } static { defaults { static-options; } rib-group group-name; route destination-prefix { next-hop; static-options; } } } rib-groups { group-name { import-rib [ group-name ]; export-rib group-name; } }
48
route record; router-id address ; static { defaults { static-options ; } rib-group group-name; route destination-prefix { next-hop ; static-options ; } } traceoptions { file name <replace> <size size> <files number > <no-stamp> <(world-readable | no-world-readable)>; flag flag <flag-modifier > <disable>; } } # End of [edit routing-options] hierarchy level
[edit snmp] Hierarchy Level

snmp { description description ; location location ; contact contact ; interface [ interface-names ]; community community-name { authorization authorization ; clients { default restrict; address <restrict>; } } trap-group group-name { categories category ; targets { address ; } version version ; } traceoptions { file <files number > <size size>; flag flag <disable>; } } # End of [edit snmp] hierarchy level
49
[edit system] Hierarchy Level

system { authentication-order [ authentication-methods ]; backup-router address <destination destination-address>; compress-configuration-files; default-address-selection; dhcp-relay { no-listen; maximum-hop-count; minimum-wait-time seconds; server [ address ]; interface interface-group { no-listen; maximum-hop-count; minimum-wait-time seconds; server [ address ]; } } diag-port-authentication (encrypted-password password | plain-text-password); domain-name domain-name ; domain-search [domain-list]; host-name host-name ; location { altitude feet ; country-code code ; hcoord horizontal-coordinate ; lata service-area ; latitude degrees ; longitude degrees ; npa-nxx number ; postal-code postal-code ; vcoord vertical-coordinate ; } login { message text ; class class-name { allow-commands "regular-expression " ; deny-commands "regular-expression"; idle-timeout minutes ; permissions [ permissions ]; } user user-name { full-name complete-name ; uid uid-value ; class class-name ; authentication { (encrypted-password "password " | plain-text-password); ssh-rsa "public-key"; ssh-dsa "public-key"; } } } mirror-flash-on-disk; name-server { address ; } no-redirects;
50
ntp { authentication-key key-number type type value password ; boot-server address ; broadcast <address> <key key-number> <version value> <ttl value>; broadcast-client; multicast-client <address>; peer address <key key-number> <version value> <prefer>; server address <key key-number> <version value> <prefer>; trusted-key [ key-numbers ]; } ports { auxiliary { insecure; speed baud-rate ; type terminal-type ; } console { insecure; speed baud-rate ; type terminal-type ; } } processes { inet-process (enable | disable) failover (alternate-media | other-routing-engine); interface-control (enable | disable) failover (alternate-media | other-routing-engine); mib-process (enable | disable) failover (alternate-media | other-routing-engine); ntp (enable | disable) failover (alternate-media | other-routing-engine); routing (enable | disable) failover (alternate-media | other-routing-engine); snmp (enable | disable) failover (alternate-media | other-routing-engine); watchdog (enable | disable) failover (alternate-media | other-routing-engine) timeout seconds ; } radius-server server-address { port number ; retry number ; secret password ; timeout seconds ; } root-authentication { (encrypted-password "password" | plain-text-password); ssh-rsa "public-key"; ssh-dsa "public-key" ; } services { finger ( <connection-limit limit>; <rate-limit limit>; } rlogin { <connection-limit limit>; <rate-limit limit>; } ssh { root-login (allow | deny | deny-password); protocol-version [v1 v2]; <connection-limit limit>; <rate-limit limit>; } telnet { <connection-limit limit>; <rate-limit limit>; } }
51
static-host-mapping { host-name { inet [ address ]; sysid system-identifier ; alias [ alias ]; } } syslog { file filename { facility level ; archive { files number ; size size ; (world-readable | no-world-readable); } } host hostname { facility level ; facility-override facility; log-prefix string; } user (username | *) { facility level ; } console { facility level ; } archive { files number ; size size ; (world-readable | no-world-readable); } } tacplus-server server-address { secret password ; single-connection; timeout seconds ; } time-zone time-zone ; } # End of [edit system] hierarchy level
52

! Installation Overview on page 55 ! Configure the Software Initially on page 59 ! Reinstall the Software on page 63 ! Upgrade Software Packages on page 67 ! Upgrade to Release 5.0 or Downgrade from Release 5.0 on page 73
53
54
Chapter 4 Installation Overview

Your router comes with JUNOS software installed on it. When you power on the router, all software starts automatically. You simply need to configure the software and the router will be ready to participate in the network. The software is installed on the routers flash drive (a nonrotating drive) and hard drive (a rotating disk). A copy of the software also is provided on removable media, either an LS-120 floppy disk or a PCMCIA card, which can be inserted into the routers drive or card slot. Normally, when you power on the router, it runs the copy of the software that is installed on the flash drive. You might want to upgrade the router software as new features are added or software problems are fixed. You normally obtain new software by downloading the images onto your router or onto another system on your local network. Then you install the software upgrade on the routers flash and hard drives. You can also copy the software onto the removable media. If the software on the flash, hard disk, or removable media becomes damaged, you can reinstall the software onto those devices. This chapter discusses the following concepts and terminology related to installing and upgrading the JUNOS software: ! JUNOS Software Distribution on page 55 ! JUNOS Software Naming Conventions on page 56 ! Storage Media on page 57 ! Boot Devices on page 57 ! Boot Sequence on page 58
JUNOS Software Distribution

Each JUNOS software release consists of the following components: ! Base package, which contains additions to the operating system ! Kernel and network tools package, which contains the operating system ! Routing package, which contains the software that runs on the Routing Engine
Installation Overview
55
JUNOS Software Naming Conventions
! Packet Forwarding Engine software package ! Crypto package, which contains security software (domestic version) ! Documentation package, which contains the documentation for the software A package is a collection of files that make up a software component. These software packages are provided as a single unit, called a bundle, which you can use to upgrade all the packages at once. You can also upgrade the packages individually. When upgrading to a new major release, you must upgrade using the bundle; do not upgrade packages individually. If you are upgrading to Release 5.0 from 4.x or downgrading from 5.0 to 4.x, use the jinstall package. Otherwise, use the jbundle package to upgrade to a new release. Downgrading from Release 5.0 to 4.x might require a two-step process. For more information, see Upgrade to Release 5.0 or Downgrade from Release 5.0 on page 73. Two sets of JUNOS software packages are provided, one for customers in the United States and Canada and another for other customers. The worldwide version does not include any capabilities that provide encryption of data leaving the router. Otherwise, the two packages are identical.
JUNOS Software Naming Conventions Software Release Name

A JUNOS software release has a name in the following format:
JUNOS-m.nZnumber
m.n is two integers that represent the software release number; m denotes the major release number. Z is a capital letter that indicates the type of software release. In most cases, it is an R, to indicate that this is released software. If you are involved in testing prereleased software, this letter might be an A (for alpha-level software), B (for beta-level software), or I (a capital letter I; for internal, test, or experimental versions of software). number represents the version of the major software release. The following is an example of a software release name:
JUNOS-5.0R1
56
Storage Media
Package Names
A software package has a name in the following format:
package-name-release.tgz
package-name is the name of the package. Examples are jroute (the routing package) and jkernel (the operating system package). release is the software release number; for example, 5.0R1 or 4.4R1.5. The following are examples of package names:
jroute-5.0R1.tgz jkernel-5.0R1.tgz jpfe-5.0R1.tgz jinstall-5.0R1.tgz
Storage Media
The router has three forms of storage media: ! Flash drive, which is a nonrotating drive. When a new router is shipped from the factory, the JUNOS software is preinstalled on the flash drive. ! Hard drive, which is a rotating drive. When a new router is shipped from the factory, the JUNOS software is preinstalled on the hard drive. This drive also is used to store system log files and diagnostic dump files. ! Removable media, either a LS-120 floppy drive (which reads a 120-MB LS-120 floppy disk) or a PCMCIA card slot. The removable media that ships with each router contains a copy of the JUNOS software. The storage media have the following device names, which are displayed when the router boots.
Table 1: Release 5.0 Device Names

Device
Flash drive Hard drive Removable media
CPV5000
ad0 ad2 afd0
Teknor
ad0 ad1 ad4
Boot Devices
The router typically boots from the flash disk. (Although it is possible to boot the router from the hard drive and removable media, typically this is not done.) These disks are referred to as the boot devices. The disk from which the router boots is called the primary boot device, and the other disk is the alternate boot device. The primary boot device is generally the flash disk, and the alternate boot device is generally the hard disk.
Installation Overview
57
Boot Sequence
Boot Sequence
Normally, the router boots from the flash disk. If it fails, it attempts to boot from the hard drive, which is the alternate medium. If a removable medium is installed when the router boots, the router attempts to boot the image on it. If the router fails, it next tries the flash disk and finally the hard disk. If the router boots from an alternative medium, the JUNOS software displays a message indicating this when you log into the router. For example, this message shows that the software booted from the hard disk (/dev/ad2s1a):
login: username Password: password Last login: date on terminal --- JUNOS 5.0R1 built date ----- NOTICE: System is running on alternate media device (/dev/ad2s1a).
58
Chapter 5 Configure the Software Initially

You can configure the router from a system console connected to the routers console port or by using Telnet to access the router remotely. Before you configure the software for the first time, you need the following information: ! Name of the machine ! Machines domain name ! IP address and prefix length information for routers management Ethernet interface ! IP address of a default router ! IP address of a DNS server ! Password for the user root To configure the software for the first time, follow these steps: 1. 2. 3. Power on the router. The JUNOS software boots automatically. Log in as the user root. There is no password. Start the command-line interface (CLI):
root# cli root@>
4.
Enter configuration mode:

cli> configure [edit] root@#
5.
Configure the name of the machine. If the name includes spaces, enclose the entire name in quotation marks (" ").
[edit] root@# set system host-name host-name
6.
Configure the machines domain name:

[edit] root@# set system domain-name domain-name
Configure the Software Initially
59
7.
Configure the IP address and prefix length for the routers management Ethernet interface:
[edit] root@# set interfaces fxp0 unit 0 family inet address address/prefix-length
8.
Configure the IP address of a default router. This system is called the backup router because it is used only while the routing protocol process is not running.
[edit] root@# set system backup-router address
9.
Configure the IP address of a DNS server:

[edit] root@# set system name-server address
10. Set the root password, entering either a clear-text password that the system will encrypt, a password that is already encrypted, or an SSH public key string. To enter a clear-text password, use the following command to set the root password:
[edit] root@# set system root-authentication plain-text-password New password: type password Retype new password: retype password
To enter a password that is already encrypted, use the following command to set the root password:
[edit] root@# set system root-authentication encrypted-password encrypted-password
To enter an SSH public string, use the following command to set the root password:
[edit] root@# set system root-authentication ssh-rsa key
11. Optionally, display the configuration statements:

[edit] root@ show system { host-name host-name ; domain-name domain.name ; backup-router address ; name-server { address ; } interfaces { fxp0 { unit 0 { family inet { address address ; } } } }
60
12. Commit the configuration, which activates the configuration on the router:
[edit] root@# commit
13. If you want to configure additional properties at this time, remain in configuration mode and add the necessary configuration statements. Then commit the changes to activate them on the router:
[edit] root@host-name# commit
14. When you have completed configuring the router, exit from configuration mode:
[edit] root@host-name# exit root@host-name>
15. After you have installed the software on the router, committed the configuration, and are satisfied that the new configuration is successfully running, you should issue the request system snapshot command to back up the new software onto the /altconfig file system. If you do not issue the request system snapshot command, the configuration on the alternate boot drive will be out of sync with the configuration on the primary boot drive. The request system snapshot command causes the root file system to be backed up to /altroot, and /config to be backed up to /altconfig. The root and /config file systems are on the routers flash drive, and the /altroot and /altconfig file systems are on the routers hard drive. After you issue this command, you cannot return to the previous version of the software, because the running and backup copies of the software are identical.
Configure the Software Initially
61
62
Chapter 6 Reinstall the Software

If any of the software becomes damaged, you might want to reinstall it. Also, you might want to periodically upgrade the router software as new features become available or as software problems are fixed. This chapter discusses the following topics related to reinstalling the JUNOS Internet software: ! Prepare to Reinstall the JUNOS Software on page 63 ! Reinstall the JUNOS Software on page 63 ! Reconfigure the JUNOS Software on page 64
Prepare to Reinstall the JUNOS Software

Before you install the JUNOS software, you must do the following: 1. Copy the existing configuration in the file /config/juniper.conf from the router to another system or to removable media. You also might want to copy any backup configurations (the files named /config/juniper.conf.n, where n is a number from 0 through 9). To copy the files, use the file copy command. Have available the removable medium that shipped with the router (also called a boot floppy). If you do not have a boot floppy, contact customer support.
2.
Reinstall the JUNOS Software

To reinstall the JUNOS software, follow these steps: 1. 2. Insert the removable medium into the router. Reboot the router, either by power-cycling it or by issuing the request system reboot command from the command-line interface (CLI). When the software asks the following question, type y.
WARNING: The installation will erase the contents of your disk. Do you wish to continue (y/n)?
3.
Reinstall the Software
63
Reconfigure the JUNOS Software
4.
The router then copies the software from the removable medium onto your system, occasionally displaying status messages. Copying the software can take up to 10 minutes. Remove the removable medium when prompted. The router then reboots from the primary boot device on which the software was just installed. When the reboot is complete, the router displays the login prompt.
5.

After you have reinstalled the software, you must copy the routers configuration files back to the router. (You also can configure the router from scratch as described in Configure the Software Initially on page 59.) However, before you can copy the configuration files, you must establish network connectivity. To reconfigure the software, follow these steps: 1. 2. Log in as root. There is no password. Start the CLI:
root# cli root@>
3.
Enter configuration mode:

cli> configure [edit] root@#
4.
Configure the name of the machine. If the name includes spaces, enclose the entire name in quotation marks (" ").
[edit] root@# set system host-name host-name
5.
Configure the machines domain name:

[edit] root@# set system domain-name domain-name
6.
Configure the IP address and prefix length for the routers management Ethernet interface:
[edit] root@# set interfaces fxp0 unit 0 family inet address address/prefix-length
7.
Configure the IP address of a default router. This system is called the backup router because it is used only while the routing protocol process is not running.
[edit] root@# set system backup-router address
64
8.
Configure the IP address of a DNS server:

[edit] root@# set system name-server address
9.
Set the root password, entering either a clear-text password that the system will encrypt, a password that is already encrypted, or an SSH public key string. To enter a clear-text password, use the following command to set the root password:
[edit] root@# set system root-authentication plain-text-password New password: type password Retype new password: retype password
To enter a password that is already encrypted, use the following command to set the root password:
[edit] root@# set system root-authentication encrypted-password encrypted-password
To enter an SSH public string, use the following command to set the root password:
[edit] root@# set system root-authentication ssh-rsa key
10. Commit the changes:

[edit] root@# commit
11. Exit from configuration mode:

[edit] root@# exit root@>
12. To check that the router has network connectivity, issue a ping command to a system on the network:
root@> ping address
If there is no response, reboot the router. 13. Copy the existing configuration and any backup configurations back onto the router. Place the files in the /config directory. To copy the files, use the file copy command. 14. Load and activate the desired configuration:
root@> configure [edit] root@# load merge /config/filename or load replace /config/filename [edit] root@# commit
Reinstall the Software
65
15. After you have installed the software on the router, committed the configuration, and are satisfied that the new configuration is successfully running, you should issue the request system snapshot command to back up the new software onto the /altconfig file system. If you do not issue the request system snapshot command, the configuration on the alternate boot drive will be out of sync with the configuration on the primary boot drive. The request system snapshot command causes the root file system to be backed up to /altroot, and /config to be backed up to /altconfig. The root and /config file systems are on the routers flash drive and the /altroot and /altconfig file systems are on the routers hard drive. After you issue this command, you cannot return to the previous version of the software, because the running and backup copies of the software are identical.
66
Chapter 7 Upgrade Software Packages

Each JUNOS software release consists of the following software packages: ! jbaseAdditions to the operating system ! jkernelOperating system package ! jrouteSoftware that runs on the Routing Engine ! jpfeSoftware that runs on the Packet Forwarding Engine ! jdocsDocumentation for the software ! jcryptoSecurity software (in domestic software only) The packages are also grouped together in a bundle, which is called jbundle. Normally, you use the bundle to upgrade all of the software packages at the same time. You also can upgrade them individually. When upgrading to a new release, you must install the bundle; do not upgrade the packages individually. If you are upgrading to Release 5.0 from 4.x or downgrading from 5.0 to 4.x, use the jinstall package. Otherwise, use the jbundle package to upgrade to a new release. Downgrading from Release 5.0 to 4.x might require a two-step process. For more information, see Upgrade to Release 5.0 or Downgrade from Release 5.0 on page 73. To determine which packages are running on the router and to get information about these packages, use the show version command at the top level of the CLI. This chapter discusses the following topics: ! Upgrade All Software Packages on page 68 ! Upgrade Individual Software Packages on page 69
Upgrade Software Packages
67
Upgrade All Software Packages
Upgrade All Software Packages

To upgrade all software packages, follow these steps: 1. Download the software packages you need from the Juniper Networks Support Web site, http://www.juniper.net/support/. To download the software packages, you must have a service contract and an access account. If you need help obtaining an account, contact your Juniper Networks sales representative or send e-mail to [email protected]. We recommend that you upgrade all software packages out-of-band using the console or fxp0 interface because in-band connections can be lost during the upgrade process.
2.
Back up the currently running and active file system so that you can recover to a known, stable environment in case something goes wrong with the upgrade:
user@host> request system snapshot
The root file system is backed up to /altroot, and /config is backed up to /altconfig. The root and /config file systems are on the routers flash drive, and the /altroot and /altconfig file systems are on the routers hard drive. After you issue the request system snapshot command, you cannot return to the previous version of the software, because the running and backup copies of the software are identical.
3.
Copy each software package to the router. We recommend that you copy them to the /var/tmp directory, which is on the rotating medium (hard disk) and is a large file system.
user@host> file copy ftp://username:[email protected]/ filename /var/tmp/filename
68
Upgrade Individual Software Packages
4.
Delete the existing software packages and add the new ones:
user@host> request system software add /var/tmp/jbundle-package-name Installing package '/var/tmp/jbundle-package-name' ... Auto-deleting old jroute... Auto-deleting old jdocs... Auto-deleting old jpfe... Auto-deleting old jkernel... Adding JUNOS base software release-number... Adding jkernel... Adding jpfe... Adding jdocs... Adding jroute... NOTICE: uncommitted changes have been saved in /var/db/config/juniper.conf.pre-install Saving package file in /var/sw/pkg/jbundle-package-name ...
package-name is the full URL to the file. release-number is the major software release number; for example, 4.2R1. 5. Reboot the router to start the new software:
user@host> request system reboot
6.
After you have upgraded or downgraded the software and are satisfied that the new software is successfully running, issue the request system snapshot command to back up the new software: user@host> request system snapshot The root file system is backed up to /altroot, and /config is backed up to /altconfig. The root and /config file systems are on the routers flash drive, and the /altroot and /altconfig file systems are on the routers hard drive. After you issue the request system snapshot command, you cannot return to the previous version of the software, because the running and backup copies of the software are identical.

To upgrade an individual JUNOS software package, follow these steps: 1. Download the software packages you need from the Juniper Networks Support Web page, http://www.juniper.net/support/. To download the software packages, you must have a service contract and an access account. If you need help obtaining an account, contact your Juniper Networks sales representative or send e-mail to [email protected]. We recommend that you upgrade all individual software packages out-of-band using the console or fxp0 interface because in-band connections can be lost during the upgrade process.
69
2.
The root file system is backed up to /altroot, and /config is backed up to /altconfig. The root and /config file systems are on the routers flash drive, and the /altroot and /altconfig file systems are on the routers hard drive.
After you issue the request system snapshot command, you cannot return to the previous version of the software, because the running and backup copies of the software are identical.
3.
Copy each software package to the router. You might want to copy them to the /var/tmp directory, which is on the rotating media (hard disk) and is a large file system.
4.
Delete the old package and add the new package:

user@host> request system software add /var/tmp/package-name Checking available free disk space...11200k available, 6076k suggested.
package-name is the full URL to the file. The system might display the following message:
pkg_delete: couldnt entirely delete package
This message indicates that someone manually deleted or changed an item that was in a package. You do not need to take any action; the package is still properly deleted. If you are upgrading more than one package at the same time, add jbase first and the routing software package jroute last. If you are using this procedure to upgrade all packages at once, add them in the following order:
user@host> user@host> user@host> user@host> user@host> user@host> request request request request request request system system system system system system software software software software software software add add add add add add /var/tmp/jbase /var/tmp/jkernel /var/tmp/jpfe /var/tmp/jdocs /var/tmp/jroute /var/tmp/jcrypto
5.
Reboot the router to start the new software:

user@host> request system reboot
70
6.
After you have upgraded or downgraded the software and are satisfied that the new software is successfully running, issue the request system snapshot command to back up the new software.
After you issue the request system snapshot command, you cannot return to the previous version of the software, because the running and backup copies of the software are identical.
71
72
Chapter 8 Upgrade to Release 5.0 or Downgrade from Release 5.0

The procedure to upgrade to Release 5.0 from 4.x and downgrade from Release 5.0 to 4.x is the same. To upgrade to Release 5.0 from a 4.x Release, use the 5.0 jinstall package. To downgrade from Release 5.0 to 4.x, use the appropriate 4.x jinstall package. If you are upgrading to Release 5.0 from 4.x or downgrading from 5.0 to 4.x, use the jinstall package. If you are upgrading or downgrading from one 5.0 release to another 5.0 release, use the jbundle package. For example, to upgrade from Release 5.0B1 to 5.0B2, use the 5.0B2 jbundle package.
Downgrading from Release 5.0 to 4.x might require a two-step process, depending on the target release: 1. 2. Add the jinstall package for Release 4.x R1. If you need to upgrade from there to a maintenance release or daily, add the appropriate jbundle package. For example, to downgrade from Release 5.0 to Release 4.4 R2.3, add the jinstall package for 4.4 R1 and then the jbundle package for 4.4 R2.3.
To upgrade to or downgrade from Release 5.0, follow these steps: 1. Download the software packages you need from the Juniper Networks Support Web site, http://www.juniper.net/support/.
To download the software packages, you must have a service contract and an access account. If you need help obtaining an account, complete the registration form at the Juniper Networks web site, https://www.juniper.net/registration/Register.jsp. You can also call Juniper Networks support at 1-888-314-JTAC (from within the United States), 1-408-745-2121 (from outside the United States). We recommend that you upgrade and downgrade software packages out-of-band using the console or fxp0 interface because in-band connections can be lost during the downgrade or upgrade process.
Upgrade to Release 5.0 or Downgrade from Release 5.0
73
2.
After you issue this command, you cannot return to the previous version of the software, because the running and backup copies of the software are identical.
3.
Copy the jinstall package to the router. You might want to copy them to the /var/tmp directory, which is on the rotating media (hard disk) and is a large file system.
4.
Add the jinstall package:

user@host> request system software add /var/tmp/ jinstall-package-name Installing package '/var/tmp/jinstall-package-name'... WARNING: WARNING: WARNING: WARNING: WARNING: This package will load JUNOS software release-number. It will save JUNOS configuration files, log files, and SSH keys (if configured), but erase all other files and information stored on this machine. This is the pre-installation stage and all the software is loaded when you reboot the system.
Saving the config files ... Installing the bootstrap installer ... WARNING: WARNING: WARNING: WARNING: WARNING: A REBOOT IS REQUIRED TO LOAD THIS SOFTWARE CORRECTLY. Use the 'request system reboot' command when software installation is complete. To abort the installation, do not reboot your system, instead use the 'request system software delete jinstall' command as soon as this operation completes.
Saving package file in /var/sw/pkg/ jinstall-package-name ... Saving state for rollback ...
The installation process removes most stored files (except log, juniper.conf, and ssh files) on the router, such as configuration templates and shell scripts. To preserve these files, copy them to another system before upgrading or downgrading the software.
74
5.
Reboot the router to load the JUNOS software:

root@host>request system reboot Reboot the system ? [yes,no] (no) yes Shutdown NOW!
You must reboot to load the JUNOS software. To reboot, issue the request system reboot command when you are done installing the software. To abort the installation, do not reboot your system; instead, issue the request system software delete jinstall command when you are done installing the software.
All the software is loaded when you reboot the system. Installation can take between 5 and 10 minutes. The router then reboots from the primary boot device on which the software was just installed. When the reboot is complete, the router displays the login prompt. 6. Log in and verify the version of software running after the the router reboots. Issue the show log message or show version command. After you have upgraded or downgraded the software and are satisfied that the new software is successfully running, issue the request system snapshot command to back up the new software. The request system snapshot command causes the root file system to be backed up to /altroot, and /config to be backed up to /altconfig. The root and /config file systems are on the routers flash drive, and the /altroot and /altconfig file systems are on the routers hard drive. After you issue the request system snapshot command, you cannot return to the previous version of the software, because the running and backup copies of the software are identical.
7.
You cannot issue the request system software rollback command to return to the previously installed software after using a jinstall package. To return to the previously installed software, use the jinstall package that corresponds with the previously installed software.
Upgrade to Release 5.0 or Downgrade from Release 5.0
75
76

! Command-Line Interface Overview on page 79 ! Command-Line Interface Operational Mode on page 81 ! Configure the Router with the CLI on page 103 ! Configuration Groups on page 149 ! Summary of CLI Environment Commands on page 167 ! Control the CLI Environment on page 99 ! Summary of CLI Configuration Mode Commands on page 173 ! Summary of CLI Operational Mode Commands on page 183
77
78
Chapter 9 Command-Line Interface Overview

The command-line interface (CLI) is the interface to the software that you use whenever you access the routerwhether from the console or through a remote network connection. The CLI, which automatically starts after the router finishes booting, provides commands that you use to perform various tasks, including configuring the JUNOS software and monitoring and troubleshooting the software, network connectivity, and the router hardware. The CLI is a straightforward command interface. You type commands on a single line, and the commands are executed when you press the Enter key. The CLI provides command help and command completion, and it also provides Emacs-style keyboard sequences that allow you to move around on a command line and scroll through a buffer that contains recently executed commands. The CLI is indicated by the presence of the > prompt, which is preceded by a string that defaults to the name of the user and the name of the router. For example:
user@host>
For information about customizing your CLI session, see Configure the Router with the CLI on page 103.
CLI Modes
The CLI has two modes, operational and configuration. In operational mode, you monitor and troubleshoot the software, network connectivity, and the router by entering CLI commands. For more information on operational mode, see Command-Line Interface Operational Mode on page 81. When in configuration mode, you configure the JUNOS software by creating a hierarchy of configuration statements. You can do this by using the CLI or by creating a text (ASCII) file that contains the statement hierarchy. (The statement hierarchy is identical in both the CLI and text configuration file.) You can configure all properties of the JUNOS software, including interfaces, general routing information, routing protocols, and user access, as well as several system hardware properties. When you have finished entering the configuration statements, you commit them, which activates the configuration on the router. For more information about configuration mode, see Configure the Router with the CLI on page 103.
Command-Line Interface Overview
79
CLI Command Hierarchy
CLI Command Hierarchy

The CLI commands are organized in a hierarchical fashion, with commands that perform a similar function grouped together under the same level. For example, all commands that display information about the system and the system software are grouped under the show command, and all commands that display information about the routing table are grouped under the show route command. Figure 2 illustrates a portion of the show command hierarchy.
Figure 2: CLI Command Hierarchy Example
show
bgp
isis
ospf
route
system
.......
.......
brief
.......
exact protocol
.......
table terse
1411
To execute a command, you enter the full command name, starting at the top level of the hierarchy. For example, to display a brief view of the routes in the router table, use the command show route brief. The hierarchical organization results in commands that have a regular syntax and provides several features that simplify CLI use: ! Consistent command namesCommands that provide the same type of function have the same name, regardless of the portion of the software they are operating on. As examples, all show commands display software information and statistics, and all clear commands erase various types of system information. ! Lists and short descriptions of available commandsInformation about available commands is provided at each level of the CLI command hierarchy. If you type a question mark (?) at any level, you see a list of the available commands along with a short description of each command. This means that if you already are familiar with the JUNOS software or with other routing software, you can use many of the CLI commands without referring to the documentation. ! Command completionCommand completion for command names (keywords) and for command options is also available at each level of the hierarchy. If you type a partial command name followed immediately by a question mark (with no intervening space), you see a list of commands that match the partial name you typed.
80
Chapter 10 Command-Line Interface Operational Mode

When you log into the router and the CLI starts, you are at the top level of operational mode. At this level, there are a number of broad groups of CLI commands: ! Commands for controlling the CLI environmentThe commands in the set hierarchy configure the CLI display screen. For information about these commands, see Control the CLI Environment on page 99. ! Commands for monitoring and troubleshootingThe following commands let you display information and statistics about the software and test network connectivity. Using these commands is discussed in the JUNOS Internet Software Operational Mode Command Reference.
! !
clearClear statistics and protocol database information. monitorPerform real-time debugging of various software components, including the routing protocols and interfaces. pingDetermine the reachability of a remote network host. showDisplay the current configuration and information about interfaces, routing protocols, routing tables, routing policy filters, and the chassis. test Test the configuration and application of policy filters and AS path regular expressions. tracerouteTrace the route to a remote network host.
! !
! Commands for connecting to other network systemsThe ssh command opens secure shell connections, and the telnet command opens Telnet sessions to other hosts on the network. For information about these commands, see the JUNOS Internet Software Operational Mode Command Reference. ! Commands for copying filesThe file and copy commands copy files from one location on the router to another, from the router to a remote system, or from a remote system to the router. For information about these commands, see the JUNOS Internet Software Operational Mode Command Reference. ! Commands for restarting software processesThe commands in the restart hierarchy restart the various JUNOS software processes, including the routing protocol, interface, and SNMP. For information about these commands, see the JUNOS Internet Software Operational Mode Command Reference.
Command-Line Interface Operational Mode
81
Use the CLI
! A commandrequestfor performing system-level operations, including stopping and rebooting the router and loading JUNOS software images. For information about this command, see the JUNOS Internet Software Operational Mode Command Reference. ! A commandstartto exit the CLI and start a UNIX shell. For information about this command, see the JUNOS Internet Software Operational Mode Command Reference. ! A commandconfigurefor entering configuration mode, which provides a series of commands that configure the JUNOS software, including the routing protocols, interfaces, network management, and user access. For information about the CLI configuration commands, see Configure the Router with the CLI on page 103. ! A commandquitto exit the CLI. For information about this command, see the JUNOS Internet Software Operational Mode Command Reference. For more information about the CLI operational mode commands, see the JUNOS Internet Software Operational Mode Command Reference. This chapter discusses the following topics about the CLI: ! Use the CLI on page 82 ! Set the Current Date and Time on page 97 ! Display CLI Command History on page 97 ! Monitor Who Uses the CLI on page 98
Use the CLI

This section describes how to use the JUNOS software CLI. It discusses the following topics: ! Get Help About Commands on page 83 ! Have the CLI Complete Commands on page 84 ! CLI Messages on page 85 ! Move around and Edit the Command Line on page 86 ! How Output Appears on the Screen on page 87
82
Use the CLI
Get Help About Commands

The CLI provides context-sensitive help at every level of the command hierarchy. The help information tells you which commands are available at the current level in the hierarchy and provides a brief description of each. To get help while in the CLI, type ?. You do not need to press Enter after typing the question mark. ! If you type the question mark at the command-line prompt, the CLI lists the available commands and options. ! If you type the question mark after entering the complete name of a command or command option, the CLI lists the available commands and options, then redisplays the command names and options that you typed. ! If you type the question mark in the middle of a command name, the CLI lists possible command completions that match the letters you have entered so far, then redisplays the letters that you typed.
Examples: Get Help About Commands

List all available commands at the top level of the CLIs operational mode:
user@host> ? Possible completions: clear Clear information in the system configure Manipulate software configuration information file Perform file operations help Provide help information monitor Real-time debugging ping Ping a remote target quit Exit the management session request Make system-level requests restart Restart a software process set Set CLI properties, date, time, craft display text show Show information about the system ssh Open a secure shell to another host start Start a software process telnet Telnet to another host test Diagnostic debugging commands traceroute Trace the route to a remote host user@host>
List all commands that start with the letter c:

user@host> c? Possible completions: clear Clear information in the system configure Manipulate software configuration information user@host> c
83
Use the CLI
List all available clear commands:

user@host> clear ? Possible completions: arp Clear address-resolution information bgp Clear BGP information chassis Clear chassis information firewall Clear firewall counters igmp Clear IGMP information interfaces Clear interface information ilmi Clear ILMI statistics information isis Clear IS-IS information ldp Clear LDP information log Clear contents of a log file mpls Clear MPLS information msdp Clear MSDP information multicast Clear Multicast information ospf Clear OSPF information pim Clear PIM information rip Clear RIP information route Clear routing table information rsvp Clear RSVP information snmp Clear SNMP information system Clear system status vrrp Clear VRRP statistics information user@host> clear
Have the CLI Complete Commands

You do not always have to remember or type the full command or option name for the CLI to recognize it. To display all possible command or option completions, type the partial command followed immediately by a question mark. To complete a command or option that you have partially typed, press a tab or a space. If the partially typed letters begin a string that uniquely identifies a command, the complete command name appears. Otherwise, a beep indicates that you have entered an ambiguous command, and the possible completions are displayed. Command completion also applies to other strings, such as filenames and usernames. To display all possible values, type a partial string followed immediately by a question mark. However, to complete these strings, press a tab; pressing a space does not work.
84
Use the CLI
Examples: Use CLI Command Completion

Issue the show interfaces command:
user@host> sh<Space>ow i<Space> i is ambiguous. Possible completions: igmp Show information about IGMP interface Show interface information isis Show information about IS-IS user@host> show in<Space>terfaces <Enter> Physical interface: at-0/1/0, Enabled, Physical link is Up Interface index: 11, SNMP ifIndex: 65 Link-level type: ATM-PVC, MTU: 4482, Clocking: Internal, SONET mode Speed: OC12, Loopback: None, Payload scrambler: Enabled Device flags : Present Running Link flags : 0x01 ... user@host>
Display a list of all log files whose names start with the string messages, and then display the contents of one of the files:
user@myhost> show log mes? Possible completions: <filename> Log file to display messages Size: 1417052, Last changed: Mar 3 00:33 messages.0.gz Size: 145575, Last changed: Mar 3 00:00 messages.1.gz Size: 134253, Last changed: Mar 2 23:00 messages.10.gz Size: 137022, Last changed: Mar 2 14:00 messages.2.gr Size: 137112, Last changed: Mar 2 22:00 messages.3.gz Size: 121633, Last changed: Mar 2 21:00 messages.4.gz Size: 135715, Last changed: Mar 2 20:00 messages.5.gz Size: 137504, Last changed: Mar 2 19:00 messages.6.gz Size: 134591, Last changed: Mar 2 18:00 messages.7.gz Size: 132670, Last changed: Mar 2 17:00 messages.8.gz Size: 136596, Last changed: Mar 2 16:00 messages.9.gz Size: 136210, Last changed: Mar 2 15:00 user@myhost> show log mes<Tab>sages.4<Tab>.gz<Enter> Jan 15 21:00:00 myhost newsyslog[1381]: logfile turned over ...
CLI Messages
Messages appear when you enter and exit from configuration mode, when you commit a configuration, and when you type a string or value that is not valid. When you commit a configuration, the JUNOS software checks the configuration you are committing. If there are no problems, a message indicates that the configuration was accepted. If there are problems, a message indicates where the errors are.
85
Use the CLI
In the top-level CLI commands and in configuration mode, if you type an invalid stringfor example, the name of a command or statement that does not existyou see the message syntax error or unknown command. A caret (^) indicates where the error is. Examples:
user@host> clear route ^ syntax error, expecting <command>. [edit] user@host# telnet ^ unknown command.
When the number of choices is limited, a message might display the commands you can enter to correct the syntax error. For example,
[edit] user@host# load myconfig-file<Enter> ^ syntax error, expecting merge, override, or replace.
Move around and Edit the Command Line

In the CLI, you can use keyboard sequences to move around on a command line and edit the command line. You can also use keyboard sequences to scroll through a list of recently executed commands. Table 2 lists some of the CLI keyboard sequences. They are the same as those used in Emacs.
Table 2: CLI Keyboard Sequences

Category
Move the Cursor
Action
Move the cursor back one character. Move the cursor back one word. Move the cursor forward one character. Move the cursor forward one word. Move the cursor to the beginning of the command line. Move the cursor to the end of the command line.
Keyboard Sequence
Ctrl-b Esc-b or Alt-b Ctrl-f Esc-f or Alt-f Ctrl-a Ctrl-e Ctrl-h, Delete, or Backspace Ctrl-d Ctrl-k Ctrl-u or Ctrl-x Ctrl-w, Esc-Backspace, or Alt-Backspace Esc-d or Alt-d Ctrl-y
Delete Characters
Delete the character before the cursor. Delete the character at the cursor. Delete all characters from the cursor to the end of the command line. Delete all characters on the command line. Delete the word before the cursor. Delete the word after the cursor.
Insert Recently Deleted Text
Insert the most recently deleted text at the cursor.
86
Use the CLI
Category
Redraw the Screen Display Previous Command Lines
Action
Redraw the current line. Scroll backward through the list of recently executed commands. Scroll forward through the list of recently executed commands. Search the CLI history in reverse order for lines matching the search string. Search the CLI history by typing some text at the prompt, followed by the keyboard sequence. The CLI attempts to expand the text into the most recent word in the history for which the text is a prefix.
Keyboard Sequence
Ctrl-l Ctrl-p Ctrl-n Ctrl-r Esc-/
Repeat Keyboard Sequences
Specify the number of times to execute a keyboard sequence. number can be from 1 through 9.
Esc-number sequence or Alt-number sequence
How Output Appears on the Screen

When you issue commands in operational mode, or when you issue the show command in configuration mode, the output appears on the screen. You can also filter the output of commands, either to perform simple commands on the output or to place the output into a file.
Display Output One Screen at a Time

If the output is longer than the screen length, it appears one screen at a time using a UNIX more-type interface. The prompt ---More--- indicates that more output is available. Table 3 lists the keyboard sequences you can use at the ---More--- prompt. As soon as the CLI knows how long the output is (usually by the second screen), it displays the percentage of the command output above the prompt.
Table 3: ---More--- Prompt Keyboard Sequences

Category
Get Help
Action
Display information about the keyboard sequences you can display at the ---More--prompt. Scroll down one line. Scroll down one-half screen. Scroll down one whole screen. Scroll down to the bottom of the output. Display the output all at once instead of one screen at a time. (Same as specifying the | no-more command.)
Keyboard Sequence
h
Scroll Down
Enter, Return, k, Ctrl-m, Ctrl-n, or down arrow Tab, d, Ctrl-d, or Ctrl-x Space or Ctrl-f Ctrl-e or G N
Scroll Up
Display the previous line of output. Scroll up one-half screen. Scroll up one whole screen. Scroll up to the top of the output.
j, Ctrl-h, Ctrl-p, or up arrow u or Ctrl-u b or Ctrl-b Ctrl-a or g
87
Use the CLI
Category
Search
Action
Search forward for a string. Search backward for a string. Repeat the previous search for a string. Search for a text string. You are prompted for the string to match. (Same as specifying the | match string command.) Search, ignoring a text string. You are prompted for the string to not match. (Same as specifying the | except string command.)
Keyboard Sequence
/string ?string n m or M
e or E
Interrupt or End Output, Redraw the Output, and Save the Output to a File
Interrupt the display of output. Do not redisplay the CLI prompt immediately after displaying the output, but remain at the ---More--- prompt. (Same as specifying the | hold command.) Clear any match conditions and display the complete output. Redraw the output on the screen. Save the command output to a file. You are prompted for a filename. (Same as specifying the | save filename command.)
Ctrl-C, q, Q, or Ctrl-k H
c or C Ctrl-l s or S
Filter Command Output

For operational and configuration commands that display output, such as the show commands, you can filter the output. When you display help about these commands, one of the options listed is |, called a pipe, which allows you to filter the command output. For example:
user@host> show configuration ? Possible completions: <[Enter]> Execute this command | Pipe through a command user@host> show configuration | ? Possible completions: count Count occurrences except Show only text that does not match a pattern find Search for the first occurrence of a pattern hold Hold text without exiting the ---(More)--- prompt match Show only text that matches a pattern no-more Don't paginate output resolve Resolve IP addresses save Save output text to a file trim Trim specified number of columns from the start line
88
Use the CLI
In configuration mode, two additional filters appear, display and compare:

[edit] user@host # show | ? Possible completions: compare Compare configuration changes with a prior version count Count occurrences display Display additional configuration information except Show only text that does not match a pattern find Search for the first occurrence of a pattern hold Hold text without exiting the ----More--- prompt match Show only text that matches a pattern no-more Don't paginate output resolve Resolve IP addresses save Save output text to a file trim Trim specified number of columns from the start line
The following filtering operations are available: ! Place Command Output in a File on page 89 ! Search for a String in the Output on page 90 ! Compare Configuration Changes with a Prior Version on page 92 ! Count the Number of Lines in the Output on page 94 ! Display All Output at Once on page 94 ! Retain the Output after the Last Screen on page 94 ! Display Additional Information about the Configuration on page 94 ! Filter Command Output Multiple Times on page 97
Place Command Output in a File

When the output is very long, when you need to store or analyze the output, or when you need to email or FTP the output, you can place the output of a command into a file. Doing this is useful when the output scrolls off the screen, making it difficult to cut the output from a window and paste it into another. To save the output to a file, specify the save command after the pipe:
user@host> command | save filename
By default, the file is placed in your home directory on the router. For information about how you can specify the name of the file, see How to Specify Filenames and URLs on page 192. This example stores the output of the request support information command in a file:
user@host> request support information | save filename Wrote 1143 lines of output to filename user@host>
89
Use the CLI
Search for a String in the Output

You can search for text matching a regular expression by filtering output. You can make a regular expression match everything except a regular expression, or find the first occurrence of text matching a regular expression. Searches are not case-sensitive. To match a regular expression, specify the match command after the pipe:
user@host> command | match regular-expression
To ignore text that matches a regular expression, specify the except command after the pipe:
user@host> command | except regular-expression
If the regular-expression contains any spaces, operators, or wildcard characters, enclose it in quotation marks. You use extended regular expressions to specify what text in the output to match. Command regular expressions implement the extended (modern) regular expressions as defined in POSIX 1003.2. Table 4 lists common regular expression operators.
Table 4: Common Regular Expression Operators

Operator
| ^ $
Match...
One of the two terms on either side of the pipe. At the beginning of an expression, used to denote where the command begins, where there might be some ambiguity. Character at the end of a command. Used to denote a command that must be matched exactly up to that point. For example, allow-commands show interfaces $ means that the user cannot issue show interfaces detail or show interfaces extensive. Range of letters or digits. To separate the start and end of a range, use a hyphen ( - ). A group of commands, indicating an expression to be evaluated; the result is then evaluated as part of the overall expression.
[] ()
For example, if a command produces the following output:

one two two two three two one four
The match two command displays:

one two two two three two one
The except one command displays:

two two four
90
Use the CLI
List all the ATM interfaces in the configuration:

user@host> show configuration | match atat-2/1/0 { at-2/1/1 { at-2/2/0 { at-5/2/0 { at-5/3/0 {
Display a skeleton of your router configuration:

[edit] user@host # show | match { system { root-authentication { name-server { login { class superuser { user juniper { authentication { services { syslog { file messages { processes { chassis { alarm { sonet { images { scb { fpc { interfaces { at-2/1/1 { atm-options { unit 0 { at-2/2/0 { ... snmp { community public { clients { routing-options { static { route 0.0.0.0/0 { route 192.168.0.0/16 { route 208.197.169.0/24 { protocols { rsvp { interface so-5/1/0 { mpls { interface so-5/1/0 { bgp { group internal { ospf { area 0.0.0.0 { interface so-5/1/0 {
List all users who are logged into the router except for the user root:
user@host> show system users | except root 8:28PM up 1 day, 13:59, 2 users, load averages: 0.01, 0.01, 0.00 USER TTY FROM LOGIN@ IDLE WHAT sheep p0 baa.juniper.net 7:25PM - cli
91
Use the CLI
Save the configuration, except for encrypted passwords, to a file:

user@host> show configuration | except SECRET-DATA | save my.output.file
Display the output, starting not at the beginning but rather at the first occurrence of text matching a regular expression, using the find command after the pipe:
user@host> command | find regular-expression
If the regular expression contains spaces, operators, or wildcard characters, enclose the expression in quotation marks. List the routes in the routing table starting at 208.197.169.0:
user@host> show route | find 208.197.169.0 208.197.169.0/24 *[Static/5] 1d 13:22:11 > to 192.168.4.254 via so-3/0/0.0 224.0.0.5/32 *[OSPF/10] 1d 13:22:12, metric 1 iso.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 47.0005.80ff.f800.0000.0108.0001.1921.6800.4015.00/160 *[Direct/0] 1d 13:22:12 > via lo0.0
Compare Configuration Changes with a Prior Version

In configuration mode only, when you have made changes to the configuration and want to compare the candidate configuration with a prior version, you can use the compare command to display the configuration. The compare command compares the candidate configuration with either the current committed configuration or a configuration file and displays the differences between the two configurations. To compare configurations, specify the compare command after the pipe:
[edit] user@host# show | compare [filename | rollback n ]
filename is the full path to a configuration file. The file must be in the proper format, a hierarchy of statements. For information about how to save a configuration to a file, see Save a Configuration to a File on page 131. For information about formatting the hierarchy of statements, see Configuration Statement Hierarchy on page 104. n is the index into the list of previously committed configurations. The most recently saved configuration is number 0, and the oldest saved configuration is number 9. If you do not specify arguments, the candidate configuration is compared against the active configuration file (/config/juniper.conf). The comparison output uses the following conventions: ! Statements that are only in the candidate configuration are prefixed with a plus sign (+). ! Statements that are only in the comparison file are prefixed with a minus sign (). ! Statements that are unchanged are prefixed with a single blank space ( ).
92
Use the CLI
The following example shows various changes, then a comparison of the candidate configuration with the active configuration, showing only the changes made at the [edit protocols bgp] hierarchy level.
[edit] user@host# edit protocols bgp [edit protocols bgp] user@host# show group "my group" { type internal; hold-time 60; advertise-inactive; allow 1.1.1.1/32; } group fred { allow 2.2.2.2/32; } group "test peers" { type external; allow 3.3.3.3/32; } [edit protocols bgp] user@host# set group "my group" hold-time 90 [edit protocols bgp] user@host# delete group "my group" advertise-inactive [edit protocols bgp] user@host# set group fred advertise-inactive [edit protocols bgp] user@host# delete group "test peers" [edit protocols bgp] user@host# show | compare group "my group" { type internal; - hold-time 60; + hold-time 90; - advertise-inactive; allow 1.1.1.1/32; } group fred { + advertise-inactive; allow 2.2.2.2/32; } -group "test peers" { - type external; - allow 3.3.3.3/32; -} [edit protocols bgp] user@host# show group "my group" { type internal; hold-time 90; allow 1.1.1.1/32; } group fred { advertise-inactive; allow 2.2.2.2/32; }
To show only the changes between the two configurations, use a match command:
user@host# show | compare | match "^[+-]"
93
Use the CLI
Count the Number of Lines in the Output

To count the number of lines in the output, specify the count command after the pipe:
user@host> command | count
For example:
user@host> show configuration | count Count: 269 lines user@host> show route | count Count: 67 lines
Display All Output at Once

To display the output all at once instead of one screen at a time, specify the no-more command after the pipe. This command is equivalent to the set cli screen-length 0 command, but affects the output of the one command only.
user@host> command | no-more
Retain the Output after the Last Screen

When you view output one screen at a time, you typically return to the CLI prompt after viewing the last screen. To not return immediately, use the hold command after the pipe. This feature is useful, for example, when you want to scroll or search through the output.
user@host> command | hold
Display Additional Information about the Configuration

In configuration mode only, to display additional information about the configuration, use the display detail command after the pipe in conjunction with a show command. The additional information includes the help string that explains each configuration statement and the permission bits required to add and modify the configuration statement.
user@host> show <hierarchy-level> | display detail
For example:
[edit] user@host> show | display detail ## ## version: Software version information ## require: system ## version "3.4R1 [tlim]";
94
Use the CLI
system { ## ## host-name: Host name for this router ## match: ^[[:alnum:]._-]+$ ## require: system ## host-name router-name; ## ## domain-name: Domain name for this router ## match: ^[[:alnum:]._-]+$ ## require: system ## domain-name isp.net; ## ## backup-router: Address of router to use while booting ## backup-router 192.168.100.1; root-authentication { ## ## encrypted-password: Crypted password string ## encrypted-password "$1$BYJQE$/ocQof8pmcm7MSGK0"; # SECRET-DATA } ## ## name-server: DNS name servers ## require: system ## name-server { ## ## name-server: DNS name server address ## 208.197.1.0; } login { ## ## class: User name (login) ## match: ^[[:alnum:]_-]+$ ## class superuser { ## ## permissions: Set of permitted operation categories ## permissions all; } ... ## ## services: System services ## require: system ## services { ## services: Service name ## ftp; ## ## services: Service name ## telnet; ## }
95
Use the CLI
syslog { ## ## file-name: File to record logging data ## file messages { ## ## Facility type ## Level name ## any notice; ## ## Facility type ## Level name ## authorization info; } } } chassis { alarm { sonet { ## ## lol: Loss of light ## alias: loss-of-light ## lol red; } } } } interfaces { ## ## Interface name ## at-2/1/1 { atm-options { ## ## vpi: Virtual path index ## range: 0 .. 255 ## maximum-vcs: Maximum number of virtual circuits on this VP ## vpi 0 maximum-vcs 512; } ## ## unit: Logical unit number ## range: 0 .. 16384 ## unit 0 { ## ## vci: ATM point-to-point virtual circuit identifier ([vpi.]vci) ## match: ^([[:digit:]]+.){0,1}[[:digit:]]+$ ## vci 0.128; } } ...
96
Set the Current Date and Time
Filter Command Output Multiple Times

For the output of a single command, you can filter the output one or more times. For example:
user@host> command | match regular-expression | except regular-expression | match other-regular-expression | find regular-expression | hold
Set the Current Date and Time

To set the current date and time on the router, use the set date command:
user@host> set date YYYYMMDDhhmm.ss
YYYY is the four-digit year, MM is the two-digit month, DD is the two-digit date, hh is the two-digit hour, mm is the two-digit minute, and ss is the two-digit second. At a minimum, you must specify the two-digit minute. All other parts of the date and time are optional. To set the time zone, see Set the Time Zone on page 223. To configure time synchronization, see Configure the Network Time Protocol on page 224.
Display CLI Command History

You can display a list of recent commands that you issued. To display the command history, use the show cli history command:
user@host> show cli history 03-03 01:00:50 -- show cli history 03-03 01:01:12 -- show interfaces terse 03-03 01:01:22 -- show interfaces lo0 03-03 01:01:44 -- show bgp next-hop-database 03-03 01:01:51 -- show cli history
By default, this command displays the last 100 commands issued in the CLI. If you specify a number with the command, it displays that number of recent commands. For example:
user@host> show cli history 3 01:01:44 -- show bgp next-hop-database 01:01:51 -- show cli history 01:02:51 -- show cli history 3
97
Monitor Who Uses the CLI
Monitor Who Uses the CLI

Depending upon how you configure the JUNOS software, multiple users can log in to the router, use the CLI, and configure or modify the software configuration. The JUNOS software provides a general syslog-like mechanism to log system operations, such as when users log in to the router and when they issue CLI commands. To configure system logging, include the syslog statement in the configuration, as described in the section Configure System Logging on page 229. If, when you enter configuration mode, another user is also in configuration mode, a notification message is displayed that indicates who the user is and what portion of the configuration they are viewing or editing:
user@host> configure Entering configuration mode Current configuration users: root terminal p3 (pid 1088) on since 1999-05-13 01:03:27 EDT [edit interfaces so-3/0/0 unit 0 family inet] The configuration has been changed but not committed
98
Chapter 11 Control the CLI Environment

To configure the command-line interface (CLI) environment, use the operational-mode CLI set command:
user@host> set cli ? Possible completions: complete-on-space idle-timeout prompt restart-on-upgrade screen-length screen-width terminal
Toggle word completion on space Set the cli maximum idle time Set the cli command prompt string Set cli to prompt for restart after a software upgrade Set number of lines on screen Set number of characters on a line Set terminal type
When you log into the router using ssh, or log in from the console when its terminal type is already configured (as described in Configure Console and Auxiliary Port Properties on page 235), your terminal type, screen length, and screen width are already set, so you do not need to change them from the CLI.
Set the Terminal Type

To set the terminal type, use the set cli terminal command:
user@host> set cli terminal terminal-type
The terminal-type can be one of the following: ansi, vt100, small-xterm, or xterm.
Set the Screen Length

The default CLI screen length is 24 lines. To change the length, use the set cli screen-length command:
user@host> set cli screen-length length
Setting the screen length to 0 lines disables the display of output one screen at a time. Disabling this UNIX more-type interface can be useful when you are issuing CLI commands from scripts.
Control the CLI Environment
99
Set the Screen Width
Set the Screen Width

The default CLI screen width is 80 columns. To change the width, use the set cli screen-width command:
user@host> set cli screen-width width
Set the CLI Prompt

The default CLI prompt is user@host>. To change this, use the set cli prompt command. If the prompt string contains spaces, enclose the string in quotation marks (" ").
user@host> set cli prompt string
Set the Idle Timeout

By default, an individual CLI session never times out after extended times, unless the idle-timeout statement has been included in the users login class configuration. To set the maximum time an individual session can be idle before the user is logged off the router, use the set cli idle-timeout command:
user@host> set cli idle-timeout timeout
timeout can be 0 to 100,000 minutes. Setting timeout to 0 disables the timeout.
Set CLI to Prompt after a Software Upgrade

By default, the CLI prompts you to restart after a software upgrade. To disable the prompt for an individual session, use the set cli restart-on-upgrade off command:
user@host> set cli restart-on-upgrade off
To re-enable the prompt, use the set cli restart-on-upgrade on command:

user@host> set cli restart-on-upgrade on
Set Command Completion

By default, you can type a space or tab to have the CLI complete a command. To have the CLI allow only a tab to complete a command, use the set cli complete-on-space off command:
user@host> set cli complete-on-space off Disabling complete-on-space user@host>
To re-enable the use of both space and tab characters for command completion, use the set cli complete-on-space on command:
user@host> set cli complete-on-space on Enabling complete-on-space user@host>
100
Display CLI Settings
Display CLI Settings

To display the current CLI settings, use the show cli command:
user@host> show cli CLI screen length set to 24 CLI screen width set to 80 CLI complete-on-space set to on
Example: Control the CLI Environment

Change the default CLI environment:
user@host> set cli screen-length 66 Screen length set to 66 user@host> set cli screen-width 40 Screen width set to 40 user@host> set cli prompt router1-san-jose > router1-san-jose > show cli CLI complete-on-space set to on CLI idle-timeout disabled CLI restart-on-upgrade set to on CLI screen length set to 66 CLI screen width set to 40 CLI terminal is xterm router1-san-jose >

Control the CLI Environment
101
Example: Control the CLI Environment
102
Chapter 12 Configure the Router with the CLI

To configure the router, including the routing protocols, the router interfaces, network management, and user access, you must enter a separate mode, called configuration mode, by issuing the configure operational mode command. In configuration mode, the CLI provides commands to configure the router, load a text (ASCII) file that contains the router configuration, activate a configuration, and save the configuration to a text file. This chapter discusses the following topics: ! Configuration Statement Hierarchy on page 104 ! How the Configuration Is Stored on page 106 ! Enter Configuration Mode on page 107 ! Configuration Mode Prompt on page 109 ! Configuration Mode Banner on page 109 ! Configuration Statements and Identifiers on page 109 ! Get Help about Configuration Mode Commands, Statements, and Identifiers on page 111 ! Create and Modify the Configuration on page 114 ! Move among Levels of the Hierarchy on page 117 ! Exit Configuration Mode on page 119 ! Display the Current Configuration on page 120 ! Display Users Currently Editing the Configuration on page 121 ! Remove a Statement from the Configuration on page 122 ! Copy a Statement in the Configuration on page 123 ! Rename an Identifier on page 124 ! Insert a New Identifier on page 125 ! Run an Operational Mode CLI Command from Configuration Mode on page 127
Configure the Router with the CLI
103
Configuration Statement Hierarchy
! Display Configuration Mode Command History on page 128 ! Verify a Configuration on page 128 ! Commit a Configuration on page 128 ! Save a Configuration to a File on page 131 ! Load a Configuration on page 131 ! Return to a Previously Committed Configuration on page 134 ! Configuration Mode Error Messages on page 135 ! Deactivate and Reactivate Statements and Identifiers in a Configuration on page 136 ! Add Comments in a Configuration on page 137 ! Have Multiple Users Configure the Software on page 139 ! Walk-through Example: Using the CLI to Configure the Router on page 140 ! Additional Details about Specifying Statements and Identifiers on page 145 For information about the configuration statements to use to configure particular system functionality, see the chapter about that feature.

The JUNOS software configuration consists of a hierarchy of statements. There are two types of statements: container statements, which are statements that contain other statements, and leaf statements, which do not contain other statements. All the container and leaf statements together form the configuration hierarchy. Each statement at the top level of the configuration hierarchy resides at the trunk (or root level) of a hierarchy tree. The top-level statements are container statements, containing other statements that form the tree branches. The leaf statements are the leaves of the hierarchy tree. An individual hierarchy of statements, which starts at the trunk of the hierarchy tree, is called a statement path. Figure 3 illustrates the hierarchy tree, showing a statement path for the portion of the protocol configuration hierarchy that configures the hello interval on an interface in an OSPF area. The protocols statement is a top-level statement at the trunk of the configuration tree. The ospf, area, and interface statements are all subordinate container statements of a higher statement (they are branches of the hierarchy tree), and the hello-interval statement is a leaf on the tree, which, in this case, contains a data value, the length of the hello interval in seconds.
104
Figure 3: Configuration Mode Hierarchy of Statements
Trunk of hierarchy tree (Top-level statements) Protocols bgp dvmrp icmp igmp isis mpis ospf rip router-discovery rsvp sap
Branches of hierarchy tree (Container statements)
Tree leaves (Leaf statements)
dead-interval hello-interval interface-type area-range area traceoptions interface stub virtual-link metric mtu poll-interval priority retransmit-interval transit-delay transmit-interval
1412
The CLI represents the statement path shown in Figure 3 as [protocols ospf area area-number interface interface-name ], and it displays the configuration as follows:
protocols { ospf { area 0.0.0.0 { interface so-0/0/0 { hello-interval 5; } interface so-0/0/1 { hello-interval 5; } } } }
The CLI indents each level in the hierarchy to indicate each statements relative position in the hierarchy and generally sets off each level with braces, using an open brace at the beginning of each hierarchy level and a closing brace at the end. If the statement at a hierarchy level is empty, the braces are not printed. Each leaf statement ends with a semicolon. If the hierarchy does not extend as far as a leaf statement, the last statement in the hierarchy ends with a semicolon. The CLI uses this indented representation when it displays the current system configuration, and you use this format when creating ASCII files that contain the software configuration. However, the format of ASCII configuration files is not as strict as the CLI output of the configuration. Although the braces and semicolons are required, the indention and use of new lines, as shown above, are not required in ASCII configuration files.
105
How the Configuration Is Stored
How the Configuration Is Stored

When you edit a configuration, you work in a copy of the current configuration to create a candidate configuration. The changes you make to the candidate configuration are visible in the CLI immediately, so if multiple users are editing the configuration at the same time, all users can see all changes. To have a candidate configuration take effect, you commit the changes. At this point, the candidate file is checked for proper syntax, activated, and marked as the current, operational software configuration file. If multiple users are editing the configuration, when you commit the candidate configuration, all changes made by all the users take effect. In addition to saving the current configuration, the CLI saves the current operational version and the previous nine versions of committed configurations. The most recently committed configuration is version 0 (the current operational version, which is the default configuration that the system returns to if you roll back to a previous configuration), and the oldest saved configuration is version 9. The currently operational JUNOS software configuration is stored in the file juniper.conf, and the last three committed configurations are stored in the files juniper.conf.1, juniper.conf.2, and juniper.conf.3. These four files are located in the directory /config, which is on the routers flash drive. The remaining six previous versions of committed configurations, the files juniper.conf.4 through juniper.conf.9, are stored in the directory /var/db/config on the hard disk. Figure 4 illustrates the various states of router configuration and the configuration mode commands that you use to act upon the configuration.
Figure 4: Commands for Storing and Modifying the Router Configuration
commit confirmed load Configuration in text file copy, save Candidate configuration commit rollback Nine previous configurations
Interim configuration 10 minutes without committing Active configuration
106
1413
Enter Configuration Mode

You enter configuration mode by entering the configure operational mode command. The following configuration mode commands are available:
user@host> configure entering configuration mode [edit] user@host# ? Possible completions: <[Enter]> Execute this command activate Remove the inactive tag from a statement annotate Annotate the statement with a comment commit Commit current set of changes copy Copy a statement deactivate Add the inactive tag to a statement delete Delete a data element edit Edit a sub-element exit Exit from this level help Provide help information insert Insert a new ordered data element load Load configuration from an ASCII file quit Quit from this level rename Rename a statement rollback Roll back database to last committed version run Run an operational-mode command save Save configuration to an ASCII file set Set a parameter show Show a parameter status Display database user status top Exit to top level of configuration up Exit one level of configuration
The access privilege level required to enter configuration mode is controlled by the configure permission bit. Users for whom this permission bit is not set do not see the configure command as a possible completion when they enter a ? in operational mode, and they cannot enter configuration mode. Users for whom this bit is set do see this command and can enter configuration mode. When in configuration mode, a user can view and modify only those statements for which they have access privileges set. For more information, see Configure Access Privilege Levels on page 216. You can enter configuration mode with either the configure command or the configure exclusive command. The configure exclusive command gives you sole access to the configuration database, locking out all other users.
107
Using the Configure Command

If you and other users enter configuration mode with the configure command, everyone can make configuration changes and commit all changes made to the configuration. This means that if you and another user have made configuration changes and the other user commits, the changes you made are committed as well. That is, no one has a lockout on the configuration file. If, when you enter configuration mode, another user is also in configuration mode, a message indicates who the user is and what portion of the configuration the user is viewing or editing:
user@host> configure Entering configuration mode Current configuration users: root terminal p3 (pid 1088) on since 1999-05-13 01:03:27 EDT [edit interfaces so-3/0/0 unit 0 family inet] The configuration has been changed but not committed [edit] user@host>
If, when you enter configuration mode, the configuration contains changes that have not been committed, a message appears:
user@host> configure Entering configuration mode The configuration has been changed but not committed [edit] user@host>
If, while in configuration mode, you try to make a change while the configuration is locked by another user, a message indicates that the configuration database is locked, who the user is, and what portion of the configuration the user is viewing or editing:
user@host# set system host-name ipswitch error: configuration database locked by: user2 terminal d0 (pid 1828) on since 19:47:58 EDT, idle 00:02:11 exclusive [edit protocols]
Using the Configure Exclusive Command

If you enter configuration mode with the configure exclusive command, you lock the candidate configuration for as long as you remain in configuration mode, allowing you to make changes without interference from other users. Other users can enter and exit configuration mode, but they cannot change the configuration. If another user has locked the configuration, and you need to forcibly log them out, enter the operational mode command request system logout user. If, when you enter configuration mode, another user is also in configuration mode, and has the configuration locked, a message indicates who the user is and what portion of the configuration the user is viewing or editing:
user@host> configure Entering configuration mode Users currently editing the configuration: root terminal p3 (pid 1088) on since 2000-10-30 19:47:58 EDT, idle 00:00:44 exclusive [edit interfaces so-3/0/0 unit 0 family inet]
108
Configuration Mode Prompt
Configuration Mode Prompt

In configuration mode, the prompt changes from a > to a #. For example:
user@host> configure entering configuration mode [edit] user@host#
Configuration Mode Banner

The portion of the prompt in braces, [edit], is a banner. The banner indicates that you are in configuration mode and shows your location in the statement hierarchy. When you first enter configuration mode, you always are at the top level of the hierarchy, which is indicated by the [edit] banner. For example:
user@host> configure entering configuration mode [edit] <----------------------------------------------------------------- Top-level banner user@host# edit protocols bgp [edit protocols bgp] <----------------------------------------- Banner at the "protocols bgp" hierarchy level user@host#
Configuration Statements and Identifiers

You configure all router properties by including statements in the configuration. A statement consists of a keyword, which is fixed text, and, optionally, an identifier. An identifier is an identifying name that you define, such as the name of an interface or a user name, and that allows you and the CLI to discriminate among a collection of statements. The following list shows the statements available at the top level of configuration mode (that is, the trunk of the hierarchy tree). Table 5 on page 110 describes each statement.
user@host# set ? Possible completions: > accounting-options + apply-groups > chassis > class-of-service > firewall > forwarding-options > groups > interfaces > policy-options > protocols > routing-instances > routing-options > snmp > system
Accounting data configuration Groups from which to inherit configuration data Chassis configuration Class-of-service configuration Define a firewall configuration Configure options to control packet sampling Configuration groups Interface configuration Routing policy option configuration Routing protocol configuration Routing instance configuration Protocol-independent routing option configuration Simple Network Management Protocol System parameters
An angle bracket ( > ) before the statement name indicates that it is a container statement and that you can define other statements at levels below it. If there is no angle bracket ( > ) before the statement name, the statement is a leaf statement; you cannot define other statements at hierarchy levels below it.
109
Configuration Statements and Identifiers
A plus sign (+) before the statement name indicates that it can contain a set of values. To specify a set, include the values in brackets. For example:
[edit] user@host# set policy-options community my-as1-transit members [65535:10 65535:11]
In some statements, you can include an identifier. For some identifiers, such as interface names, you must specify the identifier in a precise format. For example, the interface name so-0/0/0 refers to a SONET/SDH interface that is on the FPC in slot 0, in the first PIC location, and in the first port on the PIC. For other identifiers, such as interface descriptive text and policy and firewall term names, you can specify any names, including any characters. You must enclose in quotation marks (double quotes) identifiers and any strings that include the following characters: space tab ( ) [ ] { } ! @ # $ % ^ & | = ?
Table 5: Configuration Mode Top-Level Statements

Statement
accounting-options
Description
Configure accounting statistics data collection for interfaces and firewall filters. For information about the statements in this hierarchy, see the JUNOS Internet Software Configuration Guide: Network Management. Configure properties of the router chassis, including the clock source, conditions that activate alarms, and SONET/SDH framing and concatenation properties. For information about the statements in this hierarchy, see the JUNOS Internet Software Configuration Guide: Interfaces, Class of Service, and Firewalls. Configure class-of-service parameters. For information about the statements in this hierarchy, see the JUNOS Internet Software Configuration Guide: Interfaces, Class of Service, and Firewalls. Define filters that select packets based on their contents. For information about the statements in this hierarchy, see the JUNOS Internet Software Configuration Guide: Interfaces, Class of Service, and Firewalls. Define forwarding options, including traffic sampling options. For information about the statements in this hierarchy, see the JUNOS Internet Software Configuration Guide: Interfaces, Class of Service, and Firewalls. Configure configuration groups. For information about statements in this hierarchy, see Configuration Groups on page 149. Configure interface information, such as encapsulation, interfaces, VCIs, and DLCIs. For information about the statements in this hierarchy, see the JUNOS Internet Software Configuration Guide: Interfaces, Class of Service, and Firewalls. Define routing policies, which allow you to filter and set properties in incoming and outgoing routes. For information about the statements in this hierarchy, see the JUNOS Internet Software Configuration Guide: Routing and Routing Protocols. Configure routing protocols, including BGP, IS-IS, OSPF, RIP, MPLS, LDP, and RSVP. For information about the statements in this hierarchy, see the chapters that discuss how to configure the individual routing protocols in the JUNOS Internet Software Configuration Guide: Routing and Routing Protocols and the JUNOS Internet Software Configuration Guide: MPLS Applications.
chassis
class-of-service firewall
forwarding-options
groups interfaces
policy-options
protocols
110
Get Help about Configuration Mode Commands, Statements, and Identifiers
Statement
routing-instances routing-options
Description
Configure multiple routing instances. For information about the statements in this hierarchy, see the JUNOS Internet Software Configuration Guide: Routing and Routing Protocols. Configure protocol-independent routing options, such as static routes, autonomous system numbers, confederation members, and global tracing (debugging) operations to log. For information about the statements in this hierarchy, see the JUNOS Internet Software Configuration Guide: Routing and Routing Protocols. Configure SNMP community strings, interfaces, traps, and notifications. For information about the statements in this hierarchy, see JUNOS Internet Software Configuration Guide: Network Management. Configure systemwide properties, including the host name, domain name, DNS name server, user logins and permissions, mappings between host names and addresses, and software processes. For information about the statements in this hierarchy, see System Management Configuration Statements on page 197.
snmp
system

Configuration mode provides two different types of help: ! Use Command Completion in Configuration Mode on page 111 ! Get Help Based on a String in a Statement Name on page 113
Use Command Completion in Configuration Mode

The CLI command completion functions described in the section Have the CLI Complete Commands on page 84, which refer to operational mode commands, also apply to the commands in configuration mode and to configuration statements. Specifically, to display all possible commands or statements, type the partial string followed immediately by a question mark, and to complete a command or statement that you have partially typed, press a tab or space. Command completion also applies to identifiers, with one slight difference. To display all possible identifiers, type a partial string followed immediately by a question mark. However, to complete an identifier, you must press tab. This scheme allows you to enter identifiers with similar names and then press the space key when you are done typing the identifier name.
111
Examples: Use Command Completion in Configuration Mode

List the configuration mode commands:
user@host#? Possible completions: <[Enter]> Execute this command activate Remove the inactive tag from a statement annotate Annotate the statement with a comment commit Commit current set of changes copy Copy a statement deactivate Add the inactive tag to a statement delete Delete a data element edit Edit a sub-element exit Exit from this level help Provide help information insert Insert a new ordered data element load Load configuration from an ASCII file quit Quit from this level rename Rename a statement rollback Roll back database to last committed version run Run an operational-mode command save Save configuration to an ASCII file set Set a parameter show Show a parameter status Display database user status top Exit to top level of configuration up Exit one level of configuration
List all the statements available at a particular hierarchy level:

[edit] user@host# edit ? Possible completions: > accounting-options > chassis > class-of-service > firewall > forwarding-options > groups > interfaces > policy-options > protocols > routing-instances > routing-options > snmp > system
Accounting data configuration Chassis configuration Class-of-service configuration Define a firewall configuration Configure options to control packet sampling Configuration groups Interface configuration Routing policy option configuration Routing protocol configuration Routing instance configuration Protocol-independent routing option configuration Simple Network Management Protocol System parameters
user@host# edit protocols ? Possible completions: <[Enter]> Execute this command > bgp BGP options > connections Circuit cross-connect configuration > dvmrp DVMRP options > igmp IGMP options > isis IS-IS options > ldp LDP options > mpls Multiprotocol Label Switching options > msdp MSDP options > ospf OSPF configuration > pim PIM options > rip RIP options
112
> > > >
router-discovery rsvp sap vrrp
| [edit] user@host# edit protocols
ICMP router discovery options RSVP options Session Advertisement Protocol options VRRP options Pipe through a command
List all commands that start with a particular letter or string:

user@host# edit routing-options a? Possible completions: > aggregate Coalesced routes > autonomous-system Autonomous system number [edit] user@host# edit routing-options a
List all configured ATM interfaces:

user@host# edit interfaces at? Possible completions: <interface_name> Interface name at-2/1/1 at-2/2/0 at-5/1/0 [edit] user@host# edit interfaces at
Display a list of all configured policy statements:

[edit] user@host# show policy-options policy-statement ? Possible completions: <policy_name> Name to identify a policy filter [edit] user@host# show policy-options policy-statement
Get Help Based on a String in a Statement Name

In configuration mode, you can display help based on a text string contained in a statement name using the help command. This command displays help for statements at the current hierarchy level and below.
help apropos string
string is a text string about which you want to get help. This string is used to match statement names as well as the help strings that are displayed for the statements. If the string contains spaces, enclose it in quotation marks (" "). You also can specify a regular expression for the string, using standard UNIX-style regular expression syntax. You can also display help based on a text string contained in a statement name using the help topic and help reference commands.
help topic string help reference string
The help topic command displays usage guidelines for the statement, while the help reference command displays summary information about the statement.
113
Create and Modify the Configuration
Example: Get Help Based on a String Contained in a Statement Name

Get help about statements that contain the string traps:
[edit] user@host# help apropos traps set interfaces <interface_name> Enable SNMP notifications on state changes set interfaces <interface_name> unit <interface_unit_number> Enable SNMP notifications on state changes set snmp trap-group Configure traps and notifications set snmp trap-group <group_name> version <version> all Send SNMPv1 and SNMPv2 traps set snmp trap-group <group_name> version <version> v1 Send SNMPv1 traps set snmp trap-group <group_name> version <version> v2 Send SNMPv2 traps set protocols mpls log-updown Send SNMP traps set firewall filter <filter-name> term <rule-name> from source-port snmptrap SNMP traps set firewall filter <filter-name> term <rule-name> from source-port-except snmptrap SNMP traps set firewall filter <filter-name> term <rule-name> from destination-port snmptrap SNMP traps set firewall filter <filter-name> term <rule-name> from destination-port-except snmptrap SNMP traps set firewall filter <filter-name> term <rule-name> from port snmptrap SNMP traps set firewall filter <filter-name> term <rule-name> from port-except snmptrap SNMP traps [edit] user@host# edit interfaces at-5/3/0 [edit interfaces at-5/3/0] user@host# help apropos traps set <interface_name> Enable SNMP notifications on state changes set <interface_name> unit <interface_unit_number> Enable SNMP notifications on state changes

To configure the router or to modify an existing router configuration, you add statements to the configuration, in the process creating a statement hierarchy. For each statement hierarchy, you create the hierarchy starting with a statement at the top level and continuing with statements that move progressively lower in the hierarchy. For example, to configure an interface in OSPF area 0, you must configure the following hierarchy of statements:
protocols ospf area 0 interface interface-name
114
To create the hierarchy and thereby configure the router, you use two configuration mode commands: ! setCreates a statement hierarchy and sets identifier values. After you issue a set command, you remain at the same level in the hierarchy. The set command has the following syntax:
set <statement-path> statement <identifier >
statement-path is the hierarchy to the configuration statement and the statement itself. If you have already moved to the statements hierarchy level, you omit this. statement is the configuration statement itself. identifier is a string that identifies an instance of a statement. Not all statements require identifiers. In the example shown at the beginning of this section, the area name and the interface names are identifiers. In many cases, the identifier can contain a space. When you type these identifiers in the configuration, you must enclose them in quotation marks. When the CLI displays these identifiers in the output of a show or other command, it encloses them in quotation marks. The set command is analogous to an operating system command in which you specify the full path name of the statement you are performing an action on, for example, mkdir /usr/home/boojum/files or mkdir f:\home\boojum\files. For statements that can have more than one identifier, when you issue a set command to set an identifier, only that identifier is set. The other identifiers that are specified in the statement remain. ! editMoves to a particular hierarchy level. If that hierarchy level does not exist, the edit command creates it and then moves to it. After you issue an edit command, the banner changes to indicate your current level in the hierarchy. The edit command has the following general syntax:
edit <statement-path> statement <identifier >
The edit command is analogous to the combination of operating system commands that you would use to first change into a directory and then perform an action; for example, cd /usr/home/boojum;mkdir files.
Examples: Create and Modify the Configuration

To configure an interface to run OSPF, you could issue a single set command from the top level of the configuration hierarchy. The initial [edit] banner indicates that you are at the top level. Notice that after you issue the set command, you remain at the top level of the statement hierarchy, as indicated by the second [edit] banner.
[edit] user@host# set protocols ospf area 0.0.0.0 interface so-0/0/0 hello-interval 5 [edit] user@host#
115
You also can use the edit command to create and move to the [edit protocols ospf area 0.0.0.0 interface so-0/0/0] hierarchy level and then issue a set command to set the value of the hello-interval statement. After you issue the edit command, you move down in the hierarchy, as indicated by the [edit protocols ospf area 0.0.0.0 interface so-0/0/0] banner.
[edit] user@host# edit protocols ospf area 0.0.0.0 interface so-0/0/0 [edit protocols ospf area 0.0.0.0 interface so-0/0/0] user@host# set hello-interval 5 [edit protocols ospf area 0.0.0.0 interface so-0/0/0] user@host#
Because hello-interval is an identifier and not a statement, you cannot use the edit command to set the hello interval value. You must use the set command. You can determine that hello-interval is an identifier by listing the available commands at the [edit protocols ospf area 0.0.0.0 interface so-0/0/0] banner. All the statements not preceded by a > are identifiers.
[edit] user@host# edit protocols ospf area 0.0.0.0 interface so-0/0/0 [edit protocols ospf area 0.0.0.0 interface so-0/0/0] user@host# set ? Possible completions: + apply-groups Groups from which to inherit configuration data > authentication-key Authentication key dead-interval Dead interval (seconds) disable Disable OSPF on this interface hello-interval Hello interval (seconds) interface-type Type of interface metric Interface metric (1..65535) > neighbor NBMA neighbor passive Do not run OSPF, but advertise it poll-interval Poll interval for NBMA interfaces priority Designated router priority retransmit-interval Retransmission interval (seconds) transit-delay Transit delay (seconds) transmit-interval OSPF packet transmit interval (milliseconds) [edit protocols ospf area 0.0.0.0 interface so-0/0/0] user@host# set
In both examples above, using either just the set command or a combination of the set and edit commands, you create the same configuration hierarchy:
[edit] user@host# show protocols { ospf { area 0.0.0.0 { interface so-0/0/0 { hello-interval 5; } } } }
Notice that the CLI uses indentation to visually represent the hierarchy levels, and it also places braces at the beginning and end of each hierarchy level to set them off. The CLI also places a semicolon at the end of the line that configures the hello-interval statement.
116
Move among Levels of the Hierarchy
You also use the set command to modify the value of an existing identifier. The following example changes the hello interval in the configuration shown above:
[edit] user@host# set protocols ospf area 0.0.0.0 interface so-0/0/0 hello-interval 20 [edit] user@host# show protocols { ospf { area 0.0.0.0 { interface so-0/0/0 { hello-interval 20; } } } }
When a statement can have more than one identifier, use the set command to add additional identifiers. Any identifiers that you have already set remain set.

When you first enter configuration mode, you are at the top level of the configuration command hierarchy, which is indicated by the [edit] banner:
Move Down to a Specific Level

To move down through an existing configuration command hierarchy, or to create a hierarchy and move down to that level, use the edit configuration mode command, specifying the hierarchy level at which you want to be. After you issue an edit command, the banner changes to indicate your current level in the hierarchy.
edit <statement-path> identifier
For example:
[edit] user@host# edit protocols ospf [edit protocols ospf] user@host#
117
Move Back Up to Your Previous Level

To move up the hierarchy, use the exit configuration mode command. This command is, in effect, the opposite of the edit command. That is, the exit command moves you back to your previous level. For example:
[edit] user@host# edit protocols ospf [edit protocols ospf] user@host# edit area 0.0.0.0 interface so-0/0/0 [edit protocols ospf area 0.0.0.0 interface so-0/0/0] user@host# exit [edit protocols ospf] user@host# exit [edit] user@host#
Move Up One Level

To move up the hierarchy one level at a time, use the up configuration mode command. For example:
[edit] user@host# edit protocols ospf area 0.0.0.0 interface so-0/0/0 [edit protocols ospf area 0.0.0.0 interface so-0/0/0] user@host# set hello-interval 5 [edit protocols ospf area 0.0.0.0 interface so-0/0/0] user@host# up [edit protocols ospf area 0.0.0.0] user@host# up [edit protocols ospf] user@host#
Move Directly to the Top of the Hierarchy

To move directly to the top level, use the top configuration mode command. For example:
[edit protocols ospf area 0.0.0.0 interface so-0/0/0] user@host# top [edit] user@host#
118
Exit Configuration Mode
Warning Messages When Moving Up

If you have omitted a required statement at a particular level, when you issue a show command that displays that hierarchy level, a warning message indicates which statement is missing. For example:
[edit protocols mpls] user@host# set statistics file [edit protocols mpls] user@host# show statistics { file; # Warning: missing mandatory statement(s): <filename> } interface all; interface so-3/0/0 { disable; }
Exit Configuration Mode

To exit from configuration mode, use the exit configuration-mode configuration mode command from any level or use the exit command from the top level. For example:
[edit protocols ospf area 0.0.0.0 interface so-0/0/0] user@host# exit configuration-mode exiting configuration mode user@host> [edit] user@host# exit exiting configuration mode user@host>
If you try to exit from configuration mode using the exit command, and the configuration contains changes that have not been committed, you see a message and prompt:
[edit] user@host# exit The configuration has been changed but not committed Exit with uncommitted changes? [yes,no] (yes) <Enter> Exiting configuration mode user@host>
To exit with uncommitted changes without having to respond to a prompt, use the exit configuration-mode command. This command is useful when you are using scripts to perform remote configuration.
[edit] user@host# exit configuration-mode The configuration has been changed but not committed Exiting configuration mode user@host>
119
Display the Current Configuration
Display the Current Configuration

To display the current configuration, use the show configuration mode command. This command displays the configuration at the current hierarchy level or at the specified level.
user@host> show <statement-path>
When displaying the configuration, the CLI indents each subordinate hierarchy level, inserts braces to indicate the beginning and end of each hierarchy level, and places semicolons at the end of statements that are at the lowest level of the hierarchy. This is the same format that you use when creating an ASCII configuration file, and it is the same format that the CLI uses when saving a configuration to an ASCII file. The configuration statements appear in a fixed order, and interfaces appear alphabetically by type, and then in numerical order by slot number, PIC number, and port number. Note that when you configure the router, you can enter statements in any order. You also can use the CLI operational mode show configuration command to display the last committed current configuration, which is the configuration currently running on the router:
user@host> show configuration
If you have omitted a required statement at a particular hierarchy level, when you issue the show command in configuration mode, a message indicates which statement is missing. As long as a mandatory statement is missing, the CLI continues to display this message each time you issue a show command. For example:
[edit] user@host# show protocols { pim { interface so-0/0/0 { priority 4; version 2; # Warning: missing mandatory statement(s): 'mode' } } }
Examples: Display the Current Configuration

Display the entire configuration:
[edit] user@host# set protocols ospf area 0.0.0.0 interface so-0/0/0 hello-interval 5 [edit] user@host# show protocols { ospf { area 0.0.0.0 { interface so-0/0/0 { hello-interval 5; } } } }
120
Display Users Currently Editing the Configuration
Display a particular hierarchy in the configuration:

[edit] user@host# show protocols ospf area 0.0.0.0 interface so-0/0/0 { hello-interval 5; }
Move down to a level and display the configuration at that level:

[edit] user@host# edit protocols ospf area 0.0.0.0 [edit protocols ospf area 0.0.0.0] user@host# show interface so-0/0/0 { hello-interval 5; }
Display all of the last committed configuration:

[edit] user@host# set protocols ospf area 0.0.0.0 interface so-0/0/0 hello-interval 5 [edit] user@host# commit commit complete [edit] user@host# quit exiting configuration mode user@host> show configuration protocols { ospf { area 0.0.0.0 { interface so-0/0/0 { hello-interval 5; } } } }
Display Users Currently Editing the Configuration

To display the users currently editing the configuration, use the status configuration mode command:
user@host# status Current configuration users: user terminal p0 (pid 518) on since 2000-03-12 18:24:27 PST [edit protocols]
The system displays who is editing the configuration (user), from where the user is logged in (terminal p0), the date and time the user logged in (2000-03-12 18:24:27 PST), and what level of the hierarchy the user is editing ([edit protocols]).
121
Remove a Statement from the Configuration
Remove a Statement from the Configuration

To delete a statement or identifier, use the delete configuration mode command. Deleting a statement or an identifier effectively unconfigures the functionality associated with that statement or identifier, returning that functionality to its default condition.
delete <statement-path > <identifier >
When you delete a statement, the statement and all its subordinate statements and identifiers are removed from the configuration. For statements that can have more than one identifier, when you delete one identifier, only that identifier is deleted. The other identifiers in the statement remain. To delete the entire hierarchy starting at the current hierarchy level, do not specify a statement or an identifier in the delete command. When you omit the statement or identifier, a prompt appears asking you to confirm the deletion:
[edit] user@host# delete Delete everything under this level? [yes, no] (no) ? Possible completions: no Don't delete everything under this level yes Delete everything under this level Delete everything under this level? [yes, no] (no)
Examples: Remove a Statement from the Configuration

Delete the ospf statement, effectively unconfiguring OSPF on the router:
[edit] user@host# set protocols ospf area 0.0.0.0 interface so-0/0/0 hello-interval 5 [edit] user@host# show protocols { ospf { area 0.0.0.0 { interface so-0/0/0 { hello-interval 5; } } } } [edit] user@host# delete protocols ospf [edit] user@host# show [edit] user@host#
122
Copy a Statement in the Configuration
Delete all statements from the current level down:

[edit] user@host# edit protocols ospf area 0.0.0.0 [edit protocols ospf area 0.0.0.0] user@host# set interface so-0/0/0 hello-interval 5 [edit protocols ospf area 0.0.0.0] user@host# delete Delete everything under this level? [yes, no] (no) yes [edit protocols ospf area 0.0.0.0] user@host# show [edit] user@host#
Unconfigure a particular property:

[edit] user@host# set interfaces so-3/0/0 speed 100mb [edit] user@host# show interfaces { so-3/0/0 { speed 100mb; } } [edit] user@host# delete interfaces so-3/0/0 speed [edit] user@host# show interfaces { so-3/0/0; }
Copy a Statement in the Configuration

When you have many statements in a configuration that are similar, you can add one statement, then make copies of that statement. Copying a statement duplicates that statement and the entire hierarchy of statements configured under that statement. Copying statements is useful when you are configuring many physical or logical interfaces of the same type. To make a copy of an existing statement in the configuration, use the configuration mode copy command:
copy existing-statement to new-statement
Immediately after you have copied a portion of the configuration, the configuration might not be valid. You must check the validity of the new configuration, and if necessary, modify either the copied portion or the original portion for the configuration to be valid.
123
Rename an Identifier
Example: Copy a Statement in the Configuration

After you have created one virtual connection (VC) on an interface, copy its configuration to create a second VC:
[edit interfaces] user@host# show at-1/0/0 { description "PAIX to MAE West" encapsulation atm-pvc; unit 61 { point-to-point; vci 0.61; family inet { address 10.0.1.1/24; } } } } [edit interfaces] user@host# edit at-1/0/0 [edit interfaces at-1/0/0] user@host# copy unit 61 to unit 62 [edit interfaces at-1/0/0] user@host# show description "PAIX to MAE West" encapsulation atm-pvc; unit 61 { point-to-point; vci 0.61; family inet { address 10.0.1.1/24; } } unit 62 { point-to-point; vci 0.61; family inet { address 10.0.1.1/24; } } }
Rename an Identifier
When modifying a configuration, you can rename an identifier that is already in the configuration. You can do this either by deleting the identifier (using the delete command) and then adding the renamed identifier (using the set and edit commands), or you can rename the identifier using the rename configuration mode command:
rename <statement-path> identifier1 to identifier2
Example: Rename an Identifier

Change the network time (NTP) server address to 10.0.0.6:
[edit] user@host# rename system network-time server 10.0.0.7 to server 10.0.0.6
124
Insert a New Identifier

When configuring the router, you can enter most statements and identifiers in any order. Regardless of the order in which you enter the configuration statements, the CLI always displays the configuration in a strict order. However, there are a few cases where the ordering of the statements matters because the configuration statements create a sequence that is analyzed in order. For example, in a routing policy or firewall filter, you define terms that are analyzed sequentially. Also, when you create a named path in dynamic Multiprotocol Label Switching (MPLS), you define an ordered list of the transit routers in the path, starting with the first transit router and ending with the last one. To modify a portion of the configuration in which the statement order matters, use the insert configuration mode command:
insert <statement-path> identifier1 (before | after) identifier2
If you do not use the insert command, but instead simply configure the identifier, it is placed at the end of the list of similar identifiers.
Examples: Insert a New Identifier

Insert policy terms in a routing policy configuration. Note that if you do not use the insert command, but rather just configure another term, the added term is placed at the end of the existing list of terms.
[edit] user@host# show policy-options { policy-statement statics { term term1 { from { route-filter 192.168.0.0/16 orlonger; route-filter 224.0.0.0/3 orlonger; } then reject; } term term2 { from protocol direct; then reject; } term term3 { from protocol static; then reject; } term term4 { then accept; } } } [edit] user@host# rename policy-options policy-statement statics term term4 to term term6 [edit] user@host# insert policy-options policy-statement statics term term4 after term term3 [edit] user@host# insert policy-options policy-statement statics term term5 after term term4 [edit] user@host# edit policy-options policy-statement statics term4
125
[edit policy-options policy-statement statics term4] user@host# set from protocol local [edit policy-options policy-statement statics term4] user@host# set then reject [edit policy-options policy-statement statics term4] user@host# edit policy-options policy-statement statics term5 [edit policy-options policy-statement statics term5] user@host# set from protocol aggregate [edit policy-options policy-statement statics term5] user@host# set then reject [edit policy-options policy-statement statics term5] user@host# top [edit] user@host# show policy-options { policy-statement statics { term term1 { from { route-filter 192.168.0.0/16 orlonger; route-filter 224.0.0.0/3 orlonger; } then reject; # reject the prefixes in the route list } term term2 { # reject direct routes from protocol direct; then reject; } term term3 { # reject static routes from protocol static; then reject; } term term4 { # reject local routes from protocol local; then reject; } term term5 { # reject aggregate routes from protocol aggregate; then reject; } term term6 { then accept; # accept all other routes } } }
126
Run an Operational Mode CLI Command from Configuration Mode
Insert a transit router in a dynamic MPLS path:

[edit protocols mpls path ny-sf] user@host# show 1.1.1.1; 2.2.2.2; 3.3.3.3 loose; 4.4.4.4 strict; 6.6.6.6; [edit protocols mpls path ny-sf] user@host# insert 5.5.5.5 before 6.6.6.6 [edit protocols mpls path ny-sf] user@host# set 5.5.5.5 strict [edit protocols mpls path ny-sf] user@host# show 1.1.1.1; 2.2.2.2; 3.3.3.3 loose; 4.4.4.4 strict; 5.5.5.5 strict; 6.6.6.6;
Run an Operational Mode CLI Command from Configuration Mode

At times, you might need to display the output of an operational mode show or other command while configuring the software. While in configuration mode, you can execute a single operational mode command by issuing the configuration mode run command and specifying the operational mode command:
[edit] user@host# run operational-mode-command
Example: Run an Operational Mode CLI Command from Configuration Mode

Display the priority value of the VRRP master router while you are modifying the VRRP configuration for a backup router:
[edit interfaces ge-4/2/0 unit 0 family inet vrrp-group 27] user@host# show virtual-address [ 192.168.1.15 ]; [edit interfaces ge-4/2/0 unit 0 family inet vrrp-group 27] user@host# run show vrrp detail Physical interface: ge-5/2/0, Unit: 0, Address: 192.168.29.10/24 Interface state: up, Group: 10, State: backup Priority: 190, Advertisement interval: 3, Authentication type: simple Preempt: yes, VIP count: 1, VIP: 192.168.29.55 Dead timer: 8.326, Master priority: 201, Master router: 192.168.29.254 [edit interfaces ge-4/2/0 unit 0 family inet vrrp-group 27] user@host# set priority ...
127
Display Configuration Mode Command History
Display Configuration Mode Command History

In configuration mode, you can display a list of the recent commands you issued while in configuration mode. To do this, use the run show cli history command:
user@host> configure ... [edit] user@host# run show cli history 12:40:08 -- show 12:40:17 -- edit protocols 12:40:27 -- set isis 12:40:29 -- edit isis 12:40:40 -- run show cli history [edit protocols isis] user@host#
By default, this command displays the last 100 commands issued in the CLI. If you specify a number with the command, it displays that number of recent commands. For example:
user@host# run show cli history 3 12:40:08 -- show 12:40:17 -- edit protocols 12:40:27 -- set isis
Verify a Configuration
To verify that the syntax of a configuration is correct, use the configuration mode commit check command:
[edit] user@host# commit check configuration check succeeds [edit] user@host#
If the commit check command finds an error, a message indicates the location of the error.
Commit a Configuration
To save software configuration changes to the configuration database and activate the configuration on the router, use the commit configuration mode command:
[edit] user@host# commit commit complete [edit] user@host#
The configuration is checked for syntax errors. If the syntax is correct, the configuration is activated and becomes the current, operational router configuration. You can issue the commit command from any hierarchy level.
128
If the configuration contains syntax errors, a message indicates the location of the error and the configuration is not activated. The error message has the following format:
[edit edit-path] offending-statement ; error-message
For example:
[edit firewall filter login-allowed term allowed from] icmp-type [ echo-request echo-reply ]; keyword echo-reply unrecognized
You must correct the error before recommitting the configuration. To return quickly to the hierarchy level where the error is located, copy the path from the first line of the error and paste it at the configuration mode prompt at the [edit] hierarchy level. When you commit a configuration, you commit the entire configuration in its current form. If more than one user is modifying the configuration, committing it saves and activates the changes of all the users. After you have committed the configuration and are satisfied that the new configuration is successfully running, you should issue the request system snapshot command to back up the new software onto the /altconfig file system. If you do not issue the request system snapshot command, the configuration on the alternate boot drive will be out of sync with the configuration on the primary boot drive. The request system snapshot command causes the root file system to be backed up to /altroot, and /config to be backed up to /altconfig. The root and /config file systems are on the routers flash drive, and the /altroot and /altconfig file systems are on the routers hard drive. After you issue this command, you cannot return to the previous version of the software, because the running and backup copies of the software are identical.
Commit a Configuration and Exit Configuration Mode

To save software configuration changes, activate the configuration on the router, and exit configuration mode, use the commit and-quit configuration mode command. This command succeeds only if the configuration contains no errors.
[edit] user@host# commit and-quit commit complete exiting configuration mode user@host>
129
Activate a Configuration for a Limited Time

There might be times when you want to commit a candidate configuration, activating the configuration for a limited time to determine that it functions properly, and then reverting to the previous configuration afterwards. For example, you might want to ensure that a modified configuration does not lock you out of the command-line interface or the router. To activate a configuration for a limited time, use the commit confirmed configuration mode command:
[edit] user@host# commit confirmed commit complete [edit] user@host#
As with the commit command, the commit confirmed command verifies the configuration syntax and reports any errors. If there are no errors, the configuration is activated and begins running on the router. By default, the configuration runs for 10 minutes. Then the router reverts to the previous configuration. To keep the new configuration active, enter a commit or commit check command within 10 minutes of the commit confirmed command. Figure 5 illustrates how the commit confirmed command works.
Figure 5: Confirm a Configuration
Candidate configuration
Running configuration (limited time only) commit or commit check
Edit the configuration
To change the amount of time before you have to confirm the new configuration, specify the number of minutes when you issue the command:
[edit] user@host# commit confirmed minutes commit complete [edit] user@host#
130
1414
Current running configuration
Expiration of limited time (default: 10 minutes)
New running configuration
Save a Configuration to a File
Save a Configuration to a File

You can save the software configuration from your current configuration session to an ASCII file, which saves the configuration in its current form, including any uncommitted changes. If more than one user is modifying the configuration, saving it captures all changes made by all users. You might want to save the configuration to a file so that you can edit it with a text editor of your choice. To save software configuration changes to an ASCII file, use the save configuration mode command:
[edit] user@host# save filename [edit] user@host#
By default, the configuration is saved to that file in your home directory, which is on the flash disk. For information about specifying the filename, see How to Specify Filenames and URLs on page 192.
Load a Configuration
You can create a file, copy the file to the local router, and then load the file into the CLI. After you have loaded the file, you can commit it to activate the configuration on the router, or you can edit the configuration interactively using the CLI and commit it at a later time. You can also create a configuration while typing at the terminal and then load it. Loading a configuration from the terminal is generally useful when you are cutting existing portions of the configuration and pasting them elsewhere in the configuration. To load an existing configuration file that is located on the router, use the load configuration mode command:
[edit] user@host# load (replace | merge | override) filename
To load a configuration from the terminal, use the following version of the load configuration mode command:
[edit] user@host# load (replace | merge | override) terminal [Type ^D to end input]
To replace an entire configuration, specify the override option. An override operation discards the current candidate configuration and loads the configuration in filename or the one that you type at the terminal. To combine the current configuration and the configuration in filename or the one that you type at the terminal, specify the merge option. A merge operation is useful when you are adding a new section to an existing configuration. If the existing configuration and the incoming configuration contain conflicting statements, the statements in the incoming configuration override those in the existing configuration.
131
To replace portions of a configuration, specify the replace option. For this operation to work, you must include replace: tags in the file or configuration you type at the terminal. The software searches for the replace: tags, deletes the existing statements of the same name, if any, and replaces them with the incoming configuration. If there is no existing statement of the same name, the replace operation adds to the configuration the statements marked with replace: tag. If, in an override or merge operation, you specify a file or type text that contains replace: tags, the replace: tags are ignored, and the override or merge operation is performed. If, when you are performing a replace operation, the file you specify or text you type does not contain any replace: tags, the replace operation is effectively equivalent to a merge operation. This might be useful if you are running automated scripts and cannot know in advance whether the scripts need to perform a replace or a merge operation. The scripts can use the replace operation to cover either case. For information about specifying the filename, see How to Specify Filenames and URLs on page 192. To copy a configuration file from another network system to the local router, you can use the SSH and Telnet utilities, as described in the JUNOS Internet Software Operational Mode Command Reference.
Examples: Load a Configuration from a File
Current configuration: interfaces { lo0 { unit 0 { family inet { address 127.0.0.1; } } } so-3/0/0 { unit 0 { family inet { address 204.69.248.181/28; } } } }
File contents: interfaces { replace: so-3/0/0 { unit 0 { family inet { address 10.0.0.1/8; } } } }
load override
New contents: interfaces { so-3/0/0 { unit 0 { family inet { address 10.0.0.1/8; } } } }
132
New contents: interfaces { lo0 { unit 0 { family inet { address 127.0.0.1; } } } so-3/0/0{ unit 0 { family inet { address 10.0.0.1/8; } } } }
load replace
New contents: interfaces { lo0 { unit 0 { family inet { address 127.0.0.1; } } } so-3/0/0 { unit 0 { family inet { address 10.0.0.1/8; address 204.69.248.181/28; } } } }
load merge
133
Return to a Previously Committed Configuration
Return to a Previously Committed Configuration

To return to the most recently committed configuration and load it into configuration mode without activating it, use the rollback configuration mode command:
[edit] user@host# rollback load complete
To activate the configuration that you loaded, use the commit command:
[edit] user@host# rollback load complete [edit] user@host# commit
To return to a configuration prior to the most recently committed one, include the number in the rollback command:
[edit] user@host# rollback number load complete
number can be a number in the range 0 through 9. The most recently saved configuration is number 0 (which is the default configuration to which the system returns), and the oldest saved configuration is number 9. To display the previous configurations, including rollback number, date, time, name of user who committed changes, and method of commit, use the rollback ? command.
[edit] user@host# rollback ? Possible completions: <[Enter]> Execute this command <number> Numeric argument 0 2001-02-27 12:52:10 PST by abc via cli 1 2001-02-26 14:47:42 PST by cde via cli 2 2001-02-14 21:55:45 PST by fgh via cli 3 2001-02-10 16:11:30 PST by hij via cli 4 2001-02-10 16:02:35 PST by klm via cli | Pipe through a command [edit]
For more information about versions of the configuration, see How the Configuration Is Stored on page 106. The access privilege level for using the rollback command is controlled by the rollback permission bit. Users for whom this permission bit is not set can return only to the most recently committed configuration. Users for whom this bit is set can return to any prior committed configuration. For more information, see Configure Access Privilege Levels on page 216.
134
Configuration Mode Error Messages
Example: Return to a Previously Committed Version of the Configuration

Return to and activate the version stored in the file juniper.conf.3:
[edit] user@host# rollback 3 load complete [edit] user@host# commit
Configuration Mode Error Messages

If you do not type an option for a statement that requires one, a message indicates the type of information expected. In this example, you need to type an area number to complete the command:
[edit] user@host# set protocols ospf area<Enter>
^
syntax error, expecting <identifier>.
In this example, you need to type a value for the hello interval to complete the command:
[edit] user@host# set protocols ospf area 45 interface so-0/0/0
hello-interval<Enter>
^ syntax error, expecting <data>
If you have omitted a required statement at a particular hierarchy level, when you attempt to move from that hierarchy level or when you issue the show command in configuration mode, a message indicates which statement is missing. For example:
[edit protocols pim interface so-0/0/0] user@host# top Warning: missing mandatory statement: 'mode' [edit] user@host# show protocols { pim { interface so-0/0/0 { priority 4; version 2; # Warning: missing mandatory statement(s): 'mode' } } }
135
Deactivate and Reactivate Statements and Identifiers in a Configuration
Deactivate and Reactivate Statements and Identifiers in a Configuration

In a configuration, you can deactivate statements and identifiers so that they do not take effect when you issue the commit command. Any deactivated statements and identifiers are marked with the inactive: tag. They remain in the configuration, but are not activated when you issue a commit command. To deactivate a statement or identifier, use the deactivate configuration mode command:
deactivate (statement | identifier )
To reactivate a statement or identifier, use the activate configuration mode command:

activate (statement | identifier )
In both commands, the statement or identifier you specify must be at the current hierarchy level. In some portions of the configuration hierarchy, you can include a disable statement to disable functionality. One example is disabling an interface by including the disable statement at the [edit interface interface-name ] hierarchy level. When you deactivate a statement, that specific object or property is completely ignored and is not applied at all when you issue a commit command. When you disable a functionality, it is activated when you issue a commit command but is treated as being down or administratively disabled.
Examples: Deactivate and Reactivate Statements and Identifiers in a Configuration

Deactivate an interface in the configuration:
[edit interfaces] user@host# show at-5/2/0 { traceoptions { traceflag all; } atm-options { vpi 0 maximum-vcs 256; } unit 0 { ... [edit interfaces] user@host# deactivate at-5/2/0 [edit interfaces] user@host# show inactive: at-5/2/0 { traceoptions { traceflag all; } ...
136
Add Comments in a Configuration
Reactivate the interface:

[edit interfaces] user@host# activate at-5/2/0 [edit interfaces] user@host# show at-5/2/0 { traceoptions { traceflag all; } ...

You can include comments in a configuration to describe any statement in the configuration. You can add commands interactively in the CLI and by editing the ASCII configuration file. When you add comments in configuration mode, they are associated with a statement at the current level. Each statement can have one single-line comment associated with it. Before you can associate a comment with a statement, the statement must exist. The comment is placed on the line preceding the statement. To add comments to a configuration, use the annotate configuration mode command:
annotate statement "comment-string"
statement is the configuration statement to which you are attaching the comment, and it must be at the current hierarchy level. If a comment for the specified statement already exists, it is deleted and replaced with the new comment. comment-string is the text of the comment. The comment text can be any length, and you must type it on a single line. If the comment contains spaces, you must enclose it in quotation marks. In the comment string, you can include the comment delimiters /* */ or #. If you do not specify any, the comment string is enclosed with the /* */ comment delimiters. To delete an existing comment, specify an empty comment string:
annotate statement ""
When you edit the ASCII configuration file and add comments, they can be one or more lines and must precede the statement they are associated with. If you place the comments in other places in the file, such as on the same line following a statement or on a separate line following a statement, they are removed when you use the load command to open the configuration into the CLI. When you include comments in the configuration file directly, you can format comments in the following ways: ! Start the comment with a /* and end it with a */. The comment text can be on a single line or can span multiple lines. ! Start the comment with a # and end it with a new line (carriage return).
137
If you add comments with the annotate command, you can view the comments within the configuration by entering the show configuration mode command or the show configuration operational mode command. When configuring interfaces, you can add comments about the interface by including the description statement at the [edit interfaces interface-name] hierarchy level. Any comments you include appear in the output of the show interfaces commands. For more information about the description statement, see the JUNOS Internet Software Configuration Guide: Interfaces and Chassis.
Examples: Include Comments in Configurations

Add comments to a configuration:
[edit] user@host# show protocols { ospf { area 0.0.0.0 { interface so-0/0/0 { hello-interval 5; } } } } [edit] user@host# edit protocols ospf [edit protocols ospf] user@host# set area 0.0.0.0 user@host# annotate area 0.0.0.0 "Backbone area configuration added June 15, 1998" [edit protocols ospf] user@host# edit area 0.0.0.0 [edit protocols ospf area 0.0.0.0] user@host# annotate interface so0 "Interface from router sj1 to router sj2" [edit protocols ospf area 0.0.0.0] user@host# top [edit] user@host# show protocols { ospf { /* Backbone area configuration added June 15, 1998 */ area 0.0.0.0 { /* Interface from router sj1 to router sj2 */ interface so-0/0/0 { hello-interval 5; } } } } [edit] user@host#
138
Have Multiple Users Configure the Software
The following excerpt from a configuration example illustrates how to enter comments in a configuration file:
/* This comment goes with routing-options */ routing-options { /* This comment goes with routing-options traceoptions */ traceoptions { /* This comment goes with routing-options traceoptions tracefile */ tracefile rpd size 1m files 10; /* This comment goes with routing-options traceoptions traceflag task */ traceflag task; /* This comment goes with routing-options traceoptions traceflag general */ traceflag general; } autonomous-system 10458; /* This comment is dropped */ } routing-options { rib-groups { ifrg { import-rib [ inet.0 inet.2 ]; /* A comment here is dropped */ } dvmrp-rib { import-rib inet.2; export-rib inet.2; /* A comment here is dropped */ } /* A comment here is dropped */ } /* A comment here is dropped */ }
Have Multiple Users Configure the Software

Up to 32 users can be in configuration mode simultaneously, and they all can be making changes to the configuration. All changes made by all users are visible to everyone editing the configurationthe changes become visible as soon as the user presses the Enter key at the end of a command that changes the configuration, such as set, edit, or delete. When any of the users editing the configuration issues a commit command, all changes made by all users are checked and activated.
139
Walk-through Example: Using the CLI to Configure the Router

This section walks through an example of creating a simple configuration, illustrating how to use the CLI to create, display, and modify the software configuration for your system. The example used in this section creates the following configuration:
protocols { ospf { area 0.0.0.0 { interface so-0/0/0 { hello-interval 5; dead-interval 20; } interface so-0/0/1 { hello-interval 5; dead-interval 20; } } } }
Shortcut
You can create this entire configuration with two commands:
[edit] user@host# set protocols ospf area 0.0.0.0 interface so-0/0/0 hello-interval 5 dead-interval 20 [edit] user@host# set protocols ospf area 0.0.0.0 interface so-0/0/1 hello-interval 5 dead-interval 20
Longer Configuration Example

The remainder of this section provides a longer example of creating the OSPF configuration. In the process, it illustrates how to use the different features of the CLI. First, you enter configuration mode by issuing the configure top-level command:
The prompt in braces shows that you are in configuration edit mode, at the top of the hierarchy. If you want to create the above configuration, you start by editing the protocols ospf statements:
[edit] user@host# edit protocols ospf [edit protocols ospf] user@host#
Now, add the OSPF area:

[edit protocols ospf] user@host# edit area 0.0.0.0 [edit protocols ospf area 0.0.0.0] user@host#
140
Next, add the first interface:

[edit protocols ospf area 0.0.0.0] user@host# edit interface so0 [edit protocols ospf area 0.0.0.0 interface so-0/0/0] user@host#
You now have four nested statements. Next, set the hello and dead intervals. Note that command completion (enter a tab or space) and context-sensitive help (type a question mark) are always available.
[edit protocols ospf area 0.0.0.0 interface so-0/0/0] user@host# set ? Possible completions: + apply-groups Groups from which to inherit configuration data > authentication-key Authentication key dead-interval Dead interval (seconds) disable Disable OSPF on this interface hello-interval Hello interval (seconds) interface-type Type of interface metric Interface metric (1..65535) > neighbor NBMA neighbor passive Do not run OSPF, but advertise it poll-interval Poll interval for NBMA interfaces priority Designated router priority retransmit-interval Retransmission interval (seconds) transit-delay Transit delay (seconds) transmit-interval OSPF packet transmit interval (milliseconds) [edit protocols ospf area 0.0.0.0 interface so-0/0/0] user@host# set hello-interval 5 [edit protocols ospf area 0.0.0.0 interface so-0/0/0] user@host# set dead-interval 20 [edit protocols ospf area 0.0.0.0 interface so-0/0/0] user@host#
You can see what is configured at the current level with the show command:
[edit protocols ospf area 0.0.0.0 interface so-o] user@host# show hello-interval 5; dead-interval 20; [edit protocols ospf area 0.0.0.0 interface so-0/0/0] user@host#
You are finished at this level, so back up a level and take a look at what you have so far:
[edit protocols ospf area 0.0.0.0 interface so-0/0/0] user@host# up [edit protocols ospf area 0.0.0.0] user@host# show interface so-0/0/0 { hello-interval 5; dead-interval 20; } [edit protocols ospf area 0.0.0.0] user@host#
Note that the interface statement has come into view because you have moved to inside the area statement.
141
Now add the second interface:

[edit protocols ospf area 0.0.0.0] user@host# edit interface so-0/0/1 [edit protocols ospf area 0.0.0.0 interface so-0/0/1] user@host# set hello-interval 5 [edit protocols ospf area 0.0.0.0 interface so-0/0/1] user@host# set dead-interval 20 [edit protocols ospf area 0.0.0.0 interface so-0/0/1] user@host# up [edit protocols ospf area 0.0.0.0] user@host# show interface so-0/0/0 { hello-interval 5; dead-interval 20; } interface so-0/0/1 { hello-interval 5; dead-interval 20; } [edit protocols ospf area 0.0.0.0] user@host#
Now back up to the top level and see what you have:
[edit protocols ospf area 0.0.0.0] user@host# top [edit] user@host# show protocols { ospf { area 0.0.0.0 { interface so-0/0/0 { hello-interval 5; dead-interval 20; } interface so-0/0/1 { hello-interval 5; dead-interval 20; } } } } [edit] user@host#
This configuration now contains the statements you want. Before committing it, which activiates the configuration, verify that the configuration is correct:
[edit] user@host# commit check configuration check succeeds [edit] user@host#
Now you can commit the configuration to activate it on the router:

[edit] user@host# commit commit complete [edit] user@host#
142
Suppose you decide to use different dead and hello intervals on interface so-0/0/1. You can make changes to the configuration. Note that you can jump all the way down through the hierarchy by typing the full hierarchy path to the statement you want to edit.
[edit] user@host# edit protocols ospf area 0.0.0.0 interface so-0/0/1 [edit protocols ospf area 0.0.0.0 interface so-0/0/1] user@host# show hello-interval 5; dead-interval 20; [edit protocols ospf area 0.0.0.0 interface so-0/0/1] user@host# set hello-interval 7 [edit protocols ospf area 0.0.0.0 interface so-0/0/1] user@host# set dead-interval 28 [edit protocols ospf area 0.0.0.0 interface so-0/0/1] user@host# top [edit] user@host# show protocols { ospf { area 0.0.0.0 { interface so-0/0/0 { hello-interval 5; dead-interval 20; } interface so-0/0/1 { hello-interval 7; dead-interval 28; } } } } [edit] user@host#
Next, if you change your mind and decide not to run OSPF on the first interface, you can just delete the statement:
[edit] user@host# edit protocols ospf area 0.0.0.0 [edit protocols ospf area 0.0.0.0] user@host# delete interface so-0/0/0 [edit protocols ospf area 0.0.0.0] user@host# top [edit] user@host# show protocols { ospf { area 0.0.0.0 { interface so-0/0/1 { hello-interval 7; dead-interval 28; } } } } [edit] user@host#
Note that everything inside of the statement you deleted was deleted with it. You could eliminate the entire OSPF configuration by simply entering delete protocols ospf while at the top level.
143
Next, you decide to use the default values for the hello and dead intervals on your remaining interface (but you want OSPF to run on that interface):
[edit] user@host# edit protocols ospf area 0.0.0.0 interface so-0/0/1 [edit protocols ospf area 0.0.0.0 interface so-0/0/1] user@host# delete hello-interval [edit protocols ospf area 0.0.0.0 interface so-0/0/1] user@host# delete dead-interval [edit protocols ospf area 0.0.0.0 interface so-0/0/1] user@host# top [edit] user@host# show protocols { ospf { area 0.0.0.0 { interface so-0/0/1; } } } [edit] user@host#
Note that you can set multiple statements at the same time as long as they are all part of the same hierarchy (the path of statements from the top inward, as well as one or more statements at the bottom of the hierarchy). Doing this can reduce considerably the number of commands that must be entered. For instance, if you want to go back to the original hello and dead interval timers on interface so-0/0/1, you can enter:
[edit] user@host# edit protocols ospf area 0.0.0.0 interface so-0/0/1 [edit protocols ospf area 0.0.0.0 interface so-0/0/1] user@host# set hello-interval 5 dead-interval 20 [edit protocols ospf area 0.0.0.0 interface so-0/0/1] user@host# exit [edit] user@host# show protocols { ospf { area 0.0.0.0 { interface so-0/0/1 { hello-interval 5; dead-interval 20; } } } } [edit] user@host#
144
Additional Details about Specifying Statements and Identifiers
You also can re-create the other interface, as you had it before, with only a single entry:
[edit] user@host# set protocols ospf area 0.0.0.0 interface so-0/0/1 hello-interval 5 dead-interval 20 [edit] user@host# show protocols { ospf { area 0.0.0.0 { interface so-0/0/0 { hello-interval 5; dead-interval 20; } interface so-0/0/1 { hello-interval 5; dead-interval 20; } } } }

This section provides more detailed information about specifying statements and identifiers in configuration mode: ! How to Specify Statements on page 145 ! How the CLI Performs Type Checking on page 147
How to Specify Statements

This section provides more detailed information about CLI container and leaf statements so that you can better understand how the CLI displays them in a configuration and how you must specify them when creating ASCII configuration files. Statements are shown one of two ways, either with braces or without: ! Statement name and identifier, with one or more lower-level statements enclosed in braces:
< statement-name > < identifier > { statement ; additional-statements ; }
! Statement name, identifier, and a single identifier:

< statement-name > < identifier > identifier ;
The statement-name is the name of the statement. In the configuration example shown in the previous section, ospf and area are statement names. The identifier is a name or other string that uniquely identifies an instance of a statement. The identifier is used when a statement can be specified more than once in a configuration. In the configuration example shown in the previous section, the identifier for the area statement is 0 and the identifier for the interface statement is so-0/0/0.
145
When specifying a statement, you must specify either a statement name or an identifier, or both, depending on the statement hierarchy. You specify identifiers in one of the following ways: ! identifierThe identifier is a flag, which is a single keyword. ! identifier valueThe identifier is a keyword, and the value is a required option variable. ! identifier [value1 value 2 value3 ...]The identifier is a set that accepts multiple values. The brackets are required when you specify a set of identifiers; however, they are optional when you specify only one identifier. The following examples illustrate how statements and identifiers are specified in the configuration:
protocol { # Top-level statement (statement-name). ospf { # Statement under "protocol" (statement-name). area 0.0.0.0 { # OSPF area "0.0.0.0" (statement-name identifier), interface so-0/0/0 { # which contains an interface named "so-0/0/0." hello-interval 25; # Identifier and value (identifier-name value). priority 2; # Identifier and value (identifier-name value). disable; # Flag identifier (identifier-name). } interface so-0/0/1; # Another instance of "interface," named so-0/0/1, } # this instance contains no data, so no braces } # are displayed. } policy-options { # Top-level statement (statement-name). term term1 { # Statement under "policy-options" # (statement-name value). from { # Statement under "term" (statement-name). route-filter 10.0.0.0/8 orlonger reject; # One identifier ("route-filter") with route-filter 127.0.0.0/8 orlonger reject; # multiple values. route-filter 128.0.0.0/16 orlonger reject; route-filter 149.20.64.0/24 orlonger reject; route-filter 172.16.0.0/12 orlonger reject; route-filter 191.255.0.0/16 orlonger reject; } then { # Statement under "term" (statement-name). next term; # Identifier (identifier-name). } } }
146
When you create an ASCII configuration file, you can specify statements and identifiers in one of the following ways. However, each statement has a preferred style, and the CLI uses that style when displaying the configuration in response to a configuration mode show command. ! Statement followed by identifiers:
statement-name identifier-name [...] identifier-name value [...];
! Statement followed by identifiers enclosed in braces:

statement-name { identifier-name ; [...] identifier-name value ; [...] }
! For some repeating identifiers, you can use one set of braces for all the statements:
statement-name { identifier-name value1 ; identifier-name value2 ; }
How the CLI Performs Type Checking

When you specify identifiers and values, the CLI expects to receive specific types of input and performs type checking to verify that the data you have typed is in the correct format. For example, for a statement in which you must specify an IP address, the CLI checks that you have typed an address in a valid format. If you have not, an error message indicates what you were expected to type. Table 6 lists the data types that the CLI checks.
147
Table 6: CLI Configuration Input Types

Data Type
Physical interface name (used in the edit interfaces hierarchy) Full interface name Full or abbreviated interface name (used in places other than the edit interfaces hierarchy) IP address
Format
type-fpc/pic/port
Examples
Correct: so-0/0/1 Incorrect: so-0 Correct: so-0/0/1.0 Incorrect: so-0/0/1 Correct: so, so-1, so-1/2/3:4.5
type-fpc/pic/port<:channel>.logical type-<fpc</pic/port>><<:channel>.logical>
0xhex-bytes octet<.octet<.octet.<octet>>>
Correct: 1.2.3.4, 0x01020304, 128.8.1, 128.8 Sample translations: 1.2.3 becomes 1.2.3.0 0x01020304 becomes 1.2.3.4 0x010203 becomes 0.1.2.3
IP address (destination prefix) and prefix length
0xhex-bytes</length> octet<.octet<.octet.<octet>>></length >
Correct: 10/8, 128.8/16, 1.2.3.4/32, 1.2.3.4 Sample translations: 1.2.3 becomes 1.2.3.0/32 0x01020304 becomes 1.2.3.4/32 0x010203 becomes 0.1.2.3/32 default becomes 0.0.0.0/0
ISO address
hex-nibble<hex-nibble ...>
Correct: 47.1234.2345.3456.00, 47123423453456.00, 47.12.34.23.45.34.56.00 Sample translations: 47123456 becomes 47.1234.56 47.12.34.56 becomes 47.1234.56 4712.3456 becomes 47.1234.56
OSPF area identifier (ID)
0xhex-bytes octet<.octet<.octet.<octet >>> decimal-number
Correct: 54, 0.0.0.54, 0x01020304, 1.2.3.4 Sample translations: 54 becomes 0.0.0.54 257 becomes 0.0.1.1 128.8 becomes 128.8.0.0 0x010203 becomes 0.1.2.3
148
Chapter 13 Configuration Groups

This chapter discusses the following topics: ! Overview on page 149 ! Configuration Groups Configuration Statements on page 150 ! Configuration Groups Configuration Guidelines on page 150 ! Examples: Configuration Groups on page 157 ! Summary of Configuration Group Statements on page 165
Overview
Configuration groups allow you to create a group containing configuration statements and to direct the inheritance of that groups statements in the rest of the configuration. The same group can be applied to different sections of the configuration, and different sections of one groups configuration statements can be inherited in different places in the configuration. Configuration groups allow you to create smaller, more logically constructed configuration files, making it easier to configure and maintain the JUNOS software. For example, you can group statements that are repeated in many places in the configuration, such as when configuring interfaces, and thereby limit updates to just the group. You can also use wildcards in a configuration group to allow configuration data to be inherited by any object that matches a wildcard expression. The configuration group mechanism is separate from the grouping mechanisms used elsewhere in the configuration, such as BGP groups. Configuration groups provide a generic mechanism that can be used throughout the configuration but that are known only to the JUNOS CLI. The individual software processes that perform the actions directed by the configuration receive the expanded form of the configuration; they have no knowledge of configuration groups.
Inheritance Model
Configuration groups use true inheritance, which involves a dynamic, ongoing relationship between the source of the configuration data and the target of that data. Data values changed in the configuration group are automatically inherited by the target. The target need not contain the inherited information, although the inherited values can be overridden in the target without affecting the source from which they were inherited.
Configuration Groups
149
Configuration Groups Configuration Statements
This inheritance model allows you to see only the instance-specific information without seeing the inherited details. A command pipe in configuration mode allows you to display the inherited data.
Configuration Groups Configuration Statements

To configure configuration groups and inheritance, you can include the following statements in the configuration:
groups { group-name { configuration-data; } }
Include the apply-groups [ group-names ] statement anywhere in the configuration that the configuration statements contained in a configuration group are needed.
Configuration Groups Configuration Guidelines

For areas of your configuration to inherit configuration statements, you must first put the statements into a configuration group and then apply that group to the levels in the configuration hierarchy that require the statements. This section covers the following topics: ! Create a Configuration Group on page 150 ! Apply a Configuration Group on page 151 ! Display Inherited Values on page 153 ! Use Wildcards on page 153
Create a Configuration Group

To create a configuration group, include the groups statement at the [edit] hierarchy level:
groups { group-name { configuration-data; } }
group-name is the name of a configuration group. To configure multiple groups, specify more than one group-name. On routers that support multiple Routing Engines, you can also specify two special group names: ! re0Configuration statements applied to the Routing Engine in slot 0. ! re1Configuration statements applied to the Routing Engine in slot 1.
150
The configuration specified in group re0 is only applied if the current Routing Engine is in slot 0; likewise, the configuration specified in group re1 is only applied if the current Routing Engine is in slot 1. Therefore, both Routing Engines can use the same configuration file, each using only the configuration statements that apply to it. Each re0 or re1 group contains at a minimum the configuration for the hostname and the management interface (fxp0). If each Routing Engine uses a different management interface, the group also should contain the configuration for the backup router and static routes. configuration-data contains the configuration statements applied elsewhere in the configuration with the apply-groups statement, to have the target configuration inherit the statements in the group.
Apply a Configuration Group

To have a configuration inherit the statements in a configuration group, include the apply-groups statement:
apply-groups [ group-name ];
If you specify more than one group name, list them in order of inheritance priority. The configuration data in the first group takes priority over the data in subsequent groups. For routers that support multiple Routing Engines, you can specify re0 and re1 as group names. The configuration specified in group re0 is only applied if the current Routing Engine is in slot 0; likewise, the configuration specified in group re1 is only applied if the current Routing Engine is in slot 1. Therefore, both Routing Engines can use the same configuration file, each using only the configuration statements that apply to it. Each re0 or re1 group contains at a minimum the configuration for the hostname and the management interface (fxp0). If each Routing Engine uses a different management interface, the group also should contain the configuration for the backup router and static routes. You can include the apply-groups statement at any level of the configuration hierarchy, listing group names within each apply-groups statement in priority order. You can include only one apply-groups statement at each specific level of the configuration hierarchy. The apply-groups statement at a specific hierarchy level lists the configuration groups to be added to the containing statements list of configuration groups. Values specified at the specific hierarchy level override values inherited from the configuration group.
151
Groups listed in nested apply-groups statements take priority over groups in outer statements. In the following example, the BGP neighbor 10.0.0.1 inherits configuration data from group one first, then from groups two and three. Configuration data in group one overrides data in any other group. Data from group ten is used only if a statement is not contained in any other group.
apply-groups [ eight nine ten ]; protocols { apply-groups seven; bgp { apply-groups [ five six ]; group some-bgp-group { apply-groups four; neighbor 10.0.0.1 { apply-groups [ one two three ]; } } } }
Example: Configure and Apply Configuration Groups

In this example, the SNMP configuration is divided between the group basic and the normal configuration hierarchy. There are a number of advantages to placing the system-specific configuration (SNMP contact) into a configuration group and thus separating it from the normal configuration hierarchythe user can replace (using the load replace command) either section without discarding data from the other. In addition, setting a contact for a specific box is now possible because the group data would be hidden by the router-specific data.
[edit] groups { # "groups" is a top-level statement basic { # User defined group name snmp { # This group contains some snmp data contact "My Engineering Group"; community BasicAccess { authorization read-only; } } } } apply-groups basic; # Enable inheritance from group "basic" snmp { # Some normal (non-group) configuration location "West of Nowhere"; }
This configuration is equivalent to the following:

[edit] snmp { location "West of Nowhere"; contact "My Engineering Group"; community BasicAccess { authorization read-only; } }
152
Display Inherited Values

Configuration groups can add some confusion regarding the actual values used by the router, because configuration data can be inherited from configuration groups. To view the actual values used by the router, use the display inheritance command after the pipe in a show command. This command displays the inherited statements at the level at which they are inherited and the group from which they have been inherited.
[edit] user@host# show | display inheritance snmp { location "West of Nowhere"; ## ## My Engineering Group was inherited from group basic ## contact "My Engineering Group"; ## ## BasicAccess was inherited from group basic ## community BasicAccess { ## ## read-only was inherited from group basic ## authorization read-only; } }
To display the expanded configuration (the configuration, including the inherited statements) without the ## lines, use the except command after the pipe in a show command:
[edit] user@host# show | display inheritance | except ## snmp { location "West of Nowhere"; contact "My Engineering Group"; community BasicAccess { authorization read-only; } }
Use Wildcards
You can use wildcards to identify names and allow one statement to provide data for a variety of statements. For example, grouping the configuration of the sonet-options statement over all SONET/SDH interfaces or the dead interval for OSPF over all ATM interfaces simplifies configuration files and eases their maintenance. Wildcarding in normal configuration data is done in a style that is consistent with traditional UNIX shell name wildcarding. In this style of wildcarding, you can use the following metacharacters: ! Asterisk ( * )Matches any string of characters. ! Question mark ( ? )Matches any single character. ! Open bracket ( [ )Introduces a character class.
153
! Close bracket ( ] )Indicates the end of a character class. If the close bracket is missing, the open bracket matches a [ rather than introduces a character class. ! A character class matches any of the characters between the square brackets. Character classes must be enclosed in quotation marks ( ). ! Hyphen ( - )Specifies a range of characters. ! Exclamation point ( ! )The character class can be complemented by making an exclamation point the first character of the character class. To include a ] in a character class, make it the first character listed (after the !, if any). To include a minus sign, make it the first or last character listed. Wildcarding in configuration groups follows the same rules, but the wildcard pattern must be enclosed in angle brackets (<pattern>) to differentiate it from other wildcarding in the configuration file. For example:
[edit] groups { sonet-default { interfaces { <so-*> { sonet-options { payload-scrambler; rfc-2615; } } } } }
Wildcard expressions match (and provide configuration data for) existing statements in the configuration that match their expression only. In the example above, the expression <so-*> passes its sonet-options statement to any interface that matches the expression so-*. Angle brackets allow you to pass normal wildcarding through without modification. In all matching within the configuration, whether it is done with or without wildcards, the first item encountered in the configuration that matches is used. In the following example, data from the wildcarded BGP groups is inherited in the order in which the groups are listed. The preference value from <*a*> overrides the preference in <*b*>, just as the p value from <*c*> overrides the one from <*d*>. Data values from any of these groups override the data values from abcd.
[edit] user@host# show groups { one { protocols { bgp { group <*a*> { preference 1; } group <*b*> { preference 2; } group <*c*> { out-delay 3; }
154
group <*d*> { out-delay 4; } group abcd { preference 10; hold-time 10; out-delay 10; } } } } } protocols { bgp { group abcd { apply-groups one; } } } [edit] user@host# show | display inheritance protocols { bgp { group abcd { ## ## 1 was inherited from group one ## preference 1; ## ## 10 was inherited from group one ## hold-time 10; ## ## 3 was inherited from group one ## out-delay 3; } } }

155
Example: Use Wildcards

The following example demonstrates the use of wildcarding. The interface so-0/0/0 inherits data from the various SONET/SDH interface wildcard patterns in group one.
[edit] user@host# show groups { one { interfaces { <so-*> { sonet-options { rfc-2615; } } <so-0/*> { sonet-options { fcs 32; } } <so-*/0/*> { sonet-options { fcs 16; } } <so-*/*/0> { sonet-options { payload-scrambler; } } } } } apply-groups one; interfaces { so-0/0/0 { unit 0 { family inet { address 10.0.0.1/8; } } } }
156
Examples: Configuration Groups
[edit] user@host# show | display inheritance interfaces { so-0/0/0 { ## ## sonet-options was inherited from group one ## sonet-options { ## ## 32 was inherited from group one ## fcs 32; ## ## payload-scrambler was inherited from group one ## payload-scrambler; ## ## rfc-2615 was inherited from group one ## rfc-2615; } unit 0 { family inet { address 10.0.0.1/8; } } } }

The following examples illustrate ways to use configuration groups and inheritance: ! Configure Sets of Statements on page 157 ! Configure Interfaces on page 159 ! Configure Peer Entities on page 161 ! Establish Regional Configurations on page 163 ! Select Wildcard Names on page 164
Configure Sets of Statements

When sets of statements exist in configuration groups, all values are inherited. For example:
[edit] user@host# show groups { basic { snmp { interface so-1/1/1.0; } } }
157
apply-groups basic; snmp { interface so-0/0/0.0; } [edit] user@host# show | display inheritance snmp { ## ## so-1/1/1.0 was inherited from group basic ## interface [ so-0/0/0.0 so-1/1/1.0 ]; }
For sets that are not displayed within brackets, all values are also inherited. For example:
[edit] user@host# show groups { worldwide { system { name-server { 10.0.0.100; 10.0.0.200; } } } } apply-groups worldwide; system { name-server { 10.0.0.1; 10.0.0.2; } } [edit] user@host# show | display inheritance system { name-server { 10.0.0.1; 10.0.0.2; ## ## 10.0.0.100 was inherited from group worldwide ## 10.0.0.100; ## ## 10.0.0.200 was inherited from group worldwide ## 10.0.0.200; } }
158
Configure Interfaces
You can use configuration groups to separate the common interface media parameters from the interface-specific addressing information. The following example places configuration data for ATM interfaces into a group called atm-options:
[edit] user@host# show groups { atm-options { interfaces { <at-*> { atm-options { vpi 0 maximum-vcs 1024; } unit <*> { encapsulation atm-snap; point-to-point; family iso; } } } } } apply-groups atm-options; interfaces { at-0/0/0 { unit 100 { vci 0.100; family inet { address 10.0.0.100/30; } } unit 200 { vci 0.200; family inet { address 10.0.0.200/30; } } } } [edit] user@host# show | display inheritance interfaces { at-0/0/0 { ## ## "atm-options" was inherited from group "atm-options" ## atm-options { ## ## "1024" was inherited from group "atm-options" ## vpi 0 maximum-vcs 1024; } unit 100 { ## ## "atm-snap" was inherited from group "atm-options" ## encapsulation atm-snap; ## ## "point-to-point" was inherited from group "atm-options" ##
159
point-to-point; vci 0.100; family inet { address 10.0.0.100/30; } ## ## "iso" was inherited from group "atm-options" ## family iso; } unit 200 { ## ## "atm-snap" was inherited from group "atm-options" ## encapsulation atm-snap; ## ## "point-to-point" was inherited from group "atm-options" ## point-to-point; vci 0.200; family inet { address 10.0.0.200/30; } ## ## "iso" was inherited from group "atm-options" ## family iso; } } } [edit] user@host# show | display inheritance | except ## interfaces { at-0/0/0 { atm-options { vpi 0 maximum-vcs 1024; } unit 100 { encapsulation atm-snap; point-to-point; vci 0.100; family inet { address 10.0.0.100/30; } family iso; } unit 200 { encapsulation atm-snap; point-to-point; vci 0.200; family inet { address 10.0.0.200/30; } family iso; } } }
160
Configure Peer Entities

In this example, we create a group some-isp that contains configuration data relating to another ISP. We can then insert apply-group statements at any point to allow any location in the configuration hierarchy to inherit this data.
[edit] user@host# show groups { some-isp { interfaces { <ge-*> { gigether-options { flow-control; } } } protocols { bgp { group <*> { neighbor <*> { remove-private; } } } pim { interface <*> { version 1; } } } } } interfaces { ge-0/0/0 { apply-groups some-isp; unit 0 { family inet { address 10.0.0.1/24; } } } } protocols { bgp { group main { neighbor 10.254.0.1 { apply-groups some-isp; } } } pim { interface ge-0/0/0.0 { apply-groups some-isp; } } } [edit] user@host# show | display inheritance
161
interfaces { ge-0/0/0 { ## ## "gigether-options" was inherited from group "some-isp" ## gigether-options { ## ## "flow-control" was inherited from group "some-isp" ## flow-control; } unit 0 { family inet { address 10.0.0.1/24; } } } } protocols { bgp { group main { neighbor 10.254.0.1 { ## ## "remove-private" was inherited from group "some-isp" ## remove-private; } } } pim { interface ge-0/0/0.0 { ## ## "1" was inherited from group "some-isp" ## version 1; } } }
162
Establish Regional Configurations

In this example, one group is populated with configuration data that is standard throughout the company, while another group contains regional deviations from this standard.
[edit] user@host# show groups { standard { interfaces { <t3-*> { t3-options { compatibility-mode larscom subrate 10; idle-cycle-flag ones; } } } } northwest { interfaces { <t3-*> { t3-options { long-buildout; compatibility-mode kentrox; } } } } } apply-groups standard; interfaces { t3-0/0/0 { apply-groups northwest; } } [edit] user@host# show | display inheritance interfaces { t3-0/0/0 { ## ## "t3-options" was inherited from group "northwest" ## t3-options { ## ## "long-buildout" was inherited from group "northwest" ## long-buildout; ## ## "kentrox" was inherited from group "northwest" ## compatibility-mode kentrox; ## ## "ones" was inherited from group "standard" ## idle-cycle-flag ones; } } }
163
Select Wildcard Names

You can combine wildcarding and thoughtful use of names in statements to tailor statement values.
[edit] user@host# show groups { mpls-conf { protocols { mpls { label-switched-path <*-major> { retry-timer 5; bandwidth 155m; optimize-timer 60; } label-switched-path <*-minor> { retry-timer 15; bandwidth 64k; optimize-timer 120; } } } } } apply-groups mpls-conf; protocols { mpls { label-switched-path metro-major { to 10.0.0.10; } label-switched-path remote-minor { to 10.0.0.20; } } } [edit] user@host# show | display inheritance protocols { mpls { label-switched-path metro-major { to 10.0.0.10; ## ## "5" was inherited from group "mpls-conf" ## retry-timer 5; # ## "155m" was inherited from group "mpls-conf" ## bandwidth 155m; ## ## "60" was inherited from group "mpls-conf" ## optimize-timer 60; } label-switched-path remote-minor { to 10.0.0.20; ## ## "15" was inherited from group "mpls-conf" ## retry-timer 15; ##
164
Summary of Configuration Group Statements
## "64k" was inherited from group "mpls-conf" ## bandwidth 64k; ## ## "120" was inherited from group "mpls-conf" ## optimize-timer 120; } } }

The following sections explain each of the configuration group statements. The statements are organized alphabetically.
apply-groups
Syntax Hierarchy Level Description
apply-groups [ group-name ]; All hierarchy levels Apply a configuration group to a specific hierarchy level in a configuration, to have a configuration inherit the statements in the configuration group. You can specify more than one group name. You must list them in order of inheritance priority. The configuration data in the first group takes priority over the data in subsequent groups. For routers that support multiple Routing Engines, you can specify re0 and re1 as group names. The configuration specified in group re0 is applied only if the current Routing Engine is in slot 0; likewise, the configuration specified in group re1 is applied only if the current Routing Engine is in slot 1. Therefore, both Routing Engines can use the same configuration file, each using only the configuration statements that apply to it. Each re0 or re1 group contains at a minimum the configuration for the hostname and the management interface (fxp0). If each Routing Engine uses a different management interface, the group also should contain the configuration for the backup router and static routes. You can include the apply-groups statement at any level of the configuration hierarchy. You can include only one apply-groups statement at each specific level of the configuration hierarchy. The apply-groups statement at a specific hierarchy level lists the configuration groups to be added to the containing statements list of configuration groups.
Options Usage Guidelines Required Privilege Level
group-nameNames specified on the group statement. See Apply a Configuration Group on page 151. configureTo enter configuration mode; other required privilege levels depend on where the statement is located in the configuration hierarchy. groups on page 166
See Also
165
groups
Syntax
groups { group-name { configuration-data; } } [edit] Create a configuration group. configuration-dataThe configuration statements that are to be applied elsewhere in the configuration with the apply-groups statement, to have the target configuration inherit the statements in the group. group-nameName of the configuration group. To configure multiple groups, specify more than one group-name. On routers that support multiple Routing Engines, you can also specify two special group names: ! re0Configuration statements that are to be applied to the Routing Engine in slot 0. ! re1Configuration statements that are to be applied to the Routing Engine in slot 1. The configuration specified in group re0 is applied only if the current Routing Engine is in slot 0; likewise, the configuration specified in group re1 is applied only if the current Routing Engine is in slot 1. Therefore, both Routing Engines can use the same configuration file, each using only the configuration statements that apply to it. Each re0 or re1 group contains at a minimum the configuration for the hostname and the management interface (fxp0). If each Routing Engine uses a different management interface, the group also should contain the configuration for the backup router and static routes.
Hierarchy Level Description Options
Usage Guidelines Required Privilege Level See Also
See Create a Configuration Group on page 150. configureTo enter configuration mode. apply-groups on page 165
166
Chapter 14 Summary of CLI Environment Commands

The following sections explain each of the CLI environment commands. The commands are organized alphabetically.
set cli complete-on-space

Syntax Description Default Options
set cli complete-on-space (off | on); Configure the keys to use for command completion. When you type a space or tab, the CLI performs command completion. offAllow only a tab to be used for command completion. onAllow either a space or a tab to be used for command completion.
Sample Output
user@host> user@host> user@host> user@host> user@host>
set set set set
cli cli cli cli
com<Space> complete-on-space off com<Tab> complete-on-space on
Usage Guidelines Required Privilege Level
See Set Command Completion on page 100. view
set cli idle-timeout

Syntax Description
set cli idle-timeout <minutes> Set the maximum time that an individual session can be idle before the user is logged off the router. The session times out after remaining at the CLI operational mode prompt for the specified time. The session can time out while monitoring log files. If you do not issue this command, and the users login class does not specify this value, the user is never forced off the system after extended idle times. minutesMaximum idle time. Range: 0 through 100,000 minutes. Setting it to 0 disables the timeout.
Default
Options
Summary of CLI Environment Commands
167
set cli prompt
See Set the Idle Timeout on page 100. view idle-timeout on page 255
set cli prompt

Syntax Description Default Options Sample Output
set cli prompt string Set the prompt to display within the CLI. user@host> stringCLI prompt. To include spaces in the prompt, enclose the string in quotation marks.
user@host> set cli prompt "cli% " cli%
See Set the CLI Prompt on page 100. view
set cli restart-on-upgrade

Syntax Description
set cli restart-on-upgrade (off | on) For an individual session, set the CLI to prompt you to restart the router after upgrading the software. The CLI prompts you to restart, unless the screen length has been set to 0. offDisables the prompt. onEnables the prompt.
Default Options
See Set CLI to Prompt after a Software Upgrade on page 100. view
168
set cli screen-length
set cli screen-length

Syntax Description Options
set cli screen-length lines Set the number of lines of text that the screen can display. linesNumber of lines on the screen. Range: 0 through 100,000 Default: 24 lines
user@host> set cli screen-length 66 Screen length is set to 66 user@host>
Sample Output
See Set the Screen Length on page 99. view
set cli screen-width

set cli screen-width width Set the number of characters that the screen can display on a single line. widthNumber of columns on the screen. Range: 0 through 100,000 Default: 80 columns
user@host> set cli screen-width 40 Screen width set to 40 user@host>
Sample Output
See Set the CLI Prompt on page 100. view
set cli terminal

set cli terminal terminal-type Set the terminal type. terminal-typeType of terminal that is connected to the port. Values: ansi, vt100, small-xterm, xterm Default: The terminal type is unknown. See Set the Terminal Type on page 99. view
169
set date
set date
set date YYYYMMDDhhmm.ss Set the current date and time on the router. YYYYMMDDhhmm.ssDate and time to set. YYYY is the four-digit year, MM is the two-digit month, DD is the two-digit date, hh is the two-digit hour, mm is the two-digit minute, and ss is the two-digit second. At a minimum, you must specify the two-digit minute. All other parts of the date and time are optional. See Set the Current Date and Time on page 97. view ntp on page 260, time-zone on page 273
show cli
Syntax Description Sample Output
show cli Display information about how the CLI environment is configured.
user@host> show cli CLI screen length set to 60 CLI screen width set to 80 CLI complete-on-space set to on user@host>
See Display CLI Settings on page 101. view
170
show cli history
show cli history

Syntax Description
show cli history <count> List recent commands that you issued in the CLI and the time they were issued. If you issue the run show cli history command from configuration mode, the command lists the most recent configuration mode commands that you issued and the time they were issued.
Options
count(Optional) Number of recent commands to display. Range: 0 through 65,535 Default: 100
user@host> show cli history 12:33:39 -- configure 12:42:52 -- show cli history 12:43:02 -- show interfaces terse 12:43:14 -- show interfaces lo0 12:43:20 -- show bgp 12:43:28 -- show bgp next-hop-database 12:43:32 -- show cli history user@host> configure ... [edit] user@host# run show cli history 12:40:08 -- show 12:40:17 -- edit protocols 12:40:27 -- set isis 12:40:29 -- edit isis 12:40:40 -- run show cli history [edit protocols isis] user@host#
Sample Output
Usage Guidelines
See the sections Display CLI Command History on page 97 and Display Configuration Mode Command History on page 128. view
Required Privilege Level
171
show cli history
172
Chapter 15 Summary of CLI Configuration Mode Commands

The following sections explain each of the CLI configuration mode commands. The commands are organized alphabetically.
activate
Syntax Description
activate (statement | identifier ) Remove the inactive: tag from a statement, effectively adding the statement or identifier back to the configuration. Statements or identifiers that have been activated take effect when you next issue the commit command. identifierIdentifier from which you are removing the inactive tag. It must be an identifier at the current hierarchy level. statementStatement from which you are removing the inactive tag. It must be a statement at the current hierarchy level.
Options
See Deactivate and Reactivate Statements and Identifiers in a Configuration on page 136. configureTo enter configuration mode; other required privilege levels depend on where the statement is located in the configuration hierarchy. deactivate on page 175
See Also
annotate
Syntax Description
annotate statement "comment-string " Add comments to a configuration. You can add comments only at the current hierarchy level. Any comments you add appear only when you view the configuration by entering the show command in configuration mode or the show configuration command in operational mode.
Options
comment-stringText of the comment. You must enclose it in quotation marks. In the comment string, you can include the comment delimiters /* */ or #. If you do not specify any, the comment string is enclosed with the /* */ comment delimiters. If a comment for the specified statement already exists, it is deleted and replaced with the new comment. statementStatement to which you are attaching the comment.
Summary of CLI Configuration Mode Commands
173
commit
See Add Comments in a Configuration on page 137. configureTo enter configuration mode; other required privilege levels depend on where the statement is located in the configuration hierarchy. See the description statement in the JUNOS Internet Software Configuration Guide: Interfaces and Chassis.
See Also
commit
Syntax Description
commit <and-quit> <check> <confirmed <minutes>> Commit the set of changes back to the database and cause the changes to take operational effect. and-quit(Optional) Commit the configuration and, if the configuration contains no errors and the commit succeeds, exit from configuration mode. check(Optional) Verify the syntax of the configuration, but do not activate it. confirmed <minutes>(Optional) Require that the commit be confirmed within the specified amount of time. To confirm a commit, enter either a commit or commit check command. If the commit is not confirmed within the time limit, the configuration rolls back automatically to the precommit configuration. Range: 1 through 65,535 minutes Default: 10 minutes
Options
Usage Guidelines
See the sections Verify a Configuration on page 128 and Commit a Configuration on page 128. configureTo enter configuration mode.
copy
copy existing-statement to new-statement Make a copy of an existing statement in the configuration. existing-statementStatement to copy. new-statementCopy of the statement.
See Copy a Statement in the Configuration on page 123. configureTo enter configuration mode; other required privilege levels depend on where the statement is located in the configuration hierarchy.
174
deactivate
deactivate
Syntax Description
deactivate (statement | identifier ) Add the inactive: tag to a statement, effectively commenting out the statement or identifier from the configuration. Statements or identifiers marked as inactive do not take effect when you issue the commit command. identifierIdentifier to which you are adding the inactive: tag. It must be an identifier at the current hierarchy level. statementStatement to which you are adding the inactive: tag. It must be a statement at the current hierarchy level.
Options
See Deactivate and Reactivate Statements and Identifiers in a Configuration on page 136. configureTo enter configuration mode; other required privilege levels depend on where the statement is located in the configuration hierarchy. activate on page 173, delete on page 175
See Also
delete
Syntax Description
delete <statement-path> <identifier > Delete a statement or identifier. All subordinate statements and identifiers contained within the specified statement path are deleted with it. Deleting a statement or an identifier effectively unconfigures or disables the functionality associated with that statement or identifier. If you do not specify statement-path or identifier, the entire hierarchy starting at the current hierarchy level is removed.
Options
statement-path(Optional) Path to an existing statement or identifier. Include this if the statement or identifier to be deleted is not at the current hierarchy level. identifier(Optional) Name of the statement or identifier to delete.
See Remove a Statement from the Configuration on page 122. configureTo enter configuration mode; other required privilege levels depend on where the statement is located in the configuration hierarchy. deactivate on page 175
See Also
175
edit
edit
Syntax Description
edit statement-path Move inside the specified statement hierarchy. If the statement does not exist, it is created. You cannot use the edit command to change the value of identifiers. You must use the set command.
statement-pathPath to the statement. See Create and Modify the Configuration on page 114. configureTo enter configuration mode; other required privilege levels depend on where the statement is located in the configuration hierarchy. set on page 180
See Also
exit
Syntax Description
exit <configuration-mode> Exit the current level of the statement hierarchy, returning to the level prior to the last edit command, or exit from configuration mode. The quit and exit commands are synonyms. noneReturn to the previous edit level. If you are at the top of the statement hierarchy, exit configuration mode. configuration-mode(Optional) Exit from configuration mode.
Options
See Move among Levels of the Hierarchy on page 117. configureTo enter configuration mode; other required privilege levels depend on where the statement is located in the configuration hierarchy. top on page 181, up on page 182
See Also
help
help (apropos | topic | reference) <string > Display help about available configuration statements. aproposDisplay all hierarchy levels containing the statement. referenceDisplay summary information for the statement. stringString or regular expression matching configuration statements for which you need help. topic(Optional) Display usage guidelines for the statement.
See Get Help Based on a String in a Statement Name on page 113. configureTo enter configuration mode.
176
insert
insert
insert <statement-path> identifier1 (before | after) identifier2 Insert an identifier into an existing hierarchy. afterPlace identifier1 after identifier2. beforePlace identifier1 before identifier2. identifier1Existing identifier. identifier2New identifier to insert. statement-path(Optional) Path to the existing identifier.
See Insert a New Identifier on page 125. configureTo enter configuration mode; other required privilege levels depend on where the statement is located in the configuration hierarchy.
load
Syntax Description
load (replace | merge | override) (filename | terminal) Load a configuration from an ASCII configuration file or from terminal input. Your current location in the configuration hierarchy is ignored when the load operation occurs. filenameName of the file to load. For information about specifying the filename, see How to Specify Filenames and URLs on page 192. mergeCombine the configuration that is currently shown in the CLI and the configuration in filename. overrideDiscard the entire configuration that is currently shown in the CLI and load the entire configuration in filename. replaceLook for a replace: tag in filename, delete the existing statement of the same name, and replace it with the configuration in filename. terminalUse the text you type at the terminal as input to the configuration. Type Ctrl-D to end terminal input.
Options
See Load a Configuration on page 131. configureTo enter configuration mode; other required privilege levels depend on where the statement is located in the configuration hierarchy.
177
quit
quit
Syntax Description
quit <configuration-mode> Exit the current level of the statement hierarchy, returning to the level prior to the last edit command, or exit from configuration mode. The quit and exit commands are synonyms. noneReturn to the previous edit level. If you are at the top of the statement hierarchy, exit configuration mode. configuration-mode(Optional) Exit from configuration mode.
Options
See Move among Levels of the Hierarchy on page 117. configureTo enter configuration mode; other required privilege levels depend on where the statement is located in the configuration hierarchy. top on page 181, up on page 182
See Also
rename
rename <statement-path> identifier1 to identifier2 Rename an existing configuration statement or identifier. identifier1Existing identifier to rename. identifier2New name of identifier. statement-path(Optional) Path to an existing statement or identifier.
See Rename an Identifier on page 124. configureTo enter configuration mode; other required privilege levels depend on where the statement is located in the configuration hierarchy.
rollback
Syntax Description
rollback <number> Return to a previously committed configuration. The software saves the last ten committed configurations, including the rollback number, date, time, and name of user who issued the commit configuration command. The currently operational JUNOS software configuration is stored in the file juniper.conf, and the last three committed configurations are stored in the files juniper.conf.1, juniper.conf.2, and juniper.conf.3. These four files are located in the directory /config, which is on the routers flash drive. The remaining six previous committed configurations, the files juniper.conf.4 through juniper.conf.9, are stored in the directory /var/db/config, which is on the routers hard disk.
178
run
Options
noneReturn to the most recently saved configuration. numberConfiguration to return to. Range: 0 through 9. The most recently saved configuration is number 0, and the oldest saved configuration is number 9. Default: 0
See Return to a Previously Committed Configuration on page 134. rollbackTo roll back to configurations other than the most recently committed one.
run
Syntax Description Options Usage Guidelines Required Privilege Level
run command Run a top-level CLI command without exiting from configuration mode. commandCLI top-level command. See Run an Operational Mode CLI Command from Configuration Mode on page 127. configureTo enter configuration mode.
save
Syntax Description
save filename Save the configuration to an ASCII file. The contents of the current level of the statement hierarchy (and below) are saved, along with the statement hierarchy containing it. This allows a section of the configuration to be saved, while fully specifying the statement hierarchy. When saving a file to a remote system, the software uses the scp/ssh protocol.
Options
filenameName of the saved file. You can specify a filename in one of the following ways: ! filenameFile in the users home directory (the current directory) on the local flash disk. ! path/filenameFile on the local flash disk. ! /var/filename or /var/path/filenameFile on the local hard disk. ! a:filename or a:path/filenameFile on the local drive. The default path is / (the root-level directory). The removable media can be in MS-DOS or UNIX (UFS) format. ! hostname:/path/filename, hostname:filename, hostname:path/filename, or scp://hostname/path/filenameFile on an scp/ssh client. This form is not available in the worldwide version of the JUNOS software. The default path is the users home directory on the remote system. You can also specify hostname as username@hostname.
179
set
! ftp://hostname/path/filenameFile on an FTP server. You can also specify hostname as username@hostname or username :password@hostname. The default path is the users home directory. To specify an absolute path, the path must start with%2F; for example, ftp://hostname/%2Fpath/filename. To have the system prompt you for the password, specify prompt in place of the password. If a password is required, and you do not specify the password or prompt, an error message is displayed:
user@host > file copy ftp://[email protected]//filename file copy ftp.hostname.net: Not logged in. user@host > file copy ftp://username:[email protected]//filename Password for [email protected]:
! http://hostname/path/filenameFile on an HTTP server. You can also specify hostname as username@hostname or username :password@hostname. If a password is required and you omit it, you are prompted for it. ! re0:/path/filename or re1:/path/filenameFile on a local Routing Engine.
See Save a Configuration to a File on page 131. configureTo enter configuration mode.
set
Syntax Description
set <statement-path> identifier Create a statement hierarchy and set identifier values. This is similar to edit except that your current level in the hierarchy does not change. identifierName of the statement or identifier to set. statement-path(Optional) Path to an existing statement hierarchy level. If that hierarchy level does not exist, it is created.
Options
See Create and Modify the Configuration on page 114. configureTo enter configuration mode; other required privilege levels depend on where the statement is located in the configuration hierarchy. edit on page 176
See Also
180
show
show
show <statement-path> <identifier> Display the current configuration. noneDisplay the entire configuration at the current hierarchy level. identifier(Optional) Display the configuration for the specified identifier. statement-path(Optional) Display the configuration for the specified statement hierarchy path.
See Display the Current Configuration on page 120. configureTo enter configuration mode; other required privilege levels depend on where the statement is located in the configuration hierarchy.
status
Syntax Description Usage Guidelines Required Privilege Level
status Display the users currently editing the configuration. See Display Users Currently Editing the Configuration on page 121. configureTo enter configuration mode.
top
Syntax Description
top Return to the top level of configuration command mode, which is indicated by the [edit] banner. See Move among Levels of the Hierarchy on page 117. configureTo enter configuration mode. exit on page 176, up on page 182
181
up
up
up <number> Move up one level in the statement hierarchy. noneMove up one level in the configuration hierarchy. number(Optional) Move up the specified number of levels in the configuration hierarchy.
See Move among Levels of the Hierarchy on page 117. configureTo enter configuration mode. exit on page 176, top on page 181
182
Chapter 16 Summary of CLI Operational Mode Commands

The following sections explain each of the CLI operational mode commands. The commands are organized alphabetically.
clear
Syntax
clear (arp | bgp | chassis | firewall | igmp | interfaces | isis | ldp | log | mpls | msdp | multicast | ospf | pim | rip | route | rsvp | snmp | system | vrrp) Clear statistics and protocol database information. The various clear commands are discussed in the JUNOS Internet Software Operational Mode Command Reference. clear
Description Usage Guidelines
configure
configure | configure exclusive Enter configuration mode. See Enter Configuration Mode on page 107. configure
file
file (copy | delete | list | rename | show) Copy files to and from the router. See the JUNOS Internet Software Operational Mode Command Reference. maintenance
Summary of CLI Operational Mode Commands
183
monitor
monitor
monitor (start | stop | interface | list | traffic) Monitor a log file or interface traffic in real time. See the JUNOS Internet Software Operational Mode Command Reference. Depends on the specific command.
ping
ping Check the reachability of network hosts. See the JUNOS Internet Software Operational Mode Command Reference. network
| (pipe)
Syntax
| (compare | count | display <detail | inheritance | xml> | except pattern | find pattern | hold | match pattern | no-more | resolve <full-names> | save filename | trim columns) Filter the output of an operational mode or a configuration mode command. compare (filename | rollback n )(Configuration mode only, with the show command only) Compare configuration changes with another configuration file. countDisplay the number of lines in the output. displayDisplay additional information about the contents of the configuration. ! detail(Configuration mode only) Display configuration data detail. ! inheritance(Configuration mode only) Display inherited configuration data and source group. ! xml(Operational mode only) Display XML content of the command. except patternIgnore text matching a regular expression when searching the output. If the regular expression contains spaces, operators, or wildcard characters, enclose it in quotation marks. find patternDisplay the output starting at the first occurrence of text matching a regular expression. If the regular expression contains spaces, operators, or wildcard characters, enclose it in quotation marks. holdHold text without exiting the --More-- prompt. match patternSearch for text matching a regular expression. If the regular expression contains spaces, operators, or wildcard characters, enclose it in quotation marks. no-moreDisplay output all at once rather than one screen at a time.
Description Options
184
quit
resolveConvert IP addresses into DNS names. Truncates to fit original size unless full-names specified. To prevent the names from being truncated, use the full-name option. save filenameSave the output to a file or URL. For information about specifying the filename, see How to Specify Filenames and URLs on page 192. trim columnsTrim specified number of columns from the start line.
Usage Guidelines
See Filter Command Output on page 88.
quit
Syntax Description Required Privilege Level See Also
quit Exit from the CLI to a UNIX shell. shell and maintenance start on page 186
request
request system (reboot | halt | software | snapshot) Stop or reboot the router, load software packages, and back up the routers file systems. See the JUNOS Internet Software Operational Mode Command Reference. maintenance
restart
restart (fpc | interface-control | mib-process | routing | sampling | sfm | snmp | soft) Restart router software processes. See the JUNOS Internet Software Operational Mode Command Reference. reset
set
Syntax Description Usage Guidelines
set (chassis | cli | date) Configure chassis and CLI properties and the routers date and time. See Control the CLI Environment on page 99 and Set the Current Date and Time on page 97. For information about setting chassis properties, see the JUNOS Internet Software Operational Mode Command Reference. view
185
show
show
Syntax
show (aps | arp | as-path | bgp | chassis | cli | configuration | connections | dvmrp | firewall | host | igmp | interfaces | isis | ldp | log | mpls | msdpl | multicast | ntp | ospf | pfe | pim | policy | ripl | route | rsvp | sap | snmp | system | task | ted | version | vrrp) Show information about all aspects of the software, including interfaces and the routing protocols. The various show commands are discussed in the JUNOS Internet Software Operational Mode Command Reference. Depends on the specific command.
Description
Usage Guidelines
ssh
ssh Open a secure shell to another host. See the JUNOS Internet Software Operational Mode Command Reference. network
start
start shell Start a UNIX shell on the router. See the JUNOS Internet Software Operational Mode Command Reference. shell and maintenance
telnet
telnet Establish a Telnet session to another host. See the JUNOS Internet Software Operational Mode Command Reference. network
186
test
test
Syntax Description Usage Guidelines
test (configuration | interface | msdp | policy) Run various diagnostic debugging commands. The various test commands are discussed in the JUNOS Internet Software Operational Mode Command Reference. Depends on the specific command.
traceroute
traceroute Trace the route to a remote host. See the JUNOS Internet Software Operational Mode Command Reference. network
187
traceroute
188

! System Management Overview on page 191 ! System Management Configuration Statements on page 197 ! Configure Basic System Management on page 201 ! Configure System Authentication on page 209 ! Configure User Access on page 215 ! Configure Time on page 223 ! Configure System Logging on page 229 ! Configure Miscellaneous System Management on page 235 ! Summary of System Management Configuration Statements on page 243
189
190
Chapter 17 System Management Overview

The JUNOS software provides a variety of parameters that allow you to configure system management functions, including the routers host name, address, and domain name; the addresses of DNS servers; user login accounts, including user authentication and the root-level user account; time zones and Network Time Protocol (NTP) properties; and properties of the routers auxiliary and console ports. This chapter discusses the following topics, which provide background information related to configuring system management: ! How to Specify IP Addresses, Network Masks, and Prefixes on page 191 ! How to Specify Filenames and URLs on page 192 ! Directories on the Router on page 193 ! Tracing and Logging Operations on page 193 ! Protocol Authentication on page 194 ! User Authentication on page 195
How to Specify IP Addresses, Network Masks, and Prefixes

Many statements in the JUNOS software configuration include an option to specify an IP address or route prefix. In this manual, this option is represented in one of the following ways: ! network/prefix-lengthNetwork portion of the IP address, followed by a slash and the destination prefix length (previously called the subnet mask). For example, 10.0.0.1/8. ! networkIP address. An example is 10.0.0.2. ! destination-prefix/prefix-lengthRoute prefix, followed by a slash and the destination prefix length. For example, 192.168.1.10/32. You enter all IP addresses in classless mode. You can enter the IP address with or without a prefix length, in standard dotted notation (for example, 1.2.3.4), or hexadecimal notation as a 32-bit number in network-byte order (for example, 0x01020304). If you omit any octets, they are assumed to be zero. Specify the prefix length as a decimal number in the range 1 through 32.
System Management Overview
191
How to Specify Filenames and URLs
How to Specify Filenames and URLs

In some CLI commands and configuration statementsincluding file copy, load, save, set system login user user-name authentication load-key-file, and request system software addyou can include a filename. You can specify a filename or URL in one of the following ways: ! filenameFile in the users home directory (the current directory) on the local flash disk. ! path/filenameFile on the local flash disk. ! /var/filename or /var/path/filenameFile on the local hard disk. ! a:filename or a:path/filenameFile on the local drive. The default path is / (the root-level directory). The removable media can be in MS-DOS or UNIX (UFS) format. ! hostname:/path/filename, hostname:filename, hostname:path/filename, or scp://hostname/path/filenameFile on an scp/ssh client. This form is not available in the worldwide version of the JUNOS software. The default path is the users home directory on the remote system. You can also specify hostname as username@hostname. ! ftp://hostname/path/filenameFile on an FTP server. You can also specify hostname as username@hostname or username :password@hostname. The default path is the users home directory. To specify an absolute path, the path must start with%2F; for example, ftp://hostname/%2Fpath/filename. To have the system prompt you for the password, specify prompt in place of the password. If a password is required, and you do not specify the password or prompt, an error message is displayed:
user@host > file copy ftp://[email protected]//filename file copy ftp.hostname.net: Not logged in. user@host > file copy ftp://username:[email protected]//filename Password for [email protected]:
! http://hostname/path/filenameFile on an HTTP server. You can also specify hostname as username@hostname or username :password@hostname. If a password is required and you omit it, you are prompted for it. ! re0:/path/filename or re1:/path/filenameFile on a local Routing Engine.
192
Directories on the Router
Directories on the Router

JUNOS software files are stored in the following directories on the router: ! /configThis directory is located on the primary boot device, that is, on the drive from which the router booted (generally the flash disk, device wd0). This directory contains the current operational router configuration and the last three committed configurations, in the files juniper.conf, juniper.conf.1, juniper.conf.2, and juniper.conf.3, respectively. ! /varThis directory is always located on the hard disk (device wd2). It contains the following subdirectories:
!
/var/homeContains users home directories, which are created when you create user access accounts. For users using secure shell (SSH) authentication, their .ssh file, which contains their SSH key, is placed in their home directory. When a user saves or loads a configuration file, that file is loaded from their home directory unless the user specifies a full path name. /var/db/configUp to six additional previous versions of committed configurations, which are stored in the files juniper.conf.4 through juniper.conf.9. /var/logContains system log and tracing files. /var/tmpContains core files. The software saves the current core file (0) and the four previous core files, which are numbered 1 through 4 (from newest to oldest).
! !
! /altrootWhen you back up the currently running and active file system partitions on the router to standby partitions using the request system snapshot command, the root file system (/) is backed up to /altroot. Normally, the root directory is on the flash disk and /altroot is on the hard drive. ! /altconfigWhen you back up the currently running and active file system partitions on the router to standby partitions using the request system snapshot command, the /config directory is backed up to /altconfig. Normally, the /config directory is on the flash disk and /altconfig is on the hard drive. Each router ships with removable media (device wfd0) that contains a backup copy of the JUNOS software.
Tracing and Logging Operations

Tracing and logging operations allow you to track events that occur in the routerboth normal router operations and error conditionsand to track the packets that are generated by or passed through the router. The results of tracing and logging operations are placed in files in the /var/log directory on the router. Logging operations use a UNIX syslog mechanism to record systemwide, high-level operations, such as interfaces going up or down and users logging into or out of the router. You configure these operations by using the syslog statement at the [edit system] hierarchy level as described in Configure System Logging on page 229 and by using the options statement at the [edit routing-options] hierarchy level as described in the JUNOS Internet Software Configuration Guide: Routing and Routing Protocols.
193
Protocol Authentication
Tracing operations record more detailed messages about the operation of routing protocols, such as the various types of routing protocol packets sent and received, and routing policy actions. You configure tracing operations using the traceoptions statement. You can define tracing operations in different portions of the router configuration: ! Global tracing operationsDefine tracing for all routing protocols. You define these tracing operations at the [edit routing-options] hierarchy level of the configuration. For more information, see the JUNOS Internet Software Configuration Guide: Routing and Routing Protocols. ! Protocol-specific tracing operationsDefine tracing for a specific routing protocol. You define these tracing operations in the [edit protocol] hierarchy when configuring the individual routing protocol. Protocol-specific tracing operations override any equivalent operations that you specify in the global traceoptions statement. If there are no equivalent operations, they supplement the global tracing options. If you do not specify any protocol-specific tracing, the routing protocol inherits all the global tracing operations. ! Tracing operations within individual routing protocol entitiesSome protocols allow you to define more granular tracing operations. For example, in BGP, you can configure peer-specific tracing operations. These operations override any equivalent BGP-wide operations or, if there are no equivalents, supplement them. If you do not specify any peer-specific tracing operations, the peers inherit, first, all the BGP-wide tracing operations and, second, the global tracing operations. ! Interface tracing operationsDefine tracing for individual router interfaces and for the interface process itself. You define these tracing operations at the [edit interfaces] hierarchy level of the configuration as described in the JUNOS Internet Software Configuration Guide: Interfaces and Chassis.
Protocol Authentication
Some IGPs (IS-IS, OSPF, and RIP) and RSVP allow you to configure an authentication method and password. Neighboring routers use the password to verify the authenticity of packets sent by the protocol from the router or from a router interface. The following authentication methods are supported: ! Simple authentication (IS-IS, OSPF, and RIP)Uses a simple text password. The receiving router uses an authentication key (password) to verify the packet. Because the password is included in the transmitted packet, this method of authentication is relatively insecure. We recommend that you not use this authentication method. ! MD5 and HMAC-MD5 (IS-IS, OSPF, RIP, and RSVP)MD5 creates an encoded checksum that is included in the transmitted packet. HMAC-MD5, which combines HMAC authentication with MD5, adds the use of an iterated cryptographic hash function. With both types of authentication, the receiving router uses an authentication key (password) to verify the packet. HMAC-MD5 authentication is defined in RFC 2104, HMAC: Keyed-Hashing for Message Authentication. In general, authentication passwords are text strings consisting of a maximum of 16 or 255 letters and digits. Characters can include any ASCII strings. If you include spaces in a password, enclose all characters in quotation marks ( ).
194
User Authentication
User Authentication
The JUNOS software supports three methods of user authentication: local password authentication, Remote Authentication Dial-In User Service (RADIUS), and Terminal Access Controller Access Control System Plus (TACACS+). With local password authentication, you configure a password for each user allowed to log into the router. RADIUS and TACACS+ are authentication methods for validating users who attempt to access the router using Telnet. They are both distributed client-server systemsthe RADIUS and TACACS+ clients run on the router, and the server runs on a remote network system. For TACACS+, the JUNOS software supports authentication but does not support authorization. You can configure the router to be both a RADIUS and TACACS+ client, and you can also configure authentication passwords in the JUNOS configuration file. You can prioritize the methods to configure the order in which the software tries the different authentication methods when verifying user access.
195
User Authentication
196
Chapter 18 System Management Configuration Statements

To configure system management, you can include the following statements in the configuration:
system { authentication-order [ authentication-methods ]; backup-router address <destination destination-address>; compress-configuration-files; default-address-selection; dhcp-relay { disable; maximum-hop-count; minimum-wait-time seconds; server [ address ]; } diag-port-authentication (encrypted-password password | plain-text-password); domain-name domain-name ; domain-search [ domain-list ]; host-name host-name ; location { altitude feet ; country-code code ; hcoord horizontal-coordinate ; lata service-area ; latitude degrees ; longitude degrees ; npa-nxx number ; postal-code postal-code ; vcoord vertical-coordinate ; } login { message text ; class class-name { allow-commands "regular-expression"; deny-commands "regular-expression "; idle-timeout minutes ; permissions [ permissions ]; } user user-name { full-name complete-name ; uid uid-value ; class class-name ; authentication { (encrypted-password password | plain-text-password); ssh-rsa public-key; } } }
System Management Configuration Statements
197
mirror-flash-on-disk; name-server { address ; } no-redirects; ntp { authentication-key key-number type type value password ; boot-server address ; broadcast <address> <key key-number> <version value> <ttl value>; broadcast-client; multicast-client <address>; peer address <key key-number> <version value> <prefer>; server address <key key-number> <version value> <prefer>; trusted-key [ key-numbers ]; } ports { auxiliary { insecure; speed baud-rate ; type terminal-type ; } console { insecure; speed baud-rate ; type terminal-type ; } } processes { inet-process (enable | disable) failover (alternate-media | other-routing-engine); interface-control (enable | disable) failover (alternate-media | other-routing-engine); mib-process (enable | disable) failover (alternate-media | other-routing-engine); ntp (enable | disable) failover (alternate-media | other-routing-engine); routing (enable | disable) failover (alternate-media | other-routing-engine); snmp (enable | disable) failover (alternate-media | other-routing-engine); watchdog (enable | disable) failover (alternate-media | other-routing-engine) timeout seconds ; } radius-server server-address { port number ; retry number ; secret password ; timeout seconds ; } root-authentication { (encrypted-password password | plain-text-password); ssh-rsa public-key; } services { finger <connection-limit limit> <rate-limit limit>; ssh <connection-limit limit> <rate-limit limit>; telnet <connection-limit limit> <rate-limit limit>; } static-host-mapping { host-name { inet [ address ]; sysid system-identifier ; alias [ alias ]; } }
198
syslog { file filename { facility level ; archive { files number ; size size ; (world-readable | no-world-readable); } } host hostname { facility level ; facility-override facility; log-prefix string; } user (username | *) { facility level ; } console { facility level ; } archive { files number ; size size ; (world-readable | no-world-readable); } } tacplus-server server-address { secret password ; single-connection; timeout seconds ; } time-zone time-zone ; }

System Management Configuration Statements
199
200
Chapter 19 Configure Basic System Management

This chapter discusses the following topics: ! Configure the Routers Name and Addresses on page 201 ! Configure the Routers Domain Name on page 203 ! Configure Which Domains to Search on page 204 ! Configure a DNS Name Server on page 204 ! Configure a Backup Router on page 205 ! Configure Flash Disk Mirroring on page 205 ! Configure the System Location on page 206 ! Configure the Root Password on page 206 ! Compress the Current Configuration File on page 208
Configure the Routers Name and Addresses

For the router, you can do the following: ! Configure the Routers Name on page 201 ! Map the Routers Name to IP Addresses on page 202 ! Configure an ISO Sysid on page 202
Configure the Routers Name

To configure the routers name, include the host-name statement at the [edit system] hierarchy level:
[edit system] host-name host-name ;
Configure Basic System Management
201
Configure the Routers Name and Addresses
Map the Routers Name to IP Addresses

To map a routers host name to one or more IP addresses, include the inet statement at the [edit system static-host-mapping host-name ] hierarchy level:
[edit system] static-host-mapping { host-name { inet [ address ]; alias [ alias ]; } }
The host-name is the name you specified in the host-name statement. For each host, you can specify one or more aliases.
Configure an ISO Sysid

For IS-IS to operate on the router, you must configure a system identifier (sysid). The sysid is commonly the Media Access Control (MAC) address or the IP address expressed in binary-coded decimal (BCD). For more information, see the JUNOS Internet Software Configuration Guide: Routing and Routing Protocols. To configure an ISO sysid, include the sysid statement at the [edit system static-host-mapping host-name ] hierarchy level:
[edit system] static-host-mapping { host-name { sysid system-identifier ; } }
The host-name is the name you specified in the host-name statement. system-identifier is the ISO sysid. It is the 6-byte sysid portion of the IS-IS NSAP. We recommend that you use the hosts IP address represented in binary-coded decimal (BCD) format. For example, the IP address 192.168.1.77 would be 1921.6800.1077 in BCD.
202
Configure the Routers Domain Name
Example: Configure a Routers Name, IP Address, and Sysid

Configure the routers name, map the name to an IP address and alias, and configure a sysid:
[edit] user@host# set system host-name router-sj1 [edit] user@host# set system static-host-mapping router-sj1 inet 192.168.1.77 [edit] user@host# set system static-host-mapping router-sj1 alias sj1 [edit] user@host# set system static-host-mapping router-sj1 sysid 1921.6800.1077 [edit] user@host# show system { host-name router-sj1; static-host-mapping { router-sj1 { inet 192.168.1.77; alias sj1; sysid 1921.6800.1077; } } }
Configure the Routers Domain Name

For each router, you should configure the name of the domain in which the router is located. This is the default domain name that is appended to host names that are not fully qualified. To configure the domain name, include the domain-name statement at the [edit system] hierarchy level:
[edit system] domain-name domain-name ;
Example: Configure the Routers Domain Name

Configure the routers domain name:
[edit] user@host# set system domain-name company.net [edit] user@host# show system { domain-name company.net; }
203
Configure Which Domains to Search
Configure Which Domains to Search

If your router is included in several different domains, you can configure those domain names to be searched. To configure more than one domain to be searched, include the domain-search statement at the [edit system] hierarchy level:
[edit system] domain-search [ domain-list ];
The domain list can contain up to six domain names, with a total of up to 256 characters.
Example: Configure Which Domains to Search

Configure two domains to be searched:
[edit system] domain-search [domainone.net domainonealternate.com]
Configure a DNS Name Server

To have the router resolve host names into addresses, you must configure one or more DNS name servers by including the name-server statement at the [edit system] hierarchy level:
[edit system] name-server { address ; }
Example: Configure a DNS Name Server

Configure two DNS name servers:
[edit] user@host# set system name-server 192.168.1.253 [edit] user@host# set system name-server 192.168.1.254 [edit] user@host# show system { name server { 192.168.1.253; 192.168.1.254; } }
204
Configure a Backup Router
Configure a Backup Router

During the time that the router is booting, the routing protocol process (RPD) is not running; therefore, the router has no static or default routes. To allow the router to boot and to ensure that the router is reachable over the network if the routing protocol process fails to start properly, you configure a backup router, which is a router that is directly connected to the local router (that is, on the same subnet). To configure a backup router, include the backup-router statement at the [edit system] hierarchy level:
[edit system] backup-router address <destination destination-address>;
By default, all hosts (default route) are reachable through the backup router. To eliminate the risk of installing a default route in the forwarding table, include the destination option, specifying an address that is reachable through the backup router. Specify the address in the format network/mask-length so that the entire network is reachable through the backup router. When the routing protocols start, the address of the backup router is removed from the local routing and forwarding tables. To have the address remain in these tables, configure a static route for that address by including the static statement at the [edit routing-options] hierarchy level.
Example: Configure a Backup Router

Configure a backup router and have its address remain in the routing and forwarding tables:
[edit] system { backup-router 192.168.1.254 destination 208.197.1.0/24; } routing-options { static { route 208.197.1.0/24 { gateway 192.168.1.254; retain; } } }
Configure Flash Disk Mirroring

You can direct the hard drive to automatically mirror the contents of the compact flash. When you issue the mirror-flash-on-disk statement, the hard drive maintains a synchronized mirror copy of the compact-flash contents. Data written to the compact flash is simultaneously updated in the mirrored copy of the hard drive. If the flash drive fails to read data, the hard drive automatically retrieves its mirrored copy of the flash disk.
205
Configure the System Location
We recommend that you disable flash disk mirroring when you updgrade or downgrade the router. You cannot issue the request system snapshot command when you enable flash disk mirroring. To configure the mirroring of the compact flash to the hard disk, include the mirror-flash-on-disk statement at the [edit system] hierarchy level:
[edit system] mirror-flash-on-disk
After you have enabled or disabled the mirror-flash-on-disk statement, you must reboot the router for your changes to take effect. To reboot, issue the request system reboot command.
Configure the System Location

To configure the physical location of the system, include the location statement at the [edit system] hierarchy level:
[edit system] location { altitude feet ; country-code code ; hcoord horizontal-coordinate ; lata service-area ; latitude degrees ; longitude degrees ; npa-nxx number ; postal-code postal-code ; vcoord vertical-coordinate ; }
Configure the Root Password

The JUNOS software is preinstalled on the router. When the router is powered on, it is ready to be configured. Initially, you log into the router as the user root with no password. After you log in, you should configure the root (superuser) password by including the root-authentication statement at the [edit system] hierarchy level:
[edit system] root-authentication { (encrypted-password "password"| plain-text-password); ssh-rsa "public-key"; ssh-dsa "public-key"; }
If you configure the plain-text-password option, you are prompted to enter and confirm the password:
206
Configure the Root Password
[edit system] user@host# set root-authentication plain-text-password New password: type password here Retype new password: retype password here
To load an ssh key file, enter the load-key-file command. This command loads RSA (ssh version 1) and DSA (ssh version 2) public keys. You can also configure a user to use ssh-rsa and ssh-dsa keys. If you load the ssh keys file, the contents of the file are copied into the configuration immediately after you enter the load-key-file statement. To view the ssh keys entries, use the configuration mode show command. For example:
[edit system] user@host# set root-authentication load-key-file my-host:.ssh/identity.pub .file.19692 | 0 KB | 0.3 kB/s | ETA: 00:00:00 | 100% [edit system] user@host# show root-authentication { ssh-rsa "1024 35 972763820408425105546822675724986424163032220740496252839 03820386901415845349641700196106083587229615634757849182736033612764418 74265946893207739108344810126831259577226254616679992783161235004386609 15866283822489746732605661192181489539813965561563786211940327687806538 16960202749164163735913269396344008443 [email protected]"; # SECRET-DATA }
Example: Configure the Root Password

Configure an encrypted password:
[edit] user@host# set system root-authentication encrypted-password "$1$14c5.$sBopasddsdfs0" [edit] user@host# show system { root-authentication { encrypted-password "$1$14c5.$sBopasddsdfs0"; } }
Configure a plain-text password:

[edit] user@host# set system root-authentication plain-text-password New password: type root password Retype new password: retype root password [edit] user@host# show system { root-authentication { encrypted-password "$1$14c5.$sBopasddsdfs0"; } }
207
Compress the Current Configuration File
Compress the Current Configuration File

By default, the current operational configuration file is uncompressed, and is stored in the file juniper.conf, in the /config file system, along with the last three committed versions of the configuration. However, with large networks, the current configuration file might exceed the available space in the /config file system. Compressing the current configuration file allows the file to fit in the file system, typically reducing the size of the file by 90 percent. When the current operational configuration file reaches 3 MB in size, you might want to begin compressing the file. To determine the size of the files in the /config file system, issue the file list /config detail command. To compress the current configuration file, include the compress-configuration-files statement at the [edit system] hierarchy level:
[edit system] compress-configuration-files;
The current configuration file is compressed on the second commit of the configuration after the first commit is made to include the compress-configuration-files statement:
[edit system] user@host# set compress-configuration-files user@host# commit commit complete user@host# commit commit complete
For more information on how configurations are stored, see How the Configuration Is Stored on page 106.
208
Chapter 20 Configure System Authentication

You can configure the router to use RADIUS or TACACS+ authentication, or both, to validate users who attempt to access the router using Telnet. If you configure both authentication methods, you also can configure which method the router will try first. For TACACS+, the JUNOS software supports authentication, but does not support authorization. When configuring system authentication, you can do the following: ! Configure RADIUS Authentication on page 209 ! Configure TACACS+ Authentication on page 210 ! Configure Shared User Accounts for RADIUS and TACACS+ Authentication on page 211 ! Configure the Authentication Order on page 212 For an example of configuring system authentication, see Examples: Configure System Authentication on page 213.
Configure RADIUS Authentication

To use RADIUS authentication on the router, configure information about one or more RADIUS servers on the network by including the radius-server statement at the [edit system] hierarchy level:
[edit system] radius-server server-address { port number ; secret password ; retry number ; timeout seconds ; }
In server-address, specify the address of the RADIUS server. You can specify a port number on which to contact the RADIUS server. By default, port number 1812 is used (as specified in RFC 2138). You must specify a secret (password) that the local router passes to the RADIUS client (in the secret statement). Secrets can contain spaces. The secret used by the local router must match that used by the server.
Configure System Authentication
209
Configure TACACS+ Authentication
Optionally, you can specify the amount of time that the local router waits to receive a response from a RADIUS server (in the timeout statement) and the number of times that the router attempts to contact a RADIUS authentication server (in the retry statement). By default, the router waits 3 seconds. You can configure this to be a value in the range 1 through 90 seconds. By default, the router retries connecting to the server 3 times. You can configure this to be a value in the range 1 through 10 times. To configure multiple RADIUS servers, include multiple radius-server statements. To configure a set of users that share a single account for authorization purposes, you create a template user. To do this, include the user statement at the [edit system login] hierarchy level as described in Configure Shared User Accounts for RADIUS and TACACS+ Authentication on page 211.
Configure Juniper NetworksSpecific RADIUS Attributes

The JUNOS software supports the configuration of Juniper Networks-specific RADIUS attributes. These attributes are known as vendor-specific attributes and are described in RFC 2138, Remote Authentication Dial In User Service (RADIUS). These Juniper Networks-specific attributes are encapsulated in a RADIUS vendor-specific attribute with the vendor ID set to the Juniper Networks ID number, 2636. Table 7 lists the Juniper Networks-specific attributes you can configure.
Table 7: Juniper NetworksSpecific RADIUS Attributes

Name
Juniper-Local-User-Name
Description
Indicates the name of the user template used by this user when logging into a device. This attribute is used only in Access-Accept packets. Contains an extended regular expression that allows the user to run commands in addition to the commands authorized by the users login class permission bits. This attribute is used only in Access-Accept packets. Contains an extended regular expression that denies the user permission to run commands authorized by the users login class permission bits. This attribute is used only in Access-Accept packets.
Type
1
Length String
3 One or more octets containing printable ASCII characters. One or more octets containing printable ASCII characters, in the form of an extended regular expression. One or more octets containing printable ASCII characters, in the form of an extended regular expression.
Juniper-Allow-Commands
Juniper-Deny-Commands
Configure TACACS+ Authentication

To use TACACS+ authentication on the router, configure information about one or more TACACS+ servers on the network by including the tacplus-server statement at the [edit system] hierarchy level:
[edit system] tacplus-server server-address { secret password ; single-connection; timeout seconds ; }
210
Configure Shared User Accounts for RADIUS and TACACS+ Authentication
In server-address, specify the address of the TACACS+ server. You must specify a secret (password) that the local router passes to the TACACS+ client (in the secret statement). Secrets can contain spaces. The secret used by the local router must match that used by the server. You can optionally specify the amount of time that the local router waits to receive a response from a TACACS+ server (in the timeout statement). By default, the router waits 3 seconds. You can configure this to be a value in the range 1 through 90 seconds. Optionally, you can have the software maintain one open TCP connection to the server for multiple requests, rather than opening a connection for each connection attempt, thus optimizing attempts to connect to a TACACS+ server. To do this, include the single-connection statement. To configure multiple TACACS+ servers, include multiple tacplus-server statements. To configure a set of users that share a single account for authorization purposes, you create a template user. To do this, include the user statement at the [edit system login] hierarchy level as described in Configure Shared User Accounts for RADIUS and TACACS+ Authentication on page 211.
Configure Shared User Accounts for RADIUS and TACACS+ Authentication

When you are using local password authentication, you must create a local user account for every user who wants to access the system. However, when you are using RADIUS or TACACS+ authentication, you can create a shared user account that can be used by all users who do not have an individual account configured locally on the system. These accounts are sometimes called template accounts. To enable a shared remote user account, create a user account with the user name remote and specify the privileges that you want to provide to these remote users:
[edit] system { login { user remote { full-name "All remote users"; uid uid-value ; class class-name ; } } }
Privileges and file ownership are shared by all users who share the remote account. To specify exceptions to this account, but still use a remote authentication service, configure individual local accounts for those users. When you are using TACACS+, the template account must have the user name remote. You cannot change the name of this account or configure other template accounts.
211
Configure the Authentication Order
For information about creating user accounts, see Configure User Accounts on page 220. For an example of how to configure a shared account, see Examples: Configure System Authentication on page 213.
Configure the Authentication Order

If you configure the router to be both a RADIUS and TACACS+ client (by including the radius-server and tacplus-server statements), you can prioritize the methods to configure the order in which the software tries the different authentication methods when verifying that a user can access the router. For each login attempt, the JUNOS software tries the authentication methods in order, starting with the first one, until the password matches. To configure the authentication order, include the authentication-order statement at the [edit system] hierarchy level:
[edit system] authentication-order [ authentication-methods ];
In authentication-methods, specify one or more of the following in the preferred order, from first tried to last tried: ! radiusVerify the user using RADIUS authentication services. ! tacplusVerify the user using TACACS+ authentication services. ! passwordVerify the user using the password configured for the user with the authentication statement at the [edit system login user] hierarchy level. If you do not include the authentication-order statement, users are verified based on their configured passwords.
Example: Remove an Ordered Set from the Authentication Order

Delete the radius statement from the authentication order:
[edit system] delete system authentication-order radius
For more information on how to remove a statement from the configuration, see Remove a Statement from the Configuration on page 122.
Example: Insert an Order Set in the Authentication Order

Insert the tacplus statement after the radius statement:
[edit system] insert system authentication-order tacplus after radius
For more information on how to modify a portion of the configuration in which the statement order matters, see Insert a New Identifier on page 125.
212
Examples: Configure System Authentication

Allow logins only by users who have been authenticated by a remote RADIUS server for the individual user Philip and for all other users validated by the RADIUS server. When Philip tries to log into the system, if the RADIUS server authenticates him, he is given access and privileges for the superuser class. Local accounts are not configured for the users Alexander and Darius. When they try to log into the system, if the RADIUS server authenticates them, they are given access with user ID (UID) 9999 and privileges for the operator class.
[edit] system { authentication-order radius; login { user philip { full-name "Philip"; uid 1001; class superuser; user remote { full-name "All remote users"; uid 9999; class operator; } } }
Configuring a single remote user template account requires that all users without individual configuration entries share the same class and UID. When you are using RADIUS and Telnet or RADIUS and SSH together, you can specify a different template user other than the remote user. This functionality is not available with TACACS+. To configure an alternate template user, specify the User-Name parameter returned in the RADIUS authentication response packet. Not all RADIUS servers allow you to change this parameter. The following shows a sample JUNOS configuration:
[edit] system { login { user philip { full-name "Philip"; uid 1001; class superuser; } user operator { full-name "All operators"; uid 9990; class read-only; } user remote { full-name "All remote users"; uid 9999; class read-only; } } }
213
Assume your RADIUS server is configured with the following information: ! User Philip with password olympia ! User Alexander with password bucephalus and user name operator ! User Darius with password redhead and user name operator ! User Roxane with password athena Philip would be given access as a superuser, because he has his own local user account. Alexander and Darius share UID 9990 and have access as an operator. Roxane has no template-user override, so she shares access with all the other remote users, getting read-only access. When you are using TACACS+, the template account must have the user name remote. You cannot change the name of this account or configure other template accounts.
214
Chapter 21 Configure User Access

To configure user access, you do the following: ! Define Login Classes on page 215 ! Configure User Accounts on page 220
For information on how to configure user access through ssh, see Configure SSH Service on page 239.
Define Login Classes

All users who can log into the router must be in a login class. With login classes, you define the following: ! Access privileges users have when they are logged into the router ! Commands and statements that users can and cannot specify ! How long a login session can be idle before it times out and the user is logged off You can define any number of login classes. You then apply one login class to an individual user account as described in Configure User Accounts on page 220. To define a login class and its access privileges, include the class statement at the [edit system login] hierarchy level:
[edit system] login { class class-name { allow-commands "regular-expression"; deny-commands "regular-expression"; idle-timeout minutes ; permissions [ permissions ]; } }
In class-name, you name the login class. The software contains a few predefined login classes, which are listed in Table 9 on page 217. The predefined login classes cannot be modified.
Configure User Access
215
For each login class, you can do the following: ! Configure Access Privilege Levels on page 216 ! Deny or Allow Individual Commands on page 218 ! Configure the Timeout Value for Idle Login Sessions on page 220
Configure Access Privilege Levels

Each top-level CLI command and each configuration statement has an access privilege level associated with it. Users can execute only those commands and configure and view only those statements for which they have access privileges. The privilege level for each command and statement is listed in the summary chapter of the part in which that command or statement is described. The access privileges for each login class are defined by one or more permission bits. To configure access privilege levels, include the permissions statement at the [edit system login class] hierarchy level:
[edit system login class] permissions [ permissions ];
In permissions, specify one or more of the permission bits listed in Table 8. Permission bits are not cumulative, so for each class list all the bits needed, including view to display information and configure to enter configuration mode. For the permissions that control the individual parts of the configuration, there are two forms of the permission: ! Plain formProvides read-only capability for that permission type. An example is interface. ! Form that ends in -controlProvides read and write capability for that permission type. An example is interface-control.
Table 8: Login Class Permission Bits

Permission Bit
admin admin-control all clear configure control edit
Description
Can view user account information in configuration mode and with the show configuration command. Can view user accounts and configure them (at the [edit system login] hierarchy level). Has all permissions. Can clear (delete) information learned from the network that is stored in various network databases (using the clear commands). Can enter configuration mode (using the configure command) and commit configurations (using the commit command). Can perform all control-level operations (all operations configured with the -control permission bits). Can edit all portions of a configuration, can load a configuration from an ASCII file, and can commit new and modified configurations (using all the commands in configuration mode). Reserved for field (debugging) support. Can view the firewall filter configuration in configuration mode.
field firewall
216
Permission Bit
firewall-control floppy interface interface-control maintenance
Description
Can view and configure firewall filter information (at the [edit firewall] hierarchy level). Can read from and write to the removable media. Can view the interface configuration in configuration mode and with the show configuration operational mode command. Can view interface configuration information and configure interfaces (at the [edit interfaces] hierarchy level). Can perform system maintenance, including starting a local shell on the router and becoming the superuser in the shell (by issuing the su root command), and can halt and reboot the router (using the request system commands). Can access the network by entering the ping, ssh, telnet, and traceroute commands. Can restart software processes using the restart command and can configure whether software processes are enabled or disabled (at the [edit system processes] hierarchy level). Can use the rollback command to return to a previously committed configuration other than the most recently committed one. Can view general routing, routing protocol, and routing policy configuration information in configuration and operational modes. Can view general routing, routing protocol, and routing policy configuration information and configure general routing (at the [edit routing-options] hierarchy level), routing protocols (at the [edit protocols] hierarchy level), and routing policy (at the [edit policy-options] hierarchy level). Can view passwords and other authentication keys in the configuration. Can view passwords and other authentication keys in the configuration and can modify them in configuration mode. Can start a local shell on the router by entering the start shell command. Can view SNMP configuration information in configuration and operational modes. Can view SNMP configuration information and configure SNMP (at the [edit snmp] hierarchy level). Can view system-level information in configuration and operational modes. Can view system-level configuration information and configure it (at the [edit system] hierarchy level). Can view trace file settings in configuration and operational modes. Can view trace file settings and configure trace file properties. Can use various commands to display current systemwide, routing table, and protocol-specific values and statistics.
network reset
rollback routing routing-control
secret secret-control shell snmp snmp-control system system-control trace trace-control view
Table 9: Default System Login Classes

Login Class
operator read-only superuser unauthorized
Permission Bits Set

clear, network, reset, trace, view view all None
217
Example: Configure Access Privilege Levels

Create two access privilege classes on the router, one for configuring and viewing user accounts only and the second for configuring and viewing SNMP parameters only:
[edit] system { login { class user-accounts { permissions [ configure admin admin-control ]; } class network-mgmt { permissions [ configure snmp snmp-control ]; } } }
Deny or Allow Individual Commands

By default, all top-level CLI commands and all configuration statements have associated access privilege levels. Users can execute only those commands and configure and view only those statements for which they have access privileges. For each login class, you can explicitly deny or allow commands that would otherwise be permitted or disallowed by a privilege level specified in the permissions statement. To explicitly deny a command that would otherwise be permitted, include the deny-commands statement at the [edit system login class class-name] hierarchy level:
[edit system login class class-name] deny-commands regular-expression ;
To explicitly allow additional commands that would otherwise be denied, include the allow-commands statement at the [edit system login class class-name] hierarchy level:
[edit system login class class-name] allow-commands regular-expression ;
You can include one deny-commands and one allow-commands statement in each login class. If the regular-expression contains any spaces, operators, or wildcard characters, enclose it in quotation marks. Regular expressions are not case-sensitive. You use extended regular expressions to specify which commands are denied or allowed. You specify these regular expressions in the allow-commands and deny-commands statements at the [edit system login class] hierarchy level or by specifying JUNOS-specific attributes in your RADIUS authentication servers configuration. If regular expressions are received during RADIUS authentication, they override any regular expressions configured on the local router. Command regular expressions implement the extended (modern) regular expressions as defined in POSIX 1003.2. Table 10 lists common regular expression operators.
218
Table 10: Common Regular Expression Operators

Operator
| ^ $
Match...
One of the two terms on either side of the pipe. At the beginning of an expression, used to denote where the command begins, where there might be some ambiguity. Character at the end of a command. Used to denote a command that must be matched exactly up to that point. For example, allow-commands "show interfaces $" means that the user cannot issue show interfaces detail or show interfaces extensive. Range of letters or digits. To separate the start and end of a range, use a hyphen ( - ). A group of commands, indicating an expression to be evaluated; the result is then evaluated as part of the overall expression.
[] ()
If a regular expression contains a syntax error, user authentication fails, and the user cannot log in. If a regular expression does not contain any operators, all varieties of the command are allowed. For example, if the following statement is included in the configuration, the user can issue the commands show interfaces detail and show interfaces extensive in addition to showing an individual interface:
allow-commands "show interfaces"
Example: Deny or Allow Individual Commands

Configure permissions for individual commands:
[edit] system { login { /* * This login class has operator privileges and the additional ability to reboot the router. */ class operator-and-boot { permissions [ clear network reset trace view ]; allow-commands "request system reboot"; } /* * This login class has operator privileges but can't use any commands beginning with set. */ class operator-no-set { permissions [ clear network reset trace view ]; deny-commands "^set"; } /* * This login class has operator privileges and can install software but not view bgp information. */ class operator-and-install-but-no-bgp { permissions [ clear network reset trace view ]; allow-commands "request system software add"; deny-commands "show bgp"; } } }
219
Configure User Accounts
Configure the Timeout Value for Idle Login Sessions

An idle login session is one in which the CLI operational mode prompt is displayed but there is no input from the keyboard. By default, a login session remains established until a user logs out of the router, even if that session is idle. To close idle sessions automatically, you configure a time limit for each login class. If a session established by a user in that class remains idle for the configured time limit, the session automatically closes. To define the timeout value for idle login sessions, include the idle-timeout statement at the [edit system login class] hierarchy level:
[edit system login class class-name] idle-timeout minutes ;
Specify the number of minutes that a session can be idle before it is automatically closed. If you have configured a timeout value, the CLI displays messages similar to the following when timing out an idle user. It starts displaying these messages 5 minutes before timing out the user.
user@host# Session will be closed in 5 minutes if there is no activity. Warning: session will be closed in 1 minute if there is no activity Warning: session will be closed in 10 seconds if there is no activity Idle timeout exceeded: closing session
If you configure a timeout value, the session closes after the specified time has elapsed except if the user is running Telnet or monitoring interfaces using the monitor interface or monitor traffic command.

User accounts provide one way for users to access the router CLI. (Users can access the router without accounts if you have configured RADIUS or TACACS+ servers as described in User Authentication on page 195.) For each account, you define the login name for the user and, optionally, information that identifies the user. After you have created an account, the software creates a home directory for the user. To create user accounts, include the user statement at the [edit system login] hierarchy level:
[edit system] login { user user-name { full-name complete-name ; uid uid-value ; class class-name ; authentication { (encrypted-password "password " | plain-text-password); ssh-rsa "public-key"; ssh-dsa "public-key" ; } } }
220
For each user account, you can define the following: ! User name(Optional) Name that identifies the user. It must be unique within the router. Do not include spaces, colons, or commas in the user name. ! Users full name(Optional) If the full name contains spaces, enclose it in quotation marks. Do not include colons or commas. ! User identifier (UID)(Optional) Numeric identifier that is associated with the user account name. The identifier must be in the range 100 through 64000 and must be unique within the router. If you do not assign a UID to a user name, the software assigns one when you commit the configuration, preferring the lowest available number. You must ensure that the UID is unique. However, it is possible to assign the same UID to different users. If you do this, the CLI displays a warning when you commit the configuration, then assigns the duplicate UID. ! Users access privilege(Required) One of the login classes you defined in the class statement at the [edit system login] hierarchy level or one of the default classes listed in Table 9 on page 217. ! Authentication method or methods and passwords that the user can use to access the router(Optional) You can use ssh or an MD5 password, or you can enter a plain-text password that the JUNOS software encrypts using MD5-style encryption before entering it in the password database. For each method, you can specify the users password. If you configure the plain-text-password option, you are prompted to enter and confirm the password:
[edit system] user@host# set root-authentication plain-text-password New password: type password here Retype new password: retype password here
For ssh authentication, you can copy the contents of an ssh keys file into the configuration. For information about how to specify filenames, see How to Specify Filenames and URLs on page 192. To load an ssh key file, use the load-key-file command. This command loads RSA (ssh version 1) and DSA (ssh version 2) public key files. You can also configure a user to use ssh-rsa and ssh-dsa keys. If you load the ssh keys file, the contents of the file are copied into the configuration immediately after you enter the load-key-file statement. To view the ssh keys entries, use the configuration mode show command. For example:
[edit system] user@host# set root-authentication load-key-file my-host:.ssh/identity.pub .file.19692 | 0 KB | 0.3 kB/s | ETA: 00:00:00 | 100% [edit system] user@host# show root-authentication { ssh-rsa "1024 35 97276382040842510554682267572498642416303222074049625 2839038203869014158453496417001961060835872296156347578491827360336 1276441874265946893207739108344810126831259577226254616679992783161 2350043866091586628382248974673260566119218148953981396556156378621 194032768780653816960202749164163735913269396344008443 [email protected]"; # SECRET-DATA }
221
An account for the user root is always present in the configuration. You configure the password for root using the root-authentication statement as described in Configure the Root Password on page 206.
Example: Configure User Accounts

Create accounts for four router users, and create an account for the template user remote. All users use one of the default system login classes.
[edit] system { login { user philip { full-name Philip of Macedonia; uid 1001; class superuser; authentication { encrypted-password $1$poPPeY; } } user alexander { full-name Alexander the Great; uid 1002; class view; authentication { encrypted-password $1$14c5.$sBopasdFFdssdfFFdsdfs0; ssh-rsa 8924 37 5678 [email protected]; } } user darius { full-name Darius King of Persia; uid 1003; class operator; authentication { ssh-dsa 1024 37 [email protected]; } } user anonymous { class unauthorized; } user remote { full-name All remote users; uid 9999; class read-only; } } }
222
Chapter 22 Configure Time

This chapter discusses the following topics related to configuring time: ! Set the Time Zone on page 223 ! Configure the Network Time Protocol on page 224 For more information about configuring time, see Set the Current Date and Time on page 97.
Set the Time Zone

The default local time zone on the router is UTC (Coordinated Universal Time, formerly known as Greenwich Mean Time). To modify the local time zone, include the time-zone statement at the [edit system] hierarchy level:
[edit system] time-zone time-zone ;
You specify the time-zone using the continent/country/zone primary name. For the time zone change to take effect for all processes running on the router, you must reboot the router. For information about setting the time on the router, see Set the Current Date and Time on page 97.
Examples: Set the Time Zone

Set the time zone for New York:
[edit] user@host# set system time-zone America/New_York [edit] user@host# show system { time-zone America/New_York; }
Configure Time
223
Configure the Network Time Protocol
Set the time zone for Pacific Time:

[edit] user@host# set system time-zone America/Los_Angeles [edit] user@host# show system { time-zone America/Los_Angeles; }
For information about what time zones are available, see time-zone on page 273.

The Network Time Protocol (NTP) provides the mechanisms to synchronize time and coordinate time distribution in a large, diverse network. NTP uses a returnable-time design in which a distributed subnet of time servers operating in a self-organizing, hierarchical master-slave configuration synchronizes local clocks within the subnet and to national time standards by means of wire or radio. The servers also can redistribute reference time using local routing algorithms and time daemons. NTP is defined in the following document: ! RFC 1305, Network Time Protocol (Version 3) Specification, Implementation and Analysis To configure NTP on the router, include the ntp statement at the [edit system] hierarchy level:
[edit system] ntp { authentication-key number type type value password ; boot-server address ; broadcast <address> <key key-number> <version value> <ttl value>; broadcast-client; multicast-client <address>; peer address <key key-number> <version value> <prefer>; server address <key key-number> <version value> <prefer>; trusted-key [ key-numbers ]; }
To configure NTP properties, you can do one of more of the following: ! Configure the NTP Boot Server on page 225 ! Configure the NTP Time Server and Time Services on page 225 ! Configure NTP Authentication Keys on page 227 ! Configure the Router to Listen for Broadcast Messages on page 228 ! Configure the Router to Listen for Multicast Messages on page 228 When configuring NTP, you do not actively configure time servers. Rather, all clients also are servers. An NTP server is not believed unless it, in turn, is synchronized to another NTP serverwhich itself must be synchronized to something upstream, eventually terminating in a high-precision clock.
224
If the time difference between the local router clock and the NTP server clock is more than 128 milliseconds, but less than 128 seconds, the clocks are slowly stepped into synchronization. However, if the difference is more than 128 seconds, the clocks are not synchronized. You must set the time on the local router so that the difference is less than 128 seconds to start the synchronization process. On the local router, you set the date and time using the set date command. To set the time automatically, use the boot-server statement at the [edit system ntp] hierarchy level, specifying the address of an NTP server.
Configure the NTP Boot Server

When you boot the router, it issues an ntpdate request, which polls a network server to determine the local date and time. You need to configure a server that the router uses to determine the time when the router boots. Otherwise, NTP will not be able to synchronize to a time server if the servers time appears to be very far off of the local routers time. To configure the NTP boot server, include the boot-server statement at the [edit system ntp] hierarchy level:
[edit system ntp] boot-server address ;
Specify the address of the network server. You must specify an address, not a hostname.
Configure the NTP Time Server and Time Services

When configuring NTP, you can specify which system on the network is the authoritative time source, or time server, and how time is synchronized between systems on the network. To do this, you configure the router to operate in one of the following modes: ! Client modeIn this mode, the local router can be synchronized to the remote system, but the remote system can never be synchronized to the local router. ! Symmetric active modeIn this mode, the local router and the remote system can synchronize each other. You use this mode in a network in which either the local router or the remote system might be a better source of time. Symmetric active mode can be initiated by either the local or remote system. Only one system needs to be configured to do so. This means that the local system can synchronize to any system that offers symmetric active mode without any configuration whatsoever. However, we strongly encourage you to configure authentication to ensure that the local system synchronizes only to known time servers. ! Broadcast modeIn this mode, the local router sends periodic broadcast messages to a client population at the specified broadcast or multicast address. Normally, you include this statement only when the local router is operating as a transmitter.
Configure Time
225
The following sections describe how to configure these modes of operation: ! Configure the Router to Operate in Client Mode on page 226 ! Configure the Router to Operate in Symmetric Active Mode on page 226 ! Configure the Router to Operate in Broadcast Mode on page 227
Configure the Router to Operate in Client Mode

To configure the local router to operate in client mode, include the server statement at the [edit system ntp] hierarchy level:
[edit system ntp] server address <key key-number > <version value> <prefer>;
Specify the address of the system acting as the time server. You must specify an address, not a hostname. To include an authentication key in all messages sent to the time server, include the key option. The key corresponds to the key number you specify in the authentication-key statement as described in Configure NTP Authentication Keys on page 227. By default, the router sends NTP version 3 packets to the time server. To set the NTP version level to 1 or 2, include the version option. If you configure more than one time server, you can mark one server as being preferred by including the prefer option.
Configure the Router to Operate in Symmetric Active Mode

To configure the local router to operate in symmetric active mode, include the peer statement at the [edit system ntp] hierarchy level:
[edit system ntp] peer address <key key-number > <version value > <prefer>;
Specify the address of the remote system. You must specify an address, not a hostname. To include an authentication key in all messages sent to the remote system, include the key option. The key corresponds to the key number you specify in the authentication-key statement as described in Configure NTP Authentication Keys on page 227. By default, the router sends NTP version 3 packets to the remote system. To set the NTP version level to 1 or 2, include the version option. If you configure more than one remote system, you can mark one system as being preferred by including the prefer option:
peer address <key key-number> <version value> <prefer>;
226
Configure the Router to Operate in Broadcast Mode

To configure the local router to operate in broadcast mode, include the broadcast statement at the [edit system ntp] hierarchy level:
[edit system ntp] broadcast address <key key-number > <version value> <ttl value>;
Specify the broadcast address on one of the local networks or a multicast address assigned to NTP. You must specify an address, not a hostname. Currently, the multicast address must be 224.0.1.1. To include an authentication key in all messages sent to the remote system, include the key option. The key corresponds to the key number you specify in the authentication-key statement as described in Configure NTP Authentication Keys on page 227. By default, the router sends NTP version 3 packets to the remote system. To set the NTP version level to 1 or 2, include the version option.
Configure NTP Authentication Keys

Time synchronization can be authenticated to ensure that the local router obtains its time services only from known sources. By default, network time synchronization is unauthenticated. The system will synchronize to whatever system appears to have the most accurate time. We strongly encourage you to configure authentication of network time services. To authenticate other time servers, include the trusted-key statement at the [edit system ntp] hierarchy level. Only time servers transmitting network time packets that contain one of the specified key numbers and whose key matches the value configured for that key number are eligible to be synchronized to. Other systems can synchronize to the local router without being authenticated.
[edit system ntp] trusted-key [ key-numbers ];
Each key can be any 32-bit unsigned integer except 0. Include the key option in the peer, server, or broadcast statements to transmit the specified authentication key when transmitting packets. The key is necessary if the remote system has authentication enabled so that it can synchronize to the local system. To define the authentication keys, include the authentication-key statement at the [edit system ntp] hierarchy level:
[edit system ntp] authentication-key key-number type type value password ;
number is the key number, type is the authentication type (either MD5 or DES), and password is the password for this key. The key number, type, and password must match on all systems using that particular key for authentication.
Configure Time
227
Configure the Router to Listen for Broadcast Messages

When you are using NTP, you can configure the local router to listen for broadcast messages on the local network to discover other servers on the same subnet by including the broadcast-client statement at the [edit system ntp] hierarchy level:
[edit system ntp] broadcast-client;
When the router hears a broadcast message for the first time, it measures the nominal network delay using a brief client-server exchange with the remote server. Then, it enters broadcast client mode, in which it listens for, and synchronizes to, succeeding broadcast messages. To avoid accidental or malicious disruption in this mode, both the local and remote systems must use authentication and the same trusted key and key identifier.
Configure the Router to Listen for Multicast Messages

When you are using NTP, you can configure the local router to listen for multicast messages on the local network to discover other servers on the same subnet by including the multicast-client statement at the [edit system ntp] hierarchy level:
[edit system ntp] multicast-client <address>;
When the router hears a multicast message for the first time, it measures the nominal network delay using a brief client-server exchange with the remote server. Then, it enters multicast client mode, in which it listens for, and synchronizes to, succeeding multicast messages. You can specify one or more IP addresses. (You must specify an address, not a hostname.) If you do, the route joins those multicast groups. If you do not specify any addresses, the software uses 224.0.1.1. To avoid accidental or malicious disruption in this mode, both the local and remote systems must use authentication and the same trusted key and key identifier.
228
Chapter 23 Configure System Logging

The chapter discusses the following topics: ! Configure System Logging on page 229 ! Archive System Logs on page 231 ! Override the Facility on page 232 ! Configure Log Message Prefixes on page 232
Configure System Logging

System logging operations use a syslog mechanism to record systemwide, high-level operations, such as interfaces going up or down and users logging into or out of the router. To control system logging and how much information the system should log, include the syslog statement at the [edit system] hierarchy level:
[edit system] syslog { archive { files number ; size size ; (world-readable | no-world-readable); } file filename { facility level ; archive { files number ; size size ; (world-readable | no-world-readable); } } host hostname { facility level ; facility-override facility; log-prefix string; } user (username | *) { facility level ; } console { facility level ; } }
229
You can log specified system information to one or more destinations. The destinations can be one or more files, one or more remote hosts, the terminals of one or more users if they are logged in, and the system console. For each place where you can log system information, you specify the class (facility) of messages to log and the minimum severity level (level) of the message. Table 11 lists the system logging facilities, and Table 12 lists the system logging severity levels.
Table 11: System Logging Facilities

Facility
any authorization change-log conflict-log cron daemon firewall interactive-commands kernel pfe user
Description
Any facility Any authorization attempt Any change to the configuration Messages generated when configuration conflicts with hardware Cron daemon Various system daemons Firewall filtering subsystem Commands executed in the CLI Messages generated by the JUNOS kernel Messages generated by the packet forwarding engine (pfe) Messages from random user processes
Table 12: System Logging Severity Levels

Severity Level (from Highest to Lowest Severity)
emergency alert critical error warning notice info debug
Description
Panic or other conditions that cause the system to become unusable. Conditions that should be corrected immediately, such as a corrupted system database. Critical conditions, such as hard drive errors. Standard error conditions. System warning messages. Conditions that are not error conditions, but that might warrant special handling. Informational messages. This is the default. Software debugging messages.
230
Archive System Logs
A common set of operations to log is when users log into the router and when they issue CLI commands. To configure this type of logging, specify the interactive-commands facility and one of the following severity levels: ! infoLog all top-level CLI commands, including the configure command, and all configuration mode commands. ! noticeLog the configuration mode commands rollback and commit. ! warningLog when any software process restarts. Another common operation to log is when users enter authentication information. To configure this type of logging, specify the authorization facility.
Archive System Logs

Logging information is saved to one or more files. By default, the software stores the logging information in up to ten 128-KB files, and by default, these files can be read by a limited group of users. To modify the number and size of all system log files, as well as who can read them, include the archive option at the [edit system syslog] hierarchy level:
[edit system] syslog { archive { files number ; size size ; (world-readable | no-world-readable); } }
To modify the number and size of a particular system log file, as well as who can read it, include the archive option at the [edit system syslog file filename ] hierarchy level:
[edit system] syslog { file filename { facility level ; archive { files number ; size size ; (world-readable | no-world-readable); } } }
You can configure any number of files in the range 1 through 1000, and they can be any size in the range 64 KB (64k) through 1 GB (1g). To allow any user to read the log file, include the world-readable option.
231
Override the Facility
Override the Facility

When sending messages to a remote host, you can override the facility. For example, you can configure all messages from a single router to go to a single log file on the remote host. You can also configure different routers to send messages to different log files on the same remote host to, for example, segregate messages representing different regions of the country. To override the facility, include the facility-override statement at the [edit system syslog host hostname ] hierarchy level.
[edit system syslog host hostname ] facility-override facility ;
Table 13 lists the system logging facilities that you can specify on the facility-override statement.
Table 13: System Logging Facilities That You Can Specify on the facility-override Statement
Facility
authorization cron daemon kernel local0 local1 local2 local3 local4 local5 local6 local7 user
Description
Any authorization attempt Cron daemon Various system daemons Messages generated by the JUNOS kernel Local logging option number 0 Local logging option number 1 Local logging option number 2 Local logging option number 3 Local logging option number 4 Local logging option number 5 Local logging option number 6 Local logging option number 7 Messages from random user processes
Configure Log Message Prefixes

You can configure a string to be prepended to every log message sent to the remote host, which is useful for identifying the router from which it came. The string cannot contain spaces, equal signs ( = ), or colons ( : ). To prepend a string to log messages sent to a remote host, include the log-prefix statement at the [edit system syslog host hostname ] hierarchy level.
[edit system syslog host hostname ] log-prefix string ;
A colon and a space are appended to the string when the syslog messages are written to the log. For example, if the string is configured as JNPR:
Mar 9 17:33:23 host JNPR: mgd[477]: UI_CMDLINE_READ_LINE: user root, command run show version
232
Examples: Configure System Logging

Log system logging information to two files, one remote host (the user Alexs terminal), and the system console:
[edit system] syslog { /* send all security-related information to file "security" */ file security { authorization info; interactive-commands info; } /* send generic messages (authorization at level notice and above, the rest at level warning and above) to file "messages" */ file messages { authorization notice; any warning; } /* send any critical messages to alex if he is logged in */ user alex { any critical; } /* send all daemon level info and above, or anything warning and above, to the host junipero.berry.net */ host junipero.berry.net { daemon info; any warning; } /* send any error messages, or higher, to the system console */ console { any error; } }
Log all CLI commands entered by all users and all authorization attempts to a file and to the terminals of all users who are logged in:
[edit system] syslog { file cli-commands { interactive-commands info; authorization info; } user * { interactive-commands info; authorization info; }
233
Log all CLI commands entered by any user to the user Philips terminal and log only the rollback and commit commands entered by any user to the user Darius terminal:
[edit system] syslog { user philip { interactive-commands any; } user darius { any notice; }
Log the changing of alarms:

[edit system] syslog { file alarms { daemon warning; } }
234
Chapter 24 Configure Miscellaneous System Management

This chapter discusses the following topics: ! Configure Console and Auxiliary Port Properties on page 235 ! Disable the Sending of Redirect Messages on the Router on page 236 ! Configure the Source Address for Locally Generated TCP/IP Packets on page 236 ! Configure the Router or Interface to Act as a DHCP/BOOTP Relay Agent on page 237 ! Configure System Services on page 238 ! Configure a System Login Message on page 240 ! Disable JUNOS Software Processes on page 241 ! Configure a Password on the Diagnostics Port on page 242
Configure Console and Auxiliary Port Properties

The routers craft interface has two portsa console port and an auxiliary portfor connecting terminals to the router. The console port is enabled by default, and its default speed is 9600 baud. The auxiliary port is disabled by default. To configure the properties for the console and auxiliary ports, include the ports statement at the [edit system] hierarchy level:
[edit system] ports { auxiliary { insecure; speed baud-rate ; type terminal-type ; } console { insecure; speed baud-rate ; type terminal-type ; } }
Configure Miscellaneous System Management
235
Disable the Sending of Redirect Messages on the Router
By default, the terminal type is unknown, and the terminal speed is 9600 baud for both the console and auxiliary ports. To change the terminal type, include the type statement, specifying a terminal-type of ansi, vt100, small-xterm, or xterm. The first three terminal types set a screen size of 80 columns by 24 lines. The last type, xterm, sets the size to 80 columns by 65 rows. To change the terminal speed, include the speed statement, specifying a baud-rate of 19200, 38400, 57600, or 115200. If you change the speed on the auxiliary or console port, any user currently logged in through that port is logged off the router when the terminal resets. By default, terminal connections to the console and auxiliary ports are secure. That is, it is safe to log in as root and enter the root password. To configure the terminal so that it is not safe for you to enter the root-level password, include the insecure statement.
Disable the Sending of Redirect Messages on the Router

By default, the router sends protocol redirect messages. To disable the sending of redirect messages by the router, include the no-redirects statement at the [edit system] hierarchy level:
[edit system] no-redirects;
To re-enable the sending of redirect messages on the router, delete the no-redirects statement from the configuration. To disable the sending of redirect messages on a per-interface basis, include the no-redirects statement at the [edit interfaces interface-name unit logical-unit-number family family ] hierarchy level as described in the JUNOS Internet Software Configuration Guide: Interfaces and Chassis.
Configure the Source Address for Locally Generated TCP/IP Packets

By default, the source address included in locally generated TCP/IP packets, such as FTP traffic, and in UDP and IP packets, such as NTP requests, is chosen as the local address for the interface on which the traffic is transmitted. This means that the local address chosen for packets to a particular destination might change from connection to connection based on the interface that routing has chosen to reach the destination when the connection is established. To configure the software to select a fixed address to use as the source for locally generated IP packets, include the default-address-selection statement at the [edit system] hierarchy level:
[edit system] default-address-selection;
If you include the default-address-selection statement in the configuration, the software chooses the system default address as the source for most locally generated IP packets. The default address is usually an address configured on the lo0 loopback interface. For example, if you specified that ssh and Telnet use a particular address, but you also have default-address selection configured, the system default address is used. For more information about how the default address is chosen, see the JUNOS Internet Software Configuration Guide: Interfaces and Chassis.
236
Configure the Router or Interface to Act as a DHCP/BOOTP Relay Agent
For IP packets sent by IP routing protocols (including OSPF, RIP, RSVP, and the multicast protocols, but not including IS-IS), the local address selection is often constrained by the protocol specification so that the protocol operates correctly. When this constraint exists in the routing protocol, the packets source address is unaffected by the presence of the default-address-selection statement in the configuration. For protocols in which the local address is unconstrained by the protocol specification, for example, IBGP and multihop EBGP, if you do not configure a specific local address when configuring the protocol, the local address is chosen using the same method as other locally generated IP packets.
Configure the Router or Interface to Act as a DHCP/BOOTP Relay Agent

You can configure the router or an interface to act as a Dynamic Host Configuration Protocol (DHCP) or BOOTP relay agent. This means that a locally attached host can issue a DHCP or BOOTP request as a broadcast message. If the router or an interface sees this broadcast message, it relays the message to a specified DHCP or BOOTP server. You should configure the router or an interface to be a DHCP/BOOTP relay agent if you have locally attached hosts and a distant DHCP or BOOTP server. To configure the router to act as a DHCP/BOOTP relay agent, include the dhcp-relay statement at the [edit system] hierarchy level, specifying the address of the DHCP or BOOTP server:
[edit system] dhcp-relay { no-listen; maximum-hop-count; minimum-wait-time seconds; server [ address ]; interface interface-group { no-listen; maximum-hop-count; minimum-wait-time seconds; server [ address ]; } }
server sets the IP address or addresses that specifies the DHCP or BOOTP server for the router or interface. You can include as many addresses as necessary in the same statement. no-listen stops packets from being forwarded on a logical interface, a group of logical interfaces, or router. interface sets a logical interface or a group of logical interfaces with a specific DHCP-relay or BOOTP configuration. maximum-hop-count sets the maximum allowed number in the hops field of the BOOTP header. Headers that have a larger number in the hops field are not forwarded. If you omit the maximum-hop-count statement, the default value is 4 hops. minimum-wait-time sets the minimum allowed number of seconds in the secs field of the BOOTP header. Headers that have a smaller number in the secs field are not forwarded. If you omit the minimum-wait-time statement, the default value is 0 seconds.
237
Configure System Services
To configure an interface to act as a DHCP/BOOTP relay agent, include the interface statement at the [edit system dhcp-relay] hierarchy level, specifying the address of the DHCP or BOOTP server. The interface statement configured under the [edit system dhcp-relay] hierarchy has the same syntax and defaults as the dhcp-relay statement. The configuration described in this section differs only in allowing you to fine-tune the routers response capabilities. You can also configure an individual logical interface to be a DHCP/BOOTP relay if you have locally attached hosts and a remote DHCP or BOOTP server at the [edit interfaces] hierarchy level. For more information, see the JUNOS Internet Software Configuration Guide: Interfaces, Class of Service, and Firewalls.

For security reasons, no remote access to the router is enabled by default. You must configure the router explicitly so that users on remote systems can access it. The router can be accessed from a remote system using the finger, rlogin, ssh, and Telnet services.
Configure Finger Service

To configure the router to accept finger as an access service, include the finger statement at the [edit system services] hierarchy level.
[edit system services] finger { <connection-limit limit>; <rate-limit limit>; }
You can optionally specify the maximum number of concurrently established connections and the maximum number of connections attempted per minute.
Configure Rlogin Service

To configure the router to accept rlogin as an access service, include the rlogin statement at the [edit system services] hierarchy level.
[edit system services] rlogin { <connection-limit limit>; <rate-limit limit>; }
238
Configure SSH Service

To configure the router to accept ssh as an access service, include the ssh statement at the [edit system services] hierarchy level.
[edit system] services { ssh { root-login (allow | deny | deny-password); protocol-version [v1 v2]; <connection-limit limit> ; <rate-limit limit>; } }
You can optionally specify the maximum number of concurrently established connections and the maximum number of connections attempted per minute. The following sections explain how to specify the remaining options: ! Configure Root Login on page 239 ! Configure SSH Protocol Version on page 240
Configure Root Login

By default, users are allowed to log on to the router as root through ssh. To control user access through ssh, include the root-login statement at the [edit systems services ssh] hierarchy level.
[edit system services ssh] root-login (allow | deny | deny-password);
! allowallows users to log on to the router as root through ssh. The default is allow. ! denydisables users from logging on to the router as root through ssh. ! deny-passwordallows users to log on to the router as root through ssh when the authentication method does not require a password, for example, RSA authentication method. The root-login and protocol-version statements are supported in JUNOS Release 5.0 or later. If you downgrade prior to release 5.0, the root-login and protocol-version statements are ignored if present in the configuration file.
239
Configure a System Login Message
Configure SSH Protocol Version

By default, both version 1 and 2 of the ssh protocol are enabled. To configure the router to use version 1only of the ssh protocol, include the protocol-version statement and specify v1 at the [edit system services ssh] hierarchy level
[edit system services ssh] protocol-version [version];
To configure the router to use version 1 and 2 of the ssh protocol, include the protocol-version statement and specify v1 and v2 at the [edit system services ssh] hierarchy level
[edit system services ssh] protocol-version [version];
You can specify v1, v2, or both versions [v1 v2] of the ssh protocol . The default is [v1 v2]. The root-login and protocol-version statements are supported in JUNOS Release 5.0 or later. If you downgrade prior to release 5.0, the root-login and protocol-version statements are ignored if present in the configuration file.
Configure Telnet Service

To configure the router to accept telnet as an access service, include the telnet statement at the [edit system services] hierarchy level.
[edit system services] telnet { <connection-limit limit> ; <rate-limit limit>; }
Configure a System Login Message

By default, no login message is displayed. To configure a system login message, include the message statement at the [edit system login] hierarchy level:
[edit system login] message text ;
240
Configure JUNOS Software Processes
Configure JUNOS Software Processes

By default, all JUNOS software processes are enabled on the router. To control the software processes on the router, you can do the following: ! Disable JUNOS Software Processes on page 241 ! Configure Failover to Backup Media if a Software Process Fails on page 241
Disable JUNOS Software Processes
Never disable any of the software processes unless instructed to do so by a customer support engineer.
To disable a software process, specify the appropriate option in the processes statement at the [edit system] hierarchy level:
[edit system] processes { inet-process (enable | disable); interface-control (enable | disable); mib-process (enable | disable); ntp (enable | disable); routing (enable | disable); snmp (enable | disable); watchdog (enable | disable) timeout seconds ; }
Configure Failover to Backup Media if a Software Process Fails

For routers with redundant Routing Engines, in the event that a software process fails repeatedly, you can configure the router to switch to backup media containing an alternate version of the system, either the alternate media or the other Routing Engine. To configure the switch to the backup media, include the failover statement at the [edit system processes process-name] hierarchy level:
[edit system processes] process-name failover ( alternate-media | other-routing-engine );
process-name is one of the valid process names. If this statement is configured for a process, and that process fails three times in quick succession, the router reboots from either the alternative media or the other Routing Engine.
241
Configure a Password on the Diagnostics Port
Configure a Password on the Diagnostics Port

If you have been asked by Customer Support personnel to connect a physical console to the routers SCB, SSB, or SFM to perform diagnostics, you can configure a password on the diagnostics port. This password provides an extra level of security on the SCB, SSB, or SFM diagnostics port. To configure a password on the diagnostics port, include the diag-port-authentication statement at the [edit system] hierarchy level:
[edit system] diag-port-authentication (encrypted-password password | plain-text-password);
You can use an MD5 password, or you can enter a plain-text password that the JUNOS software encrypts (using MD5-style encryption) before it places it into the password database. For an MD5 password, specify the password in the configuration. If you configure the plain-text-password option, the CLI prompts you for the password. For routers that have more than one SSB, the same password is used for both SSBs.
242
Chapter 25 Summary of System Management

Configuration Statements
The following sections explain each of the system management configuration statements. The statements are organized alphabetically.
allow-commands
Syntax Hierarchy Level Description Default
allow-commands "regular-expression"; [edit system login class] Specify the commands that members of a login class can use. If you omit this statement and the deny-commands statement, users can issue only those commands for which they have access privileges through the permissions statement. regular-expressionExtended (modern) regular expression as defined in POSIX 1003.2. If it contains any spaces, operators, or wildcard characters, enclose it in quotation marks. See Deny or Allow Individual Commands on page 218. adminTo view this statement in the configuration. admin-controlTo add this statement to the configuration. deny-commands on page 251, user on page 276
Options
See Also
Summary of System Management Configuration Statements
243
authentication
authentication
Syntax
authentication { (encrypted-password "password " | plain-text-password); ssh-rsa public-key ; ssh-dsa public-key ; } [edit system login user] Authentication methods that a user can use to log into the router. You can assign multiple authentication methods to a single user. encrypted-password "password "Use MD5 or other encrypted authentication. Specify the MD5 or other password. You can specify only one encrypted password for each user. plain-text-passwordUse a plain-text password. The CLI prompts you for the password and then encrypts it. The CLI displays the encrypted version, and the software places the encrypted version in its user database. You can specify only one plain-text password for each user. ssh-rsa "public-key"Secure shell (ssh version 1) authentication. Specify the ssh public key. You can specify one or more public keys for each user. ssh-dsa "public-key"Secure shell (ssh version 2) authentication. Specify the ssh public key. You can specify one or more public keys for each user.
Hierarchy Level Description
Options
See Configure User Accounts on page 220. adminTo view this statement in the configuration. admin-controlTo add this statement to the configuration. root-authentication on page 265
See Also
244
authentication-key
authentication-key
authentication-key key-number type type value password ; [edit system ntp] Configure NTP authentication keys so that the router can send authenticated packets. If you configure the router to operate in authenticated mode, you must configure a key. Both the keys and the authentication schemes (DES or MD5) must be identical between a set of peers sharing the same key number.
Options
key-numberPositive integer that identifies the key. typeAuthentication type. It can be either md5 or des. value passwordThe key itself, which can be 1 to 8 ASCII characters. If the key contains spaces, enclose it in quotation marks.
See Configure NTP Authentication Keys on page 227. systemTo view this statement in the configuration. system-controlTo add this statement to the configuration. broadcast on page 248, peer on page 260, server on page 267, trusted-key on page 275
See Also
authentication-order
authentication-order [ authentication-methods ]; [edit system] Configure the order in which the software tries different user-authentication methods when attempting to authenticate a user. For each login attempt, the software tries the authentication methods in order, starting with the first one, until the password matches. If you do not include the authentication-order statement, users are verified based on their configured password. authentication-methodsOne or more authentication methods, listed in the order in which they should be tried. It can be one or more of the following: ! passwordVerify the user using the password configured for the user with the authentication statement at the [edit system login user] hierarchy level. ! radiusVerify the user using RADIUS authentication services. ! tacplusVerify the user using TACACS+ authentication services.
Default
Options
See Configure the Authentication Order on page 212. systemTo view this statement in the configuration. system-controlTo add this statement to the configuration.
245
auxiliary
auxiliary
Syntax
auxiliary { insecure; speed baud-rate ; type terminal-type ; } [edit system ports] Configure the characteristics of the auxiliary port, which is on the routers craft interface. The auxiliary port is disabled. insecureThe terminal connection is not secure enough to allow you to enter the superuser password. Default: The connection is secure. It is safe to enter the root password. speed baud-rateBaud rate of the port. If you change the speed on the auxiliary port, any user currently logged in through this port is logged off the system. Values: 9600, 19200, 38400, 57600, 115200 Default: 9600 baud type terminal-typeType of terminal that is connected to the port. Values: ansi, vt100, small-xterm, xterm Default: The terminal type is unknown, and the user is prompted for the terminal type.
Hierarchy Level Description Default Options
See Configure Console and Auxiliary Port Properties on page 235. systemTo view this statement in the configuration. system-controlTo add this statement to the configuration.
246
backup-router
backup-router
backup-router address <destination destination-address>; [edit system] Set a default router to use while the local router is booting and if the routing protocol processes fail to start. The JUNOS software removes the route to this router as soon as the software starts. addressAddress of the default router. destination destination-address(Optional) Destination address that is reachable through the backup router. Include this option to achieve network reachability while loading, configuring, and recovering the router, but without the risk of installing a default route in the forwarding table. Default: All hosts (default route) are reachable through the backup router.
Options
See Configure a Backup Router on page 205. systemTo view this statement in the configuration. system-controlTo add this statement to the configuration.
boot-server
boot-server address ; [edit system ntp] Configure the server that NTP queries when the router boots to determine the local date and time. When you boot the router, it issues an ntpdate request, which polls a network server to determine the local date and time. You need to configure a server that the router uses to determine the time when the router boots. Otherwise, NTP will not be able to synchronize to a time server if the servers time appears to be very far off of the local routers time.
addressAddress of an NTP server. You must specify an address, not a hostname. See Configure the NTP Boot Server on page 225. systemTo view this statement in the configuration. system-controlTo add this statement to the configuration.
247
broadcast
broadcast
broadcast address <key key-number <version value> <ttl value>; [edit system ntp] Configure the local router to operate in broadcast mode with the remote system at the specified address. In this mode, the local router sends periodic broadcast messages to a client population at the specified broadcast or multicast address. Normally, you include this statement only when the local router is operating as a transmitter. addressAddress on one of the local networks or a multicast address assigned to NTP. You must specify an address, not a hostname. Currently, the multicast address must be 224.0.1.1. key key-number(Optional) All packets sent to the address include authentication fields that are encrypted using the specified key number. Values: Any unsigned 32-bit integer ttl value(Optional) Time-To-Live (TTL) value to use. Range: 1 through 255 Default: 1 version value(Optional) Specify the version number to be used in outgoing NTP packets. Values: 1, 2, 3 Default: 3
Options
See Configure the NTP Time Server and Time Services on page 225. systemTo view this statement in the configuration. system-controlTo add this statement to the configuration.
broadcast-client
broadcast-client; [edit system ntp] Configure the local router to listen for broadcast messages on the local network to discover other servers on the same subnet. See Configure the Router to Listen for Broadcast Messages on page 228. systemTo view this statement in the configuration. system-controlTo add this statement to the configuration.
248
class
class
Syntax
class class-name { allow-commands "regular-expression"; deny-commands "regular-expression"; idle-timeout minutes ; permissions [ permissions ]; } [edit system login] Define login classes. class-nameA name you choose for the login class. The remaining statements are explained separately in this chapter.
See Define Login Classes on page 215. adminTo view this statement in the configuration. admin-controlTo add this statement to the configuration. user on page 276
See Also
Syntax Hierarchy Level Description Options Usage Guidelines Required Privilege Level
class class-name ; [edit system login user] Configure a users login class. You must configure one class for each user. class-nameOne of the classes defined at the [edit system login class] hierarchy level. See Configure User Accounts on page 220. adminTo view this statement in the configuration. admin-controlTo add this statement to the configuration.
compress-configuration-files
compress-configuration-files; [edit system] Compress the current operational configuration file. By default, the current operational configuration file is uncompressed, and is stored in the file juniper.conf, in the /config file system, along with the last three committed versions of the configuration. However, with large networks, the current configuration file might exceed the available space in the /config file system. Compressing the current configuration file allows the file to fit in the file system, typically reducing the size of the file by 90 percent. The current configuration file is compressed on the second commit of the configuration after the first commit is made to include the compress-configuration-files statement. The current operational configuration file is uncompressed. See Compress the Current Configuration File on page 208.
Default Usage Guidelines
249
console
systemTo view this statement in the configuration. system-controlTo add this statement to the configuration.
console
Syntax
console { insecure; speed baud-rate ; type terminal-type ; } [edit system ports] Configure the characteristics of the console port, which is on the routers craft interface. The console port is enabled, and its speed is set to 9600 baud. insecureThe terminal connection is not secure enough to allow you to enter the superuser password. Default: The connection is secure. That is, it is safe to enter the root password. speed baud-rateBaud rate of the port. If you change the speed on the auxiliary port, any user currently logged in through this port is forced off the system. Values: 9600, 19200, 38400, 57600, 115200 Default: 9600 baud type terminal-typeType of terminal that is connected to the port. Values: ansi, vt100, small-xterm, xterm Default: The terminal type is unknown, and the user is prompted for the terminal type.
Hierarchy Level Description Default Options
See Configure Console and Auxiliary Port Properties on page 235. systemTo view this statement in the configuration. system-controlTo add this statement to the configuration.
default-address-selection
default-address-selection; [edit system] Use the loopback interface, lo0, as the source address for all locally generated IP packets. The lo0 interface is the interface to the routers Routing Engine. The outgoing interface is used as the source address. See Configure the Source Address for Locally Generated TCP/IP Packets on page 236 and the JUNOS Internet Software Configuration Guide: Interfaces and Chassis. systemTo view this statement in the configuration. system-controlTo add this statement to the configuration.
Default Usage Guidelines
250
deny-commands
deny-commands
deny-commands "regular-expression"; [edit system login class] Specify the commands the user is denied permission to issue, even though the permissions set with the permissions statement would allow it. If you omit this statement and the allow-commands statement, users can issue only those commands for which they have access privileges through the permissions statement. regular-expressionExtended (modern) regular expression as defined in POSIX 1003.2. If it contains any spaces, operators, or wildcard characters, enclose it in quotation marks. See Deny or Allow Individual Commands on page 218. adminTo view this statement in the configuration. admin-controlTo add this statement to the configuration. allow-commands on page 243, user on page 276
Default
Options
See Also
251
dhcp-relay
dhcp-relay
Syntax
dhcp-relay { no-listen; maximum-hop-count number ; minimum-wait-time seconds; server [ address ]; interface interface-group { no-listen; maximum-hop-count number ; minimum-wait-time seconds; server [ address ]; } } [edit system], [edit system dhcp-relay] Configures a router or interface to act as a DHCP or BOOTP relay agent. DHCP relaying is disabled. no-listenStops packets from being forwarded on a logical interface, a group of logical interfaces, or router. maximum-hop-count numberIn the hops field of the BOOTP header, the maximum number of hops allowed. Default: 4 hops minimum-wait-time secondsIn the secs field of the BOOTP header, the minimum time allowed. Default: 0 seconds server [ address ]Sets IP Address or Addresses that specifies the DHCP server or BOOTP server for the router or interface. interface interface-groupSets a logical interface or group of logical interfaces with a specific dhcp-relay configuration.
Hierarchy Level
Description Default Options
See Configure the Router or Interface to Act as a DHCP/BOOTP Relay Agent on page 237. systemTo view this statement in the configuration. system-controlTo add this statement to the configuration.
252
diag-port-authentication
diag-port-authentication
diag-port-authentication (encrypted-password password | plain-text-password); [edit system] Configure a password for performing diagnostics on the routers SCB, SSB, SFM, or FEB port. For routers that have more than one SSB, the same password is used for both SSBs. Do not run diagnostics on the SCB, SSB, SFM, or FEB unless you have been instructed to do so by customer support personnel.
Default Options
No password is configured on the diagnostics port. encrypted-password password Use MD5 or other encrypted authentication. Specify the MD5 or other password. You can specify only one encrypted password for each user. plain-text-passwordUse a plain-text password. The CLI prompts you for the password and then encrypts it. The CLI displays the encrypted version, and the software places the encrypted version in its user database. You can specify only one plain-text password for each user.
See Configure a Password on the Diagnostics Port on page 242. systemTo view this statement in the configuration. system-controlTo add this statement to the configuration.
domain-name
domain-name domain-name ; [edit system] Configure the name of the domain in which the router is located. This is the default domain name that is appended to host names that are not fully qualified. domain-nameName of the domain. See Configure the Routers Domain Name on page 203. systemTo view this statement in the configuration. system-controlTo add this statement to the configuration.
253
domain-search
domain-search
Syntax Hierarchy Level Description Options
domain-search [domain-list ]; [edit system] Configure a list of domains to be searched. domain-listA list of domain names to search. The list can contain up to six domain names, with a total of up to 256 characters. See Configure Which Domains to Search on page 204. systemTo view this statement in the configuration. system-controlTo add this statement to the configuration.
full-name
full-name complete-name ; [edit system login user] Configure the complete name of a user. complete-nameFull name of the user. If the name contains spaces, enclose it in quotation marks. See Configure User Accounts on page 220. adminTo view this statement in the configuration. admin-controlTo add this statement to the configuration.
host-name
host-name host-name ; [edit system] Set the host name of the router. host-nameName of the router. See Configure the Routers Name and Addresses on page 201. systemTo view this statement in the configuration. system-controlTo add this statement to the configuration.
254
idle-timeout
idle-timeout
idle-timeout minutes ; [edit system login class] For a login class, configure the maximum time that a session can be idle before the user is logged off the router. The session times out after remaining at the CLI operational mode prompt for the specified time. If you omit this statement, a user is never forced off the system after extended idle times. minutesMaximum idle time. Range: 0 through 100,000 minutes See Configure the Timeout Value for Idle Login Sessions on page 220. adminTo view this statement in the configuration. admin-controlTo add this statement to the configuration. user on page 276
Default Options
See Also
255
location
location
Syntax
location { altitude feet ; country-code code ; hcoord horizontal-coordinate ; lata service-area ; latitude degrees ; longitude degrees ; npa-nxx number ; postal-code postal-code ; vcoord vertical-coordinate ; } [edit system] Configure the system location in various formats. altitude feetNumber of feet above sea level. country-code codeTwo-letter country code. hcoord horizontal-coordinateBellcore Horizontal Coordinate. lata service-areaLong distance service area. latitude degreesLatitude in degree format. longitude degreesLongitude in degree format. npa-nxx numberFirst six digits of the phone number (area code and exchange). postal-code postal-codePostal code. vcoord vertical-coordinateBellcore Vertical Coordinate.
See Configure the System Location on page 206. systemTo view this statement in the configuration. system-controlTo add this statement to the configuration.
256
login
login
Syntax
login { message text ; class class-name { allow-commands [ addresses ]; deny-commands [ addresses ]; idle-timeout minutes ; permissions [ permissions ]; } user user-name { full-name complete-name ; uid uid-value ; class class-name ; authentication authentication ; (encrypted-password password | plain-text-password); ssh-rsa public-key; ssh-dsa public-key; } } } [edit system] Configure user access to the router. The remaining statements are explained separately in this chapter. See Configure User Access on page 215. adminTo view this statement in the configuration. admin-controlTo add this statement to the configuration.
Hierarchy Level Description Options Usage Guidelines Required Privilege Level
message
message text ; [edit system login] Configure a system login message. textText of the message. See Configure a System Login Message on page 240. systemTo view this statement in the configuration. system-controlTo add this statement to the configuration
257
mirror-flash-on-disk
mirror-flash-on-disk
mirror-flash-on-disk; [edit system] Configure the hard drive to automatically mirror the contents of the compact flash. The hard drive maintains a synchronized mirror copy of the compact-flash contents. Data written to the compact flash is simultaneously updated in the mirrored copy of the hard drive. If the flash drive fails to read data, the hard drive automatically retrieves its mirrored copy of the flash disk. We recommend that you disable flash disk mirroring when you updgrade or downgrade the router. You cannot issue the request system snapshot command when you enable flash disk mirroring.
After you have enabled or disabled the mirror-flash-on-disk statement, you must reboot the router for your changes to take affect. To reboot, issue the request system reboot command.
See Configure Flash Disk Mirroring on page 205. systemTo view this statement in the configuration. system-controlTo add this statement to the configuration.
multicast-client
multicast-client <address>; [edit system ntp] For NTP, configure the local router to listen for multicast messages on the local network to discover other servers on the same subnet. address(Optional) One or more IP addresses. If you specify addresses, the router joins those multicast groups. Default: 224.0.1.1. See Configure the Router to Listen for Multicast Messages on page 228. systemTo view this statement in the configuration. system-controlTo add this statement to the configuration.
Options
258
name-server
name-server
Syntax
name-server { address ; } [edit system] Configure one or more DNS name servers. addressAddress of the name server. To configure multiple name servers, include multiple address options. See Configure a DNS Name Server on page 204. systemTo view this statement in the configuration. system-controlTo add this statement to the configuration.
no-redirects
no-redirects; [edit system] Disable the sending of protocol redirect messages by the router. To disable the sending of redirect messages on a per-interface basis, include the no-redirects statement at the [edit interfaces interface-name unit logical-unit-number family family ] hierarchy level.
Default Usage Guidelines Required Privilege Level
The router sends redirect messages. See Disable the Sending of Redirect Messages on the Router on page 236. systemTo view this statement in the configuration. system-controlTo add this statement to the configuration. The no-redirects statement in the JUNOS Internet Software Configuration Guide: Interfaces and Chassis.
See Also
259
ntp
ntp
Syntax
ntp { authentication-key number type type value password ; boot-server address ; broadcast <address> <key key-number> <version value> <ttl value>; broadcast-client; multicast-client <address>; peer address <key key-number> <version value> <prefer>; server address <key key-number> <version value> <prefer>; trusted-key [ key-numbers ]; }
[edit system] Configure the Network Time Protocol (NTP) on the router. The remaining statements are explained separately in this chapter. See Configure the Network Time Protocol on page 224. systemTo view this statement in the configuration. system-controlTo add this statement to the configuration.
peer
peer address <key key-number> <version value> <prefer>; [edit system ntp] For NTP, configure the local router to operate in symmetric active mode with the remote system at the specified address. In this mode, the local router and the remote system can synchronize each other. This configuration is useful in a network in which either the local router or the remote system might be a better source of time. addressAddress of the remote system. You must specify an address, not a hostname. key key-number(Optional) All packets sent to the address include authentication fields that are encrypted using the specified key number. Values: Any unsigned 32-bit integer prefer(Optional) Mark the remote system as the preferred host, which means that, if all other factors are equal, this remote system is chosen for synchronization among a set of correctly operating systems. version value(Optional) Specify the NTP version number to be used in outgoing NTP packets. Values: 1, 2, 3 Default: 3
Options
260
permissions
permissions
permissions [ permissions ]; [edit system login class] Configure the login access privileges to be provided on the router. permissionsPrivilege type. For a list of types, see Table 8 on page 216. See Configure Access Privilege Levels on page 216. adminTo view this statement in the configuration. admin-controlTo add this statement to the configuration. user on page 276
See Also
261
port
port
port number ; [edit system radius-server address ] Configure the port number on which to contact the RADIUS server. numberPort number on which to contact the RADIUS server. Default: 1812 (as specified in RFC 2138) See Configure RADIUS Authentication on page 209. systemTo view this statement in the configuration. system-controlTo add this statement to the configuration.
ports
Syntax
ports { auxiliary { insecure; speed baud-rate ; type terminal-type ; } console { insecure; speed baud-rate ; type terminal-type ; } } [edit system] Configure the properties of the console and auxiliary ports, which are located on the routers craft interface. The remaining statements are explained separately in this chapter. See Configure Console and Auxiliary Port Properties on page 235. systemTo view this statement in the configuration. system-controlTo add this statement to the configuration.
262
processes
processes
Syntax
processes { inet-process (enable | disable) failover (alternate-media | other-routing-engine); interface-control (enable | disable) failover (alternate-media | other-routing-engine); mib-process (enable | disable) failover (alternate-media | other-routing-engine); ntp (enable | disable) failover (alternate-media | other-routing-engine); routing (enable | disable) failover (alternate-media | other-routing-engine); snmp (enable | disable) failover (alternate-media | other-routing-engine); watchdog (enable | disable) failover (alternate-media | other-routing-engine) timeout seconds; } [edit system] Configure which JUNOS software processes are running on the router. All processes are enabled by default
Hierarchy Level Description Default
Never disable any of the software processes unless instructed to do so by a customer support engineer.
Options
failover (alternate-media | other-routing-engine)(Optional) For routers with redundant Routing Engines only, switch to backup media if a process fails repeatedly. If a process fails three times in quick succession, the router reboots from the alternate media or the other Routing Engine. timeout seconds(Optional) How often the system checks the watchdog timer, in seconds. If the watchdog timer has not been checked in the specified number of seconds, the system reloads. If you set the time value too low, it is possible for the system to reboot immediately after it loads. Values: 15, 60, 180 Default: 180 seconds (rounded up to 291 seconds by the JUNOS kernel)
See Disable JUNOS Software Processes on page 241. systemTo view this statement in the configuration. system-controlTo add this statement to the configuration.
263
protocol-version
protocol-version
protocol-version; [edit system services ssh] Specify ssh protocol version. protocol versionv1, v2, or [v1 v2] Default: [v1 v2] See Configure SSH Protocol Version on page 240 adminTo view this statement in the configuration. admin-controlTo add this statement to the configuration.
radius-server
Syntax
radius-server server-address { port number ; retry number ; secret password ; timeout seconds ; } [edit system] Configure the Remote Authentication Dial-In User Service (RADIUS). To configure multiple RADIUS servers, include multiple radius-server statements. The servers are tried in order and in a round-robin fashion until a valid response is received from one of the servers or until all the configured retry limits are reached.
Options
server-addressAddress of the RADIUS authentication server. The remaining statements are explained separately in this chapter.
See Configure RADIUS Authentication on page 209. systemTo view this statement in the configuration. system-controlTo add this statement to the configuration.
264
retry
retry
retry number ; [edit system radius-server server-address ] Number of times that the router attempts to contact a RADIUS authentication server. numberNumber of times to retry contacting a RADIUS server. Range: 1 through 10 Default: 3 See Configure RADIUS Authentication on page 209. systemTo view this statement in the configuration. system-controlTo add this statement to the configuration. timeout on page 272
See Also
root-authentication
Syntax
root-authentication { (encrypted-password "password" | plain-text-password); ssh-rsa "public-key"; ssh-dsa "public-key"; } [edit system] Configure the authentication methods for the root-level user, whose username is root. encrypted-password "password "Use MD5 or other encrypted authentication. Specify the MD5 or other password. You can specify only one encrypted password. plain-text-passwordUse a plain-text password. The CLI prompts you for the password and then encrypts it. The CLI displays the encrypted version, and the software places the encrypted version in its user database. You can specify only one plain-text password. ssh-rsa "public-key"Secure shell (ssh version 1) authentication. Specify the ssh public key. You can specify one or more public keys. ssh-dsa "public-key"Secure shell (ssh version 2) authentication. Specify the ssh public key. You can specify one or more public keys.
See Configure the Root Password on page 206. adminTo view this statement in the configuration. admin-controlTo add this statement to the configuration. authentication on page 244
See Also
265
root-login
root-login
root-login (allow | deny | deny-password); [edit system services ssh] Control user access through ssh. allowAllows users to log on to the router as root through ssh. Default: allow denyDisable users from logging on the router as root through ssh. deny-passwordAllows users to log onto the router as root through ssh when the authentication method (for example, RSA authentication) does not require a password.
See Configure Root Login on page 239 adminTo view this statement in the configuration. admin-controlTo add this statement to the configuration. Configure SSH Service on page 239.
See Also
secret
Syntax Hierarchy Level
secret password ; [edit system radius-server server-address ], [edit system tacplus-server server-address ] Configure the password to use with the RADIUS or TACACS+ server. The secret password used by the local router must match that used by the server. passwordPassword to use. Can include spaces. See Configure RADIUS Authentication on page 209 and Configure TACACS+ Authentication on page 210. systemTo view this statement in the configuration. system-controlTo add this statement to the configuration.
Description
Options Usage Guidelines
266
server
server
server address <key key-number> <version value> <prefer>; [edit system ntp] For NTP, configure the local router to operate in client mode with the remote system at the specified address. In this mode, the local router can be synchronized to the remote system, but the remote system never can be synchronized to the local router. addressAddress of the remote system. You must specify an address, not a hostname. key key-number(Optional) All packets sent to the address include authentication fields that are encrypted using the specified key number. Values: Any unsigned 32-bit integer prefer(Optional) Mark the remote system as preferred host, which means that, if all other are equal, this remote system is chosen for synchronization among a set of correctly operating systems. version value(Optional) Specify the version number to be used in outgoing NTP packets. Values: 1, 2, 3 Default: 3
Options
267
services
services
Syntax
services { finger { <connection-limit limit >; <rate-limit limit>; } rlogin { <connection-limit limit >; <rate-limit limit>; } ssh { root-login (allow | deny | deny-password); protocol-version [v1 v2]; <connection-limit limit>; <rate-limit limit >; } telnet { <connection-limit limit >; <rate-limit limit >; } } [edit system] Configure the router so that users on remote systems can access the local router using the finger, rlogin, ssh, and Telnet, and network utilities. connection-limit limit(Optional) Maximum number of established connections. Range: 1 through 250 Default: 75 rate-limit limit(Optional) Maximum number of connection attempts allowed per minute. Range: 1 through 250 Default: 150 fingerAllow finger requests from remote systems to the local router. rloginAllow rlogin access from remote systems to the local router sshAllow ssh access from remote systems to the local router. telnetAllow Telnet login from remote systems to the local router. The remaining statements are explained separately.
Options
See Configure System Services on page 238. systemTo view this statement in the configuration. system-controlTo add this statement to the configuration. protocol-version on page 264, root-login on page 266, Configure SSH Service on page 239
See Also
268
single-connection
single-connection
single-connection; [edit system tacplus-server server-address] Optimize attempts to connect to a TACACS+ server. The software maintains one open TCP connection to the server for multiple requests, rather than opening a connection for each connection attempt. See Configure TACACS+ Authentication on page 210. systemTo view this statement in the configuration. system-controlTo add this statement to the configuration.
static-host-mapping
Syntax
static-host-mapping { host-name { inet [ address ]; sysid system-identifier ; alias [ alias ]; } } [edit system] Map a host name to one or more IP addresses and aliases, and configure an ISO system identifier (sysid). alias alias(Optional) Alias for the host name. host-nameFully qualified host name. inet addressIP address. You can specify one or more IP addresses for the host. sysid system-identifierISO system identifier (sysid). It is the 6-byte sysid portion of the IS-IS NSAP. We recommend that you use the hosts IP address represented in binary-coded decimal (BCD) format. For example, the IP address 208.197.169.18 would be 2081.9716.9018 in BCD.
Options
See Configure the Routers Name and Addresses on page 201. systemTo view this statement in the configuration. system-controlTo add this statement to the configuration.
269
syslog
syslog
Syntax
syslog { file filename { facility level ; archive { files number ; size size ; (world-readable | no-world-readable); } } host hostname { facility level ; facility-override facility; log-prefix string; } user (username | *) { facility level ; } console { facility level ; } archive { files number ; size size ; (world-readable | no-world-readable); } } [edit system] Configure the types of syslog messages to log to files, remote host, user terminals, and the system console. archiveConfigure how to archive system logging files. consoleConfigure the types of syslog messages to log to the system console. facility levelClass of log messages. To specify multiple classes, include multiple facility level options. It can be one or more of the facilities listed in Table 11 on page 230. facility-override facilityWhen sending files to a remote host, override the facility. file filenameConfigure the types of syslog messages to log to the specified file. To log messages to more than one file, include more than one file option. files numberMaximum number of system log files. When a log file named syslog-file reaches its maximum size, it is renamed as syslog-file.0, then as syslog-file.1, and so on, until the maximum number of log files is reached. Then, the oldest log file is overwritten. Range: 1 through 1000 Default: 10 files host hostnameConfigure the types of syslog messages to log to the specified remote host. Specify the IP address or the fully qualified domain name of the host. To log messages to more than one host, include more than one host option.
Options
270
system
levelPriority of the message. It can be one or more of the priorities listed in Table 12. log-prefix stringWhen sending log messages to a remote host, prepend a string to the log message. no-world-readableSystem logging files can be read only by a limited group of users. This is the default. size sizeMaximum size of each system log file, in kilobytes (KB), megabytes (MB), or gigabytes (GB). When a system log file named syslog-file reaches this size, it is renamed as syslog-file.0. When the syslog-file again reaches its maximum size, syslog-file.0 is renamed as syslog-file.1 and syslog-file is renamed as syslog-file.0. This renaming scheme continues until the maximum number of log files is reached. Then, the oldest log file is overwritten. Syntax: x k to specify KB, x m to specify MB, or x g to specify GB Range: 64 KB through 1 GB user (username | *)Configure the types of syslog messages to log to the specified users terminal session. To log messages to more than one user, include more than one user option. To log messages to the terminal sessions of all users who are currently logged in, specify an asterisk instead of a username. world-readableSystem logging files can be read by anyone. Default: no-world-readable
See Configure System Logging on page 229. systemTo view this statement in the configuration. system-controlTo add this statement to the configuration. The options statement in the JUNOS Internet Software Configuration Guide: Routing and Routing Protocols.
See Also
system
Syntax Hierarchy Level Description Usage Guidelines Required Privilege Level
system { ... } [edit] Configure system management properties. See System Management Configuration Statements on page 197. systemTo view this statement in the configuration. system-controlTo add this statement to the configuration.
271
tacplus-server
tacplus-server
Syntax
tacplus-server server-address { secret password ; single-connection; timeout seconds ; } Configure the Terminal Access Controller Access Control System Plus (TACACS+). [edit system] server-addressAddress of the TACACS+ authentication server. The remaining statements are explained separately.
Description Hierarchy Level Options
See Configure TACACS+ Authentication on page 210. systemTo view this statement in the configuration. system-controlTo add this statement to the configuration.
timeout
Syntax Hierarchy Level
timeout seconds ; [edit system radius-server server-address ], [edit system tacplus-server server-address ] Configure the amount of time that the local router waits to receive a response from a RADIUS or TACACS+ server. secondsAmount of time to wait. Range: 1 through 90 Default: 3 seconds See Configure RADIUS Authentication on page 209 and Configure TACACS+ Authentication on page 210. systemTo view this statement in the configuration. system-controlTo add this statement to the configuration. retry on page 265
Description
Options
Usage Guidelines
See Also
272
time-zone
time-zone
Syntax Hierarchy Level Description Default Options
time-zone time-zone ; [edit system] Set the local time zone. UTC time-zoneTime zone. To have the time zone change take effect for all processes running on the router, you must reboot the router. Specify the time zone either as UTC, which is the default time zone, or use one of the following continent/country/zone primary names:
Africa/Abidjan, Africa/Accra, Africa/Addis_Ababa, Africa/Algiers, Africa/Asmera, Africa/Bamako, Africa/Bangui, Africa/Banjul, Africa/Bissau, Africa/Blantyre, Africa/Brazzaville, Africa/Bujumbura, Africa/Cairo, Africa/Casablanca, Africa/Ceuta, Africa/Conakry, Africa/Dakar, Africa/Dar_es_Salaam, Africa/Djibouti, Africa/Douala, Africa/El_Aaiun, Africa/Freetown, Africa/Gaborone, Africa/Harare, Africa/Johannesburg, Africa/Kampala, Africa/Khartoum, Africa/Kigali, Africa/Kinshasa, Africa/Lagos, Africa/Libreville, Africa/Lome, Africa/Luanda, Africa/Lubumbashi, Africa/Lusaka, Africa/Malabo, Africa/Maputo, Africa/Maseru, Africa/Mbabane, Africa/Mogadishu, Africa/Monrovia, Africa/Nairobi, Africa/Ndjamena, Africa/Niamey, Africa/Nouakchott, Africa/Ouagadougou, Africa/Porto-Novo, Africa/Sao_Tome, Africa/Timbuktu, Africa/Tripoli, Africa/Tunis, Africa/Windhoek America/Adak, America/Anchorage, America/Anguilla, America/Antigua, America/Aruba, America/Asuncion, America/Barbados, America/Belize, America/Bogota, America/Boise, America/Buenos_Aires, America/Caracas, America/Catamarca, America/Cayenne, America/Cayman, America/Chicago, America/Cordoba, America/Costa_Rica, America/Cuiaba, America/Curacao, America/Dawson, America/Dawson_Creek, America/Denver, America/Detroit, America/Dominica, America/Edmonton, America/El_Salvador, America/Ensenada, America/Fortaleza, America/Glace_Bay, America/Godthab, America/Goose_Bay, America/Grand_Turk, America/Grenada, America/Guadeloupe, America/Guatemala, America/Guayaquil, America/Guyana, America/Halifax, America/Havana, America/Indiana/Knox, America/Indiana/Marengo, America/Indiana/Vevay, America/Indianapolis, America/Inuvik, America/Iqaluit, America/Jamaica, America/Jujuy, America/Juneau, America/La_Paz, America/Lima, America/Los_Angeles, America/Louisville, America/Maceio, America/Managua, America/Manaus, America/Martinique, America/Mazatlan, America/Mendoza, America/Menominee, America/Mexico_City, America/Miquelon, America/Montevideo, America/Montreal, America/Montserrat, America/Nassau, America/New_York, America/Nipigon, America/Nome, America/Noronha, America/Panama, America/Pangnirtung, America/Paramaribo, America/Phoenix, America/Port-au-Prince, America/Port_of_Spain, America/Porto_Acre, America/Puerto_Rico, America/Rainy_River, America/Rankin_Inlet, America/Regina, America/Rosario, America/Santiago, America/Santo_Domingo, America/Sao_Paulo, America/Scoresbysund, America/Shiprock, America/St_Johns, America/St_Kitts, America/St_Lucia, America/St_Thomas, America/St_Vincent, America/Swift_Current, America/Tegucigalpa, America/Thule, America/Thunder_Bay, America/Tijuana, America/Tortola, America/Vancouver, America/Whitehorse, America/Winnipeg, America/Yakutat, America/Yellowknife Antarctica/Casey, Antarctica/DumontDUrville, Antarctica/Mawson, Antarctica/McMurdo, Antarctica/Palmer, Antarctica/South_Pole Arctic/Longyearbyen Asia/Aden, Asia/Alma-Ata, Asia/Amman, Asia/Anadyr, Asia/Aqtau, Asia/Aqtobe, Asia/Ashkhabad, Asia/Baghdad, Asia/Bahrain, Asia/Baku, Asia/Bangkok, Asia/Beirut, Asia/Bishkek, Asia/Brunei, Asia/Calcutta, Asia/Chungking, Asia/Colombo, Asia/Dacca, Asia/Damascus, Asia/Dubai, Asia/Dushanbe, Asia/Gaza, Asia/Harbin, Asia/Hong_Kong, Asia/Irkutsk, Asia/Ishigaki, Asia/Jakarta, Asia/Jayapura, Asia/Jerusalem, Asia/Kabul, Asia/Kamchatka, Asia/Karachi, Asia/Kashgar, Asia/Katmandu, Asia/Krasnoyarsk,
273
time-zone
Asia/Kuala_Lumpur, Asia/Kuching, Asia/Kuwait, Asia/Macao, Asia/Magadan, Asia/Manila, Asia/Muscat, Asia/Nicosia, Asia/Novosibirsk, Asia/Omsk, Asia/Phnom_Penh, Asia/Pyongyang, Asia/Qatar, Asia/Rangoon, Asia/Riyadh, Asia/Saigon, Asia/Seoul, Asia/Shanghai, Asia/Singapore, Asia/Taipei, Asia/Tashkent, Asia/Tbilisi, Asia/Tehran, Asia/Thimbu, Asia/Tokyo, Asia/Ujung_Pandang, Asia/Ulan_Bator, Asia/Urumqi, Asia/Vientiane, Asia/Vladivostok, Asia/Yakutsk, Asia/Yekaterinburg, Asia/Yerevan Atlantic/Azores, Atlantic/Bermuda, Atlantic/Canary, Atlantic/Cape_Verde, Atlantic/Faeroe, Atlantic/Jan_Mayen, Atlantic/Madeira, Atlantic/Reykjavik, Atlantic/South_Georgia, Atlantic/St_Helena, Atlantic/Stanley Australia/Adelaide, Australia/Brisbane, Australia/Broken_Hill, Australia/Darwin, Australia/Hobart, Australia/Lindeman, Australia/Lord_Howe, Australia/Melbourne, Australia/Perth, Australia/Sydney Europe/Amsterdam, Europe/Andorra, Europe/Athens, Europe/Belfast, Europe/Belgrade, Europe/Berlin, Europe/Bratislava, Europe/Brussels, Europe/Bucharest, Europe/Budapest, Europe/Chisinau, Europe/Copenhagen, Europe/Dublin, Europe/Gibraltar, Europe/Helsinki, Europe/Istanbul, Europe/Kaliningrad, Europe/Kiev, Europe/Lisbon, Europe/Ljubljana, Europe/London, Europe/Luxembourg, Europe/Madrid, Europe/Malta, Europe/Minsk, Europe/Monaco, Europe/Moscow, Europe/Oslo, Europe/Paris, Europe/Prague, Europe/Riga, Europe/Rome, Europe/Samara, Europe/San_Marino, Europe/Sarajevo, Europe/Simferopol, Europe/Skopje, Europe/Sofia, Europe/Stockholm, Europe/Tallinn, Europe/Tirane, Europe/Vaduz, Europe/Vatican, Europe/Vienna, Europe/Vilnius, Europe/Warsaw, Europe/Zagreb, Europe/Zurich Indian/Antananarivo, Indian/Chagos, Indian/Christmas, Indian/Cocos, Indian/Comoro, Indian/Kerguelen, Indian/Mahe, Indian/Maldives, Indian/Mauritius, Indian/Mayotte, Indian/Reunion Pacific/Apia, Pacific/Auckland, Pacific/Chatham, Pacific/Easter, Pacific/Efate, Pacific/Enderbury, Pacific/Fakaofo, Pacific/Fiji, Pacific/Funafuti, Pacific/Galapagos, Pacific/Gambier, Pacific/Guadalcanal, Pacific/Guam, Pacific/Honolulu, Pacific/Johnston, Pacific/Kiritimati, Pacific/Kosrae, Pacific/Kwajalein, Pacific/Majuro, Pacific/Marquesas, Pacific/Midway, Pacific/Nauru, Pacific/Niue, Pacific/Norfolk, Pacific/Noumea, Pacific/Pago_Pago, Pacific/Palau, Pacific/Pitcairn, Pacific/Ponape, Pacific/Port_Moresby, Pacific/Rarotonga, Pacific/Saipan, Pacific/Tahiti, Pacific/Tarawa, Pacific/Tongatapu, Pacific/Truk, Pacific/Wake, Pacific/Wallis, Pacific/Yap Usage Guidelines Required Privilege Level
See Set the Time Zone on page 223. systemTo view this statement in the configuration. system-controlTo add this statement to the configuration.
274
trusted-key
trusted-key
trusted-key [ key-numbers ]; [edit system ntp] For NTP, configure the keys you are allowed to use when you configure the local router to synchronize its time with other systems on the network. key-numbersOne or more key numbers. Each key can be any 32-bit unsigned integer except 0. See Configure NTP Authentication Keys on page 227. systemTo view this statement in the configuration. system-controlTo add this statement to the configuration. authentication-key on page 245, broadcast on page 248, peer on page 260, server on page 267
Options
See Also
uid
uid uid-value ; [edit system login user] Configure user identifier for a login account. uid-valueNumber associated with the login account. This value must be unique on the router. Range: 100 through 64000 See Configure User Access on page 215. adminTo view this statement in the configuration. admin-controlTo add this statement to the configuration.
275
user
user
Syntax
user user-name { full-name complete-name ; uid uid-value ; class class-name ; authentication { (encrypted-password password | plain-text-password); ssh-rsa public-key; ssa-dsa public-key; } } [edit login] Configure access permission for individual users. The remaining statements are explained separately in this chapter. See Configure User Access on page 215. adminTo view this statement in the configuration. admin-controlTo add this statement to the configuration. class on page 249
See Also
276

! Router Chassis Configuration Guidelines on page 279 ! Summary of Router Chassis Configuration Statements on page 289
277
278
Chapter 26 Router Chassis Configuration Guidelines

You can configure properties of the router chassis, including the clock source, conditions that activate the red and yellow alarm LEDs on the routers craft interface, and SONET/SDH framing and concatenation properties for individual PICs. To configure router chassis properties, you include statements at the [edit chassis] hierarchy level of the configuration:
chassis { aggregated-devices { ethernet { device-count number ; } sonet { device-count number ; } } alarm { interface-type { alarm-name (red | yellow | ignore); } } fpc slot-number { pic pic-number { framing (sdh | sonet); no-concatenate; } } (packet-scheduling | no-packet-scheduling); (source-route | no-source-route); redundancy { failover on-loss-of-keepalives; keepalive-time seconds; routing-engine slot-number (master | backup | disabled); ssb slot-number (always | preferred); } }
This chapter describes the following tasks for configuring the router chassis: ! Minimum Chassis Configuration on page 280 ! Configure Aggregated Devices on page 280 ! Configure Conditions That Trigger Alarms on page 280 ! Configure SONET/SDH Framing on page 283
Router Chassis Configuration Guidelines
279
Minimum Chassis Configuration
! Configure Channelized PIC Operation on page 283 ! Configure the Drop Policy for Traffic with Source-Route Constraints on page 284 ! Configure Redundancy on page 284 ! Configure Packet Scheduling on page 288
Minimum Chassis Configuration

All the statements at the [edit chassis] hierarchy level of the configuration are optional.
Configure Aggregated Devices

JUNOS software supports the aggregation of physical devices into defined virtual links, such as the link aggregation of Ethernet interfaces defined by the IEEE 802.3ad standard. To define the virtual links, you need to specify the associations between physical and logical devices within the [edit interfaces] hierarchy, and assign the correct number of logical devices by including the device-count statement at the [edit chassis aggregated-devices ethernet] and [edit chassis aggregated-devices sonet] hierarchy levels:
[edit chassis] aggregated-devices { ethernet { device-count 16; } sonet { device-count 16; } }
The maximum number of logical devices you can assign is 16. For more information on physical and logical interfaces using aggregated links, including sample configurations, see the JUNOS Internet Software Configuration Guide: Interfaces, Class of Service, and Firewalls.
Configure Conditions That Trigger Alarms

For the different types of Physical Interface Connectors (PICs), you can configure which conditions trigger alarms and whether they trigger a red or yellow alarm, or are ignored. Red alarm conditions light the RED ALARM LED on the routers craft interface and trigger an audible alarm if one is connected to the contacts on the craft interface. Yellow alarm conditions light the YELLOW ALARM LED on the routers craft interface and trigger an audible alarm if one is connected to the craft interface.
280
To configure conditions that trigger alarms and that can occur on any interface of the specified type, include the alarm statement at the [edit chassis] hierarchy level:
[edit chassis] alarm { interface-type { alarm-name (red | yellow | ignore); } }
alarm-name is the name of an alarm. Table 14 lists the systemwide alarms and the alarms for each interface type.
Table 14: Configurable PIC Alarm Conditions

Interface/System
SONET/SDH and ATM
Alarm Condition
Link alarm indication signal Path alarm indication signal Signal degrade (SD) Signal fail (SF) Loss of cell delineation (ATM only) Loss of framing Loss of light Loss of pointer Loss of signal Phase locked loop out of lock STS payload label (C2) mismatch Line remote failure indication Path remote failure indication STS path (C2) unequipped
Configuration Option
ais-l ais-p ber-sd ber-sf locd lof lol lop-p los pll plm-p rfi-l rfi-p uneq-p ais exz ferf idle lcv lof los pll ylw link-down ais ylw link-down
E3/T3
Alarm indicator signal Excessive numbers of zeros Failure of the far end Idle alarm Line code violation Loss of frame Loss of signal Phase locked loop out of lock Yellow alarm
Ethernet DS-1
Link has gone down Alarm indicator signal Yellow alarm
Management-Ethernet
Link has gone down
281
Chassis Conditions That Trigger Alarms

Various conditions related to the chassis components trigger yellow and red alarms. You cannot configure these conditions. Table 15 lists the alarms that the chassis components can generate.
Table 15: Chassis Component Alarm Conditions

Chassis Component
Fans
Alarm Condition
One fan has been removed from the chassis. Two or more fans have been removed from the chassis. One fan in the chassis is installed but not spinning.
Alarm Severity
Yellow Red Red Yellow Red
Power supplies
A power supply has been removed from the chassis. A power supply has failed. If both power supplies fail, the router shuts down and the software might report the failures in the syslog file.
Temperature
Chassis temperature has exceeded 54 degrees Centigrade and the fans have been turned on to full speed. Chassis temperature has exceeded 75 degrees Centigrade and the router has been shut down. The temperature sensor has failed.
Yellow Red Red Red
SCB/SSB/FEB/SFM
The control board (SCB, SSB, FEB, or SFM, depending on model) has failed. If this occurs, the board attempts to reboot. An FPC has failed. If this occurs, the FPC attempts to reboot. If the SCB sees that an FPC is rebooting too often, it shuts down the FPC. The craft interface has failed. Too many hot-swap interrupts are occurring. This message generally indicates that a hardware component that plugs into the routers backplane from the front (generally, an FPC) is broken.
FPC
Red
Craft interface Hot swapping
Red Red
Silence External Devices

You can manually silence external devices connected to the alarm relay contacts by pressing the alarm cutoff button located on the craft interface front panel. Silencing the device does not remove the alarm messages from the display (if present on the router) or extinguish the alarm LEDs. In addition, new alarms that occur after an external device is silenced reactivate the external device.
282
Configure SONET/SDH Framing
Configure SONET/SDH Framing

By default, SONET/SDH PICs use SONET framing. For discussion of the differences between the two standards, see the JUNOS Internet Software Configuration Guide: Interfaces, Class of Service, and Firewalls. To configure a PIC to use SDH framing, include the framing statement at the [edit chassis fpc slot-number pic pic-number ] hierarchy level, specifying the sdh option:
[edit chassis] user@host# set fpc slot-number pic pic-number framing sdh [edit chassis] user@host# show fpc slot-number { pic pic-number { framing sdh; } }
To explicitly configure a PIC to use SONET framing, include the framing statement at the [edit chassis fpc slot-number pic pic-number ] hierarchy level, specifying the sonet option:
[edit chassis] user@host# set fpc slot-number pic pic-number framing sonet [edit chassis] user@host# show fpc slot-number { pic pic-number framing sonet; } }
Configure Channelized PIC Operation

By default, packet-over-SONET PICs (interfaces with names so-fpc/pic/port ) operate in concatenated mode, a mode in which the bandwidth of the interface is in a single channel. To configure a PIC to operate in channelized (multiplexed) mode, include the no-concatenate statement at the [edit chassis fpc slot-number pic pic-number ] hierarchy level:
[edit chassis] user@host# set fpc slot-number pic pic-number no-concatenate [edit chassis] user@host# show fpc slot-number { pic pic-number no-concatenate; } }
283
Configure the Drop Policy for Traffic with Source-Route Constraints
When configuring and displaying information about interfaces that are operating in channelized mode, you must specify the channel number in the interface name (physical:channel); for example, so-2/2/0:0 and so-2/2/0:1. For more information about interface names, see the JUNOS Internet Software Configuration Guide: Interfaces, Class of Service, and Firewalls. When you switch between concatenated mode (the default mode of operation) and nonconcatenated mode, you must reboot an M20 or M40 router for the change to take effect. On M5, M10, or M160 routers, the change takes effect immediately without requiring a reboot on routers running JUNOS Internet software Release 4.2 or later; routers running Release 4.1 will require rebooting. On SONET OC-48 interfaces that are configured for channelized (multiplexed) mode, the bytes e1-quiet and bytes f1 options in the sonet-options statement have no effect. The bytes f2, bytes z3, bytes z4, and path-trace options work correctly on channel 0 and work in the transmit direction only on channels 1, 2, and 3. The M160 four-port channelized OC-12 PIC can run each of the OC-12 links in concatenated mode only and requires a Type 2 M160 FPC. The links cannot be configured in nonconcatenated mode. Similarly, the four-port OC-3 PIC cannot run in nonconcatenated mode on any platform.
Configure the Drop Policy for Traffic with Source-Route Constraints

By default, the router forwards IP traffic that has either loose or strict source-route constraints. However, you might want the router to use only the IP destination address on transit traffic for forwarding decisions. You can configure the router to discard IP traffic with source-route constraints by including the no-source-route statement at the [edit chassis] hierarchy level:
[edit chassis] no-source-route;
Configure Redundancy
For routers that have multiple Routing Engines or multiple System and Switch Boards (SSBs), you can configure redundancy properties. A separate log file is provided for redundancy logging, located at /var/log/mastership. This section describes the following tasks for configuring redundancy: ! Configure Routing Engine Redundancy on page 285 ! Configure SSB Redundancy on page 288
284
Configure Routing Engine Redundancy

For routers with two Routing Engines, you can configure which Routing Engine is the master and which is the backup. By default, the Routing Engine in slot 0 is the master and the one in slot 1 is the backup. To modify the default configuration, include the routing-engine statement at the [edit chassis redundancy] hierarchy level:
[edit chassis redundancy] routing-engine slot-number (master | backup | disabled);
slot-number can be 0 or 1. To configure the Routing Engine to be the master, specify the master option. To configure it to be the backup, specify the backup option. To switch between the master and the backup Routing Engines, you must modify the configuration and then activate the configuration by issuing the commit command. For routers that have two Routing Engines, both Routing Engines must be running JUNOS Internet software Release 4.0 or later. Do not run JUNOS Internet software Release 3.4 on one of the Routing Engines and Release 4.0 on the other. (Note that Release 3.4 does not support Routing Engine redundancy, so if you are using this release of the software, only one Routing Engine can be installed in the router. It can be installed in either slot.) If you have Release 3.4 installed on one of the Routing Engines and Release 4.0 or later on the other, either remove the backup Routing Engine from the router or install Release 4.0 or later on that Routing Engine. You must also ensure that both Routing Engines have the same configuration file. You can use either the console port or the management Ethernet (fxp0) port to establish connectivity between the two Routing Engines. You can then copy or ftp the configuration from the master to the backup, and load the file and commit it in the normal way. For further information, see the JUNOS Internet Software Configuration Guide: Installation and System Management. To make a tty connection to the other Routing Engine using the routers internal Ethernet network, issue the following command:
user@host > request routing-engine login (other-routing-engine | re0 | re1)
Copy a Configuration File from One Routing Engine to the Other

To copy a configuration file from one Routing Engine to the other, you use the existing file copy command:
user@host > file copy source destination
In this case, source is the name of the configuration file. These files are stored in the directory /config. The active configuration is /config/juniper.conf, and older configurations are in /config/juniper.conf { 1...9 }. destination is a file on the other Routing Engine.
285
The following is an example of copying a configuration file from Routing Engine 0 to Routing Engine 1:
user@host> file copy /config/juniper.conf re1:/var/tmp/copied-juniper.conf
To load the file into configuration mode, use the load replace configuration mode command:
user@host% load replace /var/tmp/copied-juniper.conf
Make sure you change any IP addresses specified in fxp0 on Routing Engine 0 to addresses appropriate for Routing Engine 1.
You can use configuration groups to ensure that the correct IP addresses are used for each Routing Engine and to maintain a single configuration file for both Routing Engines. The following example defines configuration groups re0 and re1 with separate IP addresses. These well-known configuration group names take effect only on the appropriate Routing Engine.
groups { re0 { system { host-name my-re0; } interfaces { fxp0 { description "10/100 Management interface"; unit 0 { family inet { address 10.255.2.40/24; } } } } } re1 { system { host-name my-re1; } interfaces { fxp0 { description "10/100 Management interface"; unit 0 { family inet { address 10.255.2.41/24; } } } } } }
For more information on the configuration groups feature, see Configuration Groups on page 149.
286
Load a Package from the Other Routing Engine

You can load a package from the other Routing Engine onto the local Routing Engine using the existing request system software add package-name command:
user@host > request system software add re(0|1):/filename
In the re portion of the URL, specify the number of the other Routing Engine. In the filename portion of the URL, specify the path to the package. Packages are typically in the directory /var/sw/pkg.
Change over to the Backup Routing Engine

Once you have configured a backup Routing Engine, you can direct it to assume mastership automatically if it detects loss of keepalive signal from the master. By default, this feature is disabled; to enable it, include the failover on-loss-of-keepalives statement at the [edit chassis redundancy] hierarchy level:
[edit chassis redundancy] failover on-loss-of-keepalives;
By default, failover will occur after 300 seconds (5 minutes). To change the keepalive time period, include the keepalive-time statement at the [edit chassis redundancy] hierarchy level:
[edit chassis redundancy] keepalive-time seconds;
The range for keepalive-time is 300 through 10,000 seconds. The sequence of events is as follows: 1. 2. After 20 seconds of keepalive loss, a message is logged. After 300 seconds of keepalive loss (default setting), the backup Routing Engine attempts to assume mastership. An alarm is generated whenever the backup is active and the display is updated with status. Once the backup Routing Engine assumes mastership, it will continue to function as master even after the originally configured master Routing Engine has successfully resumed operation. Operator intervention is required to restore its previous backup status. However, if at any time one of the Routing Engines is not present, the other one becomes master automatically, regardless of how redundancy is configured.
3.
287
Configure Packet Scheduling
Configure SSB Redundancy

For routers with two System and Switch Boards, you can configure which SSB is the master and which is the backup. By default, the SSB in slot 0 is the master and the one in slot 1 is the backup. To modify the default configuration, include the ssb statement at the [edit chassis redundancy] hierarchy level:
[edit chassis redundancy] ssb slot-number (always | preferred);
slot-number can be 0 or 1. always defines the ssb as the sole device. preferred defines the ssb as the preferred device of at least two.
Configure Packet Scheduling

The packet scheduling is for an M160 router only. By default, packet scheduling is disabled. To configure a router to operate in packet scheduling mode, include the packet-scheduling statement at the [edit chassis] hierarchy level:
[edit chassis] packet-scheduling;
To explicity disable the packet scheduling, include the no-package-scheduling statement at [edit chassis] hierarchy level:
[edit chassis] no-packet-scheduling;
When you enable packet scheduling mode, the Packet Director ASIC schedules packet dispatches to compensate for transport delay differences, preserving the interpacket gaps as the packets are distributed from the Packet Director ASIC to the Packet Forwarding Engine. Whenever you change the configuration for packet scheduling, the system stops all SFMs and FPCs and restarts them in the new mode.
288
Chapter 27 Summary of Router Chassis Configuration Statements

The following sections explain each of the chassis configuration statements. The statements are organized alphabetically.
aggregated-devices
Syntax
aggregated-devices { ethernet { device-count number; } sonet { device-count number ; } } [edit chassis] Configure properties for aggregated devices on the router. The statements are explained separately. See Configure Aggregated Devices on page 280. interfaceTo view this statement in the configuration. interface-controlTo add this statement to the configuration.
Summary of Router Chassis Configuration Statements
289
alarm
alarm
Syntax
alarm { interface-type { alarm-name (red | yellow | ignore); } } [edit chassis] Configure the chassis alarms and whether they trigger a red or yellow alarm, or whether they are ignored. Red alarm conditions light the RED ALARM LED on the routers craft interface and trigger an audible alarm if one is connected to the contact on the craft interface. Yellow alarm conditions light the YELLOW ALARM LED on the routers craft interface and trigger an audible alarm if one is connected to the craft interface. To configure more than one alarm, include multiple alarm-name lines.
Options
alarm-nameAlarm condition. For a list of conditions, see Table 14 on page 281. ignoreThe specified alarm condition does not set off any alarm. interface-typeType of interface on which you are configuring the alarm. It can be one of the following: atm, ethernet, sonet, or t3. redThe specified alarm condition sets off a red alarm. yellowThe specified alarm condition sets off a yellow alarm.
See Chassis Conditions That Trigger Alarms on page 282. interfaceTo view this statement in the configuration. interface-controlTo add this statement to the configuration.
chassis
chassis { ... } [edit] Configure router chassis properties. See Router Chassis Configuration Guidelines on page 279. interfaceTo view this statement in the configuration. interface-controlTo add this statement to the configuration.
290
device-count
device-count
device-count number; [edit chassis aggregated-devices ethernet] Configure number of aggregated logical devices available to the router. See Configure Aggregated Devices on page 280. interfaceTo view this statement in the configuration. interface-controlTo add this statement to the configuration.
ethernet
Syntax
ethernet { device-count number; } [edit chassis aggregated-devices] Configure properties for Ethernet aggregated devices on the router. See Configure Aggregated Devices on page 280. interfaceTo view this statement in the configuration. interface-controlTo add this statement to the configuration.
Hierarchy Level Description Usage Guidelines Required Privilege Level
failover
failover on-loss-of-keepalives; [edit chassis redundancy] Instruct backup router to assume mastership if it detects loss of keepalive signal. See Configure Routing Engine Redundancy on page 285. interfaceTo view this statement in the configuration. interface-controlTo add this statement to the configuration.
291
fpc
fpc
Syntax
fpc slot-number { pic pic-number { framing (sdh | sonet); no-concatenate; } } [edit chassis] Configure properties for the Physical Interface Cards (PICs) in individual Flexible PIC Concentrators (FPCs). slot-numberSlot number in which the FPC is installed. The remaining statements are explained separately in this chapter.
Options
Usage Guidelines
See Configure SONET/SDH Framing on page 283 and Configure Channelized PIC Operation on page 283. interfaceTo view this statement in the configuration. interface-controlTo add this statement to the configuration.
framing
framing (sdh | sonet); [edit chassis fpc slot-number pic pic-number] On SONET PICs only, configure the framing type. sdhSDH framing. sonetSONET framing. Default: sonet
See Configure SONET/SDH Framing on page 283. interfaceTo view this statement in the configuration. interface-controlTo add this statement to the configuration.
keepalive-time
keepalive-time seconds; [edit chassis redundancy] Configure the time period that must elapse before backup router assumes mastership if it detects loss of keepalive signal. See Configure Routing Engine Redundancy on page 285. interfaceTo view this statement in the configuration. interface-controlTo add this statement to the configuration.
292
no-concatenate
no-concatenate
no-concatenate; [edit chassis fpc slot-number pic pic-number] Do not concatenate (multiplex) the output of a packet-over-SONET PIC (an interface with a name so-fpc/pic/port ). When configuring and displaying information about interfaces that are operating in channelized mode, you must specify the channel number in the interface name (physical:channel); for example, so-2/2/0:0 and so-2/2/0:1. For more information about interface names, see the JUNOS Internet Software Configuration Guide: Interfaces, Class of Service, and Firewalls. On SONET OC-48 interfaces that are configured for channelized (multiplexed) mode, the bytes e1-quiet and bytes f1 options in the sonet-options statement have no effect. The bytes f2, bytes z3, bytes z4, and path-trace options work correctly on channel 0 and work in the transmit direction only on channels 1, 2, and 3.
Default Usage Guidelines Required Privilege Level
Output is concatenated (multiplexed). See Configure Channelized PIC Operation on page 283. interfaceTo view this statement in the configuration. interface-controlTo add this statement to the configuration. JUNOS Internet Software Configuration Guide: Interfaces, Class of Service, and Firewalls.
See Also
packet-scheduling
(packet-scheduling | no-packet-scheduling); [edit chassis] Enable packet scheduling mode, in which the Packet Director ASIC schedules packet dispatches to compensate for transport delay differences, preserving the interpacket gaps as the packets are distributed from the Packet Director ASIC to the Packet Forwarding Engine. no-packet-schedulingDo not schedule packets. packet-schedulingSchedule packets to preserve interpacket gaps.
Options
Default: Usage Guidelines Required Privilege Level
no-packet-scheduling See Configure Packet Scheduling on page 288. interfaceTo view this statement in the configuration. interface-controlTo add this statement to the configuration.
293
pic
pic
Syntax
pic pic-number { framing (sdh | sonet); no-concatenate; } [edit chassis fpc slot-number] Configure properties for an individual Physical Interface Card (PIC). pic-numberSlot number in which the FPC is installed. The remaining statements are explained separately in this chapter.
Usage Guidelines
See Configure SONET/SDH Framing on page 283 and Configure Channelized PIC Operation on page 283. interfaceTo view this statement in the configuration. interface-controlTo add this statement to the configuration.
redundancy
Syntax
redundancy { failover on-loss-of-keepalives; keepalive-time seconds; routing-engine slot-number (backup | disabled | master); ssb slot-number (always | preferred); } [edit chassis] You can configure a redundant Routing Engine or System and Switch Board (SSB) in the chassis as a secondary backup for the chassis. By default, the Routing Engine in slot 0 is the master Routing Engine and the Routing Engine in slot 1 is the backup Routing Engine. The switchover from the master Routing Engine to the backup Routing Engine is performed manually. This feature can be used for software upgrades. New software can be loaded on the backup Routing Engine and when the routing engine is ready, you can switch the mastership over, with a brief interruption in traffic. Slot 0 is preferred. The statements are explained separately. See Configure Redundancy on page 284. interfaceTo view this statement in the configuration. interface-controlTo add this statement to the configuration.
Default Options Usage Guidelines Required Privilege Level
294
routing-engine
routing-engine
routing-engine slot-number (backup | disabled | master); [edit chassis redundancy] You can configure a redundant Routing Engine in the chassis as a secondary backup for the chassis. By default, the Routing Engine in slot 0 is the master Routing Engine and the Routing Engine in slot 1 is the backup Routing Engine. The switchover from the master Routing Engine to the backup Routing Engine is performed manually. This feature can be used for software upgrades. New software can be loaded on the backup Routing Engine and when the routing engine is ready, you can switch the mastership over, with a brief interruption. Slot 0 is preferred. slot numberSpecify which slot is the master and which is the backup. masterRouting Engine in specified slot is the master. backupRouting Engine in specified slot is the backup. disabledRouting Engine in specified slot is disabled.
Default Options
See Configure Routing Engine Redundancy on page 285. interfaceTo view this statement in the configuration. interface-controlTo add this statement to the configuration.
sonet
Syntax
sonet { device-count number ; } [edit chassis aggregated-devices] Configure properties for SONET aggregated devices on the router. See Configure Aggregated Devices on page 280. interfaceTo view this statement in the configuration. interface-controlTo add this statement to the configuration.
Hierarchy Level Description Usage Guidelines Required Privilege Level
295
source-route
source-route
(source-route | no-source-route); [edit chassis] Configure whether IP traffic with source-route constraints (loose or strict) is forwarded or discarded. no-source-routeDiscard IP traffic that has loose or strict source-route constraints. Use this option when you want the router to use only the IP destination address on transit traffic for forwarding decisions. source-routeForward IP traffic that has loose or strict source-route constraints.
Options
Default: Usage Guidelines Required Privilege Level
source-route See Configure the Drop Policy for Traffic with Source-Route Constraints on page 284. interfaceTo view this statement in the configuration. interface-controlTo add this statement to the configuration.
ssb
ssb slot-number (always | preferred); [edit chassis redundancy] For routers with two System and Switch Boards (SSB), you can configure which is the master and which is the backup. By default, the SSB in slot 0 is the master and the one in slot 1 is the backup. Slot 0 is preferred. slot numberSpecify which slot is the master and which is the backup. alwaysDefines this SSB as the sole device. preferredDefines this SSB as the preferred device of at least two.
Default Options
See Configure SSB Redundancy on page 288. interfaceTo view this statement in the configuration. interface-controlTo add this statement to the configuration.
296
Part 6 Appendix
! Glossary on page 295
297
298
Appendix A Glossary A
AAL ATM adaptation layer. A series of protocols enabling various types of traffic, including voice, data, image, and video, to run over an ATM network. Route chosen from all routes in the routing table to reach a destination. Active routes are installed into the forwarding table. See ADM. See ARP.
active route
add/drop multiplexer Address Resolution Protocol adjacency
Portion of the local routing information that pertains to the reachability of a single neighbor over a single circuit or interface. Add/drop multiplexer. SONET functionality that allows lower-level signals to be dropped from a high-speed optical connection. Combination of groups of routes that have common addresses into a single entry in the routing table. American National Standards Institute. The United States representative to the ISO. Automatic Protection Switching. Technology used by SONET ADMs to protect against circuit faults between the ADM and a router and to protect against failing routers. Routing subdomain that maintains detailed routing information about its own internal composition and that maintains routing information that allows it to reach other routing subdomains. In IS-IS, an area corresponds to a Level 1 subdomain. In IS-IS and OSPF, a set of contiguous networks and hosts within an autonomous system that have been administratively grouped together.
ADM
aggregation
ANSI APS
area
area border router ARP AS
Router that belongs to more than one area. Used in OSPF. Address Resolution Protocol. Protocol for mapping IP addresses to MAC addresses. Autonomous system. Set of routers under a single technical administration. Each AS normally uses a single interior gateway protocol (IGP) and metrics to propagate routing information within the set of routers. Also called routing domain. In OSPF, routers that exchange routing information with routers in other ASs.
AS boundary router
Glossary
299
Glossary
AS external link advertisements
OSPF link-state advertisement sent by AS boundary routers to describe external routes that they know. These link-state advertisements are flooded throughout the AS (except for stub areas). In BGP, the route to a destination. The path consists of the AS numbers of all routers a packet must go through to reach a destination. Application-specific integrated circuit. Specialized processors that perform specific functions on the router. Asynchronous Transfer Mode. A high-speed multiplexing and switching method utilizing fixed-length cells of 53 octets to support multiple types of traffic. Smallest possible operation. An atomic operation is performed either entirely or not at all. For example, if machine failure prevents a transaction from completing, the system is rolled back to the start of the transaction, with no changes taking place. See APS.
AS path
ASIC
ATM
atomic
Automatic Protection Switching autonomous system autonomous system boundary router autonomous system external link advertisements autonomous system path
See AS. In OSPF, routers that exchange routing information with routers in other ASs.
OSPF link-state advertisement sent by autonomous system boundary routers to describe external routes that they know. These link-state advertisements are flooded throughout the autonomous system (except for stub areas). In BGP, the route to a destination. The path consists of the autonomous system numbers of all the routers a packet must pass through to reach a destination.
backbone area
In OSPF, an area that consists of all networks in area ID 0.0.0.0, their attached routers, and all area border routers. On an M40 router, component of the Packet Forwarding Engine that distributes power, provides signal connectivity, manages shared memory on FPCs, and passes outgoing data cells to FPCs. The range of transmission frequencies a network can use, expressed as the difference between the highest and lowest frequencies of a transmission channel. In computer networks, greater bandwidth indicates faster data-transfer rate capacity. Bell Communications Research. Research and development organization created after the divestiture of the Bell System. It is supported by the regional Bell holding companies (RBHCs), which own the regional Bell operating companies (RBOCs). Bit error rate test. A test that can be run on a T3 interface to determine whether it is operating properly. Border Gateway Protocol. Exterior gateway protocol used to exchange routing information among routers in different autonomous systems. See BERT.
backplane
bandwidth
Bellcore
BERT
BGP
bit error rate test
300
Glossary
BITS
Building Integrated Timing Source. Dedicated timing source that synchronizes all equipment in a particular building. See BGP.
Border Gateway Protocol broadcast bundle
Operation of sending network traffic from one network node to all other network nodes. Collection of software that makes up a JUNOS software release.
CCC
Circuit cross-connect. A JUNOS software feature that allows you to configure transparent connections between two circuits, where a circuit can be a Frame Relay DLCI, an ATM VC, a PPP interface, a Cisco HDLC interface, or an MPLS label-switched path (LSP). Customer edge device. Router or switch in the customer's network that is connected to a service provider's provider edge (PE) router and participates in a Layer 3 VPN. Cubic feet per minute. Measure of fan speed. See CSU/DSU. Classless interdomain routing. A method of specifying Internet addresses in which you explicitly specify the bits of the address to represent the network address instead of determining this information from the first octet of the address. Connector Interface Panel. On an M160 router, the panel that contains connectors for the Routing Engines, BITS interfaces, and alarm relay contacts. See CCC. See CoS. (Pronounced see-lek) Competitive Local Exchange Carrier. Company that competes with the already established local telecommunications business by providing its own network and switching. Common language equipment identifier. Inventory code used to identify and track telecommunications equipment. Command-line interface. Interface provided for configuring and monitoring the routing protocol software. In a BGP route reflection, a member of a cluster that is not the route reflector. See also nonclient peer. Connectionless Network Protocol. ISO-developed protocol for OSI connectionless network service. CLNP is the OSI equivalent of IP. In BGP, a set of routers that have been grouped together. A cluster consists of one system that acts as a route reflector, along with any number of client peers. The client peers receive their route information only from the route reflector system. Routers in a cluster do not need to be fully meshed.
CE device
CFM channel service unit CIDR
CIP
circuit cross-connect class of service CLEC
CLEI
CLI
client peer
CLNP
cluster
Glossary
301
Glossary
community
In BGP, a group of destinations that share a common property. Community information is included as one of the path attributes in BGP update messages. In BGP, a group of systems that appears to external autonomous systems to be a single autonomous system. In traffic engineering, a path determined using RSVP signaling and constrained using CSPF. The ERO carried in the packets contains the constrained path information. The central backbone of the network. Class of service. A group of privileges and features assigned to a particular service. Customer premises equipment. Telephone or other service provider equipment located at a customer site. Mechanisms used by a Communication Workers of America craftsperson to operate, administer, and maintain equipment or provision data communications. On a Juniper Networks router, the craft interface allows you to view status and troubleshooting information and perform system control functions. Complete sequence number PDU. Packet that contains a complete list of all the LSPs in the IS-IS database. Constrained Shortest Path First. An MPLS algorithm that has been modified to take into account specific restrictions when calculating the shortest path across the network. Channel service unit/data service unit. Channel service unit connects a digital phone line to a multiplexer or other digital signal device. Data service unit connects a DTE to a digital phone line. See CE device.
confederation
constrained path
core CoS CPE
craft interface
CSNP
CSPF
CSU/DSU
customer edge device
daemon
Background process that performs operations on behalf of the system software and hardware. Daemons normally start when the system software is booted, and they run as long as the software is running. In the JUNOS software, daemons are also referred to as processes. Method of reducing the number of update messages sent between BGP peers, thereby reducing the load on these peers without adversely affecting the route convergence time for stable routes. See DCE.
damping
data circuit-terminating equipment data-link connection identifier data service unit Data Terminal Equipment dcd DCE
See DLCI.
See CSU/DSU. See DTE.
The JUNOS software interface process (daemon). Data circuit-terminating equipment. RS-232-C device, typically used for a modem or printer, or a network access and packet switching node.
302
Glossary
default address denial of service dense wavelength-division multiplexing designated router
Router address that is used as the source address on unnumbered interfaces. See DoS. See DWDM.
In OSPF, a router selected by other routers that is responsible for sending link-state advertisements that describe the network, which reduces the amount of network traffic and the size of the routers topological databases. Number of bits of the network address used for host portion of a CIDR IP address.
destination prefix length DHCP
Dynamic Host Configuration Protocol. Allocates IP addresses dynamically so that they can be reused when they are no longer needed. See SPF. Dual inline memory module. 168-pin memory module that supports 64-bit data transfer. See interface routes. Data-link connection identifier. Identifier for a Frame Relay virtual connection (also called a logical interface). Denial of service. System security breach in which network services become unavailable to users. Dynamic random-access memory. Storage source on the router that can be accessed quickly by a process. Drop probabilities for different levels of buffer fullness that are used by RED to determine from which queue to drop packets. Data service unit. A device used to connect a DTE to a digital phone line. Converts digital data from a router to voltages and encoding required by the phone line. See also CSU/DSU. Data Terminal Equipment. RS-232-C interface that a computer uses to exchange information with a serial device. Distance Vector Multicast Routing Protocol. Distributed multicast routing protocol that dynamically generates IP multicast delivery trees using a technique called reverse path multicasting (RPM) to forward multicast traffic to downstream interfaces. Dense wavelength-division multiplexing. Technology that enables data from different sources to be carried together on an optical fiber, with each signal carried on its own separate wavelength. See DHCP.
Dijkstra algorithm DIMM direct routes DLCI
DoS
DRAM
drop profile
DSU
DTE
DVMRP
DWDM
Dynamic Host Configuration Protocol
Glossary
303
Glossary
EBGP
External BGP. BGP configuration in which sessions are established between routers in different ASs. Exchange Carriers Standards Association. A standards organization created after the divestiture of the Bell System to represent the interests of interexchange carriers. In MPLS, a router located at the beginning or end of a label-switching tunnel. When at the beginning of a tunnel, an edge router applies labels to new packets entering the tunnel. When at the end of a tunnel, the edge router removes labels from packets exiting the tunnel. See also MPLS. Exterior gateway protocol, such as BGP. In MPLS, last router in a label-switched path (LSP). See also ingress router. Electronic Industries Association. A United States trade group that represents manufacturers of electronics devices and sets standards and specifications. Electromagnetic interference. Any electromagnetic disturbance that interrupts, obstructs, or otherwise degrades or limits the effective performance of electronics or electrical equipment. In IS-IS, network entity that sends and receives packets. Explicit Route Object. Extension to RSVP that allows an RSVP PATH message to traverse an explicit sequence of routers that is independent of conventional shortest-path IP routing. See signaled path. See ERO. To place routes from the routing table into a routing protocol. See EBGP. A cost included in a route when OSPF exports route information from external autonomous systems. There are two types of external metrics: Type 1 and Type 2. Type 1 external metrics are equivalent to the link-state metric; that is, the cost of the route, used in the internal autonomous system. Type 2 external metrics are greater than the cost of any path internal to the autonomous system.
ECSA
edge router
EGP egress router EIA
EMI
end system ERO
explicit path Explicit Route Object export external BGP external metric
fast reroute
Mechanism for automatically rerouting traffic on an LSP if a node or link in an LSP fails, thus reducing the loss of packets traveling over the LSP. Far-end alarm and control. T3 signal used to send alarm or status information from the far-end terminal back to the near-end terminal and to initiate T3 loopbacks at the far-end terminal from the near-end terminal. Forwarding Engine Board. In M5 and M10 routers, provides route lookup, filtering, and switching to the destination port. See damping. See route flapping.
FEAC
FEB
flap damping flapping
304
Glossary
Flexible PIC Concentrator Forwarding Engine Board forwarding information base forwarding table
See FPC.
See FEB.
See forwarding table.
JUNOS software forwarding information base (FIB). The JUNOS routing protocol process installs active routes from its routing tables into the Routing Engine forwarding table. The kernel copies this forwarding table into the Packet Forwarding Engine, which is responsible for determining which interface transmits the packets. Flexible PIC Concentrator. An interface concentrator on which PICs are mounted. An FPC inserts into a slot in a Juniper Networks router. See also PIC. Field-replaceable unit. Router component that customers can replace onsite.
FPC
FRU
G H
group
A collection of related BGP peers.
HDLC
High-level data link control. An International Telecommunication Union (ITU) standard for a bit-oriented data link layer protocol on which most other bit-oriented protocols are based. Maximum number of seconds allowed to elapse between the time a BGP system receives successive keepalive or update messages from a peer. On an M160 router, provides routing and system management functions of the router. Consists of the Routing Engine and Miscellaneous Control Subsystem (MCS).
hold time
host module
IANA
Internet Assigned Numbers Authority. Regulatory group that maintains all assigned and registered Internet numbers, such as IP and multicast addresses. See also NIC. Internal BGP. BGP configuration in which sessions are established between routers in the same ASs. Internet Control Message Protocol. Used in router discovery, ICMP allows router advertisements that enable a host to discover addresses of operating routers on the subnet. Integrated Drive Electronics. Type of hard disk on the Routing Engine. International Electrotechnical Commission. See ISO. Institute of Electronic and Electrical Engineers. International professional society for electrical engineers. Internet Engineering Task Force. International community of network designers, operators, vendors, and researchers concerned with the evolution of the Internet architecture and the smooth operation of the Internet. Internet Group Membership Protocol. Used with multicast protocols to determine whether group members are present.
IBGP
ICMP
IDE IEC IEEE
IETF
IGMP
Glossary
305
Glossary
IGP import ingress router inter-AS routing intercluster reflection
Interior gateway protocol, such as IS-IS, OSPF, and RIP. To install routes from the routing protocols into a routing table. In MPLS, first router in a label-switched path (LSP). See also egress router. Routing of packets among different ASs. See also EBGP. In a BGP route reflection, the redistribution of routing information by a route reflector system to all nonclient peers (BGP peers not in the cluster). See also route reflection. Routes that are in the routing table because an interface has been configured with an IP address. Also called direct routes. In IS-IS, network entity that sends and receives packets and that can also route packets. See IBGP. The routing of packets within a single AS. See also IBGP. Internet Protocol. The protocol used for sending data from one point to another on the Internet. Intermediate System-to-Intermediate System protocol. Link-state, interior gateway routing protocol for IP networks that also uses the shortest-path first (SPF) algorithm to determine routes. International Organization for Standardization. Worldwide federation of standards bodies that promotes international standardization and publishes international agreements as International Standards. Internet service provider. Company that provides access to the Internet and related services. International Telecommunications Union (formerly known as the CCITT). Group supported by the United Nations that makes recommendations and coordinates the development of telecommunications standards for the entire world.
interface routes
intermediate system internal BGP intra-AS routing IP
IS-IS
ISO
ISP ITU
J K L
jitter
Small random variation introduced into the value of a timer to prevent multiple timer expirations from becoming synchronized.
kernel forwarding table
See forwarding table.
label
In MPLS, 20-bit unsigned integer in the range 0 through 1048575, used to identify a packet traveling along an LSP. Sequence of routers that cooperatively perform MPLS operations for a packet stream. The first router in an LSP is called the ingress router, and the last router in the path is called the egress router. An LSP is a point-to-point, half-duplex connection from the ingress router to the egress router. (The ingress and egress routers cannot be the same router.) See MPLS. See LSR.
label-switched path (LSP)
label switching label-switching router
306
Glossary
link
Communication path between two neighbors. A link is up when communication is possible between the two end points. Packets that contain information about the state of adjacencies to neighboring systems. Optional BGP path attribute carried in internal BGP update packets that indicates the degree of preference for an external route. In the context of traffic engineering, a path that can use any route or any number of other intermediate (transit) points to reach the next address in the path. (Definition from RFC 791, modified to fit LSPs.) See label-switched path (LSP) and link-state PDU (LSP). Label-switching router. A router on which MPLS and RSVP are enabled and is thus capable of processing label-switched packets.
link-state PDU (LSP) local preference
loose
LSP LSR
martian address mask MBGP
Network address about which all information is ignored. See subnet mask. Multiprotocol BGP. An extension to BGP that allows you to connect multicast topologies within and between BGP ASs. Internet multicast backbone. An interconnected set of subnetworks and routers that support the delivery of IP multicast traffic. The MBone is a virtual network that is layered on top of sections of the physical Internet. Miscellaneous Control Subsystem. On an M160 router, provides control and monitoring functions for router components and SONET clocking for the router. Multiple exit discriminator. Optional BGP path attribute consisting of a metric value that is used to determine the exit point to a destination when all other factors in determining the exit point are equal. Network topology in which devices are organized in a manageable, segmented manner with many, often redundant, interconnections between network nodes. Management Information Base. Definition of an object that can be managed by SNMP. Forms the rear of the PIC cage on M5 and M10 routers and the FPC card cage on M20 and M160 routers. Provides data transfer, power distribution, and signal connectivity. See MCS.
MBone
MCS
MED
mesh
MIB midplane
Miscellaneous Control Subsystem MPLS
Multiprotocol Label Switching. Mechanism for engineering network traffic patterns that functions by assigning to network packets short labels that describe how to forward them through the network. Also called label switching. See also traffic engineering. Mean time between failure. Measure of hardware component reliability.
MTBF
Glossary
307
Glossary
MTU multicast multiprotocol BGP Multiprotocol Label Switching
Maximum transfer unit. Limit on segment size for a network. Operation of sending network traffic from one network node to multiple network nodes. See MBGP. See MPLS.
neighbor
Adjacent system reachable by traversing a single subnetwork. An immediately adjacent router. Also called a peer. Network entity title. Network address defined by the ISO network architecture and used in CLNS-based networks. See NLRI.
NET
network layer reachability information network link advertisement Network Time Protocol NIC
An OSPF link-state advertisement flooded throughout a single area by designated routers to describe all routers attached to the network. See NTP. Network Information Center. Internet authority responsible for assigning Internet-related numbers, such as IP addresses and autonomous system numbers. See also IANA. Network layer reachability information. Information that is carried in BGP packets and is used by MBGP. In a BGP route reflection, a BGP peer that is not a member of a cluster. See also client peer. See NSSA. Network service access point. Connection to a network that is identified by a network address. Last byte of an nonclient peer address. Not-so-stubby area. In OSPF, a type of stub area in which external routes can be flooded. Network Time Protocol. Protocol used to synchronize computer clock times on a network.
NLRI
nonclient peer not-so-stubby area NSAP
n-selector NSSA NTP
OC
Optical Carrier. In SONET, Optical Carrier levels indicate the transmission rate of digital signals on optical fiber. Open System Interconnection. Standard reference model for how messages are transmitted between two points on a network. Open Shortest Path First. A link-state IGP that makes routing decisions based on the shortest-path-first (SPF) algorithm (also referred to as the Dijkstra algorithm).
OSI
OSPF
308
Glossary
package
A collection of files that make up a JUNOS software component. The architectural portion of the router that processes packets by forwarding them between input and output interfaces. Information about a BGP route, such as the route origin, AS path, and next-hop router. Peripheral Component Interconnect. Standard, high-speed bus for connecting computer peripherals. Used on the Routing Engine. Personal Computer Memory Card International Association. Industry group that promotes standards for credit card-size memory or I/O devices. Protocol data unit. IS-IS packets. Provider edge router. A router in the service provider's network that is connected to a customer edge (CE) device and that participates in a Virtual Private Network (VPN). Policing Equivalence Classes. In traffic policing, a set of packets that is treated the same by the packet classifier. An immediately adjacent router with which a protocol relationship has been established. Also called a neighbor. See Packet Forwarding Engine. See PIC. Physical Interface Card. A network interfacespecific card that can be installed on an FPC in the router. Protocol Independent Multicast. A protocol-independent multicast routing protocol. PIM Sparse Mode routes to multicast groups that might span wide-area and interdomain internets. PIM Dense Mode is a flood-and-prune protocol. Packet Loss Priority. Applying rate limits on bandwidth and burst size for traffic on a particular interface. Removal of the last label, by a router, from a packet as it exits an MPLS domain. Point-to-Point Protocol. Link-layer protocol that provides multiprotocol encapsulation. It is used for link-layer and network-layer configuration. Desirability of a route to become the active route. A route with a lower preference value is more likely to become the active route. The preference is an arbitrary value in the range 0 through 255 that the routing protocol process uses to rank routes received from different protocols, interfaces, or remote systems. On an interface, the default local address used for packets sourced by the local router to destinations on the subnet. On an interface, the address used by default as the local address for broadcast and multicast packets sourced locally and sent out the interface.
Packet Forwarding Engine path attribute PCI
PCMCIA
PDU PE router
PEC
peer
PFE Physical Interface Card PIC
PIM
PLP policing pop PPP
preference
preferred address
primary address
Glossary
309
Glossary
primary interface
Router interface that packets go out when no interface name is specified and when the destination address does not imply a particular outgoing interface. See PIM.
Protocol-Independent Multicast provider edge router provider router PSNP
See PE router. Router in the service providers network that does not attach to a customer edge (CE) device. Partial sequence number PDU. Packet that contains only a partial list of the LSPs in the IS-IS link-state database. Addition of a label or stack of labels, by a router, to a packet as it enters an MPLS domain.
push
Q R
QoS
Quality of service. Performance, such as transmission rates and error rates, of a communications channel or system. See QoS.
quality of service
RADIUS
Remote Authentication Dial-In User Service. Authentication method for validating users who attempt to access the router using Telnet. See RED.
Random Early Detection rate limiting RBOC
See policing. (Pronounced are-bock) Regional Bell operating company. Regional telephone companies formed as a result of the divestiture of the Bell System. (Pronounced red) Random Early Detection. Gradual drop profile for a given class that is used for congestion avoidance. RED tries to anticipate incipient congestion and reacts by dropping a small percentage of packets from the head of the queue to ensure that a queue never actually becomes congested. See RSVP.
RED
Resource Reservation Protocol RFC
Request for Comments. Internet standard specifications published by the Internet Engineering Task Force. Radio frequency interference. Interference from high-frequency electromagnetic waves emanating from electronic devices. Routing Information Protocol. Distance-vector interior gateway protocol that makes routing decisions based on hop count. Situation in which BGP systems send an excessive number of update messages to advertise network reachability information. IP address of the router from which a BGP, IGP, or OSPF packet originated.
RFI
RIP
route flapping
route identifier
310
Glossary
route reflection
In BGP, configuring a group of routers into a cluster and having one system act as a route reflector, redistributing routes from outside the cluster to all routers in the cluster. Routers in a cluster do not need to be fully meshed. OSPF link-state advertisement flooded throughout a single area by all routers to describe the state and cost of the routers links to the area. See AS. Architectural portion of the router that handles all routing protocol processes, as well as other software processes that control the routers interfaces, some of the chassis components, system management, and user access to the router. Common database of routes learned from one or more routing protocols. All routes are maintained by the JUNOS routing protocol process. JUNOS software routing protocol process (daemon). User-level background process responsible for starting, managing, and stopping the routing protocols on a Juniper Networks router. Reverse path multicasting. Routing algorithm used by DVMRP to forward multicast traffic. Resource Reservation Protocol. Resource reservation setup protocol designed to interact with integrated services on the Internet.
router link advertisement routing domain Routing Engine
routing table
rpd
RPM RSVP
SAP
Session Announcement Protocol. Used with multicast protocols to handle session conference announcements. Segmentation and reassembly. Buffering used with ATM. System Control Board. On an M40 router, the part of the Packet Forwarding Engine that performs route lookups, monitors system components, and controls FPC resets. Synchronous Digital Hierarchy. CCITT variation of SONET standard. Session Description Protocol. Used with multicast protocols to handle session conference announcements. Synchronous Dynamic Random Access Memory. See SSH. Switching and Forwarding Module. On an M160 router, a component of the Packet Forwarding Engine that provides route lookup, filtering, and switching to FPCs. See SPF.
SAR SCB
SDH SDP
SDRAM secure shell SFM
shortest-path-first algorithm signaled path
In traffic engineering, an explicit path; that is, a path determined using RSVP signaling. The ERO carried in the packets contains the explicit path information. An interface that assumes that packets it receives from itself are the result of a software loopback process. The interface does not consider these packets when determining whether the interface is functional.
simplex interface
Glossary
311
Glossary
SNMP
Simple Network Management Protocol. Protocol governing network management and the monitoring of network devices and their functions. Synchronous Optical Network. High-speed (up to 2.5 Gbps) synchronous network specification developed by Bellcore and designed to run on optical fiber. STS-1 is the basic building block of SONET. Approved as an international standard in 1988. See also SDH. Shortest-path first, an algorithm used by IS-IS and OSPF to make routing decisions based on the state of network links. Also called the Dijkstra algorithm. System and Switch Board. On an M20 router, Packet Forwarding Engine component that performs route lookups and component monitoring and monitors FPC operation. Secure shell. Software that provides a secured method of logging in to a remote network system. Synchronous Static Random Access Memory. See static path. In the context of traffic engineering, a static route that requires hop-by-hop manual configuration. No signaling is used to create or maintain the path. Also called a static LSP. Synchronous Transport Module. CCITT specification for SONET at 155.52 Mbps. In the context of traffic engineering, a route that must go directly to the next address in the path. (Definition from RFC 791, modified to fit LSPs.) Synchronous Transport Signal. Synchronous Transport Signal level 1. Basic building block signal of SONET, operating at 51.84 Mbps. Faster SONET rates are defined as STS-n, where n is a multiple of 51.84 Mbps. See also SONET. In OSPF, an area through which, or into which, AS external advertisements are not flooded. Number of bits of the network address used for host portion of a Class A, Class B, or Class C IP address. OSPF link-statement advertisement flooded throughout the advertisements associated areas by area border routers to describe the routes that they know about in other areas. System identifier. Portion of the ISO nonclient peer. The sysid can be any 6 bytes that are unique throughout a domain. See SSB.
SONET
SPF
SSB
SSH
SSRAM static LSP static path
STM strict
STS
stub area subnet mask
summary link advertisement sysid
System and Switch Board
TACACS+
Terminal Access Controller Access Control System Plus. Authentication method for validating users who attempt to access the router using Telnet. Transmission Control Protocol. Works in conjunction with Internet Protocol (IP) to send data over the Internet. Divides a message into packets and tracks the packets from point of origin to destination. Type of service.
TCP
ToS
312
Glossary
traffic engineering
Process of selecting the paths chosen by data traffic in order to balance the traffic load on the various links, routers, and switches in the network. (Definition from http://www.ietf.org/internet-drafts/draft-ietf-mpls-framework-04.txt.) See also MPLS. In OSPF, an area used to pass traffic from one adjacent area to the backbone or to another area if the backbone is more than two hops away from an area. In MPLS, any intermediate router in the LSP between the ingress router and the egress router. Private, secure path through an otherwise public network. See ToS.
transit area
transit router tunnel type of service
U V
unicast
Operation of sending network traffic from one network node to another individual network node. Uninterruptible power supply. Device that sits between a power supply and a router (or other piece of equipment) the prevents undesired power-source events, such as outages and surges, from affecting or damaging the device.
UPS
VCI
Virtual circuit identifier. Identifier for an ATM virtual connection. Also called a logical interface. See VCI. In OSPF, a link created between two routers that are part of the backbone but are not physically contiguous. Virtual circuit identifier. See VCI. See VRRP.
virtual circuit identifier virtual link
virtual path identifier Virtual Router Redundancy Protocol VPI VRRP
See VCI. Virtual Router Redundancy Protocol. On Fast Ethernet and Gigabit Ethernet interfaces, allows you to configure virtual default routers.
wavelength-division multiplexing WDM
See WDM.
Wavelength-division multiplexing. Technique for transmitting a mix of voice, data, and video over various wavelengths (colors) of light. See WRR. Weighted round-robin. Scheme used to decide the queue from which the next packet should be transmitted.
weighted round-robin WRR
Glossary
313
Glossary
314
Part 7 Indexes
! Index on page 317 ! Index of Statements and Commands on page 327
315
316
Index Index Symbols

! regular expression operator..........................90, 219 wildcard .............................................................154 " ", configuration group wildcards .............................154 # comment delimiter.............................................137 configuration mode prompt ...............................109 #, in configuration statements .................................. xxix $, regular expression operator.............................90, 219 () in syntax descriptions ....................................... xxix regular expression operator..........................90, 219 *, wildcard ................................................................153 +, in statement lists..................................................110 -, wildcard .................................................................154 /* */, comment delimiters .........................................137 <> in syntax descriptions ..................................... xxviii wildcard patterns ...............................................154 > CLI prompt...........................................................79 in statement lists ................................................109 ? operational mode help .........................................83 wildcard .............................................................153 [] banners ..............................................................109 in configuration statements............................... xxix regular expression operator..........................90, 219 [, wildcard .................................................................153 ], wildcard .................................................................154 ^, regular expression operator.............................90, 219 {} in configuration statements............................... xxix specifying statements.........................................145 | (pipe) filtering command output.............................88, 184 in syntax descriptions ....................................... xxix
access privilege levels entering configuration mode ..............................107 login classes ...............................................216, 261 permission bits...........................................216, 261 user accounts .....................................................221 See also security accounting-options statement usage guidelines .................................................110 activate command ................................................. 173 usage guidelines .................................................136 activating configurations............................................128 activating software configurations ...............................16 addresses IP addresses .......................................191, 202, 203 router source addresses..............................236, 250 admin permission bit.................................................216 admin-control permission bit.....................................216 aggregated devices, configuring.................................280 aggregated-devices statement ................................. 289 usage guidelines .................................................280 alarm conditions chassis alarm conditions ....................................282 PIC alarms..........................................................280 silencing alarm devices ......................................282 alarm cutoff button....................................................282 alarm statement..................................................... 290 usage guidelines .................................................280 alert (system logging severity level) ...........................230 alias statement....................................................... 269 usage guidelines .................................................202 all permission bit .......................................................216 allow-commands statement .................................... 243 usage guidelines .................................................218 allowing commands to login classes ..................218, 243 /altconfig directory.....................................................193 alternate boot device ...................................................57 altitude option ...........................................................256 /altroot directory........................................................193 annotate command ................................................ 173 usage guidelines .................................................137 any (system logging facility) ......................................230 apply-groups statement .......................................... 165 usage guidelines .........................................150, 151
Index
317
Index
applying configuration groups ................................... 151 architecture of routers ................................................... 4 archive option ................................................... 231, 270 archiving system logs ................................................ 231 ATM ...................................................................... 17, 23 ATM interfaces PIC alarm conditions.......................................... 281 authentication authentication order................................... 212, 245 diagnostics port password.......................... 242, 253 NTP authentication keys .................... 227, 245, 273 protocol authentication ...................................... 194 RADIUS authentication....... 195, 209, 211, 213, 264 root password ............................................ 206, 265 shared user accounts.................................. 211, 213 TACACS+ authentication........... 195, 210, 211, 272 user accounts ............................................. 221, 244 user authentication ............................................ 195 See also passwords; security authentication statement ........................................ 244 usage guidelines................................................. 220 authentication-key statement .................................. 245 usage guidelines................................................. 227 authentication-order statement ............................... 245 usage guidelines................................................. 212 authorization (system logging facility) ............... 230, 232 auxiliary port............................................................... 14 auxiliary port properties ............................ 235, 246, 262 auxiliary statement ................................................ 246 usage guidelines................................................. 235
broadcast statement ...............................................248 usage guidelines .................................................227 broadcast-client statement ......................................248 usage guidelines .................................................228 bundles .......................................................................55
backing up root file system ....................................... 129 backup option ........................................................... 285 backup routers .................................................. 205, 247 backup Routing Engine ............................................. 287 backup-router statement......................................... 247 usage guidelines................................................. 205 banners ..................................................................... 109 BGP routing protocol ............................................. 10, 17 bgp statement..........................................................35 boot devices, routers ................................................... 57 boot sequences, routers .............................................. 58 boot server, NTP ............................................... 225, 247 boot-server statement ............................................ 247 usage guidelines................................................. 225 braces, in configuration statements.......................... xxix brackets angle, in syntax descriptions............................xxviii square, in configuration statements .................. xxix broadcast messages, synchronizing NTP ........... 228, 248 broadcast mode, NTP ................................ 225, 227, 248
candidate configurations ...........................................130 change-log (system logging facility) ...........................230 channelized mode .....................................................283 characters, inserting and deleting................................86 chassis configuration alarm conditions ................................................280 channelized PIC operation..................................283 configuration statements............................279, 289 drop policies.......................................................284 redundancy properties .......................................284 SONET/SDH framing ..........................................283 chassis process ............................................................13 chassis statement ............................................. 27, 290 usage guidelines .........................................110, 279 class statement ......................................................249 usage guidelines .........................................215, 220 class-of-service statement .........................................27 usage guidelines .................................................110 clear command ...................................................81, 183 clear permission bit ...................................................216 CLI command completion ..........................................80 command history .........................................97, 171 comparing configuration versions ........................92 configuration mode See configuration mode, CLI date, setting .................................................97, 170 editing command line ..........................................86 environment settings ...........................................99 filtering command output.............................88, 184 help with commands............................................80 hierarchy of commands ...............80, 117, 181, 182 keyboard sequences.......................................86, 87 logging CLI command activity ....................231, 233 messages .............................................................85 modes ..................................................................79 --More-- prompt....................................................87 operational mode See operational mode overview ........................................................14, 79 prompt strings......................................79, 100, 168 screen output .......................................................87 type checking .....................................................147 typing commands ................................................79 users, monitoring .................................................98 client mode, NTP.......................................225, 226, 267 command completion, CLI configuration mode............................................111 configuring .................................................100, 167 operational mode .................................................84 command hierarchy, CLI .....................80, 117, 181, 182
318
Index
command history, CLI configuration mode ............................................128 operational mode .........................................97, 171 command output configuration details.............................................94 counting output lines............................................94 displaying all output .............................................94 filtering ................................................88, 179, 184 --More-- prompt ....................................................87 multiple filters ......................................................97 retaining output....................................................94 saving output to files ............................................89 string searches .....................................................90 command-line interface See CLI commands allowing or denying to login classes ...218, 243, 251 command line See CLI completion ...................................84, 100, 111, 167 filenames, specifying..........................................192 help with commands............................83, 113, 176 hierarchy of CLI commands .........80, 117, 181, 182 history..................................................97, 128, 171 logging CLI command activity ....................231, 233 output See command output overview ..............................................................81 running operational commands in configuration mode ......................................................127, 179 typing...................................................................79 URLs, specifying.................................................192 comments .........................................................137, 173 comments, in configuration statements ................... xxix commit and-quit command usage guidelines .................................................129 commit check command usage guidelines .........................................128, 130 commit command ................................................. 174 usage guidelines .................................................128 commit command,usage guidelines ..........................134 commit confirmed command usage guidelines .................................................130 committing configurations commit command..............................................128 exiting configuration mode ................................129 previously committed configurations .................134 compare command .....................................................92 comparing configuration versions ...............................92 completing commands configuration mode ............................................111 configuring .................................................100, 167 operational mode .................................................84 compress-configuration-files statement .................... 249 usage guidelines .................................................208 compressing configuration files .........................208, 249 concatenated mode ...................................................283 /config directory ..........................................63, 106, 193 configuration files compressing...............................................208, 249
saving configurations to files ......................131, 179 configuration files, copying........................................285 configuration groups applying .....................................................150, 151 copying configuration files .................................285 creating ......................................................150, 166 example configuration groups ............................157 inheritance model ..............................................149 inherited values ..................................................153 interface parameters ..........................................159 nested groups.....................................................152 overview.............................................................149 peer entities .......................................................161 re0, re1 groups ...................................................150 regional configurations .......................................163 sets of statements ..............................................157 wildcards....................................................153, 164 See also configurations configuration mode, CLI + .......................................................................110 > .......................................................................109 banners ..............................................................109 command completion ........................................111 command history ...............................................128 commands ...........................................................25 committing configurations .................................128 copying configuration statements...............123, 174 copying configurations .........................................63 displaying current configuration .................120, 181 entering configuration mode ......................107, 183 error messages .............................................85, 135 example configurations ......................................140 exiting configuration mode ................................119 help with statements ..................................113, 176 loading configurations ................................131, 177 locking configurations ........................................108 overview...............................................................79 prompt ...............................................................109 running operational mode commands........127, 179 statements See configuration statements top-level statements ...........................................110 users editing configurations displaying............................................121, 181 multiple simultaneous users ........................139 verifying configurations......................................128 See also configurations configuration statements copying ......................................................123, 174 deactivating................................................136, 175 filenames, specifying..........................................192 help with statements ..................................113, 176 IP addresses, specifying .....................................191 overview.............................................................109 reactivating ................................................136, 173 removing....................................................122, 175 sets of statements ..............................................157 specifying ...........................................................145
Index
319
Index
statement hierarchy ............. 26, 104, 117, 181, 182 symbols, including in statements ....................... 110 top-level statements ........................................... 110 URLs, specifying................................................. 192 See also configuration mode, CLI; configurations configurations activating ..................................................... 16, 128 aggregated devices............................................. 280 combining.......................................................... 131 comments.................................................. 137, 173 committing ................................................ 128, 174 comparing configuration versions ........................ 92 copying configurations......................................... 63 copying statements .................................... 123, 174 creating.............................................. 114, 176, 180 deactivating statements and identifiers ...... 136, 175 displaying configuration details............................ 94 displaying current configuration................. 120, 181 groups See configuration groups identifiers................... 109, 124, 125, 145, 177, 178 initial router configuration.................................... 59 loading ....................................................... 131, 177 locking ............................................................... 108 modifying .................................................. 114, 176 previously committed configurations ......... 134, 178 reactivating statements and identifiers....... 136, 173 removing statements ................................. 122, 175 replacing ............................................................ 131 saved configurations .......................................... 106 saving to files ............................................. 131, 179 statements See configuration statements storing................................................................ 106 symbols, including in statements ....................... 110 verifying............................................................. 128 See also configuration mode, CLI configure command ............................................... 183 usage guidelines........................................... 82, 107 configure exclusive command ................................. 183 usage guidelines................................................. 108 Configure Packet Scheduling ..................................... 288 configure permission bit............................................ 216 configuring JUNOS software See configurations conflict-log (system logging facility)........................... 230 connection-limit option ............................................. 268 connections statement .............................................37 console port ................................................................ 14 console port properties.............................. 235, 250, 262 console statement .................................................. 250 usage guidelines................................................. 235 container statements................................................. 104 context-sensitive help.................................................. 83 control permission bit ............................................... 216 conventions, documentation ...................................xxviii copy command ...................................................... 174 usage guidelines........................................... 81, 123 copying configuration files ........................................ 285 copying configurations ................................................ 63
copying statements in configurations ................123, 174 count command ..........................................................94 counting output lines ...................................................94 country-code option ..................................................256 craft interface alarm conditions ........................................280, 282 alarm cutoff button ............................................282 creating configuration groups ....................................150 creating configurations ........................15, 114, 176, 180 critical (system logging severity level)........................230 cron (system logging facility) .............................230, 232 curly braces, in configuration statements ................. xxix current configuration displaying...........................................................120 current configuration, displaying ...............................181 cursor, moving ............................................................86 customer support, contacting .................................... xxx
daemon (system logging facility) .......................230, 232 data types, CLI...........................................................147 date, setting.........................................................97, 170 deactivate command ..............................................175 usage guidelines .................................................136 deactivating statements and identifiers .............136, 175 debug (system logging severity level) ........................230 default-address-selection statement .........................250 usage guidelines .................................................236 delete command ....................................................175 usage guidelines .................................................122 deny-commands statement..................................... 251 usage guidelines .................................................218 denying commands to login classes ..................218, 251 destination option .............................................205, 247 device-count statement ........................................... 291 usage guidelines .................................................280 DHCP relay agents.............................................237, 252 dhcp-relay statement ..............................................252 usage guidelines .................................................237 diagnostics port password .................................242, 253 diag-port-authentication statement ..........................253 usage guidelines .................................................242 directories, JUNOS software ......................................193 disable statement ......................................................136 disabling software processes .............................241, 263 display detail command ..............................................94 display inheritance command ...................................153 displaying all command output ...................................94 displaying configuration details ...................................94 displaying current configuration ........................120, 181 displaying environment settings........................101, 170 displaying users editing configuration ...............121, 181 Distributed Buffer Manager ASIC ...................................5 distribution components, JUNOS software...................55 DNS name servers, configuring .........................204, 259 documentation conventions ................................... xxviii
320
Index
domain names on routers .................................203, 253 domain-name statement ........................................ 253 usage guidelines .................................................203 domains to be searched ....................................204, 254 domain-search statement ....................................... 254 usage guidelines .................................................204 downloading software packages ..................................68 drop policies..............................................................284 DS-1 interfaces, PIC alarm conditions........................281 DVMRP routing protocol..............................................11 dvmrp statement ..................................................... 37
E3 interfaces, PIC alarm conditions ...........................281 edit command ....................................................... 176 usage guidelines .........................................115, 117 edit permission bit.....................................................216 editing command line..................................................86 Emacs keyboard sequences.........................................86 emergency logging severity .......................................230 encrypted passwords.................................206, 207, 265 encrypted-password option ...............................206, 265 environment settings, CLI command completion ................................100, 167 configuring ...........................................................99 displaying settings......................................101, 170 example configuration .......................................101 idle timeout................................................100, 167 prompt string .............................................100, 168 restarting after software upgrade ...............100, 168 screen dimensions .......................................99, 169 terminal type................................................99, 169 error (system logging severity level) ..........................230 error messages ....................................................85, 135 Ethernet ......................................................................23 Ethernet interfaces PIC alarm conditions ..........................................281 Ethernet management port .........................................14 ethernet statement ................................................. 291 usage guidelines .................................................280 exit command ....................................................... 176 usage guidelines .........................................118, 119 exit configuration-mode command.......................... 176 usage guidelines .................................................119 export policies .............................................................12
failover, configuring...........................................241, 263 fan alarm conditions..................................................282 FEB alarm condition ..................................................282 field permission bit....................................................216 file command ......................................................81, 183 file copy command....................................................285 file system, backing up ..............................................129 filenames, specifying in commands...........................192 files configuration files, compressing .................208, 249 configuration files, copying ................................285 saving command output to files ...........................89 saving configurations to files ......................131, 179 filtering command output | (pipe)..........................................................88, 184 comparing configuration versions ........................92 counting output lines ............................................94 displaying all output .............................................94 multiple filters ......................................................97 retaining output....................................................94 saving to files ...............................................89, 179 string searches .....................................................90 finger access..............................................................238 finger service, configuring .................................238, 268 finger statement..................................................... 268 usage guidelines .................................................238 firewall (system logging facility).................................230 firewall permission bit ...............................................216 firewall statement ....................................................29 usage guidelines .................................................110 firewall-control permission bit ...................................217 flash drives mirroring to hard drives .............................205, 258 storage media overview .......................................57 floppy permission bit.................................................217 forwarding tables.........................................................11 forwarding-options statement ...................................29 usage guidelines .................................................110 FPC alarm condition ..................................................282 fpc statement router chassis configuration ............................. 292 usage guidelines .................................................283 Frame Relay ..........................................................17, 23 framing modes ..........................................................283 framing statement.................................................. 292 usage guidelines .................................................283 full names, in user accounts ......................................221 full-name statement ............................................... 254 usage guidelines .................................................220
facilities, system logging............................230, 232, 270 facility-override statement usage guidelines .........................................232, 270 failover on-loss-of-keepalives statement usage guidelines .................................................287 failover statement ...........................................263, 291 usage guidelines .................................................241
global tracing operations ...........................................193 GRE Encapsulation ......................................................17 groups statement ............................................. 30, 166 usage guidelines .........................................110, 150
Index
321
Index
hard drives mirroring flash drives................................. 205, 258 storage media overview ....................................... 57 hardware components .................................................. 3 hcoord option............................................................ 256 help configuration mode statements.................. 113, 176 operational mode commands .............................. 83 help apropos command .................................... 113, 176 help command ...................................................... 176 usage guidelines................................................. 113 help reference command .................................. 113, 176 help topic command ................................................. 113 hierarchy of CLI commands ................ 80, 117, 181, 182 hierarchy of configuration statements 26, 104, 117, 181, 182 history, CLI commands configuration mode............................................ 128 operational mode......................................... 97, 171 HMAC-MD5 authentication........................................ 194 hold command............................................................ 94 host-name statement.............................................. 254 usage guidelines................................................. 201 hot swapping alarm condition ................................... 282
ICMP routing protocol ................................................. 10 identifiers deactivating ............................................... 136, 175 inserting in sequential lists......................... 125, 177 reactivating ................................................ 136, 173 renaming ................................................... 124, 178 specifying........................................................... 145 idle timeout values CLI sessions ............................................... 100, 167 login classes ............................................... 220, 255 idle-timeout statement ........................................... 255 usage guidelines................................................. 220 IGMP routing protocol ................................................. 11 igmp statement........................................................37 import policies ............................................................ 12 inactive tag................................................................ 136 inet statement ....................................................... 269 usage guidelines................................................. 202 info (system logging severity level).................... 230, 231 inheritance model, configuration groups ................... 149 inherited values, configuration groups....................... 153 insecure statement ......................................... 246, 250 usage guidelines................................................. 236 insert command .................................................... 177 usage guidelines................................................. 125 inserting identifiers in sequential lists ............... 125, 177
installing JUNOS software factory installation................................................55 initial router configuration....................................59 naming conventions.............................................56 overview ..............................................................14 package names ....................................................57 reconfiguring........................................................64 release names ......................................................56 software distribution components ........................55 storage media ......................................................57 See also JUNOS software interactive-commands (system logging facility) .230, 231 interface media parameters.......................................159 interface permission bit.............................................217 interface process .........................................................13 interface statement usage guidelines .................................................237 interface tracing operations.......................................194 interface-control permission bit.................................217 interfaces statement .................................................30 usage guidelines .................................................110 Internet drafts supported.............................................17 Internet Processor ASIC.................................................6 IP addresses router names, mapping..............................202, 203 specifying in statements.....................................191 IP Multicast..................................................................17 IP packets, router source addresses...................236, 250 IP traffic, discarding ..................................................284 IP-IP Encapsulation......................................................17 IS-IS routing protocol .......................................10, 18, 22 isis statement...........................................................38 ISO standards supported .............................................22
juniper.conf file, compressing ...........................208, 249 Juniper-Allow-Commands attribute............................210 Juniper-Deny-Commands attribute ............................210 Juniper-Local-User-Name attribute .............................210 JUNOS software boot sequence ......................................................58 configuration overview.........................................15 directories stored in ...........................................193 factory installation................................................55 initial router configuration....................................59 installation ...........................................................14 naming conventions.............................................56 package names ....................................................57 reconfiguring........................................................64 release names ......................................................56 software distribution components ........................55 standards supported.............................................16 storage media ......................................................57
322
Index
keepalive-time statement........................................ 292 usage guidelines .................................................287 kernel (system logging facility) ..........................230, 232 kernel, Routing Engine ................................................14 keyboard sequences editing command line ..........................................86 --More-- prompt ....................................................87
lata option .................................................................256 latitude option ...........................................................256 LDP .......................................................................11, 18 ldp statement .......................................................... 39 leaf statements ..........................................................104 lo0 interface ......................................................236, 250 load command ...................................................... 177 usage guidelines .................................................131 load replace command ..............................................286 loading configurations .......................................131, 177 load-key-file command ..............................................206 local password authentication ...................................211 local0local7 (system logging facilities) .....................232 location statement ................................................. 256 usage guidelines .................................................206 locking configurations ...............................................108 log files redundancy logging............................................284 logging in as root.......................................................239 logging operations system logging ...........................................229, 233 tracing operations ..............................................193 logical devices ...........................................................280 login classes access privilege levels.................................216, 261 commands, allowing or denying ........218, 243, 251 default classes ....................................................217 defining......................................215, 218, 249, 257 idle timeout values .....................................220, 255 login messages, system .....................................240, 257 login statement ...................................................... 257 usage guidelines .........................................215, 220 log-prefix statement ..........................................232, 270 longitude option ........................................................256
MD5 authentication ...................................................194 merge option .....................................................131, 177 message statement ................................................ 257 usage guidelines .................................................240 messages broadcast messages, NTP ...........................228, 248 CLI messages........................................................85 error messages ...................................................135 logging See system logging multicast messages, NTP ............................228, 258 redirect messages.......................................236, 259 system login messages ...............................240, 257 MIB II process..............................................................13 MIBs standards supported.............................................18 minimum-wait-time statement ..................................237 mirror-flash-on-disk statement ................................ 258 usage guidelines .................................................205 modifying configurations...................................114, 176 monitor command ..............................................81, 184 monitoring tools overview...............................................................16 system logging ...........................................229, 233 tracing operations ..............................................193 See also MIBs; SNMP --More-- prompt ...........................................................87 MPLS protocol .......................................................11, 20 MPLS routing table ......................................................12 mpls statement ........................................................39 MSDP routing protocol.................................................11 msdp statement ....................................................... 41 multicast messages, NTP ...........................................228, 258 multicast routing protocols ..........................................11 multicast routing table .................................................12 multicast-client statement ....................................... 258 usage guidelines .................................................228 multiplexed mode .....................................................283
maintenance permission bit ......................................217 Management Ethernet interfaces, PIC alarm conditions .. 281 management process ..................................................13 managing routers See SNMP master option ............................................................285 match command .........................................................90 maximum-hop-count statement ................................237
name servers, DNS ............................................204, 259 names domain names on routers ..........................203, 253 package names.....................................................57 release names ......................................................56 router names..............................201, 202, 203, 254 wildcard names ..................................................164 name-server statement ........................................... 259 usage guidelines .................................................204 nested configuration groups ......................................152 network masks ..........................................................191 network permission bit..............................................217 Network Time Protocol See NTP no-concatenate statement ....................................... 293 usage guidelines .................................................283 no-listen statement ....................................................237
Index
323
Index
no-more command ..................................................... 94 non-concatenated mode............................................ 283 no-packet-scheduling statement .............................. 293 usage guidelines................................................. 288 no-redirects statement ............................................ 259 usage guidelines................................................. 236 no-source-route statement ...................................... 296 usage guidelines................................................. 284 notice (system logging severity level) ................ 230, 231 npa-nxx option.......................................................... 256 NTP authentication keys ............................ 227, 245, 273 boot server................................................. 225, 247 broadcast mode ................................. 225, 227, 248 client mode ........................................ 225, 226, 267 configuring................................................. 224, 260 listening for broadcast messages................ 228, 248 listening for multicast messages................. 228, 258 symmetrc active mode....................................... 260 symmetric active mode.............................. 225, 226 ntp statement ........................................................ 260 usage guidelines................................................. 224
operational mode command completion .......................................... 84 command history......................................... 97, 171 command overview ............................................. 81 date, setting ................................................. 97, 170 help about commands ......................................... 83 running commands in configuration mode 127, 179 users, monitoring................................................. 98 operator login class ................................................... 217 operators regular expressions ...................................... 90, 219 OSPF routing protocol ................................................. 10 standards supported ............................................ 20 ospf statement ......................................................... 41 output of commands See command output override option.................................................. 131, 177 overriding system logging facilities............................ 232
packages ......................................................... 55, 57, 68 transferring between routing engines................. 287 Packet Forwarding Engine......................................... 4, 5 packet scheduling...................................................... 288 packet scheduling statement, usage guidelines.......... 288 packets flow through routers............................................... 5 router source addresses ............................. 236, 250 packet-scheduling statement ................................... 293 usage guidelines................................................. 288 passwords
diagnostics port password ..........................242, 253 RADIUS authentication.......................................209 root password ............................................206, 265 shared user accounts..................................211, 213 user accounts .....................................................221 See also authentication; security peer entities ..............................................................161 peer statement .......................................................260 usage guidelines .................................................226 permission bits..................................................216, 261 permissions statement............................................ 261 usage guidelines .................................................216 pfe (system logging facility) .......................................230 physical devices, aggregating ....................................280 physical interfaces framing modes...................................................283 PIC alarm conditions .................................................280 pic statement .........................................................294 usage guidelines .................................................283 PIM routing protocol....................................................11 pim statement .........................................................42 ping command ....................................................81, 184 pipe ( | ) filtering command output.............................88, 184 in syntax descriptions ....................................... xxix plain-text passwords..........................................206, 207 plain-text-password option ........................................206 policy-options statement ...........................................34 usage guidelines .................................................110 port statement .......................................................262 usage guidelines .................................................209 ports auxiliary port properties .....................235, 246, 262 console port properties ......................235, 250, 262 diagnostics port..........................................242, 253 external ports.......................................................14 RADIUS server port ....................................209, 262 ports statement ......................................................262 usage guidelines .................................................235 postal-code option .....................................................256 power supply alarm conditions .................................282 PPP .............................................................................20 prefixes log message prefixes ..........................................232 specifying in statements.....................................191 primary boot device ....................................................57 privileges See access privilege levels processes configuring failover ....................................241, 263 disabling.............................................................241 processes statement ...............................................263 usage guidelines .................................................241 processes, disabling...................................................263
324
Index
prompt strings # ........................................................................109 > .........................................................................79 CLI .......................................................79, 100, 168 configuration mode ............................................109 --More-- prompt ....................................................87 protocol authentication..............................................194 protocol redirect messages ................................236, 259 protocols statement ................................................. 35 usage guidelines .................................................110 protocol-specific tracing operations ...........................193 protocol-version statement ................................240, 264 usage guidelines .................................................264
Q R
quit command.............................................82, 178, 185
RADIUS authentication ..............195, 209, 211, 213, 264 radius-server statement .......................................... 264 usage guidelines .................................................209 rate-limit option.........................................................268 re0 configuration group .............................................150 re1 configuration group .............................................150 reactivating statements and identifiers ..............136, 173 read-only login class ..................................................217 reconfiguring JUNOS software .....................................64 red alarm conditions .................................................280 redirect messages..............................................236, 259 redrawing screen.........................................................87 redundancy backup routing engine........................................287 configuring failover ....................................241, 263 routing engine redundancy ................................285 SSB redundancy .................................................288 redundancy logging ...................................................284 redundancy statement ........................................... 294 usage guidelines .........................................285, 288 regional configurations ..............................................163 regular expression operators ...............................90, 219 relay agents, DHCP............................................237, 252 release names .............................................................56 releases, upgrading to..................................................67 remote access, configuring ................................238, 268 remote user name .............................................211, 213 removable media ........................................................57 removing statements from configurations .........122, 175 rename command ................................................. 178 usage guidelines .................................................124 renaming identifiers ..........................................124, 178 replace option ...................................................132, 177
request command ...............................................82, 185 request system command .........................................287 request system snapshot command ..........................129 reset permission bit ...................................................217 restart command .................................................81, 185 restarting after software upgrade.......................100, 168 retaining command output ..........................................94 retry statement ...................................................... 265 usage guidelines .................................................209 RIP routing protocol...............................................10, 20 rip statement ...........................................................43 rlogin service, configuring .................................238, 268 rlogin statement ..................................................... 268 usage guidelines .................................................238 rollback command ................................................. 178 usage guidelines .................................................134 rollback permission bit ..............................................217 root file system, backing up.......................................129 root password....................................................206, 265 root-authentication statement ................................. 265 usage guidelines .................................................206 root-login statement ............................................... 266 usage guidelines .................................................239 route prefixes ............................................................191 router chassis configuration alarm conditions ................................................280 channelized PIC operation..................................283 configuration statements ............................279, 289 drop policies.......................................................284 redundancy properties .......................................284 SONET/SDH framing ..........................................283 router software See software, JUNOS router-discovery statement .......................................44 routers architecture ............................................................4 backup routers ...........................................205, 247 boot devices .........................................................57 boot sequence ......................................................58 configuring See configurations DHCP relay agents......................................237, 252 DNS name servers, configuring ..................204, 259 domain names ...........................................203, 253 domains to be searched .............................204, 254 failover, configuring ...................................241, 263 hardware components............................................3 initial router software configuration .....................59 login classes .......................................215, 249, 257 managing See SNMP names configuring..................................201, 203, 254 mapping to IP addresses .....................202, 203 NTP ............................................................224, 260 Packet Forwarding Engine..................................4, 5 physical system location.............................206, 256
Index
325
Index
ports auxiliary port properties.............. 235, 246, 262 console port properties ............... 235, 250, 262 diagnostics port .................................. 242, 253 RADIUS server port............................. 209, 262 redirect messages ...................................... 236, 259 root login, controlling......................................... 239 Routing Engine............................................... 4, 6, 9 software processes, disabling..................... 241, 263 source addresses........................................ 236, 250 storage media ...................................................... 57 system identifiers............................................... 202 system login messages............................... 240, 257 system services, configuring ...................... 238, 268 time zone setting ....................................... 223, 273 user accounts ..................................... 220, 257, 276 Routing Engines backup Routing Engine ...................................... 287 chassis process..................................................... 13 interface process.................................................. 13 management process ........................................... 13 MIB II process ...................................................... 13 overview ............................................................ 4, 6 redundancy................................................ 285, 287 Routing Engine kernel.......................................... 14 routing protocol process....................................... 10 SNMP process ...................................................... 13 software components............................................. 9 tty connections .................................................. 285 routing instances routing options..................................................... 45 routing permission bit ............................................... 217 routing policy .............................................................. 12 routing protocol process routing policy ....................................................... 12 routing protocols.................................................. 10 routing tables ....................................................... 11 routing protocols MPLS applications protocols................................. 11 multicast routing protocols........................................... 11 overview .............................................................. 10 unicast routing protocols...................................... 10 routing tables .............................................................. 11 routing-control permission bit ................................... 217 routing-engine statement ........................................ 295 usage guidelines................................................. 285 routing-instances statement ......................................45 usage guidelines........................................... 45, 111 routing-options statement .........................................47 usage guidelines........................................... 45, 111 RSVP ..................................................................... 11, 21 rsvp statement .........................................................44 run command ........................................................ 179 usage guidelines................................................. 127 running operational commands in configuration mode... 127
sap statement ..........................................................44 SAP/SDP routing protocol ............................................11 save command ......................................................179 usage guidelines ...........................................89, 131 saving command output to files ..................................89 saving configurations to files .............................131, 179 SCB alarm condition..................................................282 scheduling packets ....................................................288 screen dimensions ......................................99, 100, 169 screen output See command output screen, redrawing........................................................87 SDH.............................................................................22 SDH framing .............................................................283 SDH interfaces framing mode ....................................................283 PIC alarm conditions ..........................................281 sdp statement ..........................................................44 searching regular expressions ..............................................90 strings in command output ..................................90 secret permission bit .................................................217 secret statement RADIUS authentication ....................................266 usage guidelines..........................................209 TACACS+ authentication .................................266 usage guidelines..........................................210 secret-control permission bit .....................................217 security router port properties.........................236, 246, 250 See also access privilege levels; authentication; passwords server statement ....................................................267 usage guidelines .........................................226, 237 services statement..................................................268 usage guidelines .................................................238 set cli complete-on-space command ........................167 usage guidelines .................................................100 set cli idle-timeout command ..................................167 usage guidelines .................................................100 set cli prompt command .........................................168 usage guidelines .................................................100 set cli restart-on-upgrade command.........................168 usage guidelines .................................................100 set cli screen-length command ................................169 usage guidelines ...................................................99 set cli screen-width command .................................169 usage guidelines .................................................100 set cli terminal command .......................................169 usage guidelines ...................................................99 set command ................................................. 180, 185 usage guidelines .................................................115 set date command ................................................. 170 usage guidelines ...................................................97 sets of statements .....................................................157 settings, CLI, displaying .....................................101, 170 severity levels, system logging...................................230
326
Index
SFM alarm condition .................................................282 shared memory .............................................................4 shared user accounts .........................................211, 213 shell permission bit ...................................................217 show cli command ................................................. 170 usage guidelines .................................................101 show cli history command ...................................... 171 usage guidelines ...................................................97 show command........................................... 81, 181, 186 usage guidelines .........................................119, 120 show configuration command ...................................120 simple authentication ................................................194 single-connection statement ................................... 269 usage guidelines .................................................210 snmp permission bit..................................................217 SNMP process..............................................................13 snmp statement ....................................................... 49 usage guidelines .................................................111 snmp-control permission bit......................................217 software monitoring tools See monitoring tools software processes configuring failover ....................................241, 263 disabling.............................................................241 software processes, disabling ....................................263 software, JUNOS boot sequence ......................................................58 configuration overview.........................................15 directories stored in ...........................................193 factory installation................................................55 initial router configuration....................................59 installation ...........................................................14 naming conventions.............................................56 package names ....................................................57 reconfiguring........................................................64 release names ......................................................56 software distribution components ........................55 standards supported.............................................16 storage media ......................................................57 See also SNMP SONET.........................................................................22 SONET framing .........................................................283 SONET interfaces framing mode ....................................................283 PIC alarm conditions ..........................................281 sonet statement ..................................................... 295 usage guidelines .................................................280 source-route constraints ............................................284 source-route statement ........................................... 296 speed statement .............................................246, 250 usage guidelines .................................................236 SSB alarm condition ..................................................282 SSB redundancy ........................................................288 ssb statement ........................................................ 296 usage guidelines .................................................288 ssh command......................................................81, 186 SSH key files..............................................................206 ssh protocol version ..................................................240
ssh service configuring .........................................186, 239, 268 root login............................................................239 ssh protocol version ...........................................240 ssh statement ........................................................ 268 usage guidelines .................................................239 standards supported by software.................................16 start command ....................................................82, 186 statement hierarchy.....................26, 104, 117, 181, 182 statement paths.........................................................104 statements configuration mode statements ..........................109 copying in configurations ...........................123, 174 deactivating................................................136, 175 filenames, specifying..........................................192 IP addresses, specifying .....................................191 reactivating ................................................136, 173 removing from configurations ....................122, 175 sets, in configuration groups ..............................157 specifying ...........................................................145 top-level statements ...........................................110 URLs, specifying .................................................192 See also configuration mode, CLI; configurations static statement .........................................................205 static-host-mapping statement ................................ 269 usage guidelines .................................................202 status command .................................................... 181 usage guidelines .................................................121 storage media..............................................................57 storing configurations ................................................106 string searches, command output................................90 subnet masks ............................................................191 super-user login class.................................................217 support, technical ......................................................xxx symmetrc active mode, NTP......................................260 symmetric active mode, NTP.............................225, 226 sysid statement ...................................................... 269 usage guidelines .................................................202 syslog statement .................................................... 270 usage guidelines .................................................229 system authentication authentication order ...................................212, 245 RADIUS authentication ...............209, 211, 213, 264 TACACS+ authentication ...................210, 211, 272 See also authentication system identifiers ......................................................202 system logging archiving system logs .........................................231 CLI commands, logging ..............................231, 233 configuring .........................................................229 example configuration........................................233 facilities ......................................................230, 232 log message prefixes ..........................................232 overriding facilities .............................................232 severity levels.....................................................230 system login messages ......................................240, 257 system permission bit ...............................................217
Index
327
Index
system services configuring on routers................................ 238, 268 rlogin service...................................................... 238 ssh service ......................................................... 239 Telnet service............................................. 238, 240 system statement ............................................. 50, 271 usage guidelines......................................... 111, 197 system-control permission bit ................................... 217
T3 ............................................................................... 23 T3 interfaces PIC alarm conditions.......................................... 281 TACACS+ authentication .................. 195, 210, 211, 272 tacplus-server statement ......................................... 272 usage guidelines................................................. 210 TCP/IP v4 .................................................................... 21 technical support....................................................... xxx Telnet access, configuring ......................................... 238 telnet command.................................................. 81, 186 Telnet service, configuring ........................ 186, 240, 268 telnet statement ..................................................... 268 usage guidelines................................................. 240 temperature alarm conditions ................................... 282 template accounts ............................................. 211, 213 terminal option ................................................. 131, 177 terminal speed .......................................... 236, 246, 250 terminal type............................... 99, 169, 236, 246, 250 test command ..................................................... 81, 187 time setting ......................................................... 97, 170 time zone setting, routers.................................. 223, 273 timeout statement RADIUS authentication .................................... 272 usage guidelines.......................................... 209 TACACS+ authentication ................................. 272 usage guidelines.......................................... 210 time-zone statement .............................................. 273 usage guidelines................................................. 223 top command ........................................................ 181 usage guidelines................................................. 118 top-level statements .................................................. 110 trace permission bit .................................................. 217 trace-control permission bit....................................... 217 traceroute command........................................... 81, 187 tracing operations ..................................................... 193 See also logging operations trusted-key statement ............................................. 275 usage guidelines................................................. 227 tty connections between routing engines .................. 285 type checking, CLI ..................................................... 147 type statement ............................................... 246, 250 usage guidelines................................................. 236 typefaces, documentation conventions ...................xxviii typing commands ....................................................... 79
uid statement .........................................................275 usage guidelines .................................................220 UIDs ..........................................................................221 unauthorized login class ............................................217 unicast routing protocols .............................................10 unicast routing table....................................................12 up command .........................................................182 usage guidelines .................................................118 upgrading software......................................67, 100, 168 URLs, specifying in commands..................................192 user (system logging facility) .............................230, 232 user access login classes .......................................215, 249, 257 user accounts .....................................220, 257, 276 user accounts authentication ............................................221, 244 configuring .........................................220, 257, 276 shared user accounts..................................211, 213 user authentication....................................195, 221, 244 See also authentication user statement .......................................................276 usage guidelines .................................................220 users editing configurations displaying...................................................121, 181 multiple simultaneous users ...............................139 users of CLI, monitoring ..............................................98
/var/db/config directory .....................................106, 193 /var directory.............................................................193 /var/home directory...................................................193 /var/log directory .......................................................193 /var/tmp directory .....................................................193 vcoord option ............................................................256 verifying configurations.............................................128 view permission bit ...................................................217 virtual links aggregated devices .............................................280
W Y
warning (system logging severity level) .............230, 231 wildcard names .........................................................164 wildcards...................................................................153 world-readable option .......................................231, 270
yellow alarm conditions ............................................280
328
Index Index of Statements and Commands Symbols A

| (pipe) filtering command output ..................................... 184 device-count statement ............................................... 291 dhcp-relay statement................................................... 252 diag-port-authentication statement ............................... 253 domain-name statement ............................................. 253 domain-search statement ............................................ 254
activate command ...................................................... 173 aggregated-devices statement ...................................... 289 alarm statement ......................................................... 290 alias statement ........................................................... 269 allow-commands statement ......................................... 243 annotate command ..................................................... 173 apply-groups statement ............................................... 165 authentication statement ............................................. 244 authentication-key statement ....................................... 245 authentication-order statement .................................... 245 auxiliary statement ..................................................... 246
E F
edit command ............................................................ 176 ethernet statement ...................................................... 291 exit command ............................................................ 176 exit configuration-mode command............................... 176
B C
backup-router statement ............................................. 247 boot-server statement ................................................. 247 broadcast statement ................................................... 248 broadcast-client statement........................................... 248
failover statement ................................................263, 291 file command ............................................................. 183 finger statement ......................................................... 268 fpc statement router chassis configuration ..................................292 framing statement ...................................................... 292 full-name statement ....................................................254
H I
chassis statement ....................................................... 290 class statement ........................................................... 249 clear command .......................................................... 183 commit command ...................................................... 174 compress-configuration-files statement ........................ 249 configure command .................................................... 183 configure exclusive command ..................................... 183 console statement ....................................................... 250 copy command .......................................................... 174
help apropos command ............................................... 176 help command ........................................................... 176 help reference command ............................................. 176 host-name statement .................................................. 254
idle-timeout statement ................................................ 255 inet statement ............................................................ 269 insecure statement .............................................. 246, 250 insert command ......................................................... 177
deactivate command ................................................... 175 default-address-selection statement .............................. 250 delete command ......................................................... 175 deny-commands statement ......................................... 251
keepalive-time statement............................................. 292
Index of Statements and Commands
327
Index of Statements and Commands
load command ........................................................... 177 location statement ...................................................... 256 login statement ........................................................... 257
M N
message statement ..................................................... 257 mirror-flash-on-disk statement ..................................... 258 monitor command ...................................................... 184 multicast-client statement ............................................ 258
name-server statement................................................ 259 no-concatenate statement ........................................... 293 no-packet-scheduling statement ................................... 293 no-redirects statement ................................................ 259 no-source-route statement ........................................... 296 ntp statement ............................................................. 260
packet-scheduling statement ........................................ 293 peer statement ........................................................... 260 permissions statement ................................................ 261 pic statement.............................................................. 294 ping command ........................................................... 184 pipe ( | ) filtering command output ..................................... 184 port statement ............................................................ 262 ports statement .......................................................... 262 processes statement .................................................... 263 protocol-version statement .......................................... 264
save command ...........................................................179 secret statement RADIUS authentication .........................................266 TACACS+ authentication ......................................266 server statement .........................................................267 services statement ......................................................268 set cli complete-on-space command .............................167 set cli idle-timeout command .......................................167 set cli prompt command..............................................168 set cli restart-on-upgrade command .............................168 set cli screen-length command .....................................169 set cli screen-width command ......................................169 set cli terminal command ............................................169 set command ...................................................... 180, 185 set date command ...................................................... 170 show cli command ...................................................... 170 show cli history command ........................................... 171 show command .................................................. 181, 186 single-connection statement ........................................269 sonet statement ..........................................................295 source-route statement ................................................296 speed statement ................................................. 246, 250 ssb statement .............................................................296 ssh command .............................................................186 ssh statement .............................................................268 start command ...........................................................186 static-host-mapping statement .....................................269 status command ......................................................... 181 sysid statement ...........................................................269 syslog statement .........................................................270 system statement ........................................................ 271
Q R
quit command .................................................... 178, 185
radius-server statement ............................................... 264 redundancy statement ................................................ 294 rename command ...................................................... 178 request command ....................................................... 185 restart command ........................................................ 185 retry statement ........................................................... 265 rlogin statement ......................................................... 268 rollback command ...................................................... 178 root-authentication statement ...................................... 265 root-login statement .................................................... 266 routing-engine statement ............................................. 295 run command ............................................................. 179
tacplus-server statement ..............................................272 telnet command..........................................................186 telnet statement ..........................................................268 test command.............................................................187 timeout statement RADIUS authentication .........................................272 TACACS+ authentication ......................................272 time-zone statement ...................................................273 top command ............................................................. 181 traceroute command ...................................................187 trusted-key statement ..................................................275 type statement .................................................... 246, 250
uid statement .............................................................275 up command ..............................................................182 user statement ............................................................276
328

Swconfig50 Getting Started

Uploaded by

Copyright:

Available Formats

Swconfig50 Getting Started

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Swconfig50 Getting Started

Uploaded by

Copyright:

Available Formats

JUNOS Internet Software Configuration Guide

Abbreviated Table of Contents About this Manual Part 1 Overview

Part 2 Software Installation and Upgrade

Abbreviated Table of Contents

Part 3 Command-Line Interface

Part 4 System Management

Part 5 Router Chassis

Abbreviated Table of Contents

Table of Contents About this Manual

Chapter JUNOS2 Software Overview .................................................................................9

JUNOS 5.0 Internet Software Configuration Guide: Getting Started

Chapter 3 Configuration Mode Complete

Part 2 Software Installation and Upgrade

Chapter 7 Software Packages Upgrade

Upgrade All Software Packages.............................................................................68 Upgrade Individual Software Packages .................................................................69

Chapter 8 to Release 5.0 or Downgrade from Release 5.0 ...........73 Upgrade

Part 3 Command-Line Interface

Chapter 10 Command-Line Interface Operational Mode ......................................... 81

JUNOS 5.0 Internet Software Configuration Guide: Getting Started

Chapter 11 Control the CLI Environment ..........................................................................99

Chapter 12 the Router with the CLI............................................................103 Configure

Chapter 13 Groups ........................................................................................149 Configuration

JUNOS 5.0 Internet Software Configuration Guide: Getting Started

Chapter 14of CLI Environment Commands ............................................167 Summary

Chapter 15of CLI Configuration Mode Commands ...........................173 Summary

Chapter 16of CLI Operational Mode Commands ................................183 Summary

Part 4 System Management

JUNOS 5.0 Internet Software Configuration Guide: Getting Started

Chapter 20 System Authentication.............................................................209 Configure

Chapter 21 User Access .....................................................................................215 Configure

Chapter 22 Time.......................................................................................................223 Configure

Chapter 23 System Logging.............................................................................229 Configure

Chapter 24 Miscellaneous System Management ..............................235 Configure

Chapter 25 Summary of System Management

JUNOS 5.0 Internet Software Configuration Guide: Getting Started

Part 5 Router Chassis

Chapter 27of Router Chassis Configuration Statements............289 Summary

JUNOS 5.0 Internet Software Configuration Guide: Getting Started

List of Figures List of Figures

List of Tables List of Tables

About this Manual

About this Manual

JUNOS 5.0 Internet Software Configuration Guide: Getting Started

About this Manual

! Part 5, Router Chassis, covers the configuration of router chassis properties.

This manual also contains a glossary and an index.

JUNOS 5.0 Internet Software Configuration Guide: Getting Started

Using the Index

Using the Index

About this Manual

Documentation Conventions General Conventions

Remote --> 1.0.0.2

Conventions for Software Commands and Statements

JUNOS 5.0 Internet Software Configuration Guide: Getting Started

About this Manual

How to Request Support

JUNOS 5.0 Internet Software Configuration Guide: Getting Started

JUNOS 5.0 Internet Software Configuration Guide: Getting Started

Chapter 1 Product Architecture

JUNOS 5.0 Internet Software Configuration Guide: Getting Started