Hello and welcome to Basic Junos Config for EX. The agenda looks like this. We’ll be going through some basic Junos concepts first, interface naming in the devices, a little bit on the CLI modes, and also the Junos commit model. We’ll walk through the apply groups, some simple examples there, and finish off with a small configuration exercise.
So the Junos operating system runs on most of the Juniper product lines. They actually share a lot of code for the core functionality, but obviously other functionality gets added depending on the type of platform it is, whether it’s a security device, a switching device or a routing device. So let’s take a look at what happens when you unpack a device. It does have switch defaults on it, so when it’s factory default, you will have one VLAN on it. It’s called default and it has a VLAN ID of 1, and all the access ports are connected to that VLAN. ZTP is enabled on the device, so it will try to call home to the Mist cloud if it gets an IP address. When you create a VLAN, it’s not only ports that you can add to it, you can also add filters to a VLAN. You can add some security features to a VLAN like depicted here, for instance DHCP security or dynamic ARP inspection.
When it comes to switch ports, we have a few different modes. So access port is the default, where you just have one VLAN and there’s no VLAN tag sent out of that port, so it’s ready to connect a laptop to. The trunk port sends out multiple VLANs and it transmits the VLAN IDs on the wire, we call that tagged. And then the bottom one is configured as a trunk port, but we add a native VLAN to that, so the native VLAN will then be sent untagged out of that port. We have a lot of configuration options for our ports. The ones with a star behind them here are also there by default.
From factory, the default VLAN comes with an IP interface. The IP interfaces that we can attach to a VLAN are called IRBs. So irb.0 in this case is attached to the default VLAN and it’s configured for DHCP. That IRB can be used for in-band management. So you can use that IP address to SSH to the device or maybe for web management, but you can also use it for routing. Now every switch has an out-of-band Ethernet port as well, and this one is dedicated to management. In the CLI this interface is called vme, and by default it has DHCP enabled on it. There are some things you have to know about this port. It’s always an access port, it cannot be a trunk. It never belongs to a VLAN. You actually add an IP address directly on that interface, and it cannot pass traffic to and from the front panel ports. Worth noting though, is that it does share the routing table with the other IP interfaces. Now, if we add multiple VLANs and we want to route, we have to create more IRBs as well. An IRB is an object that you assign an address to, and then you assign that IRB to a VLAN. And when you do it like it’s depicted here, you can actually start routing between these VLANs, because they all come into the same default routing instance.
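As an added example that is not part of the video, here is how the out-of-band vme port can be given a static address and, because it otherwise shares the routing table with the IRBs, moved into the dedicated management routing instance. The addresses are constructed, and the `management-instance` knob is assumed to be available on your Junos release and EX model.

```junos
# Out-of-band management port (the addresses below are constructed examples).
set interfaces vme unit 0 family inet address 192.168.100.10/24

# By default vme shares the default routing table with irb.0 and the other IRBs.
# Moving it into the dedicated management instance keeps management routes
# separate from the data plane (assumes a release that supports this knob).
set system management-instance
set routing-instances mgmt_junos routing-options static route 0.0.0.0/0 next-hop 192.168.100.1

# Only allow SSH in, and never as root, on the management address.
set system services ssh root-login deny

commit

# Verify from operational mode:
#   show interfaces vme terse
#   show route table mgmt_junos.inet.0
```

The static default route lives in `mgmt_junos.inet.0`, not in the main `inet.0`, so a misconfigured IRB or a routing protocol on the front panel ports cannot hijack the path back to your management station.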
All right. Let’s continue with interface naming. This is an important topic. You need to understand how the interfaces are addressed in the CLI. So we have different types of devices, of course, chassis and fixed configuration devices. Now the interface name that you type actually has four parts. The IF type is a few letters telling us what kind of interface it is. So you can see here in my example, I have ge- and that means it’s a gigabit Ethernet port. The next piece of this is the FPC, and that’s kind of simple. On the chassis side, that’s really just a line card. A standalone device will always have FPC 0. You still need to put a 0 in there. And in a virtual chassis system, every member of that virtual chassis has an FPC number.
The next part of this is the PIC. So a line card, a member in a virtual chassis, or a standalone device has multiple modules in it. Even though a PIC is fixed and cannot be removed, we still have several PICs on a line card or on a switch. So you can see here that on the standalone device and on the virtual chassis, we have PIC 0, which represents the normal, let’s say, front-facing ports. PIC 1 would normally be a set of uplink ports. And the last piece of this of course is the port number itself, within that PIC. You can pause the video if you like and look at some of these examples to understand it.
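The type-fpc/pic/port scheme is what lets you address whole groups of ports at once. The following is an added example, not from the video, using interface ranges on a two-member virtual chassis; the port counts (44 access ports on PIC 0, four uplinks on PIC 1) are assumed for the sake of the example.

```junos
# Access ports on member 0 (FPC 0) and member 1 (FPC 1), both on PIC 0.
set interfaces interface-range access-ports member-range ge-0/0/0 to ge-0/0/43
set interfaces interface-range access-ports member-range ge-1/0/0 to ge-1/0/43
set interfaces interface-range access-ports unit 0 family ethernet-switching interface-mode access
set interfaces interface-range access-ports unit 0 family ethernet-switching vlan members default

# Uplinks live on PIC 1 of each member; 10 gigabit ports use the xe- type.
set interfaces interface-range uplinks member-range xe-0/1/0 to xe-0/1/3
set interfaces interface-range uplinks member-range xe-1/1/0 to xe-1/1/3
set interfaces interface-range uplinks description "PIC 1 uplinks"

# Ports that are not cabled: disable them rather than leaving them as live
# access ports on the default VLAN.
set interfaces interface-range unused member-range ge-0/0/44 to ge-0/0/47
set interfaces interface-range unused member-range ge-1/0/44 to ge-1/0/47
set interfaces interface-range unused disable

commit

# Verify from operational mode (member 1's ports all start with ge-1/):
#   show interfaces terse | match "ge-1/"
#   show interfaces terse | match xe-
```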
This is a very short one, logging into Junos. I have it here because there is a difference between logging in with the user root and a non-root user. Also, it’s worth mentioning that when a device is factory default, the default user is root with no password, and you can only access it through the serial console. Obviously, the device is also in zero touch provisioning mode and could contact the cloud, and then you would get access to it that way. But if it’s a standalone device without the cloud, you can then enable the SSH service on the device, and obviously it needs an IP address, and as soon as you’ve done that, you can access the device through SSH or serial. Now if you log in with the root user, this will drop you into the UNIX shell. To be able to do any configuration or monitoring of the device, you need to go to the Junos CLI. So you simply type cli, hit enter and you’re in the Junos CLI. If you then create a non-root user, which is recommended, and you log in with that, you’ll automatically be dropped into the Junos CLI. So that’s just a quick mention of the UNIX shell and the Junos CLI.
Now we have two different CLI modes in Junos. So the first one is where you land when you log in, and that’s called operational mode, and this is where you can look at logs, monitor the system, view tables, and view anything that’s actually active in the system right now. The Junos configuration mode is where you configure the device and make all the changes that you want to do, and you get into configuration mode by simply typing edit and enter, or configure and enter. So in operational mode, the question mark is really your friend. You’ll be able to see the available commands that way. You can use tab for command completion when you’ve typed a partial word, use the up and down arrows for history, and also navigate on the command line with Ctrl-E, Ctrl-A and Ctrl-W to move back and forth on it.
I listed some common commands for you here, but I’ll show you those in a little video instead. Also, when you do a show command, it’s always useful to filter your output, because you might get a lot of information you don’t want to see. You do that with a pipe and then a command after it. And again, you can always use the question mark. You can then match to see only specific information, and you can hide specific information. You can even save the output to a file.
The Junos configuration is stored in a hierarchy. If you enter configuration mode, type show and hit enter, you will see the entire configuration, and you’ll see it in a hierarchical manner. You can however do show | display set and you’ll see the configuration line by line instead. This configuration hierarchy works a little bit like the directory structure on a PC. Different areas of the configuration are what we call stanzas, and you can go into these stanzas and back out again using commands like edit, up and top. So as an example here, if you are at the root and type edit system and hit enter, you’ll go into the system stanza. Type edit services ssh again, and you’ll come into the SSH stanza, and then you can back out using the command up, or top will get you right back to the root again.
In configuration mode, you can obviously use the question mark again, but the most common commands are probably set and show. Also, the replace command is kind of cool, because you can do a pattern search and replace in the entire hierarchy or in the hierarchy level that you are at right now. For instance, changing an IP address in the entire configuration to something else, or changing a VLAN ID to something else, things like that.
So commit and commit confirmed, I’ll get back to those in a little bit. Activate and deactivate are actually nice troubleshooting commands, because you can deactivate entire trees of configuration in the hierarchy. The configuration will stay there, as you can see here with OSPF, and be visible, but it’s not active, and then when you’re ready you can activate it again. So let’s look at some examples here in this video. So we’re just doing show and a question mark, which gives you a whole lot of things to look at. We’re looking at VLANs here as well. You can just use the question mark, looking at interfaces in a terse format, but you get too much. So I’ll look at it again, excluding interfaces that are down and matching only ge-.
Another example is looking at my DHCP client. So my switch is asking for an IP address, and I can refresh that every second just to see if anything is happening. I can monitor interfaces. This is an active screen that updates automatically all the time. And in this case I’m showing the system log, but only the last 10 messages, by piping it to last 10. Just typing show in edit mode will show you the entire configuration. And as you can see, I’m going into system, I’m going into system services ssh and doing a show command, and then I can move around like this. And as I alluded to before, you can also do display set to see the entire config in a line by line format like this.
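The operational-mode pipes and the configuration-mode navigation, replace and deactivate commands from the last few sections, written out as one added session that is not the video's own recording. The hostname, the address being replaced and the OSPF stanza are assumed for the example; lines starting with `#` are explanatory.

```junos
# Operational mode: filter, refresh, follow and save show output.
user@switch> show interfaces terse | match ge- | except down
user@switch> show dhcp client binding | refresh 1
user@switch> monitor interface traffic
user@switch> show log messages | last 10
# Keep a copy of authentication-related log lines on the box for later review.
user@switch> show log messages | match "sshd|login" | save /var/tmp/auth-events.txt

# Configuration mode: move around the hierarchy like a directory tree.
user@switch> configure
user@switch# edit system services ssh
[edit system services ssh]
user@switch# show
user@switch# set root-login deny
user@switch# up
[edit system services]
user@switch# top
[edit]
user@switch# show | display set | match ssh

# Search and replace across the whole candidate configuration
# (the address is a constructed example; the pattern is a regex, so escape the dots).
user@switch# replace pattern 10\.0\.1\.1 with 10.0.2.1

# Park a whole protocol stanza without deleting it, then review before committing.
user@switch# deactivate protocols ospf
user@switch# show | compare
user@switch# commit check
user@switch# activate protocols ospf
```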
So next I want to talk a little bit about the Junos commit model, which is an important concept to understand. So imagine that you want to change your configuration. You have this active config, which is running in the switch right now, and you go into configuration mode by typing edit. What happens now is that we make an offline copy of the active configuration, and this is where you make your changes. So any adds, any deletes will go into this offline file, and they will not be activated until you specifically say so. So that’s very powerful. You can make your changes and deletes, and then when you feel you’re ready, you do a commit to activate the config changes. There are a few other things that happen when you type commit. So we will make a backup copy of the active configuration as it is. The active config is also called rollback 0, but this copy will be called rollback 1. And when we’ve done that, we do a syntax check of your candidate configuration, and then if that passes, we activate it and you’re good to go. Now the rollback 1 is still there, so you could type rollback 1 and go back to your old configuration any time you’d like.
Now let’s try that again, the same thing again, but this time we type commit confirmed 4 instead. The 4 there means minutes. So now we want to back up the active config again to rollback 1, but before that we have to save rollback 1 to rollback 2. Then we can save the active config to rollback 1. All right. When that’s done, we do a syntax check, and if that goes well, we activate the config. Now the difference here is that a commit confirmed is pending, and you’ll see that on the command line, because it keeps reminding you and counting down the minutes. Now, if you want to stop this process, you have to do a commit check or a commit on the command line within those 4 minutes. If you don’t do that, we will revert the config. So if you make a configuration change that accidentally cuts off your own access to the device, the device will automatically roll back to the last configuration again.
So we do have this rollback, and we save up to 50 versions of old configurations on the device itself, and you can roll back to any one of them. To understand which one you want to roll back to, you can compare a rollback with what’s actually active in the device right now. So for instance, you can do show | compare rollback and whatever rollback number you want. Now remember that rollback 0 is actually the active configuration. If you go into configuration mode and add a few commands, you can then do show | compare rollback 0 and just see the changes you made. But you can also compare the configuration that you’re working on right now with any other rollback. So let’s see what that might look like. In this case, I’ll show you what VLANs I have. Please note the demo VLAN there. So I’m going to add some more VLANs to this configuration, to show you, a Mist Rocks VLAN. I’ll put some SNMP config in there. And also, I’ll delete that demo VLAN for you.
All right. So now, what I’ll do is I’ll compare this to rollback 0, my active config. These are the changes I made. You can see the pluses and minuses. I’ll do commit check for syntax checking, and now I’ll do commit confirmed 1. What I mean by that is that, if I don’t type commit check or commit again within 1 minute, it will revert back to the old configuration. We’re now looking at the changed VLAN configuration. Remember, I created a VLAN called Mist Rocks and I deleted the one called demo-VLAN, and you can see the changes I’ve made when I do show | compare rollback 1. And I can roll back to that one and commit that again, and I’m back to where I started.
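The commit workflow from this section as one added session, not the video's own recording: stage changes, diff them against the active configuration, commit with a safety timer, confirm, then use the rollback history to undo. VLAN names, the SNMP community and client address are constructed; the community is read-only and restricted to one client so a typo here does not expose the device more than intended.

```junos
user@core1> configure
# Stage the changes in the candidate (offline) copy.
user@core1# set vlans mist-rocks vlan-id 30
user@core1# set snmp community monitoring-ro authorization read-only
user@core1# set snmp community monitoring-ro clients 10.0.1.50/32
user@core1# delete vlans demo-vlan

# Candidate versus active: rollback 0 is the running config, so this shows only my edits.
user@core1# show | compare rollback 0
user@core1# commit check

# Activate with a 1 minute timer; a comment makes the history readable later.
user@core1# commit confirmed 1 comment "add mist-rocks, snmp ro, drop demo-vlan"
# If SSH still works, confirm within the minute; otherwise the box reverts on its own.
user@core1# commit

# Rollback history: rollback 1 is the config from before this commit.
user@core1# run show system commit
user@core1# show | compare rollback 1

# Undo: load rollback 1 into the candidate and commit it, which becomes a new rollback 0.
user@core1# rollback 1
user@core1# show | compare
user@core1# commit comment "revert mist-rocks change"
```

Note that `rollback 1` only loads the old configuration into the candidate; nothing changes on the device until the following `commit`, which is why the `show | compare` in between is worth the habit.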
Next, I want to talk about Junos apply groups. Junos apply groups are a powerful way of grouping commands together, or of applying the same configuration in multiple places at the same time. I have two examples here. One of them is the orange one, and the group is called Mist Script. Mist Script is a block of configuration commands that I can just apply to the system. So when I’m looking at my configuration, I know that everything under that group has to do with Mist Script. The other way of using this is like I’ve done with the blue one, the DHCP security, where I wanted to activate DHCP security on all VLANs at the same time by only typing a few commands. So every time I add a new VLAN, the new VLAN automatically gets this configuration. So I have an example of that here. So let’s go into edit mode and I’ll show you the group I created. And this has VLANs with the star, the wildcard. And if you look at the VLANs here, you can’t see it. You can only see that I’ve applied that group, but to see what actually happened, I can do | display inheritance, and if I add no-comments to that, I will see it as if I had configured it on every single VLAN by itself.
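An added example, not the video's own group, of the wildcard apply group for DHCP security described above, plus the two things a practitioner usually needs next: a trusted port for the DHCP server and a way to exclude one VLAN from the inherited settings. The group name, the DHCP server port `ge-0/0/1` and the VLAN names are assumed.

```junos
# Group body: <*> matches every VLAN name, so each VLAN inherits the whole block.
set groups dhcp-sec vlans <*> forwarding-options dhcp-security arp-inspection
set groups dhcp-sec vlans <*> forwarding-options dhcp-security ip-source-guard
# The port facing the DHCP server must be trusted, or snooping drops its OFFERs.
set groups dhcp-sec vlans <*> forwarding-options dhcp-security group trusted-ports overrides trusted
set groups dhcp-sec vlans <*> forwarding-options dhcp-security group trusted-ports interface ge-0/0/1.0

# Apply the group once at the [edit vlans] level; new VLANs pick it up automatically.
set vlans apply-groups dhcp-sec

# Opt a single VLAN out, for example one that carries its own DHCP server and must not be filtered.
set vlans lab-vlan vlan-id 99
set vlans lab-vlan apply-groups-except dhcp-sec

commit

# Verification, from configuration mode:
#   show vlans                                    (shows only apply-groups dhcp-sec)
#   show vlans | display inheritance no-comments  (shows the expanded config per VLAN)
# and from operational mode:
#   show dhcp-security binding
#   show dhcp-security statistics
```

The inheritance view is the one to keep in audit notes or a change ticket: the raw `show vlans` output makes it look as if nothing is protecting the VLANs, while the expanded view shows exactly what is enforced on each one.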
Lastly, we’ll do a short configuration exercise. So I’ve got this simple network here, two switches, one core and one access. The core switch we’ll configure manually by CLI. The access switch is fully Mist cloud managed, okay, so we won’t do any configuration on that. All that configuration is done from the Mist dashboard. So what I want to do here is create a management network, and I’m going to use the default VLAN for that, because the default VLAN is always there when you add a new switch or a new access point, and that makes it easy for those devices to get an IP address and reach the cloud right away.
I would need to configure the downlink on the switch. I have some extra VLANs, so I’ve added some IRBs to them as well. And I will also add some configuration so that DHCP requests from the other VLANs will actually reach my DHCP server. So what I need to do on the core switch is some basic configuration first. If you do have a factory-defaulted device, you need to add some basic things to it. I’ll start by creating my VLANs. So remember that the default VLAN, which I’m using for my management here, has already been created from factory. I’ll then create my IRBs. I need to change my irb.0 that’s connected to the default VLAN, because I want a static IP address on that instead of the DHCP address.
Next, I have to connect those IRBs to my VLANs. Again, the default VLAN is already connected to irb.0, so that’s already done. I’ll add some commands so that I can forward DHCP requests to my DHCP server from the other VLANs as well. And last, I’ll do some configuration on the interfaces. I’m giving a description to the interface where the DHCP server is located, and then I’m creating my downlink to the access switch and setting that to interface mode trunk with all VLANs on it. And I’m adding native VLAN 1 to that trunk as well, which means that my default VLAN is sent untagged on that link. And then I commit those changes to make them active. Now I can go into the switches and run some simple commands to verify a few things. I’m looking at the IRBs here to check that they’re actually created. I’m doing a show lldp neighbors to see that my neighbors are up, and the same on the access switch, with the IRB and the LLDP information. So a very simple setup with some VLANs and some IRBs. That’s it for this session. Thank you very much.
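The whole exercise as one added configuration in set form. This is not the video's own configuration: the hostname, user name, VLAN names and IDs, all addresses, the DHCP server port `ge-0/0/1` and the downlink port `ge-0/0/47` are assumed. It starts from a factory-default EX with the default VLAN (ID 1) already present and attached to irb.0.

```junos
# Basics on a factory-default device: a non-root user, SSH, and no root over SSH.
set system host-name core1
set system login user netadmin class super-user authentication plain-text-password
set system services ssh root-login deny

# VLANs. "default" (vlan-id 1) already exists from the factory and carries management.
set vlans users vlan-id 10
set vlans servers vlan-id 20

# IRBs. Replace the factory DHCP lease on irb.0 with a static management address.
delete interfaces irb unit 0 family inet dhcp
set interfaces irb unit 0 family inet address 10.0.1.1/24
set interfaces irb unit 10 family inet address 10.0.10.1/24
set interfaces irb unit 20 family inet address 10.0.20.1/24

# Attach the new IRBs to their VLANs (default is already attached to irb.0).
set vlans users l3-interface irb.10
set vlans servers l3-interface irb.20

# DHCP relay so requests on the users and servers VLANs reach the server on the management VLAN.
set forwarding-options dhcp-relay server-group dhcp-servers 10.0.1.50
set forwarding-options dhcp-relay active-server-group dhcp-servers
set forwarding-options dhcp-relay group relay-vlans interface irb.10
set forwarding-options dhcp-relay group relay-vlans interface irb.20

# Interfaces: the DHCP server port, and the downlink trunk to the Mist-managed access switch.
set interfaces ge-0/0/1 description "DHCP server"
set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members default
set interfaces ge-0/0/47 description "downlink to access switch"
set interfaces ge-0/0/47 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/47 unit 0 family ethernet-switching vlan members all
# Native VLAN 1 means the default (management) VLAN crosses the trunk untagged.
set interfaces ge-0/0/47 native-vlan-id 1

# Activate with a safety timer, verify in-band access still works, then confirm.
commit confirmed 4
commit

# Verification from operational mode:
#   show interfaces irb terse
#   show vlans
#   show lldp neighbors
#   show dhcp relay statistics
```

Because `plain-text-password` prompts interactively, that line is typed rather than pasted. The `commit confirmed 4` matters here: irb.0 changes from DHCP to a static address in the same commit, so if the new address is wrong the switch restores the old configuration by itself.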