32. Configuration Hierarchy
Let’s talk about the Junos configuration hierarchy. When we configure a Junos device, we have two options. We can choose to configure it from the top of the configuration hierarchy, which is the [edit] hierarchy at the top. Or we can choose to navigate into an item-specific configuration hierarchy and configure it from there. Let’s dive into the terminal and take a look at the differences. All right. I’m here at the Junos terminal. I am first going to enter the configuration mode.
And let’s first look at a configuration example from the top of the configuration hierarchy, which is the [edit] hierarchy. I’m going to configure a security policy. The focus here is not to understand the syntax or the structure of the command. The focus here is the length of the command. We want to see the difference in the length of the command when you configure it from the top and when you configure it from a specific configuration hierarchy. All right. So focus on the length, not the structure or the syntax of the command.
So I’ll start with set, space, question mark. And I’m going to say security policies from-zone, and I need to provide the zone name, trust, then to-zone and the zone name, untrust. Let’s do a question mark here. Notice I can’t execute this command because it doesn’t list Enter as a possible completion. So I need to complete that command. The keyword is policy. And now I need to provide a policy name, which is permit-all, and then a question mark. We still need to complete the command. I’m going to say match. Question mark.
And I’m going to match the source address: source-address any. And now we can execute this command. So take a look at that command. It’s a really long one. The policy has not been fully configured yet. We still need to match the destination address and the application, and provide an action, which is to permit or deny the traffic. So I can choose to write the whole command again, or I can hit the up arrow and just delete the last two words there and say match destination-address any. Repeat that one more time: match application any. And then I can say policy permit-all then permit. Press Enter.
And now the policy has been configured. So when you configure from the top of the configuration hierarchy, you need to write the entire command. Let me show you one more thing here. Let’s say after configuring the policy, I want to view the policy. If I do show here, it’s going to show me the entire configuration. And then I have to navigate through it and take a look at the policy here. Or I can choose to say show security policies and then write that command again: from-zone trust to-zone untrust, and then policy and the policy name, permit-all. So even the show command becomes so lengthy, right? And now I can see that policy. One more thing to notice over here is that when you’re at the top of the configuration mode, when you try set, space, question mark, it gives you all possible completions from the top of the configuration mode. All right, so have those things in mind. Now let’s try to navigate into a specific configuration hierarchy, and we’ll see the differences.
So I’ll say edit security policies, and we’re going to follow the same structure over here. Make a note here that I’m not starting with set. I’m starting with edit. The edit command is used to navigate into a specific configuration hierarchy. So edit security policies from-zone trust to-zone untrust policy, and we’ll provide a policy name here. I’m just going to give it a different name so we can see the difference. Let’s call this one allow-all. And now I should be able to press Enter.
When I press Enter, notice that from [edit] we have now navigated to this configuration hierarchy: [edit security policies from-zone trust to-zone untrust policy] and the policy name. If I do set, space, question mark here, notice I can see far fewer options as possible completions compared to this one. So that’s one of the benefits. When you look at the possible completions from the item-specific configuration hierarchy, you’re not going to see all possible options. You will only see the options that can be configured at that hierarchy. Also, the length of my commands will be reduced. So I can say set match source-address any, set match destination-address any, set match application any. Don’t worry about the syntax or the structure of the command. The focus here is just the length of the command. Set then permit. Don’t you think this is much easier than configuring it this way, where you’re typing the entire command? Much easier, right? Let me show you one more difference. If you do show from here, you will only see output that’s relevant to that configuration hierarchy.
So if I do show here, we’re only seeing that output. So this is one of the powerful things about Junos: instead of having to configure everything from the top of the configuration mode, you can get into a specific configuration hierarchy and configure it from there. So here are the benefits of configuring from an item-specific hierarchy. Number one, it significantly reduces the length of your commands. Number two, when you perform a question mark, it only shows you commands specific to that hierarchy. And when you perform show, the output is reduced to only items under that hierarchy.
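The two approaches from this lesson side by side, as an added example that is not part of the original recording. The prompt user@srx, the hyphenated spellings permit-all and allow-all, and the closing top command are assumptions; lines starting with "# " are annotations, not typed input, and no device output is shown.

```junos
# Approach 1: every statement typed from the top of the hierarchy
[edit]
user@srx# set security policies from-zone trust to-zone untrust policy permit-all match source-address any
user@srx# set security policies from-zone trust to-zone untrust policy permit-all match destination-address any
user@srx# set security policies from-zone trust to-zone untrust policy permit-all match application any
user@srx# set security policies from-zone trust to-zone untrust policy permit-all then permit

# Viewing just this policy from the top also needs the full path
user@srx# show security policies from-zone trust to-zone untrust policy permit-all

# Approach 2: navigate into the policy's hierarchy first
user@srx# edit security policies from-zone trust to-zone untrust policy allow-all

[edit security policies from-zone trust to-zone untrust policy allow-all]
user@srx# set match source-address any
user@srx# set match destination-address any
user@srx# set match application any
user@srx# set then permit

# "set ?" here lists only what can be configured under this policy,
# and "show" prints only this policy
user@srx# set ?
user@srx# show

# Return to the top of the hierarchy (assumed step, not shown in the lesson)
user@srx# top
```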
33. Junos Commit
Let’s talk about the Junos commit command. Like we already know, the commit command is used to save the configuration. So the commit command saves the candidate configuration as the active configuration. And when you issue the commit command, Junos automatically performs a commit check to look for syntax errors. If you’d like to perform the check manually, we can use the command commit check. If you’d like to view the changes that will be committed before you perform the commit operation, we can use the command show | compare. This will show you the changes that will be committed. A few other things to keep in mind before we get to the terminal and try these commands. It is possible to schedule a commit using the commit at command. And if you have any scheduled commits or any pending commit operations and you want to clear them, we can use the command clear system commit. It’s an operational mode command. We can use the commit confirmed command to commit changes and then require confirmation before making changes permanent. And the last command to keep in mind is commit and-quit. This will commit the changes and take you back to the operational mode.
Now, let’s dive into the Junos terminal and try these commands. All right, I’m here at a Junos terminal. I’ll first enter the configuration mode and I’ll make a configuration change over here. So I’m going to do set security policies from-zone trust to-zone untrust, and I’m going to say policy. Let’s call this demo. The syntax of this command is not important right now. We’re trying to understand the commit command. So I’m going to press Enter here.
That command is incomplete. So I’m going to do a question mark here and use the match keyword and source-address any. And now I should be able to commit. So if I perform a commit here, Junos will automatically perform a commit check to verify if the configuration can be accepted. So clearly we can see here Junos does not like the fact that the configuration is incomplete. It says you are missing a statement for the destination address. You are missing a statement for the application and you’re missing the then statement. And as a result, the commit has failed. So when you perform the commit command, Junos will automatically verify the configuration to check for syntax errors. It is also possible to manually verify the configuration using the commit check command. And we should get the same output. It says these statements are missing. Now, I’m going to roll back that change. I’m just going to say delete security policies from-zone trust to-zone untrust. I’m just going to take that policy statement out. And now if I do commit check, it should be fine because we have removed the policy statement.
All right. The next command that we’ll look at is commit at. This allows you to schedule the commit. So let’s say I want to perform the commit at a future date and time. I can say commit at. And here we can provide the timestamp, or the date and time information, when we want the commit operation to be performed.
So I’m going to say commit at, and you’ll start with the year and then the month and then the date and then the time. So I’m saying commit the configuration on the 8th of April, 2020, at 1500 hours. Press Enter here, and it will first perform a commit check to see that the configuration can be accepted. And if that succeeds, the configuration will be committed at this specific time. Now, also notice that once the statement has been executed, you’ve been moved out to the operational mode. Now, let’s say I changed my mind and I want to stop this commit from happening. Then we can use the clear command. We can say clear system. Let’s do a question mark. And here we can see commit. Let’s do a question mark here. So the command is clear system commit, and press Enter, and that will clear out any pending commit. Let’s go back to the configuration mode. The other command that we should know is commit confirmed. And this is one of my favorite commands on the Junos device. This allows you to temporarily commit the configuration before making the changes permanent.
So when I say commit confirmed and press Enter, the configuration will be saved for 10 minutes, and within 10 minutes, if I do not follow it up with another commit command, the configuration will be automatically rolled back. So the default timer is 10 minutes, but we can set it to any other time. So, for example, we can say commit confirmed and then we can put a number here. That number can be between 1 and 65535. So if I do commit confirmed 2, that means the changes will be committed for two minutes. And if I do not follow up with a commit command within two minutes, the configuration will be rolled back. This has a very powerful use case when you’re configuring your device remotely and you’re making crucial changes like interface IP address changes or routing changes, where you could very easily get locked out if you make any mistakes in the configuration.
So the best practice is to first start with commit confirmed and give yourself some time to verify the changes and connectivity, and then follow it up with a commit command. Let’s say you make a configuration mistake and you’re locked out of your device. You know that the configuration will be automatically rolled back when the timer expires. So that’s a very handy command. The other command that we can use is commit comment, and that allows you to specify a comment along with the commit operation. Again, this is a best practice. So anybody else who looks at the configuration or the commit history will come to know what the reason was for committing this change. So let’s say we change the interface IP address. And when we are committing the change, we can say commit comment and we can say interface fe-0/0/0 IP changed. So that will help the next person identify why this commit operation was performed.
All right. So that’s gone through. The other command that we’ll look at is commit, pipe, and we’ll do a display over here. Now, this command is not used very often, but sometimes when you need to troubleshoot issues with your Junos device, you may want to use this command. Normally, this command is not used. So the command is commit | display detail. This will show you all the activities that are being performed in the background when the commit action is taking place. I’ll press Enter: commit | display detail. And here we can see all the activities that are happening in the background when the commit operation is taking place. Another command, which is quite handy, is commit and-quit.
This will commit the configuration and will automatically take you back to the operational mode. All right, so the commit has been completed and we have been moved back into the operational mode. One last command is show system commit, and this will show you the commit history on your Junos device. This command is performed from the operational mode. So show system commit. And here we can see the history of the commits, and notice the description that we provided, or the comment that we provided, is seen over here. Also notice here, there was a commit operation that was performed in the past. It was a commit confirmed operation and the commit operation was not confirmed. So it was automatically rolled back in one minute. You will be tested in different ways for different variations of the commit command. So it’s a very important command from the examination perspective.
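The commit variations from this lesson in the order you would use them for a remote change, as an added example that is not part of the original recording. The prompt user@srx is an assumption, the comment string reuses the lesson's wording, lines starting with "# " are annotations rather than typed input, and no device output is shown.

```junos
# 1. Review what would change, then validate without committing
[edit]
user@srx# show | compare
user@srx# commit check

# 2. Activate for 2 minutes (default is 10) and record why, so the
#    reason shows up later in "show system commit"
user@srx# commit confirmed 2 comment "interface fe-0/0/0 IP changed"

# 3. After verifying connectivity, confirm within the window.
#    Without this second commit, Junos rolls the change back
#    automatically when the timer expires.
user@srx# commit

# Commit and drop back to operational mode in one step
user@srx# commit and-quit

# Schedule a commit for a date and time (year, month, day, time);
# the CLI returns to operational mode, where a pending commit
# can be cancelled
user@srx# commit at "2020-04-08 15:00"
user@srx> clear system commit

# Troubleshooting: show what the commit does in the background
user@srx# commit | display detail

# Review the commit history, including comments and any
# commit confirmed operations that were rolled back
user@srx> show system commit
```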
34. Junos Rollback
Let’s talk about Junos rollback. Let’s first understand what a rollback is. So Junos stores up to 50 committed versions of the configuration, and these can be used to roll back. So 50 is the maximum number of configurations that can be stored on the device for rollback purposes. If we choose to, we can reduce that number and we can say maybe we only want to store 10 rollback configurations or 20 rollback configurations, but the maximum number of configurations that can be stored for rollback is 50. And it’s very important to remember that the rollback version number starts from 0. So it goes from 0 to 49. Some other things to keep in mind: rollback 0 is the most recent configuration or, in other words, the active configuration of your device. So let’s say you enter the configuration mode and you make some changes, but then you change your mind and you want to revert all the changes. You can type in rollback 0 and you’ll come back to the active configuration. So rollback 0 can be used to discard the candidate configuration and return to the active configuration. After you apply a rollback, you must follow it up with a commit command. Let’s take a look at this from the Junos terminal. All right, I’m here at the terminal window. I’ll first enter the configuration mode and let’s start with the rollback command, so we can do rollback, question mark.
And here we can see all the rollbacks that have been stored on this device. Rollback 0 is from the most recent commit, which means that is the active configuration. Rollback 1 is from one commit before the most recent commit. Similarly, rollback 2 is two commits before the most recent commit. Take a look at rollback 7. This is from the commit confirmed command. Remember, we understood that when you issue the commit confirmed command, if you do not follow it up with a commit command, the change will be automatically rolled back. That’s what rollback 7 is. So a rollback is just a configuration that has been saved so that you can revert your changes. Now, let’s try this. So right now, my hostname is set to SRX. Let’s try to change the hostname. So we’ll say set system host-name and let’s change that to maybe SRX 2020. And I’ll press Enter. Now, let’s say I change my mind. I don’t want to apply this change anymore. I want to revert to the active configuration. So I can do rollback 0, press Enter and then follow it up with a commit, and all the changes will be discarded and we’ll go back to the active configuration. Before we do that, let’s take a look at this command here, show | compare. We spoke about this command earlier. This command can be used to view the changes that are going to be applied on the device.
So show | compare. So it says that you’ve removed this statement here and you applied this statement. When you try this command, it is going to compare the candidate configuration with the active configuration. But we also understood that rollback 0 is the active configuration because that is from the most recent commit operation. So if we change this command and we say show | compare rollback 0, we should get the same output, because rollback 0 is the active configuration. It is also possible to compare the current candidate configuration with some other rollback. So let’s say I want to compare the current candidate configuration with rollback 7, maybe, so I can do show | compare rollback 7. And now I can see, compared to rollback 7, in the current candidate configuration we have applied these changes under edit system, these changes under edit system name-server, these changes under edit system services dhcp and these changes under edit system. So you can compare your candidate configuration against rollback 0, which is your active configuration, or any other rollback. Now, how do we set the maximum number of rollbacks to be saved on the device? So the command is set system. And the next keyword is max-configuration. I’ll do a question mark here. The keyword is max-configuration-rollbacks.
So max-configuration-rollbacks, question mark. And here we can see that we can provide 0 to 49 as the number. So we’re going to say set system max-configuration-rollbacks 49. So that would mean the device will store 50 rollbacks. Because remember, the sequence number starts with 0. So 0 to 49 would be 50 rollback files. Or you could give any other number of your choice. For example, we can say 30 rollbacks maybe. And then we can commit the configuration. Now, let’s say I changed my mind. I don’t want to apply any of these changes. So we know what to do, right? We’ll say rollback 0, which means discard the changes and come back to the active configuration.
And keep in mind, you need to follow it up with a commit. All right, that’s done. Now, what if I wanted to see the configuration stored in that file? So, for example, what if I wanted to see the configuration stored in rollback 4 or rollback 6? How would I see that? So we can go back over here to the operational mode and we can say show system. And the command is rollback: show system rollback, question mark. And we need to provide the rollback number. So let’s say I want to see rollback 6, maybe. Press Enter and you can see the configuration stored as rollback 6. It is also possible to compare any two rollback configurations. So if we did show system rollback here, there is an option to compare any two rollbacks. So let’s do a compare and let’s try to compare rollback number 3, excuse me there, 3 and maybe 8. So here we can see rollback 3 compared to rollback 8. So under edit system name-server, a new configuration has been added, and under edit system, one configuration has been removed and one configuration has been added.
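The rollback commands from this lesson in sequence, as an added example that is not part of the original recording. The prompt user@srx and the host name spelling SRX2020 are assumptions, the rollback numbers are the ones used in the lesson, lines starting with "# " are annotations rather than typed input, and no device output is shown.

```junos
# List the stored rollback configurations
[edit]
user@srx# rollback ?

# Make a candidate change, then inspect it before deciding
user@srx# set system host-name SRX2020

# Candidate vs. active configuration (both forms compare against
# rollback 0, so they give the same output)
user@srx# show | compare
user@srx# show | compare rollback 0

# Candidate vs. an older saved configuration
user@srx# show | compare rollback 7

# Discard the candidate changes and return to the active
# configuration; the lesson follows the rollback with a commit
user@srx# rollback 0
user@srx# commit

# Keep the maximum number of rollback files (numbered 0 to 49)
user@srx# set system max-configuration-rollbacks 49
user@srx# commit

# From operational mode: view one stored configuration,
# or compare two stored configurations with each other
user@srx> show system rollback 6
user@srx> show system rollback compare 3 8
```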