Juniper JunOS Command Overview and Howtos Switch, Router, Firewall Tutorial Guide

How Do You Apply Changes You've Made?

You can make all kinds of changes to the switch, but remember they are not actually active until you run the "commit" command.  This means adding or deleting config options will not have any effect until you run "commit".

Under configure mode:

root# commit
commit complete


Reboot:

request system reboot
Reboot the system ? [yes,no] (no) yes

Shutdown NOW!
[pid 59765]

How Can You Get Info About the Hardware / Model / Serial Number?

In CLI mode:

show chassis hardware

Set Default Config:

load factory-default
warning: activating factory configuration


#if you already have DHCP on the network, I recommend deleting the DHCP service, which the factory config may start handing out IPs from by default

delete system services dhcp

#in most firmware you'll need to set a root password before you can commit

Find the IP

By default most JunOS devices will try to get a DHCP address from the network on vlan 0.

In CLI mode type this:

show interfaces vlan.0

Set Root Password

root# set system root-authentication plain-text-password
New password:
Retype new password:

Enable SSH access:

In conf mode:

set system services ssh


SSH login as root doesn't work by default, so you should create a separate user. The server won't even let root attempt password authentication:

Received disconnect from 192.168.1.205 port 22:2: Too many authentication failures for root
Disconnected from 192.168.1.205 port 22

The error above can also be caused by the client-side problem described here, where you need to make sure password authentication is tried before the client offers its keys.

If it still doesn't work, you may need to manually recreate the server RSA and DSA host keys from the shell:

ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key

ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key

This allows root to log in over SSH with a password (which should only be done for testing/non-production!):

set system services ssh root-login allow

How To Disable STP (RSTP):

RSTP is normally enabled by default to avoid loops. However, if the switch is connected to uplinks that will disable a port when it sends BPDU packets, it may be wise to disable RSTP. In conf mode:

delete protocols rstp

See what protocols are enabled on the switch:

show protocols

protocols {
    igmp-snooping {
        vlan all;
    }
    rstp;                               
    lldp {
        interface all;
    }
    lldp-med {
        interface all;
    }
}

How To Check Logs:

In cli mode:

show log ?

             Name of log file
  authd_libstats       Size: 0, Last changed: Nov 17 21:43:30
  authd_profilelib     Size: 0, Last changed: Nov 17 21:43:30
  authd_sdb.log        Size: 0, Last changed: Nov 17 21:43:30
  chassisd             Size: 350470, Last changed: Nov 18 01:06:32
  cosd                 Size: 64148, Last changed: Nov 17 22:00:19
  dcd                  Size: 339433, Last changed: Nov 18 01:42:56
  default-log-messages  Size: 0, Last changed: Nov 18 01:14:51
  dfwc                 Size: 0, Last changed: Nov 17 21:43:14
  dhcp_logfile         Size: 60198, Last changed: Nov 18 01:43:03
  dhcp_logfile.0.gz    Size: 8135, Last changed: Nov 18 01:35:31
  dhcp_logfile.1.gz    Size: 7401, Last changed: Nov 18 01:18:27
  eccd                 Size: 0, Last changed: Nov 17 21:43:12
  erp-default          Size: 100197, Last changed: Nov 18 01:41:26
  ext/                 Last changed: Nov 17 21:40:09
  flowc/               Last changed: Nov 17 21:40:09
  ggsn/                Last changed: Nov 17 21:40:09
  gres-tp              Size: 8193, Last changed: Nov 17 22:00:19
  interactive-commands  Size: 48350, Last changed: Nov 18 01:43:03
  interactive-commands.0.gz  Size: 9672, Last changed: Nov 17 22:30:01
  inventory            Size: 5266, Last changed: Nov 18 01:05:53
  license              Size: 0, Last changed: Nov 17 21:44:44
  license_subs_trace.log  Size: 4354, Last changed: Nov 17 22:01:21
  mastership           Size: 1014, Last changed: Nov 17 22:00:19
  messages             Size: 23596, Last changed: Nov 18 01:41:31
  messages.0.gz        Size: 24441, Last changed: Nov 17 22:00:00
  messages.1.gz        Size: 22618, Last changed: Nov 17 22:00:00
  pgmd                 Size: 336, Last changed: Nov 17 21:59:04
  snapshot             Size: 2926, Last changed: Nov 17 21:59:40
  user                 Show recent user logins
  wtmp                 Size: 20772, Last changed: Nov 17 22:11:52
  wtmp.0.gz            Size: 96, Last changed: Nov 17 21:44:46

show log messages

Work with a range:

With Juniper you need to create a "range" membership list first.

For example, as shown below, you can use a wildcard such as ge-0/0/*, or even ge-*/*/* or ge-0/0/[0-15], etc.

set interfaces interface-range rttall member-range ge-0/0/0 to ge-0/0/15

set interfaces interface-range rttall member ge-0/0/*

Examples of working with the range:

delete interfaces interface-range rtt unit 0

set interfaces interface-range rttall unit 0 family bridge

Backup Firmware:

root@t1test> request system snapshot media internal
error: Cannot snapshot to current boot device

If you just want the factory firmware/settings backed up:

request system snapshot factory slice alternate


If you get that error, put the snapshot on the alternate partition instead, in this case /dev/da0s2a:


root@t1test> request system snapshot slice alternate  

Formatting alternate root (/dev/da0s2a)...
Copying '/dev/da0s1a' to '/dev/da0s2a' .. (this may take a few minutes)
The following filesystems were archived: /

Mount the backup like this:

mkdir /var/tmp/da0s2a

mount -t ufs /dev/da0s2a /var/tmp/da0s2a/


Change SSH Timeout time:

The default is just 1800 seconds, which means after 30 minutes of inactivity you will be kicked out of SSH.  Let's say you want to stay logged in for much longer.  Conversely, you can also set it to be much lower.

You can also set "never" as the timeout value.

You just use this command to set the timeout in seconds:

set applications application junos-ssh inactivity-timeout 4294967295



The number above is the highest value you can set which works out to be about 49710 days!

Show MAC Addresses:

These commands are done from "cli" mode.

show ethernet-switching table brief

On a firewall you would use this to show mac addresses:

show bridge mac-table 
MAC flags (S -static MAC, D -dynamic MAC, L -locally learned
           SE -Statistics enabled, NM -Non configured MAC, R -Remote PE MAC)

Routing instance : default-switch
 Bridging domain : rtt138, VLAN : 5
   MAC                 MAC      Logical
   address             flags    interface
   00:24:2c:00:ef:01   D        ge-0/0/1.0        

Check system snapshot

show system snapshot media internal
Information for snapshot on       internal (/dev/da0s1a) (primary)
Creation date: Sep 30 18:41:52 2021
JUNOS version on snapshot:
  junos  : 12.1X46-D77.1-domestic
Information for snapshot on       internal (/dev/da0s2a) (backup)
Creation date: Sep 30 22:08:07 2021
JUNOS version on snapshot:
  junos  : 12.1X46-D77.1-domestic


Upgrade Firmware:

request system software add no-copy /var/tmp/junos-srxsme-15-domestic.tgz

#apply the update by rebooting

request system reboot

How To Set Which Devices can physically use a port

Say you don't want someone plugging in another device to their port, maybe the port the user is plugged into is the company workstation and only the MAC of that workstation should be allowed to use the port.  Or maybe it's a VOIP phone and only the MAC of that VOIP phone should have access.

You can use the mac "source-address-filter" option:

edit interfaces ge-0/0/0
set gigether-options source-address-filter 00:21:1e:00:ae:11

    ge-0/0/0 {                          
        gigether-options {
            source-address-filter {
                00:21:1e:00:ae:11;
            }
        }
    }

In the option above we set the interface ge-0/0/0 to only allow the device with MAC "00:21:1e:00:ae:11" to use the port.  You could also add more than one MAC address if there are multiple MACs that would be allowed to use the port.
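As an added audit example (not from the original page), the Python below reads a set-style config for source-address-filter entries and compares them against a "show bridge mac-table" listing modelled on the output shown earlier, flagging ports with no filter and learned MACs outside the intended list (e.g. a filter not yet committed). The sample config, MAC addresses and port names are constructed.

```python
import re

# Constructed sample config in "set" form (the page shows the same filter in
# curly-brace display form). ge-0/0/2 deliberately has no filter.
SAMPLE_CONFIG = """
set interfaces ge-0/0/0 gigether-options source-address-filter 00:21:1e:00:ae:11
set interfaces ge-0/0/1 gigether-options source-address-filter 00:24:2c:00:ef:01
set interfaces ge-0/0/2 unit 0 family bridge interface-mode access vlan-id 5
"""

# Constructed sample modelled on "show bridge mac-table" output.
SAMPLE_MAC_TABLE = """
MAC flags (S -static MAC, D -dynamic MAC, L -locally learned
           SE -Statistics enabled, NM -Non configured MAC, R -Remote PE MAC)

Routing instance : default-switch
 Bridging domain : rtt138, VLAN : 5
   MAC                 MAC      Logical
   address             flags    interface
   00:24:2c:00:ef:01   D        ge-0/0/1.0
   00:11:22:33:44:55   D        ge-0/0/2.0
   aa:bb:cc:dd:ee:ff   D        ge-0/0/0.0
"""

# A table row: MAC, flags, logical interface (header lines do not match).
MAC_RE = re.compile(r"^([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+\S+\s+(\S+)", re.I)


def parse_filters(config):
    """Map physical interface -> set of MACs allowed by source-address-filter."""
    allowed = {}
    for line in config.splitlines():
        tok = line.split()
        if (len(tok) >= 6 and tok[:2] == ["set", "interfaces"]
                and tok[3:5] == ["gigether-options", "source-address-filter"]):
            allowed.setdefault(tok[2], set()).add(tok[5].lower())
    return allowed


def parse_mac_table(output):
    """Yield (mac, physical interface) pairs; strips the ".0" unit suffix."""
    for line in output.splitlines():
        m = MAC_RE.match(line.strip())
        if m:
            yield m.group(1).lower(), m.group(2).split(".")[0]


def audit(config, output):
    """Return (port, mac, reason) for every learned MAC that the filters do not cover."""
    allowed = parse_filters(config)
    findings = []
    for mac, port in parse_mac_table(output):
        if port not in allowed:
            findings.append((port, mac, "no source-address-filter on port"))
        elif mac not in allowed[port]:
            findings.append((port, mac, "MAC not in filter list"))
    return findings
```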


Set Transparent Mode on Juniper SRX Firewall:


set interfaces interface-range ge0/0/[0-15] unit 0 family bridge

[edit interfaces ge-0/0/12 unit 0 family]
  'bridge'
    family bridge and rest of the families are mutually exclusive
[edit interfaces ge-0/0/13 unit 0 family]
  'bridge'
    family bridge and rest of the families are mutually exclusive
[edit interfaces ge-0/0/14 unit 0 family]
  'bridge'
    family bridge and rest of the families are mutually exclusive
[edit interfaces ge-0/0/15 unit 0 family]
  'bridge'
    family bridge and rest of the families are mutually exclusive
error: commit failed: (statements constraint check failed)

delete interfaces ge-0/0/0
delete interfaces ge-0/0/1
delete interfaces ge-0/0/2
delete interfaces ge-0/0/3
delete interfaces ge-0/0/4
delete interfaces ge-0/0/5
delete interfaces ge-0/0/6
delete interfaces ge-0/0/7
delete interfaces ge-0/0/8
delete interfaces ge-0/0/9
delete interfaces ge-0/0/10
delete interfaces ge-0/0/11
delete interfaces ge-0/0/12
delete interfaces ge-0/0/13
delete interfaces ge-0/0/14
delete interfaces ge-0/0/15

#after this the interfaces will not be shown under "show"

#delete vlans and all security, or it will break things when we try to enable bridging / we'll have interfaces that are assigned to vlans that no longer exist

delete vlans

delete interfaces vlan

delete security

#now we enable transparent mode by setting the interfaces as family type bridge, we create a vlan for them and associate them with an irb for layer 3 routing

#for now we just add port 0 and 1 to vlan 5 and make those ports transparent

set interfaces ge-0/0/0 unit 0 family bridge interface-mode access vlan-id 5

set interfaces ge-0/0/1 unit 0 family bridge interface-mode access vlan-id 5

#now we have to assign the relevant interfaces to our security zone and allow our security zone to talk to itself (otherwise nothing works, i.e. you can't DHCP from your LAN, you can't ping out or do anything)

#in this mode we will be leaving everything open; this is a good way to analyze traffic and slowly restrict unnecessary services and applications for security reasons

#notice we use the same vlan we assigned to ge-0/0/0 and ge-0/0/1; we also made irb.1 the routing interface, which we'll have to configure next

set bridge-domains rtt138 domain-type bridge vlan-id 5 routing-interface irb.1

#set the IP on your IRB interface to 10.25.20.200 (change to what suits you)

set interfaces irb unit 1 family inet address 10.25.20.200/24

#after committing and to actually enable transparent mode you must reboot

root# commit
warning: Interfaces are changed from route mode to transparent mode. Please reboot the device or all nodes in the HA cluster!
commit complete
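As an added pre-commit check (not from the original page), the Python below lints a set-style config for the three things the procedure above depends on: no unit mixes family bridge with another family (the exact constraint the commit error reported), every access vlan-id belongs to some bridge-domain, and each bridge-domain's routing-interface irb.N has an inet address. The sample config, addresses and VLAN 7 are constructed.

```python
from collections import defaultdict

# Constructed sample in "set" form: ge-0/0/0 still carries family inet from
# route mode, ge-0/0/1 is fine, ge-0/0/2 uses a VLAN no bridge-domain defines.
SAMPLE = """
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.1/24
set interfaces ge-0/0/0 unit 0 family bridge interface-mode access vlan-id 5
set interfaces ge-0/0/1 unit 0 family bridge interface-mode access vlan-id 5
set interfaces ge-0/0/2 unit 0 family bridge interface-mode access vlan-id 7
set bridge-domains rtt138 domain-type bridge vlan-id 5 routing-interface irb.1
set interfaces irb unit 1 family inet address 10.25.20.200/24
"""


def value_after(tokens, key):
    """Return the token following `key`, or None if absent."""
    try:
        return tokens[tokens.index(key) + 1]
    except (ValueError, IndexError):
        return None


def lint_transparent_mode(config):
    """Return a list of human-readable findings; empty means the config looks consistent."""
    families = defaultdict(set)   # (ifname, unit) -> {"bridge", "inet", ...}
    access_vlans = {}             # (ifname, unit) -> vlan-id
    domain_vlans = {}             # bridge-domain name -> vlan-id
    routing_ifaces = {}           # bridge-domain name -> irb.N
    irb_units = set()             # irb units that have an inet address
    for line in config.splitlines():
        t = line.split()
        if t[:2] == ["set", "interfaces"] and "family" in t:
            fam = value_after(t, "family")
            if t[2] == "irb" and fam == "inet" and "address" in t:
                irb_units.add("irb." + value_after(t, "unit"))
                continue
            key = (t[2], value_after(t, "unit"))
            families[key].add(fam)
            if fam == "bridge" and "vlan-id" in t:
                access_vlans[key] = value_after(t, "vlan-id")
        elif t[:2] == ["set", "bridge-domains"]:
            if "vlan-id" in t:
                domain_vlans[t[2]] = value_after(t, "vlan-id")
            if "routing-interface" in t:
                routing_ifaces[t[2]] = value_after(t, "routing-interface")
    findings = []
    for (ifname, unit), fams in sorted(families.items()):
        if "bridge" in fams and len(fams) > 1:
            findings.append(f"{ifname} unit {unit}: family bridge and rest of the families are mutually exclusive")
    for (ifname, unit), vid in sorted(access_vlans.items()):
        if vid not in domain_vlans.values():
            findings.append(f"{ifname} unit {unit}: vlan-id {vid} has no bridge-domain")
    for name, irb in sorted(routing_ifaces.items()):
        if irb not in irb_units:
            findings.append(f"bridge-domain {name}: routing-interface {irb} has no inet address")
    return findings
```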

Juniper SRX failure to update firmware:

This normally happens when you jump from old firmware on a unit you have never used. For example, from JunOS 10 you should first upgrade to the latest version of 10, then go to 11, then to version 12, and so on.

root> ... add no-copy /cf/var/junos-srxsme-12.3X48-D75.4-domestic.tgz

NOTICE: Validating configuration against junos-srxsme-12.3X48-D75.4-domestic.tgz.
NOTICE: Use the 'no-validate' option to skip this if desired.
Formatting alternate root (/dev/da0s2a)...
/dev/da0s2a: 298.0MB (610284 sectors) block size 16384, fragment size 2048
        using 4 cylinder groups of 74.50MB, 4768 blks, 9600 inodes.
super-block backups (for fsck -b #) at:
 32, 152608, 305184, 457760
** /dev/altroot
FILE SYSTEM CLEAN; SKIPPING CHECKS
clean, 150096 free (24 frags, 18759 blocks, 0.0% fragmentation)
Checking compatibility with configuration
Initializing...
Verified manifest signed by PackageProduction_10_0_0
Verified junos-10.0R3.10-domestic signed by PackageProduction_10_0_0
Using junos-12.3X48-D75.4-domestic from /altroot/cf/packages/install-tmp/junos-12.3X48-D75.4-domestic
Copying package ...
veriexec: cannot update veriexec for /cf/var/validate/chroot/junos/usr/lib/libcurl.so.1: No such file or directory
veriexec: cannot update veriexec for /cf/var/validate/chroot/junos/usr/lib/libcurl.so.1: No such file or directory
veriexec: cannot update veriexec for /cf/var/validate/chroot/junos/usr/lib/libslax.so.3: No such file or directory
veriexec: cannot update veriexec for /cf/var/validate/chroot/junos/usr/lib/libcurl.so.1: No such file or directory
veriexec: cannot update veriexec for /cf/var/validate/chroot/junos/usr/lib/libext_bit.so.3: No such file or directory
veriexec: cannot update veriexec for /cf/var/validate/chroot/junos/usr/lib/libext_curl.so.3: No such file or directory
veriexec: cannot update veriexec for /cf/var/validate/chroot/junos/usr/lib/libext_xutil.so.3: No such file or directory
Verified manifest signed by PackageProductionRSA_2018
Hardware Database regeneration succeeded
Validating against /config/juniper.conf.gz
cp: /cf/var/validate/chroot/var/etc/resolv.conf and /etc/resolv.conf are identical (not copied).
cp: /cf/var/validate/chroot/var/etc/hosts and /etc/hosts are identical (not copied).
Chassis control process:
Chassis control process: chassisd
Chassis control process: realtime-ukernel-thread is disable. Please use the command request system reboot.
Chassis control process:

Connectivity fault management process: rtslib: FATAL ERROR interface version mismatch: kernel=97 library=98,a reboot or software upgrade may be required
Connectivity fault management process:
mgd: error: configuration check-out failed
Validation failed
WARNING: Current configuration not compatible with /altroot/cf/packages/install-tmp/junos-12.3X48-D75.4-domestic

