Juniper CLI Modes and Hierarchies

The Juniper CLI architecture is indeed really nicely done. No wonder it is the primary method of managing and configuring the Juniper devices. If you are coming from a Cisco background which most of start with then this way of doing things is indeed new, but just spend a few hours and get a GNS3 lab going and it will grow on you in no time.

Here's the architecture at a glance.

Juniper CLI architecture

Of course this is not what you see when you login into a new JunOS device.

What we see there is the different modes a user can get into and a hierarchical division in which the configuration can be performed.

The two modes are:
  1. The operator mode
  2. The configuration mode

Unix Shell


This is NOT really a mode and hence I want to get it out of the way quickly.

Since the Juniper kernel is based on FreeBSD, this is the root shell aka the c shell. On a new device, which only has the root user with no password, this is the prompt (shown by the %) the root user is dropped too.

Of course it's never recommended t o use this account for anything but the initial setup.
login as: root
Using keyboard-interactive authentication.
--- JUNOS 12.1X47-D15.4 built 2014-11-12 02:13:59 UTC

root@SRX1%

The Operator Mode


This mode provides only means to monitoring, troubleshooting and displaying the current status of the device with show commands.

On a new device the root user must use the "cli" command to jump to the operator mode from the c shell. And immediately create admin accounts for the future device configuration.

Any custom user accounts created fall straight to the operator mode prompt which is show my the '>' prompt.
login as: admin
Using keyboard-interactive authentication.
Password:
--- JUNOS 12.1X47-D15.4 built 2014-11-12 02:13:59 UTC
admin@SRX1>

The Configuration Mode


This is the mode where an admin would live and breathe. All configuration and changes to the system are done here. As show below, you must use the "configure" or the "edit" command to jump to this mode. Hence for some admins this is also the "edit mode".
login as: admin
Using keyboard-interactive authentication.
Password:
--- JUNOS 12.1X47-D15.4 built 2014-11-12 02:13:59 UTC
admin@SRX1> configure
Entering configuration mode

[edit]
admin@SRX1#
The edit command is also a amazing feature which sets JunOS CLI apart from other CLIs. It can be used as an "cd" command (as in windows cmd) to jump across and into the various configuration hierarchies. This really brings the CLI to life giving you a complete view of where and what is to be configured.

The above figure is a good reference here. Here are some config examples using the edit command and the same config without it.

Here we are setting the host-name for the SRX from the config mode using the set command.
admin@SRX1> configure
Entering configuration mode

admin@SRX1# set system host-name ?
Possible completions:
  <host-name>          Hostname for this router

[edit]
admin@SRX1# set system host-name SRX2 #press enter to set the name to SRX2
We can do the same thing using edit to go under the system hierarchy
[edit] #this shows us our current level in the hierarchy which is global
admin@SRX1# edit system

#and here we are under the system hierarchy and only have access to those commands
[edit system]
admin@SRX1# set host-name SRX2
And when you do a show command here, it only shows you the config under that hierarchy which makes troubleshooting extremely smooth and easy!
[edit system]
admin@SRX1# show
host-name SRX1;
root-authentication {
    encrypted-password "$1$mEHemrS1$PZOVox.e6.YpxXFLiWZmA."; ## SECRET-DATA
}
login {
    user admin {
        uid 2000;
        class super-user;
        authentication {
            encrypted-password "$1$G28me91/$HfoIQrKZBBAMJM3hFfBNE."; ## SECRET-DATA
        }
    }
}
services {
    ssh;
    telnet;
    web-management {
        http {
            interface ge-0/0/0.0;
        }
        https {
            system-generated-certificate;
        }
    }
Similarly we can go into different levels of the hierarchy and configure just those parameters.

Let's look at one more example with interfaces. This is using the set command in the global hierarchy.
[edit] #just edit means the global hierarchy
admin@SRX1# set interfaces ge-0/0/0 unit 0 family inet address 192.168.2.1/24
And the same thing can be done with the edit command. Then you do the show command and see the settings just under that interface.
admin@SRX1# edit interfaces ge-0/0/0

[edit interfaces ge-0/0/0] #the interfaces hierarchy
admin@SRX1# show
unit 0 {
    family inet {
        address 192.168.2.1/24;
    }
}
Juniper provides a nice document for further reference on the CLI.

Share:

0 comments