Ways to access CLI
- Out-Of-Band - Using serial console port or management port.
- In-band - Using Telnet or SSH.
- In a terminal emulation program such as PuTTY, we need to make sure the proper configuration is in place:
- Bits per second: 9600
- Data bits: 8
- Parity: None
- Stop bits: 1
- Flow control: Hardware
Root User
- A brand new Junos device has, by default, a root user account with the username root and no password.
- This root account cannot be deleted, and it starts in shell mode.
root@device-name%
- % - indicates shell mode. We can go to operational mode with the command
cli
Non-Root Users
- There are no non-root users by default; we need to create them.
- There are no default permissions; we have to allocate them.
- A non-root user is placed in operational mode.
root@device-name>
- > - indicates operational mode, which can be accessed with the command
cli
- These users can be deleted.
Commands
start shell user user-name
- starts shell session with that user after prompting for password.
start shell
- starts the default shell session with root.
cli
to access operational mode >
CLI Modes
Shell Mode
- prompt ends with %
- directly available to root user
- non-root user can enter by
start shell
command from the operational mode.
Operational Mode

Accessible by cli
command
Used to view configurations or to use network utilities like ssh, ping, telnet, traceroute, etc. It’s also used to shut down the device and view log files.
prompt ends with >
show interfaces
to view all interfaces information and stats.
Configuration Mode

- Used to set configuration of device.
- prompt ends with #
- accessible by
edit
or configure
command
CLI Navigation
- You can use ? to list all possible commands available at the current point in the command.
- If you see an entry like
<[Enter]>
it means the command is executable as typed so far; otherwise it needs more argument(s).
- Both Tab and Space auto-complete a command once the typed text matches a unique combination.
- The key difference is that Tab completion works for everything, while Space completion only auto-completes system commands.
- For example, in the
show security policies policy-name
command, up to show security policies
both Space completion and Tab completion work fine.
- But the
policy-name
argument is something the user would have defined, which is not available in the system by default.
- So Space won’t work on user-defined variables and similar items.
- It’s good practice to name all user-defined items in full caps separated with hyphens.
Keyboard Shortcuts
ctrl + a
- Moves to the beginning.
ctrl + e
- Moves to the end.
ctrl + w
- Erases word to the left.
ctrl + u
- Erases entire line.
help commands
help topic
- Usage guidelines for the statement. eg: help topic interfaces family
help reference
- Shows summary information about the statement. eg: help reference security dns
help apropos
- lists all commands and help text that contain a particular string. eg: help apropos snmp
the generic syntax is help apropos <topic>
help syslog
- info about system log messages. eg: help syslog RT_FLOW_SESSION_CREATE
gives meaning of the syslog message.
help tip cli
- gives a random tip identified by an integer. eg: help tip cli 4
Output levels
show interfaces fe-0/0/*
shows all interfaces with the wildcard-combo.
terse
- displays least amount of information in a list format. eg: show interfaces terse
brief
- displays additional information about each element.
detail
- displays most of the information about each element.
extensive
- displays all information about each element.
Filtering Output
- Use pipe to concat outputs and perform filtering on them

Active Config
- the configuration that is currently active on the device.
- also the config that is loaded when the device is rebooted.
Candidate Config
- A copy of the active config is created while editing.
- Upon committing or saving it, it becomes the active config.
// Enter configuration mode
> edit
# set system host-name SRX-ARJ
# commit
// changes the host-name.
Configure Command
configure
- Shared configuration mode.
- Multiple users can edit simultaneously.
- When we commit, all changes made by all users are committed.
- While editing, it warns with a list of the peeps editing it and at what hierarchy.
configure exclusive
- Only one user is allowed to enter the exclusive config mode.
- Only the one with exclusive configuration rights can save changes.
configure private
- Multiple users can enter the mode, but each one has a separate candidate config to edit and work on.
- When committed, only the changes made by that private user are saved.
- When there are conflicting configuration changes, like both parties trying to edit the same thing, the first commit takes precedence.
Navigational Commands
edit
navigates to a specific hierarchy, eg: edit security policies
gives [edit security policies from-zone trust to-zone untrust]
hierarchy
up
command takes us one level above the hierarchy. up 2
can move up for 2 levels.
top
comes up all the way to top of the hierarchy
exit configuration-mode
takes you back to the operational mode.
Configuration hierarchy
From top of the configuration hierarchy
[edit]
root@srx# set security policies from-zone trust to-zone untrust policy PERMIT-ALL match source-address any
root@srx# set security policies from-zone trust to-zone untrust policy PERMIT-ALL match destination-address any
...
...
It’s a very lengthy command, which you have to recall again and again with the up arrow, editing the last part each time, to complete an entire configuration, or you can go with…
Item specific configuration hierarchy
root@srx# edit security policies from-zone trust to-zone untrust policy ALLOW-ALL
[edit security policies from-zone trust to-zone untrust policy ALLOW-ALL]
root@srx# set match source-address any
root@srx# set match destination-address any
...
...
Now the edit takes place in the specific hierarchy. The hierarchy can be noticed in the square braces []
Note that we used the edit
command to navigate into the hierarchy
Key benefits are:
- Reduces length of commands.
- Only commands specific to the hierarchy are shown.
- Output is reduced to only the items under the hierarchy.
Junos Commit
- The
commit
command saves the candidate configuration as the active configuration.
- Before committing, Junos performs a commit check to look for syntax errors.

- To manually run a check you can use
commit check
command.
- use
show | compare
to view changes before committing.

- You can schedule a commit using
commit at "YYYY-MM-DD 15:00"
command
- To clear pending commit,
clear system commit
in operational mode.
- Use
commit confirmed
command to commit changes temporarily (10 minutes) and then require confirmation before making the changes permanent. If not confirmed, the commit will be rolled back automatically.
commit confirmed 2
will stay for 2 minutes. You can choose from 1-65535
- Use
commit and-quit
to commit changes and return to operational mode.
commit comment
leaves a message in the commit history, just to keep good track of commits and their purpose.
show system commit
shows commit history in the operational mode.
Junos rollback
- Stores up to 50 committed versions of the configuration - these can be used to roll back.
- The version numbers range from 0-49, where 0 is the most recent configuration - the active configuration. So if you did something wrong in the commit, you can
rollback 0
to save yourself lol.
- After rollback, we should follow it up with a
commit
command.
- We can set the number of rollbacks with
set system max-configuration-rollbacks 8
which fixes it to 8 configs (0-7).
- Compare two rollbacks like
show system rollback compare 5 9
which compares rollback versions 5 and 9.
Junos Configuration Files
- Use
save filename
to save the configuration, by default to the /var/home/username
directory.
- Use
file compare files filename1 filename2
to compare any two saved configs. filename1 is compared to filename2 not vice versa.
- As a root user, you can also compare your configs with other users’ configs, which is not possible as a non-root user.

1c1
indicates there is a level 1 change in both File1 and File2
- in
106,131d105
deletion is denoted by character d and addition is represented by a
- Left angular bracket corresponds to the 1st file <
- Right angular bracket corresponds to the 2nd file >

- Observe how the output changed in reverse if we swap the filename1 and filename2.
- You can use
file compare files file1 file2 context
to get a contextual output, where deletion is a minus sign (-), addition is a plus sign (+) and a change is an exclamation mark (!).
- To check integrity you can use
file checksum md5 filename
. This is useful when you are transferring config files elsewhere or archiving them: you can recompute the checksum and check for corruption.
- You can rename files with
file rename file1 file01
- You can create an archive with
file archive
command either locally to the filename or remotely to a URL.
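Reading the file compare files output described above, as an added example that is not part of the original notes: this Python sketch assumes the output follows the standard normal-diff layout (a header such as 106,131d105 gives the filename1 line numbers, the operation, then the filename2 line numbers, followed by the < and > lines) and shows why swapping the two filenames turns a deletion into an addition. Hunk, parse_compare and SAMPLE are names made up for the example, and the sample text is constructed.

```python
import re
from dataclasses import dataclass, field

# Normal-diff hunk header: <filename1 lines><a|c|d><filename2 lines>
HEADER = re.compile(r"^(\d+)(?:,(\d+))?([acd])(\d+)(?:,(\d+))?$")

def _fmt(rng):
    return str(rng[0]) if rng[0] == rng[1] else f"{rng[0]},{rng[1]}"

@dataclass
class Hunk:
    op: str       # 'a' = added, 'c' = changed, 'd' = deleted
    left: tuple   # (first, last) line numbers in filename1
    right: tuple  # (first, last) line numbers in filename2
    removed: list = field(default_factory=list)  # '<' lines, from filename1
    added: list = field(default_factory=list)    # '>' lines, from filename2

    def header(self):
        return f"{_fmt(self.left)}{self.op}{_fmt(self.right)}"

    def swapped(self):  # the hunk as reported with filename1 and filename2 swapped
        op = {"a": "d", "d": "a", "c": "c"}[self.op]
        return Hunk(op, self.right, self.left, list(self.added), list(self.removed))

def parse_compare(text):
    hunks = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            l1, l2, op, r1, r2 = m.groups()
            hunks.append(Hunk(op, (int(l1), int(l2 or l1)), (int(r1), int(r2 or r1))))
        elif hunks and line.startswith("<"):
            hunks[-1].removed.append(line[2:])
        elif hunks and line.startswith(">"):
            hunks[-1].added.append(line[2:])
        # anything else (the '---' separator, blank lines) carries no data
    return hunks

# Constructed sample, not captured from a device.
SAMPLE = """\
1c1
< ## Last changed: 2024-01-10 09:00:00 UTC
---
> ## Last changed: 2024-01-12 17:30:00 UTC
14,15d13
<             root-login deny;
<             protocol-version v2;
"""
```

Calling parse_compare(SAMPLE)[1].swapped().header() gives 13a14,15, the same two lines reported as an addition once the file order is reversed.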
Load Command
Used to load configuration from a saved file
load override
- discards the current candidate config and loads config from the file.
load merge
- merges configs from the saved file with the existing candidate config. In case of conflicts, the statements in the saved configuration file will override those in the existing candidate config.
load replace
- looks for the replace tags in the loaded file, and replaces parts of the candidate config with whatever is specified after the tag. Deletes anything after the replace tag and replaces it.

- If there is no portion like fe-0/0/1, the content will simply be added, resulting in the same output.
load set
- loads a configuration that contains set commands. This executes the config instructions line by line as they are stored in the file. Use commit
command to commit the changes after loading.
load patch
- Imagine you have a config to be applied on several machines: apply it on one device, then use show | compare
to get the file contents and copy them. Use load patch
on all the other devices with that output.
J-WEB
- GUI of the Junos device.
- Monitor, configure, troubleshoot and manage the device using a web browser that supports HTTP and HTTPS.
- All configuration statements that work on the CLI are supported.
- Provided by the Routing Engine, as in fact both the CLI and the GUI are.