CLI User Guide For Junos OS

Junos® OS
CLI User Guide for Junos OS
Published
2021-11-08
ii
Juniper Networks, Inc.

1133 Innovation Way
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net
Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc.
in the United States and other countries. All other trademarks, service marks, registered marks, or registered service
marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right
to change, modify, transfer, or otherwise revise this publication without notice.
Junos® OS CLI User Guide for Junos OS

Copyright © 2021 Juniper Networks, Inc. All rights reserved.
The information in this document is current as of the date on the title page.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related
limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use
with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License
Agreement ("EULA") posted at https://support.juniper.net/support/eula/. By downloading, installing or using such
software, you agree to the terms and conditions of that EULA.
iii
Table of Contents
About This Guide | xiv
1 Overview
About the CLI Guide | 2
CLI Overview | 2
Introducing the Command-Line Interface | 3
CLI Modes, Commands, and Statement Hierarchies—An Overview | 5
Other Tools to Configure and Monitor Juniper Networks Devices | 7
Configure Junos OS in a FIPS Environment | 7
2 Getting Started
Getting Started: A Quick Tour of the CLI | 10
Get Started with the Command-Line Interface | 10
Switch Between Operational Mode and Configuration Mode | 12
Use Keyboard Sequences to Navigate and Edit the CLI | 14
Configure a User Account on a Juniper Networks Device | 16
Use the CLI Editor in Configuration Mode | 19
Check the Status of a Juniper Networks Device | 22
Roll Back Configuration Changes | 25
Configure a Routing Protocol | 27
Shortcut | 28
Longer Configuration | 28
Make Changes to a Routing Protocol Configuration | 31
Online Help in the CLI | 35
Get Online Help from the Command-Line Interface | 35
CLI Online Help Features | 39
CLI Explorer Overview | 41

iv
CLI Environment Settings | 42
Customize the CLI Environment | 42
Set the CLI Screen Length and Width | 46
Enable Configuration Breadcrumbs | 47
3 Using Configuration Statements to Configure a Device

CLI Configuration Mode Overview | 51
Understanding CLI Configuration Mode | 51
Enter and Exit CLI Configuration Mode | 58
Relative Configuration Mode Commands | 61
Command Completion in Configuration Mode | 61
Notational Conventions Used in Configuration Hierarchies | 64
Overview of the Configure Command | 65
Forms of the configure Command | 65
How to Use the configure Command | 67
How to Use the configure exclusive Command | 68
How to Work with the Correct Configuration | 71
Modify the Configuration of a Device | 71
Display Users Currently Editing the Configuration | 72
How to Modify the Juniper Networks Device Configuration | 73
How to Add Configuration Statements and Identifiers | 74
How to Delete a Statement from a Device Configuration | 76
Example: Delete a Statement from the Device Configuration | 79
Copy a Statement in the Configuration | 81
Example: Copy a Statement in the Configuration | 81
Requirements | 81
Overview | 82
Configuration | 82
v
Example: Replace a Configuration | 85
Requirements | 85
Overview | 85
Configuration | 86
Insert a New Identifier in a Device Configuration | 92
Example: Insert a New Identifier in a Device Configuration | 92
Requirements | 93
Overview | 94
Configuration | 94
Deactivate and Reactivate Statements and Identifiers in a Device Configuration | 97
Example: Deactivate and Reactivate Statements and Identifiers in a Device Configuration | 98
Requirements | 98
Overview | 98
Configuration | 98
How to Make Global Changes in the Device Configuration | 100
Common Regular Expressions to Use with the replace Command | 101
Example: How to Use Global Replace in a Device Configuration—the \n Back Reference | 103
Requirements | 103
Overview | 104
Configuration | 105
Example: Global Replace in a Device Configuration—Replacing an Interface Name | 106
Requirements | 107
Overview | 107
Configuration | 107
Example: Global Replace in a Device Configuration—the upto Option | 109
Add Comments in a Device Configuration | 112
Add Comments in the CLI | 112
Add Comments in a File | 113
Example: Include Comments in a Device Configuration by Using the CLI | 114
Requirements | 115
vi
Overview | 115
Configuration | 116
Use Configuration Groups to Quickly Configure Devices | 118
Configuration Groups Overview | 119
Create a Configuration Group | 120
How to Apply a Configuration Group | 122
Example: Create and Apply Configuration Groups | 123
Example: Disable Inheritance of a Configuration Group | 125
Example: Use the junos-defaults Configuration Group | 127
Example: Use Wildcards with Configuration Groups | 128
How to Improve Commit Time When Using Configuration Groups | 131
Example: Configure Sets of Statements with Configuration Groups | 132
Example: Configure Interfaces Using Configuration Groups | 134
Example: Use Configuration Groups to Configure a Consistent IP Address for the Management
Interface | 137
Example: Use Configuration Groups to Configure Peer Entities | 138
Example: Use Configuration Groups to Establish Regional Configurations | 140
Example: Configure Wildcard Configuration Group Names | 142
Example: Reference the Preset Statement from the Defaults Group | 144
Example: View Default Statements That Have Been Applied to the Configuration | 145
Set Up Routing Engine Configuration Groups | 145
How to Use Conditions to Apply Configuration Groups | 148
Example: Configure Conditions for Applying Configuration Groups | 148
Requirements | 148
Overview | 148
Configuration | 149
View the Configuration | 152
Display the Current Configuration | 152

vii
Example: Display the Current Configuration | 154
Display Additional Information About the Configuration | 155
Display set Commands from the Configuration | 159
Verify the Device Configuration | 161
Commit the Configuration | 162
The Commit Model for Configurations | 162
Commit a Device Configuration | 164
Commit Operation When Multiple Users Configure the Software | 165
Commit Preparation and Activation Overview | 166
Commit Device Configurations in Two Steps: Preparation and Activation | 168
Activate a Device Configuration with Confirmation | 170
Schedule a Commit Operation | 171
Monitor the Commit Process | 173
Add a Comment to Describe the Committed Configuration | 174
Batch Commits Overview | 175
Example: Configure Batch Commit Server Properties | 176
Requirements | 176
Overview | 176
Configuration | 177
Verification | 180
Back Up the Committed Configuration on the Alternate Boot Drive | 187
4 Managing Configurations
Configuration Files Overview | 189
Device Configuration Storage Overview | 191
Managing Configurations | 191
The show | compare | display xml Command Output | 192

viii
Returning to the Most Recently Committed Configuration | 201
Returning to a Previously Committed Configuration | 202
Example of Returning to a Previous Configuration | 202
Example of Displaying Previous Configurations | 202
About Comparing Configuration Versions | 204
Saving a Configuration to a File | 206
About Compressing the Current Configuration File | 207
Free Up System Storage Space | 209
Clean Up Files with the CLI | 210
Autoinstallation of Configuration Files Overview | 212
Configuration File Autoinstallation—An Overview | 212
Configuring Autoinstallation of Configuration Files (CLI Procedure) | 215
Loading Configuration Files | 217
Examples for Loading a Configuration from a File or the Terminal | 218
How Character Encoding Works on Juniper Networks Devices | 221
About Specifying Statements and Identifiers | 222
About Loading a Configuration from a File | 227
Upload a Configuration File | 230
Backing Up Configurations to an Archive Site | 231
Configuring the Transfer of the Currently Active Configuration | 231
Factory Default Configuration Overview | 233
Restore the Default Factory Configuration | 234
Rescue Configuration | 235
Creating and Returning to a Rescue Configuration | 235
Encrypt and Decrypt Configuration Files | 236
Encrypt Configuration Files | 237
Decrypt Configuration Files | 238

ix
Modify the Encryption Key | 239
Synchronizing Configurations Across Routing Engines | 240
Routing Engine Synchronization Overview | 240
Configure Multiple Routing Engines to Synchronize Committed Configurations Automatically | 244
5 Using Operational Commands to Monitor Devices

CLI Operational Mode Overview | 248
CLI Operational Mode Command Overview | 248
Display Options of the show Command—An Overview | 251
Interface Naming Conventions Used in Operational Commands | 252
About Group Interface Names Using Wildcard Characters | 254
Using Operational Commands to Monitor a Device | 255
CLI Command Completion Example | 256
Operational Mode Commands: Overview of Controlling the Scope | 257
Viewing Files and Directories on a Device | 259
Directories on the Device | 259
List Files and Directories | 260
Filenames and URLs | 263
Display Operating System Information | 265
Managing Programs and Processes Using Operational Mode Commands | 265
Show Software Processes | 266
Restart the Software Process | 267
Stop the Software | 268
Reboot the Software | 269
CLI Comment Character # for Operational Mode Commands | 270
Filtering Operational Command Output | 271
About Using the Pipe ( | ) Symbol to Filter Command Output | 271
Example: Use Regular Expressions with the Pipe ( | ) Symbol to Filter Command Output | 272
Example: Pipe ( | ) Filter Functions in the Command-Line Interface | 274

x
Filter Operational Mode Command Output in a QFabric System | 288
6 Configuration Statements
apply-groups | 292
apply-groups-except | 293
archival | 295
autoinstallation | 297
commit activate | 299
commit prepare | 301
export-format | 303
groups | 305
no-hidden-commands | 309
server (Batch Commits) | 311
synchronize | 313
traceoptions (Batch Commits) | 316
7 CLI Commands
activate | 322
annotate | 323
clear log | 325
clear system commit | 327
clear system commit prepared | 330
commit | 332
configure | 339
copy | 342
deactivate | 343
delete | 345
xi
edit | 347
exit | 348
file | 350
help | 351
insert | 353
load | 355
| (pipe) | 358
protect | 363
quit | 365
rename | 366
replace | 368
request | 370
request system commit server pause | 372
request system commit server queue cleanup | 374
request system commit server start | 376
request system configuration rescue delete | 377
request system configuration rescue save | 379
restart | 381
rollback | 398
run | 400
save | 401
set | 404
set cli complete-on-space | 406
set cli directory | 408
set cli idle-timeout | 409

xii
set cli prompt | 411
set cli restart-on-upgrade | 413
set cli screen-length | 415
set cli screen-width | 416
set cli terminal | 418
set cli timestamp | 420
set date | 422
show | 424
show cli | 425
show cli authorization | 428
show cli directory | 434
show cli history | 435
show configuration | 436
show | display inheritance | 441
show | display omit | 444
show | display set | 446
show | display set relative | 448
show groups junos-defaults | 450
show system commit | 452
show system commit server queue | 457
show system commit server status | 462
show system configuration archival | 464
show system configuration rescue | 466
show system rollback | 468
status | 471
xiii
test configuration | 472
top | 474
unprotect | 475
up | 477
update | 478
wildcard delete | 480

xiv
About This Guide
The Junos OS command-line interface (CLI) is a command shell specific to Juniper Networks. This
command shell runs on top of the FreeBSD UNIX-based operating system kernel for Junos OS. Using
industry-standard tools and utilities, the CLI provides a powerful set of commands that you can use to
monitor and configure Juniper Networks devices running Junos OS. This guide contains information
about the CLI for Junos OS.
RELATED DOCUMENTATION
Day One: Exploring the Junos CLI

Day One: Junos for IOS Engineers
1 CHAPTER
Overview
About the CLI Guide | 2
CLI Overview | 2
2
About the CLI Guide
The Junos OS CLI Guide explains how to use the command-line interface (CLI). This guide also describes
advanced concepts and device configuration when working with Juniper Networks devices running
Junos OS.
In this guide, you will learn about:
• Using configuration statements to configure network devices
• Managing device configurations
• Using operational commands to monitor devices
• Syntax for configuration statements, operational commands, and environmental commands
For a basic introduction to Junos OS, see the Getting Started Guide for Junos OS. It provides a high-level
description of Junos OS, describes how to access devices, and provides simple step-by-step instructions
for initial device configuration.
For a technical and detailed exploration of Junos OS, see the Overview for Junos OS. It further explains
how Junos OS works and describes the security, configuration, monitoring, and management of network
devices.
Another useful learning resource is Day One: Exploring the Junos CLI.
CLI Overview
IN THIS SECTION
Introducing the Command-Line Interface | 3
CLI Modes, Commands, and Statement Hierarchies—An Overview | 5
Other Tools to Configure and Monitor Juniper Networks Devices | 7
Configure Junos OS in a FIPS Environment | 7

3
The CLI is the software interface used to access your device. You use the CLI to configure the device,
monitor its operations, and adjust the configuration as needed. You access the CLI through a console
connection interface or through a network connection.
Introducing the Command-Line Interface
IN THIS SECTION
Key Features of the CLI | 3
The Junos OS CLI is a command shell specific to Juniper Networks that runs on top of the operating
system kernel. Through industry-standard tools and utilities, the CLI provides a powerful set of
commands that you can use to monitor and to configure devices running Junos OS.
The CLI has two modes:
• Operational mode—Use this mode to display the current status of the device. In operational mode,
you enter commands to monitor and to troubleshoot the network operating system, devices, and
network connectivity.
• Configuration mode—Use this mode to configure the device. In this mode, you enter statements to
configure all properties of the device, including interfaces, general routing information, routing
protocols, user access, and several system and hardware properties. Junos OS stores a configuration
as a hierarchy of configuration statements.
When you enter configuration mode, you are viewing and changing a file called the candidate
configuration. You use the candidate configuration file, you make configuration changes without
causing operational changes to the current operating configuration, called the active configuration.
The device does not implement the changes you added to the candidate configuration file until you
commit the changes. Committing the configuration changes activates the revised configuration on
the device. Candidate configurations enable you to alter your configuration without damaging your
current network operations.
Key Features of the CLI
The CLI commands and statements follow a hierarchical organization and have a regular syntax. The CLI
provides the following features to simplify CLI use:
4
• Consistent command names—Commands that provide the same type of function have the same
name, regardless of the specific device type on which you are operating. For example, all show
commands display software information and statistics, and all clear commands erase various types of
system information.
• Lists and short descriptions of available commands—The CLI provides information about available
commands t each level of the command hierarchy. If you type a question mark (?) at any level, you
see a list of the available commands along with a short description of each. This means that if you are
already familiar with Junos OS or with other routing software, you can use many of the CLI
commands without referring to the documentation.
• Command completion—Command completion for command names (keywords) and for command
options is available at each level of the hierarchy. To complete a command or option that you have
partially typed, press the Tab key or the Spacebar. If the partially typed letters begin a string that
uniquely identifies a command, the complete command name appears. Otherwise, a beep indicates
that you have entered an ambiguous command, and the CLI displays possible completions.
Completion also applies to other strings, such as filenames, interface names, usernames, and
configuration statements.
If you have typed the mandatory arguments for executing a command in operational mode or
configuration mode, the CLI displays <[Enter]> as one of the choices when you type a question mark
(?). This output indicates that you have entered the mandatory arguments and can execute the
command at that level without specifying any further options. Likewise, the CLI also displays <[Enter]>
when you reach a specific hierarchy level in the configuration mode and do not need to enter any
more mandatory arguments or statements.
• Industry-standard technology—With FreeBSD UNIX as the kernel, a variety of UNIX utilities are
available on the CLI. For example, you can:
• Use regular expression matching to locate and to replace values and identifiers in a configuration,
to filter command output, and to examine log file entries.
• Use Emacs-based key sequences to move around on a command line and scroll through the
recently executed commands and command output.
• Store and archive Junos OS device files on a UNIX-based file system.
Use standard UNIX conventions to specify filenames and paths.
Exit the CLI environment and create a UNIX C shell or Bourne shell to navigate the file system,
manage router processes, and so on.
5
CLI Modes, Commands, and Statement Hierarchies—An Overview
IN THIS SECTION
CLI Command Hierarchy | 5
Configuration Statement Hierarchy | 5
Move Among Hierarchy Levels | 6
The Junos OS CLI commands and statements are organized under two command modes and various
hierarchies. The following sections provide an overview of the CLI command modes and the command
and statement hierarchies.
CLI Command Hierarchy
CLI commands are organized in a hierarchy. Commands that perform a similar function are grouped
together under the same level of the hierarchy. For example, all commands that display information
about the system and the system software are under the show system command. All commands that
display information about the routing table are under the show route command.
To execute a command, enter the full command name, starting at the top level of the hierarchy. For
example, to display a brief view of the routes in the routing table, use the command show route brief.
Configuration Statement Hierarchy
The configuration statement hierarchy has two types of statements: Container statements, which are
statements that contain other statements, and leaf statements, which do not contain other statements.
All the container statements and leaf statements together form the configuration hierarchy.
The following illustration shows a part of the hierarchy tree. The protocols statement is a top-level
statement at the trunk of the configuration tree. The ospf, area, and interface statements are all
subordinate container statements of a higher statement; that is, they are branches of the hierarchy tree.
The hello-interval statement is a leaf on the tree.
Figure 1: Configuration Statement Hierarchy Example

6
Move Among Hierarchy Levels
The following table shows the CLI commands you use to navigate the levels of the configuration
statement hierarchy.
Table 1: CLI Configuration Mode Navigation Commands
Command Description
edit hierarchy-level Moves to an existing configuration statement hierarchy or creates a hierarchy and moves
to that level.
exit Moves up the hierarchy to the previous level where you were working. This command is,
in effect, the opposite of the edit command. Alternatively, you can use the quit command.
The exit command and the quit command are interchangeable.
up Moves up the hierarchy one level at a time.
top Moves directly to the top level of the hierarchy.

7
Other Tools to Configure and Monitor Juniper Networks Devices
Apart from the CLI, Junos OS also supports the following applications, scripts, and utilities that enable
you to configure and monitor Juniper Networks devices:
• J-Web GUI—Available on select Juniper Networks devices, the J-Web GUI enables you to monitor,
configure, troubleshoot, and manage the device by means of a browser with HTTP or HTTPS
enabled. For more information, see the J-Web Interface User Guide.
• Junos XML management protocol—The Junos XML management protocol enables you to monitor
and configure Juniper Networks devices. Juniper Networks provides a Perl module with the API to
help you more quickly and easily develop custom Perl scripts for configuring and monitoring devices.
For more information, see the Junos XML Management Protocol Developer Guide.
• NETCONF API—You can also use the NETCONF XML management protocol to monitor and
configure Juniper Networks routers. For more information, see the NETCONF XML Management
Protocol Developer Guide.
• Junos OS commit scripts and self-diagnosis features—You can define scripts to enforce custom
configuration rules, use commit script macros to provide simplified aliases for frequently used
configuration statements, and configure diagnostic event policies and actions associated with each
policy. For more information, see the Junos OS Automation Scripting User Guide.
• MIBs—You can use enterprise-specific and standard MIBS to retrieve information about the hardware
and software components on a Juniper Networks device. For more information about MIBs, see the
Junos OS Network Management Administration Guide for Routing Devices.
Configure Junos OS in a FIPS Environment
With Junos-FIPS you can configure a network of Juniper Networks devices in a FIPS 140-2
environment.
The Junos-FIPS software environment requires the installation of FIPS software by a Crypto Officer. In
Junos-FIPS, some Junos OS commands and statements have restrictions and some additional
configuration statements are available. For more information, see the following resources:
• Common Criteria and FIPS Certifications—Provides links to guidelines for configuring Juniper
Networks devices so the secure environment complies with the requirements of public sector
certifications such as Common Criteria and FIPS certification.
• Compliance Advisor—A Web application that provides regulatory compliance information about
Common Criteria, FIPS, Homologation, ROHS2, and USGv6 for Juniper Networks products.
8
SEE ALSO
IPsec Requirements for Junos-FIPS

Configuring IPsec for Enabling Internal Communications Between Routing Engines for Junos OS in
FIPS Mode
2 CHAPTER
Getting Started
Getting Started: A Quick Tour of the CLI | 10
Online Help in the CLI | 35
CLI Environment Settings | 42

10
Getting Started: A Quick Tour of the CLI
IN THIS SECTION
Get Started with the Command-Line Interface | 10
Use Keyboard Sequences to Navigate and Edit the CLI | 14
Configure a User Account on a Juniper Networks Device | 16
Use the CLI Editor in Configuration Mode | 19
Check the Status of a Juniper Networks Device | 22
Roll Back Configuration Changes | 25
Configure a Routing Protocol | 27
The following topics can help you (the network administrator) get started with the Junos OS CLI to
perform configuration changes, switch between operational mode and configuration mode, create a user
account, and execute some of the basic commands.
NOTE: If you need a basic introduction to Junos OS, see the Getting Started Guide for Junos OS.
For more in-depth information, as well as to learn how to use Junos OS with Juniper Networks
devices, see the Overview for Junos OS.
This Junos OS CLI Guide assumes that you are familiar with Junos OS concepts and operation
principles.
Get Started with the Command-Line Interface
This topic shows you how to start the Junos OS CLI, view the command hierarchy, and make minor
configuration changes.
11
NOTE: Before you begin, make sure that your device hardware is set up and Junos OS is
installed. You must have a direct console connection to the device or network access using SSH
or Telnet. If your device is not set up, follow the installation instructions provided with the device
before proceeding.
To log in to a device and start the CLI:
1. Log in as root.
The root login account has superuser privileges, with access to all commands and statements.
2. Start the CLI:
root# cli
root@>
The > command prompt shows that you are in operational mode. Later, when you enter configuration
mode, the prompt will change to #.
NOTE: If you are using the root account for the first time on the device, remember that the
device ships with no password required for root. The first time you commit a configuration, you
must set a root password. Root access is not allowed over a telnet session. To enable root access
over an SSH connection, you must configure the system services ssh root-login allow statement.
CLI commands can vary by platform and software release. The CLI includes several ways to get help
about available commands. This section demonstrates some examples showing how to get help:
1. Type ? to show the top-level commands available in operational mode.
root@> ?
Possible completions:
clear Clear information in the system
configure Manipulate software configuration information
diagnose Invoke diagnose script
file Perform file operations
help Provide help information
monitor Show real-time debugging information
mtrace Trace multicast path from source to receiver
ping Ping remote target
quit Exit the management session
12
request Make system-level requests

restart Restart software process
set Set CLI properties, date/time, craft interface message
show Show system information
ssh Start secure shell on another host
start Start shell
telnet Telnet to another host
test Perform diagnostic debugging
traceroute Trace route to remote host
2. Type file ? to show all possible completions for the file command.
root@> file ?
<[Enter]> Execute this command
archive Archives files from the system
checksum Calculate file checksum
compare Compare files
copy Copy files (local or remote)
delete Delete files from the system
list List file information
rename Rename files
show Show file contents
source-address Local address to use in originating the connection
| Pipe through a command
3. Type file archive ? to show all possible completions for the file archive command.
root@> file archive ?

compress Compresses the archived file using GNU gzip (.tgz)
destination Name of created archive (URL, local, remote, or floppy)
source Path of directory to archive
Switch Between Operational Mode and Configuration Mode
When you monitor and configure a device running Junos OS, you may need to switch between modes .
When you switch between operational mode and configuration mode, the command prompt also
13
changes. The operational mode prompt is a right-angle bracket (>). The configuration mode prompt is a
pound or hash sign (#).
To switch between operational mode and configuration mode:
1. When you log in to the device and type the cli command and press Enter, you are automatically in
operational mode:
---JUNOS 17.2B1.8 built 2018-05-09 23:41:29 UTC

% cli
user@host>
2. To enter configuration mode, type the configure command or the edit command in CLI operational
mode. The prompt in brackets ([edit]), also known as a banner, shows that you are in configuration
mode at the top of the hierarchy. For example:
user@host> configure
Entering configuration mode
[edit]
user@host#
The CLI prompt changes from user@host> to user@host#, showing that you are in configuration mode,
and a banner appears to indicate the hierarchy level.
3. You can exit configuration mode and return to operational mode in one of the following ways:
• To commit the configuration and exit:
[edit]
user@host# commit and-quit
commit complete
Exiting configuration mode
user@host>
• To exit without committing:
[edit]
user@host# exit
14

user@host>
When you exit configuration mode, the CLI prompt changes from user@host# to user@host>, and the
banner no longer appears. You can enter or exit configuration mode as many times as you wish
without committing your changes.
4. To display the output of an operational mode command such as show while in configuration mode,
issue the run configuration mode command. Then, specify the operational mode command:
[edit]
user@host# run operational-mode-command
For example, to display the currently set priority value of the Virtual Router Redundancy Protocol
(VRRP) primary device while you are modifying the VRRP configuration for a backup device:
[edit interfaces xe-4/2/0 unit 0 family inet vrrp-group 27]

user@host# show
virtual-address [ 192.168.1.15 ];
user@host# run show vrrp detail
Physical interface: xe-5/2/0, Unit: 0, Address: 192.168.29.10/24
Interface state: up, Group: 10, State: backup
Priority: 190, Advertisement interval: 3, Authentication type: simple
Preempt: yes, VIP count: 1, VIP: 192.168.29.55
Dead timer: 8.326, Master priority: 201, Master router: 192.168.29.254
user@host# set priority ...
Use Keyboard Sequences to Navigate and Edit the CLI
You can use keyboard sequences in the Junos OS CLI to navigate and edit the command line. You can
also use keyboard sequences to scroll through a list of recently executed commands. The following table
lists some of the CLI keyboard sequences. They are the same as those used in Emacs.
15
Table 2: CLI Keyboard Shortcuts
Keyboard sequence Action
Ctrl+b Move the cursor back one character.
Esc+b or Alt+b Move the cursor back one word.
Ctrl+f Move the cursor forward one character.
Esc+f or Alt+f Move the cursor forward one word.
Ctrl+a Move the cursor to the beginning of the command line.
Ctrl+e Move the cursor to the end of the command line.
Ctrl+h, Delete, Delete the character before the cursor.

or Backspace
Ctrl+d Delete the character at the cursor.
Ctrl+k Delete the all characters from the cursor to the end of the command line.
Ctrl+u or Ctrl+x Delete the all characters from the command line.
Ctrl+w, Esc+Backspace, Delete the word before the cursor.

or Alt+Backspace
Esc+d or Alt+d Delete the word after the cursor.
Ctrl+y Insert the most recently deleted text at the cursor.
Ctrl+l Redraw the current line.
Ctrl+p Scroll backward through the list of recently executed commands.

16
Table 2: CLI Keyboard Shortcuts (Continued)
Keyboard sequence Action
Ctrl+n Scroll forward through the list of recently executed commands.
Ctrl+r Search the CLI history incrementally in reverse order for lines matching the search
string.
Esc+/ or Alt+/ Search the CLI history for words for which the current word is a prefix.
Esc+. or Alt+. Scroll backward through the list of recently entered words in a command line.
Esc+number sequence Specify the number of times to execute a keyboard sequence.

or Alt+number sequence
Configure a User Account on a Juniper Networks Device
This topic describes how to use a root account to log in to a Juniper Networks device and configure a
new user account. You can configure an account for your own use or create a test account.
To configure a new user account on the device:
1. Log in as root and enter configuration mode:
root@host> configure
[edit]
root@host#
The ([edit]) prompt banner shows that you are in configuration edit mode at the top of the
hierarchy.
2. Change to the [edit system login] section of the configuration:
[edit]
root@host# edit system login
17
[edit system login]

root@host#
The prompt in brackets changes to [edit system login] to show that you are at a new level in the
hierarchy.
3. Now add a new user account. In the example, user1 represents a username:
[edit system login]

root@host# edit user user1
This example adds an account user1.
NOTE: User account names can contain a period (.). For example, you can have a user
account user.1. However, the username cannot begin or end with a period.
4. Configure a full name for the account. If the name includes spaces, enclose the entire name in
quotation marks (" "):
[edit system login user user1]

root@host# set full-name "User One"
5. Configure an account class. The account class sets the user access privileges for the account:

root@host# set class super-user
6. Configure an authentication method and password for the account:

root@host# set authentication plain-text-password
New password:
Retype new password:
When the new password prompt appears, enter a clear-text password that the system can encrypt,
and then confirm the new password.
18
7. Commit the configuration:

root@host# commit
commit complete
Configuration changes are not active until you commit the configuration. If the commit is
successful, a commit complete message appears.
8. Return to the top level of the configuration, and then exit:

root@host# top
[edit]
root@host# exit
9. Log out of the device:
root@host> exit
% logout Connection closed.
10. To test your changes, log back in with the user account and password you just configured:
login: user1
Password: password
---JUNOS 17.2B1.8 built 2018-05-09 23:41:29 UTC
user1@host>
When you log in, you should see the new username at the command prompt.
You have successfully used the CLI to view the device status and perform a simple configuration change.
NOTE: For complete information about the commands to issue to configure your device,
including examples, see the Junos OS configuration guides.
19
Use the CLI Editor in Configuration Mode
This topic describes basic commands that you can use to enter configuration mode in the CLI editor. The
topic also describes commands that you use to navigate the configuration hierarchy, get help, and
commit or revert the changes that you make during the configuration session.
Task Command/ Example

Statement
Edit Your Configuration
Enter configuration mode.

configure user@host> configure
When you start the CLI, the device is
in operational mode. You must
explicitly enter configuration mode.
When you do, the CLI prompt changes [edit]
from user@host> to user@host#, and the user@host#
hierarchy level appears in square
brackets.
Create a statement hierarchy.

edit hierarchy- [edit]
You can use the edit command to level value user@host# edit security zones security-zone myzone
simultaneously create a hierarchy and
move to that new level in the
hierarchy. You cannot use the edit
command to change the value of [edit security zones security-zone myzone]
identifiers. user@host#
Create a statement hierarchy, and set

identifier values. set hierarchy- [edit]
level value user@host# set security zones security-zone myzone
The set command is like edit, except
that your current level in the hierarchy
does not change.
[edit]
user@host#
Navigate the Hierarchy

20
(Continued)

Statement
Navigate down to an existing

hierarchy level. edit hierarchy- [edit]
level user@host# edit security zones
[edit security zones]

user@host#
Navigate up one level in the hierarchy.

up [edit security zones]
user@host# up
[edit security]
user@host#
Navigate to the top of the hierarchy.

top [edit security zones]
user@host# top
[edit]
user@host#
Commit or Revert Changes
Commit your configuration.

commit [edit]
user@host# commit
commit complete
21
(Continued)

Statement
Roll changes back from the current

session. rollback [edit]
user@host# rollback
Use the rollback command to revert all
changes from the current
configuration session. When you run
the rollback command before you exit load complete
your session or commit changes, the
software loads the most recently
committed configuration onto the
device. You must enter the rollback
statement at the edit level in the
hierarchy.
Exit Configuration Mode
Commit the configuration, and exit

configuration mode. commit and-quit [edit]
user@host# commit and-quit
user@host>
Exit configuration mode without

committing your configuration. exit [edit]
user@host# exit
You must navigate to the top of the
hierarchy using the up or top
commands before you can exit
configuration mode. The configuration has been changed but not
committed
Exit with uncommitted changes? [yes,no] (yes)
Get Help
22
(Continued)

Statement
Display a list of valid options for the

current hierarchy level. ? [edit ]
user@host# edit security zones ?
> functional-zone Functional zone
> security-zone Security zones
| Pipe through a
command
[edit]
SEE ALSO
Check the Status of a Juniper Networks Device
In operational mode, you can use show commands to check the status of the device and monitor the
activities on the device.
To help you become familiar with show commands:
• Type show ? to display the list of show commands you can use to monitor the router:
root@> show ?
accounting Show accounting profiles and records
aps Show Automatic Protection Switching information
arp Show system Address Resolution Protocol table entries
as-path Show table of known autonomous system paths
bfd Show Bidirectional Forwarding Detection information
23
bgp Show Border Gateway Protocol information

chassis Show chassis information
class-of-service Show class-of-service (CoS) information
cli Show command-line interface settings
configuration Show current configuration
connections Show circuit cross-connect connections
dvmrp Show Distance Vector Multicast Routing Protocol info
dynamic-tunnels Show dynamic tunnel information information
esis Show end system-to-intermediate system information
firewall Show firewall information
helper Show port-forwarding helper information
host Show hostname information from domain name server
igmp Show Internet Group Management Protocol information
ike Show Internet Key Exchange information
ilmi Show interim local management interface information
interfaces Show interface information
ipsec Show IP Security information
ipv6 Show IP version 6 information
isis Show Intermediate System-to-Intermediate System info
l2circuit Show Layer 2 circuit information
l2vpn Show Layer 2 VPN information
lacp Show Link Aggregation Control Protocol information
ldp Show Label Distribution Protocol information
link-management Show link management information
llc2 Show LLC2 protocol related information
log Show contents of log file
mld Show multicast listener discovery information
mpls Show Multiprotocol Label Switching information
msdp Show Multicast Source Discovery Protocol information
multicast Show multicast information
ntp Show Network Time Protocol information
ospf Show Open Shortest Path First information
ospf3 Show Open Shortest Path First version 3 information
passive-monitoring Show information about passive monitoring
pfe Show Packet Forwarding Engine information
pgm Show Pragmatic Generalized Multicast information
pim Show Protocol Independent Multicast information
policer Show interface policer counters and information
policy Show policy information
ppp Show PPP process information
rip Show Routing Information Protocol information
ripng Show Routing Information Protocol for IPv6 info
route Show routing table information
24
rsvp Show Resource Reservation Protocol information

sap Show Session Announcement Protocol information
security Show security information
services Show services information
snmp Show Simple Network Management Protocol information
system Show system information
task Show routing protocol per-task information
ted Show Traffic Engineering Database information
version Show software process revision levels
vpls Show VPLS information
vrrp Show Virtual Router Redundancy Protocol information
• Use the show chassis routing-engine command to view the Routing Engine status:
root@> show chassis routing-engine

Routing Engine status:
Slot 0:
Current state Master
Election priority Master (default)
Temperature 31 degrees C / 87 degrees F
CPU temperature 32 degrees C / 89 degrees F
DRAM 768 MB
Memory utilization 84 percent
CPU utilization:
User 0 percent
Background 0 percent
Kernel 1 percent
Interrupt 0 percent
Idle 99 percent
Model RE-2.0
Serial ID b10000078c10d701
Start time 2005-12-28 13:52:00 PST
Uptime 12 days, 3 hours, 44 minutes, 19 seconds
Load averages: 1 minute 5 minute 15 minute
0.02 0.01 0.00
• Use the show system storage command to view available storage on the device:
root@> show system storage
Filesystem Size Used Avail Capacity Mounted on

25
/dev/ad0s1a 865M 127M 669M 16% /

devfs 1.0K 1.0K 0B 100% /dev
devfs 1.0K 1.0K 0B 100% /dev/
/dev/md0 30M 30M 0B 100% /packages/mnt/jbase
/dev/md1 158M 158M 0B 100% /packages/mnt/jkernel-9.3B1.5
/dev/md2 16M 16M 0B 100% /packages/mnt/jpfe-M7i-9.3B1.5
/dev/md3 3.8M 3.8M 0B 100% /packages/mnt/jdocs-9.3B1.5
/dev/md4 44M 44M 0B 100% /packages/mnt/jroute-9.3B1.5
/dev/md5 12M 12M 0B 100% /packages/mnt/jcrypto-9.3B1.5
/dev/md6 25M 25M 0B 100% /packages/mnt/jpfe-common-9.3B1.5
/dev/md7 1.5G 196K 1.4G 0% /tmp
/dev/md8 1.5G 910K 1.4G 0% /mfs
/dev/ad0s1e 96M 38K 88M 0% /config
procfs 4.0K 4.0K 0B 100% /proc
/dev/ad1s1f 17G 2.6G 13G 17% /var
SEE ALSO

Roll Back Configuration Changes
This topic shows how to use the rollback command to return your uncommitted but revised
configuration to the state of the most recently committed Junos OS configuration. The rollback
command is useful if you make configuration changes and then decide not to keep them.
The following procedure shows how to configure an SNMP health monitor on a Juniper Networks
device and then return to the most recently committed configuration that does not include the health
monitor. When configured, the SNMP health monitor provides the network management system (NMS)
with predefined monitoring for file system usage, CPU usage, and memory usage on the device.
1. Enter configuration mode:
entering configuration mode
[edit]
user@host#
26
2. Show the current configuration (if any) for SNMP:
[edit]
user@host# show snmp
No snmp statements appear because SNMP has not been configured on the device.
3. Configure the health monitor:
[edit]
user@host# set snmp health-monitor
4. Show the new configuration:
[edit]
health-monitor;
The health-monitor statement indicates that SNMP health monitoring is configured on the device.
5. Enter the rollback configuration mode command to return to the most recently committed
configuration:
[edit]
user@host# rollback
load complete
6. Show the configuration again to make sure your change is no longer present:
[edit]
No snmp configuration statements appear. The health monitor is no longer configured.
7. Enter the commit command to activate the configuration to which you rolled back:
[edit]
user@host# commit
27
8. Exit configuration mode:
[edit]
user@host# exit
You can also use the rollback command to return to earlier configurations.
SEE ALSO
Configure a Routing Protocol
IN THIS SECTION
Shortcut | 28
Longer Configuration | 28
Make Changes to a Routing Protocol Configuration | 31
This topic provides a sample configuration that describes how to configure an OSPF backbone area that
has two SONET interfaces.
The final configuration looks like this:
[edit]
protocols {
ospf {
area 0.0.0.0 {
interface so-0/0/0 {
hello-interval 5;
dead-interval 20;
}
28
hello-interval 5;
dead-interval 20;
}
}
}
}
Shortcut
You can create a shortcut for this entire configuration with the following two commands:
[edit]
user@host# set protocols ospf area 0.0.0.0 interface so-0/0/0 hello-interval 5 dead-interval 20
[edit]
Longer Configuration
This section provides a longer example of creating the previous OSPF configuration. In the process, it
illustrates how to use the different features of the CLI.
1. Enter configuration mode by issuing the configure command:
[edit]
user@host#
Notice that the prompt has changed to a pound or hash sign (#) to indicate configuration mode.
2. To create the above configuration, you start by editing the protocols ospf statements:
[edit]
user@host# edit protocols ospf
[edit protocols ospf]
user@host#
3. Now add the OSPF area:

user@host# edit area 0.0.0.0
29
[edit protocols ospf area 0.0.0.0]

user@host#
4. Add the first interface:

user@host# edit interface so-0/0/0
[edit protocols ospf area 0.0.0.0 interface so-0/0/0]
user@host#
You now have four nested statements.

5. Set the hello and dead intervals.

user@host# set hello-interval 5
user@host# set dead-interval 20
user@host#
6. You can see what is configured at the current level with the show command:

user@host# show
hello-interval 5;
dead-interval 20;
user@host#
7. You are finished at this level, so go up a level and view what you have done so far:

user@host# up
user@host# show
hello-interval 5;
dead-interval 20;
}
user@host#
30
The interface statement appears because you have moved to the area statement.
8. Add the second interface:

user@host# edit interface so-0/0/1
user@host# up
user@host# show
hello-interval 5;
dead-interval 20;
}
hello-interval 5;
dead-interval 20;
}
user@host#
9. Move up to the top level and review what you have:

user@host# top
[edit]
user@host# show
protocols {
ospf {
area 0.0.0.0 {
hello-interval 5;
dead-interval 20;
}
hello-interval 5;
dead-interval 20;
}
31
}
}
}
[edit]
user@host#
This configuration now contains the statements that you want.

10. Before committing the configuration (and thereby activating it), verify that the configuration is
correct:
[edit]
user@host# commit check
configuration check succeeds
[edit]
user@host#
11. Commit the configuration to activate it on the device:
[edit]
user@host# commit
commit complete
[edit]
user@host#
Make Changes to a Routing Protocol Configuration
Suppose you decide to use different dead intervals and hello intervals on interface so-0/0/1. You can
make changes to the configuration.
1. Go directly to the appropriate hierarchy level by typing the full hierarchy path to the statement that
you want to edit:
[edit]
user@host# edit protocols ospf area 0.0.0.0 interface so-0/0/1
user@host# show
hello-interval 5;
dead-interval 20;
32

user@host# top
[edit]
user@host# show
protocols {
ospf {
area 0.0.0.0 {
hello-interval 5;
dead-interval 20;
}
hello-interval 7;
dead-interval 28;
}
}
}
}
[edit]
user@host#
2. If you decide not to run OSPF on the first interface, delete the statement:
[edit]
user@host# edit protocols ospf area 0.0.0.0
user@host# delete interface so-0/0/0
user@host# top
[edit]
user@host# show
protocols {
ospf {
area 0.0.0.0 {
hello-interval 7;
dead-interval 28;
}
}
}
}
33
[edit]
user@host#
Everything inside the statement you deleted was deleted with it. You can also eliminate the entire
OSPF configuration by simply entering delete protocols ospf while at the top level.
3. Maybe you decide to use the default values for the hello intervals and dead intervals on your
remaining interface but want OSPF to run on that interface. In that case, delete the hello interval
timer and dead interval timer:
[edit]
user@host# delete hello-interval
user@host# delete dead-interval
user@host# top
[edit]
user@host# show
protocols {
ospf {
area 0.0.0.0 {
interface so-0/0/1;
}
}
}
[edit]
user@host#
You can set multiple statements at the same time as long as they are all part of the same hierarchy.
The hierarchy consists of the path of statements from the top inward, as well as one or more
statements at the bottom of the hierarchy. Setting multiple statements at the same time can reduce
considerably the number of commands you must enter.
4. To go back to the original hello interval timer and dead interval timer on interface so-0/0/1, enter:
[edit]
user@host# set hello-interval 5 dead-interval 20
user@host# exit
34
[edit]
user@host# show
protocols {
ospf {
area 0.0.0.0 {
hello-interval 5;
dead-interval 20;
}
}
}
}
[edit]
user@host#
5. You also can re-create the other interface, as you had it before, with only a single entry:
[edit]
[edit]
user@host# show
protocols {
ospf {
area 0.0.0.0 {
hello-interval 5;
dead-interval 20;
}
hello-interval 5;
dead-interval 20;
}
}
}
}
[edit]
user@host#
35
Online Help in the CLI
IN THIS SECTION
CLI Online Help Features | 39
CLI Explorer Overview | 41
Get Online Help from the Command-Line Interface
IN THIS SECTION
Getting Help About Commands | 35
Getting Help About a String in a Statement or Command | 37
Getting Help About Configuration Statements | 38
Getting Help About System Log Messages | 38
The CLI has a context-sensitive online help feature that enables you to access information about
commands and statements.
Getting Help About Commands
CLI commands and options can vary by platform and software release. Each level of the CLI command
hierarchy provides information about available commands. You can type a question mark (?) to get
context-relevant help about commands.
• If you type the question mark at the command-line prompt, the CLI lists the available commands and
options. For example, to view a list of top-level operational mode commands, this is the result:
user@host> ?
36

file Perform file operations
mtrace Trace mtrace packets from source to receiver.
monitor Real-time debugging
ping Ping a remote target
quit Exit the management session
restart Restart a software process
set Set CLI properties, date, time, craft display text
show Show information about the system
ssh Open a secure shell to another host
start Start a software process
telnet Telnet to another host
test Diagnostic debugging commands
traceroute Trace the route to a remote host
user@host>
• If you type the question mark after entering the complete name of a command or command option,
the CLI lists the available commands and options and then re-displays the command names and
options you typed.
user@host> clear ?
arp Clear address-resolution information
bgp Clear BGP information
chassis Clear chassis information
firewall Clear firewall counters
igmp Clear IGMP information
interfaces Clear interface information
ilmi Clear ILMI statistics information
isis Clear IS-IS information
ldp Clear LDP information
log Clear contents of a log file
mpls Clear MPLS information
msdp Clear MSDP information
multicast Clear Multicast information
ospf Clear OSPF information
pim Clear PIM information
rip Clear RIP information
route Clear routing table information
37
rsvp Clear RSVP information

snmp Clear SNMP information
system Clear system status
vrrp Clear VRRP statistics information
user@host> clear
• If you type the question mark in the middle of a command name, the CLI lists possible command
completions that match the letters you have entered so far. It then re-displays the letters that you
typed. For example, to list all operational mode commands that start with the letter c, type the
following:
user@host> c?
user@host> c
• For introductory information on using the question mark or the help command, you can also type help
and press Enter:
user@host> help
Getting Help About a String in a Statement or Command
You can use the help command to display help about a text string contained in a statement or command
name:
help apropos string
string is a text string about which you want to get help. Use the string to match statement or command
names as well as to match the help strings that are displayed for the statements or commands.
If the string contains spaces, enclose it in quotation marks (" "). You can also specify a regular expression
for the string, using standard UNIX-style regular expression syntax.
For statements or commands that need input data type as STRING, the supported characters set is as
follows:
• Any printable ASCII characters
• For characters with space, enclose it in double-quotes.

38
• To have double-quote as the input, it should be escaped with ‘\’.
NOTE: No escape characters are supported in a string other than to escape from double
quotes.
• The range of supported characters for attributes is 0 through 65499 characters.
• The range of supported characters for string type identifiers is 1 through 255 characters.
In configuration mode, this command displays statement names and help text that match the string
specified. In operational mode, this command displays command names and help text that match the
string specified.
Getting Help About Configuration Statements
You can display help based on text contained in a statement name using the help topic and help reference
commands:
help topic word

help reference statement-name
The help topic command displays usage guidelines for the statement based on information that appears
in the Junos OS configuration guides. The help reference command displays summary information about
the statement based on the summary descriptions that appear in the Junos OS configuration guides.
Getting Help About System Log Messages
You can display help based on a system log tag using the help syslog command:
help syslog syslog-tag
The help syslog command displays the contents of a system log message.
39
CLI Online Help Features
IN THIS SECTION
Help for Omitted Statements | 39
Using CLI Command Completion | 39
Using Command Completion in Configuration Mode | 40
Displaying Tips About CLI Commands | 40
Help for Omitted Statements
If you have omitted a required statement at a specific hierarchy level, when you attempt to move from
that hierarchy level or when you issue the show command in configuration mode, a message indicates
which statement is missing. For example:
[edit protocols pim interface so-0/0/0]

user@host# top
Warning: missing mandatory statement: 'mode'
[edit]
user@host# show
protocols {
pim {
priority 4;
version 2;
# Warning: missing mandatory statement(s): 'mode'
}
}
}
Using CLI Command Completion
The Junos OS CLI provides you a command completion option that enables the operating system to
recognize commands and options based on the initial few letters you typed. That is, you do not always
have to remember or type the full command or option name for the CLI to recognize it.
40
• To display all possible command or option completions, type the partial command followed
immediately by a question mark.
• To complete a command or option that you have partially typed, press Tab or Space. If the partially
typed letters begin a string that uniquely identifies a command, the complete command name
appears. Otherwise, a prompt indicates that you have entered an ambiguous command, and the
possible completions display.
Command completion also applies to other strings, such as filenames, interface names, and usernames.
To display all possible values, type a partial string followed immediately by a question mark. To complete
a string, press Tab.
Using Command Completion in Configuration Mode
The CLI command completion functions also apply to the commands in configuration mode and to
configuration statements. Specifically, to display all possible commands or statements, type the partial
string followed immediately by a question mark. To complete a command or statement that you have
partially typed, press Tab or Space.
Displaying Tips About CLI Commands
To get tips about CLI commands, issue the help tip cli command. Each time you enter the command, a
new tip appears. For example:
user@host> help tip cli

Junos tip:
Use 'request system software validate' to validate the incoming software
against the current configuration without impacting the running system.
Junos tip:
Use 'commit and-quit' to exit configuration mode after the commit has
succeeded. If the commit fails, you are left in configuration mode.
You can also enter help tip cli number to associate a tip with a number. This enables you to recall the tip
later. For example:
user@host> help tip cli 10

JUNOS tip:
Use '#' in the beginning of a line in command scripts to cause the
rest of the line to be ignored.
41

JUNOS tip:
Use the 'apply-groups' statement at any level of the configuration
hierarchy to inherit configuration statements from a configuration group.
user@host>
SEE ALSO
CLI Explorer Overview
CLI Explorer is a Web application that helps you to explore Junos OS configuration statements and
commands. CLI Explorer lists all the configuration statements and commands the Junos OS supports
across different platforms and software releases.
To view the available configuration statements and commands, you can use any of the following filtering
options:
• Filter by product family—To find the CLI reference information by product family, you can either
select “All products” or select any specific product.
For example: ACX Series, EX Series.
• Filter by number or letter—To find the CLI reference information by number or letter, you can either
select “All” or filter by numbers “3” or “8” or any of the letters (“A”, “B”, “C”...).
For example, if you select the letter “A”, commands such as aaa, aaa clients (TDF), aaa-access-profile
(L2TP LNS) appear.
• Filter by the normal search option—To use this option to filter the commands and statements, you
enter your search criteria.
For example, if you enter the number “3”, all the commands and statements containing the number
“3” appear in the search results.
When you click on the link in the search results, you are directed to a page describing the command or
statement that is referenced in a user guide.
To explore the Junos OS configuration statements and commands, see the CLI Explorer.
42
CLI Environment Settings
IN THIS SECTION
Enable Configuration Breadcrumbs | 47
In operational mode, you (the network administrator) can customize the Junos OS CLI environment to
suit your specific preferences and requirements.
Customize the CLI Environment
IN THIS SECTION
Display the Current CLI Settings | 43
Set the Terminal Type | 43
Set the CLI Prompt | 44
Set the CLI Directory | 44
Set the CLI Timestamp | 44
Set the Idle Timeout | 45
Set the CLI to Prompt for Restart After a Software Upgrade | 45
Set CLI Command Completion | 45

43
In operational mode, you can customize the CLI environment by using the set cli command. For
example, you can specify the number of lines that are displayed on the screen or your terminal type. The
following output lists the available options:
user@host>set cli ?
complete-on-space Set whether typing space completes current word
directory Set working directory
idle-timeout Set maximum idle time before login session ends
logical-system Set default logical system
prompt Set CLI command prompt string
restart-on-upgrade Set whether CLI prompts to restart after software upgrade
screen-length Set number of lines on screen
screen-width Set number of characters on a line
tenant Set default tenant
terminal Set terminal type
timestamp Timestamp CLI output
NOTE: Some values are already set when you use SSH to log in to the device or log in from the
console when its terminal type is already configured: your terminal type, screen length, and
screen width.
Display the Current CLI Settings
To display the current CLI settings, use the show cli command:
user@host> show cli

CLI screen length set to 24
CLI screen width set to 80
CLI complete-on-space set to on
Set the Terminal Type
To set the terminal type, use the set cli terminal command:
user@host> set cli terminal terminal-type

44
The terminal type can be one of the following: ansi, vt100, small-xterm, or xterm.
Set the CLI Prompt
The default CLI prompt is user@host>. To change this prompt, use the set cli prompt command. If the
prompt string contains spaces, enclose the string in quotation marks (" " ).
user@host> set cli prompt string
NOTE: Changing the CLI prompt is not persistent across CLI sessions. When you exit the CLI and
restart it, the prompt defaults to user@host.
Set the CLI Directory
To set the current working directory, use the set cli directory command:
user@host> set cli directory directory
The directory must be the full pathname of the desired working directory. After entering this command,
the CLI switches to the specified directory.
Set the CLI Timestamp
By default, CLI output does not include a timestamp. To include a timestamp in CLI output, use the set
cli timestamp command:
user@host> set cli timestamp [format time-date-format | disable]
Enclose the format in single quotation marks ( ‘ ). If you do not specify a timestamp format, the default
format is 'Mmm dd hh:mm:ss’ (for example, Feb 08 17:20:49).
45
Set the Idle Timeout
By default, a CLI session never times out after extended idle time unless you have included the idle-
timeout statement in the user’s login class configuration. To set the maximum time an individual session
can be idle before the user is logged off the device, use the set cli idle-timeout command:
user@host> set cli idle-timeout timeout
The timeout can be 0 through 100,000 minutes. Setting the timeout to 0 disables the idle timeout.
Set the CLI to Prompt for Restart After a Software Upgrade
By default, the CLI prompts users to restart after a software upgrade. To disable the prompt, use the set
cli restart-on-upgrade off command:
user@host>set cli restart-on-upgrade off
To reenable the prompt, use the set cli restart-on-upgrade on command:
user@host> set cli restart-on-upgrade on
Set CLI Command Completion
By default, you can press Tab or the spacebar to have the CLI complete a command.
To have the CLI allow only Tab to complete a command, use the set cli complete-on-space off command:
user@host> set cli complete-on-space off

Disabling complete-on-space
user@host>
To enable the use of the spacebar (as well as Tab) for command completion, use the set cli complete-on-
space on command:
user@host> set cli complete-on-space on

Enabling complete-on-space
user@host>
46
Set the CLI Screen Length and Width
IN THIS SECTION
Set the Screen Length | 46
Set the Screen Width | 46
You can set the Junos OS CLI screen length and width according to your specific preferences and
requirements.
Set the Screen Length
The default CLI screen length is 24 lines. If output is longer than this, the display scrolls to the
configured screen length and then displays a more prompt. You can press Enter to display the next line, or
press the Spacebar to show the next full screen. Alternatively, you can press h to view all the available
options, which include navigation, searching, and saving.
To change the screen length, use the set cli screen-length command:
user@host> set cli screen-length length
Setting the screen length to 0 lines disables the use of “one screen at a time” output. This setting causes
the screen to scroll all the way through to completion without displaying the more prompt. Disabling this
UNIX more-type interface can be useful when you are issuing CLI commands from scripts.
Set the Screen Width
The value of CLI screen width can be 0 or in the range of 40 through 1024. The default CLI screen width
is 80 characters. Using a CLI screen width value of 0 disables the display of the output screen, which
may be desirable when using scripts. To change the width, use the set cli screen-width command:
user@host> set cli screen-width width

47
Enable Configuration Breadcrumbs
You can configure the output of show configuration operational mode commands and show configuration
mode commands to display configuration breadcrumbs. These breadcrumbs help you identify the exact
location in the configuration hierarchy for the output you are viewing.
Before you enable the configuration breadcrumbs feature, check the output of the show configuration
command.
user@host> show configuration
...
}
}
}
}
}
fe-4/1/2 {
description "FA4/1/2: mxxj1-mr6 (64.12.137.160/27) (T=bblan, bbmail, bbowmtc)";
unit 0 {
family inet {
filter {
output 151mj;
}
address 64.12.137.187/27 {
vrrp-group 1 {
virtual-address 64.12.137.189;
---(more 18%)-----------------------------------------------------
The output does not clearly indicate the section of the configuration being viewed.
To enable the configuration breadcrumbs feature:
1. Launch configuration mode in the CLI.

2. Define a class at the [edit system login] hierarchy level, and set an idle timeout value of 10 minutes.
[edit system login]

user@host# set class breadclass idle-timeout 10
48
3. Include the configuration-breadcrumbs statement at the [edit system login class <class name>] hierarchy
level.
[edit system login class breadclass]

user@host# set configuration-breadcrumbs
4. Add a user to the defined login class to enable the breadcrumb output view when this user runs the
show configuration operational mode command.

user@host# set class breadclass
5. Commit the configuration.
[edit]
user@host# commit
Upon enabling configuration breadcrumbs in the CLI, user1 (the user added to the login class) can
verify the feature in the output by entering the show configuration command.
user1@host> show configuration
...
}
}
}
}
}
fe-4/1/2 {
description "FA4/1/2: mxxj1-mr6 (64.12.137.160/27) (T=bblan, bbmail, bbowmtc)";
unit 0 {
family inet {
filter {
output 151mj;
}
address 64.12.137.187/27 {
vrrp-group 1 {
virtual-address 64.12.137.189;
49
---(more 18%)---[groups main interfaces fe-4/1/2 unit 0 family inet address 64.12.137.187/27
vrrp-group 1]---
The new output indicates the exact location of the configuration hierarchy the user is viewing. In this
case, user1 is currently viewing the interface configuration of a group.
NOTE: If you enable configuration breadcrumbs for your own user account, log out and then
log in again to see the changes.
3 CHAPTER
Using Configuration Statements to

Configure a Device
CLI Configuration Mode Overview | 51
Modify the Configuration of a Device | 71
Use Configuration Groups to Quickly Configure Devices | 118
View the Configuration | 152

51
CLI Configuration Mode Overview
IN THIS SECTION
Enter and Exit CLI Configuration Mode | 58
Command Completion in Configuration Mode | 61
Notational Conventions Used in Configuration Hierarchies | 64
The configuration mode of the Junos OS CLI enables you to configure a device, using configuration
statements to set, manage, and monitor device properties.
Understanding CLI Configuration Mode
IN THIS SECTION
Configuration Mode Commands | 52
Configuration Statements and Identifiers | 54
Configuration Statement Hierarchy | 55
You can configure all Junos OS properties, including interfaces, general routing information, routing
protocols, and user access, as well as several system hardware properties.
As "Understanding the Junos OS CLI Modes, Commands, and Statement Hierarchies" on page 5
describes, a device configuration is stored as a hierarchy of statements. In configuration mode, you
create a set of configuration statements to use. When you finish entering the configuration statements
and are certain they are complete and correct, you commit them, which activates the configuration on
the device.
52
You can create the configuration interactively, or you can create an ASCII text file containing the
configuration, load it on the device, and commit it.
Configuration Mode Commands
The following table summarizes each CLI configuration mode command. The commands are organized
alphabetically.
Table 3: Summary of Configuration Mode Commands
Command Description
activate Remove the inactive: tag from a statement. Statements or identifiers that have been activated
take effect when you next issue the commit command.
annotate Add comments to a configuration. You can add comments only at the current hierarchy level.
commit Commit the set of changes to the database and cause the changes to take operational effect.
copy Make a copy of an existing statement in the configuration.
deactivate Add the inactive: tag to a statement, effectively commenting out the statement or identifier
from the configuration. Statements or identifiers marked as inactive are ignored when you issue
the commit command.
delete Delete a statement or identifier. All subordinate statements and identifiers contained within the
specified statement path are deleted with it.
edit Move inside the specified statement hierarchy. If the statement does not exist, it is created.
exit Exit the current level of the statement hierarchy, returning to the level before the last edit
command, or exit from configuration mode. The quit and exit commands are equivalent.
extension Manage configurations that SDK application packages contribute. Manage them by either
displaying or deleting user-defined configurations that the named SDK application package
contributed. A configuration defined in any native Junos OS package is never deleted by the
extension command.
53
Table 3: Summary of Configuration Mode Commands (Continued)
Command Description
help Display help about available configuration statements.
insert Insert an identifier into an existing hierarchy.
load Load a configuration from an ASCII configuration file or from terminal input. Your current
location in the configuration hierarchy is ignored when the load operation occurs.
quit Exit the current level of the statement hierarchy, returning to the level before the last edit
command, or exit from configuration mode. The quit and exit commands are equivalent.
rename Rename an existing configuration statement or identifier.
replace Replace identifiers or values in a configuration.
rollback Return to a previously committed configuration. The software saves the last 10 committed
configurations, including the rollback number, date, time, and name of the user who issued the
commit configuration command.
run Run a CLI command without exiting from configuration mode.
save Save the configuration to an ASCII file. The configuration statements up to and including the
current level of the statement hierarchy are saved, along with the statement hierarchy
containing it. This action allows a section of the configuration to be saved, while fully
specifying the statement hierarchy.
set Create a statement hierarchy and set identifier values. This command is similar to edit, except
that your current level in the hierarchy does not change.
show Display the current configuration.
status Display the users currently editing the configuration.

54
Table 3: Summary of Configuration Mode Commands (Continued)
Command Description
top Return to the top level of configuration command mode, which is indicated by the [edit]
banner.
up Move up one level in the statement hierarchy.
update Update a private database.
wildcard delete Delete a statement or identifier. All subordinate statements and identifiers contained within the
specified statement path are deleted with it. You can use regular expressions to specify a
pattern. Based on this pattern, the operating system searches for items that contain these
patterns and deletes them.
Configuration Statements and Identifiers
You can configure device properties by including the corresponding statements in the configuration.
Typically, a statement consists of a system-defined keyword, which is fixed text, and an optional
identifier. An identifier is an identifying name that you can define, such as the name of an interface or a
username, which enables you and the CLI to differentiate among a collection of statements.
Table 4 on page 54 lists top-level configuration statements. See CLI Explorer for information about
each configuration statement.
Table 4: Configuration Mode Top-Level Statements
Statement Description
access Configure the Challenge Handshake Authentication Protocol (CHAP).
accounting-options Configure accounting statistics data collection for interfaces and firewall filters.
chassis Configure properties of the router chassis, including conditions that activate alarms and
SONET/SDH framing and concatenation properties.
55
Table 4: Configuration Mode Top-Level Statements (Continued)
Statement Description
class-of-service Configure class-of-service parameters.
firewall Configure filters that select packets based on their contents.
forwarding-options Configure forwarding options, including traffic sampling options.
groups Configure configuration groups.
interfaces Configure interface information, such as encapsulation, interfaces, virtual channel identifiers
(VCIs), and data-link connection identifiers (DLCIs).
policy-options Configure routing policies, which enable you to filter and set properties in incoming and
outgoing routes.
protocols Configure routing protocols, including BGP, IS-IS, LDP, MPLS, OSPF, RIP, and RSVP.
routing-instances Configure one or more routing instances.
routing-options Configure protocol-independent routing options, such as static routes, autonomous system
numbers, confederation members, and global tracing (debugging) operations to log.
security Configure IP Security (IPsec) services.
snmp Configure SNMP community strings, interfaces, traps, and notifications.
system Configure systemwide properties, including the hostname, domain name, Domain Name
System (DNS) server, user logins and permissions, mappings between hostnames and
addresses, and software processes.
Configuration Statement Hierarchy
The Junos OS configuration consists of a hierarchy of statements. There are two types of statements:
56
• Container statements, which are branches that can contain other statements (including additional
container statements or leaf statements). Container statements at the top of the hierarchy are
considered to be the trunk of the hierarchy tree.
• Leaf statements (contained by container statements), which do not contain other statements.
The container and leaf statements form the configuration hierarchy. Each statement at the top level of
the configuration hierarchy resides at the trunk of a hierarchy tree. These top-level statements are
container statements, containing other statements that form the tree branches. The leaf statements are
the leaves of the hierarchy tree. An individual hierarchy of statements, which starts at the trunk of the
hierarchy tree, is called a statement path.
The following illustration shows the hierarchy tree, illustrating a statement path for the part of the
protocol configuration hierarchy responsible for configuring the hello-interval statement on an interface
in an OSPF area.
Figure 2: Configuration Mode Hierarchy of Statements
The protocols statement is a top-level statement at the trunk of the configuration tree. The ospf, area, and
interface statements are all subordinate container statements of a higher statement (they are branches of
the hierarchy tree). The hello-interval statement is a leaf on the tree, which in this case contains a data
value, namely the length of the hello-interval, in seconds.
The following configuration example illustrates the statement hierarchy as shown in Figure 2 on page
56:
57
[edit protocols ospf area area-number interface interface-name]
The command displays the configuration as follows:
protocols {
ospf {
area 0.0.0.0 {
hello-interval 5;
}
hello-interval 5;
}
}
}
}
The CLI indents each level in the hierarchy to indicate each statement’s relative position in the hierarchy.
Additionally, in general, it sets off each level with braces, using an open brace at the beginning of each
hierarchy level and a closing brace at the end. If the statement at a hierarchy level is empty, the braces
are not printed.
Each leaf statement ends with a semicolon. If the hierarchy does not extend as far as a leaf statement,
the last statement in the hierarchy ends with a semicolon.
The configuration hierarchy can also contain “oneliners” at the lowest level in the hierarchy. Oneliners
remove one level of braces in the syntax and display the container statement, its identifiers, the child or
leaf statement, and its attributes all on one line.
For example, dynamic-profile dynamic-profile-name aggregate-clients; is a oneliner because the dynamic-profile

statement, its identifier dynamic-profile-name, and leaf statement aggregate-clients all appear on one line
when you run the show command in configuration mode:
[edit forwarding-options]
user@host# show
dhcp-relay {
dynamic-profile dynamic-profile-name aggregate-clients;
}
58
Enter and Exit CLI Configuration Mode
You configure Junos OS by entering configuration mode and creating a hierarchy of configuration mode
statements.
• To enter configuration mode, use the configure command.
When you enter configuration mode, the following configuration mode commands are available:
user@host>configure
[edit]
user@host#?
possible completions:
activate Remove the inactive tag from a statement
annotate Annotate the statement with a comment
commit Commit current set of changes
copy Copy a statement
deactivate Add the inactive tag to a statement
delete Delete a data element
edit Edit a sub-element
exit Exit from this level
insert Insert a new ordered data element
load Load configuration from ASCII file
quit Quit from this level
rename Rename a statement
replace Replace character string in configuration
rollback Roll back to previous committed configuration
run Run an operational-mode command
save Save configuration to ASCII file
set Set a parameter
show Show a parameter
status Show users currently editing configuration
top Exit to top level of configuration
up Exit one level of configuration
wildcard Wildcard operations
[edit]
user@host>
59
NOTE: When making configuration changes, commit them before you exit. If you exit
configuration mode without committing configuration changes, you lose the intended
changes.
You must have configure permission to view and use the configure command. When in configuration
mode, you can view and modify only those statements for which you have access privileges.
• If you enter configuration mode and another user is also in configuration mode, a message shows the
user’s name and the part of the configuration the other user is viewing or editing:
Users currently editing the configuration:
root terminal d0 (pid 4137) on since 2008-04-09 23:03:07 PDT, idle 7w6d 08:22
[edit]
The configuration has been changed but not committed
[edit]
user@host#
Up to 32 users can be in configuration mode simultaneously, and they all can make changes to the
configuration at the same time.
• To exit configuration mode, use the exit configuration-mode configuration mode command from any
level, or use the exit command from the top level. For example:

user@host# exit configuration-mode
exiting configuration mode
user@host>
[edit]
user@host# exit
user@host>
60
If you try to exit fconfiguration mode using the exit command and the configuration contains changes
that you have not committed, you see the following message and prompt:
[edit]
user@host# exit
Exit with uncommitted changes? [yes,no] yes
user@host>
• To exit with uncommitted changes without having to respond to a prompt, use the exit configuration-
mode command. This command is useful when you are using scripts to perform remote configuration.
[edit]
user@host# exit configuration-mode
user@host>
SEE ALSO

How to Use the configure exclusive Command Do you want to make this (and the other command
topics) user focused by referring to the main action users want to do? Example: "How to Prevent
Conflicts Using the configure exclusive Command" or "How to Prevent Configuration Conflicts." |
68
How to Work with the Correct ConfigurationIf you want to make the title user focused, this is one
option (but pretty long). You may have a better idea. What is the main reason a user would use this
command? That goal can become the title. | 71
61
Relative Configuration Mode Commands
The top or up command followed by another configuration command—such as edit, insert, delete,
deactivate, annotate, or show—enables you to quickly move to the top of the hierarchy or to a level above
the area you are configuring.
To issue configuration mode commands from the top of the hierarchy, use the top command and specify
a configuration command. For example:
[edit interfaces fxp0 unit 0 family inet]

user@host# top edit system login
[edit system login]
user@host#
To issue configuration mode commands from a location higher up in the hierarchy, use the up
configuration mode command. Specify the number of levels you want to move up in the hierarchy, and
then specify a configuration command. For example:
[edit protocols bgp]

user@host# up 2 activate system
SEE ALSO
Command Completion in Configuration Mode
This topic shows you how to access command help and to use basic command completion in CLI
configuration mode. In each case, you access help by using the question mark (?) character, either alone
or with a partial command or configuration statement.
To list the configuration mode commands, use the ? command alone:
[edit]
user@host# ?
activate Remove the inactive tag from a statement
62
annotate Annotate the statement with a comment

commit Commit current set of changes
copy Copy a statement
deactivate Add the inactive tag to a statement
delete Delete a data element
edit Edit a sub-element
exit Exit from this level
extension Extension operations
insert Insert a new ordered data element
load Load configuration from ASCII file
quit Quit from this level
rename Rename a statement
replace Replace character string in configuration
rollback Roll back to previous committed configuration
run Run an operational-mode command
save Save configuration to ASCII file
set Set a parameter
show Show a parameter
status Show users currently editing configuration
top Exit to top level of configuration
up Exit one level of configuration
wildcard Wildcard operations
[edit]user@host#
To list all the statements available at a particular hierarchy level, use ? after the name of the hierarchy
level you wish to view. In this example, see the edit and edit protocols hierarchies:
[edit]
user@host# edit ?
> accounting-options Accounting data configuration
> chassis Chassis configuration
> class-of-service Class-of-service configuration
> firewall Define a firewall configuration
> forwarding-options Configure options to control packet sampling
> groups Configuration groups
> interfaces Interface configuration
> policy-options Routing policy option configuration
> protocols Routing protocol configuration
> routing-instances Routing instance configuration
> routing-options Protocol-independent routing option configuration
63
> snmp Simple Network Management Protocol

> system System parameters
user@host# edit protocols ?
> bgp BGP options
> connections Circuit cross-connect configuration
> dvmrp DVMRP options
> igmp IGMP options
> isis IS-IS options
> ldp LDP options
> mpls Multiprotocol Label Switching options
> msdp MSDP options
> ospf OSPF configuration
> pim PIM options
> rip RIP options
> router-discovery ICMP router discovery options
> rsvp RSVP options
> sapSession Advertisement Protocol options
> vrrp VRRP options
To list all commands that start with a particular string or letter, enter the string, letter, or both, and then
enter the ? character. This example shows all the routing-options commands starting with the letter “a”:
user@host# edit routing-options a?

> aggregate Coalesced routes
> autonomous-system Autonomous system number
This example shows all configured xe- interfaces. You can display these interfaces by using the first two
letters of the abbreviation (ex) and the ? character:
user@host# edit interfaces ex?

<interface_name> Interface name
ex-0/2/0 Interface name
ex-0/2/1 Interface name
[edit]
64
You can also show a list of all configured policy statements:
user@host# show policy-options policy-statement ?

user@host# show policy-options policy-statement
<policy_name> Name to identify a policy filter
lo0only-v4 Name to identify a policy filter
lo0only-v6 Name to identify a policy filter
lo2bgp Name to identify a policy filter
SEE ALSO
Notational Conventions Used in Configuration Hierarchies
When you are working in CLI configuration mode, the banner on the line preceding the prompt indicates
the current hierarchy level. In the following example, the level is [edit protocols ospf]:

user@host#
NOTE: Junos OS documentation uses user@host# as the standard configuration mode prompt. In a
CLI session, the prompt shows your user ID and the configured name of the Juniper Networks
device you are working on.
Use the set ? command to display the statements that you can include in the configuration at the current
level. The help apropos command is also context-sensitive, displaying matching statements only at the
current command hierarchy level and below.
Statements are listed alphabetically within each hierarchy and subhierarchy. An exception occurs if a
subhierarchy is so long that it might be difficult to determine where it ends and its next peer statement
begins. In case of a very long subhierarchy, the subhierarchy appears at the end of its parent hierarchy
instead of in alphabetical order. In this exception scenario, a placeholder appears in the alphabetical
position where the subhierarchy would have been listed.
65
For example, at the [edit interfaces interface-name unit logical-unit-number] hierarchy level, the
family family-name subhierarchy has more than 20 child statements, including several subhierarchies with
child statements of their own. The full family family-name hierarchy appears at the end of its parent
hierarchy ([edit interfaces interface-name unit logical-unit-number]), and the following placeholder appears
at its alphabetical position:
family family-name {
... the family subhierarchy appears after the main [edit interfaces interface-name
unit logical-unit-number] hierarchy ...
}
Another exception to alphabetical order is that the disable statement always appears first in any
hierarchy that includes it.
Overview of the Configure Command
IN THIS SECTION
How to Use the configure exclusive Command | 68
How to Work with the Correct Configuration | 71
You (the network administrator) use the configure command to enter CLI configuration mode. You can
also use it to gather other information, such as which other users are currently in configuration mode.
Forms of the configure Command
Junos OS supports three forms of the configure command: configure, configure private, and configure
exclusive. These forms control how users edit and commit configurations. You can use this command to
coordinate the work of multiple users who manage the network and device configuration.
66
Table 5: Forms of the configure Command
Command Edit Access Commit Access
configure • No one can lock the configuration. All users can • All users can commit any changes
make configuration changes. to the configuration.
• When you enter configuration mode, the CLI • If you and another user make
displays the following information: changes and the other user
commits changes, your changes
• A list of other users editing the are committed as well.
configuration
• Hierarchy levels the users are viewing or

editing
• Whether the configuration has been

changed, but not committed
• When more than one user makes changes to a

configuration, the most recent changes take
precedence when the configuration is
committed.
configure • One user locks the configuration and makes • Only the user who has locked the
exclusive changes without interference from other users. configuration can commit it.
• If you enter configuration mode while another • Other users can enter and exit
user has locked the configuration (with the configuration mode, but they
configure exclusive command), the CLI displays cannot commit any changes they
the user’s PID and the hierarchy level the user is attempt to make to the
viewing or editing. configuration until it is unlocked.
• If you enter configuration mode when another

user has locked the configuration, you can
attempt to forcibly log out that user using the
request system logout operational mode
command. For details, see the CLI Explorer.
67
Table 5: Forms of the configure Command (Continued)
Command Edit Access Commit Access
configure private • Multiple users can edit the configuration at the • When you commit the
same time. configuration, the device does not
immediately accept your private
• Each user has a private candidate configuration candidate configuration as the
to edit independently of other users. new operational configuration.
Before the device accepts your
• When multiple users enter conflicting configuration, it verifies that no
configurations, the first commit operation takes
other user has modified the
precedence over subsequent commit
operational (running)
operations.
configuration .
• If another user has modified the

configuration, you can merge the
modifications into your private
candidate configuration and
attempt to commit again.
SEE ALSO

How to Use the configure Command
Up to 32 users can work in configuration mode simultaneously; all can make changes to the
configuration at the same time. When you commit changes to the configuration, you may be committing
a combination of changes that you and other users have made. For this reason, you must keep track of
who is in configuration mode with you.
To see other users currently logged in to the same device in configuration mode:
• Use the configure command to enter CLI configuration mode.

68
If other users are in configuration mode, the message displayed indicates who the users are and what
portion of the configuration each person is viewing or editing.
Current configuration users:
root terminal p3 (pid 1088) on since 2018-05-13 01:03:27 EDT
[edit interfaces so-3/0/0 unit 0 family inet]
[edit]
user@host#
How to Use the configure exclusive Command
If you enter configuration mode using the configure exclusive command, you lock the candidate global
configuration for as long as you remain in configuration mode. (The candidate global configuration is also
known as the shared configuration or shared configuration database.) Using the configure exclusive
command, you can make changes without interference from other users. Other users can enter and exit
configuration mode, but they cannot make any permanent changes to the configuration. Also, any
attempted changes by other users while the configuration is in the locked state are discarded as soon as
the other users exit configuration mode.
If another user has locked the configuration, and you need to forcibly log them out, use the operational
mode command request system logout pid pid_number. You can locate the pid_number in the notification you
receive upon entering configuration mode when someone else has locked it for exclusive access.
If you enter configuration mode while another user is also in configuration mode and has locked the
configuration, a message identifies the user. The message also identifies the portion of the configuration
that the user is viewing or editing. For example, in the following example, the pid_number of the user
who has locked the configuration for exclusive access is 1088:
root terminal p3 (pid 1088) on since 2018-10-30 19:47:58 EDT, idle 00:00:44
exclusive [edit interfaces so-3/0/0 unit 0 family inet]
69
In configure exclusive mode, any uncommitted changes are discarded when you exit:
user@host> configure exclusive

warning: uncommitted changes will be discarded on exit
[edit]
user@host# set system host-name cool
[edit]
user@host# quit
warning: Auto rollback on exiting 'configure exclusive'
Discard uncommitted changes? [yes,no]yes
warning: discarding uncommitted changes

load complete
When you use the yes option to exit configure exclusive mode, Junos OS discards any uncommitted
changes and rolls backs the configuration to its previously committed state. The no option enables you to
continue editing or to commit your changes in configure exclusive mode.
When one user exits configure exclusive mode while another user is in configure private mode, Junos OS
rolls back any uncommitted changes in the private mode session.
Another rollback can happen if you enter configuration mode with the configure exclusive command and
issue the commit confirmed command, but without confirming the commit within the specified interval. By
not confirming the commit within the specified interval, you trigger an automatic rollback. After an
automatic rollback occurs, the operating system removes the exclusive lock from your session. As a
result, the error message “access has been revoked” appears. This error message appears because the
session is no longer an exclusive session. This means that the configuration is back to the default state:
anyone with access can edit the configuration, commit it, or both. To re-lock the configuration, you must
use the configure exclusive command again.
user@host>configure exclusive
[edit]
user@host# commit confirmed 1
commit confirmed will be automatically rolled back in 1 minutes unless confirmed
70
commit
# commit confirmed will be rolled back in 1 minute
Commit was not confirmed; automatic rollback complete.
[edit]
user@host# commit
error: access has been revoked.

error: access has been revoked.
user@host>configure exclusive
If you initiate a configure exclusive session, issue the commit confirmed command, and confirm the commit,
your session retains the exclusive lock. You can continue to make changes to the configuration while still
in a locked exclusive session.
user@host> configure exclusive

[edit]
user@host# commit confirmed 1
commit complete
# commit confirmed will be rolled back in 1 minute
[edit]
user@host# commit
commit complete
SEE ALSO

71
How to Work with the Correct Configuration
When you are in configure private mode, you must work with a copy of the most recently committed
shared configuration. If the global configuration changes, you can issue the update command to update
your private candidate configuration. When you update your private candidate configuration, that
configuration contains a copy of the most recently committed configuration with your private changes
merged in.
NOTE: Merge conflicts can occur when you issue the update command.
You can also issue the rollback command to discard your private candidate configuration changes and
obtain the most recently committed configuration.
NOTE: Junos OS does not support using the configure private command to configure statements
corresponding to third-party YANG data models such as OpenConfig data models or custom
YANG data models.
Modify the Configuration of a Device
IN THIS SECTION
Example: Delete a Statement from the Device Configuration | 79
Example: Copy a Statement in the Configuration | 81
Example: Replace a Configuration | 85
Example: Insert a New Identifier in a Device Configuration | 92

72
Example: Deactivate and Reactivate Statements and Identifiers in a Device Configuration | 98
Common Regular Expressions to Use with the replace Command | 101
Example: How to Use Global Replace in a Device Configuration—the \n Back Reference | 103
Example: Global Replace in a Device Configuration—Replacing an Interface Name | 106
Example: Include Comments in a Device Configuration by Using the CLI | 114
The CLI enables you to modify an existing Junos OS configuration. This section explains the specifics of
adding a statement, deleting a statement, copying a statement, and inserting a new identifier, including
examples.
Display Users Currently Editing the Configuration
To display the users currently editing the configuration, use the status configuration mode command:
user@host# status
rchen terminal p0 (pid 55691) on since 2018-03-01 13:17:25 PST
[edit interfaces]
The system displays who is editing the configuration (rchen), where the user is logged in (terminal p0), the
date and time the user logged in (2018-03-01 13:17:25 PST), and what level of the hierarchy the user is
editing ([edit interfaces]).
If you issue the status configuration mode command and a user has scheduled a candidate configuration
to become active for a future time, the system displays who scheduled the commit (root), where the user
is logged in (terminal d0), the date and time the user logged in (2018-10-31 14:55:15 PST), and that a commit
is pending (commit at).
[edit]
user@host# status
73

root terminal d0 (pid 767) on since 2018-10-31 14:55:15 PST, idle 00:03:09
commit at
If you issue the status configuration mode command and a user is editing the configuration in configure
exclusive mode, the system displays who is editing the configuration (root), where the user is logged in
(terminal d0), the date and time the user logged in (2018-11-01 13:05:11 PST), and that a user is editing the
configuration in configure exclusive mode (exclusive [edit]).
[edit]
user@host# status
root terminal d0 (pid 2088) on since 2018-11-01 13:05:11 PST
exclusive [edit]
SEE ALSO

How to Modify the Juniper Networks Device Configuration
To configure a Juniper Networks device or to modify an existing configuration, you add statements to
the configuration using the edit and set commands. For each statement hierarchy, you create the
hierarchy starting with a statement at the top level. You then continue creating the hierarchy with
statements that move progressively lower in the hierarchy.
To modify the hierarchy, you use two configuration mode commands. Select the relevant command
based on what you want to accomplish:
• edit—Moves to a specified hierarchy level. If that hierarchy level does not exist, the edit command
creates it. The edit command has the following syntax:
edit <statement-path>
74
• set—Creates a configuration statement and sets identifier values. After you issue a set command, you
remain at the same level in the hierarchy. The set command has the following syntax:
set <statement-path> statement <identifier>
The hierarchy to the configuration statement and the statement itself is statement-path. If you have
already moved to the statement’s hierarchy level, you can omit the statement path. The configuration
statement itself is statement. Theidentifier string identifies an instance of a statement.
Statements can be either container statements or leaf statements. A container statement can include
additional container statements within it, as well as leaf statements. A leaf statement, however, stands
alone. The command edit? displays the container statements, while set? displays both the container and
leaf statements, using > to differentiate between them.
NOTE: You cannot use the edit command to change the value of identifiers. You must use the set
command.
SEE ALSO

How to Use the configure exclusive Command Do you want to make this (and the other command
topics) user focused by referring to the main action users want to do? Example: "How to Prevent
Conflicts Using the configure exclusive Command" or "How to Prevent Configuration Conflicts." | 68
How to Add Configuration Statements and Identifiers
You configure all properties of a Juniper Networks device by including statements in the configuration. A
statement consists of a keyword, which is fixed text. You can also include an identifier in a statement. An
identifier is an identifying name that you define, such as the name of an interface or a username, and
that enables you and the CLI to discriminate among a collection of statements.
75
For example, the following list shows the statements available at the top level in configuration mode:
user@host# set ?
> accounting-options Accounting data configuration
+ apply-groups Groups from which to inherit configuration data
> chassis Chassis configuration
> class-of-service Class-of-service configuration
> firewall Define a firewall configuration
> forwarding-options Configure options to control packet sampling
> groups Configuration groups
> interfaces Interface configuration
> policy-options Routing policy option configuration
> protocols Routing protocol configuration
> routing-instances Routing instance configuration
> routing-options Protocol-independent routing option configuration
> snmp Simple Network Management Protocol
> system System parameters
An angle bracket ( > ) before the statement name indicates that it is a container statement and that you
can define other statements at levels below it. If there is no angle bracket ( > ) before the statement
name, the statement is a leaf statement; you cannot define other statements at hierarchy levels below it.
A plus sign (+) before the statement name indicates that it can contain a set of values. To specify a set,
include the values in brackets. For example:
[edit]
user@host# set policy-options community my-as1-transit members [65535:10 65535:11]
In some statements, you can include an identifier. For some identifiers, such as interface names, you
must specify the identifier in a precise format. For example, the interface name so-0/0/0 refers to a
SONET/SDH interface that is on the Flexible PIC Concentrator (FPC) in slot 0, in the first PIC location,
and in the first port on the Physical Interface Card (PIC).
For other identifiers, such as interface descriptive text and policy and firewall term names, you can
specify any name, including special characters, spaces, and tabs.
76
You must enclose identifiers in quotation marks (double quotes). You must also use quotation marks to
enclose identifiers and any strings that include a space, a tab character, or any of the following
characters:
( ) [ ] { } ! @ # $ % ^ & | ' = ?
If you do not type an option for a statement that requires one, a message indicates the type of
information required. In this example, you must type an area number to complete the command:
[edit]
user@host# set protocols ospf area
^
syntax error, expecting <identifier>
SEE ALSO

How to Delete a Statement from a Device Configuration
You delete a statement or identifier from a device configuration using the delete configuration mode
command. Deleting a statement or an identifier effectively "unconfigures" the functionality associated
with that statement or identifier, returning that functionality to its default condition.
user@host# delete <statement-path> <identifier>
When you delete a statement, the statement and all its subordinate statements and identifiers are
removed from the configuration.
For statements that can have more than one identifier, when you delete one identifier, only that
identifier is deleted. The other identifiers in the statement remain.
77
To delete the entire hierarchy starting at the current hierarchy level, use the delete command without
specifying a statement or an identifier. When you omit the statement or identifier, you are prompted to
confirm the deletion:
[edit]
user@host# delete
Delete everything under this level? [yes, no] (no)
no Don't delete everything under this level
yes Delete everything under this level
Delete everything under this level? [yes, no] (no)
NOTE: You cannot delete multiple statements or identifiers within a hierarchy using a single
delete command. You must delete each statement or identifier individually, using multiple delete
commands. For example, consider the following configuration at the [edit system] hierarchy level:
system {
host-name host-211;
domain-name domain-122;
backup-router 192.168.71.254;
arp;
authentication-order [ radius password tacplus ];
}
To delete the domain-name, host-name, and backup-router from the configuration, you must delete each
statement individually.
user@host delete system host-name host-211

user@host delete system domain-name domain-122
user@host delete system backup-router 192.168.71.254
You cannot issue a single delete command. For example, the following command would not work:
user@host> delete system hostname host-211 domain-name domain-122 backup-router 192.168.71.254
You can delete related configuration items simultaneously, such as channelized interfaces or static
routes, by using a single command and regular expressions. Deleting a statement or an identifier
effectively “unconfigures” the functionality associated with that statement or identifier, returning that
functionality to its default condition.
78
You can delete only certain parts of the configuration where you normally put multiple items, such as
interfaces. However, you cannot delete "groups" of different items, as shown in this example:
user@host# show system services

ftp;
rlogin;
rsh;
ssh {
root-login allow;
}
telnet;
[edit]
user@host# wildcard delete system services *
syntax error.
When you delete a statement, the statement and all its subordinate statements and identifiers are
removed from the configuration.
To delete related configuration items, issue the wildcard configuration mode command with the delete
option and specify the statement path, the items to be summarized with a regular expression, and the
regular expression, as follow:
user@host# wildcard delete <statement-path> <identifier> <regular-expression>
NOTE: When you use the wildcard command to delete related configuration items, the regular
expression must be the final statement.
If the Junos OS matches more than eight related items, the CLI displays only the first eight items.
How to Delete Interfaces from the Configuration
You can delete multiple T1 interfaces in the range from t1-0/0/0:0 through t1-0/0/0:23 by using this
syntax:
user@host# wildcard delete interfaces t1-0/0/0:.*

matched: t1-0/0/0:0
matched: t1-0/0/0:1
matched: t1-0/0/0:2
Delete 3 objects? [yes,no] (no) no
79
How to Delete Routes from the Configuration
You can delete static routes in the range from 172.0.0.0 to 172.255.0.0 by using this syntax:
user@host# wildcard delete routing-options static route 172.*

matched: 172.16.0.0/12
matched: 172.16.14.0/24
matched: 172.16.100.0/24
matched: 172.16.128.0/19
matched: 172.16.160.0/24
matched: 172.17.12.0/23
matched: 172.17.24.0/23
matched: 172.17.28.0/23
...
Delete 13 objects? [yes,no] (no)
Example: Delete a Statement from the Device Configuration
The following example shows how to delete the ospf statement, effectively unconfiguring OSPF on the
router:
[edit]
user@host# set protocols ospf area 0.0.0.0 interface so-0/0/0 hello-interval 5
[edit]
user@host# show
protocols {
ospf {
area 0.0.0.0 {
hello-interval 5;
}
}
}
}
[edit]
user@host# delete protocols ospf
[edit]
user@host# show
80
[edit]
user@host#
Delete all statements from the current level down:
[edit]
user@host# set interface so-0/0/0 hello-interval 5
user@host# delete
Delete everything under this level? [yes, no] yes
user@host# show
[edit]
user@host#
Unconfigure a specific property. In this example, remove the interface speed setting:
[edit]
user@host# set interfaces so-3/0/0 speed 100mb
[edit]
user@host# show
interfaces {
so-3/0/0 {
speed 100mb;
}
}
[edit]
user@host# delete interfaces so-3/0/0 speed
[edit]
user@host# show
interfaces {
so-3/0/0;
}
81
Copy a Statement in the Configuration
When you have many similar statements in a device configuration, you can add one statement and then
make copies of that statement. Copying a statement duplicates that statement and the entire hierarchy
of statements configured under that statement. Copying statements is useful when you are configuring
many physical or logical interfaces of the same type.
To make a copy of an existing statement in the configuration:
1. Use the configuration mode copy command:
user@host# copy existing-statement to new-statement
2. Immediately after you have copied a portion of the configuration, check the validity of the new
configuration.
3. If the configuration is invalid, modify either the copied portion or the original portion to produce a
valid configuration.
Example: Copy a Statement in the Configuration
IN THIS SECTION
Requirements | 81
Overview | 82
Configuration | 82
This example shows how you can create one virtual connection (VC) on an interface by copying an
existing VC.
Requirements
No special configuration beyond device initialization is required before configuring this example.
82
Before you begin this example, configure the following initial configuration:
[edit interfaces]
user@host# show
at-1/0/0 {
description "PAIX to MAE West"
encapsulation atm-pvc;
unit 61 {
point-to-point;
vci 0.61;
family inet {
address 10.0.1.1/24;
}
}
}
To quickly configure the initial configuration for this example, copy the following commands, paste them
into a text file, remove any line breaks and change any details necessary to match your network
configuration, copy and paste this command into the CLI at the [edit] hierarchy level, and then enter
commit in configuration mode.
set interfaces at-1/0/0 description "PAIX to MAE West"

set interfaces at-1/0/0 encapsulation atm-pvc
set interfaces at-1/0/0 unit 61 point-to-point
set interfaces at-1/0/0 unit 61 vci 0.61
set interfaces at-1/0/0 unit 61 family inet address 10.0.1.1/24
Overview
In this example illustrating how to copy statements, you add a virtual connection that is very similar to a
virtual connection already configured.
Configuration
IN THIS SECTION
CLI Quick Configuration | 83
Configure by Copying | 83
Results | 84
83
CLI Quick Configuration
Start at the [edit interfaces at-1/0/0] hierarchy level.
copy unit 61 to unit 62

set unit 62 vci 0.62
edit unit 62
replace pattern 10.0.1.1 with 10.0.2.1
Configure by Copying
Step-by-Step Procedure
To configure by copying a configuration:
1. Go to the [edit interfaces at-1/0/0] hierarchy level and copy unit 61.
[edit interfaces at-1/0/0]

user@host# copy unit 61 to unit 62
2. Take a look at the new configuration and see what you need to change to make the configuration
valid.
user@host# show interfaces at-1/0/0

unit 61 {
point-to-point;
vci 0.61;
family inet {
address 10.0.1.1/24;
}
}
unit 62 {
point-to-point;
vci 0.61;
family inet {
address 10.0.1.1/24;
84
}
}
3. Change the configuration to make it valid.
In this example you want to reconfigure the virtual circuit identifier (VCI) and virtual path identifier
(VPI).

user@host# set unit 62 vci 0.62
You also want to replace the IP address of the new interface with its own IP address.

user@host# edit unit 62
user@host# replace pattern 10.0.1.1 with 10.0.2.1
Results
[edit]
show interfaces
at-1/0/0 {
unit 61 {
point-to-point;
vci 0.61;
family inet {
address 10.0.1.1/24;
}
}
unit 62 {
point-to-point;
vci 0.62;
family inet {
address 10.0.2.1/24;
}
85
}
}
Example: Replace a Configuration
IN THIS SECTION
Requirements | 85
Overview | 85
Configuration | 86
If you need to make changes to the configuration of a device, you can always remove the original
configuration settings using the delete command and add your new configuration settings using the set
command. However, there are other ways of modifying a configuration that are more efficient and easier
to use.
This example shows how to use the following configuration mode commands to update an existing
configuration:
• rename—Rename an existing configuration setting, such as an interface name. This command can be
useful when you are adding new interfaces to a device.
• copy—Copy a configuration setting and the entire hierarchy of statements configured under that
setting. Copying configuration statements is useful when you are configuring many physical or logical
interfaces of the same type.
• replace—Make global changes to text patterns in the configuration. For example, if you consistently
misspell a word common to the description statement for all of the interfaces on your device, you
can fix this mistake with a single command.
Requirements
Overview
During the first example in this topic, you make the following configuration changes:
• Create a new interface with a description that contains a typing error.

86
• Copy the configuration from the interface that you created to create a new interface.
• Rename one of the interfaces that you created.
• Fix the typing error in the description for the interfaces that you created.
In the second, shorter example, you try some of the same commands under slightly different
circumstances.
Configuration
IN THIS SECTION
Use the Copy, Rename, and Replace Commands to Modify a Loopback Interface Configuration | 86
Compare the Copy Command at the Top-Level Configuration Hierarchy Level | 89
Use the Copy, Rename, and Replace Commands to Modify a Loopback Interface Configuration
CAUTION: If your existing configuration uses any of the loopback interface unit
numbers used in this example, you must substitute different unused loopback interface
unit numbers. Otherwise, following these steps could damage the existing operational
status of your device.
To create and modify a configuration of a loopback interface using the copy, rename, and replace
commands:
1. Create a new loopback interface unit number and include a description.
The mistakes in the spelling of loopback in the description are intentional.
[edit]
user@host# set interfaces lo0 unit 100 description "this is a lopbck interface"
87
2. Display the configuration for the loopback interface you have just added.
[edit]
user@host# show interfaces lo0 unit 100
description "this is a lopbck interface";
3. Duplicate the loopback interface you have just created, errors included, from unit 100 to unit 101.
[edit]
user@host# copy interfaces lo0 unit 100 to unit 101
4. Display the configurations for loopback interfaces lo0 unit 100 and lo0 unit 101.
[edit]
[edit]
The copy command duplicates an interface including any child statements, such as description.
5. Rename the loopback interface lo0 unit 100 to loopback interface lo0 unit 102.
[edit]
user@host# rename interfaces lo0 unit 100 to unit 102
6. Display the configuration for loopback interface lo0 unit 100.
[edit]
[edit]
user@host#
You should not see any results from this command. The loopback interface lo0 unit 100 is now gone.
The rename command replaces the configuration statement indicated with the new configuration.
88
7. Fix the misspelling of the word loopback in the descriptions for loopback interfaces lo0 unit 101 and
lo0 unit 102.
[edit]
user@host# replace pattern lopbck with loopback
8. Display the configuration for loopback interfaces lo0 unit 101 and lo0 102 to verify that the word
loopback is now spelled correctly.
[edit]
description "this is a loopback interface";
[edit]
description "this is a loopback interface";
The replace command replaces all instances of the pattern specified in the command, unless limited in
some way. The next example in this topic shows one way to limit the effect of the replace command.
9. In configuration mode, use the rollback command to returnthe device configuration to the state it was
in before you executed the previous steps.
[edit]
user@host# rollback
Results
In configuration mode, use the show interfaces lo0 unit 101 and show interfaces lo0 unit 102 commands to
ensure that the device configuration is in the state it was in before you executed the steps in this
example.
[edit]
user@host: show interfaces lo0 unit 101
[edit]
user@host#
89
You should not see any results from this command.
[edit]
[edit]
user@host#
Compare the Copy Command at the Top-Level Configuration Hierarchy Level
The previous example shows the copy, rename, and replace commands at the [edit interfaces interface-name
unit logical-interface-number] hierarchy level. This example shows how some of these commands work at
the top level of the CLI configuration mode hierarchy.
The following example requires you to navigate to various levels in the configuration hierarchy. For
information about navigating the CLI, see "Using the CLI Editor in Configuration Mode" on page 19 .
1. Create an Ethernet interface.
[edit]
user@host# set interfaces et-2/0/0 unit 0 family inet address 192.0.2.2
2. Copy the interface you just created to another interface.
[edit]
user@host# copy interfaces et-2/0/0 to et-2/1/0
Compare this copy command to the one in the previous example, where the copy command takes the
keyword unit before the value to be copied:
[edit]
user@host# copy interfaces lo0 unit 100 to unit 101
Notice that the keyword interfaces is not repeated after the preposition to and before the value to be
copied. This happens in some top-level statements with the copy command.
90
TIP: Similarly, in the rename command, you do not repeat the keyword part of the statement
before the new identifier in some top-level statements.
3. Show your configuration so far.
[edit]
user@host# show interfaces
et-2/0/0 {
unit 0 {
family inet {
address 192.0.2.2/32;
}
}
}
et-2/1/0 {
unit 0 {
family inet {
address 192.0.2.2/32;
}
}
}
4. Replace the address for et-2/1/0 with another IP address.
[edit interfaces et-2/1/0 unit 0 family inet]

user@host# replace pattern 192.0.2.2 with 192.0.2.40
Notice that if you want to change only a specific occurrence of a pattern instead of all occurrences,
youmust navigate to that specific hierarchy level before using the replace command.
5. Show the interfaces again.
[edit]
et-2/0/0 {
unit 0 {
family inet {
address 192.0.2.2/32;
}
91
}
}
et-2/1/0 {
unit 0 {
family inet {
address 192.0.2.40/32;
}
}
}
6. In configuration mode, use the rollback command to return the device configuration to the state it
was in before you executed the previous steps.
[edit]
user@host# rollback
Results
In configuration mode, use the show interfaces et-2/0/0 and show interfaces et-2/1/0 commands to ensure
that the device configuration is in the state it was in before you executed the steps in this example.
[edit]
user@hostshow interfaces et-2/0/0
[edit]
user@host#
[edit]
user@R1# show interfaces et-2/1/0
[edit]
user@host#

92
Insert a New Identifier in a Device Configuration
When configuring a Juniper Networks device, you can enter most statements and identifiers in any
order. Regardless of the order in which you enter the configuration statements, the CLI always displays
the configuration in a strict order. However, in a few cases the order of the statements matters because
the configuration statements create a sequence that is analyzed in order.
For example, in a routing policy or firewall filter, you define terms that are analyzed sequentially. Also,
when you create a named path in dynamic MPLS, you define an ordered list of the transit routers in the
path, starting with the first transit router and ending with the last one.
To modify a portion of the configuration in which the statement order matters, use the insert
configuration mode command:
user@host#insert <statement-path> identifier1 (before | after) identifier2
If you do not use the insert command but instead configure the identifier, the identifier is placed at the
end of the list of similar identifiers.
Example: Insert a New Identifier in a Device Configuration
IN THIS SECTION
Requirements | 93
Overview | 94
Configuration | 94
This example shows the use of the insert command.
Whereas a term added using the set command is placed at the end of the existing list of terms, you use
the insert command to add a term in the order you specify. Specifying the order of statements is
important in the cases in which the order matters because the configuration statements create a
sequence that is analyzed in order.
As this example shows, you must create the term (or it must already exist) before you can use it with the
insert command. The reference point for placing the term must also exist; for example, to place the term
93
T1 before the term T2, both T1 and T2 must already exist and be populated. Junos OS removes empty
terms automatically.
Requirements
Before you can insert a term, you must configure an initial policy. To quickly configure the initial policy
for this example, copy the following commands, paste them into a text file, remove any line breaks and
change any details necessary to match your network configuration, copy and paste the commands into
the CLI at the [edit policy-options] hierarchy level, and then enter commit from configuration mode.
set policy-statement statics term term1 from route-filter 192.168.0.0/16 orlonger

set policy-statement statics term term1 from route-filter 224.0.0.0/3 orlonger
set policy-statement statics term term1 then reject
set policy-statement statics term term2 from protocol direct
set policy-statement statics term term3 from protocol static
set policy-statement statics term term4 then accept
Now check to verify that you have the hierarchy configured correctly:
[edit policy-options]
user@host# show
policy-statement statics {
term term1 {
from {
route-filter 192.168.0.0/16 orlonger;
}
then reject;
}
term term2 {
from protocol direct;
then reject;
}
term term3 {
from protocol static;
then reject;
}
term term4 {
then accept;
94
}
}
Overview
To modify a portion of the configuration in which the statement order matters, you must use the insert
configuration mode command. If you use the set command instead, the added statement or identifier
will be in the wrong place sequentially. The only other way to get the terms of the command in the
correct order is to dismantle the configuration and start over.
Configuration
IN THIS SECTION
Configure to Insert Terms | 95
Results | 96
To quickly configure this example, copy the following commands, paste them into a text file, remove any
line breaks and change any details necessary to match your network configuration, copy and paste the
commands into the CLI at the [edit policy-options] hierarchy level, and then enter commitin configuration
mode.
[edit]
user@host# rename policy-options policy-statement statics term term4 to term term6
[edit]
user@host# set policy-options policy-statement statics term term4 from protocol local
[edit]
user@host# set policy-options policy-statement statics term term4 then reject
[edit]
user@host# set policy-options policy-statement statics term term5 from protocol aggregate
[edit]
[edit]
user@host# insert policy-options policy-statement statics term term4 after term term3
95
[edit]
Configure to Insert Terms
1. Determine the order in which your configuration terms need to go. Consider both the original terms
and the new terms you plan to add.
In the original configuration, the policy is named statics, and there are four terms. Each of the first
three terms matches on a different match criteria, and the resulting matches are rejected. The last
term accepts all the rest of the traffic.
In this example, you need to add two terms that eliminate additional types of traffic. Both these
terms need to go before the last term in the original configuration.
2. Rename original term4 to term6.
[edit]
user@host# rename policy-options policy-statement statics term term4 to term term6
This step preserves the original last term, now renamed term6, as the last term.
3. Create a new term4.
[edit]
user@host# set policy-options policy-statement statics term term4 from protocol local
A new term is added that matches traffic from local system addresses and rejects it.
4. Create new term5.
[edit]
user@host# set policy-options policy-statement statics term term5 from protocol aggregate
A new term is added that matches traffic from aggregate routes and rejects it.
96
5. Insert term4 after term3.
[edit]
6. Insert term5 after term4.
[edit]
Results
[edit]
user@host# show policy-options policy-statement statics
term term1 {
from {
}
then reject;
}
term term2 {
then reject;
}
term term3 {
from protocol static;
then accept;
}
term term4 {
from protocol local;
then reject;
}
term term5 {
from protocol aggregate;
then reject;
}
term term6 {
97
then accept;
}
Deactivate and Reactivate Statements and Identifiers in a Device

Configuration
In a Junos OS configuration, you can deactivate statements and identifiers so they do not take effect
when you issue the commit command. Any deactivated statements and identifiers are marked with the
inactive tag. They remain in the configuration but are not activated when you issue a commit command.
To deactivate a statement or identifier, use the deactivate configuration mode command:
user@host# deactivate( statement | identifier )
To reactivate a statement or identifier, use the activate configuration mode command:
user@host# activate ( statement | identifier )
In both commands, the statement and the identifier you specify must be at the current hierarchy level.
When you deactivate a statement, that specific statement is ignored and is not applied at all when you
issue a commit command.
To disable a statement, use the disable configuration mode command.
In some portions of the configuration hierarchy, you can include a disable statement to disable
functionality. One example is disabling an interface by including the disable statement at the [edit
interface interface-name] hierarchy level. When you disable a function, it is reactivated when you issue a
commit command but is treated as though it is down or administratively disabled.
98
Example: Deactivate and Reactivate Statements and Identifiers in a

Device Configuration
IN THIS SECTION
Requirements | 98
Overview | 98
Configuration | 98
This example shows a common use case in which you use the deactivate and activate configuration mode
commands. It involves dual Routing Engines, primary and backup, that have graceful Routing Engine
switchover (GRES) configured. The software on both Routing Engines needs to be upgraded. This can
easily be accomplished by deactivating GRES, updating the Routing Engines, and then reactivating
GRES.
NOTE: You can also perform a similar upgrade using the same setup, except that nonstop active
routing (NSR) is configured instead of GRES. You would need to deactivate NSR and then
upgrade the Routing Engines before reactivating NSR.
Requirements
This example requires the use of a device with dual Routing Engines that can be upgraded.
Before you begin this example, make sure that you have GRES configured.
Overview
In this example, there are two Routing Engines. GRES is configured, and the Routing Engines need to be
upgraded. To accomplish the upgrade, you need to deactivate the GRES feature, upgrade each of the
Routing Engines, and then activate GRES again.
Configuration
IN THIS SECTION
Configure the Deactivation and Reactivation of GRES | 99

99
Configure the Deactivation and Reactivation of GRES
To deactivate and reactivate GRES for Routing Engine upgrade:
1. Show that GRES is enabled for the router.
[edit]
user@host# show chassis
redundancy {
graceful-switchover;
}
fpc 2 {
pic 0 {
tunnel-services {
bandwidth 1g;
}
}
}
2. Deactivate GRES.
[edit]
user@host# deactivate chassis redundancy graceful-switchover
user@host# commit
3. Show that GRES is deactivated.
[edit]
redundancy {
inactive: graceful-switchover;
}
fpc 2 {
pic 0 {
tunnel-services {
bandwidth 1g;
}
100
}
}
4. Upgrade the Routing Engines one by one.
For instructions on upgrading Junos OS on dual Routing Engines, see Installing the Software Package
on a Device with Redundant Routing Engines.
5. Reactivate GRES.
[edit]
user@host# activate chassis redundancy graceful-switchover
user@host# commit
Results
Verify that GRES feature is activated again.
[edit]
redundancy {
graceful-switchover;
}
fpc 2 {
pic 0 {
tunnel-services {
bandwidth 1g;
}
}
}
How to Make Global Changes in the Device Configuration
You can make global changes to variables and identifiers in the device configuration by using the replace
configuration mode command. This command replaces a pattern in a configuration with another pattern.
101
For example, you can use this command to find and replace all occurrences of an interface name when a
PIC is moved to another slot in the router.
user@host# replace pattern pattern1 with pattern2 <upto n>
The pattern pattern1 option is a text string or regular expression that defines the identifiers and values you
want to replace in the configuration.
The pattern2 option is a text string or regular expression that replaces the identifiers and values located
within pattern1.
The CLI uses standard UNIX-style regular expression syntax (as defined in POSIX 1003.2). If the regular
expression contains spaces, operators, or wildcard characters, enclose the expression in quotation
marks. Greedy qualifiers (match as much as possible) are supported. Lazy qualifiers (match as little as
possible) are not supported.
The upto n option specifies the number of objects replaced. The value of n controls the total number of
objects that are replaced in the configuration (not the total number of times the pattern occurs). Objects
at the same hierarchy level (siblings) are replaced first. Multiple occurrences of a pattern within a given
object are considered a single replacement. For example, if a configuration contains a 010101 text string,
the command replace pattern 01 with pattern 02 upto 2 replaces 010101 with 020202 (instead of 020201).
Replacement of 010101 with 020202 is considered a single replacement (n = 1), not three separate
replacements (n =3).
If you do not specify an upto option, all identifiers and values in the configuration that match pattern1 are
replaced.
The replace command is available in configuration mode at any hierarchy level. All matches are case-
sensitive.
Common Regular Expressions to Use with the replace Command
Table 6: Common Regular Expressions to Use with the replace Command
Operator Function
| Indicates that a match can be one of the two terms on either side of the pipe.
^ Used at the beginning of an expression, denotes where a match should begin.

102
Table 6: Common Regular Expressions to Use with the replace Command (Continued)
Operator Function
$ Used at the end of an expression, denotes that a term must be matched exactly up to the point of the
$ character.
[ ] Specifies a range of letters or digits to match. To separate the start and end of a range, use a hyphen
( - ).
( ) Specifies a group of terms to match. Stored as numbered variables. Use for back references as \1
\2 .... \9.
* Denotes 0 or more terms.
+ Denotes one or more terms.
. Denotes any character except for a space (" ").
\ A backslash escapes special characters to suppress their special meaning. For example, \. matches .
(period symbol).
\n Back reference that matches the nth group.
& Back reference that matches the entire match.
The following table lists some replacement examples.
Table 7: Replacement Examples
Command Result
replace pattern myrouter with router1 Match: myrouter
Result: router1
103
Table 7: Replacement Examples (Continued)
Command Result
replace pattern "192\.168\.(.*)/24" with "10.2.\1/28" Match: 192.168.3.4/24
Result: 10.2.3.4/28
replace pattern "1.\1" with "abc&def" Match: 1.1
Result: abc1.1def
replace pattern 1.1 with " abc\&def" Match: 1#1
Result: abc&def
Example: How to Use Global Replace in a Device Configuration—the \n

Back Reference
IN THIS SECTION
Requirements | 103
Overview | 104
Configuration | 105
This example shows how you can use a back reference to replace a pattern.
Requirements
No special configuration beyond device initiation is required before configuring this example.
Before you begin, configure the following:
[edit]
104
xe-0/0/0 {
unit 0;
}
fe-3/0/1 {
vlan-tagging;
unit 0 {
description "inet6 configuration. IP: 2000::c0a8::1bf5";
vlan-id 100;
family inet {
address 17.10.1.1/24;
}
family inet6 {
address 2000::c0a8:1bf5/3;
}
}
}
To quickly configure this initial configuration, copy the following commands and paste them in a text file,
remove any line breaks, change any details necessary to match your network configuration, and then
copy and paste the commands into the CLI at the [edit] hierarchy level:
set interfaces xe-0/0/0 unit 0

set interfaces fe-3/0/1 vlan-tagging
set interfaces fe-3/0/1 unit 0 description "inet6 configuration IP: 2000::c0a8::1bf5"
set interfaces fe-3/0/1 unit 0 vlan-id 100
set interfaces fe-3/0/1 unit 0 family inet address 17.10.1.1/24
set interfaces fe-3/0/1 unit 0 family inet6 address 2000::c0a8:1bf5/3
Overview
One of the most useful features of regular expressions is the back reference. Backreferences provide a
convenient way to identify a repeated character or substring within a string. Once you find the pattern,
you can repeat it without writing it again. You refer to the previously captured pattern with just \#
(where # is a numeral that indicates the number of times you want the pattern matched).
You can use backreferences to recall, or find, data and replace it with something else. In this way you can
reformat large sets of data with a single replace command, thus saving you the time it would take to look
for and replace the pattern manually.
105
Configuration
IN THIS SECTION
Configuring a Replacement Using a Back Reference in the Command | 105
Results | 105
Configuring a Replacement Using a Back Reference in the Command
To replace a pattern in a Junos OS configuration using a back reference:
• Use the replace command.
[edit]
user@host# replace pattern pattern1 with pattern2
In this case, we want to replace :1bf5with 1bf5.
[edit]
user@host# replace pattern "(.*):1bf5" with "\11bf5"
Notice the back reference (\1), which indicates the pattern should be searched for and replaced only
once.
Results
Here is the resulting configuration:
[edit]
xe-0/0/0 {
unit 0;
}
fe-3/0/1 {
vlan-tagging;
106
unit 0 {
description "inet6 configuration. IP: 2000::c0a8:1bf5";
vlan-id 100;
family inet {
address 17.10.1.1/24;
}
family inet6 {
address 2000::c0a8:1bf5/3;
}
}
}
In this example, the pattern 2000::c0a8::1bf5 is replaced with 2000::c0a8:1bf5 once.
Example: Global Replace in a Device Configuration—Replacing an

Interface Name
IN THIS SECTION
Requirements | 107
Overview | 107
Configuration | 107
This example shows how to replace an interface name globally in a configuration by using the replace
command.
Using the replace command can be a faster and better way to change a configuration. For example, a PIC
might be moved to another slot in a router, which changes the interface name. With one command you
can update the whole configuration. Or you might want to quickly extend the configuration with other
similar configurations, for example, similar interfaces.
By using a combination of the copy and replace commands, you can add to a configuration and then
replace certain aspects of the newly copied configurations. The replace command works with regular
expressions. Regular expressions are quick, flexible, and ubiquitous. You can fashion just about any
pattern you might need to search for, and most programming languages support regular expressions.
107
Requirements
Before you begin, configure the following hierarchy on the router. To quickly configure this hierarchy,
see "CLI Quick Configuration" on page 108 .

so-0/0/0 {
dce;
}
user@host# show protocols
ospf {
area 0.0.0.0 {
interface so-0/0/0.0 {
hello-interval 5;
}
}
}
Overview
This example shows how to replace an interface name globally in a configuration by using the replace
command. It is a simple example.
The previous configuration is the starting point for this configuration update. In the course of this
example, you change the name of the initial interface throughout the configuration with one command.
Configuration
IN THIS SECTION
Configuring an Interface Name Change | 108
Results | 108
108
To quickly configure the initial configuration for this example, copy the following commands, paste them
into a text file, remove any line breaks and change any details necessary to match your network
configuration, copy and paste these commands into the CLI at the [edit] hierarchy level, and then enter
commit from configuration mode.:
set interfaces so-0/0/0 dce

set protocols ospf area 0.0.0.0 interface so-0/0/0.0 hello-interval 5
Configuring an Interface Name Change
To change an interface name:
1. Make sure that you are at the top of the configuration mode hierarchy.
user@host# top
2. Replace so-0/0/0 with so-1/1/0 using the replace command, which uses the pattern keyword.
user@host# replace pattern so-0/0/0 with so-1/1/0
Results
After making the required changes, verify the configuration by using the show interfaces and show protocols
configuration mode commands.
[edit]
so-1/1/0 {
dce;
}
ospf {
area 0.0.0.0 {
109
hello-interval 5;
}
}
}
After you have confirmed that the configuration is correct, enter the commit command.
Example: Global Replace in a Device Configuration—the upto Option
Consider the hierarchy shown in Figure 3 on page 110. The text string 010101 appears in three places: the
description sections of ge-0/0/0, ge-0/0/0.0, and fe-0/0/1. These three instances are three objects. The
110
following example shows how you can use the upto option to perform replacements in a device
configuration:
Figure 3: Replacement by Object
An upto 2 option in the replace command converts 01 to 02 for two object instances. The objects under the
main interfaces ge-0/0/0 and fe-0/0/1 will be replaced first (since these are siblings in the hierarchy level).
111
Because of the upto 2 restriction, the replace command replaces patterns in the first and second instance
in the hierarchy (siblings), but not the third instance (child of the first instance).

ge-0/0/0 {
description "mkt 010101"; #First instance in the hierarchy
unit 0 {
description "mkt 010101"; #Third instance in the hierarchy (child of the first
instance)
}
}
fe-0/0/1 {
description "mkt 010101"; #second instance in the hierarchy (sibling of the first
instance)
unit 0 {
family inet {
address 200.200.20.2/24;
}
}
}
[edit]
user@host# replace pattern 01 with 02 upto 2
[edit]
user@host# commit
commit complete
[edit]
ge-0/0/0 {
description "mkt 020202"; #First instance in the hierarchy
unit 0 {
description "mkt 010101"; #Third instance in the hierarchy (child of the first
instance)
}
}
fe-0/0/1 {
description "mkt 020202"; #second instance in the hierarchy (sibling of the first
instance)
unit 0 {
family inet {
address 200.200.20.2/24;
112
}
}
}
Add Comments in a Device Configuration
IN THIS SECTION
Add Comments in the CLI | 112
Add Comments in a File | 113
You can include comments in a device configuration to describe any statement in the configuration. You
can add comments interactively in the CLI and by editing the ASCII configuration file.
When configuring interfaces, you can add comments about the interface by including the description
statement at the [edit interfaces interface-name] hierarchy level. Any comments you include appear in the
output of the show interfaces commands..
Add Comments in the CLI

When you add comments in configuration mode, they are associated with a statement at the current
level. Each statement can have one single-line comment associated with it. Before you can associate a
comment with a statement, the statement must exist. The comment is placed on the line preceding the
statement.
To add comments to a configuration, use the annotate configuration mode command:
user@host# annotate statement "comment-string"
statement is the configuration statement to which you are attaching the comment; it must be at the
current hierarchy level. If a comment for the specified statement already exists, it is deleted and replaced
with the new comment.
comment-string is the text of the comment. The comment text can be any length, and you must type it on a
single line. If the comment contains spaces, you must enclose it in quotation marks. In the comment
string, you can include the comment delimiters /* */ or #. If you do not specify any, the comment string
is enclosed with the /* */ comment delimiters.
113
To delete an existing comment, specify an empty comment string:
user@host# annotate statement ""
If you add comments with the annotate command, you can view the comments within the configuration
by entering the show configuration mode command or the show configuration operational mode
command.
NOTE: Junos OS supports annotation up to the last level in the configuration hierarchy, including
oneliners. However, annotation of parts (the child statements or identifiers within the oneliner)
of the oneliner is not supported. For example, in the following sample configuration hierarchy,
annotation is supported up to the level 1 parent hierarchy, but not supported for the metric child
statement:
[edit protocols]
isis {
interface ge-0/0/0.0 {
level 1 metric 10;
}
}
}
Add Comments in a File

When you edit the ASCII configuration file and add comments, they can be one or more lines and must
precede the statement they are associated with. If you place the comments in other places in the file,
such as on the same line following a statement or on a separate line following a statement, they are
removed when you use the load command to open the configuration into the CLI.
The following excerpt from a configuration example illustrates how to place and how not to place
comments in a configuration file:
/* This comment goes with routing-options */

routing-options {
/* This comment goes with routing-options traceoptions */
traceoptions {
/* This comment goes with routing-options traceoptions tracefile */
tracefile rpd size 1m files 10;
/* This comment goes with routing-options traceoptions traceflag task */
traceflag task;
114
/* This comment goes with routing-options traceoptions traceflag general */

traceflag general;
}
autonomous-system 10458; /* This comment is dropped */
}
routing-options {
rib-groups {
ifrg {
import-rib [ inet.0 inet.2 ];
/* A comment here is dropped */
}
dvmrp-rib {
import-rib inet.2;
export-rib inet.2;
}
}
}
When you include comments in the configuration file directly, you can format comments in the following
ways:
• Start the comment with a /* and end it with a */. The comment text can be on a single line or can
span multiple lines.
• Start the comment with a # and end it with a new line (carriage return).
Example: Include Comments in a Device Configuration by Using the CLI
IN THIS SECTION
Requirements | 115
Overview | 115
Configuration | 116
115
Adding comments to a device configuration makes the configuration file readable and more readily
understood by users. You can include comments as you configure by using the annotate statement. In this
example, comments are added by using the CLI for an already existing configuration:
Requirements
Before you add a comment, you must configure the following hierarchy on the router.
To quickly configure the initial configuration for this example, copy the following command, paste it into
a text file, remove any line breaks and change any details necessary to match your network
configuration, copy and paste this command into the CLI at the [edit] hierarchy level, and then enter
commit from configuration mode.
set protocols ospf area 0.0.0.0 interface so-0/0/0.0 hello-interval 5
Now verify that you have this hierarchy configured.

ospf {
area 0.0.0.0 {
hello-interval 5;
}
}
}
Overview
When you add comments by using the CLI, you do so in configuration mode using the annotate
statement. Each comment you add is associated with a statement at the current level. Each statement
can have one single-line comment associated with it.
To configure the annotate statement, move to the level of the statement with which you want to associate
a comment. To view the comments, go to the top of the configuration hierarchy and use the show
command.
116
Configuration
IN THIS SECTION
Including Comments in the CLI Configuration Mode | 116
Results | 117
To quickly configure the comments for this example, copy the following commands, paste them into a
text file, remove any line breaks and change any details necessary to match your network configuration,
copy and paste the commands into the CLI, starting at the [edit] hierarchy level, and then enter commit
from configuration mode.
edit protocols ospf

annotate area 0.0.0.0 "Backbone area configuration added June 15, 2018"
edit area 0.0.0.0
annotate interface so-0/0/0.0 "Interface from router sj1 to router sj2"
Notice that the commands are moving you down the hierarchy as you annotate different sections of the
hierarchy.
Including Comments in the CLI Configuration Mode
This procedure assumes that you have already configured the initial configuration.
To add comments to a configuration:
1. Move to the first hierarchy level to which you need to add a comment.
[edit]
user@host# edit protocols ospf
117
2. Add a comment to the area configuration statement by using the annotate statement.

user@host# annotate area 0.0.0.0 "Backbone area configuration added June 15, 1998"
3. Move down a level to the interface configuration statement.

user@host# edit area 0.0.0.0
4. Add a comment to interface so-0/0/0.0 by using the annotate statement.

user@host# annotate interface so-0/0/0.0 "Interface from router sj1 to router sj2"
Results
Move to the top of the hierarchy and use the show command to see the comments you added. The
comments precede the statement they are associated with.
[edit]
ospf {
/* Backbone area configuration added June 15, 2018 */
area 0.0.0.0 {
/* Interface from router sj1 to router sj2 */
hello-interval 5;
}
}
}
After you have confirmed that the configuration is correct, enter the commit command.
118
Use Configuration Groups to Quickly Configure

Devices
IN THIS SECTION
Configuration Groups Overview | 119
How to Apply a Configuration Group | 122
Example: Create and Apply Configuration Groups | 123
Example: Disable Inheritance of a Configuration Group | 125
Example: Use Wildcards with Configuration Groups | 128
How to Improve Commit Time When Using Configuration Groups | 131
Example: Configure Sets of Statements with Configuration Groups | 132
Example: Configure Interfaces Using Configuration Groups | 134
Example: Use Configuration Groups to Configure a Consistent IP Address for the Management
Interface | 137
Example: Use Configuration Groups to Configure Peer Entities | 138
Example: Use Configuration Groups to Establish Regional Configurations | 140
Example: Configure Wildcard Configuration Group Names | 142
Example: Reference the Preset Statement from the Defaults Group | 144
Example: View Default Statements That Have Been Applied to the Configuration | 145
Set Up Routing Engine Configuration Groups | 145
How to Use Conditions to Apply Configuration Groups | 148
Example: Configure Conditions for Applying Configuration Groups | 148
Use configuration groups to set up and apply common elements that are reused within the same
configuration.
119
Configuration Groups Overview
IN THIS SECTION
How Configuration Groups Work | 119
Inheritance Model | 119
Configure Configuration Groups | 120
This topic provides an overview of configuration groups and the inheritance model in the Junos OS CLI.
How Configuration Groups Work
Configuration groups enable you to create a group containing configuration statements and to direct the
inheritance of that group’s statements in the rest of the configuration. The same group can be applied to
different sections of the configuration. Different sections of one group’s configuration statements can
be inherited in different places in the configuration.
Configuration groups enable you to create smaller, more logically constructed configuration files, making
it easier to configure and maintain Juniper Networks devices. For example, you can group statements
that are repeated in many places in the configuration, such as when configuring interfaces. By grouping
statements, you can limit configuration updates to just the group.
You can also use wildcards in a configuration group. Any object that matches the wildcard expression
inherits the group configuration data.
The configuration group mechanism is separate from the grouping mechanisms used elsewhere in the
configuration, such as BGP groups. Configuration groups provide a generic mechanism that you can use
throughout the configuration but that are known only to the CLI. The individual software processes that
perform the actions directed by the configuration receive the expanded form of the configuration; they
have no knowledge of configuration groups.
Inheritance Model
Configuration groups use true inheritance, which involves a dynamic, ongoing relationship between the
source of the configuration data and the target of that data. The target automatically inherits data values
that you change in the configuration group. The target does not need to contain the inherited
information. However, the inherited values can be overridden in the target without affecting the source
from which they were inherited.
120
This inheritance model enables you to see only the instance-specific information without seeing the
inherited details. A command pipe in configuration mode enables you to display the inherited data.
Configure Configuration Groups
For areas of your configuration to inherit configuration statements, you must first put the statements
into a configuration group. You then apply that group to the levels in the configuration hierarchy that
require the statements.
For areas of your configuration to inherit configuration statements:
1. Configure statements into a configuration group. To configure configuration groups and inheritance,
you can include the groups statement at the [edit] hierarchy level:
[edit]
groups {
group-name {
configuration-data;
}
}
2. Apply the configuration group from step 1 to the levels in the configuration hierarchy that require the
statements.
Include the apply-groups [ group-names ] statement anywhere in the configuration where the
configuration statements contained in a configuration group are needed.
Create a Configuration Group
The Junos OS CLI enables you to create re-usable groups containing configuration statements. You can
apply these groups to to different sections of the configuration where the same configuration
statements are repeated multiple times.
When you apply the group in different sections of the configuration, that part of the configuration
inherits the statements configured in the group. Configuration groups follow the rule of inheritance
where the dynamic, ongoing relationship is set between the source of the configuration data and the
target of that data. If you change the data values in the configuration group, the inherited target reflects
the changes automatically.
You can overwrite the values in the target configuration if required, which does not affect the source in
the group.
121
This inheritance model enables you to see only the instance-specific information without seeing the
inherited details. A command pipe in configuration mode enables you to display the inherited data. For
example, you may want to configure all of your ge-0/0/1 interfaces for the MTU value of 1500.
To do configure all of your ge-0/0/1 interfaces for the MTU value of 1500:
1. Create a group with MTU value 1500:
[edit groups group-1]

lab@vSRX3-05# show
interfaces {
ge-0/0/1 {
unit 0 {
family inet {
mtu 1500;
}
}
}
}
2. Next, you apply the group in the interface configuration.
[edit interfaces ge-0/0/1]

lab@vSRX3-05# set apply-groups group-1
3. View the inherited configuration.
[edit]
lab@vSRX3-05# show interfaces ge-0/0/1 | display inheritance
unit 0 {
family inet {
##
## '1500' was inherited from group 'group-1'
##
mtu 1500;
address 5.0.0.254/24;
}
}
122
If you want to configure MTU value for interface ge-0/0/1 in different parts of the configuration, you can
apply the group statement using the apply-groups option. If you do this manually and later want to
increase the MTU, you may have to manually change every interface. If you use a configuration group,
you can change the group configuration, thereby automatically updating all associated interfaces.
You can also use wildcards in a configuration group to allow configuration data to be inherited by any
object that matches a wildcard expression. For example:
[edit groups group-1]

lab@vSRX3-05# show
interfaces {
ge-* {
unit 0 {
family inet {
mtu 1500;
}
}
}
}
How to Apply a Configuration Group
If you want a Juniper Networks device configuration to inherit the statements from a configuration
group, include the apply-groups statement in the configuration.
apply-groups [ group-names ];
If you specify more than one group name, you must list the names in order of inheritance priority. The
configuration data in the first group takes priority over the data in subsequent groups.
For devices that support multiple Routing Engines, you can specify re0 and re1 group names. The
configuration specified in group re0 is applied only if the current Routing Engine is in slot 0. Likewise, the
configuration specified in group re1 is applied only if the current Routing Engine is in slot 1. Therefore,
both Routing Engines can use the same configuration file, each using only the configuration statements
that apply to it. Each re0 or re1 group contains at a minimum the configuration for the hostname and the
management interface (fxp0). If each Routing Engine uses a different management interface, the group
also should contain the configuration for the backup router and static routes.
123
You can include only one apply-groups statement at each specific level of the configuration hierarchy. The
apply-groups statement at a specific hierarchy level lists the configuration groups to be added to the
containing statement’s list of configuration groups.
Values specified at the specific hierarchy level override values inherited from the configuration group.
Groups listed in nested apply-groups statements take priority over groups in outer statements. In the
following example, the BGP neighbor 10.0.0.1 inherits configuration data from group one first. It then
inherits configuration data from group two and group three. Configuration data in group one overrides data
in any other group. Data from group ten is used only if a statement is not contained in any other group.
apply-groups [ eight nine ten ];

protocols {
apply-groups seven;
bgp {
apply-groups [ five six ];
group some-bgp-group {
apply-groups four;
neighbor 10.0.0.1 {
apply-groups [ one two three ];
}
}
}
}
The root level is the default logical system. When you configure a group defined for the root level, you
cannot successfully apply that group to a nondefault logical system under the [edit logical-systems
logical-system-name] hierarchy level. Although the device accepts the commit if you apply the group, the
configuration group does not take effect for the nondefault logical system. You can instead create an
additional configuration group at the root level and apply it within the logical system. Alternatively, you
can modify the original group so that it includes configuration for both the default and nondefault logical
system hierarchy levels.
Example: Create and Apply Configuration Groups
This example illustrates the creation and application of configuration groups. In this example, the SNMP
configuration is divided between the group basic and the normal configuration hierarchy.
You gain multiple advantages by placing the system-specific configuration (SNMP contact) into a
configuration group, thus separating it from the normal configuration hierarchy:
124
• You can replace either section without discarding data from the other, by using the load replace
command.
• You can set a contact for a specific box because the group data is hidden by the device-specific data.
[edit]
groups {
basic { # User-defined group name
snmp { # This group contains some SNMP data
contact "My Engineering Group";
community BasicAccess {
authorization read-only;
}
}
}
}
apply-groups basic; # Enable inheritance from group "basic"
snmp { # Some normal (non-group) configuration
location "West of Nowhere";
}
This configuration is equivalent to the following:
[edit]
snmp {
}
}
125
Example: Disable Inheritance of a Configuration Group
You can disable inheritance of a configuration group at any level except the top level of the hierarchy. To
disable inheritance, you include the apply-groups-except statement in the configuration:
apply-groups-except [ group-names ];
This statement is useful when you use the apply-group statement at a specific hierarchy level but also
want to override the values inherited from the configuration group for a specific parameter.
Example: Disable Inheritance on Interface so-1/1/0
In the following example, the apply-groups statement is applied globally at the interfaces level. The apply-
groups-except statement is also applied at interface so-1/1/0 so that it uses the default values for the hold-
time and link-mode statements.
[edit]
groups { # "groups" is a top-level statement
global { # User-defined group name
interfaces {
<*> {
hold-time down 640;
link-mode full-duplex;
}
}
}
}
apply-groups global;
interfaces {
so-1/1/0 {
apply-groups-except global; # Disables inheritance from group "global"
# so-1/1/0 uses default value for “hold-time”
# and "link-mode"
}
}
Configuration groups can add some confusion regarding the actual values used by the device, because a
device can inherit configuration data from configuration groups. To view the actual values used by the
device, you use the display inheritance command after the pipe ( | ) in a show command. This command
126
displays the inherited statements at the level at which they are inherited and the group from which they
have been inherited:
[edit]
user@host# show | display inheritance
snmp {
##
## 'My Engineering Group' was inherited from group 'basic'
##
##
## 'BasicAccess' was inherited from group 'basic'
##
##
## 'read-only' was inherited from group 'basic'
##
}
}
To display the expanded configuration (the configuration, including the inherited statements) without
the ## lines, you use the except command after the pipe in a show command:
[edit]
user@host# show | display inheritance | except ##
snmp {
}
}
NOTE: Using the display inheritance | except ## option removes all the lines with ##. Therefore, you
may not be able to view information about passwords or other important data where ## is used.
To view the complete configuration details with all the information (without just the comments
marked with ##), you use the no-comments option with the display inheritance command:
127
[edit]
user@host# show | display inheritance no-comments
snmp {
}
}
Example: Use the junos-defaults Configuration Group
Junos OS provides a hidden and immutable configuration group called junos-defaults that is automatically
applied to the configuration of your device. The junos-defaults group contains preconfigured statements
that contain predefined values for common applications. Some of the statements must be referenced to
take effect, such as definitions for applications (for example, FTP or telnet settings). Other statements
are applied automatically, such as terminal settings.
NOTE: Many identifiers included in the junos-defaults configuration group begin with the name
junos-. Because identifiers beginning with the name junos- are reserved for use by Juniper
Networks, you cannot define any configuration objects using this name.
You cannot include junos-defaults as a configuration group name in an apply-groups statement.
To view the full set of available preset statements from the junos-defaults group, you issue the show groups
junos-defaults configuration mode command at the top level of the configuration. The following example
displays a partial list of Junos defaults groups:
user@host# show groups junos-defaults

# Make vt100 the default for the console port
system {
ports {
console type vt100;
}
}
applications {
128
# File Transfer Protocol

application junos-ftp {
application-protocol ftp;
protocol tcp;
destination-port 21;
}
# Trivial File Transfer Protocol
application junos-tftp {
application-protocol tftp;
protocol udp;
}
# RPC port mapper on TCP
application junos-rpc-portmap-tcp {
application-protocol rpc-portmap;
protocol tcp;
}
# RPC port mapper on UDP
}
To reference statements available from the junos-defaults group, you include the selected junos- default-
name statement at the applicable hierarchy level.
Example: Use Wildcards with Configuration Groups
You can use wildcards to identify names and allow one statement to provide data for a variety of
statements.
Using wildcards in normal configuration data is done in a style that is consistent with that used with
traditional UNIX shell wildcards. In this style, you can use the following metacharacters:
• Asterisk ( * )—Matches any string of characters.
• Question mark ( ? )—Matches any single character.
• Open bracket ( [ )—Introduces a character class.
• Close bracket ( ] )—Indicates the end of a character class. If the close bracket is missing, the open
bracket matches an open bracket [ rather than introducing a character class.
129
• A character class matches any of the characters between the square brackets. Within a configuration
group, you must enclose in quotation marks an interface name that includes a character class.
• Hyphen ( - )—Specifies a range of characters.
• Exclamation point ( ! )—You can complement the character class by making an exclamation point the
first character of the character class. To include a close bracket (]) in a character class, make it the
first character listed (after the !, if any). To include a minus sign, make it the first or last character
listed.
NOTE: If using an identifier inside the groups hierarchy, start the identifier name with something
other than <. However, if you are defining a wildcard statement, you can use < because the
wildcard statement must have a closing >.
Using wildcards in configuration groups follows the same rules as using them for normal configuration.
However, < and > have a special meaning when used under the groups hierarchy. In the groups hierarchy,
you must enclose in angle brackets any term using a wildcard pattern <pattern> to differentiate it from
other wildcards in the configuration file.
[edit]
groups {
sonet-default {
interfaces {
<so-*> {
sonet-options {
payload-scrambler;
rfc-2615;
}
}
}
}
}
Wildcard expressions match (and provide configuration data for) existing statements in the configuration
that match their expression only. In the previous example, the expression <so-*> passes its sonet-options
statement to any interface that matches the expression so-*.
The following example shows how to specify a range of interfaces:
[edit]
groups {
130
gigabit-ethernet-interfaces {
interfaces {
"<ge-1/2/[5-8]>" {
description "These interfaces reserved for Customer ABC";
}
}
}
}
Angle brackets enable you to pass normal wildcards through without modification. In any matching
within the configuration, whether it is done with or without wildcards, the first item encountered in the
configuration that matches is used. In the following example, data from the wildcarded BGP groups is
inherited in the order in which the groups are listed.
• The preference value from <*a*> overrides the preference in <*b*>.
• The p value from <*c*> overrides the one from <*d*>
Data values from any of these groups override the data values from abcd:
[edit]
user@host# show
groups {
one {
protocols {
bgp {
group <*a*> {
preference 1;
}
group <*b*> {
preference 2;
}
group <*c*> {
out-delay 3;
}
group <*d*> {
out-delay 4;
}
group abcd {
preference 10;
hold-time 10;
out-delay 10;
131
}
}
}
}
}
protocols {
bgp {
group abcd {
apply-groups one;
}
}
}
[edit]
protocols {
bgp {
group abcd {
##
## ’1’ was inherited from group ’one’
##
preference 1;
##
##
hold-time 10;
##
##
out-delay 3;
}
}
}
How to Improve Commit Time When Using Configuration Groups
You use configuration groups to apply configurations across other hierarchies without re-entering
configuration data. You can specify every configuration detail in a configuration groups. You can also use
wildcards in configuration groups to configure ranges of data, without detailing each configuration line.
Another way to use configuration groups is to create an inheritance path that includes a long string of
configurations to be applied.
132
When a configuration that uses configuration groups is committed, the commit process expands and
reads all the configuration data of the group into memory to apply the configurations as intended. The
commit performance can be negatively affected if many configuration groups are being applied,
especially if the configuration groups use wildcards extensively.
If your system uses many configuration groups that use wildcards, you can configure the persist-groups-
inheritance statement at the [edit system commit] hierarchy level to improve commit time performance.
Using this option enables the system to build the inheritance path for each configuration group inside
the database rather than in the process memory. This change can improve commit time performance.
However, it can also increase the database size.
Example: Configure Sets of Statements with Configuration Groups
When sets of statements exist in configuration groups, all values are inherited. For example:
[edit]
user@host# show
groups {
basic {
snmp {
interface so-1/1/1.0;
}
}
}
apply-groups basic;
snmp {
interface so-0/0/0.0;
}
[edit]
snmp {
##
## ’so-1/1/1.0’ was inherited from group ’basic’
##
interface [ so-0/0/0.0 so-1/1/1.0 ];
}
133
For sets that are not displayed within brackets, all values are also inherited. For example:
[edit]
user@host# show
groups {
worldwide {
system {
name-server {
10.0.0.100;
10.0.0.200;
}
}
}
}
apply-groups worldwide;
system {
name-server {
10.0.0.1;
10.0.0.2;
}
}
[edit]
system {
name-server {
##
## ’10.0.0.100’ was inherited from group ’worldwide’
##
10.0.0.100;
##
## ’10.0.0.200’ was inherited from group ’worldwide’
##
10.0.0.200;
10.0.0.1;
10.0.0.2;
}
}
134
Example: Configure Interfaces Using Configuration Groups
You can use configuration groups to separate the common interface media parameters from the
interface-specific addressing information. The following example places configuration data for ATM
interfaces into a group called atm-options.
[edit]
user@host# show
groups {
atm-options {
interfaces {
<at-*> {
atm-options {
vpi 0 maximum-vcs 1024;
}
unit <*> {
encapsulation atm-snap;
point-to-point;
family iso;
}
}
}
}
}
apply-groups atm-options;
interfaces {
at-0/0/0 {
unit 100 {
vci 0.100;
family inet {
address 10.0.0.100/30;
}
}
unit 200 {
vci 0.200;
family inet {
address 10.0.0.200/30;
}
}
}
}
135
[edit]
interfaces {
at-0/0/0 {
##
## "atm-options" was inherited from group "atm-options"
##
atm-options {
##
## "1024" was inherited from group "atm-options"
##
}
unit 100 {
##
## "atm-snap" was inherited from group "atm-options"
##
##
## "point-to-point" was inherited from group "atm-options"
##
point-to-point;
vci 0.100;
family inet {
address 10.0.0.100/30;
}
##
## "iso" was inherited from group "atm-options"
##
family iso;
}
unit 200 {
##
## "atm-snap" was inherited from group "atm-options"
##
##
## "point-to-point" was inherited from group "atm-options"
##
point-to-point;
vci 0.200;
family inet {
address 10.0.0.200/30;
136
}
##
## "iso" was inherited from group "atm-options"
##
family iso;
}
}
}
[edit]
user@host# show | display inheritance | except ##
interfaces {
at-0/0/0 {
atm-options {
}
unit 100 {
point-to-point;
vci 0.100;
family inet {
address 10.0.0.100/30;
}
family iso;
}
unit 200 {
point-to-point;
vci 0.200;
family inet {
address 10.0.0.200/30;
}
family iso;
}
}
}
SEE ALSO

137
Example: Use Configuration Groups to Configure a Consistent IP Address

for the Management Interface
On devices with multiple Routing Engines, each Routing Engine is configured with a separate IP address
for the management interface. To access the primary Routing Engine, you must know which Routing
Engine is active and use the appropriate IP address.
Another option for consistent access to the primary Routing Engine is to configure an additional IP
address. You then use this address for the management interface regardless of which Routing Engine is
active. This additional IP address is active only on the management interface for the primary Routing
Engine. During switchover, the address moves to the new primary Routing Engine.
This example configures address 10.17.40.131 for both Routing Engines and includes a master-only
statement. With this configuration, the 10.17.40.131 address is active only on the primary Routing Engine.
The address remains consistent regardless of which Routing Engine is active. Address 10.17.40.132 is
assigned to fxp0 on re0, and 10.17.40.133 is assigned to fxp0 on re1.
[edit groups re0 interfaces fxp0]

unit 0 {
family inet {
address 10.17.40.131/25 {
master-only;
}
address 10.17.40.132/25;
}
}
[edit groups re1 interfaces fxp0]
unit 0 {
family inet {
address 10.17.40.131/25 {
master-only;
}
address 10.17.40.133/25;
}
}
This feature is available on all routers that include dual Routing Engines. On a routing matrix composed
of the TX Matrix router, this feature is applicable to the switch-card chassis (SCC) only. Likewise, on a
routing matrix composed of a TX Matrix Plus router, this feature is applicable to the switch-fabric
chassis (SFC) only.
138
NOTE:
• You must assign unique IP addresses for two interfaces that have duplicate addresses on
private and public interfaces. When graceful Routing Engine switchover (GRES) is enabled, the
CLI displays an appropriate commit error message if it finds identical addresses. This error can
occur if you configure the same IP address for a management interface or internal interface
such as fxp0 and an external physical interface such as ge-0/0/1.
• The em0 management Ethernet interface is used for the TX Matrix Plus router, T1600 routers
in a routing matrix, and PTX Series Packet Transport Routers. Junos OS automatically creates
the device's management Ethernet interface, em0.
Example: Use Configuration Groups to Configure Peer Entities
This example creates a group some-isp that contains configuration data relating to another ISP. It then
inserts apply-group statements at various points to allow those locations in the configuration hierarchy to
inherit this data.
[edit]
user@host# show
groups {
some-isp {
interfaces {
<xe-*> {
gigether-options {
flow-control;
}
}
}
protocols {
bgp {
group <*> {
neighbor <*> {
remove-private;
}
}
}
pim {
139
interface <*> {
version 1;
}
}
}
}
}
interfaces {
xe-0/0/0 {
apply-groups some-isp;
unit 0 {
family inet {
address 10.0.0.1/24;
}
}
}
}
protocols {
bgp {
group main {
neighbor 10.254.0.1 {
}
}
}
pim {
interface xe-0/0/0.0 {
}
}
}
[edit]
interfaces {
xe-0/0/0 {
##
## "gigether-options" was inherited from group "some-isp"
##
gigether-options {
##
## "flow-control" was inherited from group "some-isp"
##
flow-control;
140
}
unit 0 {
family inet {
address 10.0.0.1/24;
}
}
}
}
protocols {
bgp {
group main {
neighbor 10.254.0.1 {
##
## "remove-private" was inherited from group "some-isp"
##
remove-private;
}
}
}
pim {
interface xe-0/0/0.0 {
##
## "1" was inherited from group "some-isp"
##
version 1;
}
}
}
Example: Use Configuration Groups to Establish Regional Configurations
This example populates one group with configuration data that is standard throughout the company,
while another group contains regional deviations from this standard:
[edit]
user@host# show
groups {
standard {
interfaces {
141
<t3-*> {
t3-options {
compatibility-mode larscom subrate 10;
idle-cycle-flag ones;
}
}
}
}
northwest {
interfaces {
<t3-*> {
t3-options {
long-buildout;
compatibility-mode kentrox;
}
}
}
}
}
apply-groups standard;
interfaces {
t3-0/0/0 {
apply-groups northwest;
}
}
[edit]
interfaces {
t3-0/0/0 {
##
## "t3-options" was inherited from group "northwest"
##
t3-options {
##
## "long-buildout" was inherited from group "northwest"
##
long-buildout;
##
## "kentrox" was inherited from group "northwest"
##
compatibility-mode kentrox;
##
## "ones" was inherited from group "standard"
142
##
idle-cycle-flag ones;
}
}
}
Example: Configure Wildcard Configuration Group Names
Wildcards are configuration group names that use special characters to create a pattern that you can
apply to multiple statements. Wildcards are useful for copying one set of configuration options to many
different configuration groups. You must set up your wildcard name properly to ensure that the wildcard
configuration options get copied to the appropriate configuration groups.
This example configures different values for the <*-major> and <*-minor> wildcard groups under the label-
switched-path statement. The asterisk (*) character represents a section of the wildcard name that can
match any string of characters. For example, the configuration options under label-switched-path <*-major>
are passed on to label-switched-path metro-major and any other label-switched-path configuration group
containing -major in its name.
[edit]
user@host# show
groups {
mpls-conf {
protocols {
mpls {
label-switched-path <*-major> {
retry-timer 5;
bandwidth 155m;
optimize-timer 60;
}
label-switched-path <*-minor> {
retry-timer 15;
bandwidth 64k;
optimize-timer 120;
}
}
}
}
}
apply-groups mpls-conf;
143
protocols {
mpls {
label-switched-path metro-major {
to 10.0.0.10;
}
label-switched-path remote-minor {
to 10.0.0.20;
}
}
}
[edit]
protocols {
mpls {
label-switched-path metro-major {
to 10.0.0.10;
##
## "5" was inherited from group "mpls-conf"
##
retry-timer 5;
## "155m" was inherited from group "mpls-conf"
##
bandwidth 155m;
##
##
optimize-timer 60;
}
label-switched-path remote-minor {
to 10.0.0.20;
##
##
retry-timer 15;
##
## "64k" was inherited from group "mpls-conf"
##
bandwidth 64k;
##
##
optimize-timer 120;
}
144
}
}
Example: Reference the Preset Statement from the Defaults Group
The following example is a preset statement from the defaults group that is available for FTP in a
stateful firewall:
[edit]
groups {
junos-defaults {
applications {
application junos-ftp {# Use FTP default configuration
protocol tcp;
}
}
}
To reference a preset default statement from the defaults group, include the junos-default-name statement
at the applicable hierarchy level. For example, to reference the default statement for FTP in a stateful
firewall, include the junos-ftp statement at the [edit services stateful-firewall rule my-rule term my-term from
applications] hierarchy level:
[edit]
services {
stateful-firewall {
rule my-rule {
term my-term {
from {
applications junos-ftp; #Reference predefined statement, junos-ftp
}
}
}
}
}
145
Example: View Default Statements That Have Been Applied to the

Configuration
To view the defaults that have been applied to the device configuration, you issue the show | display
inheritance defaults command. This example displays the inherited defaults at the [edit system ports]
hierarchy level:
user@host# show system ports | display inheritance defaults

## ## 'console' was inherited from group 'junos-defaults'
## 'vt100' was inherited from group 'junos-defaults'
## console type vt100;
If you choose not to use existing default statements, you can create your own configuration groups
manually.
To view the complete configuration information omitting any comments marked with ##, use the no-
comments option with the display inheritance command.
Set Up Routing Engine Configuration Groups
In a device with two Routing Engines, both Routing Engines should share one configuration. This setup
ensures that both Routing Engine configurations are identical. Within this configuration, create two
Routing Engine groups, one for each Routing Engine. Within these groups, you specify the Routing
Engine–specific parameters.
For more information about the initial configuration for redundant Routing Engine systems and the re0
group, see Junos OS High Availability User Guide.
To set up a Routing Engine configuration group:
1. Create the configuration group re0. The re0 group is a special group designator that RE0 uses, only in
a redundant routing platform.
[edit]
root# set groups re0
146
2. Navigate to the groups re0 level of the configuration hierarchy.
[edit]
root# edit groups re0
3. Specify the device hostname.
[edit groups re0]

root# set system host-name host-name
NOTE: The DNS server does not use the hostname that you specify in the device
configuration to resolve to the correct IP address. The DNS server uses this hostname to
display the name of the Routing Engine in the CLI. For example, the hostname appears at
the command-line prompt when you are logged in to the CLI:
user-name@host-name>
4. Configure the IP address and prefix length for the device Ethernet interface.
• For all devices except the TX Matrix Plus router, T1600 or T4000 routers in a routing matrix,
and PTX Series Packet Transport Routers:
[edit]
root@# set interfaces fxp0 unit 0 family inet address address/prefix-length
• For the TX Matrix Plus router, T1600 or T4000 routers in a routing matrix only, and PTX Series
Packet Transport Routers:
[edit]
root@# set interfaces em0 unit 0 family inet address address/prefix-length
To use em0 as an out-of-band management Ethernet interface, you must configure its logical port,
em0.0, with a valid IP address.
5. Return to the top level of the hierarchy.
[edit groups re0]

root# top
147
6. Create the configuration group re1.
[edit]
root# set groups re1
7. Navigate to the groups re1 level of the configuration hierarchy.
[edit]
root# edit groups re1
8. Specify the device hostname.
[edit groups re1]

root# set system host-name host-name
9. Configure the IP address and prefix length for the device Ethernet interface.
• For all devices except the TX Matrix Plus router, T1600 or T4000 routers in a routing matrix,
and PTX Series Packet Transport Routers:
[edit]
root@# set interfaces fxp0 unit 0 family inet address address/prefix-length
• For the TX Matrix Plus router and T1600 or T4000 routers in a routing matrix only:
[edit]
root@# set interfaces em0 unit 0 family inet address address/prefix-length
To use em0 as an out-of-band management Ethernet interface, you must configure its logical port,
em0.0, with a valid IP address.
10. Return to the top level of the hierarchy.
[edit groups re0]

root# top
148
11. Specify the group application order.
[edit]
root# set apply-groups [ re0 re1 ]
How to Use Conditions to Apply Configuration Groups
You can use the when statement at the [edit groups group-name] hierarchy level to define conditions under
which to apply a configuration group.
You can configure a group to apply based on the type of chassis, model, or Routing Engine, virtual
chassis member, cluster node, and start and optional end time of day or date.
For example, you could use the when statement to create a generic configuration group for each type of
node and then apply the configuration based on certain node properties, such as chassis or model.
Example: Configure Conditions for Applying Configuration Groups
IN THIS SECTION
Requirements | 148
Overview | 148
Configuration | 149
This example shows how to configure conditions under which a specified configuration group is to be
applied.
Requirements
No special configuration beyond device initialization is required before you configure this example.
Overview
You can configure your group configuration data at the [edit groups group-name] hierarchy level. You can
then use the when statement to apply the group configuration based on conditions such as these: Type of
149
chassis, model, routing-engine, virtual chassis member, cluster node, and start and optional end time of
day or date.
If you specify multiple conditions in a single configuration group, all conditions must be met before the
configuration group is applied.
You can specify the start time or the time duration for the configuration group to be applied. If only the
start time is specified, the configuration group is applied at the specified time and it remains in effect
until the time is changed. If the end time is specified, then on each day, the applied configuration group
is started and stopped at the specified times.
This example sets conditions in a configuration group, test1, such that this group is applied only when all
of the following conditions are met: the router is a model MX240 router with chassis type LCC0, with a
Routing Engine operating as RE0, is member0 of the virtual chassis on node0, and the configuration
group will only be in effect from 9:00 a.m. until 5:00 p.m. each day.
Configuration
IN THIS SECTION
Verification | 151
To quickly configure this example, copy the following commands, paste them into a text file, remove any
line breaks, change any details necessary to match your network configuration, and then copy and paste
the commands into the CLI at the [edit] hierarchy level.
set groups test1 when model mx240

set groups test1 when chassis lcc0
set groups test1 when routing-engine re0
set groups test1 when member member0
set groups test1 when node node0
set groups test1 when time 9 to 5
150
Procedure
To configure conditions for configuration group test1:
1. Set the condition that identifies the model MX240 router.
[edit groups test1 when]

user@host# set model mx240
2. Set the condition that identifies the chassis type as LCC0.

user@host# set chassis lcc0
3. Set the condition that identifies the Routing Engine operating as RE0.

user@host# set routing-engine re0
4. Set the condition that identifies the virtual chassis member0.

user@host# set member member0
5. Set the condition that identifies the cluster node0.

user@host# set node node0
6. Set the condition that applies the group only between the hours of 9:00 a.m. and 5:00 p.m. daily.

user@host# set time 9 to 5
151
NOTE: The syntax for specifying the time is: time <start-time> [to <end-time>] using the time
format yyyy-mm-dd.hh:mm, hh:mm, or hh.
7. Commit the configuration.
user@host# commit
Results
In configuration mode, confirm your configuration by entering the show groups test1 command. If the
output does not display the intended configuration, repeat the instructions in this example to correct
the configuration.
user@host# show groups test1

when {
time 9 to 5;
chassis lcc0;
model mx240;
routing-engine re0;
member member0;
node node0;
}
Verification
IN THIS SECTION
Check Group Inheritance with Conditional Data | 151
Check Group Inheritance with Conditional Data
Purpose
Verify that conditional data from a configuration group is inherited when applied.
152
Action
Issue the show | display inheritance operational command with the when data to display the conditional
inheritance. Using this example, you can issue one of these commands to determine that the conditional
data was inherited:
user@host> show | display inheritance when model mx240

user@host> show | display inheritance when chassis lcc0
user@host> show | display inheritance when routing-engine re0
user@host> show | display inheritance when member member0
user@host> show | display inheritance when node node0
user@host> show | display inheritance when time 9 to 5
View the Configuration
IN THIS SECTION
Example: Display the Current Configuration | 154
Display Additional Information About the Configuration | 155
The show configuration mode command displays the current configuration for a device running Junos OS.
Display the Current Configuration
To display the current configuration for a Juniper Networks device, use the show command in
configuration mode. This command displays the configuration at the current hierarchy level or at the
specified level.
user@host# show <statement-path>

153
The configuration statements appear in a fixed order, interfaces appear alphabetically by type, and then
in numerical order by slot number, PIC number, and port number. Note that when you configure the
device, you can enter statements in any order.
You also can use the CLI operational mode show configuration command to display the last committed
configuration, which is the configuration currently running on the router:
When you show a configuration, a timestamp at the top of the configuration indicates when the
configuration was last changed:
## Last commit: 2018-07-18 11:21:58 PDT by echen

version 8.3
If you have omitted a required statement at a specific hierarchy level, when you issue the show command
in configuration mode, a message indicates which statement is missing. If a mandatory statement is
missing, the CLI continues to display this message each time you issue a show command.
For example:
[edit]
user@host# show
protocols {
pim {
priority 4;
version 2;
# Warning: missing mandatory statement(s): 'mode'
}
}
}
Unsupported statements included in the CLI configuration are displayed with the “unsupported” text in
the configuration. For example, if a statement is configured on an unsupported platform, the CLI displays
a message that the statement is ignored in the configuration because it is configured on an unsupported
platform. When you issue the show command with the | display xml option, you can see the
unsupported="unsupported” attribute for configuration that is unsupported.
The “unsupported” attribute included in text configuration or XML configuration is provided to scripts
when the unsupported="unsupported" attribute is included in the <get-configuration> RPC call.
154
Example: Display the Current Configuration
The following example shows how you can display the current device configuration.
Set and commit a configuration:
[edit]
user@host# set protocols ospf area 0.0.0.0 interface xe-0/0/0 hello-interval 5
[edit]
user@host# commit
commit complete
[edit]
user@host# quit
Display the current configuration:
[edit]
user@host# show
protocols {
ospf {
area 0.0.0.0 {
interface xe-0/0/0 {
hello-interval 5;
}
}
}
}
Display the configuration at a particular hierarchy:
[edit]
user@host# show protocols ospf area 0.0.0.0
hello-interval 5;
}
155
Move down a level and display the configuration at that level:
[edit]
user@host# show
hello-interval 5;
}
Display the last committed configuration:

## Last commit: 2018-08-10 11:21:58 PDT by user
version 8.3
protocols {
ospf {
area 0.0.0.0 {
hello-interval 5;
}
}
}
}
Display Additional Information About the Configuration
In configuration mode only, to display additional information about the device configuration, use the
display detail command after the pipe ( | ) in conjunction with a show command. The additional
information includes the help string that explains each configuration statement and the permission bits
required to add and modify the configuration statement.
user@host# show <hierarchy-level> | display detail

156
For example:
[edit]
user@host# show | display detail
##
## version: Software version information
## require: system
##
version 21.3-202107190949.0;
system {
##
## host-name: Host name for this router
## match: ^[[:alnum:]._-]+$
## require: system
##
}
host-name router-name;
##
## domain-name: Domain name for this router
## match: ^[[:alnum:]._-]+$
## require: system
##
domain-name isp.net;
##
## backup-router: Address of router to use while booting
##
root-authentication {
##
## encrypted-password: Encrypted password string
##
encrypted-password "$ABC123"; # SECRET-DATA
}
##
## name-server: DNS name servers
## require: system
##
name-server {
##
## name-server: DNS name server address
##
208.197.1.0;
157
}
login {
##
## class: User name (login)
## match: ^[[:alnum:]_-]+$
##
class super-user {
##
## permissions: Set of permitted operation categories
##
permissions all;
}
...
##
## services: System services
## require: system
##
services {
## services: Service name
##
ftp;
##
## services: Service name
##
telnet;
##
}
syslog {
##
## file-name: File to record logging data
##
file messages {
##
## Facility type
## Level name
##
any notice;
##
## Facility type
## Level name
##
authorization info;
}
158
}
}
chassis {
alarm {
sonet {
##
## lol: Loss of light
## alias: loss-of-light
##
lol red;
}
}
}
interfaces {
##
## Interface name
##
xe-2/1/1 {
atm-options {
##
## vpi: Virtual path index
## range: 0 .. 255
## maximum-vcs: Maximum number of virtual circuits on this VP
##
}
##
## unit: Logical unit number
## range: 0 .. 16384
##
unit 0 {
##
## vci: ATM point-to-point virtual circuit identifier ([vpi.]vci)
}
##
vci 0.128;
}
}
...
159
Display set Commands from the Configuration
IN THIS SECTION
Example: Display set Commands from the Configuration | 159
Example: Display set Commands with the match Option | 160
In configuration mode, you can display the configuration as a series of configuration mode commands
required to re-create the configuration. This is useful if you are not familiar with how to use
configuration mode commands or if you want to cut, paste, and edit the displayed configuration.
To display the configuration as a series of configuration mode commands, which are required to re-
create the configuration from the top level of the hierarchy as set commands, issue the show configuration
mode command with the display set option:
user@host# show | display set
When you issue the show configuration command with the | display set pipe option to view the
configuration as set commands, those portions of the configuration that you do not have permissions to
view are substituted with the text ACCESS-DENIED.
Example: Display set Commands from the Configuration
Display the set commands from the configuration at the [edit interfaces] hierarchy level:
[edit interfaces xe-0/0/0]

user@host# show
unit 0 {
family inet {
address 192.107.1.230/24;
}
family iso;
family mpls;
}
inactive: unit 1 {
family inet {
address 10.0.0.1/8;
160
}
}
set interfaces xe-0/0/0 unit 0 family inet address 192.107.1.230/24
set interfaces xe-0/0/0 unit 0 family iso
set interfaces xe-0/0/0 unit 0 family mpls
deactivate interfaces xe-0/0/0 unit 1
To display the configuration as a series of configuration mode commands required to re-create the
configuration from the current hierarchy level, issue the show configuration mode command with the
display set relative option:

user@host# show | display set relative
set unit 0 family inet address 192.107.1.230/24
set unit 0 family iso
set unit 0 family mpls
deactivate unit 1
Example: Display set Commands with the match Option
To display the configuration as set commands and search for text matching a regular expression by
filtering output, specify the match option after the pipe ( | ):
user@host# show | display set | match regular-expression
Display IP addresses associated with an interface:
xe-2/3/0 {
unit 0 {
family inet {
address 192.107.9.106/30;
}
}
}
so-5/1/0 {
unit 0 {
161
family inet {
address 192.107.9.15/32 {
destination 192.107.9.192;
}
}
}
}
lo0 {
unit 0 {
family inet {
address 127.0.0.1/32;
}
}
}
user@host# show interfaces | display set | match address
set interfaces so-5/1/0 unit 0 family inet address 192.168.9.15/32 destination 192.168.9.192
set interfaces lo0 unit 0 family inet address 127.0.0.1/32
Verify the Device Configuration
To verify that the syntax of a Juniper Networks device configuration is correct, use the configuration
mode commit check command:
[edit]
[edit]
user@host#
If the commit check command finds an error, a message indicates the location of the error.

162
Commit the Configuration
IN THIS SECTION
The Commit Model for Configurations | 162
Activate a Device Configuration with Confirmation | 170
Batch Commits Overview | 175
Back Up the Committed Configuration on the Alternate Boot Drive | 187
The commit configuration mode command enables you to save the device configuration changes to the
configuration database and to activate the configuration on the device.
The Commit Model for Configurations
The device configuration is saved using a commit model—a candidate configuration is modified as
desired and then committed to the system. When a configuration is committed, the device checks the
configuration for syntax errors, and if no errors are found, the configuration is saved as juniper.conf.gz
and activated. The formerly active configuration file is saved as the first rollback configuration file
(juniper.conf.1.gz), and any other rollback configuration files are incremented by 1. For example,
juniper.conf.1.gz is incremented to juniper.conf.2.gz, making it the second rollback configuration file.
The device can have a maximum of 49 rollback configurations (numbered 1 through 49) saved on the
system.
163
On the device, the current configuration file and the first three rollback files (juniper.conf.gz.1,
juniper.conf.gz.2, juniper.conf.gz.3) are located in the /config directory. (The remaining rollback files, 4
through 49, are located in /var/db/config.)
If the recovery configuration file rescue.conf.gz exists, this file is also located in the /config directory.
The factory default files are located in the /etc/config directory.
There are two mechanisms used to propagate the configurations between Routing Engines within a
device:
• Synchronization: Propagates a configuration from one Routing Engine to a second Routing Engine
within the same device chassis.
To synchronize configurations, use the commit synchronize CLI command. If one of the Routing Engines
is locked, the synchronization fails. If synchronization fails because of a locked configuration file, you
can use the commit synchronize force command. This command overrides the lock and synchronizes the
configuration files.
• Distribution: Propagates a configuration across the routing plane on a multichassis device.

Distribution occurs automatically. There is no user command available to control the distribution
process. If a configuration is locked during a distribution of a configuration, the locked configuration
does not receive the distributed configuration file, so the synchronization fails. You need to clear the
lock before the configuration and resynchronize the routing planes.
NOTE: When you use the commit synchronize force CLI command on a multichassis platform, the
forced synchronization of the configuration files does not affect the distribution of the
configuration file across the routing plane. If a configuration file is locked on a device remote
from the device where the command was issued, the synchronization fails on the remote
device. You need to clear the lock and reissue the synchronization command.
SEE ALSO
Configuring Junos OS for the First Time on a Device with a Single Routing Engine
164
Commit a Device Configuration
To save device configuration changes to the configuration database and to activate the configuration on
the device, use the commit configuration mode command. You can issue the commit command from any
hierarchy level:
[edit]
user@host# commit
commit complete
[edit]
user@host#
When you enter the commit command, the configuration is first checked for syntax errors (commit check).
Then, if the syntax is correct, the configuration is activated and becomes the current, operational device
configuration.
NOTE: We do not recommend performing a commit operation on the backup Routing Engine
when graceful Routing Engine switchover is enabled on the router.
A configuration commit can fail for any of the following reasons:
• The configuration includes incorrect syntax, which causes the commit check to fail.
• The candidate configuration that you are trying to commit is larger than 700 MB.
• The configuration is locked by a user who entered the configure exclusive command.
If the configuration contains syntax errors, a message indicates the location of the error, and the
configuration is not activated. The error message has the following format:
[edit edit-path]
‘offending-statement;’
error-message
For example:
[edit firewall filter login-allowed term allowed from]

‘icmp-type [ echo-request echo-reply ];’
keyword ‘echo-reply’ unrecognized
165
You must correct the error before recommitting the configuration. To return quickly to the hierarchy
level where the error is located, copy the path from the first line of the error and paste it at the
configuration mode prompt at the [edit] hierarchy level.
The uncommitted, candidate configuration file is /var/rundb/juniper.db. It is limited to 700 MB. If the
commit fails with a message configuration database size limit exceeded, view the file size from configuration
mode by entering the command run file list /var/rundb detail. You can simplify the configuration and
reduce the file size by creating configuration groups with wildcards or defining less specific match
policies in your firewall filters.
NOTE: CLI commit-time warnings displayed for configuration changes at the [edit interfaces]
hierarchy level are removed and are logged as system log messages.
This is also applicable to VRRP configuration at the following hierarchy levels:
• [edit interfaces interface-name unit logical-unit-number family (inet | inet6) address address]
• [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number family

(inet | inet6) address address]
When you commit a configuration, you commit the entire configuration in its current form.
NOTE:
• We do not recommend performing a commit operation on the backup Routing Engine when
graceful Routing Engine switchover is enabled on the device.
• If you configure the same IP address for a management interface or internal interface such as
fxp0 and an external physical interface such as ge-0/0/1, when graceful Routing Engine
switchover (GRES) is enabled, the CLI displays an appropriate commit error message that
identical addresses have been found on the private and public interfaces. In such cases, you
must assign unique IP addresses for the two interfaces that have duplicate addresses.
Commit Operation When Multiple Users Configure the Software
Up to 32 users can be in configuration mode simultaneously making changes to the configuration. All
changes made by all users are visible to everyone editing the configuration—the changes become visible
as soon as the user presses the Enter key at the end of a command that changes the configuration, such
as set, edit, or delete.
166
When any of the users editing the configuration issues a commit command, the CLI checks and activates
all changes by all users.
If you enter configuration mode with the configure private command, each user has a private candidate
configuration to edit somewhat independently of other users. When you commit the configuration, the
CLI commits only your own changes. To synchronize your copy of the configuration after other users
have committed changes, you can run the update command in configuration mode. A commit operation
also updates all the private candidate configurations. For example, suppose user X and user Y are both in
configure private mode, and user X commits a configuration change. When user Y performs a subsequent
commit operation and then views the new configuration, the new configuration seen by user Y includes
the changes made by user X.
If you enter configuration mode with the configure exclusive command, you lock the candidate
configuration for as long as you remain in configuration mode. This allows you to make changes without
interference from other users. Other users can enter and exit configuration mode, but they cannot
commit the configuration. This is true even if the other users entered configuration mode before you
enter the configure exclusive command. For example, suppose user X is already in the configure private or
configure mode. Then suppose user Y enters the configure exclusive mode. User X cannot commit any
changes to the configuration, even if user X entered those changes before user Y logged in. If user Y
exits configure exclusive mode, user X can then commit the changes made in configure private or configure
mode.
Commit Preparation and Activation Overview
You can complete the commit process in two steps. The two-step commit feature enables you to
configure several devices and simultaneously activate the configurations. Two-step commit provides a
definitive time window for the commit to be effective on the system. You can enter commit mode after
the commit is prepared, but you will receive a message that the commit is pending activation.
In the first step, the preparation stage, the commit is validated and a new database with the necessary
files is generated. If the configuration contains any syntax errors, an appropriate error message is
displayed, and the configuration is not prepared. In the event of failure during the preparation stage, the
error message commit check-out faileddisplays.
In the second step, the activation stage, the previously prepared configuration is activated. Next, if you
need to clear the prepared configuration, you can do so by using clear system commit prepared command. A
log message is generated upon successful clearing of the pending commit.
NOTE: You cannot perform commit operations in between preparation and activation stages.
167
The two-step commit process is superior to the single-step process for time-critical commits. In the
single-step process, the preparation time can vary depending on the existing configuration on the
device. In the two-step process, the complex preparation work is more efficiently handled.
Configuration commands are provided that allow you to prepare the configuration cache and activate
the configuration. You can prepare the devices with new configurations and activate them at the exact
times you want.
The commit prepare command validates the configurations, and the commit activate command activates the
configurations. The commands have the following configuration options:
• and-quit
• no-synchronize
• peers-synchronize
• synchronize
The commit prepare and commit activate commands are available for private, exclusive and shared commits
only. The commands are not applicable for dynamic and ephemeral modes. This feature is applicable for
multichassis devices, but it is not applicable for batch commits.
To support this functionality using Network Configuration Protocol (NETCONF), the following new
remote procedure calls (RPCs) are provided:
• <commit-configuration>< prepare/></commit-configuration>
• <commit-configuration><activate/></commit-configuration>
• <clear-system-commit><prepared/></clear-system-commit>
NOTE:
• In an MX Series Virtual Chassis setup the following applies: When commit prepare is issued on
one Routing Engine followed by switchover, the Routing Engine where the switchover
command is issued reboots. Therefore, the prepared cache is cleared in that Routing Engine.
• In an MX Series Virtual Chassis setup, it is advisable to execute clear system commit prepared
command only on VC primary.
168
Commit Device Configurations in Two Steps: Preparation and Activation
You can complete the commit process in two steps. This enables you to configure several devices, and
the configurations can be activated simultaneously. In the first step, known as the preparation stage, the
commit is validated and a new database along with necessary files is generated. If the configuration
contains any syntax errors, an appropriate error message is displayed, and the configuration is not
prepared. In the second step, referred to as the activation stage, the previously prepared configuration is
activated and becomes the current, operational device configuration.
To prepare the configuration:
1. At the [edit] hierarchy level in configuration mode, make the necessary changes to the configuration.
For example, to configure the scripts of the system, issue the following command:
[edit]
user@host# set system scripts language
For example:
[edit]
user@host#set system scripts language python
2. Issue the commit prepare command.
[edit]
user@host# commit prepare
The message commit prepare successful is displayed.
If the preparation stage fails, the error message commit check-out failed is displayed.
[edit]
user@host# set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.2/2
[edit]
user@host# set interfaces ge-0/0/1 unit 0 family inet address 1.1.1.2/24
[edit]
user@host# commit prepare
[edit interfaces ge-2/0/0 unit 0 family inet]
'address 1.1.1.2/24'
169
Cannot have the same local address on the same unit of an interface
error: configuration check-out failed
3. To verify the output of the show system commit command after commit prepare is issued, use the following
command:
user@host> show system commit

commit prepared by user via cli is pending activation
To activate the prepared configuration:
1. Use the commit activate command
[edit]
user@host# commit activate
The message commit complete is displayed.
2. To verify the activated system configuration, use the following command:
user@host> show configuration system scripts

language python;
To verify the output of the show system commit and show system commit revision detail commands after commit
activate is issued, issue the following commands.

0 2018-07-12 22:54:46 PDT by user via cli commit activate
user@host> show system commit revision detail

Revision: re0-1499925285-2214
User : user
Client : cli
Time : 2018-07-12 22:54:46 PDT
Comment : commit activate
170
Activate a Device Configuration with Confirmation
When you commit the current candidate configuration, you can require an explicit confirmation for the
commit to become permanent. This is useful if you want to verify that a configuration change works
correctly and does not prevent access to the device. If the change prevents access or causes other
errors, the device automatically returns to the previous configuration and restores access after the
rollback confirmation timeout passes. This feature is called automatic rollback.
To commit the current candidate configuration but require an explicit confirmation for the commit to
become permanent, use the commit confirmed configuration mode command:
[edit]
user@host# commit confirmed
commit complete
#commit confirmed will be rolled back in 10 minutes
[edit]
user@host#
Once you have verified that the change works correctly, you can keep the new configuration active by
entering a commit or commit check command within 10 minutes of the commit confirmed command. For
example:
[edit]
If the commit is not confirmed within a certain time (10 minutes by default), the operating system
automatically rolls back to the previous configuration and a broadcast message is sent to all logged-in
users.
To show when a rollback is scheduled after a commit confirmed command, enter the show system commit
command. For example:
user@host>show system commit

0 2018-01-05 15:00:37 PST by root via cli commit confirmed, rollback in 3mins
171
Like the commit command, the commit confirmed command verifies the configuration syntax and reports any
errors. If there are no errors, the configuration is activated temporarily (10 minutes by default) and
begins running on the device.
Figure 4: Confirm a Configuration
To change the amount of time before you must confirm the new configuration, specify the number of
minutes when you issue the command:
[edit]
user@host# commit confirmed minutes
commit complete
[edit]
user@host#
You can also use the commit confirmed command in the [edit private] configuration mode.
Schedule a Commit Operation
You can schedule when you want your candidate configuration to become active. To save device
configuration changes and activate the configuration on the device at a future time or upon reboot, use
the commit at configuration mode command, specifying reboot or a future time at the [edit] hierarchy level:
[edit]
user@host # commit at string
string is reboot or the future time to activate the configuration changes. You can specify time in two
formats:
• A time value in the form hh:mm[:ss] (hours, minutes, and optionally seconds)—Commit the
configuration at the specified time, which must be in the future but before 11:59:59 PM on the day
172
the commit at configuration mode command is issued. Use 24-hour time for the hh value; for example,
04:30:00 is 4:30:00 AM, and 20:00 is 8:00 PM. The time is interpreted with respect to the clock and
time zone settings on the router.
• A date and time value in the form yyyy-mm-dd hh:mm[:ss] (year, month, date, hours, minutes, and,
optionally, seconds)—Commit the configuration at the specified day and time, which must be after
the commit at command is issued. Use 24-hour time for the hh value. For example, 2018-08-21 12:30:00 is
12:30 PM on August 21, 2018. The time is interpreted with respect to the clock and time zone
settings on the router.
Enclose the string value in quotation marks (" "). For example, commit at "18:00:00". For date and time,
include both values in the same set of quotation marks. For example, commit at "2018-03-10 14:00:00".
A commit check is performed immediately when you issue the commit at configuration mode command. If
the result of the check is successful, then the current user is logged out of configuration mode, and the
configuration data is left in a read-only state. No other commit can be performed until the scheduled
commit is completed.
NOTE: If the device software fails before the configuration changes become active, all
configuration changes are lost.
You cannot enter the commit at configuration command after you issue the request system reboot
command.
You cannot enter the request system reboot command once you schedule a commit operation for a
specific time in the future.
You cannot commit a configuration when a scheduled commit is pending. For information about
how to cancel a scheduled configuration by means of the clear command, see the CLI Explorer.
NOTE: We do not recommend performing a commit operation on the backup Routing Engine
when graceful Routing Engine switchover is enabled on the device.
173
Monitor the Commit Process
To monitor the device configuration commit process, use the display detail command after the pipe with
the commit command:
user@host# commit | display detail
For example:
[edit]
user@host# commit | display detail
2018-09-22 15:39:39 PDT: exporting juniper.conf
2018-09-22 15:39:39 PDT: setup foreign files
2018-09-22 15:39:39 PDT: propagating foreign files
2018-09-22 15:39:39 PDT: complete foreign files
2018-09-22 15:39:40 PDT: copying configuration to juniper.data+
2018-09-22 15:39:40 PDT: dropping unchanged foreign files
2018-09-22 15:39:40 PDT: daemons checking new configuration
2018-09-22 15:39:41 PDT: commit wrapup...
2018-09-22 15:39:42 PDT: activating '/var/etc/ntp.conf'
2018-09-22 15:39:42 PDT: activating '/var/etc/kmd.conf'
2018-09-22 15:39:42 PDT: activating '/var/db/juniper.data'
2018-09-22 15:39:42 PDT: notifying daemons of new configuration
2018-09-22 15:39:42 PDT: signaling 'Firewall daemon', pid 24567, signal 1,
status 0
2018-09-22 15:39:42 PDT: signaling 'Interface daemon', pid 24568, signal 1,
status 0
2018-09-22 15:39:43 PDT: signaling 'Routing protocol daemon', pid 25679,
signal 1, status 0
2018-09-22 15:39:43 PDT: signaling 'MIB2 daemon', pid 24549, signal 1,
status 0
2018-09-22 15:39:43 PDT: signaling 'NTP daemon', pid 37863, signal 1, status 0
2018-09-22 15:39:43 PDT: signaling 'Sonet APS daemon', pid 24551, signal 1,
status 0
2018-09-22 15:39:43 PDT: signaling 'VRRP daemon', pid 24552, signal 1,
status 0
2018-09-22 15:39:43 PDT: signaling 'PFE daemon', pid 2316, signal 1, status 0
2018-09-22 15:39:43 PDT: signaling 'Traffic sampling control daemon', pid 24553
signal 1, status 0
2018-09-22 15:39:43 PDT: signaling 'IPsec Key Management daemon', pid
24556, signal 1, status 0
174
2018-09-22 15:39:43 PDT: signaling 'Forwarding UDP daemon', pid 2320,

signal 1, status 0
commit complete
Add a Comment to Describe the Committed Configuration
You can include a comment that describes changes to the committed configuration. To do so, include the
commit comment statement. The comment can be as long as 512 bytes and you must type it on a single line.
[edit]
user@host# commit comment comment-string
comment-string is the text of the comment.
NOTE: You cannot include a comment with the commit check command.
To add a comment to the commit command, include the comment statement after the commit command:
[edit]
user@host# commit comment "add user joe"
commit complete
[edit]
user@host#
To add a comment to the commit confirmed command, include the comment statement after the commit
confirmed command:
[edit]
user@host# commit confirmed comment "add customer to port 27"
commit complete
[edit]
user@host#
To view these commit comments, issue the show system commit operational mode command.
175
NOTE: You can also use the commit confirmed command in the [edit private] configuration mode.
Batch Commits Overview
IN THIS SECTION
Aggregation and Error Handling | 175
Batch commit aggregates or merges multiple configuration edits from different CLI sessions or users and
adds them to a batch commit queue. A batch commit server running on the device takes one or more
jobs from the batch commit queue, applies the configuration changes to the shared configuration
database, and then commits the configuration changes in a single commit operation.
Batches are prioritized by the commit server based on priority of the batch specified by the user or the
time when the batch job is added. When one batch commit is complete, the next set of configuration
changes are aggregated and loaded into the batch queue for the next session of the batch commit
operation. Batches are created until there are no commit entries left in the queue directory.
When compared to the regular commit operation where all commits are independently committed
sequentially, batch commits save time and system resources by committing multiple small configuration
edits in a single commit operation.
Batch commits are performed from the [edit batch] configuration mode. The commit server properties
can be configured at the [edit system commit server] hierarchy level.
Aggregation and Error Handling
When there is a load-time error in one of the aggregated jobs, the commit job that encounters the error
is discarded and the remaining jobs are aggregated and committed.
For example, if there are five commit jobs (commit-1, commit-2, commit-3, commit-4, and commit-5) being
aggregated, and commit-3 encounters an error while loading, commit-3 is discarded and commit-1, commit-2,
commit-4, and commit-5 are aggregated and committed.
176
If there is an error during the commit operation when two or more jobs are aggregated and committed,
the aggregation is discarded and each of those jobs is committed individually like a regular commit
operation.
For example, if there are five commit jobs (commit-1, commit-2, commit-3, commit-4, and commit-5) that are
aggregated and if there is a commit error caused because of commit-3, the aggregation is discarded,
commit-1, commit-2, commit-3, commit-4, and commit-5 are committed individually, and the CLI reports a commit
error for commit-3.
Example: Configure Batch Commit Server Properties
IN THIS SECTION
Requirements | 176
Overview | 176
Configuration | 177
Verification | 180
This example shows how to configure batch commit server properties to manage batch commit
operations.
Requirements
This example uses the following hardware and software components:
• MX Series 5G Universal Routing Platform
Overview
You can control how the batch commit queue is handled by the commit server by configuring the server
properties at the [edit system commit server] hierarchy level. This enables you to control how many commit
jobs are aggregated or merged into a single batch commit, the maximum number of jobs that can be
added to the queue, days to keep batch commit error logs, interval between two batch commits, and
tracing operations for batch commit operations.
177
Configuration
IN THIS SECTION
Configuring the Commit Server Properties | 177
Committing the Configuration from Batch Configuration Mode | 179
To quickly configure this section of the example, copy the following commands, paste them into a text
file, remove any line breaks, change any details necessary to match your network configuration, and
then copy and paste the commands into the CLI at the [edit] hierarchy level. You can configure the
commit server properties from either the regular [edit] mode or the [edit batch] mode.
Device R0
set system commit server maximum-aggregate-pool 4

set system commit server maximum-entries 500
set system commit server commit-interval 5
set system commit server days-to-keep-error-logs 30
set system commit server traceoptions file commitd_nov
set system commit server traceoptions flag all
Configuring the Commit Server Properties
1. (Optional) Configure the number of commit transactions to aggregate or merge in a single commit
operation.
The default value for maximum-aggregate-pool is 5.
NOTE: Setting maximum-aggregate-pool to 1 commits each of the jobs individually.

178
In this example, the number of commit transactions is set to 4 indicating that four different commit
jobs are aggregated into a single commit before the commit operation is initiated.
[edit system commit server]

user@R0# set maximum-aggregate-pool 4
2. (Optional) Configure the maximum number of jobs allowed in a batch.
This limits the number of commits jobs that are added to the queue.

user@R0# set maximum-entries 500
NOTE: If you set maximum-entries to 1, the commit server cannot add more than one job to the
queue, and the CLI displays an appropriate message when you try to commit more than one
job.
3. (Optional) Configure the time (in seconds) to wait before starting the next batch commit operation.

user@R0# set commit-interval 5
4. (Optional) Configure the number of days to keep error logs.
The default value is 30 days.

user@R0# set days-to-keep-error-logs 30
5. (Optional) Configure tracing operations to log batch commit events.
In this example, the filename for logging batch commit events is commitd_nov, and all traceoption flags
are set.

user@R0# set traceoptions commitd_nov
user@R0# set traceoptions flag all
179
Results
From configuration mode, confirm your configuration by entering the show system commit server command.
If the output does not display the intended configuration, repeat the instructions in this example to
correct the configuration.
user@R0# show system commit server

maximum-aggregate-pool 4;
maximum-entries 500;
commit-interval 5;
days-to-keep-error-logs 30;
traceoptions {
file commitd_nov;
flag all;
}
Committing the Configuration from Batch Configuration Mode
To commit the configuration from the [edit batch] mode, do one of the following:
• Log in to the device and enter commit.
[edit batch]
user@R0# commit
Added to commit queue request-id: 1000
• To assign a higher priority to a batch commit job, issue the commit command with the priority option.
[edit batch]
user@R0# commit priority
180
• To commit a configuration without aggregating the configuration changes with other commit jobs in
the queue, issue the commit command with the atomic option.
[edit batch]
user@R0# commit atomic
• To commit a configuration without aggregating the configuration changes with other commit jobs in
the queue, and issuing a higher priority to the commit job, issue the commit command with the atomic
priority option.
[edit batch]
user@R0# commit atomic priority
Verification
IN THIS SECTION
Checking the Batch Commit Server Status | 180
Checking the Batch Commit Status | 181
Viewing the Patch Files in a Batch Commit Job | 182
Viewing the Trace Files for Batch Commit Operations | 185
Confirm that the configuration is working properly.
Checking the Batch Commit Server Status
Purpose
Check the status of the batch commit server.

181
Action
user@R0> show system commit server

Commit server status : Not running
By default, the status of the commit server is Not running. The commit server starts running only when a
batch commit job is added to the queue.
When a batch commit job is added to the queue, the status of the commit server changes to Running.
user@R0> show system commit server
Commit server status : Running

Jobs in process:
1003 1004 1005
Meaning
The Jobs in process field lists the commit IDs of jobs that are in process.
Checking the Batch Commit Status
Purpose
Check the commit server queue for the status of the batch commits.
Action
user@R0> show system commit server queue
Pending commits:
Id: 1005
Last Modified: Tue Nov 1 23:56:43 2018
Completed commits:
Id: 1000
Status: Successfully committed 1000
Id: 1002
182

Id: 1004
Id: 1007
Last Modified: Wed Nov 2 01:08:04 2018
Id: 1009
Id: 1010
Id: 1011
Error commits:
Id: 1008
Status: Error while commiting 1008
Meaning
Pending commits displays commit jobs that are added to the commit queue but are not committed yet.
Completed commits displays the list of commit jobs that are successful. Error commits are commits that failed
because of an error.
Viewing the Patch Files in a Batch Commit Job
Purpose
View the timestamps, patch files, and the status of each of the commit jobs. Patch files show the
configuration changes that occur in each commit operation that is added to the batch commit queue.
183
Action
1. Use the show system commit server queue patch command to view the patches for all commit operations.
user@R0> show system commit server queue patch

Pending commits:
none
Completed commits:
Id: 1000
Patch:
[edit groups]
re1 { ... }
+ GRP-DHCP-POOL-NOACCESS {
+ access {
+ address-assignment {
+ pool <*> {
+ family inet {
+ dhcp-attributes {
+ maximum-lease-time 300;
+ grace-period 300;
+ domain-name verizon.net;
+ name-server {
+ 4.4.4.1;
+ 4.4.4.2;
+ }
+ }
+ }
+ }
+ }
+ }
+ }
Id: 1002
Patch:
[edit]
184
+ snmp {
+ community abc;
+ }
Id: 1010
Patch:
[edit system syslog]
file test { ... }
+ file j {
+ any any;
+ }
Error commits:
Id: 1008
Patch:
[edit system]
+ radius-server {
+ 10.1.1.1 port 222;
+ }
The output shows the changes in configuration for each commit job ID.
2. To view the patch for a specific commit job ID, issue the show system commit server queue patch id <id-
number> command.
user@R0> show system commit server queue patch id 1000

Completed commits:
Id: 1000
Patch:
[edit system]
+ radius-server {
+ 192.168.69.162 secret teH.bTc/RVbPM;
185

+ }
Meaning
The output shows the patch created for a commit job. The + or - sign indicates the changes in the
configuration for a specific commit job.
Viewing the Trace Files for Batch Commit Operations
Purpose
View the trace files for batch commit operations. You can use the trace files for troubleshooting
purposes.
Action
• Use the file show /var/log/<filename> command to view all entries in the log file.
user@R0> file show/var/log/commitd_nov
The output shows commit server event logs and other logs for batch commits.
Nov 1 22:46:43 Successfully committed 1000

Nov 1 22:46:43 pausing after commit for 0 seconds
...
Nov 1 22:46:43 Done working on queue
...
Nov 1 22:47:17 maximum-aggregate-pool = 5

Nov 1 22:47:17 maximum-entries= 0
Nov 1 22:47:17 asynchronous-prompt = no
Nov 1 22:47:17 commit-interval = 0
Nov 1 22:47:17 days-to-keep-error-logs = -1
...
Nov 1 22:47:17 Added to commit queue request-id: 1001
Nov 1 22:47:17 Commit server status=running
Nov 1 22:47:17 No need to pause
...
186
Nov 1 22:47:18 Error while commiting 1001

Nov 1 22:47:18 doing rollback
...
• To view log entries only for successful batch commit operations, issue the file show /var/log/<filename>
command with the | match committed pipe option.
The output shows batch commit job IDs for successful commit operations.
user@R0> file show/var/log/commitd_nov | match committed

• To view log entries only for failed batch commit operations, issue the file show /var/log/<filename>
command with the | match “Error while” pipe option.
The output shows commit job IDs for failed commit operations.
user@R0> file show/var/log/commitd_nov | match “Error while”

...
• To view log entries only for commit server events, issue the file show /var/log/<filename> command
with the | match “commit server” pipe option.
The output shows commit server event logs.
user@R0> file show/var/log/commitd_nov | match “commit server”

Nov 1 22:46:39 Commit server jobs=1000
Nov 1 22:46:43 Commit server status=not running
187
Nov 1 22:46:43 Commit server jobs=

Nov 1 22:47:18 2 errors reported by commit server
Nov 1 22:51:10 2 errors reported by commit server
...
Back Up the Committed Configuration on the Alternate Boot Drive
After you commit the configuration and are satisfied that it is running successfully, you should issue the
request system snapshot command to back up the new software onto the /altconfig file system. If you do
not issue the request system snapshot command, the configuration on the alternate boot drive is out of
sync with the configuration on the primary boot drive.
The request system snapshot command backs up the root file system to /altroot, and /config to /altconfig.
The root and /config file systems are on the router’s flash drive, and the /altroot and /altconfig file
systems are on the router’s hard disk (if available).
After you issue the request system snapshot command, you cannot return to the previous version of the
software because the running and backup copies of the software are identical.

4 CHAPTER
Managing Configurations
Managing Configurations | 191
Autoinstallation of Configuration Files Overview | 212
Loading Configuration Files | 217
Factory Default Configuration Overview | 233
Rescue Configuration | 235
Encrypt and Decrypt Configuration Files | 236
Synchronizing Configurations Across Routing Engines | 240

189
Configuration Files Overview
IN THIS SECTION
Device Configuration Storage Overview | 191
You use configuration files to configure devices and to streamline device configuration tasks. A
configuration file stores the complete configuration of a device. Keep in mind these distinctions
between configuration files:
• The active (running) configuration is the operational file of the device. These files control device
behavior.
• The candidate configuration is the working copy that stores configuration updates. These are the
files that you use to automatic device configuration.
Configuration Files Overview
IN THIS SECTION
Configuration File Terms | 190
A configuration file stores the complete configuration of a network device. The current configuration of
a device is called the active configuration. You can alter this current configuration, and you can also
return to a previous configuration or to a rescue configuration.
The 50 most recently committed configuration files on a device are saved so that you can return to a
previous configuration. The configuration files are named as follows:
• juniper.conf.gz—The current active configuration
• juniper.conf.1.gz to juniper.conf.49.gz—Rollback configurations

190
To make changes to the configuration file, you must use configuration mode in the CLI. When making
changes to a configuration file, you are viewing and changing the candidate configuration file. The
candidate configuration enables you to make configuration changes without causing operational
changes to the active configuration or causing potential damage to your current network operations.
After you commit the changes you made to the candidate configuration, the system updates the active
configuration.
Configuration File Terms
Table 8: Configuration File Terms
Term Definition
active configuration Current committed configuration of a device.
candidate configuration Working copy of the configuration that enables users to make configurational changes
without causing any operational changes until this copy is committed.
configuration group Group of configuration statements that the rest of the configuration can inherit.
commit a configuration The act of checking a configuration for proper syntax, activating it, and marking as the
current configuration file running on the device.
configuration hierarchy A hierarchy of statements comprising the system configuration. The two types of
statements are container and leaf: Container statements contain other statements.
Leaf statements do not contain other statements. All the container and leaf statements
together form the configuration hierarchy.
default configuration The initial values set for each configuration parameter when a device is shipped.
rescue configuration Well-known configuration that recovers a device from a configuration that denies
management access. Through the CLI, you set a current committed configuration to be
the rescue configuration.
roll back a configuration The act of returning to a previously committed configuration.

191
Device Configuration Storage Overview
When you edit a Juniper Networks device configuration, you work in a copy of the current configuration
to create a candidate configuration. The changes that you make to the candidate configuration are
visible in the CLI immediately. Therefore, if multiple users are editing the configuration at the same time,
all users can see all changes.
You commit your changes to cause a candidate configuration to take effect. At this point, the candidate
file is checked for proper syntax, activated, and marked as the current, operational software
configuration file. If multiple users are editing the configuration simultaneously, all changes made by all
the users take effect when you commit the candidate configuration.
In addition to saving the current configuration, the CLI saves the current operational version and the
previous 49 versions of committed configurations. The most recently committed configuration is version
0, which is the current operational version. This current operational version is the default configuration
that the system returns to if you roll back to a previous configuration. The oldest saved configuration is
version 49.
By default, the current configuration and three previous versions of the committed configuration are
saved on the device CompactFlash card. The currently operational device configuration is stored in the
file juniper.conf.gz, and the last three committed configurations are stored in the files juniper.conf.1.gz,
juniper.conf.2.gz, and conf.3.gz. These four files are stored on the device’s CompactFlash card in the
directory /config.
The remaining 46 previous versions of committed configurations, the files juniper.conf.4 through
juniper.conf.49, are stored in the directory /var/db/config on the hard disk.
Managing Configurations
IN THIS SECTION
Returning to a Previously Committed Configuration | 202
Saving a Configuration to a File | 206
About Compressing the Current Configuration File | 207
Free Up System Storage Space | 209

192
Clean Up Files with the CLI | 210
The show | compare | display xml Command Output
IN THIS SECTION
Add a Statement (create Operation) | 193
Delete a Statement (delete Operation) | 194
Change a Statement (delete and create Operations) | 196
Change Metadata (inactive Attribute and Operation) | 196
Add an Annotation (comment Tag and create Operation) | 198
Change an Annotation (comment Tag, and delete and create Operations) | 199
Add a Statement Inside a Container (create Operation, and insert and key Attributes) | 199
Change the Order Inside a Container (merge Operation, and insert and key Attributes) | 200
The compare | display xml filter compares the candidate configuration with the current committed
configuration and displays the differences between the two configurations in XML. To compare
configurations, enter compare | display xml after the pipe ( | ) symbol in either operational or configuration
mode.
Example in operational mode:
user@host> show configuration | compare | display xml
Example in configuration mode:
[edit]
user@host# show | compare | display xml
193
You can enter a specific configuration hierarchy immediately preceding the compare filter, for example, show
configuration system syslog | compare | display xml. In configuration mode, you can navigate to a hierarchy
where the command is applied.
The differences from the compare filter function are output in XML. The configuration tag starts the
output. The context for changes is established with hierarchy name tags relative to the root of the
compare. For element changes, an operation attribute is output in the tag where a change occurs. This
attribute has the value create, delete, or merge. For metadata changes, the metadata name is specified. For
example, if a statement is marked inactive, the inactive="inactive" attribute and value are output. The nc
namespace is used when necessary to indicate that an attribute is in the NETCONF namespace rather
than the operating system namespace.
NOTE: Beginning with Junos OS Release 16.2R2, the show | compare | display xml command omits
the <configuration> tag in the XML output if the comparison returns no differences or if the
comparison returns only differences for non-native configuration data, for example, configuration
data associated with an OpenConfig data model.
The following sections explain the XML that is generated for specific types of configuration changes.
The corresponding text changes are shown for comparison.
Add a Statement (create Operation)
The following example shows the addition of IPv4 address 2.2.2.2 to unit 1.
The tags through name provide the context for the addition. The operation="create" attribute indicates that
a unit statement was created and is defined by the configuration within the unit tag.

user@host> show configuration | compare
+ unit 1 {
+ family inet {
+ address 2.2.2.2/32;
+ }
+ }

<configuration>
<interfaces>
<interface>
194
<name>ge-0/0/0</name>
<unit nc:operation="create">
<name>1</name>
<family>
<inet>
<address>
<name>2.2.2.2/32</name>
</address>
</inet>
</family>
</unit>
</interface>
</interfaces>
</configuration>
Delete a Statement (delete Operation)
The following example shows the deletion of a simple statement in the configuration hierarchy. The tags
through system provide the context for the deletion. The operation="delete" attribute indicates that the
services statement was deleted. The configuration following the services statement was deleted though is
not output.
[edit system]
[edit system]
- services {
- ftp;
- }
[edit system]
<configuration>
<system>
<services operation="delete"/>
</system>
</configuration>
195
The following example shows the deletion of unit 1 from the ge-0/0/0 interface. The configuration
following the unit statement was deleted though is not output.

- unit 1 {
- family inet {
- address 2.2.2.2/32;
- }
- }

<configuration>
<interfaces>
<interface>
<name>ge-0/0/0</name>
<unit nc:operation="delete">
<name>1</name>
</unit>
</interface>
</interfaces>
</configuration>
The following example shows the deletion of the apply-groups configuration. The groups that are deleted
are not shown in the output.
[edit]
user@host# delete apply-groups
[edit]
[edit]
- apply-groups [ g1 g2 g3 ];
[edit]
<configuration>
<apply-groups operation="delete"/>
</configuration>
196
Change a Statement (delete and create Operations)
The following example shows a change in a statement in the hierarchy. The tags through system provide
the context for the change. The operation="delete" attribute indicates that the host-name statement was
deleted. The configuration following the host-name statement was deleted, but this is not shown in the
output. The operation="create" attribute indicates that a host-name statement was created and is defined by
the configuration within the host-name tag.
[edit system]
[edit system]
- host-name router1;
+ host-name router2;
[edit system]
<configuration>
<system>
<host-name nc:operation="delete"/>
<host-name nc:operation="create">router2</host-name>
</system>
</configuration>
Change Metadata (inactive Attribute and Operation)
The following example shows the inactivation of a statement in the hierarchy. The tags through system
provide the context for the change. The inactive="inactive" attribute indicates that the syslog statement
was inactivated.
[edit system]
[edit system]
! inactive: syslog { ... }
[edit system]
<configuration>
<system>
<syslog inactive="inactive"/>
197
</system>
</configuration>
The following example shows the addition of an inactive syslog statement. The operation="create" attribute
indicates that the syslog statement was created and is defined by the configuration within the syslog tag.
The inactive="inactive" attribute indicates that the syslog statement was inactivated.
[edit system]
[edit system]
+ inactive: syslog {
+ file foo {
+ any any;
+ }
+ }
[edit system]
<configuration>
<system>
<syslog nc:operation="create"
inactive="inactive">
<file>
<name>foo</name>
<contents>
<name>any</name>
<any/>
</contents>
</file>
</syslog>
</system>
</configuration>
198
Add an Annotation (comment Tag and create Operation)
The following example shows the addition of a comment to a statement. The tags through syslog provide
the context for the annotation. The operation="create" attribute for the junos:comment tag indicates that a
comment was added to the [edit system syslog] hierarchy.
[edit system]
[edit system]
+ /* my-comments-simple */
syslog { ... }
[edit system]
<configuration>
<system>
<junos:comment nc:operation="create">/* my-comments-simple
*/</junos:comment>
<syslog/>
</system>
</configuration>
The following example shows the addition of a comment to a statement. The tags through syslog provide
the context for the annotation. The operation="create" attribute for the junos:comment tag indicates that a
comment was added to the [edit system syslog] hierarchy for the statement output within the syslog tag.

+ /* my-comments-ele */
file f1 { ... }

<configuration>
<system>
<syslog>
<junos:comment nc:operation="create">/* my-comments-elem
*/</junos:comment>
<file>
<name>f1</name>
</file>
199
</syslog>
</system>
</configuration>
Change an Annotation (comment Tag, and delete and create Operations)
The following example shows the change of a comment for a statement. The tags through system provide
the context for the annotation.
• The operation="delete" attribute for the junos:comment tag indicates that a comment was deleted from
the [edit system] hierarchy at the syslog statement.
• The operation="create" attribute for the junos:comment tag indicates that a comment was added to the
[edit system] hierarchy for the syslog statement.
[edit system]
- /* my-comments-1 */
+ /* my-comments-2 */
syslog { ... }
[edit system]
<configuration>
<system>
<junos:comment nc:operation="delete"/>
<junos:comment nc:operation="create">/* my-comments-2
*/</junos:comment>
<syslog/>
</system>
</configuration>
Add a Statement Inside a Container (create Operation, and insert and key Attributes)
The following example shows the addition of a file statement at the [edit system syslog] hierarchy. The
tags through syslog provide the context for the addition.
• The operation="create" attribute for the file tag indicates that a file statement was added.
• The yang:insert="after" attribute indicates that the file was added after the position indicated by the
yang:key="[name='file-1']" attribute.
200
• The file-1 value represents the position within the existing file statements, where one is the first file.
• In this example, the new file statement was added after the first file.

file file-1 { ... }
+ file file-2 {
+ any any;
+ }

<configuration>
<system>
<syslog>
<file nc:operation="create"
yang:insert="after"
yang:key="[name='file-1']">
<name>file-2</name>
<contents>
<name>any</name>
<any/>
</contents>
</file>
</syslog>
</system>
</configuration>
Change the Order Inside a Container (merge Operation, and insert and key Attributes)
The following example shows the change in order of file statements at the [edit system syslog] hierarchy.
The tags through syslog provide the context for the change.
• The operation="merge" attribute for the file tag indicates that an existing file statement was moved.
• The yang:insert="after" attribute indicates that the file was moved after the file in the position
indicated by the yang:key="[name='file-1']" attribute.
• The file-1 value represents a position within the existing file statements, where one is the first file.
• The value at the name tag, file-3, represents a position within the existing file statements.
201
• In this example, the file statement in the third position was moved after the first file.

file f1 { ... }
! file f3 { ... }

<configuration>
<system>
<syslog>
<file nc:operation="merge"
yang:insert="after"
yang:key="[name='file-1']">
<name>file-3</name>
</file>
</syslog>
</system>
</configuration>
Returning to the Most Recently Committed Configuration
To return to the most recently committed configuration and load it into configuration mode without
activating it, use the rollback configuration mode command:
[edit]
user@host# rollback
load complete
To activate the configuration to which you rolled back, use the commit command:
[edit]
user@host# rollback
202
load complete
[edit]
user@host# commit
Returning to a Previously Committed Configuration
IN THIS SECTION
Example of Returning to a Previous Configuration | 202
Example of Displaying Previous Configurations | 202
About Comparing Configuration Versions | 204
This topic explains how you can return to an earlier configuration than the most recently committed one.
Example of Returning to a Previous Configuration
To return to a previous configuration, you include the configuration number, 0 through 49, in the rollback
command. The most recently saved configuration is number 0 (which is the default configuration to
which the system returns), and the oldest saved configuration is number 49.
Example:
[edit]
user@host# rollback number
load complete
Example of Displaying Previous Configurations
To display previous configurations, you use the rollback ? command. You include the rollback number,
date, time, the name of the user who committed changes, and the method of commit.
Example:
[edit]
user@host# rollback ?
203

<number> Numeric argument
0 2018-02-27 12:52:10 PST by abc via cli
1 2018-02-26 14:47:42 PST by def via cli
2 2018-02-14 21:55:45 PST by ghi via cli
3 2018-02-10 16:11:30 PST by jkl via cli
4 2018-02-10 16:02:35 PST by mno via cli
5 2018-03-16 15:10:41 PST by pqr via cli
6 2018-03-16 14:54:21 PST by stu via cli
7 2018-03-16 14:51:38 PST by vwx via cli
8 2018-03-16 14:43:29 PST by yzz via cli
9 2018-03-16 14:15:37 PST by abc via cli
10 2018-03-16 14:13:57 PST by def via cli
11 2018-03-16 12:57:19 PST by root via other
15 2018-03-16 00:40:37 PST by ghi via cli
16 2018-03-16 00:39:29 PST by jkl via cli
17 2018-03-16 00:32:36 PST by mno via cli
18 2018-03-16 00:31:17 PST by pqr via cli
19 2018-03-15 19:59:00 PST by stu via cli
20 2018-03-15 19:53:39 PST by vwx via cli
21 2018-03-15 18:07:19 PST by yzz via cli
22 2018-03-15 17:59:03 PST by abc via cli
23 2018-03-15 15:05:14 PST by def via cli
24 2018-03-15 15:04:51 PST by ghi via cli
25 2018-03-15 15:03:42 PST by jkl via cli
26 2018-03-15 15:01:52 PST by mno via cli
27 2018-03-15 14:58:34 PST by pqr via cli
29 2018-03-12 11:01:20 PST by stu via cli
30 2018-03-12 10:57:35 PST by vwx via cli
31 2018-03-11 10:25:07 PST by yzz via cli
32 2018-03-10 23:40:58 PST by abc via cli
33 2018-03-10 23:40:38 PST by def via cli
34 2018-03-10 23:14:27 PST by ghi via cli
35 2018-03-10 23:10:16 PST by jkl via cli
36 2018-03-10 23:01:51 PST by mno via cli
37 2018-03-10 22:49:57 PST by pqr via cli
38 2018-03-10 22:24:07 PST by stu via cli
39 2018-03-10 22:20:14 PST by vwx via cli
40 2018-03-10 22:16:56 PST by yzz via cli
204
41 2018-03-10 22:16:41 PST by abc via cli

42 2018-03-10 20:44:00 PST by def via cli
43 2018-03-10 20:43:29 PST by ghi via cli
44 2018-03-10 20:39:14 PST by jkl via cli
46 2018-03-10 18:57:01 PST by mno via cli
47 2018-03-10 18:56:18 PST by pqr via cli
48 2018-03-10 18:47:49 PST by stu via cli
49 2018-03-10 18:47:34 PST by vw via cli
[edit]
About Comparing Configuration Versions

In configuration mode only, when you have made changes to the configuration, you can compare the
candidate configuration with a prior version. To compare versions, you use the compare command to
display the configurations. The compare command compares the candidate configuration with either the
current committed configuration or a configuration file. This command also displays the differences
between the two configurations.
To compare configurations, you specify the compare command after the pipe:
[edit]
user@host# show | compare (filename| rollback n)
• filename is the full path to a configuration file. The file must be in the proper format: a hierarchy of
statements.
• n is the index into the list of previously committed configurations. The most recently saved
configuration is number 0, and the oldest saved configuration is number 49. If you do not specify
arguments, the system compares candidate configuration against the active configuration file (/
config/juniper.conf).
The comparison output includes the following symbols in the prefix for statements that are:
• In the candidate configuration only: a plus sign (+).
• In the comparison file only: a minus sign (-).
• Unchanged; a single blank space ( ).

205
The following example shows various changes, followed by a comparison of the candidate configuration
with the active configuration. The example shows only the changes made at the [edit protocols bgp]
hierarchy level:
[edit]
user@host# edit protocols bgp
user@host# show
group my-group {
type internal;
hold-time 60;
advertise-inactive;
allow 10.1.1.1/8;
}
group fred {
type external;
peer-as 33333;
allow 10.2.2.2/8;
}
group test-peers {
type external;
allow 10.3.3.3/8;
}
user@host# set group my-group hold-time 90
user@host# delete group my-group advertise-inactive
user@host# set group fred advertise-inactive
user@host# delete group test-peers
user@host# show | compare
[edit protocols bgp group my-group]
-hold-time 60;
+hold-time 90;
-advertise-inactive;
[edit protocols bgp group fred]
+advertise-inactive;
-group test-peers {
-type external;
206
-allow 10.3.3.3/8;
}
user@host# show
group my-group {
type internal;
hold-time 90;
allow 10.1.1.1/8;
}
group fred {
type external;
advertise-inactive;
peer-as 3333;
allow 10.2.2.2/8;
}
Saving a Configuration to a File
Saving a device configuration to a file allows you to edit it with any plain text editor of your choice. You
can save your current configuration to an ASCII file, which saves the configuration in its current form,
including any uncommitted changes. If more than one user is modifying the configuration, all changes
made by all users are saved.
To save software configuration changes to an ASCII file, use the save configuration mode command:
[edit]
user@host# save filename
[edit]
user@host#
The contents of the current level of the statement hierarchy (and below) are saved, along with the
statement hierarchy containing it. This allows a section of the configuration to be saved, while fully
specifying the statement hierarchy.
By default, the configuration is saved to a file in your home directory, which is on the flash drive.
When you issue this command from anywhere in the hierarchy (except the top level), a replace tag is
automatically included at the beginning of the file. You can use the replace tag to control how a
configuration is loaded from a file.
207
Example:
user@host> file show /var/home/user/myconf

replace:
protocols {
bgp {
disable;
group int {
type internal;
}
}
isis {
disable;
interface all {
level 1 disable;
}
interface fxp0.0 {
disable;
}
}
ospf {
traffic-engineering;
reference-bandwidth 4g;
...
}
}
About Compressing the Current Configuration File
By default, the current operational configuration file is compressed and is stored in the file
juniper.conf.gz in the /config file system. The operational configuration file is stored along with the last
three committed versions of the configuration. If you have large networks, the current configuration file
might exceed the available space in the /config file system. Compressing the current configuration file
enables the file to fit in the file system, typically reducing the size of the file by 90 percent. You might
want to compress your current operational configuration files when they reach 3 megabytes (MB) in
size.
When you compress the current configuration file, the names of the configuration files change. To
determine the size of the files in the /config file system, you issue the file list /config detail command.
208
NOTE: We recommend that you compress the configuration files (this is the default) to minimize
the amount of disk space that they require.
• If you want to compress the current configuration file, include the compress-configuration-files
statement at the [edit system] hierarchy level:
[edit system]
compress-configuration-files;
• Commit the current configuration file to include the compression-configuration-files statement. Commit
the configuration again to compress the current configuration file:
[edit system]
user@host# set compress-configuration-files
user@host# commit
commit complete
• If you do not want to compress the current operational configuration file, include the no-compress-
configuration-files statement at the [edit system] hierarchy level:
[edit system]
no-compression-configuration-files;
• Commit the current configuration file to include the no-compress-configuration-files statement. Commit
the configuration again to uncompress the current configuration file:
[edit system]
user@host# set no-compress-configuration-files
user@host# commit
commit complete
209
Free Up System Storage Space
IN THIS SECTION
Problem | 209
Solution | 209
Problem
Description
The system file storage space on the device is full. Rebooting the switch does not solve the problem.
The following error message appears during a typical operation on the device after the file storage space
is full:
user@host% cli
/var: write failed, filesystem is full
Solution
Clean up the file storage on the device by deleting system files.
1. Issue a request to clean up (delete) system files.
user@host> request system storage cleanup
The list of files to be deleted is displayed.
List of files to delete:
Size Date Name

11B Jul 26 20:55 /var/jail/tmp/alarmd.ts
124B Aug 4 18:05 /var/log/default-log-messages.0.gz
1301B Jul 26 20:42 /var/log/install.0.gz
210
387B Jun 3 14:37 /var/log/install.1.gz

4920B Aug 4 18:05 /var/log/messages.0.gz
20.0K Jul 26 21:00 /var/log/messages.1.gz
16.3K Jun 25 13:45 /var/log/messages.2.gz
804B Aug 4 18:05 /var/log/security.0.gz
16.8K Aug 3 11:15 /var/log/security.1.gz
487B Aug 4 18:04 /var/log/wtmp.0.gz
855B Jul 29 22:54 /var/log/wtmp.1.gz
920B Jun 30 16:32 /var/log/wtmp.2.gz
94B Jun 3 14:36 /var/log/wtmp.3.gz
353.2K Jun 3 14:37 /var/sw/pkg/jloader-qfx-11.2I20110303_1117_dc-builder.tgz
124.0K Jun 3 14:30 /var/tmp/gres-tp/env.dat
0B Apr 14 16:20 /var/tmp/gres-tp/lock
0B Apr 14 17:37 /var/tmp/if-rtsdb/env.lck
12.0K Jul 26 20:55 /var/tmp/if-rtsdb/env.mem
2688.0K Jul 26 20:55 /var/tmp/if-rtsdb/shm_usr1.mem
132.0K Jul 26 20:55 /var/tmp/if-rtsdb/shm_usr2.mem
2048.0K Jul 26 20:55 /var/tmp/if-rtsdb/trace.mem
155B Jul 26 20:55 /var/tmp/krt_gencfg_filter.txt
0B Jul 26 20:55 /var/tmp/rtsdb/if-rtsdb
1400.6K Aug 3 10:13 /var/tmp/sfid.core.0.gz
1398.9K Aug 3 17:01 /var/tmp/sfid.core.1.gz
Delete these files ? [yes,no] (no)
2. Select yes to delete the files.
3. Reboot the device.
BEST PRACTICE: We recommend that you regularly issue a request to clean up the system file
storage. Cleaning up the system file storage space optimizes device performance.
Clean Up Files with the CLI
You can use the CLI request system storage cleanup command to rotate log files and delete unnecessary files
on the device. If you are running low on storage space, the file cleanup procedure quickly identifies files
that you can delete.
The file cleanup procedure performs the following tasks:

211
• Rotates log files—Archives all information in the current log files, deletes old archives, and creates
fresh log files.
• Deletes log files in /var/log—Deletes any files that are not currently being written to.
• Deletes temporary files in /var/tmp—Deletes any files that have not been accessed within two days.
• Deletes all crash files in /var/crash—Deletes any core files that the device has written during an error.
• Deletes all software images (*.tgz files) in /var/sw/pkg—Deletes any software images copied to this
directory during software upgrades.
To rotate log files and delete unnecessary files with the CLI:
1. Enter operational mode in the CLI.

2. Rotate log files and identify the files that you can safely delete.
user@host> request system storage cleanup
The device rotates log files and displays the files that you can delete.
3. Enter yes at the prompt to delete the files.
NOTE: You can issue the request system storage cleanup dry-run command to review the list of files
that you can safely delete . The dry-run action lets you review the list before you issue the request
system storage cleanup command to delete the files.
NOTE: On SRX Series devices, the /var hierarchy is hosted in a separate partition (instead of the
root partition). If the operating system installation fails as a result of insufficient space:
• Use the request system storage cleanup command to delete temporary files.
• Delete any user-created files in both the root partition and under the /var hierarchy.
Release History Table
Release Description
16.2R2 Beginning with Junos OS Release 16.2R2, the show | compare | display xml command omits the
<configuration> tag in the XML output if the comparison returns no differences or if the comparison
returns only differences for non-native configuration data, for example, configuration data associated
with an OpenConfig data model.
212
Autoinstallation of Configuration Files Overview
IN THIS SECTION
Configuration File Autoinstallation—An Overview | 212
Configuring Autoinstallation of Configuration Files (CLI Procedure) | 215
Autoinstallation is the automatic configuration of devices over the network without manual
intervention, including manual configuration. You (the network administrator) use autoinstallation to
save time and to implement the same configuration consistently across devices.
Configuration File Autoinstallation—An Overview
IN THIS SECTION
Typical Uses for Autoinstallation | 213
Autoinstallation Configuration Files and IP Addresses | 213
Typical Autoinstallation Process on a New Device | 213
Autoinstallation is the automatic configuration of a device over the network from a preexisting
configuration file that you create and store on a configuration server—typically a Trivial File Transfer
Protocol (TFTP) server. You can use autoinstallation to configure new devices automatically and to
deploy multiple devices from a central location in the network.
You enable autoinstallation so that network devices implement autoinstallation when they are powered
on. To configure autoinstallation, you specify a configuration server, an autoinstallation interface, and a
protocol for IP address acquisition.
213
NOTE: The QFX5200 switches work only with HTTP for autoinstallation. They do not support
TFTP or FTP protocols. Autoinstallation as a feature is not supported on all devices. Refer to your
hardware information for specific details.
Typical Uses for Autoinstallation
Typical uses for autoinstallation of the software include:
• Deploy and update multiple devices from a central location in the network.
• Update a device automatically, when powered on.
Autoinstallation Configuration Files and IP Addresses
For the autoinstallation process to work, you must store one or more host-specific or default
configuration files on a configuration server in the network. In addition, you must ensure that a service
such as Dynamic Host Configuration Protocol (DHCP) is available to assign an IP address to thedevice.
You can set up the following configuration files for autoinstallation on the device:
• network.conf—Default configuration file for autoinstallation, in which you specify IP addresses and
associated hostnames for devices on the network.
• switch.conf—Default configuration file for autoinstallation on a switch. This file contains just enough
configuration information for you to telnet to the device and configure it manually.
• hostname.conf—Host-specific configuration file for autoinstallation on a device. This file contains all
the configuration information necessary for the device. In the filename, replace hostname with the
hostname assigned to the device.
If the server with the autoinstallation configuration file is not on the same LAN segment as the new
device, or if a specific device is required by the network, you must configure an intermediate device. You
must attach this intermediate device directly to the new device so that the new device can send TFTP,
Boot Protocol (BOOTP), and Domain Name System (DNS) requests through the intermediate device. In
this case, you specify the IP address of the intermediate device as the location at which to receive TFTP
autoinstallation requests.
Typical Autoinstallation Process on a New Device
When the device configured for autoinstallation is powered on, it performs the following autoinstallation
tasks:
214
1. The device sends out DHCP or BOOTP requests on each connected interface simultaneously to
obtain an IP address.
If a DHCP server responds to these requests, it provides the device with some or all of the following
information:
• An IP address and subnet mask for the autoinstallation interface.
• The location of the (typically) TFTP server, HTTP server, or FTP server on which the configuration
file is stored.
• The name of the configuration file to be requested from the TFTP server.
• The IP address or hostname of the TFTP server.
If the DHCP server provides the server’s hostname, a DNS server must be available on the
network to resolve the name to an IP address.
• The IP address of an intermediate device if the configuration server is on a different LAN segment
from the device.
2. After the device acquires an IP address, the autoinstallation process on the device attempts to
download a configuration file in the following ways:
a. If the DHCP server specifies the host-specific configuration file hostname.conf, the device uses
that filename in the TFTP server request. The autoinstallation process on the new device makes
three unicast TFTP requests for hostname.conf. If these attempts fail, the device broadcasts three
requests to any available TFTP server for the file.
b. If the device does not locate a hostname.conf file, the autoinstallation process sends three unicast
TFTP requests for a network.conf file that contains the device’s hostname-to-IP-address mapping
information. If these attempts fail, the device broadcasts three requests to any available TFTP
server for the file.
c. If the device fails to find a network.conf file that contains a hostname entry for the device, the
autoinstallation process sends out a DNS request and attempts to resolve the device's IP address
to a hostname.
d. If the device determines its hostname, it sends a TFTP request for the hostname.conf file.
e. If the device is unable to map its IP address to a hostname, it sends TFTP requests for the default
configuration file device.conf. The TFTP request procedure is the same as for the network.conf
file.
3. After the device locates a configuration file on a TFTP server, the autoinstallation process downloads
the file, installs the file on the device, and commits the configuration.
215
Configuring Autoinstallation of Configuration Files (CLI Procedure)
Autoinstallation is the automatic configuration of a device over the network from a pre-existing
configuration file that you create and store on a configuration server. A configuration server is typically a
Trivial File Transfer Protocol (TFTP) server. You can use autoinstallation to deploy multiple devices
automatically from a central location in the network.
Before you can configure autoinstallation, you must enable autoinstallation to run when you power on a
device already installed in your network. You enable it by specifying one or more interfaces, protocols,
and configuration servers to be used for autoinstallation.
To enable autoinstallation to run, complete the following steps:
1. Ensure that a service such as Dynamic Host Configuration Protocol (DHCP) is available to assign an
IP address to the device.
2. Configure a DHCP server on your network to meet your network requirements. You can configure a
switch to operate as a DHCP server.
3. Create one of the following configuration files, and store it on a TFTP server (or HTTP server or FTP
server) in the network:
• A host-specific file with the name hostname.conf for each device undergoing autoinstallation.
Replace hostname with the name of a device. The hostname.conf file typically contains all the
configuration information necessary for the device with this hostname.
• A default configuration file named device.conf with the minimum configuration necessary to
enable you to telnet into the new device for further configuration.
4. Physically attach the device to the network using a Gigabit Ethernet port.
5. If you configured the DHCP server to provide only the TFTP server hostname, add an IP address-to-
hostname mapping entry for the TFTP server. Map the TFTP server hostname to the DNS database
file on the Domain Name System (DNS) server in the network.
6. If the device is not on the same network segment as the DHCP server (or other device providing IP
address resolution), configure an existing device as an intermediate device to receive TFTP and DNS
requests and forward them to the TFTP server and the DNS server. You must configure the LAN or
serial interface on the intermediate device with the IP addresses of the hosts providing TFTP and
DNS services. Connect this interface to the device.
7. If you are using hostname.conf files for autoinstallation, you must also complete the following tasks:
• Configure the DHCP server to provide a hostname.conf filename to each device. Each device uses
its hostname.conf filename to request a configuration file from the TFTP server. Copy the
necessary hostname.conf configuration files to the TFTP server.
216
• Create a default configuration file named network.conf, and copy it to the TFTP server. This file
contains IP-address-to-hostname mapping entries. If the DHCP server does not send a
hostname.conf filename to a new device, the device uses network.conf to resolve its hostname
based on its IP address.
Alternatively, you can add the IP-address-to-hostname mapping entry for the device to a DNS
database file.
The device uses the hostname to request a hostname.conf file from the TFTP server.
Before you explicitly enable and configure autoinstallation on the device, perform these tasks as needed
for your network configuration:
To configure autoinstallation:
1. Specify the URL address of one or more servers from which to obtain configuration files.
[edit system]
user@host# set autoinstallation configuration-servers tftp://tftpconfig.example.com
NOTE: You can also use an FTP address such as ftp://

user:[email protected].
2. Configure one or more Ethernet interfaces to perform autoinstallation and one or two procurement
protocols for each interface. The switch uses the protocols to send a request for an IP address for the
interface:
[edit system]
user@host# set autoinstallation interfaces ge-0/0/0 bootp
To verify autoinstallation, from the CLI enter the show system autoinstallation status command.
Example:
user@host> show system autoinstallation status

Autoinstallation status:
Master state: Active
Last committed file: None
Configuration server of last committed file: 10.25.100.1
Interface:
Name: ge-0/0/0
217
State: Configuration Acquisition

Acquired:
Address: 192.168.124.75
Hostname: host-ge-000
Hostname source: DNS
Configuration filename: device-ge-000.conf
Configuration filename server: 10.25.100.3
Address acquisition:
Protocol: DHCP Client
Acquired address: None
Protocol: RARP Client
Interface:
Name: ge-0/0/1
State: None
Address acquisition:
Protocol: DHCP Client
Protocol: RARP Client
Loading Configuration Files
IN THIS SECTION
How Character Encoding Works on Juniper Networks Devices | 221
About Loading a Configuration from a File | 227
Upload a Configuration File | 230
Loading configuration files on the device are helpful for loading parts of configuration files that might be
common across many devices within a network.
218
Examples for Loading a Configuration from a File or the Terminal
You can create a file containing configuration data for a Juniper Networks device, copy the file to the
local device, and then load the file into the CLI. After you have loaded the file, you can commit it to
activate the configuration on the device, or you can edit the configuration interactively using the CLI
and commit the configuration at a later time.
You can also create a configuration while typing at the terminal and then load the configuration. Loading
a configuration from the terminal is useful when you are cutting existing portions of the configuration
and pasting them elsewhere in the configuration.
To load an existing configuration file that is located on the device, you use the load configuration mode
command:
[edit]
user@host# load (factory-default | merge | override | patch | replace | set | update) filename <relative>
<json>
To load a configuration from the terminal, you use the following version of the load configuration mode
command. Press Ctrl-d to end the input.
[edit]
user@host# load (factory-default | merge | override | patch | replace | set | update)
terminal <relative> <json>
To replace an entire configuration, you specify the override option at any level of the hierarchy. A load
override operation completely replaces the current candidate configuration with the file you are loading.
Thus, if you saved a complete configuration, you use this option.
An override operation discards the current candidate configuration and loads the configuration in
filename or the configuration that you type at the terminal. When you use the override option and
commit the configuration, all system processes reparse the configuration.
To replace portions of a configuration, you specify the replace option. The load replace operation looks for
replace: tags that you added to the loaded file. The operation then replaces those parts of the candidate
configuration with whatever is specified after the tag. This is useful when you want more control over
exactly what is being changed. For this operation to work, you must include replace: tags in the file or
configuration that you type at the terminal. The software searches for the replace: tags, deletes the
existing statements of the same name, if any, and replaces them with the incoming configuration. If no
statement of the same name exists, the replace operation adds to the configuration the statements
marked with the replace: tag.
219
If, in an override or merge operation, you specify a file or type text that contains replace: tags, the replace:
tags are ignored. In this scenario, the override or merge operation takes precedence and is performed.
If you are performing a replace operation, and if the file that you specify lacks replace: tags, the replace
operation runs as a merge operation. The replace operation also runs as a merge operation if the text you
type lacks replace: tags. This information might be useful if you are running automated scripts and
cannot know in advance whether the scripts need to perform a replace operation or a merge operation.
The scripts can use the replace operation to cover either case.
The load merge operation merges the configuration from the saved file or terminal with the existing
candidate configuration. This information is useful if you are adding new configuration sections. For
example, suppose that you are adding a BGP configuration to the [edit protocols] hierarchy level, where
there was no BGP configuration before. You can use the load merge operation to combine the incoming
configuration with the existing candidate configuration. If the existing configuration and the incoming
configuration contain conflicting statements, the statements in the incoming configuration override
those in the existing configuration.
To replace only those parts of the configuration that have changed, you specify the update option at any
level of the hierarchy. The load update operation compares the candidate configuration and the new
configuration data. This operation changes only those parts of the candidate configuration that are
different from the new configuration. You would use this operation, for example, if there is an existing
BGP configuration and the file you are loading changes it in some way.
The merge, override, and update options support loading configuration data in JavaScript Object Notation
(JSON) format. When loading configuration data that uses JSON format, you must specify the json
option in the command.
To change part of the configuration with a patch file, you specify the patch option. The load patch
operation loads a file or terminal input that contains configuration changes. First, on a device that
already has the configuration changes, you type the show | compare command to output the differences
between two configurations. Then you can load the differences on another device. The advantage of the
load patch command is that it saves you from having to copy snippets from different hierarchy levels into
a text file before loading them into the target device. This might be a useful time saver if you are
configuring several devices with the same options. For example, suppose that you configure a routing
policy on router1 and you want to replicate the policy configuration on router2, router3, and router4.
You can use the load patch operation.
In this example, you first run the show | compare command.
Example:
user@router1# show | compare rollback 3

+ export default-static;
220
- export static-default
[edit policy-options]
+ policy-statement default-static {
+ from protocol static;
+ then accept;
+ }
Continuing this example, you copy the output of the show | compare command to the clipboard, making
sure to include the hierarchy levels. On router2, router3, and router4, you type load patch terminal and
paste the output. You then press Enter and press Ctrl-d to end the operation. If the patch input specifies
different values for an existing statement, the patch input overrides the existing statement.
To use the merge, replace, set, or update option without specifying the full hierarchy level, you specify the
relative option. This option loads the incoming configuration relative to your current edit point in the
configuration hierarchy.
Example:
[edit system]
user@host# show static-host-mapping
bob sysid 987.654.321ab
[edit system]
user@host# load replace terminal relative
[Type ^D at a new line to end input]
replace: static-host-mapping {
bob sysid 0123.456.789bc;
}
load complete
[edit system]
user@host# show static-host-mapping
bob sysid 0123.456.789bc;
To load a configuration that contains set configuration mode commands, specify the set option. This
option executes the configuration instructions line by line as they are stored in a file or from a terminal.
The instructions can contain any configuration mode command, such as set, edit, exit, and top.
To copy a configuration file from another network system to the local router, you can use the SSH and
Telnet utilities, as described in the CLI Explorer.
NOTE: If you are working in a Common Criteria environment, system log messages are created
whenever a secret attribute is changed (for example, password changes or changes to the
221
RADIUS shared secret). These changes are logged during the following configuration load
operations:
load merge
load replace
load override
load update
How Character Encoding Works on Juniper Networks Devices
Junos OS configuration data and operational command output might contain non-ASCII characters,
which are outside of the 7-bit ASCII character set. When displaying operational or configuration data in
certain formats or within a certain type of session, the software escapes and encodes these characters.
The software escapes or encodes the characters using the equivalent UTF-8 decimal character
reference.
The CLI attempts to display any non-ASCII characters in configuration data that is produced in text, set,
or JSON format. The CLI also attempts to display these characters in command output that is produced
in text format. In the exception cases, the CLI displays the UTF-8 decimal character reference instead.
(Exception cases include configuration data in XML format and command output in XML or JSON
format,) In NETCONF and Junos XML protocol sessions, you see a similar result if you request
configuration data or command output that contains non-ASCII characters. In this case, the server
returns the equivalent UTF-8 decimal character reference for those characters for all formats.
For example, suppose the following user account, which contains the Latin small letter n with a tilde (ñ),
is configured on the device.
[edit]
user@host# set system login user mariap class super-user uid 2007 full-name "Maria Peña"
When you display the resulting configuration in text format, the CLI prints the corresponding character.
[edit]
user@host# show system login user mariap
full-name "Maria Peña";
uid 2007;
class super-user;
222
When you display the resulting configuration in XML format in the CLI, the ñ character maps to its
equivalent UTF-8 decimal character reference Ã±. The same result occurs if you display the
configuration in any format in a NETCONF or Junos XML protocol session.
[edit]
user@host# show system login user mariap | display xml
<rpc-reply xmlns:junos="http://xml.juniper.net/junos/17.2R1/junos">
<configuration junos:changed-seconds="1494033077" junos:changed-localtime="2017-05-05
18:11:17 PDT">
<system>
<login>
<user>
<name>mariap</name>
<full-name>Maria PeÃ±a</full-name>
<uid>2007</uid>
<class>super-user</class>
</user>
</login>
</system>
</configuration>
<cli>
<banner>[edit]</banner>
</cli>
</rpc-reply>
When you load configuration data onto a device, you can load non-ASCII characters using their
equivalent UTF-8 decimal character references.
About Specifying Statements and Identifiers
IN THIS SECTION
Specifying Statements | 223
Performing CLI Type Checking | 225

223
This topic provides details about CLI container statements and leaf statements so that you know how to
must specify them when creating ASCII configuration files. This topic also describes how the CLI
performs type checking to verify that the data you entered is in the correct format.
Specifying Statements
Statements are shown one of two ways, either with braces ({ }) or without:
• Statement name and identifier, with one or more lower-level statements enclosed in braces:
statement-name1 identifier-name {
statement-name2;
additional-statements;
}
• Statement name, identifier, and a single identifier:
statement-name identifier-name1 identifier-name2;
The statement-name is the name of the statement. The identifier-name is a name or other string that
uniquely identifies an instance of a statement. You use an identifier when a statement can be specified
more than once in a configuration.
When specifying a statement, you must specify a statement name, an identifier name, or both,
depending on the statement hierarchy.
You specify identifiers in one of the following ways:
• identifier-name—The identifier-name is a keyword used to uniquely identify a statement when a

statement can be specified more than once in a statement.
• identifier-name value—The identifier-name is a keyword, and the value is a required option variable.
• identifier-name [value1 value2 value3 ...]—The identifier-name is a keyword that accepts multiple
values. The brackets are required when you specify a set of values; however, they are optional when
you specify only one value.
The following examples illustrate how statements and identifiers are specified in the configuration:
protocol { # Top-level statement (statement-name).

ospf { # Statement under "protocol" (statement-name).
area 0.0.0.0 { # OSPF area "0.0.0.0" (statement-name identifier-name),
224
interface so-0/0/0 { # which contains an interface named "so-0/0/0."

hello-interval 25; # Identifier and value (identifier-name value).
priority 2; # Identifier and value (identifier-name value).
disable; # Flag identifier (identifier-name).
}
interface so-0/0/1; # Another instance of "interface," named so-0/0/1,
} # this instance contains no data, so no braces
} # are displayed.
}
policy-options { # Top-level statement (statement-name).
term term1 { # Statement under "policy-options"
# (statement-name value).
from { # Statement under "term" (statement-name).
route-filter 10.0.0.0/8 orlonger reject; # One identifier ("route-
filter") with
route-filter 127.0.0.0/8 orlonger reject; # multiple values.
route-filter 128.0.0.0/16 orlonger reject;
}
then { # Statement under "term" (statement-name).
next term; # Identifier (identifier-name).
}
}
}
When you create an ASCII configuration file, you specify statements and identifiers. Each statement has
a preferred style, and the CLI uses that style when displaying the configuration in response to a
configuration mode show command. You can specify statements and identifiers in one of the following
ways:
• Statement followed by identifiers:
statement-name identifier-name [...] identifier-name value [...];
• Statement followed by identifiers enclosed in braces:
statement-name {
identifier-name;
[...]
225
identifier-name value;
[...]
}
• For some repeating identifiers, you can use one set of braces for all the statements:
statement-name {
identifier-name value1;
identifier-name value2;
}
Performing CLI Type Checking
When you specify identifiers and values, the CLI performs type checking to verify that the data you
entered is in the correct format. For example, for a statement in which you must specify an IP address,
the CLI requires that you enter an address in a valid format. Otherwise, an error message indicates what
you need to type. lists the data types the CLI checks. The following are CLI configuration input types:
Table 9: CLI Configuration Input Types
Data Type Format Examples
Physical interface type-fpc/pic/port Correct: et-0/0/1

name (used in the
[edit interfaces] Incorrect: et-0
hierarchy)
Full interface name type-fpc/pic/ Correct: et-0/0/1.0

port<:channel>.logical
Incorrect: et-0/0/1
Full or abbreviated type-<fpc</pic/port>><<: Correct: et, et-1, et-1/2/3:4.5

interface name channel>.logical>
(used in places
other than the [edit
interfaces]
hierarchy)
226
Table 9: CLI Configuration Input Types (Continued)
Data Type Format Examples
IP address 0xhex-bytesoctet<. octet<.octet. Correct: 1.2.3.4, 0x01020304, 128.8.1, 128.8

<octet>>>
Sample translations:
1.2.3 becomes 1.2.3.0

0x01020304 becomes 1.2.3.4
0x010203 becomes 0.1.2.3
IP address 0xhex-bytes</length>octet<octet Correct: 10/8, 128.8/16, 1.2.3.4/32, 1.2.3.4

(destination prefix) <octet.<octet>>></length>
and prefix length Sample translations:
1.2.3 becomes 1.2.3.0/32

0x01020304 becomes 1.2.3.4/32
0x010203 becomes 0.1.2.3/32
default becomes 0.0.0.0/0
International hex-nibble<hex-nibble ...> Correct: 47.1234.2345.3456.00, 47123423453456.00,

Organization for 47.12.34.23.45.34.56.00
Standardization
(ISO) address Sample translations:
47123456 becomes 47.1234.56

47.12.34.56 becomes 47.1234.56
4712.3456 becomes 47.1234.56
OSPF area 0xhex-bytesoctet<.octet<.octet.< Correct: 54, 0.0.0.54, 0x01020304, 1.2.3.4

identifier (ID) octet >>> decimal-number
Sample translations:
54 becomes 0.0.0.54
257 becomes 0.0.1.1

128.8 becomes 128.8.0.0
0x010203 becomes 0.1.2.3
227
About Loading a Configuration from a File
The following examples demonstrate the process of loading a configuration from a file.
Figure 5: Overriding the Current Configuration
Figure 6: Using the replace Option

228
Figure 7: Using the merge Option
Figure 8: Using a Patch File

229
Figure 9: Using the set Option

230
Upload a Configuration File
You can create a configuration file on your local system, copy the file to the device, and then load the file
into the CLI. After you have loaded the configuration file, you can commit it to activate the configuration
on the device. You can also edit the configuration interactively using the CLI and commit it at a later
time.
To upload a configuration file from your local system:
1. Create the configuration file using a text editor such as Notepad, making sure that the syntax of the
configuration file is correct.
2. In the configuration text file, include one or more of the following options to perform the required
action when the file is loaded.
Table 10: Options for the load Command
Options Description
merge Combines the current active configuration with either the configuration in the
filename that you specify or the configuration that you type in the terminal
window. A merge operation is useful when you are adding a new section to an
existing configuration. If the active configuration and the incoming configuration
contain conflicting statements, the statements in the incoming configuration
override those in the active configuration.
override Discards the current candidate configuration. Loads either the configuration in
the filename that you specify or the configuration that you type at the terminal.
When you use the override option and commit the configuration, all system
processes reparse the configuration. You can use the override option at any level
of the hierarchy.
replace Searches for the replace tags, deletes the existing statements of the same name,
if any, and replaces the existing statements with the incoming configuration. If no
statement of the same name exists, the replace operation adds the statements
marked with the replace tag to the active configuration.
NOTE: For this operation to work, you must include replace tags in the text file or
in the configuration that you enter at the terminal.
3. Press Ctrl+a to select all the text in the configuration file.

4. Press Ctrl+c to copy the contents of the configuration text file to the Clipboard.
5. Log in to the device using your username and password.
231
6. Enter configuration mode: user@host> configure

[edit]
user@host#
7. Load the configuration file: [edit] user@host# load merge terminal
8. At the cursor, paste the contents of the Clipboard using the mouse and the Paste icon: [edit]
user@host# load merge terminal [Type ^D at a new line to end input] >Cursor is here. Paste the
contents of the clipboard here<
9. Press Enter.
10. Press Ctrl+d to set the end-of-file marker.
To view results of the configuration steps before committing the configuration, type the show command
at the user prompt.
To commit these changes to the active configuration, type the commit command at the user prompt. You
can also edit the configuration interactively using the CLI and commit it at a later time.
Backing Up Configurations to an Archive Site
IN THIS SECTION
Configuring the Transfer of the Currently Active Configuration | 231
You can configure a device to transfer its configuration to an archive file periodically.
Configuring the Transfer of the Currently Active Configuration
If you want to back up your device’s current configuration to an archive site, you can configure the
device to transfer its currently active configuration by FTP, HTTP, or secure copy (SCP) periodically or
after each commit.
232
To configure the device to transfer its currently active configuration to an archive site, include
statements at the [edit system archival configuration] hierarchy level:
[edit system archival configuration]

archive-sites {
ftp://username<:password>@host-address<:port>/url-path;
scp://username<:password>@host-address<:port>/url-path;
http://username @host-address :url-path <password>;
}
transfer-interval interval;
transfer-on-commit;
To configure the device to periodically transfer its currently active configuration to an archive site,
include the transfer-interval statement at the [edit system archival configuration] hierarchy level:

The interval is a period of time ranging from 15 through 2880 minutes.
To configure the device to transfer its currently active configuration to an archive site each time you
commit a candidate configuration, include the transfer-on-commit statement at the [edit system archival
configuration] hierarchy level:

transfer-on-commit;
NOTE: When specifying a URL in a statement using an IPv6 host address, you must enclose the
entire URL in quotation marks ("") and enclose the IPv6 host address in brackets ([ ]). For
example, “ftp://username<:password>@[ipv6-host-address]<:port>/url-path”
When you configure the device to transfer its configuration files, you specify an archive site to which
the files are transferred. If you specify more than one archive site, the device attempts to transfer files to
the first archive site in the list, moving to the next site only if the transfer fails.
When you use the archive-sites statement, you can specify a destination as an FTP URL, HTTP URL, or
SCP-style remote file specification. The URL type file:// is also supported.
233
To configure the archive site, include the archive-sites statement at the [edit system archival configuration]
hierarchy level:

archive-sites {
ftp://username@host:<port>url-path password password;
scp://username@host:<port>url-path password password;
file://<path>/<filename>;
http://username@host: url-path password password;
}
When you specify the archive site, do not add a forward slash (/) to the end of the URL.
The destination filename is saved in the following format, where n corresponds to the number of the
compressed configuration rollback file that has been archived:
<router-name>_YYYYMMDD_HHMMSS_juniper.conf.n.gz
NOTE: Whenever configurations are made, the time included in the destination filename is in
Coordinated Universal Time (UTC).
NOTE: When you configure file archival by using the archive-sites statement, the transfer file
utility does not work if you have enabled the management instance.
Factory Default Configuration Overview
IN THIS SECTION
Restore the Default Factory Configuration | 234

234
The default factory configuration contains the basic device configuration settings. This first
configuration of the device is loaded automatically the first time you install the device and power it on.
Restore the Default Factory Configuration
If for any reason the current active configuration fails, you can restore the default factory configuration.
The default factory configuration contains the basic configuration settings and is sometimes referred to
as the rescue configuration. This is the first configuration of the device and is loaded the first time you
install the device and power it on.
The load factory default command is a standard configuration command. This configuration command
replaces the current active configuration with the default factory configuration.
To restore the switch to the default factory configuration:
1. Make sure you are in configuration mode.

2. Enter the following commands at the CLI:
[edit]
user@switch# load factory-default
[edit]
user@switch# delete system commit factory-settings
[edit]
user@switch# commit
NOTE: This process clears prior committed configuration parameters, except for those that
preserve a Virtual Chassis configuration. A Virtual Chassis is a group of devices configured to
work together as if they were a single device. You can use the load factory-default command to
restore the factory default configuration on a Virtual Chassis without removing anything
needed to keep the Virtual Chassis working.
235
Rescue Configuration
IN THIS SECTION
Creating and Returning to a Rescue Configuration | 235
A rescue configuration is the known working configuration. If the active configuration is corrupted, the
device automatically loads the rescue configuration file as the active configuration.
Creating and Returning to a Rescue Configuration
A rescue configuration allows you to define a known working configuration or a configuration with a
known state for recovery, if necessary. This alleviates the necessity of having to remember the rollback
number with the rollback command. The rescue configuration rolls back the device to a known
configuration, or can serve as a last resort if your device configuration and the backup configuration files
become damaged beyond repair.
To save the most recently committed configuration as the rescue configuration so that you can return to
it at any time, issue the request system configuration rescue save command:
user@host> request system configuration rescue save
To return to the rescue configuration, use the rollback rescue configuration mode command. To commit
the rescue configuration, thereby activating it, use the commit command.
[edit]
user@host# rollback rescue
load complete
236
NOTE: If the rescue configuration does not exist, or if the rescue configuration is not a complete,
viable configuration, then the rollback command fails, an error message appears, and the current
configuration remains active.
To delete an existing rescue configuration, issue the request system configuration rescue delete command:
user@host> request system configuration rescue delete

user@host>
Encrypt and Decrypt Configuration Files
IN THIS SECTION
Encrypt Configuration Files | 237
Decrypt Configuration Files | 238
Modify the Encryption Key | 239
You store configuration data and sensitive network information in configuration files. Encrypting
configuration files enables you to secure the information they store. Decrypting means disabling the
encryption of configuration files on a device and making the files readable to all.
NOTE: Encryption features are not available on all Juniper Networks devices. If these features
are not available on one or more of your devices, the Junos OS CLI encryption-related commands
described in this topic may be hidden or may not function. See your hardware documentation for
details.
237
Encrypt Configuration Files
To encrypt configuration files on a Juniper Networks device, you need an encryption key. You configure
an encryption key in EEPROM and determine which encryption process is appropriate for your network.
To configure an encryption key, select the most appropriate request system set-encryption-key command in
operational mode, as described in the following table.
Table 11: The request system set-encryption-key CLI Commands
CLI Command Description
request system set-encryption-key Sets the encryption key and enables default
configuration file encryption:
• AES encryption for the Canada and U.S. version of

the operating system
• DES encryption for the international version of the

operating system
request system set-encryption-key algorithm des Sets the encryption key and specifies configuration file
encryption by DES.
request system set-encryption-key unique Sets the encryption key and enables default
configuration file encryption with a unique encryption
key that includes the chassis serial number of the
device.
When you encrypt configuration files with the unique

key, you can decrypt the files on the current device
only. You cannot copy encrypt configuration files to
another device and decrypt them.
request system set-encryption-key des unique Sets the encryption key and specifies configuration file
encryption by DES with a unique encryption key.
To encrypt configuration files on a device:

238
2. Configure an encryption key in EEPROM and determine the encryption process; for example, enter
the request system set-encryption-key command.
user@host> request system set-encryption-key

Enter EEPROM stored encryption key:
3. At the prompt, enter the encryption key. The encryption key must have at least six characters.
Enter EEPROM stored encryption key:juniper1

Verifying EEPROM stored encryption key:
4. At the second prompt, reenter the encryption key.

5. Enter configuration mode in the CLI.
6. Enable configuration file encryption to take place.
[edit]
user@host# edit system
user@host# set encrypt-configuration-files
7. Begin the encryption process by committing the configuration.
[edit]
user@host# commit
commit complete
Decrypt Configuration Files
Decrypting configuration files means disabling the file encryption on a device, which makes the files
readable to all.
To disable the encryption of configuration files on a device:

2. Verify your permission to decrypt configuration files on this device by entering the encryption key for
the device.
239
Example:

3. At the second prompt, reenter the encryption key.

4. Enter configuration mode in the CLI.
5. Enable configuration file decryption.
[edit]
user@host# edit system
user@host# set no-encrypt-configuration-files
6. Begin the decryption process by committing the configuration.
[edit]
user@host# commit
commit complete
Modify the Encryption Key
When you modify the encryption key, the configuration files are decrypted and then reencrypted with
the new encryption key.
To modify the encryption key:

2. Configure a new encryption key in EEPROM, and determine the encryption process; for example,
enter the request system set-encryption-key command.

240
3. At the prompt, enter the new encryption key. The encryption key must have at least six characters.
Enter EEPROM stored encryption key:juniperone

4. At the second prompt, reenter the new encryption key.
Synchronizing Configurations Across Routing

Engines
IN THIS SECTION
Routing Engine Synchronization Overview | 240
On devices with redundant Routing Engines, you can perform a commit synchronize, which activates and
synchronizes the configuration on both Routing Engines.
Routing Engine Synchronization Overview
If your device has two Routing Engines, you can manually direct one Routing Engine to synchronize its
configuration with the other by issuing the commit synchronize command. The Routing Engine on which
you execute this command (the requesting Routing Engine) first commits the configuration. The
requesting Routing Engine then copies and loads its candidate configuration to the responding Routing
Engine. Each Routing Engine performs a syntax check on the candidate configuration file before
committing it. The commit synchronization process takes place one Routing Engine at a time.
If no errors are found, the configuration is activated and becomes the current operational configuration
on both Routing Engines.
241
NOTE: If the commit fails on either Routing Engine, the commit process is rolled back on the
other Routing Engine as well. This safeguard ensures that both Routing Engines have the same
configuration.
NOTE: If your configuration includes a large amount of text or many apply-groups, commit times
can be longer than desired.
For example, you may want both Routing Engines to have the same configuration. In this scenario, if you
are logged in to re1 (requesting Routing Engine), you issue the commit synchronize command on re1.
Routing Engine re1 copies and loads its candidate configuration to re0 (responding Routing Engine). Both
Routing Engines then perform a syntax check on the candidate configuration file being committed. If no
errors are found, the re1 candidate configuration is activated and becomes the current operational
configuration on both Routing Engines.
NOTE: When you issue the commit synchronize command, you must use the groups re0 and re1. For
information about how to use the apply-groups statement, see "Applying a Configuration Group"
on page 122.
You can synchronize a Routing Engine's current operational configuration file with the other Routing
Engine's configuration file. To do this, you log in to the Routing Engine from which you want to
synchronize and issue the commit synchronize command.
Example:
[edit]
user@host# commit synchronize
re0:
re1:
commit complete
re0:
commit complete
242
NOTE: The backup Routing Engine may be only partially committed due to invalid configuration
during system reboot. In this case, the commit synchronize command with the force option from the
primary Routing Engine does not work.
The commit synchronize command does not work if the responding Routing Engine has uncommitted
configuration changes. However, you can force commit synchronization on the Routing Engines by using
the force option. When you issue the commit synchronize command with the force option from one Routing
Engine, the configuration sessions on the other Routing Engine are terminated. When those sessions are
terminated on the other Routing Engine, its configuration is synchronized with the configuration on the
Routing Engine from which you issued the command.
NOTE: We recommend that you use the force option only if you are unable to resolve the issues
that caused the commit synchronize command to fail.
To force a commit synchronize on the Routing Engines, you log in to the Routing Engine from which you
want to synchronize. Then, you issue the command with the force option.
Example:
[edit]
user@host# commit synchronize force
re0:
re1:
commit complete
re0:
commit complete
[edit]
user@host#
NOTE: If you have nonstop routing enabled on your device, you enter the commit synchronize
command from the primary Routing Engine after you make any changes to the configuration. If
you enter this command on the backup Routing Engine, the software displays a warning and
commits the configuration.
243
Include the fast-synchronize statement at the [edit system] hierarchy level to have the synchronization
occur simultaneously between the primary and the backup Routing Engines:
[edit system]
commit fast-synchronize;
NOTE:
• When the fast-synchronize statement is configured, the commits on the primary Routing Engine
and the backup Routing Engine run in parallel. In this process, the configuration is validated
only on the Routing Engine where you execute the commit command. Therefore, we
recommend that you not include too many configuration details in groups like re0 and re1,
because the configuration specified in group re0 is applied only if the current Routing Engine
is in slot 0. Likewise, the configuration specified in group re1 is applied only if the current
Routing Engine is in slot 1.
• If fast-synchronize is enabled and both Routing Engines (primary and backup) run different
software versions, the backup Routing Engine configuration may not be valid. This is true
even if the primary Routing Engine validates the configuration. Therefore, ensure that the
same operating systemoperating system software version is running on both the Routing
Engines.
You can use the commit synchronize scripts command to synchronize a Routing Engine's configuration and
all commit, event, lib, op, and SNMP scripts with the other Routing Engine. If you configure the load-
scripts-from-flash statement for the requesting Routing Engine, the device synchronizes the scripts. The
device synchronizes the scripts from flash memory on the requesting Routing Engine to flash memory
on the responding Routing Engine. Otherwise, the device synchronizes the scripts from the hard disk on
the requesting Routing Engine to the hard disk on the responding Routing Engine. The device
synchronizes all scripts regardless of whether they are enabled in the configuration or have been
updated since the last synchronization.
To synchronize a Routing Engine's configuration file and all scripts with the other Routing Engine, log in
to the Routing Engine from which you want to synchronize, and issue the commit synchronize scripts
command.
Example:
[edit]
user@host# commit synchronize scripts
re0:
244
re1:
commit complete
re0:
commit complete
NOTE: If the commit check operation fails for the requesting Routing Engine, the process stops,
and the scripts are not copied to the responding Routing Engine. If the commit check or commit
operation fails for the responding Routing Engine, the scripts are still synchronized. The scripts
are still synchronized because the synchronization occurs before the commit check operation on
the responding Routing Engine.
Include the synchronize statement at the [edit system scripts] hierarchy level to synchronize scripts every
time you issue a commit synchronize command.
[edit system scripts]

synchronize;
Configure Multiple Routing Engines to Synchronize Committed

Configurations Automatically
If your device has multiple Routing Engines, you can manually direct one Routing Engine to synchronize
its configuration with the others by issuing the commit synchronize command.
To make the Routing Engines synchronize automatically whenever a configuration is committed, include
the commit synchronize statement at the [edit system] hierarchy level:
[edit system]
commit synchronize;
The Routing Engine on which you execute the commit command (requesting Routing Engine) copies and
loads its candidate configuration to the other (responding) Routing Engines. All Routing Engines then
perform a syntax check on the candidate configuration file being committed. If no errors are found, the
configuration is activated and becomes the current operational configuration on all Routing Engines.
For the commit synchronization process, the primary Routing Engine commits the configuration and
sends a copy of the configuration to the backup Routing Engine. Then the backup Routing Engine loads
and commits the configuration. So, the commit synchronization between the primary and backup
245
Routing Engines takes place one Routing Engine at a time. If the configuration has a large text size or
many apply-groups, commit times can be longer than desired.
You can use the commit fast-synchronize statement to have the synchronization between the primary and
backup Routing Engines occur simultaneously instead of sequentially. This can reduce the time needed
for synchronization because the commits on the primary and backup Routing Engines occur in parallel.
Include the fast-synchronize statement at the [edit system] hierarchy level to have synchronize occur
simultaneously between the primary and the backup Routing Engines:
[edit system]
commit fast-synchronize
NOTE:
• If commit fails on either Routing Engine, the commit process is rolled back on the other
Routing Engine as well. This ensures that both Routing Engines have the same configuration.
• When the fast-synchronize statement is configured, the commits on the primary Routing Engine
and the backup Routing Engine run in parallel. In this process, the configuration is validated
only on the Routing Engine where you execute the commit command. Therefore, we
recommend limiting the number of configuration details in groups like re0 and re1, because
the configuration specified in group re0 is applied only if the current Routing Engine is in slot
0. Likewise, the configuration specified in group re1 is applied only if the current Routing
Engine is in slot 1.
• If fast-synchronize is enabled and if the primary Routing Engine and backup Routing Engines
run different software versions, you cannot be sure that the backup Routing Engine
configuration is valid. This is true even if the primary Routing Engine validates the
configuration, Therefore, ensure that the operating system software version running on both
the Routing Engines is the same.
Release Description
19.4R1-S1 Starting in Junos OS Evolved Release 19.4R1-S1, commit synchronize is enabled by default on
PTX10008. If you issue commit at the [edit system] hierarchy level from the primary routing engine,
you see that the backup routing engine is automatically synchronized.
246
19.4R1 Starting in Junos OS Evolved Release 19.4R1, commit synchronize is enabled by default on PTX10008.
If you issue commit at the [edit system] hierarchy level from the primary routing engine, you see that
the backup routing engine is automatically synchronized.
5 CHAPTER
Using Operational Commands to

Monitor Devices
CLI Operational Mode Overview | 248
Using Operational Commands to Monitor a Device | 255
Filtering Operational Command Output | 271

248
CLI Operational Mode Overview
IN THIS SECTION
Display Options of the show Command—An Overview | 251
About Group Interface Names Using Wildcard Characters | 254
In operational mode, you can use Junos OS CLI commands to monitor and troubleshoot a device. The
monitor, ping, show, test, and traceroute commands enable you to display information and test network
connectivity for the device.
CLI Operational Mode Command Overview
IN THIS SECTION
CLI Operational Mode Command Categories | 248
Commonly Used Operational Mode Commands | 249
You (the network administrator) can control all network operations using the Junos OS CLI operational
mode commands described in this topic.
CLI Operational Mode Command Categories
CLI operational mode commands fall into the following broad categories:
• Operational mode commands for monitoring and troubleshooting—The following commands perform
functions related to information and statistics about the software and to test network connectivity.
• clear—Clear statistics and protocol database information.

249
• file—Perform file operations.
• mtrace—Trace a multicast path from source to receiver.
• monitor—Perform real-time debugging of various software components, including the routing

protocols and interfaces.
• ping—Determine the reachability of a remote network host.
• show—Display the current configuration and information about interfaces, routing protocols,
routing tables, routing policy filters, system alarms, and the chassis.
• test—Test the configuration and application of policy filters and autonomous system (AS) path
regular expressions.
• traceroute—Trace the route to a remote network host.
• Commands for restarting software processes—The commands in the restart hierarchy restart the
various system processes, including the routing protocol, interface, and SNMP.
• A command—request—Perform system-level operations, including stopping and rebooting the router

or switch and loading operating system images.
• A command—start—Exit the CLI and start a UNIX shell.
• A command—configure—Enter configuration mode, which provides a series of commands that

configure the system, including the routing protocols, interfaces, network management, and user
access.
For more information about the CLI operational mode commands, see the CLI Explorer. Alternatively,
you can enter ? at the operational mode command prompt to view a list of available commands.
Commonly Used Operational Mode Commands
The following table lists some operational commands you may find useful for monitoring router or
switch operation.
Table 12: Commonly Used Operational Mode Commands
Items to Check Description Command
Software version Versions of software running on the router or switch show version
Log files Contents of the log files monitor

250
Table 12: Commonly Used Operational Mode Commands (Continued)
Items to Check Description Command
Log files and their contents and recent user logins show log
Remote systems Host reachability and network connectivity ping
The route to a network system traceroute
Configuration Current system configuration show configuration
File manipulation List of files and directories on the router or switch file list
Contents of a file file show
Interface information Detailed information about interfaces show interfaces
Chassis Chassis alarm status show chassis alarms
Information currently on craft display show chassis craft-interface
Router or switch environment information show chassis environment
Hardware inventory show chassis hardware
Routing table Information about entries in the routing tables show route
information
Forwarding table Information about data in the kernel’s forwarding table show route forwarding-table
information
251
Display Options of the show Command—An Overview
The show command can include brief, detail, extensive, or terse options. You can use these and other
options to control the amount and type of information to view.
1. At any point in the CLI, you can enter the ? character to view all the currently available options. For
example:
user@host> show interfaces fe-1/1/1 ?

brief Display brief output
descriptions Display interface description strings
detail Display detailed output
extensive Display extensive output
media Display media information
snmp-index SNMP index of interface
statistics Display statistics and detailed output
terse Display terse output
252
2. At any point in the CLI, you can use the show command with one of the following options to display
the detail you need to view.
Figure 10: Command Output Options
Interface Naming Conventions Used in Operational Commands
IN THIS SECTION
Physical Part of an Interface Name | 253
Logical Part of an Interface Name | 253
Channel Identifier Part of an Interface Name | 254
This topic explains the interface naming conventions used in operational commands.
253
Physical Part of an Interface Name
The physical interface naming conventions for Juniper Networks device platforms is as follows:
• On SRX devices, the unique name of each network interface has the following format to identify the
physical device that corresponds to a single physical network connector:
type-slot/pim-or-ioc/port
• On other platforms, when you display information about an interface, you specify the following
identifiers: interface type, the slot in which the Flexible PIC Concentrator (FPC) is installed, the slot
on the FPC in which the PIC is located, and the configured port number.
In the physical part of the interface name, a hyphen (-) separates the media type from the FPC
number, and a slash (/) separates the FPC, PIC, and port numbers:
type-fpc/pic/port
NOTE: Exceptions to the type-fpc/pic/port physical description include the aggregated Ethernet
and aggregated SONET/SDH interfaces, which use the syntax aenumber and asnumber, respectively.
Logical Part of an Interface Name
The logical unit part of the interface name corresponds to the logical unit number, which can be a
number from 0 through 16,384. You use logical unit numbers to uniquely identify physical storage
systems or virtual storage systems within a network. In the virtual part of the name, a period (.)
separates the port and logical unit numbers:
• SRX devices:
type-slot/pim-or-ioc/port:channel.unit
• Other platforms:
type-fpc/pic/port.logical
254
Channel Identifier Part of an Interface Name
The channel identifier part of an interface name is required only on channelized interfaces. For
channelized interfaces, channel 0 identifies the first channelized interface. For channelized intelligent
queuing (IQ) interfaces, channel 1 identifies the first channelized interface.
NOTE: Depending on the type of channelized interface, you can specify up to three levels of
channelization.
A colon (:) separates the physical and virtual parts of the interface name:
• SRX devices:
type-slot/pim-or-ioc/port:channel
type-slot/pim-or-ioc/port:channel:channel
type-slot/pim-or-ioc/port:channel:channel:channel
• Other platforms:
type-fpc/pic/port:channel
type-fpc//pic/port:channel:channel
type-fpc/pic/port:channel:channel:channel
About Group Interface Names Using Wildcard Characters
You can use wildcard characters in operational commands to specify groups of interface names without
having to type each name individually. The following table lists the available wildcard characters. You
must enclose all wildcard characters except the asterisk (*) in quotation marks (“ ”).
Table 13: Wildcard Characters for Specifying Interface Names
Wildcard Character Description
* (asterisk) Match any string of characters in that position in the interface name. For example,
so* matches all SONET/SDH interfaces.
255
Table 13: Wildcard Characters for Specifying Interface Names (Continued)
Wildcard Character Description
"[character<character...>]" Match one or more individual characters in that position in the interface name.
For example, so-“[03]”* matches all SONET/SDH interfaces in slots 0 and 3.
"[!character<character...>]" Match all characters except those included in the brackets. For example, so-“[!
03]”* matches all SONET/SDH interfaces except those in slots 0 and 3.
"[character1-character2]" Match a range of characters. For example, so-“[0-3]” * matches all SONET/SDH
interfaces in slots 0, 1, 2, and 3.
"[!character1-character2]" Match all characters that are not in the specified range of characters. For example,
so-”[!0-3]”* matches all SONET/SDH interfaces in slots 4, 5, 6, and 7.
Using Operational Commands to Monitor a Device
IN THIS SECTION
Operational Mode Commands: Overview of Controlling the Scope | 257
Display Operating System Information | 265
CLI Comment Character # for Operational Mode Commands | 270
Operational mode CLI commands enable you to monitor and control the operation of a Juniper
Networks device. The operational mode commands exist in a hierarchical structure.
256
CLI Command Completion Example
The command completion feature can help make it easier both to enter commands or to learn what
possible completion options are available at any given time.
This example shows the result of issuing the show interfaces command. In this case, the spacebar is used
to autocomplete the command.
user@host> sh<Space>ow i<Space>

'i' is ambiguous.
igmp Show information about IGMP
interface Show interface information
isis Show information about IS-IS
user@host> show in<Space>terfaces

Physical interface: at-0/1/0, Enabled, Physical link is Up
Interface index: 11, SNMP ifIndex: 65
Link-level type: ATM-PVC, MTU: 4482, Clocking: Internal, SONET mode
Speed: OC12, Loopback: None, Payload scrambler: Enabled
Device flags: Present Running
Link flags: 0x01
...
user@host>
This example shows how to display a list of all log files whose names start with the string “messages,”
and then display the contents of one of the files. Here, the Tab key is used to perform the
autocompletion.
user@myhost> show log mes?

<filename>Log file to display
messagesSize: 1417052, Last changed: Mar 3 00:33
messages.0.gzSize: 145575, Last changed: Mar 3 00:00
messages.2.grSize: 137112, Last changed: Mar 2 22:00
257

user@myhost> show log mes<Tab>sages.4<Tab>.gz<Enter>

Jan 15 21:00:00 myhost newsyslog[1381]: logfile turned over
...
Operational Mode Commands: Overview of Controlling the Scope
IN THIS SECTION
Routing Matrix Command Options | 258
The Junos OS CLI operational commands include options that you can use to identify specific
components on a device. For example:
• You use the show interfaces command to display information about all interfaces on the router.
1. Type the show interfaces command to display information about all interfaces on the router.
user@host> show interfaces

Physical interface: so-0/0/0, Enabled, Physical link is Up
Link-level type: PPP, MTU: 4474, Clocking: Internal, SONET mode, Speed: OC3,
Loopback: None, FCS: 16, Payload scrambler: Enabled
Device flags : Present Running
Interface flags: Point-To-Point SNMP-Traps Internal: 0x4000
Link flags : Keepalives
Keepalive settings: Interval 10 seconds, Up-count 1, Down-count 3
Keepalive: Input: 13861 (00:00:05 ago), Output: 13891 (00:00:01 ago)
LCP state: Opened
NCP state: inet: Opened, inet6: Not-configured, iso: Opened, mpls: Not-configured
CHAP state: Closed
PAP state: Closed
CoS queues : 4 supported, 4 maximum usable queues
Last flapped : 2008-06-02 17:16:14 PDT (1d 14:21 ago)
258
Input rate : 40 bps (0 pps)

Output rate : 48 bps (0 pps)
---(more)---
NOTE: This example output shows only one interface, for the sake of brevity, but in reality,
the interfaces information for all four would be shown after the —(more)— prompts.
2. To display information about a specific interface, type that interface as a command option:
user@host> show interfaces fe-0/1/3

Physical interface: fe-0/1/3, Enabled, Physical link is Up
Link-level type: Ethernet, MTU: 1514, Speed: 100mbps, MAC-REWRITE Error: None,
Loopback: Disabled, Source filtering: Disabled, Flow control: Enabled
Device flags : Present Running
Interface flags: SNMP-Traps Internal: 0x4000
Link flags : None
CoS queues : 4 supported, 4 maximum usable queues
Current address: 00:05:85:8f:c8:22, Hardware address: 00:05:85:8f:c8:22
Last flapped : 2008-06-02 17:16:15 PDT (1d 14:28 ago)
Input rate : 0 bps (0 pps)
Output rate : 0 bps (0 pps)
Active alarms : None
Active defects : None
user@host>
Routing Matrix Command Options
The show version command offers several options for viewing information about the routing matrix.
user@host> show version ?

all-lcc Show software version on all LCC chassis
brief Display brief output
detail Display detailed output
259
lcc Show software version on specific LCC (0..3)

scc Show software version on the SCC
Viewing Files and Directories on a Device
IN THIS SECTION
Directories on the Device | 259
List Files and Directories | 260
Filenames and URLs | 263
The operating system stores information in files on the device, including configuration files, log files, and
device software files. This topic shows some examples of operational commands that you can use to
view files and directories on a device.
Directories on the Device

The following table lists some standard directories on a Juniper Networks device.
Table 14: Directories on the Device
DIrectory Description
/config This directory is located on the device’s internal flash drive. It contains the active configuration
(juniper.conf) and rollback files 1, 2, and 3.
/var/db/config This directory is located on the device’s hard drive and contains rollback files 4 through 49.
/var/tmp This directory is located on the device’s hard drive. It holds core files from the various processes
on the Routing Engines. Core files are generated when a particular process crashes. Juniper
Networks engineers use these core files to diagnose the cause of the failure.
260
Table 14: Directories on the Device (Continued)
DIrectory Description
/var/log This directory is located on the device’s hard drive. It contains files generated by both the
device’s logging function and the traceoptions command.
/var/home This directory is located on the device’s hard drive. It contains a subdirectory for each configured
user on the device. These individual user directories are the default file location for many
software commands.
/altroot This directory is located on the device’s hard drive and contains a copy of the root file structure
from the internal flash drive. This directory is used in certain disaster recovery modes where the
internal flash drive is not operational.
/altconfig This directory is located on the device’s hard drive and contains a copy of the /config file
structure from the internal flash drive. This directory is also used in certain disaster recovery
modes when the internal flash drive is not operational.
List Files and Directories
You can view the device’s directory structure as well as individual files by issuing the file command in
operational mode.
1. To get help about the file command, enter file ?:
user@host> file ?
Possible
completions:

archive Archives files from the system
change-owner Change owner of file
change-permission Change permission of file
checksum Calculate file checksum
compress Compress file
copy Copy files (local or remote)
delete Delete files from the system
delete-directory Delete a directory
link Create link between files
261
list List file information

make-directory Create a new
make-directory Create a new
user@host> file
Help shows that the file command includes several options for manipulating files.
2. Use the list option to see the directory structure of the device. For example, to show the files
located in your home directory on the device:
user@host> file list

.ssh/
common
The default directory for the file list command is the home directory of the user logged in to the
device. In fact, the user’s home directory is the default directory for most of the commands requiring
a filename.
3. To view the contents of other file directories, specify the directory location. For example:
user@host> file list /config

juniper.conf
juniper.conf.1.gz
juniper.conf.2.gz
juniper.conf.3.gz
4. You can also use the device’s context-sensitive help system to locate a directory. For example:
user@host> file list /?

<path> Path to list
/COPYRIGHT Size: 6355, Last changed: Feb 13 2017
/altconfig/ Last changed: Aug 07 2017
/altroot/ Last changed: Aug 07 2017
/bin/ Last changed: Apr 09 22:31:35
/boot/ Last changed: Apr 09 23:28:39
/config/ Last changed: Apr 16 22:35:35
/data/ Last changed: Aug 07 2017
/dev/ Last changed: Apr 09 22:36:21
/etc/ Last changed: Apr 11 03:14:22
262
/kernel Size: 27823246, Last changed: Aug 07 2017

/mfs/ Last changed: Apr 09 22:36:49
/mnt/ Last changed: Jan 11 2017
/modules/ Last changed: Apr 09 22:33:54
/opt/ Last changed: Apr 09 22:31:00
/packages/ Last changed: Apr 09 22:34:38
/proc/ Last changed: May 07 20:25:46
/rdm.taf Size: 498, Last changed: Apr 09 22:37:31
/root/ Last changed: Apr 10 02:19:45
/sbin/ Last changed: Apr 09 22:33:55
/staging/ Last changed: Apr 09 23:28:41
/tmp/ Last changed: Apr 11 03:14:49
/usr/ Last changed: Apr 09 22:31:34
/var/ Last changed: Apr 09 22:37:30
user@host> file list /var/?
<path> Path to list
/var/account/ Last changed: Jul 09 2017
/var/at/ Last changed: Jul 09 2017
/var/backups/ Last changed: Jul 09 2017
/var/bin/ Last changed: Jul 09 2017
/var/crash/ Last changed: Apr 09 22:31:08
/var/cron/ Last changed: Jul 09 2017
/var/db/ Last changed: May 07 20:28:40
/var/empty/ Last changed: Jul 09 2017
/var/etc/ Last changed: Apr 16 22:35:36
/var/heimdal/ Last changed: Jul 10 2017
/var/home/ Last changed: Apr 09 22:59:18
/var/jail/ Last changed: Oct 31 2017
/var/log/ Last changed: Apr 17 02:00:10
/var/mail/ Last changed: Jul 09 2017
/var/msgs/ Last changed: Jul 09 2017
/var/named/ Last changed: Jul 10 2017
/var/packages/ Last changed: Jan 18 02:38:59
/var/pdb/ Last changed: Oct 31 2017
/var/preserve/ Last changed: Jul 09 2017
/var/run/ Last changed: Apr 17 02:00:01
/var/rundb/ Last changed: Apr 17 00:46:00
/var/rwho/ Last changed: Jul 09 2017
/var/sdb/ Last changed: Apr 09 22:37:31
/var/spool/ Last changed: Jul 09 2017
/var/sw/ Last changed: Jul 09 2017
/var/tmp/ Last changed: Apr 09 23:28:41
263
/var/transfer/ Last changed: Jul 09 2017

/var/yp/ Last changed: Jul 09 2017
user@host> file list /var/
5. You can also display the contents of a file. For example:
user@host>file show /var/log/inventory

Jul 9 23:17:46 CHASSISD release 8.4I0 built by builder on 2017-06-12 07:58:27 UTC
Jul 9 23:18:05 CHASSISD release 8.4I0 built by builder on 2017-06-12 07:58:27 UTC
Jul 9 23:18:06 Routing Engine 0 - part number 740-003239, serial number 9000016755
Jul 9 23:18:15 Routing Engine 1 - part number 740-003239, serial number 9001018324
Jul 9 23:19:03 SSB 0 - part number 710-001951, serial number AZ8025
Jul 9 23:19:03 SSRAM bank 0 - part number 710-001385, serial number 243071
Jul 9 23:19:03 SSRAM bank 1 - part number 710-001385, serial number 410608
...
Filenames and URLs

You can include a filename in CLI commands and configuration statements such as these:
• file copy
• file archive,
• load,
• save
• set system login user
• username
• authentication
• load-key-file
• request system software add
On a routing matrix, you can include chassis information as part of the filename (for example, lcc0, lcc0-
re0, or lcc0-re1).
You can specify a filename or URL in one of the following ways:
• filename—File in the user’s current directory on the local flash drive. You can use wildcards to specify
multiple source files or a single destination file. Neither HTTP nor FTP supports wildcards.
264
NOTE: Only the file (compare | copy | delete | list | rename | show) commands support
wildcards. When you issue the file show command with a wildcard, the command must
resolve to one filename.
• path/filename—File on the local flash disk.
• /var/filename or /var/path/filename—File on the local hard disk.
You can also specify a file on a local Routing Engine for a specific T640 router on a routing matrix:
user@host> file delete lcc0-re0:/var/tmp/junk
• a:filename or a:path/filename—File on the local drive. The default path is / (the root-level directory). The
removable media can be in MS-DOS or UNIX (UFS) format.
• hostname:/path/filename, hostname:filename, hostname:path/filename, or scp://hostname/path/filename—File on

an scp/ssh client. This form is not available in the worldwide version of the operating system. The
default path is the user’s home directory on the remote system. You can also specify hostname as
username@hostname.
• ftp://hostname/path/filename—File on an FTP server. You can also specify hostname as username@hostname or

username:password@hostname. The default path is the user’s home directory.
To specify an absolute path, the path must start with %2F; for example, ftp://hostname/%2Fpath/filename.
To have the system prompt you for the password, specify prompt in place of the password. If a
password is required, and you do not specify the password or prompt, an error message is displayed:
user@host> file copy ftp://[email protected]//filename

file copy ftp.hostname.net: Not logged in.
user@host> file copy ftp://username:[email protected]//filename
Password for [email protected]:
• http://hostname/path/filename—File on an HTTP server. You can also specify hostname as username@hostname

or username:password@hostname. If a password is required and you omit it, you are prompted for it.
• re0:/path/filename or re1:/path/filename—File on a local Routing Engine.

265
You can also specify a file on a local Routing Engine for a specific T640 router on a routing matrix:
user@host> show log lcc0-re1:chassisd
Display Operating System Information
You can display Junos OS version information and other status to determine if the version of the
software that you are running supports specific features or hardware.
To display this information:
1. Make sure you are in operational mode.

2. To display brief information and status for the kernel and Packet Forwarding Engine, enter the show
version brief command. This command shows version information for software packages installed on
the router.
If the Junos Crypto Software Suite is listed, the router has Canada and USA encrypted software. If
the Junos Crypto Software Suite is not listed, the router is running worldwide nonencrypted
software.
3. To display detailed version information, enter the show version detail command. This command
displays the hostname and version information for software packages installed on your router. It also
includes the version information for each software process.
Managing Programs and Processes Using Operational Mode Commands
IN THIS SECTION
Show Software Processes | 266
Restart the Software Process | 267
Stop the Software | 268
Reboot the Software | 269
This topic shows some examples of Junos OS operational commands that you can use to manage
programs and processes on a Juniper Networks device.
266
Show Software Processes

To verify system operation or to begin diagnosing an error condition, you may need to display
information about software processes running on the device.
To show software processes:
2. Enter the show system processes extensive command. This command shows the CPU utilization on the
device and lists the processes in order of CPU utilization.
The following table lists and describes the output fields included in this example. The fields are listed in
alphabetical order.
Table 15: The show system process extensive Command Output Fields
Field Description
COMMAND Command that is running.
last pid Last process identifier assigned to the process.
load averages Three load averages, followed by the current time.
Mem Information about physical and virtual memory allocation.
NICE UNIX “nice” value. The nice value allows a process to change its final scheduling priority.
PID Process identifier.
PRI Current kernel scheduling priority of the process. A lower number indicates a higher priority.
processes Number of existing processes and the number of processes in each state (sleeping, running,
starting, zombies, and stopped).
RES Current amount of resident memory, in KB.

267
Table 15: The show system process extensive Command Output Fields (Continued)
Field Description
SIZE Total size of the process (text, data, and stack), in KB.
STATE Current state of the process (sleep, wait, run, idle, zombi, or stop).
Swap Information about physical and virtual memory allocation.
USERNAME Owner of the process.
WCPU Weighted CPU usage.
Restart the Software Process

To correct an error condition, you might need to restart a software process running on the device. You
can use the restart command to force a restart of a software process.
CAUTION: Do not restart a software process unless specifically asked to do so by your

Juniper Networks customer support representative. Restarting a software process
during normal operation of a device can interrupt packet forwarding and cause data
loss.
To restart a software process:
2. Enter the following command:
user@host> restart process-name < (immediately | gracefully | soft) >
• process-name is the name of the process that you want to restart. For example, routing or class-of-
service. You can use the command completion feature of the system to see a list of software
processes that you can restart using this command.
• The option gracefully restarts the software process after performing clean-up tasks.
• The option immediately restarts the software process without performing any clean-up tasks.
268
• The option soft rereads and reactivates the configuration without completely restarting the
software processes. For example, BGP peers stay up and the routing table stays constant.
NOTE: The gracefully, immediately, and soft options for the restart command are optional and not
required for executing the command.
The following example shows how to restart the routing process:
user@host> restart routing

Routing protocol daemon started, pid 751
When a process restarts, the process identifier (PID) is updated.
Figure 11: Restarting a Process
Stop the Software
CAUTION: To avoid possible damage to the file system and to prevent data loss, you
must always shut down the software gracefully before powering off the device.
You must stop the software on a device through a direct console connection, not through the network.
As the software shuts down, the network will go down, and if you were connected that way, you will not
see the results output.
To stop the software:

269
2. Enter the request system halt command. This command stops all system processes and halts the
operating system. For example:
user@host> request system halt

Halt the system? [yes,no] (no) yes
shutdown: [pid 3110]
Shutdown NOW!
*** FINAL System shutdown message from root@host ***
System going down IMMEDIATELY
user@host> Dec 17 17:28:40 init: syslogd (PID 2514) exited with status=0 Normal Exit
Waiting (max 60 seconds) for system process `bufdaemon' to stop...stopped
Waiting (max 60 seconds) for system process `syncer' to stop...stopped
syncing disks... 4
done
Uptime: 3h31m41s
ata0: resetting devices.. done
The operating system has halted.
Please press any key to reboot.
Reboot the Software

After a software upgrade or to recover (occasionally) from an error condition, you must reboot the
software. As with the shutdown command, you must reboot through a direct console connection otherwise
you will not see the command output when the network goes down during the reboot process.
To reboot the software:
2. Enter the request system reboot command. This command displays the final stages of the system
shutdown and executes the reboot. Reboot requests are recorded to the system log files, which you
can view with the show log messages command. For example:
user@host>request system rebootReboot the system? [yes,no] (no)yes
shutdown: [pid 845]

Shutdown NOW!
*** FINAL System shutdown message from root@host ***
System going down IMMEDIATELY
270
user@host> Dec 17 17:34:20 init: syslogd (PID 409) exited with status=0 Normal Exit
Waiting (max 60 seconds) for system process `bufdaemon' to stop...stopped
Waiting (max 60 seconds) for system process `syncer' to stop...stopped
syncing disks... 10 6
done
Uptime: 2m45s
ata0: resetting devices.. done
Rebooting...
CLI Comment Character # for Operational Mode Commands
The comment character enables you to copy operational mode commands that include comments from
a file and paste them into the CLI. A pound or hash symbol (#) at the beginning of the command line
indicates a comment line. This command is useful for describing frequently used operational mode
commands, such as a user’s work instructions on how to monitor the network. To add a comment to a
command file, you must place # as the first character of the line. When you start a command with #, the
operating system disregards the rest of the line.
NOTE: The device configuration does not save the comments you enter in the CLI, whether
individually or by pasting in the contents of a configuration file. Comments entered at the CLI are
ignored.
To add comments in operational mode, you start with a # and end with a new line (carriage return):
user@host> #comment-string
comment-string is the text of the comment. The comment text can be any length, but each comment line
must begin with a #.
271
Filtering Operational Command Output
IN THIS SECTION
Example: Use Regular Expressions with the Pipe ( | ) Symbol to Filter Command Output | 272
Filter Operational Mode Command Output in a QFabric System | 288
The pipe | symbol lets you (the network administrator) filter the command output in both operational
and configuration modes.
About Using the Pipe ( | ) Symbol to Filter Command Output
You can filter command output by adding the pipe ( | ) symbol when you enter the command.
Example:
user@host> show rip neighbor ?

<name> Name of RIP neighbor
instance Name of RIP instance
logical-system Name of logical system, or 'all'
The following example lists the filters that you can use with the pipe symbol ( | ):
user@host> show interfaces | ?

user@host> show interfaces | ?
append Append output text to file
count Count occurrences
display Show additional kinds of information
272
except Show only text that does not match a pattern

find Search for first occurrence of pattern
hold Hold text without exiting the --More-- prompt
last Display end of output only
match Show only text that matches a pattern
no-more Don't paginate output
refresh Refresh a continuous display of the command
resolve Resolve IP addresses
save Save output text to file
tee Write to standard output and file
trim Trim specified number of columns from start of line
For the show configuration command only, you can combine the pipe symbol and question mark to display
an additional compare filter:
user@host> show configuration | ?

compare Compare configuration changes with prior version
...
You can enter any of the pipe filters in combination. For example:
user@host>command | match regular-expression | save filename
NOTE: This topic describes only the filters that you can use for operational mode command
output.
Example: Use Regular Expressions with the Pipe ( | ) Symbol to Filter

Command Output
You use the except, find, and match filters with the pipe symbol to employ regular expressions to filter
output. Juniper Networks uses the regular expressions as defined in POSIX 1003.2. If a regular
273
expression contains spaces, operators, or wildcard characters, enclose the expression in quotation
marks.
Table 16: Common Regular Expression Operators in Operational Mode Commands
Operator Function
| Indicates that a match can be one of the two terms on either side of the pipe.
^ Used at the beginning of an expression to denote where a match should begin.
$ Used at the end of an expression to denote that a term must be matched exactly up to the point of
the $ character.
[ ] Specifies a range of letters or digits to match. To separate the start and end of a range, use a hyphen
( - ).
( ) Specifies a group of terms to match.
For example, if a command produces the following output:
user@host> show chassis hardware

Hardware inventory:
Item Version Part number Serial number Description
Chassis F0632 MX80
Midplane REV 09 711-031594 ZW0568 MX80
PEM 0 Rev 04 740-028288 VK09886 AC Power Entry Module
Routing Engine BUILTIN BUILTIN Routing Engine
TFEB 0 BUILTIN BUILTIN Forwarding Engine Processor
QXM 0 REV 06 711-028408 ZW4288 MPC QXM
FPC 0 BUILTIN BUILTIN MPC BUILTIN
MIC 0 BUILTIN BUILTIN 4x 10GE XFP
PIC 0 BUILTIN BUILTIN 4x 10GE XFP
Xcvr 0 REV 02 740-014289 C825XU010 XFP-10G-SR
Xcvr 1 REV 03 740-014289 CB25BQ0WD XFP-10G-SR
Xcvr 2 REV 01 740-011571 C739XJ039 XFP-10G-SR
MIC 1 *** Hardware Not Supported ***
Fan Tray Fan Tray
274
A pipe filter of | match "FPC-1" displays the following output:
A pipe filter of | except "FPC 1" displays the following output:
Hardware inventory:
Item Version Part number Serial number Description
Chassis F0632 MX80
PEM 0 Rev 04 740-028288 VK09886 AC Power Entry Module
Routing Engine BUILTIN BUILTIN Routing Engine
TFEB 0 BUILTIN BUILTIN Forwarding Engine Processor
Fan Tray Fan Tray
Example: Pipe ( | ) Filter Functions in the Command-Line Interface
IN THIS SECTION
Examples of Configurations and Their Differences in Text | 275
Examples of Configurations and Their Differences in XML | 277
Example of Counting the Number of Lines of Output | 278
Example of Output Displayed in XML Tag Format | 278
Example of Displaying Static Configuration Data | 278
Example of Displaying Ephemeral Configuration Data | 279
Example of Displaying Output in JSON Format | 279
Example of Displaying the Configuration with YANG Translation Scripts Applied | 280
Example of Displaying the RPC Tags for a Command | 281
Example of Ignoring Output That Does Not Match a Regular Expression | 282
Example of Displaying Output from the First Match of a Regular Expression | 282
Example of Retaining Output After the Last Screen | 283
Example of Displaying Output Beginning with the Last Entries | 283
Example of Displaying Output That Matches a Regular Expression | 284

275
Example of Preventing Output from Being Paginated | 284
Example of Sending Command Output to Other Users | 284
Example of Resolving IP Addresses | 285
Example of Saving Output to a File | 285
Example of Appending Output to a File | 286
Example of Displaying Output on Screen and Writing to a File | 286
Example of Trimming Output by Specifying the Starting Column | 287
Example of Refreshing the Output of a Command | 287
This topic describes and provides examples of the pipe ( | ) filter functions that the Junos OS CLI
supports.
Examples of Configurations and Their Differences in Text
The compare filter compares the candidate configuration with either the current committed configuration
or a configuration file. It also displays the differences between the two configurations with text
characters.
To compare configuration files, you enter compare after the pipe ( | ) symbol, as follows:
show | compare [rollback n | filename]
The rollback n variable is the index into the list of previously committed configurations. The most
recently saved configuration is 0. If you do not specify arguments, the candidate configuration is
compared against the active configuration file (/config/juniper.conf), which is the same as comparing to
rollback index 0.
The full path (or URL) to a configuration file is filename.
The comparison output uses the following conventions:
• Statements that are in the candidate configuration only are prefixed with a plus sign (+).
• Statements that are in the comparison file only are prefixed with a minus sign (–).
• Statements that are unchanged are prefixed with a single blank space ( ).
276
Example:
user@host> show configuration system | compare rollback 9

[edit system]
+ host-name device;
+ backup-router 192.168.71.254;
- ports {
- console log-out-on-disconnect;
- }
[edit system name-server]
+ 172.17.28.11;
172.17.28.101 { ... }
[edit system name-server]
172.17.28.101 { ... }
+ 172.17.28.100;
+ 172.17.28.10;
[edit system]
- scripts {
- commit {
- allow-transients;
- }
- }
+ services {
+ ftp;
+ rlogin;
+ rsh;
+ telnet;
+ }
We have enhanced output from the show | compare command to more accurately reflect configuration
changes. This enhancement includes more intelligent handling of order changes in lists. For example,
consider group names that are reordered as follows:
groups {
groups {
group_xmp; group_xmp;
group_cmp; group_grp:
group_grp; group_cmp;
}
}
277
In early releases, output from the show | compare command looked like the following:
[edit groups]
- group_xmp;
- group_cmp;
- group_grp;
+ group_xmp;
+ group_grp;
+ group_cmp;
Now, output from the show | compare command looks like the following:
[edit groups]
group_xmp {...}
! group_grp {...}
Examples of Configurations and Their Differences in XML
The compare | display xml filter compares the candidate configuration with the current committed
configuration and displays the differences between the two configurations in XML. To compare
configurations, you enter compare | display xml after the pipe ( | ) symbol in either operational or
configuration mode.
Example in operational mode:
user@host> show configuration | compare | display xml
Example in configuration mode:
[edit]
You can enter a specific configuration hierarchy before using the | compare command. In configuration
mode, you can navigate to a hierarchy where the command is applied.
278
Example of Counting the Number of Lines of Output
To count the number of lines in command output, enter count after the pipe symbol ( | ). For example:
user@host> show configuration | count

Count: 269 lines
Example of Output Displayed in XML Tag Format
To display command output in XML tag format, you enter display xml after the pipe symbol ( | ).
The following example displays the show cli directory command output as XML tags:
user@host> show cli directory | display xml

<rpc-reply xmlns:junos="http://xml.juniper.net/junos/7.5I0/junos">
<cli>
<working-directory>/var/home/user</working-directory>
</cli>
<cli>
<banner></banner>
</cli>
</rpc-reply>
If the configuration data or command output contains characters that are outside of the 7-bit ASCII
character set, the CLI displays the equivalent UTF-8 decimal character reference for those characters in
the XML output.
Example of Displaying Static Configuration Data
You can view the inherited configuration data and information about the source group from which the
configuration has been inherited with respect to the static configuration database. To view this data, you
issue the show configuration | display inheritance command.
user@host> show configuration | display inheritance

## Last commit: 2018-03-29 15:54:17 PDT
version 16.2R2;
system {
...
}
279
Example of Displaying Ephemeral Configuration Data
Juniper Extension Toolkit (JET) applications, Network Configuration Protocol (NETCONF), and Junos
XML protocol client applications can configure the ephemeral configuration database. The ephemeral
database is an alternate configuration database that provides a fast programmatic interface for
performing configuration updates.
To view the complete post-inheritance configuration merged with the configuration data in all instances
of the ephemeral database, use the show ephemeral-configuration merge command.
user@host> show ephemeral-configuration merge

## Last changed: 2019-02-01 09:47:20 PST
version 18.2R1;
system {
...
}
Example of Displaying Output in JSON Format
You can display the configuration or command output in JavaScript Object Notation (JSON) format by
entering display json after the pipe symbol ( | ).
The following example displays the show cli directory command output in JSON format:
user@host> show cli directory | display json
{
"cli" : [
{
"working-directory" : [
{
"data" : "/var/home/username"
}
]
}
]
}
If the operational command output contains characters that are outside of the 7-bit ASCII character set,
the CLI displays the equivalent UTF-8 decimal character reference for those characters in the JSON
output.
280
Example of Displaying the Configuration with YANG Translation Scripts Applied
You can load YANG modules onto devices running Junos OS to augment the configuration hierarchy
with data models that Junos OS does not support natively. Junos OS does support translation of these
models.. The active configurations and candidate configurations contain the configuration data for non-
native YANG data models in the syntax defined by that model. These configurations do not explicitly
display the corresponding translated Junos OS syntax, which is committed as a transient change.
The | display translation-scripts filter displays the complete post-inheritance configuration, with the
translated configuration data from all enabled translation scripts explicitly included in the output. To
display the configuration with all enabled YANG translation scripts applied, append the | display
translation-scripts filter to the show configuration command in operational mode or the show command in
configuration mode. For example:
user@host> show configuration | display translation-scripts
To view just the non-native configuration data after translation, you use the | display translation-
scripts translated-config filter in either operational mode or configuration mode.
user@host> show configuration | display translation-scripts translated-config
In configuration mode, you can display just the configuration differences in the hierarchies
corresponding to non-native YANG data models before or after translation scripts are applied. To display
those differences, you append the configured-delta or translated-delta keyword, respectively, to the show |
display translation-scripts command. In both cases, the XML output displays the deleted configuration
data, followed by the new configuration data.
user@host# show | display-translation-scripts (configured-delta | translated-delta)
The following example displays a sample configuration with and without translation scripts applied. The
show command displays the configuration, which includes the non-native configuration data in the syntax
that the YANG data model defines. The | display translation-scripts filter displays the non-native
configuration data in both the syntax defined by the YANG data model and the translated Junos OS
syntax. Both commands display the entire configuration, which has been truncated for brevity in this
example. However, the show command returns the pre-inhertitance configuration, whereas the show |
display translation-scripts command returns the post-inheritance configuration.
user@host# show
...
myint:intconfig {
281
interfaces {
interface ge-0/0/0 {
config {
description test;
}
}
}
}
...
user@host# show | display translation-scripts

...
interfaces {
ge-0/0/0 {
description test;
gigether-options {
no-flow-control;
}
}
}
...
myint:intconfig {
interfaces {
interface ge-0/0/0 {
config {
description test;
}
}
}
}
...
Example of Displaying the RPC Tags for a Command
To display the remote procedure call (RPC) XML tags for an operational mode command, you enter
display xml rpc after the pipe symbol ( | ).
282
The following example displays the RPC tags for the show route command:
user@host> show route | display xml rpc

<rpc-reply xmlns:junos="http://xml.juniper.net/junos/10.1I0/junos">
<rpc>
<get-route-information>
</get-route-information>
</rpc>
<cli>
<banner></banner>
</cli>
</rpc-reply>
Example of Ignoring Output That Does Not Match a Regular Expression
To ignore text that matches a regular expression, specify the except command after the pipe symbol ( | ).
If the regular expression contains any spaces, operators, or wildcard characters, enclose it in quotation
marks.
The following example displays all users who are logged in to the router, except for the user root:
user@host> show system users | except root

8:28PM up 1 day, 13:59, 2 users, load averages: 0.01, 0.01, 0.00
USER TTY FROM LOGIN@ IDLE WHAT
user p0 device1.example.com 7:25PM - cli
Example of Displaying Output from the First Match of a Regular Expression
To display output starting with the first occurrence of text matching a regular expression, you enter find
after the pipe symbol ( | ). If the regular expression contains any spaces, operators, or wildcard
characters, enclose it in quotation marks.
The following example displays the routes in the routing table starting at IP address 208.197.169.0:
user@host> show route | find 208.197.169.0

208.197.169.0/24 *[Static/5] 1d 13:22:11
> to 192.168.4.254 via so-3/0/0.0
224.0.0.5/32 *[OSPF/10] 1d 13:22:12, metric 1
iso.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
283
47.0005.80ff.f800.0000.0108.0001.1921.6800.4015.00/160
*[Direct/0] 1d 13:22:12
> via lo0.0
The following example displays the first CCC entry in the forwarding table:
user@host> show route forwarding-table | find ccc

Routing table: ccc
MPLS:
Interface.Label Type RtRef Nexthop Type Index NhRef Netif
default perm 0 rjct 3 1
0 user 0 recv 5 2
1 user 0 recv 5 2
32769 user 0 ucst 45 1 fe-0/0/0.534
fe-0/0/0. (CCC) user 0 indr 44 2
10.0.16.2 Push 32768, Push
Example of Retaining Output After the Last Screen
You can retain output and scroll or search through it by holding rather than returning immediately to the
CLI prompt after viewing the last screen of output. To retain output, you enter hold after the pipe symbol
( | ). The following example prevents returning to the CLI prompt after you have viewed the last screen
of output from the show log log-file-1 command:
user@host> show log log-file-1 | hold
Example of Displaying Output Beginning with the Last Entries
You can view log files in which the end of the file contains the most recent entries. To display text
starting from the end of the output, you enter last <lines> after the pipe symbol ( | ).
The following example displays the last entries in log-file-1 file:
user@host> show log log-file-1 | last
NOTE: When the number of lines requested is less than the number of lines that the screen
length setting permits you to display, the system returns a subset. The system returns as many
284
lines as permitted by the screen length setting. That is, if your screen length is set to 20 lines and
you have requested only the last 10 lines, the system returns the last 19 lines instead of the last
10 lines.
Example of Displaying Output That Matches a Regular Expression
To display output that matches a regular expression, you enter match regular-expression after the pipe
symbol ( | ). If the regular expression contains any spaces, operators, or wildcard characters, enclose it in
quotation marks.
The following example matches all the Asynchronous Transfer Mode (ATM) interfaces in the
configuration:
user@host> show configuration | match at-

at-2/1/0 {
at-2/1/1 {
at-2/2/0 {
at-5/2/0 {
at-5/3/0 {
Example of Preventing Output from Being Paginated
By default, if output is longer than the length of the terminal screen, you receive a ---(more)--- message
to display the remaining output. To display the remaining output, you press Space.
To prevent the output from being paginated, you enter no-more after the pipe symbol ( | ).
The following example displays output from the show configuration command all at once:
user@host> show configuration | no-more
This feature is useful if you want to copy the entire output and paste it into an email message.
Example of Sending Command Output to Other Users
To display command output on the terminal of a specific user logged in to your router, or on the
terminals of all users logged in to your router, you enter request message (all | user account@terminal) after
the pipe symbol ( | ).
285
If you are troubleshooting your router and talking with a customer service representative on the phone,
you can share the command output. You use the request message command to send your representative
the command output you are currently viewing on your terminal.
The following example sends the output from the show interfaces command that you enter on your
terminal to the terminal of the user root@ttyp1:
user@host> show interfaces | request message user root@ttyp1
The user root@ttyp1 sees the following output appear on the terminal screen:
Message from user@host on /dev/ttyp0 at 10:32 PST...

Physical interface: dsc, Enabled, Physical link is Up
Type: Software-Pseudo, MTU: Unlimited...
Example of Resolving IP Addresses
In operational mode only, if the output of a command displays an unresolved IP address, you can enter |
resolve after the command to display the name associated with the IP address. The resolve filter enables
the system to perform a reverse DNS lookup of the IP address. If DNS is not enabled, the lookup fails
and no substitution is performed.
To perform a reverse DNS lookup of an unresolved IP address, you enter resolve <full-names> after the
pipe symbol ( | ). If you do not specify the full-names option, the name is truncated to fit whatever field
width limitations apply to the IP address.
The following example performs a DNS lookup on any unresolved IP addresses in the output from the
show ospf neighbors command:
user@host> show ospf neighbors | resolve
Example of Saving Output to a File
When command output is lengthy, when you need to store or analyze the output, or when you need to
send the output in an e-mail message or by FTP, you can save the output to a file. By default, the file is
placed in your home directory on the router.
To save command output to a file, you enter save filename after the pipe symbol ( | ).
286
The following example saves the output from the request support information command to a file named
my-support-info.txt:
user@host> request support information | save my-support-info.txt

Wrote 1143 lines of output to ‘my-support-info.txt’
Example of Appending Output to a File
When command output is displayed, you can either save the output to a file, which overwrites the
existing contents of that file, or you can append the output text to a specific file.
To append the command output to the file, you enter append filename after the pipe symbol ( | ).
The following example appends the output from the request support information command to a file named
my-support-info.txt:
user@host> request support information | append my-support-info.txt

Wrote 2247 lines of output to 'my-support-info.txt'
Example of Displaying Output on Screen and Writing to a File
When command output is displayed, you can also write the output to a file. To both display the output
and write it to a file, you enter tee filename after the pipe symbol (|).
The following example displays the output from the show interfaces ge-* terse command (displaying
information about the status of the Gigabit Ethernet interfaces on the device) and diverts the output to
a file called ge-interfaces.txt:
user@host> show interfaces ge-* terse | tee ge-interfaces.txt

Interface Admin Link Proto Local Remote
ge-0/1/0 up down
ge-0/1/1 up up
ge-0/1/2 up down
ge-0/1/3 up up
287
Unlike the UNIX tee command, only an error message is displayed if the file cannot be opened (instead
of displaying the output and then the error message).
user@host> show interfaces ge-* terse | tee /home/user/test.txt

error: tee failed: file /home/user/test.txt could not be opened
user@host>
Example of Trimming Output by Specifying the Starting Column
Output appears on the terminal screen in terms of rows and columns. The first alphanumeric character
starting at the left of the screen is in column 1, the second character is in column 2, and so on. To display
output starting from a specific column (thus trimming the leftmost portion of the output), you enter trim
columns after the pipe symbol ( | ). The trim filter is useful for trimming the date and time from the
beginning of system log messages.
The following example displays output from the show system storage command, filtering out the first 10
columns:
user@host> show system storage | trim 11
NOTE: The trim command does not accept negative values.
Example of Refreshing the Output of a Command
You can run an operational mode command with the | refresh pipe option to refresh the output
displayed on the screen periodically. The default refresh occurs every second. However, you can also
explicitly specify a refresh interval from 1 through 604,800 seconds. For example, to refresh the output
of the show interfaces command every 5 seconds, you run the following command:
user@host> show interfaces | refresh 5

288
Filter Operational Mode Command Output in a QFabric System
When you issue an operational mode command in a QFabric system, the output generated can be fairly
extensive because of the number of components contained within the system. To make the output more
accessible, you can filter the output by appending the | filter option to the end of most commands.
1. To filter operational mode command output and limit it to a Node group, include the | filter node-
group node-group-name option at the end of your operational mode command. For example:
root@qfabric> show interfaces terse | filter node-group NW-NG-0
Interface Admin Link Proto Local Remote

NW-NG-0:dsc up up
NW-NG-0:em0 up up
NW-NG-0:em1 up up
NW-NG-0:gre up up
NW-NG-0:ipip up up
NW-NG-0:lo0 up up
NW-NG-0:lo0.16384 up up inet 127.0.0.1 --> 0/0
NW-NG-0:lo0.16385 up up inet
NW-NG-0:lsi up up
NW-NG-0:mtun up up
NW-NG-0:pimd up up
NW-NG-0:pime up up
NW-NG-0:tap up up
Node01:ge-0/0/10 up up
vlan up up
2. To filter operational mode command output and limit it to a set of Node groups, include the | filter
node-group option at the end of your operational mode command and specify the list of Node group
names in brackets. For example:
root@qfabric> show ethernet-switching interfaces | filter node-group [NW-NG-0 RSNG-1]

Interface State VLAN members Tag Tagging Blocking
NW-NG-0:ae0.0 up v200 200 tagged unblocked
v50 50 tagged unblocked
289
RSNG-1:ae0.0 up v200 200 untagged unblocked

RSNG-1:ae47.0 up v50 50 tagged unblocked
Release Description
18.2R1 In Junos OS Release 18.1 and earlier, to view the complete post-inheritance configuration merged with
the configuration data in all instances of the ephemeral configuration database, use the show
ephemeral-configuration | display merge command. Starting in Junos OS Release 18.2R1, the display
merge option is deprecated.
17.3R1 Starting in Junos OS Release 17.3R1, OpenConfig supports the operational state emitted by daemons
directly in JSON format in addition to XML format. To configure JSON compact format, use the
command set system export-format state-data json compact. This command converts XML format to
compact JSON format. Else, it emits the JSON in non-compact format.
16.2R2 Starting in Junos OS Release 16.2R2, the show | compare | display xml command omits the
16.2R2 Starting in Junos OS Release 16.2R2, the show | compare | display xml command omits the
16.1 Starting in Junos OS Release 16.1, devices running Junos OS emit JSON-formatted configuration data
using a new default implementation for serialization.
16.1 Starting in Junos OS Release 16.1, you can load YANG modules onto devices running Junos OS to
augment the configuration hierarchy with data models that are not natively supported by Junos OS but
can be supported by translation. The active and candidate configurations contain the configuration data
for non-native YANG data models in the syntax defined by that model, but they do not explicitly display
the corresponding translated Junos OS syntax, which is committed as a transient change.
14.2 Starting in Junos OS Release 14.2, you can display the configuration or command output in JavaScript
Object Notation (JSON) format by entering display json after the pipe symbol ( | ).
290
8.3 Starting with Junos OS Release 8.3, output from the show | compare command has been enhanced to
more accurately reflect configuration changes. This includes more intelligent handling of order changes
in lists.
6 CHAPTER
Configuration Statements
apply-groups | 292
apply-groups-except | 293
archival | 295
autoinstallation | 297
commit activate | 299
commit prepare | 301
export-format | 303
groups | 305
no-hidden-commands | 309
server (Batch Commits) | 311
synchronize | 313

292
apply-groups
IN THIS SECTION
Syntax | 292
Hierarchy Level | 292
Description | 292
Options | 293
Required Privilege Level | 293
Release Information | 293
Syntax
apply-groups [ group-names ];
Hierarchy Level
All hierarchy levels
Description
Apply a configuration group to a specific hierarchy level in a configuration, to have a configuration

inherit the statements in the configuration group.
You can specify more than one group name. You must list them in order of inheritance priority. The
configuration data in the first group takes priority over the data in subsequent groups.
293
Options
group-names One or more names specified in the groups statement.
Required Privilege Level
configure—To enter configuration mode, but other required privilege levels depend on where the
statement is located in the configuration hierarchy.
Release Information
Statement introduced before Junos OS Release 7.4.
How to Apply a Configuration GroupThis is a concept, not a task. It describes how to apply a config
group but does not provide a procedure taking a user through the task. | 122
groups | 305
apply-groups-except
IN THIS SECTION
Syntax | 294
Description | 294
Options | 294

294
Syntax
apply-groups-except [ group-names ];
Hierarchy Level
All hierarchy levels except the top level
Description
Disable inheritance of a configuration group.
Options
group-names One or more names specified in the groups statement.
Release Information
groups | 305
295
Example: Disable Inheritance of a Configuration GroupThis isn't a task. It doesn't contain how-to
information. No procedure. Use an example heading since that the type of content this topic
contains. | 125
archival
IN THIS SECTION
Syntax | 295
Description | 296
Options | 296
Syntax
archival {
configuration {
archive-sites {
file://<path>/<filename>;
ftp://username@host:<port>url-path password password;
http://username@host:<port>url-path password password;
pasvftp://username@host:<port>url-path password password;
scp://username@host:<port>url-path password password;
}
transfer-on-commit;
}
routing-instance routing-instance;
}
296
Hierarchy Level
[edit system]
Description
Configure copying of the currently active configuration to an archive site. An archive site can be a file, or
an FTP, HTTP, passive FTP, or SCP location.
Options
configuration Configure the router or switch to periodically transfer its currently active
configuration (or after each commit). Parameters include archive-sites, transfer-interval,
and transfer-on-commit.
NOTE: The [edit system archival] hierarchy is not available on QFabric systems.
archive-sites Specify where to transfer the current configuration files. When specifying a URL in a
Junos OS statement using an IPv6 host address, you must enclose the entire URL in
quotation marks (" ") and enclose the IPv6 host address in brackets ([ ]). For example:
"scp://username<:password>@[ipv6-host-address]<:port>/url-path".
If you specify more than one archive site, the router or switch attempts to transfer the
configuration files to the first archive site in the list, moving to the next only if the
transfer fails. The destination filename is saved in the following format, where n
corresponds to the number of the compressed configuration rollback file that has
been archived:
router-name_YYYYMMDD_HHMMSS_juniper.conf.n.gz
NOTE: The time included in the destination filename is always in Coordinated

Universal Time (UTC) regardless of whether the time on the router or switch is
297
configured as UTC or the local time zone. The default time zone on the router
or switch is UTC.
transfer-interval The frequency, in minutes, for transferring the current configuration to an archive site.
Valid intervals are 15 to 2880 minutes.
transfer-on- Configure the router or switch to transfer its currently active configuration to an
commit archive site each time you commit a candidate configuration.
routing- Defines the routing instance through which a server is reachable.

instance
admin—To view this statement in the configuration.
admin-control—To add this statement to the configuration.
Release Information
autoinstallation
IN THIS SECTION
Syntax | 298
298
Description | 298
Options | 298
Syntax
autoinstallation;
Hierarchy Level
[edit system]
Description
Download a configuration file automatically from an FTP, Hypertext Transfer Protocol (HTTP), or Trivial
FTP (TFTP) server. When you power on a router or switch configured for autoinstallation, it requests an
IP address from a Dynamic Host Configuration Protocol (DHCP) server. Once the router or switch has an
address, it sends a request to a configuration server and downloads and installs a configuration.
Options
There are no options.

299
system—To view this statement in the configuration.
system-control—To add this statement to the configuration.
Release Information
ACX Series Autoinstallation Overview

Before You Begin Autoinstallation on an ACX Series Universal Metro Router
Autoinstallation Configuration of ACX Series Universal Metro Routers
USB Autoinstallation on ACX Series Routers
Verifying Autoinstallation on ACX Series Universal Metro Routers
show system autoinstallation status
Upgrading Software by Using Automatic Software Download for Switches
commit activate
IN THIS SECTION
Syntax | 300
Description | 300
Options | 300

300
Syntax
commit activate{
comment;
and-quit;
peers-synchronize;
synchronize;
}
Hierarchy Level
[edit system]
Description
Activate a previously prepared commit. Upon successful validation, during the activation stage,
previously prepared commits are activated. Also, pending activation files are checked during this stage. If
there are pending activation files, the existence of required files and daemon map present in the
database data structures are checked. If there is any failure, a log message is generated that informs you
that the commit has failed.
Options
and-quit (Optional) Commit the configuration and, if the configuration contains no errors and
the commit succeeds, exit from configuration mode.
no-synchronize (Optional) Do not synchronize the commit. Configure the commit prepare statement to
run without synchronization.
peers-synchronize (Optional) Synchronize the commit on remote peers.
synchronize (Optional) Synchronize the commit on both Routing Engines.

301
configure—To enter configuration mode.
Release Information
Statement introduced in Junos OS Release 17.3R1.

commit prepare
IN THIS SECTION
Syntax | 302
Description | 302
Options | 302

302
Syntax
commit prepare{
and-quit;
no-synchronize;
peers-synchronzie;
synchronize;
}
Hierarchy Level
[edit system]
Description
Prepare for an upcoming commit activation. Prepare the configurations that can be activated at a later
stage. During the preparation stage, all the required files and databases are generated and the
configuration is validated. A file is created that indicates if the commit is pending for activation. In the
event of failure during the preparation stage, the log message commit preparation failed is generated.
Options
and-quit (Optional) Commit the configuration and, if the configuration contains no errors and
the commit succeeds, exit from configuration mode.
no-synchronize (Optional) Do not synchronize the commit. Configure the commit prepare statement to
run without synchronization.
peers-synchronize (Optional) Synchronize the commit on remote peers.
synchronize (Optional) Synchronize the commit on both Routing Engines.

303
Release Information
Statement introduced in Junos OS Release 17.3.

export-format
IN THIS SECTION
Syntax | 304
Description | 304
Options | 304

304
Syntax
export-format {
json {
ietf;
verbose;
}
}
Hierarchy Level
[edit system]
Description
Specify the default implementation of the serialization to use for exported data in the given format. This
statement only affects device configuration data that is displayed in the requested format.
Options
json Define which implementation of the serialization to use for configuration data emitted in
JavaScript Object Notation (JSON) format.
Acceptable values include:
• ietf—JSON data is emitted according to the encoding rules defined in Internet drafts draft-ietf-
netmod-yang-json-09, JSON Encoding of Data Modeled with YANG, and draft-ietf-netmod-
yang-metadata-06, Defining and Using Metadata with YANG.
• verbose—JSON data is emitted in verbose format, which emits all objects as JSON arrays.
You can configure the verbose statement starting in Junos OS Release 16.1R1, even though the
statement is not exposed in the Junos OS CLI until a later release.
305
• Default: ietf in Junos OS Release 16.1R1 and later; verbose in earlier releases.
NOTE: Starting in Junos OS Release 17.3R1, OpenConfig supports the operational state emitted
by daemons directly in JSON format in addition to XML format. To configure JSON compact
format, use the following command: set system export-format state-data json compact.
This CLI command converts XML format to compact JSON format. Else, it emits the JSON in
non-compact format.
maintenance—To view this statement in the configuration.
maintenance-control—To add this statement to the configuration.
Release Information
Mapping Junos OS Command Output to JSON in the CLI

Mapping Junos OS Configuration Statements to JSON
groups
IN THIS SECTION
Syntax | 306

306
Description | 307
Options | 307
Syntax
groups {
group-name {
configuration-data;
when {
chassis chassis-id;
member member-id;
model model-id;
node node-id;
peers [ names-of-peers ]
routing-engine routing-engine-id;
time <start-time> [to <end-time>];
}
conditional-data;
}
lccn-re0 {
configuration-data;
}
lccn-re1 {
configuration-data;
}
}
Hierarchy Level
[edit]
307
Description
Create a configuration group.
NOTE: Junos OS does not support configuring statements corresponding to third-party YANG
data models, for example, OpenConfig or custom data models, under the [edit groups] hierarchy.
Options
group-name Name of the configuration group. To configure multiple groups, specify more than one
group name.
configuration- The configuration statements that are to be applied elsewhere in the configuration
data with the apply-groups statement, to have the target configuration inherit the
statements in the group.
when Define conditions under which the configuration group should be applied. Conditions
include the type of chassis, model, or Routing Engine, virtual chassis member, cluster
node, and start and optional end time of day. If you specify multiple conditions in a
single configuration group, all conditions must be met before the configuration group
is applied.
• chassis chassis-id—Specify the chassis type of the router. Valid types include SCC0,
SCC1, LCC0, LCC1 ... LCC3.
• member member-id—Specify the name of the member of the virtual chassis.
• model model-id—Specify the model name of the router, such as m7i or tx100.
• node node-id—Specify the cluster node.
• peers names-of-peers—Specify the names of the MC-LAG peers participating in

commit synchronization.
• routing-engine routing-engine-id—Specify the type of Routing Engine, re0 or re1.
• time start-time [to end-time]—Specify the start time or time duration for this
configuration group to be applied. If only the start time is specified, the
configuration group is applied at the specified time and remains in effect until the
308
time is changed. If the end time is specified, then on each day, the applied
configuration group is started and stopped at the specified times. The syntax for
specifying the time uses the format yyyy-mm-dd.hh:mm, hh:mm, or hh.
conditional-data Option introduced in Junos 11.3. The conditional statements that are to be applied
when this configuration group is applied. On routers that support multiple Routing
Engines, you can also specify two special group names:
• re0—Configuration statements that are to be applied to the Routing Engine in slot

0.
• re1—Configuration statements that are to be applied to the Routing Engine in slot

1.
On routers that support multiple Routing Engines, you can also specify two special
group names:
The configuration specified in group re0 is applied only if the current Routing Engine is
in slot 0; likewise, the configuration specified in group re1 is applied only if the current
Routing Engine is in slot 1. Therefore, both Routing Engines can use the same
configuration file, each using only the configuration statements that apply to it. Each
re0 or re1 group contains at a minimum the configuration for the hostname and the
management interface (fxp0). If each Routing Engine uses a different management
interface, the group also should contain the configuration for the backup router and
static routes.
(Routing matrix only) The TX Matrix router supports group names for the Routing
Engines in each connected T640 router in the following formats:
NOTE: The management Ethernet interface used for the TX Matrix Plus
router, T1600 routers in a routing matrix, and PTX Series Packet Transport
Routers, is em0. Junos OS automatically creates the router’s management
Ethernet interface, em0.
• lccn-re0—Configuration statements applied to the Routing Engine in slot 0 of the

specified T640 router that is connected to a TX Matrix router.
• lccn-re1—Configuration statements applied to the specified to the Routing Engine

in slot 1 of the specified T640 router that is connected to a TX Matrix router.
n identifies the T640 router and can be from 0 through 3.

309
Release Information

apply-groups
apply-groups-except
no-hidden-commands
IN THIS SECTION
Syntax | 310
Description | 310
Default | 310
Options | 310

310
Syntax
no-hidden-commands;
Hierarchy Level
[edit system]
Description
Hidden commands are software commands that are not published but could be run on a router. Hidden
commands serve a specific purpose, but for most part are not expected to be used, and as such are not
actively supported. The no-hidden-commands statement allows you to block all hidden commands to all users
except the root users.
Default
Hidden commands are enabled by default.
Options
This command has no options.
admin—To view this statement in the configuration.
admin-control—To add this statement to the configuration.

311
Release Information
Statement introduced in Junos OS Release 16.1R1.
server (Batch Commits)
IN THIS SECTION
Syntax | 311
Description | 312
Options | 312
Syntax
server {
commit-intervalnumber-of-seconds-between-commits;
commit-schedule-profile;
days-to-keep-error-logsdays-to-keep-error-log-entries;
maximum-aggregate-poolmaximum-number-of-commits-to-aggregate;
maximum-entries number-of-entries;
redirect-completion-status;
retry-attempts;
retry-interval;
traceoptions {
file filename;
files number;
flag (all | batch | commit-server | configuration);
size maximum-file-size;
(world-readable | no-world-readable);
312
}
}
Hierarchy Level
[edit system commit]
Description
Configure the system commit to occur in batches. Configure parameters for aggregating and saving
batch commits.
Options
commit-interval Configure the interval in seconds between commits.
days-to-keep-error-logs Configure the number of days to keep log entries. Valid range is from 1 to
366 days.
maximum-aggregate- Configure the maximum number of commits to aggregate together. The valid
pool range is 1 through 4294967295.
maximum-entries Configure the maximum number of commit entries.
redirect-completion- Configure the redirect asynchronous commit status to server configured here.
status
retry-attempts Configure the retry attempts for commit failure due to db lock error. The
default is 5 retries.
retry-interval Configure the retry interval in seconds for commit failure. The default is 20
seconds.
The remaining statements are explained separately. See CLI Explorer.

313
Release Information

synchronize
IN THIS SECTION
Syntax | 313
Description | 314
Options | 315
Syntax
synchronize;
314
Hierarchy Level
Description
For devices with multiple Routing Engines only. Configure the commit command to automatically perform
a commit synchronize action between dual Routing Engines within the same chassis. The Routing Engine on
which you execute the commit command (the requesting Routing Engine) copies and loads its candidate
configuration to the other (the responding) Routing Engine. Each Routing Engine then performs a syntax
check on the candidate configuration file being committed. If no errors are found, the configuration is
activated and becomes the current operational configuration on both Routing Engines.
NOTE: If you configure the commit synchronize statement at the [edit system] hierarchy level and
issue a commit in the primary Routing Engine, the primary configuration is automatically
synchronized with the backup. However, if the backup Routing Engine is down when you issue
the commit, the Junos OS displays a warning and commits the candidate configuration in the
primary Routing Engine. When the backup Routing Engine comes up, its configuration will
automatically be synchronized with the primary. A newly inserted backup Routing Engine
automatically synchronizes its configuration with the primary Routing Engine configuration.
NOTE: When you configure nonstop active routing (NSR), you must configure the commit
synchronize statement. Otherwise, the commit operation fails.
NOTE: Starting in Junos OS Release 20.2R1, when the commit synchronize statement is configured
and the backup Routing Engine synchronizes its configuration with the primary Routing Engine,
for example, when it is newly inserted, brought back online, or during a change in primary role, it
also synchronizes the ephemeral configuration database.
On the TX Matrix router, synchronization only occurs between the Routing Engines within the same
chassis. When synchronization is complete, the new configuration is then distributed to the Routing
Engines on the T640 routers. That is, the primary Routing Engine on the TX Matrix router distributes the
configuration to the primary Routing Engine on each T640 router. Likewise, the backup Routing Engine
315
on the TX Matrix router distributes the configuration to the backup Routing Engine on each T640
router.
On the TX Matrix Plus router, synchronization only occurs between the Routing Engines within the
switch-fabric chassis and when synchronization is complete, the new configuration is then distributed to
the Routing Engines on the line-card chassis (LCC). That is, the primary Routing Engine on the TX Matrix
Plus router distributes the configuration to the primary Routing Engine on each LCC. Likewise, the
backup Routing Engine on the TX Matrix Plus router distributes the configuration to the backup Routing
Engine on each LCC.
In EX Series Virtual Chassis configurations:
• On EX4200 switches in Virtual Chassis, synchronization occurs between the switch in the primary
role and the switch in the backup role.
• On EX8200 switches in a Virtual Chassis, synchronization occurs only between the primary and
backup XRE200 External Routing Engines.
Options
and-quit (Optional) Quit configuration mode if the commit synchronization succeeds.
at (Optional) Time at which to activate configuration changes.
comment (Optional) Write a message to the commit log.
force (Optional) Force a commit synchronization on the other Routing Engine (ignore warnings).
scripts (Optional) Push scripts to the other Routing Engine.

316
Release Information
Synchronizing the Routing Engine Configuration

traceoptions (Batch Commits)
IN THIS SECTION
Syntax | 316
Description | 317
Options | 317
Syntax
traceoptions {
file filename;
files number;
flag (all | batch | commit-server | configuration);
size maximum-file-size;
(world-readable | no-world-readable);
}
317
Hierarchy Level
[edit system commit server],

[edit system commit synchronize server]
Description
For software batch commits, configure tracing operations.
Options
file name Name of the file to receive the output of the tracing operation.
NOTE: If you configure traceoptions and do not explicitly specify a filename for
logging the events, the batch commit events are logged in the commitd file
(var/log/commitd) by default.
files number Maximum number of trace files.
flag flag Tracing operation to perform. To specify more than one tracing operation, include
multiple flag statements. You can include the following flags:
• all—All tracing operations flags.
• batch—Tracing operations for batch events.
• commit-server—Tracing operations for commit server events.
• configuration—Tracing operations for the reading of configuration.
size Maximum size of each trace file, in kilobytes (KB), megabytes (MB), or gigabytes (GB).
world- readable—Grant all users permission to read archived log files, or restrict the permission
readable | no- only to the root user and users who have the Junos OS maintenance permission.
world-
readable
318
Release Information

7 CHAPTER
CLI Commands
activate | 322
annotate | 323
clear log | 325
clear system commit prepared | 330
commit | 332
configure | 339
copy | 342
deactivate | 343
delete | 345
edit | 347
exit | 348
file | 350
help | 351
insert | 353
load | 355
| (pipe) | 358
protect | 363
quit | 365
rename | 366
replace | 368
request | 370
request system commit server pause | 372
request system commit server queue cleanup | 374
request system commit server start | 376
request system configuration rescue delete | 377
request system configuration rescue save | 379
restart | 381
rollback | 398
run | 400
save | 401
set | 404
set cli complete-on-space | 406
set cli directory | 408
set cli idle-timeout | 409
set cli prompt | 411
set cli restart-on-upgrade | 413
set cli timestamp | 420
set date | 422
show | 424
show cli | 425

show system commit server queue | 457
show system commit server status | 462
show system configuration rescue | 466
show system rollback | 468
status | 471
test configuration | 472
top | 474
unprotect | 475
up | 477
update | 478
wildcard delete | 480

322
activate
IN THIS SECTION
Syntax | 322
Description | 322
Options | 322
Syntax
activate <statement | identifier >
Description
Remove the inactive: tag from a statement, effectively adding the statement or identifier back to the
configuration. Statements or identifiers that have been activated take effect when you next issue the
commit command.
Options
identifier Identifier from which you are removing the inactive tag. It must be an identifier at the
current hierarchy level.
statement Statement from which you are removing the inactive tag. It must be a statement at the
current hierarchy level.
323
Release Information
Command introduced before Junos OS Release 7.4.
deactivate | 343
annotate
IN THIS SECTION
Syntax | 323
Description | 324
Options | 324
Syntax
annotate <statement> <comment string>

324
Description
Add comments to a configuration. You can add comments only at the current hierarchy level.
Any comments you add appear only when you view the configuration by entering the "show" on page
424 command in configuration mode or the show configuration command in operational mode.
NOTE: The software supports annotation up to the last level in the configuration hierarchy,
including oneliners. However, annotation of parts (child statements or identifiers within a
oneliner) of the oneliner is not supported. For example, in the following sample configuration
hierarchy, annotation is supported up to the oneliner level 1 , but not supported for the metric
child statement and its attribute 10:
[edit protocols]
isis {
interface ge-0/0/0.0 {
level 1 metric 10;
}
}
}
Options
statement Statement to which you are attaching the comment.
comment- Text of the comment. You must enclose it in quotation marks. In the comment string,
string you can include the comment delimiters /* */ or #. If you do not specify any, the
comment string is enclosed with the /* */ comment delimiters. If a comment for the
specified statement already exists, it is deleted and replaced with the new comment.
325
Release Information
clear log
IN THIS SECTION
Syntax | 325
Description | 325
Options | 326
Output Fields | 326
Sample Output | 326
Syntax
clear log filename

<all>
Description
Remove contents of a log file.

326
Options
filename Name of the specific log file to delete. Note that the file name cannot contain any special
characters, including: ![=;|(){}]
all (Optional) Delete the specified log file and all archived versions of it.
clear
Output Fields
See file list for an explanation of output fields.
Sample Output
clear log
The following sample commands list log file information, clear the contents of a log file, and then display
the updated log file information:
user@host> file list lcc0-re0:/var/log/sampled detail

lcc0-re0:
--------------------------------------------------------------------------
-rw-r----- 1 root wheel 26450 Jun 23 18:47 /var/log/sampled
total 1
user@host> clear log lcc0-re0:sampled

lcc0-re0:
--------------------------------------------------------------------------
user@host> file list lcc0-re0:/var/log/sampled detail

lcc0-re0:
327
--------------------------------------------------------------------------
-rw-r----- 1 root wheel 57 Sep 15 03:44 /var/log/sampled
total 1
Release Information
show log
clear system commit
IN THIS SECTION
Syntax | 327
Description | 328
Options | 328
Output Fields | 328
Sample Output | 329
Syntax
clear system commit

<synchronize-server pending-jobs>
328
Description
Clear pending commit operations.
Options
none Clear pending commit operations on the static configuration database.
synchronize- (Optional) Clear pending commit synchronize operations for all instances of the
server pending- ephemeral configuration database on an MX Series Virtual Chassis or a device with
jobs
dual Routing Engines. This option can only be executed on the primary Routing
Engine of the Virtual Chassis primary router or the dual Routing Engine system.
NOTE: The clear system commit synchronize-server pending-jobs command should

be used only under the supervision of the Juniper Networks Technical
Assistance Center (JTAC) during a troubleshooting session.
maintenance (or the actual user who scheduled the commit)
Output Fields
When you enter this command, you are provided feedback on the status of your request.
329
Sample Output
clear system commit
user@host> clear system commit

Pending commit cleared.
clear system commit (None Pending)

No commit scheduled.
clear system commit (User Does Not Have Required Privilege Level)

error: Permission denied
clear system commit synchronize-server pending-jobs
user@host> clear system commit synchronize-server pending-jobs
Release Information
Option synchronize-server introduced in Junos OS Release 17.2R1.

330
clear system commit prepared
IN THIS SECTION
Syntax | 330
Description | 330
Options | 330
Output Fields | 331
Sample Output | 331
Syntax
Description
Clear the prepared commit. This initiates cleanup of the saved database data structures and the
necessary files that are generated as a result of the commit preparation stage and unlinks the pending
activation file. A log message is generated upon successful clearing of the pending commit.
Options

331
Maintenance (or the actual user who scheduled the commit)
Output Fields
Sample Output
user@host> clear system commit prepared

Prepared commit cleared.
clear system commit prepared (None Prepared)
user@host> clear system commit prepared

No commit prepared.
Release Information
Command introduced in Junos OS Release 17.3.

332
commit
IN THIS SECTION
Syntax | 332
Description | 332
Options | 333
Additional Information | 337
Syntax
commit
<activate>
<and-quit>
<at “string”>
<check>
<comment <comment-string>
<confirmed>
<peers-synchronize>
<prepare>
<scripts>
<synchronize | no-synchronize>
< | >
Description
Commit the set of changes to the database and cause the changes to take operational effect.
333
NOTE: The fast-synchronize option is not supported in the QFX Series Virtual Chassis.
The peers-synchronize option is not supported in SRX Series devices.
NOTE: Beginning in Junos OS 12.3, it is possible that FPCs brought offline using the request
chassis fpc slot fpc-slot offline operational-mode CLI command can come online during a
configuration commit or power-supply replacement procedure. As an alternative, use the set fpc
fpc-slot power off configuration-mode command at the [edit chassis] hierarchy level to ensure that
the FPCs remain offline.
In Junos OS Evolved, if an FPC or PIC is brought offline, neither will be started when you enter a commit
command that configures an element of the offline FPC or PIC.
Options
none Execute the commit command without any options to commit the configuration
changes to the configuration database.
activate Complete commit in two steps of preparing the configuration for commit and later
(Optional) activating the configuration. This enables you configure a number of devices and
simultaneously activate the configurations on multiple devices.
and-quit Commit the configuration and, if the configuration contains no errors and the commit
(Optional) succeeds, exit from configuration mode.
at string (Optional) Save software configuration changes and activate the configuration at a
future time, or upon reboot. The variable string is reboot or the future time to activate
the configuration changes. Enclose the string value (including reboot) in quotation marks
(“ ”). You can specify time in two formats:
• A time value in the form hh:mm[:ss] (hours, minutes, and optionally seconds)— Commit
the configuration at the specified time, which must be in the future by at least one
minute but before 11:59:59 PM on the day the commit at configuration command is
issued. Use 24-hour time for the hh value; for example, 04:30:00 is 4:30:00 AM, and
20:00 is 8:00 PM. The time is interpreted with respect to the clock and time zone
settings on the device.
334
• A date and time value in the form yyyy-mm-dd hh:mm[:ss] (year, month, date, hours,
minutes, and, optionally, seconds)—Commit the configuration at the specified day
and time, which must be after the commit at command is issued. Use 24-hour time
for the hh value. For example, 2003-08-21 12:30:00 is 12:30 PM on August 21, 2003.
The time is interpreted with respect to the clock and time zone settings on the
router.
For example, commit at "18:00:00". For date and time, include both values in the same
set of quotation marks. For example, commit at "2018-03-10 14:00:00".
• A commit check is performed when you issue the commit at configuration mode
command. If the result of the check is successful, then the current user is logged out
of configuration mode, and the configuration data is left in a read-only state. No
other commit can be performed until the scheduled commit is completed.
NOTE: If Junos OS fails before the configuration changes become active, all
configuration changes are lost.
You cannot enter the commit at configuration mode command when there is a
pending reboot.
You cannot enter the request system reboot command once you schedule a
commit operation for a specific time in the future.
You cannot commit a configuration when a scheduled commit is pending. For

information about how to use the clear system commit command to cancel a
scheduled commit configuration, see clear system commit.
check (Optional) Verify the syntax of the configuration, but do not activate it.
comment (Optional) Add a comment that describes the committed configuration. The comment
comment- can be as long as 512 bytes and must be typed on a single line. You cannot include a
string
comment with the commit check command. Enclose comment-string in quotation marks (" ").
For example, commit comment "Includes changes recommended by user".
confirmed in (Optional) Require that the commit be confirmed within the specified amount of time.
minutes
• To confirm a commit, enter either a commit or commit check command.
• If the commit is not confirmed within the time limit, the configuration rolls back
automatically to the precommit configuration and a broadcast message is sent to all
logged-in users. To show when a rollback is scheduled, enter the show system commit
335
command. The allowed range is 1 through 65,535 minutes, and the default is
10 minutes.
• The timeout for the commit confirmed command is calculated based on the system
time, when the commit confirmed command is issued. In case the system time is
modified while a commit confirmed is pending, the remaining time until commit
execution might get shortened (in case the old system time is behind) or prolonged
(in case the old system time is ahead) from the intended interval.
• In Junos OS Release 11.4 and later, you can also use the commit confirmed command in
the [edit private] configuration mode.
no- (Optional) Configure the commit command to run without synchronization. This can be
synchronize useful in situations, for example, where a Routine Engine configuration is corrupted
such that a commit synchronization is not possible or will block the commit.
• This option allows you to commit only on the current Routing Engine even if set
system commit synchronize is configured.
• This option overrides the commit peer-synchronize configuration as well. If you have
configured the commit synchronize using set system commit synchronize and then use
the command commit no-synchronize, the commit will happen only on the device issuing
the command.
• When using commit synchronize, the commit is first done in the other Routing Engine
and then in the current one. If the other Routine Engine is corrupted, the commit
will fail. In such cases, you can use commit no-synchronize. This command cannot be
configured using set. It can only be run.
peers- (Optional) Configure the commit command to automatically perform a peers-

synchronize synchronize action between peers. The local peer (or requesting peer) on which you
enable the peers-synchronize statement copies and loads its configuration to the
remote (or responding) peer. Each peer then performs a syntax check on the
configuration file being committed. If no errors are found, the configuration is activated
and becomes the current operational configuration on both peers.
synchronize (Optional) If your router has two Routing Engines, you can manually direct one Routing
Engine to synchronize its configuration with the other by issuing the commit synchronize
command. The Routing Engine on which you execute this command (the request
Routing Engine) copies and loads its candidate configuration to the other Routing
Engine (the responding Routing Engine). Both Routing Engines then perform a syntax
check on the candidate configuration file being committed. If no errors are found, the
configuration is activated and becomes the current operational configuration on both
Routing Engines.
336
The synchronize option has the following two additional options:
• force—(Optional) Enforce commit synchronization on the Routing Engines by using

the force option.
The commit synchronize command does not work if the responding Routing Engine has
uncommitted configuration changes. You can enforce commit synchronization on
the Routing Engines by using the force option. When you issue the commit synchronize
command with the force option from one Routing Engine, the configuration sessions
on the other Routing Engine are terminated and the configuration is synchronized
with that on the Routing Engine from which you issued the command.
• scripts—(Optional) Synchronize all commit, event, lib, op, and SNMP scripts from the
requesting Routing Engine to the responding Routing Engine and commit and
synchronize the configuration.
If the commit check operation fails for the requesting Routing Engine, the process
stops, and the scripts are not copied to the responding Routing Engine. If the commit
check or commit operation fails for the responding Routing Engine, the scripts are still
synchronized, since the synchronization occurs prior to the commit check operation on
the responding Routing Engine.
• If the load-scripts-from-flash statement is configured at the [edit system scripts]

hierarchy level for the requesting Routing Engine, the device synchronizes the
scripts from flash memory on the requesting Routing Engine to flash memory on the
responding Routing Engine. Otherwise, the device synchronizes the scripts from the
hard disk on the requesting Routing Engine to the hard disk on the responding
Routing Engine. The device synchronizes all scripts regardless of whether they are
enabled in the configuration or have been updated since the last synchronization.
NOTE: It can happen that the commit synchronize command is initiated at the same
time from both Routing Engines, which causes the process to hang. As of Junos
OS Release 15.1, this is a temporary (20 seconds) anomaly, after which the user
can try the commit sychronize command again.
NOTE: When you issue the commit synchronize command, you must use the apply-
groups re0 and re1 commands. For information about how to use groups, see
"Disabling Inheritance of a Configuration Group" on page 125.
The responding Routing Engine must use Junos OS Release 5.0 or later.
337
prepare (Optional) Prepare the configuration to activate at a later stage. During the preparation
stage, all the required files and databases are generated and the configuration is
validated. A file is created that indicates if the commit is pending for activation. In the
event of failure during the preparation stage, the log message commit preparation
failed is generated.
scripts (Optional) Commit newly enabled scripts during the commit operation and push scripts
to the other Routing Engine.
| (pipe) (Optional) Use the | (pipe)) options to filter the output of the commit command.
Additional Information
NOTE: Beginning in Junos OS 12.3, it is possible that FPCs brought offline using the request
chassis fpc slot fpc-slot offline operational-mode CLI command can come online during a
configuration commit or power-supply replacement procedure. As an alternative, use the set fpc
fpc-slot power off configuration-mode command at the [edit chassis] hierarchy level to ensure that
the FPCs remain offline.
| display detail—(Optional) Monitors the commit process.
NOTE: In Junos OS Release 10.4 and later, if the number of commit details or messages exceeds
a page when used with the | display detail pipe option, the more pagination option on the screen
is no longer available. Instead, the messages roll up on the screen by default, just like using the
commit command with the | no more pipe option.
NOTE: If you are using Junos OS in a Common Criteria environment, system log messages are
created whenever a secret attribute is changed (for example, password changes or changes to the
338
operations:
load merge
load replace
load override
load update
For more information, see the Secure Configuration Guide for Common Criteria and Junos-FIPS
Release Information
Option synchronize scripts introduced in Junos OS Release 13.2.
Option no-synchronize introduced in Junos OS Release 17.2R1

Committing Configurations on a Routing Matrix with a TX Matrix Plus Router
Commit Script Overview
339
configure
IN THIS SECTION
Syntax | 339
Syntax (Junos OS Evolved) | 339
Description | 340
Options | 340
Output Fields | 341
Sample Output | 341
Syntax
configure
<batch>
<dynamic>
<exclusive>
<private>
Syntax (Junos OS Evolved)
configure
<batch>
<exclusive>
<private>
340
Description
Enter configuration mode. When this command is entered without any optional keywords, everyone can
make configuration changes and commit all changes made to the configuration.
Options
none Enter configuration mode.
batch (Optional) Work in the batch commit mode where commit operations are executed in
batches.
dynamic (Optional) (Not available for Junos OS Evolved) Configure routing policies and certain routing
policy objects in a dynamic database that is not subject to the same verification required in
the standard configuration database. As a result, the time it takes to commit changes to the
dynamic database is much shorter than for the standard configuration database. You can
then reference these policies and policy objects in routing policies you configure in the
standard database.
exclusive (Optional) Lock the candidate configuration for as long as you remain in configuration mode,
allowing you to make changes without interference from other users. Other users can enter
and exit configuration mode, but they cannot change the configuration.
private (Optional) Allow multiple users to edit different parts of the configuration at the same time
and to commit only their own changes, or to roll back without interfering with one another's
changes. You cannot commit changes in configure private mode when another user is in
configure exclusive mode. This mode does not support configuring statements corresponding
to third-party YANG data models, for example, OpenConfig or custom YANG data models.
For more information about the different methods of entering configuration mode and the restrictions
that apply, see the Junos OS Administration Library for Routing Devices.
341
configure
Output Fields
When you enter this command, you are placed in configuration mode and the system prompt changes
from hostname> to hostname#.
Sample Output
configure
[edit]
user@host#
Release Information
The dynamic option of the configure command is deprecated for Junos OS Evolved.

342
copy
IN THIS SECTION
Syntax | 342
Description | 342
Options | 342
Syntax
copy existing-statement to new-statement
Description
Make a copy of an existing statement in the configuration.
Options
existing-statement Statement to copy.
new-statement Copy of the statement.

343
Release Information
deactivate
IN THIS SECTION
Syntax | 343
Description | 344
Options | 344
Syntax
deactivate (statement | identifier)

344
Description
Add the inactive: tag to a statement, effectively commenting out the statement or identifier from the
configuration. Statements or identifiers marked as inactive do not take effect when you issue the commit
command.
Options
identifier Identifier to which you are adding the inactive: tag. It must be an identifier at the current
hierarchy level.
statement Statement to which you are adding the inactive: tag. It must be a statement at the current
hierarchy level.
Release Information
activate | 322
delete | 345
345
delete
IN THIS SECTION
Syntax | 345
Description | 345
Options | 346
Sample Output | 346
Syntax
delete <statement-path> <identifier>
Description
Delete a statement or identifier. All subordinate statements and identifiers contained within the
Deleting a statement or an identifier effectively “unconfigures” or disables the functionality associated

with that statement or identifier.
If you do not specify statement-path or identifier, the entire hierarchy, starting at the current hierarchy
level, is removed.
NOTE: For Junos OS Evolved, if you use the delete configuration command at the top level of the
configuration, you cannot commit the resulting empty configuration. At a minimum, the root
authentication password is required.
346
Options
statement-path (Optional) Path to an existing statement or identifier. Include this if the statement or
identifier to be deleted is not at the current hierarchy level.
identifier (Optional) Name of the statement or identifier to delete.
Sample Output
delete (Junos OS Evolved)
[edit]
user@host# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes
If you then try to commit the change, you get this:
user@host# commit
error: cannot commit an empty configuration
Release Information

347
deactivate | 343
edit
IN THIS SECTION
Syntax | 347
Description | 347
Options | 347
Syntax
edit statement-path
Description
Move inside the specified statement hierarchy. If the statement does not exist, it is created.
You cannot use the edit command to change the value of identifiers. You must use the set command.
Options
statement-path Path to the statement.

348
Release Information
exit
IN THIS SECTION
Syntax | 348
Description | 349
Options | 349
Syntax
exit <configuration-mode>
349
Description
Exit the current level of the statement hierarchy, returning to the level prior to the last edit command, or
exit from configuration mode. The quit and exit commands are synonyms.
Options
none Return to the previous edit level. If you are at the top of the statement hierarchy,
exit configuration mode.
configuration-mode (Optional) Exit from configuration mode.
Release Information

350
file
IN THIS SECTION
Syntax | 350
Description | 350
Options | 350
Syntax
file <archive | checksum | compare | copy | delete | list | rename | show | source address>
Description
Archive files from the device, copy files to and from the router or switch, calculate the file checksum,
compare files, delete a file from the device, list files on the device, rename a file, show file contents, or
show the local address to initiate a connection.
Options
archive (Optional) Archive, and optionally compress, one or multiple local system files as a single
file, locally or at a remote location.
checksum (Optional) Calculate the Message Digest 5 (MD5) checksum of a file.
compare (Optional) Compare two local files and describe the differences between them in default,
context, or unified output styles.
351
copy (Optional) Copy files from one place to another on the local device or between the local
device and a remote system.
delete (Optional) Delete a file on the local device.
list (Optional) Display a list of files on the local device.
rename (Optional) Rename a file on the local device.
show (Optional) Display the contents of a file.
source address Specify the source address of the local file.

(Optional)
maintenance
Release Information
help
IN THIS SECTION
Syntax | 352
Description | 352
Options | 352
352
Syntax
help < (apropos string | reference statement-name| syslog syslog-tag| tip cli number | topic
word)>
Description
Display help about available operational commands, configuration statements, or general information
about getting help. Entering the help command without an option provides introductory information
about how to use the help and ? commands.
Options
apropos string—(Optional) Display command names and help text that matches the string specified. If the
string contains spaces, enclose it in quotation marks (" " ). You can also specify a regular expression for
the string, using standard UNIX-style regular expression syntax.
reference statement-name—(Optional) Display summary information for a configuration statement. This

information is based on summary descriptions that appear in the Junos configuration guides.
syslog syslog-tag—(Optional) Display information about system log messages.
tip cli number—(Optional) Display a tip about using the CLI. Specify the number of the tip you want to
view.
topic word—(Optional) Display usage guidelines for a topic or configuration statement. This information
is based on subjects that appear in the Junos configuration guides.
353
None
Release Information
The apropos option was added in Junos OS Release 8.0.
insert
IN THIS SECTION
Syntax | 353
Description | 354
Options | 354
Syntax
insert <statement-path> identifier1 (before | after) identifier2

354
Description
Insert an identifier in to an existing hierarchy.
Options
statement-path (Optional) Path to the existing identifier.
identifier1 The existing identifier.
after Place identifier1 after identifier2.
before Place identifier1 before identifier2.
identifier2 The new identifier to insert.
Release Information

355
load
IN THIS SECTION
Syntax | 355
QFX Series | 355
VMX Series | 355
Description | 356
Options | 356
Sample Output | 358
Syntax
load (factory-default | merge | override | patch | replace | set | update) (filename | terminal)
<json>
<relative>
QFX Series
load (dhcp-snooping filename)
VMX Series
load (<dhcp-security-snoop | dhcpv6-security-snoop>filename)

356
Description
Load a configuration from an ASCII configuration file, from terminal input, or from the factory default.
Your current location in the configuration hierarchy is ignored when the load operation occurs.
For information on valid filename and URL formats, see Format for Specifying Filenames and URLs in
Junos OS CLI Commands.
NOTE: load can be run from configuration mode only.
Options
dhcp-snooping—(QFX Series switches) Loads DHCP snooping entries.
dhcp-security-snoop—(VMX Series switches) Loads DHCP snooping entries.
dhcpv6-security-snoop—(VMX Series switches) Loads DHCPv6 snooping entries.
factory-default—Loads the factory configuration. The factory configuration contains the manufacturer’s
suggested configuration settings. The factory configuration is the first configuration for the router or
switch and is loaded when the router or switch is first installed and powered on. The factory-default
option cannot be combined with other options.
NOTE: To load the factory default configuration, you must first "unprotect" on page 475 any
protected hierarchies in the configuration.
filename—Name of the file to load. For information about specifying the filename, see "Viewing Files and
Directories on a Juniper Networks Device" on page 259.
json—(Optional) Load configuration data that uses JavaScript Object Notation (JSON) format. This option
can be used with the merge, override, or update options.
merge—Combine the configuration that is currently shown in the CLI with the configuration.
override—Discard the entire configuration that is currently shown in the CLI and load the entire
configuration. Marks every object as changed.
patch—Change part of the configuration and mark only those parts as changed.
357
relative—(Optional) Load the new configuration data relative to the current edit point in the
configuration hierarchy.
replace—Look for a replace tag in filename, delete the existing statement of the same name, and replace it
with the configuration.
set—Merge a set of commands with an existing configuration. This option executes the configuration
instructions line by line as they are stored in a file or from a terminal. The instructions can contain any
configuration mode command, such as set, edit, exit, and top.
terminal—Use the text you type at the terminal as input to the configuration. Type Ctrl+d to end terminal
input.
update—Discard the entire configuration that is currently shown in the CLI, and load the entire
configuration. Marks changed objects only.
NOTE: If you are using Junos OS in a Common Criteria environment, system log messages are
created whenever a secret attribute is changed (for example, password changes or changes to the
operations:
load merge
load replace
load override
load update
For more information, see the Secure Configuration Guide for Common Criteria and Junos-FIPS.
NOTE: The load commands for dhcp-security-snoop and dhcpv6-security-snoop are restricted to admin
only.
358
Sample Output
The following is an example of a load scenario using Secure Copy (scp).
To Load a Configuration File Using Secure Copy Protocol (scp) with ’source-address’
and ’routing-instance’ options
To load a configuration file using the scp command with the source-address and routing-instance options,
enter the following command:
root@host# load merge scp://user@hostname/path/filename source-address address routing-instance

instance-name
The scp options source-address and routing-instance are supported for load override, load patch, load
replace, load set, and load update options also.
Release Information
json option introduced in Junos OS Release 16.1.
| (pipe)
IN THIS SECTION
Syntax | 359
Description | 359
Options | 359
359
Syntax
| (compare | count |
display (changed | commit-scripts | detail | inheritance | json | merge | omit | set |
translation-scripts <configured-delta | translated-config | translated-delta> | xml) |
except pattern | find pattern | hold | last lines | match pattern | no-more | refresh
interval |
request message (all | account@terminal)
resolve <full-names> | save filename | append filename | tee | trim columns )
Description
Filter the output of an operational mode or a configuration mode command.
Options
append filename Append the output to a file.
compare (filename | Compare configuration changes with another configuration file. In operational
rollback n ) mode, use the show configuration command. In configuration mode, use the show
command.
compare | display xml Compare configuration changes with the active configuration and display them
in XML format. In operational mode, use the show configuration command. In
configuration mode, use the show command.
count Display the number of lines in the output.
display Display additional information about the configuration contents.

360
changed Tag changes with junos:changed attribute (XML only).
commit- (Configuration mode only) Display all statements that are in a

scripts configuration, including statements that were generated by
transient changes.
detail (Configuration mode only) Display configuration data detail.
inheritance (Configuration mode only) Display inherited configuration data

<brief | and source group.
default | no-
comments |
groups |
terse>
json Display the output for operational commands and
configuration data in JavaScript Object Notation (JSON)
format.
merge Use with the show ephemeral-configuration command to display the

merged view of the static and ephemeral configuration
databases in Junos OS Release 18.1 and earlier releases.
Issuing the show ephemeral-configuration | display merge command
displays the configuration data from all instances of the
ephemeral configuration database merged with the complete
post-inheritance configuration.
Starting in Junos OS Release 18.2R1, to display the merged

view of the static and ephemeral configuration databases, use
the show ephemeral-configuration merge command instead.
omit (Configuration mode only) Display configuration statements

omitted by the apply-flags omit configuration statement.
set Display the configuration as a series of configuration mode

commands required to re-create the configuration.
translation- Display the configuration with YANG translation scripts

scripts applied.
To view the complete post-inheritance configuration with the

translated configuration data from all enabled YANG
translation scripts included in the output, append the | display
translation-scripts filter to the show configuration command in
operational mode or the show command in configuration mode.
361
You can also append one of several keywords to display

different views of the configuration data corresponding to the
non-native YANG data models:
• configured-delta—In configuration mode, compare the

candidate and active configurations, and display
configuration changes in the statements or hierarchies
corresponding to non-native YANG data models before any
translation is applied. The XML output displays the deleted
content, followed by the new content in the syntax defined
by the YANG data model.
• translated-config—In operational or configuration mode,

display all non-native configuration data present in the
committed or candidate configuration, respectively, after
processing by all enabled translation scripts into Junos OS
syntax.
• translated-delta—In configuration mode, compare the

candidate and active configurations, and display
configuration changes in the statements or hierarchies
corresponding to non-native YANG data models after
translation is applied. The XML output displays the deleted
content, followed by the new content in Junos OS syntax.
xml (Operational mode only) Display the command output as Junos

XML protocol (Extensible Markup Language [XML]) tags.
except pattern Ignore text matching a regular expression when searching the output. If the
regular expression contains spaces, operators, or wildcard characters, enclose it
in quotation marks.
find pattern Display the output starting at the first occurrence of text matching a regular
expression. If the regular expression contains spaces, operators, or wildcard
characters, enclose it in quotation marks (" ").
hold Hold text without exiting the --More-- prompt.
last lines Display the last number of lines you want to view from the end of the
configuration. However, when the number of lines requested is less than the
number of lines that the screen length setting permits you to display, Junos
returns as many lines as permitted by the screen length setting.
362
match pattern Search for text matching a regular expression. If the regular expression contains
spaces, operators, or wildcard characters, enclose it in quotation marks.
no-more Display output all at once rather than one screen at a time.
resolve (Operational mode only) Convert IP addresses into Domain Name System (DNS)
names. Truncates to fit original size unless full-names is specified. To prevent the
names from being truncated, use the full-names option.
refresh interval Refresh the display of the command according to the interval specified. The
screen gets refreshed periodically to show you the current output of the
command until you quit the command. The default refresh interval is one
second. However, you can also explicitly specify a value from 1 through 604800
for the refresh interval.
request message (all | Display command output on the terminal of a specific user logged in to your
account@terminal ) router, or on the terminals of all users logged in to your router.
save filename Save the output to a file or URL.
tee Allows you to both display the command output on screen and write it to a file.
Unlike the UNIX tee command, if the file cannot be opened, just an error
message is displayed.
trim columns Trim specified number of columns from the start line. Only positive values are
accepted. An error message appears if a negative value is given.
view
Release Information
display commit-scripts option added in Junos OS Release 7.4.
tee option added in Junos OS Release 14.1.
display json option added in Junos OS Release 14.2.

363
compare | display xml option added in Junos OS Release 15.1.
display translation-scripts option added in Junos OS Release 16.1.
display merge option added in Junos OS Release 16.2R2.
display merge option deprecated in Junos OS Release 18.2R1.

Junos OS Automation Scripting User Guide
protect
IN THIS SECTION
Syntax | 363
Description | 364
Options | 364
Syntax
protect (hierarchy | statement | identifier)

364
Description
Protect a hierarchy, statement, or identifier from modification or deletion.
Options
hierarchy (Optional) Protect a specific hierarchy.
statement (Optional) Protect a specific statement.
identifier (Optional) Protect a specific identifier.
none
Release Information
Example: Protecting the Configuration from Modification or Deletion

unprotect | 475
365
quit
IN THIS SECTION
Syntax | 365
Description | 365
Options | 365
Syntax
quit <configuration-mode>
Description
Exit the current level of the statement hierarchy, returning to the level prior to the last edit command, or
exit from configuration mode. The quit and exit commands are synonyms.
Options
none Return to the previous edit level. If you are at the top of the statement hierarchy,
exit configuration mode.
configuration-mode (Optional) Exit from configuration mode.

366
Release Information
rename
IN THIS SECTION
Syntax | 366
Description | 367
Options | 367
Syntax
rename <statement-path> identifier1 to identifier2

367
Description
Rename an existing configuration statement or identifier.
Options
identifier1 Existing identifier to rename.
identifier2 New name of identifier.
statement-path (Optional) Path to an existing statement or identifier.
NOTE: For example, to rename interface ge-0/1/0.0 to ge-0/1/10.0 at the following hierarchy level:
logical-systems {
logical-system-abc {
(...)
protocols {
ospf {
area 0.0.0.0 {
interface ge-0/1/0.0;
Issue the following command:
rename logical-systems logical-system-abc protocols ospf area 0.0.0.0 interface ge-0/1/0.0.0

to interface ge-0/1/10.0
368
Release Information
Renaming an Identifier in a Configuration
replace
IN THIS SECTION
Syntax | 368
Description | 368
Options | 369
Syntax
replace pattern pattern1 with pattern2 <upto n>
Description
Replace identifiers or values in a configuration.

369
Options
pattern1 Text string or regular expression that defines the identifiers or values you want to match.
pattern2 Text string or regular expression that replaces the identifiers and values located with
pattern1. Juniper Networks uses standard UNIX-style regular expression syntax (as defined in
POSIX 1003.2). If the regular expression contains spaces, operators, or wildcard characters,
enclose the expression in quotation marks. Greedy qualifiers (match as much as possible) are
supported. Lazy qualifiers (match as little as possible) are not.
upto n Number of objects replaced. The value of n controls the total number of objects that are
replaced in the configuration (not the total number of times the pattern occurs). Objects at
the same hierarchy level (siblings) are replaced first. Multiple occurrences of a pattern within
a given object are considered a single replacement. If you do not specify an upto option, all
identifiers and values in the configuration that match pattern1 are replaced.
Release Information

370
request
IN THIS SECTION
Syntax | 370
Description | 370
Syntax
request <chassis | ipsec switch | message | mpls | routing-engine | security | services | system
| flow-collector | support information>
Description
Stop or reboot router components, switch between primary and backup components, display messages,
and display system information.
CAUTION: Halt the backup Routing Engine before you remove it or shut off the power
to the router; otherwise, you might need to reinstall the Junos OS.
NOTE: If your router contains two Routing Engines and you want to shut the power off to the
router or remove a Routing Engine, you must first halt the backup Routing Engine (if it has been
upgraded) and then the primary Routing Engine. To halt a Routing Engine, enter the request system
halt command. You can also halt both Routing Engines at the same time by issuing the request
system halt both-routing-engines command.
371
If you want to reboot a router that has two Routing Engines, reboot the backup Routing Engine
(if you have upgraded it) and then the primary Routing Engine.
NOTE: If you reboot the TX Matrix router, all the T640 primary Routing Engines connected to
the TX Matrix router reboot. If you halt both Routing Engines on a TX Matrix router, all the T640
Routing Engines connected to the TX Matrix router are also halted. Likewise, if you reboot the
TX Matrix Plus router, all the T1600 or T4000 primary Routing Engines connected to the TX
Matrix Plus router reboot. If you halt both Routing Engines on a TX Matrix Plus router, all the
T1600 or T4000 Routing Engines connected to the TX Matrix Plus router are also halted.
NOTE: If you insert a Flexible PIC Concentrator (FPC) into your router, you may need to issue the
request chassis fpc command (or press the online button) to bring the FPC online. This applies to
FPCs in M20, M40, M40e, M160, M320, and T Series routers. For command usage, see the
request chassis fpc command description in the CLI Explorer.
Most request commands are described in the Junos System Basics and Services Command Reference.
The following request commands are described in the Junos Interfaces Command Reference: request ipsec
switch and request services.
maintenance
Release Information

372
Overview of Operational Mode Commands
request system commit server pause
IN THIS SECTION
Syntax | 372
Description | 372
Options | 373
Sample Output | 373
Syntax
Description
Pause the commit server.
NOTE: If you issue this command when a commit job is in process, the batch commit server
pauses only after the current commit job is completed.
373
Options
view
Sample Output
When you enter the request system commit server pause command, you are provided feedback on the status
of your request.
user@host> request system commit server pause
Successfully paused the commit server.
Release Information

374
request system commit server queue cleanup
IN THIS SECTION
Syntax | 374
Description | 374
Options | 374
Sample Output | 375
Syntax
request system commit server queue cleanup <id commit-id | job-status (error | pending |
success)>
Description
Clean up the batch commit queue. Note that the id argument cleans up batch commit operation
messages for a specific commit ID, whereas job-status cleans up more broadly, based on categories of
status messages. You can use either option, but not both.
Options
id commit-id (Optional) Clean up batch commit operation status messages for a specific commit ID.
job-status (Optional) Clean up batch commit operation status messages for the following:
• error—Clean up status messages for batch commit operations that have errors.
375
• pending—Clean up status messages for batch commit operations that are pending.
• success—Clean up status messages for batch commit operations that are successful.
view
Sample Output
When you enter the request system commit server queue cleanup command, you are provided feedback on the
status of your request. The first example demonstrates cleaning up job ID 1008, while the second shows
a queue clean up for all jobs marked as successfully completed.
request system commit server queue cleanup id
user@host> request system commit server queue cleanup id 1008
Successfully cleaned up jobs.
request system commit server queue cleanup job-status success
user@host> request system commit server queue cleanup job-status success
Successfully cleaned up jobs.
Release Information

376
request system commit server start
IN THIS SECTION
Syntax | 376
Description | 376
Options | 376
Sample Output | 377
Syntax
Description
Start the commit server.
Options

377
view
Sample Output
When you enter the request system commit server start command, you are provided feedback on the status
of your request.
user@host> request system commit server start
Successfully started the commit server.
Release Information
request system configuration rescue delete
IN THIS SECTION
Syntax | 378
Description | 378
378
Options | 378
Output Fields | 379
Sample Output | 379
Syntax
Description
Delete an existing rescue configuration.
NOTE: The [edit system configuration] hierarchy is not available on QFabric systems.
Options
maintenance
379
Output Fields
This command produces no output.
Sample Output
user@host> request system configuration rescue delete
Release Information
Command introduced in Junos OS Evolved Release 20.4R2.
request system configuration rescue save
IN THIS SECTION
Syntax | 380
Description | 380
Options | 380
Output Fields | 380
Sample Output | 381

380
Syntax
Description
Save the most recently committed configuration as the rescue configuration so that you can return to it
at any time by using the rollback command. If saved on a device with redundant REs, the rescue
configuration file is saved on both REs.
Options
maintenance
Output Fields
This command produces no output.

381
Sample Output
user@host> request system configuration rescue save
Release Information
Command introduced in Junos OS Evolved Release 20.4R2.
restart
IN THIS SECTION
Syntax | 382
Syntax (ACX Series Routers) | 382
Syntax (EX Series Switches) | 383
Syntax (MX Series Routers) | 383
Syntax (QFX Series) | 384
Syntax (Routing Matrix) | 384
Syntax (SRX Series) | 384
Syntax (TX Matrix Routers) | 385
Syntax (TX Matrix Plus Routers) | 385
Syntax (QFX Series) | 386
Syntax (Junos OS Evolved) | 386
Description | 387
Options | 387

382
Output Fields | 397
Sample Output | 397
Syntax
restart
<adaptive-services |ancpd-service | application-identification |audit-process | auto-
configuration |captive-portal-content-delivery |ce-l2tp-service |chassis-control | class-of-
service |clksyncd-service |database-replication|datapath-trace-service |dhcp-service | diameter-
service | disk-monitoring | dynamic-flow-capture | ecc-error-logging | ethernet-connectivity-
fault-management |ethernet-link-fault-management |event-processing | firewall | general-
authentication-service | gracefully | iccp-service |idp-policy | immediately |interface-control
| ipsec-key-management | kernel-health-monitoring | kernel-replication | l2-learning | l2cpd-
service | l2tp-service | l2tp-universal-edge | lacp | license-service |link-management |local-
policy-decision-function |mac-validation |mib-process | mountd-service |mpls-traceroute |mspd |
multicast-snooping |named-service | nfsd-service | packet-triggered-subscribers |peer-selection-
service |pgm | pic-services-logging | pki-service |ppp | ppp-service | pppoe | protected-system-
domain-service | redundancy-interface-process | remote-operations | root-system-domain-service |
routing <logical-system logical-system-name> | sampling | sbc-configuration-process | sdk-
service |service-deployment | services | snmp |soft |static-subscribers |statistics-service|
subscriber-management | subscriber-management-helper | tunnel-oamd |usb-control| vrrp |web-
management>
<gracefully | immediately | soft>
Syntax (ACX Series Routers)
restart
<adaptive-services |audit-process | auto-configuration | autoinstallation |chassis-control |
class-of-service |clksyncd-service |database-replication| dhcp-service | diameter-service | disk-
monitoring | dynamic-flow-capture | ethernet-connectivity-fault-management | ethernet-link-fault-
management |event-processing | firewall | general-authentication-service | gracefully |
immediately |interface-control | ipsec-key-management | l2-learning | lacp |link-management |mib-
process | mountd-service |mpls-traceroute |mspd | named-service | nfsd-service | pgm | pki-
383
service | ppp | pppoe | redundancy-interface-process | remote-operations | routing | sampling |

sdk-service |secure-neighbor-discovery | service-deployment | services | snmp |soft | statistics-
service| subscriber-management | subscriber-management-helper | tunnel-oamd | vrrp>
Syntax (EX Series Switches)
restart
<autoinstallation | chassis-control | class-of-service | database-replication | dhcp | dhcp-
service | diameter-service | dot1x-protocol | ethernet-link-fault-management | ethernet-
switching | event-processing | firewall | general-authentication-service | interface-control |
kernel-health-monitoring | kernel-replication | l2-learning | lacp | license-service | link-
management | lldpd-service | mib-process | mountd-service | multicast-snooping | pgm |
redundancy-interface-process | remote-operations | routing | secure-neighbor-discovery | service-
deployment | sflow-service | snmp | vrrp | web-management>
Syntax (MX Series Routers)
restart
<adaptive-services | ancpd-service | application-identification | audit-process | auto-
configuration | bbe-stats-service | captive-portal-content-delivery | ce-l2tp-service | chassis-
control | class-of-service | clksyncd-service | database-replication | datapath-trace-service |
dhcp-service | diameter-service | disk-monitoring | dynamic-flow-capture | ecc-error-logging |
ethernet-connectivity-fault-management | ethernet-link-fault-management | event-processing |
firewall | general-authentication-service | gracefully | iccp-service | idp-policy | immediately
|interface-control | ipsec-key-management |kernel-health-monitoring | kernel-replication | l2-
learning | l2cpd-service | l2tp-service | l2tp-universal-edge | lacp | license-service | link-
management | local-policy-decision-function | mac-validation | mib-process | mountd-service |
mpls-traceroute | mspd | multicast-snooping |named-service | nfsd-service | packet-triggered-
subscribers |peer-selection-service | pgm | pic-services-logging | pki-service | ppp | ppp-
service | pppoe | protected-system-domain-service | redundancy-interface-process | remote-
operations | root-system-domain-service | routing | routing <logical-system logical-system-
name> | sampling | sbc-configuration-process | sdk-service | service-deployment | services |
snmp |soft |static-subscribers |statistics-service| subscriber-management | subscriber-
management-helper | tunnel-oamd | usb-control | vrrp | web-management>
<all-members>
384
<local>
<member member-id>
Syntax (QFX Series)
restart
<adaptive-services | audit-process | chassis-control | class-of-service | dialer-services |
diameter-service | dlsw | ethernet-connectivity | event-processing | fibre-channel | firewall |
general-authentication-service | igmp-host-services | interface-control | ipsec-key-management |
isdn-signaling | l2ald | l2-learning | l2tp-service | mib-process | named-service | network-
access-service | nstrace-process | pgm | ppp | pppoe | redundancy-interface-process | remote-
operations |logical-system-name> | routing | sampling |secure-neighbor-discovery | service-
deployment | snmp | usb-control | web-management>
Syntax (Routing Matrix)
restart
<adaptive-services | audit-process | chassis-control | class-of-service | disk-monitoring |
dynamic-flow-capture | ecc-error-logging | event-processing | firewall | interface-control |
ipsec-key-management | kernel-replication | l2-learning | l2tp-service | lacp | link-management
| mib-process | pgm | pic-services-logging | ppp | pppoe | redundancy-interface-process | remote-
operations | routing <logical-system logical-system-name> | sampling | service-deployment |
snmp>
<all | all-lcc | lcc number>
Syntax (SRX Series)
restart
<application-identification |application-security |audit-process |commitd-service |chassis-
control | class-of-service |database-replication |datapath-trace-service |ddns |dhcp |dhcp-
385
service |dynamic-flow-capture |disk-monitoring |event-processing | ethernet-connectivity-fault-

management |ethernet-link-fault-management |extensible-subscriber-services |fipsd |firewall |
firewall-authentication-service |general-authentication-service |gracefully |gprs-process |idp-
policy |immediately |interface-control | ipmi |ipsec-key-management |jflow-service |jnu-
management |jnx-wmicd-service |jsrp-service |kernel-replication |l2-learning |l2cpd-service |
lacp |license-service |logical-system-service |mib-process |mountd-service |named-service |
network-security |network-security-trace |nfsd-service |ntpd-service |pgm |pic-services-logging |
profilerd |pki-service |remote-operations |rest-api |routing |sampling |sampling-route-record |
scc-chassisd |secure-neighbor-discovery |security-intelligence |security-log |services |service-
deployment |simple-mail-client-service |soft |snmp |static-routed |statistics-service |
subscriber-management |subscriber-management-helper |system-log-vital |tunnel-oamd |uac-service |
user-ad-authentication |vrrp |web-management >
Syntax (TX Matrix Routers)
restart
<adaptive-services | audit-process | chassis-control | class-of-service | dhcp-service |
diameter-service | disk-monitoring | dynamic-flow-capture | ecc-error-logging | event-processing
| firewall | interface-control | ipsec-key-management | kernel-replication | l2-learning | l2tp-
service | lacp | link-management | mib-process |pgm | pic-services-logging | ppp | pppoe |
redundancy-interface-process | remote-operations | routing <logical-system logical-system-name>
| sampling | service-deployment | snmp| statistics-service>
<all-chassis | all-lcc | lcc number | scc>
Syntax (TX Matrix Plus Routers)
restart
<adaptive-services | audit-process | chassis-control | class-of-service | dhcp-service |
diameter-service | disk-monitoring | dynamic-flow-capture | ecc-error-logging | event-processing
| firewall | interface-control | ipsec-key-management | kernel-replication | l2-learning | l2tp-
service | lacp | link-management | mib-process | pgm | pic-services-logging | ppp | pppoe |
redundancy-interface-process | remote-operations | routing <logical-system logical-system-name>
| sampling | service-deployment | snmp| statistics-service>
386
<all-chassis | all-lcc | all-sfc | lcc number | sfc number>

Syntax (QFX Series)
restart
<adaptive-services | audit-process | chassis-control | class-of-service | dialer-services |
diameter-service | dlsw | ethernet-connectivity | event-processing | fibre-channel | firewall |
general-authentication-service | igmp-host-services | interface-control | ipsec-key-management |
isdn-signaling | l2ald | l2-learning | l2tp-service | mib-process | named-service | network-
access-service | nstrace-process | pgm | ppp | pppoe | redundancy-interface-process | remote-
operations |logical-system-name> | routing | sampling |secure-neighbor-discovery | service-
deployment | snmp | usb-control | web-management>
Syntax (Junos OS Evolved)
restart (BdL2Token | aft-sysinfo | agentd | alarmd | arpd | audit-process | bcmd_evo | bfdd |

bios-manager | charonctl | chassis-control | class-of-service | clksynced | cmevod | command-
handler | command-relay | configd | ddosd | dfwd-junos-relay | diskmgmt | distributor | dot1x-
protocol | dot1xd-agent | edo | emfca | ethernet-connectivity-fault-management | ethernet-link-
fault-management | event-processing | evo-aftmand-zx | evo-cda-zx | evo-cda-zx-diag | evo-jet-
sdk-broker | evoaft-jvisiond | fabricHub | fabspoked-fchip | fabspoked-pfe | fabtokend | fibd |
fibd-proxy | firewall | fpa | fwstatsd | gcd | hwddual | hwdfpc | hwdspmb | icmpd | idmd-dest-
usage-class | idmd-src-usage-class | idmdbd | idmdcounter | idmdfabtoken | idmdfilter |
idmdfilterterm | idmdfwgretunnel | idmdifd | idmdifl | idmdnh | idmdoffchip32 | idmdoffchip64 |
idmdonchip | dmdpolicer | idmdrtb | idmdsensor |idmdsgid | idmdstp | ifstatsd | imgd | interface-
control | jdhcpd | jinsightd | jsd | jstatsd | kfirewall-agent | l2agent | l2ald | l2cpd | l2cpd-
agent | lacp | license-check | lldpd | mem-mgmt | mfilterd | mgd | mgd-api | mgd-pfe | mgmt-ethd
| mib-process | mplsoamd | mstr | mstrzk | msvcsd | mstrzk | msvcsd | mustd | na-grpcd | na-mqtt
| ndp | netdefaultsd | nlsd | objmon | objping-server | ofp | ofp-command | opticmand |
orchestratord | packetio-zx | pccd | pci-agent | pdevmand | pfestatsd | picd | ppman | ppmd |
ppmdagent | resild | routing | rpcserviced | rpdfw | securityd | sflowd | sinetd | smartd-agent-
monitor | snmp | snmpd-subagent | svcsd | syscmdd | sysepochman | sysman | sysman-ui | trace-
387
relay | trace-writer | xmlproxyd | ztp)

Description
Restart a Junos OS process.
CAUTION: Never restart a software process unless instructed to do so by a customer

support engineer. A restart might cause the router or switch to drop calls and interrupt
transmission, resulting in possible loss of data.
For Junos OS Evolved, the restart command also triggers a restart of the dependent applications (apps).
In order to inform you which dependent apps are being restarted the following message will be logged
when the restart command is used:
App restarting <app name>. Related apps that may be impacted - <related-app name> . For example: Jan 14 11:42:08
RE0 sysman[5100]: SYSTEM_APP_RESTARTING_WITH_RELAPPS_EVENT: App restarting re0-ifmand. Related apps that may be
impacted - aggd
Starting in Junos OS Evolved Release 20.1R1, if you specify restart app-name and the application is not
supposed to run on the platform, the error message is as follows:
user@device> restart fabspoked-pfe

Restart failed for fabspoked-pfe on node re0. Application is not running.
The restart command expands all applications names including applications that are not required for the
current platform. Therefore, a user could try to do a restart for an application that is not running for the
current platform. This error message communicates that the restart failed because the application was
not running on the system.
Options
none Same as gracefully.
adaptive-services (Optional) Restart the configuration management process that manages the
configuration for stateful firewall, Network Address Translation (NAT), intrusion
388
detection services (IDS), and IP Security (IPsec) services on the Adaptive

Services PIC.
all-chassis (TX Matrix and TX Matrix Plus routers only) (Optional) Restart the software
process on all chassis.
all-lcc (TX Matrix and TX Matrix Plus routers only) (Optional) For a TX Matrix router,
restart the software process on all T640 routers connected to the TX Matrix
router. For a TX Matrix Plus router, restart the software process on all T1600
routers connected to the TX Matrix Plus router.
all-members (MX Series routers only) (Optional) Restart the software process for all members
of the Virtual Chassis configuration.
all-sfc (TX Matrix Plus routers only) (Optional) For a TX Matrix Plus router, restart the
software processes for the TX Matrix Plus router (or switch-fabric chassis).
ancpd-service (Optional) Restart the Access Node Control Protocol (ANCP) process, which
works with a special Internet Group Management Protocol (IGMP) session to
collect outgoing interface mapping events in a scalable manner.
application- (Optional) Restart the process that identifies an application using intrusion
identification detection and prevention (IDP) to allow or deny traffic based on applications
running on standard or nonstandard ports.
application-security (Optional) Restart the application security process.
audit-process (Optional) Restart the RADIUS accounting process that gathers statistical data
that can be used for general network monitoring, analyzing, and tracking usage
patterns, for billing a user based on the amount of time or type of services
accessed.
auto-configuration (Optional) Restart the Interface Auto-Configuration process.
autoinstallation (EX Series switches only) (Optional) Restart the autoinstallation process.
bbe-stats-service (MX Series routers only) (Optional) Restart bbe-statsd, the BBE statistics
collection and management process.
captive-portal- (Optional) Restart the HTTP redirect service by specifying the location to which
content-delivery a subscriber's initial Web browser session is redirected, enabling initial
provisioning and service selection for the subscriber.
389
ce-l2tp-service (M10, M10i, M7i, and MX Series routers only) (Optional) Restart the Universal
Edge Layer 2 Tunneling Protocol (L2TP) process, which establishes L2TP tunnels
and Point-to-Point Protocol (PPP) sessions through L2TP tunnels.
chassis-control (Optional) Restart the chassis management process.
class-of-service (Optional) Restart the class-of-service (CoS) process, which controls the router's
or switch’s CoS configuration.
clksyncd-service (Optional) Restart the external clock synchronization process, which uses
synchronous Ethernet (SyncE).
commitd-service (Optional) Restart the committed services.
database-replication (EX Series switches and MX Series routers only) (Optional) Restart the database
replication process.
datapath-trace- (Optional) Restart the packet path tracing process.

service
dhcp (EX Series switches only) (Optional) Restart the software process for a Dynamic
Host Configuration Protocol (DHCP) server. A DHCP server allocates network IP
addresses and delivers configuration settings to client hosts without user
intervention.
dhcp-service (Optional) Restart the Dynamic Host Configuration Protocol process.
dialer-services (EX Series switches only) (Optional) Restart the ISDN dial-out process.
diameter-service (Optional) Restart the diameter process.
disk-monitoring (Optional) Restart disk monitoring, which checks the health of the hard disk
drive on the Routing Engine.
dlsw (QFX Series only) (Optional) Restart the data link switching (DLSw) service.
dot1x-protocol (EX Series switches only) (Optional) Restart the port-based network access
control process.
dynamic-flow- (Optional) Restart the dynamic flow capture (DFC) process, which controls DFC
capture configurations on Monitoring Services III PICs.
ecc-error-logging (Optional) Restart the error checking and correction (ECC) process, which logs
ECC parity errors in memory on the Routing Engine.
390
ethernet- (Optional) Restart the process that provides IEEE 802.1ag Operation,
connectivity-fault- Administration, and Management (OAM) connectivity fault management (CFM)
management
database information for CFM maintenance association end points (MEPs) in a
CFM session.
ethernet-link-fault- (EX Series switches and MX Series routers only) (Optional) Restart the process
management that provides the OAM link fault management (LFM) information for Ethernet
interfaces.
ethernet-switching (EX Series switches only) (Optional) Restart the Ethernet switching process.
event-processing (Optional) Restart the event process (eventd).
extensible- (Optional) Restart the extensible subscriber services process.

subscriber-services
fibre-channel (QFX Series only) (Optional) Restart the Fibre Channel process.
fipsd (Optional) Restart the fipsd services.
firewall (Optional) Restart the firewall management process, which manages the firewall
configuration and enables accepting or rejecting packets that are transiting an
interface on a router or switch.
general- (EX Series switches and MX Series routers only) (Optional) Restart the general
authentication- authentication process.
service
gprs-process (Optional) Restart the General Packet Radio Service (GPRS) process.
gracefully (Optional) Restart the software process.
iccp-service (Optional) Restart the Inter-Chassis Communication Protocol (ICCP) process.
idp-policy (Optional) Restart the intrusion detection and prevention (IDP) protocol process.
immediately (Optional) Immediately restart the software process.
interface-control (Optional) Restart the interface process, which controls the router's or switch’s
physical interface devices and logical interfaces.
ipmi (Optional) Restart the intelligent platform management interface process.
ipsec-key- (Optional) Restart the IPsec key management process.

management
isdn-signaling (QFX Series only) (Optional) Restart the ISDN signaling process, which initiates
ISDN connections.
391
jflow-service (Optional) Restart jflow service process.
jnu-management (Optional) Restart jnu management process.
jnx-wmicd-service (Optional) Restart jnx wmicd service process.
jsrp-service (Optional) Restart the Juniper Services Redundancy Protocol (jsrdp) process,
which controls chassis clustering.
kernel-health- (Optional) Restart the Routing Engine kernel health monitoring process, which
monitoring enables health parameter data to be sent from kernel components to data
collection applications. When you change the polling interval through sysctl
kern.jkhmd_polling_time_secs, you must restart the kernel health monitoring process
for the new polling interval to take effect.
kernel-replication (Optional) Restart the kernel replication process, which replicates the state of
the backup Routing Engine when graceful Routing Engine switchover (GRES) is
configured.
l2-learning (Optional) Restart the Layer 2 address flooding and learning process.
l2cpd-service (Optional) Restart the Layer 2 Control Protocol process, which enables features
such as Layer 2 protocol tunneling and nonstop bridging.
l2tp-service (M10, M10i, M7i, and MX Series routers only) (Optional) Restart the Layer 2
Tunneling Protocol (L2TP) process, which sets up client services for establishing
Point-to-Point Protocol (PPP) tunnels across a network and negotiating Multilink
PPP if it is implemented.
l2tp-universal-edge (MX Series routers only) (Optional) Restart the L2TP process, which establishes
L2TP tunnels and PPP sessions through L2TP tunnels.
lacp (Optional) Restart the Link Aggregation Control Protocol (LACP) process. LACP
provides a standardized means for exchanging information between partner
systems on a link to allow their link aggregation control instances to reach
agreement on the identity of the LAG to which the link belongs, and then to
move the link to that LAG, and to enable the transmission and reception
processes for the link to function in an orderly manner.
lcc number (TX Matrix and TX Matrix Plus routers only) (Optional) For a TX Matrix router,
restart the software process for a specific T640 router that is connected to the
TX Matrix router. For a TX Matrix Plus router, restart the software process for a
specific router that is connected to the TX Matrix Plus router.
Replace number with the following values depending on the LCC configuration:
392
• 0 through 3, when T640 routers are connected to a TX Matrix router in a

routing matrix.
• 0 through 3, when T1600 routers are connected to a TX Matrix Plus router in

a routing matrix.
• 0 through 7, when T1600 routers are connected to a TX Matrix Plus router

with 3D SIBs in a routing matrix.
• 0, 2, 4, or 6, when T4000 routers are connected to a TX Matrix Plus router

with 3D SIBs in a routing matrix.
license-service (EX Series switches only) (Optional) Restart the feature license management
process.
link-management (TX Matrix and TX Matrix Plus routers and EX Series switches only) (Optional)
Restart the Link Management Protocol (LMP) process, which establishes and
maintains LMP control channels.
lldpd-service (EX Series switches only) (Optional) Restart the Link Layer Discovery Protocol
(LLDP) process.
local (MX Series routers only) (Optional) Restart the software process for the local
Virtual Chassis member.
local-policy-decision- (Optional) Restart the process for the Local Policy Decision Function, which
function regulates collection of statistics related to applications and application groups
and tracking of information about dynamic subscribers and static interfaces.
logical-system- (Optional) Restart the logical system service process.

service
mac-validation (Optional) Restart the Media Access Control (MAC) validation process, which
configures MAC address validation for subscriber interfaces created on demux
interfaces in dynamic profiles on MX Series routers.
member member-id (MX Series routers only) (Optional) Restart the software process for a specific
member of the Virtual Chassis configuration. Replace member-id with a value of 0
or 1.
mib-process (Optional) Restart the Management Information Base (MIB) version II process,
which provides the router's MIB II agent.
mobile-ip (Optional) Restart the Mobile IP process, which configures Junos OS Mobile IP
features.
393
mountd-service (EX Series switches and MX Series routers only) (Optional) Restart the service
for NFS mount requests.
mpls-traceroute (Optional) Restart the MPLS Periodic Traceroute process.
mspd (Optional) Restart the Multiservice process.
multicast-snooping (EX Series switches and MX Series routers only) (Optional) Restart the multicast
snooping process, which makes Layer 2 devices, such as VLAN switches, aware
of Layer 3 information, such as the media access control (MAC) addresses of
members of a multicast group.
named-service (Optional) Restart the DNS Server process, which is used by a router or a switch
to resolve hostnames into addresses.
network-access- ( QFX Series only) (Optional) Restart the network access process, which provides
service the router's Challenge Handshake Authentication Protocol (CHAP)
authentication service.
network-security (Optional) Restart the network security process.
network-security- (Optional) Restart the network security trace process.

trace
nfsd-service (Optional) Restart the Remote NFS Server process, which provides remote file
access for applications that need NFS-based transport.
ntpd-service (Optional) Restart the Network Time Protocol (NTP) process.
packet-triggered- (Optional) Restart the packet-triggered subscribers and policy control (PTSP)
subscribers process, which allows the application of policies to dynamic subscribers that are
controlled by a subscriber termination device.
peer-selection- (Optional) Restart the Peer Selection Service process.

service
pgcp-service (Optional) Restart the pgcpd service process running on the Routing Engine. This
option does not restart pgcpd processes running on mobile station PICs. To
restart pgcpd processes running on mobile station PICs, use the services pgcp
gateway option.
pgm (Optional) Restart the process that implements the Pragmatic General Multicast
(PGM) protocol for assisting in the reliable delivery of multicast packets.
394
pic-services-logging (Optional) Restart the logging process for some PICs. With this process, also
known as fsad (the file system access daemon), PICs send special logging
information to the Routing Engine for archiving on the hard disk.
pki-service (Optional) Restart the PKI Service process.
ppp (Optional) Restart the Point-to-Point Protocol (PPP) process, which is the
encapsulation protocol process for transporting IP traffic across point-to-point
links.
ppp-service (Optional) Restart the Universal edge PPP process, which is the encapsulation
protocol process for transporting IP traffic across universal edge routers.
pppoe (Optional) Restart the Point-to-Point Protocol over Ethernet (PPPoE) process,
which combines PPP that typically runs over broadband connections with the
Ethernet link-layer protocol that allows users to connect to a network of hosts
over a bridge or access concentrator.
profilerd (Optional) Restart the profiler process.
protected-system- (Optional) Restart the Protected System Domain (PSD) process.

domain-service
redundancy- (Optional) Restart the ASP redundancy process.
interface-process
remote-operations (Optional) Restart the remote operations process, which provides the ping and
traceroute MIBs.
rest-api (Optional) Restart the rest api process.
root-system-domain- (Optional) Restart the Root System Domain (RSD) service.

service
routing (ACX Series routers, QFX Series, EX Series switches, and MX Series routers only)
(Optional) Restart the routing protocol process.
routing <logical- (Optional) Restart the routing protocol process, which controls the routing
system logical- protocols that run on the router or switch and maintains the routing tables.
system-name>
Optionally, restart the routing protocol process for the specified logical system
only.
sampling (Optional) Restart the sampling process, which performs packet sampling based
on particular input interfaces and various fields in the packet header.
sampling-route- (Optional) Restart the sampling route record process.

record
395
sbc-configuration- (Optional) Restart the session border controller (SBC) process of the border
process signaling gateway (BSG).
scc (TX Matrix routers only) (Optional) Restart the software process on the
TX Matrix router (or switch-card chassis).
scc-chassisd (Optional) Restart the scc chassisd process.
sdk-service (Optional) Restart the SDK Service process, which runs on the Routing Engine
and is responsible for communications between the SDK application and Junos
OS. Although the SDK Service process is present on the router, it is turned off
by default.
secure-neighbor- (QFX Series, EX Series switches, and MX Series routers only) (Optional) Restart
discovery the secure Neighbor Discovery Protocol (NDP) process, which provides support
for protecting NDP messages.
security-intelligence (Optional) Restart security intelligence process.
security-log (Optional) Restart the security log process.
sfc number (TX Matrix Plus routers only) (Optional) Restart the software process on the TX
Matrix Plus router (or switch-fabric chassis). Replace number with 0.
service-deployment (Optional) Restart the service deployment process, which enables Junos OS to
work with the Session and Resource Control (SRC) software.
services (Optional) Restart a service.
services pgcp (Optional) Restart the pgcpd process for a specific border gateway function
gateway gateway- (BGF) running on an MS-PIC. This option does not restart the pgcpd process
name
running on the Routing Engine. To restart the pgcpd process on the Routing
Engine, use the pgcp-service option.
sflow-service (EX Series switches only) (Optional) Restart the flow sampling (sFlow
technology) process.
simple-mail-client- (Optional) Restart the simple mail client service process.

service
snmp (Optional) Restart the SNMP process, which enables the monitoring of network
devices from a central location and provides the router's or switch’s SNMP
master agent.
396
soft (Optional) Reread and reactivate the configuration without completely restarting
the software processes. For example, BGP peers stay up and the routing table
stays constant. Omitting this option results in a graceful restart of the software
process.
static-routed (Optional) Restart the static routed process.
static-subscribers (Optional) Restart the static subscribers process, which associates subscribers
with statically configured interfaces and provides dynamic service activation and
activation for these subscribers.
statistics-service (Optional) Restart the process that manages the Packet Forwarding Engine
statistics.
subscriber- (Optional) Restart the Subscriber Management process.

management
subscriber- (Optional) Restart the Subscriber Management Helper process.
management-helper
system-log-vital (Optional) Restart system log vital process.
tunnel-oamd (Optional) Restart the Tunnel OAM process, which enables the Operations,
Administration, and Maintenance of Layer 2 tunneled networks. Layer 2
protocol tunneling (L2PT) allows service providers to send Layer 2 protocol data
units (PDUs) across the provider’s cloud and deliver them to Juniper Networks
EX Series Ethernet Switches that are not part of the local broadcast domain.
uac-service (Optional) Restart the Unified Access Control (UAC) process.
usb-control (MX Series routers) (Optional) Restart the USB control process.
user-ad- (Optional) Restart User ad Authentication process

authentication
vrrp (ACX Series routers, EX Series switches, and MX Series routers only) (Optional)
Restart the Virtual Router Redundancy Protocol (VRRP) process, which enables
hosts on a LAN to make use of redundant routing platforms on that LAN
without requiring more than the static configuration of a single default route on
the hosts.
web-management (QFX Series, EX Series switches, and MX Series routers only) (Optional) Restart
the Web management process.
397
reset
Output Fields
Sample Output
restart interfaces
user@host> restart interfaces

interfaces process terminated
interfaces process restarted
restart interface-control gracefully
user@host> restart interface-control gracefully

Interface control process started, pid 41129
restart interface-control (Junos OS Evolved)
user@host> restart interface-control

interface-control restart requested
Restarted aggd on re0
Restarted ifmand on re0
Release Information

398
Options added:
• dynamic-flow-capture in Junos OS Release 7.4.
• dlsw in Junos OS Release 7.5.
• event-processing in Junos OS Release 7.5.
• ppp in Junos OS Release 7.5.
• l2ald in Junos OS Release 8.0.
• link-management in Junos Release 8.0.
• pgcp-service in Junos OS Release 8.4.
• sbc-configuration-process in Junos OS Release 9.5.
• services pgcp gateway in Junos OS Release 9.6.
• sfc and all-sfc for the TX Matrix Router in Junos OS Release 9.6.
• Command introduced before Junos OS Release 9.2 on SRX Series devices.
• bbe-stats-service in Junos OS Release 18.4R1 on MX Series routers.
• kernel-health-monitoring in Junos OS Release 19.1R1.
• Introduced in Junos OS Evolved Release 19.1R1.
Overview of Operational Mode Commands
rollback
IN THIS SECTION
Syntax | 399
Description | 399
399
Options | 399
Syntax
rollback <number | rescue | revision revision-string>
Description
Return to a previously committed configuration. The software saves the last 50 committed
configurations, including the rollback number, date, time, and name of the user who issued the commit
configuration command.
The currently operational configuration is stored in the file juniper.conf, and the last three committed
configurations are stored in the files juniper.conf.1, juniper.conf.2, and juniper.conf.3. These four files
are located in the directory /config, which is on the router’s flash drive. The remaining 46 previous
committed configurations, the files juniper.conf.4 through juniper.conf.49, are stored in the
directory /var/db/config, which is on the router’s hard disk.
During rollback, the configuration you specify is loaded from the associated file. Only objects in the
rollback configuration that differ from the previously loaded configuration are marked as changed
(equivalent to load update).
Options
none (Optional) Return to the most recently saved configuration.
number (Optional) Configuration to return to. The range of values is from 0 through 49. The
most recently saved configuration is number 0, and the oldest saved configuration is
number 49. The default is 0.
rescue (Optional) Return to the rescue configuration.

400
revision (Option) Use a configuration revision identifier to rollback to a specific configuration.

revision- Use the "show system commit include-configuration-revision" on page 452 command to
string
view the configuration revision identifier for each revision.
rollback—To roll back to configurations other than the one most recently committed.
Release Information
Option revision introduced in Junos OS Release 20.4R1 and Junos OS Evolved Release 20.4R1.
run
IN THIS SECTION
Syntax | 400
Description | 401
Options | 401
Syntax
run command
401
Description
Run a top-level CLI command without exiting from configuration mode.
Options
command CLI top-level command.
Release Information
save
IN THIS SECTION
Syntax | 402
QFX and VMX Series | 402
Description | 402
Options | 402
402
Sample Output | 404
Syntax
save filename
QFX and VMX Series
save (<dhcp-security-snoop | dhcpv6-security-snoop>filename)
Description
Save the configuration to an ASCII file. The contents of the current level of the statement hierarchy (and
below) are saved, along with the statement hierarchy containing it. This allows a section of the
configuration to be saved, while fully specifying the statement hierarchy.
For information on valid filename and URL formats, see Format for Specifying Filenames and URLs in
Junos OS CLI Commands.
When saving a file to a remote system, the software uses the scp/ssh protocol.
Options
filename—Name of the saved file. You can specify a filename in one of the following ways:
• filename—File in the user’s home directory (the current directory) on the local flash drive.
• path/filename—File on the local flash drive.

403
• /var/filename or /var/path/filename—File on the local hard disk.
• a:filename or a:path/filename—File on the local drive. The default path is / (the root-level directory). The
removable media can be in MS-DOS or UNIX (UFS) format.
• hostname:/path/filename, hostname:filename, hostname:path/filename, or scp:// hostname/path/filename—File on

an scp/ssh client. This form is not available in the worldwide version of Junos OS. The default path is
the user’s home directory on the remote system. You can also specify hostname as username@hostname.
• ftp://hostname/path/filename—File on an FTP server. You can also specify hostname as username @hostname or
username:password @hostname. The default path is the user’s home directory. To specify an absolute path,
the path must start with the string %2F; for example, ftp://hostname/%2Fpath/filename. To have the system
prompt you for the password, specify prompt in place of the password. If a password is required, and
you do not specify the password or prompt, an error message is displayed:
user@host> file copy ftp://[email protected]//filename

file copy ftp.hostname.net: Not logged in.
user@host> file copy ftp://username:[email protected]//filename
Password for [email protected]:
• http://hostname/path/filename—File on a Hypertext Transfer Protocol (HTTP) server. You can also specify
hostname as username@hostname or username:password@hostname. If a password is required and you omit it, you
are prompted for it.
• re0:/path/filename or re1:/path/filename—File on a local Routing Engine.
Options for QFX and VMX Series
• dhcp-security-snoop—Save DHCP snooping entries
• dhcpv6-security-snoop—Save DHCPv6 snooping entries
NOTE: The save commands for dhcp-security-snoop and dhcpv6-security-snoop are restricted to admin
only.

404
Sample Output
The following is an example of a save scenario:
Save a File Using Secure Copy Protocol (scp) with ’source-address’ and ’routing-instance’
options
To use the scp command to save local file to a remote system with the source-address and routing-instance
enter the following command:
root@host# save scp://user@hostname/path/filename routing-instance instance-name source-address

address
Release Information
set
IN THIS SECTION
Syntax | 405
Description | 405
Options | 405

405
Syntax
set <statement-path> identifier
Description
Create a statement hierarchy and set identifier values. This is similar to edit except that your current
level in the hierarchy does not change.
Options
identifier Name of the statement or identifier to set.
statement-path (Optional) Path to an existing statement hierarchy level. If that hierarchy level does not
exist, it is created.
Release Information
edit | 347
406
set cli complete-on-space
IN THIS SECTION
Syntax | 406
Description | 406
Options | 406
Output Fields | 407
Sample Output | 407
Syntax
set cli complete-on-space (off | on)
Description
Set the command-line interface (CLI) to complete a partial command entry when you type a space or a
tab. This is the default behavior of the CLI.
Options
off Turn off command completion.
on Allow either a space or a tab to be used for command completion.

407
view
Output Fields
Sample Output
set cli complete-on-space
In the following example, pressing the Spacebar changes the partial command entry from com to
complete-on-space. The example shows how adding the keyword off at the end of the command
disables command completion.
user@host> set cli com<Space>

user@host>set cli complete-on-space off
Disabling complete-on-space
Release Information
CLI User Interface Overview

show cli | 425
408
set cli directory
IN THIS SECTION
Syntax | 408
Description | 408
Options | 408
Output Fields | 409
Sample Output | 409
Syntax
set cli directory directory
Description
Set the current working directory.
Options
directory Pathname of the working directory.
view
409
Output Fields
Sample Output
set cli directory
user@host> set cli directory /var/tmp

Current directory: /var/tmp
Release Information

set cli idle-timeout
IN THIS SECTION
Syntax | 410
Description | 410
Options | 410
Output Fields | 410

410
Sample Output | 411
Syntax
set cli idle-timeout <minutes>
Description
Set the maximum time that an individual session can be idle before the user is logged off the router or
switch. set cli idle-timeout holds good only for the session in use when you enter it. If you need to
configure the idle timeout permanently for all the CLI sessions, then configure the idle-timeout statement
at the [edit system login] hierarchy level.
Options
minutes (Optional) Maximum idle time. The range of values, in minutes, is 0 through 100,000. If you do
not issue this command, and the user’s login class does not specify this value, the user is never
forced off the system after extended idle times. Setting the value to 0 disables the timeout.
view
Output Fields
411
Sample Output
set cli idle-timeout
user@host> set cli idle-timeout 60

Idle timeout set to 60 minutes
Release Information

show cli | 425
set cli prompt
IN THIS SECTION
Syntax | 412
Description | 412
Options | 412
Output Fields | 412
Sample Output | 412

412
Syntax
set cli prompt string
Description
Set the prompt so that it is displayed within the CLI.
Options
string CLI prompt string. To include spaces in the prompt, enclose the string in quotation marks. By
default, the string is username@hostname.
view
Output Fields
When you enter this command, the new CLI prompt is displayed.
Sample Output
set cli prompt
user@host> set cli prompt lab1-router>

lab1-router>
413
Release Information

show cli | 425
set cli restart-on-upgrade
IN THIS SECTION
Syntax | 413
Description | 414
Options | 414
Output Fields | 414
Sample Output | 414
Syntax
set cli restart-on-upgrade string (off | on)

414
Description
For an individual session, set the CLI to prompt you to restart the router or switch after upgrading the
software.
Options
off Disables the prompt.
on Enables the prompt.
view
Output Fields
Sample Output
set cli restart-on-upgrade
user@host> set cli restart-on-upgrade on

Enabling restart-on-upgrade
Release Information

415

show cli | 425
set cli screen-length
IN THIS SECTION
Syntax | 415
Description | 415
Options | 416
Syntax
set cli screen-length length
Description
Set terminal screen length.
user@host> set cli screen-length 75

Screen length set to 75
416
Options
length—Number of lines of text that the terminal screen displays. The range of values, in an integer
number of lines, is 2 through 100,000. The default is 24.
The point at which the ---(more)--- prompt appears on the screen is a function of this setting and the
settings for the set cli screen-width and set cli terminal commands.
view
Release Information

show cli | 425
set cli screen-width
IN THIS SECTION
Syntax | 417
Description | 417
417
Options | 417
Syntax
set cli screen-width width
Description
Set the terminal screen width.
user@host> set cli screen-width

Screen width set to 132
Options
width—Number of characters in a line. The value is 0 or in the range of 40 through 1024. The default value
is 80.
NOTE: In Junos OS Release 13.2 and earlier, the value of width is in the range of 0 through 1024.
view
418
Release Information

show cli | 425
set cli terminal
IN THIS SECTION
Syntax | 418
Description | 419
Options | 419
Syntax
set cli terminal terminal-type

419
Description
Set the terminal type.
user@host> set cli terminal xterm
Options
terminal-type—Type of terminal that is connected to the Ethernet management port:
• ansi—ANSI-compatible terminal
• pc—PC screen command-prompt window
• small-xterm—Small xterm window (24 lines long)
• vt100—VT100-compatible terminal
• xterm—Large xterm window (65 lines long)
view
Release Information

420
set cli timestamp
IN THIS SECTION
Syntax | 420
Description | 420
Options | 420
Output Fields | 421
Sample Output | 421
Syntax
set cli timestamp (format timestamp-format | disable)
Description
Set a timestamp for CLI output.
Options
format Set the date and time format for the timestamp. The timestamp format you specify
timestamp- can include the following placeholders in any order:
format
• %m—Two-digit month
• %d—Two-digit date
• %T—Six-digit hour, minute, and seconds

421
disable Remove the timestamp from the CLI.
NOTE: A timestamp is displayed by default when no command output is generated.
view
Output Fields
Sample Output
set cli timestamp
user@host> set cli timestamp format '%m-%d-%T'

'04-21-17:39:13'
CLI timestamp set to: '%m-%d-%T'
Release Information

show cli | 425
422
set date
IN THIS SECTION
Syntax | 422
Description | 422
Options | 422
Sample Output | 423
Syntax
set date (date-time | ntp <ntp-server> <key key> <source-address source-address>)
Description
Set the date and time.
user@host> set date ntp

21 Apr 17:22:02 ntpdate[3867]: step time server 172.17.27.46 offset 8.759252 sec
Options
• date-time—Specify date and time in one of the following formats:
• YYYYMMDDHHMM.SS
• “month DD, YYYY HH:MM(am | pm)”

423
• ntp—Configure the router to synchronize the current date and time setting with a Network Time
Protocol (NTP) server.
NOTE: In Junos OS Evolved, if the ntpd server is running, the set date ntp command fails with
the following error message: error: ntpd is already running. To use this command, you must first
stop the ntpd server
• ntp-server—(Optional) Specify the IP address of one or more NTP servers.
• key key—Configure the key to authenticate the NTP server.
• source-address source-address—(Optional) Specify the source address that is used by the router to
contact the remote NTP server.
view
Sample Output
set date ntp (Junos OS)

22 Jun 10:07:48 ntpdate[51123]: step time server 66.129.255.62 offset -0.013200 sec
set date ntp (Junos OS Evolved)

-------------------------------
node: re0
-------------------------------
error: ntpd is already running
424
Release Information
Setting the Date and Time Locally
show
IN THIS SECTION
Syntax | 424
Description | 424
Options | 425
Syntax
show <statement-path> <identifier>
Description
Display the current configuration.

425
Options
none—Display the entire configuration at the current hierarchy level.
identifier—(Optional) Display the configuration for the specified identifier.
statement-path—(Optional) Display the configuration for the specified statement hierarchy path.
Release Information

show cli
IN THIS SECTION
Syntax | 426
426
Description | 426
Options | 426
Output Fields | 426
Sample Output | 427
Syntax
show cli
Description
Display configured CLI settings.
Options
view
Output Fields
Table 17 on page 427 lists the output fields for the show cli command. Output fields are listed in the
approximate order in which they appear.
427
Table 17: show cli Output Fields
Field Name Field Description
CLI complete-on-space Capability to complete a partial command entry when you type a space or a tab: on or
off.
CLI idle-timeout Maximum time that an individual session can be idle before the user is logged out from
the router or switch. When this feature is enabled, the number of minutes is displayed.
Otherwise, the state is disabled.
CLI restart-on-upgrade CLI is set to prompt you to restart the router or switch after upgrading the software: on
or off.
CLI screen-length Number of lines of text that the terminal screen displays.
CLI screen-width Number of characters in a line on the terminal screen.
CLI terminal Terminal type.
CLI is operating in Mode: enhanced.
CLI timestamp Date and time format for the timestamp. If the timestamp is not set, the state is
disabled.
CLI working directory Pathname of the working directory.
Sample Output
show cli
user@host> show cli

CLI complete-on-space set to on
CLI idle-timeout disabled
428
CLI restart-on-upgrade set to on

CLI screen-length set to 47
CLI screen-width set to 132
CLI terminal is 'vt100'
CLI is operating in enhanced mode
CLI timestamp disabled
CLI working directory is '/var/tmp'
Release Information

show cli authorization
IN THIS SECTION
Syntax | 429
Description | 429
Options | 429
Output Fields | 429
Sample Output | 432

429
Syntax
Description
Display the permissions for the current user.
Options
view
Output Fields
Table 18 on page 429 lists the output fields for the show cli authorization command. In the table, all
possible permissions are displayed and output fields are listed in alphabetical order.
Table 18: show cli authorization Output Fields
access Can view access configuration information.
access-control Can modify access configuration.
admin Can view user account information.

430
Table 18: show cli authorization Output Fields (Continued)
admin-control Can modify user account information.
clear Can clear learned network information.
configure Can enter configuration mode.
control Can modify any configuration.
edit Can edit configuration files.
field Reserved for field (debugging) support.
firewall Can view firewall configuration information.
firewall-control Can modify firewall configuration information.
floppy Can read from and write to removable media.
flow-tap Can view flow-tap configuration information.
flow-tap-control Can configure flow-tap configuration information.
idp-profiler-operation Can configure Profiler data.
interface Can view interface configuration information.
interface-control Can modify interface configuration information.
maintenance Can perform system maintenance.

431
network Can access the network by entering the ping, ssh, telnet, and traceroute
commands.
pgcp-session-mirroring Can view Packet Gateway Control Protocol session mirroring configuration.
pgcp-session-mirroring-control Can modify Packet Gateway Control Protocol session mirroring configuration
all-control.
reset Can reset or restart interfaces and system processes.
rollback Can roll back to previous configurations.
routing Can view routing configuration information.
routing-control Can modify routing configuration information.
secret Can view passwords and authentication keys in the configuration.
secret-control Can modify passwords and authentication keys in the configuration.
security Can view security configuration information.
security-control Can modify security configuration information.
shell Can start a local shell.
snmp Can view SNMP configuration information.
snmp-control Can modify SNMP configuration information.

432
system Can view system configuration information.
system-control Can modify system configuration information.
trace Can view trace file settings information.
trace-control Can modify trace file settings information.
view Can view current values and statistics.
view-configuration Can view all configuration information (not including secrets).
Sample Output
user@host> show cli authorization

Current user: 'remote' login: 'user' class ''
Permissions:
admin -- Can view user accounts
admin-control-- Can modify user accounts
clear -- Can clear learned network information
configure -- Can enter configuration mode
control -- Can modify any configuration
edit -- Can edit full files
field -- Special for field (debug) support
floppy -- Can read and write from the floppy
interface -- Can view interface configuration
interface-control-- Can modify interface configuration
network -- Can access the network
reset -- Can reset/restart interfaces and daemons
433
routing -- Can view routing configuration

routing-control-- Can modify routing configuration
shell -- Can start a local shell
snmp -- Can view SNMP configuration
snmp-control-- Can modify SNMP configuration
system -- Can view system configuration
system-control-- Can modify system configuration
trace -- Can view trace file settings
trace-control-- Can modify trace file settings
view -- Can view current values and statistics
maintenance -- Can become the super-user
firewall -- Can view firewall configuration
firewall-control-- Can modify firewall configuration
secret -- Can view secret configuration
secret-control-- Can modify secret configuration
rollback -- Can rollback to previous configurations
security -- Can view security configuration
security-control-- Can modify security configuration
access -- Can view access configuration
access-control-- Can modify access configuration
view-configuration-- Can view all configuration (not including secrets)
flow-tap -- Can view flow-tap configuration
flow-tap-control-- Can configure flow-tap service
Individual command authorization:
Allow regular expression: none
Deny regular expression: none
Allow configuration regular expression: none
Deny configuration regular expression: none
Release Information

434
show cli directory
IN THIS SECTION
Syntax | 434
Description | 434
Options | 434
Syntax
show cli directory
Description
Display the current working directory.
user@host> show cli directory

Current directory: /var/home/user
Options

435
view
Release Information
show cli history
IN THIS SECTION
Syntax | 435
Description | 436
Options | 436
Syntax
show cli history

<count>
436
Description
Display a list of previous CLI commands.
user@host> show cli history

11:14:14 -- show arp
11:22:10 -- show cli authorization
11:27:12 -- show cli history
Options
none Display all previous CLI commands.
count (Optional) Maximum number of commands to display.
view
Release Information
show configuration
IN THIS SECTION
Syntax | 437
437
Description | 437
Options | 437
Output Fields | 439
Sample Output | 439
Syntax
show configuration
<statement-path>
Description
Display the configuration that currently is running on the router or switch, which is the last committed
configuration.
Options
none Display the entire configuration.
statement- (Optional) Display one of the following hierarchies in a configuration. (Each statement-path
path option has additional suboptions not described here. See the appropriate user guide or
EX Series switch documentation for more information.)
• access—Network access configuration.
• access-profile—Access profile configuration.
• accounting-options—Accounting data configuration.

438
• applications—Applications defined by protocol characteristics.
• apply-groups—Groups from which configuration data is inherited.
• chassis—Chassis configuration.
• chassis network-services—Current running mode.
• class-of-service—Class-of-service configuration.
• diameter—Diameter base protocol layer configuration.
• ethernet-switching-options—(EX Series switch only) Ethernet switching configuration.
• event-options—Event processing configuration.
• firewall—Firewall configuration.
• forwarding-options—Options that control packet sampling.
• groups—Configuration groups.
• interfaces—Interface configuration.
• jsrc—JSRC partition configuration.
• jsrc-partition—JSRC partition configuration.
• logical-systems—Logical system configuration.
• poe—(EX Series switch only) Power over Ethernet configuration.
• policy-options—Routing policy option configuration.
• protocols—Routing protocol configuration.
• routing-instances—Routing instance configuration.
• routing-options—Protocol-independent routing option configuration.
• security—Security configuration.
• services—Service PIC applications configuration.
• snmp—Simple Network Management Protocol configuration.
• system—System parameters configuration.

439
• virtual-chassis—(EX Series switch only) Virtual Chassis configuration.
• vlans—(EX Series switch only) VLAN configuration.
The portions of the configuration that you can view depend on the user class that you belong to and the
corresponding permissions. If you do not have permission to view a portion of the configuration, the
text ACCESS-DENIED is substituted for that portion of the configuration. If you do not have permission to
view authentication keys and passwords in the configuration, because the secret permission bit is not set
for your user account, the text SECRET-DATA is substituted for that portion of the configuration. If an
identifier in the configuration contains a space, the identifier is displayed in quotation marks.
Likewise, when you issue the show configuration command with the | display set pipe option to view the
configuration as set commands, those portions of the configuration that you do not have permissions to
view are substituted with the text ACCESS-DENIED.
view
Output Fields
This command displays information about the current running configuration.
Sample Output
show configuration

## Last commit: 2006-10-31 14:13:00 PST by user1 version "8.2I0 [userb]"; ## last changed:
2006-10-31 14:05:53 PST
system {
440
host-name exhost;
domain-name ex1.net;
time-zone America/Los_Angeles;
default-address-selection;
name-server {
192.0.2.254;
192.0.2.249;
192.0.2.176;
}
services {
telnet;
}
tacplus-server {
10.2.3.4 {
secret /* SECRET-DATA */;
...
}
}
}
interfaces {
...
}
protocols {
isis {
export "direct routes";
}
}
policy-options {
policy-statement "direct routes" {
then accept;
}
}
show configuration policy-options
user@host> show configuration policy-options

policy-options {
policy-statement "direct routes" {
441
then accept;
}
}
Release Information

show | display inheritance
IN THIS SECTION
Syntax | 441
Description | 442
Options | 442
Output Fields | 442
Sample Output | 442
Syntax
show | display inheritance <brief | defaults | no-comments | terse>

442
Description
Show the inherited configuration data and information about the source group from which the
configuration has been inherited. Show interface ranges configuration data in expanded format and
information about the source interface-range from which the configuration has been expanded
Options
brief Display brief output for the command.
defaults Display the defaults that have been applied to the configuration.
no-comments Display configuration information without in-line comments marked with ##.
terse Display terse output with inheritance details as an in-line comment.
view
Output Fields
Sample Output
show system login class readonly | display inheritance
user@host#show system login class readonly | display inheritance

443
##
## 'interface' was inherited from group 'global'
## 'network' was inherited from group 'global'
## 'routing' was inherited from group 'global'
## 'system' was inherited from group 'global'
## 'trace' was inherited from group 'global'
## 'view' was inherited from group 'global'
##
permissions [ interface network routing system trace view ];
show system login class readonly | display inheritance brief
user@host#show system login class readonly | display inheritance brief
## 'interface' was inherited from group 'global'

## 'network' was inherited from group 'global'
## 'routing' was inherited from group 'global'
## 'system' was inherited from group 'global'
## 'trace' was inherited from group 'global'
## 'view' was inherited from group 'global'
show system ports | display inheritance defaults
user@host# show system ports | display inheritance defaults
## 'console' was inherited from group 'junos-defaults'

## 'vt100' was inherited from group 'junos-defaults'
## console type vt100;
show system login class readonly | display inheritance no-comments
user@host# show system login class readonly | display inheritance no-comments

444
show system login class readonly | display inheritance terse
user@host# show system login class readonly | display inheritance terse

permissions [ interface network routing system trace view ]; ## inherited from group 'global';
inherited from group 'global'; inherited from group 'global'; inherited from group 'global';
inherited from group 'global'; inherited from group 'global'
Release Information
show | display omit
IN THIS SECTION
Syntax | 444
Description | 445
Syntax
show | display omit

445
Description
Display configuration statements (including those marked as hidden by the apply-flags omit configuration
statement).
user@host# show | display omit

system {
apply-flags omit;
login {
message lengthy-login-message;
}
}
Following is an example that shows how to set omit:
user@host#set system apply-flags omit

[edit]
user@host# commit
commit complete
view
Release Information
show | 424
446
show | display set
IN THIS SECTION
Syntax | 446
Description | 446
Options | 446
Sample Output | 447
Syntax
show | display set <explicit>
Description
Display the configuration as a series of configuration mode commands required to re-create the
configuration from the top level of the hierarchy as set commands.
Options
explicit Display explicitly, as a series of commands, all the configurations that the system internally
creates when you configure certain statements from the top level of the hierarchy.
For example, assume you issue the set interfaces ge-0/0/0.0 family inet configuration mode
command. You then show the resulting configuration with the show interfaces ge-0/0/0 | display
set command. The output displays the same set command you entered. If you include the
explicit argument, the output also shows the configuration statements needed to create the
447
hierarchy where the family inet statement is specified. Specifically for this example, the output
therefore includes the set interfaces ge-0/0/0 unit 0 statement in addition to the set interfaces
ge-0/0/0.0 family inet statement.
view
Sample Output
Sample output for the show | display set and show | display set <explicit> commands:
command-name

set interfaces ge-0/0/0 unit 0 family inet address 10.0.1.254/24

user@host# show | display set | explicit
set interfaces ge-0/0/0 unit 0 family inet address 10.0.1.254/24
set interfaces ge-0/0/0 unit 0 family inet
set interfaces ge-0/0/0 unit 0
Release Information
Option explicit command introduced in Junos OS Release 20.1R1.
show | 424
448
show | display set relative
IN THIS SECTION
Syntax | 448
Description | 448
Options | 448
Sample Output | 449
Syntax
show | display set relative <explicit>
Description
Display the configuration as a series of configuration mode commands required to re-create the
configuration from the current hierarchy level.
Options
explicit Display explicitly, as a series of commands, all the configurations that the system internally
creates when you configure certain statements from the current hierarchy level.
449
view
Sample Output
Sample output for the show | display set relative <explicit> command:
command-name
[edit interfaces fe-0/0/0]

user@host# show
unit 0 {
family inet {
address 192.107.1.230/24;
}
family iso;
family mpls;
}
inactive: unit 1 {
family inet {
address 10.0.0.1/8;
}
}
user@host# show | display set relative
deactivate unit 1
user@host# show | display set relative explicit
set unit 0 family inet
set unit 0
450
set unit 1 family inet

deactivate unit 1
Release Information
Option explicit command introduced in Junos OS Release 20.1R1.
show groups junos-defaults
IN THIS SECTION
Syntax | 450
Description | 451
Syntax
show groups junos-defaults

451
Description
Display the full set of available preset statements from the defaults group.
user@host# show groups junos-defaults

groups {
junos-defaults {
applications {
# File Transfer Protocol
application junos-ftp {
protocol tcp;
}
# Trivial File Transfer Protocol
application junos-tftp {
application-protocol tftp;
protocol udp;
}
# RPC port mapper on TCP
application junos-rpc-portmap-tcp {
application-protocol rpc-portmap;
protocol tcp;
}
# RPC port mapper on UDP
}
}
}
view
452
Release Information
Using Defaults Groups
show system commit
IN THIS SECTION
Syntax | 452
Description | 452
Options | 453
Output Fields | 453
Sample Output | 455
Syntax
show system commit

<revision | server | synchronize-server pending-jobs | include-configuration-revision>
Description
Display the system commit history and pending commit operations.

453
Options
none Display the last 50 commit operations on the static configuration database,
starting with the most recent.
revision (Optional) Display the revision number of the active configuration of the Routing
Engine(s).
server (Optional) Display the commit server status.
NOTE: By default, the status of the commit server is “Not running”. The
commit server starts running only when a commit job is added to the batch.
synchronize-server (Optional) Display the pending commit synchronize operations for all instances of
pending-jobs the ephemeral configuration database on an MX Series Virtual Chassis or a device
with dual Routing Engines. This option can only be executed on the primary
Routing Engine of the Virtual Chassis primary router or the dual Routing Engine
system.
include- (Optional) Display configuration revision information including the revision

configuration- identifier string for each commit record.
revision
view
Output Fields
Table 19 on page 454 describes the output fields for the show system commit command. Output fields are
listed in the approximate order in which they appear.
454
Table 19: show system commit Output Fields
Field Name Field Description Level of

Output
<number> Displays the last 50 commit operations listed, most recent to first. The identifier none
<number> designates a configuration created for recovery using the request system
configuration rescue save command.
<time-stamp> Date and time of the commit operation. none
<root>/ User who executed the commit operation. none

<username>
<method> Method used to execute the commit operation: none
• CLI—CLI interactive user performed the commit operation.
• Junos XML protocol—Junos XML protocol client performed the commit

operation.
• synchronize—The commit synchronize command was performed on the other

Routing Engine.
• snmp—An SNMP set request caused the commit operation.
• button—A button on the router or switch was pressed to commit a rescue

configuration for recovery.
• autoinstall—A configuration obtained through autoinstallation was

committed.
• other—When there is no login name associated with the session, the values for
user and client default to root and other. For example, during a reboot after
package installation, mgd commits the configuration as a system commit, and
there is no login associated with the commit.
455
Sample Output
show system commit

0 2003-07-28 19:14:04 PDT by root via other
1 2003-07-25 22:01:36 PDT by user via cli
3 2003-07-25 21:30:13 PDT by root via button
5 2003-07-25 05:33:21 PDT by root via autoinstall
...
rescue 2002-05-10 15:32:03 PDT by root via other
show system commit (At a Particular Time)

commit requested by root via cli at Tue May 7 15:59:00 2002
show system commit (At the Next Reboot)

commit requested by root via cli at reboot
show system commit (Rollback Pending)

0 2005-01-05 15:00:37 PST by root via cli commit confirmed, rollback in 3mins
show system commit (QFX Series)
user@switch> show system commit

0 2011-11-25 19:17:49 PST by root via cli
456
show system commit synchronize-server pending-jobs
user@host> show system commit synchronize-server pending-jobs

Job Id Commit Synchronize Model Database Version
36 Asynchronous Commit ephemeral 130
show system commit include-configuration-revision
user@host> show system commit include-configuration-revision

0 2020-08-02 00:42:58 IST by user via cli re0-1596309177-4
3 2020-08-02 00:42:40 IST by user via other re0-1596309160-1
Release Information
Option server introduced in Junos OS Release 12.1 for the PTX Series router.
Option revision introduced in Junos OS Release 14.1.
Option synchronize-server introduced in Junos OS Release 17.2R1.
Option include-configuration-revision introduced in Junos OS Release 20.4R1 and Junos OS Evolved

Release 20.4R1.

show system commit revision
457
show system commit server queue
IN THIS SECTION
Syntax | 457
Description | 457
Options | 458
Sample Output | 458
Syntax

<id commit-id>
<job-status (all| error| pending| success)>
<patch (none | id commit-id) | (job-status (all | error | pending | success)>
Description
Display the status of commit server queue transactions.
NOTE: Only 50 successful commit jobs are stored in the database and displayed in the output.
When the fifty-first job is committed, the first job is deleted from the database and is no longer
displayed in the output.
458
Options
id commit-id (Optional) Display the batch commit operation status messages for a specific
commit ID.
job-status (Optional) Display batch commit operation status messages for the following
batch commit statuses:
• all—Status messages for all batch commit operations.
• error—Status messages for batch commit operations that have errors.
• pending—Status messages for batch commit operations that are pending.
• success—Status messages for batch commit operations that are successful.
patch (none | id (Optional) Display the patch file containing the configuration changes for all
commit-id) | job-status batch commit operations, a specific batch commit ID, or a specific job status.
(all |error | pending |
success)
view
Sample Output
user@host> show system commit server queue
Pending commits:
none
Completed commits:
Id: 1000
459
Id: 1002
Id: 1004
Id: 1007
Id: 1009
Id: 1010
Id: 1011
Error commits:
Id: 1008
show system commit server queue job-status success
user@host> show system commit server queue job-status success

Completed commits:
Id: 1000
Id: 1001
460

show system commit server queue patch
user@host> show system commit server queue patch

Pending commits:
none
Completed commits:
Id: 1000
Patch:
+ server {
+ days-to-keep-error-logs 4294967295;
+ traceoptions {
+ file commitd_nov;
+ flag all;
+ }
+ }
Id: 1002
Patch:
- days-to-keep-error-logs 4294967295;
Id: 1004
Patch:
Id: 1007
461
Patch:
- days-to-keep-error-logs 4294967295;
Id: 1009
Patch:
[edit]
+ snmp {
+ community abc;
+ }
Id: 1010
Patch:
file test { ... }
+ file j {
+ any any;
+ }
Id: 1011
Error commits:
Id: 1008
Patch:
[edit system]
+ radius-server {
+ 10.1.1.1 port 222;
+ }
462
Release Information
show system commit server status
IN THIS SECTION
Syntax | 462
Description | 462
Options | 463
Sample Output | 463
Syntax
show system commit server status
Description
Display commit server status.

463
NOTE: By default, the status of the commit server is “Not running”. The commit server starts
running only when a commit job is added to the batch.
Options
view
Sample Output
show system commit server status (When Server Is Inactive)
user@host> show system commit server status

Commit server status : Not running
show system commit server status (When Server Is Active)
user@R0> show system commit server status
Commit server status : Running

Jobs in process:
1369 1370 1371
464
Release Information
show system configuration archival
IN THIS SECTION
Syntax | 464
Description | 464
Options | 465
Sample Output | 465
Syntax
Description
Display directory and number of files queued for archival transfer.

465
Options
maintenance
Sample Output
user@host> show system configuration archival
/var/transfer/config/:
total 8
Release Information
Introduced in Junos OS Release 7.6.

466
show system configuration rescue
IN THIS SECTION
Syntax | 466
Description | 466
Options | 466
Sample Output | 467
Syntax
Description
Display a rescue configuration, if one exists.
Options

467
maintenance
Sample Output
user@switch> show system configuration rescue

version "7.3"; groups {
global {
system {
host-name router1;
domain-name customer.net;
domain-search [ customer.net ];
name-server {
192.0.2.11;
192.0.2.101;
192.0.2.100;
192.0.2.10;
}
login {
user user1 {
uid 928;
class ;
shell csh;
authentication {
encrypted-password "$ABC123"; ## SECRET-DATA
}
}
}
services {
ftp;
rlogin;
rsh;
telnet;
}
}
468
}
....
Release Information
show system rollback
IN THIS SECTION
Syntax | 468
Description | 469
Options | 469
Sample Output | 469
Syntax
show system rollback number

<compare number | configuration-revision>
469
Description
This command displays the contents of a previously committed configuration, or the differences
between two previously committed configurations.
The show system rollback command is an operational mode command and cannot be issued with run from
configuration mode.
Options
number Number of a configuration to view. The output displays the configuration. The
range of values is 0 through 49.
compare number (Optional) Number of another previously committed (rollback) configuration to

compare to rollback number. The output displays the differences between the two
configurations. The range of values is 0 through 49.
configuration- (Optional) Display corresponding configuration revision for this rollback number.
revision
view
Sample Output
show system rollback compare
user@host> show system rollback 3 compare 1

[edit]
+ interfaces {
+ ge-1/1/1 {
+ unit 0 {
+ family inet {
+ filter {
+ input mf_plp;
470
+ }
+ address 10.1.1.1/10;
+ }
+ }
+ }
+ ge-1/2/1 {
+ unit 0 {
+ family inet {
+ filter {
+ input mf_plp;
+ }
+ address 10.1.1.1/10;
+ }
+ }
+ }
+ ge-1/3/0 {
+ unit 0 {
+ family inet {
+ filter {
+ input mf_plp;
+ }
+ address 10.1.1.1/10;
+ }
+ }
+ }
+}
show system rollback configuration-revision
user@host> show system rollback 0 configuration-revision

The corresponding configuration revision is: re0-1596379942-3
Release Information
Option configuration-revision introduced in Junos OS Release 20.4R1 and Junos OS Evolved Release
20.4R1.
471
status
IN THIS SECTION
Syntax | 471
Description | 471
Options | 471
Syntax
status
Description
Display the users currently editing the configuration.
Options
configure—Enters status configuration mode.

472
Release Information
test configuration
IN THIS SECTION
Syntax | 472
Description | 473
Options | 473
Output Fields | 473
Sample Output | 473
Syntax
test configuration filename

syntax-only
473
Description
Verify that the syntax of a configuration file is correct. If the configuration contains any syntax or
commit check errors, a message is displayed to indicate the line number and column number in which
the error was found. When using the filename option, this command only accepts text files.
Options
filename Name of the configuration file. This file must be a text file and no other type.
syntax-only (Optional) Check the syntax of a partial configuration file, without checking for commit
errors.
view
Output Fields
Sample Output
test configuration
user@host> test configuration terminal

[Type ^D to end input]
system {
host-name host;
test1;
login;
}
474
terminal:3:(8) syntax error: test

[edit system]
'test;'
syntax error
terminal:4:(11) statement must contain additional statements: ;
[edit system login]
'login ;'
statement must contain additional statements
configuration syntax failed
Release Information
syntax-only option introduced in Junos OS Release 12.1.
top
IN THIS SECTION
Syntax | 474
Description | 475
Options | 475
Syntax
top <configuration-command>
475
Description
Return to the top level of configuration command mode, which is indicated by the [edit] banner.
Options
configuration-command (Optional) Issue configuration mode commands from the top of the hierarchy.
Release Information

exit | 348
up | 477
unprotect
IN THIS SECTION
Syntax | 476
Description | 476
476
Options | 476
Syntax
unprotect (hierarchy | statement | identifier)
Description
Unprotect a protected hierarchy, configuration statement, or an identifier, so that it can be modified or

deleted.
Options
hierarchy (Optional) Unprotect a specific protected hierarchy.
statement (Optional) Unprotect a specific protected statement.
identifier (Optional) Unprotect a specific protected identifier.
477
Release Information
protect | 363
top | 474
up | 477
up
IN THIS SECTION
Syntax | 477
Description | 477
Options | 478
Syntax
up <number> <configuration-command>
Description
Move up one level in the statement hierarchy.

478
Options
none Move up one level in the configuration hierarchy.
configuration- (Optional) Issue configuration mode commands from a location higher in the
command hierarchy.
number (Optional) Move up the specified number of levels in the configuration

hierarchy.
Release Information

exit | 348
top | 474
update
IN THIS SECTION
Syntax | 479
Description | 479
479
Options | 479
Syntax
update
Description
Update private candidate configuration with a copy of the most recently committed configuration,
including your private changes.
NOTE: The update command is available only when you are in configure private mode.
Options
Release Information

480
wildcard delete
IN THIS SECTION
Syntax | 480
Description | 480
Options | 481
Syntax
wildcard delete <statement-path> <identifier> <regular-expression>
Description
Delete a statement or identifier. All subordinate statements and identifiers contained within the
Deleting a statement or an identifier effectively “unconfigures” or disables the functionality associated

with that statement or identifier.
If you do not specify statement-path or identifier, the entire hierarchy starting at the current hierarchy
level is removed.
481
Options
identifier (Optional) Name of the statement or identifier to delete.
regular- (Optional) The pattern based on which you want to delete multiple items. When you
expression use the wildcard command to delete related configuration items, the regular-
expression must be the final statement.
statement-path (Optional) Path to an existing statement or identifier. Include this if the statement or
identifier to be deleted is not at the current hierarchy level.
configure—To enter configuration mode. Other required privilege levels depend on where the statement
is located in the configuration hierarchy.
Release Information

CLI User Guide For Junos OS

Uploaded by

Copyright:

Available Formats

CLI User Guide For Junos OS

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CLI User Guide For Junos OS

Uploaded by

Copyright:

Available Formats

Junos® OS

CLI User Guide for Junos OS

Juniper Networks, Inc.

Junos® OS CLI User Guide for Junos OS

YEAR 2000 NOTICE

END USER LICENSE AGREEMENT

Introducing the Command-Line Interface | 3

CLI Modes, Commands, and Statement Hierarchies—An Overview | 5

Other Tools to Configure and Monitor Juniper Networks Devices | 7

Configure Junos OS in a FIPS Environment | 7

Get Started with the Command-Line Interface | 10

Switch Between Operational Mode and Configuration Mode | 12

Use Keyboard Sequences to Navigate and Edit the CLI | 14

Configure a User Account on a Juniper Networks Device | 16

Use the CLI Editor in Configuration Mode | 19

Check the Status of a Juniper Networks Device | 22

Roll Back Configuration Changes | 25

Configure a Routing Protocol | 27

Make Changes to a Routing Protocol Configuration | 31

Online Help in the CLI | 35

Get Online Help from the Command-Line Interface | 35

CLI Online Help Features | 39

CLI Explorer Overview | 41

CLI Environment Settings | 42

Customize the CLI Environment | 42

Set the CLI Screen Length and Width | 46

Enable Configuration Breadcrumbs | 47

3 Using Configuration Statements to Configure a Device

Understanding CLI Configuration Mode | 51

Enter and Exit CLI Configuration Mode | 58

Relative Configuration Mode Commands | 61

Command Completion in Configuration Mode | 61

Notational Conventions Used in Configuration Hierarchies | 64

Overview of the Configure Command | 65

Forms of the configure Command | 65

How to Use the configure Command | 67

How to Use the configure exclusive Command | 68

How to Work with the Correct Configuration | 71

Modify the Configuration of a Device | 71

Display Users Currently Editing the Configuration | 72

How to Modify the Juniper Networks Device Configuration | 73

How to Add Configuration Statements and Identifiers | 74

How to Delete a Statement from a Device Configuration | 76

Example: Delete a Statement from the Device Configuration | 79

Copy a Statement in the Configuration | 81

Example: Copy a Statement in the Configuration | 81

Example: Replace a Configuration | 85

Insert a New Identifier in a Device Configuration | 92

Example: Insert a New Identifier in a Device Configuration | 92

Deactivate and Reactivate Statements and Identifiers in a Device Configuration | 97

Example: Deactivate and Reactivate Statements and Identifiers in a Device Configuration | 98

How to Make Global Changes in the Device Configuration | 100

Common Regular Expressions to Use with the replace Command | 101

Example: Global Replace in a Device Configuration—Replacing an Interface Name | 106

Example: Global Replace in a Device Configuration—the upto Option | 109

Add Comments in a Device Configuration | 112

Add Comments in the CLI | 112

Add Comments in a File | 113

Example: Include Comments in a Device Configuration by Using the CLI | 114