<!--StartFragment-->
One of my longtime gripes about IOS is that when you type a new statement to the CLI and hit return, the statement immediately becomes active on the router. For someone as mistake-prone as me, this is a big risk. And given that the majority of network problems are due to human error rather than hardware and software failures, it is a risk for everyone.
This can also be a problem when you’re making extensive configuration changes. Having those changes take effect one statement at a time can introduce all sorts of transient conditions.
The Candidate Configuration and Explicit Commits
This leads, in contrast, to one of my favorite JUNOS features: When you make a configuration change, the change does not take effect immediately. Instead, it goes into a candidate configuration file. You can make as many configuration additions, deletions, and changes as you like, and none of them become active on the router until you enter a commit command. That command causes the candidate configuration to become the active configuration.
The candidate configuration and explicit commit help tremendously in reducing the number of simple human errors that plague day-to-day network operations. You can make all your changes, check them as many times as you like during the configuration process, and only commit them when you are ready and are sure the changed configuration looks right.
Rollback
Of course there’s still the chance that after you commit the candidate configuration the result is not what you expected, and you want to get back to an earlier configuration. You can do that in JUNOS because when you do a commit and the candidate configuration becomes the active configuration, the previous configuration is saved to a hard disk on the router.
So if you want to get back to a previous configuration, you can enter the rollback 1 command and the most recently saved configuration becomes the candidate configuration. You can then make that previous configuration active again by entering commit.
JUNOS saves the last 49 configuration files. When you commit a new configuration, the old active configuration is saved as juniper.conf.1. What was juniper.conf.1 becomes juniper.conf.2, what was juniper.conf.2 becomes juniper.conf.3, and so on. So if you want to go back to some config older than the most recently saved one, you can do that. For example if you enter rollback 3, juniper.conf.3 – the configuration that was active before the last three commits – is loaded back into the candidate configuration.
<!--StartFragment-->
Click here for an illustration of how these commands interact.
Commit Confirmed
Suppose that despite all your efforts to insure your new configuration is correct before you commit it, something is overlooked and when you commit, you are locked out of the router.
Rather than just a simple commit, you can make the candidate configuration active with a commit confirmed command. With this command, the router waits 10 minutes for a second commit. If it does not receive that confirming command within those 10 minutes, the router automatically does a rollback and commit so that the previous configuration becomes active again.
The commit confirmed command can be such a lifesaver, I recommend forming the habit of using it rather than a simple commit in all cases.
You can change the default time that JUNOS waits for a confirming commit, by the way, to between 1 and 65,535 minutes. If for instance, you want the router to wait only 3 minutes for a confirmation, you can enter commit confirmed 3.
Save and Load
The candidate configuration is also a great feature for making maintenance windows go faster. Say you need to make changes to 10 routers at a 2AM scheduled maintenance. You can make the changes ahead of time in the candidate configuration file, and then save the file under whatever name you want either on the router’s hard drive or to an external server.
When it’s time to perform the maintenance, you can load the saved configuration back to the candidate config and commit it.
For example if you make a pre-maintenance configuration change and want to save it as Juniper3_10August_Change, you enter save Juniper3_10August_Change.
After the save, it’s a good idea to do a rollback 0. This causes a copy of the currently active configuration (juniper.conf.0) to be entered as the candidate configuration, thus avoiding a situation in which someone else might log into the router and commit your changes before the intended time.
Note that if you are at the top of the configuration hierarchy, as indicated by [edit], the entire configuration is saved. If you are at some lower level when you issue the save command, only the part of the configuration at that level is saved. For example, if you are at [edit protocols bgp], only the BGP configuration is saved.
When you are ready to make the configuration changes permanent, you load the saved configuration back to the candidate configuration file with – logically enough—the load command. This command has several options, depending on how you want to use the file you are loading:
· load override completely replaces the current candidate configuration with the file you are loading. So if you saved a complete configuration, this is the option to use.
· load merge adds the saved file to the existing candidate configuration. This is useful if you are adding new configuration sections; for example, if you are adding a BGP configuration to the [edit protocols] level, where there was no BGP configuration before.
· load update compares the candidate configuration and the file you are loading, and only changes the parts of the candidate configuration that are different from the new configuration. You would use this, for example, if there is an existing BGP configuration and the file you are loading changes it in some way.
· load replace looks for replace: tags that you added to the loaded file, and replaces the parts of the candidate configuration with whatever is specified after the tag. This is useful when you want more control over exactly what is being changed.
After the load operation, you can check the new candidate configuration to insure it shows the changes you want, and then commit it.
There’s an alternative approach to the operation I just described. You can make your changes to the candidate configuration and then use the command commit at, specifying an the hour and minute later on the same day, or specifying some later date, hour, and minute. For example, I could type commit at 2008-09-21 02:30:00 and the commit will not happen until 2:30 AM on September 21, 2008 (assuming that time is in the future, according to the router’s date and time).
Personally I don’t like this command; it leaves too much to automation. I prefer saves and loads, which gives more control of the operation. Your own preferences may differ, however.
There are several other JUNOS CLI features that help reduce operational mistakes, and I’ll cover those in the next post.
<!--EndFragment-->
Jeff Doyle is president of Jeff Doyle and Associates, an IP network consultancy. Jeff is the author of Routing TCP/IP, Volumes I (read an excerpt) and II and of OSPF and IS-IS: Choosing an IGP for Large-Scale Networks. He is a frequent speaker on IPv6, MPLS, and large-scale routing.
The Leader in Network Knowledge
Jeff - Great Post! You
Jeff -
Great Post!
You touched on a lot of things I did not know about the configuration architecture.
I feel the same way, we recently phased out our juniper routers and this is one thing about JUNOS I will surely miss.
Sure we have configuration management tools in place to easily roll back a config, but its not the same. There is still the time in between noticing the error, logging in to the management interface and deploying the last saved config.
-Christian
Don't forget
Maybe this will be covered in the next article, but 'configure exclusive' and 'configure private', two other configure features, have saved my butt on more than one occasion.
'configure exclusive' is nice if you are in the middle of a maintenance and don't want anyone else to make changes to the config that might conflict or override yours. It locks the configuration so no one can commit until you log out of configure mode.
'configure private' is even neater - say you're working on making some changes, but others also need to make changes. This happens frequently in our NOC where support techs need to make minor interface changes to bring up new circuits and such. I can't really lock them out of the config, so I 'configure private' and my configuration changes get put into a private file that does not get merged into the current configuration until I perform my own commit.
Re: Don't Forget
Hi,
Great points! I hope others will chime in to mention some of their favorite JUNOS commands.
--Jeff
show | compare
Hi Jeff,
My favourite command would have to be 'show | compare', I use this before every commit.
I find the 'show | compare' command useful because it only shows the parts of the config the i'm adding or removing when compared to the active config.
-Jason
Hello,jeff
Hello jeff,first of all,I am a Chinese,so my english is not very well.Now, I am reading your books(Routing TCP/IP Volume 1,second Edition),this book is very good and I have a problem that I can't buy the becasue the book has been out of print for several years.I really want to buy this book,and will it be published again?I wait your reply,please send Email to me: ,thanks
Doesn't IOS XR match up to JUNOS ?
Jeff,
I haven't used JUNOS and do understand the vulnerability of IOS as you mentioned, but doesn't IOS XR do a better job in terms of the user needing to commit before any config change is applied. How does XR stack up against JUNOS?
PS: BTW, JUNOS really sounds cool. Great post. Many thanks !!!
IOS XR is a recent
IOS XR is a recent introduction from Cisco and it seems to be influenced by JUNOS. We're an all Cisco shop but we started looking into Juniper recently. First of all, the experience with going from IOS to JUNOS reminds me of moving from Microsoft DOS to Unix in terms of flexibility, stability and security. I see now why our Cisco reps get incensed when we mention Juniper. One of the many standout features we saw with JUNOS is the config checking. In the Cisco world, OS updates come out fairly frequently due to security vulnerabilities and we evaluate each release based on what feature or command is affected. Sometimes we're not affected at that point in time so we skip the update saving a potential upgrade outage but potentially down the road we might enable the affected feature or command and overlook a security issue. This is where the config checking helps where it flags the command you're about to apply with a reference to the vulnerability. Ironically, this is more useful for Cisco since Juniper seems to have fewer vulnerabilities in general due to a better unix OS versus monolithic MS-DOS like OS of IOS.
IOS XR
Santhosh,
In answer to your question, yes, IOS XR does a much better job. IOS XR runs on both the CRS and the 12000 and for both there are commits, rollbacks, etc.. etc.
Cisco also started putting config rollback capabilities into IOS back in 12.3(7)T and 12.2(25)S.
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtrollbk.html
it has no value
It has no value,, if it comes from a Juniper Staff.
Regards!!!
Huh?
I have no idea what this means. Can you elaborate?
--Jeff