hon@hon.one 3 years ago
Parent
Current commit
00f5dfe00a
2 files changed, 79 insertions and 8 deletions
  1. config/network/juniper-junos-general.md (+49 -5)
  2. config/network/juniper-junos-switches.md (+30 -3)

+ 49 - 5
config/network/juniper-junos-general.md

@@ -62,7 +62,11 @@ breadcrumbs:
 - CLI settings:
     - Show: `show cli`
     - Enable timestamp for commands: `set cli timestamp`
-- Enter configuration mode (from op mode): `configure`
+- Enter configuration mode (from op mode): `configure {<omit>|exclusive|private}`
+    - By default, a shared config mode session is used where multiple users may edit the same candidate config. Be careful when committing in this mode to avoid accidentally applying changes from the other users.
+    - Specify `exclusive` to avoid having other users make changes in config mode at the same time.
+    - Specify `private` to start a separate/private config mode session, independent of other users. This is weird and rarely used.
+    - **TODO** Certain restrictions of committing for exclusive mode.
 - Exit any mode: `exit`
 - Show configuration:
     - From (op mode): `show configuration [statement]`
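Review bot: the `private` bullet dismisses the mode as "weird and rarely used" without saying how it changes what a `commit` applies, and the bullet after it is a bare **TODO** about exclusive-mode commit restrictions. Since the shared-mode bullet already warns that committing can apply other users' pending changes, the safety-relevant detail of this hunk is exactly how `exclusive` and `private` differ on commit; replace the opinion with the behaviour and resolve the TODO before merging, or at least keep the **TODO** out of the rendered list.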
@@ -74,6 +78,8 @@ breadcrumbs:
     - Show older config: `show system rollback <n>` (1 is the last etc.)
     - Compare active with older version: `show configuration | compare rollback <n>`
     - Compare two older versions: `show system rollback <n> compare <m>`
+    - Show details and defaults: `show configuration | display detail` (add `| except "##$"` to omit empty comment lines)
+    - Show with inherited properties from apply groups: `show | display inheritance`
 - Config files:
     - Revisions: The most recent are stored in `/config/`, the rest (up to some count) are stored in `/var/db/config/`.
     - Configs are gzip-compressed.
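Review bot: `show | display inheritance` on the second added line is config-mode syntax, but this list is headed by `From (op mode): show configuration [statement]` and the line above it uses the op-mode form `show configuration | display detail`; suggest `show configuration | display inheritance` here. The config-mode form is also added later in this same file under "Apply groups" (`show | display inheritance`), so one of the two copies is redundant.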
@@ -85,10 +91,44 @@ breadcrumbs:
     - Go up in context: `up` or `top`
     - Show configuration for current level: `show`
 - Perform operation on multiple interfaces or similar: `wildcard range set int ge-0/0/[0-47] unit 0 family ethernet-switching` (example)
-- Commit config changes: `commit [comment <comment>] [confirmed] [and-quit]`
-    - `confirmed` automatically rolls back the commit if it is not confirmed within a time limit.
+- Rename a config element: `rename <a> to <b>`
+- Move config element to before another element: `insert <b> before <b>`
+- Copy config element: `copy <a> to <b>`
+- Delete config element: `delete <element>`
+- Search and replace (global): `replace pattern <a> with <b>`
+- Add comment to element: `annotate <element> "<comment>"`
+- Deactivate element (instead of deleting it): `deactivate <element>`
+    - Use `activate <...>` to undo.
+- Prevent changes to element: `protect <element>`
+    - Use `unprotect` to undo.
+    - User privileges may be set such that certain users are not allowed to unprotect, as a sort of access control to certain config sections.
+- Hide section for `show configuration`: Set `apply-flags omit` inside the section
+    - Use `show configuration | display omit` to override and show omitted sections too.
+- Commit config changes:
+    - Commit candidate to active: `commit [comment <comment>] [confirmed <minutes>] [synchronize]`
+    - `confirmed` automatically rolls back the commit if it is not confirmed within a time limit. Run `commit check` (or `commit` to also create a new commit) to confirm changes and prevent rollback.
     - `and-quit` will quit configuration mode after a successful commit.
-- Delete all existing configuration while in config mode: `load override terminal`, then Ctrl+D.
+    - `synchronize` will apply the change to all REs. It can be configured as the default.
+    - Check without committing: `commit check`
+    - Use `at <time>` to commit at a later time. Use `commit check` first to avoid config errors when it happens.
+    - Rollback changes: Go to top level, `rollback <n>` (use `?` to show log), then commit
+    - Discard changes in candidate config: `rollback 0`
+- Apply groups:
+    - Apply groups are a form of object-oriented templating.
+    - The template/group are set under `groups <name>`.
+    - They may use wildcards like `<ge-*>` instead of `ge-0/0/0` etc.
+    - Apply the group to some section: `apply-groups <name>`
+    - Avoid inheriting the group in some child section: `apply-groups-except <name>`
+    - Local elements override the template.
+    - Show config with inherited properties: `show | display inheritance`
+- Apply path:
+    - Used to reference a value from another element, e.g. to reference a singly defined IP address instead of specifying it every time.
+    - Example: `set policy-options prefix-list RADIUS_SERVERS apply-path "system radius-server <*>"`
+- Load changes (from terminal typically):
+    - Load config section from terminal: `load merge terminal [relative]`, paste, `Ctrl+D` (`relative` for relative path)
+    - Load set format (`set`'s and `delete`'s etc.): `load set terminal`, etc.
+    - Load diff format (with config section, `+`'es and `-`'es etc.): `load patch terminal`, etc.
+    - Delete all existing configuration while in config mode: `load override terminal`, then `Ctrl+D` without typing anything.
 - Typical show command granularities (suffix):
     - `terse` (very brief)
     - `brief`
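Review bot: `insert <b> before <b>` on the "Move config element" line is a typo for `insert <a> before <b>` (the neighbouring element operations all use `<a>` and `<b>`). Separately, the rewritten commit synopsis `commit [comment <comment>] [confirmed <minutes>] [synchronize]` drops `and-quit`, yet the unchanged bullet right below still documents `and-quit`; add it back to the synopsis. The `rollback <n>` bullet correctly ends with "then commit", which is worth keeping explicit since `rollback 0` in the next bullet relies on the same candidate-only semantics.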
@@ -99,7 +139,7 @@ breadcrumbs:
     - Most stuff is logged in `/var/log/messages`
     - Some hardware stuff is logged in `/var/log/chassisd`.
     - Show other file: `show log <log>` (for file `/var/log/<log>`)
-    - Show entered commands: `show log interactive-commands`
+    - Show entered commands (if configured for syslog): `show log interactive-commands`
     - Show commit log: `show system commit`
     - Print log to console (tail-like): `monitor start` (stop with `monitor stop`)
 - Show stats or monitor traffic:
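Review bot: "(if configured for syslog)" on the `show log interactive-commands` line is vague for what is the device's audit trail of operator commands. Say what has to be configured (the switches file in this same commit mentions a syslog `file <file>` entry named `interactive-commands`) or point to that syslog section, so a reader knows why the file may be missing and how to get it.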
@@ -182,6 +222,10 @@ Wait for the "The operating system has halted." text before pulling the power, s
 - There are zero to three extra cumulative bug patches `R1` to `R3` (no suffix for the initial release).
 - Each release is supported for exactly three years.
 
+### Miscellanea
+
+- Set `system auto-snapshot` on single-flash devices to make them automatically rebuild the alternate partition in case of corruption.
+
 ## Tasks
 
 ### Reset Root Password
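Review bot: this new Miscellanea bullet duplicates the `system auto-snapshot` item left in the switches file's TODO list in this same commit ("(already added here)"); remove that entry from the TODO now that it lives here, so the two files do not drift.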

+ 30 - 3
config/network/juniper-junos-switches.md

@@ -32,6 +32,32 @@ breadcrumbs:
 
 ## Initial Setup
 
+**TODO** (some general info, some switch config info, move this to some appropriate place):
+
+- `request system storage cleanup` for cleanup of old files.
+- `system auto-snapshot` (already added here)
+- `system no-redirects`
+- `system arp aging-timer 5` (defaults to 20 minutes (on routers which run ARP), which is crazy) (MAC address timeout on switches however is 5 minutes) (may cause flooding when the router tries to forward traffic but the MAC address is timed out) (use 5 minutes to be compatible with MAC address timeout)
+- `system internet-options path-mtu-discovery` (allows BGP to use packets larger than the minimum)
+- Syslog:
+    - See nLogic slides.
+    - `user *` decides what to show in the terminal. `any emergency` shows very few messages.
+    - `host <hostname>` is used for remote logging. The DNS lookup is resolved only at commit time, so maybe use an IP address just for clarity.
+    - `file <file>` is used for log files (e.g. `messages` and `interactive-commands`).
+    - The `local[0-7]` facilities were conventionally used for different types of devices. Nowadays it doesn't normally provide any benefit.
+- User AAA:
+    - No "enable mode".
+    - `authentication-order [ radius ]` (example) (RADIUS timeouts still allow local passwords?)
+    - `login class <name> permissions <...>` for custom classes. `super-user` allows everything.
+    - Locally defined users are not required if RADIUS/TACACS is setup. Class etc. is fetched from RADIUS.
+- Config archival:
+    - See `system archival` with `transfer-on-commit` and nLogic slides.
+- LAG:
+    - `aggregated-ether-options minimum-links 1`
+    - `aggregated-ether-options lacp active`
+    - `aggregated-ether-options lacp periodic fast`
+- Loopback address for consistent address if multiple routed interfaces.
+
 1. Connect to the switch using serial:
     - RS-232 w/ RJ45, baud 9600, 8 data bits, no parity, 1 stop bits, no flow control.
 1. Login:
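Review bot: this block is an unresolved **TODO** dropped between the `## Initial Setup` heading and its numbered procedure, so it renders as part of the setup instructions. The `authentication-order [ radius ]` line ends in an open question ("RADIUS timeouts still allow local passwords?"), and since the next line says local users are not required once RADIUS/TACACS is set up, whether the device stays reachable when the AAA server is down is an access-control question to settle from the vendor documentation before merging, not to leave as a note. The `system arp aging-timer 5` line is four nested parentheticals; rewrite it as one sentence: the default is 20 minutes on routers running ARP, switches age MAC entries after 5 minutes, the mismatch can cause flooding, so 5 minutes matches the MAC timeout. Typo: "is setup" should be "is set up".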
@@ -66,10 +92,11 @@ breadcrumbs:
     - `set system name-server <addr>` (once for each address)
 1. Set time:
     1. (Optional) Set time locally: `set date <YYYYMMDDhhmm.ss>`
-    1. Set server to use while booting: `set system ntp boot-server <address>`
-    1. Set server to use periodically: `set system ntp server <address>`
+    1. Set server to use while booting (forces initial time): `set system ntp boot-server <address>`
+    1. Set server to use periodically (for tiny, incremental changes): `set system ntp server <address>`
     1. Set time zone: `set system time-zone Europe/Oslo` (example)
     1. Note: After committing, use `show ntp associations` to verify NTP.
+    1. Note: After committing, use `set date ntp` to force it to update. This may be required if the delta is too large and the NTP client refuses to update.
 1. Delete default interfaces configs:
     - `wildcard range delete interface ge-0/0/[0-47]` (example, repeat for all FPCs/PICs)
 1. Disable unused interfaces:
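Review bot: the two consecutive "Note: After committing" items read better as a single note: verify with `show ntp associations`, and if the client refuses to step a large offset, force it with `set date ntp`. The added parentheticals on the boot-server and server lines ("forces initial time", "for tiny, incremental changes") are the useful part of this hunk.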
@@ -89,7 +116,7 @@ breadcrumbs:
     - Configure it as a normal interface, which will be applied to all members.
 1. Setup LACP:
     1. Note: Make sure you allocate enough LACP interfaces and that the interface numbers are below 512 (empirically discovered on EX3300).
-    1. Set number of available LACP interfaces: `set chassis aggregated-devices ethernet device-count <0-64>`
+    1. Set number of available LACP interfaces: `set chassis aggregated-devices ethernet device-count <0-64>` (just set it to some standard large size)
     1. Add individual Ethernet interfaces (not using interface range):
         1. Delete logical units (or the whole interfaces): `wildcard range delete interfaces ge-0/0/[0-1] unit 0` (example)
         1. Set as members: `wildcard range set ge-0/0/[0-1] ether-options 802.3ad ae<n>` (for LACP interface `ae<n>`)
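Review bot: "(just set it to some standard large size)" on the device-count line is vague; the synopsis already shows the range `<0-64>`, so either state the value actually used or drop the parenthetical, and tie the advice to the preceding note about allocating enough LACP interfaces (and the interface-number limit observed on EX3300).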