All posts by egoepfert

Showing QoS counters

When you’re classifying and prioritizing traffic it’s always nice to make sure that you’re getting hits on the right things.  In the Cisco world we’d use “show service-policy [POLICYNAME] interface [WHATEVER]”

Juniper must have a similar command, but you should fish around for a while to find that it’s “show interface queue [IF-NAME]”



Permit traffic in the same zone

Access lists.  ACLs.  The things you use to identify interesting traffic.  Cisco fell a bit behind on the object oriented build that some other manufactures had been using for a long time.  Thankfully they’ve seen the need and built it into their newer OS versions.   For big complex policies and for groups of addresses that you use all the time this is great.  You build an object and then you can reference that object in your ACL, and then your ACL in your policy.  Want to do that in Junos?  Awesome, no problem.  It’s pretty similar.

Want to do a short version?  Just a simple “permit any any” Nope.  You have to do it the long way.  Let’s say I’ve got a zone called BLAH, and I want everything in that zone to be able to talk to everything else in that zone.  Now here you might say “They’re in the same zone, shouldn’t they be able to talk to each other?”  And I would agree with you, but even traffic in the same zone has to be defined and permitted. Here’s your security policy to do that:

set security policies from-zone BLAH to-zone BLAH policy manage match source-address any

set security policies from-zone BLAH to-zone BLAH policy manage match destination-address any

set security policies from-zone BLAH to-zone BLAH policy manage match application any

set security policies from-zone BLAH to-zone BLAH policy manage then permit

set security policies from-zone BLAH to-zone BLAH policy manage then log session-init


Different line to match source, destination, port, and permit.  Ugh.

Juniper and loopbacks

root# commit
[edit interfaces lo0]
‘unit 2’
if_instance: Multiple loopback interfaces not permitted in master routing instance
error: configuration check-out failed


This is one of those things that I’ll never understand.  I’m sure there is a programmer at Juniper who thinks that this is a perfectly normal thing and wonders why anyone would ever want to make multiple loopback interfaces in the same routing instance.

Frankly, in the real world I probably wouldn’t.  But then there’s the lab environment where we go to play with things and setting up a loopback interface is way easier in a lab than a physical interface.  Especially if you virtualize your labs (like I tend to).

What’s the way around this?  Assign a second IP to the same loopback I guess.  I can think of things I’d want to test like ip sla interface status where I’d want to shut down a select loopback interface to verify that my scripts work properly.  So this ins’t the best solution, but it’s the only on I can think of.


So, Juniper.  Do us engineers a favor and fix this “feature.”

Copying your config into Junos

So you’ve written a config in notepad like a lot of us do.  You’ve gone into another WAN site router, copied the “show configuration | display set” output and made your modifications for that new WAN site.  Now you need to get it on the router.

If you try to just paste in the config the way you might with a different manufacturer you’ll notice that commands get backed up.  It’s slow.  Some commands get truncated.  It’s a mess.  How could they be so short sited?

They weren’t.

Use “load set terminal” in edit mode and you can paste as much as you like.  Finish with ctrl+d and then commit check

Juniper’s page with more info


Looking at Junos configs

You want to do a “show run” right?  See what’s going on in this thing?  Great, use the “show configuration” command.

show config




Some people may look at this and say “Hey, I like that format.”  That’s cool.  I get it.  It’s tabbed nicely and formatted in a hierarchical structure.  My problem with it is that it takes up way too much room on my screen and it doesn’t reflect the actual commands I have used or will use.

Use a pipe display set to get a different view of the same info. “show config | display set”

show config dis set


There, isn’t that better.  Now I know the commands that have been entered and if I need to change an IP on an interface I can just copy that line, edit the IP and paste it back in.