JUNIPER LESSONS - How to Rollback a Config
One of my longtime gripes about IOS is that when you type a new statement to the CLI and hit return, the statement immediately becomes active on the router. For someone as mistake-prone as me, this is a big risk. And given that the majority of network problems are due to human error rather than hardware and software failures, it is a risk for everyone. Having those changes take effect one statement at a time can introduce all sorts of transient conditions.
This leads, in contrast, to one of my favorite JUNOS features: When you make a configuration change, the change does not take effect immediately. Instead, it goes into a candidate configuration file.
You can make as many configuration additions, deletions, and changes as you like, and none of them become active on the router until you enter a commit command. That command causes the candidate configuration to become the active configuration. The candidate configuration and explicit commit help tremendously in reducing the number of simple human errors that plague day-to-day network operations. You can make all your changes, check them as many times as you like during the configuration process, and only commit them when you are ready and are sure the changed configuration looks right.
You can do that in JUNOS because when you do a commit and the candidate configuration becomes the active configuration, the previous configuration is saved to a hard disk on the router. So if you want to get back to a previous configuration, you can enter the rollback 1 command and the most recently saved configuration becomes the candidate configuration. You can then make that previous configuration active again by entering commit. JUNOS saves the last 49 configuration files.
When you commit a new configuration, the old active configuration is saved as juniper. What was juniper. So if you want to go back to some config older than the most recently saved one, you can do that.
For example, if you enter rollback 3, juniper.
Suppose that despite all your efforts to ensure your new configuration is correct before you commit it, something is overlooked and when you commit, you are locked out of the router. Rather than just a simple commit, you can make the candidate configuration active with a commit confirmed command. With this command, the router waits 10 minutes for a second commit.
If it does not receive that confirming command within those 10 minutes, the router automatically does a rollback and commit so that the previous configuration becomes active again. The commit confirmed command can be such a lifesaver that I recommend forming the habit of using it rather than a simple commit in all cases.
You can change the default time that JUNOS waits for a confirming commit, by the way, to between 1 and 65, minutes. If, for instance, you want the router to wait only 3 minutes for a confirmation, you can enter commit confirmed 3.
The candidate configuration is also a great feature for making maintenance windows go faster. Say you need to make changes to 10 routers at a 2AM scheduled maintenance. This causes a copy of the currently active configuration juniper.
Note that if you are at the top of the configuration hierarchy, as indicated by , the entire configuration is saved. If you are at some lower level when you issue the save command, only the part of the configuration at that level is saved. For example, if you are at [edit protocols bgp], only the BGP configuration is saved.
When you are ready to make the configuration changes permanent, you load the saved configuration back to the candidate configuration file with, logically enough, the load command. This command has several options, depending on how you want to use the file you are loading.
Junos is the best when it comes to committing or saving your configuration - after having worked on network equipment from different vendors, I can say this with confidence!
By the end of this article, I'm sure you'll agree with me. The commit check command is a handy tool to verify that your configuration changes will be accepted by the device. From the configuration mode, just before issuing the commit command, issue a commit check. Junos will verify the configuration and point out any problems or will let you know that the configuration can be committed.
The above image shows an example of a failed commit check. It also explains the problem - the referenced object, in this case a screen called untrust-screen, isn't defined under the right hierarchy.
The commit at command can be used to schedule your commits. This option is handy when you're only allowed to commit your configuration during a maintenance window. In the above image, I've chosen to commit the configuration at When you issue commit at, Junos automatically performs a commit check in the background to verify that the configuration will be committed without issues.
The output "configuration check succeeds" confirms that a check was performed. If the configuration had issues, the commit would not be scheduled.
Important: Note that the device schedules the commit according to your device timezone, in my case, UTC.
One of the many reasons why I love Juniper - commit confirmed. A very handy feature that allows you to commit your configuration, verify that everything is working fine and then permanently apply your changes. If things aren't looking good, just roll back; or wait for your timer to expire and the configuration will automatically roll back. At times, I'm configuring my device remotely.
Some changes have the potential to impact your connectivity, like interface IP address changes. This is the perfect use case for commit confirmed. By default, when you issue the commit confirmed command, Junos commits your configuration changes and starts a timer for 10 minutes. The configuration changes are automatically rolled back if you do not follow it up with a commit statement. The commit confirmed command also allows you to set a custom timer, like this:
For instance, here I've issued commit confirmed 3 - this gives me 3 minutes to issue the final commit command.
Not sure if you have a commit scheduled? The operational mode show system commit command can be used to view pending Junos commits. As you can see highlighted above, there's a pending commit at UTC. Notice the command also shows the Junos commit history, the commit timestamps, the user who performed the commit, and where it was performed from, the CLI or J-Web.
This command is not regularly used, but if you need to monitor what's going on in the background when you perform a commit, try the commit display detail command.
By Walter J. Goralski, Cathy Gadecki, Michael Bushong.
Junos provides a path for the timid and cautious user. You can try out a candidate configuration. This approach is an easy way to get out of a jam. To try out a candidate configuration, instead of using the commit command, use commit confirmed. The default wait is ten minutes, and you have to explicitly accept the commitment, either by typing the commit command again or by typing the commit check command. Then you see the commit complete message.
If ten minutes is too long to wait in your functional network, use a shorter delay, such as one minute, to tell whether the configuration is working. When the confirm time expires, Junos automatically returns to the previous configuration, which you know is a working configuration. Even the most experienced Junos engineers and administrators use the commit confirmed command as an insurance policy on their own work.
Doing so can sometimes save hours lost sending someone to a remote site so that they can physically access a device which has become inadvertently isolated from the rest of the network through a configuration misstep.
He has worked in the networking field for more than 40 years. Cathy Gadecki is coauthor of the first edition of Junos For Dummies.
Today I will discuss the useful commit commands on Juniper routers, which are used for different purposes.
When you have definitely made all your changes, done all your checks, and are ready to make your candidate the active configuration running the device, enter the commit command. To activate any configuration you must type commit.
Otherwise the configuration will not take effect. The types of commit operation are described below. Use commit to activate configuration changes.
As part of the commit process, Junos checks basic syntax and semantics. For example, the software makes sure that a policy has been defined before it is referenced.
If any syntax or semantic problems are found, the commit command returns an error. You must fix all mistakes before the candidate or any part of the candidate can become active. When the activation is done, you see the commit complete message. If multiple REs are installed, use commit synchronize.
Use commit check to confirm syntax.
Use commit confirmed to temporarily activate.
Use commit at to schedule a future commit.
Use commit comment to add comments.
I am Shahed. I currently work as a Sr. Network Engineer.
The Function of the Three Planes of Junos Network OS
By Walter J. Goralski, Cathy Gadecki, Michael Bushong.
The architecture of the Junos operating system cleanly divides the functions of control, services, and forwarding into different planes. Each of the planes of Junos OS provides a critical set of functionality in the operation of the network. All the functions of the control plane run on the Routing Engine (RE), whether you have a router, switch, or security platform running Junos.
The high-level design of the control plane consists of a set of modules, with clean interfaces between them, and an underlying kernel that controls the modules and manages all the needed communication back and forth among all the components. Each of the different modules provides a different control process, such as control for the chassis components, Ethernet switching, routing protocols, interfaces, management, and so on.
This mature, general-purpose system provides many of the essential functions of an operating system, such as the scheduling of resources. To transform it into a network operating system, the Juniper engineers extensively modified and hardened the code for the specialized requirements of networking.
You may be wondering if you have a way in Junos OS to protect the control plane itself from a security attack. Yes, you can configure filters and rate-limit the traffic that reaches your RE.
The Packet Forwarding Engine (PFE) is the central processing element of the forwarding plane, systematically moving the packets in and out of the device.
The forwarding table is a synchronized copy of all the information from the RE that the forwarding plane needs to handle each packet, including outgoing interfaces, addresses, and so on.
Storing a local copy of this information allows the PFE to get its job done without going to the control plane every time that it needs to process a packet.
Another benefit to having a local copy is that the PFE can continue forwarding packets, even when a disruption occurs to the control plane, such as when a routing or other process issue happens.
The services plane provides special handling required by many different types of packets. By separating the processing of services from other functions of the operating system, Junos OS is able to support a wide variety of different service types in different kinds of platforms.
These services might include prioritizing a packet carrying time-sensitive information, such as a voice call, ahead of others on a congested link; guarding which users can get to what sections or applications of the network; translating addresses where one network meets another; or mediating how the network serves video content.
Commits are immediately rolled back.
TL;DR: Junos expects the xml tree for a commit RPC to have commit-configuration as the top level node, not commit, but ncclient continues to use the incorrect top level node name.
We have experienced this issue as well, but only with ansible 2. We ran ansible 2. We downgraded to ansible 2.
Prior to our move to 2. Juniper states that they do indeed expect the top level node to be commit-configuration and not commit which is what ncclient is sending. If I understand the ansible code of 2. My understanding of python is very basic and so might be wrong. Would seem you're correct about how 2. Lines 63 to 69 in b3a It seems another possible fix here is to toss out the usage of ncclient and simply revert to the previous method for loading configs.
I figured out a little bit more what is the issue. This means that there are a few options:. Interesting that you saw any difference.
Did you happen to be on the switch at the moment you tested that? IIRC, I also saw a rollback entry showing what appeared to be the correctly expected timeout value, but the rollback continued to happen immediately. I only noticed when I was on the switch and saw the rollbacks actually happen. I was connected to the SRX at the moment. I retried it again after your comment with a confirm timeout of 5 minutes and the rollback happened after 1 minute and then every time after that after a few seconds.
I am unsure as to why the rollback is slower the first time around, but in all cases it isn't working as it should. I did a test to confirm that in ansible 2.
Also running ansible 2. So sadly the timeout seems to be quite fast, usually within seconds, when top level of the netconf is 'commit'. Juniper won't fix that of course as their documentation states to use 'commit-configuration'. As you rightly mentioned in your above comment in 2. Hence the issue in ncclient commit api for Juniper was exposed from 2.
Command introduced in Junos OS Release
Option synchronize scripts introduced in Junos OS Release
Option no-synchronize introduced in Junos OS Release
The peers-synchronize option is not supported in SRX Series devices.
Beginning in Junos OS As an alternative, use the set fpc fpc-slot power off configuration-mode command at the [edit chassis] hierarchy level to ensure that the FPCs remain offline. A time value in the form hh : mm [ : ss ] hours, minutes, and optionally seconds — Commit the configuration at the specified time, which must be in the future by at least one minute but before PM on the day the commit at configuration command is issued. Use hour time for the hh value; for example, is AM, and is PM.
The time is interpreted with respect to the clock and time zone settings on the device. Use hour time for the hh value. The time is interpreted with respect to the clock and time zone settings on the router. For example, commit at "". For date and time, include both values in the same set of quotation marks. For example, commit at " ". A commit check is performed when you issue the commit at configuration mode command.
If the result of the check is successful, then the current user is logged out of configuration mode, and the configuration data is left in a read-only state. No other commit can be performed until the scheduled commit is completed. If Junos OS fails before the configuration changes become active, all configuration changes are lost.
You cannot enter the commit at configuration mode command when there is a pending reboot. You cannot enter the request system reboot command once you schedule a commit operation for a specific time in the future. You cannot commit a configuration when a scheduled commit is pending. For information about how to use the clear system commit command to cancel a scheduled commit configuration, see clear system commit.
To confirm a commit, enter either a commit or commit check command. If the commit is not confirmed within the time limit, the configuration rolls back automatically to the precommit configuration and a broadcast message is sent to all logged-in users. To show when a rollback is scheduled, enter the show system commit command. The timeout for the commit confirmed command is calculated based on the system time, when the commit confirmed command is issued.
In case the system time is modified while a commit confirmed is pending, the remaining time until commit execution might get shortened in case the old system time is behind or prolonged in case the old system time is ahead from the intended interval. In Junos OS Release
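Added example (not from the issue thread, ansible or ncclient code): a check for the confirmed-commit mismatch described in the thread above, run against a NETCONF RPC before it is sent. It assumes the units documented for each operation: RFC 6241's <commit> takes confirm-timeout in seconds (default 600), while the Junos commit-configuration RPC takes minutes (default 10), like the CLI's commit confirmed. The function names and the sample RPC are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NETCONF_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"

# Constructed sample: the RFC 6241 operation carrying a value meant as 5 minutes.
SAMPLE_RFC_COMMIT = (
    f'<rpc xmlns="{NETCONF_NS}" message-id="101">'
    "<commit><confirmed/><confirm-timeout>5</confirm-timeout></commit></rpc>"
)

def build_junos_confirmed_commit(minutes=10):
    """Build the Junos-native RPC; confirm-timeout here is in minutes."""
    rpc = ET.Element("rpc", {"message-id": "101"})
    op = ET.SubElement(rpc, "commit-configuration")
    ET.SubElement(op, "confirmed")
    ET.SubElement(op, "confirm-timeout").text = str(minutes)
    return ET.tostring(rpc, encoding="unicode")

def local_name(tag):
    """Strip an XML namespace: '{ns}commit' -> 'commit'."""
    return tag.rsplit("}", 1)[-1]

def inspect_commit_rpc(xml_text, intended_minutes):
    """Return (operation, rollback_seconds, findings) for an outgoing RPC."""
    rpc = ET.fromstring(xml_text)
    op = next((c for c in rpc
               if local_name(c.tag) in ("commit", "commit-configuration")), None)
    if op is None:
        return None, None, ["no commit operation in this RPC"]
    name = local_name(op.tag)
    fields = {local_name(c.tag): (c.text or "").strip() for c in op}
    if "confirmed" not in fields:
        return name, None, ["no <confirmed/>: nothing will roll back automatically"]
    raw = fields.get("confirm-timeout")
    if name == "commit":      # RFC 6241: seconds, default 600
        seconds = int(raw) if raw else 600
    else:                     # Junos commit-configuration: minutes, default 10
        seconds = 60 * (int(raw) if raw else 10)
    findings = []
    if seconds != intended_minutes * 60:
        findings.append(f"<{name}> rolls back after {seconds}s, "
                        f"not the intended {intended_minutes} min")
    return name, seconds, findings

if __name__ == "__main__":
    for rpc_xml in (SAMPLE_RFC_COMMIT, build_junos_confirmed_commit(5)):
        print(inspect_commit_rpc(rpc_xml, intended_minutes=5))
```

A rollback window of a few seconds gives no time to verify reachability and confirm, so the safety net that commit confirmed is meant to provide is lost; checking the operation name and unit before sending catches that.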