29. Active vs Candidate Configuration
Let’s talk about an interesting concept called active configuration and candidate configuration.
So, the configuration that is currently active on the Junos device is what is called as the active configuration. Some vendors also call this as running configuration. This is also the configuration that is loaded on a device when it is rebooted. So, the configuration that is currently active on the device and the configuration that is loaded when a device is rebooted is what we call as active configuration.
Now, let’s talk about candidate configuration when you enter the configuration mode. A copy of the active configuration is created. This copy is called as the candidate configuration. This means when you’re making changes on a Junos device, you are not actually editing the active configuration, you’re editing a copy of the active configuration, which is called as the candidate configuration. When the candidate configuration is committed, it becomes the new active configuration. So here’s how it works.
You have your Junos device. It is running a configuration and that is your active configuration. When you enter the configuration mode, you are trying to modify the configuration. So, Junos creates a copy of the active configuration, which is called as the candidate configuration. When you save that configuration, that becomes the new active configuration.
Let’s take a look at this on the Junos terminal. All right, so I’m on a Junos terminal, and right now I’m in the operational mode, which can be seen with the greater than symbol here. And when I use the command show config, the configuration that I’m seeing here is the configuration that is running on this device. And that is called as the active configuration. When I entered that configuration mode with the edit command or with the configure command, Junos will create a copy of that configuration, which is now called as the candidate configuration. So, if I make any changes right now, I am not actually affecting the active configuration. I am affecting only the candidate configuration. So, let’s do this. Let’s try to change the hostname of this device. So, right now the hostname is SRX and I’m going to use the command set system hostname and I’m going to change this to SRX, maybe 2, or let’s do SRX2020, for example. Okay. I’m going to press enter. The configuration that I’ve modified now is the candidate configuration. When I issue the commit command, this configuration will be saved as the active configuration.
Now, I have a question for you. We know that we can use the show command in the configuration mode to view the configuration. If I view the configuration using the show command here, am I going to be seeing the active configuration or the candidate configuration? Take a minute. You might want to pause the video, but think about this. If I try the show command here, what configuration am I going to view, the active or the candidate config?
All right, so here’s the answer. If I try the show command here, I am going to view the candidate configuration. Remember, I’ve changed the host name here. So, if I do a show here, you see that the host name shows as SRX2020. So, I am looking at the candidate configuration. But if I went into the operational mode and I did show config, I would be viewing the active configuration.
This is very important for you to remember from the examination perspective. When you do show config from the operational mode, you are looking at the active configuration. When you do show from the configuration mode, you’re looking at the candidate configuration.
30. Configure Command
Let’s talk about the configure command that is used to make configuration changes on a Junos device.
The configure command has three variations. The first one is just configure. And this is how we normally enter the configuration mode. And this is also the same as the edit command that we use. The second variation is configure exclusive. And the third one is configure private. Let’s understand the differences.
When you enter the configuration mode with the configure command, it’s called as the shared configuration mode. Like the name suggests, the configuration is shared with multiple users. So, multiple users can be in the shared configuration mode at the same time. If other users are editing the configuration, when you enter the configuration mode, you will see a warning message showing the user name of the person who is already making changes and the level or the hierarchy at which the changes are being made in the shared configuration mode.
When you commit the changes, changes made by all users will be committed. So, when you use the configure command to enter the configuration mode, it’s called as shared configuration mode. No one is allowed to lock the configuration and multiple users can make changes.
What if multiple users are trying to change the same element? Let’s say multiple users are trying to change the IP address of a specific interface. When that happens, the most recent changes will take precedence when the commit operation is performed. Let’s take a look at this from the terminal.
All right, I’m here at the Junos terminal, and I’m going to start with the configure command. Let’s start with question mark. So here we can see the options that we spoke about. Configure exclusive, configure private, or we can simply press enter over here. You will see the same options if you did edit. So, edit question mark. We can see added exclusive and added private.
So, I’m going to do configure and enter the configuration mode. So, now I’m in the shared configuration mode. Now I’m going to switch to another terminal window where I’m logged in as another user and I’m going to try configure from here. And when I tried to enter the shared configuration mode, you’ll notice that I see a warning message here that says users currently editing the configuration. They user name is root. And this is the process ID associated with that user. And this is the time since when the user is in the configuration mode and the level or the hierarchy at which this user is making changes.
So, multiple users will be allowed to make changes to the configuration. I’ve got to exit out from here.
Okay. Let me show you another handy command. If you want to see the users who are logged in to the Junos device, you can do show system users. Notice, I’m doing this from the operational mode. Show system users, press enter and I can see both of the users who are currently on the Junos device.
It is also possible to forcibly log out another user. So let’s say I wanted to log out this user. I would use the request command. Make a note that this is done from the operational mode. So, the command is request system. And let’s do a question mark here. We’ll use this keyword here called logout, which is used to forcibly end a user’s CLI login session. So, request system logout question mark. We can provide the process ID associated with the user or the user name. It’s also user question mark. And now I need to provide the user name. Press enter. And it says logout is done. So, if I go back to the other window, I can see that the connection has been closed.
The other configuration mode is called as the exclusive configuration mode. And this is accessed using the configure exclusive command. Like the name suggests, only one user is allowed to enter the exclusive configuration mode. And only the user who has the exclusive configuration rights is allowed to commit the changes. And like we discussed earlier, if you’d like to log out a specific user, you can use the request system logout command. So let’s try this from the terminal.
Back over here. I’m going to enter the configuration mode with the configure exclusive command. All right, so I’m in. And let’s try to do the same thing from the other window. A log in first. All right. And I’m going to try configure exclusive. And you notice straight away we get an error message. It says the configuration database has been locked by this user. He’s in the exclusive configuration mode. And this is the level at which he’s making changes. Notice, we have not been allowed to enter the exclusive configuration mode because that is already done by another user.
So, if you are in an environment where multiple users can log into the device and perform changes, you should use to configure exclusive command. A typical example would be, let’s say you are in a security operation center and you are a team of people who manage network devices, and you know that, along with you, there could be other users who may attempt to modify the configuration. That is a good use case for this. You want to make sure that you take exclusive rights over the configuration so that another user is not able to make changes while you’re performing the configuration of the device.
The third configuration mode is called as the private configuration mode. And this is accessed using the configure private command. With the private configuration mode, multiple users can enter the private configuration and each user has a private candidate configuration to edit. When committed, only changes made by the private user will be saved.
This is different from the exclusive configuration mode. With the exclusive configuration mode, only one user is allowed to enter the configuration mode. But with the private configuration mode, multiple users have their own private copy of the configuration that they can edit. And when the changes are committed, only changes made by the private user will be saved.
But what happens if two users try to change the same element? So, if multiple users make conflicting configurations, the first commit operation will take precedence. Let’s go back to the terminal.
All right, back over here. I’ll first log out of the exclusive configuration mode and let’s try to enter the private configuration board. So, we are now in the private configuration mode. And when I try the same thing with the other user account – configure private – notice, I am allowed to enter the configuration mode. But it gives me a warning saying there’s another user as well who’s making changes in the private configuration mode. So, both of the users can make changes to the configuration simultaneously. Both of them are allowed to commit. But when you commit, only your changes will be committed because you are editing a private copy of the configuration.
From an examination perspective, these three commands are very-very important. You should know the differences between shared configuration, exclusive configuration, and private configuration.
31. More Navigation Commands
In one of the earlier videos, we looked at some of the satellite navigation techniques and we also looked at some of the navigation shortcuts in this video. We’re going to look at some more navigation commands. So we’re specifically going to talk about four commands. The first one is edit. The second one is up. Third, we have top. And the last command is exit configuration mode. Let’s take a look at these commands on the Junos terminal. All right, I’m here at the Junos command line interface. I’m first going to enter the configuration mode with the configured command. And let’s talk about the first navigation command, which is the edit command. The edit command is used to navigate into a specific configuration hierarchy. So, for example, I could do edit space, question mark. And these are all the different configuration hierarchies that I can navigate to. So let’s try maybe edit security. Press enter.
And now I’m going to be configuring within the added security configuration hierarchy. We can take it further to so we could do edit space question mark and it will only show me possible completions under this specific configuration hierarchy. So let’s do edit policies maybe. All right. So I added policies and now you will notice from added security, we have now navigated to added security policies and in a similar way, we can keep going on into specific configuration hierarchies. So added question mark. Let’s do from Zone. And I’m going to select one of the zones here, trust. And I’m also going to do two zone on trust. Press enter. So now you can see that I’m in a very specific configuration hierarchy. I’m under added security policies from zone trust to zone untrust. This is a common technique when configuring Junos devices, instead of configuring everything from the top, which is the edit hierarchy, administrators find it comfortable to navigate to a specific configuration hierarchy and then configure the device from there.
Now, let’s say I’ve navigated into a configuration hierarchy and I want to move up. Maybe I want to come back to the policies ARCHEY or I want to come back to the security hierarchy. In that case, we can use the up command. So if we try the up command, it will take us one level up. So you can see that from added security policies, from zone trust to zone untrust. We’ve moved up one level to edit security policies. Don’t worry about the warning that you see here. It just says that I’m missing a mandatory statement because I did not configure a policy there. But that’s not what we’re looking at. We’ve moved from this Archey to this Archey. The up command can also be combined with a number. So let’s take up space, question mark, and you’ll notice we can also combine that with a number and that is essentially saying I want to move up by so many levels. Let’s try this up, space to press, enter, and you can see that we’ve moved up to levels, the first level would have been added security and the second level is edit. So the edit command is used to navigate into a specific configuration hierarchy while the up command is used to move out of the specific configuration hierarchy.
Let’s now talk about the top command. But before we do that, I am going to navigate into a specific configuration hierarchy. Let’s do added security policies. So now I’m under this hierarchy. Let’s say I want to come all the way back to the top. So in that case, I can do the top command. And that would straightaway bring me to the top of the configuration hierarchy. The last command that we’re going to look at is exit configuration mode. This command can be tried from any specific configuration hierarchy. So let’s say I’m under added security policies. I can do exit and then I can do configuration mode. So that will take me back to the operational mode. We can see a message here. The configuration has been changed, but not committed. Exiting the configuration mode. And we are back to the operational mode. So these four commands come in very handy when you’re navigating the command line interface added up top and exit configuration mode.
