
Clean up configuration against actual interfaces - how to

‎03-14-2019 02:21 AM

Hi all,

 

It seems to me that I am able to configure non-existent interfaces into the actual configuration despite having no relevant physical ports.

e.g. (I don't have an xe-1/0/1 interface at all)

show configuration interfaces xe-1/0/1
unit 0 {
    family ethernet-switching {
        storm-control default;
    }
}

I find this to be very confusing.... when looking at the configuration VS the actual setup.

 

q1) How can I do a clean up of the configuration such that only what is "physically and actually in use" will be shown?

 

Regards,

Alan


Re: Clean up configuration against actual interfaces - how to

‎03-14-2019 02:43 AM

Hi alankoh,

 

Simply "delete" from the config mode (#) will remove all hierarchies, then you may key in the necessary configuration.


Which Junos device are you trying to configure? Most support "load factory-default" CLI too but I think that will come with some default configuration for the ports like you've shown.

 

Hope this helps.

 

Regards,
-r.

--------------------------------------------------

If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated :)


Re: Clean up configuration against actual interfaces - how to

‎03-14-2019 07:14 PM

That is correct. The configuration file does not show existing interfaces automatically, nor does the device validate that an interface you are configuring exists, except, for example, if you try to configure xe-10/0/0 and there is no slot 10 on your device.

Also, physical interfaces come up automatically when there is connectivity with another device, without any configuration required. I know it can be confusing when you have, for example, worked with other vendor devices where the default configuration has all the interfaces listed, so I can see why you might want to make sure that your configuration only has interfaces that actually exist. There is no command that will allow you to do that quickly; you would need to delete those interfaces from the configuration with the delete command.

However, you could write a commit script that checks the status of the interfaces, and validates the existence of any interface you are including in your configuration. The script could return a message, could prevent the commit from going through, or could even remove the interface from the configuration. You could also make the script an op script, so that you can run it manually whenever you want. The commit script would be triggered any time a commit is issued, so it would also prevent anyone from adding non-existing interfaces to the configuration.

Yasmin Lara
Sunset Learning Institute (SLI)
Juniper Ambassador #QuadE - JNCIE-SP, JNCIE-ENT, JNCIE-DC, JNCIE-SEC
JNCIS-CLOUD, JNCDS-DC, JNCIA-DevOps

Re: Clean up configuration against actual interfaces - how to

‎03-14-2019 07:36 PM

Also, that configuration that you are seeing for interface xe-1/0/1 is part of the factory default configuration on an EX switch. 

Yasmin Lara
Sunset Learning Institute (SLI)
Juniper Ambassador #QuadE - JNCIE-SP, JNCIE-ENT, JNCIE-DC, JNCIE-SEC
JNCIS-CLOUD, JNCDS-DC, JNCIA-DevOps

Re: Clean up configuration against actual interfaces - how to

[ Edited ]
‎03-19-2019 08:42 AM

Hi Yasmin,

Thank you for your reply and sorry for the late response.

The configuration file does not show existing interfaces automatically


I am using a qfx5100-48s-6q which accepts SFP transceivers. Do you mean if I insert an SFP transceiver into the slot, the configuration will not show it automatically?

 


There is no command that will allow you to do that quickly; you would need to delete those interfaces from the configuration with the delete command.

Does that mean I will have to go to operation mode, do a "show interface terse" to see the actual interfaces, then match it against the configuration?

 

Regards,

Alan

 


Re: Clean up configuration against actual interfaces - how to

[ Edited ]
‎03-19-2019 08:47 AM

Hi Mriyaz,

 

Thank you for your reply.

 


Simply "delete" from the config mode (#) will remove all hierarchies, then you may key in the necessary configuration.

But this also means all my actual usable configurations will be gone as well?

 

Regards,

Alan


Re: Clean up configuration against actual interfaces - how to

‎03-19-2019 09:04 AM

@alankoh wrote:

Hi Mriyaz,

 

Thank you for your reply.

 


Simply "delete" from the config mode (#) will remove all hierarchies, then you may key in the necessary configuration.

But this also means all my actual usable configurations will be gone as well?

[Ans] Yes, that is correct. You can selectively delete part of the configuration to an extent using the right hierarchy, i.e. if you did a delete from the "edit interfaces" hierarchy, that clears all configuration of all interfaces. Then you'll need to key in the desired interfaces' configuration prior to committing the changes.

In a sense, this is most useful when configuring the device afresh.

 

Using delete on interface hierarchy:

{master:0}[edit]
labroot@simicacd01h# edit interfaces

{master:0}[edit interfaces]
labroot@simicacd01h# delete
Delete everything under this level? [yes,no] (no) yes


{master:0}[edit interfaces]
labroot@simicacd01h# show | compare
[edit interfaces]
- et-0/0/0 {
- unit 0 {
- family ethernet-switching {
- storm-control default;
- }
- }
- }
- sxe-0/0/0 {
- unit 0 {
- family ethernet-switching {
- storm-control default;
- }
- }
- }
- xe-0/0/0:0 {
- flexible-vlan-tagging;
- mtu 9192;
- encapsulation flexible-ethernet-services;
- unit 0 {
- vlan-id 1;
- family inet {
- mtu 1500;
- address 11.0.0.2/24;
- }
- family iso;
- family inet6 {
- mtu 1500;
- address 2001:558:22:8209::2/64;
- }
- }
- unit 100 {
- vlan-id 100;
- family inet {
- address 12.0.0.2/24;
- }
- family inet6 {
- address 2001:559:22:8209::2/64;
- }
- }
- }
- xe-0/0/0:1 {
- disable;
- mtu 9192;
- unit 0 {
- family inet {
- address 22.0.0.2/24;
- }
- family iso;
- family inet6 {
- address 2001:558:22:8208::2/64;
- }
- }
- }
- et-0/0/1 {
- unit 0 {
- family ethernet-switching {
- storm-control default;
- }

 

 



 

Hope this helps.

Regards,
-r.

--------------------------------------------------

If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated :)


Re: Clean up configuration against actual interfaces - how to

‎03-19-2019 10:17 AM

1) Do you mean if I insert an SFP transceiver into the slot, the configuration will not show it automatically?

A. That is correct. If you add an optic to an interface, you will see it in the "show chassis hardware" command. If you connect a device to that port, the port will automatically come up, NO configuration required, and it will NOT be added automatically to the configuration. You will see that the interface now exists and is up with "show interfaces terse".

In Junos, you only need to configure an interface if you want to change a default attribute such as the MTU, or if you need to configure a logical interface (for example, et-0/0/0.0, which is the same as et-0/0/0 unit 0). The logical interface is where you enable family ethernet-switching (L2) or family inet (IPv4). The reason why you are seeing all those interfaces in your configuration is because the factory-default configuration on the switch sets all possible interfaces with family ethernet-switching and storm-control.

 

2) Does that mean I will have to go to operation mode, do a "show interface terse" to see the actual interfaces, then match it against the configuration ?

A. Yes, the show interface terse is a good command to check which interfaces are actually there.  You might want to do show interfaces terse xe* or show interfaces terse et*. 

 

And yes, you would need to then remove the interfaces that do not exist from the configuration file to make it match. You could write an op script to do that so that you don't have to do it manually, or simply delete everything under interfaces and then add the interfaces that you do have. For the second option, you could go into "edit interfaces" and enter: show | display set relative | except "ethernet|storm" and copy that, so that you can paste it back after you delete everything under edit interfaces.

You could also write an op script that, for example, adds "set interface xe-x/y/z enable" to the configuration when xe-x/y/z is physically added to the device. (NOT needed, but will allow you to see the existing interfaces in the config file).

 

HTH,

 

Yasmin Lara
Sunset Learning Institute (SLI)
Juniper Ambassador #QuadE - JNCIE-SP, JNCIE-ENT, JNCIE-DC, JNCIE-SEC
JNCIS-CLOUD, JNCDS-DC, JNCIA-DevOps
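
An added example, not part of any post in this thread and not Juniper's code: an off-box Python sketch of the audit that the op/commit-script suggestion and the "show interfaces terse" matching procedure above describe. It compares saved output of "show interfaces terse" with "show configuration interfaces | display set", proposes delete commands for configured ports that are absent, and lists present ports that still carry only the factory-default stanza. The function names, the ge-/xe-/et- restriction and the sample output are assumptions of this example.

```python
import re

# Assumption: only ge-/xe-/et- ports are audited; lo0, irb, ae* are never touched.
PORT_RE = re.compile(r"^(ge|xe|et)-\d+/\d+/\d+(:\d+)?$")
FACTORY = "unit 0 family ethernet-switching storm-control default"

def present_ports(terse_output):
    """Physical ports listed by 'show interfaces terse'."""
    ports = set()
    for line in terse_output.splitlines():
        if not line or line[0].isspace():
            continue  # blank line or continuation line carrying an extra address
        name = line.split()[0].split(".")[0]  # xe-0/0/0.0 -> xe-0/0/0
        if PORT_RE.match(name):
            ports.add(name)
    return ports

def configured_ports(display_set_output):
    """Map port -> statements from 'show configuration interfaces | display set'."""
    ports = {}
    for line in display_set_output.splitlines():
        tok = line.split()
        if len(tok) >= 3 and tok[:2] == ["set", "interfaces"] and PORT_RE.match(tok[2]):
            ports.setdefault(tok[2], []).append(" ".join(tok[3:]))
    return ports

def audit(terse_output, display_set_output):
    """Return (delete commands for absent ports, present ports still on factory default)."""
    have = present_ports(terse_output)
    conf = configured_ports(display_set_output)
    deletes = [f"delete interfaces {p}" for p in conf if p not in have]
    factory = [p for p, stmts in conf.items() if p in have and stmts == [FACTORY]]
    return deletes, factory

# Constructed sample CLI output (not captured from a real device).
TERSE = """\
Interface               Admin Link Proto    Local                 Remote
xe-0/0/0                up    up
xe-0/0/0.0              up    up   inet     192.0.2.1/24
xe-0/0/1                up    down
"""
CONFIG = """\
set interfaces xe-0/0/0 unit 0 family inet address 192.0.2.1/24
set interfaces xe-0/0/1 unit 0 family ethernet-switching storm-control default
set interfaces xe-1/0/1 unit 0 family ethernet-switching storm-control default
set interfaces lo0 unit 0 family inet address 198.51.100.1/32
"""

if __name__ == "__main__":
    print(audit(TERSE, CONFIG))
```

The proposed delete lines are meant to be reviewed and then pasted in configuration mode, with "show | compare" checked before the commit.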

Re: Clean up configuration against actual interfaces - how to

[ Edited ]
‎03-20-2019 10:40 AM

Hi Yasmin ,

 

Thanks for the confirmation and appreciate your help.
Can I confirm and check 1 last thing ->

 

a) An interface will automatically be "up"  once connected - even without a corresponding entry in the configuration - right ?

 

b) If answer to a) is yes ->  is there any security concern or impact  ? What can an interface without a logical unit in Juniper do ? or rather what can an "up interface" without a corresponding entry in the configuration do ?

 

Does it accept/transmit any form of traffic ?  

or is there some sort of "default" configuration for an interface if it is not explicitly configured/specified in the configuration

 

c) Will the best practise = to make sure entries for all interfaces are configured in the configuration and set to disable ?

 

Regards,

Alan

Solution
Accepted by topic author alankoh
‎03-25-2019 10:08 AM

Re: Clean up configuration against actual interfaces - how to

‎03-20-2019 06:43 PM

a) An interface will automatically be "up"  once connected - even without a corresponding entry in the configuration - right ?

 

Yes, that is correct.

 

b) If answer to a) is yes ->  is there any security concern or impact  ? What can an interface without a logical unit in Juniper do ? or rather what can an "up interface" without a corresponding entry in the configuration do ? Does it accept/transmit any form of traffic ?  

or is there some sort of "default" configuration for an interface if it is not explicitly configured/specified in the configuration

 

The physical interface will only have physical attributes such as MTU=1500, duplex mode = full, but no traffic forwarding enabled.

 

Interfaces have NO logical properties by default. That means no address or family (inet, inet6, ethernet-switching, and so on) enabling packet processing. All of these are configured under logical interfaces/units.  

 

There is NO default configuration UNLESS you load the factory-defaults (like you saw in your switch), which adds family ethernet-switching, for example.

 

There are NO logical properties unless explicitly configured/specified in the configuration (either by you or with the factory default configuration).

 

c) Will the best practise = to make sure entries for all interfaces are configured in the configuration and set to disable ?

 

Some people do that for peace of mind, but I do not think that is necessary. Removing the factory default configuration (family ethernet-switching) would be enough.

 

HTH,

Yasmin Lara
Sunset Learning Institute (SLI)
Juniper Ambassador #QuadE - JNCIE-SP, JNCIE-ENT, JNCIE-DC, JNCIE-SEC
JNCIS-CLOUD, JNCDS-DC, JNCIA-DevOps

Re: Clean up configuration against actual interfaces - how to

‎03-21-2019 03:15 AM

I like to preload the interface configurations with a disable and description on all the unused interfaces.

 

We have monitoring that alerts for down interfaces, so when optics are inserted and the interface is not configured as disable, it will come up and be link down while it waits for the physical connection, generating an alarm.

 

The list of existing and consistent descriptions lets me know at a glance how many interfaces are open and available on the device for use with a show command

show interfaces descriptions | match LABEL

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Clean up configuration against actual interfaces - how to

‎03-25-2019 10:11 AM

Thank you all for your kind replies !