The Juniper JunOS operating system powers enterprise routers, switches, and firewalls. This comprehensive JunOS cheat sheet provides a quick reference for 300+ commands covering CLI navigation, interface configuration, routing protocols (OSPF, BGP, IS-IS), firewall filters, NAT, security policies, VPN, and SD-WAN. Essential for network engineers working with Juniper MX, EX, QFX, and SRX platforms.
Quick Command Reference
| Task | Command |
|---|---|
| Enter configuration mode | configure |
| Commit changes | commit |
| Show configuration | show configuration |
| Show interfaces | show interfaces terse |
| Show routing table | show route |
| Show system uptime | show system uptime |
| Rollback configuration | rollback 0 |
| Compare configuration | show \| compare |
| Show commit history | show system commit |
| Monitor logs | monitor start messages |
JunOS CLI Modes
JunOS uses a two-mode CLI structure with hierarchical configuration:
- Operational Mode (user@router>) - View status, run show commands, execute operational commands
- Configuration Mode (user@router#) - Make configuration changes, navigate configuration hierarchy
Unlike Cisco IOS, JunOS uses a hierarchical configuration tree where you navigate into configuration sections (interfaces, protocols, security, etc.) and make changes that are staged but not active until committed.
Mode Transitions
# Operational Mode → Configuration Mode
user@router> configure
Entering configuration mode
[edit]
user@router#
# Alternative: edit (equivalent to configure; changes still require commit)
user@router> edit
Entering configuration mode
[edit]
user@router#
# Configuration Mode → Operational Mode
user@router# exit
Exiting configuration mode
user@router>
# Exit to operational mode (alternative)
user@router# exit configuration-mode
user@router>
# Quick exit from any configuration level to top
[edit interfaces ge-0/0/0 unit 0]
user@router# top
[edit]
user@router#
# Move up one level in configuration hierarchy
[edit interfaces ge-0/0/0 unit 0]
user@router# up
[edit interfaces ge-0/0/0]
user@router#
# Navigate into configuration section
user@router# edit interfaces ge-0/0/0
[edit interfaces ge-0/0/0]
user@router#
# Return to top level
[edit interfaces ge-0/0/0]
user@router# top
[edit]
user@router#
Configuration Hierarchy Navigation
# From top of config, navigate to interface
[edit]
user@router# edit interfaces ge-0/0/0
# Now at interface level
[edit interfaces ge-0/0/0]
user@router#
# Navigate deeper
user@router# edit unit 0
# Now at unit level
[edit interfaces ge-0/0/0 unit 0]
user@router#
# Go back to top
user@router# top
# Or go up one level at a time
[edit interfaces ge-0/0/0 unit 0]
user@router# up
[edit interfaces ge-0/0/0]
user@router#
Command Help
# Show available commands
?
# Show command syntax
command ?
# Complete partial command
Tab or Space
# Show command history
Ctrl+P (previous) or Ctrl+N (next)
Show Commands
System Information
# Show system information
show system uptime
show system information
# Show version
show version
# Show configuration
show configuration
# Show configuration in set format
show configuration | display set
# Show configuration with inherited (group) statements expanded
show configuration | display inheritance
# Show chassis hardware
show chassis hardware
# Show chassis environment
show chassis environment
# Show chassis alarms
show chassis alarms
# Show route engine information
show chassis routing-engine
# Show system processes
show system processes
# Show system memory
show system memory
# Show system storage
show system storage
Interface Information
# Show interfaces terse
show interfaces terse
# Show specific interface
show interfaces ge-0/0/0
# Show interface statistics
show interfaces statistics
# Show interface extensive info
show interfaces ge-0/0/0 extensive
# Show interface descriptions
show interfaces descriptions
# Show VLAN information
show vlans
# Show ethernet switching table
show ethernet-switching table
# Show LLDP neighbors
show lldp neighbors
# Show chassis MAC addresses
show chassis mac-addresses
Routing Information
# Show routing table
show route
# Show specific route
show route 192.168.1.0/24
# Show routing protocol summary
show route protocol <protocol>
# Show OSPF neighbors
show ospf neighbor
# Show OSPF database
show ospf database
# Show BGP summary
show bgp summary
# Show BGP neighbors
show bgp neighbor
# Show IS-IS adjacencies
show isis adjacency
# Show IS-IS database
show isis database
# Show route forwarding table
show route forwarding-table
Security and Firewall
# Show security policies
show security policies
# Show security zones
show security zones
# Show security flow sessions
show security flow session
# Show security NAT
show security nat source summary
show security nat destination summary
# Show security IPsec
show security ike security-associations
show security ipsec security-associations
Configuration Basics
Configuration Mode
# Enter configuration mode
configure
# Load configuration
load merge terminal
load override terminal
load replace terminal
# Show configuration changes
show | compare
# Commit configuration
commit
# Commit with comment
commit comment "Added new interface"
# Commit and quit
commit and-quit
# Commit confirmed (rolls back automatically after 5 minutes unless confirmed)
commit confirmed 5
# Confirm the commit before the timer expires
commit
# Rollback configuration
rollback 0 # rollback to last committed
rollback 1 # rollback to previous
rollback ? # show available rollbacks
# Show commit history
show system commit
# Delete configuration section
delete interfaces ge-0/0/0
# Deactivate (keep but disable)
deactivate interfaces ge-0/0/0
# Reactivate
activate interfaces ge-0/0/0
Hostname and System
Basic System Configuration
# Set hostname
set system host-name ROUTER1
# Set domain name
set system domain-name example.com
# Set time zone
set system time-zone America/New_York
# Set name servers
set system name-server 8.8.8.8
set system name-server 8.8.4.4
# Set NTP servers
set system ntp server pool.ntp.org
# Set login message
set system login message "Authorized Access Only"
# Set root password
set system root-authentication plain-text-password
User Management
# Create user
set system login user admin class super-user
# Set user password
set system login user admin authentication plain-text-password
# Set SSH key for user
set system login user admin authentication ssh-rsa "ssh-rsa AAAAB3..."
# Create custom login class
set system login class operator permissions interface
set system login class operator permissions routing
Interface Configuration
Physical Interface
# Configure interface IP
set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.1/24
# Set interface description
set interfaces ge-0/0/0 description "Link to ISP"
# Enable interface
delete interfaces ge-0/0/0 disable
# Disable interface
set interfaces ge-0/0/0 disable
# Set interface speed/duplex
set interfaces ge-0/0/0 speed 1g
set interfaces ge-0/0/0 link-mode full-duplex
# Configure aggregated interface
set interfaces ae0 aggregated-ether-options minimum-links 1
set interfaces ge-0/0/0 ether-options 802.3ad ae0
set interfaces ge-0/0/1 ether-options 802.3ad ae0
Logical Units and VLANs
# Create subinterface with VLAN
set interfaces ge-0/0/0 vlan-tagging
set interfaces ge-0/0/0 unit 10 vlan-id 10
set interfaces ge-0/0/0 unit 10 family inet address 192.168.10.1/24
# Configure trunk port
set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members [10 20 30]
# Configure access port
set interfaces ge-0/0/2 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members 10
Loopback Interface
# Create loopback
set interfaces lo0 unit 0 family inet address 1.1.1.1/32
IRB (Integrated Routing and Bridging)
# Create IRB interface
set interfaces irb unit 10 family inet address 192.168.10.1/24
# Associate VLAN with IRB
set vlans vlan10 l3-interface irb.10
VLAN Configuration
VLANs on Switches
# Create VLAN
set vlans vlan10 vlan-id 10
# Set VLAN description
set vlans vlan10 description "Sales Department"
# Configure interface as access port
set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan10
# Configure trunk port
set interfaces ge-0/0/10 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members [vlan10 vlan20]
# Set native VLAN
set interfaces ge-0/0/10 native-vlan-id 1
Routing Configuration
Static Routes
# Add static route
set routing-options static route 192.168.2.0/24 next-hop 10.1.1.2
# Add default route
set routing-options static route 0.0.0.0/0 next-hop 10.1.1.1
# Add qualified next-hop (floating static)
set routing-options static route 192.168.2.0/24 qualified-next-hop 10.1.1.3 preference 10
# Delete static route
delete routing-options static route 192.168.2.0/24
OSPF Configuration
# Configure OSPF
set protocols ospf area 0.0.0.0 interface ge-0/0/0.0
# Set router ID
set routing-options router-id 1.1.1.1
# Set passive interface
set protocols ospf area 0.0.0.0 interface ge-0/0/1.0 passive
# Set interface cost
set protocols ospf area 0.0.0.0 interface ge-0/0/0.0 metric 10
# Set interface priority
set protocols ospf area 0.0.0.0 interface ge-0/0/0.0 priority 100
# Set reference bandwidth
set protocols ospf reference-bandwidth 10g
# Enable authentication
set protocols ospf area 0.0.0.0 interface ge-0/0/0.0 authentication md5 1 key "password"
BGP Configuration
# Configure BGP
set routing-options autonomous-system 65001
# Add BGP neighbor
set protocols bgp group EBGP type external
set protocols bgp group EBGP neighbor 10.1.1.2 peer-as 65002
# Set local AS
set protocols bgp local-as 65001
# Configure iBGP
set protocols bgp group IBGP type internal
set protocols bgp group IBGP local-address 1.1.1.1
set protocols bgp group IBGP neighbor 2.2.2.2
# Export policy
set protocols bgp group EBGP export EXPORT-POLICY
# Import policy
set protocols bgp group EBGP import IMPORT-POLICY
IS-IS Configuration
# Configure IS-IS
set protocols isis interface ge-0/0/0.0
set protocols isis interface lo0.0
# Set NET address
set protocols isis net 49.0001.0100.1000.1001.00
# Set level
set protocols isis interface ge-0/0/0.0 level 2
# Set passive interface
set protocols isis interface ge-0/0/1.0 passive
Firewall Filters (ACLs)
Firewall Filter Configuration
# Create firewall filter
set firewall family inet filter ALLOW-WEB term 10 from source-address 192.168.1.0/24
set firewall family inet filter ALLOW-WEB term 10 from protocol tcp
set firewall family inet filter ALLOW-WEB term 10 from destination-port [80 443]
set firewall family inet filter ALLOW-WEB term 10 then accept
# Deny all other traffic
set firewall family inet filter ALLOW-WEB term 99 then reject
# Apply filter to interface (input)
set interfaces ge-0/0/0 unit 0 family inet filter input ALLOW-WEB
# Apply filter to interface (output)
set interfaces ge-0/0/0 unit 0 family inet filter output ALLOW-WEB
# Apply filter to loopback (protect RE)
set interfaces lo0 unit 0 family inet filter input PROTECT-RE
# Show filter statistics
show firewall filter ALLOW-WEB
Common Filter Terms
# Allow SSH
set firewall family inet filter PROTECT-RE term allow-ssh from protocol tcp
set firewall family inet filter PROTECT-RE term allow-ssh from destination-port 22
set firewall family inet filter PROTECT-RE term allow-ssh then accept
# Allow ICMP
set firewall family inet filter PROTECT-RE term allow-icmp from protocol icmp
set firewall family inet filter PROTECT-RE term allow-icmp then accept
# Rate limit
set firewall family inet filter PROTECT-RE term rate-limit then policer 1m
set firewall policer 1m if-exceeding bandwidth-limit 1m
set firewall policer 1m if-exceeding burst-size-limit 100k
set firewall policer 1m then discard
NAT Configuration (SRX)
Source NAT
# Configure source NAT pool
set security nat source pool SRC-POOL address 203.0.113.10/32 to 203.0.113.20/32
# Configure source NAT rule set
set security nat source rule-set NAT-OUT from zone trust
set security nat source rule-set NAT-OUT to zone untrust
set security nat source rule-set NAT-OUT rule 1 match source-address 192.168.1.0/24
set security nat source rule-set NAT-OUT rule 1 then source-nat pool SRC-POOL
# Configure PAT (interface-based)
set security nat source rule-set NAT-OUT rule 1 then source-nat interface
Destination NAT
# Configure destination NAT pool
set security nat destination pool DST-POOL address 192.168.1.10/32
# Configure destination NAT rule set
set security nat destination rule-set DNAT from zone untrust
set security nat destination rule-set DNAT rule 1 match destination-address 203.0.113.10/32
set security nat destination rule-set DNAT rule 1 match destination-port 80
set security nat destination rule-set DNAT rule 1 then destination-nat pool DST-POOL
Security Policies (SRX)
Security Zones
# Create security zones
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces ge-0/0/1.0
# Configure host-inbound services
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust host-inbound-traffic system-services ssh
Security Policies
# Create policy
set security policies from-zone trust to-zone untrust policy ALLOW-INTERNET match source-address any
set security policies from-zone trust to-zone untrust policy ALLOW-INTERNET match destination-address any
set security policies from-zone trust to-zone untrust policy ALLOW-INTERNET match application any
set security policies from-zone trust to-zone untrust policy ALLOW-INTERNET then permit
# Log session init
set security policies from-zone trust to-zone untrust policy ALLOW-INTERNET then log session-init
# Log session close
set security policies from-zone trust to-zone untrust policy ALLOW-INTERNET then log session-close
Address Books
# Create address book entry
set security zones security-zone trust address-book address SERVER1 192.168.1.10/32
set security zones security-zone trust address-book address SUBNET1 192.168.1.0/24
# Create address set
set security zones security-zone trust address-book address-set SERVERS address SERVER1
set security zones security-zone trust address-book address-set SERVERS address SERVER2
Policy Options and Route Filters
Prefix Lists
# Create prefix list
set policy-options prefix-list INTERNAL-NETWORKS 192.168.0.0/16
set policy-options prefix-list INTERNAL-NETWORKS 10.0.0.0/8
Route Filters
# Create route filter
set policy-options policy-statement EXPORT-POLICY term 10 from route-filter 192.168.1.0/24 exact
set policy-options policy-statement EXPORT-POLICY term 10 then accept
set policy-options policy-statement EXPORT-POLICY term 99 then reject
Communities
# Define community
set policy-options community NO-EXPORT members no-export
# Match community
set policy-options policy-statement EXPORT-POLICY term 10 from community NO-EXPORT
set policy-options policy-statement EXPORT-POLICY term 10 then reject
DHCP Configuration
DHCP Server
# Configure DHCP pool
set system services dhcp-local-server group DHCP-GROUP interface ge-0/0/0.0
# Configure address pool
set access address-assignment pool DHCP-POOL family inet network 192.168.1.0/24
set access address-assignment pool DHCP-POOL family inet range RANGE1 low 192.168.1.100
set access address-assignment pool DHCP-POOL family inet range RANGE1 high 192.168.1.200
set access address-assignment pool DHCP-POOL family inet dhcp-attributes router 192.168.1.1
set access address-assignment pool DHCP-POOL family inet dhcp-attributes name-server 8.8.8.8
set access address-assignment pool DHCP-POOL family inet dhcp-attributes domain-name example.com
# Show DHCP bindings
show system services dhcp binding
show system services dhcp statistics
DHCP Relay
# Configure DHCP relay
set forwarding-options dhcp-relay server-group SERVERS 192.168.2.10
set forwarding-options dhcp-relay group RELAY-GROUP active-server-group SERVERS
set forwarding-options dhcp-relay group RELAY-GROUP interface ge-0/0/0.0
SSH and Remote Access
SSH Configuration
# Enable SSH
set system services ssh
# Set SSH port
set system services ssh port 22
# Deny root login over SSH and allow only protocol version 2
set system services ssh root-login deny
set system services ssh protocol-version v2
# Configure SSH authorized keys
set system login user admin authentication ssh-rsa "ssh-rsa AAAAB3..."
Spanning Tree Protocol
RSTP Configuration
# Enable RSTP
set protocols rstp
# Set bridge priority
set protocols rstp bridge-priority 4k
# Configure interface
set protocols rstp interface ge-0/0/1 edge
set protocols rstp interface ge-0/0/1 no-root-port
# Enable BPDU protection
set protocols rstp bpdu-block-on-edge
# Show spanning tree
show spanning-tree bridge
show spanning-tree interface
Link Aggregation (LAG)
LACP Configuration
# Create aggregated interface
set chassis aggregated-devices ethernet device-count 4
# Configure AE interface
set interfaces ae0 aggregated-ether-options minimum-links 1
set interfaces ae0 aggregated-ether-options lacp active
# Add members
set interfaces ge-0/0/0 ether-options 802.3ad ae0
set interfaces ge-0/0/1 ether-options 802.3ad ae0
# Configure logical interface
set interfaces ae0 unit 0 family inet address 192.168.1.1/24
# Show LAG status
show lacp interfaces
show interfaces ae0
Configuration Management
Save and Load Configuration
# Commit configuration
commit
# Save the current configuration as the rescue configuration
request system configuration rescue save
# Load rescue configuration
rollback rescue
# Show configuration files
show system configuration
# Show commit history
show system commit
# Compare configurations
show configuration | compare rollback 1
# Load configuration typed or pasted at the terminal (end input with Ctrl+D)
load merge terminal
load override terminal
# Save configuration to file
show configuration | save /var/tmp/config.txt
# Copy configuration
file copy /var/tmp/config.txt ftp://user@server/config.txt
System Maintenance
Software Management
# Show system storage
show system storage
# Add software package
request system software add /var/tmp/junos-package.tgz
# Add and reboot
request system software add /var/tmp/junos-package.tgz reboot
# Validate package
request system software add /var/tmp/junos-package.tgz validate
# Delete old packages
request system storage cleanup
# Show installed software
show version
show system software
Reboot and Shutdown
# Reboot system
request system reboot
# Reboot at specific time
request system reboot at 23:00
# Reboot in X minutes
request system reboot in 30
# Shutdown system
request system halt
# Power off
request system power-off
Monitoring and Troubleshooting
Monitor Traffic
# Monitor interface traffic
monitor interface traffic
# Monitor interface in real-time
monitor interface ge-0/0/0
# Monitor specific statistics
monitor interface ge-0/0/0 detail
# Stop monitoring
Ctrl+C
Ping and Traceroute
# Ping
ping 192.168.1.1
# Ping with count
ping 192.168.1.1 count 10
# Ping with size
ping 192.168.1.1 size 1500
# Ping from source
ping 192.168.1.1 source 10.1.1.1
# Traceroute
traceroute 192.168.1.1
# Traceroute without DNS
traceroute 192.168.1.1 no-resolve
Debug and Logging
# Show log files
show log messages
show log messages | last 50
# Follow log in real-time
monitor start messages
# Stop monitoring
monitor stop
# Show system alarms
show system alarms
# Show chassis alarms
show chassis alarms
# Configure syslog
set system syslog host 192.168.1.100 any any
set system syslog file messages any any
Test Commands
# Test network connectivity
test routing fib-lookup 192.168.1.1
# Test NAT
show security nat source pool
show security flow session
# Clear sessions
clear security flow session all
# Test DNS
show host 192.168.1.1
VPN Configuration (SRX)
Site-to-Site IPsec VPN
# MODE: Configuration #
# Phase 1 - IKE Policy
set security ike policy IKE-POLICY mode main
set security ike policy IKE-POLICY proposals IKE-PROPOSAL
set security ike policy IKE-POLICY pre-shared-key ascii-text "MySecretKey"
# IKE Proposal
set security ike proposal IKE-PROPOSAL authentication-method pre-shared-keys
set security ike proposal IKE-PROPOSAL dh-group group14
set security ike proposal IKE-PROPOSAL authentication-algorithm sha-256
set security ike proposal IKE-PROPOSAL encryption-algorithm aes-256-cbc
set security ike proposal IKE-PROPOSAL lifetime-seconds 28800
# IKE Gateway
set security ike gateway IKE-GW ike-policy IKE-POLICY
set security ike gateway IKE-GW address 203.0.113.10
set security ike gateway IKE-GW external-interface ge-0/0/0.0
set security ike gateway IKE-GW local-identity inet 203.0.113.1
set security ike gateway IKE-GW remote-identity inet 203.0.113.10
# Phase 2 - IPsec Policy
set security ipsec policy IPSEC-POLICY proposals IPSEC-PROPOSAL
set security ipsec policy IPSEC-POLICY perfect-forward-secrecy keys group14
# IPsec Proposal
set security ipsec proposal IPSEC-PROPOSAL protocol esp
set security ipsec proposal IPSEC-PROPOSAL authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC-PROPOSAL encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC-PROPOSAL lifetime-seconds 3600
# IPsec VPN
set security ipsec vpn IPSEC-VPN bind-interface st0.0
set security ipsec vpn IPSEC-VPN ike gateway IKE-GW
set security ipsec vpn IPSEC-VPN ike ipsec-policy IPSEC-POLICY
set security ipsec vpn IPSEC-VPN establish-tunnels immediately
# Configure st0 interface
set interfaces st0 unit 0 family inet address 10.0.0.1/30
# Configure zones
set security zones security-zone trust interfaces st0.0
# Configure routing
set routing-options static route 192.168.2.0/24 next-hop st0.0
# Show VPN status
show security ike security-associations
show security ipsec security-associations
show security ipsec statistics
Route-Based VPN
# MODE: Configuration #
# Create st0 interface for route-based VPN
set interfaces st0 unit 0 family inet
# Bind VPN to st0
set security ipsec vpn SITE-B-VPN bind-interface st0.0
set security ipsec vpn SITE-B-VPN ike gateway IKE-GW
set security ipsec vpn SITE-B-VPN ike ipsec-policy IPSEC-POLICY
# Add st0 to security zone
set security zones security-zone vpn interfaces st0.0 host-inbound-traffic system-services all
set security zones security-zone vpn interfaces st0.0 host-inbound-traffic protocols all
# Configure routing over VPN
set routing-options static route 192.168.2.0/24 next-hop st0.0
# Configure OSPF over VPN
set protocols ospf area 0.0.0.0 interface st0.0
Policy-Based VPN
# MODE: Configuration #
# Create security policies for VPN traffic
set security policies from-zone trust to-zone untrust policy VPN-POLICY match source-address 192.168.1.0/24
set security policies from-zone trust to-zone untrust policy VPN-POLICY match destination-address 192.168.2.0/24
set security policies from-zone trust to-zone untrust policy VPN-POLICY match application any
set security policies from-zone trust to-zone untrust policy VPN-POLICY then permit tunnel ipsec-vpn IPSEC-VPN
set security policies from-zone trust to-zone untrust policy VPN-POLICY then permit tunnel pair-policy VPN-RETURN
# Return policy
set security policies from-zone untrust to-zone trust policy VPN-RETURN match source-address 192.168.2.0/24
set security policies from-zone untrust to-zone trust policy VPN-RETURN match destination-address 192.168.1.0/24
set security policies from-zone untrust to-zone trust policy VPN-RETURN match application any
set security policies from-zone untrust to-zone trust policy VPN-RETURN then permit tunnel ipsec-vpn IPSEC-VPN
Remote Access VPN (Dynamic VPN)
# MODE: Configuration #
# Configure IKE user authentication
set security ike policy REMOTE-IKE-POLICY mode aggressive
set security ike policy REMOTE-IKE-POLICY proposals REMOTE-PROPOSAL
set security ike policy REMOTE-IKE-POLICY pre-shared-key ascii-text "RemoteKey"
set security ike gateway REMOTE-GW ike-policy REMOTE-IKE-POLICY
set security ike gateway REMOTE-GW dynamic hostname remote-user
set security ike gateway REMOTE-GW external-interface ge-0/0/0.0
set security ike gateway REMOTE-GW xauth access-profile REMOTE-ACCESS
# Configure access profile
set access profile REMOTE-ACCESS authentication-order password
set access profile REMOTE-ACCESS client remote-user firewall-user password MyPassword
# Configure address assignment
set access address-assignment pool REMOTE-POOL family inet network 192.168.100.0/24
set access address-assignment pool REMOTE-POOL family inet range RANGE1 low 192.168.100.10
set access address-assignment pool REMOTE-POOL family inet range RANGE1 high 192.168.100.254
set access address-assignment pool REMOTE-POOL family inet dhcp-attributes name-server 8.8.8.8
set access address-assignment pool REMOTE-POOL family inet dhcp-attributes wins-server 192.168.1.10
# Configure IPsec for remote access
set security ipsec vpn REMOTE-VPN ike gateway REMOTE-GW
set security ipsec vpn REMOTE-VPN ike ipsec-policy IPSEC-POLICY
# Configure group VPN
set security group-vpn member ike gateway REMOTE-GW
set security group-vpn member ike proxy-identity local 0.0.0.0/0
set security group-vpn member ike proxy-identity remote 0.0.0.0/0
set security group-vpn member ipsec vpn REMOTE-VPN
# Show remote access VPN
show security ike security-associations detail
show security dynamic-vpn users
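An added example (not part of the original cheat sheet and not Juniper tooling): a Python audit over `show configuration | display set` output that flags four settings from the sections above that warrant review on a production device: SSH without `root-login deny`, a loopback filter term that accepts SSH from any source, an IKE policy in aggressive mode, and `host-inbound-traffic ... all`. The sample configuration is constructed, and the finding labels and function names are hypothetical.

```python
import shlex
from collections import defaultdict

# Constructed sample in "show configuration | display set" form. It reuses
# names from this cheat sheet (PROTECT-RE, REMOTE-IKE-POLICY, zone "vpn").
SAMPLE_CONFIG = """\
set system services ssh protocol-version v2
set interfaces lo0 unit 0 family inet filter input PROTECT-RE
set firewall family inet filter PROTECT-RE term allow-ssh from protocol tcp
set firewall family inet filter PROTECT-RE term allow-ssh from destination-port 22
set firewall family inet filter PROTECT-RE term allow-ssh then accept
set security ike policy IKE-POLICY mode main
set security ike policy REMOTE-IKE-POLICY mode aggressive
set security zones security-zone vpn interfaces st0.0 host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic system-services ssh
"""

# Match conditions that restrict where traffic may come from.
SOURCE_MATCHES = ("source-address", "source-prefix-list", "address", "prefix-list")


def parse_set_lines(text):
    """Return the tokens after 'set' for every set statement in the text."""
    statements = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("set "):
            continue  # skip blanks, comments, deactivate/delete lines
        try:
            tokens = shlex.split(line)  # keeps quoted strings as one token
        except ValueError:
            tokens = line.split()  # unbalanced quote: fall back to whitespace
        statements.append(tokens[1:])
    return statements


def audit(text):
    """Return (label, location) findings; the labels are hypothetical names."""
    stmts = parse_set_lines(text)
    findings = []

    # 1. SSH service configured without an explicit "root-login deny".
    ssh = [s for s in stmts if s[:3] == ["system", "services", "ssh"]]
    if ssh and not any(s[3:5] == ["root-login", "deny"] for s in ssh):
        findings.append(("ssh-root-login", "system services ssh"))

    # 2. Loopback (routing-engine) filter terms accepting SSH from any source.
    #    Only an exact port 22 / "ssh" match is recognised, not port ranges.
    lo0_filters = {s[-1] for s in stmts
                   if s[:2] == ["interfaces", "lo0"] and s[-3:-1] == ["filter", "input"]}
    terms = defaultdict(lambda: {"from": defaultdict(list), "then": []})
    for s in stmts:
        if s[:4] == ["firewall", "family", "inet", "filter"] and len(s) >= 9 and s[5] == "term":
            term = terms[(s[4], s[6])]
            if s[7] == "from":
                term["from"][s[8]].extend(v.strip("[]") for v in s[9:])
            elif s[7] == "then":
                term["then"].append(s[8])
    for (flt, name), term in terms.items():
        ports = set(term["from"].get("destination-port", [])) | set(term["from"].get("port", []))
        restricted = any(k in term["from"] for k in SOURCE_MATCHES)
        if (flt in lo0_filters and "accept" in term["then"]
                and ports & {"22", "ssh"} and not restricted):
            findings.append(("ssh-any-source", f"{flt}/{name}"))

    # 3. IKE policies using aggressive mode.
    for s in stmts:
        if s[:3] == ["security", "ike", "policy"] and s[4:6] == ["mode", "aggressive"]:
            findings.append(("ike-aggressive-mode", s[3]))

    # 4. Zones or zone interfaces that admit every service or protocol.
    for s in stmts:
        if (s[:3] == ["security", "zones", "security-zone"]
                and "host-inbound-traffic" in s and s[-1] == "all"):
            findings.append(("host-inbound-all", f"{s[3]} {s[-2]}"))

    return findings


if __name__ == "__main__":
    for label, where in audit(SAMPLE_CONFIG):
        print(f"{label:22} {where}")
```

Feed it the saved output of `show configuration | display set`; an empty result means none of the four patterns were present, not that the configuration is otherwise sound.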
SD-WAN Configuration
Contrail SD-WAN (formerly Juniper Networks vSRX)
# MODE: Configuration #
# Configure underlay interfaces
set interfaces ge-0/0/0 unit 0 family inet address 203.0.113.1/24
set interfaces ge-0/0/1 unit 0 family inet address 198.51.100.1/24
# Configure overlay tunnels
set interfaces st0 unit 0 family inet address 10.0.0.1/30
set interfaces st0 unit 1 family inet address 10.0.0.5/30
# Configure routing instance for overlay
set routing-instances OVERLAY instance-type virtual-router
set routing-instances OVERLAY interface st0.0
set routing-instances OVERLAY interface st0.1
set routing-instances OVERLAY routing-options static route 0.0.0.0/0 next-hop st0.0
# Configure application identification
set services application-identification
set services application-identification application facebook
# Configure AppQoE (Application Quality of Experience)
set services appqoe rule VOICE-RULE match application junos:VOIP
set services appqoe rule VOICE-RULE qos-profile VOICE-QOS
set services appqoe qos-profile VOICE-QOS dscp ef
set services appqoe qos-profile VOICE-QOS bandwidth 1m
Session Smart Routing (Juniper SSR/128T)
# MODE: Configuration (SSR CLI)
# Configure router
config authority router BRANCH-1
name BRANCH-1
location "Branch Office"
node NODE-1
# Configure device interfaces
device-interface WAN
type ethernet
pci-address 0000:00:03.0
network-interface WAN-INET
address 203.0.113.1/24
gateway 203.0.113.254
device-interface LAN
type ethernet
pci-address 0000:00:04.0
network-interface LAN-NET
address 192.168.1.1/24
# Configure services
service INTERNET
service-policy BRANCH-INTERNET
address 0.0.0.0/0
service VOICE
service-policy VOICE-HIGH-PRIORITY
address 10.1.1.0/24
protocol tcp
port 5060-5061
# Configure service policies
service-policy BRANCH-INTERNET
vector INTERNET-PRIMARY
service-class standard
service-policy VOICE-HIGH-PRIORITY
vector VOICE-PRIMARY
service-class high-priority
max-latency 100
max-loss 0.5
max-jitter 20
# Configure paths
router BRANCH-1
peer HUB-1
authority-name COMPANY
routing interface WAN-INET
Application-Aware Routing
# MODE: Configuration #
# Configure RPM probes for path monitoring
set services rpm probe HUB-PROBE test HTTP-TEST target address 10.2.2.2
set services rpm probe HUB-PROBE test HTTP-TEST probe-type http-get
set services rpm probe HUB-PROBE test HTTP-TEST destination-port 80
set services rpm probe HUB-PROBE test HTTP-TEST test-interval 30
set services rpm probe HUB-PROBE test HTTP-TEST thresholds successive-loss 3
set services rpm probe HUB-PROBE test HTTP-TEST thresholds total-loss 5
# Configure event policy based on RPM
set event-options policy PATH-DOWN events RPM_PROBE_FAILED
set event-options policy PATH-DOWN within 60 trigger on 3
set event-options policy PATH-DOWN then execute-commands commands "request security ipsec rekey"
# Configure APBR (Application-Based Routing)
set firewall family inet filter APBR-FILTER term VOICE from protocol udp
set firewall family inet filter APBR-FILTER term VOICE from port 5060-5061
set firewall family inet filter APBR-FILTER term VOICE then routing-instance VOICE-VRF
set firewall family inet filter APBR-FILTER term DEFAULT then accept
# Apply filter
set interfaces ge-0/0/1 unit 0 family inet filter input APBR-FILTER
SD-WAN Policy and SLA Monitoring
# MODE: Configuration #
# Configure SLA monitoring
set services rpm probe SLA-MONITOR test LATENCY target address 10.2.2.2
set services rpm probe SLA-MONITOR test LATENCY probe-type icmp-ping
set services rpm probe SLA-MONITOR test LATENCY test-interval 5
set services rpm probe SLA-MONITOR test LATENCY probe-count 5
set services rpm probe SLA-MONITOR test LATENCY thresholds total-loss 10
set services rpm probe SLA-MONITOR test LATENCY thresholds rtt-threshold 100000
# Configure backup path based on SLA violation
set event-options policy SLA-VIOLATION events PING_TEST_FAILED
set event-options policy SLA-VIOLATION then change-configuration commands "activate routing-options static route 0.0.0.0/0 next-hop 198.51.100.254"
# Show SD-WAN status
show security ipsec statistics
show services rpm probe-results
show security flow session
show route table OVERLAY.inet.0
Load Balancing Across Multiple WAN Links
# MODE: Configuration #
# Configure per-packet load balancing
set routing-options forwarding-table export LB-POLICY
set policy-options policy-statement LB-POLICY then load-balance per-packet
# Primary default route with a less-preferred backup next hop (failover, not load sharing)
set routing-options static route 0.0.0.0/0 next-hop 203.0.113.254
set routing-options static route 0.0.0.0/0 qualified-next-hop 198.51.100.254 preference 10
# Per-flow load balancing (default)
set routing-options forwarding-table export PER-FLOW-LB
set policy-options policy-statement PER-FLOW-LB then load-balance per-flow
# Show load balancing
show route forwarding-table destination 0.0.0.0/0
show interfaces statistics
Last Updated: March 8, 2026