3.3 Initial Configuration & Interfaces
Key Takeaways
- Initial setup always requires a root password via `set system root-authentication`; named user accounts are then created under `[edit system login]` with a username, login class, and authentication.
- `set system host-name` names the device and `set system services` enables management protocols such as SSH and (legacy, insecure) Telnet.
- The dedicated out-of-band management interface on most platforms is `fxp0` or `me0`, configured under `interfaces` with an address that is kept separate from transit interface logic.
- Junos interface names follow `type-fpc/pic/port` (for example `ge-0/0/0`), and a logical `unit` carries protocol families such as `family inet` (IPv4) and `family inet6` (IPv6).
- Verify interfaces with `show interfaces terse`, `show interfaces` *name* `extensive`, and `show configuration interfaces`, all from operational mode after commit.
Why This Topic Matters
Initial configuration and interface basics sit at the heart of the Configuration Basics objective, the largest area on JNCIA-Junos. The exam consistently tests the mandatory first steps after factory default, the difference between root and named accounts, how management services are enabled, and how to read a Junos interface name. These are also the first tasks you perform on any real Junos device.
Root and User Accounts
The root account is the built-in superuser. On a factory-default device it has no password, and as covered earlier Junos will not commit until a root password is set.
[edit]
user@host# set system root-authentication plain-text-password
New password:
Retype new password:
After the root password, create named user accounts so individuals do not share root. Each account needs a class (login class) and an authentication method.
[edit system login]
user@host# set user nadia class super-user
user@host# set user nadia authentication plain-text-password
New password:
| Element | Purpose |
|---|---|
root-authentication | Password (or SSH key) for the built-in root user |
login user name | Creates a named account |
class | Maps the account to a login class (permissions) |
authentication | Local password or SSH key for the account |
For stronger security you can configure ssh-rsa / ssh-ed25519 public keys instead of plain-text passwords, and centralized authentication such as RADIUS or TACACS+ with a local fallback.
Host Name and Management Services
Host Name
The device name appears in the CLI prompt and in logs.
[edit]
user@host# set system host-name core-rtr-01
After commit, the prompt becomes user@core-rtr-01>.
System Services
Management access protocols are enabled under [edit system services]. Junos disables most remote access by default, so you explicitly turn on what you need.
| Service statement | Effect | Notes |
|---|---|---|
set system services ssh | Enables SSH | Recommended; encrypted |
set system services telnet | Enables Telnet | Legacy and unencrypted - avoid in production |
set system services web-management https | Enables J-Web over HTTPS | Needed before J-Web can be used |
set system services web-management http | Enables J-Web over HTTP | Unencrypted; HTTPS preferred |
set system services netconf ssh | Enables NETCONF over SSH | Programmatic/automation access |
A minimal secure baseline typically enables only SSH:
[edit]
user@host# set system services ssh
user@host# commit
The exam often contrasts SSH with Telnet: both provide remote CLI access, but Telnet sends credentials and data in clear text, so SSH is the correct choice for secure management.
The Management Interface
Most Junos platforms include a dedicated out-of-band (OOB) management interface, separate from the revenue/transit ports. It is named fxp0 on many routers and me0 on many switches. Because it is out-of-band, its address is reachable for management even when transit routing is broken, and it is kept logically separate from production traffic.
[edit]
user@host# set interfaces fxp0 unit 0 family inet address 10.10.10.2/24
user@host# set routing-options static route 0.0.0.0/0 next-hop 10.10.10.1
user@host# commit
Key points for the exam:
- The management interface is configured like any other interface but is intended only for device management, not for forwarding user traffic.
- It commonly uses a static route or a dedicated management routing instance so management traffic does not mix with the main routing table.
Junos Interface Naming
Junos interface names are highly structured. Understanding the parts lets you decode any name on the exam.
The general form is:
type-fpc/pic/port.unit
For example, in ge-0/0/5.0:
| Part | Value | Meaning |
|---|---|---|
| type | ge | Media type - Gigabit Ethernet |
| fpc | 0 | Flexible PIC Concentrator (slot) |
| pic | 0 | Physical Interface Card position |
| port | 5 | Port number on the PIC |
| unit | 0 | Logical unit (after the dot) |
Common media-type prefixes:
| Prefix | Interface type |
|---|---|
ge | Gigabit Ethernet |
xe | 10-Gigabit Ethernet |
et | 40/100-Gigabit Ethernet |
ae | Aggregated Ethernet (link bundle) |
lo0 | Loopback (always-up logical interface) |
fxp0 / me0 | Out-of-band management |
Physical vs. Logical (Units)
A physical interface such as ge-0/0/0 carries one or more logical units. The unit holds protocol family configuration and addressing. Every interface that carries traffic needs at least one unit (commonly unit 0), and a family such as inet for IPv4 or inet6 for IPv6 must be configured on that unit.
Basic Interface Configuration
A typical IPv4 plus IPv6 interface configuration sets a description, a unit, and address families.
[edit interfaces]
user@host# set ge-0/0/0 description "Link to core-rtr-02"
user@host# set ge-0/0/0 unit 0 family inet address 192.0.2.1/30
user@host# set ge-0/0/0 unit 0 family inet6 address 2001:db8:0:1::1/64
user@host# top
user@host# commit
The loopback interface lo0 is special: it is always up as long as the device is running, so it is the preferred source for management, routing protocol IDs, and stable addressing.
[edit interfaces]
user@host# set lo0 unit 0 family inet address 10.255.0.1/32
Verifying Interfaces
After commit, verify from operational mode. These commands appear frequently on the exam.
| Command | Use |
|---|---|
show interfaces terse | Compact list: every interface, admin/link state, and address |
show interfaces ge-0/0/0 | Detailed status for one interface |
show interfaces ge-0/0/0 extensive | Full statistics, errors, and counters |
show configuration interfaces | The committed interface configuration |
monitor interface ge-0/0/0 | Live, refreshing traffic counters |
Example terse output:
user@host> show interfaces terse
Interface Admin Link Proto Local Remote
ge-0/0/0 up up
ge-0/0/0.0 up up inet 192.0.2.1/30
inet6 2001:db8:0:1::1/64
lo0 up up
lo0.0 up up inet 10.255.0.1/32
Two states matter: Admin is whether the interface is administratively enabled (an interface set with disable shows down), and Link is the physical/operational state. Both must be up for the interface to pass traffic. An interface that is Admin up but Link down usually indicates a cabling, speed, or far-end problem rather than a configuration error.
On a factory-default Junos device, which configuration step is mandatory before the first commit will succeed?
In the interface name xe-1/0/3.0, what does the xe prefix indicate?
A network administrator must enable secure remote CLI access on a new Junos router. Which is the best choice?
show interfaces terse shows ge-0/0/0 as Admin up but Link down. What is the most likely cause?