How to Determine Who’s Doing What on Your Junos Router

By Walter J. Goralski, Cathy Gadecki, Michael Bushong

More than one person can log in to a Juniper router at any given time, logging in either with an individual user account name or with a group name that is shared by many users. (An example of a group account is root.) Each person who is on the router can perform whatever operations they’re allowed, depending on their privileges, and it’s possible that another person’s work may interfere with what you’re doing.

Know who’s logged in

When you log in to the router, the Command Line Interface (CLI) doesn’t tell you whether anyone else is already logged in. You need to check manually:

fred@router> show system users

If you discover that an unwanted user is logged into the router or if you need to perform an operation, such as rebooting the router or installing new software, you can forcibly log people out. The show system users command shows you the names of users who are logged in. Use the name to forcibly log the person out, in this case Mike:

fred@router> request system logout mike

Now, Mike sees the following on his terminal window:

mike@router> Connection closed by foreign host.
[server.mycompany.com] mike@server%

You can also ask people to log out. You can ask an individual with a command like this one, with any message you want:

fred@router> request message user mike message "End router session now!"

You can also have the message go to everyone currently logged in to the router:

fred@router> request message all message "End router session now!"

Figure out who’s configuring

Junos OS also allows multiple people to be in configuration mode at the same time. When you enter configuration mode, the CLI displays a message letting you know whether anyone else is also editing the configuration. However, if someone enters configuration mode after you, you won’t receive any kind of message. You can check periodically using the status configuration mode command:

[edit]
fred@router# status
Users currently editing the configuration:
  fred terminal p0 (pid 13329) on since 2008-03-23 15:15:12 UTC
      [edit]

If more than one person is changing the configuration, when one of them issues a commit command to activate the configuration, all changes made by all users are activated. To check the changes before committing the configuration, move to the top of the configuration hierarchy and use the following version of the show configuration mode command to look at the differences:

[edit]
fred@router# show | compare
[edit protocols]
+   mstp;
[edit interfaces]
-  ge-0/0/1 {
-   unit 0 {
-     family inet {
-       address 192.168.1.4;
-     }
-   }
- }

The plus sign (+) indicates lines that have been added to the configuration since it was last activated, and the minus sign (-) shows what has been deleted. In the preceding example, the MSTP protocol has been enabled, and one of the Gigabit Ethernet interfaces has been removed from the configuration.

If you need to ensure that no one else can modify the router configuration while you’re editing, lock it when you enter configuration mode with this command:

fred@router> configure exclusive

If someone else has an exclusive lock on the configuration, the CLI displays a message when you enter configuration mode:

fred@router> configure
Users currently editing the configuration:
  mike terminal p0 (pid 13329) on since 2008-03-23 15:15:12 UTC
  exclusive [edit]
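
The status output and the exclusive-lock message shown above use the same layout, so a script can read it before a commit and report who else is in configuration mode. The Python below is an added example, not code from the original article or from Juniper; the function names, the my_tty argument and the sample sessions are assumptions made for illustration.

```python
import re

# `status` session line: <user> terminal <tty> (pid <n>) on since <time> UTC
SESSION = re.compile(
    r"^\s*(?P<user>\S+) terminal (?P<tty>\S+) \(pid (?P<pid>\d+)\) "
    r"on since (?P<since>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) UTC\s*$")
# Line that follows it: optional "exclusive" marker, then the hierarchy level.
DETAIL = re.compile(r"^\s*(?P<excl>exclusive\s+)?(?P<path>\[edit[^\]]*\])\s*$")

def parse_editors(output):
    """Return one dict per session listed as editing the configuration."""
    sessions = []
    for line in output.splitlines():
        m, d = SESSION.match(line), DETAIL.match(line)
        if m:
            sessions.append({**m.groupdict(), "pid": int(m["pid"]),
                             "exclusive": False, "path": None})
        elif d and sessions and sessions[-1]["path"] is None:
            # First detail line only: a later "[edit]" banner must not clear it.
            sessions[-1]["exclusive"] = d["excl"] is not None
            sessions[-1]["path"] = d["path"]
    return sessions

def commit_risks(output, me, my_tty):
    """Reasons to pause before commit; own session = same user AND terminal."""
    risks = []
    for s in parse_editors(output):
        if (s["user"], s["tty"]) == (me, my_tty):
            continue
        if s["exclusive"]:
            risks.append(f"{s['user']} on {s['tty']} holds an exclusive lock")
        else:
            risks.append(f"{s['user']} on {s['tty']} is also editing at "
                         f"{s['path']}: run 'show | compare' before commit")
    return risks

# Constructed sample in the format shown above (not captured from a router).
SAMPLE = """\
Users currently editing the configuration:
  fred terminal p0 (pid 13329) on since 2008-03-23 15:15:12 UTC
      [edit]
  fred terminal p1 (pid 13402) on since 2008-03-23 15:20:41 UTC
      [edit protocols]
  mike terminal p2 (pid 13417) on since 2008-03-23 15:22:03 UTC
  exclusive [edit]
[edit]
"""

if __name__ == "__main__":
    print(*commit_risks(SAMPLE, me="fred", my_tty="p0"), sep="\n")
```

Matching on user and terminal rather than user name alone matters for shared accounts, where a second login under the same name is still a separate person's session.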