This post lists the basic configuration for a Juniper EX/QFX Layer 3 switch. Like the earlier Cisco Layer 3 post, it covers the settings most commonly used in production deployments.
Related Topic:
How to – Juniper EX switch Virtual Chassis and JUNOS upgrade
https://ictfella.com/juniper-ex-switch-virtual-chassis-stacking-and-junos-upgrade/
How to Configure Cisco Layer 3 Switch
https://ictfella.com/how-to-configure-cisco-layer-3-switch
Juniper L3 Switch configuration examples
Configure automatic backup whenever a “commit” is executed.
In the example below, 10.0.0.4 is the FTP server; “transfer-on-commit” tells the switch to upload the configuration to the archive site every time a commit succeeds. The username in the URL is a placeholder (the original is not shown). Be aware that FTP carries both the login credentials and the full configuration (including password hashes and SNMP community strings) in cleartext on the wire. Junos also accepts an scp:// archive site, which runs over SSH and is the better choice on anything other than an isolated management network.
set system archival configuration transfer-on-commit archive-sites "ftp://<username>@10.0.0.4" password "ICTFella.com"
Configure Radius authentication
10.0.0.2 and 10.0.0.3 are the RADIUS servers (Windows Servers with the NPS role). “source-address” is the address the switch sends RADIUS requests from; it must be an address configured on the switch itself, and it is the address you register as the RADIUS client in NPS. The authentication order tells the switch to try RADIUS first and fall back to the local password database. Note that because “password” is listed explicitly, the local database is also consulted when RADIUS rejects a login, not only when the servers are unreachable; if local accounts should work only during a RADIUS outage, leave “password” out of the order. RADIUS users without a matching local account need either a “remote” user template on the switch or a Juniper vendor-specific attribute returned by NPS to be mapped to a login class.
set system radius-server 10.0.0.2 secret ICTFella.com port 1812 accounting-port 1813
set system radius-server 10.0.0.2 source-address 10.0.4.1
set system radius-server 10.0.0.3 secret ICTFella.com port 1812 accounting-port 1813
set system radius-server 10.0.0.3 source-address 10.0.4.1
set system authentication-order [ radius password ]
Local admin with full rights, and a general read-only user. “plain-text-password” prompts for the password interactively and stores only a hash in the configuration; the “Type your password” / “Confirm your password” lines below are the CLI prompts, not commands.
set system login user admin full-name admin uid 2000 class super-user authentication plain-text-password
Type your password:
Confirm your password:
set system login user support full-name support uid 3001 class read-only authentication plain-text-password
Type your password:
Confirm your password:
SNMP community strings for monitoring: read-only and read-write. SNMPv2c communities travel in cleartext and act as the password, so restrict each one to the monitoring host with “clients” (as below) and only define a read-write community if something actually needs to write via SNMP; SNMPv3 with authentication and privacy is the preferred alternative.
set snmp community ICTFellaro authorization read-only
set snmp community ICTFellaro clients 10.0.0.4/32
set snmp community ICTFellaw authorization read-write
set snmp community ICTFellaw clients 10.0.0.4/32
NTP server and time zone configuration. Accurate time is needed to correlate logs across devices.
set system ntp server 10.0.0.4
set system time-zone Australia/Melbourne
DNS Server Configuration
set system name-server 8.8.8.8
set system name-server 1.1.1.1
Enable SSH and set the root-login policy
The first line enables the SSH service. The second permits root to log in over SSH; the Junos default is “deny”, and keeping it (or using “deny-password”, which allows root only with an SSH key) is the safer choice, since administrators should log in with their own named super-user accounts so that actions are attributable. Also note that Junos will not commit a configuration on these switches until a root password has been set with “set system root-authentication plain-text-password”.
set system services ssh
set system services ssh root-login allow
Static route / default route
Assume 10.0.4.1 is the upstream firewall/router; this default route sends any traffic without a more specific route to it.
set routing-options static route 0.0.0.0/0 next-hop 10.0.4.1
Link Layer Discovery Protocol (LLDP, equivalent to Cisco CDP)
set protocols lldp interface all
Link Layer Discovery Protocol-Media Endpoint Discovery (LLDP-MED) and PoE Configuration
LLDP-MED is an extension of LLDP used between the switch and endpoints such as IP phones to advertise the voice VLAN and QoS policy for VoIP. It has to be enabled globally or on the interfaces that have IP phones connected. The second line enables PoE on all ports.
set protocols lldp-med interface all
set poe interface all
VLAN and Switch Virtual Interface (SVI) configuration (IRB interface)
Keep the VLAN ID and the IRB unit number the same. Junos does not require it, but it avoids confusion when troubleshooting.
set vlans Voice vlan-id 2
set vlans Voice l3-interface irb.2
set vlans Workstations vlan-id 3
set vlans Workstations l3-interface irb.3
set interfaces irb unit 2 family inet address 10.0.2.1/24
set interfaces irb unit 3 family inet address 10.0.3.1/24
Access port configuration
“wildcard range set” is the equivalent of Cisco’s “interface range” command; the first block is for the multigigabit (mge-) ports and the second for the 1-gigabit (ge-) ports.
“switch-options voip … vlan Voice” is the equivalent of Cisco’s “switchport voice vlan”: the phone learns the voice VLAN via LLDP-MED and tags its own traffic, while the PC behind it stays untagged in VLAN 3.
wildcard range set interfaces mge-0/0/[16-31] description *DataVoice*
wildcard range set interfaces mge-0/0/[16-31] unit 0 family ethernet-switching interface-mode access
wildcard range set interfaces mge-0/0/[16-31] unit 0 family ethernet-switching vlan members 3
wildcard range set switch-options voip interface mge-0/0/[16-31].0 vlan Voice
wildcard range set interfaces ge-0/0/[0-15] description *DataVoice*
wildcard range set interfaces ge-0/0/[0-15] unit 0 family ethernet-switching interface-mode access
wildcard range set interfaces ge-0/0/[0-15] unit 0 family ethernet-switching vlan members 3
wildcard range set switch-options voip interface ge-0/0/[0-15].0 vlan Voice
Trunk port configuration. “vlan members all” and native VLAN 1 are convenient on a single uplink to the core, but they carry every VLAN, including the management VLAN, to the far end. On a production trunk, list only the VLANs the neighbour needs and use a dedicated, otherwise unused native VLAN instead of VLAN 1, so that untagged frames from a misconfigured peer land nowhere useful.
set interfaces xe-0/1/0 description ***Uplink****
set interfaces xe-0/1/0 native-vlan-id 1
set interfaces xe-0/1/0 unit 0 family ethernet-switching interface-mode trunk
set interfaces xe-0/1/0 unit 0 family ethernet-switching vlan members all
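Several of the sections above (the FTP archive site, the SSH root-login setting, the SNMP communities, the authentication order and the trunk) are places where a copy-and-paste configuration ends up weaker than intended. The script below is an added example, not part of the original post or of Junos: it parses “show configuration | display set” style output and flags those settings. The sample configuration is constructed from this page’s commands with the secrets replaced by placeholders, and the read-write community deliberately has no “clients” line so that check fires.

```python
"""Static audit of a Junos 'set'-command configuration for the weak settings
discussed on this page: cleartext FTP archival, SSH root login, SNMPv2c
communities (read-write, or without a 'clients' restriction), a trunk
carrying 'vlan members all', and an authentication-order that falls back
to local passwords on a RADIUS reject.  Added example, not from the post."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    check: str    # short identifier of the failed check
    line: str     # offending 'set' command (or a reconstructed summary)
    advice: str   # what to change


# Constructed sample: the page's commands with secrets replaced by placeholders.
# The read-write community intentionally has no 'clients' line.
SAMPLE_CONFIG = """
set system archival configuration transfer-on-commit archive-sites "ftp://backup@10.0.0.4" password "REDACTED"
set system radius-server 10.0.0.2 secret REDACTED port 1812 accounting-port 1813
set system authentication-order [ radius password ]
set snmp community ICTFellaro authorization read-only
set snmp community ICTFellaro clients 10.0.0.4/32
set snmp community ICTFellaw authorization read-write
set system services ssh root-login allow
set system services ssh
set interfaces xe-0/1/0 native-vlan-id 1
set interfaces xe-0/1/0 unit 0 family ethernet-switching interface-mode trunk
set interfaces xe-0/1/0 unit 0 family ethernet-switching vlan members all
"""

SNMP_AUTH_RE = re.compile(r"^set snmp community (\S+) authorization (read-only|read-write)$")
SNMP_CLIENTS_RE = re.compile(r"^set snmp community (\S+) clients (\S+)")
AUTH_ORDER_RE = re.compile(r"^set system authentication-order \[(.*)\]$")


def parse_set_lines(text: str) -> list[str]:
    """Keep only 'set ...' lines, as produced by 'show configuration | display set'."""
    return [ln.strip() for ln in text.splitlines() if ln.strip().startswith("set ")]


def audit(text: str) -> list[Finding]:
    findings: list[Finding] = []
    communities: dict[str, dict] = {}   # community name -> {"auth": ..., "clients": [...]}

    for ln in parse_set_lines(text):
        if "archival configuration" in ln and "ftp://" in ln:
            findings.append(Finding("archival-cleartext-ftp", ln,
                "FTP carries the configuration and its credentials in cleartext; use an scp:// archive site."))
        if ln == "set system services ssh root-login allow":
            findings.append(Finding("ssh-root-login", ln,
                "Use root-login deny (or deny-password for key-only) and log in with named super-user accounts."))
        if ln.endswith("family ethernet-switching vlan members all"):
            findings.append(Finding("trunk-all-vlans", ln,
                "Prune the trunk to the VLANs the far end actually needs."))
        m = AUTH_ORDER_RE.match(ln)
        if m and "password" in m.group(1).split():
            findings.append(Finding("local-fallback-on-reject", ln,
                "With 'password' listed, a RADIUS reject still falls through to local accounts; "
                "omit it to use local authentication only when RADIUS is unreachable."))
        m = SNMP_AUTH_RE.match(ln)
        if m:
            communities.setdefault(m.group(1), {"auth": None, "clients": []})["auth"] = m.group(2)
        m = SNMP_CLIENTS_RE.match(ln)
        if m:
            communities.setdefault(m.group(1), {"auth": None, "clients": []})["clients"].append(m.group(2))

    # SNMP checks need the whole community definition, so they run after the loop.
    for name, c in communities.items():
        if c["auth"] == "read-write":
            findings.append(Finding("snmp-read-write", f"set snmp community {name} authorization read-write",
                "A v2c read-write community is a cleartext write path into the switch; prefer SNMPv3 or read-only."))
        if not c["clients"]:
            findings.append(Finding("snmp-no-client-restriction", f"set snmp community {name}",
                "Add 'clients <prefix>' so the community only answers the monitoring host."))
    return findings


def failed_checks(text: str) -> set[str]:
    """Names of the checks that fired, for quick comparison in tests and CI."""
    return {f.check for f in audit(text)}


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"[{f.check}] {f.line}\n    -> {f.advice}")
```

Run it against the output of “show configuration | display set” saved to a file; the check names are stable, so the script can be wired into a pre-commit or CI step that fails when any of them appear.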
DHCP server configuration
set access address-assignment pool Pool_Workstation family inet network 10.0.3.0/24
set access address-assignment pool Pool_Workstation family inet range range1 low 10.0.3.35
set access address-assignment pool Pool_Workstation family inet range range1 high 10.0.3.200
set access address-assignment pool Pool_Workstation family inet dhcp-attributes name-server 208.67.222.222
set access address-assignment pool Pool_Workstation family inet dhcp-attributes name-server 208.67.220.220
set access address-assignment pool Pool_Workstation family inet dhcp-attributes router 10.0.3.1
set access address-assignment pool Pool_Voice family inet network 10.0.2.0/24
set access address-assignment pool Pool_Voice family inet range range1 low 10.0.2.35
set access address-assignment pool Pool_Voice family inet range range1 high 10.0.2.200
set access address-assignment pool Pool_Voice family inet dhcp-attributes name-server 208.67.222.222
set access address-assignment pool Pool_Voice family inet dhcp-attributes name-server 208.67.220.220
set access address-assignment pool Pool_Voice family inet dhcp-attributes router 10.0.2.1
set system services dhcp-local-server group Workstation interface irb.3
set system services dhcp-local-server group Voice interface irb.2
DHCP forwarding / IP Helper configuration
Unlike the example above, this forwards DHCP requests to the DHCP servers 10.0.0.1 and 10.0.0.2. You would not configure DHCP relay and the local DHCP server for the same VLAN/IRB, so this example uses irb.4 and irb.5. The two snooped-clients statements let the relay forward DHCP packets from clients it has no existing binding for (for example after a reboot) on every interface.
set forwarding-options dhcp-relay forward-snooped-clients all-interfaces
set forwarding-options dhcp-relay overrides allow-snooped-clients
set forwarding-options dhcp-relay server-group dhcp-srv 10.0.0.1
set forwarding-options dhcp-relay server-group dhcp-srv 10.0.0.2
set forwarding-options dhcp-relay active-server-group dhcp-srv
set forwarding-options dhcp-relay group all interface irb.4
set forwarding-options dhcp-relay group all interface irb.5