How to – Juniper EX/QFX Layer 3 Switch Configuration

This post lists the basic configuration for a Juniper EX/QFX Layer 3 switch. Like the earlier Cisco Layer 3 post, it covers the most commonly used settings from production deployments. The syntax is the Enhanced Layer 2 Software (ELS) CLI used by current EX and QFX platforms (“interface-mode”, “irb”, “switch-options voip”); older non-ELS EX switches use different keywords.

Related Topic:

How to – Juniper EX switch Virtual Chassis and JUNOS upgrade

https://ictfella.com/juniper-ex-switch-virtual-chassis-stacking-and-junos-upgrade/

How to Configure Cisco Layer 3 Switch

https://ictfella.com/how-to-configure-cisco-layer-3-switch

Juniper L3 Switch configuration examples

Configure automatic backup whenever there is a “commit” executed.

In the example below 10.0.0.4 is the FTP server; “transfer-on-commit” makes the switch push a copy of the configuration to that site every time a commit succeeds. Replace <username> with the FTP account name. Keep in mind that the transferred file is the complete configuration, including RADIUS secrets, SNMP communities and password hashes, and FTP carries both the file and the login credentials in cleartext. On any network you do not fully trust, point archive-sites at an “scp://” URL instead; the rest of the statement is identical.

set system archival configuration transfer-on-commit archive-sites "ftp://<username>@10.0.0.4" password "ICTFella.com"

Configure Radius authentication

10.0.0.2 and 10.0.0.3 are the RADIUS servers (Windows Servers with the NPS role). The authentication order tells the switch to try RADIUS first and fall back to local password authentication. Three points worth checking before you commit: the source-address must be an address configured on the switch itself, normally the management IRB (the default-route section below uses 10.0.4.1 as the upstream firewall, so substitute the switch’s own address here); listing “password” after “radius” means a user rejected by RADIUS can still log in with a local password, not only when the servers are unreachable, whereas an order of “radius” alone keeps local accounts as a fallback only while no server responds; and RADIUS-authenticated users still need a login class on the switch, either through a “remote” template user or the Juniper-Local-User-Name attribute returned by NPS.

set system radius-server 10.0.0.2 secret ICTFella.com port 1812 accounting-port 1813
set system radius-server 10.0.0.2 source-address 10.0.4.1
set system radius-server 10.0.0.3 secret ICTFella.com port 1812 accounting-port 1813
set system radius-server 10.0.0.3 source-address 10.0.4.1
set system authentication-order [ radius password ]

Local admin with full rights and general read-only user creation

set system login user admin full-name admin uid 2000 class super-user authentication plain-text-password
Type your password:
Confirm your password:
set system login user support full-name support uid 3001 class read-only authentication plain-text-password
Type your password:
Confirm your password:

SNMP community strings for monitoring: read-only and read-write

SNMPv2c communities travel in cleartext and are the only credential, so the “clients” statement is what limits their use to the monitoring host 10.0.0.4. The read-write community lets that host change the configuration; only create it if the monitoring platform actually needs to write.

set snmp community ICTFellaro authorization read-only
set snmp community ICTFellaro clients 10.0.0.4/32
set snmp community ICTFellaw authorization read-write
set snmp community ICTFellaw clients 10.0.0.4/32

NTP server and time zone configuration

set system ntp server 10.0.0.4
set system time-zone Australia/Melbourne

DNS Server Configuration

set system name-server 8.8.8.8
set system name-server 1.1.1.1

Enable SSH and allow root login

Allowing root over SSH is convenient during initial setup; in production set root-login to “deny” and log in with the named super-user account created above, so every session is tied to a person.

set system services ssh root-login allow
set system services ssh
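The archival, RADIUS, SNMP, NTP and SSH sections above each carry a setting that a reviewer would want to catch before the configuration reaches a production switch. The script below is an added example, not part of the original post: it tokenises “set”-style Junos statements and applies this editor’s reading of those sections as lint rules. The sample input is constructed from the post’s own commands (the archival username “backup” is a placeholder, one “public” community is added deliberately), and a hardened variant of the same settings is included for contrast.

```python
"""Lint the management-plane statements of a Junos 'set'-style configuration.
Added example, not part of the original post. Rules follow the caveats given
in the archival, RADIUS, SNMP, NTP and SSH sections; sample input is
constructed from the post's commands ('backup' is a placeholder username)."""
import shlex
from collections import Counter

# Constructed sample: the post's commands as written, plus one deliberate extra line.
AS_POSTED = """
set system archival configuration transfer-on-commit archive-sites "ftp://backup@10.0.0.4" password "ICTFella.com"
set system authentication-order [ radius password ]
set snmp community ICTFellaro authorization read-only
set snmp community ICTFellaro clients 10.0.0.4/32
set snmp community ICTFellaw authorization read-write
set snmp community ICTFellaw clients 10.0.0.4/32
set snmp community public authorization read-only   # deliberate extra line, not in the post
set system ntp server 10.0.0.4
set system ntp server 10.0.0.4
set system services ssh root-login allow
set system services ssh
"""

# Constructed hardened variant of the same settings (scp path is a placeholder).
HARDENED = """
set system archival configuration transfer-on-commit archive-sites "scp://backup@10.0.0.4:/var/backups/" password "ICTFella.com"
set system authentication-order radius
set snmp community ICTFellaro authorization read-only
set snmp community ICTFellaro clients 10.0.0.4/32
set system ntp server 10.0.0.4
set system services ssh root-login deny
set system services ssh protocol-version v2
"""

CLEARTEXT_SCHEMES = ("ftp://", "pasvftp://", "http://")


def parse(config):
    """Tokenise each 'set ...' line; shlex keeps quoted values whole and drops '#' comments."""
    return [shlex.split(line, comments=True)
            for line in config.splitlines() if line.strip().startswith("set ")]


def audit(config):
    """Return (rule, message) findings; an empty list means every rule passed."""
    findings = []
    ntp = Counter()
    communities = {}  # name -> {"auth": str, "clients": bool}
    for t in parse(config):
        if t[1:3] == ["system", "archival"] and "archive-sites" in t:
            url = t[t.index("archive-sites") + 1]
            # The archive is the full config: RADIUS secrets, SNMP communities, password hashes.
            if url.lower().startswith(CLEARTEXT_SCHEMES):
                findings.append(("ARCHIVAL_CLEARTEXT", f"config backup over cleartext transport {url}; use scp://"))
        elif t[1:3] == ["system", "authentication-order"]:
            order = [x for x in t[3:] if x not in ("[", "]")]
            # 'password' alongside 'radius': a user rejected by RADIUS can still log in locally.
            # 'radius' alone: local passwords are tried only while no RADIUS server answers.
            if "password" in order and len(order) > 1:
                findings.append(("AUTH_ORDER_LOCAL_FALLBACK",
                                 f"authentication-order {order}: local password accepted on RADIUS reject"))
        elif t[1:3] == ["snmp", "community"]:
            c = communities.setdefault(t[3], {"auth": "read-only", "clients": False})
            if len(t) > 5 and t[4] == "authorization":
                c["auth"] = t[5]
            elif len(t) > 4 and t[4] == "clients":
                c["clients"] = True
        elif t[1:4] == ["system", "ntp", "server"]:
            ntp[t[4]] += 1
        elif t[1:4] == ["system", "services", "ssh"] and "root-login" in t:
            if t[t.index("root-login") + 1] == "allow":
                findings.append(("SSH_ROOT_LOGIN", "ssh root-login allow; deny it and use a named super-user"))
    for name, c in communities.items():
        if name.lower() in ("public", "private"):
            findings.append(("SNMP_DEFAULT_COMMUNITY", f"community '{name}' is a well-known default"))
        if c["auth"] == "read-write":
            findings.append(("SNMP_READ_WRITE", f"community '{name}' can change config over unauthenticated SNMPv2c"))
        if not c["clients"]:
            findings.append(("SNMP_NO_CLIENTS", f"community '{name}' has no clients list; any source may use it"))
    for server, n in ntp.items():
        if n > 1:
            findings.append(("NTP_DUPLICATE", f"ntp server {server} listed {n} times; a second source needs a second address"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", AS_POSTED), ("hardened", HARDENED)):
        result = audit(cfg)
        print(f"== {label}: {len(result)} finding(s)")
        for rule, msg in result:
            print(f"  {rule}: {msg}")
```

Run it against the output of “show configuration | display set” from a real switch; the hardened sample is there to show that the same statements, with only the URL scheme, authentication order, community set and root-login value changed, produce no findings.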

Static route / default route

Let’s assume 10.0.4.1 is the Firewall/router device

set routing-options static route 0.0.0.0/0 next-hop 10.0.4.1

Link Layer Discovery Protocol (LLDP, equivalent to Cisco CDP)

set protocols lldp interface all

Link Layer Discovery Protocol-Media Endpoint Discovery (LLDP-MED) and PoE Configuration

LLDP-MED is an extension of LLDP used between the switch and endpoint devices such as IP phones to support voice over IP (VoIP); it has to be enabled globally or on the interfaces that have IP phones connected. The second line enables PoE on all ports.

set protocols lldp-med interface all
set poe interface all

VLAN and Switch Virtual Interface (SVI) configuration (IRB interface)

It is good practice to use the same number for the VLAN ID and the IRB unit. The two are not required to match, but keeping them aligned avoids confusion when reading the configuration later.

set vlans Voice vlan-id 2
set vlans Voice l3-interface irb.2

set vlans Workstations vlan-id 3
set vlans Workstations l3-interface irb.3

set interfaces irb unit 2 family inet address 10.0.2.1/24
set interfaces irb unit 3 family inet address 10.0.3.1/24

Access port configuration

“wildcard range set” is equivalent to Cisco’s “interface range” command; the first example is for the multigigabit (mge-) ports and the second for the 1-gigabit (ge-) ports.

“switch-options voip” is equivalent to the Cisco “switchport voice vlan” command: the phone learns the Voice VLAN through LLDP-MED and tags its traffic with it, while the PC behind the phone stays untagged in VLAN 3.

wildcard range set interfaces mge-0/0/[16-31] description *DataVoice*
wildcard range set interfaces mge-0/0/[16-31] unit 0 family ethernet-switching interface-mode access
wildcard range set interfaces mge-0/0/[16-31] unit 0 family ethernet-switching vlan members 3
wildcard range set switch-options voip interface mge-0/0/[16-31].0 vlan Voice

wildcard range set interfaces ge-0/0/[0-15] description *DataVoice*
wildcard range set interfaces ge-0/0/[0-15] unit 0 family ethernet-switching interface-mode access
wildcard range set interfaces ge-0/0/[0-15] unit 0 family ethernet-switching vlan members 3
wildcard range set switch-options voip interface ge-0/0/[0-15].0 vlan Voice

Trunk port configuration

“vlan members all” carries every VLAN defined on the switch, including any added later; on uplinks to equipment you do not control, list the VLANs explicitly instead.

set interfaces xe-0/1/0 description ***Uplink****
set interfaces xe-0/1/0 native-vlan-id 1
set interfaces xe-0/1/0 unit 0 family ethernet-switching interface-mode trunk
set interfaces xe-0/1/0 unit 0 family ethernet-switching vlan members all

DHCP server configuration

set access address-assignment pool Pool_Workstation family inet network 10.0.3.0/24
set access address-assignment pool Pool_Workstation family inet range range1 low 10.0.3.35
set access address-assignment pool Pool_Workstation family inet range range1 high 10.0.3.200
set access address-assignment pool Pool_Workstation family inet dhcp-attributes name-server 208.67.222.222
set access address-assignment pool Pool_Workstation family inet dhcp-attributes name-server 208.67.220.220
set access address-assignment pool Pool_Workstation family inet dhcp-attributes router 10.0.3.1

set access address-assignment pool Pool_Voice family inet network 10.0.2.0/24
set access address-assignment pool Pool_Voice family inet range range1 low 10.0.2.35
set access address-assignment pool Pool_Voice family inet range range1 high 10.0.2.200
set access address-assignment pool Pool_Voice family inet dhcp-attributes name-server 208.67.222.222
set access address-assignment pool Pool_Voice family inet dhcp-attributes name-server 208.67.220.220
set access address-assignment pool Pool_Voice family inet dhcp-attributes router 10.0.2.1

set system services dhcp-local-server group Workstation interface irb.3
set system services dhcp-local-server group Voice interface irb.2

DHCP forwarding / IP Helper configuration

Unlike the example above, this forwards DHCP requests to the DHCP servers 10.0.0.1 and 10.0.0.2. You would not configure DHCP relay and the local DHCP server for the same VLAN/IRB, so this example uses irb.4 and irb.5.

set forwarding-options dhcp-relay forward-snooped-clients all-interfaces
set forwarding-options dhcp-relay overrides allow-snooped-clients

set forwarding-options dhcp-relay server-group dhcp-srv 10.0.0.1
set forwarding-options dhcp-relay server-group dhcp-srv 10.0.0.2

set forwarding-options dhcp-relay active-server-group dhcp-srv
set forwarding-options dhcp-relay group all interface irb.4
set forwarding-options dhcp-relay group all interface irb.5
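The DHCP server and DHCP relay sections above depend on several statements agreeing with each other: the pool network must match an IRB subnet, the range and router option must fall inside it, and an IRB must not be bound to both dhcp-local-server and dhcp-relay. The script below is an added example, not part of the original post: it parses the VLAN/IRB, pool, local-server and relay statements and cross-checks them. The sample is constructed from the post’s commands with three deliberate mistakes (a router option that is not the IRB address, irb.3 bound to both server and relay, and a relay on an irb.5 that has no address) so that the check has something to report.

```python
"""Cross-check DHCP pool, dhcp-local-server and dhcp-relay statements against
the IRB addresses in a Junos 'set'-style configuration. Added example, not
part of the original post; the sample is constructed from the post's commands
with deliberate mistakes marked '# deliberate'."""
import ipaddress
import shlex
from collections import defaultdict

SAMPLE_CONFIG = """
set vlans Voice vlan-id 2
set vlans Voice l3-interface irb.2
set vlans Workstations vlan-id 3
set vlans Workstations l3-interface irb.3
set interfaces irb unit 2 family inet address 10.0.2.1/24
set interfaces irb unit 3 family inet address 10.0.3.1/24
set access address-assignment pool Pool_Workstation family inet network 10.0.3.0/24
set access address-assignment pool Pool_Workstation family inet range range1 low 10.0.3.35
set access address-assignment pool Pool_Workstation family inet range range1 high 10.0.3.200
set access address-assignment pool Pool_Workstation family inet dhcp-attributes router 10.0.3.1
set access address-assignment pool Pool_Voice family inet network 10.0.2.0/24
set access address-assignment pool Pool_Voice family inet range range1 low 10.0.2.35
set access address-assignment pool Pool_Voice family inet range range1 high 10.0.2.200
set access address-assignment pool Pool_Voice family inet dhcp-attributes router 10.0.2.254   # deliberate: not the IRB address
set system services dhcp-local-server group Workstation interface irb.3
set system services dhcp-local-server group Voice interface irb.2
set forwarding-options dhcp-relay group all interface irb.3   # deliberate: same IRB as the local server
set forwarding-options dhcp-relay group all interface irb.5   # deliberate: irb.5 has no address
"""


def parse(config):
    """Tokenise 'set ...' lines; comments=True drops the '# deliberate' annotations."""
    return [shlex.split(line, comments=True)
            for line in config.splitlines() if line.strip().startswith("set ")]


def check_dhcp(config):
    """Return (rule, message) findings for the DHCP-related statements."""
    irb = {}                        # "irb.2" -> IPv4Interface
    pools = defaultdict(dict)       # pool name -> {"network", "low", "high", "router"}
    bound = defaultdict(set)        # "irb.3" -> {"local-server", "relay"}
    for t in parse(config):
        if t[1:4] == ["interfaces", "irb", "unit"] and "address" in t:
            irb[f"irb.{t[4]}"] = ipaddress.ip_interface(t[t.index("address") + 1])
        elif t[1:4] == ["access", "address-assignment", "pool"] and len(t) > 8:
            p = pools[t[4]]
            if t[7] == "network":
                p["network"] = ipaddress.ip_network(t[8])
            elif t[7] == "range" and len(t) > 10:      # one range per pool, as in the post
                p[t[9]] = ipaddress.ip_address(t[10])   # t[9] is 'low' or 'high'
            elif t[7:9] == ["dhcp-attributes", "router"] and len(t) > 9:
                p["router"] = ipaddress.ip_address(t[9])
        elif t[1:4] == ["system", "services", "dhcp-local-server"] and "interface" in t:
            bound[t[t.index("interface") + 1]].add("local-server")
        elif t[1:3] == ["forwarding-options", "dhcp-relay"] and "interface" in t:
            bound[t[t.index("interface") + 1]].add("relay")

    findings = []
    for name, p in pools.items():
        net = p["network"]
        on_subnet = [i for i in irb.values() if i.network == net]
        if not on_subnet:
            findings.append(("POOL_WITHOUT_IRB", f"{name}: no irb in {net}; the local server has nothing to answer from"))
        for key in ("low", "high", "router"):
            if key in p and p[key] not in net:
                findings.append(("POOL_OUT_OF_SUBNET", f"{name}: {key} {p[key]} is outside {net}"))
        if "low" in p and "high" in p and p["low"] > p["high"]:
            findings.append(("POOL_RANGE_INVERTED", f"{name}: low {p['low']} is above high {p['high']}"))
        if on_subnet and "router" in p and p["router"] not in {i.ip for i in on_subnet}:
            findings.append(("POOL_ROUTER_NOT_IRB",
                             f"{name}: router {p['router']} is not an irb address on {net}; confirm it is intended (e.g. a VRRP address)"))
    for ifname, roles in bound.items():
        if ifname not in irb:
            findings.append(("UNDEFINED_IRB", f"{ifname} is bound to {'/'.join(sorted(roles))} but has no address"))
        if roles == {"local-server", "relay"}:
            findings.append(("SERVER_AND_RELAY", f"{ifname} is both a dhcp-local-server and a dhcp-relay interface"))
        if "local-server" in roles and ifname in irb and \
                not any(p.get("network") == irb[ifname].network for p in pools.values()):
            findings.append(("SERVER_WITHOUT_POOL", f"{ifname} serves DHCP but no pool covers {irb[ifname].network}"))
    return findings


if __name__ == "__main__":
    for rule, msg in check_dhcp(SAMPLE_CONFIG):
        print(f"{rule}: {msg}")
```

The router-option check is reported as something to confirm rather than an error, because a gateway other than the IRB (a VRRP virtual address, for instance) is legitimate; the server-and-relay overlap and the unaddressed IRB are always mistakes.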

Useful Links

https://www.juniper.net/documentation/us/en/hardware/ex2300/topics/topic-map/ex2300-configuring-junos-os.html#ex-series-initial-configuration-setting-up-cli
