Eric Radman : a Journal

Juniper Configuration

I never write about my experience maintaining or configuring network switches, mainly because the options provided for declaring configuration are not impressive. Most proprietary switches provide a CLI for interactive use, but no means of applying this configuration apart from vendor-specific protocols.

JunOS is proprietary, but provides a far better story:

  1. A sandboxed FreeBSD 12 userland with modern SSH protocols
  2. Tools for loading, merging and displaying the diff of a configuration

These are notes on configuring the Juniper EX2300-C-12P using rset(1).

USB console

Juniper switches can be accessed using a USB cable since they have a built-in UART

uslcom0 at uhub0 port 4 configuration 1 interface 0 "Silicon Labs CP2104 USB to UART Bridge Controller" rev 2.00/1.00 addr 8
ucom0 at uslcom0 portno 0

To switch output to the USB console run

set system ports auxiliary port-type mini-usb

Manual configuration can now be handled from my OpenBSD router using

cu -l cuaU0

Configuring SSH

The next step is to establish network access using a management interface

set interfaces me0 unit 0 family inet address 192.168.0.7/24
set routing-options static route 0.0.0.0/0 next-hop 192.168.0.3

Optionally disable the alarm LED if this interface will only be used for initial provisioning

set chassis alarm management-ethernet link-down ignore

Set the accepted SSH host-key algorithms

set system services ssh hostkey-algorithm ssh-ed25519

Add users

set system login user eradman class super-user
set system login user eradman authentication ssh-ed25519 "ssh-ed25519 key..."

Once we have settled on a network design, we can bring up a layer 3 interface and assign an IP address that is accessible on a VLAN instead

set interfaces irb unit 80 description wired-network
set interfaces irb unit 80 family inet address 192.168.0.7/24

Upgrading JunOS

> show version
> request system software add http://192.168.0.11/junos-arm-32-18.2R3-S5.3.tgz reboot

Or if there isn't enough space

> request system software add http://192.168.0.11/junos-arm-32-18.2R3-S5.3.tgz force unlink no-copy

Trunking to an OpenBSD Router

First we'll define the vlans on the switch

# juniper/ex2300-c

set vlans vlan80 description wired
set vlans vlan80 vlan-id 80
set vlans vlan80 l3-interface irb.80

set vlans vlan81 description wireless
set vlans vlan81 vlan-id 81
set vlans vlan81 l3-interface irb.81

Set interfaces to trunk mode to accept 802.1q frames

edit interfaces ge-0/0/0
  set description "Uplink to router"
  edit unit 0 family ethernet-switching
    set interface-mode trunk
    set vlan members vlan80
    set vlan members vlan81
  exit
exit

On the OpenBSD host ensure the physical interface is up and define the VLANs

# hostname.em0
up
# hostname.vlan0
parent em0 vnetid 80
inet 192.168.0.3/24
# hostname.vlan1
parent em0 vnetid 81
inet 192.168.1.3/24

To install these using rset(1), I often use a shell loop and set a variable to indicate the network needs to be reconfigured

# apu4d2.pln
network:
    let changed=0
    for interface in em0 vlan0 vlan1
    do
        # changed is set only when rinstall(1) reports that it replaced the target
        ./rinstall -m 640 apu4d2/hostname.$interface /etc/hostname.$interface && changed=1
    done
    # restart networking only if at least one hostname file was updated
    [ $changed -eq 1 ] && sh /etc/netstart

# vim:noexpandtab:syntax=sh:ts=4
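As an added consistency check (not part of the original post), the following POSIX sh script compares the vnetid values in the OpenBSD hostname.vlan* files with the VLANs declared on the switch and tagged on the uplink trunk, so a VLAN that exists on only one side is caught before /etc/netstart runs. It assumes the switch side is the flat output of show configuration | display set; the switch and host samples embedded below are constructed.

```shell
# Cross-check the VLAN ids used by OpenBSD hostname.vlan* files against the
# switch: each vnetid must appear as "set vlans <name> vlan-id <id>" and that
# <name> must be a member of the uplink trunk (assumes "display set" output).

# Constructed sample of the switch side; not captured from a real device.
SWITCH_CONF='set vlans vlan80 description wired
set vlans vlan80 vlan-id 80
set vlans vlan81 description wireless
set vlans vlan81 vlan-id 81
set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members vlan80
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members vlan81'

# Constructed sample of the concatenated hostname.vlan* files.
HOST_VLANS='parent em0 vnetid 80
parent em0 vnetid 81'

# Print every vnetid found in hostname.vlan* text ($1).
host_vnetids() {
    printf '%s\n' "$1" | awk '$1 == "parent" { for (i = 1; i < NF; i++) if ($i == "vnetid") print $(i + 1) }'
}

# Print "name id" for every VLAN declared in the switch config ($1).
switch_vlans() {
    printf '%s\n' "$1" | awk '$1 == "set" && $2 == "vlans" && $4 == "vlan-id" { print $3, $5 }'
}

# Print the VLAN names carried by trunk interface $2 in switch config $1.
trunk_members() {
    printf '%s\n' "$1" | awk -v ifname="$2" \
        '$1 == "set" && $2 == "interfaces" && $3 == ifname && $(NF - 1) == "members" { print $NF }'
}

# Return 0 only when every host vnetid ($2) is defined on the switch ($1) and
# tagged on uplink $3; each mismatch is reported on stderr.
check_vlans() {
    status=0
    for id in $(host_vnetids "$2"); do
        name=$(switch_vlans "$1" | awk -v id="$id" '$2 == id { print $1 }')
        if [ -z "$name" ]; then
            echo "vnetid $id: no matching 'set vlans ... vlan-id $id' on the switch" >&2
            status=1
        elif ! trunk_members "$1" "$3" | grep -qx "$name"; then
            echo "vlan $name (id $id) is not a member of trunk $3" >&2
            status=1
        fi
    done
    return $status
}
```

Run it as check_vlans "$SWITCH_CONF" "$HOST_VLANS" ge-0/0/0 before the rset step; a non-zero exit means the two sides disagree.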

Aggregate Links

Tagged or untagged interfaces may be set up for redundancy

set interfaces ge-0/0/10 ether-options 802.3ad ae0
set interfaces ge-0/0/11 ether-options 802.3ad ae0

edit interfaces ae0
  set description "apu4d2 em0,em1"
  set aggregated-ether-options lacp active
  edit unit 0 family ethernet-switching
    set interface-mode access
    set vlan members vlan80
    set vlan members vlan81
  exit
exit

On the OpenBSD host, configure an aggregate interface and its members. There is some mismatched terminology here, since trunkport on OpenBSD implements LACP, not VLAN tagging.

# /etc/hostname.aggr0
trunkport em0
trunkport em1
up

# /etc/hostname.em0
up

# /etc/hostname.em1
up

POE

JunOS is far more adaptable to configuration management than most switches since changes are staged before they are committed. Another useful feature is the ability to clear a whole section using delete, which ensures the entire category is redefined by the configuration that follows

delete poe
set poe interface ge-0/0/6
set poe interface ge-0/0/7

Routed VLANs

By assigning an IP address to each VLAN L3 interface, traffic can be routed between VLANs on the switch.

set interfaces irb unit 80 family inet address 192.168.0.7/24
set interfaces irb unit 81 family inet address 192.168.1.7/24
set routing-options static route 0.0.0.0/0 next-hop 192.168.0.3

To take advantage of the routed VLAN interfaces, adjust the default gateway for each subnet

# /etc/dhcpd.conf
subnet 192.168.0.0 netmask 255.255.255.0 {
  option routers 192.168.0.7;
}
subnet 192.168.1.0 netmask 255.255.255.0 {
  option routers 192.168.1.7;
}

SRX Series

Juniper SRX firewalls can also be used as a switch by enabling packet mode

delete security
edit security forwarding-options family
  set iso mode packet-based
  set inet6 mode packet-based
  set mpls mode packet-based
exit

Alarm Status

If the alarm light is on, the system may be missing a last-known-working configuration, or the recovery partition may not be ready. Use show system alarms to show known issues.

# mirror state
request system configuration rescue save
request system autorecovery state save

Links

fs.com has everything needed to assemble tidy cabling, and their products are very easy to use: