Rack Switches: Juniper EX3300

We use a pair of Juniper EX3300 L3 switches in the network at the Space. They have fancy features like ASIC based IP routing similar to the Brocade FCXen (meta post) we were evaluating previously. Unlike the Brocades they use a FreeBSD based Unix OS (with root access) which comes with a more or less recent version of openssh to provide such creature comforts as ssh-ed25519 support and no need for obscure ssh client options on recent OSes, unlike Brocade’s proprietary and outdated embedded OS and SSH implementations.

The EXen also have better IPv6 support around access (DHCPv6-PD snooping) and security (ACLs/NDP snooping). They have serious support for multiple isolated routing tables (VRFs) and access control (regex-restricted command filters in login classes), which lets them serve reasonably safely as combined production and lab kit. The config follows a very nice hierarchical model that supports editing before apply and “confirmed commit”, i.e. automatic rollback after a timeout for when a change inadvertently cuts off remote management access. Uptime counters rejoice! It is much too easy to kill the network, or worse the CLI access, without those features.

Quick links:

Vendor docs

Juniper (JunOS) docs cover all or most of their products in one document set, but there are CLI differences across product categories and software versions (pre/post ELS), so it can be hard to find exactly the docs page or incantation you need for a particular product. Read carefully; if all else fails, Google is your friend.

Management Access

  • jex1.asozial.it-syndikat.org – fe80::7e81 / 2a0c:9a40:8070::7e81
  • jex2.asozial.it-syndikat.org – fe80::7e82 / 2a0c:9a40:8070::7e82

SSH just works as you’d expect. Password is in Vault, same for both.


Command quick reference

Show config
  • show configuration (for hierarchical format)
  • show configuration | display set (for line-based set commands)
  • In edit mode it’s just show.

Config Manipulation

  • delete – remove subtree. think: rm -r
  • replace – string/pattern substitution
  • deactivate/activate – “comment out” subtree
  • annotate – add comment

CLI

  • Disable paging: show inter terse | no-more

Interface convention

  • ge-0/0/0 unit 1 is equivalent to ge-0/0/0.1 but only the latter is allowed sometimes

Paste hierarchical config snippet (for set-format lines use load set terminal instead)

root@jun1> edit       
Entering configuration mode

{master:0}[edit]
root@jun1# load merge terminal 
[Type ^D at a new line to end input]
system {
    host-name jex2;
}
load complete

Logging in/out and diffing/saving/rollback config

Juniper Day One: Exploring the CLI (pdf) and
Juniper Day One: Beginner’s guide to JunOS (pdf)

$ ssh root@jex1.asozial.it-syndikat.org
--- JUNOS 15.1R7-S2 built 2018-09-15 07:29:34 UTC
root@jex1:RE:0% id      # demonstrate we have a unix shell with root
uid=0(root) gid=0(wheel) groups=0(wheel), 5(operator), 10(field), 31(guest), 73(config)

root@jex1:RE:0% cli     # run "cli" to get to the JunOS CLI, duh

{master:0}
root@jex1> conf         # ">" is operational mode (read-only as far as the
                        # config goes). "conf" (configure) switches to edit mode

{master:0}[edit]
root@jex1# edit system  # "cd" to a path in the config hierarchy. Yes the
                        # config is not flat like in Brocade land yey

{master:0}[edit system]
root@jex1# set host-name jex1

{master:0}[edit system]
root@jex1# show host-name  # read back config item (think: "ls"), works
                           # without an arg too
host-name jex1;

{master:0}[edit system]
root@jex1# show | compare  # diff against running config.
                           # Where have you been all my life.
[edit system]
- host-name amnesiac;
+ host-name jex1;

{master:0}[edit system]    # Apply the candidate config and save it, in one
root@jex1# commit          # atomic step. None of this apply-immediately garbage here.

{master:0}[edit system]
root@jex1# rollback 0      # Alternatively (instead of commit) throw away the
                           # uncommitted changes and go back to the running config

{master:0}[edit system]
root@jex1# exit

{master:0}[edit]
root@jex1# exit

root@jex1> exit

root@jex1:RE:0% exit
logout

Yeah there sure are a lot of exits. FYI emacs/bash-style command line
editing works across the board here. So Ctrl-A/-E, Ctrl-K and -Y
away, respectively: beginning/end of line and kill/yank (cut/paste).

There’s also TAB completion everywhere. Use it.

Confirmed Commit (auto rollback)

Sometimes a well-meaning config change can kill remote access to the switch itself. To guard against that, prefer commit confirmed. It applies the candidate config but automatically rolls back to the previous one after a timeout (10 minutes by default; commit confirmed <minutes> sets a shorter one) unless the commit is confirmed in time by issuing a plain commit or commit check. Until you have confirmed, keep your session open and test from a second one.
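A worked confirmed-commit session, added here as an example rather than taken from the original page. It assumes jex1, a change that can plausibly lock you out (denying root SSH logins, i.e. the very account the Vault password above is for), and a hypothetical, already existing non-root user admin with a super-user login class. The check from a second terminal is the whole point of the exercise.

```junos
{master:0}[edit]
root@jex1# set system services ssh root-login deny   # the risky change

{master:0}[edit]
root@jex1# show | compare
[edit system services ssh]
+   root-login deny;

{master:0}[edit]
root@jex1# commit confirmed 5       # apply now, auto-rollback in 5 minutes
commit confirmed will be automatically rolled back in 5 minutes unless confirmed
commit complete

# This session stays open. From a SECOND terminal, prove the intended access
# path works before the timer expires ("admin" is an assumed, pre-existing
# non-root user; with no such user this change locks everyone out):
#   $ ssh admin@jex1.asozial.it-syndikat.org "show system commit"
# The first entry lists the pending confirmed commit and its rollback timer.

{master:0}[edit]
root@jex1# commit                   # confirm: a plain commit (or commit check)
commit complete                     # cancels the rollback timer

# If the second login had failed: do nothing, the switch rolls back by itself
# after 5 minutes and root SSH works again. To undo sooner from this session:
#   root@jex1# rollback 1           # previous committed config
#   root@jex1# commit
```

Existing SSH sessions survive the change, which is why the confirming commit can still be typed into the first terminal; only new logins are affected.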

Switch VLANs

Understanding Bridging and VLANs on EX Switches (multicast-l2 JunOS docs)

Example VLAN Declarations:

vlans {
    default;
    lan {
        vlan-id 1;
        l3-interface vlan.1;   #< optional routing interface
        interface {            #< optional alternative to `vlan members lan`
            ge-0/0/0.0;        #  under the interface itself
        }
    }
}

Note the difference: vlans {} is where the name<>id mapping lives, while vlan.N (under interfaces) is the routed L3 interface that is attached to a VLAN via l3-interface.

Example L2 switched interface in VLAN:

ge-0/0/0 {
    unit 0 {
        family ethernet-switching {
            port-mode access;
            vlan {
                members lan;
            }
        }
    }
}

With port-mode access (the default) only one VLAN is allowed in vlan members (which defaults to default) and frames must ingress/egress untagged. Set port-mode trunk to allow multiple tagged VLANs, or port-mode tagged-access to additionally allow one untagged VLAN, which is set using native-vlan-id <vlan>. native-vlan-id takes either a defined VLAN name or a numeric ID; the name is recommended.

WARNING: vlan members and native-vlan-id MUST NOT overlap. If the native VLAN is also listed in members, the members entry wins and the port sends that VLAN tagged only, so untagged hosts on it go dark. Keep the native VLAN out of members if you want to keep your sanity.

ge-0/0/0 {
    unit 0 {
        family ethernet-switching {
            port-mode tagged-access;
            vlan {
                members [ mgmt ];
            }
            native-vlan-id lan;
        }
    }
}
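The overlap mistake and its fix in set form, typed in configuration mode. This is an added example, not config from the Space's switches: the VLAN IDs for lan (1) and mgmt (10) and the port ge-0/0/1 are assumptions, since the page only names the VLANs.

```junos
# Assumed VLAN ids: lan = 1, mgmt = 10; assumed port: ge-0/0/1
set vlans lan vlan-id 1
set vlans mgmt vlan-id 10

# WRONG: lan appears in vlan members *and* as native-vlan-id. The members
# entry wins, lan frames leave ge-0/0/1 tagged, and an untagged host in lan
# sees nothing.
set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode tagged-access
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members [ lan mgmt ]
set interfaces ge-0/0/1 unit 0 family ethernet-switching native-vlan-id lan

# RIGHT: the untagged VLAN is named only in native-vlan-id; vlan members
# lists only the VLANs that must be tagged on the wire (mgmt remains).
delete interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members lan

# Look at what the switch will actually do per VLAN on the port (the
# tagging column shows tagged vs untagged) before and after committing.
run show ethernet-switching interfaces ge-0/0/1

# Commit with a safety net in case ge-0/0/1 is the port you came in over.
commit confirmed 5
```

After the delete, show | compare should list only the removed lan member; if the native VLAN still shows as tagged on the port, it is still present in members somewhere.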

MAC Address Table

To find a host’s port:

root@jex2> show ethernet-switching table brief | match 6c:4b:90:92:1b:b3
  default           6c:4b:90:92:1b:b3 Learn          0 ge-0/0/46.0

Remote code exec vuln in the web interface, I’m shocked, shocked:
2024-01 Security Bulletin: Junos OS: SRX Series and EX Series: Security Vulnerability in J-web allows a preAuth Remote Code Execution (CVE-2024-21591)

via https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0064
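The workaround in that bulletin is to disable J-Web or restrict it to trusted hosts, and the 15.1 train shown in the login banner above is older than every fixed release the bulletin lists, so disabling it is the fix. The check and the change, as an added example session (the web-management stanza in the constructed output assumes J-Web was left at its default on jex1; it is not a claim about the Space's config):

```junos
root@jex1> show configuration system services   # constructed: J-Web left on
ssh;
web-management {
    http;
}

root@jex1> configure

{master:0}[edit]
root@jex1# delete system services web-management

{master:0}[edit]
root@jex1# show | compare
[edit system services]
-   web-management {
-       http;
-   }

{master:0}[edit]
root@jex1# commit confirmed 5       # auto-rollback in case SSH somehow breaks
commit confirmed will be automatically rolled back in 5 minutes unless confirmed
commit complete

{master:0}[edit]
root@jex1# run show system connections | match LISTEN   # no *.80 / *.443
                                                        # listener should remain

{master:0}[edit]
root@jex1# commit                   # confirm once SSH is known to still work
commit complete
```

Repeat on jex2. If the first show prints only ssh; there is nothing to do on that switch.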

Update: We noticed a quirk when configuring VLANs: vlan members and native-vlan-id MUST NOT overlap. The previously listed port-mode tagged-access example was incorrect and has been fixed.