Rack Switches: Juniper EX3300

We use a pair of Juniper EX3300 L3 switches in the network at the Space. They have fancy features like ASIC based IP routing similar to the Brocade FCXen (meta post) we were evaluating previously. Unlike the Brocades they use a FreeBSD based Unix OS (with root access) which comes with a more or less recent version of openssh to provide such creature comforts as ssh-ed25519 support and no need for obscure ssh client options on recent OSes, unlike Brocade’s proprietary and outdated embedded OS and SSH implementations.

The EXen also have better IPv6 support around access (DHCPv6-PD snooping) and security (ACLs/NDP snooping). They have serious support for multiple isolated routing tables (VRFs) and access control (regex restricted command filters) allowing them to be reasonably safe as a combination production and lab kit. The config follows a very nice hierarchical model which supports editing before apply and “confirmed commit”, i.e. rollback after timeout for when remote management access is lost inadvertently. Uptimecounters rejoice! It is much too easy to kill the network, or worse CLI access, without those features.

Quick links:

Vendor docs

Juniper (JunOS) docs cover all or most of their products in one document but there are CLI differences across different product categories and software versions (pre/post ELS) so it can be difficult to find exactly the docs page or incantation you need for a particular product. Reading carefully or if all else fails Google is your friend here.

Management Access

  • jex1.asozial.it-syndikat.org – fe80::7e81 / 2a0c:9a40:8070::7e81
  • jex2.asozial.it-syndikat.org – fe80::7e82 / 2a0c:9a40:8070::7e82

SSH just works as you’d expect. Password is in Vault, same for both.

Command quick reference

Show config
  • show configuration (for hierarchical format)
  • show configuration | display set (for line-based set commands)
  • In edit mode it’s just show.

Config Manipulation

  • delete – remove subtree. think: rm -r
  • replace – string/pattern substitution
  • deactivate/activate – “comment out” subtree
  • annotate – add comment


  • Disable paging: show inter terse | no-more

Interface convention

  • ge-0/0/0 unit 1 is equivalent to ge-0/0/0.1 but only the latter is allowed sometimes

Paste hierarchical config snippet

root@jun1> edit       
Entering configuration mode

root@jun1# load merge terminal 
[Type ^D at a new line to end input]
system {
    host-name jex2;
load complete

Logging in/out and diffing/saving/rollback config

Juniper Day One: Exploring the CLI (pdf) and
Juniper Day One: Beginner’s guide to JunOS (pdf)

$ ssh root@jex1.asozial.it-syndikat.org
--- JUNOS 15.1R7-S2 built 2018-09-15 07:29:34 UTC
root@jex1:RE:0% id      # demonstrate we have a unix shell with root
uid=0(root) gid=0(wheel) groups=0(wheel), 5(operator), 10(field), 31(guest), 73(config)

root@jex1:RE:0% cli     # run "cli" to get to the JunOS CLI, duh

root@jex1> conf         # this is the junos shell in read-only mode,
                        # now switch to edit mode

{master:0}              # "cd" to a path in the config hierarchy. Yes the
root@jex1# edit system  # config is not flat like in Brocade land yey

{master:0}[edit system]
root@jex1# set host-name jex1

{master:0}[edit system]
root@jex1# show host-name  # read back config item (think: "ls"), works
                           # without an arg too
host-name jex1;

{master:0}[edit system]
root@jex1# show | compare  # diff against running config.
                           # Where have you been all my life.
[edit system]
- host-name amnesiac;
+ host-name jex1;

{master:0}[edit system]    # Actually reload, apply and save. None of this
root@jex1# commit          # apply immediately garbage here.

{master:0}[edit system]
root@jex1# commit

{master:0}[edit system]
root@jex1# rollback 0       # Alternatively forget uncommitted changes

{master:0}[edit system]
root@jex1# exit

root@jex1# exit

root@jex1> exit

root@jex1:RE:0% exit

Yeah there sure are a lot of exits. FYI emacs/bash-style command line
editing works across the board here. So Ctrl-A/-E, Cltr-K and -Y
away. Resp: Begining/end of line and kill/yank (copy/paste).

There’s also TAB completion everywhere. Use it.

Confirmed Commit (auto rollback)

Sometimes a well meaning config change can kill remote access to the switch itself. To prevent that situation we should prefer to use commit confirmed. It will rollback changes after a while (10min by default) if the timer is not explicitly cancelled using conmit check.

Switch VLANs

Understanding Bridging and VLANs on EX Switches (multicast-l2 JunOS docs)

Example VLAN Declarations:

vlans {
    lan {
        vlan-id 1;
        l3-interface vlan.1; #< optional routing interface
        interface ge-0/0/0.0; #< optional alternative to `vlan member lan`

Note the difference: vlans is where the name<>id mapping is, vlan.* is the name for L3 interfaces that are part of a VLAN.

Example L2 switched interface in VLAN:

ge-0/0/0 {
    unit 0 {
        family ethernet-switching {
            port-mode access;
            vlan {
                members lan;

With interface port-mode access (the default) only one VLAN is allowed in vlan members (which defaults to default) and frames must ingress/egress untagged. We can set port-mode trunk to allow multiple tagged VLANs or port-mode tagged-access to additionally allow one untagged VLAN which is set using native-vlan-id <vlan>. Here a defined name or int is allowed, name is recommended.

WARNING: vlan members and native-vlan-id MUST NOT overlap if you want to keep your sanity as members will override native-vlan-id resulting in only tagged egress on the port.

ge-0/0/0 {
    unit 0 {
        family ethernet-switching {
            port-mode tagged-access;
            vlan {
                members [ mgmt ]; 
            native-vlan-id lan;

MAC Address Table

To find a host’s port:

root@jex2> show ethernet-switching table brief | match 6c:4b:90:92:1b:b3
  default           6c:4b:90:92:1b:b3 Learn          0 ge-0/0/46.0

Remote exec vuln. im web interface, I’m shocked, shocked:
2024-01 Security Bulletin: Junos OS: SRX Series and EX Series: Security Vulnerability in J-web allows a preAuth Remote Code Execution (CVE-2024-21591)

via https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0064

Update: We noticed a quirk, when configuring VLANs vlan members and native-lan-id MUST NOT overlap. The previously listed port-mode tagged-access example was was incorrect and has been fixed.