Rack Switches: Juniper EX3300

The Juniper EX3300 are powerful L3 switches with ASIC based IP forwarding, similar to the Brocade FCXen (meta post) we were evaluating previously. They use a FreeBSD based Unix OS (with root access) with a more or less recent version of openssh so we get ssh-ed25519 support and unlike with the Brocade’s proprietary embedded OS and SSH implementation there is no need for weird legacy crypto options on clients.

The EX have better IPv6 support around access (DHCPv6-PD snooping) and security (ACLs/NDP snooping). They have serious support for multiple isolated routing tables (VRFs) and access control (regex restricted command filters) allowing them to be reasonably safe as a combination production and lab kit. The config follows a very nice hierarchical model which supports editing before apply and “confirmed commit”, i.e. rollback after timeout for when remote management access is lost inadvertently. Uptimecounters rejoice! It is much too easy to kill the network, or worse CLI access, without those features.

Docs

Juniper (JunOS) docs cover all or most of their products in one document but there are CLI differences across different product categories and software versions (pre/post ELS) so it can be difficult to find exactly the docs page or incantation you need for a particular product. Reading carefully or if all else fails Google is your friend here.

Access

  • jex1.asozial.it-syndikat.org – fe80::7e81 / 2a0c:9a40:8070::7e81
  • jex2.asozial.it-syndikat.org – fe80::7e82 / 2a0c:9a40:8070::7e82

SSH just works as you’d expect. Password is in Vault, same for both.

Command quick reference

Show config

  • show configuration (for hierarchical format)
  • show configuration | display set (for line-based set commands)
  • In edit mode it’s just show.

Config Manipulation

  • delete – remove subtree. think: rm -r
  • replace – string/pattern substitution
  • deactivate/activate – “comment out” subtree
  • annotate – add comment

CLI

  • Disable paging: show inter terse | no-more

Interface convention

  • ge-0/0/0 unit 1 is equivalent to ge-0/0/0.1 but only the latter is allowed sometimes

Paste hierarchical config snippet

root@jun1> edit       
Entering configuration mode

{master:0}[edit]
root@jun1# load merge terminal 
[Type ^D at a new line to end input]
system {
    host-name jex2;
}
load complete

Logging in/out and diffing/saving/rollback config

Juniper Day One: Exploring the CLI (pdf) and
Juniper Day One: Beginner’s guide to JunOS (pdf)

$ ssh root@jex1.asozial.it-syndikat.org
--- JUNOS 15.1R7-S2 built 2018-09-15 07:29:34 UTC
root@jex1:RE:0% id      # demonstrate we have a unix shell with root
uid=0(root) gid=0(wheel) groups=0(wheel), 5(operator), 10(field), 31(guest), 73(config)

root@jex1:RE:0% cli     # run "cli" to get to the JunOS CLI, duh

{master:0}
root@jex1> conf         # this is the junos shell in read-only mode,
                        # now switch to edit mode

{master:0}              # "cd" to a path in the config hierarchy. Yes the
root@jex1# edit system  # config is not flat like in Brocade land yey
                        

{master:0}[edit system]
root@jex1# set host-name jex1

{master:0}[edit system]
root@jex1# show host-name  # read back config item (think: "ls"), works
                           # without an arg too
host-name jex1;

{master:0}[edit system]
root@jex1# show | compare  # diff against running config.
                           # Where have you been all my life.
[edit system]
- host-name amnesiac;
+ host-name jex1;

{master:0}[edit system]    # Actually reload, apply and save. None of this
root@jex1# commit          # apply immediately garbage here.

{master:0}[edit system]
root@jex1# commit

{master:0}[edit system]
root@jex1# rollback 0       # Alternatively forget uncommitted changes

{master:0}[edit system]
root@jex1# exit

{master:0}[edit]
root@jex1# exit

root@jex1> exit

root@jex1:RE:0% exit
logout

Yeah there sure are a lot of exits. FYI emacs/bash-style command line
editing works across the board here. So Ctrl-A/-E, Cltr-K and -Y
away. Resp: Begining/end of line and kill/yank (copy/paste).

There’s also TAB completion everywhere. Use it.

Switch VLANs

Understanding Bridging and VLANs on EX Switches (multicast-l2 JunOS docs)

Example VLAN Declarations:

vlans {
    default;
    lan {
        vlan-id 1;
        l3-interface vlan.1; #< optional routing interface
        interface ge-0/0/0.0; #< optional alternative to `vlan member lan`

Note the difference: vlans is where the name<>id mapping is, vlan.* is the name for L3 interfaces that are part of a VLAN.

Example L2 switched interface in VLAN:

ge-0/0/0 {
    unit 0 {
        family ethernet-switching {
            port-mode access;
            vlan {
                members lan;

With interface port-mode access (the default) only one VLAN is allowed in vlan members (which defaults to default) and frames must ingress/egress untagged. We can set port-mode trunk to allow multiple tagged VLANs or port-mode tagged-access to additionally allow one untagged VLAN which is set using native-vlan-id <vlan>. Here a defined name or int is allowed, name is recommended.

ge-0/0/0 {
    unit 0 {
        family ethernet-switching {
            port-mode tagged-access;
            vlan {
                members [ lan mgmt ]; 
            }
            native-vlan-id lan;

MAC Address Table

To find a host’s port:

root@jex2> show ethernet-switching table brief | match 6c:4b:90:92:1b:b3
  default           6c:4b:90:92:1b:b3 Learn          0 ge-0/0/46.0

Remote exec vuln. im web interface, I’m shocked, shocked:
2024-01 Security Bulletin: Junos OS: SRX Series and EX Series: Security Vulnerability in J-web allows a preAuth Remote Code Execution (CVE-2024-21591)

via https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0064