By Nicholas Kurland
Juniper Networks is a networking company that designs and manufactures the Juniper switch and router series. They also provide guidance on securing these devices, building fast networks, and connecting their products together. Juniper Networks has several different series of routers and switches, each with slight variations in its configuration methods. This sometimes creates problems even when comparing a switch or router of the same series but a different model.
I will be giving a configuration overview of the Juniper Ex-4200 series switches. The Ex-4200 series switches are very flexible and scalable for a corporation of any size. In this blog post I will cover how to set up an Ex-4200 series Juniper switch with IP addressing, DHCP relay, OSPF, and firewalls, along with basic system commands that are useful when debugging and testing. For all intents and purposes, we will be working with a Juniper Ex-4200 switch that is on its default factory settings. For this configuration overview we will mainly be using the interface ge-0/0/0, but other interfaces may be referenced.
During this overview it should be noted that many Ex-4200 commands require the user to input custom string names or highly variable arguments. In these cases I will indicate the placeholder using italics when giving the general command. If a command is highly variable I will give an explanation and some examples of possible completions. An example of a highly variable command is the firewall command, which can take destination ports, source ports, destination addresses, and other filter options.
Useful System Commands
I have provided several basic commands used to configure the Juniper switch, along with commands that allow for debugging and analysis of the current configuration. Below is a table of some of these basic Juniper commands with a brief description and an example of valid usage of each command.

| Command | Brief Description | Example Command |
| --- | --- | --- |
| cli | Puts the Juniper Ex-4200 switch into enable mode; this lets you use commands such as show and ping. | cli |
| configure | Puts the Juniper Ex-4200 into configuration mode. cli must be used first. | configure |
| ping | Used in cli mode, pings an address. | ping 172.16.31.1 |
| commit | Saves the current configuration. | commit |
| rollback X | Rolls your configuration back to the previous commit. You can also give a number X to roll back that many commits. By default, without an argument, X is 0. | rollback |
| show | Shows a specified part of the configuration; can be used in both cli and configure mode. | show configuration |
| edit | Allows you to edit a sub-element of the configuration. | edit interface ge-0/0/0 |
| delete | Deletes a data element or configuration. | delete interface ge-0/0/0 unit 0 family ethernet-switching |
| set | Sets a configuration value or changes an existing one. | set interface ge-0/0/0 unit 0 family inet 220.127.116.11/20 |
The Edit Command
In the Juniper switch, configuration settings are contained within elements, and elements often contain further elements. Each part of a Juniper command after the action keyword (set, edit, or delete) is an element, and with the edit command we can position ourselves at one of these elements and begin our configuration there. For example, suppose we were focusing on the element forwarding-options dhcp-relay and all its sub-elements and wished to configure it. We could type set forwarding-options dhcp-relay … where … is the rest of the command, or we could use edit forwarding-options dhcp-relay to begin inside the sub-element forwarding-options dhcp-relay. After using the edit command this way, we can use commands like set and delete as if we had already typed forwarding-options dhcp-relay (or whichever element we entered), which makes the commands needed to change or delete configuration shorter and more efficient. While I won’t be using the edit command in this configuration overview, it is important to know for configuration, and it is present in some of my figures.
At the factory default settings a Juniper Ex-4200 switch will only require a user name, root, for you to log on and begin configuration. The first task before you can begin configuring the switch is to set up a password for the root user. Until a password has been set, the Juniper switch will not allow the commit command to succeed. Using the cli and configure commands we can enter configuration mode as shown in Figure 1 below. Figure 1 also shows the difference between cli mode and configure mode, indicated by the ‘>’ and ‘#’ prompts respectively. It should be noted that above the command line prompt is a banner labeled ‘[edit]’. When we use the edit command this banner changes to show the element we are currently editing, for example ‘[edit interface ge-0/0/0]’.
After this is done, we can set the root password by issuing the following command: ‘set system root-authentication plain-text-password’, as seen in Figure 2. For security purposes you may use encrypted-password instead of plain-text-password so that the password is stored encrypted after creation, but for the purpose of this Ex-4200 overview we will use plain-text-password as the example. After issuing the command, the switch will prompt for a password; for this overview I simply used the password ‘Password’, but for official use a more complicated password should be chosen. With the root password set we can begin configuration of the Juniper Ex-4200 switch. Once the password is set, we can check it using the show configuration command in cli mode. From then on we will need to enter both the user name and the password whenever we log into the Juniper switch.
Figure 1- cli and configure commands
Figure 2- Setting the root password
Setting IP addresses on a Juniper Switch
For a Juniper switch that interacts with networks, if we wish for an interface to host an IP address it will need to be configured on that individual interface. By factory default every interface of the Juniper switch carries a setting called ‘ethernet-switching’, and you can check which interfaces have it by using the ‘show configuration’ command in cli mode or ‘show interface interface-name’ in configuration mode. The delete command in configuration mode can be used to remove this setting. The command to delete the ethernet switching is as follows: ‘delete interfaces ge-0/0/0 unit 0 family ethernet-switching’. The general command for deleting a setting on an interface is ‘delete interface interface-name unit number elements’. The last part of the general command is highly variable, as it can be something such as inet, inet6, or other settings on the interface, but the inet and inet6 elements do need the family element before them for a successful command.
To set an IP address, we will need to use the set command on the interface we wish to use. Let’s say we wish to set interface ge-0/0/0’s IP address to 172.16.31.3/19. To do so we will need to use the command ‘set interfaces ge-0/0/0 unit 0 family inet 172.16.31.3/19’, or, as a more general command for setting the IP: ‘set interfaces interface unit number family inet IP-address’. This may also be done for IPv6 if inet is replaced with inet6 and the IP address after it is replaced with a valid IPv6 address. In Figure 3 below I have provided examples of a successful configuration of an IPv4 and an IPv6 address before removing the family ethernet-switching configuration.
Figure 3- IPv4 and IPv6 Configuration
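The following session, added here as an example and not taken from the original post, ties the edit command and the IP-addressing steps together and shows the review-before-commit workflow a practitioner would use. It assumes the constructed IPv6 prefix 2001:db8::3/64, and it spells out the address keyword that the Junos CLI expects in front of a prefix:

```junos
root> configure
Entering configuration mode

[edit]
root# delete interfaces ge-0/0/0 unit 0 family ethernet-switching

[edit]
root# edit interfaces ge-0/0/0 unit 0

[edit interfaces ge-0/0/0 unit 0]
root# set family inet address 172.16.31.3/19

[edit interfaces ge-0/0/0 unit 0]
root# set family inet6 address 2001:db8::3/64

[edit interfaces ge-0/0/0 unit 0]
root# top

[edit]
root# show | compare
[edit interfaces ge-0/0/0 unit 0]
-    family ethernet-switching;
+    family inet {
+        address 172.16.31.3/19;
+    }
+    family inet6 {
+        address 2001:db8::3/64;
+    }

[edit]
root# commit check
configuration check succeeds

[edit]
root# commit confirmed 5
```

‘show | compare’ shows the candidate changes against the committed configuration, and ‘commit confirmed 5’ rolls the change back automatically unless a second ‘commit’ follows within five minutes, which protects you from locking yourself out of a remotely managed switch.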
DHCP Relay Overview
Juniper switches may be used as a DHCP relay point, and to configure one you will need to use the forwarding-options and dhcp-relay elements of the configuration. There are multiple steps to setting up the switch as a relay point. The first is to point the switch at the DHCP providers, such as a router, that are already set up. For this DHCP relay overview our example DHCP providers will be at 172.16.31.1 and 172.16.31.2. To set these up as the DHCP servers for the relay point, the basic command is: ‘set forwarding-options dhcp-relay server-group server-group-name ip-address’. The command for our example would be ‘set forwarding-options dhcp-relay server-group DHCP-relay 172.16.31.1’, followed by the same command with 172.16.31.2, to place both DHCP servers under the same server-group (Figure 4). Juniper requires the DHCP server-group to be marked active before it can begin functioning, which is done with the command ‘set forwarding-options dhcp-relay active-server-group server-group-name’, replacing server-group-name with our example server group name ‘DHCP-relay’. Lastly, we will need to set the interfaces on which the DHCP relay will run using the command ‘set forwarding-options dhcp-relay group group-name interface interface-name’; examples of these can be found below in Figure 5. This selects the interfaces that will act as DHCP relay interfaces for the DHCP servers we have specified.
Figure 4- dhcp-relay server set up
Figure 5- dhcp-relay set interfaces
OSPF Configuration
OSPF is a useful protocol to implement on our Juniper switch if we wish for our network to be able to receive and forward OSPF packets. Similar to IPv4 and IPv6, OSPF and OSPFv3 can be set up by changing only one part of the command. The general command for setting up OSPF is ‘set protocols ospf area area interface interface’; if you need to configure the retransmit interval you add retransmit-interval number at the end, after the interface. In the OSPF configuration example for this overview I will use the following: area 0 (0.0.0.0), interface ge-0/0/0, interface ge-0/0/1, and a retransmit interval of 1. So for our example configuration the command would be ‘set protocols ospf area 0.0.0.0 interface ge-0/0/0 retransmit-interval 1’, and then the same command with the interface changed to ge-0/0/1 to add it to area 0.0.0.0 as well. Figure 6 below shows what a successful OSPF configuration looks like for two interfaces.
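The DHCP relay and OSPF steps above, carried through in one session as an added example that is not from the original post. It assumes the client-facing relay interface is ge-0/0/2.0 (a constructed choice), spells out the logical unit (.0) on each interface, and adds one thing the post does not cover: MD5 authentication on the OSPF interfaces, so that a neighbour cannot be formed by an unauthenticated device on the segment (the key value is a constructed placeholder; Junos stores it encrypted on commit):

```junos
[edit]
root# set forwarding-options dhcp-relay server-group DHCP-relay 172.16.31.1
root# set forwarding-options dhcp-relay server-group DHCP-relay 172.16.31.2
root# set forwarding-options dhcp-relay active-server-group DHCP-relay
root# set forwarding-options dhcp-relay group clients interface ge-0/0/2.0

[edit]
root# set protocols ospf area 0.0.0.0 interface ge-0/0/0.0 retransmit-interval 1
root# set protocols ospf area 0.0.0.0 interface ge-0/0/1.0 retransmit-interval 1
root# set protocols ospf area 0.0.0.0 interface ge-0/0/0.0 authentication md5 1 key "EXAMPLE-KEY-PLACEHOLDER"
root# set protocols ospf area 0.0.0.0 interface ge-0/0/1.0 authentication md5 1 key "EXAMPLE-KEY-PLACEHOLDER"

[edit]
root# commit check
configuration check succeeds

[edit]
root# commit confirmed 5

[edit]
root# run show ospf interface
root# run show ospf neighbor
```

The two ‘run show ospf’ commands are the check that adjacencies actually form after the commit: an interface that shows no neighbour usually means a mismatched area, key ID, or key on the far end.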
Firewall Configuration
The last topic for this Juniper switch overview is the configuration of a firewall in Juniper. In Juniper you can create multiple firewalls, each with many different statements that allow or deny different protocols and/or ports. These firewalls can then be applied to different interfaces, and multiple firewalls can be applied to one interface, allowing each interface in a Juniper switch to have unique firewalls for both inbound and outbound traffic. Each firewall has a few main parts: first is the name of the overall filter, and then each filter has a number of terms. Terms are checked from top to bottom, and each term has a ‘from’ statement that describes the traffic to match, which can be a protocol, a port, an address, or a combination of these. When traffic is being filtered, the firewall checks the traffic to see whether any of the terms match it. When a term matches, its ‘then’ statement is read to decide what the firewall will do with the traffic. Some examples of the actions that can be performed are: accept, reject, or count.
So, as an example, if we wished to create a firewall on interface ge-0/0/0 we would first need to make the firewall and then apply it to the interface. The basic command for creating a firewall, a term within the firewall, and what the term will check for is: ‘set firewall family inet filter filter-name term term from location‘. As stated before, you can have multiple firewalls, multiple terms in a firewall, and multiple match conditions within a term. After you have created the terms and their from statements you need to make a ‘then’ statement, which can be created with the following general command: ‘set firewall family inet filter filter-name term term-name then action’. In the first firewall command that creates the term, the from statement can be followed by conditions such as source-port, destination-address, source-address, destination-port, and protocol, each of which is then followed by its respective value, such as an IP address for destination-address or tcp for protocol. For the then statement, the action can be, as stated before, accept, reject, or count, among others. Lastly, the firewall will need to be applied to an interface to function. The general command for this is the following: ‘set interface interface-name unit number family inet/inet6 filter output/input filter-name’. In this general command I can put either output or input, since when applying the filter to an interface it must be set for one of these two directions of traffic.
As an example of creating a firewall, let’s say I want a firewall on ge-0/0/0 that allows the tcp protocol through on destination port 80 for its output. The commands I would use are the following:
set firewall family inet filter tcp-filter term tcp-term from protocol tcp
set firewall family inet filter tcp-filter term tcp-term from port 80
set firewall family inet filter tcp-filter term tcp-term then accept
set interfaces ge-0/0/0 unit 0 family inet filter output tcp-filter
This series of commands creates a firewall tcp-filter that allows the tcp protocol out through interface ge-0/0/0 on port 80. Juniper firewalls can be configured for IPv6 by creating separate firewalls specifically for IPv6, which is done simply by replacing inet with inet6. These are the basics of firewall creation on a Juniper switch; however, be warned that firewalls can conflict, and each term of a firewall should focus on only one thing, such as filtering for tcp, or the terms will conflict.
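As an added example, not from the original post, here is the same idea written as an input filter with the two caveats a practitioner needs to know. First, a Junos firewall filter ends with an implicit discard, so the single-term tcp-filter above drops everything it does not explicitly accept; on an interface that also carries OSPF or relayed DHCP, those protocols need their own accept terms. Second, ‘port’ matches either the source or the destination port, so ‘destination-port’ is the narrower match for web traffic. The filter name web-in and the counter name denied-in are constructed for this example:

```junos
[edit]
root# set firewall family inet filter web-in term allow-web from protocol tcp
root# set firewall family inet filter web-in term allow-web from destination-port 80
root# set firewall family inet filter web-in term allow-web then accept

[edit]
root# set firewall family inet filter web-in term allow-ospf from protocol ospf
root# set firewall family inet filter web-in term allow-ospf then accept

[edit]
root# set firewall family inet filter web-in term allow-dhcp from protocol udp
root# set firewall family inet filter web-in term allow-dhcp from destination-port 67
root# set firewall family inet filter web-in term allow-dhcp then accept

[edit]
root# set firewall family inet filter web-in term deny-rest then count denied-in
root# set firewall family inet filter web-in term deny-rest then discard

[edit]
root# set interfaces ge-0/0/0 unit 0 family inet filter input web-in

[edit]
root# commit check
configuration check succeeds

[edit]
root# commit confirmed 5

[edit]
root# run show firewall filter web-in
```

The explicit deny-rest term does what the implicit discard would have done anyway, but because it carries a counter, ‘show firewall filter web-in’ lets you see how much traffic is being dropped and confirm that the earlier accept terms are being hit.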
The Juniper Ex-4200 series are highly flexible and scalable switches which, when properly configured, can be very useful. While they may initially seem complicated to work with due to the lack of explanation, after working with them it becomes simpler to understand the underlying principles of the switch. While there are more ways to configure a Juniper Ex-4200, I have covered some of the main methods used when the switch is put onto a network. It should be noted that at any time you can type ? to ask the Juniper switch for the possible completions of the next part of the command, or press tab to finish a single part of the command if the switch can tell what you wish to input. This concludes this overview of the Juniper Ex-4200 switch configuration.