As promised here’s the current template I’m using to configure the Juniper EX4300 series switches in my environment. Please feel free to provide corrections or updates based on your own experiences.
We’ll touch on the following configuration topics: OSPF, VLANs, DHCP relay, DHCP snooping, MAC limiting, rate limiting, BFD, TACACS+, SYSLOG, SNMP, RSTP, and BPDU filtering (blocking).
Let’s start by setting the hostname of the switch and the timezone.
set system host-name B99-SW01-EAST
set system time-zone America/New_York
Let’s set the root password; we’ll also add an ‘admin’ user later.
set system root-authentication plain-text-password {enter local root password} {confirm local root password}
In this case I’m using TAC_PLUS, so let’s configure TACACS+ authentication. In the example below X.X.X.X is the IP address of your TACACS+ server and Y.Y.Y.Y is the management IP address or loopback address of the switch itself.
set system tacplus-server X.X.X.X
set system tacplus-server X.X.X.X secret tac_plus_shared_secret_here
set system tacplus-server X.X.X.X single-connection
set system tacplus-server X.X.X.X source-address Y.Y.Y.Y
Let’s change the order of the authentication sources, making TACACS+ the first choice.
set system authentication-order tacplus
set system authentication-order password
Let’s set the DNS and NTP servers (in my case they are the same – Infoblox);
set system name-server X.X.X.X
set system name-server Y.Y.Y.Y
set system domain-name acme.com
set system ntp server X.X.X.X
set system ntp server Y.Y.Y.Y
Let’s create the user ‘admin’ and make that user a superuser; this is the user role we return from TACACS+. We don’t use the ‘root’ account because then the user would need to launch the CLI interface. Done this way, any TACACS+ user is automatically at the CLI prompt when they log in, with no need to launch the CLI prompt with ‘cli’.
set system login user admin uid 2000
set system login user admin class super-user
set system login user admin authentication plain-text-password {enter local admin password} {confirm local admin password}
Let’s enable SSH and the WEBUI;
set system services ssh
set system services web-management https system-generated-certificate
Let’s turn on accounting and set it to use the TACACS+ servers;
set system accounting events login
set system accounting events change-log
set system accounting events interactive-commands
set system accounting destination tacplus
Let’s enable logging and set a SYSLOG server where Z.Z.Z.Z is your syslog server IP address.
set system syslog host Z.Z.Z.Z any notice
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file messages daemon info
set system syslog file interactive-commands interactive-commands any
Let’s create some VLANs and assign them names and VLAN IDs and L3 interfaces (DATA = 8, VOICE = 16, SECURITY = 99);
set vlans DATA vlan-id 8
set vlans DATA l3-interface irb.8
set vlans VOICE vlan-id 16
set vlans VOICE l3-interface irb.16
set vlans SECURITY vlan-id 99
set vlans SECURITY l3-interface irb.99
Let’s assign some IP addresses to our Layer3 interfaces for each VLAN;
set interfaces irb unit 8 family inet address 10.200.8.1/22
set interfaces irb unit 16 family inet address 10.200.16.1/22
set interfaces irb unit 99 family inet address 10.200.99.1/24
set interfaces lo0 unit 0 family inet address 10.200.0.11/32
You’ll notice above that I chose to match the VLAN ID to the third octet of the IP address. There’s no requirement to do this; I just chose to do it this way since this is a greenfield deployment and I don’t have any constraints around how I set up the IP address schema. You’ll also notice that I added a loopback address. This is the IP address that we’ll use to manage this switch. Since the switch will have multiple routed uplinks, we want to use an IP address that will always be reachable if either routed link is down at any one time.
Now it’s time to configure some ports. By default all ports belong to VLAN 1 (the default VLAN) as access ports. In JunOS we need to use the wildcard range command to configure multiple interfaces with a single command, similar to the interface range command in Cisco IOS. In the samples below I’m configuring ports 0-47 on the first two switches (members 0 and 1) in the virtual chassis (stack).
wildcard range set interfaces ge-[0-1]/0/[0-47] unit 0 family ethernet-switching interface-mode access
wildcard range delete interfaces ge-[0-1]/0/[0-47] unit 0 family ethernet-switching vlan members default
wildcard range set interfaces ge-[0-1]/0/[0-47] unit 0 family ethernet-switching vlan members DATA
Now, let’s add the voice VLAN to those same ports. I’m using Avaya 1600 Series IP phones with an Avaya Communication Manager.
wildcard range set switch-options voip interface ge-[0-1]/0/[0-47].0 vlan VOICE
wildcard range set switch-options voip interface ge-[0-1]/0/[0-47].0 forwarding-class expedited-forwarding
Let’s enable rate limiting (storm control) on every port at 20% of the port bandwidth. You need to be careful here: if you have a very busy network this value may not be a good choice, so some testing and evaluation is needed.
set forwarding-options storm-control-profiles standardsc all bandwidth-percentage 20
wildcard range set interfaces ge-[0-1]/0/[0-47] unit 0 family ethernet-switching storm-control standardsc
Let’s set up DHCP relay for the DATA and VOICE VLANs and DHCP snooping, where X.X.X.X and Y.Y.Y.Y are your DHCP servers;
set forwarding-options dhcp-relay server-group dhcp-srv X.X.X.X
set forwarding-options dhcp-relay server-group dhcp-srv Y.Y.Y.Y
set forwarding-options dhcp-relay active-server-group dhcp-srv
set forwarding-options dhcp-relay group all interface irb.8
set forwarding-options dhcp-relay group all interface irb.16
set system processes dhcp-service dhcp-snooping-file /var/tmp/snooping write-interval 60
Let’s take care of rogue DHCP servers by enabling DHCP filtering. We’ll trust our uplinks xe-0/1/0.0 and xe-0/2/0.0; every access port goes into the untrusted group.
set vlans DATA forwarding-options dhcp-security group trusted overrides trusted
set vlans DATA forwarding-options dhcp-security group trusted interface xe-0/1/0.0
set vlans DATA forwarding-options dhcp-security group trusted interface xe-0/2/0.0
wildcard range set vlans DATA forwarding-options dhcp-security group untrusted interface ge-[0-1]/0/[0-47].0
Let’s enable MAC security and restrict each port to 3 MAC addresses with a 5 minute recovery time.
wildcard range set switch-options interface ge-[0-1]/0/[0-47] interface-mac-limit 3 packet-action shutdown
wildcard range set interfaces ge-[0-1]/0/[0-47] unit 0 family ethernet-switching recovery-timeout 300
Let’s enable RSTP and BPDU filtering;
wildcard range set protocols rstp interface ge-[0-1]/0/[0-47] edge
set protocols rstp bridge-priority 16384
set protocols rstp bpdu-block-on-edge
set protocols layer2-control bpdu-block disable-timeout 300
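The port hardening above (access mode, storm control, MAC limit, DHCP-security untrusted group, RSTP edge with BPDU block) only protects a port if every wildcard range actually covers it, and ranges edited by hand drift over time. The following Python script is an added example, not code from the original post or from Juniper: it expands `wildcard range` interface patterns such as `ge-[0-1]/0/[0-47]` into concrete interface names and reports which access ports are missing each protection. The sample config embedded in it is constructed for the example and deliberately stops the MAC-limit range at port 46 so the gap shows up in the report; the check names and regexes are the example's own.

```python
"""Audit a Junos 'set'-style EX4300 template for per-port hardening coverage.

Added example (not from the original post or from Juniper). Expands
'wildcard range' interface patterns and checks that every access port
carries each protection the template applies. The sample config below is
constructed: its MAC-limit range ends at port 46 on purpose.
"""
import itertools
import re
from collections import defaultdict

RANGE_RE = re.compile(r"\[(\d+)-(\d+)\]")


def expand_wildcard(name: str) -> list[str]:
    """Expand 'ge-[0-1]/0/[0-47].0' into every concrete interface it covers."""
    spans = RANGE_RE.findall(name)
    if not spans:
        return [name]
    choices = [range(int(lo), int(hi) + 1) for lo, hi in spans]
    template = RANGE_RE.sub("{}", name)
    return [template.format(*combo) for combo in itertools.product(*choices)]


# Each check maps to a regex whose first group is the interface field.
# 'access_port' defines the population; the rest are protections to verify.
CHECKS = {
    "access_port": re.compile(r"set interfaces (\S+) unit 0 family ethernet-switching interface-mode access"),
    "storm_control": re.compile(r"set interfaces (\S+) unit 0 family ethernet-switching storm-control \S+"),
    "mac_limit": re.compile(r"set switch-options interface (\S+) interface-mac-limit \d+"),
    "dhcp_untrusted": re.compile(r"set vlans \S+ forwarding-options dhcp-security group untrusted interface (\S+)"),
    "rstp_edge": re.compile(r"set protocols rstp interface (\S+) edge"),
}


def ifkey(ifname: str) -> list[int]:
    """Sort key so ge-0/0/9 sorts before ge-0/0/10."""
    return [int(x) for x in re.findall(r"\d+", ifname)]


def interfaces_by_check(config: str) -> dict[str, set[str]]:
    """Return the set of physical interfaces (unit stripped) matched by each check."""
    found: dict[str, set[str]] = defaultdict(set)
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("wildcard range "):
            line = line[len("wildcard range "):]
        for check, pattern in CHECKS.items():
            m = pattern.match(line)
            if m:
                for ifname in expand_wildcard(m.group(1)):
                    found[check].add(ifname.split(".")[0])  # 'ge-0/0/1.0' -> 'ge-0/0/1'
    return found


def audit(config: str) -> dict[str, list[str]]:
    """Per protection, the sorted list of access ports that lack it."""
    found = interfaces_by_check(config)
    access = found.get("access_port", set())
    return {
        check: sorted(access - found.get(check, set()), key=ifkey)
        for check in CHECKS
        if check != "access_port"
    }


# Constructed sample: mirrors the template, except mac-limit stops at port 46.
SAMPLE_CONFIG = """
wildcard range set interfaces ge-[0-1]/0/[0-47] unit 0 family ethernet-switching interface-mode access
wildcard range set interfaces ge-[0-1]/0/[0-47] unit 0 family ethernet-switching storm-control standardsc
wildcard range set switch-options interface ge-[0-1]/0/[0-46] interface-mac-limit 3 packet-action shutdown
wildcard range set vlans DATA forwarding-options dhcp-security group untrusted interface ge-[0-1]/0/[0-47].0
wildcard range set protocols rstp interface ge-[0-1]/0/[0-47] edge
"""

if __name__ == "__main__":
    for check, missing in audit(SAMPLE_CONFIG).items():
        print(f"{check:15s} missing on: {missing or 'none'}")
```

Run it against the output of `show configuration | display set` saved to a file and the report lists, per protection, the access ports the wildcard ranges skipped; on the constructed sample it reports `ge-0/0/47` and `ge-1/0/47` under `mac_limit` and nothing else.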
Since we’re not using the local management port let’s disable the alarm (show chassis alarms).
set chassis alarm management-ethernet link-down ignore
Let’s set the SNMP configuration;
set snmp name "B99-SW01-EAST"
set snmp description "Juniper EX4300 IDF Switch"
set snmp location "B99 East First Floor"
set snmp contact "ACME IT Technical Services"
set snmp community ACME-READONLY authorization read-only
Let’s configure OSPF so we can start up routing, 10.200.0.11 is the loopback IP address we used above. The 10GE uplinks are on xe-0/1/0 and xe-0/2/0. You’ll notice that we’re also using BFD to assist in quicker convergence times should there be an interruption on that specific uplink.
set routing-options router-id 10.200.0.11
set protocols ospf area 0.0.0.0 interface xe-0/1/0 hello-interval 2
set protocols ospf area 0.0.0.0 interface xe-0/1/0 dead-interval 8
set protocols ospf area 0.0.0.0 interface xe-0/1/0 bfd-liveness-detection minimum-interval 300
set protocols ospf area 0.0.0.0 interface xe-0/1/0 bfd-liveness-detection multiplier 4
set protocols ospf area 0.0.0.0 interface xe-0/1/0 bfd-liveness-detection full-neighbors-only
set protocols ospf area 0.0.0.0 interface xe-0/2/0 hello-interval 2
set protocols ospf area 0.0.0.0 interface xe-0/2/0 dead-interval 8
set protocols ospf area 0.0.0.0 interface xe-0/2/0 bfd-liveness-detection minimum-interval 300
set protocols ospf area 0.0.0.0 interface xe-0/2/0 bfd-liveness-detection multiplier 4
set protocols ospf area 0.0.0.0 interface xe-0/2/0 bfd-liveness-detection full-neighbors-only
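The reason BFD helps convergence is the arithmetic behind the timers above: OSPF alone declares the neighbour dead only after the dead interval (8 s here), while BFD declares the session down after minimum-interval × multiplier (300 ms × 4 = 1.2 s). The script below is an added example, not code from the original post or from Juniper; it parses those knobs out of a set-style config, computes the worst-case detection time for each mechanism, and flags uplinks where BFD is missing or would not beat the OSPF dead interval. The defaults it assumes for unset knobs (hello 10 s, dead 40 s, BFD multiplier 3) are the standard Junos defaults, and the "dead under 3× hello" threshold is the example's own choice. The config text is constructed: xe-0/1/0 copies the template and xe-0/2/0 is deliberately left without BFD.

```python
"""Check OSPF hello/dead and BFD detection timers in a Junos 'set' config.

Added example, not from the original post or from Juniper. Constructed
sample config: xe-0/1/0 mirrors the template, xe-0/2/0 has no BFD on purpose.
"""
import re
from typing import Optional

TIMER_RE = re.compile(
    r"set protocols ospf area \S+ interface (\S+) "
    r"(?:bfd-liveness-detection )?(hello-interval|dead-interval|minimum-interval|multiplier) (\d+)"
)

# Assumed Junos defaults used when a knob is not explicitly configured.
DEFAULT_HELLO_S = 10
DEFAULT_DEAD_S = 40
DEFAULT_BFD_MULTIPLIER = 3


def parse_timers(config: str) -> dict[str, dict[str, int]]:
    """Map each OSPF interface to the timer knobs explicitly set on it."""
    timers: dict[str, dict[str, int]] = {}
    for raw in config.splitlines():
        m = TIMER_RE.match(raw.strip())
        if m:
            ifname, knob, value = m.groups()
            timers.setdefault(ifname, {})[knob] = int(value)
    return timers


def detection_ms(t: dict[str, int]) -> tuple[int, Optional[int]]:
    """Return (ospf_dead_ms, bfd_detect_ms); bfd is None when minimum-interval is absent."""
    ospf_ms = t.get("dead-interval", DEFAULT_DEAD_S) * 1000
    if "minimum-interval" not in t:
        return ospf_ms, None
    # BFD detection time = transmit interval * detection multiplier (milliseconds).
    return ospf_ms, t["minimum-interval"] * t.get("multiplier", DEFAULT_BFD_MULTIPLIER)


def review(config: str) -> dict[str, list[str]]:
    """Per interface, a list of findings; an empty list means the timers look sane."""
    findings: dict[str, list[str]] = {}
    for ifname, t in parse_timers(config).items():
        notes = []
        hello = t.get("hello-interval", DEFAULT_HELLO_S)
        dead = t.get("dead-interval", DEFAULT_DEAD_S)
        if dead < 3 * hello:  # example's own threshold; Junos default ratio is 4x
            notes.append(f"dead-interval {dead}s is under 3x hello-interval {hello}s")
        ospf_ms, bfd_ms = detection_ms(t)
        if bfd_ms is None:
            notes.append(f"no BFD: failure detection relies on the {ospf_ms} ms dead interval")
        elif bfd_ms >= ospf_ms:
            notes.append(f"BFD detection {bfd_ms} ms is not faster than OSPF dead {ospf_ms} ms")
        findings[ifname] = notes
    return findings


# Constructed sample config (second uplink intentionally lacks BFD).
SAMPLE_CONFIG = """
set protocols ospf area 0.0.0.0 interface xe-0/1/0 hello-interval 2
set protocols ospf area 0.0.0.0 interface xe-0/1/0 dead-interval 8
set protocols ospf area 0.0.0.0 interface xe-0/1/0 bfd-liveness-detection minimum-interval 300
set protocols ospf area 0.0.0.0 interface xe-0/1/0 bfd-liveness-detection multiplier 4
set protocols ospf area 0.0.0.0 interface xe-0/1/0 bfd-liveness-detection full-neighbors-only
set protocols ospf area 0.0.0.0 interface xe-0/2/0 hello-interval 2
set protocols ospf area 0.0.0.0 interface xe-0/2/0 dead-interval 8
"""

if __name__ == "__main__":
    for ifname, t in parse_timers(SAMPLE_CONFIG).items():
        ospf_ms, bfd_ms = detection_ms(t)
        print(f"{ifname}: OSPF dead {ospf_ms} ms, BFD {bfd_ms if bfd_ms else 'none'} ms")
    for ifname, notes in review(SAMPLE_CONFIG).items():
        for note in notes:
            print(f"  {ifname}: {note}")
```

On the constructed sample it reports xe-0/1/0 as detecting failure in 1200 ms via BFD against an 8000 ms OSPF dead interval, and flags xe-0/2/0 for having no BFD at all.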
Let’s make sure that we only advertise routes to connected interfaces into OSPF;
set policy-options policy-statement LOCAL_INTO_OSPF term connected from protocol direct
set policy-options policy-statement LOCAL_INTO_OSPF term connected then accept
set protocols ospf export LOCAL_INTO_OSPF
I’m not going to dive too deep into Virtual Chassis, as that would likely require its own blog post, but here are the settings I’m using to minimize downtime and failover time between Routing Engines.
set chassis redundancy graceful-switchover
set routing-options graceful-restart
With all that done, all that’s left to do is “commit and-quit”.