🔧 Learning to Configure a Juniper EX4300 Switch

November 2025 15 min read By Ahmed

So my buddy had this Juniper EX4300-48P switch sitting around and basically gave it to me. I've got my CCNA and figured I'd mess around with it before I eventually go for the JNCIA cert. No pressure, just wanted to see what all the Juniper hype was about.

Turns out configuring this thing was... an experience. I'm writing this down mostly for myself so I remember what I did, but figured someone else might find it useful. This isn't textbook stuff - just me figuring things out as I go.

🚀

Part 1: Getting Started - The Basics

First Things First: Setting the Hostname

📟 Junos CLI
set system host-name your-hostname
set system time-zone America/New_York

Look, I know this seems basic, but coming from Cisco land where everything is "enable" and "conf t", Juniper does things differently. Just set the hostname to whatever and pick your timezone.

The timezone thing? Honestly just helps with logs. Set it and forget it.

Passwords - Don't Skip This!

📟 Junos CLI
set system root-authentication plain-text-password

When you run this, it'll prompt you twice. Pick something decent. Not gonna lecture you on password security - you know the drill from CCNA.

Creating Your Daily Driver Account

📟 Junos CLI
set system login user your-username uid 2000
set system login user your-username class super-user
set system login user your-username authentication plain-text-password

Here's something I didn't know coming from Cisco - logging in as root makes you type "cli" every time to get to the command line. Kinda annoying.

So I just created a user with superuser access. Same permissions, but drops you straight into CLI when you SSH in. Much better.

The "uid 2000" is just an ID number. Pick whatever over 2000, doesn't matter.

🌐

Part 2: Making the Switch Actually Work on Your Network

DNS - Because Nobody Remembers IP Addresses

📟 Junos CLI
set system name-server 8.8.8.8
set system name-server 1.1.1.1
set system domain-name yourdomain.local

💡 Why DNS Matters

Computers talk in IP addresses, but humans think in names. DNS is the translator. When I tried to download firmware earlier and the switch kept saying "can't resolve host" - that's because I hadn't set up DNS yet. Rookie mistake.

I'm using Google's DNS (8.8.8.8) and Cloudflare's (1.1.1.1) because they're free, fast, and reliable. You could use your router's IP if you want, but these public ones just work.

The domain-name thing? That's just for local stuff. Set it to your local domain so your switch knows it's part of your network. Not critical, but it's good practice.

Time Sync - Keeping Everything on Schedule

📟 Junos CLI
set system ntp server 0.pool.ntp.org
set system ntp server 1.pool.ntp.org

Your switch has a clock. That clock sucks at keeping time. NTP (Network Time Protocol) fixes that by syncing with internet time servers.

Why do you care? Because when you're looking at logs trying to figure out when something broke, you need accurate timestamps. Also, some security stuff like certificates actually check the time, and if your switch thinks it's 2015, things get weird.

🔀

Part 3: VLANs - The Heart of Network Organization

Alright, this is where it gets interesting. VLANs are basically how you split one physical switch into multiple virtual switches. It's like having different floors in a building - they're all in the same building, but they're separate spaces.

Creating the VLANs

📟 Junos CLI
set vlans DATA vlan-id 10
set vlans DATA l3-interface irb.10
set vlans VOICE vlan-id 20
set vlans VOICE l3-interface irb.20
set vlans GUEST vlan-id 30
set vlans GUEST l3-interface irb.30

🖥️ VLAN 10 (DATA)

This is where all my computers, printers, and regular devices go. Your everyday stuff.

📞 VLAN 20 (VOICE)

For IP phones. Why separate? Because voice traffic needs priority. If your phone call gets laggy because someone's downloading a 4K movie, that's a problem. Separate VLAN = separate traffic = better call quality.

👥 VLAN 30 (GUEST)

For visitors' phones and laptops. You want guests to have internet, but you DON'T want them poking around your file server or smart home devices. Guest VLAN keeps them isolated.

The "l3-interface irb.X" part means this VLAN can route traffic. The switch isn't just moving packets around - it's actually smart enough to route between VLANs if needed.

Giving Each VLAN an IP Address

📟 Junos CLI
set interfaces irb unit 10 family inet address x.x.10.1/24
set interfaces irb unit 20 family inet address x.x.20.1/24
set interfaces irb unit 30 family inet address x.x.30.1/24

Each VLAN needs a gateway IP - that's what devices use as their "exit point" to reach other networks.

I kept it simple:

  • VLAN 10 gets x.x.10.1 (10 in the third octet matches VLAN 10 - easy to remember!)
  • VLAN 20 gets x.x.20.1 (see the pattern?)
  • VLAN 30 gets x.x.30.1 (yep, still following the pattern)

The "/24" means devices can use IPs from .1 to .254 in that range. So VLAN 10 can have x.x.10.2, x.x.10.3, all the way up to x.x.10.254.

The Loopback - Your Switch's Permanent Address

📟 Junos CLI
set interfaces lo0 unit 0 family inet address x.x.x.x/32

This is the switch's management IP. Pick an available IP in your management network.

🎯 Why Loopback?

Because loopback is ALWAYS up. Even if a VLAN goes down, even if ports fail - this IP stays alive. It's the one address you can always count on to reach your switch.

🔌

Part 4: Configuring the Physical Ports

Making Ports Actually Do Something

📟 Junos CLI
wildcard range set interfaces ge-0/0/[1-47] unit 0 family ethernet-switching interface-mode access
wildcard range delete interfaces ge-0/0/[1-47] unit 0 family ethernet-switching vlan members default
wildcard range set interfaces ge-0/0/[1-47] unit 0 family ethernet-switching vlan members DATA

By default, all ports are in VLAN 1 (the "default" VLAN). That's not useful for us.

What these commands do:

  1. Set ports 1-47 as "access" ports (regular ports for end devices)
  2. Remove them from the default VLAN
  3. Add them to the DATA VLAN

Notice I did 1-47, not 1-48? Junos numbers the 48 ports from ge-0/0/0 to ge-0/0/47, and port 0 is my uplink to the router. I left that one alone for now.

The "wildcard range" thing is Juniper's way of configuring multiple ports at once. In Cisco land, you'd use "interface range" - same concept, different syntax.

Adding Voice VLAN to Those Same Ports

📟 Junos CLI
wildcard range set switch-options voip interface ge-0/0/[1-47].0 vlan VOICE
wildcard range set switch-options voip interface ge-0/0/[1-47].0 forwarding-class expedited-forwarding

Here's the cool part - IP phones are smart. They can be on TWO VLANs at once. The phone itself talks on VLAN 20 (VOICE), but the computer plugged into the back of the phone talks on VLAN 10 (DATA).

The "expedited-forwarding" bit tells the switch "hey, this voice traffic is important, prioritize it." That's QoS (Quality of Service) in action - making sure voice packets get through even when the network is busy.

🔒

Part 5: Security Features That Actually Matter

Storm Control - Stopping Broadcast Storms

📟 Junos CLI
set forwarding-options storm-control-profiles standardsc all bandwidth-percentage 20
wildcard range set interfaces ge-0/0/[1-47] unit 0 family ethernet-switching storm-control standardsc

Ever seen a network completely melt down because someone plugged both ends of a cable into the same switch? That's a broadcast storm. Packets just loop forever, consuming all your bandwidth.

Storm control says "if any port starts flooding more than 20% of its bandwidth with broadcast traffic, shut it down." It's like a circuit breaker - saves you from network disasters.

DHCP Relay - Connecting VLANs to Your DHCP Server

📟 Junos CLI
set forwarding-options dhcp-relay server-group dhcp-srv x.x.x.x
set forwarding-options dhcp-relay active-server-group dhcp-srv
set forwarding-options dhcp-relay group all interface irb.10
set forwarding-options dhcp-relay group all interface irb.20
set forwarding-options dhcp-relay group all interface irb.30

Your router (replace x.x.x.x with your router's IP) runs the DHCP server. But devices on VLAN 10, 20, and 30 can't directly talk to it without help.

DHCP relay is the middleman. When a device on VLAN 10 says "hey, I need an IP address!" the switch forwards that request to the router, gets a response, and sends it back to the device.

DHCP Security - Blocking Rogue DHCP Servers

📟 Junos CLI
set vlans DATA forwarding-options dhcp-security group trusted overrides trusted
set vlans DATA forwarding-options dhcp-security group trusted interface ge-0/0/0.0
wildcard range set vlans DATA forwarding-options dhcp-security group untrusted interface ge-0/0/[1-47].0

⚠️ The Rogue DHCP Scenario

Someone brings in a cheap router from home and plugs it into your network. Their router starts giving out DHCP addresses. Now half your devices are getting IPs from the wrong server, wrong gateway, wrong DNS - everything breaks. DHCP security prevents this!

MAC Address Limiting - Preventing Port Flooding

📟 Junos CLI
wildcard range set switch-options interface ge-0/0/[1-47] interface-mac-limit 3 packet-action shutdown
wildcard range set interfaces ge-0/0/[1-47] unit 0 family ethernet-switching recovery-timeout 300

Each port can learn a maximum of 3 MAC addresses. Why?

  • Normal scenario: Computer (1 MAC) + IP phone (1 MAC) + maybe a VM or something (1 MAC) = 3 MACs. Perfect.
  • Attack scenario: Hacker floods the network with fake MAC addresses trying to overwhelm the switch's MAC table. This stops them cold.

If a port exceeds 3 MACs, the switch shuts it down. After 300 seconds (5 minutes), it automatically tries to bring the port back up.

🌳

Part 6: Spanning Tree - Preventing Network Loops

RSTP Configuration

📟 Junos CLI
wildcard range set protocols rstp interface ge-0/0/[1-47] edge
set protocols rstp bridge-priority 16384
set protocols rstp bpdu-block-on-edge
set protocols layer2-control bpdu-block disable-timeout 300

RSTP (Rapid Spanning Tree Protocol) is insurance against network loops. Remember that cable-plugged-into-itself scenario? RSTP automatically detects loops and shuts them down.

What each line does:

  • edge - Tells the switch "these ports connect to end devices (computers, phones), not other switches." This makes them come up faster.
  • bridge-priority 16384 - This is the switch's "rank" in the spanning tree hierarchy. Lower numbers win.
  • bpdu-block-on-edge - If an "edge" port starts receiving BPDUs, something's wrong - maybe someone plugged in a rogue switch. This blocks those BPDUs.
  • disable-timeout 300 - If a port gets blocked, wait 300 seconds (5 minutes) then try to bring it back up. Auto-recovery.
📊

Part 7: Monitoring and Management

SNMP - Keeping an Eye on Things

📟 Junos CLI
set snmp name "your-network-name"
set snmp description "Your Organization Juniper EX4300-48P"
set snmp location "Your Location"
set snmp contact "Your Name - Network Admin"
set snmp community public authorization read-only

SNMP (Simple Network Management Protocol) lets monitoring tools check on your switch. Think of it like a health check-up.

Network monitoring software (like PRTG, Zabbix, or even HomeAssistant) can connect to your switch via SNMP and see:

  • How much traffic is flowing
  • Are any ports down?
  • Is CPU/memory getting high?
  • Any errors happening?

System Logging

📟 Junos CLI
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any

Logs are your best friend when troubleshooting. These commands tell the switch what to log:

  • any notice - Log anything that's noteworthy (but not super critical)
  • authorization info - Log all login attempts (who logged in when)
  • interactive-commands - Log every command that gets run (good for security/auditing)
🛣️

Part 8: Routing - Getting Traffic Out to the Internet

Static Route Configuration

📟 Junos CLI
set routing-options static route 0.0.0.0/0 next-hop x.x.x.x
set routing-options router-id x.x.x.x

This is probably the simplest but most important routing config.

0.0.0.0/0 means "any IP address" - it's the default route, the catch-all. It says "if you don't know where to send traffic, send it here."

Replace x.x.x.x with your router's IP address as the next-hop. All internet-bound traffic goes there.

Part 9: High Availability Features

Graceful Restart

📟 Junos CLI
set chassis redundancy graceful-switchover
set routing-options graceful-restart

These are "nice to have" features. If the switch needs to reboot or if you're running a stack of switches and one fails, these settings help minimize downtime.

Graceful restart means "try to keep forwarding traffic even during software restarts when possible." It won't always work perfectly, but when it does, it's the difference between a 2-second blip and a 30-second outage.

Part 10: Final Steps and Testing

Commit and Save

📟 Junos CLI
commit and-quit

This is the magic command. Until you run "commit," all your changes are just sitting in a staging area. They're not actually active.

commit saves everything and makes it live. and-quit exits configuration mode.

💡 Pro Tip: Safety Net

If you're nervous about a big config change, use commit confirmed 5 instead. This commits the config but automatically rolls it back after 5 minutes UNLESS you confirm it worked by running commit again before the timer expires. It's a safety net - if you lock yourself out, the switch reverts after 5 minutes and you can get back in.

Testing Your Setup

After committing, here's what I tested:

  1. Can I still SSH in? (Yes - used the management IP and it worked fine)
  2. Do devices get IPs? (Plugged in a laptop, got an IP from VLAN 10 - perfect!)
  3. Does internet work? (Yep, browsed to google.com successfully)
  4. Can I access the web UI? (Used the management IP in browser - worked!)

If any of those failed, I'd know something was wrong and could troubleshoot from there.

💭

What I Learned

Honestly? Juniper syntax takes some getting used to when you're coming from Cisco. Everything is "set" commands instead of going into config sub-modes. Kinda prefer it actually - feels cleaner.

The VLAN setup was straightforward once I wrapped my head around the IRB interfaces. It's basically Cisco's SVI but with a different name.

DHCP relay was probably the most confusing part. In Cisco you do "ip helper-address" and call it a day. Juniper has this whole server-group thing. Works fine once it's set up though.

🚀

Next Steps

Not really sure yet. Might play around with OSPF just to see how it compares to Cisco. Eventually I'll study for JNCIA properly, but for now I'm just messing around and learning by doing.

Switch works, internet works, can't complain. Good enough for me.

⚡ Useful Commands I Use Daily

  • show vlans - See all VLANs and which ports are in them
  • show interfaces terse - Quick view of all ports and their status
  • show ethernet-switching table - See which MAC addresses are on which ports
  • show system storage - Check disk space
  • show log messages | last 50 - See the last 50 log entries
  • show configuration | display set | no-more - Backup current config
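
An added example, not part of the original post: a Python check that reads the set-style text saved from show configuration | display set and reports which access ports are missing the Part 5 and Part 6 protections (storm control, MAC limit, RSTP edge, DHCP untrusted group), plus any SNMP community that has no clients restriction. The sample config is constructed, and the DHCP group name "untrusted" is assumed to match this post's naming.

```python
import re
from collections import defaultdict

# Constructed sample of "show configuration | display set" output (not a real device).
SAMPLE = """\
set snmp community public authorization read-only
set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/1 unit 0 family ethernet-switching storm-control standardsc
set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode access
set switch-options interface ge-0/0/1 interface-mac-limit 3 packet-action shutdown
set protocols rstp interface ge-0/0/1 edge
set protocols rstp interface ge-0/0/2 edge
set vlans DATA forwarding-options dhcp-security group untrusted interface ge-0/0/1.0
"""
ESW = r"set interfaces (\S+) unit 0 family ethernet-switching "
ACCESS = ESW + r"interface-mode access"
# Control name -> pattern capturing the port; group name "untrusted" is an assumption.
CONTROLS = {
    "storm-control": ESW + r"storm-control \S+",
    "mac-limit": r"set switch-options interface (\S+) interface-mac-limit \d+",
    "rstp-edge": r"set protocols rstp interface (\S+) edge",
    "dhcp-untrusted": r"set vlans \S+ forwarding-options dhcp-security group untrusted interface (\S+)",
}

def port(name):  # treat ge-0/0/1.0 and ge-0/0/1 as the same port
    return name.split(".")[0]

def audit(config):
    """Return {port or snmp:community: [missing protections]}."""
    lines = [s for l in config.splitlines() if (s := l.strip()).startswith("set ")]
    access = [port(m.group(1)) for l in lines if (m := re.match(ACCESS, l))]
    applied = defaultdict(set)
    for l in lines:
        for control, pattern in CONTROLS.items():
            if m := re.match(pattern, l):
                applied[control].add(port(m.group(1)))
    findings = {}
    for p in access:
        if missing := [c for c in CONTROLS if p not in applied[c]]:
            findings[p] = missing
    # With no "clients" statement, a community accepts queries from any address.
    for l in lines:
        if m := re.match(r"set snmp community (\S+) authorization ", l):
            if not any(x.startswith(f"set snmp community {m.group(1)} clients ") for x in lines):
                findings[f"snmp:{m.group(1)}"] = ["no clients restriction"]
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An empty result means every access port carries all four controls and every community is limited to named clients.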

🎯 Final Thoughts

Coming from CCNA, Juniper is different but not hard. Just different syntax and philosophy. The whole "commit" thing is nice - lets you stage changes before they go live. Cisco's getting there with their newer stuff but Junos has had it forever.

Anyway, that's my config. Works for me. Your mileage may vary.

-Ahmed