Juniper EX Switches

Juniper EX Series switches are enterprise-class Ethernet switches running Junos OS, providing robust Layer 2/3 switching with advanced features and high reliability. The rXg integrates with Juniper EX switches via NETCONF over SSH, providing configuration synchronization, VLAN management, and 802.1X/MAC-RADIUS authentication support.

Supported Models

Model/Series    Notes
EX2300 Series   Compact, fanless access switches
EX3400 Series   Enterprise access switches
EX4300 Series   Stackable access/aggregation switches
EX4400 Series   High-performance access switches
EX4600 Series   Data center switches

All models running Junos OS with NETCONF support are compatible.

Features Supported

Feature                    Supported  Description
Config Sync                Yes        Automatic configuration synchronization via NETCONF
Auto Bootstrap             Yes        Bootstrap configuration generation for initial setup
SNMP Monitoring            Yes        CPU, memory, and port statistics collection
LLDP Neighbor Discovery    Yes        Automatic detection of connected devices
LLDP Management Address    Yes        Automatic LLDP management address synchronization
Switch Port Import         Yes        Automatic import and management of switch ports
Port Descriptions          Yes        Sync port descriptions/names from rXg
802.1X Authentication      Yes        Port-based network access control via dot1x
MAC-RADIUS Authentication  Yes        MAC-based authentication for non-802.1X devices
Dynamic VLAN Assignment    Yes        RADIUS-assigned VLAN based on authentication
DHCP Snooping              No         Not currently implemented
Firmware Management        No         Manual firmware upgrades required
SPB-m Fabric               No         Not supported

Prerequisites

Firmware Requirements

  • Junos OS 18.2R4 or later recommended
  • NETCONF over SSH enabled (port 830 default for Junos 18.2R4+)
  • SSH enabled with root login allowed

Network Requirements

  • Management IP connectivity to rXg
  • NETCONF/SSH access (TCP port 830 or 22)
  • SNMP access (UDP port 161)
  • RADIUS connectivity (UDP ports 1812, 1813) - for 802.1X/MAC-RADIUS
  • NTP connectivity (UDP port 123) - recommended

Onboarding Process

Automatic Onboarding

Juniper EX switches support bootstrap configuration generation. The rXg can generate a complete bootstrap script that configures the switch for management.

Prerequisites for Bootstrap:

  1. Console access or existing network access to the switch
  2. A switch record must exist in rXg with management IP configured
  3. SSH/NETCONF credentials configured

Bootstrap Process:

  1. Create switch record in rXg with target management IP
  2. Generate bootstrap configuration from rXg
  3. Apply bootstrap commands via console or existing SSH
  4. Switch connects to rXg via NETCONF on management IP

Manual Onboarding

For manual configuration, connect to the switch via console and apply the bootstrap commands below.

Bootstrap Commands

Enter CLI and Configuration Mode:

cli
configure

Set Root Password:

set system root-authentication plain-text-password
<enter-password>
<confirm-password>

Disable Auto Image Upgrade:

delete chassis auto-image-upgrade

Enable NETCONF and SSH:

set system services netconf ssh
set system services ssh root-login allow

Configure Management Interface:

delete interfaces irb unit 0 family inet dhcp
set interfaces irb unit 0 family inet address <switch-ip>/<prefix-length>
set routing-options static route 0.0.0.0/0 next-hop <gateway-ip>

Configure Management VLAN:

set vlans vlan<vlan-id> vlan-id <vlan-id>
set vlans vlan<vlan-id> l3-interface irb.0

Configure Uplink Ports for Management VLAN:

set interfaces <port> native-vlan-id <vlan-id>
set interfaces <port> unit 0 family ethernet-switching interface-mode trunk
set interfaces <port> unit 0 family ethernet-switching vlan members <vlan-id>

Enable LLDP:

set protocols lldp interface all
set protocols lldp management-address <rxg-ip>

Configure NTP:

set system ntp server <rxg-ip>
set system ntp boot-server <rxg-ip>

Configure DNS:

set system name-server <rxg-ip>

Configure SNMP:

set snmp community <community-string> authorization read-only

Commit Configuration:

commit

Configuration

Connection Settings

Configure the switch in the Network::Wired::Switches scaffold with:

  • Host: Management IP address
  • Username/Password: SSH/NETCONF credentials (typically root)
  • Port: NETCONF port (830 for Junos 18.2R4+, or 22)
  • Management VLAN: VLAN for management traffic
  • SNMP Community: Community string for monitoring (default: public)

NETCONF Configuration

The rXg uses NETCONF over SSH for configuration management. Ensure NETCONF is enabled on the switch:

set system services netconf ssh port 830

For older Junos versions that default to port 22:

set system services netconf ssh

RADIUS / AAA Configuration

When a RADIUS Server Option is active in rXg, the system configures RADIUS servers and profiles:

RADIUS Server Configuration:

set access radius-server <rxg-ip> port 1812 secret <radius-secret>

RADIUS Profile Configuration:

set access profile radius-auth-profile authentication-order radius
set access profile radius-auth-profile radius authentication-server <rxg-ip>

802.1X Port Configuration:

set protocols dot1x authenticator authentication-profile-name radius-auth-profile
set protocols dot1x authenticator interface <port>.0

MAC-RADIUS Port Configuration:

set protocols dot1x authenticator interface <port>.0 mac-radius restrict

VLAN Configuration

VLANs are automatically managed through Switch Port Profiles:

  • VLANs created: set vlans vlan<id> vlan-id <id>
  • Tagged ports: set interfaces <port> unit 0 family ethernet-switching vlan members vlan<id>
  • Native VLAN: set interfaces <port> native-vlan-id <id>
  • Trunk mode: set interfaces <port> unit 0 family ethernet-switching interface-mode trunk

Note: Ports with 802.1X or MAC-RADIUS authentication are automatically configured as access ports (interface-mode removed).

Port Management

Port enable/disable is managed via NETCONF:

  • Enable port: Remove disable statement
  • Disable port: Add disable statement to interface

Port descriptions are synchronized from switch port names in rXg.

Monitoring Capabilities

Metric             Collection Method  Notes
CPU Usage          SNMP               Collected at configured monitoring interval
Memory Usage       SNMP               Collected at configured monitoring interval
Port Statistics    SNMP               Packets in/out, errors, discards
Port Status        NETCONF            Up/down via get-interface-information RPC
Port Speed/Duplex  NETCONF            Via interface information RPC
MAC Address Table  NETCONF            Via get-ethernet-switching-table-information RPC
LLDP Neighbors     SNMP               Connected device discovery
Device Info        NETCONF            Model, serial via get-chassis-inventory RPC
Junos Version      NETCONF            Via configuration XML

Troubleshooting

Common Issues

Issue: Switch shows offline in rXg

Symptom: Switch appears offline despite being reachable via ping

Cause: NETCONF connectivity issues or credential mismatch

Resolution:

  • Verify SSH/NETCONF credentials match switch configuration
  • Ensure NETCONF is enabled: show system services netconf
  • Check correct port (830 for Junos 18.2R4+, 22 for older)
  • Verify root login is allowed for SSH

Issue: Config sync fails with lock error

Symptom: "LockError" during configuration sync

Cause: Another session has the configuration locked

Resolution:

  • Check for other active configuration sessions: show system users
  • Clear locked sessions: request system logout user <user>
  • Wait for other sessions to complete

Issue: NETCONF connection refused

Symptom: Cannot establish NETCONF session

Cause: NETCONF not enabled or wrong port

Resolution:

  • Enable NETCONF: set system services netconf ssh
  • For Junos 18.2R4+, ensure port 830 is configured
  • Verify firewall allows NETCONF port

Issue: VLAN changes not applying

Symptom: VLAN configuration shows in diff but doesn't apply

Cause: Commit validation error or conflicting configuration

Resolution:

  • Check for commit errors in sync output
  • Verify VLAN doesn't conflict with existing configuration
  • Ensure interface-mode is compatible with VLAN membership

Issue: 802.1X/MAC-RADIUS ports not authenticating

Symptom: Devices not authenticating on configured ports

Cause: RADIUS server or profile misconfiguration

Resolution:

  • Verify RADIUS server is reachable from switch
  • Check authentication profile is assigned to dot1x authenticator
  • Verify port interface includes .0 unit suffix
  • Check RADIUS logs on rXg for authentication attempts

Diagnostic Commands

General:

show system information
show version
show configuration
show interfaces terse
show vlans

NETCONF:

show system services netconf
show system connections | match 830

Authentication:

show dot1x interface
show dot1x interface detail
show authentication-session

RADIUS:

show access profile
show access radius-server

VLANs and MAC Table:

show vlans
show ethernet-switching table
show ethernet-switching interface

LLDP:

show lldp neighbors
show lldp local-information

Known Limitations

  • Firmware upgrades not supported via rXg (manual upgrade required)
  • DHCP snooping not implemented
  • Only trunk interface-mode supported for tagged VLANs
  • 802.1X/MAC-RADIUS ports must be access ports (no tagged VLANs)
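
An added example, not part of the rXg documentation or rXg's own code: a Python check that reads a set-format configuration (as printed by show configuration | display set) and flags the conditions this page calls out: NETCONF not enabled, dot1x ports without the .0 unit or left in trunk mode, and a dot1x profile that points at no defined RADIUS server. The check for the public SNMP community is an added hardening assumption, and the sample configuration, addresses and port names are constructed.

```python
import re

# Constructed `show configuration | display set` excerpt (not from a real switch).
SAMPLE = """\
set system services netconf ssh port 830
set snmp community public authorization read-only
set access radius-server 192.0.2.1 port 1812 secret "$9$constructed"
set access profile radius-auth-profile authentication-order radius
set access profile radius-auth-profile radius authentication-server 192.0.2.9
set protocols dot1x authenticator authentication-profile-name radius-auth-profile
set protocols dot1x authenticator interface ge-0/0/1.0
set protocols dot1x authenticator interface ge-0/0/2 mac-radius restrict
set protocols dot1x authenticator interface ge-0/0/3.0
set interfaces ge-0/0/3 unit 0 family ethernet-switching interface-mode trunk
"""

def grab(pattern, lines):
    """Return the first capture group of every line that matches pattern."""
    return [m.group(1) for l in lines if (m := re.match(pattern, l))]

def audit(config_text):
    """Check a set-format config against the constraints described on this page."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]
    findings = []
    if not grab(r"(set system services netconf ssh)\b", lines):
        findings.append("netconf: NETCONF over SSH is not enabled")
    if grab(r"set snmp community (public)\s", lines):
        findings.append("snmp: default community 'public' is configured")
    trunks = set(grab(r"set interfaces (\S+) unit 0 family ethernet-switching "
                      r"interface-mode trunk$", lines))
    ports = sorted(set(grab(r"set protocols dot1x authenticator interface (\S+)", lines)))
    for port in ports:
        if not port.endswith(".0"):
            findings.append(f"dot1x: {port} is missing the .0 unit suffix")
        if port.split(".")[0] in trunks:
            findings.append(f"dot1x: {port} is authenticated but in trunk mode")
    profiles = grab(r"set protocols dot1x authenticator authentication-profile-name (\S+)", lines)
    if ports and not profiles:
        findings.append("dot1x: no authentication profile assigned")
    defined = set(grab(r"set access radius-server (\S+)", lines))
    for name in profiles:
        used = grab(rf"set access profile {re.escape(name)} radius "
                    r"authentication-server (\S+)", lines)
        if not used:
            findings.append(f"radius: profile {name} has no authentication-server")
        findings += [f"radius: profile {name} uses undefined server {s}"
                     for s in used if s not in defined]
    return findings
```

Calling audit(SAMPLE) returns four findings; an empty list means none of these conditions were found.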

Operational Caveats

  • NETCONF Protocol: The rXg uses NETCONF over SSH for all configuration changes. This provides atomic configuration with automatic validation and rollback on failure.
  • Commit Model: Junos requires explicit commits. Config sync locks the candidate configuration, applies changes, validates, and commits atomically.
  • Configuration Locking: Only one session can modify configuration at a time. Config sync will fail if another session holds the lock.
  • NETCONF Port: Junos 18.2R4+ defaults NETCONF to port 830. Older versions may use port 22. Ensure the correct port is configured in rXg.
  • Root Login: SSH root login must be allowed for NETCONF access with root credentials.
  • Interface Units: Junos uses unit numbers for interfaces. The rXg automatically appends .0 for dot1x interface configuration.
  • VLAN Names: VLANs are created with names in format vlan<id> (e.g., vlan100).
  • RADIUS Secret Encryption: Junos encrypts RADIUS secrets in configuration. The rXg decrypts them for comparison during config sync.
  • LLDP Management Address: The rXg synchronizes LLDP management-address to ensure proper device identification.
  • Auto Image Upgrade: Bootstrap automatically disables chassis auto-image-upgrade to prevent unexpected firmware changes.
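
The lock, validate and commit sequence described under Commit Model and Configuration Locking, as an added Python example that is not rXg's implementation. It builds the standard RFC 6241 operations and runs them against constructed replies; the lock-denied reply, session number 4242 and the VLAN payload are constructed, and the exact error a given Junos release returns may differ.

```python
import itertools
import xml.etree.ElementTree as ET

NS = "urn:ietf:params:xml:ns:netconf:base:1.0"  # RFC 6241 base namespace
TARGET = "<target><candidate/></target>"
# Constructed payload and replies for illustration (not captured from a switch).
CONFIG = "<configuration><vlans><vlan><name>vlan100</name></vlan></vlans></configuration>"
OK = f'<rpc-reply xmlns="{NS}"><ok/></rpc-reply>'

def error(tag, info=""):
    return (f'<rpc-reply xmlns="{NS}"><rpc-error><error-tag>{tag}</error-tag>'
            f'{info}</rpc-error></rpc-reply>')
LOCK_DENIED = error("lock-denied", "<error-info><session-id>4242</session-id></error-info>")

def check(reply_xml):
    """Raise if the reply carries <rpc-error>; name the lock holder if given."""
    err = ET.fromstring(reply_xml).find(f"{{{NS}}}rpc-error")
    if err is not None:
        tag = err.findtext(f"{{{NS}}}error-tag")
        holder = err.findtext(f"{{{NS}}}error-info/{{{NS}}}session-id")
        raise RuntimeError(f"{tag} (held by session {holder})" if holder else tag)

def sync(send, config_xml):
    """Lock, edit, validate, commit; discard on failure; unlock in every case."""
    ids = itertools.count(1)
    def call(body):
        check(send(f'<rpc message-id="{next(ids)}" xmlns="{NS}">{body}</rpc>'))
    try:
        call(f"<lock>{TARGET}</lock>")
    except RuntimeError as exc:
        return f"lock failed: {exc}"  # nothing to undo, the lock was never held
    try:
        call(f"<edit-config>{TARGET}<config>{config_xml}</config></edit-config>")
        call("<validate><source><candidate/></source></validate>")
        call("<commit/>")
        return "committed"
    except RuntimeError as exc:
        call("<discard-changes/>")  # drop the partial candidate
        return f"rolled back: {exc}"
    finally:
        call(f"<unlock>{TARGET}</unlock>")

def replay(errors):
    """Run sync() against constructed replies; errors maps request number to reply."""
    sent = []
    def send(request):
        sent.append(ET.fromstring(request)[0].tag.split("}")[1])
        return errors.get(len(sent), OK)
    return sync(send, CONFIG), sent
```

replay({1: LOCK_DENIED}) shows the lock-error case: the sync stops after the first request and reports the session that holds the lock, which is the session to look for in show system users.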
