Install firmware updates

In this article I want to show you how to run a firmware update on a juniper router.
First you have to download the firwmare.
In this case EX3300.

You can run the firmware update using a USB stick that is FAT32 formated that is exactly 2GB sized.
Using a 2GB Fat23 partition will not do the trick and you can end up crunching the filesystem of the router...

Alternativley you can choose your a Web- or FTP server to be the source of the update files.
I choose to use the HFS Webserver, feel free to use what ever suites you best.


After installing the webserver, load the .tgz firmware file into its root directory and copy the link to it.
As you can see on the switch I am checking the currently running firmware version (12.3R12-S7)

> show version

After that I start the installation of the new firmware

> request system software add <http link>

Depending on the device this process can take 15 minutes or more.
When the upgrade is complete you will be asked to reboot the device.
Please do not just pull the cable, give it a graceful reboot.
(Trust me)

> request system reboot

When your reboot is done, check that the new version (15.1R6-S3) has been applied.




Find connected devices

In this article I want to show you how you can find devices that are attached to a juniper router.

Search the MAC table

You can print out the entire mac table using this command

> show ethernet switching table

If you want to know what is connected to a specific interface use this

> show ethernet switching-table interface ge-0/0/2

If you know the MAC of the device you are looking for, this command will find it

> show ethernet switching-table | match <string>

If you only want to see what devices are connected to the Gigabit Ethernet interfaces do this
> show ehternet switching table | match ge-

Be careful... if you use aggregated interfaces (AE) or glas modules (SFP) this search pattern would not work.


Vlan configuration

In this article I will show you how to configure V-Lans on a Juniper Router.
VLANs are virtual networks defined by the IEEE Standard 802.1q.

The idea is to run separated networks on the same physical infrastructure.
This gets accomplished by adding another 32Bit to the frame on layer 2, containing the V-Lan related information.

It is important that all devices that are supposed to forward tagged frames do support 802.1q.
If a device is unable to handle frames of that size it will simply destroy them.

Creating a VLAN

First we check if V-Lans on that device already exist.

#show vlans

Now we define two V-Lans named first und second.
is going to be assigned the VLAN-ID 10.
is going to be assigned the VLAN-ID 20.

# set vlans first vlan-id 10
# set vlans second vlan-id 20

Lets take a look at the V-Lan config.

root# show vlans
default {
    l3-interface vlan.0;
first {
    vlan-id 10;
second {
    vlan-id 20;

This output should be pretty self explanatory.
Before making an interface become a member in one of these V-Lans we should take a look at the difference between tagged and untagged interfaces.

Tagged and untagged interfaces

V-Lans can be configured in two modes on an interface.

Access (native / untagged):

  • Every interface can only be of type Access for one V-Lan
  • An Access Interface receives untagged traffic and attaches a V-Lan tag to that traffic before forwarding it
  • You will usually use this setting to connect clients or devices that are unable of speaking V-Lan

Example: Gigabit Ethernet Interface 10
This interface will receive untagged (normal) traffic and forward it with the V-Lan Tag "10".
The V-Lan Tag will removed before sending traffic outbound.
For example broadcast traffic for V-Lan 10 or traffic for a device located behind this interface (ARP table).
This way the device on the other end can understand the traffic and does not even know it ever had a V-Lan tag attached to it.

ge-0/0/10 {
    unit 0 {
      family ethernet-switching {
          vlan {
            members first;

Trunk (tagged):

  • If an Interface is defined as a trunk it receives and sends tagged frames for certain V-Lans
  • Usually interfaces that have other V-Lan capable devices on the other end get defined that way

Example: Gigabit Ethernet Interface 12
This interface receives tagged traffic for the V-Lans 10 and 20.
If traffic that is supposed to be sent to that network, the V-Lan Tag will be attached to the frame.

Important: A Trunk Interface does not need to be a member in all V-Lans!

ge-0/0/12 {
    unit 0 {
      family ethernet-switching {
         port-mode trunk;
            vlan {
               members [ first second ];

Setting up an IP address on a V-Lan Interface
Please make sure to make the Unit ID the same as th VLAN ID to minimize confusion!!
Your colleagues will hate you if you don't.

At first we will configure a virtual interface with an IPv4 address

#set interface irb unit <UNIT ID> family inet address <IP/subnetmask>

Then we make that interface a member of a V-Lan
# set vlans <VLAN NAME> l3interface irb.<Interface ID>

Then we define this interface to be of type access in this V-Lan

# set interface ge-0/0/2.20 family ethernet-swtiching port mode access

In this case the commands could look like this:

# set interface irb unit 10 family inet address
# set vlans 10 l3interface irb.10
# set interface ge-0/0/2.10 family ethernet-swtiching port mode access

If we now connect a cable to the interface ge-0/0/2 our traffic will be sent to V-Lan 10.
Since the we configured the router to have an IP address on the layer 3 interface irb.10, we can now connect to it via ssh on


Setting up link aggregation

Bundeling multiple physical connections to maximize troughput and get redundency is called Link Aggregation.

!WARNING, Terminology-fu! 
Networking equipment manufacturers do not use the same technical terms.
For example HP calls aggregating interfaces "Trunking" and aggregated interfaces a "Trunk".
"Trunking" is a term used by Cisco and Juniper in V-Lan (802.1q) to describe interfaces that are allowed to forward V-Lan traffic.
Such an interface is referred to as a "Trunk Port", while HP calles this a "Tagged Interface".
If you are in a homogenic network eqipment envoirement that is passing V-Lan tagged traffic over aggregated interfaces you really have to watch your lingo!
(Especially if multiple parties are involved!)

The common protokoll used here is the Link aggregation control protocoll (LACP).


In this example I show you how the Interfaces 22 and 23 on a Juniper EX3300 POE+ can be aggregated to one AE.

At first connect to the serial port of the Junipers switch and start it.
This can take a few minutes.

We must allow aggregated interfaces to exist in this chassis (a one device chassis in this case).
Set the device-count from 0 up to 1 (or more).

set chassis aggregated-devices ethernet device-count 1

Delete the configuration of the interfaces ge-0/0/22 and ge-0/0/23.

delete interfaces ge-0/0/22 unit 0
delete interfaces ge-0/0/23 unit 0

After that we definieren the interfaces as ae0 and to be a type 802.3ad (Link Aggregation)

set interfaces ge-0/0/22 ether-options 802.3ad ae0
set interfaces ge-0/0/23 ether-options 802.3ad ae0

Then we give an IP address to ae0 .
set interfaces ae0 unit 0 family inet address

Finally we have to let the Juniper switch know that LACP gets used on ae0.

set interfaces ae0 aggregated-ether-options lacp active

Jetzt können wir noch testen, ob das Interface hochgefahren ist (up up) und einen Ping absetzen.

show interfaces terse | match ae0


Link Aggregation einrichten

Link Aggregation ist eine Technik, bei der Mehrere Interfaces zu einem Zusammengefasst werden.
Sie wird eingesetzt um den Datentransfer zwischen zwei Geräten zu erhöhen und für Redundanz zu sorgen.

!ACHTUNG, Terminologie-Fu! 
Hersteller von Netzwerkhardware nutzen nicht immer die Selbe Terminologie!
Zum Beispiel nennt HP das zusammenfassen von interfaces "Trunking" und zusammengefasste Interfaces einen "Trunk".
"Trunking" ist ein Begriff der von Cisco und Juniper im V-Lan (802.1q) Kontext genutzt wird um Interfaces zu beschreiben, über welche V-Lan Tagged Traffic ausgetauscht wird.
Ein solches Interface wird als "Trunk Port" bezeichnet, bei HP nennt es sich "Tagged Interface".
Wenn Ihr Netzwerkhardware mehrerer Hersteller in eurem Netzwerk habt und V-Lan tagged traffic über aggregated interfaces schickt müsst ihr auf eure Sprache achten!
(Vor allem, wenn mehrere Parteien involviert sind!)

Das geläufige Protokoll für diese Technik ist das Link aggregation control protocoll (LACP).


In diesem Beispiel werde ich die Interfaces 22 und 23 an einen Juniper EX3300 POE+ zu einer AE zusammenfassen und dann mit einem anderen Switch verbinden.

Verbindet euch als erstes mit der seriellen Schnittstelle des Junipers und startet den Switch.
Es kann einige Minuten dauern, bin das Gerät hochgefahren ist.

Wir müssen erlauben das in dem Chassis (in unserem Fall nur ein Device) ein Aggregated interface eingesetzt werden darf.
Hierfür setzen wir den device-count von 0 hoch auf 1 (oder mehr).

set chassis aggregated-devices ethernet device-count 1

Zunächst löschen wir die konfiguration auf den interfaces ge-0/0/22 und ge-0/0/23.

delete interfaces ge-0/0/22 unit 0
delete interfaces ge-0/0/23 unit 0

Anschließend definieren wir die Interfaces als ae0 vom Typ 802.3ad (Link Aggregation)

set interfaces ge-0/0/22 ether-options 802.3ad ae0
set interfaces ge-0/0/23 ether-options 802.3ad ae0

Danach vergeben wir dem neu erzeugten Interface ae0 noch eine IP Adresse.
set interfaces ae0 unit 0 family inet address

Als letztes müssen wir auf dem Juniper Switch noch sagen, dass auf der ae0 das Protokoll LACP zum Einsatz kommt.

Jetzt können wir noch testen, ob das Interface hochgefahren ist (up up) und einen Ping absetzen.

show interfaces terse | match ae0


Configure an IP Address on an Interface

In this article I will show you how to set an IP Address on an interface.
Before we do this however let me tell you something about Interface Families.

Interface Familien

An interface in Juniper has to be defined as a member of an Interface Family.
What configuration can be set on an interface is depending on what Familiy it is a member of.

Possible Families are are:

  • inet → IPv4
  • inet6 → IPv6
  • iso → IS-IS (routingprotokoll, simmular to OSPF)
  • ethernet-switching → Layer 2 Lan Switching
  • mpls → Label Switching (Layer 2 Switching)

When I sayed that we were going to give the Interface an IP Address I have not been percize enaugh.
We are going to give the Interface an IPv4 Address.

Setting the IPv4 Address

At first we change into the configuration mode.
Here I am checking the current configuration of Interface ge-0/0/1.

Since there already is an IP Address on the Interface I am deleting it.
Since your system has been reset you can skip this part.

Afterwards I set the IP Address using the command:

set interfaces ge-/0/0/1 unit 0 familiy inet address <IP Adresse>

Then apply the changes with the commit command.
In the gif below I am running a constant ping against the interface so you can see when the changes are in effect.


03_Basic configuration

In this article I want to show you how to do a basic configuration of a juniper router.
You should be connected to the Routers CLI.

Resetting the Router

The first thing we will do is reset the router to the factory defaults.
To do this type in operational mode request system zeroize.

This can take 10 Minutes or longer.

Change the Passwort

When the system has been resetted we will change the root password.
Do this by using the command set system root-authentication plain-text-password in config mode.

Don't forget to commit, otherwise your changes will not have any effect!



02_The CLI

The CLI or Command Line Interface is a textbased konfiguration utility.
With it you can get information about the current konfiguration and staus of the device or change the configuration.


When you are connected to the Router your prompt looks something like this.

Root is the user you are logged in with and you are working on Routing Engine 0.
To start the CLI simply type cli.

There are two modes in wich you can operate, operational and configuration.
You will always enter the cli in the operational mode.

In operational mode you prompt is > and in configuration mode it is #.

In the operational mode you will get informations on the current state of the Router like:

  • What does the current mac address table look like
  • How much Watt is used on Interface ge-0/0/3 over POE right now?

In the configuration mode you can check and change the configuration:

  • What is the configuration on Interface ge-0/0/3?
  • Change what v-lans are tagged on Interface ge-0/0/3

Changes to the config are not live on Juniper!
You change whats called a candidate config.
To let the changes take effekct you have to run the commit command.

Finding Commands

In both modes you have a lot of commands you can choose from.
Wich ones is depending on what device you have and firmware version you have isntalled.

You can list all available command in the mode you are currently in with ?.

To see what parameters a command has you can type another ? after it.
< [Enter]> means that the command can be executed at this point.

If you want to get more information regarding a command you can use the builtin help.

Help Apropos <string>
Is listing ALL possible commands containing the searchstring.
Is capable of regex.

  • Help Apropos vlan → is finding very much
  • Help Apropos „*vlan “ → is finding only what is ending in vlan
  • Help Apropos „ vlan „ → is finding only "vlan" as a single word


Help Refference <statement-name>
Same as manpage

  • Help Refference snmp alarm → dscribes function and syntax
  • Help Refference ospf area → describes syntax and options


Help Topic <word>
Info about usage guidelines

  • help topic interfaces family → explains how to configure protocol families on Juniper Interfaces


01_Connect to the CLI

To configure a Juniper router you have to connect to the Command Line Interface.
In this article I will show you two ways to do this.

Mit der CLI Verbinden

To start the CLI you will have to connect via SSH or over Console Cable.

If the Juniper device already has an IP Address and you want to connect over SSH the linux terminal brings that out of the box.
On windows you can use Putty or Bash from the Linux Subsystem for Windows.

The other option is using a serial cable and possibly a USB Serial Adapter.

Connect the serial cable to the console port of the device and the other end to your laptop


Diffrent then for example on cisco devices the console ports often are in the back.
If they are mounted in a 19" rack this can mean that they are hard to reach.

To connect to a divice via Serial you have to know what COM Port they are on.
In Windows you can check Device Management by pressing Windows+r > devmgmt.msc.

After that you have to change the Serial Settings in Putty.
The other Serial options like baudrate are fine.

After that you can connect to the router using Session > Serial.

In Linux you can install minicom to connect to the router using the serial adapter.

sudo apt-get install minicom

After you have connected the serial cable using USB you can check dmesg for the new USB device.

dmesg | grep USB

Here you will find [...] now attached to TTYUSB [...] followd by a number.
Now start serialcom and select the serial device /dev/ttyUSB<number>

serialcom -s


Firmware Update einspielen

In diesem Artikel geht es darum, wie Ihr auf einem Juniper Router ein Firemwareupdate durchführen könnt.
Zuerst müsst ihr euch die Firwmare Herunterladen.
In meinem Fall EX3300.

Ihr könnt das Firmwareupdate machen, indem ihr einen USB Stick benutzt, der FAT32 Formatiert ist und genau 2GB groß.
Eine 2GB Fat23 Partition reicht nicht aus, ihr könnt euch damit das Dateisystem des Routers zerschießen...

Alternativ könnt ihr einen Webserver oder FTP Server als Quelle für euer Firmwareupdate nutzen.
Ich habe mich für den HFS Webserver entschieden.

Firmware update

Nachdem Ihr den Webserver installiert habt, ladet das .tgz Firmware file in das Rootverzeichniss und kopiert den Link.
Wie ihr auf dem Switch sehen könnt prüfe ich die aktuelle version (12.3R12-S7)

> show version

Anschließend starte ich die Installation der neuen Firmware

> request system software add <http link>

Das Firmwareupdate kann je nach Gerät über 15 Minuten dauern.
Wenn das Update abgeschlossen ist, werdet ihr gebeten das Gerät neu zu starten.
Bitte nicht einfach den Strom ziehen, an diesem kritischem Moment, solltet ihr lieber einen gracefull reboot machen

> request system reboot

Anschließend nochmal prüfen, dass die aktuelle Version (15.1R6-S3) eingespielt wurde.