Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Switch Configuration Options

Use this information to configure your switches.

Overview

You can enter switch settings at the organization level or the site level.

  • To configure organization-wide settings, select Organization > Switch Templates from the left menu of the Juniper Mist portal. Then create your template and apply it to one or more sites or site groups.

  • To configure switch settings at the site level, select Site > Switch Configuration from the left menu of the Juniper Mist portal. Then select the site that you want to set up, and enter your switch settings.

    If an organization-level switch template was assigned to the site, the site configuration will appear in view-only mode. You can keep the settings from the template or make adjustments. In each section of the page, you can select Override Configuration Template and then enter your changes. These changes will apply only to this site, not to the template.

    The following example shows how to override a template and set a site-specific root password.

    Override Configuration Template Example
Note:

The fields that support configuration through site variable have a help text showing the site variable configuration format underneath them. To configure site variables, follow the steps provided in Configure Site Variables. For more information about the switch configuration process and switch templates, see Configure Switches.

At both the organization and site levels, the switch settings are grouped into sections as described below.

All Switches

Configure these options in the All Switches section of the Organization > Switch Templates page and the Site > Switch Configuration page.

All Switches
Table 1: All Switches Configuration Options
Field Description
RADIUS

Choose an authentication server for validating usernames and passwords, certificates, or other authentication factors provided by users.

  • Mist Auth—Configure Juniper Mist Access Assurance, a cloud-based authentication service, on your switch. For this option to work, you must use a port with dot1x or MAB authentication. For information, see the Juniper Mist Access Assurance Guide.

  • RADIUS—Select this option to configure a RADIUS authentication server and an accounting server, for enabling dot1x port authentication at the switch level. For the dot1x port authentication to work, you also need to create a port profile that uses dot1x authentication, and you must assign that profile to a port on the switch.

    The default port numbers are:

    • port 1812 for the authentication server

    • port 1813 for the accounting server

Note:

If you want to set up RADIUS authentication for Switch Management access (for the switch CLI login), you need to include the following CLI commands in the Additional CLI Commands section in the template:

set system authentication-order radius
set system radius-server radius-server-IP port 1812
set system radius-server radius-server-IP secret secret-code
set system radius-server radius-server-IP source-address radius-Source-IP
set system login user remote class class

For RADIUS or TACACS+ local authentication to the Switch, it is necessary to create a remote user account or a different login class. To use different login classes for different RADIUS-authenticated users, create multiple user templates in the Junos OS configuration by using the following CLI commands in the Additional CLI Commands section:

set system login user RO class read-only
set system login user OP class operator
set system login user SU class super-user
set system login user remote full-name "default remote access user template"
set system login user remote class read-only
TACACS+ Enable TACACS+ for centralized user authentication on network devices.

To use TACACS+ authentication on the device, you must configure information about one or more TACACS+ servers on the network. You can also configure TACACS+ accounting on the device to collect statistical data about the users logging in to or out of a LAN and send the data to a TACACS+ accounting server.

In addition, you can specify a user role for TACACS+ authenticated users within switch configuration. The following user roles are available: None, Admin, Read, Helpdesk. When the TACACs+ authenticated users do not have a user account configured on the local device, Junos assigns them a user account named 'remote' by default.

The port range supported for TACACS+ and accounting servers is 1 to 65535.

Note:

For TACACS+ to authenticate into the Switch, a similar login user as defined in the RADIUS section above needs to be created.

NTP Specify the IP address or hostname of the Network Time Protocol (NTP) server. NTP is used to synchronize the clocks of the switch and other hardware devices on the Internet.
DNS SETTINGS

Configure the domain name server (DNS) settings. You can configure up to three DNS IP addresses and suffixes in comma separated format.

SNMP

Configure Simple Network Management Protocol (SNMP) on the switch to support network management and monitoring. You can configure the SNMPv2 or SNMPv3. Here are the SNMP options that you can configure:

  • Options under SNMPv2 (V2)

    • General—Specify the system's name, location, administrative contact information, and a brief description of the managed system. When using SNMPv2, you have the option to specify the source address for SNMP trap packets sent by the device. If you don't specify a source address, the address of the outgoing interface is used by default.

    • Client—Define a list of SNMP clients. You can add multiple client lists. This configuration includes a name for the client list and IP addresses of the clients (in comma separated format). Each client list can have multiple clients. A client is a prefix with /32 mask.

    • Trap Group—Create a named group of hosts to receive the specified trap notifications. At least one trap group must be configured for SNMP traps to be sent. The configuration includes the following fields:

      • Group Name—Specify a name for the trap group.

      • Categories—Choose from the following list of categories. You can select multiple values.

        • authentication

        • chassis

        • configuration

        • link

        • remote-operations

        • routing

        • services

        • startup

        • vrrp-events

      • Targets—Specify the target IP addresses. You can specify multiple targets.

      • Version—Specify the version number of SNMP traps.

    • Community—Define an SNMP community. An SNMP community is used to authorize SNMP clients by their source IP address. It also determines the accessibility and permissions (read-only or read-write) for specific MIB objects defined in a view. You can include a client list, authorization information, and a view in the community configuration.

    • View(Applicable to both SNMPv2 and SNMPv3)—Define a MIB view to identify a group of MIB objects. Each object in the view shares a common object identifier (OID) prefix. MIB views allow an agent to have more control over access to specific branches and objects within its MIB tree. A view is made up of a name and a collection of SNMP OIDs, which can be explicitly included or excluded.

  • Options under SNMPv3 (V3)

    • General—Specify the system's name, location, administrative contact information, and a brief description of the managed system. When using SNMPv2, configure an engine ID, which serves as a unique identifier for SNMPv3 entities.

    • USM—Configure the user-based security model (USM) settings. This configuration includes a username, authentication type, and an encryption type. You can configure a local engine or a remote engine for USM. If you select a remote engine, specify an engine identifier in hexadecimal format. This ID is used to compute the security digest for authenticating and encrypting packets sent to a user on the remote host. If you specify the Local Engine option, the engine ID specified on the General tab is considered. If no engine ID is specified, local mist is configured as the default value.

    • VACM—Define a view-based access control model (VACM). A VACM lets you set access privileges for a group. You can control access by filtering the MIB objects available for read, write, and notify operations using a predefined view (you must define the required views first from the Views tab). Each view can be associated with a specific security model (v1, v2c, or usm) and security level (authenticated, privacy, or none). You can also apply security settings (you have the option to use already defined USM settings here) to the access group from the Security to Group settings.

    • Notify— Select SNMPv3 management targets for notifications, and specify the notification type. To configure this, assign a name to the notification, choose the targets or tags that should receive the notifications, and indicate whether it should be a trap (unconfirmed) or an inform (confirmed) notification.

    • Target—Configure the message processing and security parameters for sending notifications to a particular management target. You can also specify the target IP address here.

    • View(Applicable to both SNMPv2 and SNMPv3)—Define a MIB view to identify a group of MIB objects. Each object in the view shares a common object identifier (OID) prefix. MIB views allow an agent to have more control over access to specific branches and objects within its MIB tree. A view is made up of a name and a collection of SNMP OIDs, which can be explicitly included or excluded.

For more information, see Configure SNMP on Switches.

STATIC ROUTE

Configure static routes. The switch uses static routes when:

  • It doesn't have a route with a better (lower) preference value.

  • It can't determine the route to a destination.

  • It needs to forward packets that can't be routed.

Mist supports IPv4 and IPv6 addresses for static routes. The IPv6 support is available for destination and next hop addresses.

Types of static routes supported:

  • Subnet—If you select this option, specify the IP addresses for the destination network and the next hop.

  • Network—If you select this option, specify a VLAN (containing a VLAN ID and a subnet) and the next hop IP address.

  • Metric—The metric value for the static route. This value helps determine the best route among multiple routes to a destination. Range: 0 to 4294967295.

  • Preference—The preference value is used to select routes to destinations in external autonomous systems (ASs) or routing domains. Routes within an AS are selected by the IGP and are based on that protocol’s metric or cost value. Range: 0 to 4294967295.

  • Discard—If you select this check box, packets addressed to this destination are dropped. Discard takes precedence over other parameters.

After specifying the details, click the check mark (✓) on the upper right of the Add Static Route window to add the configuration to the template.

CLI CONFIGURATION

To configure any additional settings that are not available in the template's GUI, you can use set CLI commands.

For instance, you can set up a custom login message to display a warning to users, advising them not to make any CLI changes directly on the switch. Here's an example of how you can do it:

set system login message \n\n Warning! This switch is managed by Mist. Do not make any CLI changes.

To delete a CLI command that was already added, use the delete command, as shown in the following example:

delete system login message \n\n Warning! This switch is managed by Mist. Do not make any CLI changes.
Note:

Ensure that you enter the complete CLI command for the configuration to be successful.

OSPF From this tile, you can:
  • Define an Open Shortest Path First (OSPF) area. OSPF is a link-state routing protocol used to determine the best path for forwarding IP packets within an IP network. OSPF divides a network into areas to improve scalability and control the flow of routing information. For more information about OSPF areas, see this Junos documentation: Configuring OSPF Areas.

  • Enable or disable OSPF configuration on the switch.

DHCP SNOOPING

Enable the DHCP snooping option to monitor DHCP messages from untrusted devices connected to the switch. DHCP snooping creates a database to keep track of these messages. This helps prevent the acceptance of DHCPOFFER packets on untrusted ports, assuming they originate from unauthorized DHCP servers.

DHCP configuration has the following options:

  • All Networks— Select the All Networks check box to enable DHCP snooping on all VLANs.

  • Networks—If you want to enable DHCP snooping only on specific networks, click Add (+) in the Networks box and add the required VLANs.

  • Address Resolution Protocol (ARP) Inspection—Enable this feature to block any man-in-the-middle attacks. ARP Inspection examines the source MAC address in ARP packets received on untrusted ports. It validates the address against the DHCP snooping database. If the source MAC address does not have a matching entry (IP-MAC binding) in the database, it drops the packets.

    You can check ARP statistics by using the following CLI commands: show dhcp-security arp inspection statistics, and show log messages | match DAI.

    The device logs the number of invalid ARP packets that it receives on each interface, along with the sender’s IP and MAC addresses. You can use these log messages to discover ARP spoofing on the network.

  • IP Source Guard—IP source guard validates the source IP and MAC addresses received on untrusted ports against entries in the DHCP snooping database. If the source addresses do not have matching entries in the database, IP Source Guard discards the packet.

    Note:

    IP Source Guard works only with single-supplicant 802.1X user authentication mode.

Note:
  • If you have a DHCP server connected to an untrusted access port, DHCP won't function properly. In such cases, you may need to make adjustments to ensure that DHCP works as intended. By default, DHCP considers all trunk ports as trusted and all access ports as untrusted.

  • You need to enable VLAN on the switch for the DHCP snooping configuration to take effect. So, you need to create a port profile (described later in this document) with the VLAN included and apply the profile to the switch port.

A device with a static IP address might not have a matching MAC-IP binding in the DHCP snooping database, if you have connected the device to an untrusted port on the switch. To check the DHCP snooping database on your switch and view the bindings, use the CLI command show dhcp-security binding. This command will provide you with information about the DHCP bindings recorded in the snooping database.

For more information, see DHCP Snooping and Port Security Considerations.
Note:

You need to enable this feature if you want to view the DHCP issues for the switch under the Successful Connect SLE metric.

SYSLOG

Configure SYSLOG settings to set up how system log messages are handled. You can configure settings to send the system log messages to files, remote destinations, user terminals, or to the system console. Here are the configuration options available for SYSLOG settings:

  • Files—Send log messages to a named file.

  • Hosts—Send log messages to a remote location. This could be an IP address or hostname of a device that will be notified whenever those log messages are generated.

  • Users—Notify a specific user of the log event.

  • Console—Send log messages of a specified class and severity to the console. Log messages include priority information, which provides details about the facility and severity levels of the log messages.

  • Archive—Define parameters for archiving log messages.

  • General—Specify general information such as a time format, routing instance, and source address for the log messages.

PORT MIRRORING

Configure port mirroring.

Port mirroring is the ability of a router to send a copy of a packet to an external host address or a packet analyzer for analysis. In the port mirroring configuration, you can specify the following:

  • Input: The source (an interface or network) of the traffic to be monitored. Along with the input, you can specify whether you want Mist to monitor the ingress traffic or the egress traffic for an interface. If you want both ingress and egress traffic to be monitored, add two input entries for the same interface - one with the ingress flag and the other with the egress flag.

  • Output: The destination interface to which you want to mirror the traffic. You cannot specify the same interface or network in both the input and output fields.

Routing Policy

Configure routing policies for the entire organization (Organization > Switch Templates) or for a site (Site > Switch Configuration). These routing policies will only be pushed to the switch configuration if it is tied to the BGP Routing Protocol. The Routing policies that are already defined inside the BGP tab of a switch will now appear on the Routing Policy tab. The routing policies are tied to protocols such as BGP or OSPF. A routing policy framework is composed of default rules for each routing protocol. These rules determine which routes the protocol places in the routing table and advertises from the routing table. Configuration of a routing policy involves defining terms, which consist of match conditions and actions to apply to matching routes.

To configure a routing policy:

  1. Click Add Routing Policy on the Routing Policy tile.

  2. Provide a name to the policy, and then click Add Terms.

  3. Provide a name to the term and specify other match details such as:

    • Prefix

    • AS Path

    • Protocol

    • Community—A route attribute used by BGP to administratively group routes with similar properties.

    • Then—Then action (Accept or Reject) to be applied on the matching routes.

    • Add Action—Additional actions such as prepend AS path, set community, and set local preference.

  4. Click the check mark (✓) on the right of the Add Term title to save the term. You can add multiple terms.

  5. Click Add to save the routing policy.

Management

Configure these options in the Management section of the Organization > Switch Templates page and the Site > Switch Configuration page.

Management Section of the Configuration Page
Table 2: Management Configuration Options
Option Notes

Configuration Revert Timer

This feature helps restore connectivity between a switch and the Mist cloud if a configuration change causes the switch to lose connection. It automatically reverts the changes made by a user and reconnects to the cloud within a specified time duration. By default, this time duration is set to 10 minutes for EX Series switches. You can specify a different time duration.

Root Password

A plain-text password for the root-level user (whose username is root).

Protection of Routing Engine

Enable this feature to ensure that the Routing Engine accepts traffic only from trusted systems. This configuration creates a stateless firewall filter that discards all traffic destined for the Routing Engine, except packets from specified trusted sources. Protecting the Routing Engine involves filtering incoming traffic on the router’s lo0 interface. Enabling Protection of Routing Engine on Juniper Switches is suggested as the best practice.

When Protection of Routing Engine is enabled, Mist by default ensures that the following services (if configured) are allowed to communicate with the switch: BGP, BFD, NTP, DNS, SNMP, TACACS, and RADIUS.

If you need additional services that need access to the switch, you can use the Trusted Networks or Services section. If you want to set up access to the switch via ssh, select the ssh option under Trusted Services. If you need to allow switch to respond to pings, select the icmp option under Trusted Services.

If you have other segments that you would like to reach the switch from, you can add them under Trusted Networks or Trusted IP/Port/Protocol.

For more information, refer to Example: Configuring a Stateless Firewall Filter to Accept Traffic from Trusted Sources and Example: Configuring a Stateless Firewall Filter to Protect Against TCP and ICMP Floods.

Local Users

Create a local user account on the switch for device management purposes. To create a user account, click Add User and then define a username, login class (Operator, Read-only, Super User, or Unauthorized), and a password.

Idle Timeout

The maximum number of minutes that a remote shell session can be idle. When this limit is reached, users are logged out. (Valid Range: 1-60).

Login Banner

Enter text that you want users to see when they log in to the switch. Example: “Warning! This switch is managed by Juniper Mist. Do not make any CLI changes.” You can enter up to 2048 characters.

Shared Elements

Configure these options in the Shared Elements section of the Organization > Switch Templates page and the Site > Switch Configuration page.

Shared Elements Section
Table 3: Shared Elements Configuration Options
Option Notes

Networks

Add or update VLANs, which you can then use in your port profiles.

For each VLAN, enter the name, VLAN ID, and subnet. You can specify IPv4 or IPv6 address for the subnet. See the on-screen information for more tips.

On this tile, you have an option to hide the networks that are not used in a user-defined port profiles or L3 sub-interfaces. This feature helps you quickly identify those networks that are in use and those that are not in use.

Port Profiles

Add or update port profiles. For help with the profile options, see the on-screen tips and Shared Elements—Port Profiles.

On this tile, you have an option to hide the port profiles that are not used in any static or dynamic port configurations defined by users. This feature helps you quickly identify those port profiles that are in use and those that are not in use.

Dynamic Port Configuration

Dynamic port profiling uses a set of device properties of the connected client device to automatically associate pre-configured port and network settings to the interface.

You can configure a dynamic port profile based on the following parameters:

  • LLDP System Name

  • LLDP Description

  • LLDP Chassis ID

  • Radius Username

  • Radius Filter-ID

  • MAC (Ethernet mac-address)

In this example, the rule applies a port profile to all devices with the specified LLDP system name.

For your dynamic port configurations to take effect, you also need to specify the ports that you want to function as dynamic ports. You can do this by selecting the Enable Dynamic Configuration check box on the Port Config tab in the Select Switches section of the switch template or in the Port Configuration section of the switch details page.

It takes a couple of minutes for a port profile to be applied a port after a client is recognized, and a couple of minutes after that for the port profile assignment status to appear on the Mist portal.

In case of switch reboots or a mass link up or down event affecting all ports on a switch, it takes approximately 20 minutes for all the ports to be assigned to the right profile (assuming that dynamic port configuration is enabled on all the ports).

Dynamic port configuration on a switch is meant for establishing connection to IoT devices, APs, and user port endpoints. You should not use it for creating connection between switches, switches and routers, and switches and firewalls. Also, you should not enable Dynamic Port Configuration on the uplink port.

VRF

With VRF, you can divide an EX Series switch into multiple virtual routing instances, effectively isolating the traffic within the network. You can define a name for the VRF, specify the networks associated with it, and include any additional routes needed. You can specify IPv4 or IPv6 addresses for the additional route.

Note:

You can't assign the default network (VLAN ID = 1) to VRF.

Shared Elements—Port Profiles

In the Shared Elements section, you can configure port profiles. These options appear when you click Add Profile or when you click a profile to edit.

Note:
  • For general information about profiles, see Port Profiles Overview.

  • If you're working at the site level, you might see asterisks (*) next to the port profile names. These port profiles were created in the switch template. If you click them, you'll see the settings in view-only mode. To make site-specific changes (affecting only this site and not the switch template itself), select Override Template Defined Profile and then edit the settings.

Table 4: Port Profile Configuration Options
Option Notes
Name, Port Enabled, and Description

Basic settings to identify and enable the port.

Mode
  • Trunk—Trunk interfaces typically connect to other switches, APs, and routers on the LAN. In this mode, the interface can be in multiple VLANs and can multiplex traffic between different VLANs. Specify the Port Network, VoIP Network (if applicable), and Trunk Networks.

  • Access—Default mode. Access interfaces typically connect to network devices, such as PCs, printers, IP phones, and IP cameras. In this mode, the interface can be in a single VLAN only. Specify the Port Network and the VoIP Network (if applicable).

  • Port Network and VoIP Network—Select the VLANs for this port.

Use dot1x authentication

Select this option to enable IEEE 802.1X authentication for Port-Based Network Access Control. 802.1X authentication is supported on interfaces that are members of private VLANs (PVLANs).

The following options are available if you enable dot1x authentication on a port:

  • Allow Multiple Supplicants—Select this option to allow multiple end devices to connect to the port. Each device is authenticated individually.

  • Dynamic VLAN—Specify dynamic VLANs that will be returned by the RADIUS server attribute 'tunnel-private-group-ID' or 'Egress-VLAN-Name'. This configuration enables a port to perform dynamic VLAN assignment.

  • MAC authentication—Select this option to enable MAC authentication for the port. When this option is selected, you can also specify an Authentication Protocol. If you specify a protocol, it must be used by supplicants to provide authentication credentials.

  • Use Guest Network—Select this option to use a guest network for authentication. Then select a Guest Network from the drop-down list.

  • Bypass authentication when server is down—If you select this option, clients can join the network without authentication if the server is down.

  • Reauthentication interval—In a switch port profile that uses dot1x authentication, you can configure a timer that controls how often a client reauthenticates itself with the RADIUS server. The recommended value is 6 to 12 hours (21600 to 43200 seconds). The default value is 65000 seconds.

You need to also do the following for dot1x authentication to work:

  • Configure a RADIUS server for dot1x authentication from the Authentication Servers tile in the All Switches Configuration section of the template.

  • Assign a dot1x port profile to a switch port for the RADIUS configuration to be pushed to the switch. You can do this from the Port Config tab in the Select Switches Configuration section of the template.

    Mouse-over the port to see the RADIUS-assigned VLAN field. Ports with dot1x enabled are assigned a new VLAN by the RADIUS server when the 802.1x authentication is successful. This view is especially useful when checking whether a given VLAN on a port has changed following dot1x authentication.

    Figure 1: Radius Assigned VLAN on a Dot1x Port Radius Assigned VLAN on a Dot1x Port

Speed

Keep the default setting, Auto, or select a speed

Duplex

Keep the default setting, Auto, or select a Half or Full.

MAC Limit Configure the maximum number of MAC addresses that can be dynamically learned by an interface. When the interface exceeds the configured MAC limit, it drops the frames. A MAC limit also results in a log entry.

The default value: 0

Supported range: 0 through 16383

PoE

Enable the port to support power over Ethernet (PoE).

RSTP Edge

Configure the port as a Rapid Spanning Tree Protocol (RSTP) edge port, if you want to enable Bridge Protocol Data Unit (BPDU) guard on a port. RSTP is enabled on ports to which clients that do not participate in RSTP are connected. This setting ensures that the port is treated as an edge port and guards against the reception of BPDUs. If you plug a non-edge device into a port configured with RSTP Edge, the port is disabled. In addition, the Switch Insights page generates a Port BPDU Blocked event. The Front Panel on the Switch Details will also display a BPDU Error for this port.

You can clear the port of the BPDU error by selecting the port on the Front Panel and then clicking Clear BPDU Errors.

You should not enable RSTP Edge on the Uplink port.

You can also configure RSTP Edge at the switch level, from the Port Profile section on the switch details page.

RSTP Point-to-Point

This configuration changes the interface mode to point-to-point. Point-to-point links are dedicated links between two network nodes, or switches, that connect one port to another.

RSTP No Root Port

This configuration prevents the interface from becoming a root port.

QoS

Enable Quality of Service (QoS) for the port to prioritize latency-sensitive traffic, such as voice, over other traffic on a port.

Note:

For optimal results, it's important to enable Quality of Service (QoS) for both the downstream (incoming) and upstream (outgoing) traffic. This ensures that the network can effectively prioritize and manage traffic in both directions, leading to improved performance and better overall quality of service.

You have the option to override the QoS configuration on the WLAN settings page (Site > WLANs > WLAN name). To override the QoS configuration, select the Override QoS check box and choose a wireless access class. The downstream traffic (AP > client) gets marked with the override access class value specified. The override configuration doesn't support upstream traffic (client > AP).

See also: QoS Configuration.

Storm Control Enable storm control to monitor traffic levels and automatically drop broadcast, multicast, and unknown unicast packets when the traffic exceeds a traffic level (specified in percentage). This specified traffic level is known as the storm control level. This feature actively prevents packet proliferation and maintains the performance of the LAN. When you enable Storm Control, you can also choose to exclude broadcast, multicast, and unknown unicast packets from monitoring.

For more information, see Understanding Storm Control.

Persistent (Sticky) MAC Learning

Enable Persistent (Sticky) MAC to retain MAC addresses for trusted workstations and servers learned by the interface, even after a device restart. You can configure Sticky MAC for static wired clients. Sticky MAC is not intended for use on Juniper Mist AP interfaces, nor is it supported for trunk ports or those configured with 802.1X authentication.

Used in conjunction with MAC Limits (explained above), Sticky MAC protects against Layer 2 denial-of-service (DoS) attacks, overflow attacks on the Ethernet switching table, and DHCP starvation attacks, while still allowing the interface to dynamically learn MAC addresses. In the Mist portal, the Insights page reports these events as MAC Limit Exceeded .

You configure both Sticky MAC and MAC limits as part of the Port Profile for the switch. The general procedure is demonstrated in this video:

Port profiles provide a convenient way to manually or automatically provision EX switch interfaces. Going into the EX4300, we'll first create VLANs. We'll make a camera network with VLAN ID 30 and an IoT network with VLAN ID 29.

You can create as many networks as needed. You can create the profiles, for example, a camera, and map it to the camera network that we just created. Customize the settings as desired, such as PoE and STP.

We'll repeat this process to create profiles for a corporate device enabling 802.1x authentication, an IoT device configured with PoE, and an access point configured as a trunk port. It's very simple to modify profiles to meet your specific requirements. Then we go into the port configuration section to associate the configurations with port profiles.

Here we map ports 1 through 5 to be with an AP profile, ports 6 through 10 with a corporate device profile, ports 11 through 15 with IoT profiles, and ports 16 to 20 with the camera profile. This is how to create port profiles. We can also create port aggregation uplinks to be associated with the appropriate profiles.

When you save all of your changes, this pushes the configuration to the particular switch. This covers how EX switches are manually provisioned with port profiles from the Juniper MIST Cloud.

You must explicitly enable the Persistent (Sticky) MAC Learning option, located at the bottom of the Port Profile configuration block, to include Sticky MAC as part of the Port Profile that you associate with the interface. For MAC limits, the default value is 0 (unlimited, that is, disabled) but you can enable it by setting a value of up to 16383 unique MAC addresses allowed.

To see in the Mist portal what value has been set for the MAC Limit or the MAC Count, select a switch from the Switches page and hover your mouse over a switch port. You can see which (port) Profile is applied to the interface, and by extension, know its Sticky MAC status.

Figure 2: Port Details Showing Sticky MAC Port Details Showing Sticky MAC

The configured MAC limit and number of MACs learned will appear after a few minutes, as dynamic learning on the interface progresses. In the Mist dashboard, only the maximum MAC address count is shown. However, you can see every MAC address a given interface has learned by opening a Remote Shell to the switch and running the following Junos CLI commands:

show ethernet-switching table persistent-learning
show ethernet-switching table persistent-learning interface

MAC count is a persistent value that remains until the MAC address is cleared (or until it is disabled in the Port Profile and then that configuration is pushed to the switch).

To clear the MAC addresses on a given interface from the Mist dashboard, you need to be logged as Network Administrator or Super User. Then just select the port you want from the switch front panel (as shown in Figure 1) and click the Clear MAC [Dynamic/Persistent] button that appears.

On the Switch Insights page, the event shows up as a MAC Limit Reset event.

For more information on the front panel, see Switch Details.

Select Switches Configuration

Create rules to apply configuration settings based on the name, role, or model of the switch.

Click a rule to edit it, or click Add Rule. Then complete each tabbed page. As you enter settings, click the checkmark at the top right to save your changes. You can also create a switch rule entry by cloning an existing rule. To do that, you just need to click the clone button and name the new rule.

Select Switches Configuration

The various tabs are described in separate tables below.

Table 5: Select Switches—Info Tab
Option Notes

Name

Enter a name to identify this rule.

Applies to switch name

Enable this option if you want this rule to apply to all switches that match the specified name. Then enter the text and the number of offset characters. For example, if you enter abc with an offset of 0, the rule applies to switches whose names start with abc. If the offset is 5, the rule ignores the first 5 characters of the switch name.

Applies to switch role

Enable this option if you want this rule to apply to all switches that have the same role. Enter the role by using lowercase letters, numbers, underscores (_), or dashes (-).

Applies to switch model

Enable this option if you want this rule to apply to all switches that have the same model. Then select the model.

Table 6: Select Switches—Port Config Tab
Option Notes
Configuration List

Click Add Port Configuration, or select a port configuration to edit.

Port Configuration Tab Showing List of Port Configurations

Port IDs and Configuration Profile

Enter the port(s) to configure and the configuration profile to apply to them.

Enable Dynamic Configuration

When you enable this feature, a port profile is assigned based on defined attributes of the connected device. If the device matches the attributes, Mist assigns a matching dynamic profile to the device. But if the device doesn't match the attributes, it is placed in a specified VLAN.

In the following example, the port is enabled with dynamic port allocation and is assigned with a restricted VLAN. In this case, if the connected device doesn't match the dynamic profiling attributes, it will be placed into a restricted VLAN such as a non-routable VLAN or a guest VLAN. Interfaces enabled with Port Aggregation don't support dynamic port configuration.

Up/Down Port Alerts

When you enable this feature, Juniper Mist monitors transitions between up and down states on these ports. If you enable this feature, also enable Critical Switch Port Up/Down on the Monitor > Alerts > Alerts Configuration page.

Port Aggregation

When you enable this feature, Ethernet interfaces are grouped to form a single link layer interface. This interface is also known as a link aggregation group (LAG) or bundle.

The number of interfaces that you can group into a LAG and the total number of LAGs that a switch supports vary depending on switch model. You can use LAG with or without LACP enabled. If the device on the other end doesn't support LACP, you can disable LACP here.

You can also configure the LACP force-up state for the switch. This configuration sets the state of the interface as up when the peer has limited LACP capability.

You can also configure an LACP packet transmission interval. If you configure the LACP Periodic Slow option on an AE interface, the LACP packets are transmitted every 30 seconds. By default, the interval is set to fast in which the packets are transmitted every second.

Allow switch port operator to modify port profile

When you enable this feature, users with the Switch Port Operator admin role can view and manage this configuration.
Table 7: Select Switches Configuration—IP Config Tab
Option Notes

Network (VLAN) List

Select a network for in-band management traffic. Or click Add Network and complete the New Network fields as described in the remaining rows of this table.

Select Switches - IP Config Tab

Name

Enter a name to identify this network.

VLAN ID

Enter the VLAN ID from 1-4094, or enter a site variable to dynamically enter an ID.

Subnet

Enter the subnet or site variable.

Select Switches—IP Config (OOB) Tab

Enable or disable Dedicated Management VRF (out of band). For all standalone devices or Virtual Chassis running Junos version 21.4 or later, this feature confines the management interface to non-default virtual routing and forwarding (VRF) instances. Management traffic no longer has to share a routing table with other control traffic or protocol traffic.

Select Switches—Port Mirroring Tab

This tab displays the list of port mirroring configurations already added. Click an entry to edit it. Or click Add Port Mirror to enable port mirroring. This feature allows you to dynamically apply port mirroring on switches based on the parameters such as the switch role, switch name, and switch model as specified in the rules. This feature is typically used for monitoring and troubleshooting. When port mirroring is enabled, the switch sends a copy of the network packet from the mirrored ports to the monitor port. The configuration options include the following:

  • Input—The source (an interface or network) of the traffic to be monitored. Along with the input, you can specify whether you want Mist to monitor the ingress traffic or the egress traffic for an interface. If you want both ingress and egress traffic to be monitored, add two input entries for the same interface - one with the ingress flag and the other with the egress flag.

  • Output—The destination interface to which you want to mirror the traffic. You cannot specify the same interface or network in both the input and output fields.

The rules under Select Switches Configuration take precedence over the global Port Mirroring configuration. Also, if the global port mirroring is configured, it is displayed as the default rule in the Select Switches configuration section and is displayed as read-only. You can edit it at the global level.

Select Switches—CLI Config Tab

Enter additional CLI commands, as needed.

Switch Policy Labels (Beta)

In this section, add GBP tags to identify groups of users and resources to reference in your switch policies.

Note:

Only the following devices that run Junos OS Release 22.4R1 and later support GBPs: EX4400, EX4100, EX4650, QFX5120-32C and QFX5120-48Y.

The following example shows the tags that a user created, along with the policies that reference them.

Switch Policy Labels (Beta)
Note:

This feature is currently available only to beta participants.

To get started, click Add GBP tag. Then enter a name, select the type, and enter the value. Then click Add at the lower-right corner of the screen.

When you enable a tag, you'll see on-screen alert about the impact on standalone switches and virtual chassis. Read the on-screen information before proceeding.

Note:

If you configure 802.1X authentication with multiple-supplicant mode, the GBP tagging is MAC-based. If you configure 802.1X authentication with single-supplicant mode, the GBP tagging is port-based.

Table 8: Switch Policy Label (GBP Tag) Configuration Options
Option Notes

Dynamic or Static

By default, Juniper Mist chooses the Dynamic option. If you select Static, specify a GBP tag source. It can be a MAC address, network, or an IP subnet.

GBP Tag

Enter value or GBP source tag for host-originated packets (range: 1 through 65535).

Switch Policy (Beta)

Configure Group Based Policies (GBPs) that you can use in your campus fabric IP Clos deployments. When you create a policy, you use organization-level and site-level labels and your GBP tags (from the Switch Policy Labels section) to identify users who can or cannot access specified resources.

Note:

Only the following devices that run Junos OS Release 22.4R1 and later support GBPs: EX4400, EX4100, EX4650, QFX5120-32C and QFX5120-48Y.

The following image shows a sample policy, using tags that were defined in the Switch Policy Labels section.

Switch Policy (Beta)

To get started, click Add Switch Policy. Then enter the settings, as described in the following table.

Table 9: Switch Policy Configuration Options
Option Notes

USER/GROUP

Click + and add the users or groups that need access to the resources. You can use the GBT tags here, if you have defined them already.

RESOURCE

Click + and add the resources that you need to map to the selected users or groups. You can use the GBT tags here too, if you have defined them already.

By default, users are given access to the resources added. If you want to deny the user access to certain resources, click the Resource label that you have added and set the access to deny.

Changing Access to Deny