# **Juniper EX4400 Switch Initial Junos OS Configuration Guide**
## **1.0 Introduction**
This document provides a detailed explanation of the initial configuration procedures for Juniper EX4400 series switches running Junos OS, based on the information presented in the official Juniper documentation. The focus is on the steps required to establish initial connectivity, set fundamental system parameters, and understand the default state of the switch. It covers console access, basic setup using the Command-Line Interface (CLI), essential system settings like DNS and user accounts, and the methods available for reverting the switch to its factory-default configuration. The scope also includes an analysis of the default Layer 2 and Layer 3 settings and the initial security steps outlined in the source material. Limitations in the source documentation regarding more advanced configuration topics are also addressed.
## **2.0 Initial Device Access and Basic Setup**
The primary method for initial configuration of an EX4400 switch involves connecting directly to the console port and utilizing the Junos OS CLI. This process establishes a baseline for management access.
### **2.1 Console Connection (RJ-45 to DB-9 or USB-A/C)**
An RJ-45 to DB-9 serial port adapter is typically used with an Ethernet cable for this connection. It is important to note that this cable and adapter may need to be ordered separately, as they are no longer standard inclusions in the device package. USB-A or USB-C adapters are alternatives, but require the installation of an x64 Virtual COM port (VCP) driver on the management host.
The terminal emulation software on the management host must be configured with the following parameters to ensure successful communication:
| Parameter | Value |
| :----------- | :-------- |
| Baud Rate | 9600 |
| Data Bits | 8 |
| Flow Control | None |
| Parity | None |
| Stop Bits | 1 |
| DCD State | Disregard |
### **2.2 Initial Login Procedure**
Once the physical connection is established and the switch is powered on, access is gained by logging in as the root user. At the initial login: prompt, enter root. No password is required for the first login. If the prompt is not immediately visible, pressing the Enter key may reveal it.
### **2.3 Entering CLI and Configuration Mode**
After successfully logging in as root, the user is placed in the UNIX shell. To access the Junos OS operational environment, the command cli must be entered. This changes the prompt to root\>. To make changes to the switch's configuration, one must enter configuration mode. This is achieved by typing the command configure, which changes the prompt to root\#, indicating that configuration commands can now be entered.
### **2.4 Setting Root Authentication (Mandatory Security Step)**
Securing the root administrative account is a critical first step after entering configuration mode. The documentation emphasizes setting a password immediately to prevent unauthorized access. The primary command for this is set system root-authentication plain-text-password. Upon entering this command, the system prompts for the new password and requires confirmation by retyping it. While plain-text password entry is shown, alternative methods like setting a pre-encrypted password or using an SSH public key for authentication are also possible, offering potentially higher security levels.
### **2.5 Basic Device Identification**
Assigning a unique name and domain can aid in network management and identification.
* **Hostname:** The command set system host-name \<host-name\> allows assigning a specific name to the switch. If the chosen hostname includes spaces, it must be enclosed in double quotation marks (" "). This is listed as an optional step but is highly recommended for clarity in managed environments.
* **Domain Name:** Similarly, the command set system domain-name \<domain-name\> can be used to configure the DNS domain name for the switch, although this is also presented as optional. The specific command structure is implied through other set system commands shown.
### **2.6 Configuring Management Network Access**
Establishing network connectivity for management purposes is a core part of the initial setup.
* **Management Interface (me0):** The dedicated management interface, typically labeled MGMT on the physical chassis, is configured using the me0 logical interface in Junos OS. The command set interfaces me0 unit 0 family inet address \<address\>/\<prefix-length\> assigns an IPv4 address and subnet mask (in CIDR notation, e.g., /24) to this interface. This interface is intended for out-of-band management, separating management traffic from data plane traffic.
* **Default Gateway:** For the switch's management interface to communicate with devices outside its local IP subnet (like management stations or authentication servers), a default gateway must be configured. The command set routing-options static route 0/0 next-hop \<address\> defines the IP address of the router that serves as the default gateway for the management plane. The route 0/0 represents the default route for all destinations not otherwise specified in the routing table.
### **2.7 Committing the Configuration**
Changes made in configuration mode are not active until they are committed. The commit command validates the syntax of the configuration changes, saves them to the candidate configuration file, and then activates them, making them the running configuration of the switch. A confirmation message is displayed upon successful commit. After committing, the administrator can exit configuration mode using the exit command (returning to the root\> prompt) and subsequently log out of the CLI entirely using exit again.
The sequence and emphasis on setting the root password, configuring the me0 interface, defining the default gateway, and enabling SSH (covered in Section 7.3) strongly suggest that the primary goal of this initial configuration procedure is to establish secure, remote administrative access as quickly as possible. These steps collectively allow an administrator to move from direct console access to network-based management via SSH, which is standard practice. Other configurations, such as detailed interface setup or advanced system parameters, are presented as optional or are not detailed in this specific guide, indicating their secondary importance relative to achieving initial remote manageability.
## **3.0 Configuring Fundamental System Parameters**
Beyond basic connectivity and identification, several other system parameters are often configured during initial setup.
### **3.1 DNS Server Configuration**
To allow the switch to resolve domain names to IP addresses (necessary for tasks like reaching NTP servers by name or downloading software updates), DNS servers should be configured. The command set system name-server \<address\> is used, where \<address\> is the IP address of a reachable DNS server. Multiple DNS servers can typically be configured by repeating the command with different addresses.
### **3.2 User Account Management**
While initial access uses the root account, creating dedicated user accounts is often preferred for traceability and adherence to the principle of least privilege.
* **Creating Additional Users:** The command set system login user \<user-name\> authentication plain-text-password allows the creation of new local user accounts. The system prompts for and confirms the password for the new user.
* **Assigning Privileges:** New users require assigned privileges to perform tasks. The command set system login user \<user-name\> class super-user grants the specified user full administrative privileges, equivalent to the root user. Other predefined or custom classes can restrict user capabilities.
Providing the capability to create non-root administrative accounts facilitates better security practices. Although not explicitly framed as a security recommendation within this specific documentation, using individual administrative accounts instead of the shared root account enhances accountability and allows for more granular access control, aligning with standard security guidelines.
### **3.3 System Time and NTP**
Accurate timekeeping is essential for logging, troubleshooting, certificate validation, and correlating events across network devices. However, the analyzed documentation snippets, while listing "setting the system date and time" as an optional step in the initial configuration overview, *do not provide the specific CLI commands or procedures* for manually setting the system clock or configuring the Network Time Protocol (NTP) for automatic time synchronization.
This omission is significant. Operating network devices without accurate time synchronization can severely hamper troubleshooting efforts, particularly when analyzing logs, and can interfere with time-sensitive protocols or security mechanisms. Users relying solely on this initial configuration guide might overlook time synchronization, potentially leading to operational challenges later. It implies that administrators must consult other, more comprehensive Junos OS documentation to properly configure time settings.
### **3.4 Other Optional Initial Settings**
The documentation mentions a few other optional settings during the initial configuration phase:
* **Backup Router:** The command set system backup-router \<address\> configures a backup router address. This is noted to be used only when dynamic routing protocols are not active on the switch.
* **Static Routes for Management Access:** If specific remote subnets or prefixes need to reach the switch's management interface (me0) and are not covered by the default gateway, static routes can be added using set routing-options static route \<remote-subnet/prefix\> next-hop \<destination-IP\> retain no-readvertise. The retain no-readvertise options prevent these specific management routes from being redistributed if dynamic routing protocols are later enabled.
## **4.0 Network Interface Configuration Insights**
Network interface configuration is fundamental to switch operation, directing how data traffic is handled.
### **4.1 Management Interface (me0)**
As detailed in Section 2.6, the out-of-band management interface me0 is configured using set interfaces me0 unit 0 family inet address \<address\>/\<prefix-length\>. This establishes IP connectivity specifically for management purposes.
### **4.2 Default Data Interface Configuration**
The EX4400 switch ships with a factory-default configuration that pre-configures the data plane interfaces. This default setup enables basic Layer 2 functionality out-of-the-box. All physical network interfaces (e.g., Gigabit Ethernet ge-0/0/x, multi-gigabit Ethernet et-0/x/x, or fiber xe-0/x/x, depending on the model) are configured for Ethernet switching by assigning them to family ethernet-switching under unit 0. Furthermore, all these interfaces are placed into the default VLAN, named default, which has a VLAN ID of 1. A Layer 3 interface, irb.0, is also associated with this default VLAN in the factory settings.
### **4.3 Limitations Regarding Advanced Interface Configuration**
While the default configuration provides basic connectivity, the analyzed documentation *does not provide specific CLI commands or procedures* for tailoring interface configurations beyond the initial me0 setup and the default Layer 2 settings. Specifically, information is absent on:
* Configuring parameters on individual physical data ports, such as speed, duplex, descriptions, or disabling unused ports.
* Creating logical units (subinterfaces, e.g., unit 10, unit 20) on physical ports or LAGs to handle tagged VLAN traffic (IEEE 802.1Q).
* Configuring Link Aggregation Groups (LAGs or EtherChannels) to bundle multiple physical interfaces for increased bandwidth and redundancy.
The documentation itself acknowledges this limitation by suggesting consultation of more comprehensive Junos OS configuration guides for complete details on enabling the switch to forward traffic according to specific network requirements.
The default configuration effectively creates a single, flat Layer 2 broadcast domain (VLAN 1) encompassing all data ports, with basic Layer 2 switching enabled. While this allows immediate plug-and-play connectivity for devices in that single VLAN, it is rarely suitable for production network environments. Modern networks typically demand segmentation using multiple VLANs, resilience and bandwidth scaling via LAGs, and specific port-level settings for performance and security. The documentation details the starting point (the default state) but omits the necessary steps to transition the switch to a customized, operational state suitable for complex network roles. Administrators must therefore understand that significant further interface configuration, not covered in this initial guide, is almost always required.
## **5.0 Layer 2 Switching Feature Configuration (Based on Documentation)**
Layer 2 features like VLANs and Spanning Tree Protocol are critical for modern switched networks.
### **5.1 VLANs (Virtual LANs)**
The factory-default configuration establishes a baseline VLAN setup. All interfaces are members of the default VLAN, which uses VLAN ID 1, and a corresponding Layer 3 interface (irb.0) is configured for potential routing within this VLAN. However, the documentation *does not provide detailed steps or CLI commands* for common VLAN management tasks, such as:
* Creating new VLANs with different VLAN IDs and names.
* Assigning specific switch ports to these VLANs as access ports (untagged).
* Configuring ports as trunk ports to carry traffic for multiple VLANs (tagged).
* Configuring other VLAN properties.
The document only implicitly touches upon VLANs by mentioning that Ethernet switching (enabled by default) is a prerequisite and that in-band management could involve creating a management VLAN, but without providing the configuration commands.
### **5.2 Spanning Tree Protocol (STP)**
To prevent Layer 2 loops in networks with redundant paths, STP or its variants are used. The documentation highlights that Rapid Spanning Tree Protocol (RSTP), an enhancement over traditional STP, is *enabled by default* in the factory configuration on EX4400 switches. However, similar to VLANs, the documentation *does not offer specific procedures or commands* for configuring or tuning STP/RSTP behavior. This includes tasks like:
* Modifying the bridge priority to influence root bridge election.
* Adjusting interface path costs or priorities.
* Changing the STP mode (e.g., to MSTP, Multiple Spanning Tree Protocol).
* Enabling or disabling STP/RSTP on specific interfaces or VLANs.
The documentation's approach relies entirely on the pre-configured defaults – RSTP enabled globally and all ports residing in the default VLAN – to provide basic Layer 2 loop prevention and connectivity. This reinforces the guide's focus on initial device bring-up rather than detailed network design implementation. While the default RSTP setting offers fundamental loop protection, networks often require specific STP tuning for optimal performance and convergence. Users needing network segmentation via multiple VLANs or customized STP behavior must refer to more extensive Junos OS documentation, as this initial guide implicitly accepts the default Layer 2 state as sufficient for basic access and testing.
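The default Layer 2 state described in Sections 4.2, 4.3 and 5.1 can be checked from a saved configuration rather than by eye. The following is an added example (not code from the Juniper documentation): it flattens a hierarchical Junos configuration into set statements, the form `show configuration | display set` prints, and reports the physical ports still sitting in the flat default VLAN, singling out those with no description as likely unused ports to disable. The sample configuration is constructed to mirror the default state the guide describes and is not a real factory-default dump.

```python
"""Flatten a Junos hierarchical configuration into set statements and report
data-plane ports left in the factory-default flat Layer 2 state."""
import re

# Constructed sample in hierarchical form, modelled on the default state the
# guide describes (ports under family ethernet-switching, VLAN 'default' with
# ID 1 and irb.0). Not a real factory-default dump.
SAMPLE_HIERARCHICAL = """
interfaces {
    ge-0/0/0 {
        description "uplink to core";
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/2 {
        disable;
        unit 0 {
            family ethernet-switching;
        }
    }
    irb {
        unit 0;
    }
}
vlans {
    default {
        vlan-id 1;
        l3-interface irb.0;
    }
}
"""

def to_set_statements(text):
    """Emit 'set ...' lines, as 'show configuration | display set' would."""
    path, out = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("/*"):
            continue                          # blanks, comments, annotations
        if line.endswith("{"):
            path.append(line[:-1].strip())    # descend into a block
        elif line == "}":
            path.pop()                        # leave the block
        elif line.endswith(";"):
            out.append("set " + " ".join(path + [line[:-1].strip()]))
    return out

def default_vlan_ports(statements):
    """Return physical ports still in the flat default VLAN: family
    ethernet-switching, no explicit 'vlan members', not disabled."""
    state = {}
    for s in statements:
        m = re.match(r"set interfaces (?!irb\b)(\S+) (.+)$", s)
        if not m:
            continue
        port, rest = m.groups()
        d = state.setdefault(port, dict(l2=False, vlan=False, disabled=False, described=False))
        d["l2"] |= "family ethernet-switching" in rest
        d["vlan"] |= "vlan members" in rest
        d["disabled"] |= rest == "disable"
        d["described"] |= rest.startswith("description ")
    return {p: d for p, d in state.items()
            if d["l2"] and not d["vlan"] and not d["disabled"]}

def likely_unused_ports(statements):
    """Default-VLAN ports with no description: candidates to disable (Section 4.3)."""
    return sorted(p for p, d in default_vlan_ports(statements).items()
                  if not d["described"])
```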
## **6.0 Layer 3 Routing Configuration (Based on Documentation)**
While primarily Layer 2 devices, EX4400 switches possess Layer 3 routing capabilities. The initial configuration guide touches upon only the most basic aspects.
### **6.1 Static Routing**
The documentation covers the configuration of static routes primarily for management plane connectivity:
* **Default Gateway:** As mentioned previously (Section 2.6), the command set routing-options static route 0/0 next-hop \<address\> configures the essential default route, enabling the switch's management interface to reach external networks.
* **Specific Management Routes:** The guide also shows how to configure static routes for specific remote subnets or prefixes that need to access the switch's management port (me0), using set routing-options static route \<remote-subnet/prefix\> next-hop \<destination-IP\> retain no-readvertise.
### **6.2 Dynamic Routing Protocols (e.g., OSPF, BGP)**
The documentation explicitly states that it *does not provide configuration details or examples* for dynamic routing protocols like OSPF (Open Shortest Path First), BGP (Border Gateway Protocol), or RIP (Routing Information Protocol). The only hint towards dynamic routing capabilities is the description of the optional set system backup-router \<address\> command, which is noted as being applicable only "when a routing protocol is not running", implying such protocols can be configured but are outside the scope of this initial setup guide.
The Layer 3 configuration detailed in this guide is minimal, focusing almost exclusively on ensuring the switch's own management interface can communicate across network boundaries via the default gateway, and allowing specific external networks to reach the management interface via static routes. There is no coverage of configuring Layer 3 interfaces for inter-VLAN routing (beyond the default irb.0 interface associated with VLAN 1) or implementing dynamic routing protocols to exchange routing information with other network devices. This limited scope strongly suggests the documentation's primary aim is establishing management plane connectivity, not configuring the switch for complex data plane routing tasks.
## **7.0 Initial Security Configuration Steps**
Securing the switch starts with the initial configuration. The documentation covers several fundamental security-related steps, while omitting others.
### **7.1 Mandatory Root Password**
The most critical initial security action covered is setting a password for the root account using set system root-authentication plain-text-password (or alternatives like encrypted passwords or SSH keys) immediately after initial login. This prevents trivial unauthorized access.
### **7.2 Optional User Account Creation**
The ability to create additional user accounts (e.g., set system login user \<user-name\>...) and assign specific privilege levels (e.g., class super-user) is provided. While presented as optional, utilizing non-root accounts aligns with security best practices for auditing and limiting potential damage from compromised credentials.
### **7.3 SSH Service Configuration**
Secure remote management typically relies on SSH. The documentation provides the command set system services ssh root-login allow to enable the SSH service. While enabling SSH is essential for secure remote CLI access, the inclusion of root-login allow permits direct login using the highly privileged root account over SSH. Security hardening guidelines often recommend disabling direct root login via SSH (set system services ssh root-login deny or no-allow) and requiring administrators to log in with their personal accounts, potentially elevating privileges afterward if necessary using role-based access control (RBAC) mechanisms like Junos user classes. The documentation presents a functional method to enable SSH access but uses an option (root-login allow) that might be considered suboptimal from a strict security standpoint, likely prioritizing ease of initial access over a more hardened configuration.
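The initial-setup items from Sections 2.4 to 2.6, 3.1 and 3.2, together with the SSH root-login concern just described, can be verified against a saved configuration. The following is an added example (not code from the Juniper documentation): a small Python audit over a set-format configuration that reports what is missing and flags `root-login allow`, plus a helper that rewrites that option to `deny`. The sample configuration, hostnames, addresses and password hashes are constructed placeholders.

```python
"""Audit a Junos set-format configuration for the initial-setup items in this
guide and flag direct root login over SSH, which the guide's command allows."""
import re

# Constructed sample: the guide's initial-setup commands as 'show configuration
# | display set' prints them. Placeholder hashes; not a real device dump.
WEAK_CONFIG = """\
set system host-name ex4400-lab
set system root-authentication encrypted-password "$6$PLACEHOLDER-HASH"
set system name-server 192.0.2.53
set system login user netadmin class super-user
set system login user netadmin authentication encrypted-password "$6$PLACEHOLDER-HASH"
set system services ssh root-login allow
set interfaces me0 unit 0 family inet address 192.0.2.10/24
set routing-options static route 0/0 next-hop 192.0.2.1
"""

# (pattern a compliant config must contain, finding reported when it is absent)
REQUIRED = [
    (r"^set system root-authentication (encrypted-password|ssh-\S+) ",
     "root password or SSH key not set (Section 2.4)"),
    (r"^set interfaces me0 unit 0 family inet address \S+/\d+$",
     "me0 has no IPv4 address (Section 2.6)"),
    (r"^set routing-options static route 0/0 next-hop \S+$",
     "no default gateway for the management plane (Section 2.6)"),
    (r"^set system name-server \S+$", "no DNS server (Section 3.1)"),
    (r"^set system services ssh", "SSH service not enabled (Section 7.3)"),
]
ROOT_LOGIN_ALLOW = r"^set system services ssh root-login allow$"
SUPER_USER = r"^set system login user (\S+) class super-user$"

def audit(config_text):
    """Return a list of findings; an empty list means every check passed."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]
    findings = [msg for pat, msg in REQUIRED
                if not any(re.match(pat, l) for l in lines)]
    if not any(re.match(SUPER_USER, l) for l in lines):
        findings.append("no named super-user account; root is the only login (Section 3.2)")
    if any(re.match(ROOT_LOGIN_ALLOW, l) for l in lines):
        findings.append("SSH permits direct root login; prefer 'root-login deny' "
                        "and named accounts (Section 7.3)")
    return findings

def harden(config_text):
    """Rewrite the SSH line so root cannot log in directly over SSH; the SSH
    service itself stays enabled for the named accounts."""
    return re.sub(ROOT_LOGIN_ALLOW, "set system services ssh root-login deny",
                  config_text, flags=re.MULTILINE)

if __name__ == "__main__":
    for finding in audit(WEAK_CONFIG):
        print("FINDING:", finding)
    print("after hardening:", audit(harden(WEAK_CONFIG)) or "no findings")
```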
### **7.4 Management Access Strategy (In-band vs. Out-of-band)**
The documentation briefly mentions the choice between in-band management (using a regular network port, possibly in a dedicated management VLAN) and out-of-band management (using the dedicated me0 port). It implicitly favors out-of-band by detailing the me0 configuration. Out-of-band management is generally considered more secure as it isolates management traffic from the production data network, reducing the attack surface. However, specific configuration steps for in-band management are not provided.
### **7.5 Omitted Security Features**
Notably, the initial configuration guide *does not cover* the setup of crucial security features commonly deployed on switches:
* **Firewall Filters:** Applying stateless firewall filters (similar to Access Control Lists or ACLs) to control traffic flowing through interfaces or destined for the switch's control plane.
* **Port Security:** Implementing features like MAC limiting (restricting the number of MAC addresses learned on a port), DHCP snooping (validating DHCP messages), or Dynamic ARP Inspection (preventing ARP spoofing).
These features are typically configured after basic connectivity is established and are considered essential for securing network access at the edge. Their omission reinforces the guide's focus on initial bootstrapping rather than comprehensive security hardening.
## **8.0 Basic Monitoring and Maintenance Procedures**
The documentation provides limited information on operational monitoring but details procedures for managing the switch's configuration state, particularly reverting to defaults.
### **8.1 Monitoring Commands Mentioned**
The guide does not focus on operational monitoring commands. Only a few show commands are mentioned incidentally, primarily in the context of verifying Virtual Chassis settings when reverting configurations:
* show virtual-chassis: Used to check member ID and primary-role priority.
* show virtual-chassis vc-port: Used to check uplink Virtual Chassis Port (VCP) settings.
Comprehensive commands for monitoring system health (show system...), interface status and statistics (show interfaces...), or system logs (show log...) are *not detailed* in this documentation.
### **8.2 Maintenance Commands/Procedures**
The documentation provides more detail on maintenance related to configuration management:
* **Backup Configuration:** The command request system snapshot is recommended for backing up the current configuration and system files before performing potentially disruptive actions like reverting to factory defaults.
* **Reverting to Factory Defaults:** Three distinct methods are described:
1. **request system zeroize Command:** This operational mode command completely erases all configuration information, log files, and user-created data, resetting all keys. The switch then reboots with the factory-default configuration. A variant, request system zeroize media, performs a more thorough erasure of user data. This is the most destructive method.
2. **load factory-default Command:** This configuration mode command replaces the current *active* configuration with the factory-default settings. Crucially, it *preserves* the configured root password. After loading, the changes must be committed manually (commit). This method does not trigger the EZsetup script upon reboot and requires checking Virtual Chassis settings if applicable.
3. **Factory Reset/Mode Button:** A physical button on the switch's front panel can be used. Pressing and holding it for 10 seconds reverts the switch to the factory-default configuration. Holding it for a subsequent 10 seconds (total 20 seconds) activates the EZsetup mode for simplified initial setup via DHCP and J-Web. CLI commands exist to disable or re-enable this physical button's functionality.
## **Works cited**
1. Configure Junos OS on the EX4400 | Juniper Networks, accessed April 27, 2025, [https://www.juniper.net/documentation/us/en/hardware/ex4400/topics/topic-map/ex4400-configure-junos-os.html](https://www.juniper.net/documentation/us/en/hardware/ex4400/topics/topic-map/ex4400-configure-junos-os.html)