Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Manual EX Series Switch Configurations



All the features you need to set up interoperability between Juniper access points with EX Series switches are available in Junos OS Release 18.4R2.7 and later. The procedures are the same for any Juniper EX2300, EX3400 or EX4300 Ethernet Switch, and any Juniper access points (AP43, AP41, AP 21, and AP61).


To manually connect Juniper access points to an EX Series switch, start by configuring the switch and then move to the Juniper Mist portal on the cloud to finish the connection details. Once connected, you can also SSH back to the switch from the Juniper Mist portal to make any additional configuration settings you might have.

Figure 1: Switch Connections
 Switch Connections

Set Up the EX Series Switch

Before You Begin

Note that it might be necessary to configure your firewall so that the switch can receive the traffic from the Juniper Mist cloud over TCP port 2200. If so, please see your firewall documentation for those details.

PoE must be enabled on the relevant interfaces of the EX Series switch.

In addition, when making the physical connections, pay attention to the LED status lights on the Juniper access points to see whether the connection is good. The LEDs use a blink pattern to signal connection errors in the event the connection to the cloud fails. A steady green light indicates the connection succeeded, and a steady red light indicates failure. Two red lights mean the device is booting up. For information on all lights and blink patterns, see What is the LED telling me?

Configure a Hostname and Password on the EX Series Switch

Step-by-Step Procedure

The first task is to configure some system settings on the EX Series switch, including a hostname and password.

  1. Log in to the device CLI and type configure to start configuration mode, which allows you to edit the configuration.
  2. In the CLI, enter the following commands (note that you are prompted to create a password as part of the second command).
    set system host-name Switch-1
    set system root-authentication plain-text-password
  3. Next, add a DNS server so the switch can resolve the IP addresses obtained from the Juniper Mist portal.
    set system name-server ip-address
  4. Configure your time zone and add an NTP server to the switch.
    set system time-zone UTC
    set system ntp server ip-address
  5. For any EX Series switches that are acting as a DHCP client, disallow automatic software downloads.
    delete chassis auto-image-upgrade
  6. To allow remote administration of the EX switch from the Juniper Mist portal, you need to enable root login over SSH.
    set system services ssh root-login allow

Configure the Guest and Employee Networks

On EX Series switches, you can configure a port interface as either a Layer 2 access port, a Layer 2 trunk port, or a Layer 3 interface port. A Layer 2 trunk port is typically used when there is traffic from multiple VLANs connecting to it. To differentiate the separate VLAN flows, packets entering the port are tagged with a VLAN identifier (as defined in IEEE 802.1Q) of your choice.

You can connect the Juniper access points to a tagged port or untagged port configured for native VLAN. This NCE uses untagged (also known as native), because Juniper access points boot on untagged VLANs by default.

To protect the LAN against broadcast storms, we’ll also enable storm control on the interfaces (briefly, storm control is a feature that prevents broadcast storms by automatically dropping packets when traffic-levels exceed a set limit).

Step-by-Step Procedure

  1. Configure the VLAN IDs for the management, guest, and employee networks using the following VLAN IDs: VLAN 180, VLAN 188, and VLAN 189, respectively.
  2. To locally route between VLANs or subnets on the local switch, you need integrated routing and bridging (IRB) interfaces. We create these here, and also assign each IRB an IP address for connecting to the Juniper Mist portal.
  3. Next you need to attach each of the IRBs that you just created to its respective VLAN.
  4. Associate the physical interfaces with their respective VLANs, and apply storm control. For the guest network, this example uses ge-0/0/0 configured as an access interface. The employee network uses ge-0/0/2, also as an access interface.

    The interface that the Juniper access points will connect to is ge-0/0/1, which is configured as a trunk interface. Set the management VLAN as a native (untagged) interface because an access point boots on an untagged VLAN by default.

  5. Create a default storm control profile to support the storm-control settings in the previous step.
  6. Add a default gateway to the switch. Use the IP address of your next-hop router.
  7. To show your wired clients in the Juniper Mist portal, you need to enable dhcp-security on the IRB interfaces.
  8. Check your settings for validity by running the Junos OS commit check command, or run the following show commands to display the configuration as entered (the vlan information included below appears only after the configuration has been committed).
    show interfaces ge-0/0/1
    run show vlans

Enable PoE+ on the Interfaces

Step-by-Step Procedure

The next task is to enable PoE+ on the interfaces. Start by checking what version of the controller software the switch is running. (A more recent version might be on the device as part of a Junos OS upgrade, and if so, you should upgrade the controller software.) You can find instructions for doing the upgrade in this document: Upgrading the PoE Controller Software.

  1. Find what version of the controller software the switch is running.
    run show poe controller

    To stay well within the capacity of the power supply (single or dual) provisioned on most EX Series switches, we recommend that you budget 75 percent or less of the switch ports for (physically) connecting 802.11at PoE capable Juniper access points.

  2. Enable PoE+ on the switch interfaces intended for Juniper access point connections.
  3. Verify your configuration settings (the details below appear only after the configuration has been committed).
    run show poe interface ge-0/0/1
  4. Enable PoE power monitoring on the switch to view real-time statistics including power consumption, and to support port-level telemetry. Do this for all switch ports, or at least for those connecting to a Juniper access point.
    set poe interface all telemetries interval 10
  5. Run the following commands to view PoE statistics (the details shown below appear only after the configuration has been committed).
    run show poe interface

Enable Junos OS Link Layer Discovery Protocol

Step-by-Step Procedure

Have the switch send Junos OS Link Layer Discovery Protocol (LLDP) information to the Juniper Mist cloud. Although LLDP is enabled by default on all interfaces on the switch, you need to configure it as shown here so it works with the Juniper Mist portal. (LLDP, as described in the IEEE 802.1AB specification, is a standards-based method of exchanging device capabilities.)

  1. Enter the following commands to configure LLDP (using an IP address appropriate for your network).
  2. View the LLDP statistics (the details shown below appear only after the configuration has been committed).
    run show lldp neighbors
  3. Query the Junos OS switching table to see if the Juniper access points show up in the MAC table. In the example output, the management VLAN appears, which confirms that they do.
    run show ethernet-switching table

Enable the Switch to Receive DHCP or BOOTP Requests

Step-by-Step Procedure

You enable the switch to receive DHCP or BOOTP requests so it can receive broadcast messages, sent from clients and associated to the Juniper access points, and then relay these requests to a DHCP or BOOTP server. This is especially important for wireless clients so they can reach a given remote DHCP or BOOTP server even though neither the access point nor clients have Layer 2 adjacency with the DHCP server.

  1. Enable BOOTP requests on the switch, by entering the following command.

    (You must explicitly type “bootp” for the command to appear, that is, you can’t just use the tab or space key.)

  2. You can also configure the switch to act as a DHCP server. Doing so is useful for sandbox deployments, but in a production environment, we recommend that you use an external DHCP server (that is, not DHCP on the switch). The following commands create DHCP pools for the guest, employee, and management VLANs, and also for any Juniper access points and associated clients.
  3. (Optional) Configure a proxy URL using DHCP option 43. This step is provided to support the case where you have Juniper access points that need to connect to the EX Series switch using a proxy server. The first set of commands shows how to add the IP address of the proxy in plain text for the guest, employee, and management VLANs. The second does the same for hex addresses (you only need to run one). See Proxy URL Configuration via DHCP Option 43 with Microsoft Windows Server   for more information.



Step-by-Step Procedure

Confirm your settings by running show commands at the different levels of the hierarchy to display the configuration as entered. Confirm the validity by running the Junos OS commit check command (you need to actually commit the configuration to see the actual dhcp server binding).

  1. View the configurations you entered.
    show access address-assignment
    show system services dhcp-local-server
  2. Run the show dhcp server binding and show dhcp server statistics commands to verify DHCP message statistics between server and the clients. The sample output shown here shows that the DHCP pools for guest, employee, and management VLANs are bound, and that the client is receiving DHCP messages.
    run show dhcp server binding
    run show dhcp server statistics

Enable 802.1x Authentication on the Switch Ports

We recommend that you enable 802.1x port-based network access control (PNAC) authentication on the switches to authenticate the Juniper access points. There are three ways you can do this:

  • Authenticate the first end device (supplicant) on an authenticator port, and allow all other connecting end devices to also have access to the LAN

  • Authenticate a single end device on an authenticator port at one time

  • Authenticate multiple end devices on an authenticator port (this is typically used in VoIP configurations)

Step-by-Step Procedure

  1. Configure the management interface to authenticate multiple end devices. For the 802.1x authentication, this example uses protocol dot1x, which is supported on interfaces that are members of private VLANs. Replace ge-0/0/0.0 with the correct interface for your switch.
  2. Confirm your settings by running show protocols dot1x commands to display the configuration as entered. Run commit check to confirm the validity of the configuration, or commit if you’re done.
    show protocols dot1x

Manage Logs in EX Series Switches

Junos OS writes log messages to a file, that, when it reaches a specified size, is compressed and archived and a new log file is started. We recommend that you enable this feature. View access to these log files is restricted to the root user and users who have Junos OS maintenance permission.

Step-by-Step Procedure

  1. Set the syslog file size to 1 MB, after which the log is archived and a new one is started. After 10 log files are archived, the oldest one is replaced with the newest.
  2. You can confirm your settings by running the show system syslog command to display the configuration as entered. Run the commit command to save the configuration. System logs are written to the /var/log directory.

(Optional) Automate Switch Port Provisioning

Junos OS can run scripts based on system events. You can use event scripts to automatically provision switch ports for the Juniper access points, and you can have them monitor LLDP events to identify when a Juniper access point has been connected to a switch port, or to trigger an action in response to link up and link down events. You can get the sample script used here by contacting your Juniper technical representative.

Once a Juniper access point has been identified, the script searches the Junos OS configuration for a matching VLAN, and, when found, updates the Junos OS configuration to make that VLAN the native VLAN for ports connected to Juniper access points.

Use the Juniper Mist account you just created to copy the Python script onto the switch so that when the script runs, it runs using those access privileges.

Step-by-Step Procedure

  1. Create a juniper-mist user for the event scripts to run under.
  2. Configure the switch to run unsigned Python scripts.
    set system scripts language python
  3. Commit the configuration by running the commit command.
  4. Switch to the juniper-mist account by typing exit in the CLI command window to end that session, and then log back in using the juniper-mist account.
  5. Copy the script you received from your Juniper technical representative from its location to the Junos event script file location on the switch (use run file copy if you are in configure mode).
    file copy file-location /var/db/scripts/event
  6. Confirm your settings by running show commands at the system login user juniper-mist level of the hierarchy to display the configuration as entered. You can confirm the validity by running the Junos OS commit check command.
    run show system login user juniper-mist
  7. Type configure to return to configuration mode and then enter the following commands to create event policies on the switch to run the script whenever the monitored links go down or up.
  8. Run the following show commands at the event-options level of the hierarchy to see the commands you entered. Run commit to save the configuration.
    run show event-options
  9. Leave the CLI connection open when you’re done. After logging on to the Juniper Mist portal, you need to get some additional configuration setting from the Juniper Mist portal for additional updates that you still need to make on the switch.