Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Switch Configuration Options

SUMMARY Use this information to configure your switches.


You can enter switch settings at the organization level or the site level.

  • To configure organization-wide settings, select Organization > Switch Templates from the left menu of the Juniper Mist portal. Then create your template and apply it to one or more sites or site groups.

  • To configure switch settings at the site level, select Site > Switch Configuration from the left menu of the Juniper Mist portal. Then select the site that you want to set up, and enter your switch settings.

    If an organization-level switch template was assigned to the site, the site configuration will appear in view-only mode. You can keep the settings from the template or make adjustments. In each section of the page, you can select Override Configuration Template and then enter your changes. These changes will apply only to this site, not to the template.

    The following example shows how to override a template and set a site-specific root password.

    Override Configuration Template Example

The fields that support configuration through site variable have a help text showing the site variable configuration format underneath them. To configure site variables, follow the steps provided in Configure Site Variables. For more information about the switch configuration process and switch templates, see Configure Switches.

At both the organization and site levels, the switch settings are grouped into sections as described below.

All Switches

Configure these options in the All Switches section of the Organization > Switch Templates page and the Site > Switch Configuration page.

All Switches
Table 1: All Switches Configuration Options
Field Description

Choose an authentication server for validating usernames and passwords, certificates, or other authentication factors provided by users.

  • Mist Auth—Select this option if you want to configure Juniper Mist Access Assurance, a cloud-based authentication service from Mist, on your switch. For this option to work, you also need to use a port with dot1x or MAB authentication. For more information, see the 'Introducing Mist Access Assurance' section on this product updates page.


    Mist Auth on wired switches requires Junos 20.4R3-S7 or above, 22.3R3 or above, 22.4R2 or above, or 23.1R1 or above.

    To configure Mist Access Assurance features such as authentication policies, policy label, certificates, and identity providers, navigate to Organization > Access.

  • RADIUS—Select this option to configure a RADIUS authentication server and an accounting server, for enabling dot1x port authentication at the switch level. For the dot1x port authentication to work, you also need to create a port profile that uses dot1x authentication, and you must assign that profile to a port on the switch.

    The default port numbers are:

    • port 1812 for the authentication server

    • port 1813 for the accounting server


If you want to set up RADIUS authentication for Switch Management access (for the switch CLI login), you need to include the following CLI commands in the Additional CLI Commands section in the template:

set system authentication-order radius
set system radius-server radius-server-IP port 1812
set system radius-server radius-server-IP secret secret-code
set system radius-server radius-server-IP source-address radius-Source-IP
set system login user remote class class

For RADIUS or TACACS+ local authentication to the Switch, it is necessary to create a remote user account or a different login class. To use different login classes for different RADIUS-authenticated users, create multiple user templates in the Junos OS configuration by using the following CLI commands in the Additional CLI Commands section:

set system login user RO class read-only
set system login user OP class operator
set system login user SU class super-user
set system login user remote full-name "default remote access user template"
set system login user remote class read-only
TACACS+ Configure TACACS+ for centralized user authentication on network devices. Additionally, you can enable TACACS+ accounting on the device to gather statistical data about user logins and logouts on a LAN, and send this data to a TACACS+ accounting server.

The port range supported for TACACS+ and accounting servers is 1 to 65535.


For TACACS+ to authenticate into the Switch, a similar login user as defined in the RADIUS section above needs to be created.

NTP Specify the IP address or hostname of the Network Time Protocol (NTP) server. NTP is used to synchronize the clocks of the switch and other hardware devices on the Internet.

Configure the domain name server (DNS) settings. You can configure up to three DNS IP addresses and suffixes in comma separated format.


Configure Simple Network Management Protocol (SNMP) on the switch to support network management and monitoring. You can configure the SNMPv2 or SNMPv3. Here are the SNMP options that you can configure:

  • Options under SNMPv2 (V2)

    • General—Specify the system's name, location, administrative contact information, and a brief description of the managed system. When using SNMPv2, you have the option to specify the source address for SNMP trap packets sent by the device. If you don't specify a source address, the address of the outgoing interface is used by default.

    • Client—Define a list of SNMP clients. You can add multiple client lists. This configuration includes a name for the client list and IP addresses of the clients (in comma separated format). Each client list can have multiple clients. A client is a prefix with /32 mask.

    • Trap Group—Create a named group of hosts to receive the specified trap notifications. At least one trap group must be configured for SNMP traps to be sent. The configuration includes the following fields:

      • Group Name—Specify a name for the trap group.

      • Categories—Choose from the following list of categories. You can select multiple values.

        • authentication

        • chassis

        • configuration

        • link

        • remote-operations

        • routing

        • services

        • startup

        • vrrp-events

      • Targets—Specify the target IP addresses. You can specify multiple targets.

      • Version—Specify the version number of SNMP traps.

    • Community—Define an SNMP community. An SNMP community is used to authorize SNMP clients by their source IP address. It also determines the accessibility and permissions (read-only or read-write) for specific MIB objects defined in a view. You can include a client list, authorization information, and a view in the community configuration.

    • View(Applicable to both SNMPv2 and SNMPv3)—Define a MIB view to identify a group of MIB objects. Each object in the view shares a common object identifier (OID) prefix. MIB views allow an agent to have more control over access to specific branches and objects within its MIB tree. A view is made up of a name and a collection of SNMP OIDs, which can be explicitly included or excluded.

  • Options under SNMPv3 (V3)

    • General—Specify the system's name, location, administrative contact information, and a brief description of the managed system. When using SNMPv2, configure an engine ID, which serves as a unique identifier for SNMPv3 entities.

    • USM—Configure the user-based security model (USM) settings. This configuration includes a username, authentication type, and an encryption type. You can configure a local engine or a remote engine for USM. If you select a remote engine, specify an engine identifier in hexadecimal format. This ID is used to compute the security digest for authenticating and encrypting packets sent to a user on the remote host. If you specify the Local Engine option, the engine ID specified on the General tab is considered. If no engine ID is specified, local mist is configured as the default value.

    • VACM—Define a view-based access control model (VACM). A VACM lets you set access privileges for a group. You can control access by filtering the MIB objects available for read, write, and notify operations using a predefined view (you must define the required views first from the Views tab). Each view can be associated with a specific security model (v1, v2c, or usm) and security level (authenticated, privacy, or none). You can also apply security settings (you have the option to use already defined USM settings here) to the access group from the Security to Group settings.

    • Notify— Select SNMPv3 management targets for notifications, and specify the notification type. To configure this, assign a name to the notification, choose the targets or tags that should receive the notifications, and indicate whether it should be a trap (unconfirmed) or an inform (confirmed) notification.

    • Target—Configure the message processing and security parameters for sending notifications to a particular management target. You can also specify the target IP address here.

    • View(Applicable to both SNMPv2 and SNMPv3)—Define a MIB view to identify a group of MIB objects. Each object in the view shares a common object identifier (OID) prefix. MIB views allow an agent to have more control over access to specific branches and objects within its MIB tree. A view is made up of a name and a collection of SNMP OIDs, which can be explicitly included or excluded.

For more information, see Configure SNMP on Switches.


Configure static routes. The switch uses static routes when:

  • It doesn't have a route with a better (lower) preference value.

  • It can't determine the route to a destination.

  • It needs to forward packets that can't be routed.

Types of static routes supported:

  • Subnet—If you select this option, specify the IP addresses for the destination network and the next hop.

  • Network—If you select this option, specify a VLAN (containing a VLAN ID and a subnet) and the next hop IP address.

  • Metric—The metric value for the static route. This value helps determine the best route among multiple routes to a destination. Range: 0 to 4294967295.

  • Preference—The preference value is used to select routes to destinations in external autonomous systems (ASs) or routing domains. Routes within an AS are selected by the IGP and are based on that protocol’s metric or cost value. Range: 0 to 4294967295.

  • Discard—If you select this check box, packets addressed to this destination are dropped. Discard takes precedence over other parameters.

After specifying the details, click the check mark (✓) on the upper right of the Add Static Route window to add the configuration to the template.


To configure any additional settings that are not available in the template's GUI, you can use set CLI commands.

For instance, you can set up a custom login message to display a warning to users, advising them not to make any CLI changes directly on the switch. Here's an example of how you can do it:

set system login message \n\n Warning! This switch is managed by Mist. Do not make any CLI changes.

To delete a CLI command that was already added, use the delete command, as shown in the following example:

delete system login message \n\n Warning! This switch is managed by Mist. Do not make any CLI changes.

Ensure that you enter the complete CLI command for the configuration to be successful.

OSPF From this tile, you can:
  • Define an Open Shortest Path First (OSPF) area. OSPF is a link-state routing protocol used to determine the best path for forwarding IP packets within an IP network. OSPF divides a network into areas to improve scalability and control the flow of routing information. For more information about OSPF areas, see this Junos documentation: Configuring OSPF Areas.

  • Enable or disable OSPF configuration on the switch.


Enable the DHCP snooping option to monitor DHCP messages from untrusted devices connected to the switch. DHCP snooping creates a database to keep track of these messages. This helps prevent the acceptance of DHCPOFFER packets on untrusted ports, assuming they originate from unauthorized DHCP servers.

DHCP configuration has the following options:

  • All Networks— Select the All Networks check box to enable DHCP snooping on all VLANs.

  • Networks—If you want to enable DHCP snooping only on specific networks, click Add (+) in the Networks box and add the required VLANs.

  • Address Resolution Protocol (ARP) Inspection—Enable this feature to block any man-in-the-middle attacks. ARP Inspection examines the source MAC address in ARP packets received on untrusted ports. It validates the address against the DHCP snooping database. If the source MAC address does not have a matching entry (IP-MAC binding) in the database, it drops the packets.

    You can check ARP statistics by using the following CLI commands: show dhcp-security arp inspection statistics, and show log messages | match DAI.

    The device logs the number of invalid ARP packets that it receives on each interface, along with the sender’s IP and MAC addresses. You can use these log messages to discover ARP spoofing on the network.

  • IP Source Guard—IP source guard validates the source IP and MAC addresses received on untrusted ports against entries in the DHCP snooping database. If the source addresses do not have matching entries in the database, IP Source Guard discards the packet.


    IP Source Guard works only with single-supplicant 802.1X user authentication mode.

  • If you have a DHCP server connected to an untrusted access port, DHCP won't function properly. In such cases, you may need to make adjustments to ensure that DHCP works as intended. By default, DHCP considers all trunk ports as trusted and all access ports as untrusted.

  • You need to enable VLAN on the switch for the DHCP snooping configuration to take effect. So you need to apply port profiles (described later in this document) to the ports.

A device with a static IP address might not have a matching MAC-IP binding in the DHCP snooping database, if you have connected the device to an untrusted port on the switch. To check the DHCP snooping database on your switch and view the bindings, use the CLI command show dhcp-security binding. This command will provide you with information about the DHCP bindings recorded in the snooping database.

For more information, see DHCP Snooping and Port Security Considerations.

You need to enable this feature if you want to view the DHCP issues for the switch under the Successful Connect SLE metric.


Configure SYSLOG settings to set up how system log messages are handled. You can configure settings to send the system log messages to files, remote destinations, user terminals, or to the system console. Here are the configuration options available for SYSLOG settings:

  • Files—Send log messages to a named file.

  • Hosts—Send log messages to a remote location. This could be an IP address or hostname of a device that will be notified whenever those log messages are generated.

  • Users—Notify a specific user of the log event.

  • Console—Send log messages of a specified class and severity to the console. Log messages include priority information, which provides details about the facility and severity levels of the log messages.

  • Archive—Define parameters for archiving log messages.

  • General—Specify general information such as a time format, routing instance, and source address for the log messages.


Configure port mirroring.

Port mirroring is the ability of a router to send a copy of a packet to an external host address or a packet analyzer for analysis. In the port mirroring configuration, you can specify the following:

  • Input: The source (an interface or network) of the traffic to be monitored. Along with the input, you can specify whether you want Mist to monitor the ingress traffic or the egress traffic for an interface. If you want both ingress and egress traffic to be monitored, add two input entries for the same interface - one with the ingress flag and the other with the egress flag.

  • Output: The destination interface to which you want to mirror the traffic. You cannot specify the same interface or network in both the input and output fields.

Routing Policy

Configure routing policies for the entire organization (Organization > Switch Templates) or for a site (Site > Switch Configuration). These routing policies will only be pushed to the switch configuration if it is tied to the BGP Routing Protocol. The Routing policies that are already defined inside the BGP tab of a switch will now appear on the Routing Policy tab. The routing policies are tied to protocols such as BGP or OSPF. A routing policy framework is composed of default rules for each routing protocol. These rules determine which routes the protocol places in the routing table and advertises from the routing table. Configuration of a routing policy involves defining terms, which consist of match conditions and actions to apply to matching routes.

To configure a routing policy:

  1. Click Add Routing Policy on the Routing Policy tile.

  2. Provide a name to the policy, and then click Add Terms.

  3. Provide a name to the term and specify other match details such as:

    • Prefix

    • AS Path

    • Protocol

    • Community—A route attribute used by BGP to administratively group routes with similar properties.

    • Then—Then action (Accept or Reject) to be applied on the matching routes.

    • Add Action—Additional actions such as prepend AS path, set community, and set local preference.

  4. Click the check mark (✓) on the right of the Add Term title to save the term. You can add multiple terms.

  5. Click Add to save the routing policy.


Configure these options in the Management section of the Organization > Switch Templates page and the Site > Switch Configuration page.

Management Section of the Configuration Page
Table 2: Management Configuration Options
Option Notes

Configuration Revert Timer

This feature helps restore connectivity between a switch and the Mist cloud if a configuration change causes the switch to lose connection. It automatically reverts the changes made by a user and reconnects to the cloud within a specified time duration. By default, this time duration is set to 10 minutes for EX Series switches. You can specify a different time duration.

Root Password

A plain-text password for the root-level user (whose username is root).

Protection of Routing Engine

Enable this feature to ensure that the Routing Engine accepts traffic only from trusted systems. This configuration creates a stateless firewall filter that discards all traffic destined for the Routing Engine, except SSH and BGP protocol packets from specified trusted sources. For more information, refer to Example: Configuring a Stateless Firewall Filter to Accept Traffic from Trusted Sources.

Idle Timeout

The maximum number of minutes that a remote shell session can be idle. When this limit is reached, users are logged out. (Valid Range: 1-60).

Login Banner

Enter text that you want users to see when they log in to the switch. Example: “Warning! This switch is managed by Juniper Mist. Do not make any CLI changes.” You can enter up to 2048 characters.

Shared Elements

Configure these options in the Shared Elements section of the Organization > Switch Templates page and the Site > Switch Configuration page.

Shared Elements Section
Table 3: Shared Elements Configuration Options
Option Notes


Add or update VLANs, which you can then use in your port profiles.

For each VLAN, enter the name, VLAN ID, and subnet. See the on-screen information for more tips.

Port Profiles

Add or update port profiles. For help with the profile options, see the on-screen tips and Shared Elements—Port Profiles.

Dynamic Port Configuration

Dynamic port profiling uses a set of device properties of the connected client device to automatically associate pre-configured port and network settings to the interface.

You can configure a dynamic port profile based on the following parameters:

  • LLDP System Name

  • LLDP Description

  • LLDP Chassis ID

  • Radius Username

  • Radius Filter-ID

  • MAC (Ethernet mac-address)

In this example, the rule applies a port profile to all devices with the specified LLDP system name.

For your dynamic port configurations to take effect, you also need to specify the ports that you want to function as dynamic ports. You can do this by selecting the Enable Dynamic Configuration check box on the Port Config tab in the Select Switches section of the switch template or in the Port Configuration section of the switch details page.

It takes a couple of minutes for a port profile to be applied a port after a client is recognized, and a couple of minutes after that for the port profile assignment status to appear on the Mist portal.

In case of switch reboots or a mass link up or down event affecting all ports on a switch, it takes approximately 20 minutes for all the ports to be assigned to the right profile (assuming that dynamic port configuration is enabled on all the ports).


With VRF, you can divide an EX Series switch into multiple virtual routing instances, effectively isolating the traffic within the network. You can define a name for the VRF, specify the networks associated with it, and include any additional routes needed.


You can't assign the default network (VLAN ID = 1) to VRF.

Shared Elements—Port Profiles

In the Shared Elements section, you can configure port profiles. These options appear when you click Add Profile or when you click a profile to edit.

  • For general information about profiles, see Port Profiles Overview.

  • If you're working at the site level, you might see asterisks (*) next to the port profile names. These port profiles were created in the switch template. If you click them, you'll see the settings in view-only mode. To make site-specific changes (affecting only this site and not the switch template itself), select Override Template Defined Profile and then edit the settings.

Table 4: Port Profile Configuration Options
Option Notes
Name, Port Enabled, and Description

Basic settings to identify and enable the port.

  • Trunk—Trunk interfaces typically connect to other switches, APs, and routers on the LAN. In this mode, the interface can be in multiple VLANs and can multiplex traffic between different VLANs. Specify the Port Network, VoIP Network (if applicable), and Trunk Networks.

  • Access—Default mode. Access interfaces typically connect to network devices, such as PCs, printers, IP phones, and IP cameras. In this mode, the interface can be in a single VLAN only. Specify the Port Network and the VoIP Network (if applicable).

  • Port Network and VoIP Network—Select the VLANs for this port.

Use dot1x authentication

Select this option to enable IEEE 802.1X authentication for Port-Based Network Access Control. 802.1X authentication is supported on interfaces that are members of private VLANs (PVLANs).

The following options are available if you enable dot1x authentication on a port:

  • Allow Multiple Supplicants—Select this option to allow multiple end devices to connect to the port. Each device is authenticated individually.

  • Dynamic VLAN—Specify dynamic VLANs that will be returned by the RADIUS server attribute 'tunnel-private-group-ID' or 'Egress-VLAN-Name'. This configuration enables a port to perform dynamic VLAN assignment.

  • MAC authentication—Select this option to enable MAC authentication for the port. When this option is selected, you can also specify an Authentication Protocol. If you specify a protocol, it must be used by supplicants to provide authentication credentials.

  • Use Guest Network—Select this option to use a guest network for authentication. Then select a Guest Network from the drop-down list.

  • Bypass authentication when server is down—If you select this option, clients can join the network without authentication if the server is down.

You need to also do the following for dot1x authentication to work:

  • Configure a RADIUS server for dot1x authentication from the Authentication Servers tile in the All Switches Configuration section of the template.

  • Assign a dot1x port profile to a switch port for the RADIUS configuration to be pushed to the switch. You can do this from the Port Config tab in the Select Switches Configuration section of the template.


Keep the default setting, Auto, or select a speed


Keep the default setting, Auto, or select a Half or Full.

MAC Limit Configure the maximum number of MAC addresses that can be dynamically learned by an interface. When the interface exceeds the configured MAC limit, it drops the frames. A MAC limit also results in a log entry.

The default value: 0

Supported range: 0 through 16383


Enable the port to support power over Ethernet (PoE).

STP Edge

Configure the port as a Spanning Tree Protocol (STP) edge port, if you want to enable Bridge Protocol Data Unit (BPDU) guard on a port. This setting ensures that the port is treated as an edge port and guards against the reception of BPDUs, which are control messages in the STP. If you plug a non-edge device into a port configured with STP Edge, the port is disabled. In addition, the Switch Insights page generates a Port BPDU Blocked event. The Front Panel on the Switch Details will also display a BPDU Error for this port.

You can clear the port of the BPDU error by selecting the port on the Front Panel and then clicking Clear BPDU Errors.

You can also configure STP Edge at the switch level, from the Port Profile section on the switch details page.

For more information on STPs, see How Spanning Tree Protocols Work.


Enable Quality of Service (QoS) for the port to prioritize latency-sensitive traffic, such as voice, over other traffic on a port.


For optimal results, it's important to enable Quality of Service (QoS) for both the downstream (incoming) and upstream (outgoing) traffic. This ensures that the network can effectively prioritize and manage traffic in both directions, leading to improved performance and better overall quality of service.

You have the option to override the QoS configuration on the WLAN settings page (Site > WLANs > WLAN name). To override the QoS configuration, select the Override QoS check box and choose a wireless access class. The downstream traffic (AP > client) gets marked with the override access class value specified. The override configuration doesn't support upstream traffic (client > AP).

See also: QoS Configuration.

Storm Control Enable storm control to monitor traffic levels and automatically drop broadcast, multicast, and unknown unicast packets when the traffic exceeds a traffic level (specified in percentage). This specified traffic level is known as the storm control level. This feature actively prevents packet proliferation and maintains the performance of the LAN. When you enable Storm Control, you can also choose to exclude broadcast, multicast, and unknown unicast packets from monitoring.

For more information, see Understanding Storm Control.

Persistent (Sticky) MAC Learning

Enable Persistent (Sticky) MAC to stop unauthorized devices from connecting to your network. When enabled, the switch learns the MAC addresses of devices that arrive on the port and saves them in memory. If the number of MAC addresses learned exceeds the 'MAC Limit' specified above, the port drops the frames. Also, you will see a 'MAC Limit Exceeded' event on the Insights page.

You can hover over the port from the front panel on the switch details page to see the MAC Limit and the MAC Count (the number of MAC addresses that the port learned dynamically).

  • You cannot enable this feature on a Trunk port or on a port with 802.1X authentication, as Junos OS does not support this combination.

  • Enable this feature for static wired clients. Do not enable it for Mist AP interfaces.

The Juniper Mist portal does not show the MAC addresses that an interface has learned. It shows only the maximum MAC address count. To view the MAC addresses that an interface learned, select the Utilities > Remote Shell option on the switch details page and run the following commands:

  • show ethernet-switching table persistent-learning
  • show ethernet-switching table persistent-learning interface

The MAC Count value remains on the port until you clear it from the front panel on the switch details or until you disable the Persistent (Sticky) MAC Learning feature. To clear the MAC addresses that a port learned, select the port on the switch front panel and then click Clear MAC [Dynamic/Persistent]. This action generates a MAC Limit Reset event on the Switch Insights page. Read more about the front panel in Switch Details.

Select Switches Configuration

Create rules to apply configuration settings based on the name, role, or model of the switch.

Click a rule to edit it, or click Add Rule. Then complete each tabbed page. As you enter settings, click the checkmark at the top right to save your changes. You can also create a switch rule entry by cloning an existing rule. To do that, you just need to click the clone button and name the new rule.

Select Switches Configuration

The various tabs are described in separate tables below.

Table 5: Select Switches—Info Tab
Option Notes


Enter a name to identify this rule.

Applies to switch name

Enable this option if you want this rule to apply to all switches that match the specified name. Then enter the text and the number of offset characters. For example, if you enter abc with an offset of 0, the rule applies to switches whose names start with abc. If the offset is 5, the rule ignores the first 5 characters of the switch name.

Applies to switch role

Enable this option if you want this rule to apply to all switches that have the same role. Enter the role by using lowercase letters, numbers, underscores (_), or dashes (-).

Applies to switch model

Enable this option if you want this rule to apply to all switches that have the same model. Then select the model.

Table 6: Select Switches—Port Config Tab
Option Notes
Configuration List

Click Add Port Configuration, or select a port configuration to edit.

Port Configuration Tab Showing List of Port Configurations

Port IDs and Configuration Profile

Enter the port(s) to configure and the configuration profile to apply to them.

Enable Dynamic Configuration

When you enable this feature, a port profile is assigned based on defined attributes of the connected device. If the device matches the attributes, Mist assigns a matching dynamic profile to the device. But if the device doesn't match the attributes, it is placed in a specified VLAN.

In the following example, the port is enabled with dynamic port allocation and is assigned with a restricted VLAN. In this case, if the connected device doesn't match the dynamic profiling attributes, it will be placed into a restricted VLAN such as a non-routable VLAN or a guest VLAN. Interfaces enabled with Port Aggregation don't support dynamic port configuration.

Up/Down Port Alerts

When you enable this feature, Juniper Mist monitors transitions between up and down states on these ports. If you enable this feature, also enable Critical Switch Port Up/Down on the Monitor > Alerts > Alerts Configuration page.

Port Aggregation

When you enable this feature, Ethernet interfaces are grouped to form a single link layer interface. This interface is also known as a link aggregation group (LAG) or bundle.

The number of interfaces that you can group into a LAG and the total number of LAGs that a switch supports vary depending on switch model. You can use LAG with or without LACP enabled. If the device on the other end doesn't support LACP, you can disable LACP here.

You can also configure the LACP force-up state for the switch. This configuration sets the state of the interface as up when the peer has limited LACP capability.

You can also configure an LACP packet transmission interval. If you configure the LACP Periodic Slow option on an AE interface, the LACP packets are transmitted every 30 seconds. By default, the interval is set to fast in which the packets are transmitted every second.

Allow switch port operator to modify port profile

When you enable this feature, users with the Switch Port Operator admin role can view and manage this configuration.
Table 7: Select Switches Configuration—IP Config Tab
Option Notes

Network (VLAN) List

Select a network for in-band management traffic. Or click Add Network and complete the New Network fields as described in the remaining rows of this table.

Select Switches - IP Config Tab


Enter a name to identify this network.


Enter the VLAN ID from 1-4094, or enter a site variable to dynamically enter an ID.


Enter the subnet or site variable.

Select Switches—IP Config (OOB) Tab

Enable or disable Dedicated Management VRF (out of band). For all standalone devices or Virtual Chassis running Junos version 21.4 or later, this feature confines the management interface to non-default virtual routing and forwarding (VRF) instances. Management traffic no longer has to share a routing table with other control traffic or protocol traffic.

Select Switches—Port Mirroring Tab

This tab displays the list of port mirroring configurations already added. Click an entry to edit it. Or click Add Port Mirror to enable port mirroring. This feature allows you to dynamically apply port mirroring on switches based on the parameters such as the switch role, switch name, and switch model as specified in the rules. This feature is typically used for monitoring and troubleshooting. When port mirroring is enabled, the switch sends a copy of the network packet from the mirrored ports to the monitor port. The configuration options include the following:

  • Input—The source (an interface or network) of the traffic to be monitored. Along with the input, you can specify whether you want Mist to monitor the ingress traffic or the egress traffic for an interface. If you want both ingress and egress traffic to be monitored, add two input entries for the same interface - one with the ingress flag and the other with the egress flag.

  • Output—The destination interface to which you want to mirror the traffic. You cannot specify the same interface or network in both the input and output fields.

The rules under Select Switches Configuration take precedence over the global Port Mirroring configuration. Also, if the global port mirroring is configured, it is displayed as the default rule in the Select Switches configuration section and is displayed as read-only. You can edit it at the global level.

Select Switches—CLI Config Tab

Enter additional CLI commands, as needed.

Switch Policy Labels (Beta)

In this section, add GBP tags to identify groups of users and resources to reference in your switch policies.


Only the following devices that run Junos OS Release 22.4R1 and later support GBPs: EX4400, EX4100, EX4650, QFX5120-32C and QFX5120-48Y.

The following example shows the tags that a user created, along with the policies that reference them.

Switch Policy Labels (Beta)

This feature is currently available only to beta participants.

To get started, click Add GBP tag. Then enter a name, select the type, and enter the value. Then click Add at the lower-right corner of the screen.

When you enable a tag, you'll see on-screen alert about the impact on standalone switches and virtual chassis. Read the on-screen information before proceeding.


If you configure 802.1X authentication with multiple-supplicant mode, the GBP tagging is MAC-based. If you configure 802.1X authentication with single-supplicant mode, the GBP tagging is port-based.

Table 8: Switch Policy Label (GBP Tag) Configuration Options
Option Notes

Dynamic or Static

By default, Juniper Mist chooses the Dynamic option. If you select Static, specify a GBP tag source. It can be a MAC address, network, or an IP subnet.


Enter value or GBP source tag for host-originated packets (range: 1 through 65535).

Switch Policy (Beta)

Configure Group Based Policies (GBPs) that you can use in your campus fabric IP Clos deployments. When you create a policy, you use organization-level and site-level labels and your GBP tags (from the Switch Policy Labels section) to identify users who can or cannot access specified resources.


Only the following devices that run Junos OS Release 22.4R1 and later support GBPs: EX4400, EX4100, EX4650, QFX5120-32C and QFX5120-48Y.

The following image shows a sample policy, using tags that were defined in the Switch Policy Labels section.

Switch Policy (Beta)

To get started, click Add Switch Policy. Then enter the settings, as described in the following table.

Table 9: Switch Policy Configuration Options
Option Notes


Click + and add the users or groups that need access to the resources. You can use the GBT tags here, if you have defined them already.


Click + and add the resources that you need to map to the selected users or groups. You can use the GBT tags here too, if you have defined them already.

By default, users are given access to the resources added. If you want to deny the user access to certain resources, click the Resource label that you have added and set the access to deny.

Changing Access to Deny