Hi!
Perhaps in a year or so, you too will say "Junos forever" and feel horribly limited when logging into another brand :) That said, the threshold for getting there may be steep, but you did the right thing and asked for help!
So, nit-picking mode on :) Correct all your initial capital letters as they will not work to cut and paste. Set system ... -> set system ...
No real need to set the exact time (set date YYYYMMDDhhmm.ss), NTP will do that for you later on.
class super-user: Create specific classes for specific needs and don't use the default. A fallback account may have super-user, but the password should be in a vault never to be used. For all(!) other accounts, even if it is indeed a "super user", create a specific role. It shows that you have given it more thought than all the others.
Delete interfaces vme unit 0 family inet dhcp -> delete interface vme : you might as well delete it all as you set the fixed address on the next line, nothing else to save in that tree.
Set the management address on vme and just delete me0. vme stands for virtual management ethernet and will work on standalone and VC setups. delete interface me0 (mind you that some platforms have interface em0 and some fxp0, just to confuse you even more!)
Why not just "delete interfaces irb unit 0" all together? In band management (if you use that) should be on another VLAN/IRB than the default. Untagged management can be good if you want ZTP (or Mist autoconf), but only for that single purpose(s!).
There's rarely a reason to "set system domain-name". The advertised system name just gets longer than needed. You may need it, though.
set system services ssh root-login allow : NO, NO, NO!!! SSH is enabled by default, but you can make sure with "set system services ssh". NOT for root!!!
set system services web-management https system-generated-certificate : Get a proper cert if you want, it's not that difficult. On the other hand, J-Web is for sissies.
wildcard range set : you could use apply groups instead, or interface ranges. Really powerful, both of them. Also usable in RSTP config.
rstp edge all day long!!! Good job! Just remember to disable all other use of RSTP and use modern redundancy instead! If you really, really NEED RSTP for a ring or two, configure the links involved for RSTP, but leave the rest disabled for RSTP. B.t.w., use bridge-prio 0 and system-identifier 00:00:00:00:00:01 for the designated root bridge (:02 for the backup root) to maximize your chances of getting that selected as root. I've seen too many instances where people cautiously use 4k and the standard MAC, only to be overridden by some industrial excuse for a switch that has a default of 0.
Encrypted SNMPv3 isn't hard in Junos. Just do it!
My VC-list:
set system commit synchronize -> Makes sure all REs get the config every time
set virtual-chassis no-split-detection -> Juniper says to do this for 2 member VC only, I say do it for all configs. I'll tell you why if you ask :)
set chassis redundancy graceful-switchover
set protocols layer2-control nonstop-bridging -> As nonstop-routing but for L2 protocols like RSTP
set routing-options nonstop-routing
More tips in the next post, this became long enough!
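The points above pulled together into one set-format snippet. This is an added example, not the poster's configuration: the class names, user names, VLAN name, port ranges and the 10.65.116.0/24 management network are assumed, and the `<...>` values are placeholders for secrets that belong in a vault. The `#` lines are explanatory and are not part of what gets pasted into the CLI.

```junos
# Login: one class per role instead of handing out super-user (class/user names assumed)
set system login class NET-OPER permissions [ view view-configuration ]
set system login class NET-OPER allow-commands "(show|ping|traceroute|monitor)"
set system login class NET-ADMIN permissions [ all ]
set system login class NET-ADMIN deny-commands "(request system zeroize|request system software)"
set system login user opsuser class NET-OPER authentication encrypted-password "<HASH-FROM-VAULT>"
set system login user netadmin class NET-ADMIN authentication encrypted-password "<HASH-FROM-VAULT>"
# Fallback account keeps super-user; its password lives in the vault and is never used day to day
set system login user breakglass class super-user authentication encrypted-password "<HASH-FROM-VAULT>"

# Management on vme with a fixed address, me0 removed (addresses are constructed)
delete interfaces me0
delete interfaces vme unit 0 family inet dhcp
set interfaces vme unit 0 family inet address 10.65.116.5/24
set routing-options static route 0.0.0.0/0 next-hop 10.65.116.1

# SSH explicitly on, root login denied; no J-Web at all
set system services ssh
set system services ssh root-login deny
set system services ssh protocol-version v2

# Port templates with interface-range instead of wildcard set
set interfaces interface-range ACCESS-PORTS member-range ge-0/0/0 to ge-0/0/45
set interfaces interface-range ACCESS-PORTS unit 0 family ethernet-switching interface-mode access
set interfaces interface-range ACCESS-PORTS unit 0 family ethernet-switching vlan members USERS
set interfaces interface-range UPLINKS member-range ge-0/0/46 to ge-0/0/47
set interfaces interface-range UPLINKS unit 0 family ethernet-switching interface-mode trunk
set interfaces interface-range UPLINKS unit 0 family ethernet-switching vlan members all

# RSTP: edge plus BPDU block on access ports, RSTP proper only on the uplinks;
# bridge-priority 0 / system-identifier :01 go on the intended root only (:02 on the backup root)
set protocols rstp interface ACCESS-PORTS edge
set protocols rstp bpdu-block-on-edge
set protocols rstp interface UPLINKS
set protocols rstp bridge-priority 0
set protocols rstp system-identifier 00:00:00:00:00:01

# SNMPv3 with authentication and privacy, read-only view (user/group names assumed)
set snmp view RO-VIEW oid .1 include
set snmp v3 usm local-engine user snmp-ro authentication-sha authentication-password "<AUTH-PASS>"
set snmp v3 usm local-engine user snmp-ro privacy-aes128 privacy-password "<PRIV-PASS>"
set snmp v3 vacm security-to-group security-model usm security-name snmp-ro group RO-GROUP
set snmp v3 vacm access group RO-GROUP default-context-prefix security-model usm security-level privacy read-view RO-VIEW
```

Because the management address, SSH and login sections are exactly the ones that can lock you out, commit them with `commit confirmed 5` and confirm from a fresh SSH session; if the new session fails, the switch rolls back on its own after five minutes. The interface-range names are reused under `protocols rstp`, so a port added to ACCESS-PORTS later picks up edge and BPDU block without a second edit.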
Original Message:
Sent: 10-12-2024 17:46
From: fb35523
Subject: EX4300 Configuration Help
So, let's see if my first post makes it through. Here are some more pointers.
Consider a firewall policy tied to the loopback interface. It will protect the RE (call it CPU if you will) from unwanted traffic and attacks. It's a stateless L4 policy that can be very flexible using apply path statements, like this one:
set policy-options prefix-list RE-SRC-DNS apply-path "system name-server <*>"
It will give the prefix list RE-SRC-DNS the values of any configured DNS server in your system so you can build a firewall policy without even knowing the addresses of your DNS servers!
Configure a syslog host to receive any logs from the system: set system syslog host 10.65.116.11 any any
You can push your configs to a server every time you do a commit. I'd love to have that combined with monthly backups (just in case), but sadly, it's one or the other:
set system archival configuration transfer-on-commit
set system archival configuration archive-sites "scp://backup-user@192.168.19.139/home/backup-user/backup"
By using scp for this, you can push the backup with SSH encryption to a server (Linux or other). Sadly, sftp is not supported and scp in OpenSSH has no means of containing the user to a chroot dir as you can with SFTP, but that aside, it's a way better solution than tftp!
If the file system in these boxes is abused, it may become corrupt. There are two of them, but if one gets corrupted and the switch boots off the secondary and that too becomes corrupt, it's no good any more! To show and repair a partition in Junos:
show system snapshot media internal
request system snapshot slice alternate -> copy the currently running partition to the non-active one, do this after an upgrade!
To have the system attempt to copy the alternate image to the primary if the primary has been corrupted:
set system auto-snapshot
Well, this is the crash-course, lots more to say, but we can do that in another post :)
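A worked RE-protection filter built the way the post describes, as an added example rather than the poster's own configuration. The RE-SRC-DNS apply-path line and the syslog host are taken from the post; the NTP apply-path, the 10.65.116.0/24 management prefix, the term names and the policer values are assumed, and the `#` lines are commentary, not CLI input.

```junos
# Prefix lists that follow the configuration: no hard-coded server addresses in the filter
set policy-options prefix-list RE-SRC-DNS apply-path "system name-server <*>"
set policy-options prefix-list RE-SRC-NTP apply-path "system ntp server <*>"
set policy-options prefix-list RE-MGMT-NETS 10.65.116.0/24

# Stateless L4 filter on lo0: admit what the RE needs, then log and discard the rest
set firewall family inet filter PROTECT-RE term ALLOW-MGMT-SSH from source-prefix-list RE-MGMT-NETS
set firewall family inet filter PROTECT-RE term ALLOW-MGMT-SSH from protocol tcp
set firewall family inet filter PROTECT-RE term ALLOW-MGMT-SSH from destination-port ssh
set firewall family inet filter PROTECT-RE term ALLOW-MGMT-SSH then accept
set firewall family inet filter PROTECT-RE term ALLOW-DNS-REPLY from source-prefix-list RE-SRC-DNS
set firewall family inet filter PROTECT-RE term ALLOW-DNS-REPLY from protocol udp
set firewall family inet filter PROTECT-RE term ALLOW-DNS-REPLY from source-port 53
set firewall family inet filter PROTECT-RE term ALLOW-DNS-REPLY then accept
set firewall family inet filter PROTECT-RE term ALLOW-NTP from source-prefix-list RE-SRC-NTP
set firewall family inet filter PROTECT-RE term ALLOW-NTP from protocol udp
set firewall family inet filter PROTECT-RE term ALLOW-NTP from source-port 123
set firewall family inet filter PROTECT-RE term ALLOW-NTP then accept
# Replies to TCP sessions the RE itself opened (the scp archival push, for instance)
set firewall family inet filter PROTECT-RE term ALLOW-TCP-ESTABLISHED from protocol tcp
set firewall family inet filter PROTECT-RE term ALLOW-TCP-ESTABLISHED from tcp-established
set firewall family inet filter PROTECT-RE term ALLOW-TCP-ESTABLISHED then accept
# ICMP through a policer so a flood of pings cannot occupy the CPU
set firewall policer ICMP-POLICER if-exceeding bandwidth-limit 1m
set firewall policer ICMP-POLICER if-exceeding burst-size-limit 64k
set firewall policer ICMP-POLICER then discard
set firewall family inet filter PROTECT-RE term ALLOW-ICMP from protocol icmp
set firewall family inet filter PROTECT-RE term ALLOW-ICMP then policer ICMP-POLICER
set firewall family inet filter PROTECT-RE term ALLOW-ICMP then accept
# Everything else: count it, send it to syslog, drop it
set firewall family inet filter PROTECT-RE term DENY-REST then count RE-DENIED
set firewall family inet filter PROTECT-RE term DENY-REST then syslog
set firewall family inet filter PROTECT-RE term DENY-REST then discard
set interfaces lo0 unit 0 family inet filter input PROTECT-RE

# Ship everything to the syslog host from the post and keep a local firewall log as well
set system syslog host 10.65.116.11 any any
set system syslog file firewall-log firewall any
```

Commit this with `commit confirmed 5` from an SSH session on the management network, then check `show firewall filter PROTECT-RE` and the firewall log: the RE-DENIED counter and the syslog entries show you exactly which source, protocol and port got discarded, which is how you discover a service you forgot (DHCP relay on udp 67, a routing protocol, RADIUS or TACACS+ replies) before it becomes an outage. The ALLOW-TCP-ESTABLISHED term is the price of a stateless filter; tightening it with a source-prefix-list of the servers the RE actually talks to is the natural next step. `show policy-options prefix-list RE-SRC-DNS` shows what the apply-path resolved to, so you can confirm the DNS servers are really in the list before trusting the term.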
Original Message:
Sent: 10-11-2024 13:32
From: Pedro Delacruz
Subject: EX4300 Configuration Help
I could really use some help! I am brand new (very green) to both networking and Juniper and I have been tasked to configure and deploy switches and firewalls for our commercial network. My predecessor decided to replace everything Cisco with Juniper but then took another job out of state. I am learning on the fly so to speak. Essentially our activity centers use the commercial network to conduct their day to day business. They have points of sale (POS) which are also connected so PCI compliance is a must, hence the firewalls. After hours of watching Juniper training videos, taking a couple of ILO classes via Zoom, and tirelessly perusing the internet I have successfully configured one (EX4300 switch). By that I mean, in my little test area, I can pull the correct IP addresses (10.4.x.x range) from our active directory server, and can surf the internet with no problem. I just don't know if it's actually configured correctly and secure enough to deploy yet. I can't access J-web although I added web-management nor can I use SSH. I have attached what I call my running configuration document which I have compiled from various sources. It starts off with me resetting the device because heaven knows that's been my fall-back a lot (lol). Could anyone please review it (provide constructive criticism) and tell me if there's anything I need to correct, add, or omit? Any explanation you could provide would be great because I want to learn and understand. This ordeal has been both arduous and fun at the same time. Thanks in advance.
------------------------------
Pedro Delacruz
------------------------------