Notes on setting up and programmatically configuring VLANs on the Juniper EX3200 platform

General notes

The EX3200 and related small switches are a flexible, inexpensive platform for provisioning VLANs. They can provision VLANs in trunk or access mode on multiple ports. Their port naming convention is [ge|xe]-chassis/pic/port.unit, where 'ge' refers to Gigabit Ethernet interfaces and 'xe' to 10G optical interfaces.

Configuring configuration access

There are a number of options for passing XML commands to the EX3200. This document describes how to enable them. For ORCA we are using the SSL-based approach.

Configuring a vlan to access ports and passing it over the trunk

In this configuration we are provisioning a slice VLAN to a number of access GigE ports and passing it through the uplink 10GE port configured as a trunk. First we create the VLAN:

set vlans <vlan name> vlan-description "<Vlan description>"

set vlans <vlan name> vlan-id <numeric vlan tag>

then we add access ports into it

set interfaces ge-0/0/46 unit 0 description "<Port description>"

set interfaces ge-0/0/46 unit 0 family ethernet-switching port-mode access

set interfaces ge-0/0/46 unit 0 family ethernet-switching vlan members <vlan name>

set vlans <vlan name> interface ge-0/0/46.0

Finally we make sure this vlan goes through the trunk port

set interfaces xe-0/1/0 unit 0 description "<Port description>"

set interfaces xe-0/1/0 unit 0 family ethernet-switching port-mode trunk

set interfaces xe-0/1/0 unit 0 family ethernet-switching vlan members <vlan name>

Unconfiguring a vlan

Use 'delete' instead of 'set'

Committing configuration


Sending commands over the tcp connection

Commands can be a mix of XML and plain text. For example, here is a login exchange:


<?xml version="1.0" encoding="us-ascii"?>
<junoscript xmlns="" xmlns:junos="" schemaLocation=" junos/10.0S3/junos.xsd" os="JUNOS" release="10.0S3.1" hostname="" version="1.0">
<!-- session start at 2010-03-04 16:03:08 EST -->


<?xml version="1.0" encoding="us-ascii"?>
<junoscript version="1.0" hostname="client1" release="9.0R1">
<rpc> <request-login> <username>someuser</username> <challenge-response>somepassword</challenge-response> </request-login> </rpc>


<rpc-reply xmlns:junos="">


<rpc> <load-configuration action="merge" format="text"> <configuration-text>
 vlans { sliceVlan10 { vlan-id 212; } } interfaces { xe-0/0/1 { unit 0 { family ethernet-switching { port-mode trunk; vlan { members sliceVlan10; } } } } }
</configuration-text> </load-configuration> </rpc>


<!-- No zombies were killed during the creation of this user interface -->
<!-- user remote, class j-super-user -->
<rpc-reply xmlns:junos="">


<rpc> <commit-configuration/> </rpc>


<rpc-reply xmlns:junos="">
<routing-engine junos:style="normal">




<rpc-reply xmlns:junos="">




<!-- session end at 2010-03-04 16:05:11 EST -->

Note that configuration can be sent as regular text instead of XML (using <configuration-text> instead of <configuration>). To delete elements from the configuration, the word "delete:" must be prepended to the path being deleted, and the statement closed with a ';':

delete: vlans sliceVlan;

inside the <configuration-text>.
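When the configuration text is generated programmatically from slice parameters, each parameter should be validated before it is interpolated, because a name containing ';', braces or XML markup would change what the switch loads. The following Python sketch is an added example, not code from ORCA or Juniper; the function names and the VLAN-name character rule are assumptions, and the 'delete:' form is the one given above.

```python
import re
from xml.sax.saxutils import escape

# Assumed naming rule for this sketch (not taken from Juniper documentation).
VLAN_NAME = re.compile(r"[A-Za-z][A-Za-z0-9_-]{0,31}")
# Port naming from the notes above: [ge|xe]-chassis/pic/port
PORT_NAME = re.compile(r"(ge|xe)-\d{1,2}/\d{1,2}/\d{1,2}")


def _check(name, vlan_id, ports):
    """Reject anything that could break out of its place in the config text."""
    if not isinstance(name, str) or not VLAN_NAME.fullmatch(name):
        raise ValueError(f"bad VLAN name: {name!r}")
    if type(vlan_id) is not int or not 1 <= vlan_id <= 4094:
        raise ValueError(f"bad VLAN id: {vlan_id!r}")
    for port in ports:
        if not isinstance(port, str) or not PORT_NAME.fullmatch(port):
            raise ValueError(f"bad port name: {port!r}")


def _port(port, mode, vlan):
    """Text-format stanza for one interface in access or trunk mode."""
    return (f"{port} {{ unit 0 {{ family ethernet-switching {{ "
            f"port-mode {mode}; vlan {{ members {vlan}; }} }} }} }}")


def _rpc(text):
    """Wrap text-format configuration in a load-configuration RPC."""
    return ('<rpc> <load-configuration action="merge" format="text"> '
            f"<configuration-text> {escape(text)} </configuration-text> "
            "</load-configuration> </rpc>")


def provision_vlan_rpc(name, vlan_id, access_ports, trunk_port):
    """RPC that creates the VLAN, adds access ports and passes it on the trunk."""
    access_ports = list(access_ports)
    _check(name, vlan_id, access_ports + [trunk_port])
    ports = [_port(p, "access", name) for p in access_ports]
    ports.append(_port(trunk_port, "trunk", name))
    return _rpc(f"vlans {{ {name} {{ vlan-id {vlan_id}; }} }} "
                f"interfaces {{ {' '.join(ports)} }}")


def delete_vlan_rpc(name):
    """RPC that removes the VLAN, using the 'delete:' form described above."""
    _check(name, 1, [])
    return _rpc(f"delete: vlans {name};")
```

The returned string is one RPC to write to the session after login; a separate <commit-configuration/> RPC is still needed to activate it.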

QoS configuration

JUNOS has an extensive array of tools for QoS provisioning. To create rate-limited slices, the most straightforward configuration is to create a firewall policer, which is then included in the firewall filter. The filter is attached as an input filter to a VLAN like so (note that the rate is in bps, and the burst size is in bytes):

ibaldin# show firewall 
family ethernet-switching {
    filter qosFilter {
        term qosRule {
            then {
                count qosCounter;
                policer testPolicer;
            }
        }
    }
}
policer testPolicer {
    if-exceeding {
        bandwidth-limit 500k;
        burst-size-limit 50k;
    }
    then discard;
}

ibaldin# show vlans qosVlan 
description "QoS VLAN";
vlan-id 250;
interface {
}
filter {
    input qosFilter;
}

Creating an SSL certificate for a device

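On a host with openssl installed, create a self-signed certificate and package it with the private key by writing both to the same file (replace XXX with a descriptive name for the device, no spaces allowed):

openssl req -x509 -nodes -newkey rsa:1024 -keyout junos-ssl-cert-XXX.pem -out junos-ssl-cert-XXX.pem

Because of -nodes, the private key in this file is stored unencrypted, so restrict who can read it. A 1024-bit RSA key is below current minimum key-size guidance; use rsa:2048 where the JUNOS release in use accepts it.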

For the DN inside the certificate you can use something like this:

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:NC
Locality Name (eg, city) []:Chapel Hill
Organization Name (eg, company) [Internet Widgits Pty Ltd]:RENCI
Organizational Unit Name (eg, section) []:NRIG
Common Name (eg, YOUR name) []:EX3200-Euca-RENCI
Email Address []

Installing and enabling the certificate

You can scp the certificate file into the device:

scp junos-ssl-cert-XXX.pem ex3200.ip.address.or.FQDN:~/

Now ssh to the EX3200 and perform the following commands (replace orca-ssl-cert with whatever name you want to give the certificate):

ibaldin> file list    


ibaldin> edit            
Entering configuration mode

ibaldin# set security certificates local orca-ssl-cert load-key-file ./junos-ssl-cert-XXX.pem 

ibaldin# set system services xnm-ssl local-certificate orca-ssl-cert 

ibaldin# commit 
commit complete

This enables use of the certificate and also enables the SSL-over-TCP command channel with the default rate-limit settings.


* JUNOS for EX3200