Converting a Juniper EX4200 From L2 to L3

Why would I use an EX4200 as an L2 switch?

Initially, I had a Cisco network at home, for reasons such as “It was what I learned first”, and “The equipment happened to be free”. At one of my (recent) past employers, I had an opportunity to use some Juniper equipment. I found that I preferred the syntax and thinking that went with using JUNOS over IOS.

Does it hurt that JUNOS is based on FreeBSD? I <3 FreeBSD! Since then, I’ve started collecting Juniper equipment and doing simple replacements in my home network. First was the Cisco 2960G, replaced with an EX4200. The Cisco didn’t support full Layer 3, so it was set up as a simple Layer 2 switch with a collection of VLANs. Dropping the EX4200 in to replace it was simple enough: a single SVI (RVI) for management and a static route pointing at my router/firewall device. All of the logic still resided on the router/firewall (which contained all the L2/L3 bits). The router was a PC with a VIA chip, running pfSense. I’ve run pfSense since around 2006 and, for the most part, been quite happy.

I wanted to get the Layer 2 off the router, but doing so meant setting up the switch with RVIs, one for each network. I would also need to create a new network that existed solely between the switch and the router. Finally, I needed to add static routes to the router for all the networks that now lived on the switch.


Converting the EX4200 from L2 to L2/L3 would require the following:

  1. Create an L3-only link between the EX4200 and the router

    • If you want to use the same IPs the router was using, it may be worthwhile to rip them off the router so there is no (less?) confusion
  2. Set up SVI interfaces on the EX4200 to take the place of what existed on the router

    • Create VLAN interfaces with IP addresses
    • Bind each VLAN interface to its VLAN
  3. Set up any “services” such as dhcp-relay (ip helper in Cisco) to run on the EX4200

  4. Set up static routes on the router for each of the netblocks which have SVIs on the switch

JunOS config bits

Creating an L3 link on the EX4200 looks like this:

louisk@switch0# show interfaces ge-0/0/0
description "pfSense LAN";
unit 0 {
    family inet {
        address;
    }
    family inet6 {
        address fc00:dead:beef::2/64;
    }
}

{master:0}[edit]
louisk@switch0#

Setting up an SVI looks like this:

louisk@switch0# show interfaces vlan unit 10
description "Guest Net";
family inet {
    address;
}
family inet6 {
    address fc00:dead:beef:10::1/64;
}

{master:0}[edit]
louisk@switch0#

Binding the L3 interface to a VLAN looks like this:

louisk@switch0# show vlans guest
vlan-id 10;
l3-interface vlan.10;

{master:0}[edit]
louisk@switch0#

Setting up a dhcp-relay looks like this:

louisk@switch0# show forwarding-options helpers
bootp {
    server;
    interface {
        vlan.10;
    }
}

{master:0}[edit]
louisk@switch0#

Setting up the static route(s) looks like this:

louisk@switch0# show routing-options
static {
    route next-hop;
}

{master:0}[edit]
louisk@switch0#

All this looks relatively straightforward, and it is. This migration, while not complicated, is completely disruptive to the existing network. JUNOS has the ability to work up a candidate config with all changes in it and commit all changes atomically. pfSense doesn’t offer this. Neither do Cisco devices. I’d suggest you take a day to perform this, plan ahead, go slowly, and keep your serial connections handy (I have found both the IO Gear GBS301 and Get-Console’s AirConsole to be quite handy. They allow me to connect to serial devices that are “near by” without having to cart a computer down to the garage to work). It’s also convenient to have a 3G device (could be anything from a 3G card for a laptop, to an iPad) you can look up documentation on while your network is down.
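The four steps above collected into one candidate config in set form, as an added example that is not from the original post. The IPv6 prefixes, VLAN id, VLAN name and interface names are the post’s own; the IPv4 addresses are placeholders from the documentation ranges (the post does not show them), and the # lines are annotations for the reader, not commands to type.

```junos
# Added example (not the post's own config). IPv4 addresses below are
# placeholders: 192.0.2.0/30 for the switch<->router link, 198.51.100.0/24
# for the guest net, 192.0.2.10 for the DHCP server.
edit

# 1. L3-only link to the router (ge-0/0/0 faces pfSense)
set interfaces ge-0/0/0 description "pfSense LAN"
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.2/30
set interfaces ge-0/0/0 unit 0 family inet6 address fc00:dead:beef::2/64

# 2. RVI for the guest network, then bind it to VLAN 10
set interfaces vlan unit 10 description "Guest Net"
set interfaces vlan unit 10 family inet address 198.51.100.1/24
set interfaces vlan unit 10 family inet6 address fc00:dead:beef:10::1/64
set vlans guest vlan-id 10
set vlans guest l3-interface vlan.10

# 3. DHCP relay: forward guest-net DHCP broadcasts to the DHCP server
set forwarding-options helpers bootp server 192.0.2.10
set forwarding-options helpers bootp interface vlan.10

# 4a. Default route from the switch back to pfSense over the link
set routing-options static route 0.0.0.0/0 next-hop 192.0.2.1
# 4b. On pfSense (not JUNOS): add a static route for 198.51.100.0/24
#     via 192.0.2.2 so return traffic reaches the switch.

# Parse and validate the candidate without activating it
commit check

# Activate everything atomically, but roll back automatically after
# 10 minutes unless a plain 'commit' follows. If the new addressing
# cuts you off, the switch returns to the previous config on its own,
# which is the check worth having before you reach for the serial cable.
commit confirmed 10 comment "EX4200 L2->L3 migration"
```

Once the RVIs are up, traffic between the VLANs is routed on the switch and never passes pfSense’s firewall rules; any isolation the router used to enforce for the guest net now has to be expressed as a JUNOS firewall filter applied to vlan.10.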