New and Changed Features
This section describes the new features and enhancements to existing features in Junos OS Release 13.2R8 for the EX Series.
- Hardware
- Infrastructure
- Interfaces and Chassis
- Network Management and Monitoring
- Port Security
- Routing Policy and Firewall Filters
- System
- Virtual Chassis
Hardware
- Extended cable manager for EX9214 switches—An extended cable manager is now available for EX9214 switches. The extended cable manager enables you to route cables away from the front of the line cards and Switch Fabric modules and provides easier access to the switch than offered by the standard cable manager. To obtain the extended cable manager, order the MX960 Enhanced Cable Manager, ECM-MX960. (Note that installation of the extended cable manager must be done by a Juniper Networks-authorized technician and that the service cost is in addition to the component cost.) [See MX960 Cable Manager Description.]
Infrastructure
- Uniform Enhanced Layer 2 Software (ELS) CLI configuration statements and operational commands—ELS provides a uniform CLI for configuring and monitoring Layer 2 features on EX Series switches that support ELS, such as EX9200 switches and EX4300 switches, and on MX Series routers in LAN mode (MX-ELM). With ELS, for example, you can configure a VLAN and other Layer 2 features on an EX9200 switch, an EX4300 switch, or an MX-ELM router by using the same configuration commands. [See Getting Started with Enhanced Layer 2 Software.]
The Web-based ELS Translator tool is available for registered customers to help them become familiar with the ELS CLI and to quickly translate existing EX Series switch–based CLI configurations into ELS CLI configurations. [See ELS Translator.]
- Enhanced Layer 2 Software storm control on EX9200 switches—EX9200 switches support storm control. Storm control enables the switch to monitor traffic levels and to drop broadcast, multicast, and unknown unicast packets when a specified traffic level—called the storm control level—is exceeded, thereby preventing packets from proliferating and degrading the LAN.
Storm control is enabled by default on all Layer 2 interfaces. You can modify the storm-control configuration with a two-step process:
- Configure a storm-control profile at the [edit forwarding-options] hierarchy level.
- Bind the storm-control profile to a specific logical interface or to a group of logical interfaces. The group can include a range of interfaces or all interfaces on the switch.
- DHCP servers can process packets without Option 255 (EX9200)—On EX9200 switches, starting with Junos OS Release 13.2R6, you can override the configuration on a DHCP local server in order to enable the server to process DHCP packets without Option 255 (end-of-options) sent by the client. The default behavior in Junos OS, for the DHCP local server, is to drop packets that do not include Option 255. To override the default behavior, configure the allow-no-end-options CLI statement at the [system services dhcp-local-server overrides] hierarchy level.
Interfaces and Chassis
- MAC address synchronization for a multichassis link aggregation group on EX9200 switches—When you enable Layer 3 unicast functionality across an MC-LAG on an EX9200 switch, you can now synchronize the MAC addresses for IRB interfaces assigned to a specified VLAN, which participates in the MC-LAG. To synchronize the MAC addresses for the IRB interfaces assigned to a VLAN, use the mcae-mac-synchronize statement at the [edit vlans vlan-name] hierarchy level. [See Configuring Multichassis Link Aggregation.]
Network Management and Monitoring
- Enhanced Layer 2 Software native analyzer support on EX9200 switches—EX9200 switches support native analyzers and remote port mirroring. On EX9200 switches, the analyzer configuration is available at the [edit forwarding-options] hierarchy level. A native analyzer configuration contains both an input stanza and an output stanza at this hierarchy level for mirroring packets. In remote port mirroring, the mirrored traffic is flooded into a remote mirroring VLAN that can be created specifically to receive mirrored traffic. [See Understanding Analyzers on EX9200 Switches.]
Port Security
- Enhanced Layer 2 Software access port security on EX9200 switches:
- Dynamic ARP inspection (DAI)—DAI protects switches against ARP spoofing. DAI inspects ARP packets on the LAN and uses the information in the DHCP snooping database on the switch to validate ARP packets and to protect against ARP cache poisoning. To enable DAI on a VLAN, issue the arp-inspection statement at the [edit vlans vlan-name forwarding-options dhcp-security] hierarchy level.
- DHCP option 82—You can use DHCP option 82, also known as the DHCP relay agent information option, to help protect the switch against attacks such as spoofing (forging) of IP addresses and MAC addresses, and DHCP IP address starvation. Option 82 provides information about the network location of a DHCP client, and the DHCP server uses this information to implement IP addresses or other parameters for the client. To enable DHCP option 82, issue the option-82 statement at the [edit vlans vlan-name forwarding-options dhcp-security] hierarchy level.
- DHCP snooping—DHCP snooping filters and blocks ingress DHCP server messages on untrusted ports, and builds and maintains an IP address to MAC address binding database. Most port security features depend on DHCP snooping. If you enable DAI or IP source guard, DHCP snooping is enabled implicitly for the VLAN. Also, if you configure a group of access interfaces at the [edit vlans vlan-name forwarding-options dhcp-security] hierarchy level, the configuration implicitly enables DHCP snooping.
- IP source guard—You can use the IP source guard access port security feature to mitigate the effects of source IP address spoofing and source MAC address spoofing. If IP source guard determines that a host connected to an access interface has sent a packet with an invalid source IP address or source MAC address in the packet header, it discards the packet. To enable IP source guard on a VLAN, issue the ip-source-guard statement at the [edit vlans vlan-name forwarding-options dhcp-security] hierarchy level.
- Static IP—You can add static (fixed) IP addresses and bind them to fixed MAC addresses in the DHCP snooping database. To configure a static IP-MAC binding in the DHCP snooping database, you must first create a group of access interfaces at the [edit vlans vlan-name forwarding-options dhcp-security] hierarchy level. To configure a specific interface within the group to have a static IP address that is bound to a fixed MAC address, issue the group group-name interface interface-name static-ip ip-address mac-address statement at the [edit vlans vlan-name forwarding-options dhcp-security] hierarchy level.
- Trusted DHCP server interface—You can configure any interface on a switch that connects to a DHCP server as a trusted interface (port). Configuring a DHCP server on a trusted interface protects against rogue DHCP servers sending leases. By default, all access interfaces are untrusted, and all trunk interfaces are trusted. However, you can override the default setting for access interfaces by configuring a group of access interfaces within a VLAN, specifying that an interface belong to that group, and then configuring the group as trusted. To configure an untrusted access interface as a trusted interface for a DHCP server, issue the overrides trusted statement at the [edit vlans vlan-name forwarding-options dhcp-security group group-name] hierarchy level.
[See Port Security Overview.]
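A defender-side check for the dhcp-security hierarchy described above, added here as an example (it is not Juniper code). It reads a configuration in `set` format and reports, per VLAN, which dhcp-security statements are present, whether DAI or IP source guard is absent, whether DHCP snooping is implied by the triggers this note names, and which access ports sit in a trusted group. The sample configuration and every VLAN, group and interface name in it are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in Junos "set" format; VLAN, group and interface names are made up.
SAMPLE_CONFIG = """\
set vlans users vlan-id 10
set vlans users forwarding-options dhcp-security arp-inspection
set vlans users forwarding-options dhcp-security ip-source-guard
set vlans users forwarding-options dhcp-security option-82
set vlans users forwarding-options dhcp-security group dhcp-srv overrides trusted
set vlans users forwarding-options dhcp-security group dhcp-srv interface ge-0/0/8
set vlans voice vlan-id 20
set vlans voice forwarding-options dhcp-security group phones interface ge-0/0/2
set vlans guest vlan-id 30
"""

VLAN_LINE = re.compile(r"^set vlans (\S+)\s+(.*)$")
# Statements this note says enable DHCP snooping implicitly (an interface group does too).
IMPLIES_SNOOPING = {"arp-inspection", "ip-source-guard"}

def audit_port_security(config_text):
    """Map each VLAN to its dhcp-security features, gaps and trusted access ports."""
    features = defaultdict(set)
    groups = defaultdict(lambda: defaultdict(lambda: {"trusted": False, "ports": []}))
    for line in config_text.splitlines():
        m = VLAN_LINE.match(line.strip())
        if not m:
            continue
        vlan, words = m.group(1), m.group(2).split()
        features[vlan]  # report every VLAN, even one with no dhcp-security at all
        stmt = words[2:] if words[:2] == ["forwarding-options", "dhcp-security"] else []
        if stmt[:1] == ["group"] and len(stmt) >= 4:
            group = groups[vlan][stmt[1]]
            if stmt[2:4] == ["overrides", "trusted"]:
                group["trusted"] = True
            elif stmt[2] == "interface":
                group["ports"].append(stmt[3])
        elif stmt and stmt[0] != "group":
            features[vlan].add(stmt[0])
    return {
        vlan: {
            "features": sorted(feats),
            "missing": sorted(IMPLIES_SNOOPING - feats),
            "snooping_implied": bool(feats & IMPLIES_SNOOPING or groups[vlan]),
            "trusted_access_ports": sorted(
                p for g in groups[vlan].values() if g["trusted"] for p in g["ports"]),
        }
        for vlan, feats in features.items()
    }
```

Each entry in `trusted_access_ports` is an access interface from which DHCP server messages are accepted, so the list should match the ports where a DHCP server is actually expected.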
Routing Policy and Firewall Filters
- Egress firewall filter for VLANs—On an EX9200 switch running Junos OS Release 12.3R2 or later, you can apply an ingress firewall filter to a specified VLAN. Starting with Junos OS Release 13.2R1, you can also apply an egress firewall filter to a specified VLAN on an EX9200 switch. An egress VLAN firewall filter enables you to control the transmission of all packets from the VLAN. To apply an egress firewall filter, use the output filter-name statement at the [edit vlans vlan-name forwarding-options filter] hierarchy level. [See Firewall Filters for EX9200 Switches.]
System
- EX9200-2C-8XS line card for EX9200 switches—EX9200 switches now support the new EX9200-2C-8XS line card. It is a hot-removable and hot-insertable field-replaceable unit (FRU) that you can install in the line card slots on the front of the switch chassis. The line card has two 100-Gigabit Ethernet C-form factor pluggable (CFP) ports in which you can install CFP transceivers and eight oversubscribed 10-Gigabit Ethernet small-form factor pluggable (SFP+) ports in which you can install SFP+ transceivers.
The line card supports the following CFP transceivers:
- 100GBASE-LR4 (10 km)
- 100GBASE-SR10 (100 m, 150 m)
The line card supports the following SFP+ transceivers:
- EX-SFP-10GE-SR (10GBASE-SR, 26 m, 33 m, 66 m, 82 m, 300 m)
- EX-SFP-10GE-LR (10GBASE-LR, 10 km)
- EX-SFP-10GE-ER (10GBASE-ER, 40 km)
- EX-SFP-10GE-ZR (10GBASE-ZR, 80 km)
[See EX9200-2C-8XS Line Card.]
Virtual Chassis
- EX9200 Virtual Chassis—EX9200 Virtual Chassis brings the Virtual Chassis flexible, scaling switch solution to Juniper Networks EX9200 Ethernet Switches. You can connect two EX9200 switches into an EX9200 Virtual Chassis and manage the interconnected switches as a single chassis. The advantages of connecting multiple switches into a Virtual Chassis include:
- Better-managed bandwidth at a network layer
- Simplified configuration and maintenance because multiple devices can be managed as a single device
- Increased fault tolerance and high availability (HA) because a Virtual Chassis can remain active and network traffic can be redirected to other member switches when a single member switch fails
- A flatter, simplified Layer 2 network topology that minimizes or eliminates the need for loop-prevention protocols such as Spanning Tree Protocol (STP)