Key Features in Junos OS Release 21.2
Here is the list of all key features in this release. For more information about a feature, click the link in the feature description.
- AutoVPN PSK support (SRX5000 line of devices with SPC3 card and vSRX running iked)—To enable the VPN gateway to use a different IKE preshared key (PSK) for authenticating each remote peer, use the new seeded-pre-shared-key ascii-text or seeded-pre-shared-key hexadecimal configuration statements at the [edit security ike policy policy_name] hierarchy level. See policy. The SRX5000 line of devices with an SPC3 card and vSRX support AutoVPN PSK only if the junos-ike package is installed.
To enable the VPN gateway to use the same IKE PSK for authenticating all remote peers, use the existing pre-shared-key ascii-text or pre-shared-key hexadecimal configuration statements.
We also introduce an optional configuration statement, general-ikeid, at the [edit security ike gateway gateway_name dynamic] hierarchy level to bypass IKE ID validation. If you enable this option, then during authentication of a remote peer, the SRX Series device or vSRX skips IKE ID validation and accepts all IKE ID types (hostname, user@hostname). Because the peer's claimed identity is then no longer checked, enable this option only where the deployment has a specific need for it. See general-ikeid.
[See AutoVPN on Hub-and-Spoke Devices and Example: Configuring AutoVPN with Pre-Shared Key.]
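As an added example (not taken from the release notes or from Juniper's documentation), here is the hub side of an AutoVPN deployment in set-command form, showing the single shared PSK beside the seeded PSK that replaces it, and the general-ikeid knob left disabled. Policy, proposal, gateway and interface names, the domain suffix and the seed value are placeholders; the per-peer derivation from the seed and the peer's IKE ID is assumed; lines beginning with ## are annotations, not configuration.

```junos
## Added example, not from the release notes. Names, the domain suffix and the
## seed value are placeholders. Hub side of an AutoVPN hub-and-spoke deployment
## on an SRX5000 line device with an SPC3 card (junos-ike package installed).

## IKEv2 proposal shared by every spoke
set security ike proposal AUTOVPN-IKE-PROP authentication-method pre-shared-keys
set security ike proposal AUTOVPN-IKE-PROP dh-group group14
set security ike proposal AUTOVPN-IKE-PROP authentication-algorithm sha-256
set security ike proposal AUTOVPN-IKE-PROP encryption-algorithm aes-256-cbc

## Weaker form (the existing statement): one static PSK known to every spoke.
## Any spoke that leaks it can authenticate to the hub as any other spoke.
## set security ike policy AUTOVPN-IKE-POL pre-shared-key ascii-text "one-secret-for-everyone"

## Preferred form (new in 21.2R1): a seeded PSK. The hub derives a distinct
## PSK for each remote peer from this seed and the peer's IKE ID (assumed
## here), so a key provisioned to one spoke is useless to another spoke.
set security ike policy AUTOVPN-IKE-POL proposals AUTOVPN-IKE-PROP
set security ike policy AUTOVPN-IKE-POL seeded-pre-shared-key ascii-text "replace-with-a-long-random-seed"

## Dynamic gateway that matches spokes by group IKE ID (hostname suffix)
set security ike gateway AUTOVPN-HUB-GW ike-policy AUTOVPN-IKE-POL
set security ike gateway AUTOVPN-HUB-GW dynamic hostname example.net
set security ike gateway AUTOVPN-HUB-GW dynamic ike-user-type group-ike-id
set security ike gateway AUTOVPN-HUB-GW external-interface ge-0/0/0.0
set security ike gateway AUTOVPN-HUB-GW version v2-only

## Leave this out unless you have a specific reason: it skips IKE ID
## validation entirely, so the hub accepts any IKE ID type from any peer.
## set security ike gateway AUTOVPN-HUB-GW dynamic general-ikeid
```

Keep the seed itself off the spokes: each spoke is provisioned only with its own derived PSK, so the hub configuration is the only place the seed lives, and rotating it invalidates every derived key at once.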
- Display dynamic-applications and URL category hit counts in a security policy (NFX Series and SRX Series)—Starting in Junos OS Release 21.2R1, we've enhanced the show security policies hit-count command with options for dynamic applications and URL categories. You can now display how heavily a policy is used according to the number of hits per dynamic application and per URL category.
- cSRX support on AWS (cSRX)—Starting in Junos OS Release 21.2R1, you can deploy the cSRX Container Firewall in Amazon Web Services (AWS) Cloud using Amazon Elastic Kubernetes Service (Amazon EKS), a fully managed Kubernetes service.
With cSRX, you can also set up automated service provisioning and orchestration, distributed and multitenant traffic security, centralized management with Juniper® Security Director (including dynamic policy and address updates, remote log collection, and security event monitoring), and scalable security services with a small footprint.
cSRX is available with a 60-day free trial evaluation license (S-CSRX-A1 SKU). The evaluation license expires after 60 days.
You can purchase a bring-your-own-license (BYOL) license from Juniper Networks or a Juniper Networks authorized reseller to use the software features on cSRX. Use this license to customize your licensed features, subscription, and support.
[See cSRX Deployment Guide for AWS and Flex Software License for cSRX.]
- DNS DGA and tunnel detection (SRX Series)—Starting in Junos OS Release 21.2R1, you can configure DNS domain generation algorithm (DGA) detection and DNS tunnel detection. This feature lets you block malicious domains and DNS-tunneled requests or responses exchanged between infected hosts and command-and-control (C&C) servers. Malware that uses a DGA periodically generates a large number of candidate domain names, and the attacker registers a few of them as rendezvous points (RPs) with the C&C servers, so blocking a static list of domains is not sufficient. DNS tunneling is an attack technique that encodes the data of malicious programs or other protocols inside DNS queries and responses.
Use the set services security-metadata-streaming policy policy-name detections dga and set services security-metadata-streaming policy policy-name detections tunneling commands to configure DNS DGA and tunneling detection. [See security-metadata-streaming.]
- End-of-message notification for Routing Engine sensors (EX2300, EX4300, EX4300-MP, EX9200, MX240, MX960, MX10016, MX2010, MX2020, PTX1000, PTX3000, PTX10001, QFX5100, QFX5110, QFX5120, and QFX10002)—Starting in Junos OS Release 21.2R1, we've introduced an end-of-message (EoM) Boolean flag for all Junos telemetry interface (JTI) Routing Engine sensors. The flag notifies the collector that the current wrap has completed for a particular sensor path. A wrap is a complete key-value data dump of all the leaves under a sensor path.
The EoM flag also lets the collector detect the end of a wrap without comparing the stream creation timestamps it receives in the packets. Comparing timestamp values is costly and delays data aggregation.
To use this feature with gRPC Network Management Interface (gNMI) or gRPC transport, retrieve the protobuf files from the relevant branch on the Juniper Networks download site:
- GnmiJuniperTelemetryHeaderExtension.proto (gNMI)
- agent.proto (for gRPC)
For example: https://github.com/Juniper/telemetry/blob/master/20.3/20.3R1/protos/GnmiJuniperTelemetryHeaderExtension.proto.
After you download and install the new protobuf files on a collector, the EoM field is present in the packets received.
[See Understanding OpenConfig and gRPC on Junos Telemetry Interface.]
- Mellanox support (vSRX 3.0)—Starting in Junos OS Release 21.2R1, vSRX 3.0 instances deployed on VMware and kernel-based virtual machine (KVM) hypervisors support the Mellanox ConnectX-4 and ConnectX-5 family adapters.
[See vSRX Deployment for KVM.]
- Optimized inter-subnet multicast support with symmetric bridge domain configuration in an EVPN-VXLAN fabric (QFX5110, QFX5120, QFX10002-36Q, and QFX10002-72Q)—Starting in Junos OS Release 21.2R1, you can configure optimized inter-subnet multicast (OISM) on leaf devices and border leaf devices in an EVPN-VXLAN edge-routed bridging overlay fabric. OISM optimizes the routing of multicast traffic across VLANs in an EVPN tenant domain. It uses a supplemental bridge domain (SBD) and a multicast VLAN (MVLAN) to route multicast traffic to or from devices outside the fabric, and it works with the existing IGMP snooping and selective multicast (SMET) forwarding optimizations to minimize replication in the EVPN core when bridging within tenant VLANs.
With this implementation, you must enable OISM and IGMP snooping on all leaf and border leaf devices in the EVPN-VXLAN fabric. You must also configure the SBD and all tenant VLANs symmetrically on all leaf and border leaf devices in the fabric.
You can use OISM with:
- EVPN on the default-switch instance with the VLAN-aware bundle service model (Layer 2)
- Routing instances of type vrf (Layer 3)
- EVPN single-homing or multihoming (all-active mode)
- IGMPv2
- Multicast sources and receivers within the EVPN data center
- Multicast sources and receivers outside the EVPN data center that are reachable through the border leaf devices
- Enhanced CFM support (ACX5448, ACX5448-M, and ACX5448-D)—Starting in Junos OS Release 21.2R1, you can enable the performance monitoring responder functionality without enabling the transmission of continuity check messages (CCMs). To do so, configure the new send-zero-interval-ccm statement at the [edit protocols oam ethernet connectivity-fault-management] hierarchy level. After you configure the statement, if continuity-check is not enabled, CCMs are not transmitted, but the maintenance endpoint (MEP) is still programmed to receive CFM packets at that MEP level. [See IEEE 802.1ag OAM Connectivity Fault Management Overview and connectivity-fault-management (EX Series Switch Only).]
- Enhancements to prefix-limit and accepted-prefix-limit configuration statements, and updates to the show bgp neighbor command (ACX1000, EX9200, MX Series, PTX5000, and QFX10002)—Starting in Junos OS Release 21.2R1, the prefix-limit and accepted-prefix-limit configuration statements include the following options:
- drop-excess <percentage>—If you include the drop-excess option, the excess routes are dropped when the maximum number of prefixes is reached. If you specify a percentage, the routes are logged once the number of prefixes exceeds that percentage of the maximum.
- hide-excess <percentage>—If you include the hide-excess option, the excess routes are hidden when the maximum number of prefixes is reached. If you specify a percentage, the routes are logged once the number of prefixes exceeds that percentage of the maximum.
The show bgp neighbor command has been enhanced to display the following additional information:
- Count of prefixes dropped or hidden, per network layer reachability information (NLRI) type, when the maximum allowed prefixes threshold is exceeded.
- Alerts when a peer starts to drop or hide routes.
- Configuration details of the prefix-limit and accepted-prefix-limit statements.
[See prefix-limit, accepted-prefix-limit, show bgp neighbor, and Multiprotocol BGP.]
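As an added example (not from the release notes), the two new options applied to an eBGP customer peer, shown next to the older teardown form. Group name, peer address, AS number and the limits are placeholders; that hidden routes remain inspectable with show route hidden is assumed; lines beginning with ## are annotations, not configuration.

```junos
## Added example, not from the release notes. Group, peer, AS and limits are
## placeholders. An eBGP customer that should never announce more than ~1000
## IPv4 unicast routes, for example after a route leak on their side.
set protocols bgp group EBGP-CUSTOMERS type external
set protocols bgp group EBGP-CUSTOMERS neighbor 192.0.2.2 peer-as 64496

## Existing form: tear the session down when the limit is hit and hold it
## down for 30 minutes. A leaking peer then loses every prefix it legitimately
## announces, not just the excess.
## set protocols bgp group EBGP-CUSTOMERS neighbor 192.0.2.2 family inet unicast prefix-limit maximum 1000
## set protocols bgp group EBGP-CUSTOMERS neighbor 192.0.2.2 family inet unicast prefix-limit teardown 80 idle-timeout 30

## 21.2R1: keep the session up, drop anything beyond 1000 received prefixes,
## and start logging once the peer passes 80% of that limit.
set protocols bgp group EBGP-CUSTOMERS neighbor 192.0.2.2 family inet unicast prefix-limit maximum 1000
set protocols bgp group EBGP-CUSTOMERS neighbor 192.0.2.2 family inet unicast prefix-limit drop-excess 80

## accepted-prefix-limit counts routes that survive the import policy. Hide
## (keep as hidden routes, assumed visible with show route hidden) rather
## than drop, so the excess can still be inspected; log from 90% onward.
set protocols bgp group EBGP-CUSTOMERS neighbor 192.0.2.2 family inet unicast accepted-prefix-limit maximum 800
set protocols bgp group EBGP-CUSTOMERS neighbor 192.0.2.2 family inet unicast accepted-prefix-limit hide-excess 90

## Verify: dropped/hidden counts per NLRI and the configured limits
## run show bgp neighbor 192.0.2.2
```

The percentage thresholds are what turn this into an early-warning control: the log lines at 80% and 90% arrive before any route is dropped or hidden, which is the point at which to contact the peer rather than after the session has already been limited.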
- Juniper Agile Licensing (EX2300, EX3400, EX4300, and EX4400)—Starting in Junos OS Release 21.2R1, the listed EX Series switches support Juniper Agile Licensing.
Juniper Agile Licensing provides simplified and centralized license administration and deployment. You can use Juniper Agile Licensing to install and manage licenses for hardware and software features.
[See Flex Software License for EX Series Switches and Configuring Licenses in Junos OS.]
- Junos Multi-Access User Plane support for 5G user plane function (MX204, MX240, MX480, MX960, and MX10003)—Starting in Junos OS Release 21.2R1, Junos Multi-Access User Plane supports routers functioning as user plane functions (UPFs) in accordance with the 3GPP Release 15 CUPS architecture. This provides high-throughput 5G fixed and mobile wireless service in non-standalone (NSA) mode, including support for the following:
- N3, N4, N6, and N9 interface support
- Roaming through the N9 interface
- GPRS tunneling protocol, user plane (GTP-U) tunneling to the control plane
- QoS Flow ID (QFI) support for 5G QoS flows
- RSVP-TE supports preempting secondary LSPs that are signaled but not active (MX Series and PTX Series)—Starting in Junos OS Release 21.2R1, you can preempt secondary LSPs that are signaled but not active, and configure the hold priority of the secondary standby label-switched path (LSP) for RSVP-Traffic Engineering (RSVP-TE). This lets non-standby secondary LSPs with a higher setup priority come up when they would otherwise be blocked by a bandwidth shortage. To configure the non-active hold priority for a secondary standby path, use the non-active-hold-priority statement at the [edit protocols mpls label-switched-path lsp-name secondary path-name] hierarchy level. You can set the priority from 0 through 7, where 0 is the highest priority and 7 is the lowest.
- Unified policy support for firewall user authentication (SRX Series and vSRX)—Starting in Junos OS Release 21.2R1, we support firewall user authentication in a security policy with dynamic applications (unified policy). You can configure pass-through or web authentication in the unified policy to restrict or permit user access to network resources.
Firewall user authentication in a unified policy provides an additional layer of protection in a network with dynamic traffic changes.
[See Configure Firewall User Authentication with Unified Policies.]
- Secure packet capture to cloud (EX4400)—Starting in Junos OS Release 21.2R1, we support secure packet capture using the Junos telemetry interface (JTI). You can use this feature to capture packets on a device and send them over a secure channel to an external collector (in the cloud) for monitoring and analysis. Each captured packet is limited to 128 bytes, including the packet header and payload. Network professionals use real-time packet capture data to troubleshoot complex issues such as network and performance degradation and poor end-user experience.
To use secure packet capture, subscribe to the /junos/system/linecard/packet-capture resource path using a Junos RPC call.
For ingress packet capture, include the packet-capture action in the existing firewall filter configuration at the [edit firewall family family-name filter filter-name term match-term then packet-capture] hierarchy level. Do this before you send packet capture sensor data to the collector, and remove the packet-capture configuration after the data has been sent. Once configured, ingress packets matching the filter term are trapped to the CPU. The trapped packets then go to the collector over a secure channel, in the JTI key-value format, by means of gRPC transport.
For egress packet capture on physical interfaces (ge-*, xe-*, mge-*, and et-*), include the packet-capture-telemetry egress interface interface-name statement at the [edit forwarding-options] hierarchy level. For example:
set forwarding-options packet-capture-telemetry egress interface ge-0/0/0
set forwarding-options packet-capture-telemetry egress interface ge-0/0/10
You can add multiple interfaces on the device for egress packet capture. When configured, host-bound egress packets are captured from the interface and sent to the collector. As with the ingress configuration, remove the configuration when packet capture is no longer required, because matching packets keep being trapped to the CPU for as long as it stays in place.
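As an added example (not from the release notes), a complete ingress-plus-egress capture setup for DNS traffic on one port, followed by the cleanup the text asks for. Filter, term and interface names are placeholders; using packet-capture as a then-action next to accept in the same term is assumed; lines beginning with ## are annotations, not configuration.

```junos
## Added example, not from the release notes. Filter, term and interface
## names are placeholders. Capture DNS traffic entering and leaving ge-0/0/0.

## Ingress: match narrowly. Every matching packet is trapped to the CPU, so a
## broad term on a busy port is a self-inflicted control-plane load. The
## catch-all term is needed because a Junos filter ends in an implicit discard.
set firewall family inet filter CAP-DNS term dns from protocol udp
set firewall family inet filter CAP-DNS term dns from destination-port 53
set firewall family inet filter CAP-DNS term dns then packet-capture
set firewall family inet filter CAP-DNS term dns then accept
set firewall family inet filter CAP-DNS term rest then accept
set interfaces ge-0/0/0 unit 0 family inet filter input CAP-DNS

## Egress: host-bound packets leaving the same physical interface
set forwarding-options packet-capture-telemetry egress interface ge-0/0/0

## Collector side: subscribe to /junos/system/linecard/packet-capture over
## gRPC with TLS. Each record carries at most 128 bytes of the packet, which
## for DNS is enough to include the full query name.

## Cleanup once the troubleshooting window closes
## delete firewall family inet filter CAP-DNS term dns then packet-capture
## delete forwarding-options packet-capture-telemetry egress interface ge-0/0/0
```

The 128-byte limit does not make the data harmless: the first 128 bytes of a packet routinely contain query names, request lines and other identifying material, so the collector's storage and access control need the same treatment as a full packet capture.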
- G.8275.1 Telecom profile and PTP over Ethernet encapsulation support (ACX2100 and ACX2200)—Starting in Junos OS Release 21.2R1, ACX2100 and ACX2200 routers support Precision Time Protocol (PTP) over Ethernet encapsulation and the G.8275.1 Telecom profile.
The G.8275.1 Telecom profile supports the architecture defined in ITU-T G.8275 to enable the distribution of phase and time with full timing support. This profile requires all devices in the network to operate in combined or hybrid mode, which means that both PTP and Synchronous Ethernet are enabled on every device.
PTP over Ethernet lets operators deliver synchronization services over packet-based mobile backhaul networks.
[See G.8275.1 Telecom Profile and Precision Time Protocol Overview.]
- Hardware-assisted inline BFD (QFX5120-32C and QFX5120-48Y)—Starting in Junos OS Release 21.2R1, we support a hardware implementation of inline BFD in ASIC firmware. The ASIC firmware handles most of the BFD protocol processing and uses the existing paths to forward any BFD events that must be handled by the protocol processes. Because the firmware processes packets faster than software, hardware-assisted inline BFD sessions can use keepalive intervals of less than a second. These platforms support this feature for single-hop and multihop IPv4 and IPv6 BFD sessions.
Limitations:
- If the Packet Forwarding Engine process restarts or the system reboots, the BFD sessions go down.
- When using hardware-assisted BFD with ECMP, if hardware recovery takes longer than the BFD detection time, the BFD session can flap.
Hardware-assisted inline BFD:
- Does not support micro BFD.
- Is supported only on standalone devices.
- Does not support BFD authentication, so sessions that must be authenticated cannot use the hardware-assisted path.
- Does not support IPv6 link-local BFD sessions.
- Cannot be used with VXLAN encapsulation of BFD packets.
- Cannot be used with LAG.
- Cannot be used with ECMP on QFX5120 Series devices.
[See ppm and Bidirectional Forwarding Detection (BFD).]
- Interoperability of MPC10E with MX-SPC3 for IPsec services steering (MX240, MX480, and MX960)—Starting in Junos OS Release 21.2R1, the MPC10E-15C-MRATE and MPC10E-10C-MRATE interoperate with the MX-SPC3 card to enable the packet forwarding path that steers packets to the MX-SPC3 card. The MPC10E line card can perform the ingress or egress processing for IPsec services packets through the st0 and vms interfaces, next hops, and routes programmed in the line card. [See MPC10E-15C-MRATE and MPC10E-10C-MRATE.]
- Interoperability of MPC10E with MX-SPC3 to support TLB (MX240, MX480, and MX960)—Starting in Junos OS Release 21.2R1, the MPC10E-15C-MRATE and MPC10E-10C-MRATE interoperate with the MX-SPC3 card to support traffic load balancing. Using the Traffic Load Balancer (TLB) application, you can distribute traffic among multiple servers in a server group and perform health checks to determine which servers should not receive traffic. TLB supports multiple VPN routing and forwarding (VRF) instances.
- MRU support (SRX1500, SRX4100, SRX4200, SRX4600, SRX5400, SRX5600, and SRX5800)—Starting in Junos OS Release 21.2R1, you can configure a maximum receive unit (MRU) size so that an interface accepts packets larger than its configured MTU, and you can set different values for MTU and MRU to avoid frequent fragmentation and reassembly of larger packets on the receiving side. You can configure MRU on xe, ge, et, and reth interfaces. Use the mru statement, for a redundant Ethernet interface at the [edit interfaces reth0 redundant-ether-options] hierarchy level, to configure the MRU size in bytes. [See mru.]
- Support for BGP MVPN (ACX710 routers)—Starting in Junos OS Release 21.2R1, ACX710 routers support BGP multicast virtual private network (MVPN), also known as next-generation (NG) MVPN. You can configure multipoint LDP provider tunnels as the data plane for intra-AS BGP MVPNs. ACX710 routers do not support extranet MVPN.
- TCP proxy short-circuit (SRX Series)—Starting in Junos OS Release 21.2R1, for a session with an active TCP proxy plug-in, the SRX Series device disables the TCP proxy once the plug-in is no longer required, based on the user-defined configuration or the state of the flow. This enhancement significantly improves session flow performance.
- TLS version 1.3 support for SSL proxy (SRX Series)—Starting in Junos OS Release 21.2R1, the Secure Sockets Layer (SSL) proxy supports Transport Layer Security (TLS) protocol version 1.3, which provides improved security and better performance. TLS version 1.3 supports the following cipher suites:
- TLS_AES_256_GCM_SHA384
- TLS_AES_128_GCM_SHA256
- TLS_CHACHA20_POLY1305_SHA256
- TLS_AES_128_CCM_SHA256
- TLS_AES_128_CCM_8_SHA256
Note that TLS_AES_128_CCM_8_SHA256 uses a truncated 64-bit authentication tag and is intended for constrained devices; prefer the GCM or ChaCha20-Poly1305 suites wherever the peers support them.
[See SSL Proxy.]