Services Applications
- Inband Flow Analyzer (IFA) 2.0 (QFX5120-48Y and QFX5120-32C)—In Junos OS Release 21.4R1, we've introduced support for IFA 2.0 on QFX Series switches. IFA 2.0 monitors and analyzes packets entering and exiting the network. You can use IFA 2.0 to monitor the network for faults and performance issues. IFA 2.0 supports both Layer 3 and VXLAN flows.
  With IFA 2.0, you can collect various flow-specific information from the data plane, without the involvement of the control plane or the host CPU. IFA collects data on a per-hop basis across the network. You can export this data to external collectors to perform localized or end-to-end analytics.
  IFA 2.0 contains three different processing nodes:
  - IFA initiator node
  - IFA transit node
  - IFA terminating node
  [See Inband Flow Analyzer (IFA) 2.0 Probe for Real-Time Performance Monitoring, inband-flow-telemetry, show services inband-flow-telemetry, and clear inband-flow-telemetry stats.]
- Support for GeoIP filtering, global allowlist, and global blocklist (MX240, MX480, and MX960)—Starting in Junos OS Release 21.4R1, you can configure the Security Intelligence process ipfd on the listed MX Series routers to fetch GeoIP feeds from Policy Enforcer. The GeoIP feeds help prevent devices from communicating with IP addresses belonging to specific countries.
  You can define:
  - A profile to dynamically fetch GeoIP feeds. Include the geo-ip rule match country country-name statement at the [edit services web-filter profile profile-name security-intelligence-policy] hierarchy level.
  - A template to dynamically fetch GeoIP feeds. Include the geo-ip rule match group group-name statement at the [edit services web-filter profile profile-name url-filter-template template-name security-intelligence-policy] hierarchy level.
  You can define a global allowlist by configuring the white-list (IP-address-list | file-name) statement at the [edit services web-filter profile profile-name security-intelligence-policy] hierarchy level. You can define a global blocklist by configuring the black-list (IP-address-list | file-name) statement at the [edit services web-filter profile profile-name security-intelligence-policy] hierarchy level. Here, IP-address-list refers to the name of the list specified at the [edit services web-filter] hierarchy level. The file-name option refers to the name of the file where the list of the IP addresses to be allowed or blocked is specified. The file must be in the /var/db/url-filterd directory and must have the same name as in the configuration.
  [See Integration of Juniper ATP Cloud and Web filtering on MX Routers.]
- Support for Two-Way Active Measurement Protocol (TWAMP) and hardware timestamping of RPM probe messages (EX9200 line of switches)—Starting in Release 24.1R1, Junos OS supports TWAMP and hardware timestamping of real-time performance monitoring (RPM) probe messages on the EX9200 line of switches.
  You can use TWAMP to measure IP performance between two devices in a network. By enabling hardware timestamping of RPM, you can account for the latency in the communication of probe messages and also generate more accurate timers in the Packet Forwarding Engine.
  [See Understand Two-Way Active Measurement Protocol and Understanding Using Probes for Real-Time Performance Monitoring on M, T, PTX, and MX Series Routers and QFX Switches.]
- IPv6 link-local address support for TWAMP Light (MX Series, vMX, PTX1000, PTX3000, and PTX5000)—Starting in Junos OS Release 21.4R1, you can specify IPv6 link-local addresses for target addresses. You can also configure IPv6 addresses for source addresses that correspond to target addresses configured with IPv6 link-local addresses. To configure a TWAMP Light target address as an IPv6 link-local address, include both the:
  - local-link logical-interface-name option for the target-address statement at the [edit services rpm twamp client control-connection connection-name test-session session-name] hierarchy level
  - control-type light statement at the [edit services rpm twamp client control-connection connection-name] hierarchy level
  [See Configure TWAMP.]