Junos 9.5 Release Highlights

MX Series

Dynamic Application Awareness

Dynamic Application Awareness is a new optionally licensed software that provides layer 4 - 7 application identification on MX Series routers that helps customers maintain tight control over network resources, improve operations, and offer differentiated services.

Dynamic Application Awareness examines the packets of newly initiated sessions to identify the application. Once identified, a router-integrated policy management function provisions the forwarding plane with the appropriate handling instructions (e.g.; block, rate limit, apply CoS, etc), in order to support fine-grained per-application QoS and SLAs.

Data collected by Dynamic Application Awareness can be exported to reporting tools in order to enhance route and capacity planning activities, verify adherence to SLAs, more precisely model the impact of specific applications on the network, and can help align infrastructure investment with application requirements.

FPC2

MX FPCs occupy two slots and are designed to accept up to two physical interface cards (PIC) commonly used with the M Series and T Series routers. These modules allow the MX Series to support non-Ethernet interfaces and the PIC portability between M Series, T Series, and MX Series routers provide common sparing and investment protection.

M Series

IQ-E PIC

The Juniper Networks Enhanced IQ PIC family extends the latest technical advancements in traffic management technology, allowing service providers and enterprises to meet their most demanding needs in terms of cost-effective TDM aggregation.

The family offers a diverse set of SONET/SDH, PDH, channelized and non-channelized interfaces that can support large numbers of customers per interface across a broad range of interface types and speeds (from T1/E1 to OC48/STM16) with advanced class-of-service (CoS) capabilities.

Junos release 9.5 adds support for the last card of the family - a 10-port T1/E1 PIC which supports per-port selection of DS1 / E1, DS0 level channelization, various encapsulations, rich COS capabilities, and increased scaling.

M10I

Unified in-service software upgrade (ISSU) with enhanced CFEB

For high-end routing platforms Juniper offers unified in-service software upgrade (ISSU). Unified ISSU enables the complete upgrade from one Junos Software version to another with no disruption on the control plane and with minimal disruption of traffic. Unlike solutions requiring piecemeal system updates, unified ISSU upgrades your entire system to preserve the full integrity of quality and regression testing and minimize upgrade time and risk. The Junos 9.5R1 release extends unified ISSU to the M10i with enhanced CFEB.

J Series

Unified Threat Management (UTM)

Unified Threat Management (UTM) is a term used to describe the consolidation of several security features into one device, protecting against multiple threat types. The advantage of UTM is streamlined installation and management of these multiple security capabilities. New UTM capabilities for J Series available in the Junos 9.5 release include:

• Antispam - E-mail spam consists of unwanted e-mail messages, usually sent by commercial, malicious, or fraudulent entities. The antispam feature examines transmitted e-mail messages to identify e-mail spam. When the device detects an e-mail message deemed to be spam, it either drops the message or tags the message header or subject field with a pre-programmed string.
• Content filtering - Content filtering blocks or allows certain types of traffic based on the MIME type, file extension, protocol command, and embedded object type. Content filtering does not require a separate license.
• Full file-based antivirus - A virus is an executable code that infects or attaches itself to other executable code to reproduce itself. Some malicious viruses erase files or lock up systems. Other viruses merely infect files and overwhelm the target host or network with bogus data.
• Integrated web filtering - Web filtering lets you manage Internet usage by preventing access to inappropriate web content. With the integrated web filtering solution, the decision-making for blocking or permitting web access is done on the device after it identifies the category for a URL either from user-defined categories or from a category server (Websense provides the CPA Server). The integrated web filtering feature is a separately licensed subscription service.
• Redirect web filtering ­- Web filtering lets you manage Internet usage by preventing access to inappropriate web content. The redirect web filtering solution intercepts HTTP requests and forwards the server URL to an external URL filtering server provided by Websense to determine whether to block or permit the requested web access. Redirect web filtering does not require a separate license.

VPLS

This release supports virtual private LAN service (VPLS), an Ethernet-based point-to-multipoint Layer 2 virtual private network (VPN), on J Series Services Routers. VPLS allows you to connect geographically dispersed Ethernet LAN sites to each other across a service provider's MPLS backbone.

SRX5600/5800

Flexible I/O card

This release of Junos supports the new SRX5K-FPC-IOC modular Flex I/O Card (IOC) for the SRX 5600 and SRX 5800 services gateways.

Flex IOCs have two slots and accept port modules that add Ethernet ports to your services gateway. A flex IOC with port modules installed in it functions in the same way as a regular IOC, but allows greater flexibility in adding different types of Ethernet ports to your services gateway.

SRX3400/3600/5600/5800

Chassis cluster A/A

This feature is supported on SRX3400, SRX3600, SRX5600, and SRX5800 devices.

The data plane now supports active/active chassis clustering for these SRX Series devices. The chassis clustering on these SRX Series devices is no longer restricted to the creation of only one redundancy group beyond redundancy group 0. You can now configure one or more redundancy groups numbered 1 through 128. Multiple redundancy groups make it possible for traffic to arrive on an interface of one redundancy group and egress on an interface that belongs to another redundancy group. In this situation, the ingress and egress interfaces might not be active on the same node. When this happens, the traffic is forwarded over the fabric link to the appropriate node. SRX Series chassis clusters operate with an active/backup control plane.

IPV4 Multicast

The SRX3400, SRX3600, SRX5600, and SRX5800 devices support multicast protocols such as:

• PIM/SM DM
• DVMRP
• MSDP
• SAP

Jumbo frame

Jumbo frames, or 9192 byte MTUs, on Gigabit Ethernet interfaces and 10-Gigabit Ethernet interfaces is supported on SRX3400, SRX3600, SRX5600, and SRX5800 devices.

IS-IS

IS-IS protocol, a classless interior routing protocol developed by the International Organisation for Standardisation (ISO) as part of the development of the Open Systems Interconnection (OSI) protocol suite, is supported on SRX3400, SRX3600, SRX5600, and SRX5800 devices. Like OSPF routing, IS-IS uses hello packets that allow network convergence to occur quickly when network changes are detected.

SRX Series

J-Flow

Traffic sampling allows you to sample IP traffic based on particular input interfaces and various fields in the packet header. J-Flow allows the user to export data to the UDP port of a remote workstation for data collection and further processing.

SRX as UAC enforcement point

You can configure the SRX Series to act as a Junos Enforcer in a Unified Access Control (UAC) deployment. When deployed as a Junos Enforcer, the device enforces the policies that are defined on the UAC's Infranet Controller.

L2 transparent mode

Layer 2 bridging with transparent mode provides full security services on top of Layer 2 bridging functions. An SRX services gateway operates in Layer 2 transparent mode when all physical interfaces on the device are configured as Layer 2 logical interfaces.

SRX3400/3600

Simple FW filter

To handle oversubscribed traffic in the SRX3400 and SRX3600 series devices, you can configure simple filters and policing. The simple filter functionality comprises of the following:

• Classifying packets according to configured policies
• Taking appropriate actions based on the results of classification

SRX210/240

L3 remote access (clientless VPN)

The current objective for this feature is to provide a simple IPSEC client implementation for setting up remote access IPSEC VPNs with the SRX device. It is supported only in the SRX210 and SRX240.

EX3200/4200 Switches

MAC learning disable

The MAC learning disable feature enables a customer to selectively turn off the learning of MAC addresses on a switch level or on an individual level. Customers deploying EX Series Switches in a Service Provider Q-in-Q network can enable this feature to protect the edge EX Switch connecting to a customer's network from learning the MAC addresses of hosts in the customer's network.

Dynamic Access Control Lists (ACL) for multi-supplicant ports

This feature customizes authentication or role-based policies sent from the RADIUS server using the MAC address of the authenticating host when connected to a multiple supplicant port of the EX Series Switch.

When different hosts connected to a single port on an EX Switch authenticate using either 802.1X or MAC-RADIUS, each of the authenticated hosts can be subject to a policy sent by the RADIUS server. These policies are then customized with the source MAC address of each host such that the policy meant for one host does not affect another host on the same network port.

MPLS Cross Connect Circuits

Junos MPLS for EX Series Switches supports Layer 2 protocols and Layer 2 virtual private networks (VPNs). The MPLS Cross Connect Circuits (MPLS-CCC) can be configured on your switches to increase transport efficiency in your network. These MPLS services can be used in a backbone network which connects various sites and aggregates the traffic towards a provider edge network.

The MPLS-CCC implementation is single-label based and supports RSVP-based signaling. The feature also supports path protection to protect the MPLS network from label-switched path failures.

Auto-provisioning of Virtual Chassis extension

Currently, if a virtual chassis (VC) needs to be formed across EX4200 devices over network ports, such network ports must be first configured individually on each box. To achieve this, each device must have a network connectivity of its own and should be reachable before forming a VC. Auto-provisioning feature provides an easy way to dynamically configure VC ports on EX 4200 Switches, thus eliminating the need to connect to each device and configure it individually.

Auto-provisioning will take effect only on a pre-provisioned VC. For example, the master should contain the serial number of all these line cards connected over the network port. Once the pre-provisioning is completed on the master, the VCPs are automatically configured and the line cards are added to the VC in the sequence they are connected.

Class of Service rewrite on routed VLAN interface

This feature enables customers to configure an interface-specific rewrite rule for changing the outgoing Class of Service (CoS) value of a packet routed out of a routed VLAN interface (RVI).

Customers can now choose to rewrite CoS values for packets being routed out of a VLAN and these rewrite rules can vary based on the outgoing RVI.

EX4200 Switches

5m Virtual Chassis Cable

Until now, EX4200 supported the following VC cable lengths - 0.5m, 1m and 3m. In addition to these lengths, EX4200 now supports 5 Meter VC cable lengths. The 5m VC cables can be useful in interconnecting adjacent or every other rack where 3m cable lengths are not long enough. For example, in some Data Centres, VC cables would have to go up from the cabinet to the cable racking, then across to the adjacent or more likely to the adjacent plus one cabinet, then down from the cable tray to the cabinet. The 5m VC cables address such height and inter-rack distance restrictions and simplify deployment.

EX3200/4200/8200 Switches

Internet Group Management Protocol (IGMP) filter

IGMP filter specifies the list of multicast groups that a multicast listener can join.

This feature is used by service providers providing IP triple play services to control users from accessing channels or multimedia streams they don't have access to.

Multicast Source Discovery Protocol (MSDP)

The Multicast Source Discovery Protocol (MSDP) describes a mechanism to connect multiple PIM Sparse-Mode (PIM-SM) domains together. Each PIM-SM domain uses its own independent rendezvous point(s) (RPs) and does not have to depend on RPs in other domains. Advantages of this approach include:

• No third-party resource dependencies on a domain's RP PIM-SM domains can rely on their own RPs only.
• Receiver-only domains: Domains with only receivers get data without globally advertising group membership.

MSDP may be used with protocols other than PIM-SM.