New Features in JUNOS Software for EX-series Switches, Release 9.3
New features in Release 9.3 of JUNOS software for EX-series switches are described on the following pages:
- 802.1X, Port Security, and VoIP
- Access Control and Port Security
- Bridging, VLANs, and Spanning Trees
- Class of Service (CoS)
- High Availability
- Interfaces
- Layer 3 Protocols
- Management and RMON
- Packet Filters
- PoE
802.1X, Port Security, and VoIP
- MAC RADIUS authentication—To permit nonresponsive hosts access to the LAN, you can configure MAC RADIUS authentication on the interface to which a nonresponsive host is connected. When the MAC address of a nonresponsive host appears on the interface, the switch consults the RADIUS server to check whether the MAC address is a permitted MAC address. If the MAC address of the nonresponsive host is configured as permitted on the RADIUS server, the RADIUS server informs the switch that the MAC address is a permitted address, and the switch opens LAN access to the nonresponsive host on the interface to which it is connected.
You also can configure MAC RADIUS authentication to automatically eliminate the normal 90-second delay needed for the switch to determine that a device is a nonresponsive host. All 802.1X packets received on that interface will be dropped.
- Server fail fallback—Server fail fallback allows you to specify how 802.1X supplicants connected to the switch are supported if the RADIUS authentication server becomes unavailable or sends an Extensible Authentication Protocol Over LAN (EAPOL) Access-Reject message. Server fail fallback also allows you to specify that a supplicant be moved to a specified VLAN if the switch receives an EAPOL Access-Reject message.
Access Control and Port Security
- DHCP option 82—The switch inserts DHCP option 82 information in Layer 2 and Layer 3 packets to provide information to the DHCP server about a DHCP client’s network. Option 82 suboptions are circuit ID, remote ID, and vendor ID. The feature helps to protect the switch against spoofing (forging) of IP addresses and MAC addresses and against DHCP IP address starvation. If the server or clients connect to the switch through a routed VLAN interface (RVI), the switch relays the requests to the server. If the server and clients connect to the switch on the same VLAN, the switch forwards the requests. The feature supports RFC 3046, DHCP Relay Agent Information Option.
- DHCP snooping—Information can now be acquired and saved in the DHCP snooping database when the switch is configured as a DHCP/BOOTP relay agent or as a DHCP server (called the “local” configuration).
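A parser for the option 82 (RFC 3046) suboptions described above, with a server-side check that a relayed request names a trusted relay. This is an added example, not Juniper code; the suboption layout is the RFC's, and the sample bytes, circuit ID and remote ID values are constructed.

```python
# Parser for the DHCP Relay Agent Information option (option 82, RFC 3046)
# plus a server-side trust check. Added example, not Juniper code; the TLV
# layout is the RFC's, while the sample bytes and relay IDs are constructed.

OPT_RELAY_AGENT, OPT_END, OPT_PAD = 82, 255, 0
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2      # RFC 3046 suboption codes

def parse_tlvs(raw, options_field=False):
    """Walk (code, length, value) triplets into a dict.
    The options field and the suboptions inside option 82 share this layout;
    only the outer options field carries pad (0) and end (255) markers."""
    out, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if options_field and code == OPT_END:
            break
        if options_field and code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated header at offset %d" % i)
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:               # declared length runs past the buffer
            raise ValueError("truncated value for code %d" % code)
        out[code] = value
        i += 2 + length
    return out

def check_relayed_request(options, trusted_remote_ids):
    """Server-side check: the request must carry option 82 naming a relay
    we trust; otherwise it did not arrive through the switch's relay path."""
    opts = parse_tlvs(options, options_field=True)
    if OPT_RELAY_AGENT not in opts:
        return "reject: no option 82"
    subs = parse_tlvs(opts[OPT_RELAY_AGENT])
    if subs.get(SUB_REMOTE_ID) not in trusted_remote_ids:
        return "reject: untrusted relay"
    return "accept: circuit %s" % subs.get(SUB_CIRCUIT_ID, b"").hex()

# Constructed DISCOVER options: message type (53) followed by option 82 that
# carries circuit ID 0x0005 (the port) and remote ID "sw01" (the switch).
SAMPLE = (bytes([53, 1, 1, OPT_RELAY_AGENT, 10,
                 SUB_CIRCUIT_ID, 2, 0x00, 0x05,
                 SUB_REMOTE_ID, 4]) + b"sw01" + bytes([OPT_END]))
```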
Bridging, VLANs, and Spanning Trees
- Private VLANs—The private VLAN (PVLAN) features on EX-series switches allow an administrator to split a broadcast domain into multiple isolated broadcast subdomains, like a VLAN inside a VLAN. Just like regular VLANs, PVLANs are isolated on Layer 2 and require a Layer 3 device to route traffic among them.
- Q-in-Q tunneling—Q-in-Q tunneling is commonly used by service providers on Ethernet access networks to segregate customer traffic into different VLANs. In Q-in-Q, a service 802.1Q (dot1q) tag is used on the service provider network to segregate traffic into different VLANs defined by the service provider.
- Unknown unicast forwarding—Unknown unicast traffic consists of unicast packets with unknown destination MAC addresses. By default, the switch floods these unicast packets that are traveling in a VLAN to all interfaces that are members of the VLAN. Forwarding this type of traffic to interfaces on the switch can trigger a security issue. The LAN is suddenly flooded with packets, creating unnecessary traffic that leads to poor network performance or even a complete loss of network service. This is known as a traffic storm. To prevent a storm, you can disable the flooding of unknown unicast packets to all interfaces by channeling them to a specific trunk interface.
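A small bridge model of the unknown unicast behaviour described above: by default a frame to an unlearned destination is flooded to every member of the VLAN, while channelling sends it to one trunk only. This is an added example, not Juniper code; the VLAN membership, interface names and burst of frames are constructed.

```python
# Layer 2 unicast forwarding with the default flood of unknown destinations
# and with unknown unicast channelled to one trunk interface. Added example,
# not Juniper code; VLAN membership, interface names and frames are constructed.

class Bridge:
    def __init__(self, vlan_members, unknown_unicast_trunk=None):
        self.members = vlan_members          # vlan -> member interfaces
        self.mac_table = {}                  # (vlan, mac) -> interface it was learned on
        self.trunk = unknown_unicast_trunk or {}   # vlan -> trunk for unknown unicast

    def egress_ports(self, vlan, dst_mac, ingress):
        """Interfaces a unicast frame is sent out of, never including its ingress."""
        port = self.mac_table.get((vlan, dst_mac))
        if port is not None:                         # known destination: one port
            return [] if port == ingress else [port]
        if vlan in self.trunk:                       # unknown: channel to the trunk
            return [] if self.trunk[vlan] == ingress else [self.trunk[vlan]]
        return [p for p in self.members[vlan] if p != ingress]   # unknown: flood

    def forward(self, vlan, src_mac, dst_mac, ingress):
        self.mac_table[(vlan, src_mac)] = ingress    # learn the source first
        return self.egress_ports(vlan, dst_mac, ingress)

def copies_generated(bridge, frames):
    """Total copies emitted for a burst of (vlan, src, dst, ingress) frames;
    a large number relative to the burst size is the storm the text describes."""
    return sum(len(bridge.forward(*f)) for f in frames)

# Constructed VLAN with 24 access ports plus one uplink, and a burst of 100
# frames from one host to destinations nobody has learned.
VLAN = {10: ["ge-0/0/%d" % i for i in range(1, 25)] + ["ge-0/1/0"]}
BURST = [(10, "00:aa:bb:cc:dd:01", "00:de:ad:be:ef:%02x" % i, "ge-0/0/1")
         for i in range(100)]
```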
Class of Service (CoS)
- JUNOS EZQoS—JUNOS EZQoS on EX-series switches eliminates the complexities involved in configuring class of service (CoS) across the network.
- Per-interface BA classifiers—Per-interface behavior aggregate (BA) classifiers enable you to apply different BA classifiers to each interface in the switch, which allows you to classify traffic as it enters the switch.
- Port shaping—Port shaping allows you to shape aggregate traffic through a port or channel to a rate that is less than the line or port rate. With port shaping, you can configure schedulers at the port level.
- Rate shaping—Rate shaping throttles the rate at which queues transmit packets. Rate shaping is TCP friendly; that is, it buffers packets that are above the rate, rather than dropping them.
High Availability
- MAC table aging on Virtual Chassis management VLANs—MAC table aging has been extended to the Virtual Chassis management VLAN. The aging process ensures that the switch tracks only active nodes on the network and that it can flush out nodes that are no longer available.
- Virtual Chassis fast failover—The Virtual Chassis fast failover feature is a hardware-assisted failover mechanism that automatically reroutes traffic and reduces traffic loss in the event of a link failure or a member switch failure. If a link between two members fails, traffic flow between those members must be rerouted quickly so that there is minimal traffic loss.
- Virtual Chassis software upgrade enhancements—When you upgrade software in a Virtual Chassis configuration, the upgrade will either succeed or fail on all member switches, preventing the situation in which only some Virtual Chassis member switches are upgraded.
- Virtual Chassis split and merge—If there is a disruption to the Virtual Chassis configuration due to a member switch failing or being removed from the configuration, the Virtual Chassis configuration splits into two separate Virtual Chassis. This situation could cause disruptions in the network if the two separate configurations share common resources, such as global IP addresses. The Virtual Chassis split and merge feature provides a method to prevent the split Virtual Chassis from adversely affecting the network and also allows the two parts to merge back into a single Virtual Chassis configuration after the problem that caused the split has been resolved. You can also use this feature to merge two active but separate Virtual Chassis that have not previously been part of the same configuration into one Virtual Chassis configuration.
Interfaces
- Unicast reverse-path forwarding (RPF)—Unicast RPF helps protect the switch against denial-of-service (DoS) and distributed DoS (DDoS) attacks by verifying the unicast source address of each packet that arrives on an ingress interface on which unicast RPF is enabled.
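The check described above, modelled in strict mode: the source address is looked up in the forwarding table and the packet passes only if the best route back to that source leaves via the interface the packet arrived on. This is an added example, not Juniper code; the forwarding table, interface names and packets are constructed, and the comment on the default-route interface is a general caveat rather than something the release notes state.

```python
# Strict unicast RPF: the source address of an arriving packet is looked up
# in the forwarding table and must route back out the interface it arrived
# on. Added example, not Juniper code; FIB, interface names and packets are
# constructed.
import ipaddress

FIB = {                          # prefix -> egress interface
    "10.1.0.0/16": "ge-0/0/1",
    "10.1.5.0/24": "ge-0/0/2",
    "0.0.0.0/0": "ge-0/0/0",     # default route towards the upstream
}

def lookup(fib, addr):
    """Longest-prefix match; returns the egress interface or None."""
    ip = ipaddress.ip_address(addr)
    best = (-1, None)
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and net.prefixlen > best[0]:
            best = (net.prefixlen, iface)
    return best[1]

def rpf_strict(fib, src, ingress):
    """Pass only if the best route back to src leaves via the ingress interface."""
    return lookup(fib, src) == ingress

def apply_rpf(fib, packets, rpf_interfaces):
    """Split (ingress, src, dst) packets into (forwarded, dropped) lists; only
    packets arriving on interfaces where RPF is enabled are checked."""
    forwarded, dropped = [], []
    for pkt in packets:
        ingress, src, _dst = pkt
        if ingress in rpf_interfaces and not rpf_strict(fib, src, ingress):
            dropped.append(pkt)
        else:
            forwarded.append(pkt)
    return forwarded, dropped

# Caveat: on the interface that owns the default route, strict RPF can only
# reject sources that belong to a more specific internal prefix.
PACKETS = [
    ("ge-0/0/2", "10.1.5.7", "10.1.1.1"),       # host on its own subnet: passes
    ("ge-0/0/1", "10.1.5.7", "10.1.1.1"),       # 10.1.5.0/24 is behind ge-0/0/2: dropped
    ("ge-0/0/0", "10.1.9.9", "10.1.1.1"),       # internal source from upstream: dropped
    ("ge-0/0/0", "198.51.100.4", "10.1.1.1"),   # matches only the default route: passes
]
```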
Layer 3 Protocols
- IPv6—Support is provided for IPv6 routing, forwarding, and management (excluding multicast).
Management and RMON
- Real-time performance monitoring—Real-time performance monitoring (RPM) enables you to configure active probes to track and monitor traffic on the switch. EX-series switches support all JUNOS RPM options.
- sFlow technology—sFlow technology is a monitoring technology for high-speed switched or routed networks that you can use to continuously monitor traffic at wire speed on all interfaces simultaneously. sFlow data can be used to provide network traffic visibility information. JUNOS software on EX-series switches supports the sFlow standard, which is described in RFC 3176, InMon Corporation’s sFlow: A Method for Monitoring Traffic in Switches and Routed Networks.
Packet Filters
- Additional firewall filter processing points—For Layer 2 (bridged) unicast packets, firewall filter processing points now include the egress port firewall filter and the egress VLAN firewall filter.
PoE
- Power management mode—You can use the power management mode to determine the number of interfaces that can be provided with power. The two modes of power management are static and class.