New Features in JUNOS Software Release 9.5 for J-series Services Routers
JUNOS Software
Release 9.5 of JUNOS software includes the following features.
Chassis Clustering
- Control link recovery—This feature is supported on J2320, J2350, J4350, and J6350 Services Routers. Prior to this release, when a node was disabled due to control link failure, after fixing the issue, you had to manually reboot the disabled node to make the disabled node rejoin the cluster. With this release, you can specify that control link recovery be done automatically by the system by using the set chassis cluster control-link-recovery command (this feature is disabled by default). Once the system determines that the control link is healthy, it issues an automatic reboot on the disabled node. When the disabled node reboots, the node rejoins the cluster. There is no need for any manual intervention.
- Cold synchronization monitoring—This feature is supported on J-series Services Routers. The process of synchronizing data-plane runtime objects (RTOs) on the startup of the Services Processing Units (SPUs) or flowd is called cold sync. Chassis clustering supports the process of monitoring the cold-sync state of all SPUs or flowd on a node. Also, if you enable preempt, cold-sync monitoring prevents the node from taking over mastership until the cold-sync process is completed for all the SPUs or flowd on the node.
- SNMP failover traps—This feature is supported on the J-series Services Routers. Chassis clustering supports SNMP traps, which are triggered whenever there is a redundancy group failover. You can specify that a trace log be generated by using the set chassis cluster traceoptions flag snmp command.
Flow-Based Processing
J-series devices now use flow-based processing comparable to that used on SRX-series devices. For more information, see the JUNOS Software Interfaces and Routing Configuration Guide for Security Devices.
Intrusion Detection and Prevention (IDP)
- Configuring IDP test conditions in custom anomaly attacks—The user can now see the supported test conditions for a protocol in the CLI.
When configuring IDP custom attacks, you can now list supported test conditions for a specific protocol. For example, to configure test conditions for ICMP:
- List supported test conditions for ICMP and choose the one you want to configure:
[edit security idp custom-attack test1 attack-type anomaly]
user@host# set test icmp?
Possible completions:
<test> Protocol anomaly condition to be checked
ADDRESSMASK_REQUEST
DIFF_CHECKSUM_IN_RESEND
DIFF_CHECKSUM_IN_RESPONSE
DIFF_LENGTH_IN_RESEND
- Configure the service for which you want to configure the test condition.
[edit security idp custom-attack test1 attack-type anomaly]
user@host# set service ICMP
- Configure the test condition (specifying the protocol name is not required):
[edit security idp custom-attack test1 attack-type anomaly]
user@host# set test ADDRESSMASK_REQUEST
Interfaces and Routing
- Link Fragmentation and Interleaving (LFI) over Asymmetric Digital Subscriber Line (ADSL)—This release of JUNOS software supports link fragmentation and interleaving (LFI) for asymmetric digital subscriber line (ADSL). LFI requires Multilink Point-to-Point Protocol (MLPPP) on ADSL, which involves enabling the existing CLI under the xDSL interface to support MLPPP encapsulation and the family mlppp. MLPPP LFI is supported on xDSL Single IFL (logical interface).
- Voice over IP joint development with Avaya phase 1 (JD1)—This feature is now supported on J2320, J2350, J4350, and J6350 Services Routers.
J-Web
- J-Web User Interface—IPv6 management support for J-Web is available in this release. Users can access J-Web through the IPv6 address. The IPv6 address is assigned to the management interface and then J-Web is accessed.
- J-Web Monitor pages for enhanced switching—The J-Web interface now provides Monitor pages for enhanced switching. New Monitor pages for enhanced switching allow you to monitor information and status for the following:
- Internet Group Management Protocol (IGMP) snooping
- Ethernet switching
- J-Web Quick Configuration pages for enhanced switching—The J-Web interface now provides Quick Configuration pages for enhanced switching. New Quick Configuration pages for enhanced switching allow you to configure information for the following:
- Virtual LAN (VLAN)
- Spanning Tree Protocol (STP)
- Link Aggregation Control Protocol (LACP)
- Generic Virtual Local Area Network Registration Protocol (GVRP)
- IGMP snooping
- Dot1X
Network Address Translation (NAT)
Network Address Translation (NAT) is a method by which IP addresses in a packet are mapped from one group to another and, optionally, port numbers in the packet are translated into different port numbers. NAT is described in RFC 1631 to solve IP (version 4) address depletion problems. On J-series devices, JUNOS software decouples NAT configuration from policy configuration. NAT now uses rules to regulate traffic on J-series devices. NAT on J-series Services Routers is compatible with SRX-series devices and is configured in the same way as on SRX-series devices.
Unified Access Control (UAC) Integration
You can configure a J-series Services Router to act as a JUNOS Enforcer in a Unified Access Control (UAC) deployment. When deployed as a JUNOS Enforcer, the J-series device enforces the policies that are defined on the UAC’s Infranet Controller.
To configure the J-series device as a JUNOS Enforcer, enable the uac-policy option for the application-services statement at the [set security policies from-zone zone-name to-zone zone-name policy match then permit] hierarchy level. Then use the unified-access-control statement at the [edit services] hierarchy level to configure UAC features. For more information, see the JUNOS Software Security Configuration Guide.
Unified Threat Management (UTM)
- Antispam—E-mail spam consists of unwanted e-mail messages, usually sent by commercial, malicious, or fraudulent entities. The antispam feature examines transmitted e-mail messages to identify e-mail spam. When the device detects an e-mail message deemed to be spam, it either drops the message or tags the message header or subject field with a preprogrammed string.
The antispam feature uses a constantly updated spam block list (SBL). Sophos updates and maintains the IP-based SBL. The antispam feature is a separately licensed subscription service.
To configure antispam, use the antispam statement at the [set security utm feature-profile] hierarchy level. For more information, see the JUNOS Software Security Configuration Guide.
- Content filtering—Content filtering blocks or allows certain types of traffic based on the MIME type, file extension, protocol command, and embedded object type. Content filtering does not require a separate license.
To configure content filtering, use the content-filtering statement at the [set security utm feature-profile] hierarchy level. For more information, see the JUNOS Software Security Configuration Guide.
- Full file-based antivirus—A virus is executable code that infects or attaches itself to other executable code to reproduce itself. Some malicious viruses erase files or lock up systems. Other viruses merely infect files and overwhelm the target host or network with bogus data. The full file-based antivirus feature provides file-based scanning on specific Application Layer traffic checking for viruses against a virus signature database. It collects the received data packets until it has reconstructed the original application content, such as an e-mail file attachment, and then scans this content. Kaspersky Lab provides the internal scan engine. The full file-based antivirus scanning feature is a separately licensed subscription service.
To configure full file-based antivirus, use the antivirus kaspersky-lab-engine statement at the [set security utm feature-profile] hierarchy level. For more information, see the JUNOS Software Security Configuration Guide.
- Integrated Web filtering—Web filtering lets you manage Internet usage by preventing access to inappropriate Web content. With the integrated Web filtering solution, the decision-making for blocking or permitting Web access is done on the device after it identifies the category for a URL either from user-defined categories or from a category server (Websense provides the CPA Server). The integrated Web filtering feature is a separately licensed subscription service.
To configure integrated Web filtering, use the web-filtering surf-control-integrated statement at the [set security utm feature-profile] hierarchy level. For more information, see the JUNOS Software Security Configuration Guide.
- Redirect Web filtering—Web filtering lets you manage Internet usage by preventing access to inappropriate Web content. The redirect Web filtering solution intercepts HTTP requests and forwards the server URL to an external URL filtering server provided by Websense to determine whether to block or permit the requested Web access. Redirect Web filtering does not require a separate license.
To configure redirect Web filtering, use the web-filtering websense-redirect statement at the [set security utm feature-profile] hierarchy level. For more information, see the JUNOS Software Security Configuration Guide.
- UTM licensing—The majority of UTM features function as a subscription service requiring a license. You can redeem this license once you have purchased your subscription license SKUs.
To apply your UTM license, use the system license update statement at the [request] hierarchy level. For more information, see the JUNOS Software Security Configuration Guide.
- Antivirus SNMP support—SNMP support is provided for the following antivirus functionality: scan engine monitoring, signature database update status, and scan statistics.
For more information, see the JUNOS Network Management Guide.
VPLS
This release supports virtual private LAN service (VPLS), an Ethernet-based point-to-multipoint Layer 2 virtual private network (VPN), on J-series Services Routers. VPLS allows you to connect geographically dispersed Ethernet LAN sites to each other across a service provider's MPLS backbone.
To configure VPLS on a provider edge (PE) router to a customer edge (CE) router, use the following statements:
- set interfaces <name> encapsulation ethernet-vpls | extended-vlan-vpls | vlan-vpls
- set interfaces <name> unit 0 family vpls
To create and configure a VPLS routing instance, use the following statements:
- set routing-instances <name> instance-type vpls
- set routing-instances <name> protocols vpls site-range <number> site <name> site-identifier <number>
- set routing-instances <name> protocols vpls no-tunnel-services
- set routing-instances <name> route-distinguisher <distinguisher>
- set routing-instances <name> vrf-target target: <target>
- set routing-instances <name> instance-type vpls interface <interface>
Note: You must also configure MPLS label-switched paths (LSPs) between PE routers, internal BGP (IBGP) sessions between PE routers, and an interior gateway protocol (IGP) on the PE routers.
For more information, see the JUNOS Software Interfaces and Routing Configuration Guide for Security Devices.
