Junos 10.0 Release Highlights

Junos 10.0

Need Help?

Routing Platforms
Security Platforms
Switching Platforms

Multichassis Link Aggregation Group
MX Series routers now support multichassis link aggregation (MC-LAG), allowing a customer device to form a logical LAG interface with two MX devices. One MX device will be active and the other will be standby.

IP Fast Reroute (IP FRR) for OSPF Using Loop-Free Alternate Routes
This feature adds fast reroute capability for OSPF in M, MX and T Series routers and the TX Matrix. The Junos OS precomputes loop-free backup routes for all OSPF routes. These backup routes are preinstalled in the Packet Forwarding Engine, which performs a local repair and implements the backup path when the link for a primary next hop for a particular route is no longer available.

Packet-based IPsec Services
For Junos platforms equipped with services PICS or DPCs, this feature adds optional support for packet-based IPsec services. This feature supports a mix of flowless and flow-based IPsec within a service set.

Interface Ranges
The interface-range configuration statement available in Junos routing, switching and security devices helps group interfaces of the same type that share a common configuration profile, thus reducing the time and effort required to configure interfaces. The configurations common to all the interfaces can be included in the interface-range definition.

IPv6 for NG MVPN
Multiprotocol BGP-based multicast VPNs (also referred to as next-generation Layer 3 VPN multicast) can transport IPv6 multicast customer traffic over an IPv4 core network using RSVP-TE tunnels. This feature does not require IPv6 support in the core network. IPv6 support for NG MVPN is available in J, M, MX, and T Series routers and the TX Matrix.

Shared Tree for NG MVPN
For multiprotocol BGP-based multicast VPNs (also referred to as next-generation Layer 3 multicast VPNs), this feature provides support for all RPT-SPT mode operations, as described in Section 13 of the BGP-MVPN draft (draft-ietf-l3vpn-2547bis-mcast-bgp-00.txt). This feature is available in M, MX and T Series routers for shared tree support in the C-PIM instance.

VoIP BGF (Border Gateway Function) Capacity Enhancements
Adding the H.248 control processing option on the MS-PIC and MS-DPC (in addition to the already available RE option) provides more flexibility and capacity to the BGF. As an example, when using multiple instances of BGF per MX960 with H.248 control on an MS-DPC, the number of concurrent voice sessions can scale up to 100,000 per chassis.

HA for the VoIP BSG Signaling Engine
This feature adds high-availability of 1:1 when running SIP SBC services on the MS-DPC and MS-PIC. With this feature it is now possible to build full HA configurations of VoIP media and signaling functions.

Broadband Network Gateway (BNG) Selection for PPPoE Session
Load balance PPPoE sessions amongst a cluster of BNGs with this feature. The feature also allows BNG redundancy for PPPoE sessions, based on a delayed response for a PADI from a backup BNG. A single BNG within the cluster is selected to terminate a given PPPoE session based on a configured service name table, which contains entries consisting of service names and optionally ACI and ARI strings. This feature is available in the M120 or M320 router.

Dynamic VLAN Interface Authentication
This feature allows RADIUS authentication for autosensed VLANs created as a result of control or data traffic from a subscriber in MX Series and M320 routers. As a result of authentication, RADIUS server can provide an LS:RI where the auto-sensed VLAN is created. This allows for dynamic L3 wholesale scenario where the subscriber's VLAN is dynamically created in the appropriate routing domain corresponding to a retail ISP.

RADIUS Server Round-robin
This MX Series feature allows round-robin distribution of authentication and accounting messages amongst a configured list of RADIUS servers. This provides load-balancing of RADIUS interactions amongst multiple RAIDUS servers.

Multicast on Demux Interfaces (DSIs)
This MX Series feature allows a BNG to perform multicast replication over demux subscriber interfaces (DSIs) or perform an "OIF-map" function to a MC-VLAN based on IGMP transactions received over the demux subscriber interfaces. IGMP is run in passive mode on the demux interfaces and a single IGMP is run in the active mode on the underlying primary interface.

SRX210 and SRX240 Services Gateways with Integrated Convergence Services
The existing functionality on the SRX210 and SRX240 Services Gateways with Integrated Convergence Services is enhanced to include Voice over IP (VoIP) functionality along with multiple interfaces that support WAN and LAN connectivity. Besides Session Initiation Protocol (SIP)/analog voice support, additional features include 3G Wireless support, digital subscriber line access multiplexer (DSLAM), and Power over Ethernet (PoE). This product is available in North America only.

Integrated Convergence Services
Integrated Convergence Services optimizes and secures VoIP communication and applications. The features support the Open Convergence Architecture and provide the flexibility to select the SIP call servers, IP phones, and service providers to use. Junos 10.0 supports a broad set of VoIP functionality and features on the SRX210 and SRX240 devices, including:

MGW - A standards-based SIP media gateway (MGW) that connects VoIP networks to the PSTN so that calls can be made from, and routed to, local analog telephones, fax machines, and SIP IP phones behind it. When the SRX Series MGW is active, a SIP peer call server at the data center, or elsewhere, provides call handling services and call routing for the branch.
SCS - A survivable call server (SCS) provides local call handling and basic call routing when the SIP peer call server cannot be reached to provide these services for the branch.
Music on hold – Allows for music to be played from a previously loaded file for all calls that are placed on hold.
Policy-based routing – Allows calls to be routed through the media gateway instead of originating or terminating in the gateway.

New Interface Modules
New interface modules are available for the SRX210 and SRX240 Services Gateways with Integrated Convergence Services and cannot be used in standalone mode:

4-Port FXO Mini-Physical Interface Module
2-Port FXS/2-Port FXO Mini-Physical Interface Module

Additionally, a G.SHDSL Mini-Physical Interface Module is now available for the SRX210 and SRX240 Services Gateways.

AX411 Access Point
The AX411 Access Point provides network access for wireless clients equipped with a Wi-Fi adapter and drivers, supporting the IEEE 802.11n wireless networking standard with backward compatibility for IEEE 802.11a/b/g standards. Configure and manage the AX411 Access Point from an SRX210, SRX240, or SRX650 device.

General Packet Radio Service (GPRS)
GPRS networks connect to several external networks including those of roaming partners, corporate customers, GPRS Roaming Exchange (GRX) providers, and the public Internet. GPRS network operators face the challenge of protecting their network while providing and controlling access to and from these external networks. A broad set of GPRS features is supported on SRX3400, SRX3600, SRX5600, and SRX5800 devices providing solutions to security issues.

New Unified Threat Management (UTM) Features
The following new UTM features are available in Junos 10.0:

Juniper local Web filtering – Enables the firewall to intercept every HTTP request in a TCP connection and extract the URL for categorization. Support for this feature is available on the SRX100, SRX210, SRX240, SRX650, and J Series devices.
UTM WELF support – Allows the sending of log file information in the WebTrends Enhanced Log file Format (WELF). Support for this feature is available on the SRX100, SRX210, SRX240, and SRX650 devices.

IDP AppDDoS Protection
The SRX3400, SRX3600, SRX5600, and SRX5800 devices now support IDP AppDDoS protection. While from an L3 and L4 perspective, application DDoS attacks might appear as legitimate transactions, this feature uses application-level metrics to differentiate between good and bad application requests and thereby take action.

New Application Layer Gateways (ALGs)
The SRX3400, SRX3600, SRX5600, and SRX5800 now support the following Application Layer Gateways (ALGs):

PPTP ALG - Point-to-Point Tunneling Protocol (PPTP) is a Layer 2 protocol that tunnels PPP data across TCP/IP networks.
RSH ALG - The Remote Shell (RSH) ALG handles TCP packets destined for port 514 and processes the RSH port command.
RTSP ALG - The Real-Time Streaming Protocol (RTSP) ALG is a network control protocol to control streaming media servers.
TALK ALG - The TALK protocol uses UDP port 517 and port 518 for control channel connections. The talk program consists of a server and a client.

These ALGs also have existing support on the SRX100, SRX210, SRX240, and J Series devices.

Dual Control Links
This feature is supported on SRX5600 and SRX5800 devices to connect two control links between each device in a cluster, effectively reducing the chance of control link failure. This functionality requires a second Routing Engine to be installed on each device in the cluster, as well as a second Switch Control Board (SCB) to house the Routing Engine for the SRX5000 line. Having two control links helps to avoid a single point of failure by reducing the number of disabled cases that are caused by control link failure.

Persistent NAT
This feature is now supported on SRX3400, SRX3600, SRX5600, and SRX5800 devices in addition to existing support on the other SRX Series devices. (NOTE: Persistent NAT is sometimes referred to as cone NAT. The term cone NAT has been replaced by persistent NAT by the IETF).

Hot Swap of Uplink Modules
The uplink modules in EX3200 and EX4200 switches can now be removed and replaced without powering off the switch or disrupting switch functions. The switch detects the newly installed uplink module or new transceivers and creates the required interfaces.

New Optical Transceivers
The SFP uplink module in EX3200 and EX4200 switches now support two new optical transceivers:

EX-SFP-1FE-LX40K (100Base-LX40K, 40 km)
EX-SFP-1FE-LH (100Base-LH/100Base-ZX, 80 km)

The EX8200 now supports SFP+ Direct Attached Copper (DAC) for 10GbE connectivity

EX-SFP-10GE-DAC-1M
EX-SFP-10GE-DAC-3M
EX-SFP-10GE-DAC-7M

Multiple VLAN Registration Protocol (MVRP)
Multiple VLAN Registration Protocol (MVRP) is now available in EX Series switches to manage dynamic VLAN registration in a LAN. MVRP is an application protocol of the Multiple Registration Protocol (MRP) and is defined in the IEEE 802.1ak standard.

VLAN ID Translation
VLAN ID translation maps traffic with different VLAN ID tags to a single VLAN in EX Series switches. With this feature the old VLAN tag is swapped for the new VLAN tag. VLAN ID translation is useful whenever traffic that requires identical treatment from multiple networks is traversing access interfaces on an EX Series switch.

Layer 2 Protocol Tunneling
The EX Series switches support Layer 2 protocol tunneling (L2PT). The switches can send Layer 2 protocol data units (PDUs) across a service provider network and deliver them to switches that are not part of the local broadcast domain.

Interface Ranges
The interface-range configuration statement helps group interfaces of the same type that share a common configuration profile, thus reducing the time and effort required to configure interfaces on EX Series switches. The configurations common to all the interfaces can be included in the interface-range definition.

Firewall Filters on Aggregated Ethernet Interfaces
EX8200 switches now support firewall filters on Layer 2 and Layer 3 aggregated Ethernet interfaces. On aggregated Ethernet interfaces, firewall filters are supported on the following bind points:

Ingress-ports and router interfaces
Egress-ports and router interfaces

Dynamic TCAM
On EX3200 and EX4200 switches, the TCAM memory usage limits set for specific types of firewall filters (such as firewall filters applied to ports, VLANs, or router interfaces) have been removed. TCAM memory is now allocated dynamically to firewall filters as they are configured, regardless of their type.

Proxy ARP
On EX Series switches, proxy ARP can now be configured in restricted mode (in addition to the default mode of unrestricted). When an interface is set to restricted proxy ARP mode, it does not proxy for hosts on the same subnet. Also, now when you configure proxy ARP on an interface, it is set on that interface only and is not set globally.