Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Navigation  Back up to About Overview 
[+] Expand All
[-] Collapse All

New and Changed Features

This section describes the new features and enhancements to existing features in Junos OS Release 14.2R8 for the EX Series.

Note: The following EX Series platforms are supported in Junos OS Release 14.2R8: EX9200.


  • New line cards for EX9200 switches—EX9200 switches support two new line cards. These line cards interoperate with all existing line cards for EX9200 switches:
    • EX9200-6QS—6 40-Gigabit Ethernet QSFP+ ports that support 40GBASE-LR4 and 40GBASE-SR4 transceivers and 24 10-Gigabit Ethernet SFP+ ports that support 10GBASE-SR, 10GBASE-LR, 10GBASE-ER, and 10GBASE-ZR transceivers.
    • EX9200-40F-M—40 MACsec-capable 1-Gigabit Ethernet SFP ports that support 1000BASE-T, 10/100/1000BASE-T, 100BASE-FX, 1000BASE-EX, 1000BASE-LH, 1000BASE-LX, and 1000BASE-SX transceivers.

Authentication and Access Control

  • Access control (EX9200)—Starting with Junos OS Release 14.2, EX9200 switches support controlling access to your network by using several different authentication methods: 802.1X authentication, MAC RADIUS authentication, or captive portal. You now enable the authentication-whitelist statement at the [edit switching-options] hierarchy level instead of at the [edit ethernet-switching-options] hierarchy level.

    [See Access Control on EX9200 Switches.]

Bridging and Learning

  • Support for PVLANs (EX9200)—Starting with Junos OS Release 14.2, EX9200 switches support private VLANs. Private VLANs are useful for restricting the flow of broadcast and unknown unicast traffic and for limiting communication between known hosts. Private VLANs help ensure the security of service providers sharing a server farm, or to provide security to subscribers of various service providers sharing a common metropolitan area network.

    Note: An interface can belong to only one private VLAN domain.

    [See Understanding Private VLANs on EX Series Switches.]

Class of Service

  • Layer 2 class of service (CoS) support (EX9200)—Starting with Junos OS Release 14.2R1, EX9200 switches support the following Layer 2 CoS features: DSCP IPv4 and DSCP IPv6 rewrite on Layer 2 access and trunk ports, inet-precedence rewrite on Layer 2 access and trunk ports, IEEE 802.1p rewrite on access ports, and IEEE 802.1p classifiers on access ports. The rewrite feature enables you to change the code point bits of packets when they egress the switch. Classification groups packets into forwarding classes at the ingress interface, based on the IEEE 802.1p code point in the Ethernet frame header. (Classification can also use DSCP IPv4 or DSCP IPv6 code points. You can configure both an IEEE 802.1p classifier and a DSCP classifier on the same port.) You can configure the new Layer 2 CoS support features at the [edit class-of-service rewrite-rules] and the [edit class-of-service classifier] hierarchy levels.

    [See Rewriting Packet Headers to Ensure Forwarding Behavior and Understanding How Behavior Aggregate Classifiers Prioritize Trusted Traffic.]

Interfaces and Chassis

  • Configuration support to improve MC-LAG Layer 2 and Layer 3 convergence (EX9200)—Starting with Junos OS Release 14.2R3, you can configure multichassis link aggregation (MC-LAG) interfaces on EX9200 switches to improve Layer 2 and Layer 3 convergence times to subsecond values when an MC-AE link goes down or comes up in a VLAN. To use this feature, ensure that the interchassis link (ICL) is configured on an aggregated Ethernet interface.

    For Layer 2 convergence, configure the enhanced-convergence statement on an aggregated Ethernet interface at the [edit interfaces aex aggregated-ether-options mc-ae] hierarchy level. For Layer 3 convergence, configure the enhanced-convergence statement on an integrated routing and bridging (IRB) interface at the [edit interfaces irb unit unit-number] hierarchy level.


  • YANG module that defines the Junos OS configuration hierarchy (EX9200)—Starting with Junos OS Release 14.2, Juniper Networks provides a YANG module, which defines the Junos OS configuration hierarchy. You can download the YANG module that defines the complete Junos OS configuration hierarchy for all devices running a particular Junos OS release from the Juniper Networks website at You can also generate a YANG module that defines the device-specific configuration hierarchy by using the show system schema module configuration format yang operational mode command on the local device. The Juniper Networks YANG module, configuration, is bound to the namespace URI and uses the prefix jc.

    [See Understanding YANG on Devices Running Junos OS.]

Network Management and Monitoring

  • Enhancements to SNMP statistics operational mode commands (EX9200)—Starting with Junos OS Release 14.2, you can use the show snmp stats-response-statistics command to view information about SNMP statistics responses sent from the Packet Forwarding Engine during the MIB II process (mib2d). In addition, you can use the subagents option in the show snmp statistics command to view the statistics of the protocol data units (PDUs) and the number of SNMP requests and responses per subagent. You can also use the subagents option to view the SNMP statistics received from each subagent on each logical system.

    [See show snmp stats-response-time and show snmp statistics.]

Open vSwitch Database Management Protocol (OVSDB)

  • OVSDB support (EX9200)—Starting with Junos OS Release 14.2, the Junos OS implementation of the Open vSwitch Database (OVSDB) management protocol provides a means by which VMware NSX controllers and EX9200 switches that support OVSDB can communicate. In an NSX multi-hypervisor environment, NSX controllers and EX9200 switches can exchange control and statistical information, thereby enabling virtual machine (VM) traffic from entities in a virtual network to be forwarded to entities in a physical network and the reverse.

    [See Understanding the Open vSwitch Database Management Protocol Running on Juniper Networks Devices and Product Compatibility.]

  • OVSDB schema update (EX9200)—Starting with Junos OS Release 14.2R4, the OVSDB schema for physical devices version that is implemented on the EX9200 switch is version 1.3.0. In addition, the schema now supports the multicast MACs local table.

    [See Open vSwitch Database Schema For Physical Devices.]


  • Support for OpenFlow v1.3.1 (EX9200)—Starting with Junos OS Release 14.2, EX9200 switches support OpenFlow v1.3.1 in addition to the OpenFlow v1.0 functionality that is already supported on EX9200 switches. OpenFlow v1.3.1 enables the action specified in one or more flow entries to direct packets to a base action called a group. The purpose of the group action is to further process these packets and assign a more specific forwarding action to them. You can use the show openflow groups command to view groups that were added, modified, or deleted from the group table by the OpenFlow controller. You can view group statistics using the show openflow statistics groups command.

    [See Understanding How the OpenFlow Group Action Works.]

Port Security

  • IPv6 access security (EX9200)—Starting with Junos OS Release 14.2, IPv6 access security, with the following features, is supported on EX9200 switches: DHCPv6 snooping, IPv6 neighbor discovery inspection, IPv6 source guard, and RA guard. DHCPv6 snooping enables a switch to process DHCPv6 messages between a client and a server and build a database of the IPv6 addresses assigned to the DHCPv6 clients. The switch can use this database, also known as the binding table, to stop malicious traffic. The EX9200 also supports DHCPv6 options to provide additional information in messages sent by the client to the server. This information can be used by the server to assign addresses and configuration parameters to the client. The following options are supported:
    • Option 14, also known as Rapid Commit. When Rapid Commit is enabled, the DHCPv6 server and client use a two-message exchange (Solicit and Reply) to configure clients, rather than the default four-message exchange (Solicit, Advertise, Request, and Reply).
    • Option 16, also known as the Vendor-Class option, is used to transmit information about the vendor of the hardware on which the client is hosted.
    • Option 18, also known as the Interface-ID option, is used to transmit information about the port on which the DHCPv6 request was received from the client.
    • Option 37, also known as the Remote-ID option, is used to transmit information about the remote host.

    IPv6 neighbor discovery inspection analyzes neighbor discovery messages and Router Advertisement (RA) messages sent from IPv6 nodes on the same link, and verifies them against the DHCPv6 binding table. IPv6 source guard inspects all IPv6 traffic from the client and verifies the source IPv6 address and source MAC address against the entries in the DHCPv6 binding table. If no match is found, the traffic is dropped. You configure DHCPv6 snooping, DHCPv6 options, IPv6 neighbor discovery Inspection, and IPv6 source guard at the [edit vlans vlan-name forwarding-options dhcp-security] hierarchy level.

    [See Understanding Port Security.]

  • Unknown unicast forwarding (EX9200)—Unknown unicast traffic consists of unicast packets with unknown destination MAC addresses. By default, the switch floods these unicast packets that traverse a VLAN to all interfaces that are members of the VLAN. This type of traffic forwarding can create unnecessary traffic that leads to poor network performance or even a complete loss of network service. This is known as a traffic storm.

    To prevent a storm, you can disable the flooding of unknown unicast packets to all VLAN interfaces by configuring one VLAN or all VLANs to forward all unknown unicast traffic to a specific interface. This channels the unknown unicast traffic to a single interface.

    Configure unknown unicast forwarding at these hierarchy levels:

    • [edit vlans vlan-name forwarding-options flood input uuf-filter-name]
    • [edit forwarding-options next-hop-group next-hop-group-name group-type layer-2 interface interface-name]
    • [edit firewall family ethernet-switching filter uuf-filter-name term term-name from traffic-type unknown-unicast]
    • [edit firewall family ethernet-switching filter uuf-filter-name term term-name then next-hop-group next-hop-group-name]

    [See Understanding Unknown Unicast Forwarding.]

Routing Policy and Firewall Filters

  • Firewall filter match condition support (EX9200)—Starting with Junos OS Release 14.2R1, EX9200 switches support the following match conditions in a family-ethernet-switching filter for IPv6 traffic: destination-address, destination-prefix-list, source-address, source-prefix-list, icmp-type, icmp-code, next-header, source-port, destination-port, tcp-flags, tcp-initial, tcp-established, and traffic-class. You can configure these match conditions at the [edit firewall family ethernet-switching filter filter-name term term-name from] hierarchy level.

    [See Firewall Filters for EX9200 Switches.]

  • Support for firewall filter flexible match conditions (EX9200)—Starting with Junos OS Release 14.2R7, EX9200 switches support flexible match conditions under family ethernet-switching for firewall filters. Standard firewall filter match conditions vary based on the protocol family of the traffic being matched. The fields available for matching within each protocol family are fixed or predefined. This means that filters can match on patterns within those predefined fields only. Using flexible match conditions, you can construct flexible match filter terms that start the match at Layer 2, Layer 3, Layer 4, or payload locations. You can enable further pattern matches at user-defined custom locations within a packet by specifying additional offset criteria.

    Flexible match filter terms are applied to interfaces as either input or output filters just as any other firewall filter terms. Flexible match filter terms can also be created as templates at the [edit firewall] hierarchy level. These templates can then be referenced within a flexible match term.

    [See Firewall Filters Match Conditions.]

Software Installation and Upgrade

  • Support for unified-in-service software upgrade on 10-Gigabit Ethernet, 40-Gigabit Ethernet, and 100-Gigabit Ethernet line cards (EX9200)—Starting with Junos OS Release 14.2, unified-in-service software upgrade (unified ISSU) is supported on EX9200 switches on 10-Gigabit Ethernet, 40-Gigabit Ethernet, and 100-Gigabit Ethernet line cards. Unified ISSU is a process to upgrade Junos OS with minimal disruption of transit traffic and no disruption of the control plane. This process is for upgrading Junos OS from an earlier release to a later one. After the unified ISSU completes, the new upgrade works identically to one performed through a cold boot.

    Configure unified ISSU with the request system software in-service-upgrade command.

    [See Unified ISSU System Requirements.]

User Interface and Configuration

  • Enhancement to reduce the time taken for performing system commit (EX9200)—Starting with Junos OS Release 14.2, you can configure the delta-export statement at the [edit system commit] hierarchy level to reduce the time taken to commit configuration changes.

    [See commit (system) and delta-export.]


  • EVPN (EX9200)—Starting with Junos OS Release 14.2, an Ethernet virtual private network (EVPN) is made up of a set of CE devices that are connected to PE devices or MPLS edge switches (MES) that make up the edge of the MPLS network. The CE devices can be routers or switches. The MESs provide Layer 2 virtual bridge connectivity between the CE devices. You can deploy multiple EVPNs in the provider's network. In an EVPN, learning between MESs takes place in the control plane by using BGP rather than in the data plane (as is the case with traditional bridging). EVPNs can be used to provide connectivity between data centers spanning metro area networks (MANs) and wide area networks (WANs).

    [See EVPN Overview for Switches.]


  • VXLAN gateway support (EX9200)—Starting with Junos OS Release 14.2, EX9200 switches support Virtual Extensible LAN (VXLAN) gateways. Each VXLAN gateway supports the following functionalities:
    • 32,000 VXLANs (with one VXLAN per bridge domain)
    • 8000 virtual tunnel endpoints (VTEPs)
    • 32,000 multicast groups
    • Switching functionality with traditional Layer 2 networks and VPLS networks
    • Inter-VXLAN routing and VXLAN-only bridging
    • Virtual switches
    • Virtual routing instances
    • Configurable load balancing
    • Statistics for remote VTEPs

    [See Understanding VXLANs.]

Modified: 2017-12-12