New and Changed Features
This section describes the new features and enhancements to existing features in Junos OS Release 15.1R7 for the EX Series.
The following EX Series platforms are supported in Junos OS Release 15.1R7: EX3300, EX4200, EX4300, EX4500, EX4550, EX4600, EX6200, EX8200, and EX9200.
A new J-Web distribution model was introduced in Junos OS Release 14.1X53-D10, and the same model is supported in Junos OS Release 15.1R1 and later. The model provides two packages:
The J-Web Platform package—Installed as part of Junos OS; provides basic functionalities of J-Web.
The J-Web Application package—Optionally installable package; provides complete functionalities of J-Web.
The J-Web Platform package is included in the EX2200, EX3300, EX4200, EX4300, EX4500, EX4550, and EX6200 Junos OS Release 15.1R1 install images.
For details about the J-Web distribution model, see Release Notes: J-Web Application Package Release 15.1A3 for Juniper Networks EX Series Ethernet Switches.
EX9200-MPC line card for EX9200 switches—Starting with Junos OS Release 15.1R3, EX9200 switches support the new EX9200-MPC line card. It is a modular line card that has two slots on the faceplate in which you can install any of the following modular interface cards (MICs):
EX9200-10XS-MIC: It has 10 10-Gigabit Ethernet small form-factor pluggable plus (SFP+) ports, which can house SFP+ transceivers. These ports support 10GBASE-SR, 10GBASE-LR, 10GBASE-ER, and 10GBASE-ZR transceivers.
EX9200-20F-MIC: It has 20 1-Gigabit Ethernet small form-factor pluggable (SFP) ports with Media Access Control Security (MACsec) capability, each of which can house 1-gigabit SFP transceivers. These ports support 1000BASE-T, 1000BASE-SX, 100BASE-FX, 1000BASE-LX, 1000BASE-BX-U, 1000BASE-BX-D, 100BASE-BX-U, 100BASE-BX-D, and 1000BASE-LH transceivers.
EX9200-40T-MIC: It has 40 RJ-45 ports.
You can install the MICs in the following configurations:
One EX9200-10XS-MIC and one EX9200-20F-MIC
You can transmit up to 130 gigabits of traffic through the line card without a packet drop.
New optical transceiver support—Starting with Junos OS Release 15.1R3, the 40-Gigabit Ethernet quad small form-factor pluggable plus (QSFP+) ports on EX9200-4QS and EX9200-6QS line cards for EX9200 switches support the transceiver JNP-QSFP-40G-LX4.
Authentication and Access Control
Central Web authentication (EX2200, EX3300, and EX4300)—Starting with Junos OS Release 15.1R3, you can configure central Web authentication to redirect Web browser requests to a login page that requires the user to input a username and password. Upon successful authentication, the user is allowed to access the network. The login process is handled by a central Web authentication server, which provides scaling benefits over local Web authentication, also known as captive portal.
Central Web authentication is useful for providing network access to temporary users, such as visitors to a corporate site, who are trying to access the network using devices that are not 802.1X-enabled. Web authentication can also be used as a fallback authentication method for regular network users who have 802.1X-enabled devices, but fail authentication because of other issues, such as expired network credentials.
RADIUS-initiated changes to an authorized user session (EX2200, EX3300, and EX4300)—Starting with Junos OS Release 15.1R3, EX2200, EX3300, and EX4300 switches support changes to an authorized user session that are initiated by the authentication server. The server can send the switch a Disconnect message to terminate the session, or a Change of Authorization (CoA) message to modify the session authorization attributes. CoA messages are typically used to change data filters or VLANs for an authenticated host.
Flexible authentication order (EX2200, EX3300, and EX4300)—Starting with Junos OS Release 15.1R3, you can configure the order of authentication methods that the switch will use to authenticate an end device. By default, the switch will first attempt to authenticate using 802.1X authentication, then MAC RADIUS authentication, and then captive portal. You can override the default order of authentication methods by configuring the authentication-order statement to specify that the switch use either 802.1X authentication or MAC RADIUS authentication first. Captive portal must always be last in the order of authentication methods.
RADIUS accounting interim updates (EX4300)—Starting with Junos OS Release 15.1R3, you can configure an EX4300 switch to send periodic updates for a user accounting session at a specified interval to the accounting server. Interim accounting updates are included in the exchange of messages between the client and the accounting server. In RADIUS accounting, the client sends Accounting-Request messages to the server, which acknowledges receipt of the requests with Accounting-Response messages. Interim accounting updates are sent in Accounting-Request messages with the Acct-Status-Type set to Interim-Update.
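The Accounting-Request described above, as an added example that is not taken from these release notes or from Junos OS: a collector-side check that decodes the packet, verifies its Request Authenticator, and reports whether Acct-Status-Type is Interim-Update. The function names, shared secret, and sample attribute values are constructed for illustration; the packet layout and attribute numbers follow RFC 2866 and RFC 2869.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4   # packet code, RFC 2866
ACCT_STATUS_TYPE = 40    # attribute type, RFC 2866
STATUS_NAMES = {1: "Start", 2: "Stop", 3: "Interim-Update"}


def build_accounting_request(ident, attrs, secret):
    """Encode an Accounting-Request from a list of (type, value-bytes)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    # Request Authenticator = MD5(header | 16 zero octets | attrs | secret)
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def parse_accounting_request(packet, secret):
    """Return (authenticator_ok, status_name, attrs) for one packet."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    body, attrs, pos = packet[20:], {}, 0
    while pos < len(body):
        if len(body) - pos < 2 or body[pos + 1] < 2 \
                or pos + body[pos + 1] > len(body):
            raise ValueError("bad attribute length")
        alen = body[pos + 1]
        attrs.setdefault(body[pos], []).append(body[pos + 2:pos + alen])
        pos += alen
    expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
    status = None
    raw = attrs.get(ACCT_STATUS_TYPE, [b""])[0]
    if len(raw) == 4:
        value = struct.unpack("!I", raw)[0]
        status = STATUS_NAMES.get(value, str(value))
    return hmac.compare_digest(expected, packet[4:20]), status, attrs


# Constructed sample values; the secret and user name are placeholders.
SECRET = b"example-shared-secret"
SAMPLE_ATTRS = [
    (1, b"visitor01"),                          # User-Name
    (ACCT_STATUS_TYPE, struct.pack("!I", 3)),   # Interim-Update
    (44, b"sess-0001"),                         # Acct-Session-Id
    (46, struct.pack("!I", 600)),               # Acct-Session-Time, seconds
]
SAMPLE_PACKET = build_accounting_request(7, SAMPLE_ATTRS, SECRET)

if __name__ == "__main__":
    print(parse_accounting_request(SAMPLE_PACKET, SECRET)[:2])
```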
Support for multiple terms in a filter sent from the RADIUS server (EX4300)—Starting with Junos OS Release 15.1R3, you can use RADIUS server attributes to implement dynamic firewall filters with multiple terms on a RADIUS authentication server. These filters can be dynamically applied on all switches that authenticate supplicants through that server, eliminating the need to configure the same filter on multiple switches. You can define the filters directly on the server by using the Juniper-Switching-Filter attribute, which is a RADIUS attribute specific to Juniper Networks, also known as a vendor-specific attribute (VSA). Filter terms are configured using one or more match conditions and a resulting action.
EAP-PAP protocol support for MAC RADIUS authentication (EX2200, EX3300, and EX4300)—Starting with Junos OS Release 15.1R3, you can configure the switch to use the Password Authentication Protocol (PAP) when authenticating clients with the MAC RADIUS authentication method. PAP transmits plaintext passwords over the network without encryption. It is required for use with LDAP (Lightweight Directory Access Protocol), which supports plaintext passwords for client authentication. This feature is configured by using the authentication-protocol CLI statement at the [edit protocols dot1x authenticator interface interface-name mac-radius] hierarchy level.
Interfaces and Chassis
Half-duplex link support (EX4300 switches)—Starting with Junos OS 15.1R4, half-duplex communication is supported on all built-in network copper ports on EX4300 switches. Full-duplex communication means that both ends of the communication can send and receive signals at the same time. Half-duplex is also bidirectional communication, but signals can flow in only one direction at a time. Half-duplex is configured by default on EX4300 switches. If the link partner is set to autonegotiate the link, then the link is autonegotiated to full duplex or half duplex. If the link is not set to autonegotiation, then the EX4300 link defaults to half-duplex unless the interface is explicitly configured for full duplex.
To explicitly configure full duplex:
user@switch# set interfaces interface-name speed 10m-or-100m
user@switch# set interfaces interface-name ether-options no-auto-negotiate
To verify a half-duplex setting, issue one of:
user@switch> show interfaces interface-name media
user@switch> show interfaces interface-name extensive
To query the OID:
user@switch> show snmp mib get dot3StatsDuplexStatus.SNMP-ifIndex
[See Documentation Updates.]
LACP minimum link support on LAGs (EX9200 switches)—Starting with Junos OS Release 15.1R3, LACP minimum link support is added to the existing minimum link feature. The minimum-link configuration specifies that a required minimum bandwidth is provided for LAG interfaces. When there are not enough active links to provide this minimum bandwidth for a LAG interface, the LAG interface is brought down. The LACP minimum-link feature enhances the existing minimum-link feature by bringing down the LAG interface on the peer device as well as on the device on which you have configured minimum links. Before the LACP minimum link enhancement was made, if you configured the minimum link feature on one device but could not or had not configured it on the peer device, traffic would exit the LAG interface on the peer device, although it would be dropped at the destination, because the LAG interface on the peer was not brought down. LACP minimum link is enabled by default when you configure minimum links.
Support for MC-LAG on logical systems (EX9200 switches)—Starting with Junos OS Release 15.1, you can configure multichassis link aggregation (MC-LAG) interfaces on logical systems within an EX9200 switch. When you configure multichassis aggregated Ethernet interfaces on a logical system, ensure that these interfaces are added with the same multichassis aggregated Ethernet identification number and redundancy group identifier for the MC-LAG on both peers or devices that are connected by the MC-AE interfaces. Ensure that the Inter-Chassis Control Protocol (ICCP) to associate the routing or switching devices contained in a redundancy group is defined on both peers within the logical systems of the devices. Such a configuration ensures that all packets are transmitted using ICCP within the logical system network. The logical system information is added, and then removed, by the ICCP process to prevent each packet from containing the logical system details. This behavior enables multiple disjoint users to employ MC-LAG capabilities within their networks transparently and seamlessly. A unique ICCP definition for a logical system is created, thereby enabling you to wholly manage ICCP parameters on one logical system without the need for access permissions to view other logical system networks on the same device.
Configuration of MC-LAG interfaces on logical systems enables MC-LAG to be used across multiple routing tables and switch forwarding tables in active-active and active-standby modes of MC-LAG interfaces.
IPv6 support on multichassis aggregated Ethernet interfaces (EX9200 switches)—Starting with Junos OS Release 15.1, multichassis aggregated Ethernet interfaces on EX9200 switches support IPv6 and Neighbor Discovery Protocol (NDP). IPv6 neighbor discovery is a set of ICMPv6 messages that combine IPv4 messages such as ICMP redirect, ICMP router discovery, and ARP messages.
Junos OS XML API and Scripting
Support for replacing patterns in configuration data within NETCONF and Junos XML protocol sessions (EX Series)—Starting with Junos OS Release 15.1, you can replace variables and identifiers in the candidate configuration when you perform a <load-configuration> operation in a Junos XML protocol or NETCONF session. The replace-pattern attribute specifies the pattern to replace, the with attribute specifies the replacement pattern, and the optional upto attribute indicates the number of occurrences to replace. The scope of the replacement is determined by the placement of the attributes in the configuration data. The functionality of the attribute is identical to that of the replace pattern configuration mode command in the Junos OS CLI.
Support for YANG features, including configuration hierarchy must constraints published in YANG, and a module that defines Junos OS YANG extensions (EX Series)—Starting with Junos OS Release 15.1, the Juniper Networks configuration YANG module includes configuration constraints published using either the YANG must statement or the Junos OS YANG extension junos:must. Constraints that cannot be mapped directly to the YANG must statement, which include expressions containing special keywords or symbols such as __, and wildcard characters, are published using
junos-extension module contains definitions for Junos OS YANG extensions, including the
junos-extension module is bound to the namespace URI http://yang.juniper.net/yang/1.1/je and uses the prefix junos. You can download Juniper Networks YANG modules from the website, or you can generate the modules by using the show system schema operational mode command on your local device.
Support for enforcing RFC-compliant behavior in NETCONF sessions (EX Series)—Starting with Junos OS Release 15.1, you can require that the NETCONF server enforce certain behaviors during the NETCONF session by configuring the rfc-compliant statement at the [edit system services netconf] hierarchy level. If you configure the rfc-compliant statement, the NETCONF server explicitly declares the NETCONF namespace in its replies and qualifies all NETCONF tags with the
<get-config> operations that return no configuration data do not include an empty <configuration> element in RPC replies.
New command to display the MPLS label availability in RPD (EX Series)—Starting with Junos OS Release 15.1, a new show command, show mpls label usage, is introduced to display the available label space resource in RPD and also the applications that use the label space in RPD. Using this command, the administrator can monitor the available labels in each label space and the applications that are using the labels.
[See show mpls label usage.]
Network Management and Monitoring
MIB support for media attachment unit (MAU) information (EX2200, EX3300)—Starting with Junos OS Release 15.1R4, EX2200 and EX3300 switches support standard and enterprise-specific MIBs that allow users to gather information about MAUs connected to those switches. The switches populate the entityMIB (RFC 4133) and entityStateMIB (RFC 4268) standard SNMP MIBs, and a new MIB table, ifJnxMediaTable, which is part of the Juniper enterprise-specific Interface MIB extensions. The objects in ifJnxMediaTable represent MAU information such as media type, connector type, link mode, and link speed. Users can gather this information using the Junos OS CLI command show snmp mib or other remote SNMP MIB object access methods.
[See SNMP MIB Explorer.]
Media Access Control Security (MACsec) support (EX9200 switches)—Starting with Junos OS Release 15.1R1, MACsec is supported on all SFP interfaces on the EX9200-40F-M line card when it is installed in an EX9200 switch. MACsec is an industry-standard security technology that provides secure communication for all traffic on point-to-point Ethernet links. MACsec is capable of identifying and preventing most security threats, and can be used in combination with other security protocols to provide end-to-end network security. MACsec can only be enabled on domestic versions of Junos OS software. MACsec is standardized in IEEE 802.1AE.
MAC move limiting support (EX9200 switches)—Starting with Junos OS Release 15.1R1, MAC move limiting is supported on EX9200 switches. MAC move limiting provides port security by controlling the number of MAC address moves that are allowed in a VLAN in one second. When MAC move limiting is configured, the switch tracks MAC address movements on access and trunk interfaces. A MAC address move occurs when an interface on the switch receives a packet with a source MAC address that has already been learned by the switch, but on a different interface. If a MAC address moves more than the configured number of times within one second, you can configure an action to be taken on incoming packets with new source MAC addresses. The incoming packets can be dropped, logged, or ignored. You can also specify an action to shut down or temporarily disable the interfaces associated with that MAC address.
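The move-counting rule described above, as an added example that is not Junos OS code: a small model that learns source MAC addresses per VLAN, counts moves between interfaces in a one-second window, and reports when the configured limit is exceeded. The class and function names and the sample frames are constructed for illustration, and counting per (VLAN, MAC) pair is an assumption about how the limit is scoped.

```python
from collections import defaultdict, deque

WINDOW = 1.0  # seconds; the feature counts moves within one second


class MacMoveTracker:
    """Model of MAC move limiting (illustrative, not the Junos code)."""

    def __init__(self, limit):
        self.limit = limit                  # moves allowed per window
        self.learned = {}                   # (vlan, mac) -> interface
        self.moves = defaultdict(deque)     # (vlan, mac) -> move timestamps

    def observe(self, ts, vlan, mac, ifname):
        """Process one frame; return a violation record or None."""
        key = (vlan, mac.lower())
        previous = self.learned.get(key)
        self.learned[key] = ifname
        if previous is None or previous == ifname:
            return None                     # first learn, or same interface
        times = self.moves[key]
        times.append(ts)
        while ts - times[0] >= WINDOW:
            times.popleft()                 # expire moves outside the window
        if len(times) > self.limit:
            return {"ts": ts, "vlan": vlan, "mac": key[1],
                    "from": previous, "to": ifname, "moves": len(times)}
        return None


def find_violations(events, limit):
    """Run all events through one tracker and collect the violations."""
    tracker = MacMoveTracker(limit)
    hits = [tracker.observe(*event) for event in events]
    return [hit for hit in hits if hit is not None]


# Constructed sample: (seconds, VLAN, source MAC, ingress interface)
SAMPLE = [
    (0.00, "v10", "00:11:22:33:44:55", "ge-0/0/1"),  # learned
    (0.10, "v10", "00:11:22:33:44:55", "ge-0/0/2"),  # move 1
    (0.20, "v10", "00:11:22:33:44:55", "ge-0/0/1"),  # move 2
    (0.30, "v10", "00:11:22:33:44:55", "ge-0/0/2"),  # move 3, over limit 2
    (0.40, "v20", "00:11:22:33:44:55", "ge-0/0/3"),  # other VLAN: new learn
    (5.00, "v10", "aa:bb:cc:dd:ee:ff", "ge-0/0/4"),  # learned
    (7.00, "v10", "aa:bb:cc:dd:ee:ff", "ge-0/0/5"),  # one slow move
]

if __name__ == "__main__":
    for violation in find_violations(SAMPLE, limit=2):
        print(violation)
```

A record returned by `observe` marks the point at which a configured action (drop, log, ignore, or disabling the interface) would apply.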
Software Installation and Upgrade
Support for FreeBSD 10 kernel for Junos OS (EX9200 switches)—Starting with Junos OS Release 15.1, on EX9200 switches, FreeBSD 10 is the underlying OS for Junos OS instead of FreeBSD 6.1. This feature includes a simplified package naming system that drops the domestic and world-wide naming convention. Because installation restructures the file system, logs and configurations are lost unless precautions are taken. There are now Junos OS and OAM volumes, which provide the ability to boot from the OAM volume upon failures. Some system commands display a different output than on earlier releases and a few others are deprecated.
Configuration validation for image upgrade or downgrade (EX3300 switches and EX3300 Virtual Chassis)—Starting in Junos OS Release 15.1R7, EX3300 switches and EX3300 Virtual Chassis support configuration validation when upgrading or downgrading a Junos OS jinstall package. When you install a new version of Junos OS on the switch, the system validates that the existing configuration is compatible with the new image. Without the validation feature, configuration incompatibilities or insufficient memory to load the new image might cause the system to lose its current configuration or go offline. With the validation feature, if validation fails, the new image is not loaded, and an error message provides information about the failure. If you invoke validation from an image that does not support validation, the new image is loaded but validation does not occur. Validation is invoked when installing a new Junos OS version with the request system software add or request system software nonstop-upgrade command. Running the request system software validate command performs configuration validation without installing the new version.
Global configuration of spanning-tree protocols (EX Series)—Starting with Junos OS Release 15.1R1, global configuration of the spanning-tree protocols RSTP, MSTP, and VSTP is supported on EX Series switches with Enhanced Layer 2 Software (ELS) configuration style.
In earlier releases, ELS supported configuration of spanning-tree protocols on individual interfaces or on a range of interfaces. It did not support configuration of spanning-tree protocols on all interfaces or disabling spanning-tree protocols on specific interfaces.
Starting with Junos OS Release 15.1R1, CLI changes in ELS provide the options of configuring spanning-tree protocols on all interfaces, disabling the configuration for individual interfaces, and configuring VSTP on all VLANs or on a VLAN group.