New and Changed Features


This section describes the new features and enhancements to existing features in the Junos OS main release and the maintenance releases for Junos Fusion Enterprise.


For more information about the Junos Fusion Enterprise features, see the Junos Fusion Enterprise Feature Guide.

Release 17.1R2 New and Changed Features

There are no new features or enhancements to existing features for Junos Fusion Enterprise in Junos OS Release 17.1R2.

Release 17.1R1 New and Changed Features


  • Satellite device support (EX2300 and EX3400)—Starting with Junos OS Release 17.1R1, you can configure EX2300 and EX3400 switches as satellite devices in a Junos Fusion Enterprise topology. The satellite device in a Junos Fusion topology is managed and configured by the aggregation device. Junos Fusion Enterprise uses EX9200 switches in the aggregation device role.

    [See Junos Fusion Enterprise Overview.]

Authentication, Authorization, and Accounting (AAA) (RADIUS)

  • Authentication and access control features (Junos Fusion Enterprise)—Starting with Junos OS Release 17.1R1, Junos Fusion Enterprise supports controlling access to the network by using the following features:

    • 802.1X authentication

    • MAC RADIUS authentication

    • Server-fail fallback

    • TACACS+ authentication

    • Central Web authentication

    • RADIUS-initiated changes to an authorized user session (RFC 3576)

    • Flexible authentication order

    • RADIUS accounting interim updates

    • Dynamic filtering with multiple filter terms using VSAs

    • EAP-PAP protocol support for MAC RADIUS authentication

    • RADIUS accounting attributes Client-system-Name, Framed-MTU, Session-timeout, Acct-authentic, Nas-port-ID, and Filter-ID

    [See Understanding Authentication on Switches.]

Class of Service (CoS)

  • Class of Service support (Junos Fusion Enterprise)—Starting with Junos OS Release 17.1R1, Junos Fusion Enterprise supports the standard Junos CoS features and operational commands. Each extended port on a satellite device is a logical extension to the aggregation device. Therefore, the default CoS policy on the aggregation device applies to each extended port. An EX9200 aggregation device supports the following CoS features for each extended port:

    • BA classifier

    • Multifield classifier

    • Input and output policer

    • Egress rewrite

    The satellite devices support the following CoS features for each extended port:

    • BA classifier

    • Queuing and scheduling

    A cascade port is a physical interface on an aggregation device that provides a connection between the aggregation device and a satellite device. Port scheduling is supported on cascade ports. Junos Fusion Enterprise reserves a separate set of queues with minimum bandwidth guarantees for in-band management traffic to protect it against congestion caused by data traffic.

    [See Understanding CoS in Junos Fusion Enterprise.]

Layer 2 Features

  • Support for Layer 2 Features (Junos Fusion Enterprise)—Starting in Junos OS Release 17.1R1, the following features are supported:

    • Storm control—Monitor traffic levels and take a specified action when a defined traffic level (called the storm control level) is exceeded, preventing packets from proliferating and degrading service. You can configure the switch to drop broadcast and unknown unicast packets, shut down interfaces, or temporarily disable interfaces when a traffic storm occurs. [See Understanding Storm Control for Managing Traffic Levels on Switching Devices.]

    • Persistent MAC learning (Sticky MAC)—Configure persistent MAC addresses (also called sticky MAC addresses) to help restrict access to an access port by identifying the MAC addresses of workstations that are allowed access to a given port. Secure access to these workstations is retained even if the switch is restarted. [See Understanding Persistent MAC Learning (Sticky MAC).]

    • MAC limiting—Configure MAC limiting on an interface or a VLAN, and specify the action to take on the next packet the interface or the VLAN receives after the limit is reached. Limiting the number of MAC addresses protects the switch from flooding the Ethernet switching table (also known as the MAC forwarding table or Layer 2 forwarding table). [See MAC Limiting.]

    • Loop detection on extended ports—Enable downstream loop detection on the satellite device to prevent accidental loops caused by miswiring or misconfiguration on the extended ports.

  • Support for MAC/PHY features on Junos Fusion Enterprise—Starting with Junos OS Release 17.1R1, the following MAC/PHY features are supported on Junos Fusion Enterprise:

    • Digital optical monitoring (DOM)—You can run the show interfaces diagnostics optics interface-name command to display the DOM information. The information includes diagnostics data and alarms for Gigabit Ethernet optical transceivers.

    • Energy Efficient Ethernet (EEE)—EEE reduces the power consumption of physical layer devices during periods of low link utilization. EEE saves energy by putting part of the transmission circuit into low power mode when a link is idle. You can run the set interfaces interface-name ether-options ieee-802-3az-eee command at the [edit] hierarchy level to enable energy efficiency at the Ethernet ports. You can view the EEE status by using the show interfaces interface-name detail command. By default, EEE is disabled on EEE-capable ports.

    • Jumbo frames—You can configure jumbo frames by using the set interfaces interface-name mtu 9216 command at the [edit] hierarchy level.

    • Medium-dependent Interface (MDI)—By default, the auto MDI/MDI-X feature is enabled on Junos Fusion Enterprise. This feature eliminates the need for a crossover cable to connect the LAN port to a port on another device, because the crossover function is automatically enabled when required.


  • Support for multicast traffic forwarding (Junos Fusion Enterprise)—Starting with Junos OS Release 17.1R1, multicast traffic forwarding is supported in Junos Fusion Enterprise. Multicast replication is supported only on the aggregation device. The aggregation device performs ingress multicast replication to a set of extended ports. On the satellite device, multicast traffic is received for each of the extended ports. The following scenarios are supported for both IPv4 and IPv6 traffic: Layer 2 multicast with VLAN flooding and Layer 3 multicast.

    [See Understanding Multicast Forwarding on a Junos Fusion Enterprise.]

Network Management and Monitoring

  • Network monitoring and analysis (Junos Fusion Enterprise)—Starting with Junos OS Release 17.1R1, sFlow monitoring and port mirroring and analyzers are supported in Junos Fusion Enterprise:

    • sFlow technology, which is a monitoring technology for high-speed switched or routed networks, randomly samples network packets and sends the samples to a monitoring station. You can configure sFlow technology to continuously monitor traffic at wire speed on all interfaces simultaneously.

    • Port mirroring and analyzers facilitate analyzing traffic on switches at the packet level. You configure port mirroring on a switch to send copies of unicast traffic to an output destination such as an interface, a routing instance, or a VLAN. You can configure an analyzer to define both the input traffic and output traffic in the same analyzer configuration. The input traffic to be analyzed can be traffic that enters or exits an interface, or traffic that enters a VLAN.

    [See Understanding sFlow Technology on a Junos Fusion Enterprise and Understanding Port Mirroring Analyzers on a Junos Fusion Enterprise.]

Port Security

  • Media Access Control Security (MACsec) support on extended ports (Junos Fusion Enterprise)—Starting with Junos OS Release 17.1R1, MACsec is supported on extended ports in a Junos Fusion Enterprise topology. MACsec is an industry-standard security technology, defined in IEEE 802.1AE, that provides secure communication for all traffic on point-to-point Ethernet links. MACsec is capable of identifying and preventing most security threats and can be used in combination with other security protocols to provide end-to-end network security. Enabling MACsec on extended ports in a Junos Fusion Enterprise topology provides secure communication between the satellite device and connected hosts.

    [See Understanding Media Access Control Security (MACsec).]

  • Access security support (Junos Fusion Enterprise)—Starting with Junos OS Release 17.1R1, the following access security features are supported in Junos Fusion Enterprise:

    • DHCP snooping—DHCP snooping allows the switch to monitor and control DHCP messages received from untrusted devices connected to the switch. When DHCP snooping is enabled, the system snoops the DHCP messages to view DHCP lease information, which it uses to build and maintain a database of valid IP-address-to-MAC-address (IP-MAC) bindings called the DHCP snooping database. Clients on untrusted ports are allowed to access the network only if they are validated against the database.

    • DHCPv6 snooping—DHCP snooping for DHCPv6.

    • Dynamic ARP inspection (DAI)—DAI inspects Address Resolution Protocol (ARP) packets on the LAN and uses the information in the DHCP snooping database on the switch to validate ARP packets and to protect against ARP spoofing (also known as ARP poisoning or ARP cache poisoning). ARP requests and replies are compared against entries in the DHCP snooping database, and filtering decisions are made based on the results of those comparisons.

    • IP source guard—IP source guard prevents IP address spoofing by examining each packet sent from a host attached to an untrusted access interface on the switch. The IP address, MAC address, VLAN, and interface associated with the host are checked against entries stored in the DHCP snooping database. If the packet header does not match a valid entry in the DHCP snooping database, the packet is discarded.

    • IPv6 source guard—IP source guard for IPv6.

    • IPv6 neighbor discovery (ND) inspection—IPv6 ND inspection mitigates attacks based on Neighbor Discovery Protocol by inspecting neighbor discovery messages and verifying them against the DHCPv6 snooping table.

    [See Understanding Port Security Features to Protect the Access Ports on Your Device Against the Loss of Information and Productivity.]
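
The relationship between the DHCP snooping database, DAI, and IP source guard described above can be modeled in a few lines. This is an added illustration, not Junos code or Juniper's implementation: the class and method names, the interface names, and the addresses are constructed for the example, and bypassing checks on trusted ports is an assumption of the model.

```python
# Added illustration, not Junos code: a toy DHCP snooping binding table and
# the lookups that DAI and IP source guard perform against it.
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    port: str

class SnoopingDB:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)  # ports facing the legitimate DHCP server
        self.bindings = {}                 # (vlan, ip) -> Binding

    def on_dhcp_ack(self, ingress_port, vlan, ip, mac, client_port):
        """Record a lease only when the server's ACK arrived on a trusted port."""
        if ingress_port not in self.trusted:
            return False                   # server reply from an untrusted port is ignored
        self.bindings[(vlan, ip)] = Binding(ip, mac.lower(), vlan, client_port)
        return True

    def dai_permit(self, port, vlan, sender_ip, sender_mac):
        """DAI: the ARP sender IP/MAC pair must match a binding in that VLAN."""
        if port in self.trusted:           # assumption: trusted ports are not inspected
            return True
        b = self.bindings.get((vlan, sender_ip))
        return b is not None and b.mac == sender_mac.lower()

    def source_guard_permit(self, port, vlan, src_ip, src_mac):
        """IP source guard: IP, MAC, VLAN and interface must all match."""
        if port in self.trusted:
            return True
        b = self.bindings.get((vlan, src_ip))
        return b is not None and b.mac == src_mac.lower() and b.port == port

def demo():
    # Constructed sample data (documentation address ranges, made-up port names).
    db = SnoopingDB(trusted_ports={"ge-0/0/0"})
    host = ("192.0.2.10", "00:00:5e:00:53:0a")
    rogue_mac = "00:00:5e:00:53:ff"
    return {
        "rogue_server_learned": db.on_dhcp_ack("ge-100/0/5", 10, "192.0.2.66", rogue_mac, "ge-100/0/6"),
        "lease_learned": db.on_dhcp_ack("ge-0/0/0", 10, *host, "ge-100/0/1"),
        "arp_valid": db.dai_permit("ge-100/0/1", 10, *host),
        "arp_spoofed": db.dai_permit("ge-100/0/2", 10, "192.0.2.10", rogue_mac),
        "ip_moved_port": db.source_guard_permit("ge-100/0/2", 10, *host),
        "ip_wrong_vlan": db.source_guard_permit("ge-100/0/1", 20, *host),
    }
```

Because both checks depend on the same table, a binding that is missing or stale (for example, a statically addressed host that never completed a DHCP exchange) fails DAI and IP source guard alike.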