Important Features in Junos OS Release 20.3


For details on these features, go to the other chapters in this guide or click the link in the feature description below.

  • New Juniper Secure Connect for SRX Series and vSRX Next-Generation Firewalls—Starting in Junos OS Release 20.3R1, we introduce the Juniper Secure Connect application. Juniper Secure Connect is a client-based SSL-VPN application that allows you to securely connect and access protected resources on your network. This application, when combined with SRX Series Services Gateways, helps organizations quickly achieve dynamic, flexible, and adaptable connectivity from devices anywhere across the globe. Juniper Secure Connect extends visibility and enforcement from client to cloud using secure VPN connections.

    [See Juniper Secure Connect.]

  • Probe command to query the status of the probed interfaces (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—Starting in Junos OS Release 20.3R1, you can use the probe command to query the status of the probed interface. The proxy interface resides on the same node as the probed interface, or it can reside on a node to which the probed interface is directly connected.

    The probe command captures interface details, such as system statistics and interface state (active/inactive), regardless of whether the network family address configured on the probed interfaces is IPv4 or IPv6.

    To enable the probe command, configure the extended-echo statement under the [edit system] hierarchy.

    [See How to use the Probe command.]

  • Support for phone-home client (EX4300 Virtual Chassis)—Starting in Junos OS Release 20.3R1, the phone-home client (PHC) can securely provision a Virtual Chassis without requiring user interaction. You only need to:

    • Ensure that the Virtual Chassis members have the factory-default configuration.

    • Interconnect the member switches using dedicated or default-configured Virtual Chassis ports.

    • Connect the Virtual Chassis management port or any network port to the network.

    • Power on the Virtual Chassis members.

    PHC automatically starts up on the Virtual Chassis and connects to the phone-home server (PHS). The PHS responds with bootstrapping information, including the Virtual Chassis topology, software image, and configuration. PHC upgrades each Virtual Chassis member with the new image and applies the configuration, and the Virtual Chassis is ready to go.

    [See How to Provision a Virtual Chassis Using the Phone-Home Client.]

  • Support for TCP authentication option (TCP-AO) for BGP and LDP connections (MX Series and PTX Series)—Starting in Junos OS Release 20.3R1, you can use TCP-AO to authenticate TCP segments exchanged during BGP and LDP sessions. It supports both IPv4 and IPv6 traffic. TCP-AO provides a framework to support multiple stronger algorithms, such as HMAC-SHA1 and AES-128, to create its message digest. TCP-AO supports up to 64 keys that can be used for a BGP or an LDP session. You can configure a new key for a BGP or LDP session during its lifetime without causing any session flap. Each key becomes active based on its configured start time.

    In earlier releases, you could use only the TCP MD5 authentication method, which supports only the MD5 algorithm to create its message digest.

    [See TCP Authentication Option (TCP-AO).]
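
An added illustration of the key handling described above (not Juniper code and not the Junos implementation): a simplified Python model in which the sender uses the key whose start time was reached most recently and the receiver looks the key up by the ID carried in the segment, with the MAC built from the KDF_HMAC_SHA1 and HMAC-SHA-1-96 constructions of RFC 5926. The names Key, CHAIN, CONTEXT and SEGMENT and all values are constructed, and SEGMENT stands in for the full MAC input that RFC 5925 defines.

```python
import hashlib
import hmac
import socket
import struct
from dataclasses import dataclass
from datetime import datetime, timezone

MAX_KEYS = 64  # per-session key limit stated in the release note

@dataclass(frozen=True)
class Key:
    key_id: int
    secret: bytes
    start: datetime

def active_key(chain, now):
    """Sender side: the key whose start time is the latest one already reached."""
    if len(chain) > MAX_KEYS:
        raise ValueError("TCP-AO allows at most 64 keys per session")
    started = [k for k in chain if k.start <= now]
    if not started:
        raise LookupError("no key has reached its start time")
    return max(started, key=lambda k: k.start)

def traffic_key(master, context):
    """RFC 5926 KDF_HMAC_SHA1: HMAC-SHA1(master, i || "TCP-AO" || context || length)."""
    data = b"\x01" + b"TCP-AO" + context + struct.pack("!H", 160)
    return hmac.new(master, data, hashlib.sha1).digest()

def segment_mac(key, context, segment):
    """HMAC-SHA-1-96: HMAC-SHA1 under the traffic key, truncated to 12 bytes."""
    return hmac.new(traffic_key(key.secret, context), segment, hashlib.sha1).digest()[:12]

def verify(chain, key_id, context, segment, mac):
    """Receiver side: look the key up by the ID carried in the segment."""
    key = next((k for k in chain if k.key_id == key_id), None)
    return key is not None and hmac.compare_digest(segment_mac(key, context, segment), mac)

# Constructed sample data: two keys, a BGP connection context, stand-in segment bytes.
UTC = timezone.utc
CHAIN = [Key(1, b"old-secret", datetime(2020, 9, 1, tzinfo=UTC)),
         Key(2, b"new-secret", datetime(2020, 10, 1, tzinfo=UTC))]
# Context per RFC 5925: source IP, destination IP, ports, and both initial sequence numbers.
CONTEXT = (socket.inet_aton("192.0.2.1") + socket.inet_aton("192.0.2.2")
           + struct.pack("!HHII", 49152, 179, 1000, 2000))
SEGMENT = b"constructed stand-in for pseudo-header + TCP header + payload"
```

Adding key 2 with a future start time changes which key `active_key` returns once that time passes, while segments tagged with either key ID still verify against the same chain.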

  • Support for LDP Tunneling over Segment Routing Traffic Engineering (MX Series, PTX Series, and ACX5448)—Starting in Junos OS Release 20.3R1, you can tunnel LDP LSPs over Segment Routing Traffic Engineering (SR-TE) in your network. Tunneling LDP over SR-TE supports the coexistence of both LDP LSPs and SR-TE LSPs.

    [See How to Tunnel LDP LSPs over Segment Routing Traffic Engineering.]

  • Support for IP-over-IP next-hop-based tunneling (MX Series, PTX1000, PTX10000, and QFX10000)—Starting in Junos OS Release 20.3R1, we support an IP-over-IP encapsulation to facilitate IP overlay construction over an IP transport network. An IP network contains edge devices and core devices. To achieve higher scale and reliability among these devices, you need to use an overlay encapsulation to logically isolate the core network from the external network that the edge devices interact with. Among other supported encapsulation methods, only IP-over-IP allows transit devices to parse the inner payload and use inner packet fields for hash computation and customer edge devices to route traffic into and out of the tunnel without any throughput reduction. IP-over-IP relies on a next-hop-based infrastructure to support higher scale.

    On MX Series routers, the routing protocol daemon (rpd) sends the encapsulation header with the tunnel composite next hop, and the Packet Forwarding Engine finds the tunnel destination address and forwards the packet. On PTX Series routers and QFX10000 switches, rpd sends the fully resolved next-hop-based tunnel to the Packet Forwarding Engine. You can use either a static configuration or a BGP protocol configuration to distribute routes and signal dynamic tunnels. You can also configure interface-based firewall filters on any transit or egress device with an action to decapsulate IP-IP packets and forward them to the main instance or to a routing instance as required.

    [See How to Configure Next-Hop-Based Dynamic Tunneling Using IP-Over-IP Encapsulation.]

  • SRv6 network programming in IS-IS (MX Series with MPC7E, MPC8E and MPC9E line cards)—Starting in Junos OS Release 20.3R1, you can configure segment routing (SR) in a core IPv6 network without an MPLS data plane. This feature is useful for service providers whose networks are predominantly IPv6 and have not deployed MPLS. Such networks depend only on the IPv6 headers and header extensions for transmitting data. This feature benefits networks that need to deploy segment routing traffic through transit routers that do not have segment routing capability yet. In such networks, the SRv6 network programming feature can provide flexibility to leverage segment routing without deploying MPLS.

    To enable SRv6 network programming in an IPv6 domain, include the srv6 statement at the [edit routing-options source-packet-routing] hierarchy level.

    To advertise the SRH locator with a mapped flexible algorithm, include the algorithm statement at the [edit protocols isis source-packet-routing srv6 locator] hierarchy level.

    To configure topology-independent loop-free alternate backup path for SRv6 in an IS-IS network, include the transit-srh-insert statement at the [edit protocols isis source-packet-routing srv6] hierarchy level.

    [See How to Enable SRv6 Network Programming in IS-IS Networks.]

  • Enhancements to sessions over outbound HTTPS (EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—Starting in Junos OS Release 20.3R1, devices running Junos OS with upgraded FreeBSD support the following enhancements to sessions over outbound HTTPS:

    • Connecting to multiple outbound HTTPS clients by configuring one or more clients at the [edit system services outbound-https] hierarchy level

    • Configuring multiple backup gRPC servers for a given outbound HTTPS client

    • Establishing a csh session

    • Establishing multiple, concurrent NETCONF and csh sessions between the device running Junos OS and an outbound HTTPS client

    • Configuring a shared secret that the outbound HTTPS client uses to authenticate the device running Junos OS

    • Authenticating the client using certificate chains in addition to self-signed certificates

    [See How to Configure NETCONF or Shell Sessions over Outbound HTTPS.]