Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Release Notes: Juniper Networks OpenStack Neutron Plug-in Release v3.0


This release notes accompany Juniper Networks OpenStack Neutron Plug-in Release v3.0. This document describes new and changed features, limitations, and known issues in hardware and software.


Juniper Networks provides OpenStack Neutron plug-ins, which enable integration and orchestration of EX, MX, QFX, and SRX devices in the customer network.

Neutron plug-ins are categorized as follows:

  • Core plug-ins - Implement the core API of the neutron, which consists of networking building blocks such as port, subnet, and network.

    Juniper provides the following core plug-ins:

    • ML2 VLAN plug-in

    • ML2 VXLAN plug-in with EVPN

  • Service plug-ins - Implement the neutron API extensions such as L3 router and L4-L7 services such as FWaaS, LBaaS, and VPNaaS.

    Juniper provides the following service plug-ins:

    • Juniper L3 plug-in

    • FWaaS plug-in

    • VPNaaS plug-in

For more information on the overview of the OpenStack Neutron plug-in, refer to Overview of the OpenStack Neutron Plug-in.

Supported Platforms

The following platforms are supported:

  • QFabric System

  • QFX Series

  • EX Series

  • SRX Series

New Features for OpenStack Neutron Plug-in v3.0

The following features are introduced for the OpenStack Neutron plug-in version 3.0 release:

  • VPN-as-a-Service (VPNaaS)

    Juniper Networks VPN-as-a-Service (VPNaaS) builds on top of the Juniper Networks L3 and FWaaS plug-ins. Use the VPNaaS plug-in to configure site-to-site VPN on SRX and vSRX devices.

  • Virtual Extensible LAN L3 Routing with Ethernet VPN (VXLAN L3 Routing with EVPN)

    The Juniper VXLAN EVPN ML2 plug-in uses VXLAN tunnels along with the Neutron hierarchal port binding design to provide L2 networks in OpenStack. The default L3 service plug-in in OpenStack implements virtual router using Linux network namespaces.

    This release of Neutron Plug-ins from Juniper Networks adds support for L3 routing for VXLAN networks. This is done by creating a VTEP on MX and QFX10000 series devices to convert the VXLAN to VLAN based network and configuring Routing Instances to route packets between these VLANs. This feature works in conjunction with Junipers VXLAN EVPN ML2 plug-in, while the VXLAN EVPN ML2 plug-in is used to provide L2 connectivity, the VXLAN EVPN L3 service plug-in provides L3 routing between the VXLAN based virtual networks.

  • EVPN Multi-homing

    To achieve network redundancy and load balancing, OpenStack nodes can be connected to more than one leaf switches capable of VXLAN-EVPN network. Juniper VXLAN-EVPN plug-in provisions the multi-homed peer devices with an identical Ethernet Segment Identification (ESI) number and identical VLAN, VNI encapsulation details. This enables EVPN multi-homing functionality on the device.

    OpenStack nodes can utilize all the multi-homing feature enabled uplinks to send traffic. This provides load balancing and redundancy in case of any failures. The uplink interface must be an aggregated interface.

  • EVPN Bare Metal Server (BMS)

    Juniper VXLAN-EVPN plug-in supports integration of Bare Metal Server (BMS) into VXLAN-EVPN network. BMS communicates with the OpenStack VMs when it is connected through an OpenStack network. Juniper plug-in supports integration of BMS into the OpenStack network. This provides accessibility to traditional physical devices from the OpenStack VM. Based on the plug-in configuration, BMS can be integrated into VLAN, VXLAN-EVPN network.

  • Source Network Address Translation (SNAT) and Destination Network Address Translation (DNAT)

    Network Address Translation (NAT) is a process for modifying the source or destination addresses in the headers of an IP packet while the packet is in transit. In general, the sender and receiver applications are not aware that the IP packets are manipulated.

    In OpenStack, external network provides Internet access for instances. By default, this network only allows Internet access from instances using Source Network Address Translation (SNAT). In SNAT, the NAT router modifies the IP address of the sender in IP packets. SNAT is commonly used to enable hosts with private addresses to communicate with servers on the public Internet.

    OpenStack enables Internet access to an instance by using floating IPs. Floating IPs are not allocated to instances by default. Cloud users should get the floating IPs from the pool configured by the OpenStack administrator and then attach them to their instances. Floating IP is implemented by Destination Network Address Translation (DNAT). In DNAT, the NAT router modifies the IP address of the destination in IP headers.

Software Compatibility

To use the Juniper Neutron plug-ins, your device requires the following software:

  • OpenStack

    • Releases supported Liberty and Mitaka.

  • Operating Systems

    • Ubuntu 14

    • Centos 7

  • Devices

    • Switching Platforms – EX and QFX

    • Routing and Security – SRX and vSRX

  • Python

    • Python, version 2.7

  • External Libraries

    • ncclient python library

Known Issues in OpenStack Neutron Plug-in

This section lists the known limitations in OpenStack Neutron plug-in:

  • Openstack Neutron plug-in has not been tested in a nested virtualization environment.

  • If users configure parallel networks using Openstack, there might be failures.


The following features of VPNaaS is either partially supported or not supported in 3.0 release and will be taken care in a future release:

  • Only Dead-Peer-Detection (DPD) disable action is supported. The other actions are not supported.

  • DPD interval is supported and DPD is always set to optimized and threshold always gets set to 5. DPD timeout is not supported.

  • Initiator state is always set to bidirectional.

  • Admin state transitions are not supported. Its advised to delete and recreate when needed.

  • SRX/vSRX support only IPSec Tunnel mode.