Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


New and Changed Features


This section describes the new features and enhancements in this release.

  • Flow caching is enabled for GRE traffic—vMX has flow cache support for GRE traffic.

  • Flow caching is enabled for multicast traffic—vMX has flow cache support for the following multicast traffic:

    • IPv4 and IPv6 multicast

    • GRE encapsulated multicast traffic (PIM MVPN, rosen 6 MVPN)

    • Multicast traffic encapsulated in MPLS (BGP MVPN)

    • Tunnel as multicast outgoing interface (OIF)

    The multicast flows are stored in the same flow table as unicast flows. Tunnel flows consume two flow entries. To support flow caching, the maximum values are:

    • Size of flow table—1 million entries (unicast and multicast)

    • Number of multicast flows—32,768

    • Number of replications—16

    If multicast traffic exceeds the limits, packets are sent to microcode for processing.


    You do not need to dedicate microcode Workers for multicast traffic because flow cache is enabled for multicast.

    [See Multicast Protocols Feature Guide.]

  • IPsec VPN support—vMX supports inline site-to-site IPsec VPNs. The inline service interface (si) is used as the service interface for the service set. You enable inline service interfaces by configuring the inline-services bandwidth (1g | 10g) option at the [edit chassis fpc 0 pic 0] hierarchy level. The bandwidth value is not used for si traffic, so you can choose either value.


    The FPC reboots if you enable inline service interfaces.

    vMX supports manual and dynamic security associations in tunnel mode (only ESP protocol supported), static tunnels and dynamic endpoint tunnels, and next-hop-style and interface-style service sets. vMX does not support match-direction output configuration for interface-style configuration. Enabling routing on the si interface is not supported. We recommend that you configure static rules, dynamic rules, and dynamic Group VPN rules in different service sets.

    vMX includes support for Suite B cryptographic suites in addition to the IPsec encryption algorithms. To configure the encryption algorithms for AES Galois/Counter Mode (GCM), include the encryption-algorithm (aes-128-gcm | aes-192-gcm | aes-256-gcm) option at the [edit services ipsec-vpn ipsec proposal proposal-name] hierarchy level.

    vMX supports NAT-Traversal on IPsec tunnels. If the remote gateway for which the IKE policy is used has an IP address that is translated by NAT, you must specify the remote ID. To specify the remote ID, include the remote-id ipv4_addr ip-address option at the [edit services ipsec-vpn ike policy policy-name] hierarchy level.

    [See Creating Secure Tunnels Using Junos VPN Site Secure.]

  • Ubuntu OpenStack support—Ubuntu OpenStack (Liberty) is supported.