Hardware

Class of service

Support for CoS configuration with the following limitations:

• If you apply strict-high priority schedulers to queues 0 through 3, then the strict-high priority schedulers are also applied to queues 8 through 11. Therefore, we recommend that you apply strict-high priority schedulers only to queues 4 through 7.

• The EX4400 doesn't support the excess-rate configuration for schedulers.

[See schedulers (CoS).]

EVPN

Support for Layer 2 VXLAN gateway services in an EVPN-VXLAN network:

• 802.1X authentication, accounting, CWA authentication, and captive portal

• CoS

• DHCPv4 and DHCPv6 snooping, dynamc ARP inspection (DAI), neighbor discovery inspection, IP source guard and IPv6 source guard, and router advertisement (RA) guard (no multihoming)

• Firewall filters and policing

• Storm control, port mirroring, and MAC filtering

[See EVPN Feature Guide.]

Support for the following Layer 2 VXLAN gateway features in an EVPN-VXLAN network:

• Active/active multihoming

• Proxy ARP use and ARP suppression, and Neighbor Discovery Protocol (NDP) use and NDP suppression on non-IRB interfaces

• Ingress node replication for broadcast, unknown unicast, and multicast (BUM) traffic forwarding

[See EVPN Feature Guide.]

Layer 3 VXLAN gateway in EVPN-VXLAN centrally routed bridging overlay or edge-routed bridging overlay networks, supported on standalone switches or Virtual Chassis and including the following features:

• Default gateway using IRB interfaces to route traffic between VLANs. [See Using a Default Layer 3 Gateway to Route Traffic in an EVPN-VXLAN Overlay Network.]

• IPv6 data traffic routed through an EVPN-VXLAN overlay network with an IPv4 underlay. [See Routing IPv6 Data Traffic through an EVPN-VXLAN Network with an IPv4 Underlay.]

• EVPN pure Type 5 routes. [See Understanding EVPN Pure Type-5 Routes.]

The Virtual Chassis doesn’t support EVPN-VXLAN multihoming, but you can use the standalone switch as an EVPN-VXLAN provider edge device in multihoming use cases.

Support for VXLAN Group Based Policy (VXLAN-GBP). EX4400 switches support the use of existing Layer 3 VXLAN network identifiers (VNI) in conjunction with firewall filter policies to provide microsegmentation at the device or tag level, independent of the underlying network topology. IoT devices, for example, typically only need access to specific applications on the network. GBP keeps this traffic isolated by automatically applying security policies without the need for L2 or L3 lookups, or access control lists (ACLs). [See Example: Micro and Macro Segmentation using Group Based Policy in a VXLAN.]

High availability (HA) and resiliency

High availability includes NSSU, GRES, NSB, and NSR. [See High Availability User Guide.]

Interfaces and chassis

EX4400-24T and EX4400-24P models have 24 RJ-45 ports and 2 QSFP28 ports.

EX4400-48T and EX4400-48P models have 48 RJ-45 ports and 2 QSFP28 ports.

The EX4400-48F model has 36 1GbE SFP ports, 12 10GbE SFP+ ports, and 2 100GbE QSFP28 ports.

You can channelize the QSFP28 ports into four 25-Gbps or four 10-Gbps interfaces. [See Port Settings.]

Support for the IEEE 802.3bt standard for Power over Ethernet (PoE) and fast PoE. With fast PoE enabled, the switch saves PoE power settings across a reboot and powers on the powered device (PD) at the initial stage of the boot (within a few seconds of switching on power) before the complete switch is booted. To configure fast PoE, use the command set poe fast-poe. [See Understanding PoE on EX Series Switches.]

Junos telemetry interface (JTI)

JTI Packet Forwarding Engine and Routing Engine sensor support. Use the Junos telemetry interface (JTI) and remote procedure calls (gRPC) to stream statistics from the switches to an outside collector.

The following Routing Engine statistics are supported:

• LACP state export

• Chassis environmentals export

• Network discovery chassis and components

• LLDP export and LLDP model

• BGP peer information (RPD)

• RPD task memory utilization export

• Network discovery ARP table state

• Network discovery NDP table state

The following Packet Forwarding Engine statistics are supported:

• Congestion and latency monitoring

• Logical interface

• Filter

• Physical interface

• NPU/LC memory

• Network discovery NDP table state

To provision a sensor to export data through gRPC, use the telemetrySubscribe RPC to specify telemetry parameters.

[ See Configuring a Junos Telemetry Interface Sensor (CLI Procedure), Configure a NETCONF Proxy Telemetry Sensor in Junos, and Guidelines for gRPC and gNMI Sensors (Junos Telemetry Interface).]

Junos XML API and scripting

Support for Python, SLAX, and XSLT scripting languages and for commit scripts and macros, event policy and event scripts, op scripts, and SNMP scripts. [See Automation Scripting User Guide.]

Support for Ethernet ring protection switching version 2 (ERPSv2), which reliably achieves carrier-class network requirements for Ethernet topologies to form a closed loop. [See Example: Configuring Ethernet Ring Protection Switching on QFX Series and EX Series Switches Supporting ELS.]

Layer 2 unicast features

• Bridge protocol data unit (BPDU) protection

• Ethernet ring protection switching (ERPS)

• IEEE 802.1p

• LAG resilient hashing

• Layer 3 VLAN-tagged subinterfaces

• LLDP (IEEE 802.1AB)

• Loop protection

• MAC address aging

• MAC address filtering

• Disable MAC learning

• Multiple Spanning Tree Protocol (MSTP) (IEEE 802.1s)

• Multiple VLAN Registration Protocol (MVRP) (IEEE 802.1ak)

• Persistent MAC (sticky MAC)

• Per VLAN MAC learning (limit)

• Port-based VLAN

• Proxy ARP

• Redundant trunk group (RTG)

• Root protection

• Routed VLAN interface (RVI)

• Rapid Spanning Tree Protocol (RSTP) (IEEE 802.1w)

• Static and dynamic link aggregation with LACP (fast and slow LACP)

• Static MAC address assignment for interface

• Storm control

• STP (IEEE 802.1D)

• Uplink failure detection

• VLAN

• VLAN—IEEE 802.1Q VLAN trunking

• VSTP

[See Ethernet Switching User Guide, Security Services Administration Guide, and Spanning-Tree Protocols User Guide.]

Layer 3 unicast features

• 32-way equal-cost multipath (ECMP)

• BFD (for RIP, OSPF, IS-IS, BGP, and PIM)

• BGP 4-byte ASN support

• BGP Add Path (BGP-AP)

• Filter based forwarding (FBF)

• IP directed broadcast traffic forwarding

• IPv4 BGP

• IPv4 multiprotocol BGP (MBGP)

• IPv4 over GRE

• IPv6 BGP

• IPv6 CoS (BA, classification and rewrite, scheduling based on traffic class)

• IPv6 IS-IS

• IPv6 Neighbor Discovery Protocol (NDP)

• IPv6 OSPFv3

• IPv6 ping

• IPv6 stateless auto-configuration

• IPv6 static routing

• IPv6 traceroute

• IS-IS

• OSPFv2

• Path MTU discovery

• RIPv2

• Static routing

• Unicast reverse path forwarding (unicast RPF)

• Virtual router for IS-IS, RIP, OSPF, and BGP

• Virtual Router Redundancy Protocol (VRRP)

• VRRPv3

[See High Availability User Guide, BGP User Guide, Routing Policies, Firewall Filters, and Traffic Policers User Guide, IS-IS User Guide, Security Services Administration Guide, and OSPF User Guide.]

Licensing

You need a license to use the software features on the EX4400-24T, EX4400-24P, EX4400-48T, EX4400-48P, and EX4400-48F switches. To learn about the features supported on this device. [See EX Series Switches Support for the Juniper Flex Program.]

[To add, delete, and manage licenses, see Managing Licenses.]

Multicast

• IGMP snooping

• IGMP: version 1, version 2, version 3

• Multicast Listener Discovery (MLD) snooping

• PIM-SM, PIM-SSM, PIM-DM

[See Multicast Protocols User Guide.]

Network management and monitoring

Chef support for EX4400-48F. [See Chef for Junos OS Getting Started Guide.]

EX4400 switches support the following Ethernet OAM link fault management (LFM) and connectivity fault management (CFM) features:

• Monitor faults, using the continuity check messages (CCM) protocol to discover and maintain adjacencies at the VLAN or link level.

• Discover paths and verify faults, using the Link Trace Message protocol (LTM protocol) to map the path taken to a destination MAC address.

• Isolate faults, using loopback messages

The EX4400 supports the following Ethernet switching events:

• adjacency loss

• connection-protection-tlv

• interface-status-tlv

• port-status-tlv

EX Series switches support the interface-down action.

[See Ethernet OAM and CFM for Switches and OAM Link Fault Management.]

• Local and remote port mirroring, and remote port mirroring to an IP address (GRE encapsulation). [See Port Mirroring and Analyzers.]

• sFlow network monitoring technology. [See sFlow Monitoring Technology.]

Support for Puppet for Junos OS. [See Puppet for Junos OS Administration Guide.]

Support for adding nonnative YANG modules to the Junos OS schema. [See Understanding the Management of Nonnative YANG Modules on Devices Running Junos OS.]

Support for configuring the ephemeral database using the NETCONF and Junos XML protocols. [See Understanding the Ephemeral Configuration Database.]

Support for Juniper Mist Wired Assurance. You can automatically onboard and provision Juniper Networks EX4400 switches to the Juniper Mist cloud using a single activation code. Juniper Mist Wired Assurance provides automated operations and enables the use of service-level expectations (SLEs) for IoT devices, Juniper access points driven by Mist AI, and other network devices.

[For an overview of Juniper Mist Wired Assurance and deployment instructions, see Juniper AI-Driven Enterprise and Overview of EX Series Switches and the Juniper Mist Cloud.]

Routing policy and firewall filters

Firewall filters and policers. [See Firewall Filters Overview.]

Security

Support for distributed denial-of-service (DDoS) protection. [See Control Plane Distributed Denial-of-Service (DDoS) Protection Overview.]

Support for the following port security features:

• DHCP snooping (IPv4 and IPv6)

• Dynamic ARP inspection (DAI)

• IPv6 neighbor discovery inspection

[See Security Services Administration Guide.]

Support for Media Access Control security with 256-bit cipher suite. [See Understanding Media Access Control Security (MACsec).]

Services applications

Flow-based telemetry (FBT) enables per-flow-level analytics, using inline monitoring services to create flows and collect them. A flow is a sequence of packets that have the same source IP, destination IP, source port, destination port, or protocol on an interface. For each flow, various parameters are collected and sent to a collector using the open-standard IPFIX template to organize the flow. You configure FBT by configuring the template statement at the [edit services inline-monitoring] hierarchy level, and including the flow-monitoring option. [See Inline Monitoring Services Configuration and template (Inline Monitoring).]

Software installation and upgrade

Support for secure boot. The implementation is based on the UEFI 2.4 standard. [See Software Installation and Upgrade Guide.]

Virtual Chassis

Virtual Chassis support for up to ten EX4400 switches interconnected and managed as a single device. The Virtual Chassis also supports NSSU to upgrade all member devices with a single command.

You configure and operate an EX4400 Virtual Chassis the same way as you do other EX Series and QFX Series Virtual Chassis. However, there are a few platform-specific VCP differences, including the following:

• By default, the two rear-panel 100GbE QSFP28 ports operate as four logical 50-Gbps VCP interfaces to connect the member switches. You can’t use any other ports as VCPs.

• These ports are in PIC slot 1, so the VCP ports on a switch are always named vcp-255/1/x, where x is a port number from 0 through 3.

[See Virtual Chassis Overview for Switches.]

• Configure inner source MAC address for flexible VXLAN tunnels—Use the Juniper Extension Toolkit (JET) RIB Service API to configure the source MAC address used in IPv4 and IPv6 flexible VXLAN tunnel encapsulation profiles. If you don’t specify a source MAC address, the default source MAC address 00:00:5e:00:52:01 is used to encapsulate IPv4 and IPv6 flexible VXLAN tunnels.

  [See Understanding Programmable Flexible VXLAN Tunnels and Juniper Extension Toolkit (JET).]

• Support for auto-derived route targets on EVPN-MPLS.Junos OS supports the automatic derivation of route targets on EVPN-MPLS in an MPC10E line card on an MX Series router. When you enable the auto-derived route target feature, route targets are automatically derived from the VLAN ID for EVPN Type 2 and EVPN Type 3 routes and can be imported to the EVPN routing instance table.

  To enable the auto-derived route targets option, include the auto statement at the [edit routing-instances routing-instance-name protocols evpn vrf-target] hierarchy level.

  [See Auto-derived Route targets.]

• Support for IPv4 unicast VXLAN encapsulation optimization on MPC10E and MPC11E line cards running on MX240, MX480, MX960, MX2008, MX2010, and MX2020 routers. By default, these routers optimize VXLAN-encapsulated throughput for IPv4 unicast packets that are 512 through 1500 bytes in size over the following VXLAN tunnel types:

  • PIM-based VXLAN

  • EVPN-VXLAN

  • Static VXLAN

  This feature doesn’t provide additional optimization over EVPN Type 5 tunnels (which are already optimized), and is not supported with forwarding table filters.

  [See Understanding VXLANs.]

• MX Series Virtual Chassis (MX-VC) support for MPC10E-10C-MRATE and MPC10E-15C-MRATE (MX240, MX480, and MX960)— You can operate the MPC10E-10C-MRATE and MPC10E-15C-MRATE line cards in a router in an MX Series Virtual Chassis. The MPC10E support in MX-VC is only for uplink usage.

  [See Virtual Chassis Components Overview.]

• Support for static backup paths with IP-in-IP tunnel encapsulation and provisioning APIs (MX240, MX480, MX960, MX2010 and MX2020)—We've enhanced Juniper Extension Toolkit (JET) APIs to enable a controller to set up underlay network backup paths that use IP-in-IP tunnels with IPv4 encapsulation.

  [See Juniper Extension Toolkit (JET).]

• Support for MAC statistics (MX-Series)— You can enable MAC statistics for Layer 2 traffic on MPC10E-15C-MRATE, MPC10E-10C-MRATE, and MX2K-MPC11E MPC line cards.

  To enable MAC statistics at the bridge domain, include the mac-statistics configuration statement at the [edit bridge-domains <bridge-domain name> bridge-options] hierarchy level.

  To enable MAC statistics at the global level, you need to include the global-mac-statistics configuration statement at the [edit protocols l2-learning] hierarchy level.

  [See mac-statistics and global-mac-statistics.]

• Support for Multiple VLAN Registration Protocol (MVRP) and Ethernet ring protection switching (ERPS).

  [See Understanding Multiple VLAN Registration Protocol (MVRP) for Dynamic VLAN Registration and Ethernet Ring Protection Switching Overview.]

• Support for Media Access Control Security (MACsec) on logical interfaces (MPC10E and MPC11E). VLAN tags are transmitted in clear text, which allows intermediate switches that are MACsec-unaware to switch the packets based on the VLAN tags.

  [See Media Access Control Security (MACsec) over WAN.]

• Support for Mapping of Address and Port with Encapsulation (MAP-E) and inline 6rd (MPC10E and MX2K-MPC11E)— You can configure MAP-E and inline IPv6 rapid deployment (inline 6rd) on the following MPCs:

  • MPC10E-15C-MRATE and MPC10E-10C-MRATE on MX240, MX480, and MX960 routers

  • MX2K-MPC11E on MX2010 and MX2020 routers

  [See Configuring Mapping of Address and Port with Encapsulation (MAP-E) and Configuring Inline 6rd.]

• Support for tunnel interfaces on the MPC10E line card—Junos OS supports three tunnel interfaces on the MPC10E line card: generic routing encapsulation (GRE) tunnel, logical tunnel (LT), and virtual tunnel (VT).

  • The GRE tunnel interface supports the tunnel statement with these options: destination, key, source, traffic-class and ttl. The copy-tos-to-outer-ip-header statement is also supported.

  • The LT interface supports the family inet, inet6, and iso options. The encapsulation statement supports the Ethernet and VLAN physical interface options only.

  • The VT interface supports the family inet option only.

  [See Tunnel Services Overview].

• AMS support (MX240, MX480, MX960, MX2010, and MX2020 routers)—Junos OS supports aggregated multiservices (AMS) interfaces on the MPC10E and MX2K-MPC11E line cards to provide load balancing and high availability features for stateful firewall and NAT services. You can configure AMS interfaces with next-hop style service sets and with MS-MPC or MS-MIC only.

  [See Understanding Aggregated Multiservices Interfaces.]

• Support for Synchronous Ethernet over link aggregation group interfaces (MX240, MX480, and MX960)—MPC10E line cards support Synchronous Ethernet over a link aggregation group (LAG).

  [See Synchronous Ethernet Overview.]

• Support for PTP over Ethernet, hybrid mode, and G.8275.1 profile (MX240, MX480, and MX960)—MPC10E line cards support Precision Time Protocol (PTP) over Ethernet, G.8275.1 profile, and hybrid mode.

  [See Precison Time Protocol Overview and Understanding Hybrid Mode.]

• Support for PTP over Ethernet and hybrid mode over link aggregation group interfaces (MX240, MX480, and MX960)— MPC10E line cards support Precision Time Protocol (PTP) over Ethernet and hybrid mode over a link aggregation group (LAG).

  [See Understanding Hybrid Mode and Precison Time Protocol Overview.]