Key Features in Junos OS Release 21.1R1

Use this video to take a quick look at some of the key features introduced in Junos OS Release 21.1R1.

Here is the list of all key features in this release. For more information about a feature, click the link in the feature description.

  • Enhanced monitoring and troubleshooting of the flow session (SRX Series)—Starting in Junos OS Release 21.1R1, we’ve introduced additional filters to the show security flow session operational command. The additional filters allow you to generate specified outputs in a list so that you can easily monitor the flow session. We’ve also introduced the show security flow session pretty and show security flow session plugins operational commands to view detailed information about the flow session.

    You can also trace the packet-drop information without committing the configuration using the monitor security packet-drop operational command. This command output is displayed on the screen until you press Ctrl+c or until the security device collects the requested number of packet drops. The command includes various filters to generate the output fields per your requirement.

    [See show security flow session, show security flow session pretty, show security flow session plugins, and monitor security packet-drop.]

  • EVPN-VXLAN tunnel inspection (SRX4100, SRX4200, SRX4600, SRX5400, SRX5600, SRX5800, and vSRX)—Starting in Junos OS Release 21.1R1, we've introduced the following enhancements to the VXLAN support for SRX Series devices:

    • Support for SRX5000 line of devices in addition to the SRX4000 line and vSRX

    • Enhancements to tunnel inspection for VXLAN-encapsulated traffic by applying Layer 4 or Layer 7 security services to the tunnel traffic. The supported services are:

      • Application identification
      • IDP
      • Juniper Advanced Threat Prevention (ATP Cloud)
      • Unified threat management (UTM)

    Layer 7 security services provide application-level security and protect users from security threats through the VXLAN tunnel.

    [See Configuring Tunnel Traffic Inspection.]

  • Support for flexible algorithms in IS-IS for segment routing–traffic engineering (SR-TE) (ACX Series)—Starting in Junos OS Release 21.1R1, you can thin-slice a network by defining flexible algorithms that compute paths using different parameters and link constraints based on your requirements. For example, you can define a flexible algorithm that computes a path to minimize the IGP metric and another flexible algorithm to compute a path based on the traffic engineering metric to divide the network into separate planes. This feature enables networks without a controller to configure traffic engineering and utilize the segment routing capability of a device.

    To define a flexible algorithm, include the flex-algorithm statement at the [edit routing-options] hierarchy level. To configure a device to participate in a flexible algorithm, include the flex-algorithm statement at the [edit protocols isis segment routing] hierarchy level.

    [See Understanding IS-IS Flexible Algorithm for Segment Routing.]

  • IS-IS link delay measurement and advertising (MX Series)—Starting in Junos OS Release 21.1R1, you can measure and advertise various performance metrics in IP networks in a scalable way by using several IS-IS probe messages. These metrics can then be used to make path-selection decisions based on network performance.

    [See How to Enable Link Delay Measurement and Advertising in IS-IS, delay-measurement, and delay-metric.]

  • LLDP on routed and reth interfaces (SRX4100, SRX4200, SRX4600, SRX5400, SRX5600, and SRX5800)—Starting in Junos OS Release 21.1R1, you can enable LLDP on all physical interfaces, including routed and redundant Ethernet (reth) interfaces. LLDP is a link-layer protocol used by network devices to advertise capabilities, identity, and other information to a LAN.

    [See LLDP Overview.]

  • MVPN live-live solution support (MX Series)—Starting in Junos OS Release 21.1R1, we’ve added support to enable the MVPN live-live feature in next-generation multicast VPN (MVPN) with multicast LDP point-to-multipoint (P2MP) provider tunnel. This feature helps to keep your network live all the time.

    To enable the MVPN live-live solution:

    • Configure the sender-based-rpf option by running the set routing-instances routing-instance-name protocols mvpn sender-based-rpf command. This option is disabled by default.
    • Configure the hot-root-standby option by running the set routing-instances routing-instance-name protocols mvpn hot-root-standby command. You can configure this option only if sender-based RPF is enabled.

    When you enable this configuration, the receiving PE automatically switches over to the backup path if it encounters any failure while forwarding the traffic from the primary path to the customer network. The transition from primary path to backup path happens in less than 50 milliseconds.

    For previous Junos OS releases, we provided support only for RSVP-TE and IR provider tunnels.

    [See sender-based-rpf and hot-root-standby.]

  • BGP Classful Transport planes (BGP-CT) to facilitate service mapping over colored tunnels (ACX Series, PTX Series, MX Series)—Starting in Junos OS Release 21.1R1, you can classify colored transport tunnels (RSVP, IS-IS flexible algorithm) in your network into transport classes and map service routes over an intended transport class. You can also extend the transport tunnels to span across multiple domains (ASs or IGP areas) by using the new BGP transport address family called BGP Classful Transport (BGP CT).

    This feature lays the foundation for network slicing and allows the different domains to interoperate irrespective of the transport signaling protocols used in each domain.

    [See BGP Classful Transport Planes Overview.]

  • Packet-based ECMP support for Express Path (SRX5400, SRX5600, and SRX5800)—In earlier releases, Express Path supported only session-based ECMP traffic. Starting in Junos OS Release 21.1R1, Express Path also supports packet-based ECMP traffic from different network processors of the SRX Series device. In the packet-based ECMP mode, the SPU creates multiple network processor sessions on multiple network processors at a time. This feature is enabled by default.

    [See Express Path.]

  • Support for BGP unnumbered neighbor (MX Series, PTX1000, PTX10008, QFX5120-32C, QFX5200, QFX5210, and QFX10008)—Starting in Junos OS Release 21.1R1, we support the BGP unnumbered neighbor feature using the IPv6 Neighbor Discovery Protocol (NDP). This feature allows BGP to automatically create peer neighbor sessions using link-local IPv6 addresses of directly connected neighbor routers using IPv6 NDP.

  • Support for BGP MVPN (Junos fusion for provider edge)—Starting in Junos OS Release 21.1R1, Junos fusion for provider edge supports BGP multicast VPN (MVPN). BGP MVPN is a method for implementing multiprotocol multicast services over a BGP MPLS Layer 3 VPN. Junos fusion for provider edge supports the connection of a BGP-based MVPN customer edge (CE) device on the extended ports of the satellite device in Junos fusion for provider edge.

    [See Junos Fusion Provider Edge Supported Protocols.]

  • Support for configuring multiple independent IGP instances of IS-IS (ACX Series, MX Series, and PTX Series)—Starting in Junos OS Release 21.1R1, you can configure and run multiple independent IGP instances of IS-IS simultaneously on a router.

    Note:

    Junos OS does not support configuring the same logical interface in multiple IGP instances of IS-IS.

    [See How to Configure Multiple Independent IGP Instances of IS-IS.]

  • Support for displaying the timestamp in syslog (MX Series routers with MS-MPC, MS-MIC, and MX-SPC3)—Starting in Junos OS Release 21.1R1, you can enable system log (syslog) timestamps in local system timestamp format or UTC format.

    On routers with MS-MPC, you can override the default UTC timestamp to local system timestamp format by configuring the new statement, syslog-local-system-timestamp, at the [edit interfaces ms-interface\ams-interface services-options] hierarchy level.

    On routers with MX-SPC3 cards, you can override the default local system timestamp in syslog to UTC format by configuring the existing statement, utc-timestamp, at the [edit interfaces vms-interface\ams-interface services-options] hierarchy level or at the [edit services service-set-name syslog] hierarchy level.

    For the routers with MX-SPC3 cards, starting in Release 21.1R1 you can configure the utc-timestamp statement at the [edit interfaces vms-interface\ams-interface services-options] hierarchy level. Earlier releases support this statement at the [edit services service-set-name syslog] hierarchy level.

    [See syslog (Services Service Set).]

  • Support for EVPN-MPLS (Junos fusion for provider edge)—Starting in Junos OS Release 21.1R1, Junos fusion for provider edge supports EVPN-MPLS. EVPN-MPLS is a solution that extends Layer 2 VPN services over an MPLS network. Junos fusion for provider edge supports the connection of a customer edge (CE) device on the extended port of the satellite device in an EVPN-MPLS network.

    [See Junos Fusion Provider Edge Supported Protocols.]

  • Support for microsegmentation on VLANs and VXLANs (QFX5110 and QFX5120)—Starting in Junos OS Release 21.1R1, you can configure egress filters with Layer 2 and Layer 3 match conditions in both VLAN and VXLAN deployments. Junos OS already supports filtering in Layer 2 match conditions in the ingress direction.

    To use egress filters for microsegmentation in a VXLAN, enable the epacl-firewall-optimization statement at the [edit chassis] level of the hierarchy and create the firewall rules with the match conditions that you want to filter on. For egress filtering on VLANs, you don't need to enable epacl-firewall-optimization. Both the QFX5110 and QFX5120 support egress filtering, for VLANs and VXLANs, with the following match conditions:

    • ip-source-address
    • ip-destination-address
    • destination-port
    • destination-mac-address
    • user-vlan-id
    • ip-protocol
    • source-mac-address

    Valid actions for these rules are accept, count, and discard.

    [See Overview of Firewall Filters (QFX Series) and Understanding Firewall Filter Match Conditions.]

  • Avoid microloops in IS-IS-SRv6 networks (MX Series with MPC7E, MPC8E and MPC9E line cards)—Starting in Junos OS Release 21.1R1, you can enable post-convergence path calculation on a device to avoid microloops if a link or metric changes in an SRv6 network. Note that microloop avoidance is not a replacement for local repair mechanisms such as topology-independent loop-free alternate (TI-LFA), which detects local failure very fast and activates a precomputed loop-free alternative path.

    To configure microloop avoidance in an SRv6 network, include the microloop-avoidance post-convergence-path delay milliseconds statement at the [edit protocols isis spf-options] hierarchy level.

    [See How to Configure Microloop Avoidance for IS-IS in SRv6 Networks.]

  • Support for interprovider and carrier-of-carrier VPNs (Junos fusion for provider edge)—Starting in Junos OS Release 21.1R1, Junos fusion for provider edge supports Interprovider and Carrier-of-Carrier VPNs. The Carrier-of-Carrier VPN service describes a hierarchical VPN (also known as a recursive VPN) model where one carrier (VPN service customer) transports its VPN traffic inside another carrier’s VPN (VPN service provider). Junos fusion for provider edge currently supports provider edge (PE) routers for VPN service customers. In Junos OS Release 21.1R1, we introduce support for PE routers for VPN service providers along with VPN service customers.

    Interprovider VPNs provide connectivity between different service providers that are using separate autonomous systems (ASs) or one service provider that is using different ASs for different geographic locations. For Interprovider VPNs, Junos fusion for provider edge supports only intra-AS connection on an AS boundary router (ASBR) to the extended port.

    [See Junos Fusion Provider Edge Supported Protocols.]

  • Support for PWHT (over EVPN-VPWS, on a transport logical interface) with subscriber management (BNG) service logical interfaces (MX Series routers)—Starting in Junos OS Release 21.1R1, you can deploy broadband network gateways (BNGs) that are connected to aggregation networks running EVPN-VPWS. You configure pseudowire headend termination (PWHT) on a transport logical interface that is on the pseudowire subscriber interface. The BNG pops the EVPN and VPWS headers and terminates subscribers at Layer 2.

    This feature includes support for:

    • All broadband features available on PWHT on MX Series routers
    • Single-homed EVPN-VPWS with the pseudowire subscriber interface anchored to a logical tunnel (LT) interface
    • Choice of whether or not to use a control word

  • Support for Snort IPS signatures (SRX Series and NFX Series)—Starting in Junos OS Release 21.1R1, Juniper Networks IDP supports Snort IPS signatures. IDP secures your network by using signatures that help to detect attacks. Snort is an open-source intrusion prevention system (IPS). You can convert the Snort IPS rules into Juniper IDP custom attack signatures using the Juniper Integration of Snort Tool (JIST). These rules help detect malicious attacks.

    • JIST is included in Junos OS by default. The tool supports Snort version 2 and version 3 rules.
    • JIST converts the Snort rules with snort-ids into equivalent custom attack signatures on Junos OS with respective snort-ids as the custom attack names.
    • When you run the request command with Snort IPS rules, JIST generates set commands equivalent to the Snort IPS rules. Use the request security idp jist-conversion command to generate the set commands as CLI output. To load the set commands, use the load set terminal statement or copy and paste the commands in the configuration mode, and then commit. You can then configure the existing IDP policy with the converted custom attack signatures.
    • All the Snort IPS rule files that didn’t get converted are written to /tmp/jist-failed.rules. The error log files generated during the conversion are written to /tmp/jist-error.log.
    • To view the jist-package version, use the show security idp jist-package-version command.

    [See Understanding Snort IPS Signatures, request security idp jist-conversion, and show security idp jist-package-version.]

  • Support for strict SPF and IGP shortcut (ACX710, MX960, MX10008, MX2020, PTX5000, and PTX1000)—Starting in Junos OS Release 21.1R1, you can configure segment routing algorithm 1 (strict SPF) and advertise its SIDs in IS-IS link-state PDUs (LSPDUs). You can use these SIDs to create SR-TE tunnels that forward traffic along the shortest IGP path to the tunnel endpoint while avoiding loops. You can also specify a set of prefixes in the import policy, based on which the tunnel can redirect the traffic to a certain destination. You can use algorithm 1 (strict SPF) along with algorithm 0 (default SPF) by default when Source Packet Routing in Networking (SPRING) is enabled.

    [See How to Enable Strict SPF SIDs and IGP Shortcut, prefix-segment, and source-packet-routing.]

  • Support for VRRP (PTX1000, PTX10002, PTX10008, and PTX10016)—Starting in Junos OS Release 21.1R1, PTX1000, PTX10002, PTX10008, and PTX10016 routers support VRRP. However, these routers do not support the following VRRP features:

    • VRRP on IRB
    • Dual tagging
    • GRES
    • VRRP on logical tunnel (LT) interfaces
    • Layer 2 VRRP

    [See Understanding VRRP.]

  • Policy-based threat profiling (SRX Series devices and vSRX)—Starting in Junos OS Release 21.1R1, you can add the user source identity (username) to a security policy to generate security feeds.

    Juniper ATP Cloud service consolidates the generated feeds from the SRX Series device and shares the duplicated results back with that security device. The security device uses the feeds to perform actions against the designated traffic. You can enable the security device to use the feeds by configuring security policies with the feeds as matching criteria. When traffic matches policy conditions, the device applies policy actions.

    [See Threat Profiling Support in Security Policy.]
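
As an added example for the Snort IPS signatures item above (not Juniper's code and not part of JIST): a Python pre-flight check to run on a rules file before `request security idp jist-conversion`. It assumes one rule per line, and that a rule with no `sid` or a repeated `sid` needs attention because the page says the snort-id becomes the custom attack name; the sample rules and their SIDs are constructed.

```python
import re

# Constructed sample rules for illustration; SIDs and contents are placeholders.
SAMPLE_RULES = r'''
# local test rules
alert tcp any any -> any 80 (msg:"Example; with semicolon"; content:"/admin"; sid:1000001; rev:1;)
alert tcp any any -> any 443 (msg:"No sid here"; content:"test";)
alert udp any any -> any 53 (msg:"Duplicate id"; content:"x\;y"; sid:1000001; rev:2;)
alert tcp any any -> any 22 (msg:"Second unique rule"; sid:1000002; rev:1;)
'''

def split_options(body):
    """Split a Snort option body on ';', honouring quotes and backslash escapes."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    opts.append("".join(cur).strip())
    return [o for o in opts if o]

def preflight(text):
    """Return ({sid: rule}, [(lineno, reason)]). Assumption: sid must be unique per rule."""
    ready, problems = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(.*?)\((.*)\)\s*$", line)
        if not m:
            problems.append((lineno, "no option block"))
            continue
        sids = [o.split(":", 1)[1].strip() for o in split_options(m.group(2))
                if o.split(":", 1)[0].strip() == "sid" and ":" in o]
        if len(sids) != 1 or not sids[0].isdigit():
            problems.append((lineno, "missing or malformed sid"))
        elif sids[0] in ready:
            problems.append((lineno, f"duplicate sid {sids[0]}"))
        else:
            ready[sids[0]] = line
    return ready, problems
```

Rules reported in `problems` can be fixed before conversion; anything JIST itself rejects is still written to /tmp/jist-failed.rules as the page describes.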