Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Platform and Infrastructure

  • Next Gen Services (MX240, MX480, and MX960 with MX-SPC3)— Starting in Junos OS Release 21.1R1, we support IPsec (a Next Gen Services component) on the listed MX Series routers with the MX-SPC3 services card installed. To configure IPsec on MX Series routers with MX-SPC3, use the CLI configuration statements at the [edit security] hierarchy level. On MX Series routers with MS-MPC/MS-MIC line cards, you configure the feature at the [edit services] hierarchy level.

    Note:

    MX240, MX480, and MX960 routers with MS-MPC/MS-MIC and MX-SPC3 support Next Gen Services. We introduced this support in Junos OS Release 19.3R2.
    Table 1: Next Gen Services Supported on MX-SPC3
    Feature Description
    MX-SPC3 IPsec VPN Feature License You require a valid license to use the IPsec VPN feature on your MX Series devices with the MX-SPC3 services card.

    This is a binary license. The show system license command output displays the license count as 0 when no license is installed and 1 when a valid license is installed.

    You won't be able to establish IPsec VPN tunnels if you don't have a valid license to use the feature. However, tunnels that are currently active will continue to stay up if your license expires. You cannot reestablish IPsec VPN tunnels that go down after the expiry of the license until you install a valid license.

    See Managing Licenses.
    IPsec VPN

    The MX-SPC3 services card provides consistent IPsec VPN capability across security and routing platforms.

    You configure IPsec for the MX-SPC3 at the [edit security] hierarchy level.

    See Next Gen Services Overview
    AutoVPN preshared key (PSK) on MX-SPC3

    To allow different IKE preshared keys used by the VPN gateway to authenticate the remote peer, use our new CLI statements seeded-pre-shared-key ascii-text or seeded-pre-shared-key hexadecimal at the [edit security ike gateway gateway_name] hierarchy level. To allow the same IKE preshared key used by the VPN gateway to authenticate the remote peer, use the existing CLI command pre-shared-key ascii-text or pre-shared-key hexadecimal.

    During authentication of the remote peer, use the general-ikeid statement at the [edit security ike gateway gateway_name dynamic] hierarchy level to bypass the IKE-ID validation.

    See AutoVPN on Hub-and-Spoke Devices.
    Add new members to existing aggregated multiservice (AMS) bundle for IPsec service

    To add new members to an AMS bundle (for IPsec services) without impacting the traffic on the existing AMS bundle, configure the no-bundle-flap statement under the [edit interfaces interface-name load-balancing-options] hierarchy in non-HA mode. During the configuration change, the existing members in the AMS bundle don’t flap.

    See Understanding Aggregated Multiservices Interfaces for Next Gen Services.
    PowerMode IPsec

    The MX-SPC3 card supports PowerMode IPsec (PMI) with vector packet processing (VPP) and Intel Advanced Encryption Standard New Instructions (AES-NI), leading to IPsec performance improvements. You can enable PMI processing by using the set security flow power-mode-ipsec command. To disable PMI processing, use the delete security flow power-mode-ipsec command.

    MX-SPC3 also supports the fat tunnel feature that improves the performance of a single tunnel. If one of the tunnels is loaded with traffic and other tunnels have less traffic, the resources are shared within the fat group. This results in an even CPU utilization of the resources. To enable this feature, configure the fat-core statement at the [edit security distribution-profile] hierarchy level. You must configure the PMI feature first to enable the fat tunnel feature.

    See Improving IPsec Performance with PowerMode IPsec, Understanding Symmetric Fat IPsec Tunnel, and power-mode-ipsec.
    Support for mobility in CGNAT–XLAT464 We’ve upgraded the current dual-translation (464XLAT) feature by introducing clat-ipv6-prefix-length at the source NAT rule hierarchy level. You can use a single NAT rule with this configuration parameter in place of multiple source NAT rules with different source-address and customer-side translator (CLAT)-prefix values. This simplifies the configuration method for certain use case scenarios.
    Support for time zones in carrier-grade NAT Support for syslog timestamp (local system time stamp) using the utc-timestamp statement at the [edit interfaces interface-name services-options] hierarchy level.
    Network Address Translation - Port Translation (NAT-PT) We support NAT-PT with the DNS ALG service on the MX-SPC3 services card.

    See Configuring the DNS ALG.
    MPC10E interoperability

    The MPC10E (MPC10E-15C-MRATE and MPC10E-10C-MRATE) line card interoperates with the MX-SPC3 services card to support the NAT and stateful firewall Layer 3 services.

    See Protocols and Applications Supported by MX-SPC3 Services Card

    [See Next Gen Services Overview.]