Routing Policy and Firewall Filters

  • Enhanced scale support for firewall filters (ACX7100-32C and ACX7100-48L)—Starting in Junos OS Evolved Release 21.3R1, we support 16000 firewall filters.

    [See Understanding How to Use Standard Firewall Filters.]

  • Support for line-rate firewall filtering in the egress direction (PTX10001-36MR and PTX10008)—Starting in Junos OS Evolved Release 21.3R1, you can enable fast-lookup-filter to increase the performance of output firewall filters. Family inet, inet6 and MPLS filters can be configured with fast-lookup-filter at the [edit firewall family family-name filter filter-name] hierarchy level.

    [See fast-lookup-filter.]

  • Firewall filtering using flood policer, IRB, and service provider egress filtering (PTX10001-36MR, PTX10004, and PTX10008)—In Junos OS Evolved Release 21.3R1, you can use the flood policer feature to control flooding of the network with broadcast, unknown unicast, and multicast (BUM) traffic, and this control includes the EVPN flood policer. We now support inner VLAN ID and inner VLAN priority on ingress and egress and service provider style egress filters. Service provider style egress filters are Layer 2 filters attached in the egress direction for L2 interfaces configured in the service provider style. IRB filters are attached to an IRB interface configured for transitioning packets from Layer 2 to Layer 3 forwarding and vice versa (both entering or exiting the L3 interface) to control flooding of traffic in a given bridge domain. You can attach filters to IRB interfaces for both ingress and egress, but the execution of filters is different for each direction. Note that EVPN-MPLS configurations also support flood policers.

    [See Configuring the Filter Profile.]

  • New firewall filter feature: shared-bandwidth and percentage policers on the BT chip (PTX10001-36MR, PTX10004, and PTX10008)—Junos OS Evolved Release 21.3R1 introduces the shared-bandwidth policer for instances where policers are attached to aggregated Ethernet interface bundles with child legs spanning different Packet Forwarding Engine or Flexible Port Concentrator (FPC) instances. The bandwidth policers program the policer token bucket with weighted bandwidth or burst (depending on the number of child legs per Packet Forwarding Engine).

    The percentage policer feature allows you to configure the bandwidth policer relative to the IFD speed where you configure the Class of Service (CoS) shaping rate. After the configuration, the egress policer can then use this base CoS shaping rate instead of the IFD speed.

    [See Configuring the Filter Profile.]

  • Multiple database profile support (ACX7100-32C and ACX7100-48L)—The ACX7000 series is based on a Broadcom DNX family ASIC, which internally stores forwarding information in a number of databases and tables (LPM, LEM, and EEDB (ARP)) that share the same memory space, each with a predefined fixed size. Starting with Junos OS Evolved Release 21.3R1, this feature enables you to allocate different sizes for the databases in the ASIC. Use the new hw-db-profile statement at the [edit system packet-forwarding-options] hierarchy level to configure the available profiles to allocate sizes for the databases.

    [See hw-db-profile.]

  • Support for packet rate policers (PTX10003)—Starting in Junos OS Evolved Release 21.3R1, you can use a count of packets as the threshold for traffic policers. These per-packet policers can better mitigate low-and-slow types of denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks. You can apply per-packet policers in the ingress or egress interface direction and for the following families: inet, inet6, mpls, and ethernet-switching. Per-packet policers support both two-color and three-color policies.

    [See Packets-Per-Second (pps)-Based Policer Overview and pps-limit (Policer).]
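
The following is an added illustration, not Juniper code or configuration: a generic two-color token bucket that shows why a packet-count threshold catches a stream of small packets that a bandwidth threshold lets through. The limits, burst sizes, and traffic are constructed values, and the model does not represent the PTX10003 hardware implementation.

```python
US = 1_000_000  # microseconds per second; also the fixed-point scale for tokens


class TokenBucket:
    """Single-rate, two-color policer. rate is units/second, burst is units."""

    def __init__(self, rate, burst):
        self.rate = rate
        self.cap = burst * US
        self.tokens = self.cap  # bucket starts full
        self.last_us = 0

    def conforms(self, now_us, cost):
        # Refill for the elapsed time, capped at the burst size (integer math).
        self.tokens = min(self.cap, self.tokens + (now_us - self.last_us) * self.rate)
        self.last_us = now_us
        if self.tokens >= cost * US:
            self.tokens -= cost * US
            return True
        return False  # out of profile; a discard action would drop it


def police(packets, bucket, in_bytes):
    """Count packets that conform. Cost is the packet size in bytes, or 1 per packet."""
    return sum(bucket.conforms(ts, size if in_bytes else 1) for ts, size in packets)


def small_packet_stream(pps, seconds, size=64):
    """Constructed traffic: evenly spaced small packets as (timestamp_us, bytes)."""
    return [(i * US // pps, size) for i in range(pps * seconds)]


def compare():
    # 5000 pps of 64-byte packets is only 2.56 Mbps of bandwidth.
    stream = small_packet_stream(pps=5000, seconds=2)
    # Constructed limits, not values from the release notes.
    by_bandwidth = TokenBucket(rate=10_000_000 // 8, burst=15_000)  # 10 Mbps, 15 KB burst
    by_packets = TokenBucket(rate=1000, burst=100)  # 1000 pps, 100-packet burst
    return (len(stream),
            police(stream, by_bandwidth, in_bytes=True),
            police(stream, by_packets, in_bytes=False))


if __name__ == "__main__":
    total, bw_passed, pps_passed = compare()
    print(f"offered={total} passed by bandwidth policer={bw_passed} "
          f"passed by pps policer={pps_passed}")
```

The bandwidth policer passes every packet because the stream never approaches 10 Mbps, while the packet-rate policer passes the initial burst and then holds the stream to its configured packet rate.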