Routing Policy and Firewall Filters

  • Support for secure vector routing (NFX Series, SRX300, SRX320, SRX340, SRX345, SRX380, SRX1500, SRX4100, SRX4200, SRX4600, and vSRX 3.0)

    Starting in Junos OS Release 21.4R1, you can deploy SVR-based distributed routing and network services with SRX Series or NFX Series devices. The secure vector routing (SVR) services provide session-aware routing for IPv4 networks, while the SRX or NFX devices provide a secure SD-WAN gateway and reliable service delivery. With this release of Junos, these devices can interoperate directly with SVR.

    For targeted sessions, the SRX Series or NFX Series device can be the first hop from the client or the last hop to the server. Vector routing packets that enter the device are tagged with source-tenant and destination-service and select the SVR path, while non-vector-routing packets (non-targeted flows such as tunnels) are passed through.

    To support vector routing, we've introduced new CLI commands at the [edit services vector-routing] hierarchy level.

    Identify the routers you will use with SVR:

    You can then define the source and destination sessions:

    [See vector-routing.]
  • Support for IPv4 and IPv6 firewall filters on Layer 3 gateways in EVPN-VXLAN fabrics (QFX5210)—Starting in Junos OS Release 21.4R1, QFX5210 switches acting as Layer 3 gateways in EVPN-VXLAN fabrics support IPv4 and IPv6 firewall filters in the ingress direction of the IRB interface. We recommend that you do not apply filters on the RIOT loopback interface. The switch supports the following match conditions:

    • source-address
    • destination-address
    • source-port
    • destination-port
    • ttl
    • ip-protocol
    • hop-limit

    The supported actions are:

    • accept
    • discard
    • log
    • syslog
    • policer

    The QFX5210 does not support filter-based forwarding (FBF).

    [See Firewall Filter Match Conditions and Actions (QFX5100, QFX5110, QFX5120, QFX5200, QFX5210, QFX5700, EX4600, EX4650).]

  • Support for source-port and destination-port range optimize conditions to reduce the TCAM space—Starting in Junos OS Release 21.4R1, we support the source-port-range-optimize and the destination-port-range-optimize conditions at the [edit firewall family ethernet-switching filter <filter-name> term <term-name> from] hierarchy level. This configuration considerably reduces the ternary content addressable memory (TCAM) space usage. QFX5100 switches support up to 24 non-contiguous matching conditions for the source-port-range-optimize and destination-port-range-optimize options.

    [See Firewall Filter Match Conditions and Actions (QFX5100, QFX5110, QFX5120, QFX5200, QFX5210, QFX5700, EX4600, EX4650).]
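
The following is an added illustration, not Juniper code and not a description of how the QFX5100 hardware implements the optimize conditions. It shows the general reason port ranges are costly in TCAM: a ternary entry matches only a value under a mask, so a range has to be split into aligned power-of-two blocks, and a term with both a source and a destination range needs the cross product. Function names and sample ranges are constructed for this example.

```python
"""Added example: cost of a port range in ternary (value/mask) entries."""

WIDTH = 16  # TCP/UDP port field width in bits
FULL = (1 << WIDTH) - 1


def range_to_ternary(lo, hi):
    """Split [lo, hi] into the fewest aligned power-of-two blocks.

    Each block is one (value, mask) entry: a port p matches the entry
    when (p & mask) == value.
    """
    if not 0 <= lo <= hi <= FULL:
        raise ValueError(f"invalid port range {lo}-{hi}")
    entries = []
    while lo <= hi:
        # Largest block that is aligned at lo ...
        size = (lo & -lo) if lo else (1 << WIDTH)
        # ... and does not run past hi.
        while size > hi - lo + 1:
            size >>= 1
        entries.append((lo, FULL & ~(size - 1)))
        lo += size
    return entries


def matches(port, entries):
    """True if any (value, mask) entry matches the port."""
    return any((port & mask) == value for value, mask in entries)


def term_cost(src_range, dst_range):
    """Entries for one term matching both ranges: the cross product."""
    return len(range_to_ternary(*src_range)) * len(range_to_ternary(*dst_range))


if __name__ == "__main__":
    # Constructed sample ranges, not taken from the release notes.
    for lo, hi in [(443, 443), (1024, 65535), (1000, 2000), (1, 65534)]:
        print(f"{lo}-{hi}: {len(range_to_ternary(lo, hi))} entries")
    print("src 1024-65535 x dst 1024-65535:",
          term_cost((1024, 65535), (1024, 65535)), "entries")
```

When sizing filters, this kind of estimate helps explain why a term with wide, unaligned source and destination ranges can consume far more TCAM than its single line of configuration suggests.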