Key Features in Junos OS Release 21.4

Start here to learn about the key features in Junos OS Release 21.4. For more information about a feature, click the link in the feature description.

  • DHCP relay in an EVPN-VXLAN fabric with IPv6 underlay (QFX5120-32C, QFX5120-48T, QFX5120-48Y, QFX10002, QFX10008, and QFX10016)—Starting in Junos OS Release 21.4R1, EVPN-VXLAN fabrics with an IPv6 underlay support DHCP relay. You can configure the DHCP relay agent in centrally routed and edge-routed bridging overlays. Support for DHCP relay includes support for DHCPv4 and DHCPv6. This feature was introduced in Junos OS Release 21.2R2.

    [See DHCP Relay Agent over EVPN-VXLAN.]

  • Enhancements to source NAT pool IP address range and NAT pool name character length (SRX Series and MX-SPC3)—Starting in Junos OS Release 21.4R1, we’ve increased the source NAT pool IP address range from 8 IP addresses to 64 IP addresses.

    We've also increased the configurable length of the source NAT pool name, destination NAT pool name, source NAT rule name, destination NAT rule name, static NAT rule name, and rule set name from 31 characters to 63 characters.

    [See show security nat source rule, show security nat destination rule, and show security nat static rule.]

  • EVPN-VXLAN support (QFX5120-48YM):

    • EVPN-VXLAN with MAC-VRF routing instances

    • Filter-based forwarding in EVPN-VXLAN

    • IPv6 data traffic support through an EVPN-VXLAN overlay network

    • IPv6 support for firewall filtering and policing on EVPN-VXLAN traffic

    • Port mirroring and analyzers on EVPN-VXLAN

    • Storm control on EVPN-VXLAN

    [See EVPN User Guide.]

  • EVPN-VXLAN fabric with an IPv6 underlay (QFX5120-32C, QFX5120-48T, QFX5120-48Y, QFX5120-48YM, QFX10002, QFX10008, and QFX10016)—Starting in Junos OS Release 21.4R1, you can configure an EVPN-VXLAN fabric with an IPv6 underlay. You can use this feature only with MAC-VRF routing instances (all service types). You must configure either an IPv4 or an IPv6 underlay across the EVPN instances in the fabric; you can’t mix IPv4 and IPv6 underlays in the same fabric.

    To enable this feature, configure the underlay VXLAN tunnel endpoint (VTEP) source interface in the MAC-VRF instance as an IPv6 address. However, you must use the IPv4 loopback address as the router ID for BGP handshaking to work.

    This feature was introduced in Junos OS Release 21.2R2.

    [See EVPN-VXLAN with an IPv6 Underlay and Understanding EVPN with VXLAN Data Plane Encapsulation.]

  • Hybrid mode (Synchronous Ethernet and Precision Time Protocol) over LAG supports PTP over IPv4 and PTP over Ethernet (MX204 and MX10003)

    [See PTP Overview and Hybrid Mode Overview.]

  • Inband Flow Analyzer (IFA) 2.0 (QFX5120-48Y and QFX5120-32C)—In Junos OS Release 21.4R1, we've introduced support for IFA 2.0 on QFX Series switches. IFA 2.0 monitors and analyzes packets entering and exiting the network. You can use IFA 2.0 to monitor the network for faults and performance issues. IFA 2.0 supports both Layer 3 and VXLAN flows.

    With IFA 2.0, you can collect various flow-specific information from the data plane, without the involvement of the control plane or the host CPU. IFA collects data on a per-hop basis across the network. You can export this data to external collectors to perform localized or end-to-end analytics.

    IFA 2.0 contains three different processing nodes:

    • IFA initiator node
    • IFA transit node
    • IFA terminating node

    [See Inband Flow Analyzer (IFA) 2.0 Probe for Real-Time Performance Monitoring, inband-flow-telemetry, show services inband-flow-telemetry, and clear inband-flow-telemetry stats.]

  • Increase in AC redundancy mode to 2+2 for high-capacity high-line PEMs (SRX5400)—Starting in Junos OS Release 21.4R1, the SRX5400 device supports 2+2 AC redundancy mode on high-capacity high-line power entry modules (PEMs). The support for 2+2 redundancy mode increases the PEM's capacity from 2050 W to 4100 W.

    [See SRX5400 Services Gateway AC Power Supply Specifications.]

  • Interconnecting EVPN-VXLAN data centers with EVPN-MPLS in a WAN using gateway nodes (MX Series, EX9200, EX9252, EX9253)—Starting in Junos OS Release 21.4R1, you can interconnect EVPN-VXLAN data centers with EVPN-MPLS in a WAN using gateway nodes, but without using logical tunnel interfaces. In Release 21.4R1, you can interconnect only those BDs/VLANs that are on the interconnected VLAN list. Note that the gateway nodes in one data center will have connectivity by means of virtual tunnel endpoints (VTEPs), whereas gateway nodes must be able to handle EVPN-VXLAN encapsulation on the data center side and EVPN-MPLS on the WAN (data center interconnect) side.

    EVPN interconnect CLI commands:

    [See Technology Overview of VXLAN-EVPN Integration for DCI and Connecting Logical Systems Using Logical Tunnel Interfaces.]

  • Support for firewall filters on EVPN-VXLAN with IPv6 underlay (QFX5120-32C, QFX5120-48T, QFX5120-48Y, and QFX5120-48YM)—Starting in Junos OS Release 21.4R1, QFX5120 switches support firewall filters for ingress and egress traffic on EVPN-VXLAN with an IPv6 underlay. This feature was introduced in Junos OS Release 21.2R2.

    [See Understanding EVPN with VXLAN Data Plane Encapsulation.]

  • Support for fat flow (SRX4100, SRX4200, SRX4600, SRX5400, SRX5600, SRX5800, and vSRX 3.0)—Starting in Junos OS Release 21.4R1, we support fat flow technology to improve firewall and NAT throughput by up to 10 times the current value.

    [See Understanding Symmetric Fat IPsec Tunnel.]

  • Support for FPC major alarm (SRX5400, SRX5600, and SRX5800 with SPC3)—In Junos OS Release 21.4R1, we’ve enhanced the following commands to show more details about the FPC major alarm:

    • show chassis error active
    • show chassis error active detail
    • show chassis error active fpc-slot slot-number
    • show chassis error active detail fpc-slot slot-number

    You can use these commands to identify and troubleshoot the hardware issues.

    [See show chassis errors active.]

  • Support for UPF N9 uplink classifier (MX240, MX480, MX960, MX10003, and MX204 Routers)—Starting in Junos OS Release 21.4R1, you can use the uplink classifier functionality supported by the control and user plane separation (CUPS)-enabled User Plane Function (UPF) to do the following selectively on the link connected to your devices:

    • Forward uplink traffic towards different protocol data unit (PDU) session anchors.
    • Merge downlink traffic from the different PDU session anchors.

    [See Junos Multi-Access User Plane Overview and CUPS Session Creation and Data Flow with Junos Multi-Access User Plane.]

  • High-capacity second-generation AC PSM for SRX5800—Starting in Junos OS Release 21.4R1, SRX5800 supports the new high-capacity second-generation AC power supply module (PSM). This single-feed or dual-feed PSM provides a maximum output power of 5100 W. In single-feed mode, the PSM provides power at a reduced capacity (2550 W). In dual-feed mode, the PSM provides power at full capacity (5100 W). The PSM supports 1+1 redundancy.

    High-voltage second-generation Universal PSM for SRX5800—Starting in Junos OS Release 21.4R1, the SRX5800 supports the new high-voltage second-generation universal power supply module (PSM). This single-feed PSM provides a maximum output power of 5100 W, and supports either AC or DC input. The PSM supports 1+1 redundancy.

    The increased power supply capacity enables SRX5800 devices to support service cards like SPC3. The show chassis power command displays PSM status, including state, input type, feed, capacity, output, and remaining power. The show chassis environment pem command displays the power entry module (PEM) status for state, temperature, AC/DC input, and AC/DC output for the SRX5800 device.

    [See show chassis power and show chassis environment.]

  • Support for GeoIP filtering, global allowlist, and global blocklist (MX240, MX480, and MX960)—Starting in Junos OS Release 21.4R1, you can configure the Security Intelligence process ipfd on the listed MX Series routers to fetch GeoIP feeds from Policy Enforcer. The GeoIP feeds help prevent devices from communicating with IP addresses belonging to specific countries.

    You can define:

    • A profile to dynamically fetch GeoIP feeds. Include the geo-ip rule match country country-name statement at the [edit services web-filter profile profile-name security-intelligence-policy] hierarchy level.
    • A template to dynamically fetch GeoIP feeds. Include the geo-ip rule match group group-name statement at the [edit services web-filter profile profile-name url-filter-template template-name security-intelligence-policy] hierarchy level.

    You can define a global allowlist by configuring the white-list (IP-address-list | file-name) statement at the [edit services web-filter profile profile-name security-intelligence-policy] hierarchy level. You can define a global blocklist by configuring the black-list (IP-address-list | file-name) statement at the [edit services web-filter profile profile-name security-intelligence-policy] hierarchy level. Here, IP-address-list refers to the name of the list specified at the [edit services web-filter] hierarchy level. The file-name option refers to the name of the file where the list of the IP addresses to be allowed or blocked is specified. The file must be in the /var/db/url-filterd directory and must have the same name as in the configuration.

    [See Integration of Juniper ATP Cloud and Web filtering on MX Routers.]

  • Support for Precision Time Protocol (PTP) over Ethernet in hybrid mode over link aggregation group (LAG) (MX10008 with JNP10K-LC2101 MPC line card)

    [See Precision Time Protocol Overview and Hybrid Mode Overview.]

  • Content filtering based on file content (SRX Series and vSRX 3.0)—Starting in Junos OS Release 21.4R1, content security (UTM) performs content filtering to determine the file type based on the file content and not on file extensions. The file content is first analyzed to accurately determine the file type.

    This feature replaces the legacy content filtering based on MIME type, content type, and protocol commands.

    You can define the content filtering rule-set and rules from the [edit security utm utm-policy <utm-policy-name> content-filtering] hierarchy and use these rules from the [edit security utm default-configuration content-filtering] hierarchy for controlling the traffic direction.

    The existing show security utm content-filtering statistics command is enhanced to display the content filtering system statistics and errors.

    [See Content Filtering, content-filtering (Security UTM Policy), utm, utm default-configuration, and show security utm content-filtering statistics.]