Key Features in Junos OS Release 22.2
Start here to learn about the key features in Junos OS Release 22.2. For more information about a feature, click the link in the feature description.
-
Support for dynamic address groups (cSRX)—Starting in Junos OS Release 22.2R1, cSRX supports dynamic address groups (DAGs) or entries in a security policy.
In a Juniper Connected Security deployment, cSRX receives policy updates from external sources such as Policy Enforcer and SecIntel feeds. These external sources provide lists of IP addresses that satisfy either of these conditions:
- Have a specific purpose, such as a blocklist.
- Include a common attribute, such as a particular location or behavior that might pose a threat.
You use the external intelligence in the cloud to identify threat sources by their IP addresses. You can then group those addresses into a dynamic address entry or DAG.
Reference this dynamic address entry in a security policy to control the traffic to and from those addresses.
[See Dynamic Address Group Overview and Dynamic Address Groups in Security Policies.]
-
Automatically derived ESI configuration (MX Series, QFX5100, QFX5110, QFX5120-32C, QFX5120-48T, QFX5120-48Y, QFX10002, QFX10002-60C, QFX10008, and QFX10016)—In the current implementation, Junos OS derives the Ethernet segment identifier (ESI) from the system ID and the administrative key on the local multihomed provider edge (PE) device that is a part of the LACP link (actor). Starting in Junos OS Release 22.2R1, you can also configure the multihomed devices on an EVPN-VXLAN network to automatically generate the ESI from:
-
The system ID and administrative key on the remote customer edge (CE) device (partner).
-
The locally configured
macand local discriminator values.
To automatically derive the ESI using the system ID and administrative key on the remote CE device, include
type-1-lacpat the[edit interfaces aeX aggregated-ether-options lacp auto-derive]hierarchy level.To automatically derive the ESI using locally configured values, configure
macandlocal-discriminatorat the[edit interfaces aeX aggregated-ether-options lacp auto-derive type-3-system-mac]hierarchy level.[See Understanding Automatically Generated ESIs in EVPN Networks.]
-
-
Certificate-based authentication and encryption for MACsec (MX Series)—Starting in Junos OS Release 22.2R1, you can enable MACsec on links connecting switches or routers using certificate-based authentication and encryption. Connected devices can mutually authenticate using 802.1X over Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) and dynamically derive the connectivity association key (CAK) for encryption.
-
EVPN active/active redundancy, aliasing, and mass MAC withdrawal (MX Series and vMX)—Starting in Junos OS Release 22.2R1, the listed devices support EVPN active/active redundancy, aliasing, and mass MAC withdrawal, integrated with VXLAN in the data plane. These features provide resilient inter-data center connectivity to the established Data Center Interconnect (DCI) technologies. This new support builds an end-to-end DCI solution by integrating EVPN active/active multicast with DP VXLAN.
Use existing configuration statements to configure active/active redundancy at the ESI level on the loopback (lo0) interface. Include lo0 as the virtual tunnel endpoint (VTEP) interface in the routing instance.
-
NP-cache scale-up (SRX4600)—Starting in Junos OS Release 22.2R1, the NP-cache wing count is 20 million. With this increment, the number of Express Path sessions increase fourfold.
[See Sessions per Wing Statistics.]
-
Optimized intersubnet multicast (OISM) with MAC-VRF instances and IGMPv2 or IGMPv3 in an EVPN-VXLAN fabric (EX4650, QFX5110, QFX5120, QFX10002, QFX10008, and QFX10016)—Starting in Junos OS Release 22.2R1, you can configure OISM on leaf devices and border leaf devices in an EVPN-VXLAN ERB overlay fabric with:
-
MAC-VRF routing instances or the default switch instance with IGMPv2 or IGMPv3.
-
IGMP snooping and selective multicast Ethernet tag (SMET) forwarding optimizations with IGMPv2 or IGMPv3.
When you configure OISM, you must enable OISM and IGMP snooping on all the server leaf and border leaf devices in the EVPN-VXLAN fabric. With a MAC-VRF instance configuration, you configure the OISM supplemental bridge domain (SBD) and all revenue VLANs in the MAC-VRF instances on all leaf and border leaf devices in the fabric.
-
-
Support for guaranteed bit rate (GBR) on Junos Multi-Access User Plane (MX240, MX480, and MX960)—Starting in Junos OS Release 22.2R1, the Junos Multi-Access User Plane has added GBR support and supports 3GPP standards for both 4G and 5G networks. The following features are added:
- GBR support in the downlink direction and partial support in the uplink direction
- Bandwidth reservation for express and GBR traffic flows
- Mapping of transport level marking to forwarding classes
- Call admission control (CAC)
- Maximum bit rate (MBR) and GBR policers
-
Support for IPv6 tunnel (SRX Series and vSRX 3.0)— Starting in Junos OS Release 22.2R1, you can encapsulate IPv4 and IPv6 traffic over the IPv6 network.
The IPv6 tunnel helps IPv4 traffic traverse over the IPv6 network. You can use IPv6 tunneling in various features such as policy routing and preferential billing. For example, a set-top box that supports only IPv4 traffic can traverse the server over an IPv6 network.
[See show security flow session.]
-
Symmetric integrated routing and bridging (IRB) with EVPN Type 2 routes (EX4400, EX4650, EX9204, EX9208, EX9214, MX Series, vMX, QFX5110, QFX5120, QFX10002, QFX10002-60C, QFX10008, and QFX10016). We support this feature only with MAC-VRF EVPN routing instance configurations and MAC-VRF service types
vlan-basedandvlan-aware. [See Symmetric Integrated Routing and Bridging with EVPN Type 2 Routes in EVPN-VXLAN Fabrics and irb-symmetric-routing.]