EVPN

  • VXLAN Group-Based Policy (EX9204, EX9208, and EX9214 switches with the EX9200-15C line card)—Starting in Junos OS Release 23.2R1, you can secure data and assets through microsegmentation. You use the existing Layer 3 (L3) VXLAN network identifiers (VNIs) and the firewall filter policies to provide microsegmentation at the device or tag level, independent of the underlying network topology. You can use VXLAN group-based policy (VXLAN-GBP), for example, to secure IoT-generated network traffic. IoT devices typically access only specific applications on the network. GBP keeps this IoT-driven traffic isolated by automatically applying security policies without the need for Layer 2 (L2) or L3 lookups, or access control lists (ACLs).

    [See Example: Micro and Macro Segmentation using Group Based Policy in a VXLAN.]

  • New VXLAN-GBP profiles and additional L4 matches for GBP policy filters (EX4100, EX4400, and EX4650 switches)—Starting in Junos OS Release 23.2R1, we've added these enhancements to the group-based policy (GBP) microsegmentation feature:

    • The EX4400 and EX4650 switches support new VXLAN-GBP profiles:

      • vxlan-gbp-l2-profile

        This profile increases the capacity for MAC addresses.

      • vxlan-gbp-l3-profile

        This profile increases the capacity for IP addresses.

    • The EX4400, EX4100, and EX4650 switches support additional Layer 4 matches for a GBP policy filter for IPv4 or IPv6. You can use protocol, source ports, destination ports, TCP flags, and other matches for MAC and IP-based GBP tagged packets.

    • You can use the set forwarding-options evpn-vxlan gbp tag-only-policy command to allow only GBP source and destination tags as matches in the GBP policy on the EX4650 series.

    [See Example: Micro and Macro Segmentation using Group Based Policy in a VXLAN.]

  • Support for detecting local and global loops in EVPN fabrics (EX4400)—Starting in Junos OS Release 23.2R1, we've enhanced the duplicate MAC address detection feature to take a configured action when a duplicate MAC address is detected. Loops can occur when provider edge (PE) devices continuously forward frames back and forth to one another in the same broadcast domain.

    To detect and resolve these loops, use the following statements at the [edit routing-instances name protocols evpn duplicate-mac-detection] hierarchy level on your peer devices:

    • action <block | shutdown>

      The block option blocks any packet that has the source MAC address or destination MAC address of the duplicate MAC address. The shutdown option shuts down the duplicate MAC address's local interface.

    • include-local-moves

      This statement tracks duplicate MAC address movements that occur on local interfaces.

    To manually clear the duplicate MAC addresses, issue the clear evpn duplicate-mac-suppression <instance name | l2-domain-id | mac-address> command.

    To manually recover the interface that was shut down, issue the clear ethernet-switching recovery-timeout command.

    [See Configuring Loop Detection for Duplicate MAC Addresses.]

  • Symmetric Type 2 EVPN-VXLAN to EVPN-VXLAN DCI stitching (EX4650 and QFX10002)—Starting in Junos OS Release 23.2R1, we support Ethernet VPN–Virtual Extensible LAN (EVPN-VXLAN) to EVPN-VXLAN symmetric Type 2 route stitching between data center networks using Data Center Interconnect (DCI). Your network can more efficiently interoperate with data center networks that include devices from other vendors who support symmetric Type 2 route stitching. Symmetric Type 2 route stitching means that the VXLAN tunnel endpoint (VTEP) interfaces perform routing and bridging on both the ingress and egress sides of the VXLAN tunnel.

    [See Symmetric Integrated Routing and Bridging with EVPN Type 2 Routes in EVPN-VXLAN Fabrics.]

  • GBP tag propagation with EVPN-VXLAN to EVPN-VXLAN stitching (EX4650 and QFX10002)—Starting in Junos OS Release 23.2R1, we support group-based policy (GBP) tag propagation for EVPN Type 2 and Type 5 routes in a stitched EVPN-VXLAN data center environment. GBP uses existing Layer 3 VXLAN network identifiers (VNIs) in conjunction with firewall filter policies to provide microsegmentation at the device or tag level, independent of the underlying network topology.

    [See Example: Micro and Macro Segmentation using Group Based Policy in a VXLAN.]

  • Hard interface shutdown when a device detects EVPN core isolation conditions (EX4100-24MP, EX4400-24MP, MX304, MX10003)—Starting in Junos OS Release 23.2R1, you can configure a device to bring associated interfaces down (hard shutdown) when the device detects an EVPN core isolation event. In the CLI:

    1. Define a service tracking profile for detecting core isolation conditions.

    2. Set the link-down service tracking action in the profile.

    3. Assign the profile to the interfaces you want the device to bring down after it detects a core isolation condition.

    We support core isolation service tracking on:

    • Links to single-homed customer edge (CE) devices.

    • Ethernet segment identifier (ESI) LAG member interfaces to multihomed CE devices.

    [See Layer 2 Interface Status Tracking and Shutdown Actions for EVPN Core Isolation Conditions, network-isolation and network-isolation-profile.]

  • EZ-LAG simplified configuration for ESI LAGs with EVPN dual-homing (EX4100-48MP, EX4100-24MP, EX4100-48P, EX4100-48T, EX4100-24P, EX4100-24T, EX4100-F-48P, EX4100-F-24P, EX4100-F-48T, EX4100-F-24T, EX4100-F-12P, EX4100-F-12T, EX4300-MP, EX4400-24MP, EX4400-24P, EX4400-24T, EX4400-24X, EX4400-48F, EX4400-48MP, EX4400-48P, EX4400-48T, EX4650, QFX5120-32C, QFX5120-48T, QFX5120-48Y, and QFX5120-48YM)—Starting in Junos OS Release 23.2R1, we support a new CLI statement hierarchy level, [edit services evpn]. Using statements at this hierarchy level, you can specify the device attributes and other parameters to configure an Ethernet segment in an EVPN fabric. This new configuration feature, which we call EZ-LAG, simplifies setting up EVPN fabrics with Ethernet segment identifier (ESI) link aggregation groups (LAGs) for dual-homing peer provider edge (PE) devices.

    When you commit a configuration at this hierarchy level, the device automatically invokes a commit script that generates the corresponding full configuration on the device. Some elements are mandatory; others are optional. For any optional element that you don't specify, the commit script derives a value or applies a default parameter.

    The resulting configuration includes the applicable configuration stanzas corresponding to the different elements you specify at the [edit services evpn] hierarchy level.

    The new hierarchy includes options to override some default parameters, and you can override the commit script settings by manually configuring the related statements.

    [See Easy EVPN LAG (EZ-LAG) Configuration and the evpn statement and options at the [edit services] hierarchy level.]
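As an added example (not taken from these release notes), the loop detection statements described in the duplicate MAC address detection item above, assembled into one routing-instance configuration for an EX4400 peer. The instance name evpn-vs1 and the detection-threshold, detection-window, and auto-recovery-time values are assumptions for illustration; only action and include-local-moves are the statements introduced in this release.

```junos
/* Assumed instance name; use the EVPN routing instance that carries the affected broadcast domain */
routing-instances {
    evpn-vs1 {
        protocols {
            evpn {
                duplicate-mac-detection {
                    /* Number of MAC moves inside the window that declares a duplicate (assumed value) */
                    detection-threshold 5;
                    /* Length of the move-counting window, in seconds (assumed value) */
                    detection-window 180;
                    /* Minutes before a suppressed MAC address is released automatically (assumed value) */
                    auto-recovery-time 5;
                    /* New in 23.2R1: shut down the local interface on which the duplicate MAC was learned.
                       Use "action block" instead to drop frames whose source or destination MAC is the
                       duplicate while leaving the interface up. */
                    action shutdown;
                    /* New in 23.2R1: also count moves between local interfaces, which is what a local loop
                       between two access ports on the same PE produces. */
                    include-local-moves;
                }
            }
        }
    }
}
```

After the device acts on a detected loop, the clear evpn duplicate-mac-suppression and clear ethernet-switching recovery-timeout commands named in the notes release the suppressed MAC address and the shut-down interface respectively, so fix the cabling or downstream loop first or the same MAC will trigger detection again.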