Routing Policy and Firewall Filters
- Improved DDoS protection protocol prioritization (MX104, MX204, MX240, MX304, MX480, MX960, MX2008, MX2010, MX2020, MX10003, MX10004, MX10008, and MX10016)—In releases before Junos OS Release 23.2R1, the type of line card in the device drives the distributed denial of service (DDoS) priority of incoming protocols. Starting in Junos OS Release 23.2R1, the device determines the DDoS priority of a protocol based on the DDoS parameters table. This enhancement enables the device to treat all packets of a particular protocol the same by default, regardless of the device's line card. You can modify the DDoS parameters table using the CLI. This feature improves consistency in the way devices in the network prioritize protocols to protect against DDoS attacks.
[See Control Plane Distributed Denial-of-Service (DDoS) Protection Overview and protocols (DDoS).]
- Improved DDoS protocol classification for ARP request and reply traffic (MX Series)—Starting in Junos OS Release 23.2R1, you can configure separate DDoS protocol packet-types, bcast and ucast, at the [edit system ddos-protection protocols arp] hierarchy level for ARP request and reply traffic. The separate DDoS policers provide improved packet rate limiting and priority handling for the ARP traffic. Prior to this release, the ARP request and reply traffic had a single DDoS protocol.
[See protocols (DDoS) and show ddos-protection protocols.]
- Support for loopback-firewallv6-optimization (QFX5210)-Starting in Junos 23.2R1, loopback-firewallv6-optimization can be used to increase IPv6 loopback filter scale when scale of IPv4 loopback filters are used in EVPN VXLAN deployments.
- Support for processing firewall filters at the PFE NPU level (SRX4600, SRX5400, SRX5600, and SRX5800)
Note: This feature is supported only when the enhanced-mode knob is configured under the filter.
[See enhanced-mode.]