
Routing Protocols

  • Support for OSPFv2 HMAC SHA-2 keychain authentication and weighted ECMP (EX2300, EX2300-MP, EX2300-C, EX2300-VC, EX3400, EX3400-VC, EX4100-48MP, EX4100-H-12P, EX4100-H-12P-DC, EX4100-H-24P, EX4100-H-24P-DC, EX4100-H-24F, EX4100-H-24F-DC, EX4100-24MP, EX4100-48P, EX4100-48T, EX4100-24P, EX4100-24T, EX4100-F-48P, EX4100-F-24P, EX4100-F-48T, EX4100-F-24T, EX4100-F-12P, EX4100-F-12T, EX4300-MP, EX4300VC, EX4400-24MP, EX4400-24P, EX4400-24T, EX4400-24X, EX4400-48F, EX4400-48MP, EX4400-48P, EX4400-48T, EX4600-VC, EX4650, EX4650-48Y-VC, EX9204, EX9208, EX9214, MX204, MX240, MX304, MX150, MX480, MX960, MX10003, MX10004, MX10008, MX10016, MX2008, MX2010, MX2020, and VMX)—Starting in Junos OS Release 24.2R1, you can enable the OSPFv2 keychain module with HMAC-SHA2 authentication to authenticate packets reaching or originating from an OSPF interface. The HMAC-SHA2 algorithms include HMAC-SHA2-256, HMAC-SHA2-384, and HMAC-SHA2-512 as defined in RFC 5709, OSPFv2 HMAC-SHA Cryptographic Authentication. We also support the HMAC-SHA2-224 algorithm. This feature ensures a smooth transition from one key to another for OSPFv2 with enhanced security. We also support HMAC-SHA1 and HMAC-SHA2 authentication for virtual and sham links.

    You can enable weighted ECMP for directly connected routers. In earlier releases, the Junos OS ECMP algorithm does not take the underlying bandwidth into consideration. The algorithm assumes that the links are of equal capacity and the traffic is distributed equally based on this assumption.

    To enable OSPFv2 HMAC-SHA2 authentication, configure the keychain keychain-name configuration statement at the [edit protocols ospf area area-id interface interface-name authentication] hierarchy level and the algorithm (hmac-sha2-224 | hmac-sha2-256 | hmac-sha2-384 | hmac-sha2-512) option at the [edit security authentication-key-chains key-chain key-chain-name] hierarchy level.

    To enable keychain authentication support for OSPFv2 virtual links, configure the keychain keychain-name configuration statement at the [edit protocols ospf area area-id virtual-link neighbor-id router-id transit-area area-id authentication] hierarchy level.

    To enable keychain authentication support for OSPFv2 sham links, configure the keychain keychain-name configuration statement at the [edit protocols ospf area area-id virtual-link neighbor-id router-id transit-area area-id authentication] hierarchy level.

    To enable weighted ECMP traffic distribution on directly connected OSPFv2 neighbors, configure the weighted one-hop statement at the [edit protocols ospf spf-options multipath] hierarchy level.

    [See Understanding OSPFv2 Authentication and Understanding Weighted ECMP Traffic Distribution on One-Hop OSPF Neighbors.]

  • BGP link bandwidth community (cRPD, EX4100-48MP, EX4300-MP, EX4400-48MP, EX4650, EX9204, EX9208, MX240, MX480, MX960, MX10003, MX10004, MX10008, MX10016, MX2008, MX2010, MX2020, cSRX, QFX5110, QFX5120-32C, QFX5120-48T, QFX5120-48Y, QFX5120-48YM, QFX5200, and QFX5210)—Starting in Junos OS Release 24.2R1, BGP can communicate link speeds to remote peers, enabling better optimization of traffic distribution for load balancing. A BGP group can send the link-bandwidth non-transitive extended community over an EBGP session for originated or received and readvertised link-bandwidth extended communities.

    To configure the non-transitive link bandwidth extended community, include the bandwidth-non-transitive:value in the export policy at the [edit policy-options community name members community-ids] hierarchy level.

    To enable the device to automatically detect and attach the link-bandwidth community on a route at import, include the auto-sense statement at the [edit protocols bgp group link-bandwidth] hierarchy level. This feature facilitates the integration of devices with different transmission speeds within the network, enabling efficient traffic distribution based on link speed.

    [See and group (Protocols BGP).]

  • HMAC authentication with hash functions for IS-IS (EX2300, EX2300-MP, EX2300-C, EX2300-VC, EX3400, EX3400-VC, EX4100-48MP, EX4100-H-12P, EX4100-H-12P-DC, EX4100-H-24P, EX4100-H-24P-DC, EX4100-H-24F, EX4100-H-24F-DC, EX4100-24MP, EX4100-48P, EX4100-48T, EX4100-24P, EX4100-24T, EX4100-F-48P, EX4100-F-24P, EX4100-F-48T, EX4100-F-24T, EX4100-F-12P, EX4100-F-12T, EX4300-MP, EX4300VC, EX4400-24MP, EX4400-24P, EX4400-24T, EX4400-24X, EX4400-48F, EX4400-48MP, EX4400-48P, EX4400-48T, EX4600-VC, EX4650, EX4650-48Y-VC, EX9204, EX9208, EX9214, MX204, MX240, MX304, MX150, MX480, MX960, MX10003, MX10004, MX10008, MX10016, MX2008, MX2010, and MX2020)—Starting in Junos OS Release 24.2R1, we extend support to the IS-IS keychain with the following hash functions:

    • HMAC-SHA2-224

    • HMAC-SHA2-256

    • HMAC-SHA2-384

    • HMAC-SHA2-512

    Currently, IS-IS supports inline authentication using simple password, keyed MD5 and HMAC-SHA1 algorithms with common keychain. Note that it’s important to have the system time synchronized on all nodes when a keychain is active on an IS-IS session.

    [See Understanding Hitless Authentication Key Rollover for IS-IS.]
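
The OSPFv2 keychain and weighted ECMP statements from the first item above, put together as set commands. This is an added example, not taken from the release notes: the keychain name OSPF-KC, key IDs, secrets, dates, area and interface are placeholders, and placing algorithm, secret and start-time under each key follows the usual Junos keychain layout, which is assumed here.

```junos
# Constructed example: OSPF-KC, key IDs, secrets, dates and ge-0/0/0.0 are placeholders.
# Key 1 is in use first; key 2 becomes the active key at its start-time,
# so the neighbors move to the new key without dropping the adjacency.
set security authentication-key-chains key-chain OSPF-KC key 1 secret "<shared-secret-1>"
set security authentication-key-chains key-chain OSPF-KC key 1 start-time "2024-07-01.00:00:00 +0000"
set security authentication-key-chains key-chain OSPF-KC key 1 algorithm hmac-sha2-256
set security authentication-key-chains key-chain OSPF-KC key 2 secret "<shared-secret-2>"
set security authentication-key-chains key-chain OSPF-KC key 2 start-time "2025-01-01.00:00:00 +0000"
set security authentication-key-chains key-chain OSPF-KC key 2 algorithm hmac-sha2-512

# Attach the keychain to an OSPFv2 interface (hierarchy as given in the text).
set protocols ospf area 0.0.0.0 interface ge-0/0/0.0 authentication keychain OSPF-KC

# Weighted ECMP toward directly connected OSPFv2 neighbors.
set protocols ospf spf-options multipath weighted one-hop
```

Every router on the segment needs the same key IDs, secrets, algorithms and start times, and because key selection is driven by start-time, the clocks on those routers need to agree.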