Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Platform and Infrastructure

  • Next Gen Services (MX240, MX480, and MX960 with MX-SPC3)— Starting in Junos OS Release 21.1R1, we support IPsec (a Next Gen Services component) on the listed MX Series routers with the MX-SPC3 services card installed. To configure IPsec on MX Series routers with MX-SPC3, use the CLI configuration statements at the [edit security] hierarchy level. On MX Series routers with MS-MPC/MS-MIC line cards, you configure the feature at the [edit services] hierarchy level.

    Note:

    MX240, MX480, and MX960 routers with MS-MPC/MS-MIC and MX-SPC3 support Next Gen Services. We introduced this support in Junos OS Release 19.3R2.

    Table 1: Next Gen Services Supported on MX-SPC3
    Feature Description
    MX-SPC3 IPsec VPN Feature License You require a valid license to use the IPsec VPN feature on your MX Series devices with the MX-SPC3 services card.

    This is a binary license. The show system license command output displays the license count as 0 when no license is installed and 1 when a valid license is installed.

    You won't be able to establish IPsec VPN tunnels if you don't have a valid license to use the feature. However, tunnels that are currently active will continue to stay up if your license expires. You cannot reestablish IPsec VPN tunnels that go down after the expiry of the license until you install a valid license.

    See Managing Licenses.

    IPsec VPN

    The MX-SPC3 services card provides consistent IPsec VPN capability across security and routing platforms.

    You configure IPsec for the MX-SPC3 at the [edit security] hierarchy level.

    See Next Gen Services Overview

    AutoVPN preshared key (PSK) on MX-SPC3

    To allow different IKE preshared keys used by the VPN gateway to authenticate the remote peer, use our new CLI statements seeded-pre-shared-key ascii-text or seeded-pre-shared-key hexadecimal at the [edit security ike gateway gateway_name] hierarchy level. To allow the same IKE preshared key used by the VPN gateway to authenticate the remote peer, use the existing CLI command pre-shared-key ascii-text or pre-shared-key hexadecimal.

    During authentication of the remote peer, use the general-ikeid statement at the [edit security ike gateway gateway_name dynamic] hierarchy level to bypass the IKE-ID validation.

    See AutoVPN on Hub-and-Spoke Devices.

    Add new members to existing aggregated multiservice (AMS) bundle for IPsec service

    To add new members to an AMS bundle (for IPsec services) without impacting the traffic on the existing AMS bundle, configure the no-bundle-flap statement under the [edit interfaces interface-name load-balancing-options] hierarchy in non-HA mode. During the configuration change, the existing members in the AMS bundle don’t flap.

    See Understanding Aggregated Multiservices Interfaces for Next Gen Services.

    PowerMode IPsec

    The MX-SPC3 card supports PowerMode IPsec (PMI) with vector packet processing (VPP) and Intel Advanced Encryption Standard New Instructions (AES-NI), leading to IPsec performance improvements. You can enable PMI processing by using the set security flow power-mode-ipsec command. To disable PMI processing, use the delete security flow power-mode-ipsec command.

    MX-SPC3 also supports the fat tunnel feature that improves the performance of a single tunnel. If one of the tunnels is loaded with traffic and other tunnels have less traffic, the resources are shared within the fat group. This results in an even CPU utilization of the resources. To enable this feature, configure the fat-core statement at the [edit security distribution-profile] hierarchy level. You must configure the PMI feature first to enable the fat tunnel feature.

    See Improving IPsec Performance with PowerMode IPsec, Understanding Symmetric Fat IPsec Tunnel, and power-mode-ipsec.

    Support for mobility in CGNAT–XLAT464 We’ve upgraded the current dual-translation (464XLAT) feature by introducing clat-ipv6-prefix-length at the source NAT rule hierarchy level. You can use a single NAT rule with this configuration parameter in place of multiple source NAT rules with different source-address and customer-side translator (CLAT)-prefix values. This simplifies the configuration method for certain use case scenarios.
    Support for time zones in carrier-grade NAT Support for syslog timestamp (local system time stamp) using the utc-timestamp statement at the [edit interfaces interface-name services-options] hierarchy level.
    Network Address Translation - Port Translation (NAT-PT) We support NAT-PT with the DNS ALG service on the MX-SPC3 services card.

    See Configuring the DNS ALG.

    MPC10E interoperability

    The MPC10E (MPC10E-15C-MRATE and MPC10E-10C-MRATE) line card interoperates with the MX-SPC3 services card to support the NAT and stateful firewall Layer 3 services.

    See Protocols and Applications Supported by MX-SPC3 Services Card

    [See Next Gen Services Overview.]

  • Authentication, authorization, and accounting—Starting in cRPD Release 21.1R1, you can configure local and remote authorizations on RADIUS and TACPLUS servers at the [edit system services ssh] hierarchy level. We support the following features:

    • Local authentication and local authorization

    • TACACS+ authentication, authorization and accounting

    • User template support

    • Support for operational commands and regular expressions

    • Local authentication and remote authorization

    [See password-options, tacplus, and radius (System).]

  • SRv6 network programming in IS-IS—Starting in cRPD Release 21.1R1, you can configure to enable basic segment routing functionalities in a core IPv6 network for both route reflector role and host routing roles.

    You can enable SRv6 network programming in an IPv6 network at the [edit source-packet-routing] hierarchy level.

    Note:

    The support for flavor (specifies end sid behavior) and flexible algorithm options is not available for configuring end sids.

    [See source-packet-routing].

  • Increase ECMP next-hop limit—Starting in cRPD Release 21.1R1, you can specify the multipath next-hop limit at the [edit routing-options maximum-ecmp] hierarchy level. This helps to load-balance the traffic over multiple paths. The default ECMP next-hop limit is 16.

    [See routing-options-max-ecmp and Hash Field Selection for ECMP Load Balancing on Linux].

  • EVPN Type 5 with VXLAN —Starting in cRPD Release 21.1R1, we support EVPN Type 5 Route over VXLAN for both IPv4 and IPv6 prefix advertisements.

    [See EVPN Type-5 Route with VXLAN encapsulation for EVPN-VXLAN].

  • Support for multiple KRT channels in SONiC—cRPD in SONiC supports multiple Kernel Routing Table (KRT) channels to download route table information to forwarding table (FIB). The KRT channels supported are NetLink-based native Linux kernel FIB and FpmSyncd-based SONiC FIB.

    [See cRPD Multi-channel KRT Support in SONiC].

  • Transfer files from USB (NFX150, NFX250 NextGen, and NFX350 devices)—Starting in Junos OS Release 21.1R1, you can transfer files from USB to NFX devices by enabling the USB pass-through feature. To enable this feature, use the set system services usb-pass-through command. Built-in LTE functionality does not work after you enable the USB pass-through feature.

    [See Supporting File Transfer from USB on NFX150 Devices, Supporting File Transfer from USB on NFX250 NextGen Devices, and Supporting File Transfer from USB on NFX350 Devices.]

  • Virtual port peering (NFX250 NextGen and NFX350 devices)—Starting in Junos OS Release 21.1R1, you can configure the virtual port peering (VPP) feature to map a physical port and an interface to a virtualized network function (VNF), so that if the physical interface becomes inactive, the corresponding virtual interface also becomes inactive and the status of the physical interface is communicated to the virtual interface.

    The VPP feature is supported only on the Network Functions Virtualization (NFV) backplane.

    [See Configuring VNFs on NFX350 Devices and Configuring VNFs on NFX250 NextGen Devices.]