junosv firefly feature support guide controlled release
DESCRIPTION
Feature Support Guide for Junos FireflyTRANSCRIPT
Junos® OS
Feature Support Reference for JunosV Firefly
Release
12.1X44-D20
Published: 2013-07-02
Copyright © 2013, Juniper Networks, Inc.
Juniper Networks, Inc.1194 North Mathilda AvenueSunnyvale, California 94089USA408-745-2000www.juniper.net
This product includes the Envoy SNMPEngine, developed by Epilogue Technology, an IntegratedSystemsCompany. Copyright© 1986-1997,Epilogue Technology Corporation. All rights reserved. This program and its documentation were developed at private expense, and no partof them is in the public domain.
This product includes memory allocation software developed by Mark Moraes, copyright © 1988, 1989, 1993, University of Toronto.
This product includes FreeBSD software developed by the University of California, Berkeley, and its contributors. All of the documentationand software included in the 4.4BSD and 4.4BSD-Lite Releases is copyrighted by the Regents of the University of California. Copyright ©1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994. The Regents of the University of California. All rights reserved.
GateD software copyright © 1995, the Regents of the University. All rights reserved. Gate Daemon was originated and developed throughrelease 3.0 by Cornell University and its collaborators. Gated is based on Kirton’s EGP, UC Berkeley’s routing daemon (routed), and DCN’sHELLO routing protocol. Development of Gated has been supported in part by the National Science Foundation. Portions of the GateDsoftware copyright © 1988, Regents of the University of California. All rights reserved. Portions of the GateD software copyright © 1991, D.L. S. Associates.
This product includes software developed by Maker Communications, Inc., copyright © 1996, 1997, Maker Communications, Inc.
Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the UnitedStates and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All othertrademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify,transfer, or otherwise revise this publication without notice.
Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that areowned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312,6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.
Junos OS Feature Support Reference for JunosV FireflyRelease 12.1X44-D20Copyright © 2013, Juniper Networks, Inc.All rights reserved.
The information in this document is current as of the date on the title page.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through theyear 2038. However, the NTP application is known to have some difficulty in the year 2036.
ENDUSER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networkssoftware. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted athttp://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions ofthat EULA.
Copyright © 2013, Juniper Networks, Inc.ii
Table of Contents
About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . v
JunosV Firefly Documentation and Release Notes . . . . . . . . . . . . . . . . . . . . . . v
Supported Routing Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . v
Document Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vi
Documentation Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii
Requesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viii
Self-Help Online Tools and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . viii
Opening a Case with JTAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viii
Part 1 Feature Support for JunosV Firefly
Chapter 1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Feature Support Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Chapter 2 Feature Support Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Address Books and Address Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Administrator Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Alarms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Application Layer Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Attack Detection and Prevention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Autoinstallation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Class of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Diagnostics Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
DNS Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Dynamic Host Configuration Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Ethernet Link Aggregation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Ethernet Link Fault Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
File Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Firewall Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Flow-Based and Packet-Based Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
IP Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
IP Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
IPv6 Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
IPv6 IP Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Log File Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
MPLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Multicast VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Network Address Translation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Network Operations and Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
iiiCopyright © 2013, Juniper Networks, Inc.
Network Time Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Packet Capture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Secure Web Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Security Policy Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Security Zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Session Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
SMTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Stateless Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
System Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Upgrading and Rebooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
User Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Chapter 3 Feature Support Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Part 2 Index
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Copyright © 2013, Juniper Networks, Inc.iv
Junos OS Feature Support Reference for JunosV Firefly
About This Guide
This preface provides the following guidelines for using the Junos OS Feature Support
Reference for JunosV Firefly:
• JunosV Firefly Documentation and Release Notes on page v
• Supported Routing Platforms on page v
• Document Conventions on page vi
• Documentation Feedback on page vii
• Requesting Technical Support on page viii
JunosV Firefly Documentation and Release Notes
If the information in the latest release notes differs from the information in the
documentation, follow the JunosV Firefly Release Notes.
To obtain the most current version of all Juniper Networks®technical documentation,
see the product documentation page on the Juniper Networks website at
http://www.juniper.net/techpubs/ .
JuniperNetworkssupportsa technicalbookprogramtopublishbooksby JuniperNetworks
engineers and subject matter experts with book publishers around the world. These
books go beyond the technical documentation to explore the nuances of network
architecture, deployment, and administration using the Junos operating system (Junos
OS) and Juniper Networks devices. In addition, the Juniper Networks Technical Library,
published in conjunction with O'Reilly Media, explores improving network security,
reliability, and availability using Junos OS configuration techniques. All the books are for
sale at technical bookstores and book outlets around the world. The current list can be
viewed at http://www.juniper.net/books .
Supported Routing Platforms
This manual describes features supported on JunosV Firefly running Junos OS.
vCopyright © 2013, Juniper Networks, Inc.
Document Conventions
Table 1 on page vi defines the notice icons used in this guide.
Table 1: Notice Icons
DescriptionMeaningIcon
Indicates important features or instructions.Informational note
Indicates a situation that might result in loss of data or hardware damage.Caution
Alerts you to the risk of personal injury or death.Warning
Alerts you to the risk of personal injury from a laser.Laser warning
Table 2 on page vi defines the text and syntax conventions used in this guide.
Table 2: Text and Syntax Conventions
ExamplesDescriptionConvention
To enter configuration mode, typetheconfigure command:
user@host> configure
Represents text that you type.Bold text like this
user@host> show chassis alarms
No alarms currently active
Represents output that appears on theterminal screen.
Fixed-width text like this
• A policy term is a named structurethat defines match conditions andactions.
• JunosOSSystemBasicsConfigurationGuide
• RFC 1997,BGPCommunities Attribute
• Introduces or emphasizes importantnew terms.
• Identifies book names.
• Identifies RFC and Internet draft titles.
Italic text like this
Configure themachine’s domain name:
[edit]root@# set system domain-namedomain-name
Represents variables (options for whichyou substitute a value) in commands orconfiguration statements.
Italic text like this
Copyright © 2013, Juniper Networks, Inc.vi
Junos OS Feature Support Reference for JunosV Firefly
Table 2: Text and Syntax Conventions (continued)
ExamplesDescriptionConvention
• To configure a stub area, include thestub statement at the[edit protocolsospf area area-id] hierarchy level.
• Theconsoleport is labeledCONSOLE.
Represents names of configurationstatements, commands, files, anddirectories; configurationhierarchy levels;or labels on routing platformcomponents.
Text like this
stub <default-metricmetric>;Enclose optional keywords or variables.< > (angle brackets)
broadcast | multicast
(string1 | string2 | string3)
Indicates a choice between themutuallyexclusive keywords or variables on eitherside of the symbol. The set of choices isoften enclosed in parentheses for clarity.
| (pipe symbol)
rsvp { # Required for dynamicMPLS onlyIndicates a comment specified on thesame lineas theconfiguration statementto which it applies.
# (pound sign)
community namemembers [community-ids ]
Enclose a variable for which you cansubstitute one or more values.
[ ] (square brackets)
[edit]routing-options {static {route default {nexthop address;retain;
}}
}
Identify a level in the configurationhierarchy.
Indention and braces ( { } )
Identifies a leaf statement at aconfiguration hierarchy level.
; (semicolon)
GUI Conventions
• In the Logical Interfaces box, selectAll Interfaces.
• To cancel the configuration, clickCancel.
Representsgraphicaluser interface(GUI)items you click or select.
Bold text like this
In the configuration editor hierarchy,select Protocols>Ospf.
Separates levels in a hierarchy of menuselections.
> (bold right angle bracket)
Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we can
improve the documentation. You can send your comments to
[email protected], or fill out the documentation feedback form at
https://www.juniper.net/cgi-bin/docbugreport/ . If you are using e-mail, be sure to include
the following information with your comments:
• Document or topic name
• URL or page number
viiCopyright © 2013, Juniper Networks, Inc.
About This Guide
• Software release version (if applicable)
Requesting Technical Support
Technical product support is available through the JuniperNetworksTechnicalAssistance
Center (JTAC). If you are a customer with an active J-Care or JNASC support contract,
or are covered under warranty, and need postsales technical support, you can access
our tools and resources online or open a case with JTAC.
• JTAC policies—For a complete understanding of our JTAC procedures and policies,
review the JTAC User Guide located at
http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.
• Product warranties—For product warranty information, visit
http://www.juniper.net/support/warranty/.
• JTAC Hours of Operation —The JTAC centers have resources available 24 hours a day,
7 days a week, 365 days a year.
Self-Help Online Tools and Resources
For quick and easy problem resolution, Juniper Networks has designed an online
self-service portal called the Customer Support Center (CSC) that provides youwith the
following features:
• Find CSC offerings: http://www.juniper.net/customers/support/
• Find product documentation: http://www.juniper.net/techpubs/
• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
• Download the latest versions of software and review release notes:
http://www.juniper.net/customers/csc/software/
• Search technical bulletins for relevant hardware and software notifications:
https://www.juniper.net/alerts/
• Join and participate in the Juniper Networks Community Forum:
http://www.juniper.net/company/communities/
• Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/
Toverify serviceentitlementbyproduct serial number, useourSerialNumberEntitlement
(SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/
Opening a Casewith JTAC
You can open a case with JTAC on theWeb or by telephone.
• Use the Case Management tool in the CSC at http://www.juniper.net/cm/.
• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).
For international or direct-dial options in countries without toll-free numbers, visit us at
http://www.juniper.net/support/requesting-support.html
Copyright © 2013, Juniper Networks, Inc.viii
Junos OS Feature Support Reference for JunosV Firefly
PART 1
Feature Support for JunosV Firefly
• Overview on page 3
• Feature Support Tables on page 5
• Feature Support Information on page 41
1Copyright © 2013, Juniper Networks, Inc.
Copyright © 2013, Juniper Networks, Inc.2
Junos OS Feature Support Reference for JunosV Firefly
CHAPTER 1
Overview
• Feature Support Overview on page 3
Feature Support Overview
JunosVFirefly is a virtual security appliance thatprovides security andnetworking services
at theperimeter or edge in virtualizedprivateor public cloudenvironments. JunosVFirefly
runs as a virtual machine (VM) on a standard x86 server.
JunosVFirefly enablesadvancedsecurity and routingat thenetworkedge inamultitenant
virtualized environment. JunosV Firefly is built on Junos OS and delivers the similar core
networking and security features available on SRX Series devices for the branch.
Someof the keybenefits of JunosVFirefly in virtualizedprivateor public cloudmultitenant
environments include:
• Stateful firewall protection at the tenant edge
• Faster deployment of virtual firewalls
• Full routing and networking capabilities
• Complementary with the Juniper Networks vGWVirtual Gateway for inter-VM security
• Centralized and local management
JunosV Firefly inherits many features from the SRX Series product line. However, there
are certain features that might not be directly applicable in a virtualized environment,
and such SRX Series features have been excluded from the JunosV Firefly product line.
The following sections describe the available features on JunosV Firefly as of Junos OS
Release 12.1X44-D20. For feature roadmap details, contact your Juniper Networks
representative.
3Copyright © 2013, Juniper Networks, Inc.
Copyright © 2013, Juniper Networks, Inc.4
Junos OS Feature Support Reference for JunosV Firefly
CHAPTER 2
Feature Support Tables
• Address Books and Address Sets on page 7
• Administrator Authentication on page 7
• Alarms on page 8
• Application Layer Gateways on page 8
• Attack Detection and Prevention on page 10
• Autoinstallation on page 11
• Class of Service on page 12
• Diagnostics Tools on page 13
• DNS Proxy on page 13
• Dynamic Host Configuration Protocol on page 14
• Ethernet Link Aggregation on page 14
• Ethernet Link Fault Management on page 15
• File Management on page 17
• Firewall Authentication on page 18
• Flow-Based and Packet-Based Processing on page 18
• Interfaces on page 19
• IP Monitoring on page 21
• IP Security on page 21
• IPv6 Support on page 26
• IPv6 IP Security on page 27
• Log File Formats on page 28
• MPLS on page 28
• Multicast on page 29
• Multicast VPN on page 30
• Network Address Translation on page 31
• Network Operations and Troubleshooting on page 32
• Network Time Protocol on page 32
• Packet Capture on page 33
5Copyright © 2013, Juniper Networks, Inc.
• Routing on page 33
• SecureWeb Access on page 34
• Security Policy Support on page 34
• Security Zone on page 35
• Session Logging on page 36
• SMTP on page 36
• SNMP on page 36
• Stateless Firewall Filters on page 37
• System Log Files on page 37
• Upgrading and Rebooting on page 38
• User Interfaces on page 39
Copyright © 2013, Juniper Networks, Inc.6
Junos OS Feature Support Reference for JunosV Firefly
Address Books and Address Sets
Junos OS supports address books and address sets. An address book is a collection of
addresses and address sets that are available in one security zone.
An address in an address book could be a name for an IP address, a network prefix, a
DNSdomain, or a range of IP addresses. Address sets are collections of addresseswithin
an address book. They allow you to effectivelymanage addresseswhen configuring your
network. Instead ofmanaging large numbers of individual address entries, you canmore
easily manage a smaller number of address sets because any changes made to an
address set automatically applies to all the addresses in the set.
JunosOSalsosupportsaglobal addressbook,which is createdoneachsystembydefault.
It contains predefined addresses and is not attached to any zone.
Table 3 on page 7 lists the address book features supported on JunosV Firefly.
Table 3: Address Books and Address Sets Support
JunosV FireflyFeature
YesAddress books
YesAddress sets
YesGlobal address objects or sets
YesNested address groups
Administrator Authentication
Junos OS supports three methods of administrator authentication:
• Local password authentication
• RADIUS
• TACACS+
With local password authentication, you configure a password for each user who is
allowed to log in to the device.
RADIUS and TACACS+ are authentication methods for validating users who attempt to
access the device using Telnet, SSH, or other administrativemeans. Both are distributed
client/server systems—the RADIUS and TACACS+ clients run on the device, and the
server runs on a remote network system.
7Copyright © 2013, Juniper Networks, Inc.
Chapter 2: Feature Support Tables
Table 4 on page 8 lists the administrator authentication features that are supported on
JunosV Firefly.
Table 4: Administrator Authentication Support
JunosV FireflyFeature
YesLocal authentication
YesRADIUS
YesTACACS+
Alarms
Junos OS supports three types of alarms:
• Chassis alarms indicatea failureon thedeviceor oneof its components. Chassis alarms
are preset and cannot bemodified.
• Interfacealarms indicateaproblem in thestateof thephysical linkson fixedor installed
PIMs. To enable interface alarms, youmust configure them.
• Systemalarms indicateamissing rescueconfigurationor software license,where valid.
System alarms are preset and cannot bemodified, although you can configure them
to appear automatically in the J-Web or CLI display.
Table 5 on page 8 lists the alarm features that are supported on JunosV Firefly.
Table 5: Alarm Support
JunosV FireflyFeature
YesChassis alarms
YesInterface alarms
YesSystem alarms
Application Layer Gateways
AnApplicationLayerGateway (ALG) isa softwarecomponent that isdesigned tomanage
specificprotocols suchasSession InitiationProtocol (SIP)or FileTransferProtocol (FTP)
on JunosVFirefly devices running JunosOS.TheALG interceptsandanalyzes the specified
traffic, allocates resources, and defines dynamic policies to permit the traffic to pass
securely through the JunosV Firefly. Also, ALGsmodify the embedded IP addresses as
required.
Copyright © 2013, Juniper Networks, Inc.8
Junos OS Feature Support Reference for JunosV Firefly
Table 6 on page 9 lists the ALG features that are supported on JunosV Firefly.
Table 6: ALG Support
JunosV FireflyFeature
YesDNS ALG
YesDNS doctoring support
NoDNS, FTP, RTSP, and TFTP ALGs (Layer 2) with chassis clustering
YesDSCPmarking for SIP, H.323, MGCP, and SCCP ALGs
YesFTP
YesH.323
YesAvaya H.323
YesIKE
YesMGCP
YesPPTP
YesRSH
YesRTSP
YesSCCP
YesSIP
YesSIP ALG–NEC
YesSQL
YesMS RPC
YesSUN RPC
YesTALK
YesTFTP
9Copyright © 2013, Juniper Networks, Inc.
Chapter 2: Feature Support Tables
Attack Detection and Prevention
Attack detection and prevention detects and prevents attacks in network traffic. An
exploit canbeeitheran information-gatheringprobeoranattack tocompromise, disable,
or harm a network, network resource, clients or servers.
Juniper Networks provides various detection methods and defense mechanisms at the
zone and policy levels to combat exploits at all stages of their execution, including:
• Screen options at the zone level
• Firewall policies at the inter-, intra-, and super-zone policy levels (super-zone here
means in global policies, where no security zones are referenced)
Table 7 on page 10 lists the attack detection and prevention features that are supported
on JunosV Firefly.
Table 7: Attack Detection and Prevention Support
JunosV FireflyFeature
YesBad IP option
YesBlock fragment traffic
YesFIN flag without ACK flag set protection
YesICMP flood protection
YesICMP fragment protection
YesIP address spoof
YesIP address sweep
YesIP record route option
YesIP security option
YesIP stream option
YesIP strict source route option
YesIP timestamp option
YesLand attack protection
YesLarge size ICMP packet protection
YesLoose source route option
Copyright © 2013, Juniper Networks, Inc.10
Junos OS Feature Support Reference for JunosV Firefly
Table 7: Attack Detection and Prevention Support (continued)
JunosV FireflyFeature
YesPing of death attack protection
YesPort scan
YesSource IP-based session limit
YesSYN-ACK-ACK proxy protection
YesSYN and FIN flags set protection
YesSYN flood protection
YesSYN fragment protection
YesTCP address sweep
YesTCP packet without flag set protection
YesTeardrop attack protection
YesUDP address sweep
YesUDP flood protection
YesUnknown IP protocol protection
YesWhitelist for SYN flood screens
YesWinNuke attack protection
Autoinstallation
Autoinstallation provides automatic configuration for a new device that you connect to
the network and turn on, or for a device configured for autoinstallation. The
autoinstallation process begins any time a device is powered on and cannot locate a
valid configuration file in the disk. Typically, a configuration file is unavailable when a
device is powered on for the first time, or if the configuration file is deleted from the disk.
Theautoinstallation featureenables you todeploymultipledevices fromacentral location
in the network.
11Copyright © 2013, Juniper Networks, Inc.
Chapter 2: Feature Support Tables
Class of Service
When a network experiences congestion and delay, some packets must be dropped.
Junos OS class of service (CoS) allows you to divide traffic into classes and offer various
levels of throughput and packet loss when congestion occurs. This allows packet loss
to happen according to the rules you configure.
Table 8 on page 12 lists the CoS features that are supported on JunosV Firefly.
Table 8: CoS Support
JunosV FireflyFeature
YesClassifiers
YesCode-point aliases
YesEgress interface shaping
YesForwarding classes
YesHigh-priority queue on Services Processing Card
YesIngress interface policer
YesSchedulers
YesSimple filters
YesTransmission queues
YesTunnels
NOTE: GRE and IP-IP tunnels only.
YesVirtual channels
Copyright © 2013, Juniper Networks, Inc.12
Junos OS Feature Support Reference for JunosV Firefly
Diagnostics Tools
JunosVFireflydevicessupportasuiteof J-WebtoolsandCLIoperationalmodecommands
for evaluating system health and performance. Diagnostics tools and commands test
the connectivity and reachability of hosts in the network.
Table9onpage 13 lists the featuresof thediagnostics tools that are supportedon JunosV
Firefly.
Table 9: Diagnostics Tools Support
JunosV FireflyFeature
YesCLI terminal
YesJ-Flow versions 5 and version 8
YesJ-Flow version 9
YesPing host
YesPing MPLS
YesTraceroute
YesPing Ethernet (CFM)
YesTraceroute Ethernet (CFM)
DNS Proxy
Adomain name service (DNS) proxy allows clients to use a device as aDNSproxy server.
Use of a DNS proxy improves domain lookup performance by caching previous lookups.
A typical DNS proxy processes DNS queries by issuing a new DNS resolution query to
each name server that it has detected until the hostname is resolved.
Table 10 on page 13 lists the DNS proxy features that are supported on JunosV Firefly.
Table 10: DNS Proxy Support
JunosV FireflyFeature
YesDNS proxy cache
YesDNS proxy with split DNS
YesDynamic DNS
13Copyright © 2013, Juniper Networks, Inc.
Chapter 2: Feature Support Tables
Dynamic Host Configuration Protocol
Dynamic Host Configuration Protocol (DHCP) is based on BOOTP, a bootstrap protocol
that allows a client to discover its own IP address, the IP address of a server host, and
the nameof a bootstrap file. DHCP servers can handle requests fromBOOTP clients, but
provide additional capabilities beyond BOOTP, such as the automatic allocation of
reusable IP addresses and additional configuration options.
DHCP provides two primary functions:
• Allocate temporary or permanent IP addresses to clients.
• Store, manage, and provide client configuration parameters.
Table 11 on page 14 lists the DHCP features that are supported on JunosV Firefly.
Table 11: DHCP Support
JunosV FireflyFeature
NoDHCPv6 client
YesDHCPv4 client
NoDHCPv6 relay agent
YesDHCPv4 relay agent
YesDHCPv6 server
YesDHCPv4 server
YesDHCP server address pools
YesDHCP server static mapping
Ethernet Link Aggregation
Link aggregation groups (LAGs) based on IEEE 802.3admake it possible to aggregate
physical interface links on a device. LAGs provide increased interface bandwidth and link
availability by linking physical ports and load-balancing traffic crossing the combined
interface.
TheLinkAggregationControlProtocol (LACP), asubcomponentof IEEE802.3ad,provides
additional functionality for LAGs. LACP is supported in standalone deployments, where
aggregatedEthernet interfacesare supported, and in chassis cluster deployments,where
aggregated Ethernet interfaces and redundant Ethernet interfaces are supported
simultaneously.
JunosV Firefly provides Ethernet Link Aggregation support in routing mode only.
Copyright © 2013, Juniper Networks, Inc.14
Junos OS Feature Support Reference for JunosV Firefly
Table 12 on page 15 lists the Ethernet link aggregation features that are supported on
JunosV Firefly.
Table 12: Ethernet Link Aggregation Support
JunosV FireflyFeature
Routingmode
NoLACP in chassis cluster pair
YesLACP in standalone device
YesLayer 3 LAG on routed ports
NoStatic LAG in chassis cluster mode
YesStatic LAG in standalonemode
Ethernet Link Fault Management
The Ethernet interfaces on the JunosV Firefly support the IEEE 802.3ah standard for
Operation,Administration, andMaintenance (OAM).ThestandarddefinesOAM link fault
management (LFM).
JunosV Firefly provides Ethernet Link Fault Management support in routing mode only.
Table 13 on page 15 lists the LFM features that are supported on JunosV Firefly in routing
mode.
Table 13: Ethernet Link Fault Management Support in RoutingMode
JunosV FireflyFeature
Interfaces supported:
NoLACP in chassis cluster pair
YesLACP in standalonemode
NoStatic LAG in chassis cluster mode
YesStatic LAG in standalonemode
Physical interface (encapsulations)
Noethernet-ccc
Noextended-vlan-ccc
Noethernet-tcc
Noextended-vlan-tcc
15Copyright © 2013, Juniper Networks, Inc.
Chapter 2: Feature Support Tables
Table 13: Ethernet Link Fault Management Support in RoutingMode (continued)
JunosV FireflyFeature
Interface family
Yesinet
Yesmpls
Noccc
Notcc
Yesiso
Noethernet-switching
Yesinet6
Aggregated Ethernet interface:
YesStatic LAG
YesLACP enabled LAG
Interface family
Noethernet-switching
Yesinet
Yesinet6
Yesiso
Yesmpls
Copyright © 2013, Juniper Networks, Inc.16
Junos OS Feature Support Reference for JunosV Firefly
File Management
You can use the J-Web interface to perform routine file management operations such
as archiving log files and deleting unused log files, cleaning up temporary files and crash
files, and downloading log files from the routing platform to your computer. You can also
encrypt the configuration files with the CLI configuration editor to prevent unauthorized
users from viewing sensitive configuration information.
Table 14 on page 17 lists the file management features that are supported on JunosV
Firefly.
Table 14: File Management Support
JunosV FireflyFeature
YesClean up unnecessary files
YesDelete backup software image
YesDelete individual files
YesDownload system files
YesEncrypt/decrypt configuration files
YesManage account files
YesRescue
YesSystem snapshot
YesSystem zeroize
YesMonitor start
YesArchive files
YesCalculate checksum
YesCompare files
YesRename files
17Copyright © 2013, Juniper Networks, Inc.
Chapter 2: Feature Support Tables
Firewall Authentication
Junos OS supports the following two types of firewall user authentication:
• Pass-through authentication—Ahost or a user fromone zone tries to access resources
on another zone. Youmust use an FTP, Telnet, or HTTP client to access the IP address
of the protected resource and to get authenticated by the firewall. The device uses
FTP, Telnet, or HTTP to collect username and password information. Subsequent
traffic from the user or host is allowed or denied based on the result of this
authentication.
• Web authentication—Users try to connect, using HTTP, to an IP address on the device
that is enabled forWeb authentication; in this scenario, you do not use HTTP to get to
the IP address of the protected resource. You are prompted for the username and
password that are verified by the device. Subsequent traffic from the user or host to
the protected resource is allowed or denied based on the result of this authentication.
Table 15 on page 18 lists firewall authentication features that are supported on JunosV
Firefly.
Table 15: Firewall Authentication Support
JunosV FireflyFeature
NoFirewall authentication on Layer 2 transparent authentication
YesLDAP authentication server
YesLocal authentication server
YesPass-through authentication
YesRADIUS authentication server
YesSecurID authentication server
YesWeb authentication
Flow-Based and Packet-Based Processing
A packet undergoes flow-based processing after any packet-based filters and policers
havebeenapplied to it. A flow is a streamof relatedpackets thatmeet the samematching
criteria and share the same characteristics. Junos OS treats packets belonging to the
same flow in the samemanner.
Apacketundergoespacket-basedprocessingwhen it is dequeued from its input (ingress)
interface and before it is enqueued on its output (egress) interface. Packet-based
processingapplies stateless firewall filters andclass-of-service (CoS) features todiscrete
packets. You can apply a firewall filter to an ingress or egress interface, or to both.
Copyright © 2013, Juniper Networks, Inc.18
Junos OS Feature Support Reference for JunosV Firefly
Table 16 on page 19 lists the flow-based and packet-based features that are supported
on JunosV Firefly.
Table 16: Flow-Based and Packet-Based Processing Support
JunosV FireflyFeature
YesAlarms and auditing
NoEnd-to-end packet debugging
YesFlow-based processing
NoNetwork processor bundling
YesPacket-based processing
YesSelective stateless packet-based services
Interfaces
All Juniper Networks devices use network interfaces to connect to other devices. Each
device interface has a unique name that follows a naming convention.
Youmustconfigureeachnetwork interfacebefore it canoperateon thedevice.Configuring
an interface can define both the physical properties of the link and the logical properties
of a logical interface on the link.
Table 17 on page 19 lists the features of the physical and virtual interfaces that are
supported on JunosV Firefly.
Table 17: Physical and Virtual Interface Support
JunosV FireflyFeature
YesEthernet interface
YesGigabit Ethernet interface
Table 18 on page 19 lists the features of the services that are supported on JunosV Firefly.
Table 18: Services Support
JunosV FireflyFeature
YesAggregated Ethernet interface
YesGRE interface
YesIEEE 802.1X dynamic VLAN assignment
19Copyright © 2013, Juniper Networks, Inc.
Chapter 2: Feature Support Tables
Table 18: Services Support (continued)
JunosV FireflyFeature
YesIEEE 802.1X MAC bypass
YesIEEE 802.1X port-based authentication control withmultisupplicant support
NoInterleaving using MLFR
NoInternally configured interface used by the systemas a controlpath between theWXC Integrated Services Module and theRouting Engine
YesInternally generated GRE interface (gr-0/0/0)
YesInternally generated IP-over-IP interface (ip-0/0/0)
YesInternally generated link services interface
YesInternally generated Protocol Independent Multicastde-encapsulation interface
YesInternally generated Protocol Independent Multicastencapsulation interface
YesLink fragmentation and interleaving interface
YesLink services interface
YesLoopback interface
YesManagement interface
NoPPP interface
NoPPPoE-based radio-to-router protocol
NoPPPoE interface
Yes
NOTE: Promiscuousmodeneeds tobeenabledonhypervisor.
Promiscuous mode on interfaces
YesSecure tunnel interface
Copyright © 2013, Juniper Networks, Inc.20
Junos OS Feature Support Reference for JunosV Firefly
IP Monitoring
The IPmonitoring feature monitors IP addresses and enables the device to track the
reachability of a particular IP address. Existing real-time performancemonitoring (RPM)
probesare sent toan IPaddress tocheck for reachability. Eachprobed target ismonitored
over the course of a test. During a test, probes are generated and responses collected at
a rate defined by the probe interval, which is the number of seconds between probes.
Table 19 on page 21 lists the IP monitoring features that are supported on JunosV Firefly.
Table 19: IP Monitoring Support
JunosV FireflyFeature
YesIP monitoring with route failover (for standalone devices andredundant Ethernet interfaces)
YesIP monitoring with interface failover (for standalone devices)
IP Security
IP Security (IPsec) is a suite of related protocols for cryptographically securing
communications at the IP layer. IPsec also provides methods for the manual and
automaticnegotiationof securityassociations (SAs)andkeydistribution, all theattributes
that are gathered in a domain of interpretation (DOI). The IPsec DOI is a document
containing definitions for all the security parameters required for successful negotiation
of a VPN tunnel—essentially, all the attributes required for SA and Internet Key Exchange
(IKE) negotiations.
In Public Key Infrastructure (PKI), a public-private key pair is used to encrypt and decrypt
data. Data encrypted with a public key, which the owner makes available to the public,
can be decrypted with the corresponding private key only, which the owner keeps secret
and protected. The reverse process is also useful: encrypting data with a private key and
decrypting itwith the correspondingpublic key. This process is knownascreatingadigital
signature. A digital certificate is an electronic means for verifying your identity through a
trusted third party, known as a certificate authority (CA).
The dynamic VPN feature simplifies remote access by enabling users to establish IP
Security (IPsec) VPN tunnelswithout having tomanually configure VPN settings on their
Windows PCs or laptops. Instead, authenticated users can simply download the Access
ManagerWebclient to their computers. This Layer3 remoteaccessclientusesclient-side
configuration settings that it receives from the server to create andmanage a secure
end-to-site VPN tunnel to the server.
21Copyright © 2013, Juniper Networks, Inc.
Chapter 2: Feature Support Tables
Table 20 on page 22 lists IPsec features that are supported on JunosV Firefly.
Table 20: IPsec Support
JunosV FireflyFeature
YesAcadia - Clientless VPN
YesAH protocol
YesAlarms and auditing
YesAntireplay (packet replay attack prevention)
YesAuthentication
YesAuthentication Header (AH)
YesAutokey management
YesAutomated certificate enrollment using SCEP
YesAutomatic generation of self-signed certificates
NoBridge domain and transparent mode
YesCertificate - Configure local certificate sent to peer
YesCertificate - Configure requested CA of peer certificate
YesCertificate - Encoding: PKCS7, X509, PEM, DERs
YesCertificate - RSA signature
NoChassis clusters (active/backup and active/active)
YesClass of service
YesCRL update at user-specified interval
YesConfig Mode (draft-dukes-ike-mode-cfg-03)
YesDead Peer Detection (DPD)
YesDiffie-Hellman (PFS) Group 1
YesDiffie-Hellman (PFS) Group 2
YesDiffie-Hellman (PFS) Group 5
YesDiffie-Hellman Group 1
Copyright © 2013, Juniper Networks, Inc.22
Junos OS Feature Support Reference for JunosV Firefly
Table 20: IPsec Support (continued)
JunosV FireflyFeature
YesDiffie-Hellman Group 2
YesDiffie-Hellman Group 5
YesDigital signature generation
YesDynamic IP address
YesDynamic IPsec VPNs
YesEncapsulating Security Payload (ESP) protocol
YesEncryption Algorithms 3DES
YesEncryption Algorithms AES 128, 192, and 256
YesEncryption Algorithms DES
YesEncryption Algorithms NULL (authentication only)
YesEntrust, Microsoft, and Verisign certificate authorities (CAs)
YesExternal Extended Authentication (Xauth) to a RADIUS serverfor remote access connections
NoGroup Encrypted Transport (GET VPN)
NoGroup VPNwith dynamic policies
YesHard lifetime limit
NoHardware IPSec (bulk crypto) Cavium/RMI
YesHash Algorithms MD5
YesHash Algorithms SHA-1
YesHash Algorithms SHA-2 (SHA-256)
YesHub & Spoke VPN
YesIdle timers for IKE
YesImprovements in VPN Debug Capabilities
YesInitial Contact
23Copyright © 2013, Juniper Networks, Inc.
Chapter 2: Feature Support Tables
Table 20: IPsec Support (continued)
JunosV FireflyFeature
YesInvalid SPI response
YesIKE Diffie-Hellman Group 14 support
YesIKE Phase 1
YesIKE Phase 1 lifetime
YesIKE Phase 2
YesIKE Phase 2 lifesize
YesIKE and IPSEC pre-define proposal sets to work with DynamicVPN client
YesIPSec tunnel termination in routing-instances
YesIKE support
YesIKEv1
YesIKEv1 authentication, preshared key
YesIKEv2
YesLocal IP address Management - VPN XAuth support
YesLocal IP address Management Support for DVPN
YesManual installation of DER-encoded and PEM-encoded CRLs
YesManual key management
YesManual proxy-ID (Phase 2 ID) configuration
YesNHTB - Next Hop Tunnel Binding
YesNew IPSec Phase 2 Authentication Algorithm
YesOnline CRLretrieval through LDAP and HTTP
YesPackage dynamic VPN client
YesPolicy-based VPN
YesPreshared key (PSK)
Copyright © 2013, Juniper Networks, Inc.24
Junos OS Feature Support Reference for JunosV Firefly
Table 20: IPsec Support (continued)
JunosV FireflyFeature
YesPrioritization of IKE packet processing
YesReconnect to dead IKE peer
YesRemote Access
YesRemote Access user IKE peer
YesRemote Access user-group IKE peer - group IKE ID
YesRoute-based VPN
YesSHA-2 IPSec support
YesSoft lifetime
YesStatic IP address
YesSuites: Standard, Compatible, Basic, and custom-created
YesSupport forNHTBwhen thest0.x interface isbound toa routinginstance
YesSupport for Remote Access peers with shared IKE identity +mandatory XAuth
YesSupport group IKE IDs for Dynamic VPN configuration
YesTOS/DSCP honoring/coloring (inner/outer)
YesTunnel Mode with clear/copy/set Don't Fragment bit
NoUAC Layer 3 enforcement
YesVirtual router support for route-based VPNs
YesVPNmonitoring (proprietary)
YesX.509 encoding for IKE
YesXAuth (draft-beaulieu-ike-xauth-03)
25Copyright © 2013, Juniper Networks, Inc.
Chapter 2: Feature Support Tables
IPv6 Support
IPv6 is the successor to IPv4. IPv6 builds upon the functionality of IPv4, providing
improvements to addressing, configuration andmaintenance, and security. These
improvements include:
• Expandedaddressingcapabilities—IPv6providesa largeraddressspace. IPv6addresses
consist of 128 bits, whereas IPv4 addresses consist of 32 bits.
• Header format simplification—IPv6 packet header format is designed to be efficient.
IPv6 standardizes the size of the packet header to 40 bytes, divided into 8 fields.
• Improved support for extensions and options—Extension headers carry Internet-layer
information and have a standard size and structure.
• Improved privacy and security—IPv6 supports extensions for authentication and data
integrity, which enhance privacy and security.
Table 21 on page 26 lists the IPv6 features that are supported on JunosV Firefly.
Table 21: IPv6 Support
JunosV FireflyFeature
Flow-based forwarding and security features
YesAdvanced flow
NoDS-Lite concentrator (aka AFTR)
NoDS-Lite initiator (aka B4)
YesFirewall filters
YesForwarding option: flowmode
YesMulticast flow
YesScreens
YesSecurity policy (firewall)
NoSecurity policy (IDP)
NoSecurity policy (user role firewall)
YesZones
YesIPv6 ALG support for FTP
Routing, NAT, NAT-PT support
Copyright © 2013, Juniper Networks, Inc.26
Junos OS Feature Support Reference for JunosV Firefly
Table 21: IPv6 Support (continued)
JunosV FireflyFeature
YesIPv6 ALG support for ICMP
Routing, NAT, NAT-PT support
YesIPv6 NAT
NAT-PT, NAT support
YesIPv6 NAT64
YesIPv6–related protocols
BFD, BGP, ECMPv6, ICMPv6, ND, OSPFv3, RIPng
YesIPv6 ALG support for TFTP
YesSystem services
DHCPv6, DNS, FTP, HTTP, ping, SNMP, SSH, syslog, Telnet,traceroute
Packet-based forwarding and security features
YesClass of service
YesFirewall filters
YesForwarding option: packet mode
IPv6 IP Security
IPv6 IP Security (IPsec) is the implementation of the IPsec suite of protocols in IPv6
networks. IPsecprovides interoperable, highquality, andcryptographicallybasedsecurity
services for traffic at the IP layer. In IPv6, IPsec enhances the original IP protocol by
providing authenticity, integrity, confidentiality, and access control to each IP packet
through theuseof twoprotocols: authenticationheader (AH)andEncapsulatingSecurity
Payload (ESP).
Table 22 on page 27 lists the IPv6 IPsec features that are supported on JunosV Firefly.
Table 22: IPv6 IP Security Support
JunosV FireflyFeature
Yes4in4 and 6in6 policy-based site-to-site VPN, AutoKey IKEv1
Yes4in4 and 6in6 policy-based site-to-site VPN, manual key
Yes4in4 and 6in6 route-based site-to-site VPN, AutoKey IKEv1
Yes4in4 and 6in6 route-based site-to-site VPN, manual key
27Copyright © 2013, Juniper Networks, Inc.
Chapter 2: Feature Support Tables
Log File Formats
Junos OS generates separate log messages to record events that occur on the system’s
control and data planes. The control plane logs (called system logs) include events that
occur on the routing platform. The data plane logs (called security logs) primarily include
security events that the system has handled directly inside the data plane.
Table 23 on page 28 lists the system and security log file formats supported on JunosV
Firefly.
Table 23: Security Log File Formats
JunosV FireflyFeature
System (Control Plane) Log File Formats
NoBinary format (binary)
YesStructured syslog (sd-syslog)
YesSyslog (syslog)
NoWebTrends Enhanced Log Format (welf)
Security (Data Plane) Log File Formats
YesBinary format (binary)
YesStructured syslog (sd-syslog)
YesSyslog (syslog)
YesWebTrends Enhanced Log Format (welf)
MPLS
MPLS provides a framework for controlling traffic patterns across a network. The MPLS
framework allows JunosV Firefly to pass traffic through transit networks on paths that
are independent of the individual routing protocols enabled throughout the network.
The MPLS framework supports traffic engineering and the creation of virtual private
networks (VPNs). Traffic is engineered (controlled) primarily by the use of signaling
protocols to establish label-switched paths (LSPs). VPN support includes Layer 2 and
Layer 3 VPNs and Layer 2 circuits.
Copyright © 2013, Juniper Networks, Inc.28
Junos OS Feature Support Reference for JunosV Firefly
Table 24 on page 29 lists the MPLS features that are supported on JunosV Firefly.
Table 24: MPLS Feature Support
JunosV FireflyFeature
YesCCC and TCC
YesCLNS
YesInterprovider and carrier-of-carriers VPNs
YesLayer 2 VPNs for Ethernet connections
YesLayer 3 MPLS VPNs
YesLDP
YesMPLS VPNs with VRF tables on provider edge routers
YesMulticast VPNs
YesOSPF and IS-IS traffic engineering extensions
YesP2MP LSPs
YesRSVP
YesSecondary and standby LSPs
YesStandards-based fast reroute
NoVPLS
Multicast
Multicast traffic lies between the extremes of unicast (one source, one destination) and
broadcast (one source, all destinations). Multicast is a “one source, many destinations”
method of traffic distribution, meaning that only the destinations needing to receive the
information from a particular source receive the traffic stream.
IP network destinations (clients) do not often communicate directly with sources
(servers), so the routers between source and destination must be able to determine the
topology of the network from the unicast ormulticast perspective to avoid routing traffic
haphazardly. Themulticast router must find multicast sources on the network, send out
copies of packets on several interfaces, prevent routing loops, connect interested
destinationswith theproper source, andkeepthe flowofunwantedpackets toaminimum.
Standard multicast routing protocols provide most of these capabilities.
29Copyright © 2013, Juniper Networks, Inc.
Chapter 2: Feature Support Tables
Table 25 on page 30 lists the multicast features that are supported on JunosV Firefly.
Table 25: Multicast Support
JunosV FireflyFeature
YesFiltering PIM register messages
YesIGMP
YesPIM RPF routing table
YesPrimary routingmode (densemode for LAN and sparsemodefor WAN)
YesProtocol Independent Multicast Static RP
YesSession Announcement Protocol (SAP)
YesSDP
Multicast VPN
MPLSmulticast VPNs employ the intra-autonomous system (AS) next-generation
(NGEN) BGP control plane and Protocol Independent Multicast (PIM) sparse mode as
the data plane.
A multicast VPN is defined by two sets of sites, a sender site set and a receiver site set.
These sites have the following properties:
• Hostswithin the sender site set canoriginatemulticast traffic for receivers in the receiver
site set.
• Receivers outside the receiver site set should not be able to receive this traffic.
• Hosts within the receiver site set can receive multicast traffic originated by any host in
the sender site set.
• Hostswithin the receiver site set shouldnotbeable to receivemulticast trafficoriginated
by any host that is not in the sender site set.
Table26onpage30 lists themulticastVPN features thatare supportedon JunosVFirefly.
Table 26: Multicast VPN Support
JunosV FireflyFeature
YesBasic multicast features in C-instance
YesMulticast VPNmembership discovery with BGP
YesP2MP LSP support
Copyright © 2013, Juniper Networks, Inc.30
Junos OS Feature Support Reference for JunosV Firefly
Table 26: Multicast VPN Support (continued)
JunosV FireflyFeature
YesP2MPOAM - P2MP LSP ping
YesReliable multicast VPN routing information exchange
Network Address Translation
Network Address Translation (NAT) is a method by which IP addresses in a packet are
mapped from one group to another and, optionally, port numbers in the packet are
translated into different port numbers.
NAT is described in RFC 3022 to solve IP (version 4) address depletion problems. Since
then, NAT has been found to be a useful tool for firewalls, traffic redirect, load sharing,
network migrations, hide topology, and so on.
Table 27 on page 31 lists the NAT features that are supported on JunosV Firefly.
Table 27: NAT Support
JunosV FireflyFeature
YesDestination IP address translation
YesDisabling source NAT port randomization
YesInterface source NAT pool port
YesNAT address pool utilization threshold status
YesNAT traversal (NAT-T) for site-to-site IPsec VPNs (IPv4)
YesPersistent NAT
YesPersistent NAT binding for wildcard ports
YesPersistent NAT hairpinning
YesMaximize persistent NAT bindings
YesPool translation
YesProxy ARP (IPv4)
YesProxy NDP (IPv6)
YesRemoving persistent NAT query bindings
YesRule-based NAT
31Copyright © 2013, Juniper Networks, Inc.
Chapter 2: Feature Support Tables
Table 27: NAT Support (continued)
JunosV FireflyFeature
YesRule translation
YesSource address and group address translation for multicastflows
YesSource IP address translation
YesStatic NAT
Network Operations and Troubleshooting
You can use commit scripts, operation scripts, and event policies to automate network
operations and troubleshooting tasks. You can use commit scripts to enforce custom
configuration rules. You can use operation scripts to automate network management
and troubleshooting tasks. You can configure event policies that initiate self-diagnostic
actions on the occurrence of specific events.
Table 28 on page 32 lists the network operations features that are supported on JunosV
Firefly.
Table 28: Network Operations and Troubleshooting Support
JunosV FireflyFeature
YesEvent policies
YesEvent scripts
YesOperation scripts
YesXSLT commit scripts
Network Time Protocol
The Network Time Protocol (NTP) provides themechanisms for synchronizing time and
coordinating time distribution in a large, diverse network. NTP uses a returnable-time
design in which a distributed subnet of time servers operating in a self-organizing,
hierarchical primary-secondary configuration synchronizes local clockswithin the subnet
and to national time standards by means of wire or radio.
Copyright © 2013, Juniper Networks, Inc.32
Junos OS Feature Support Reference for JunosV Firefly
Packet Capture
Packet capture is a tool that helps you analyze network traffic and troubleshoot network
problems. The packet capture tool captures real-time data packets, traveling over the
network, for monitoring and logging.
NOTE: Packet capture, in this context, refers to standard interface packetcapture. It is not part of the IDP. Packet capture is supported only on physicalinterfaces and tunnel interfaces; for example, gr, ip, st0, lsq-/ls-. Packetcapture is not supported on redundant Ethernet interfaces (reth).
Packets are captured as binary data, without modification. You can read the packet
information offline with a packet analyzer such as Ethereal or tcpdump.
Routing
Routing is the transmission of data packets from a source to a destination address. For
packets to be correctly forwarded to the appropriate host address, the host must have
auniquenumeric identifier or IPaddress. Theunique IPaddressof thedestinationprefixes
forms entries in the routing table. These entries are primarily responsible for determining
the path that a packet traverses when transmitted from source to destination.
Table 29 on page 33 lists the routing features that are supported on JunosV Firefly.
Table 29: Routing Support
JunosV FireflyFeature
YesBGP
YesBGP extensions for IPv6
YesCompressed Real-Time Transport Protocol (CRTP)
YesECMP flow-based forwarding
YesInternet Group Management Protocol (IGMP)
YesIPv4 options and broadcast Internet diagrams
YesIPv6 routing, forwarding, global address configuration, andInternet Control Message Protocol (ICMP)
YesIS-IS
YesMultiple virtual routers
YesNeighbor Discovery Protocol and Secure Neighbor DiscoveryProtocol
33Copyright © 2013, Juniper Networks, Inc.
Chapter 2: Feature Support Tables
Table 29: Routing Support (continued)
JunosV FireflyFeature
YesOSPF v2
YesOSPF v3
YesRIP next generation (RIPng)
YesRIP v1, v2
YesStatic routing
YesVirtual Router Redundancy Protocol (VRRP)
SecureWeb Access
You canmanage a Juniper Networks device remotely through the J-Web interface. To
communicate with the device, the J-Web interface uses the Hypertext Transfer Protocol
(HTTP). HTTP allows easyWeb access but no encryption. The data that is transmitted
between theWebbrowser and thedevice bymeansofHTTP is vulnerable to interception
andattack.Toenable secureWebaccess, the JuniperNetworksdevices supportHypertext
Transfer Protocol over Secure Sockets Layer (HTTPS). You can enable HTTP or HTTPS
access on specific interfaces and ports as needed.
Table 30 on page 34 lists the secure web access features that are supported on JunosV
Firefly.
Table 30: SecureWeb Access Support
JunosV FireflyFeature
YesCAs
YesHTTP
YesHTTPS
Security Policy Support
With the advent of the Internet, the need for a secure network has become vital for
businesses with an Internet connection. Before a network can be secured for a business,
a network security policy has to outline all the network resources within that business
and identify the required security level for those resources. The network security policy
also defines the security threats and the actions taken for such threats. JunosOSstateful
firewall policy provides a set of tools to network administrators, enabling them to
implement network security for their organizations. Global policies allow you to regulate
traffic with addresses and applications, regardless of their security zones.
Copyright © 2013, Juniper Networks, Inc.34
Junos OS Feature Support Reference for JunosV Firefly
Table 31 on page 35 lists the security policy features that are supported on JunosV Firefly.
Table 31: Security Policy
JunosV FireflyFeature
YesAddress books/Address sets
YesCustom policy applications
YesGlobal Policy
YesPolicy application timeouts
YesPolicy applications and application sets
YesPolicy hit-count tracking
YesSchedulers
YesSecurity policies for self-traffic
NoSSL proxy
NoUser role firewall
YesCommon predefined applications
YesShadow policy
Security Zone
A security zone is:
• A collection of one or more network segments requiring the regulation of inbound and
outbound traffic through policies
• A group of networks that follow the same security principles
• A group of logical entities to which one or more interfaces are bound
On a single device, you can configure multiple security zones, dividing the network into
segments to which you can apply various security options to satisfy the needs of each
segment. At a minimum, youmust define two security zones, basically to protect one
area of the network from the other.
Table 32 on page 36 lists the zones supported on JunosV Firefly.
35Copyright © 2013, Juniper Networks, Inc.
Chapter 2: Feature Support Tables
Table 32: Zones Support
JunosV FireflyFeature
YesFunctional zone
YesSecurity zone
Session Logging
You can obtain information about the sessions and packet flows active on your device,
including detailed information about specific sessions. You can display this information
to observe activity and for debugging purposes.
Table 33 on page 36 lists the session logging features that are supported on JunosV
Firefly.
Table 33: Session Logging Support
JunosV FireflyFeature
YesAccelerating security and traffic logging
YesAggressive session aging
YesGetting information about sessions
YesLogging to a single server
YesSession logging with NAT information
SMTP
SMTP is used for sending e-mail messages between servers. SMTP can be used to send
an e-mail message to a local or a remote mail server to forward an e-mail message.
While electronic mail servers use SMTP to send and receive mail messages, user-level
client mail applications typically use SMTP only for sending messages to amail server
for relaying. For receiving messages, client applications usually use either Post Office
Protocol (POP) or Internet Message Access Protocol (IMAP).
SNMP
SNMP enables the monitoring of network devices from a central location. Use SNMP to
determine where and when a network failure is occurring, and to gather statistics about
network performance to evaluate the overall health of the network and identify
bottlenecks.
SNMP v1, v2, and v3 are supported on JunosV Firefly.
Copyright © 2013, Juniper Networks, Inc.36
Junos OS Feature Support Reference for JunosV Firefly
Stateless Firewall Filters
A stateless firewall filter evaluates the contents of packets transiting the device from a
source to a destination, or the contents of packets originating from, or destined for, the
Routing Engine. Stateless firewall filters applied to the Routing Engine interface protect
the processes and resources owned by the Routing Engine. A stateless firewall filter
evaluates every packet, including fragmented packets.
A stateless firewall filter, often called a firewall filter or access control list (ACL), statically
evaluates packet contents. In contrast, a stateful firewall filter uses connection state
information derived frompast communications and other applications tomake dynamic
control decisions.
Table 34 on page 37 lists the features of stateless firewall filters that are supported on
JunosV Firefly.
Table 34: Stateless Firewall Filters Support
JunosV FireflyFeature
YesStateless firewall filters (ACLs)
NoStateless firewall filters (simple filter)
System Log Files
JunosOSsupports configuringandmonitoringof system logmessages (alsocalled syslog
messages). You can configure files to log systemmessages and also assign attributes,
suchas severity levels, tomessages. TheViewEventspage in the J-Web interfaceenables
you to filter and view system logmessages.
Table 35 on page 37 lists the features of system log files that are supported on JunosV
Firefly.
Table 35: System Log Files Support
JunosV FireflyFeature
YesArchiving system logs
YesConfiguring system logmessages
YesDisabling system logs
YesFiltering system logmessages
YesMultiple system log servers (control-plane logs)
YesSending system logmessages to a file
37Copyright © 2013, Juniper Networks, Inc.
Chapter 2: Feature Support Tables
Table 35: System Log Files Support (continued)
JunosV FireflyFeature
YesSending system logmessages to a user terminal
YesViewing data plane logs
YesViewing system logmessages
Upgrading and Rebooting
When you power on the JunosV Firefly VM, it starts (boots up) using its primary boot
device. As new features and software fixes become available, youmust upgrade your
software to use them. Before an upgrade, we recommend that you back up your primary
boot device.
You can configure the primary boot device with a snapshot of the current configuration,
default factory configuration, or rescue configuration. You can also replicate the
configuration for use on another device, or configure a boot device to receive core files
for troubleshooting.
Table 36 on page 38 lists the upgrading and rebooting features that are supported on
JunosV Firefly.
Table 36: Upgrading and Rebooting Support
JunosV FireflyFeature
YesAutorecovery
YesBoot device configuration
YesBoot device recovery
YesChassis components control
YesChassis restart
YesDownloadmanager
NoDual-root partitioning
NoIn-band cluster upgrade
NoLow-impact cluster upgrades
YesSoftware upgrades and downgrades
Copyright © 2013, Juniper Networks, Inc.38
Junos OS Feature Support Reference for JunosV Firefly
User Interfaces
You can use two user interfaces to monitor, configure, troubleshoot, andmanage your
device—the command-line interface (CLI) for Junos OS and the J-Web interface.
The Junos OS CLI is the software interface you use to access a device running Junos
OS—whether from the console or through a network connection. By leveraging
industry-standard tools and utilities, the CLI provides a powerful set of commands that
you can use to monitor and configure devices running Junos OS.
The J-Web interface allows you to monitor, configure, troubleshoot, andmanage the
routing platform bymeans of aWeb browser enabled with Hypertext Transfer Protocol
(HTTP) or HTTP over Secure Sockets Layer (HTTPS). J-Web provides access to all the
configuration statements supported by the routing platform, so you can fully configure
your device without using the Junos OS CLI.
Table 37 on page 39 lists the user interface features that are supported on JunosV Firefly.
Table 37: User Interfaces Support
JunosV FireflyFeature
YesCLI
YesJ-Web user interface
YesJunos XML protocol
NoNetwork and Security Manager
YesJunos Space SD
NoSRC application
39Copyright © 2013, Juniper Networks, Inc.
Chapter 2: Feature Support Tables
Copyright © 2013, Juniper Networks, Inc.40
Junos OS Feature Support Reference for JunosV Firefly
CHAPTER 3
Feature Support Information
JunosV Firefly inherits many features from the SRX Series product line. However, there
are certain features that might not be directly applicable in a virtualized environment,
and such SRX Series features have been excluded from the JunosV Firefly product line.
The following table lists some of the SRX Series product line features that are not
supported on JunosV Firefly as of Junos OS Release 12.1X44-D20.
NOTE: For the support information on features that are not listed in any ofthe tables in this guide, or for feature roadmap details, contact your JuniperNetworks representative.
Table 38 on page 41 lists the features that are not supported on JunosV Firefly.
Table 38: JunosV Firefly Feature Support Information
JunosV FireflyFeature
NoApplication Identification (Junos OS)
NoAuthentication with IC Series Devices
NoChassis Cluster and Chassis Management
NoGeneral Packet Radio Service
NoIntrusion Detection and Prevention
NoLayer 2 Mode
NoLogical Systems
NoPower over Ethernet
NoPublic Key Infrastructure
NoRemote Device Access
NoRoute Reflector
41Copyright © 2013, Juniper Networks, Inc.
Table 38: JunosV Firefly Feature Support Information (continued)
JunosV FireflyFeature
NoRPM Probe
NoServices Offloading
NoTransparent Mode
NoUnified Threat Management
NoUSBModem
NoVirtual Private LAN Service
NoVoice over Internet Protocol with Avaya
NoWireless Local Area Network
Copyright © 2013, Juniper Networks, Inc.42
Junos OS Feature Support Reference for JunosV Firefly
PART 2
Index
• Index on page 45
43Copyright © 2013, Juniper Networks, Inc.
Copyright © 2013, Juniper Networks, Inc.44
Junos OS Feature Support Reference for JunosV Firefly
Index
Symbols#, comments in configuration statements....................vii
( ), in syntax descriptions......................................................vii
< >, in syntax descriptions....................................................vii
[ ], in configuration statements..........................................vii
{ }, in configuration statements.........................................vii
| (pipe), in syntax descriptions...........................................vii
Aaddress book...............................................................................7
support table......................................................................7
administrator authentication................................................7
support table......................................................................7
alarms............................................................................................8
support tables...................................................................8
ALG See Application Layer Gateway
Application Layer Gateway...................................................8
support table......................................................................8
autoinstallation..........................................................................11
support table.....................................................................11
Bbraces, in configuration statements.................................vii
brackets
angle, in syntax descriptions.......................................vii
square, in configuration statements........................vii
Cclass of service..........................................................................12
support table....................................................................12
comments, in configuration statements........................vii
conventions
notice icons........................................................................vi
text and syntax.................................................................vi
CoS See class of service
curly braces, in configuration statements......................vii
customer support...................................................................viii
contacting JTAC..............................................................viii
DDHCP See Dynamic Host Configuration Protocol
documentation
comments on...................................................................vii
Dynamic Host Configuration Protocol.............................14
support table....................................................................14
EEthernet link aggregation......................................................14
support table....................................................................14
Ethernet link fault management........................................15
support table....................................................................15
Ffile format
security logs.....................................................................28
file management......................................................................17
support table.....................................................................17
firewall authentication..........................................................18
support table....................................................................18
firewall filters
stateless.............................................................................37
flow-based and packet-based processing....................18
support table....................................................................18
font conventions.......................................................................vi
Iinterfaces....................................................................................19
support table....................................................................19
user......................................................................................39
IP monitoring..............................................................................21
redundant Ethernet interface.....................................21
standalone device...........................................................21
IPsec..............................................................................................21
support table....................................................................21
IPv6..............................................................................................26
support table...................................................................26
IPv6 IP Security........................................................................27
support table....................................................................27
Llogging
sessions.............................................................................36
Mmanuals
comments on...................................................................vii
MPLS...........................................................................................28
multicast....................................................................................29
support table...................................................................29
multicast VPN..........................................................................30
45Copyright © 2013, Juniper Networks, Inc.
NNAT See Network Address Translation
Network Address Translation..............................................31
support table....................................................................31
network operations and troubleshooting......................32
support table...................................................................32
Network Time Protocol.........................................................32
support table...................................................................32
notice icons.................................................................................vi
NTP See Network Time Protocol
Ppacket capture.........................................................................33
support table...................................................................33
See also flow-based and packet-based
processing
parentheses, in syntax descriptions.................................vii
policy
security...............................................................................34
Rrouting.........................................................................................33
support table...................................................................33
Ssecure web access.................................................................34
support table...................................................................34
security log file format..........................................................28
security policy..........................................................................34
support table...................................................................34
session logging........................................................................36
SMTP...........................................................................................36
support table...................................................................36
SNMP..........................................................................................36
support table...................................................................36
stateless firewall filter...........................................................37
support table....................................................................37
support, technical See technical support
syntax conventions..................................................................vi
system log file...........................................................................37
support table....................................................................37
Ttechnical support
contacting JTAC..............................................................viii
troubleshooting
feature support...............................................................32
Uupgrading and rebooting.....................................................38
support table...................................................................38
user interfaces..........................................................................39
support table...................................................................39
Vvirtual private network
multicast...........................................................................30
VPN See virtual private network
multicast...........................................................................30
Zzones............................................................................................35
support table...................................................................35
Copyright © 2013, Juniper Networks, Inc.46
Junos OS Feature Support Reference for JunosV Firefly