Specifications
Routing Policy and Firewall Filters
• Using a firewall filter to prevent or allow datagram fragmentation (MX
Series)—Starting in Junos OS Release 13.3, you can define a firewall filter term to
prevent or allow datagram fragmentation by setting or clearing the Don’t Fragment
flag in the IPv4 header of packets that are matched by the filter. Specify the desired
action at the [edit firewall family inet filter filter-name term term-name then action]
hierarchy level.
  • To prevent fragmentation of the IP datagram, include the dont-fragment set action
    in a term to set the dont-fragment bit to one.
  • To allow fragmentation of the IP datagram, include the dont-fragment clear action
    in a term to clear the dont-fragment bit to zero.
[See Configuring a Firewall Filter to Prevent or Allow IPv4 Packet Fragmentation and
Firewall Filter Nonterminating Actions.]
• New firewall filter gre-key field match condition—Starting in Junos OS Release 13.3R3,
there is a new gre-key match condition at the [edit firewall family inet filter filter-name
term term-name from] hierarchy level. The gre-key match condition allows a user to
match against the GRE key field, which is an optional field in GRE-encapsulated packets.
The key can be matched as a single key value and/or a range of key values.
• Support for consistent load balancing for ECMP groups (MX Series routers with
MPCs)—Starting in Junos OS Release 13.3, effective in Junos OS Release 13.3R3, on
MX Series 3D Universal Edge Routers with modular port concentrators (MPCs) only,
you can prevent the reordering of flows to active paths in an ECMP group when one or
more paths fail. Only flows that are inactive are redirected. This feature applies only
to Layer 3 adjacencies learned through external BGP connections. It overrides the
default behavior of disrupting all existing, including active, TCP connections when an
active path fails. Include the consistent-hash statement at the [edit policy-options
policy-statement policy-statement-name then load-balance] hierarchy level. You must
also configure a global per-packet load-balancing policy.
[See Actions in Routing Policy Terms.]
• New fast-lookup-filter statement on MX240, MX480, MX960, MX2010, and MX2020
routers with MPC5E, MPC5EQ, and MPC6E MPCs and compatible MICs—Starting in
Junos OS Release 13.3R3, the fast-lookup-filter option is available at the [edit firewall
family (inet | inet6) filter filter-name] hierarchy level. This allows for hardware assist
from compatible MPCs in the firewall filter lookup. There are 4096 hardware filters
available for this purpose, each of which can support up to 255 terms. Within the firewall
filters and their terms, ranges, prefix lists, and the except keyword are all supported.
Only the inet and inet6 protocol families are supported.
• New action settings for firewall filter term when next-interface is down—In previous
versions of Junos OS, if the then clause of a firewall filter term was set to next-interface
and that next interface went down, traffic was lost because the default action is to
drop the packet.
Starting in Junos OS Release 13.3R3, the actions accept and next term are available at
the [edit firewall family inet filter filter-name term term-name then next-interface
Copyright © 2015, Juniper Networks, Inc.
Release Notes: Junos OS Release 13.3R6 for the EX Series, M Series, MX Series, PTX Series, and T Series
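The gre-key match condition described above examines an optional header field whose position depends on the GRE flag bits. The following Python sketch is an added illustration, not Juniper code or a description of Junos internals: it extracts the key as laid out in RFC 2784 and RFC 2890 and tests it against single values and ranges. The function names, the sample headers, and the rule that a packet without a key never matches are assumptions.

```python
import struct

GRE_C = 0x8000  # Checksum Present bit (RFC 2784)
GRE_K = 0x2000  # Key Present bit (RFC 2890)


def gre_key(gre: bytes):
    """Return the 32-bit GRE key, or None if the header carries no key."""
    if len(gre) < 4:
        raise ValueError("truncated GRE header")
    flags, _proto = struct.unpack_from("!HH", gre, 0)
    if flags & 0x0007:
        # Version 1 (PPTP) reuses these bytes for other fields.
        raise ValueError("not a version 0 GRE header")
    if not flags & GRE_K:
        return None
    # Checksum + Reserved1 (4 bytes) sit before the key when C is set.
    offset = 8 if flags & GRE_C else 4
    if len(gre) < offset + 4:
        raise ValueError("truncated GRE key field")
    return struct.unpack_from("!I", gre, offset)[0]


def key_matches(gre: bytes, allowed) -> bool:
    """allowed: single keys (int) and/or inclusive (low, high) ranges."""
    key = gre_key(gre)
    if key is None:
        return False  # assumption: no key present means no match
    for item in allowed:
        low, high = item if isinstance(item, tuple) else (item, item)
        if low <= key <= high:
            return True
    return False


# Constructed sample headers (protocol type 0x0800 = IPv4 payload;
# the checksum bytes are zero placeholders, not valid checksums).
NO_KEY = struct.pack("!HH", 0x0000, 0x0800)
KEY_ONLY = struct.pack("!HHI", GRE_K, 0x0800, 4500)
CSUM_AND_KEY = struct.pack("!HHHHI", GRE_C | GRE_K, 0x0800, 0, 0, 77)

if __name__ == "__main__":
    policy = [77, (4000, 5000)]  # one single value and one range
    for name, hdr in [("no key", NO_KEY), ("key only", KEY_ONLY),
                      ("checksum + key", CSUM_AND_KEY)]:
        print(name, gre_key(hdr), key_matches(hdr, policy))
```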