Release Notes - Juniper Networks

JUNOS® 9.5 Software Release Notes
Release 9.5R4
19 February 2010
Part Number: 530-029328-01
Revision R4
These release notes accompany Release 9.5R4 of the JUNOS software. They describe
device documentation and known problems with the software. JUNOS software runs
on all Juniper Networks M-series, MX-series, and T-series routing platforms, SRX-series
Services Gateways, J-series Services Routers, and EX-series switches.
You can also find these release notes on the Juniper Networks JUNOS Software
Documentation Web page, which is located at
http://www.juniper.net/techpubs/software/junos/.
Contents
JUNOS Software Release Notes for M-series, MX-series, and T-series Routing Platforms
  New Features in JUNOS Software Release 9.5 for M-series, MX-series, and T-series Routing Platforms
    Class of Service
    Hardware
    High Availability
    Interfaces and Chassis
    Layer 2 Ethernet Services
    MPLS Applications
    Multicast
    Platform and Infrastructure
    Routing Policy and Firewall Filters
    Routing Protocols
    Services Applications
    Software Installation and Upgrade
    Subscriber Access Management
    System Logging
    User Interface and Configuration
    VPNs
    JUNOS XML API and Scripting
  Changes in Default Behavior and Syntax in JUNOS Software Release 9.5 for M-series, MX-series, and T-series Routing Platforms
    Class of Service
    Layer 2 Ethernet Services
    High Availability
    Multicast
    MPLS Applications
    Routing Protocols
    Routing Policy and Firewall Filters
    Platform and Infrastructure
    Services
    Subscriber Access
    User Interface and Configuration
  Issues in JUNOS Software Release 9.5 for M-series, MX-series, and T-series Routing Platforms
    Current Software Release
    Previous Releases
  Errata and Changes in Documentation for JUNOS Software Release 9.5 for M-series, MX-series, and T-series Routing Platforms
    Changes to the JUNOS Documentation Set
    Errata
  Upgrade and Downgrade Instructions for JUNOS Software Release 9.5 for M-series, MX-series, and T-series Routing Platforms
    Basic Procedure for Upgrading to Release 9.5
    Upgrading a Router with Redundant Routing Engines
    Upgrading to Release 9.5 in a Routing Matrix
    Upgrading Using ISSU
    Upgrading from JUNOS Release 9.2 or Earlier on a Router Enabled for Both PIM and NSR
    Downgrade from Release 9.5
JUNOS Software Release Notes for SRX-series Services Gateways
  JUNOS for SRX-Series Services Gateways Product Overview
    Application Layer Gateways (ALGs)
    Chassis Clustering
    Flow and Processing
    Interfaces and Routing
    Security
    Intrusion Detection and Prevention (IDP)
    J-Web
    Management and Administration
  New Features in JUNOS Software Release 9.5 for SRX-series Services Gateways
    Software Features
    Hardware Features—SRX 210 Services Gateways
    Hardware Features—SRX 240 Services Gateways
    Hardware Features—SRX650 Services Gateways
    Hardware Features—SRX 5600 and SRX 5800 Services Gateways
  Changes In Default Behavior and Syntax
    CLI
    Flow and Processing
    Interfaces and Routing
    Intrusion Detection and Prevention (IDP)
    J-Web
  Known Limitations in JUNOS Software Release 9.5 for SRX-series Services Gateways
    Accounting-Options Hierarchy
    Chassis Cluster
    CLI
    Flow and Processing
    Hardware
    Interfaces and Routing
    Intrusion Detection and Prevention (IDP)
    NetScreen-Remote
    System
  Unsupported CLI Statements and Commands in JUNOS Software Release 9.5 for SRX-series Services Gateways
  Issues in JUNOS Software Release 9.5 for SRX-series Services Gateways
    Outstanding Issues in JUNOS Software Release 9.5 for SRX-series Services Gateways
    Resolved Issues in JUNOS Software Release 9.5 for SRX-series Services Gateways
  Errata in Documentation for JUNOS Software Release 9.5 for SRX-series Services Gateways
    Attack Detection and Prevention
    Chassis Clustering
    CLI
    CompactFlash Card Support
    Device Support
    DLSw
    Flow
    Installing Software Packages
    Intrusion Detection and Prevention (IDP)
    J-Web
    Screens
JUNOS Software Release Notes for J-series Services Routers
  New Features in JUNOS Software Release 9.5 for J-series Services Routers
    JUNOS Software
  Known Limitations in JUNOS Software Release 9.5 for J-series Services Routers
    Chassis Cluster
    Intrusion Detection and Prevention (IDP)
    J-Web
    Simple Network Management Protocol (SNMP)
    Unified Threat Management (UTM)
  Changes in Default Behavior and Syntax
    CLI
    Configuration
    Network Address Translation (NAT)
    Security
  Issues in JUNOS Software Release 9.5 for J-series Services Routers
    Outstanding Issues in JUNOS Software Release 9.5 for J-series Services Routers
    Resolved Issues in JUNOS Software Release 9.5 for J-series Services Routers
  Errata in Documentation for JUNOS Software Release 9.5 for J-series Services Routers
    Chassis Clustering
    CLI
    DLSw
    Intrusion Detection and Prevention (IDP)
    J-Web
    PIM
    Screens
  Hardware Requirements for JUNOS Software Release 9.5 for J-series Services Routers
    Power and Heat Dissipation Requirements for J Series PIMs
    Supported Third-Party Hardware for J Series Services Routers
    J Series CompactFlash and Memory Requirements
  Upgrade and Downgrade Instructions for JUNOS Software Release 9.5 for J-series Services Routers
JUNOS Software Release Notes for EX-series Switches
  New Features in JUNOS Software for EX-series Switches, Release 9.5
    Hardware
    Access Control and Port Security
    Bridging, VLANs, and Spanning Trees
    Class of Service (CoS)
    Layer 3 Protocols
    Management and RMON
    MPLS
    Virtual Chassis
  Changes in Default Behavior and Syntax
    Class of Service
    Interfaces
    Virtual Chassis
  Outstanding and Resolved Issues and Upgrade/Downgrade Issues in JUNOS Release 9.5 for EX-series Switches
    Outstanding Issues
    Resolved Issues
    Upgrading or Downgrading from JUNOS Release 9.4R1 for EX-series Switches
    Upgrading from JUNOS Release 9.3R1 to Release 9.5 for EX-series Switches
    Upgrading from JUNOS Release 9.2 to Release 9.5 for EX-series Switches
    Downgrading from JUNOS Release 9.5 to Release 9.2 for EX 4200 Switches
  Errata in Documentation for JUNOS Software Release 9.5 for EX-series Switches
    Hardware
    Infrastructure
    Virtual Chassis
JUNOS Documentation and Release Notes
Documentation Feedback
Requesting Technical Support
Revision History
JUNOS Software Release Notes for M-series, MX-series, and T-series Routing Platforms

■ New Features in JUNOS Software Release 9.5 for M-series, MX-series, and T-series Routing Platforms
■ Changes in Default Behavior and Syntax in JUNOS Software Release 9.5 for M-series, MX-series, and T-series Routing Platforms
■ Issues in JUNOS Software Release 9.5 for M-series, MX-series, and T-series Routing Platforms
■ Errata and Changes in Documentation for JUNOS Software Release 9.5 for M-series, MX-series, and T-series Routing Platforms
■ Upgrade and Downgrade Instructions for JUNOS Software Release 9.5 for M-series, MX-series, and T-series Routing Platforms

New Features in JUNOS Software Release 9.5 for M-series, MX-series, and T-series Routing Platforms

The following features have been added to JUNOS Release 9.5. Following the
description is the title of the manual or manuals to consult for further information.
Class of Service
■ Enhanced IQ PIC for the M320, M120, T-series, and M40e—Allows the user
  to apply a hierarchical policer for the premium and aggregate (premium plus
  normal) traffic levels to an interface. To configure the hierarchical policer, apply
  the policing-priority statement to the proper forwarding class and configure a
  hierarchical policer for the aggregate and premium level. [Class of Service]

■ Allocating extra CIR bandwidth equally amongst all PVCs—By default, all
  logical (lsq-) interfaces on a MultiServices (MS) PIC share bandwidth equally in
  the excess region (that is, bandwidth available once these interfaces have
  exhausted their committed information rate (CIR)).

  However, you can configure the excess-rate statement to control an independent
  set of parameters for bandwidth sharing in the excess region of a Frame Relay
  data-link connection identifier (DLCI) on an MS PIC. You configure the excess-rate
  statement at the [edit class-of-service traffic-control-profile] hierarchy level.
  [Network Interfaces, Class of Service]

■ Customizing type-of-service bits—By default, all logical (lsq-) interfaces on a
  MultiServices (MS) PIC preserve the type-of-service (ToS) bits in an incoming
  packet header.

  However, you can configure the translation-tables statement to replace the arriving
  ToS bit pattern with a user-defined value. You configure the translation-tables
  statement at the [edit class-of-service] hierarchy level.

  This feature follows exactly the same configuration rules as the Enhanced IQ
  PIC. [Class of Service]
■ Rate-limit and excess rate/excess priority option—You can configure bandwidth
  sharing rate limits, excess rate, and excess priority at the queue level on the
  following routers:
  ■ M120 (rate limit and excess priority only; excess rate is handled by the
    hardware.)
  ■ MX-series (rate limit, excess rate, and excess priority)
  ■ T-series (rate limit, excess rate, and excess priority)

  Some Packet Forwarding Engine chipsets support rate limits by enabling rate
  control and keeping the queue length small. The Enhanced Type II FPCs support
  configuration of excess priority but do not support configuration of excess rate.
  The Enhanced Type III FPCs support configuration of excess rate and excess
  priority.

  You configure rate limits when you have a concern that low latency packets
  (such as high or strict-high priority packets for voice) might starve low-priority
  and medium-priority packets. In the JUNOS software, the low latency queue is
  implemented by rate-limiting packets to the transmit bandwidth. The rate limiting
  is performed immediately before queueing the packet for transmission. All
  packets which exceed the rate limit are dropped, not queued.

  By default, if the excess priority is not configured for a queue, the excess priority
  will be the same as the normal queue priority. If none of the queues have an
  excess rate configured, then the excess rate will be the same as the transmit
  rate percentage. If at least one of the queues has an excess rate configured, then
  the excess rate for the queues which do not have an excess rate configured will
  be set to zero.

  When the physical interface is on queuing hardware such as the IQ, IQ2, IQE
  PICs, or MX-series DPCs, these features are not supported.

  You cannot configure both rate limits and buffer sizes on these Packet Forwarding
  Engines.

  Four levels of excess priorities are supported: low, medium-low, medium-high,
  and high.

  All queues can be rate limited, whether eight or four queues are configured. The
  queue is shaped by limiting the queue to the transmit rate and reducing the
  queue buffer size to 1 millisecond. For example, a rate-limited queue (scheduler)
  with a configured transmit rate of 100 Mbps has a delay buffer of 1 millisecond
  of 100 megabytes, and the queue is shaped (rate controlled) to 100 Mbps. The
  queue output will be exactly 100 Mbps and the 1-millisecond buffer is available
  to absorb any transmission bursts. Any traffic above and beyond this limit is
  tail-dropped and in statistics this traffic is counted as rate-limited drops.

  To configure rate limits for non-queuing Packet Forwarding Engines, include the
  shaping rate statement at the [edit class-of-service schedulers scheduler-name]
  hierarchy level.

  To configure the excess rate for non-queuing Packet Forwarding Engines, include
  the excess-rate statement at the [edit class-of-service schedulers scheduler-name]
  hierarchy level.

  To configure the excess priority for non-queuing Packet Forwarding Engines,
  include the excess-priority statement at the [edit class-of-service schedulers
  scheduler-name] hierarchy level.

  The relationship among the configured guaranteed rate, excess rate, guaranteed
  priority, excess priority, and offered load is not always obvious. [Class of Service]
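
The default rules for excess rate and excess priority described above, worked through as an added example (not Juniper code and not part of the original release notes). The function name resolve_excess_defaults, the dictionary keys, and the scheduler names are hypothetical, and the sample schedulers are constructed; the point is to flag queues whose excess rate silently becomes zero once any other queue has an excess rate configured.

```python
# Added example: applies the documented defaults for excess priority and
# excess rate to a set of schedulers and reports queues that end up with a
# zero excess rate. All names and sample values here are constructed.

EXCESS_PRIORITIES = ("low", "medium-low", "medium-high", "high")


def resolve_excess_defaults(schedulers):
    """Return (effective, warnings) for a {name: settings} mapping.

    settings keys (hypothetical): "priority", "transmit_rate_pct", and the
    optional "excess_rate_pct" and "excess_priority".
    """
    # Queues that carry an explicit excess rate; one is enough to change
    # the default for every other queue.
    explicit = [n for n, s in schedulers.items() if "excess_rate_pct" in s]
    effective, warnings = {}, []

    for name, sched in schedulers.items():
        # Excess priority: explicit value must be one of the four levels,
        # otherwise it is the same as the normal queue priority.
        if "excess_priority" in sched:
            excess_priority = sched["excess_priority"]
            if excess_priority not in EXCESS_PRIORITIES:
                raise ValueError(
                    f"{name}: unsupported excess priority {excess_priority!r}"
                )
        else:
            excess_priority = sched["priority"]

        # Excess rate: explicit value wins; with no explicit value anywhere
        # it equals the transmit rate percentage; otherwise it is zero.
        if "excess_rate_pct" in sched:
            excess_rate = sched["excess_rate_pct"]
        elif explicit:
            excess_rate = 0
            warnings.append(
                f"{name}: excess rate is 0 because an excess rate is "
                f"configured on {', '.join(explicit)}"
            )
        else:
            excess_rate = sched["transmit_rate_pct"]

        effective[name] = {
            "excess_rate_pct": excess_rate,
            "excess_priority": excess_priority,
        }
    return effective, warnings


# Constructed sample: no queue has an excess rate configured.
NO_EXCESS_CONFIGURED = {
    "voice": {"priority": "high", "transmit_rate_pct": 20},
    "video": {"priority": "medium-high", "transmit_rate_pct": 30},
    "data": {"priority": "low", "transmit_rate_pct": 50},
}

# Constructed sample: only "video" has an excess rate and excess priority.
ONE_EXCESS_CONFIGURED = {
    "voice": {"priority": "high", "transmit_rate_pct": 20},
    "video": {
        "priority": "medium-high",
        "transmit_rate_pct": 30,
        "excess_rate_pct": 40,
        "excess_priority": "low",
    },
    "data": {"priority": "low", "transmit_rate_pct": 50},
}

if __name__ == "__main__":
    for label, cfg in (
        ("no excess rate configured", NO_EXCESS_CONFIGURED),
        ("one excess rate configured", ONE_EXCESS_CONFIGURED),
    ):
        effective, warnings = resolve_excess_defaults(cfg)
        print(label)
        for queue, values in effective.items():
            print(f"  {queue}: {values}")
        for warning in warnings:
            print(f"  WARNING {warning}")
```
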
Hardware
■ New 10-port Channelized E1/T1 Enhanced IQ (IQE) PIC with RJ-48 connector
  (M40e, M120, M320, and T series)—The IQE PICs support the same features
  as existing IQ PICs. In addition, they support enhanced CoS and diagnostic
  features. The valid configuration statements are also the same; for some options,
  limits and ranges of values are different to support augmented capabilities. Model
  number PB-10CHE1-T1-IQE-RJ48. [PIC Guides, Class of Service, Network Interfaces]

■ New Flexible PIC Concentrators (FPCs) (T640 and T1600)—The T640 and
  T1600 core routers support a new Type 2 FPC (T640-FPC2-ES) and a new Type
  4 FPC (T640-FPC4-1P-ES).

  NOTE: Before you install the T640-FPC2-ES or the T640-FPC4-1P-ES in a T640 routing
  node, all SIBs must be SIB version B, or T640–SIBs for T640 nodes connected to a
  TX matrix. [PIC Guides]

■ New Flexible PIC Concentrators (FPCs) MX-FPC2 (MX-series)—JUNOS Release
  9.5 supports the MX-FPC2 on MX-series platforms. The MX-FPC2 supports up to
  two PICs per FPC. For a list of supported PICs, see the MX-series PIC Guide.
  [MX-series PIC Guide, MX240 Hardware Guide, MX480 Hardware Guide, MX960
  Hardware Guide]
High Availability
■ Nonstop active routing support for RSVP-TE LSPs—Starting with Release 9.5,
  the JUNOS software extends nonstop active routing support to transit
  label-switching routers (LSR) that are part of an RSVP-TE LSP. Nonstop active
  routing support on transit LSRs ensures that the master to backup Routing Engine
  switchover on an LSR remains transparent to the network neighbors and that
  the path and LSP information remains unaltered during and after the switchover.

  You can use the show rsvp version command to find out the nonstop active routing
  mode and state on a label-switching router.

  However, the JUNOS software does not support the following features for nonstop
  active routing on RSVP-TE LSRs:
  ■ Point-to-multipoint (P2MP) LSPs
  ■ Generalized Multiprotocol Label Switching (GMPLS) and LSP hierarchy
  ■ Inter-domain or loose hop expansion LSPs

  [High Availability]

■ Unified ISSU support on additional hardware—Extends the unified ISSU support
  to the following routing platforms and PICs:
  ■ M10i routing platforms with Enhanced Compact Forwarding Engine Board
    (CFEB-E)
  ■ Enhanced IQ2 PICs (IQ2-E):
    ■ PC-8GE-TYPE3-SFP-IQ2E
    ■ PB-8GE-TYPE2-SFP-IQ2E
    ■ PB-4GE-TYPE1-SFP-IQ2E
    ■ PC-1XGE-TYPE3-XFP-IQ2E

  [High Availability]
Interfaces and Chassis
■ New 10-port Channelized E1/T1 IQE PIC (M320, M120, T-series
  platforms)—Provides 10 E1/T1 ports with increased channelization and enhanced
  COS features. To configure, use the same interface configuration syntax as for
  the existing Channelized E1 IQ PIC and Channelized T1 IQ PIC. The configuration
  limits have changed to match its augmented capabilities. [Network Interfaces,
  Class of Service]

■ Ethernet Local Management Interface (E-LMI) (MX-series)—Enables you to
  configure an MX-series router with ge, xe, or ae interfaces, operating on the
  provider edge (PE), to send connectivity status and configuration parameters of
  Ethernet services available on the customer edge (CE) port. The E-LMI procedures
  and protocols are used for enabling autoconfiguration of the CE to support Metro
  Ethernet services.

  E-LMI interoperates with an Operations, Administration, and Management (OAM)
  protocol, such as Connectivity Fault Management (CFM), that runs within the
  provider network to collect OAM status. CFM runs at the provider maintenance
  level (User Network Interface [UNI] UNI-N to UNI-N with up Management End
  Points [MEPs] at the UNI). E-LMI relies on the CFM for end-to-end status of
  Ethernet virtual connections (EVCs) across CFM domains (SVLAN domain or
  VPLS).

  To configure E-LMI, include the connectivity-fault-management, evcs, and lmi
  statements at the [edit protocols oam ethernet] hierarchy level. [Network Interfaces]
■ Ethernet Delay Measurement (ETH-DM) (MX-series)—Enables you to configure
  on-demand Operations, Administration, and Maintenance (OAM) for
  measurement of frame delay and frame delay variation (jitter) in either one-way
  or two-way mode, gathering frame delay statistics, and is capable of simultaneous
  statistics collection from multiple sessions. ETH-DM provides fine control to
  operators for triggering delay measurement on a given service and can be used
  to monitor SLAs. ETH-DM also collects other useful information, such as worst
  and best case delays, average delay, and average delay variation. ETH-DM
  supports hardware-based timestamping in the receive direction for delay
  measurements. It provides a run-time display of delay statistics when two-way
  delay measurement is triggered. ETH-DM records the last 100 samples collected per
  session. You can retrieve the history at any time. JUNOS software maintains
  various counters for ETH-DM PDUs which can be retrieved at any time. You can
  clear all the ETH-DM statistics and PDU counters. ETH-DM is fully compliant with
  ITU-T Y.1731.

  To trigger ETH-DM, use the monitor ethernet delay-measurement (one-way | two-way)
  (remote-mac-address | mep identifier) maintenance-domain name
  maintenance-association ma-id [count count] [wait time] operational command.

  To enable hardware-assisted timestamping in the reception path, use the
  performance-monitoring hardware-assisted-timestamping statement at the [edit
  protocols oam ethernet connectivity-fault-management] hierarchy level.

  To retrieve the last 100 ETH-DM statistics per session, two show commands are
  provided: one for all statistics (all OAM frame counters and ETH-DM) and one
  for ETH-DM statistics only.

  To retrieve all statistics for a given session, use the show oam ethernet
  connectivity-fault-management mep-statistics maintenance-domain name
  maintenance-association name [local-mep identifier] [remote-mep identifier] [count
  count] command.

  To retrieve only ETH-DM statistics for a given session, use the show oam ethernet
  connectivity-fault-management delay-statistics maintenance-domain name
  maintenance-association name [local-mep identifier] [remote-mep identifier] [count
  count] command.

  [Network Interfaces]
■ Unidirectional link support on 10-Gigabit Ethernet IQ2 PIC interfaces (T-series
  routing platforms)—Enables 10-Gigabit Ethernet IQ2 PIC interfaces on T-series
  routing platforms to operate in unidirectional mode. Unidirectional links reduce
  the number of ports required for broadcast video traffic applications, where most
  of the traffic flow is in only one direction. [Multiplay Solutions, Network Interfaces]

■ Support for new Flexible PIC Concentrator with enhanced scalability (T640,
  T1600)—Supports four Type 2 PICs per FPC2. For PIC compatibility, see the
  T640 Routing Node PIC Guide and T1600 Routing Node PIC Guide.
  [Network Interfaces, PIC Guide]

■ Support for new Flexible PIC Concentrator FPC4-1 with enhanced scalability
  (T640, T1600)—Supports one Type 4 PIC per FPC4-1. For PIC compatibility, see
  the T640 Routing Node PIC Guide and T1600 Routing Node PIC Guide.
  [Network Interfaces, PIC Guide]

■ New auto-negotiation of speed and disable Auto MDI/MDIX features
  (MX-series)—Support for auto-negotiation of speed on MX-series platforms with
  10/100/1000 capable DPCs and Tri-Rate Copper SFPs. The interface speed
  determined by auto-negotiation is propagated to CoS, routing protocols, and
  other system components. Half duplex mode is not supported.

  To specify the auto-negotiation speed, use the speed <(auto | 1 Gbps | 100 Mbps
  | 10 Mbps)> statement at the [edit interface ge-/fpc/pic/port] hierarchy level.

  To set port speed negotiation to a specific rate, set the port speed to either 1
  Gbps, 100 Mbps, or 10 Mbps. If the negotiated speed and the interface-speed
  do not match, the link will not be brought up.

  If you set the auto-negotiation speed auto option, then the port speed is
  negotiated.

  You can disable Auto MDI/MDIX using the no-auto-mdix statement under the [edit
  interface ge-/fpc/pic/port gigether-options] hierarchy level.

  Use the show interfaces ge-fpc/pic/port brief command to display the auto
  negotiation of speed and Auto MDI/MDIX states.

  [Network Interfaces]
■
Extended period for T1 and E1 bit error rate test (BERT) (M-series,
T-series)—Supports running BERT for a period of up to 24 hours (previous
4–minute maximum) on the following T1 and E1 interfaces, and includes
channelized PICs which can be channelized down to T1 or E1 interfaces:
IQ PICs:
■
10-port CT1 IQ PIC
■
10-port CE1 IQ PIC
■
1-port OC3 Channelized down to T1/DS0 IQ PIC
■
1-port Channelized STM1 IQ PIC
■
2-port Channelized STM1 IQ PIC
■
1-port Channelized 0C12 IQ PIC
IQE PICs:
■
4-port DS3/E3 Channelized IQE PIC (Type 1)
■
10-port CHT1/E1 Channelized IQE PIC (Type 1)
■
2-port COC3/STM1 Channelized IQE PIC (Type 1)
■
1-port COC12/STM4 Channelized IQE PIC (Type 1)
■
4-port CHOC12/STM4 Channelized IQE PIC (Type 2)
■
1-port CHOC48/STM16 Channelized IQE PIC (Type 2)
Standard PICs:
■
2-port T1 PIC
■
4-port T1 PIC
■
2-port E1 PIC
■
4-port E1 PIC
■
10-port CE1 704 PIC
■
1-port OC3 Channelized down to T1 PIC
■
1-port STM1 Channelized down to E1 PIC
■
1-port OC12 Channelized PIC
To configure the BERT period on T1 interfaces, use the bert-period seconds
statement at the [edit interfaces t1-fpc/pic/port t1-options] hierarchy level. The
range is from 1 through 86,400 seconds. The default value is 240 seconds.
To configure the BERT period on E1 interfaces, use the bert-period seconds
statement at the [edit interfaces e1-fpc/pic/port e1-options] hierarchy level. The
range is from 1 through 86,400 seconds. The default period is 10 seconds.
You can use the show interfaces t1-fpc/pic/port extensive | find BERT command
to display T1 PIC BERT results.
You can use the show interfaces e1-fpc/pic/port extensive | find BERT command
to display E1 PIC BERT results.
[Network Interfaces]
■
New Flexible PIC Concentrator (FPC) MX-FPC2 (MX-series)—Supports
non-Ethernet PICs on MX-series platforms. For a list of supported PICs, see the
MX-series PIC Guide. [Network Interfaces, PIC Guide]
■
JUNOS software Layer 3 datapath support for Type 2 FPC (MX-series)—Supports
two PICs per FPC. For PIC compatibility, see the MX-series PIC Guide. [Network
Interfaces]
■
VPLS support on new Flexible PIC Concentrator MX-FPC2
(MX-series)—Supports non-Ethernet PICs on MX-series platforms. For a complete
list of supported PICs, see the MX-series Hardware Guide.
[Network Interfaces, MX-series Hardware Guide]
■
Support for inter-PSD forwarding (JCS 1200)—Enables communication between
PSDs without requiring dedicated physical links. Instead, PSD communication
is achieved by using internal tunnel PICs that reside on the PSD. The PSDs
communicate over logical interfaces (ifls) configured on the tunnel PICs. Multiple
logical interfaces can be configured on the tunnel PIC, allowing the PSD to
communicate with multiple PSDs over the same tunnel PIC.
For inter-PSD forwarding, each PSD that needs to communicate with another
PSD must have a Tunnel PIC attached. To configure inter-PSD forwarding on a
PSD, include the following statements at the [edit interfaces] hierarchy level of
the associated PSDs:
xt-fpc/pic/port {
    unit unit-number {
        peer-psd psdn;
        peer-interface logical-interface-name;
        encapsulation frame-relay;
        point-to-point;
        dlci dlci-value;
    }
}
Currently, only Frame Relay encapsulation is supported for inter-PSD forwarding.
[JUNOS PSD Configuration Guide].
■
VLAN rewrite operations on incoming and outgoing frames (M320, M120,
and MX platforms)—Supports adding a new VLAN tag in front of the existing
one, removing a VLAN tag or replacing the existing tag with a new user-configured
tag, on tagged frames only, on a per logical interface basis in both the ingress
and egress directions. Encapsulation on the logical interface must be vlan-ccc,
vlan-vpls, extended-vlan-ccc, or extended-vlan-vpls. This enhancement also supports
rewrite operations on untagged frames under ethernet-ccc and ethernet-vpls
encapsulations.
The JUNOS software supports the following rewrite operations under ethernet-ccc
and ethernet-vpls encapsulations:
■
push—A VLAN tag is added to the incoming untagged frame.
■
pop—The VLAN tag is removed from the outgoing frame.
■
push-push—An outer and inner VLAN tag are added to the incoming
untagged frame.
■
pop-pop—Both the outer and inner VLAN tags of the outgoing frame are
removed.
push-push and pop-pop operations are not supported on Ethernet IQ PICs.
Ethernet IQ2 PICs support all the above mentioned rewrite operations.
M320 and M120 platforms with the following PICs support this feature:
Ethernet IQ PICs:
■
Gigabit Ethernet IQ, 1-port SFP
■
Gigabit Ethernet IQ, 2-port SFP
Ethernet IQ2 PICs:
■
1-Gigabit Ethernet IQ2, 4-port SFP oversubscription
■
1-Gigabit Ethernet IQ2, 8-port SFP oversubscription
■
1-Gigabit Ethernet IQ2, 8-port SFP line rate
■
10-Gigabit Ethernet IQ2, 1-port XFP line rate
Enhanced Ethernet IQ2E PICs:
■
1-Gigabit Ethernet IQ2E, 4-port
■
1-Gigabit Ethernet IQ2E, 8-port
■
10-Gigabit Ethernet IQ2E, 1-port
MX platforms with the following DPCs support this feature:
■
Gigabit Ethernet R, 40-port SFP
■
Gigabit Ethernet R EQ, 40-port SFP
■
10-Gigabit Ethernet R, 1-port XFP
■
10-Gigabit Ethernet R EQ, 1-port XFP
In the input-vlan-map, only the push and push-push operations are permitted.
Similarly, only pop and pop-pop operations are permitted in the output-vlan-map.
For push and push-push operations, the tag parameters must be explicitly
specified. All other rules for configuring input-vlan-map and output-vlan-map remain
unchanged.
To configure an input VLAN map, use the input-vlan-map statement and options
at the [edit interfaces interface-name fpc/pic/port unit number] hierarchy level.
To configure an output VLAN map, use the output-vlan-map statement and options
at the [edit interfaces interface-name fpc/pic/port unit number] hierarchy level.
NOTE: Unit encapsulation must be set to ethernet-ccc or ethernet-vpls; otherwise, the
input VLAN map and output VLAN map settings will not be valid.
You can use the show interface interface-name dpc/pic/port command to display
the Index, SNMP ifIndex, flags, In(push), Out(pop), and Encapsulation parameters.
[Network Interfaces]
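The rewrite rules above, applied to raw Ethernet frames, as an added example that is not Juniper code. The function and parameter names (input_vlan_map, output_vlan_map, vlan_id, inner_vlan_id), the fixed 0x8100 TPID, and the sample frame are assumptions of this sketch.

```python
import struct

TPID = 0x8100  # assumption: every tag in this sketch uses the 802.1Q TPID

INPUT_OPS = {"push": 1, "push-push": 2}   # the only operations allowed on input
OUTPUT_OPS = {"pop": 1, "pop-pop": 2}     # the only operations allowed on output


def vlan_ids(frame):
    """Return the VLAN IDs carried by a frame, outermost tag first."""
    ids, off = [], 12  # tags start right after the two 6-byte MAC addresses
    while len(frame) >= off + 4 and struct.unpack_from("!H", frame, off)[0] == TPID:
        ids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return ids


def make_tag(vlan_id):
    """Build one 4-byte tag; the VLAN ID must be given explicitly."""
    if vlan_id is None:
        raise ValueError("push operations need explicit tag parameters")
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range: %r" % vlan_id)
    return struct.pack("!HH", TPID, vlan_id)


def input_vlan_map(frame, op, vlan_id=None, inner_vlan_id=None):
    """Apply push or push-push to an incoming frame."""
    if op not in INPUT_OPS:
        raise ValueError("only push and push-push are permitted on input")
    tags = make_tag(vlan_id)
    if op == "push-push":
        tags += make_tag(inner_vlan_id)  # outer tag first, then inner
    return frame[:12] + tags + frame[12:]


def output_vlan_map(frame, op):
    """Apply pop or pop-pop to an outgoing frame."""
    if op not in OUTPUT_OPS:
        raise ValueError("only pop and pop-pop are permitted on output")
    count = OUTPUT_OPS[op]
    if len(vlan_ids(frame)) < count:
        raise ValueError("%s needs %d tag(s) on the frame" % (op, count))
    return frame[:12] + frame[12 + 4 * count:]


# Constructed sample: untagged IPv4 frame with made-up MAC addresses.
UNTAGGED = (bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
            + struct.pack("!H", 0x0800) + b"constructed payload")

if __name__ == "__main__":
    tagged = input_vlan_map(UNTAGGED, "push-push", vlan_id=100, inner_vlan_id=200)
    print(vlan_ids(tagged))
    print(output_vlan_map(tagged, "pop-pop") == UNTAGGED)
```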
■
1-port 10-Gigabit XENPAK PIC as a shared interface PIC (JCS 1200)—Support
for the 1-port 10 Gigabit XENPAK PIC (PC-1XGE-XENPAK) as a shared interface
PIC on the JCS 1200 platform. This shared interface supports VLAN tag IP routing
(Ethernet or ENET2) encapsulation. [JUNOS PSD Configuration Guide]
■
TX-series supports unnumbered Ethernet interfaces (TX-series)—Removes
TX-series restriction on configuring unnumbered Ethernet interfaces. [Network
Interfaces]
■
Next-hop groups (MX-series)—You can configure next-hop groups for the
MX-series routers using either IP addresses or Layer 2 addresses for the next
hops. Use the group-type [inet | layer-2] statement at the [edit forwarding-options
next-hop-group group-name] hierarchy level to establish the next-hop groups. You can also
reference more than one port-mirroring instance in a filter on MX-series routers.
Use the port-mirror-instance instance-name statement at the [edit firewall family
family-name filter filter-name term term-name] hierarchy level to refer to one of several
port-mirroring instances. [Layer 2 Configuration Guide, Policy Framework]
■
DHCP support for integrated routing and bridging (MX-series routers)—DHCP
is now supported in integrated routing and bridging (IRB) configurations. When
you configure IRB in a network that is using DHCP, the DHCP information (for
example, authentication, address assignment, and so on) is propagated in the
associated bridge domain. This enables the DHCP server to configure client IP
addresses residing within the bridge domain. This feature currently works only
for static configurations. The show dhcp server binding detail command has been
enhanced to show both the Layer 2 interface and the IRB interface when
applicable. [Subscriber Access]
Layer 2 Ethernet Services
■
Hash key load balancing support for Layer 3 and Layer 4 fields—By default,
the hash key mechanism to load-balance frames across LAG interfaces is based
on Layer 2 fields (such as frame source and destination address) as well as the
input logical interface (unit). No Layer 3 or Layer 4 fields are examined as
part of the default hash process, so the default is not optimized for Layer 2
switching where frames carry the same source and destination MAC addresses: one
link is overutilized and other links are underutilized.
You can configure the load-balancing hash key for Layer 2 traffic to use fields in
the Layer 3 and Layer 4 headers inside the frame payload for load-balancing
purposes using the payload statement. You can configure the statement to look
at layer-3 (and source-address-only or destination-address-only packet header fields)
or layer-4 fields. You configure this statement at the [edit forwarding-options
hash-key family multiservice] hierarchy level. [Layer 2 Configuration Guide, Policy,
Network Interfaces]
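The effect described above, shown on constructed traffic, as an added example that is not Juniper code. The SHA-256 based hash stands in for the router's real (undocumented here) hash function, and the function names, the payload and l3_only parameters, and the sample flows are assumptions of this sketch.

```python
import hashlib
import struct


def lag_member(fields, n_links):
    """Map the selected header fields to a LAG member index (stand-in hash)."""
    digest = hashlib.sha256(b"".join(fields)).digest()
    return int.from_bytes(digest[:4], "big") % n_links


def hash_key(flow, payload=(), l3_only=None):
    """Select the fields that feed the hash.

    With no payload option only Layer 2 fields and the input unit are used,
    which models the default behaviour. payload may contain "layer-3" and
    "layer-4"; l3_only may be "source-address-only" or
    "destination-address-only".
    """
    fields = [flow["src_mac"], flow["dst_mac"], struct.pack("!H", flow["unit"])]
    if "layer-3" in payload:
        if l3_only != "destination-address-only":
            fields.append(flow["src_ip"])
        if l3_only != "source-address-only":
            fields.append(flow["dst_ip"])
    if "layer-4" in payload:
        fields.append(struct.pack("!HH", flow["sport"], flow["dport"]))
    return fields


def link_counts(flows, n_links, payload=(), l3_only=None):
    """Count how many flows land on each LAG member link."""
    counts = [0] * n_links
    for flow in flows:
        counts[lag_member(hash_key(flow, payload, l3_only), n_links)] += 1
    return counts


# Constructed sample: 200 flows from one server to 200 clients, all crossing
# the same pair of routers, so every frame has the same MAC addresses and unit.
FLOWS = [
    {
        "src_mac": bytes.fromhex("020000000001"),
        "dst_mac": bytes.fromhex("020000000002"),
        "unit": 0,
        "src_ip": bytes([192, 0, 2, 10]),
        "dst_ip": bytes([198, 51, 100, i]),
        "sport": 443,
        "dport": 1024 + i,
    }
    for i in range(1, 201)
]

if __name__ == "__main__":
    print("default (Layer 2 only):", link_counts(FLOWS, 4))
    print("layer-3, source only:  ",
          link_counts(FLOWS, 4, ("layer-3",), "source-address-only"))
    print("layer-3:               ", link_counts(FLOWS, 4, ("layer-3",)))
    print("layer-3 + layer-4:     ", link_counts(FLOWS, 4, ("layer-3", "layer-4")))
```

Because every sample flow shares one source address, the source-address-only run stays on a single link just like the default, while the full Layer 3 and Layer 4 keys spread the flows.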
MPLS Applications
■
GRES for MPLS ingress and egress P2MP LSPs—Graceful Routing Engine
switchover (GRES) and graceful restart are now supported for point-to-multipoint
(P2MP) LSPs at ingress and egress routers. The P2MP LSPs must be configured
using static routes or CCC. GRES and graceful restart are not supported on P2MP
LSPs configured for VPLS or next-generation multicast VPNs (MVPNs). GRES and
graceful restart allow the traffic to be forwarded at the Packet Forwarding Engine
(PFE) based on the old state while the control plane recovers using the standard
graceful restart procedures. This functionality is enabled automatically whenever
you enable GRES and graceful restart on the router. [MPLS Applications]
■
Statistics for P2MP LSPs—A number of commands have been enhanced to allow
you to display statistics related to point-to-multipoint (P2MP) LSPs.
The revised commands are:
■
show mpls lsp statistics p2mp
■
show mpls lsp statistics p2mp ingress
■
show mpls lsp statistics p2mp transit
■
monitor label-switched-path sub-LSP-name
You can now display information on P2MP LSPs by issuing these commands on
either the ingress router of the P2MP LSP or from any of the routers along any
of the sub-LSP paths. [Routing Protocols Reference]
■
Automatic policers for P2MP LSPs—You can now configure automatic policers
for point-to-multipoint (P2MP) LSPs. P2MP LSPs allow you to establish LSPs with
a single origin and multiple destinations. Automatic policers allow you to
automatically limit the amount of traffic sent over the P2MP LSP, providing a
strict service guarantee for network traffic. You configure automatic policers on
the trunk routing node for the P2MP LSP using the auto-policing statement
configured at the [edit protocols mpls] hierarchy level. [MPLS Configuration Guide]
Multicast
■
Hierarchical bandwidth adjustment and reverse OIF mapping—Enables you
to disable hierarchical bandwidth adjustment for all subscriber interfaces that
are reverse OIF mapped from a specified multicast interface. Reverse OIF
mapping is used to determine the subscriber VLAN interface and the multicast
traffic bandwidth on the interface.
To disable hierarchical bandwidth adjustment for all subscribers on a multicast
interface, include the no-qos-adjust statement at the [edit routing-options multicast
interface [interface-names] reverse-oif-mapping] hierarchy level.
To display the multicast bandwidth consumed on the subscriber interfaces, issue
the show multicast interfaces command. [Multicast, Subscriber Access]
■
Turn off spanning-tree interface state (MX-series)—By default, the IGMP
snooping process on an MX-series router is aware of topology changes made by
any of the spanning-tree protocols (STPs).
The default behavior for the IGMP snooping process on an MX-series router can
be changed to ignore the spanning-tree topology change messages. To ignore
the spanning-tree topology change messages, include the
ignore-stp-topology-change statement at the [edit routing-instances
routing-instance-name bridge-domains bridge-domain-name multicast-snooping-options]
hierarchy level.
[Multicast, MX-series Layer 2 Configuration Guide]
■
Full support for IGMPv3 snooping on Layer 2 interfaces (MX-series)—The
JUNOS software provides full support for IGMPv3 snooping on Layer 2 interfaces
for VPLS instances and IRB bridging. Only Include mode and Internet Standard
Multicast (ISM) version of Exclude Mode are supported for this release. This
support gives the hosts the flexibility to choose the source from which they want
to receive the traffic. No additional configuration is required. [Multicast, Routing
Protocols and Policies Command Reference]
■
Dynamic reuse of data multicast distribution tree group addresses—A limited
number of multicast group addresses are available for use in data multicast
distribution tree (MDT) tunnels. By default, when the available multicast group
addresses are all used, no new data MDTs can be created.
You can enable dynamic reuse of data MDT group addresses. Dynamic reuse of
data MDT group addresses allows multiple multicast streams to share a single
MDT and multicast provider group address. For example, three streams can use
the same provider group address and MDT tunnel. When the feature is enabled,
new streams are assigned to a particular MDT in a round-robin fashion. Note
that if the provider tunnel is being used by multiple customer streams, it might
result in egress routers receiving customer traffic that is not requested by the
attached customer sites. This is similar to what happens if multiple customer
streams are sent on the default MDT tunnel.
To enable dynamic reuse of data MDT group addresses, include the data-mdt-reuse
statement. The data-mdt-reuse statement can be configured at the [edit
logical-systems logical-system-name routing-instances routing-instance-name protocols
pim mdt] and [edit routing-instances routing-instance-name protocols pim mdt]
hierarchy levels. [Multicast, Routing Protocols and Policies Command Reference]
Platform and Infrastructure
■
Enhancements to Juniper Networks enterprise-specific MPLS MIB—The
following objects of the enterprise-specific MPLS MIB (jnx-mpls.mib) have been
modified to support and store information about manual bypass tunnels through
the entire life cycle of a bypass tunnel. Both mplsLspState and mplsLspInfoState
objects now have two additional values: notInService (integer value: 4) and
backupActive (5). The notInService state indicates that the LSP has been torn down
or never been signaled due to the lack of demand for its protection. The
backupActive state indicates that the LSP is up and carrying user traffic for at
least one protected LSP due to the failure of the LSP, which has caused the
creation of a backup LSP. Similarly, the mplsPathType and mplsPathInfoType
objects now have a new value, bypass (5), to denote that the path is a
manually-configured bypass tunnel. In the previous releases, the information
about bypass tunnels was stored in the standard mplsTunnelTable that uses a
combination of mplsTunnelIndex, mplsTunnelInstance, mplsTunnelIngressLSRId,
and mplsTunnelEgressLSRId as index. Because the value for mplsTunnelInstance
changes when an LSP is signaled or resignaled, new entries are created each
time an LSP is signaled or resignaled. This has been causing problems in tracking
the state of bypass tunnels. The latest enhancements to the enterprise-specific
MIB, which uses the LSP name as the index, enable the MIB to store information
about a bypass tunnel in a single entry and enable users to access information about
the bypass tunnel throughout its life cycle using a single index. The show mpls lsp
bypass command returns information about bypass tunnels of all states. [Network
Management]
Routing Policy and Firewall Filters
■
Dynamic configuration support for routing policies—Enables you to configure
routing policies in a dynamic database that is not subject to the same verification
required to commit configuration changes to the standard configuration database.
As a result, you can quickly commit routing policies that can be referenced and
applied in the standard configuration as needed. The dynamic database is stored
in the /var/run/db/juniper.dyn directory.
To configure a dynamic database, enter the configure dynamic command to be
placed in the [edit dynamic] hierarchy. At the [edit dynamic policy-options] hierarchy
level, you can configure the following statements: as-path as-path-name,
as-path-group group-name, community community-name, condition condition-name,
prefix-list prefix-list-name, and policy-statement policy-statement-name. No other
configuration is supported at the [edit dynamic] hierarchy level.
All the policies that you configure in the dynamic database can be referred to in
policies configured in the standard configuration under the [edit policy-options]
hierarchy level. To define a routing policy based on the dynamic database
configuration, include the dynamic-db statement at the [edit policy-options
policy-statement policy-statement-name] hierarchy level in the standard
configuration mode. You can also include the dynamic-db statement at the
following hierarchy levels: [edit policy-options as-path as-path-name], [edit
policy-options as-path-group group-name], [edit policy-options community
community-name], [edit policy-options condition condition-name], and [edit
policy-options prefix-list prefix-list-name]. In this way, you can define any of these
policy objects using the dynamic database configuration. You can then apply
any of these policies that reference the dynamic database configuration to a
routing policy configured in the standard configuration. For example, include
the dynamic-db statement at the [edit policy-options prefix-list p11] hierarchy level
to create a prefix list, p11, that references the dynamic database configuration.
You can then include the prefix-list p11 statement at the [edit policy-options
policy-statement policy-statement-name from] hierarchy level in the standard
configuration to define a routing policy that matches on a prefix list configured
in the dynamic database.
Currently, BGP is the only protocol to which you can apply routing policies
configured in the dynamic database. You must use the standard configuration
mode to apply routing policies configured in the dynamic database. For example,
you configure policy-statement dyn-policy1 at the [edit dynamic] hierarchy level.
You then define a routing policy based on the dynamic database configuration
by including the dynamic-db statement at the [edit policy-options policy-statement
dyn-policy1] hierarchy level. You can then apply the dyn-policy1 routing policy at
the [edit protocols bgp group group-name neighbor address export] or [edit protocols
bgp group group-name neighbor address import] hierarchy level in the standard
configuration mode. [Policy]
■
IEEE 802.1p priority match conditions for Layer 2 VPN firewall filters
(MX-series routers)—Enables you to configure firewall filters for Layer 2 VPN
traffic that match on learned and user IEEE 802.1p priority fields. To match on
a learned 802.1p priority field, include the learn-vlan-1p-priority value statement
at the [edit firewall family ccc filter filter-name term term-name from] hierarchy level.
To match on a user 802.1p priority field, include the user-vlan-1p-priority value
statement at the [edit firewall family ccc filter filter-name term term-name from]
hierarchy level. These match conditions were previously supported with VPLS
and Layer 2 bridging only. [Policy, Layer 2 Configuration Guide]
■
Port mirroring for VPLS traffic and multiple port-mirroring instances for IPv4,
IPv6, and VPLS traffic (M7i, M10i, M120, M320 routers)—Extends port-mirroring
support for VPLS traffic to M7i, M10i, M120, and M320 routers. Previously, only
the MX-series routers supported port mirroring for VPLS traffic. The M7i or M10i
router must include the Enhanced CFEB (CFEB-E) to use this feature. In addition,
on the M320, VPLS port mirroring is supported only on Enhanced III FPCs. Include
the family vpls statement at the [edit forwarding-options port-mirroring] hierarchy
level.
You can also configure multiple port-mirroring instances for IPv4, IPv6, and
VPLS traffic with each instance specifying different input sampling properties
and output mirror destination properties. Multiple port-mirroring instances were
previously supported only on the MX-series routers. To configure a port-mirroring
instance, include the instance port-mirroring-instance-name statement at the [edit
forwarding-options port-mirroring] hierarchy level. To configure a family address
type for a port-mirroring instance, include the family (inet | inet6 | vpls) statement
at the [edit forwarding-options port-mirroring instance port-mirroring-instance-name]
hierarchy level. To configure input properties for a port-mirroring instance,
include the input statement at the [edit forwarding-options port-mirroring instance
port-mirroring-instance-name] hierarchy level. To configure output properties for
a port-mirroring instance, include the output statement at the [edit
forwarding-options port-mirroring family (inet | inet6 | vpls)] hierarchy level. You can
also associate a port-mirroring instance with a specific FPC on an M320 router
and with a specific FEB on an M120 router. To associate a port-mirroring instance
with a specific FPC on an M320 router, include the port-mirror-instance
instance-name statement at the [edit chassis fpc number] hierarchy level. To
associate a port-mirroring instance with a specific FEB on an M120 router, include
the port-mirror-instance instance-name statement at the [edit chassis feb slot
number] hierarchy level. You can associate only one port mirroring instance with
each FPC on an M320 router and with each FEB on an M120 router. In addition,
on an M120 router, you cannot configure a port mirroring instance on a FEB
configured as a backup FEB. [Policy, System Basics]
■
Packet loss priority match condition for firewall filters extended to M120
and M320 routers—Enables you to configure a firewall filter that matches on a
specific packet loss priority (PLP) level. To configure a PLP match condition,
include the loss-priority level statement at the [edit firewall filter filter-name term
term-name from] hierarchy level. For the level, you can include one or more of
the following values: high, low, medium-high, or medium-low. All protocol families
are supported with the loss-priority match condition. To configure a family type
for a firewall filter, include the family (any | ccc | inet | inet6 | mpls | vpls) statement
at the [edit firewall] hierarchy level. The loss-priority level was previously supported
only on the MX-series routers and on the M7i and M10i routers that use the new
Enhanced CFEB (CFEB-E). [Policy]
Routing Protocols
■
Routing Engines as BGP route reflectors (JCS 1200)—To decrease BGP control
traffic and minimize the number of update messages, a BGP route reflector is
used in many networks to distribute BGP routes within the AS. This feature
leverages the large memory and 64-bit processor capacity of the JCS routing
engine, making it an ideal candidate for route reflection.
To configure this option, the blade bay data includes support for a new routing
platform type: Standalone Control Element (PRDSCE). The SCE platform does
not have forwarding plane (PFE) support and does not require RSD connectivity.
The platform has network connectivity by fxp0 and fxp1 interfaces only. [JUNOS
PSD Configuration Guide]
■
Support for alternate loop-free routes for IS-IS—Adds fast reroute capability
for IS-IS. The JUNOS software precomputes loop-free backup routes for all IS-IS
routes. These backup routes are preinstalled in the Packet Forwarding Engine,
which performs a local repair and implements the backup path when the link
for a primary next hop for a particular route is no longer available. A loop-free
path is one that does not return traffic through the router to reach a given
destination. That is, a neighbor that already forwards traffic to the router is not
used as a backup route to that destination.
You can enable support for alternate loop-free routes on any IS-IS interface.
Because it is common practice to enable LDP on an interface for which IS-IS is
already enabled, this feature also provides support for LDP label-switched paths
(LSPs).
The level of backup coverage available through IS-IS routes depends on the actual
network topology and is typically less than 100 percent for all destinations on
any given router. You can extend backup coverage to include RSVP LSP paths.
The JUNOS software provides two mechanisms to enable fast reroute for IS-IS
using alternate loop-free routes: link protection and node-link protection. When
you enable link protection or node-link protection on an IS-IS interface, the JUNOS
software creates an alternate path to the primary next hop for all destination
routes that traverse a protected interface. Link protection offers per-link traffic
protection. Use link protection when you assume that only one link might become
unavailable but that the neighboring node on the primary path would still be
available through another interface. Node-link protection establishes an alternate
path through a different router altogether. Use node-link protection when you
assume that access to a node is lost when a link is no longer available.
To enable link protection for all destination routes that traverse a specific
interface, include the link-protection statement at the [edit protocols isis interface
interface-name] hierarchy level. To enable node-link protection for all destination
routes that traverse a specific interface, include the node-link-protection statement
at the [edit protocols isis interface interface-name] hierarchy level. By default, all
the interfaces in a routing instance can function as backup interfaces for a
protected interface. To exclude a specific interface from functioning as a backup
for a protected interface, include the no-eligible-backup statement at the [edit
protocols isis interface interface-name] hierarchy level. You can enhance backup
coverage for IS-IS routes and LDP LSP paths by configuring RSVP LSPs as
additional backup paths. Include the backup statement at the [edit mpls
label-switched-path lsp-name] hierarchy level. You must also specify the address of the egress
router for the LSP by including the to address statement at the [edit mpls
label-switched-path lsp-name] hierarchy level.
Several new commands are available to support this new feature. Use the show
isis backup label-switched-path command to display which MPLS LSPs have been
designated as backup paths. To display shortest-path-first (SPF) calculations for
each neighbor, use the show isis backup spf results command. Use the show isis
backup coverage command to display how many nodes and prefixes for each
address family are protected. In addition, the show isis detail command has been
enhanced to display the type of protection, link or node-link, applied to each
interface. [Routing Protocols, Routing Protocols and Policies Command Reference]
■
Support for the BGP Monitoring Protocol—Enables you to collect data from the
BGP Adjacency-RIB-In routing tables and to periodically have that data sent to a
monitoring station. The JUNOS software implementation of the BGP Monitoring
Protocol (BMP) is based on Internet draft BGP Monitoring Protocol
draft-scudder-bmp-01.txt. To configure BMP, include the bmp station-address
bmp-station-address statements at the [edit routing-options] hierarchy level. For
bmp-station-address, include the IP address of the monitoring station. You must
also configure the port number of the monitoring station. Include the station-port
station-port-number statement at the [edit routing-options bmp] hierarchy level.
You can also configure BMP for individual logical systems.
Optionally, you can configure how often to send data to the monitoring station
with the statistics-timeout seconds statement. The default is 1 hour. You can also
configure a memory threshold to stop collecting BMP data when it is exceeded
as well as a time interval to wait before reestablishing a BMP session that has
ended after exceeding the memory threshold. Use the memory-limit bytes statement
to configure the memory threshold. The default is 10 MB. To configure the interval
to wait before reestablishing the BMP session, include the memory-connect-timeout
seconds statement. The default is 10 minutes. [Routing Protocols]
■
Alias support for local autonomous system number for BGP—Enables you to
configure a local autonomous system (AS) number assigned to a BGP group or
neighbor as an alias to the system AS. As a result, a BGP peer considers any local
AS to which it is assigned as equivalent to the primary AS number configured
for the router. When you configure a local AS number as an alias, that number
is no longer prepended in the BGP path when a BGP peer sends route updates
to an external peer. Only the primary AS number is prepended in the BGP path.
To configure a local AS as an alias to the system AS, include the alias statement
at the [edit protocols bgp group group-name local-as number] or [edit protocols bgp
group group-name neighbor address local-as number] hierarchy level. You configure
the AS for the router with the autonomous-system number statement at the [edit
routing-options] hierarchy level. [Routing Protocols]
■
Support to hold down BGP peering sessions after a nonstop active routing
switchover—Enables you to configure the router not to reestablish a BGP peering
session after a nonstop active routing (NSR) switchover either for a specified
period of time or until you manually reestablish the session. Include the
idle-after-switch-over (seconds | forever) statement at the [edit protocols bgp]
hierarchy level. For seconds, you can configure a value from 1 through
4294967295. After an NSR switchover, the BGP peering session is not
reestablished until after the specified period of time. If you specify the forever
option, the BGP peering session is not reestablished until you issue the clear bgp
neighbor command from the master Routing Engine. The idle-after-switch-over
statement is also supported at the BGP group and BGP neighbor hierarchy levels.
[Routing Protocols]
Services Applications
■
Support for TCP maximum segment size (MSS) adjustment on M-series routers
and T-series routing platforms—The TCP protocol negotiates an MSS value
during session connection establishment between two peers. The MSS value
negotiated is primarily based on the MTU of the interfaces to which the
communicating peers are directly connected. However, because link MTU varies
along the path taken by the TCP packets, some packets that are still well
within the MSS value may be fragmented when the packet's size exceeds a
link's MTU.
To reduce the possibility of fragmentation and to protect against packet loss,
include the tcp-mss mss-value statement to specify an appropriate TCP MSS value.
If the router receives a TCP packet with the SYN bit and MSS option set and the
MSS option specified in the packet is larger than the MSS value specified by the
tcp-mss statement, the router replaces the MSS value in the packet with the lower
value specified by the tcp-mss statement.
To configure a TCP MSS value, include the tcp-mss statement at the [edit services
service-set service-set-name] hierarchy level:
[edit services]
service-set service-set-name {
    tcp-mss mss-value;
}
The range for the tcp-mss mss-value parameter is from 536 to 65,535.
To view statistics of SYN packets received and SYN packets whose MSS value is
modified, issue the show services service-sets statistics tcp-mss operational mode
command. [Services Interfaces, System Basics]
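The rewrite rule described above, as an added Python example (not Juniper code): a SYN whose MSS option exceeds the configured tcp-mss value has the option lowered and the TCP checksum patched incrementally per RFC 1624. The addresses, ports and the build_syn sample are constructed for illustration; passing malformed option lists and non-SYN segments through unchanged is an assumption about behaviour the release note does not describe.

```python
import socket
import struct

TCP_OPT_EOL, TCP_OPT_NOP, TCP_OPT_MSS = 0, 1, 2
TCP_FLAG_SYN = 0x02


def _fold(total):
    """Fold carries back into 16 bits (one's-complement addition)."""
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src, dst, segment):
    """Checksum over IPv4 pseudo-header + segment; returns 0 if a stored checksum verifies."""
    data = (socket.inet_aton(src) + socket.inet_aton(dst)
            + struct.pack("!BBH", 0, 6, len(segment)) + segment)
    if len(data) % 2:
        data += b"\x00"
    return ~_fold(sum(struct.unpack("!%dH" % (len(data) // 2), data))) & 0xFFFF


def find_mss_option(segment):
    """Return the offset of the MSS option (kind 2, length 4), or None."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    header_len = (segment[12] >> 4) * 4
    if header_len < 20 or header_len > len(segment):
        raise ValueError("invalid TCP data offset")
    i = 20
    while i < header_len:
        kind = segment[i]
        if kind == TCP_OPT_EOL:
            return None
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= header_len:
            return None                      # option kind without a length byte
        length = segment[i + 1]
        if length < 2 or i + length > header_len:
            return None                      # malformed option list: leave untouched
        if kind == TCP_OPT_MSS and length == 4:
            return i
        i += length
    return None


def read_mss(segment):
    """MSS value advertised in the segment, or None when no MSS option is present."""
    off = find_mss_option(segment)
    return None if off is None else struct.unpack_from("!H", segment, off + 2)[0]


def clamp_mss(segment, tcp_mss):
    """Return (segment, rewritten); only a SYN advertising MSS > tcp_mss is changed."""
    if not 536 <= tcp_mss <= 65535:
        raise ValueError("tcp-mss must be from 536 to 65535")
    off = find_mss_option(segment)
    if off is None or not segment[13] & TCP_FLAG_SYN:
        return segment, False
    if read_mss(segment) <= tcp_mss:
        return segment, False
    out = bytearray(segment)
    struct.pack_into("!H", out, off + 2, tcp_mss)
    csum = struct.unpack_from("!H", segment, 16)[0]
    # The option can start on an odd offset, so patch every 16-bit word it touches
    # (RFC 1624 equation 3: HC' = ~(~HC + ~m + m')).
    for w in range((off + 2) & ~1, off + 4, 2):
        old = struct.unpack_from("!H", segment, w)[0]
        new = struct.unpack_from("!H", out, w)[0]
        csum = ~_fold((~csum & 0xFFFF) + (~old & 0xFFFF) + new) & 0xFFFF
    struct.pack_into("!H", out, 16, csum)
    return bytes(out), True


def build_syn(src, dst, mss, odd_aligned=False):
    """Constructed sample SYN with MSS and SACK-permitted options (values are illustrative)."""
    mss_opt = bytes([TCP_OPT_MSS, 4]) + struct.pack("!H", mss)
    if odd_aligned:
        options = bytes([TCP_OPT_NOP]) + mss_opt + bytes([4, 2, TCP_OPT_EOL])
    else:
        options = mss_opt + bytes([TCP_OPT_NOP, TCP_OPT_NOP, 4, 2])
    header = struct.pack("!HHIIBBHHH", 49152, 443, 1, 0,
                         (5 + len(options) // 4) << 4, TCP_FLAG_SYN, 65535, 0, 0)
    segment = bytearray(header + options)
    struct.pack_into("!H", segment, 16, tcp_checksum(src, dst, bytes(segment)))
    return bytes(segment)
```

The boolean returned by clamp_mss corresponds to the two counters the statistics command reports: every SYN seen, and those whose MSS value was modified.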
■
Flow-tap support on additional platforms—Adds support for a version of the
flow-tap application on MX-series platforms and on M120 and M320 routers.
Unlike the previously released flow-tap application, this functionality resides in
the Packet Forwarding Engine rather than in a service PIC. You must configure
a service PIC or DPC or a regular tunnel port to provide tunneling.
To configure the new feature, include the flow-tap-lite statement at the [edit
services] hierarchy level and assign the designated tunnel interface for use by
the dynamic flow capture process (dfcd). The original flow-tap feature and the
new version share the same Dynamic Tasking Control Protocol (DTCP) SSH
architecture to install the DTCP filters and authenticate users. [Services Interfaces,
Feature Guide]
■
Border gateway function (BGF) and Integrated Multi-Service Gateway (IMSG)
support on MX platform—Adds support for BGF and IMSG features on
MultiServices DPCs on MX-series routers. This functionality was previously
released on services PICs running on M-series and T-series routing platforms.
[Services Interfaces, Multiplay Solutions, DPC Guide, System Basics and Services
Command References]
■
Call admission control (CAC) for Border Signaling Gateway (BSG)—Enables
you to configure a policy action to prevent voice traffic congestion and to ensure
that there is enough bandwidth for authorized flows. CAC is applied during the
call setup phase. You configure admission control rules in named objects called
controllers. For each controller you configure, you can specify:
■
Maximum number of concurrent dialogs and out-of-dialog transactions
■
Maximum rate of dialog and out-of-dialog transaction attempts per second
■
Committed burst size (number of dialogs and out-of-dialog transactions)
When a call cannot be admitted due to a CAC violation, the call request is rejected
with a code 403.
To configure a controller file, enter the controller-name statement at the [edit
services border-signaling-gateway gateway gateway-name admission-control]
hierarchy level.
To enforce the admission control on dialogs, enter the following statements at
the [edit services border-signaling-gateway gateway gateway-name admission-control
controller-name dialogs] hierarchy level: maximum-concurrent,
committed-attempts-rate, committed-burst-size.
To enforce admission control on transactions, enter the following statements at
the [edit services border-signaling-gateway gateway gateway-name admission-control
controller-name transactions] hierarchy level: maximum-concurrent,
committed-attempts-rate, committed-burst-size.
To assign a CAC controller to a policy action, enter the admission-control statement
at the [edit services border-signaling-gateway gateway gateway-name new-transaction-policy
policy-name term term-name then] hierarchy level.
You can use the following show commands to display information about call
admission control:
■
show services border-signaling-gateway by-contact contact detailed gateway
gateway-name
■
show services border-signaling-gateway by-request-uri request-uri detailed
gateway gateway-name
■
show services border-signaling-gateway admission-control gateway gateway-name
[Multiplay Solutions, Services Interfaces, System Basics Command Reference]
■
MultiServices PICs support on the JCS 1200—MultiServices 500 PICs running
Layer 3 services packages are now supported on the JCS 1200. [JUNOS PSD
Configuration Guide]
■
TWAMP support extension—Support has been added for existing RPM Two-Way
Active Measurement Protocol (TWAMP) functionality on MX-series routers that
do not have MultiServices DPCs installed.
To configure TWAMP, include the twamp statement at the [edit services rpm]
hierarchy level, as previously documented, but do not specify the twamp-server
statement for any interface. There are no new CLI statements associated with
this feature and the existing operational commands function as documented.
[Services Interfaces]
■
RPM TWAMP enhancements—Adds support for TWAMP functionality on
MultiServices PICs configured in Layer 3 mode. Also adds support for encryption
and authentication mode, based on RFC 4656.
To configure the mode, include the authentication-mode statement at the [edit
services twamp server] hierarchy level and specify the value authenticated or
encrypted. [Services Interfaces]
■
Flow aggregation template enhancements—Adds the following new fields to
the flow record templates used for version 9 flow aggregation:
■
IPv4 template—Adds IPv4 next-hop address
■
IPv6 template—Adds IPv6 next-hop address, OIF egress interface, and BGP
source and destination AS numbers
■
MPLS template—Adds MPLS EXP information
[Services Interfaces, Feature Guide]
■
Integrated Multi-Service Gateway (IMSG) support for BGF state changes and
load balancing (M120, M320, and T640 platforms)—A virtual border gateway
function (BGF) that is controlled by the BSG supports the full set of virtual BGF
state changes (in-service and out-of-service). To display the current state of the
virtual BGF, check the status field that is displayed using the show services pgcp
active-configuration command. The BGF also supports distributed virtual BGF load
balancing using a round-robin algorithm. [Multiplay Solutions, CR:System Basics
and Services]
■
Border Gateway Function (BGF) user interface enhancements—Enhanced
formats for operational commands and trace options configuration statements
provide greater flexibility for monitoring the status of virtual BGFs.
Operational Commands
For ease of operation, the CLI now lets you display each vBGF
separately. The new syntax is show services pgcp xxxxx gateway gw-name, where
xxxxx represents the desired display. For example, to display vBGF-5 statistics,
use show services pgcp statistics gateway vBGF-5.
Similarly, to display all existing vBGFs, use the wildcard “*” in place of the gateway
name: for example, show services pgcp statistics gateway *.
Trace Options
You can now configure trace options for extraction and storage of log information
for the H.248 stack, the BGF core, and SBC utilities. To configure, include one
or more of the following statements at the [edit services pgcp traceoptions flag]
hierarchy level: session-trace, h.248-stack, bgf-core, sbc-util.
[Multiplay Solutions, Services Interfaces, System Basics Command Reference]
■
Border Gateway Function (BGF) preferential handling of emergency calls
during overload (M120, M320, and T640 platforms)—Enables the gateway
controller and the administrator to provide preferred processing for emergency
calls when the BGF is at an overload processing state. The BGF processing queue
is divided into three watermarks that you enable and provision. To configure,
include the queue-limit-percentage, reject-new-calls-threshold, and
reject-all-commands-threshold statements at the [edit services pgcp gateway
overload-control] hierarchy level. To display the current enforcement and
transaction queue states, issue the show services pgcp active-configuration gateway
gateway-name command and review the Usage Counters. [Multiplay Solutions,
Services Interfaces, System Basics Command Reference]
■
New application-aware access list (AACL) service (MX-series platforms)—Adds
support for a new service that uses application names and groups as matching
criteria for filtering traffic. AACL is a stateless, rules-based service that can be
combined with application identification to enable policies to be applied to flows
based on application and application group membership in addition to traditional
packet matching rules.
In JUNOS Release 9.5, AACL is supported only on MultiServices DPCs running
on MX-series platforms. It is configured in a similar way to other rules-based
services such as NAT, CoS, and stateful firewall. To configure AACL, include rule
specifications for match criteria and actions at the [edit services
application-aware-access-list] hierarchy level. You can chain AACL rules along
with other service rules by including them in a service-set definition at the [edit
services service-set] hierarchy level, as previously documented. There are no
new operational commands associated specifically with AACL. [Services Interfaces]
■
New service for identifying applications—Application identification (APPID) is
a component of a larger project to provide Deep Packet Inspection (DPI)
functionality on MX-series platforms. The two main features are per-subscriber,
per-application group bandwidth control and Intrusion Detection and Prevention
(IDP). The APPID feature is used to identify applications as constituents of
application groups in TCP/UDP traffic. To configure APPID, include statements
at the [edit services application-identification] hierarchy level to specify parameter
values for identifying applications, enable or disable application rules, and gather
the applications and rules into groups. A new operational command, show/clear
application-identification application-system-cache, allows you to view and delete
stored cache entries. [Services Interfaces, System Basics, and Services Command
Reference]
■
IDP functionality extended to MX-series platforms—Adds support for Intrusion
Detection and Prevention (IDP) functionality using Deep Packet Inspection (DPI)
technology on MX-series platforms equipped with MultiServices DPCs. This
feature set is already supported on J-series platforms and is described in J-series
Services Router documentation. To configure IDP properties, include statements
at the [edit security idp] hierarchy level. You configure IDP processes by including
the idp-policy statement at the [edit system processes] hierarchy level. To specify
an IDP profile, include the new idp-profile statement at the [edit services
service-set] hierarchy level. To configure SNMP IDP objects, include the idp
statement at the [edit snmp health-monitor] hierarchy level. Operational commands
for monitoring and regulating IDP activity use the clear/request/show security
idp command syntax. [J-series Services Router Guides, Services Interfaces]
■
Local policy decision functionality for application-related services (MX-series
platforms)—Adds support for a new process that regulates collection of statistics
related to applications and application groups and tracking of information about
dynamic subscribers. This functionality is collectively named the local policy
decision function (L-PDF); in JUNOS Release 9.5 it is supported only on MX-series
platforms equipped with MultiServices DPCs. The application identification
(APPID) service defines the applications and how they are grouped. The
application-aware access list (AACL) service defines the applications and
application groups for which statistics are collected for a specific user or interface.
The L-PDF configuration defines the way in which the statistics are output.
To configure properties for statistics output, include the
policy-decision-statistics-profile statement at the [edit accounting-options] hierarchy
level. A new traceoptions configuration is available at the [edit services
local-policy-decision-function] hierarchy level. To configure a dynamic profile to
attach a specified service-set to an interface, include the service statement at the
[edit dynamic-profiles profile-name interfaces interface-name unit logical-unit-number
family inet] hierarchy level. The following new operational commands are
supported:
■
show services statistics
■
show services application-aware-access-list statistics
■
show services flows
[Services Interfaces, System Basics and Services Command Reference]
Software Installation and Upgrade
■
Subscriber interface creation licensing support (MX-series routers)—To enable
some router scaling levels, you must purchase, install, and manage separate
software license packs. This release supports subscriber interface creation limits.
The presence on the router of the appropriate software license keys (passwords)
determines how many subscriber interfaces you can configure for use with the
JUNOS Subscriber Access Feature Pack.
For information about how to purchase JUNOS software licenses, contact your
Juniper Networks sales representative. [Software Installation and Upgrade Guide]
Subscriber Access Management
■
Extended DHCP relay proxy (MX-series routers)—The extended DHCP relay
proxy mode feature supports subscriber access management. The DHCP relay
proxy supports all features of the DHCP relay. However, while the extended
DHCP relay is virtually transparent, DHCP clients see the DHCP relay proxy as
the DHCP server, and the actual DHCP server sees the DHCP relay proxy as a
DHCP relay that communicates with clients.
DHCP relay proxy helps improve security for service providers by hiding internal
DHCP servers from the view of the attached DHCP clients and providing denial
of service (DoS) protection. Also, in a network with multiple DHCP servers, DHCP
relay proxy reduces access network traffic by forwarding a single lease to a client.
In contrast to the extended DHCP relay, the extended DHCP relay proxy can be
used in a logical router.
To configure DHCP relay proxy support, include the proxy-mode statement at the
[edit forwarding-options dhcp-relay overrides] hierarchy level or the [edit
forwarding-options dhcp-relay group overrides] hierarchy level.
The extended DHCP relay proxy is not compatible with the J-series DHCP server.
Also, you cannot configure both the extended DHCP relay proxy and the extended
DHCP local server on the same interface. [Subscriber Access]
■
JUNOS subscriber access scaling values—The following subscriber access scaling
values are supported in this release:
■
Number of subscriber VLANs per DPC: 16,000
■
Number of subscriber VLANs per chassis for MX-240 routing platform, which
accommodates 2 DPCs: 32,000
■
Number of subscriber VLANs per chassis for MX-480 and MX-960 routing
platforms: 64,000
■
Number of DHCP bindings: 120,000
■
Mobile IP supports multiple logical routers and routing instances (MX-series
routers)—You can now configure the Mobile IP home agent feature independently
in any named routing instance in any configured logical router. Previously, Mobile
IP supported only the default routing instance and default logical router.
The CLI has been enhanced to add the services hierarchy to the following
additional hierarchies:
■
[edit logical-systems logical-system-name]
■
[edit routing-instances routing-instances-name]
■
[edit logical-systems logical-system-name routing-instances
routing-instances-name]
This feature enables you to configure a Mobile IP subscriber in a routing instance
in a specific logical router based on the vendor-specific attributes (VSAs) returned
from the RADIUS server during authentication of the subscriber.
Multiple logical router and routing instance support is available only when you
configure local authentication for Mobile IP. When you instead configure RADIUS
authentication, only the default logical router and routing instance are supported.
Only the local option is available for the order statement; the aaa option is not
supported for nondefault logical routers and routing instances. Otherwise, all
previously supported Mobile IP configuration statements are available at the new
hierarchy levels. [Subscriber Access]
■
Support for RADIUS framed-route attribute [22] (M120, M320, and MX-series
Routers)—Enables you to configure the RADIUS Framed-Route Attribute [22]
for Access-Accept and CoA-Request messages. The Framed-Route attribute
enables you to provide routing information to be configured for the subscriber
on the NAS.
The format for the string is:
addr [/maskLen] [nexthop [cost]] [tag tagValue] [distance distValue]
[Subscriber Access]
■
Support for dynamic configuration of framed routes and addresses (M120,
M320, and MX-series routers)—Enables you to configure framed routes and
addresses in a dynamic profile. The values for the framed route and addresses
are dynamically supplied to subscriber interfaces using RADIUS attributes.
Framed routes are used so that traffic from the subnets can traverse the subscriber
interface. By applying framed routes, you can extend the per-subscriber interface
management to any subnetworks behind the dynamic subscriber interface.
To dynamically configure framed routes using values specified in Framed-Route
Attribute [22], include the new junos-framed-route-ip-address-prefix variable with
the route statement at the [edit dynamic-profiles profile-name routing-options access]
hierarchy level. For each route, you can configure variables for the next-hop IP
address (junos-framed-route-nexthop), the cost metric (junos-framed-route-cost),
and the preference value (junos-framed-route-distance).
Configuring support for access-internal variables is optional, but it ensures that
if the next-hop value is missing in the Framed-Route Attribute [22], values from
the access-internal variables are used instead. To configure access-internal
variables, include the new junos-subscriber-ip-address variable with the route
statement at the [edit dynamic-profiles profile-name routing-options access-internal]
hierarchy level. For each access-internal variable, you can configure variables
for the qualified next-hop (junos-underlying-interface) and the MAC address
(junos-mac-address).
To monitor framed routes, issue the show route protocol access command. To
monitor access-internal variables, issue the show route protocol access-internal
command.
[Subscriber Access]
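A parser for the Framed-Route string format given in the preceding item, mapped onto the dynamic-profile variables this item names, as an added Python example (not Juniper code). Accepting both addr/maskLen and addr /maskLen, rejecting prefixes with host bits set, and the 32-bit bound on cost, tag and distance are assumptions; the sample strings in the usage use documentation addresses.

```python
import ipaddress
from typing import NamedTuple, Optional

KEYWORDS = ("tag", "distance")       # keyword order as given in the format string
UINT32_MAX = 2**32 - 1               # assumed upper bound; the page gives no ranges


class FramedRoute(NamedTuple):
    address: str
    mask_len: Optional[int]
    nexthop: Optional[str]
    cost: Optional[int]
    tag: Optional[int]
    distance: Optional[int]


def _uint(token, field):
    """Strict unsigned-integer parse: no signs, no non-ASCII digits, bounded."""
    if not (token.isascii() and token.isdigit()) or int(token) > UINT32_MAX:
        raise ValueError(f"{field}: expected an unsigned integer, got {token!r}")
    return int(token)


def parse_framed_route(value):
    """Parse 'addr [/maskLen] [nexthop [cost]] [tag tagValue] [distance distValue]'."""
    tokens = value.split()
    if not tokens:
        raise ValueError("empty Framed-Route string")
    addr = tokens.pop(0)
    if tokens and tokens[0].startswith("/"):      # 'addr /len' as well as 'addr/len'
        addr += tokens.pop(0)
    if "/" in addr:
        net = ipaddress.ip_network(addr, strict=True)   # rejects host bits, bad lengths
        address, mask_len, version = str(net.network_address), net.prefixlen, net.version
    else:
        ip = ipaddress.ip_address(addr)
        address, mask_len, version = str(ip), None, ip.version

    nexthop = cost = None
    if tokens and tokens[0] not in KEYWORDS:
        hop = ipaddress.ip_address(tokens.pop(0))
        if hop.version != version:
            raise ValueError("next hop and prefix are different address families")
        nexthop = str(hop)
        if tokens and tokens[0] not in KEYWORDS:
            cost = _uint(tokens.pop(0), "cost")

    extras = {}
    for key in KEYWORDS:
        if tokens and tokens[0] == key:
            tokens.pop(0)
            if not tokens:
                raise ValueError(f"{key}: value missing")
            extras[key] = _uint(tokens.pop(0), key)
    if tokens:
        raise ValueError(f"unexpected trailing tokens: {tokens}")
    return FramedRoute(address, mask_len, nexthop, cost,
                       extras.get("tag"), extras.get("distance"))


def junos_variables(route):
    """Map parsed fields onto the dynamic-profile variables named in the release note."""
    prefix = route.address if route.mask_len is None else f"{route.address}/{route.mask_len}"
    values = {
        "junos-framed-route-ip-address-prefix": prefix,
        "junos-framed-route-nexthop": route.nexthop,
        "junos-framed-route-cost": route.cost,
        "junos-framed-route-distance": route.distance,
    }
    # A missing next hop is left out: that is the case the access-internal
    # variables are described as covering.
    return {name: value for name, value in values.items() if value is not None}


if __name__ == "__main__":
    # Constructed sample attribute values.
    for sample in ("192.0.2.0/24 198.51.100.1 5 tag 7 distance 12",
                   "192.0.2.0 /24 distance 3"):
        print(junos_variables(parse_framed_route(sample)))
```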
■
Enhancement of client firewall filter and CoS attribute aggregation (MX-series
routers)—Using the aggregate-clients statement in DHCP local server and DHCP
relay agent dynamic profile configurations enables multiple DHCP clients to share
the same VLAN logical interface (for example, multiple clients belonging to the
same household). By default, the aggregate-clients feature is disabled and a single
DHCP client is allowed per VLAN when a dynamic profile is associated with the
VLAN logical interface.
In this release the aggregate-clients statement enables you to either merge (the
default action; available in a previous release) or replace the firewall filters, CoS
schedulers, and IGMP configuration of multiple DHCP clients that share the same
VLAN logical interface. When you choose to merge software components, the
behavior is as follows:
■
Firewall filters—The filters are chained together using the precedence as the
order of execution. If the same firewall filter is attached multiple times, the
filter is executed only once.
■
CoS schedulers—The different CoS schedulers are merged as if the scheduler
map has multiple schedulers. The merge operation for the individual
traffic-control-profiles parameters (shaping-rate, delay-buffer-rate,
guaranteed-rate) preserves the maximum value for each parameter.
■
IGMP configuration—The current IGMP configuration is replaced with the
configuration of the newest DHCP client.
When you choose to replace software components, each new client session
replaces the previous session.
You can configure the aggregate-clients attribute for all interfaces or for groups
of interfaces. This feature supports static VLANs. [Subscriber Access]
■
ANCP individual VLAN support and neighbor configuration enhancements
(MX-series routers)—ANCP is now supported on individual VLANs. Previously,
ANCP was supported only on groups of VLANs (interface sets) carrying services
to a subscriber. Now you can configure ANCP on individual logical interfaces for
single VLANs that carry services to a subscriber.
To configure ANCP for an individual VLAN, include the access-identifier statement
at the [edit protocols ancp interfaces interface-name] hierarchy level. The access
identifier no longer has to be unique across the router. Now it must only be
unique for individual ANCP neighbors. You must specify neighbor ip-address in
the access-identifier statement when the access identifier is unique only for a
neighbor.
You can now configure the maximum number of discovery table entries accepted
from neighbors. To configure this limit globally for all ANCP neighbors, include
the maximum-discovery-table-entries statement at the [edit protocols ancp] hierarchy
level.
You can now specify several ANCP parameters for individual neighbors in addition
to setting global parameters for all neighbors. Individual neighbor configurations
take precedence over the global configuration.
To configure individual neighbor parameters, you can include any of the following
statements at the [edit protocols ancp neighbor ip-address] hierarchy level:
■
adjacency-timer—Specify the interval between adjacency messages sent to
this ANCP neighbor.
■
discovery-mode—This statement currently has no effect. By default, topology
discovery is enabled globally for all neighbors and cannot be disabled.
■
ietf—Specify that the neighbor is running in IETF mode. This statement is
not available at the [edit protocols ancp] hierarchy level for global
configuration. By default, ANCP neighbors run in IETF mode. This statement
is useful when you configure pre-IETF mode globally but want to negate that
mode for individual neighbors.
■
maximum-discovery-table-entries—Configure the maximum number of
discovery table entries accepted from this neighbor.
■
pre-ietf—Specify that the neighbor is running in pre-IETF mode.
The output for the show ancp cos and show ancp subscriber commands has been
enhanced to support this feature. For access identifiers that are not unique across
the network, you can issue the show ancp subscriber identifier identifier-string
neighbor ip-address command to display subscriber information for a particular
neighbor associated with the access identifier. [Subscriber Access, Protocols
Command Reference]
■
Mobile IP home agent support for WiMAX (MX-series routers)—The Mobile
IP home agent can now receive, process, and send Worldwide Interoperability
for Microwave Access (WiMAX) vendor-specific RADIUS attributes (VSAs). This
feature enables Mobile IP home agent to work in a WiMAX home connectivity
services network (HCSN), to provide for mobility management at the IP layer.
To enable the WiMAX feature for Mobile IP, include the wimax statement at the
new [edit services mobile-ip access-type] hierarchy level. To disable the WiMAX
feature, include the generic statement at the [edit services mobile-ip access-type]
hierarchy level.
To determine which release and version number of the WiMAX Forum Network
Architecture is supported by the current Mobile IP implementation, enter the
show mobile-ip wimax release command.
Reauthentication of WiMAX subscribers is not currently supported. [Subscriber
Access, System Basics and Services Command Reference]
■
GRES support for dynamically-created IP DEMUX interfaces—GRES now
supports IP DEMUX interfaces in a DHCP subscriber access configuration.
System Logging
New and deprecated system log tags—The following system log message is new in
this release:
■
HNCACHED—Messages with the HNCACHED prefix are generated by the
hostname-caching process.
The following system log messages are new in this release:
■
DFWD_POLICER_LIMIT_EXCEEDED
■
ESWD_BPDU_BLOCK_ERROR_DISABLED
■
ESWD_ST_CTL_BW_INFO
■
ESWD_ST_CTL_INVALID_LEVEL
■
ESWD_ST_CTL_INVALID_NO_BR
■
ESWD_ST_CTL_INVALID_NO_UNKNUNI
■
EVENTD_SCRIPT_CHECKSUM_MISMATCH
■
LLDPD_PARSE_ARGS
■
LLDPD_PARSE_BAD_SWITCH
■
LLDPD_PARSE_CMD_ARG
■
LLDPD_PARSE_CMD_EXTRA
■
LLDPD_PARSE_USAGE
■
MIB2D_IF_FLAPPING_MISSING
■
PFE_FW_SYSLOG_ETH
■
RPD_DYN_CFG_GET_SES_TYPE_FAILED
■
RPD_MC_COSD_WRITE_ERROR
■
RPD_MPLS_INTERFACE_ROUTE_ERROR
■
RPD_MPLS_TABLE_ROUTE_ERROR
■
RPD_TASK_DYN_REINIT
The following system log messages are no longer documented:
■
RDD_TRACE_FILE_OPEN_FAILED
■
RPD_DYN_CFG_BAD_REQ_OPCODE
User Interface and Configuration
■
New directory structure and file system access for logical systems—Beginning
with JUNOS Release 9.5, logical systems have their own individual directory
structure created in the /var/logical-systems/logical-system-name directory. This
directory contains the following subdirectories:
■
/config—Contains the current operational router configuration specific to
the logical system.
■
/log—Contains system log and tracing files specific to the logical system.
■
/tmp—Contains temporary files specific to the logical system.
Backward compatibility is maintained by creating software links from
/var/logs/logical-system-name to /var/logical-systems/logical-system-name.
The new file system access for each logical system enables logical system users
to view trace logs and modify logical system files. Logical system administrators
have full access to view and modify all files specific to the logical system.
[System Basics]
■
Support for optionally configuring checksum values to check the integrity
of scripts—Enables you to configure checksum values to validate the integrity
of commit, operations, and events scripts. The supported hash algorithms for
calculating the checksum are md5, sha-256, and sha1. You can configure one or
more hash algorithms for the checksum values.
To configure checksum values for commit scripts, include the appropriate hash
algorithms at the [edit system scripts commit file file-name checksum] hierarchy
level. To configure checksum values for operations scripts, include the appropriate
hash algorithms at the [edit system scripts op file file-name checksum] hierarchy
level. To configure checksum values for events scripts, include the appropriate
hash algorithms at the [edit event-options event-script file file-name checksum]
hierarchy level.
To view the calculated checksum value, issue the file checksum (md5 | sha-256
| sha1) operational mode command. [Automation, System Basics and Services
Command Reference]
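An added Python example (not Juniper code) that computes the three supported digests for a script, builds the matching set commands from the hierarchy levels quoted above, and checks a script against configured values. The script body and file name are constructed; requiring every configured digest to match is an assumption, and the weak_only flag marks configurations that rely solely on md5 or sha1, which are not collision resistant.

```python
import hashlib

# Algorithm names as written in the release note, mapped to hashlib names.
ALGORITHMS = {"md5": "md5", "sha-256": "sha256", "sha1": "sha1"}
COLLISION_WEAK = {"md5", "sha1"}

# Hierarchy levels quoted in the release note, keyed by script type.
HIERARCHY = {
    "commit": "system scripts commit file {name} checksum",
    "op": "system scripts op file {name} checksum",
    "event": "event-options event-script file {name} checksum",
}

# Constructed stand-in for a script body; any bytes work.
SAMPLE_SCRIPT = b"version 1.0;\nmatch configuration {\n    /* constructed sample */\n}\n"


def script_digests(data):
    """Hex digests of the script for every algorithm the feature supports."""
    return {name: hashlib.new(impl, data).hexdigest() for name, impl in ALGORITHMS.items()}


def checksum_set_commands(kind, name, data, algorithms=("sha-256",)):
    """Build 'set ... checksum <algorithm> <digest>' lines for one script file."""
    if kind not in HIERARCHY:
        raise ValueError(f"unknown script type: {kind!r}")
    if not name or any(ch.isspace() for ch in name):
        raise ValueError("file name must be non-empty and contain no whitespace")
    unknown = [alg for alg in algorithms if alg not in ALGORITHMS]
    if unknown:
        raise ValueError(f"unsupported hash algorithm(s): {unknown}")
    digests = script_digests(data)
    path = HIERARCHY[kind].format(name=name)
    return [f"set {path} {alg} {digests[alg]}" for alg in algorithms]


def verify_script(data, configured):
    """Compare a script with its configured digests ({algorithm: hex digest}).

    Returns which algorithms mismatched and whether the configuration relies
    only on md5/sha1. Every configured digest must match (an assumption).
    """
    if not configured:
        raise ValueError("no checksum configured for this script")
    unknown = [alg for alg in configured if alg not in ALGORITHMS]
    if unknown:
        raise ValueError(f"unsupported hash algorithm(s): {unknown}")
    actual = script_digests(data)
    mismatched = sorted(alg for alg, expected in configured.items()
                        if actual[alg] != expected.strip().lower())
    return {
        "ok": not mismatched,
        "mismatched": mismatched,
        "weak_only": set(configured) <= COLLISION_WEAK,
    }


if __name__ == "__main__":
    for line in checksum_set_commands("commit", "sample-check.slax", SAMPLE_SCRIPT,
                                      algorithms=("sha-256", "sha1")):
        print(line)
    pinned = {"sha-256": script_digests(SAMPLE_SCRIPT)["sha-256"]}
    print(verify_script(SAMPLE_SCRIPT, pinned))             # unchanged script
    print(verify_script(SAMPLE_SCRIPT + b"\n", pinned))     # one byte appended
```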
■
Dynamic auto-sensed VLAN support—This release supports the automatic
configuration of VLANs and stacked VLANs on static Ethernet interfaces. You
can configure a single set of up to 32 ranges per VLAN or stacked VLAN type.
When using mixed VLAN tagging, you can configure up to 64 VLANs per port
(32 VLANs and 32 stacked VLANs). This feature supports vlan-tagging,
stacked-vlan-tagging, and flexible-vlan-tagging (both VLAN tagging and stacked
VLAN tagging on the same port) encapsulations.
You enable automatic configuration of VLANs by including the vlan-id statement
in a dynamic profile at the [edit dynamic-profiles profile-name] hierarchy level and
by referencing the dynamic profile in the auto-configure statement at the [edit
interfaces interface-name] hierarchy level.
Using the vlan-id statement, you specify the junos-vlan-id variable for the VLAN
ID. This statement and variable combination obtains an actual VLAN ID from a
range of VLAN IDs that you specify at the [edit interfaces interface-name] hierarchy
level.
You enable automatic configuration of stacked VLANs by defining a dynamic
stacked VLAN profile and using the vlan-tags statement at the [edit dynamic-profiles]
hierarchy level. In the vlan-tags statement, you specify the junos-stacked-vlan-id
variable for the outer VLAN ID and the junos-vlan-id variable for the inner VLAN
ID. This statement and variable combination obtains an actual outer and inner
stacked VLAN ID from a range of VLAN IDs that you specify.
You define VLAN or stacked VLAN ranges with the auto-configure statement at
the [edit interfaces interface-name] hierarchy level. To define VLAN ranges, include
the vlan-ranges statement at the [edit interfaces interface-name auto-configure]
hierarchy level. You must then specify the dynamic VLAN profile by using the
dynamic-profile statement at the [edit interfaces interface-name auto-configure
vlan-ranges] or [edit interfaces interface-name auto-configure stacked-vlan-ranges]
hierarchy level, specify the VLAN interface type (inet) by using the accept
statement at the [edit interfaces interface-name auto-configure vlan-ranges
dynamic-profile] or [edit interfaces interface-name auto-configure
stacked-vlan-ranges dynamic-profile] hierarchy level, and finally specify the VLAN
ranges that you want accessing clients to use by including the ranges statement
at the [edit interfaces interface-name auto-configure vlan-ranges dynamic-profile]
or [edit interfaces interface-name auto-configure stacked-vlan-ranges
dynamic-profile] hierarchy level.
When specifying values for the low-tag and high-tag variables for the vlan-ranges
or stacked-vlan-ranges statement, you can define tag ranges from 1 to 4094 or
use the any option to specify the use of the entire VLAN range. You can use the
clear auto-configuration interfaces interface-name command to manually remove
a dynamically-created VLAN or stacked VLAN interface.
NOTE: You can only remove dynamically-created VLANs or stacked VLANs when no
subscribers are using the interface either directly on that VLAN interface or on a
separate IP DEMUX interface using that VLAN as its underlying interface.
[Network Interfaces, Subscriber Access]
VPNs
■
Layer 3 VPN BGP routes and labels—You can now configure Juniper Networks
routers to accept larger numbers of Layer 3 VPN BGP updates with unique inner
VPN labels by including the l3vpn-composite-nexthop statement at the [edit
routing-options] hierarchy level. This feature is available on M120, M320, and
MX-series routers. The neighboring PE routers are typically non-Juniper Networks
routers configured to assign a unique inner label to each Layer 3 VPN BGP route.
The l3vpn-composite-nexthop statement is disabled by default.
When you configure the l3vpn-composite-nexthop statement and issue the commit
command, the BGP session is immediately restarted. For more information, see
PR 292173. [VPNs]
■
VPLS routing instance prioritization—When a path is rerouted using fast reroute,
the Packet Forwarding Engine (PFE) collects all the affected next-hops and
changes them to the backup link one after another in no particular order. When
a fast reroute event occurs, the time needed to restore connectivity depends on
the number of affected next-hops, which can lead to longer fast reroute times for
all affected traffic. You can now prioritize specific VPLS routing instances for
faster fast reroute convergence. The next-hops for a higher priority VPLS routing
instance are modified first and therefore the traffic traversing the higher priority
VPLS routing instance is restored faster.
To prioritize a VPLS routing instance, configure the fast-reroute-priority statement
at the [edit routing-instances routing-instance-name forwarding-options] hierarchy
level. You can configure a priority of high, medium, or low. [VPNs]
■
Extranet next-generation MVPN—The extranet next-generation multicast VPN
(MVPN) functionality (also known as overlapping MVPNs) allows multicast
receivers in a given VRF routing instance to receive traffic from multicast sources
in another VRF routing instance. Extranet MVPNs support PIM-ASM or PIM-SSM
in customer instances. PIM-DM in customer instances is not supported. Extranet
MVPNs require the use of RSVP-TE P2MP LSPs for provider tunnels. Extranet
MVPNs also support both inclusive and selective tunnels.
The following extranet MVPN topologies are supported:
■
The source and receiver are in different VPNs attached to different PE routers.
■
The source and receiver are in different VPNs but attached to the same PE
router.
■
Multiple receivers are attached to one PE router but in different VPNs.
■
Prefix-based extranets, where a few selected sources are exported from one
VPN to another, are also supported.
The configuration for extranet next-generation MVPNs relies on existing
configuration statements.
If there is more than one MVPN routing instance on a PE router, extranet
next-generation MVPNs require VT interfaces to be configured on all MVPN
routing instances on a PE router that is designated to receive traffic from the
same source. If there is only one MVPN routing instance on a PE router that has
receivers for a particular source, the MVPN routing instance does not need to
have a VT interface configured. VT interfaces are not required for unicast routing
instances which can still rely upon label-switching interfaces (LSIs).
PIM-DM is not supported in the MVPN SP core for Draft-Rosen. [VPNs]
■
LDP BGP interworking additional platform support—LDP BGP interworking is
now supported on the M10i, M40e, M120, and T-series routers and the TX Matrix
platform. [VPNs]
■
VLAN range for L2 VPN (MX-series)—Supports bundling a list of VLAN IDs on
a logical interface and using it for a cross-connect, to enhance existing
functionality, dramatically reduce usage of system resources such as logical
interfaces and next-hops, and simplify configuration.
To configure a VLAN ID list, use the vlan-id-list list statement at the [edit interfaces
interface-name-fpc/pic/port unit unit-number] hierarchy level.
To configure a group of VLAN tags, use the vlan-tags <(inner | inner-list list)>
statement at the [edit interfaces interface-name-fpc/pic/port] hierarchy level.
NOTE: TPID is not supported with inner-list.
An example configuration for this feature follows:
interfaces {
    ge-1/1/0 {
        vlan-tagging;
        encapsulation flexible-ethernet-services;
        unit 10 {
            encapsulation vlan-ccc;
            vlan-id-list [20 30-40 45];
        }
    }
    ge-1/1/1 {
        flexible-vlan-tagging;
        encapsulation flexible-ethernet-services;
        unit 10 {
            encapsulation vlan-ccc;
            vlan-tags outer 200 inner-list [50-60 80 90-100];
        }
    }
}
[Network Interfaces]
■
Static pseudowires (M-series and T-series routers)—You can now configure
static pseudowires. Static pseudowires are designed for networks that do not
support or have not enabled LDP. Without LDP, Layer 2 circuits could not be
signaled in previous JUNOS software releases. You enable static pseudowires by
configuring static values for the in and out labels needed to bring up a pseudowire
connection. You must configure unique labels for the static pseudowire
configuration to commit. The ignore-mtu-mismatch, ignore-vlan-id, and
ignore-encaps-mismatch statements are not relevant for static pseudowire
configurations since there is no way for the peer router to forward this
information.
To configure a static pseudowire, include the static statement at the [edit protocols
l2circuit neighbor address interface interface-name] hierarchy level. You must also
configure the incoming-label label statement and outgoing-label label statement at
the [edit protocols l2circuit neighbor address interface interface-name static]
hierarchy level. You can also configure the static statement and sub-statements
at the [edit protocols l2circuit neighbor address interface interface-name
backup-neighbor neighbor] hierarchy level. If you configure the neighbor as static,
you must configure the backup neighbor as static as well.
Note that when you configure static pseudowires, you need to manually compare
the encapsulation, TDM bit rate, and control word of the router with the remote
peer router and ensure that they match; otherwise, the data path can be affected.
For example, data would be forwarded from one end of the pseudowire, but
would be dropped at the other end as there is a mismatch in the encapsulation,
TDM bit rate, or control word.
You can also make it possible to ping a static pseudowire by configuring the
send-oam statement at the [edit protocols l2circuit neighbor address interface
interface-name static] hierarchy level. If you configure the send-oam statement,
it applies to the backup neighbor as well. Once you have enabled this statement,
you can ping the static pseudowire by issuing the ping mpls l2circuit command.
The command output of the show l2circuit connection command has been
modified to indicate if a pseudowire on a router is static. The Layer 2 circuit
interface is labeled with SP (meaning static pseudowire). [VPNs]
JUNOS XML API and Scripting
■
New JUNOS XML API operational request tag elements—Table 1
lists the JUNOS Extensible Markup Language (XML) operational request tag
elements that are new in JUNOS Release 9.5, along with the corresponding CLI
command and response tag element for each one.
Table 1: JUNOS XML Tag Elements and CLI Command Equivalents New in JUNOS 9.5

| Request Tag Element | CLI Command | Response Tag Element |
|---|---|---|
| <clear-ancp-subscriber-identifier-information> | clear ancp subscriber identifier | <ancp-subscriber-identifier-information> |
| <clear-mpls-lsp-information> | clear mpls lsp | NONE |
| <clear-elmi-statistics> | clear oam ethernet lmi statistics | NONE |
| <clear-ospf-database-information> | clear ospf database | NONE |
| <clear-ospf-io-statistics-information> | clear ospf io-statistics | NONE |
| <clear-ospf-neighbor-information> | clear ospf neighbor | NONE |
| <clear-ospf-overload-information> | clear ospf overload | NONE |
| <clear-ospf3-database-information> | clear ospf3 database | NONE |
| <clear-ospf3-io-statistics-information> | clear ospf3 io-statistics | NONE |
| <clear-ospf3-neighbor-information> | clear ospf3 neighbor | NONE |
| <clear-ospf3-overload-information> | clear ospf3 overload | NONE |
| <clear-ospf3-statistics-information> | clear ospf3 statistics | NONE |
| <clear-rsvp-session-information> | clear rsvp session | NONE |
| <clear-rsvp-counters-information> | clear rsvp statistics | NONE |
| <clear-idp-application-system-cache> | clear security idp application-identification application-system-cache | <idp-applications-information> |
| <clear-service-msp-flow-table-information> | clear services flows | <service-msp-flow-drain-information> |
| <clear-service-pgcp-gates-gateway> | clear services pgcp gates gateway | <service-pgcp-gates-gateway-drain-information> |
| <clear-service-pgcp-statistics-gateway> | clear services pgcp statistics gateway | <service-pgcp-statistics-gateway-drain-information> |
| <request-ping-l2circuit-interface> | ping mpls l2circuit interface | NONE |
| <request-ping-l2circuit-virtual-circuit> | ping mpls l2circuit virtual-circuit | NONE |
| <request-ping-l2vpn-instance> | ping mpls l2vpn instance | NONE |
| <request-ping-l2vpn-interface> | ping mpls l2vpn interface | NONE |
| <request-ping-l3vpn> | ping mpls l3vpn | NONE |
| <request-ping-ldp-lsp> | ping mpls ldp | NONE |
| <request-ping-lsp-end-point> | ping mpls lsp-end-point | NONE |
| <request-ping-rsvp-lsp> | ping mpls rsvp | NONE |
| <request-ping-vpls-instance> | ping vpls instance | NONE |
| <request-appid-applicationpackage-uninstall> | request services application-identification uninstall | <appid-apppack-uinstall> |
| <check-in-service-upgrade> | request system software validate in-service-upgrade | NONE |
| <get-environment-cip-information> | show chassis environment cip | <environment-component-information> |
| <get-cos-multi-destination-information> | show class-of-service multi-destination | <cos-multi-destination-information> |
| <get-isis-backup-coverage-information> | show isis backup coverage | <isis-backup-coverage-information> |
| <get-isis-backup-lsp-information> | show isis backup label-switched-path | <isis-backup-lsp-information> |
| <get-isis-backup-spf-results-information> | show isis backup spf results | <isis-backup-spf-results-information> |
| <get-mip-wimax-release-information> | show mobile-ip wimax release | <mip-wimax-release-information> |
| <get-evc-infromation> | show oam ethernet evc | <elmi-evc-information> |
| <get-elmi-information> | show oam ethernet lmi | <elmi-interface-information> |
| <get-elmi-statistics> | show oam ethernet lmi statistics | <elmi-interface-statistics> |
| <get-idp-applications-information> | show security idp application-statistics | <idp-applications-information> |
| <get-service-border-signalinggateway-statistics-admission-control> | show services border-signaling-gateway admission-control | <bsg-statistics-admission-control> |
| <get-service-border-signalinggateway-information-by-contact> | show services border-signaling-gateway by-contact | <bsg-information-details> |
| <get-service-border-signalinggateway-information-by-request-uri> | show services border-signaling-gateway by-request-uri | <bsg-information-details> |
| <get-service-border-signalinggateway-statistics-calls> | show services border-signaling-gateway calls | <bsg-statistics-calls-details> |
| <get-service-border-signalinggateway-statistics-calls-failed> | show services border-signaling-gateway calls-failed | <bsg-statistics-calls-failed-details> |
| <get-service-msp-flow-table-information> | show services flows | <service-sfw-flow-table-information> |
| <get-service-pgcp-activeconfiguration-gateway> | show services pgcp active-configuration gateway | <service-pgcp-active-configuration-gateway> |
| <get-service-pgcpconversation-information-gateway> | show services pgcp conversations gateway | <service-pgcp-conversation-gateway-information> |
| <get-service-pgcp-flowtable-information-gateway> | show services pgcp flows gateway | <service-pgcp-flow-table-gateway-information> |
| <get-service-pgcp-gate> | show services pgcp gate | <service-pgcp-gate> |
| <get-service-pgcp-gate-gateway> | show services pgcp gate gateway | <service-pgcp-gate-gateway> |
| <get-services-pgcpd-roottermination-gateway> | show services pgcp root-termination gateway | <services-pgcpd-root-termination-gateway> |
| <get-service-pgcp-terminations-gateway> | show services pgcp terminations gateway | <service-pgcp-terminations-gateway> |
| <get-service-set-pluginsummary> | show services service-sets plug-ins | <service-set-plugin-summary> |
| <get-service-set-tcp-mss-statistics> | show services service-sets statistics tcp-mss | <service-set-tcp-mss-statistics> |
| <get-name-resolution-info> | show system name-resolution | <name-resolution-info> |
[JUNOS XML API Operational Reference]
Related Topics
■
Changes in Default Behavior and Syntax in JUNOS Software Release 9.5 for
M-series, MX-series, and T-series Routing Platforms
■
Issues in JUNOS Software Release 9.5 for M-series, MX-series, and T-series Routing
Platforms
■
Errata and Changes in Documentation for JUNOS Software Release 9.5 for
M-series, MX-series, and T-series Routing Platforms
■
Upgrade and Downgrade Instructions for JUNOS Software Release 9.5 for M-series,
MX-series, and T-series Routing Platforms
Changes in Default Behavior and Syntax in JUNOS Software Release 9.5 for M-series,
MX-series, and T-series Routing Platforms
Class of Service
■
The [edit firewall hierarchical-policer] stanza documented in Chapter 21,
“Configuring CoS on Enhanced IQ PICs,” of the CoS Configuration Guide is new
to JUNOS Release 9.5. [Class of Service]
Layer 2 Ethernet Services
■
Change in dhcp command (MX-series)—The output format of the show dhcp
relay bindings detail command has changed from a tabular display to a line-by-line
display. In addition, a new field, interface-name, was added to the output of this
command. The interface-name field provides the MAC address of a client that is
part of a DHCP relay/DHCP snooping configuration. [Command Reference: Protocols
and Policies]
High Availability
■
New priority hold time—With the priority-hold-time statement at the [edit protocols
vrrp] hierarchy level, you can configure asymmetric behavior for VRRP routers.
When a primary router loses a route, the standby router will become the primary
router. After the formerly primary router (now the standby router) receives the
route, it must wait for the configured time before declaring itself as the primary
router again. [High Availability]
Multicast
■
PIM restriction with nonforwarding instances—You cannot configure PIM
within a nonforwarding instance. If you try to do so, the router displays a commit
check error and does not complete the configuration commit process. [Multicast]
MPLS Applications
■
Hello and hold time intervals for LDP targeted hellos—You can now configure
hello and hold time intervals for LDP targeted hellos. To configure the targeted
hello interval, include the hello-interval seconds statement at the [edit protocols
ldp targeted-hello] hierarchy level. To configure the targeted hello hold time
interval, include the hold-time seconds statement at the [edit protocols ldp
targeted-hello] hierarchy level. For both statements, you can configure an interval
from 1 through 65,535 seconds. [MPLS Applications]
■
IGP LDP synchronization holddown interval—You can now configure the time
LDP waits before informing the IGP that the LDP neighbor and session for an
interface are operational. For large networks with numerous FECs, it might be
necessary to configure a longer value to allow enough time for the LDP label
databases to be exchanged for the session. Specify the time in seconds by
configuring the holddown-interval statement at the [edit ldp igp-synchronization]
hierarchy level. You can configure a value of 10 through 60 seconds. The default
value is 10 seconds. [MPLS]
Routing Protocols
■
Bandwidth-based metric values for OSPF interfaces—Enables you to specify
a set of bandwidth threshold values and associated metric values for an OSPF
interface or for a topology on an OSPF interface. When the bandwidth of an
interface changes, the JUNOS software automatically sets the interface metric
to the value associated with the appropriate bandwidth threshold value. The
JUNOS software uses the smallest configured bandwidth threshold value that is
equal to or higher than the actual interface bandwidth to determine the metric
value. If the interface bandwidth is higher than any of the configured bandwidth
threshold values, the metric value configured for the interface is used instead of
any of the bandwidth-based metric values configured. The ability to recalculate
the metric for an interface when its bandwidth changes is especially useful for
aggregate interfaces.
To configure bandwidth-based metric values, include the bandwidth-based-metrics
bandwidth value metric value statements at the [edit protocols (ospf | ospf3) area
area-id interface interface-name], [edit protocols ospf3 realm (ipv4-multicast |
ipv4-unicast | ipv6-multicast) area area-id interface interface-name], or [edit protocols
ospf area area-id interface interface-name topology topology-name] hierarchy levels.
You must also configure the metric number statement at the [edit protocols (ospf
| ospf3) area area-id interface interface-name], [edit protocols ospf3 realm
(ipv4-multicast | ipv4-unicast | ipv6-multicast) area area-id interface interface-name],
or [edit protocols ospf area area-id interface interface-name topology topology-name]
hierarchy levels.
When configuring bandwidth-based metrics, you would typically configure
multiple bandwidth and metric values as in the example below:
[edit protocols]
ospf {
    area 0.0.0.0 {
        interface ae0.0 {
            metric 5;
            bandwidth-based-metrics {
                bandwidth 2g metric 70;
                bandwidth 1g metric 80;
                bandwidth 3g metric 60;
                bandwidth 4g metric 50;
                bandwidth 5g metric 40;
                bandwidth 6g metric 30;
                bandwidth 7g metric 20;
                bandwidth 8g metric 10;
            }
        }
    }
}
In addition, the show ospf interface detail command has been enhanced so that
the output for the Cost field displays the metric calculated when it is based on
the bandwidth-based metric configuration. [Routing Protocols, Routing Protocols
and Policies Command Reference]
■
Enhancement to show (ospf | ospf3) database advertising-router and clear (ospf
| ospf3) database advertising-router commands—You can now use the self option
with the show (ospf | ospf3) database advertising-router command to display
link-state advertisements (LSAs) generated by the router. You can also use the
self option to discard entries for the LSAs advertised by the router. To do so,
execute the clear (ospf | ospf3) database advertising-router self purge command.
Previously, you had to specify the router identifier of the router to display or
discard self-generated LSAs. [Routing Protocols CR]
■
Limit Bidirectional Forwarding Detection Protocol sessions for OSPF to
neighbors in the full state—Enables you to configure the Bidirectional
Forwarding Detection (BFD) Protocol to establish BFD sessions only for OSPF
neighbors in the full state. By default, BFD sessions are established for all OSPF
neighbors. Include the full-neighbors-only statement at the [edit protocols (ospf |
ospf3) area area-id interface interface-name bfd-liveness-detection] or the [edit
protocols ospf3 realm (ipv4-multicast | ipv4-unicast | ipv6-multicast) area area-id
interface interface-name bfd-liveness-detection] hierarchy level. Logical systems
and routing instances are also supported. [Routing Protocols]
■
Enhancement to show bfd session extensive command—The output of the show
bfd session extensive command displays the TTL value only when the
minimum-receive-ttl number statement for the Bidirectional Forwarding Detection
(BFD) Protocol is configured. The minimum-receive-ttl statement is configured only for BFD
sessions over multihop static routes. If this statement is not configured, the TTL
value is no longer displayed. In addition, the Multi-hop field continues to be
displayed in all cases. [Routing Protocols CR]
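The threshold rule described above for bandwidth-based metrics on OSPF interfaces, worked through in Python as an aggregate loses member links, using the ae0.0 values from this section. This is an added example, not Juniper code; the function names are hypothetical, and the k, m, and g suffixes are assumed to be decimal multipliers of bits per second.

```python
import re

# Assumption: k, m and g are decimal multipliers of bits per second.
UNIT_BPS = {"": 1, "k": 10**3, "m": 10**6, "g": 10**9}

# Constructed stanza that reuses the ae0.0 values shown in this section.
AE0_STANZA = """
interface ae0.0 {
    metric 5;
    bandwidth-based-metrics {
        bandwidth 2g metric 70;
        bandwidth 1g metric 80;
        bandwidth 3g metric 60;
        bandwidth 4g metric 50;
        bandwidth 5g metric 40;
        bandwidth 6g metric 30;
        bandwidth 7g metric 20;
        bandwidth 8g metric 10;
    }
}
"""


def parse_bandwidth(text):
    """Convert a value such as '2g' or '2500m' to bits per second."""
    match = re.fullmatch(r"(\d+)([kmg]?)", text.strip().lower())
    if match is None:
        raise ValueError(f"unrecognised bandwidth value: {text!r}")
    return int(match.group(1)) * UNIT_BPS[match.group(2)]


def parse_interface(stanza):
    """Return (static_metric, sorted [(threshold_bps, metric), ...])."""
    static = re.search(r"(?m)^\s*metric\s+(\d+)\s*;", stanza)
    if static is None:
        # The section requires the metric statement alongside the thresholds.
        raise ValueError("interface has no static metric statement")
    pairs = re.findall(r"\bbandwidth\s+(\S+)\s+metric\s+(\d+)\s*;", stanza)
    thresholds = sorted((parse_bandwidth(bw), int(m)) for bw, m in pairs)
    return int(static.group(1)), thresholds


def select_metric(actual_bps, static_metric, thresholds):
    """Pick the metric of the smallest threshold >= the actual bandwidth.

    If the interface is faster than every configured threshold, the
    statically configured interface metric applies instead.
    """
    for threshold_bps, metric in sorted(thresholds):
        if threshold_bps >= actual_bps:
            return metric
    return static_metric


def metrics_as_links_fail(stanza, member_bps, members):
    """List (members_up, metric) as an aggregate loses links one by one."""
    static_metric, thresholds = parse_interface(stanza)
    return [
        (up, select_metric(up * member_bps, static_metric, thresholds))
        for up in range(members, 0, -1)
    ]


if __name__ == "__main__":
    for up, metric in metrics_as_links_fail(AE0_STANZA, parse_bandwidth("1g"), 10):
        print(f"{up:2d} x 1g members up -> OSPF cost {metric}")
```

The order of the bandwidth statements in the stanza does not matter, because selection depends only on the threshold values.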
Routing Policy and Firewall Filters
■
IPv6 support for the Ethernet type match condition for VPLS and Layer 2
bridging firewall filters—You can now specify ipv6 as a value for the ether-type
statement at the [edit firewall family vpls filter filter-name term term-name from] or
[edit firewall family bridge filter filter-name term term-name from] hierarchy level.
■
Deprecated statements for VPLS and Layer 2 bridging firewall filters—For
VPLS and Layer 2 bridging firewall filters, the vlan variable for the vlan-ether-type
and ether-type match conditions has been deprecated. You can no longer configure
vlan as a value at the [edit firewall family vpls filter filter-name term term-name from
vlan-ether-type], [edit firewall family vpls filter filter-name term term-name from
ether-type], [edit firewall family bridge filter filter-name term term-name from
vlan-ether-type], and [edit firewall family bridge filter filter-name term term-name from
ether-type] hierarchy levels.
NOTE: Only the MX-series routers support the family bridge statement.
[Policy, Layer 2]
■
Enhancement to the show firewall command—The show firewall command
now supports a terse option that enables you to display only the names of firewall
filters. This option displays no other information about the firewall filters
configured on your system. Use the show firewall terse command to verify that
all the correct filters are installed. [Routing Protocols and Policies CR]
Platform and Infrastructure
■
On the M7i Multiservice Edge Router and M10i Multiservice Edge Router
platforms, the Enhanced Compact Forwarding Engine Board (CFEB-E) introduced
in release 9.4 supports the 4-port Gigabit Ethernet Enhanced IQ2 (IQ2E) PIC with
SFP, model number PE-4GE-TYPE1-SFP-IQ2E.
■
Increase in limit to external paths accepted for BGP route target filtering—You
can now specify for BGP to accept up to 256 external paths for route target
filtering. Previously, the maximum number that you could configure was 16.
The default value remains one. To specify the maximum number of external
paths for BGP to accept for route target filtering, include the external-paths number
statement at the [edit protocols bgp family route-target] hierarchy level. This
statement is also supported for BGP groups and neighbors. [Routing Protocols]
Services
■
The show services l2tp radius commands now display when a server belongs
to a profile that is the same for statistics.
Subscriber Access
■
Enabling and disabling DHCP snooping support—You can now explicitly enable
or disable DHCP snooping support on the router. If you disable DHCP snooping
support, the router drops snooped DHCP discover and request messages.
To enable DHCP snooping support, include the allow-snooped-clients statement
at the [edit forwarding-options dhcp-relay overrides] hierarchy level. To disable
DHCP snooping support, include the no-allow-snooped-clients statement at the
[edit forwarding-options dhcp-relay overrides] hierarchy level. Both statements are
also supported at the named group level and per-interface level.
In JUNOS releases 10.0 and earlier, DHCP snooping is enabled by default. In
releases 10.1 and later, DHCP snooping is disabled by default.
[Subscriber Access]
User Interface and Configuration
■
Option added to the file-copy operational request tag element—The
source-address option has been added to the file-copy operational request tag
element. This can be used by a JUNOScript client application to request
information from a routing platform about the local address used in originating
a connection for file copy. [JUNOS XML API Operational Reference]
■
LSP ping interval—You can now specify the time interval for LSP ping messages
when OAM is also configured. To specify the LSP ping interval time, include the
lsp-ping-interval statement at the [edit protocols ldp oam] hierarchy level for
LDP-signaled LSPs and at the [edit protocols mpls oam] hierarchy level for RSVP
LSPs. [MPLS, System Basics Command Reference]
■
The maximum number of aggregated Ethernet interfaces (LAG bundles) is 480
on all MX-series routers. [Network Interfaces, Layer 2 Configuration Guide]
■
Configuration statements for disabling the reporting of ping record route
and timestamp—Two new statements, no-ping-record-route and no-ping-time-stamp,
have been introduced at the [edit system] hierarchy level. Include the
no-ping-record-route statement in the configuration to prevent the Routing Engine
from recording and displaying the route of the ping request packet in the
response. Include the no-ping-time-stamp statement in the configuration to disable
the Routing Engine from recording and displaying the timestamp in the ping
response. By configuring these statements, you can prevent unauthorized users
from discovering information about the PE router and its loopback address.
[System Basics]
■
Limitations to loopback configurations on 10-port Channelized E1/T1 IQE
PICs—While configuring loopback on a 10-port Channelized E1/T1 IQE PIC, it is
possible to simultaneously configure local/remote loopback at the CT1 partition
and payload loopback at the T1 partition. Such a configuration will result in
unpredictable PIC behavior and should not be used. [Network Interfaces]
Related Topics
■
New Features in JUNOS Software Release 9.5 for M-series, MX-series, and T-series
Routing Platforms
■
Issues in JUNOS Software Release 9.5 for M-series, MX-series, and T-series Routing
Platforms
■
Errata and Changes in Documentation for JUNOS Software Release 9.5 for
M-series, MX-series, and T-series Routing Platforms
■
Upgrade and Downgrade Instructions for JUNOS Software Release 9.5 for M-series,
MX-series, and T-series Routing Platforms
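The no-ping-record-route and no-ping-time-stamp statements and the DHCP snooping overrides described in this section can be verified against a saved configuration. The following Python audit is an added example, not Juniper code: the function names and the sample configuration are constructed for illustration, and only the global [edit forwarding-options dhcp-relay overrides] level is inspected, not the named group or per-interface levels.

```python
import re

TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};]+')

# Constructed sample. The statement name appears twice in the text but is
# never in effect: once inside a comment, once marked inactive.
SAMPLE_CONFIG = """
## constructed sample, not taken from a real router
system {
    host-name pe1;
    /* no-ping-record-route; planned for the next change window */
    inactive: no-ping-record-route;
    no-ping-time-stamp;
}
forwarding-options {
    dhcp-relay {
        group subscribers {
            interface ge-1/1/0.10;
        }
    }
}
"""


def strip_comments(text):
    """Remove /* ... */ comments and ## annotations."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"##[^\n]*", "", text)


def _store(node, words, value):
    # Deactivated statements have no effect, so they are not recorded.
    if words and words[0] != "inactive:":
        node[" ".join(words)] = value


def parse(text):
    """Parse curly-brace configuration into nested dicts (leaf -> None)."""
    tokens = TOKEN.findall(strip_comments(text))
    pos = 0

    def block():
        nonlocal pos
        node, words = {}, []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == ";":
                _store(node, words, None)
                words = []
            elif tok == "{":
                _store(node, words, block())
                words = []
            elif tok == "}":
                return node
            else:
                words.append(tok)
        return node

    return block()


def container(tree, *path):
    """Return the container at the given hierarchy path, or {} if absent."""
    node = tree
    for key in path:
        node = node.get(key) if isinstance(node, dict) else None
        if node is None:
            return {}
    return node


def release_tuple(release):
    """Turn a release string such as '9.5R4' into (9, 5)."""
    match = re.match(r"(\d+)\.(\d+)", release)
    if match is None:
        raise ValueError(f"unrecognised release: {release!r}")
    return int(match.group(1)), int(match.group(2))


def audit(config_text, release):
    """Report the effective state of the statements this section describes."""
    tree = parse(config_text)
    system = container(tree, "system")
    overrides = container(tree, "forwarding-options", "dhcp-relay", "overrides")
    if "no-allow-snooped-clients" in overrides:
        snooping = False
    elif "allow-snooped-clients" in overrides:
        snooping = True
    else:
        # Default per this section: enabled through 10.0, disabled from 10.1.
        snooping = release_tuple(release) < (10, 1)
    return {
        "record_route_suppressed": "no-ping-record-route" in system,
        "timestamp_suppressed": "no-ping-time-stamp" in system,
        "dhcp_snooping_enabled": snooping,
        "dhcp_snooping_explicit": bool(
            {"allow-snooped-clients", "no-allow-snooped-clients"} & set(overrides)
        ),
    }


if __name__ == "__main__":
    for release in ("9.5R4", "10.1R1"):
        print(release, audit(SAMPLE_CONFIG, release))
```

A plain text search reports no-ping-record-route as present in the sample, while the hierarchy-aware check shows it is not in effect. The same unmodified configuration also changes DHCP snooping behavior across the 10.1 default change unless an override is set explicitly.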
Issues in JUNOS Software Release 9.5 for M-series, MX-series, and T-series Routing
Platforms
The current software release is Release 9.5R4. For information about obtaining the
software packages, see “Upgrade and Downgrade Instructions for JUNOS Software
Release 9.5 for M-series, MX-series, and T-series Routing Platforms.”
■
Current Software Release
■
Previous Releases
Current Software Release
Outstanding Issues
Class of Service
■
If you try to configure a scheduler map containing two forwarding classes that
are mapped to the same queue, the class-of-service scheduler is not applied to
the Packet Forwarding Engine. As a workaround, configure a single forwarding
class for each available queue. [PR/57907]
■
On the MX960, bandwidth sharing across high priority and strict-high priority
schedulers might not be as expected. This issue occurs when the schedulers are
configured on logical interfaces. [PR/265603]
■
On M Series routers (except M120 and M320), packet classification will not work
on aggregated Ethernet bundles that have LACP enabled. [PR/492057]
Forwarding and Sampling
■
On M320 and T-series routers, when you configure interface output sampling,
packets might travel through the output firewall. As a workaround, configure a
firewall filter on the output interface with then sample and then next-term
statements. The workaround provides the same functionality as the other
configuration, but avoids the problem behavior. [PR/70473]
■
On T-series routers, if an ingress firewall is configured to drop all incoming
multicast packets, the discarded multicast packets are incorrectly sent to the
Routing Engine. This causes a high utilization of the CPU (50 percent) on the
FPC. [PR/239268]
■
The output firewall filter counter does not count packets when a firewall is
configured on the discard interface of an M120 router. [PR/404645]
■
When configuring a routing-instance in a firewall filter on the MX480, the router
might give a warning message "Warning: statement ignored: unsupported
platform.". [PR/421765]
■
Under rare circumstances, if the filter is changed while a counter query is in
progress and the system is under heavy load, the system may crash. [PR/447033]
■
Using the ipv4-template to collect flow monitoring version 9 statistics on ingress
L3VPN PE devices results in the BGP IP next-hop address not being included in the
report. [PR/467403]
■
On rare occasions, the firewall compiler can discard a prefix configured for
accept. This issue depends on the set of prefixes configured for matching across
the various terms. [PR/486633]
■
The blocked-hosts-src term being used before the anti-spoof term in a firewall
filter can cause incorrect firewall filter evaluation. [PR/493356]
High Availability
■
The primary Routing Engine might lose CM/CP information if it loses connectivity
with the redundant Routing Engine (i.e., through disabling GRES or
halting/rebooting the redundant Routing Engine). This can cause a small packet
drop on multicast traffic upon a multicast distribution tree change. [PR/278882]
■
When a static route created using the passive retain option is pointing to a private
interface such as fxp0, the backup router during a GRES might not behave as
expected. As a workaround, do not use the passive retain option to create a static
route to a private interface. [PR/412746]
■
When a Routing Engine switchover occurs at the same time that FRUs are
reconnecting to the Routing Engine, kernel panic may occur. [PR/419966]
■
On a TX Matrix router that has an aggregate SONET (AS) or container interface
(CI) configured, the AS won't come up after an ISSU. All traffic passing through
the AS will be lost after the ISSU. As a workaround, restart the interface or
activate/deactivate the AS/CI after the ISSU. [PR/446984]
Interfaces and Chassis
■
On aggregated SONET/SDH interfaces, the counter for drops and errors in the
show interfaces command output does not display the correct value, because the
counter does not collect data from the constituent interfaces within the aggregate.
[PR/23577]
■
On a 2-port OC12 ATM2 IQ interface, the total virtual path (VP) downtime might
not display correctly in the show interfaces command output. [PR/27128]
■
On M20 and M40 routers, when a physical layer problem affects a SONET/SDH
interface, carrier transition statistics might not increment correctly in the output
of the show interfaces extensive command. [PR/33325]
■
When you configure both the bundle link and constituent links at the [edit
(logical-routers logical-router-name | logical-systems logical-system-name) interfaces]
hierarchy level, the constituent links do not come up. As a workaround, configure
the constituent links at the [edit interfaces] hierarchy level. [PR/35578]
■
On the Channelized STM-1 with QPP PIC, error monitoring for CRC and frame
errors might not work as expected. [PR/39440]
■
When you apply an IPsec firewall filter to match traffic sent across a generic
routing encapsulation (GRE) tunnel and originating from the local routing platform,
the local traffic is dropped. Transient traffic is not affected. [PR/44871]
■
If you configure IS-IS, MPLS, and graceful Routing Engine switchover (GRES) and
a switchover event occurs, the routing platform might end the PPP IP Control
Protocol (IPCP) sessions and renegotiate them if the remote side has changed
interface MTU settings prior to the switchover event. [PR/61121]
■
If you configure graceful Routing Engine switchover and issue the request chassis
routing-engine master acquire command, in rare cases the master Routing Engine
might fail to relinquish mastership, or the switchover to the backup Routing
Engine might take up to 360 seconds. [PR/61821]
■
For Automatic Protection Switching (APS) on SONET/SDH interfaces, there are
no operational mode commands that display the presence of APS mode
mismatches. An APS mode mismatch occurs when one side is configured to use
bidirectional mode, and the other side is configured to use unidirectional mode.
[PR/65800]
■
When the ATM scheduler map is configured, the code does not check if the early
packet discard (EPD) configured on the forwarding class exceeds the maximum
EPD that the hardware supports. [PR/70336]
■
The output of the show interfaces diagnostics optics command includes the "Laser
rx power low alarm" field even if the transceiver is a type (such as XENPAK) that
does not support this alarm. [PR/103444]
■
Hot swapping the M120 router fan tray might cause the Check CB alarm to
activate. [PR/268735]
■
On the JCS 1200, when you issue the clear -config -T switch[1] command using
the management module, the switch module returns to its factory default setting
instead of the Juniper Networks default setting. As a workaround, do not issue
the command. [PR/274399]
■
When the ilmi statement is included at the [edit interfaces interface-name
atm-options] hierarchy level and then a graceful Routing Engine switchover (GRES)
or unified in-service software upgrade (ISSU) event occurs, the show ilmi command
no longer returns any output even though ILMI is configured on the interface.
[PR/282051]
■
On a router with Frame Relay multilink configured on an MS400 PIC or on a
Channelized DS3 PIC, when the minimum links value for the Frame Relay
interface is set to 8 and a link is deactivated from the configuration, the link
remains up. [PR/285244]
■
On the Juniper Control System (JCS) platform, the control and management
traffic for all Routing Engines share the same physical link on the same switch
module. In rare cases, the physical link might become oversubscribed, causing
the management connection to Protected System Domains (PSDs) to be dropped.
[PR/293126]
■
On a Protected System Domain (PSD) configured with a large number of BGP
peers and routes (for example, 5000 peers and a million routes), FPCs might
restart during a graceful Routing Engine switchover. [PR/295464]
■
When two routers are connected via SONET/SDH interfaces that are configured
as container interfaces and the Routing Engine on one router reboots, the
container interfaces on the other router might go down and come up again.
[PR/302757]
■
When forwarding-options is configured without route accounting, a commit will
be successful but will display the following error message: “Could not retrieve
the route-accounting.” This message does not affect any functionality.
[PR/312933]
■
On MX-series routers, MAC address accounting in the egress direction might not
work if traffic is unidirectional and no traffic flows in the reverse direction for a
duration longer than the aging interval. [PR/415146]
■
Under some conditions, if an interface flaps for an interval less than the
hold-down time value configured, the interface might stop forwarding even
though it appears as UP. As a workaround, monitor traffic on the interface or
disable and then enable the interface. [PR/423065]
■
When a backup Routing Engine is replaced after a graceful Routing Engine
switchover (GRES), the device control process (dcd) generates a new link local
address on non-MAC interfaces (such as SONET). [PR/429078]
■
When the show interfaces extensive command is used, some interfaces may not
display the correct value for the Oversized Frames counter. [PR/437176]
■
When you configure the payload port-data statement at the [edit family mpls
hash-key] hierarchy level on M120, MX, or M320 routers with E3 FPCs, the
hashing algorithm might not take the port-data values into account. [PR/442223]
■
When configured for WAN-PHY framing, the ports on the 4-port 10-Gigabit
Ethernet PIC always report zero for path level errors (BIP-B3) in the output of
the show interfaces extensive command. [PR/447653]
■
The primary Routing Engine might fail to connect with the backup Routing Engine
due to an autonegotiation issue with an em1 interface. [PR/461469]
■
Certain Gigabit Ethernet SFPs on MX-series routers may periodically show the
wrong diagnostic information even though they are operating correctly.
[PR/463837]
■
The APS process is fixed to handle the SONET defects when it is in the middle
of switching over correctly. [PR/466649]
■
On an M320 router, the Channelized OC12/STM4 Enhanced IQ PIC supports 2
ports (0 and 2) when configured for eight queues per port. [PR/475008]
■
In some cases during periodic error statistics monitoring, you might see error
messages on adjacent streams. These messages are cosmetic and can be ignored.
[PR/481344]
■
Under certain circumstances, the E3 IQ PIC might give incorrect CCV, CES, and
CSES alarms. [PR/505921]
Layer 2 Ethernet Services
■
Multicast packets received on an AE interface that is part of an IRB will be counted
twice, once for the bridged packet and a second time for the routed packet.
[PR/461923]
■
When inserting a DPC into the chassis, the chassisd log might display an incorrect
error message: "FPC X temperature is -60 degrees C, which is outside operating
range." This message does not impact any functionality. [PR/470512]
MPLS Applications
■
The output of the show mpls lsp route and the show mpls lsp extensive 'Active
Route' counter is incorrect when per-packet load balancing is configured.
[PR/22376]
■
If a cross-connected circuit (CCC) traverses a forwarding-adjacency label-switched
path (LSP), traffic forwarding might be affected. [PR/60088]
■
When you modify the primary path for an MPLS LSP by using the delete protocols
mpls label-switched-path lsp-path-name primary path-name command in
configuration mode, followed by the set protocols mpls label-switched-path
lsp-path-name primary path-name command, and then commit, the entire LSP
(both primary and secondary) is torn down and then rebuilt from scratch. As a
workaround, issue the delete protocols mpls label-switched-path lsp-path-name
primary path-name command in configuration mode followed by the commit.
Then issue the set protocols mpls label-switched-path lsp-path-name primary
path-name command followed by the commit. [PR/62365]
■
When you enable per-packet load balancing on parallel label-switched paths
(LSPs), the output of the show mpls lsp ingress command might display all the
routes on only one of the LSPs even when traffic is evenly balanced across the
LSP. [PR/70487]
■
No p2mp LSPs are reported with the show mpls lsp p2mp command. As a
workaround, enter the show mpls lsp command before you enter the show mpls
lsp p2mp command. [PR/266343]
■
For point-to-multipoint LSPs configured for VPLS, the ping mpls command reports
100 percent packet loss even though the VPLS connection is active. [PR/287990]
■
P2MP LSP branches undergoing make-before-break perform double bandwidth
reservation on the same link while rerouting. [PR/454692]
■
A race condition between MVPN and RSVP p2mp signaling can lead to the
creation of stale flood next hops. [PR/491586]
Network Management
■
tcpdump might crash when receiving malformed IPv6 packets. This has no
impact on actual traffic. [PR/399073]
■
After changes are made to the firewall, and the counters are cleared and
committed, SNMP sends the wrong value for 5 seconds. This creates a discrepancy
between the CLI output and the get snmp output. [PR/459583]
■
The SNMP MIB on jnxFWCounterDisplayName might miss certain policer counters
of firewall filters applied with respect to IFL. [PR/485477]
Platform and Infrastructure
■
If a tunnel destination is in a VPN, with GRE encapsulation the traffic might get
black-holed due to a lookup in the wrong forwarding table. [PR/45035]
■
On T-series platforms, a Layer 2 maximum transmission unit (MTU) check is not
supported for MPLS packets exiting the routing platform. [PR/46238]
■
When you configure a source class usage (SCU) name with an integer (for
example, 100) and use this source class as a firewall filter match condition, the
class identifier might be misinterpreted as an integer, which might cause the
filter to disregard the match. [PR/50247]
■
If you configure 11 or more logical interfaces in a single VPLS instance, VPLS
statistics might not be reported correctly. [PR/65496]
■
When a large number of kernel system log messages are generated, the log
information might become garbled and the severity level could change. This
behavior has no operational impact. [PR/71427]
■
When a Link Services (LS) interface to a CE router appears in the VPN routing
and forwarding table (VRF table) and fragmentation is required, Internet Control
Message Protocol (ICMP) cannot be forwarded out of the LS interface from a
remote PE router that is in the VRF table. As a workaround, include the
vrf-table-label statement in the configuration. [PR/75361]
■
On T-series routing platforms, the commit operation succeeds when you include
the no-labels statement at the [edit forwarding-options hash-key family mpls]
hierarchy level, but MPLS labels are still included in the hash key. [PR/80334]
■
Traceroute does not work when ICMP tunneling is configured. [PR/94310]
■
When the configuration present in 'init.conf' includes values in a nonstandard
order, the init parser returns a syntax error. [PR/94576]
■
If you ping a nonexistent IPv6 address that belongs to the same subnet as an
existing point-to-point link, the packet loops between the two point-to-point
interfaces until the time-to-live expires. [PR/94954]
■
On T-series and M320 routers, multicast traffic with the "do not fragment" bit
set is being dropped due to a low MTU value. The router might stop forwarding
all traffic transiting this interface if the clear pim join command is executed.
[PR/95272]
■
A firewall filter that matches the forwarding class of incoming packets (that is,
includes the forwarding-class statement at the [edit firewall filter filter-name term
term-name from] hierarchy level) might incorrectly discard traffic destined for the
Routing Engine. Transit traffic is handled correctly. [PR/97722]
■
The JUNOS software does not support dynamic ARP resolution on Ethernet
interfaces that are designated for port mirroring. This causes the Packet
Forwarding Engine to drop mirrored packets. As a workaround, configure the
next-hop address as a static ARP entry by including the arp ip-address statement
at the [edit interfaces interface-name] hierarchy level. [PR/237107]
■
Currently, the JUNOS software cannot build outbound serial connections through the
AUX port. [PR/256818]
■
When Periodic Packet Management (PPM) delegation for Bidirectional Forwarding
Detection (BFD) sessions is disabled (the delegate-processing statement is removed
at the [edit routing-options ppm] hierarchy level), the BFD sessions might be
terminated (because a "state is down" message is sent) and reestablished.
[PR/280233]
■
When you perform an in-service software upgrade (ISSU) on a routing platform
with an FPC3 or an Enhanced FPC3 with 256 MB of memory and the number
of routes in the routing table exceeds 750,000, route loss might occur. If route
loss occurs, as a workaround, perform either of the following tasks: (a) replace
the FPC3 or Enhanced FPC3 with another FPC that has more memory, or (b)
after the ISSU is complete, reboot only the FPC3 or Enhanced FPC3. [PR/282146]
■
For Routing Engines rated at 850 MHz (which appear as RE-850 in the output
from the show chassis hardware command), messages like the following might
be written to the system log when you insert a PC Card: “bad Vcc request” and
“Device does not support APM.” Despite the messages, operations that involve
the PC Card work properly. [PR/293301]
■
On a Protected System Domain, under the following conditions an FPC might
generate a core file and stop operating:
■
A firewall policer with a large number of counters (for example, 20,000) is
applied to a shared uplink interface.
■
The FPC that houses the interface does not have a sufficiently powerful CPU.
As a workaround, reduce the number of counters or install a more powerful FPC.
[PR/311906]
■
When a CFEB failover occurs on an M10i or M7i router that has 4000 or more
IFLs, the following message will display:
IFRT: 'IFD ioctl' (opcode 10) failed
ifd 153; does not exist
IFRT: 'IFD Ether autonegotiation config' (opcode 163) failed
The message has no operational impact. When the backup CFEB becomes the
active CFEB, the message will not display. [PR/400774]
■
For tunnel PICs, the following messages may display in /var/log/messages: /kernel:
if_tunnel_cookie_remove no callback!!! This message is harmless and not valid.
[PR/422715]
■
On M320, M120, T-series, and MX-series routers, a traceroute egressing an LSP,
configured for explicit-null and no-decrement-ttl or no-propagate-ttl, might not
show the transit IP hop router immediately after the LSP egress router.
[PR/438735]
■
If the subinterface on an aggregate interface goes down, the GRE traffic egressing
that interface might not use the backup subinterface. This will result in GRE
traffic being dropped. [PR/454751]
■
An overloaded strict-high priority queue might result in loss of high-priority traffic.
[PR/455152]
■
DHCP-related configurations (such as delete bootp server address) under some
rare conditions might generate an FUD core. [PR/458132]
■
On T640 routers, an interface might report LSIF errors/Cell mismatched errors
after it receives an IPv6 packet that has an invalid payload. The interface still
accepts traffic, but discards all outgoing packets. To recover, reboot the FPC on
the T640 and TX-series router. If IPv6 packets with an invalid payload are still transmitted,
the problem will occur again. [PR/470219]
■
When an aggregated SONET interface is configured with cisco-hdlc encapsulation,
a member link may not be marked link down if the remote end of the link is disabled.
[PR/472677]
■
Payload corruption and packet drops might occur for packets bigger than 3000
bytes when MPLS over GRE is configured on a service PIC. [PR/478563]
■
If a duplicate IPv6 address has been configured, every icmp6 packet received
(icmp request, icmp neighbor solicitation, or icmp neighbor advertisement) will
trigger an mbuf leak. Such a duplicate address configuration might not get noticed
at the VRRP backup router, which is not used for data forwarding. Correcting
the configuration and deactivating/activating the interface will stop the mbuf
leak. [PR/481071]
■
Statistics might be updated twice, which causes an inconsistency between ifd
and ifl stats. [PR/486200]
■
Swapping out eight FPCs and replacing them with different FPC types might
cause the kernel to crash when the last FPC is powered on. [PR/502075]
Routing Protocols
■
When you configure damping globally and use the import policy to prevent
damping for specific routes, and a new route is received from a peer with the
local interface address as the next hop, the route is added to the routing table
with default damping parameters, even though the import policy has a nondefault
setting. As a result, damping settings do not change appropriately when the route
attributes change. [PR/51975]
■
If a BGP group is created without any defined peers, a warning message no longer
appears when the configuration is committed. [PR/63279]
■
When you issue the show ldp traffic-statistics command, the following system
log message might be generated for all forwarding equivalence classes (FECs)
with an ingress counter set to zero: "send rnhstats GET: error: ENOENT -- Item
not found." [PR/67647]
■
If ICMP tunneling is enabled on the router and you configure a new logical system
that does not have ICMP tunneling enabled, the feature is globally disabled.
[PR/81884]
■
When the flow of multicast traffic changes because an OSPFv3 link goes down,
the output from the show multicast statistics inet6 command reports incorrect
values in the In kbytes and In packets fields for the new ingress interface.
[PR/234969]
■
When you commit a new configuration for nonstop routing (NSR) on a primary
Routing Engine that differs from the configuration for NSR that is already running
on the backup Routing Engine, the routing protocol process stops functioning
on the backup Routing Engine only. Traffic forwarding is not affected.
[PR/254379]
■
RPD may restart if PIM is configured to run on unnumbered interfaces.
[PR/295319]
■
On routers running OSPF and advertising LSA for a DC-incapable neighbor, the
RPD might crash when the LSA is purged. [PR/406276]
■
OSPF and IS-IS differ in how they handle the addition of a better internal or
external route (smaller IGP metric) into the protocol internal routing table. IS-IS
flushes all next-hop information (including LSP next hops) when learning a better
prefix, despite equal cost LSP tunnels, whereas OSPF does not. However, this
does not cause any issues with respect to load balancing. [PR/408702]
■
The "Keepalive timeout" counter for multicast sessions is not displayed after the
PIM protocol is deactivated and activated. This is a cosmetic issue and there is
no interruption to multicast traffic flow, even though the "Keepalive timeout"
counter is not displayed after the PIM protocol is activated. [PR/419509]
■
Setting the advertise-high-metric option when using IS-IS overload also suppresses
route leaking. [PR/419624]
■
In a router with VPNs configured, modifying or adding to the configuration could
reset the 'age' of the secondary routes to 0. For example, secondary routes are
BGP routes in the .inet.0 table that are learned from the remote PE routers
through BGP and imported into this table. Although the age is reset, these routes
downloaded again to PFEs and there is no impact to traffic forwarding.
[PR/447802]
■
The rpd sporadically dumps the core due to a soft assertion failure. [PR/451021]
■
All locally generated type 5 LSAs will be purged and regenerated when an NSSA
area is deleted from an ABR. [PR/457579]
■
The RPD might crash, which causes BGP sessions to flap. [PR/465624]
■
When an FPC reboots or an interface is temporarily deactivated, two
RPD_PIM_NBRDOWN messages are logged for every PIM neighbor affected;
however, only one RPD_PIM_NBRUP message is logged when the service is
restored. This might lead to inconsistencies in management software.
[PR/472873]
■
When PIM is configured on an interface, it might not process interface mismatch.
This causes MVPN C-multicast traffic to be duplicated. As a workaround, configure
PIM under the main instance. [PR/481476]
■
When PIM is configured on an interface, the router can send the first PIM hello
shortly before the interface comes up. This causes the router to drop the first
outgoing PIM hello message. [PR/482903]
■
During transient periods where both the secondary and primary LSPs exist in
the route table and the number of LSP next hops is greater than 16 in a
multigateway scenario, IS-IS is unaware of the preference. Because of this, it
might remove the preferred LSP next hop. [PR/485748]
Services Applications
■
The show services accounting flow-detail extensive command sometimes displays
incorrect information about input and output interfaces. [PR/40446]
■
On Adaptive Services PICs configured for IPsec tunnel redundancy, if there are
a large number of tunnels, sometimes a few of the tunnels might switch over to
the backup tunnel. [PR/46733]
■
When a routing platform is configured for graceful Routing Engine switchover
and Adaptive Services (AS) PIC redundancy, and a switchover to the backup
Routing Engine occurs, the redundant services interface (rsp-) always activates
the primary services interface (sp-), even if the secondary interface was active
before the switchover. [PR/59070]
■
For Adaptive Services II PICs, even if you do not configure flow collector services,
a temporary file might be created every 15 minutes in the /var/log/flowc/
directory. The file is deleted if there are no clients, and re-created only when a
client connects and attempts to write to the file. [PR/75515]
■
When the PGCP configuration contains values for RTCP traffic management for
sustained-data-rate or peak-data-rate (at the [edit pgcp gateway gateway-name
h248-properties traffic-management sustained-data-rate rtcp] hierarchy level), SIP
calls may fail with error code 500 (Internal Server Error). The default values of
the RTCP SDR and PDR are 5% of RTP's SDR and PDR. If the configuration
overrides these values and sets RTCP's SDR to be higher than the PDR, media
gates for calls will not be created, and the call is rejected with error code 500.
[PR/400618]
■
When you configure L2TP with link fragmentation and interleaving (LFI), the
MultiServices PIC drops a significant number of MLPPP fragments. [PR/401247]
■
With E-CFEB on M7i and M10i routers, when a firewall filter is configured with
an action of sampling and then applied to the interface, all the packets
received on the PIC are corrupt and are dropped. [PR/408802]
■
When you configure overload control for the BGF, you must set the
reject-new-calls-threshold to a value greater than the queue-limit-percentage,
and you must set the reject-all-commands-threshold to a value greater than the
reject-new-calls-threshold. If you do not set these values correctly, the software
resets the values so that they conform to these rules. To view the actual values
enforced by the system, use the show pgcp active-configuration command.
[PR/415614]
■
On a services interface, the mlppp reassembly logic will not do a strict out-of-order
check. In a multi-CPU packet handling environment, packets could be processed
before the first packet. [PR/430296]
■
The clear services stateful-firewall flows command can cause the MSDPC to fail.
This command should be avoided. There is no workaround. [PR/472386]
■
A static route pointing to the destination is incorrectly added for source NAT when
a next-hop style service set is used. [PR/476165]
■
The show services nat pool pool-name command does not work. [PR/493820]
■
When you configure different autonomous-system-types (origin and peer) toward
two v5 servers, the router incorrectly counts the origin as the autonomous system
type for both flow servers. [PR/496954]
Subscriber Access Management
■
RADIUS subscribers with framed-protocol attributes on the server will fail to
authenticate. [PR/424323]
■
WiMAX testing with SBR must be done with transposable IP for HA. Otherwise,
FA-HA authentication will fail with return code 132. [PR/431969]
■
When the Acct-Interim-Interval attribute is sent from RADIUS and the value is
set to 600 seconds, the MX-series router starts sending duplicate records every
2 seconds instead of every 600 seconds. [PR/448456]
■
The router always uses the revert-interval value that is configured at the [edit
access] hierarchy level, and ignores any revert-interval value configured at the
[edit access profile] hierarchy level. If no value is configured, the router uses the
default value of 600 seconds. [PR/454040]
■
RADIUS authentication must be configured in order to use RADIUS accounting.
[PR/488627]
User Interface and Configuration
■
Setting allow-commands show interfaces $ will disable the use of the show interface
command. [PR/55413]
■
The router will not give a warning if the same UID is configured for multiple
users. [PR/55774]
■
The router will allow without warning the deletion of configuration groups with
the allow-configuration and deny-configuration statements. [PR/59187]
■
Performance is considerably slower for users who have permissions controlled
by Juniper-Allow-Commands and/or Juniper-Deny-Commands expressions and have
complex regular expressions configured under these same commands. To help
avoid this problem, define the expressions in the allow-configuration and
deny-configuration commands in a restrictive manner. [PR/63248]
■
When the get-configuration or load-configuration commands are run via JUNOScript,
these events are not recorded in the syslog. [PR/64544]
■
On M20 routers, after a Routing Engine mastership switchover, it might not be
possible to enter CLI configuration mode on the new master Routing Engine.
Also, the request system reboot and request system halt commands do not clearly
fail but do not return the CLI prompt either. [PR/64899]
■
JUNOScript does not support the configuration-text statement. [PR/82004]
■
The logical system administrator can modify and delete master administrator-only
configurations by performing local operations such as issuing the load override,
load replace, and load update commands. [PR/238991]
■
The “replace:” tag is missing from the output when entering the save terminal
command from inside a configuration object. [PR/269736]
■
The primary Routing Engine validates the configuration. During commit
synchronize, the backup Routing Engine will not validate the configuration as it
was already validated by primary Routing Engine. [PR/282896]
■
A user belonging to a login class with limited rights to modify a specific firewall
filter cannot use the insert command to reorder firewall terms. [PR/310872]
■
Users with superuser privileges will sometimes have their access restricted to
view permission only when they log in through TACACS. [PR/388053]
■
Double logging does not occur during load update and commit (load update occurs
on backup Routing Engine). [PR/395716]
■
On the TX Matrix routing platform, automatic rollback might not work as expected
on the backup Routing Engine. [PR/425617]
■
Using the filter config-text in the get-config command results in a syntax error and
the router configuration cannot be returned in ASCII format. [PR/430799]
■
Help page information is not available for the Monitor->Alarms page.
[PR/437377]
■
Core files cannot be deleted when logged in with superuser access privileges
unless the Routing Engine name is included in the path. Core files can, however,
be deleted when logged in as root without specifying the Routing Engine name.
[PR/469168]
■
When commit scripts are used and the configuration contains a policy that uses
an apply-group with a then action of “then community + EXPORT”, the commit
fails. [PR/501876]
■
The load replace command does not consider the allow-configuration configuration.
■
When you modify the frame-relay-tcc statement at the [edit interfaces
interface-name unit logical-unit-number] hierarchy level of a Layer 2 VPN, the
connection for the second logical interface might not come up. As a workaround,
restart the chassis process (chassisd) or reboot the router. [PR/32763]
■
Traffic might not flow when an ATM interface is used as the access circuit on an
M120 router. [PR/255160]
■
For a VRF instance configured for PIM, MVPN, and provider tunnels (the pim and
mvpn statements are included at the [edit routing-instances vpn-name protocols]
hierarchy level and the provider-tunnel statement is included at the [edit
routing-instances vpn-name] hierarchy level), when PIM is deactivated and
reactivated, it fails to install type-5 (source-active) routes in the
instance-name.mvpn.0 routing table. This issue arises only when remote
C-multicast joins are configured on the ingress PE router (as displayed by the
show mvpn c-multicast command). [PR/306983]
■
When you configure inter-AS VPLS with MAC processing at the autonomous
system (AS) boundary router along with multihoming, and if a designated
forwarding AS boundary router fails and then comes back up again, traffic flowing
to the local AS from the other AS’s boundary router might be lost. The loss occurs
in the time period (tenths of a second) during which the old designated forwarding
AS boundary router is taking back the role of designated forwarder. [PR/312730]
■
Under certain circumstances, if BGP is configured as the PE router to CE router
protocol in a Layer 3 VPN routing instance, renaming the routing instance can
cause the PE router to CE router session to stay down. [PR/399275]
■
In Layer 2 CCC scenarios where the packet size is less than 64 bytes, the packets
may be erroneously padded when forwarded through an Ethernet uplink. As a
result, the packet sizes arriving at the remote end will not correspond to the
originally sent packet sizes. [PR/420037]
■
On a BGP L3VPN PE router, with a combination of (1) label-per-next-hop in the
VRFs, (2) configuration of the same IP addresses in different VRFs (3), need for
an indirect next-hops within the VRFs, then label routes with an indirect next-nop
might be created incorrectly in the master instance table "mpls.0." [PR/436404]
■
On MX-series, M120. and EIII FPCs on M320 routers, the ISO/Connectionless
Network Service (CLNS) packets over the translational cross-connect (TCC) are
dropped in the case of Frame Relay, even though the family TCC has been
configured to switch family iso on the Frame Relay interface. [PR/462052]
■
When different prefixes are advertised to the same source by different PE routers,
an egress PE router cannot pick the lower prefix route for RPF when the PE router
advertising the higher prefix loses its route to the source. [PR/493835]
VPNs
Resolved Issues in JUNOS Release 9.5 for M-series, MX-series, and T-series Routers
Class of Service
■
When you configure a specific classifier for a logical unit, it does not override
the fixed classifier configured using wildcards. [PR/68888]
■
If you ping a nonexistent IPv6 address that belongs to the same subnet as an
existing point-to-point link, the packet loops between the two point-to-point
interfaces until the time-to-live expires. [PR/94954]
■
Bandwidth on any IFL configured on an IFD should always be less than or equal
to that of the speed on the respective IFD. This fix addresses the issue only on
Ethernet devices. If bandwidth is not configured on the IFL, it will be set to the speed
of the IFD. [PR/426469]
■
On an MX960 with a significant number of DPCs (more than 8), even if they are
unconfigured, the output of the show interface extensive command can be very slow
if SCU/DCU is configured for some units. [PR/449034]
■
The show dhcp binding interface interface-name command does not work properly
when an MX-series Router is configured as a DHCP server.
■
If you configure a label-switched path (LSP) with the no-cspf statement at the
[edit protocols mpls] hierarchy level, the LSP might cycle up and down several
times before stabilizing. [PR/10415]
■
On M-series routers, if you disable and then enable IPv6 on an interface, routing
on that interface will no longer work. [PR/459781]
Interfaces and Chassis
Layer 2 Ethernet Services
MPLS Applications
Platforms and Infrastructure
■
On a Monitoring Services III PIC configured as a dynamic flow capture (DFC)
interface (dfc-fpc/pic/port), when you configure the DFC interface as the next
hop in a forwarding path, port-mirrored packets might become corrupted.
[PR/60799]
■
On M320 and T-series routing platforms, a process monitors FPCs while they
transition to an online state. If an FPC is busy and cannot complete the transition
within the time limit, the process might time out and prevent the FPC from
coming online. [PR/72364]
■
On the Routing Engine on the line-card chassis of the TX Matrix router, sometimes
the reboot will fail due to an incorrect NTP query. [PR/450217]
■
If you configure a lot of VRF prefixes with the l3vpn-composite-nexthop statement
and a lot of link flaps occur, the jtree might become corrupted. This corruption
triggers traffic black-holing. Other symptoms of this include the router sending
VPN MPLS traffic with stale MPLS label information or running out of Layer 2
descriptors after many flaps. [PR/468584]
■
An FPC may stop forwarding traffic when an aggregate interface flaps and the
router is using per-prefix load balancing (default configuration) for some prefixes.
For this issue to occur, the aggregate interface must flap. The more likely scenario
occurs when the aggregate interface is configured with just a single link (that
flaps) and per-prefix load balancing is used. This issue can be avoided by using
a load-balancing per-packet policy for all prefixes (per-flow load balancing) and/or
not having aggregate interfaces flap. The most likely aggregate interface to flap
is one with a single member link. [PR/477326]
■
The CLI allows you to commit a configuration that specifies a value higher than
32 for the metric statement at the [edit protocols dvmrp interface all] hierarchy
level; however, values higher than 32 are invalid. [PR/33429]
■
If a router receives a Pragmatic General Multicast (PGM) Source Path Message
(SPM), it does not create a forwarding cache, nor does it forward the message
to other routers as a heartbeat, as specified in RFC 3208. Also, the router’s
multicast cache might time out if it does not receive actual PGM data (ODATA)
for more than 6 minutes. As a workaround, configure the PGM source application
to send PGM ODATA at least once every 6 minutes. The ODATA acts as the
heartbeat message in lieu of the SPM messages and ensures that the multicast
and forwarding caches are created and updated. [PR/37504]
■
When you configure the l3vpn-composite-nexthop statement at the [edit
routing-options] hierarchy level and issue the commit command, the BGP session
is immediately restarted. [PR/292173]
■
When the state for an IGMP group is exclude and the source list is non-empty, the
traffic for the excluded sources will still be received and sent as if it were in the
exclude state. [PR/422190]
■
The router might crash if a nonexistent table is referenced when using the
rib-groups statement. [PR/467332]
■
If a reject route is present for the address of a Multicast Source Discovery Protocol
(MSDP) SA originator, the routing protocol process (RPD) might crash.
[PR/469142]
■
When a dampened route is restored, the accepted counter for the peer in the
show bgp summary command output is not shown. [PR/473567]
■
Sometimes the closing tag for route-family is missing in the output of the show
multicast route extensive | display xml statement.
■
Application layer gateways (ALGs) might cause memory corruption when certain
flows in the session are closed ahead of the main initiator flow. [PR/475436]
Routing Protocols
Services Applications
■
When a standard application is specified at the [edit security idp idp-policy
policy-name rulebase-ips rule-name match application] hierarchy level, IDP does not
detect the attack on a nonstandard port (for example, junos:ftp on port 85). Whether
it is a custom or predefined application, the application name does not matter.
IDP simply looks at the protocol/port from the application definition. Only when
traffic matches the protocol/port does IDP try to match/detect against the
attached attack. [PR/477747]
Subscriber Access Management
■
When dynamic IP address assignment is configured, if there is only one address
left in the address allocation pool and an attempt to authenticate with a service
fails (because, for example, the authentication request specifies an invalid service
name), a subsequent authentication attempt for the service also fails. The
following messages might appear in the log for the authentication process (authd):
"assigned address address in use, trying next available" and "Unable to assign
an address." [PR/305516]
User Interface and Configuration
■
The message from jcs:syslog() is visible after the rest of the system log.
[PR/449778]
■
The J-Web interface will not display the USB option under
Maintain->Reboot->Reboot from Media. [PR/464774]
Previous Releases
Resolved Issues for JUNOS Release 9.5R3
Class of Service
■
In the cosd logs for JUNOS Release 9.4R1, "entries" is misspelled as "enteries."
[PR/439993]
■
When an Intelligent Queuing PIC is taken offline and back online again, the
chassis scheduler map might change to [95,0,0,5]. As a workaround, deactivate
the chassis scheduler map before taking the PIC offline and then activate the
chassis scheduler map after the PIC comes online. [PR/444543]
■
When a classifier is applied on a services PIC logical interface, a commit warning
is issued stating that the classifier is not supported on this interface. [PR/448913]
Forwarding and Sampling
■
On M320 and T-series routing platforms, when you configure interface output
sampling, packets sometimes might travel through the output firewall. As a
workaround, configure a firewall filter on the output interface with then sample
and then next-term statements. The workaround provides the same functionality
as the other configuration, but avoids the problem behavior. [PR/70473]
■
On T-series routers, if an ingress firewall is configured to drop all incoming
multicast packets, the discarded multicast packets are sent to the Routing Engine
incorrectly. This causes a high utilization of the CPU (50%) on the FPC.
[PR/239268]
■
When configuring a routing instance in a firewall filter, the router will give the
warning message “Warning: statement ignored: unsupported platform.”
[PR/421765]
■
Upon changing policers on an aggregated Ethernet interface, the DPC might
reboot. [PR/431635]
■
When you issue the show chassis ethernet-switch statistics command on a routing
platform with graceful Routing Engine (GRES) switchover enabled, the two Routing
Engines might be unable to exchange information for about 2 seconds.
[PR/233779]
■
On the Channelized STM-1 with QPP PIC, error monitoring for CRC and Frame
Errors might not work as expected. [PR/39440]
■
When you configure ILMI on an ATM interface (include the ilmi statement at the
[edit interfaces interface-name atm-options] hierarchy level) and a graceful Routing
Engine switchover (GRES) or unified in-service software upgrade (ISSU) event
occurs, the show ilmi command no longer returns any output. [PR/282051]
■
On a router with Frame Relay multilink configured on a MultiServices 400 PIC
or on a Channelized DS3 PIC, when the minimum links value for the Frame
Relay interface is set to 8 and a link is deactivated from the configuration, the
link remains up. [PR/285244]
■
The XML output is not correct when the VRRP track interface is configured.
[PR/414734]
■
Under some conditions, if an interface flaps for an interval less than the hold
down time value configured, an interface might stop forwarding even though it
shows as being UP. As a workaround, enable traffic monitoring on the interface
or enable and disable the interface. [PR/423065]
■
Upon changing policers on an Aggregate Ethernet interface, the DPC might reboot.
[PR/431635]
■
For some interfaces, when configured with the WAN-PHY framing mode, the
monitor interface command might be missing some counters. [PR/435775]
High Availability
Interfaces and Chassis
■
Too many ATM2 error interrupts might cause the FPC to panic. [PR/438073]
■
When you configure the payload port-data statement at the [edit family mpls
hash-key] hierarchy level on M120, MX-series, or M320 platforms with E3 FPCs,
the hashing algorithm might not take the port-data values into account.
[PR/442223]
■
On M-series routers, BGP sessions flap when any configuration change (even an
irrelevant one) happens. As a workaround, make the difference between the configured
MRRU and MTU greater than eight. [PR/442688]
■
If VRRP tracks a cloned route, the cloned route will always be treated as
down. The reason is that the unicast cloned routes are not added to the routing table.
[PR/446408]
■
When you configure graceful Routing Engine switchover (GRES) on MX-series
routers, the Switch Interface Board (SIB) might not initialize if you reboot both
Routing Engines simultaneously or reboot a router with only one Routing Engine
installed. [PR/408359]
■
When you modify the primary path for an MPLS LSP by using the delete protocols
mpls label-switched-path lsp-path-name primary path-name command in
configuration mode, followed by the set protocols mpls label-switched-path
lsp-path-name primary path-name command, and then issue the commit command,
the entire LSP (both primary and secondary) is torn down and then rebuilt from
scratch. As a workaround, issue the delete protocols mpls label-switched-path
lsp-path-name primary path-name command in configuration mode followed by
the commit command. Then issue the set protocols mpls label-switched-path
lsp-path-name primary path-name command followed by the commit command.
[PR/62365]
■
When there are more than five link-protected or node-link-protected LSPs to the
same destination and per-packet load balancing is enabled, some bypass next
hops might not be part of the active route. This can occur after a primary link
goes down and comes back up. [PR/259219]
■
The mplsResourceTunnelTable reports bandwidth in bps instead of kbps.
[PR/432716]
■
MPLS LSP auto-bandwidth adjustment may stop working while RSVP signals for
the path; either optimization is initiated or the LSP goes down. [PR/438157]
■
When the SNMP get response is larger than 9 KB, a "Message too long" log is
reported but no SNMP get response failure with the code "tooBig" is sent back to
the source. [PR/389559]
■
tcpdump might report a max-response-time within IGMP in seconds while it is
presenting units of 1/10th of a second. [PR/424618]
Layer 2 Ethernet Services
MPLS Applications
Network Management
Platform and Infrastructure
■
On T-series routing platforms, the commit operation succeeds when you include
the no-labels statement at the [edit forwarding-options hash-key family mpls]
hierarchy level, but MPLS labels are still included in the hash key. [PR/80334]
■
After an ISSU software upgrade on the MX-series router, you might see a kernel
database replication error, ISSU prepare timeout, and a core dump. These
problems might be due to issues with allocated schedulers after the ISSU. This
issue is seen only with Gigabit Ethernet Enhanced Queuing IP Services DPCs.
[PR/427694]
■
If a BGP group is created but without any defined peers, a warning message
appears when the configuration is committed. [PR/63279]
■
Reverse OIF mappings are lost when you add or delete an interface set of
multicast VLANs when subscriber VLANs are active. [PR/423376]
■
When reverse OIF mapping is enabled on multicast VLAN interfaces,
reverse OIF mappings to DHCP subscriber interfaces are lost if the routing
protocol process gracefully restarts. [PR/438930]
■
When the l3vpn-composite-nexthop statement and the multipath vpn-unequal-cost
statement at the [edit routing-options] hierarchy level are configured together, the
routing process may crash during the multipath calculation for destinations that
contain both composite and non-composite eligible paths. [PR/448745]
■
The output of the show services nat pool command displays duplicate entries for
a single Network Address Translation (NAT) pool. [PR/34678]
Routing Protocols
Services Applications
Subscriber Access Management
■
Incorrect reverse OIF mappings can be created when a multicast VLAN interface
with reverse-OIF mapping enabled receives a join request from a DHCP subscriber
and both of the following are true: A valid route to the subscriber is not present
and another route's subnet mask overlaps the address of the subscriber interface.
[PR/416774]
■
On MX routers, WiMAX testing with SBR must be done with Non-Transposable
IP for high availability (HA). Otherwise FA-HA authentication will fail with return
code 132. [PR/431969]
VPNs
■
On a BGP Layer 3 VPN provider edge router with a combination of (1) label per
next hop in the VRFs, (2) configuration of the same IP addresses in different
VRFs, and (3) a need for indirect next hops within the VRFs, label routes
with an indirect next hop may be created incorrectly in the master instance table
"mpls.0." [PR/436404]
■
After the ingress PE router for an NG MVPN instance performs a GRES event,
the egress PE routers could fail to install a new forwarding state for the multicast
traffic. Clearing the BGP session on the ingress router can restore traffic to all
egress routers. [PR/441392]
■
The VPLS instance on the MX960 router does not learn the remote CE MAC
address after issuing the clear vpls mac-address command. [PR/476020]
Resolved Issues for JUNOS Release 9.5R2
Class of Service
■
In JUNOS Release 8.4 and later, the commit or commit check operation fails if a
rewrite rule is defined both at the [edit class-of-service interfaces interface-name
unit logical-unit-number rewrite-rules] hierarchy level and in a configuration group
(defined at the [edit groups] hierarchy level) that is applied to that interface. The
correct behavior is for the directly applied rule to override the rule inherited from
the configuration group. [PR/261229: This issue has been resolved.]
■
When you set the port speed of a Multi-Rate SONET Type 2 PIC to OC3, it does
not correctly change the CoS speed value within the Packet Forwarding Engine.
The speed value remains OC12, which results in unexpected CoS behavior. There
is no workaround. [PR/279617: This issue has been resolved.]
■
When a CoS classifier is applied to a logical unit with a wildcard (*), the default
classifier is removed after the Routing Engine reboots. [PR/427848: This issue
has been resolved.]
■
A packet drop is seen when a logical unit is configured with the per-unit-scheduler.
[PR/429961: This issue has been resolved.]
■
On M320 routers, when the Tunnel PIC is on a standard FPC, multicast traffic
conforming to Internet draft-rosen-vpn-mcast-08.txt might be subject to incorrect
CoS queuing and rewrite. [PR/433142: This issue has been resolved.]
■
The CoS DSCP classifier might not work properly on a redundant LSQ interface.
[PR/435701: This issue has been resolved.]
■
After the aggregate chassis configuration is deactivated then activated, the
classifier might not be properly applied on aggregate interfaces. [PR/442240:
This issue has been resolved.]
■
The OC3/12 Multi-Rate PIC may not be able to transmit any packet. [PR/444077:
This issue has been resolved.]
■
When an Intelligent Queuing PIC is taken offline and brought back online, the
chassis scheduler map configured may be changed to [95,0,0,5]. The workaround
is to deactivate the chassis scheduler map before taking the PIC offline and
activate the configuration after the PIC comes online. [PR/444543: This issue
has been resolved.]
Forwarding and Sampling
■
When a filter term has "next term" as the action, the action may be shown in
the firewall log as "unknown" for the matched outgoing packets. [PR/421810:
This issue has been resolved.]
■
If (1) an input-list or output-list is configured on an interface in a logical system,
(2) the filters in the list are defined under the firewall hierarchy of the main
router, and (3) a prefix list defined under the policy-options of the main router
is referenced by one of the filters in the list, the commit will fail with the error
message "Referenced prefix-list xxx is not defined." [PR/427253: This issue has
been resolved.]
■
When attempting to use a framed route from a RADIUS client, rpd may core if
there is no static route table. [PR/432447: This issue has been resolved.]
■
In a TX Matrix router, the show chassis fpc fpc-number command returns an error
instead of showing FPC information when the FPC number is greater than 8.
[PR/387956: This issue has been resolved.]
■
When you reboot an FPC while it is coming online and the FPC adding process
is interrupted before it successfully completes, the chassis process does not
operate properly. [PR/400676: This issue has been resolved.]
■
When traffic is passed at near maximum throughput to any queuing IQ2 or IQ2E
PICs or DPCs, the show interfaces xe-fpc-pic-port extensive command output for
queue counters might be incorrect. [PR/401431: This issue has been resolved.]
■
Incorporating any changes in the interfaces configuration results in a small leak
in the dcd process. The leak is at the rate of 16 bytes per interface configured
per commit. [PR/411596: This issue has been resolved.]
■
When you configure LACP on an aggregated Ethernet interface, the counters
displayed by the show interface extensive command might show unexpected
values. This problem occurs for logical interfaces that have an incoming interface
index value that matches the default index of the data stream. [PR/418054: This
issue has been resolved.]
■
On the M320 router, clearing statistics with the clear interfaces statistics command
might take up to 10 seconds. [PR/421520]
■
The PPP MTU value of an interface protocol on a peer might change as a result
of an irrelevant configuration change and cause the PPP MTU negotiation to fail.
[PR/421706: This issue has been resolved.]
■
Using disable under an aggregate member can lead the interface to be flagged
in the “HARDDOWN” state despite being physically up. Deactivate/activate the
interface to fix the problem. [PR/422933: This issue has been resolved.]
General Routing
Interfaces and Chassis
■
During the Switching and Forwarding Module (SFM) switchover process, the
algorithm to switch over the SFM and take the FPC offline does not clear the
hard and soft errors on each FPC. [PR/433616: This issue has been resolved.]
■
In the output of the show chassis pic fpc-pic-slot command, the 40 port Gigabit
Ethernet DPC with SFP might be shown erroneously as 1000LH instead of
1000EX. [PR/438753: This issue has been resolved.]
■
When the same logical interface is deleted from the default system and added
into the logical system, the Routing Engine might fail. [PR/441284: This issue
has been resolved.]
■
When the sum of the shaping rate for the logical interfaces for a physical interface
is greater than the physical interface's bandwidth and a rate limit is applied to
one of the logical interface queues, the bandwidth limit for the queue will be
based on a scaled down logical interface shaping rate value rather than the
configured logical interface shaping rate. [PR/441413: This issue has been
resolved.]
■
When the ingress router re-signals an RSVP session, traffic could egress a disabled
SONET interface that is part of an APS group using container interfaces. Switching
the APS interfaces resolves the problem. [PR/443295: This issue has been
resolved.]
■
Upon issuing the clear dhcp relay bindings all command, not all access-internal
routes are deleted from the route table for DHCP subscribers being terminated
on dynamic demux interfaces. The routes point to demux interfaces that are no
longer present. Associated ARP entries and DHCP bindings appear to be properly
cleared. [PR/425279: This issue has been resolved.]
■
The relay-option-60 configuration stops working under a configured group if
something else is changed under that group. [PR/434373: This issue has been
resolved.]
■
After the MX-series router reboots, no DHCP packets reach the JDHCPD log.
[PR/438269: This issue has been resolved.]
■
On an M-series or T-series router, when an MPLS label-switched path (LSP)
re-optimizes or changes path and there is a signaling failure along that path, then
the path change will not happen until the next LSP re-optimization event.
[PR/401343: This issue has been resolved.]
■
The load-balancing spread is affected when both the primary and the first
secondary LSP are out of commission. [PR/422596: This issue has been resolved.]
■
For JUNOS Release 9.5 and later, when the show mpls lsp p2mp statistics egress
command is entered, the Packets and Bytes fields should display as "NA" for
egress LSP sessions. The statistics should display meaningful numbers only for
ingress and transit LSP sessions. Instead, the fields display as 0 with the show
mpls lsp p2mp statistics egress command. This is changed to NA after including
the no-tunnel-services statement at the [edit routing-instances vpls1 protocols vpls]
hierarchy level. [PR/429001: This issue has been resolved.]
Layer 2 Ethernet Services
MPLS Applications
■
If you have disabled the trap statement at the [edit protocols ldp log-updown]
hierarchy level, upgrading to JUNOS Release 9.2 and later from a release previous
to 9.2 will fail. [PR/432003: This issue has been resolved.]
■
When subagents are slow in responding to SNMP queries, the SNMP process
continues to buffer the incoming SNMP requests. SNMP memory becomes
exhausted after the buffer increases to a bigger value, which causes the SNMP
process to dump core. [PR/430106: This issue has been resolved.]
■
When Routing Engine 1 (RE1) is reloaded, the Management Information Base II
(MIB II) process (mib2d) dumps core. [PR/436218: This issue has been resolved.]
■
When the master SNMP process (snmpd) restarts on a TX Matrix platform, the
SNMP subagent running on the line-card chassis (LCC) chassis process (chassisd)
tries to register MIB objects with the master snmpd. If the registration
enters an infinite loop, it causes high CPU utilization by the master snmpd.
[PR/438085: This issue has been resolved.]
■
On M320 and T-series routing platforms, when you configure the local gateway
of an IPsec tunnel in a routing instance, IPsec might not function properly over
a generic routing encapsulation (GRE) tunnel. [PR/73864: This issue has been
resolved.]
■
On MX-series platforms using Routing Engine-based sampling, when samples
are sent from the Packet Forwarding Engine to the Routing Engine over certain
interfaces, the interface Input/Output index and next-hop address are set to 0.
The following interfaces are affected: ge-x/0/y, ge-x/1/y, xe-x/2/0, and xe-x/3/0.
It is not possible in this case to match on the interface index to retrieve data
from the flow collector. [PR/286089: This issue has been resolved.]
■
If a duplicate address is detected for the IPv6 family on an Ethernet interface,
the DAD is not restarted even after the interface goes down and comes back.
[PR/421241: This issue has been resolved.]
■
On the M320 router, clearing statistics with the clear interfaces statistics command
might take up to 10 seconds. [PR/421520: This issue has been resolved.]
■
On M10i routers with I-chip based E-CFEBs, IQ2 PIC ISSU is not supported. Take
the IQ2 PIC offline before initiating ISSU on M10i routers. [PR/421988: This issue
has been resolved.]
■
When you configure an aggregate Ethernet interface as unnumbered, the router
might fail. As a workaround, do not configure aggregate Ethernet interfaces with
unnumbered addresses. [PR/428345: This issue has been resolved.]
■
On MX-series Ethernet Services routers, the FPC might reboot without a core
dump when the DWDM is incorrectly configured, and that incorrect configuration
causes many link flaps. As a workaround, either disconnect the offending link
or include the disable statement at the [edit interfaces] hierarchy level to stop
the FPC reboots. [PR/430703: This issue has been resolved.]
Network Management
Platform and Infrastructure
■
When configuring proxy-arp on unnumbered interfaces, the router can incorrectly
answer address-collision-detection ARP requests, causing DHCP clients to decline
the offered address. [PR/431192: This issue has been resolved.]
■
When you configure flow monitoring on a T1600 router with a T640 or T1600
Enhanced Scaled FPC4, if both input and output traffic are located on the same
bottom Packet Forwarding Engine, the next-hop address and output interface
are set to 0. [PR/431567: This issue has been resolved.]
■
On MX-series and M120 routers, and M320 routers with an Enhanced III FPC,
if the VRF configuration includes the vrf-table-label statement, a DPC or FPC might
dump the core when an MPLS packet with time-to-live (TTL) equal to 0 (zero) or
1 (one) is processed at the egress provider edge (PE) router. [PR/436017: This
issue has been resolved.]
■
The Address Resolution Protocol (ARP) retry count might be incorrect: instead
of sending out the first five retries every second, the third and subsequent retries
might be sent out every 15 seconds. [PR/436580: This issue has been resolved.]
■
On an MX-series platform with a Combo DPC (20-port 1-Gigabit Ethernet 2-port
10-Gigabit Ethernet), if the family mpls statement is included at the [edit interfaces
interface-name unit logical-unit-number] hierarchy level for the 1-Gigabit Ethernet
port of a DPC slot, the show interfaces statistics command reports zero values
for input traffic at all ports. This issue does not affect the input traffic statistics
for the 10-Gigabit Ethernet ports. This is a cosmetic issue and does not affect
functionality. [PR/436653: This issue has been resolved.]
■
SCU configuration causes the PFE to drop some host-bound packets on M320
and T-series routers. [PR/438261: This issue has been resolved.]
■
Under certain circumstances Intelligent Queuing PICs might not be able to boot
properly on E3-FPCs. [PR/438678: This issue has been resolved.]
■
When certain FPCs (T1600-FPC4-ES, T640-FPC4-1P-ES, T640-FPC1-ES,
T640-FPC2-ES, and T640-FPC3-ES) receive corrupted cells via high-speed links,
they might unnecessarily reboot and report the following system log error
message: “Unrecoverable Error: Flist gtop bit toggled !”. No reset is needed to
recover from this condition. [PR/441844: This issue has been resolved.]
■
On T1600, TX Matrix, or T640 routers running JUNOS Release 9.3 or higher
with one of the following Flexible PIC Concentrators (FPCs):
■
T1600-FPC4-ES
■
T640-FPC4-1P-ES
■
T640-FPC4-ES
■
T640-FPC1-ES
■
T640-FPC2-ES
■
T640-FPC3-ES
jtree memory might get corrupted once routes are deleted while traffic is sent to
those prefixes. This can result in permanent or transient packet drops.
One or more of the following messages might get logged in the system log:
■
SRCHIP(1): 131072 Discards - stack underflow
■
SRCHIP(1): 129735 Discards - truncated key - next hop
■
SRCHIP(1): SOF (58) >= DMA length (46) (Read Channel
■
SRCHIP(1): RKME int_status 0x300
■
SRCHIP(1): 4670347 Multicast list discard route entries
■
SRCHIP(1): 14486 Discards - illegal BTT
■
SLCHIP(1): 1617082 new errors (illegal link) in DESRD last stream 0 last lout_key
0xabd0e
■
SLCHIP(1): 1622998 new errors (packet error) in HDRF, lout_hdrf_poll_stats
There is no workaround and an FPC reboot might be needed to recover. [PR/443171:
This issue has been resolved.]
Routing Protocols
■
Deactivation of routing instances might cause the routing protocol process (rpd)
to create a soft assertion core dump. [PR/396122: This issue has been resolved.]
■
If a multiaccess interface is disabled, after a Routing Engine switchover this
disabled link is advertised in the router link-state advertisement (LSA).
[PR/418559: This issue has been resolved.]
■
If OSPF is in overload mode on the standby Routing Engine but not in overload
mode on the primary Routing Engine, it may take a long time to install OSPF
routes on the standby Routing Engine. [PR/421636: This issue has been resolved.]
■
Community types are allocated at random to the members in the community
list; as a result, sometimes extended communities are treated as simple and vice
versa, which causes problems with the VRF import code. [PR/430728: This issue
has been resolved.]
■
If a static route pointing to discard is configured, a core dump occurs when the
router tries to collect the multicast statistic data. [PR/434298: This issue has been
resolved.]
■
BGP in L3VPN will show “local-id 0.0.0.0” in output from the show bgp neighbor
command when NSR is enabled. [PR/434321: This issue has been resolved.]
■
When you configure support for alternate loop-free routes through the
link-protection statement and you configure PIM join-load-balance, the backup
paths will be used in load-balancing PIM joins along with the active path.
[PR/434996: This issue has been resolved.]
■
With BGP multipath configured, BGP traceoption flags may not be refreshed after
a change in the traceoption flag configuration. [PR/436440: This issue has been
resolved.]
■
Embedded RP is not created upon receiving a trigger from multicast traffic.
Deactivating and activating the configuration solves the issue. [PR/437893: This
issue has been resolved.]
■
If PIM is disabled, embedded rendezvous point (RP) configurations might cause
continuous routing protocol process (rpd) cores. [PR/438159: This issue has been
resolved.]
■
When you configure auto-rp, if the rendezvous point (RP) configuration is
deactivated and then reactivated on the provider edge router, the router fails to
rediscover the RP announced by the customer edge router. [PR/438356: This
issue has been resolved.]
■
If a RIB is referenced within the from clause of a policy statement, the statement
might be changed on every commit. This can lead to route flaps on every commit
if the statement is used as the import policy for a RIB group, which in turn is
referenced in OSPF. [PR/441557: This issue has been resolved.]
■
RPD may crash if a VRF routing instance is reconfigured in a single commit from
Draft-Rosen MVPN to Next-Gen MVPN with RSVP-TE inclusive provider tunnels.
[PR/442391: This issue has been resolved.]
■
When you configure the path-selection always-compare-med statement at the [edit
protocols bgp] hierarchy level, BGP multipath might not find all the eligible paths.
[PR/444629: This issue has been resolved.]
■
The TTL for the BGP listen socket was changed from 64 to 255 to support the
Generalized TTL Security Mechanism (GTSM). [PR/449160: This issue has been resolved.]
Services Applications
■
When using L2TP services on M-series routers, every session or tunnel connection
and disconnection will leak memory. [PR/312961: This issue has been resolved.]
■
When the IDP config, service-sets, and interfaces are committed separately, the
IDP policy push will fail. [PR/434624: This issue has been resolved.]
User Interface and Configuration
■
When you set the time-zone statement at the [edit system] hierarchy level, it
might cause the backup Routing Engine to lock the configuration. As a result,
you would no longer be able to reboot the Routing Engine or perform any
commits. To clear the issue, you must log on to the backup Routing Engine and
issue the clear system commit command. [PR/309100: This issue has been
resolved.]
■
In JUNOS Release 9.5, the time it takes to commit a configuration is significantly
improved when the configuration is very big (for example, for 250K firewall
filters or 64K IFLs). With small or medium configurations, however, the
improvement in commit time is not as noticeable, or commits might even seem slower
because of features added in JUNOS Release 9.5. [PR/417957: This
issue has been resolved.]
■
The dynamic-db policies feature works under logical systems but requires a restart
of the logical router after any changes or commits to the dynamic policy
configuration under the [edit logical-systems] hierarchy level in the dynamic
database. [PR/418969: This issue has been resolved.]
■
When you issue the commit confirmed command on a TX Matrix platform, it
might not roll back to the original configuration as expected when the commit
is not confirmed. [PR/425642: This issue has been resolved.]
■
Trying to use the system-generated certificate that is displayed in the J-Web interface
results in commit errors. [PR/432208: This issue has been resolved.]
■
When you configure trace options at the [edit system scripts] hierarchy level, the
router sometimes produces commit errors. [PR/438289: This issue has been
resolved.]
VPNs
■
Applying configuration changes that remove a static point-to-multipoint LSP and
a static MVPN provider tunnel group configuration can cause the routing protocol
process (rpd) to reset unexpectedly. To avoid this problem, first delete the
provider-tunnel configuration, then the LSP configuration. [PR/288456: This issue
has been resolved.]
■
When you delete a Layer 2 VPN routing instance and add a new VPLS routing
instance using the same interface within the same commit, the routing protocol
process (rpd) might dump core. [PR/291407: This issue has been resolved.]
Resolved Issues for JUNOS Release 9.5R1
This section lists issues that were fixed in JUNOS Release 9.5R1. The identifier
following the description is the tracking number in our bug database.
Software Installation and Upgrade
■
The ARP aging time configuration in the system configuration stanza in JUNOS
Release 9.4R1 is incompatible with the ARP aging configuration in JUNOS Release
9.3R1 or earlier and JUNOS Release 9.4R2 or later. If you have configured system
arp aging-timer aging-time on an M-series, MX-series, or T-series routing platform
running JUNOS Release 9.4R1 and upgrade to JUNOS Release 9.4R2 or downgrade
to JUNOS Release 9.3R1, the router will display configuration errors on booting
up after the upgrade or downgrade. As a workaround, delete the arp aging-timer
aging-time configuration in the system configuration stanza before you upgrade
or downgrade from JUNOS Release 9.4R1, and reapply the configuration after
you complete the upgrade or downgrade. [PR/425221: This issue has been
resolved.]
■
You might encounter output drops with the 10-Gigabit Ethernet PICs. The output
drops occur because the software incorrectly calculates the number of queues
for polling statistics in a 10-Gigabit Ethernet PIC, even though it is different from
other PICs. [PR/277693: This issue has been resolved.]
■
The MX Tri-rate DPC does not support MAC accounting and returns the following
message: "error: MAC accounting and policing not supported." [PR/387919: This
issue has been resolved.]
Platform and Infrastructure
■
When you have configured the vrf-table-label statement at the [edit
routing-instances routing-instance-name] hierarchy level for a VRF routing instance,
IPv4 and IPv6 MTU error notification is not handled properly. On M320 routers
with an incoming FPC as SFPC and an outgoing FPC as FFPC, large IPv6 packets
are not being detected and discarded properly. [PR/397334: This issue has been
resolved.]
■
When the Routing Engine requests numerous statistics that surpass a set
boundary, "PFEMAN: Couldn't write..." messages might be logged and DPC core
dumps might occur. [PR/398233: This issue has been resolved.]
■
When you configure per-packet load balancing, outgoing traffic is dropped on
T640 routers. The problem is exacerbated if you have configured two PFE
instances. [PR/402031: This issue has been resolved.]
■
Aggregate bundle child interface statistics do not account for the packets sent
to a demux interface using an AE bundle as the underlying interface. [PR/403570:
This issue has been resolved.]
■
When ifd channel mode is of type HYBRID, LSI statistics are counted every time
ifl_stats are collected for each logical interface. This causes the LSI input counters
to be incremented by a multiple of the logical interfaces. [PR/404857: This issue
has been resolved.]
■
With the E-CFEB on the M10i router, the backup Routing Engine will go to the
database prompt when GRES and NSR are enabled with a Layer 2 circuit
configuration. [PR/409075]
■
The show pfe statistics command is not displaying the I-CHIP Ipktwr packet drop
counts. [PR/416477: This issue has been resolved.]
■
Under rare circumstances, it is possible for the kernel to panic on the TX Matrix
LCC or on the SRX platform following a Routing Engine switchover or RDP
connection timeout between the LCC and SCC. [PR/416973: This issue has been
resolved.]
■
For multicast traffic, if the OIF is on an aggregated interface and its member link
is on a different PFE (for example, 7/1/0 and 6/1/0), multicast traffic might be
lost after the FPC, which has IIF for the multicast, is rebooted. [PR/418583: This
issue has been resolved.]
■
Initial ARP packets are discarded by the default ARP policer because when a
T1600’s FPC restarts, the current credit is initialized to
JT_POL_SR_CURRENT_CREDIT_MAX, which is 0xFFFFF. This has a high negative
value in SR, so packets are dropped until it goes down. As a workaround, you
can initialize the current credit to max_credit_limit (which is equal to (credit_limit
/ Rate) * time_credit), approximately equal to TC. [PR/419909: This issue has
been resolved.]
■
The SNMP remote operations process (rmopd) might fail after configuring a BGP
neighbor with a local address. [PR/420504: This issue has been resolved.]
■
In JUNOS Release 9.3R1 or higher, on Juniper Networks routers with Type 4
FPCs or T1600 routers, multicast traffic is not counted within the interface
statistics counters once class-of-service rewrite rules have been applied to the
interface. [PR/420681: This issue has been resolved.]
■
On the MX-series router, when you configure MPLS and a tunnel configuration
on the same Gigabit Ethernet DPC, the tunnel interface shows traffic as the sum
of the traffic of the other Gigabit Ethernet interfaces on the DPC. This is a cosmetic
issue and does not affect functionality. [PR/422274: This issue has been resolved.]
Interfaces and Chassis
■
In OC768-over-OC192 mode on the 4-port OC192c PIC, when you change the
clocking internal statement to clocking external at the [edit interfaces interface-name]
hierarchy level, the clock may not come up. [PR/395847: This issue has been
resolved.]
■
The AE bundle statistics (issue the monitor interface traffic command) on T640
routers display a high value when the FPC is taken offline. There is no issue with
the TX Matrix. [PR/399451: This issue has been resolved.]
■
Aggregate bundle child interface statistics do not account for the packets sent
to a demux interface using an AE bundle as the underlying interface. [PR/403570:
This issue has been resolved.]
■
With the E-CFEB on M7i and M10i routers, total traffic loss might occur after a
CFEB switchover. [PR/407608: This issue has been resolved.]
■
With the IQ2 interface, the queue scheduler will not work as expected for shaped
L2TP sessions. Only the rate limit will work on a per queue basis. This problem
does not occur for Enhanced IQ2 interfaces. [PR/409590: This issue has been
resolved.]
■
When a 10-Gigabit Ethernet interface of a DPC is connected to a faulty optical
card which is causing the link state to change at a very high rate, the DPC might
fail. [PR/411072: This issue has been resolved.]
■
The valid range for timeslot under e1-options in channelized E1 (CE1) interfaces
of Enhanced Intelligent Queuing (IQE) PICs is 2 through 32. This option is used
to create fractional E1 interfaces. [PR/416800: This issue has been resolved.]
■
When a Layer 2 policer is applied to the egress interface of a router, the dropped
frame statistics might show incorrect information. [PR/419181: This issue has
been resolved.]
■
On an IQ2 PIC, the slow aging interval might be overwritten with a value of 202
seconds. This causes the MAC entry to be removed between 6 and 7 minutes.
[PR/419510: This issue has been resolved.]
Services Applications
■
With the E-CFEB on M7i and M10i routers, if you configure a firewall filter with
an action of sampling and then apply the filter to the interface, all packets
received on the PIC are corrupt and consequently dropped. [PR/408802: This
issue has been resolved.]
■
On M7i or M10i routers with the enhanced CFEB, if you issue the deactivate
forwarding-options sampling command, sampling stops for both IPv4 and IPv6
traffic. If you then issue the activate forwarding-options sampling command,
sampling resumes for only IPv4 traffic. [PR/415140: This issue has been resolved.]
■
If you are setting the option refresh rate using the flow monitoring feature
supported in version 9 and you set the lowest rate to IPv6 and the highest rate
to IPv4, the device will treat IPv6 as having the lowest rate. [PR/416788: This
issue has been resolved.]
Layer 2 Ethernet Services
■
When you configure GRES on the MX-series router, the SIB might not initialize
if you reboot both Routing Engines simultaneously, or reboot the router with
only one Routing Engine installed. [PR/408359: This issue has been resolved.]
■
Integrated routing and bridging (IRB) configured over VPLS or multicast might
not be reachable. As a workaround, clear the ARP table with the clear arp
command. [PR/418438: This issue has been resolved.]
Subscriber Access Management
■
When a RADIUS initiated disconnect is attempted on a client session that does
not have time-based accounting enabled, the generic authentication service
process (authd) currently logs out the session and cleans up, but does not send
an Ack message back to the requesting server. This may lead the RID server to
retry even though the subscriber has already been successfully logged out. This
problem occurs when volume-based accounting is configured or when no
accounting is configured for the subscriber. It does not occur when time-based
accounting is configured for that subscriber. [PR/417765: This issue has been
resolved.]
General Routing
■
On a TX Matrix with JUNOS Release 9.1 and later, configuring the generate
statement at the [edit routing-options] hierarchy level with a reference to a policy
results in the commit not completing successfully. [PR/416380: This issue has
been resolved.]
Routing Protocols
■
On a router with dual Routing Engines and NSR configured, the backup RPD
may go down in rare instances while processing an indirect next-hop delete.
[PR/302731: This issue has been resolved.]
■
When you transition an MVPN configuration from sparse mode to dense mode,
you might need to restart routing to ensure that dense mode (DM) is flooding
properly over the core router's default multicast distribution tree (MDT).
[PR/398110: This issue has been resolved.]
■
If GRES is not enabled, on a Routing Engine switchover the routing protocol
process (rpd) on the new backup Routing Engine quits before cleaning up the
forwarding table. [PR/402372: This issue has been resolved.]
■
With JUNOS Release 9.3R1 or higher with a Type 4 FPC or T1600, multicast
traffic is not counted in the interface statistics after the class-of-service (CoS)
rewrite rules have been applied to the interface. [PR/420681: This issue has been
resolved.]
VPNs
■
If MAC addresses are learned within a VPLS instance, CE devices will
communicate directly even though the no-local-switching statement is configured.
[PR/419976: This issue has been resolved.]
■
Multicast group addresses ending with .232 are classified as SSM groups when
using multicast VPNs. These routes are not installed in the multicast VPN routing
table and all traffic destined to these destinations is dropped. As a workaround,
include the asm-override-ssm statement at the [edit routing-instances routing-options
multicast] hierarchy level. [PR/426811: This issue has been resolved.]
Forwarding and Sampling
■
The policer value does not change dynamically on changing the shaping rate.
The policer keeps the initial value. As a workaround, deactivate and activate the
filter. [PR/286663: This issue has been resolved.]
Related Topics
■
New Features in JUNOS Software Release 9.5 for M-series, MX-series, and T-series
Routing Platforms
■
Changes in Default Behavior and Syntax in JUNOS Software Release 9.5 for
M-series, MX-series, and T-series Routing Platforms
■
Errata and Changes in Documentation for JUNOS Software Release 9.5 for
M-series, MX-series, and T-series Routing Platforms
■
Upgrade and Downgrade Instructions for JUNOS Software Release 9.5 for M-series,
MX-series, and T-series Routing Platforms
Errata and Changes in Documentation for JUNOS Software Release 9.5 for M-series,
MX-series, and T-series Routing Platforms
Changes to the JUNOS Documentation Set
The following changes have been introduced to the JUNOS documentation set:
■
Technical documentation will no longer be available in iSilo/Palm OS and
Windows eBook formats. Documentation will still be available in HTML, TAR/ZIP,
and PDF formats.
■
There is a new book, the SDK Applications Configuration Guide and Command
Reference.
■
For JUNOS Release 9.5 only, documentation on the DVD-ROM will be available
in PDF form only.
■
JUNOS Release 9.5 supports a new index page that consolidates subscriber
management information
(http://www.juniper.net/techpubs/en_US/junos9.5/information-products/pathway-pages/subscriber-access/index.html).
This index page
provides top-level access to the Broadband Subscriber Management Solutions
Guide and topic categories that describe how to configure clients and services
in a subscriber access network. The index page contains pathway page links
categorized as follows:
■ Access Technologies
    ■ DHCP (Local and Relay)
    ■ Mobile IP Home Agent
    ■ Point-to-Point Protocol (PPP)
■ AAA Technologies
    ■ Authentication, authorization, and accounting (AAA)
    ■ Address Assignment Pools
■ Protocols
    ■ Access Node Control Protocol (ANCP)
    ■ Internet Group Management Protocol (IGMP)
■ Subscriber Management and Services
    ■ Dynamic Profiles
    ■ Class of Service (CoS)
    ■ Subscriber Secure Policy
Errata
This section lists outstanding issues with the documentation.
Class of Service
In JUNOS Release 8.0 and later, contrary to what is implied in the text, memory
allocation dynamic (MAD) support is dependent on the FPC and PFE, not the PIC.
All M320 router, MX-series router, and T-series router FPCs and PFEs support MAD,
except for the T-series router ES-FPC and Enhanced IV FPC. No IQ, IQ2, IQ2E, or
IQE PICs support MAD. [Class of Service]
The Class of Service Configuration Guide for JUNOS Release 9.3 and 9.4 states that “If
you configure more forwarding classes than the supported platform maximum, an
error message is displayed.” This is not correct. You cannot configure more forwarding
classes than supported in these releases. [Class of Service]
Configuration and Diagnostic Automation
■
In the Introduction to Writing Event Scripts chapter of the JUNOS 9.5 Configuration
and Diagnostic Automation Guide, the section "Using RPCs and Operational Mode
Commands" erroneously states that RPCs can be invoked from event scripts.
This feature is not supported in JUNOS Release 9.5.
■
In the Introduction to Writing Operation Scripts chapter and Introduction to Writing
Event Scripts chapter of the JUNOS 9.5 Configuration and Diagnostic Automation
Guide, the section "Importing the junos.xsl File" includes the jcs:getsecret()
extension function. This function is accessible only after JUNOS Release 9.5R1;
it is not accessible in JUNOS Release 9.5R1 or earlier JUNOS releases.
[Configuration and Diagnostic Automation]
Network Interfaces
■
In the Network Interfaces Configuration Guide, Chapter 44, Configuring IEEE 802.1ag
OAM Connectivity-Fault Management, the section "Configuring a CFM Interface Down
Action Profile Action" states the following:
“Note: The action profile is supported only on the physical interface level, and
not on the logical interface.”
This is incorrect, and was revised in the JUNOS Software 9.6R1 release of the
same document. The note was replaced with the following text:
“The action profile is supported on the physical interface level and the logical
interface.”
[Network Interfaces]
■
In the Configuring Protocol Family and Interface Address Properties chapter of the Network
Interfaces Configuration Guide, the sections “Configuring an Unnumbered Interface”
and “Restrictions for Configuring Unnumbered Ethernet Interfaces” erroneously
state that you cannot configure unnumbered Ethernet interfaces on the TX
Matrix platform. This restriction was removed starting in JUNOS 9.5 and
unnumbered Ethernet interfaces are now supported on the TX Matrix platform.
[Network Interfaces]
■
The "Configuring an Unnumbered Interface" section in the JUNOS 9.5 Network
Interfaces Configuration Guide in Chapter 5: Configuring Protocol Family and
Interface Address Properties, erroneously included the following restriction on
configuring unnumbered Ethernet interfaces:
■
The configuration of unnumbered Ethernet interfaces is not supported when
graceful Routing Engine switchover (GRES) is enabled on the router.
Beginning with JUNOS Release 9.4, the configuration of unnumbered Ethernet
interfaces is supported when GRES is enabled on the router.
■
In the Network Interfaces Configuration Guide, Chapter 5: Configuring Protocol Family
and Interface Address Properties, the section "Enabling Source Class and
Destination Class Usage" contains the following incorrect statement that can be
ignored: "On T-series, M120, and M320 platforms, the destination-class and
source-class statements are not supported at the [edit firewall family family-name
filter filter-name term term-name from] hierarchy level. On other M-series platforms,
these statements are supported."
Routing Policy and Firewall Filters
■
The output of the show pim statistics command has been enhanced to show the
number of join and prune messages that have been dropped. The information
is displayed in the following format: “Rx Join/Prune messages dropped 0” [Routing
Protocols and Policies Command Reference]
■
In a routing policy, only standard and extended match conditions are evaluated
according to a logical AND operation. Matches in prefix lists and route filters
are handled differently. They are evaluated according to a logical OR operation.
If you configure a policy that includes some combination of route filters, prefix
lists, and source address filters, they are evaluated according to a logical OR
operation or a longest-route match lookup. [Policy]
■
Active flow monitoring using version 9 supports sampling of both IPv4 and MPLS
traffic simultaneously. You configure traffic sampling for IPv4 and MPLS traffic
using the family (inet | mpls) statement at the [edit forwarding-options sampling
input] hierarchy level. For additional information about configuring active flow
monitoring, see the JUNOS Services Interfaces Configuration Guide and the JUNOS
Feature Guide. [Policy]
■
The Routing Protocols Configuration Guide and the VPNs Configuration Guide both
erroneously state that it is not possible to configure route reflectors and cluster
IDs for the same routing instance. This type of configuration is now possible.
[Protocols, VPNs]
Subscriber Access
■
The "DHCP State Persistence" and "Graceful Routing Engine Switchover" sections
in the JUNOS 9.5 Subscriber Access Configuration Guide and the JUNOS 9.5 Policy
Framework Configuration Guide contain erroneous information. The correct
description, which applies to both the extended DHCP relay agent and the
extended DHCP local server, is as follows:
The extended DHCP local server and the DHCP relay agent applications both
maintain the state of active DHCP client leases in the session database. The
extended DHCP application can recover this state if the DHCP process fails or
is manually restarted, thus preventing the loss of active DHCP clients in either
of these circumstances. However, the state of active DHCP client leases is lost
if a power failure occurs or if the kernel stops operating (for example, when the
router is reloaded) on a single Routing Engine.
The extended DHCP local server and the DHCP relay agent support graceful
Routing Engine switchover on all routing platforms that contain dual Routing
Engines. To support graceful Routing Engine switchover, the extended DHCP
application automatically mirrors (replicates) information about the state of
bound DHCP clients from the master Routing Engine to the backup Routing
Engine.
To enable graceful Routing Engine switchover support for the extended DHCP
local server or DHCP relay agent, include the graceful-switchover statement at
the [edit chassis redundancy] hierarchy level. You cannot disable graceful Routing
Engine switchover support for the extended DHCP application when the router
is configured to support graceful Routing Engine switchover.
For more information about using graceful Routing Engine switchover, see the
JUNOS High Availability Configuration Guide.
Subscriber Management
The Subscriber Access Configuration Guide contains the following dynamic variable
errors:
■
The Configuring a Dynamic Profile for Client Access topic erroneously uses the
$junos-underlying-interface variable when configuring an IGMP interface in the
client access dynamic profile. The following example provides the appropriate
use of the $junos-interface-name variable:
[edit dynamic-profiles access-profile]
user@host# set protocols igmp interface $junos-interface-name
■
Table 25 in the Dynamic Variables Overview topic neglects to define the
$junos-igmp-version predefined dynamic variable. This variable is defined as
follows:
$junos-igmp-version—IGMP version configured in a client access profile. The
JUNOS software obtains this information from the RADIUS server when a
subscriber accesses the router. The version is applied to the accessing subscriber
when the profile is instantiated. You specify this variable at the [dynamic-profiles
profile-name protocols igmp] hierarchy level for the interface statement.
In addition, the Subscriber Access Configuration Guide erroneously specifies the
use of a colon (:) when configuring the dynamic profile to define the IGMP version
for client interfaces. The following example provides the appropriate syntax for
setting the IGMP interface to obtain the IGMP version from RADIUS:
[edit dynamic-profiles access-profile protocols igmp interface $junos-interface-name]
user@host# set version $junos-igmp-version
■
You can configure dynamic 802.1Q VLANs on Gigabit Ethernet (GE) and 10-Gigabit
Ethernet (XE) interfaces only. Configuration on Aggregated Ethernet (AE)
interfaces is currently not supported. For additional information about configuring
dynamic VLANs, see the JUNOS Subscriber Access Configuration Guide.
VPNs
■
You can specify both Layer 3 and Layer 4 fields to be included while
load-balancing Layer 2 traffic. This can be accomplished by including the layer-3
or the layer-4 statement at the [edit forwarding-options hash-key family multiservice
payload ip] hierarchy level. The 9.5 JUNOS VPNs Configuration Guide does not
include this information. For more information, see the JUNOS MX Series Ethernet
Services Routers Layer 2 Configuration Guide.
User Interface and Configuration
■
The show system statistics bridge command displays system statistics on
MX-series routers. [System Basics Command Reference]
Related Topics
■
New Features in JUNOS Software Release 9.5 for M-series, MX-series, and T-series
Routing Platforms
■
Changes in Default Behavior and Syntax in JUNOS Software Release 9.5 for
M-series, MX-series, and T-series Routing Platforms
■
Issues in JUNOS Software Release 9.5 for M-series, MX-series, and T-series Routing
Platforms
■
Upgrade and Downgrade Instructions for JUNOS Software Release 9.5 for M-series,
MX-series, and T-series Routing Platforms
Upgrade and Downgrade Instructions for JUNOS Software Release 9.5 for M-series,
MX-series, and T-series Routing Platforms
This section discusses the following topics:
■
Basic Procedure for Upgrading to Release 9.5
■
Upgrading a Router with Redundant Routing Engines
■
Upgrading to Release 9.5 in a Routing Matrix
■
Upgrading Using ISSU
■
Upgrading from JUNOS Release 9.2 or Earlier on a Router Enabled for Both PIM
and NSR
■
Downgrade from Release 9.5
Basic Procedure for Upgrading to Release 9.5
When upgrading or downgrading the JUNOS software, always use the jinstall package.
Use other packages (such as the jbundle package) only when so instructed by a Juniper
Networks support representative. For information about the contents of the jinstall
package and details of the installation process, see the JUNOS Software Installation
and Upgrade Guide.
NOTE: You cannot upgrade by more than three releases at a time. For example, if
your routing platform is running JUNOS Release 9.1, you can upgrade to JUNOS
Release 9.4 but not to JUNOS Release 9.5. As a workaround, first upgrade to JUNOS
Release 9.2 and then upgrade to JUNOS Release 9.5.
NOTE: With JUNOS Release 9.0 and later, the compact flash disk memory requirement
for JUNOS software is 1 GB. For M7i and M10i routing platforms with only 256 MB
memory, see the Customer Support Center JTAC Technical Bulletin PSN-2007-10-001
at
https://www.juniper.net/alerts/viewalert.jsp?txtAlertNumber=PSN-2007-10-001&actionBtn=Search.
NOTE: Before upgrading, back up the file system and the currently active JUNOS
configuration so that you can recover to a known, stable environment in case the
upgrade is unsuccessful. Issue the following command:
user@host> request system snapshot
The installation process rebuilds the file system and completely reinstalls the JUNOS
software. Configuration information from the previous software installation is retained,
but the contents of log files might be erased. Stored files on the routing platform,
such as configuration templates and shell scripts (the only exceptions are the
juniper.conf and ssh files), may be removed. To preserve the stored files, copy them
to another system before upgrading or downgrading the routing platform. For more
information, see the JUNOS System Basics Configuration Guide.
The download and installation process for JUNOS Release 9.5 is the same as for
previous JUNOS releases.
If you are not familiar with the download and installation process, follow these steps:
1. Using a Web browser, follow the links to the download URL on the Juniper
Networks Web page. Choose either Canada and U.S. Version or Worldwide
Version:
■ https://www.juniper.net/support/csc/swdist-domestic/ (customers in the United
States and Canada)
■ https://www.juniper.net/support/csc/swdist-ww/ (all other customers)
2. Log in to the Juniper Networks authentication system using the username
(generally your e-mail address) and password supplied by Juniper Networks
representatives.
3. Download the software to a local host.
4. Copy the software to the routing platform or to your internal software distribution
site.
5. Install the new jinstall package on the routing platform.
NOTE: We recommend that you upgrade all software packages out-of-band using
the console because in-band connections are lost during the upgrade process.
Customers in the United States and Canada use the following command:
user@host> request system software add validate reboot source/jinstall-9.5B1.3-domestic-signed.tgz
All other customers use the following command:
user@host> request system software add validate reboot source/jinstall-9.5B1.3-export-signed.tgz
Replace source with one of the following values:
■ /pathname—For a software package that is installed from a local directory
on the router.
■ For software packages that are downloaded and installed from a remote
location:
  ■ ftp://hostname/pathname
  ■ http://hostname/pathname
  ■ scp://hostname/pathname (available only for Canada and U.S. version)
The validate option validates the software package against the current
configuration as a prerequisite to adding the software package to ensure that
the router reboots successfully. This is the default behavior when the software
package being added is a different release.
Adding the reboot command reboots the router after the upgrade is validated
and installed. When the reboot is complete, the router displays the login prompt.
The loading process can take 5 to 10 minutes.
Rebooting occurs only if the upgrade is successful.
NOTE: After you install a JUNOS 9.5 jinstall package, you cannot issue the request
system software rollback command to return to the previously installed software.
Instead you must issue the request system software add validate command and specify
the jinstall package that corresponds to the previously installed software.
NOTE: Before you upgrade a router that you are using for voice traffic, you should
monitor call traffic on each virtual BGF. Confirm that no emergency calls are active.
When you have determined that no emergency calls are active, you can wait for
non-emergency call traffic to drain as a result of graceful shutdown, or you can force
a shutdown. For detailed information on how to monitor call traffic before upgrading,
see the Multiplay Solutions Guide.
Upgrading a Router with Redundant Routing Engines
If the router has two Routing Engines, perform a JUNOS software installation on each
Routing Engine separately to avoid disrupting network operation as follows:
1. Disable graceful Routing Engine switchover (GRES) on the master Routing Engine
and save the configuration change to both Routing Engines.
2. Install the new JUNOS software release on the backup Routing Engine while
keeping the currently running software version on the master Routing Engine.
3. After making sure that the new software version is running correctly on the
backup Routing Engine, switch over to the backup Routing Engine to activate
the new software.
4. Install the new software on the original master Routing Engine that is now active
as the backup Routing Engine.
For the detailed procedure, see the JUNOS Software Installation and Upgrade Guide.
Upgrading to Release 9.5 in a Routing Matrix
By default, when you upgrade software on the TX Matrix platform, the new image
is loaded onto the TX Matrix platform and distributed to all routing nodes in the
routing matrix. To upgrade software for the entire routing matrix, issue the request
system software add command. Customers in the United States and Canada use the
following command:
user@host> request system software add source/jinstall-9.5B1.5-domestic-signed.tgz
All other customers use the following command:
user@host> request system software add source/jinstall-9.5B1.5-export-signed.tgz
Replace source with one of the following values:
■ /pathname—For a software package that is installed from a local directory on
the TX Matrix platform.
■ For software packages that are downloaded and installed from a remote location:
  ■ ftp://hostname/pathname
  ■ http://hostname/pathname
  ■ scp://hostname/pathname (available only for Canada and U.S. version)
When you complete the software installation and reboot the TX Matrix platform, all
routing nodes also reboot and all hardware and software components in the routing
matrix begin using the new software.
To upgrade the backup Routing Engines, log in to the backup Routing Engine on the
TX Matrix platform before you issue the request system software add command. You
can also update the software on the TX Matrix platform only or on a specific T640
routing node as needed by including the lcc or scc option.
NOTE: We recommend you run the same JUNOS software release on the master and
backup Routing Engines on all components of a routing matrix. If you elect to run
different JUNOS software releases on the Routing Engines, a change in Routing Engine
mastership can cause one or all routing nodes to be logically disconnected from the
TX Matrix platform. It is also a best practice to make sure that all master Routing
Engines are re0 and all backup Routing Engines are re1 (or vice versa).
NOTE: You must use the same Routing Engine model on all routing platforms in a
routing matrix. For example, it is not supported to use model RE-A-2000 on the TX
Matrix platform and model RE-1600 on the routing nodes.
Upgrading Using ISSU
Unified in-service software upgrade (ISSU) enables you to upgrade between two
different JUNOS software releases with no disruption on the control plane and with
minimal disruption of traffic. Unified in-service software upgrade is only supported
by dual Routing Engine platforms. In addition, graceful Routing Engine switchover
(GRES) and nonstop active routing (NSR) must be enabled. For additional information
about using unified in-service software upgrade, see the JUNOS High Availability
Configuration Guide.
NOTE: Upgrading with ISSU from JUNOS 9.4R2 to any other release results in the
loss of control traffic due to the loss of keepalives. This causes interfaces to go down
and will result in the loss of respective adjacencies for all configured protocols. This
problem exists only in JUNOS 9.4R2.
Upgrading from JUNOS Release 9.2 or Earlier on a Router Enabled for Both PIM and NSR
JUNOS Release 9.3 introduced NSR support for PIM for IPv4 traffic. However, the
following PIM features are not currently supported with NSR. The commit operation
fails if the configuration includes both NSR and one or more of these features:
■ Anycast RP
■ Draft-Rosen multicast VPNs (MVPNs)
■ Local RP
■ Next-generation MVPNs with PIM provider tunnels
■ PIM join load balancing
JUNOS 9.3 introduced a new configuration statement that disables NSR for PIM only,
so that you can activate incompatible PIM features and continue to use NSR for the
other protocols on the router: the nonstop-routing disable statement at the [edit
protocols pim] hierarchy level. (Note that this statement disables NSR for all PIM
features, not only incompatible features.)
If neither NSR nor PIM is enabled on the router to be upgraded or if one of the
unsupported PIM features is enabled but NSR is not enabled, no additional steps are
necessary and you can use the standard upgrade procedure described in other sections
of these instructions. If NSR is enabled and no NSR-incompatible PIM features are
enabled, use the standard reboot or ISSU procedures described in the other sections
of these instructions.
Because the nonstop-routing disable statement was not available in JUNOS Release
9.2 and earlier, if both NSR and an incompatible PIM feature are enabled on a router
to be upgraded from JUNOS Release 9.2 or earlier to a later release, you must disable
PIM before the upgrade and reenable it after the router is running the upgraded
JUNOS software and you have entered the nonstop-routing disable statement. If your
router is running JUNOS Software Release 9.3 or later, you can upgrade to a later
release without disabling NSR or PIM. Simply use the standard reboot or ISSU
procedures described in the other sections of these instructions.
To disable and reenable PIM:
1. On the router running JUNOS Release 9.2 or earlier, enter configuration mode
and disable PIM:
[edit]
user@host# deactivate protocols pim
user@host# commit
2. Upgrade to JUNOS Release 9.3 or later software using the instructions appropriate
for the router type. You can either use the standard procedure with reboot or
use ISSU.
3. After the router reboots and is running the upgraded JUNOS software, enter
configuration mode, disable PIM NSR with the nonstop-routing disable statement,
and then reenable PIM:
[edit]
user@host# set protocols pim nonstop-routing disable
user@host# activate protocols pim
user@host# commit
Downgrade from Release 9.5
To downgrade from Release 9.5 to another supported release, follow the procedure
for upgrading, but replace the 9.5 jinstall package with one that corresponds to the
appropriate release.
NOTE: You cannot downgrade more than three releases. For example, if your routing
platform is running JUNOS Release 9.3, you can downgrade the software to
Release 9.0 directly, but not to Release 8.5 or earlier; as a workaround, you can first
downgrade to Release 9.0 and then downgrade to Release 8.5.
For more information, see the JUNOS Software Installation and Upgrade Guide.
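The three-release limit for upgrades and downgrades and the PIM/NSR rule above can be combined into one pre-change plan. The following Python sketch is an added example, not Juniper code: the release list is limited to the releases these notes name, the PIM feature labels are hypothetical, the package name is a placeholder, and wrapping the PIM workaround around the hop that crosses from 9.2 or earlier to 9.3 or later is an interpretation of the procedure.

```python
# Added example: turns the upgrade/downgrade rules in these notes into a step list.
# Assumption: the release train is limited to the releases the notes name.
RELEASES = ["8.5", "9.0", "9.1", "9.2", "9.3", "9.4", "9.5"]
MAX_STEP = 3  # no more than three releases per upgrade or downgrade
# The nonstop-routing disable statement under [edit protocols pim] exists from 9.3 on.
FIRST_WITH_PIM_NSR_DISABLE = RELEASES.index("9.3")

# Hypothetical labels for the PIM features the notes list as unsupported with NSR.
NSR_INCOMPATIBLE_PIM = frozenset({
    "anycast-rp",
    "draft-rosen-mvpn",
    "local-rp",
    "ng-mvpn-pim-provider-tunnel",
    "pim-join-load-balancing",
})


def plan_hops(current, target):
    """Return the releases to install, in order, never moving more than MAX_STEP."""
    i, j = RELEASES.index(current), RELEASES.index(target)  # ValueError if unknown
    if i < j:
        # Upgrade: intermediate stops sit 3, 6, ... releases below the target,
        # which reproduces the notes' 9.1 -> 9.2 -> 9.5 workaround.
        return [RELEASES[k] for k in sorted(range(j, i, -MAX_STEP))]
    if i > j:
        # Downgrade: stops sit 3, 6, ... releases below the running release,
        # which reproduces the notes' 9.3 -> 9.0 -> 8.5 workaround.
        stops = [RELEASES[k] for k in range(i - MAX_STEP, j, -MAX_STEP)]
        return stops + [target]
    return []


def needs_pim_workaround(before, after, nsr_enabled, pim_features):
    """True when a hop leaves 9.2-or-earlier with NSR plus an incompatible PIM feature."""
    crosses = RELEASES.index(before) < FIRST_WITH_PIM_NSR_DISABLE <= RELEASES.index(after)
    return crosses and nsr_enabled and bool(NSR_INCOMPATIBLE_PIM & set(pim_features))


def build_plan(current, target, nsr_enabled=False, pim_features=()):
    """Return the ordered CLI steps for moving from current to target."""
    steps, running = [], current
    for release in plan_hops(current, target):
        workaround = needs_pim_workaround(running, release, nsr_enabled, pim_features)
        steps.append("request system snapshot")  # back up before every hop
        if workaround:
            steps += ["deactivate protocols pim", "commit"]
        # Placeholder package name; use the real jinstall file for that release.
        steps.append("request system software add validate reboot "
                     f"source/<jinstall package for {release}>")
        if workaround:
            steps += ["set protocols pim nonstop-routing disable",
                      "activate protocols pim", "commit"]
        running = release
    return steps


if __name__ == "__main__":
    for step in build_plan("9.1", "9.5", nsr_enabled=True, pim_features={"anycast-rp"}):
        print(step)
```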
Related Topics
■ New Features in JUNOS Software Release 9.5 for M-series, MX-series, and T-series
Routing Platforms on page 6
■ Changes in Default Behavior and Syntax in JUNOS Software Release 9.5 for
M-series, MX-series, and T-series Routing Platforms on page 41
■ Issues in JUNOS Software Release 9.5 for M-series, MX-series, and T-series Routing
Platforms on page 45
■ Errata and Changes in Documentation for JUNOS Software Release 9.5 for
M-series, MX-series, and T-series Routing Platforms on page 75
JUNOS Software Release Notes for SRX-series Services Gateways
■ JUNOS for SRX-Series Services Gateways Product Overview on page 87
■ New Features in JUNOS Software Release 9.5 for SRX-series Services
Gateways on page 98
■ Changes In Default Behavior and Syntax on page 122
■ Known Limitations in JUNOS Software Release 9.5 for SRX-series Services
Gateways on page 124
■ Unsupported CLI Statements and Commands in JUNOS Software Release 9.5 for
SRX-series Services Gateways on page 128
■ Issues in JUNOS Software Release 9.5 for SRX-series Services
Gateways on page 129
■ Errata in Documentation for JUNOS Software Release 9.5 for SRX-series Services
Gateways on page 140
JUNOS for SRX-Series Services Gateways Product Overview
Application Layer Gateways (ALGs)
■ FTP ALG
JUNOS software for SRX-series devices provides File Transfer Protocol (FTP)
support for services and applications that transfer data using FTP, allowing
legitimate FTP traffic to go through the device while blocking out malicious FTP
packets. The FTP ALG monitors PORT, PASV, and 229 commands. It performs
Network Address Translation (NAT) of the IP or port in the message and gate
opening on the device as necessary.
To configure the FTP ALG, use the edit security alg ftp statement at the [edit
security alg] hierarchy level. For more information, see the JUNOS Software
Security Configuration Guide.
■ TFTP ALG
JUNOS software for SRX-series devices provides Trivial File Transfer Protocol
(TFTP) support for services and applications that transfer data using TFTP,
allowing legitimate TFTP traffic to go through the device while blocking out
malicious TFTP packets. The TFTP ALG processes the TFTP packets that initiate
the request and opens a pinhole to allow return packets from the reverse direction
to the port that sends the request.
To configure TFTP ALG, use the edit security alg tftp statement at the [edit security
alg] hierarchy level. For more information, see the JUNOS Software Security
Configuration Guide.
Chassis Clustering
■ Chassis clustering—You can connect a pair of the same kind of supported
SRX-series devices into a cluster to provide stateful failover of JUNOS processes
and services. Interchassis clustering removes the single point of failure in the
network by allowing the devices to be configured in a redundant cluster, with
one device acting as the primary device and the other as a backup. If the primary
device fails, the backup takes over traffic processing. Clustered devices
synchronize configuration, kernel, and Packet Forwarding Engine session states
across the cluster to facilitate high availability of interfaces and services. JUNOS
software includes the following chassis cluster features:
■ Resilient system architecture includes a single control plane for the entire
cluster to manage multiple Packet Forwarding Engines.
■ Configuration and dynamic runtime states are synchronized between the
services gateways within a cluster.
■ Graceful restart of the routing protocols enables the services gateway to
minimize traffic disruption during a failover.
■ Physical interfaces are grouped and monitored to trigger failover to the
backup services gateway if the failure parameters cross a configured
threshold.
For more information, see the JUNOS Software Security Configuration Guide.
NOTE: In this release of JUNOS software for SRX-series devices, synchronization of
IDP-specific runtime data does not occur across the cluster. As a result, IDP processing
is not continued for sessions that fail over. (IDP processing resumes for sessions
created after failover.)
NOTE: When configuring chassis clusters, you are automatically in configure private
mode. As a result, you must commit changes from the top of the hierarchy. For
information about the configure private mode, see the JUNOS CLI User Guide.
Flow and Processing
■ Combo-mode SPU—The central point (CP) in the architecture has two basic flow
functionalities: load balancing and traffic identification. However, the central
point functionalities and normal flow processing are embedded in a single
Services Processing Unit (SPU), and this shared SPU is operating in combination,
or combo mode. In combo mode, the number of threads is divided among the
central point and the flow services, based on the number of SPUs in the system.
NOTE: This feature is applicable only for SRX 3400, SRX 3600, SRX 5600, and SRX
5800 devices.
■ Flow-based stateful processing—In addition to packet processing, JUNOS
software for SRX-series devices performs flow-based stateful processing. When
a packet enters the device, the system applies any packet-based filter processing
associated with the interface to the packet. Next, the system attempts to match
the packet against an existing session based on a session's match criteria (source
and destination addresses, source and destination ports, and protocol and session
tokens derived from the zone and virtual router). If a packet matches an existing
session, the system processes it according to the flow's session features, security
policies, screens, and other features. If the packet does not match an existing
session, the system establishes a new session for the packet based on routing,
policy, and other classification information. Before a packet leaves the device,
the system applies filters and traffic shaping to it.
■ Distributed multithread flow—The SRX-series services gateway is multicore,
multichassis hardware with distributed computing engines. The Network
Processing Units (NPUs) and multicore Services Processing Units (SPUs) on the
Services Processing Cards (SPCs) comprise the data plane.
Packets for any given flow could traverse two NPUs and possibly more than one
SPU (in the case of tunnels). Therefore, a distributed flow module is needed that
can span multiple computing engines.
NOTE: This feature is applicable only for SRX 3400, SRX 3600, SRX 5600, and SRX
5800 devices.
To configure flow options, use the flow statement at the [set security] hierarchy
level. For more information, see the JUNOS Software Security Configuration Guide.
Interfaces and Routing
■ Interfaces—Interfaces act as a doorway through which traffic enters and exits
a device. Several security-related configuration and runtime attributes are kept
in an interface object. Different modules in the data path use these attributes.
Many interfaces can share exactly the same security requirements; however,
different interfaces can also have different security requirements for inbound
and outbound (I/O) data packets.
Security processing and inbound and outbound (I/O) data packets analysis are
separated in JUNOS software and SRX-series devices. As a result, the line-card
interface on the Input/Output Card (IOC) and the security processors on the
Services Processing Card (SPC) are separated by a fabric. The security data plane
is simultaneously performing multiprocessing (32-way MT per XLR SPU) and
distributed processing (SRX 5600 and SRX 5800 devices distribute the processing
over a maximum of 2 SPUs per SPC). For more information, see the JUNOS
Software Interfaces and Routing Configuration Guide for Security Devices.
■ Routing—SRX-series devices support using the Border Gateway Protocol (BGP),
the Open Shortest Path First (OSPF) Protocol, and the Routing Information
Protocol (RIP) to deliver routing information across networks. To configure the
services gateway to use these protocols, use the bgp, ospf, or rip statements
(respectively) at the [protocols] hierarchy level. You can also configure the services
gateway to use static routes. For more information, see the JUNOS Software
Interfaces and Routing Configuration Guide for Security Devices.
SRX-series devices also support the following additional routing functionality:
■ DHCP—JUNOS software for SRX-series supports Dynamic Host Configuration
Protocol (DHCP) client, relay, and server functions, enabling the services
gateway to provide IP addresses and settings to hosts that are connected to
the device’s interfaces. When you configure the SRX-series device as a DHCP
server, hosts can connect to the device's interface via subnet or through
DHCP relay. To configure DHCP, use the dhcp statement at the [system
services] hierarchy level.
■ NTP—JUNOS software for SRX-series incorporates Network Time Protocol
(NTP) support, enabling the services gateway to synchronize time and
coordinate time distribution in a large, diverse network. To configure NTP,
use the ntp statement at the [system] hierarchy level.
For more information, see the JUNOS Software Administration Guide for Security
Devices.
NOTE: This release of JUNOS software for the SRX-series devices does not support
packet-based protocols such as MPLS, Connectionless Network Service (CLNS), and
IP version 6 (IPv6).
■ IPv4—JUNOS software for SRX-series devices supports processing IPv4 (IP version
4) traffic through an interface. The IPv4 protocol family supports 32-bit addresses
and subnets. To enable the IPv4 protocol for an interface, specify inet for the
interface family. For example, use edit interfaces ge-0/0/3 unit 0 family inet
address 10.10.10.10/24.
■ Class of service (CoS)—The JUNOS software for SRX-series devices class of
service (CoS) feature provides a set of mechanisms that you can use to provide
differentiated services when best-effort traffic delivery is insufficient. When a
network experiences congestion and delay, some packets must be dropped. CoS
allows you to classify and then divide traffic into classes and offer various levels
of throughput and packet loss when congestion occurs. This allows packet loss
to happen according to rules that you configure. Note that CoS policing is not
available in this release.
You can use an SRX-series device to control traffic rate by applying classifiers
and shapers. To configure CoS components, use the component you want to
configure at the [edit class-of-service] hierarchy level of the configuration. For
more information, see the JUNOS Software Interfaces and Routing Configuration
Guide for Security Devices.
■ Network interfaces—SRX 3400 and SRX 3600 devices support a Switch Fabric
Board (SFB) and Common Form-factor Module (CFM) slots.
The following table lists CFM slots on SRX 3400 and SRX 3600 devices:
Table 2: CFM Slots on SRX 3400 and SRX 3600 Devices

CFM Type                          SRX 3400 Devices     SRX 3600 Devices
I/O Cards (IOC)                   Slots—1 through 4    Slots—1 through 6
Services Processing Cards (SPC)   Slots—any            Slots—any
Network Processing Cards (NPC)    Slots—5 through 7    Slots—10 through 12

The unique name of each network interface identifies its type and location and
indicates whether it is a physical interface or an optional logical unit created on
a physical interface. The name of each network interface has the following format
to identify the physical device that corresponds to a single physical network
connector:
type-slot/pic/port
For the SRX 3400 and 3600 devices:
■ The Switch Fabric Board (SFB) is always slot 0.
■ The PIC number is always 0. Only one PIC can be installed in a slot.
■ The designated port numbers are described in the following format:
  ■ For the SFB built-in copper Gigabit Ethernet ports, this number begins
    at 0 and increases from top to bottom, left to right, to a maximum of
    7. For the SFB built-in fiber Gigabit Ethernet ports, this number begins
    at 8 and increases from left to right to a maximum of 11.
  ■ For 16-port Gigabit Ethernet IOCs, this number begins at 0 and increases
    to a maximum of 15.
  ■ For 2-port 10-Gigabit Ethernet IOCs, this number is 0 or 1.
NOTE: This feature is applicable only for SRX 3400 and SRX 3600 devices.
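The naming rules above and the IOC rows of Table 2 are enough to check an interface name before it goes into a configuration. The following Python validator is an added example, not part of the release notes or of JUNOS; it assumes the ge prefix for Gigabit Ethernet (as in ge-0/0/3 above) and the xe prefix for 10-Gigabit Ethernet, and it accepts an optional .unit suffix for a logical unit.

```python
import re

# Table 2 of these notes: slots that can hold an I/O Card (IOC).
IOC_SLOTS = {"SRX3400": range(1, 5), "SRX3600": range(1, 7)}
# Assumption: ge = Gigabit Ethernet (as in the notes' ge-0/0/3 example) and
# xe = 10-Gigabit Ethernet; the notes give port counts but not the prefixes.
IOC_MAX_PORT = {"ge": 15, "xe": 1}  # 16-port GE IOC, 2-port 10GE IOC

# type-slot/pic/port with an optional logical unit, for example ge-0/0/3.0
_IFNAME = re.compile(
    r"(?P<type>[a-z]+)-(?P<slot>\d+)/(?P<pic>\d+)/(?P<port>\d+)(?:\.(?P<unit>\d+))?"
)


def parse_ifname(name, model):
    """Validate name against the SRX 3400/3600 rules and return its parts."""
    if model not in IOC_SLOTS:
        raise ValueError(f"unsupported model {model!r}")
    m = _IFNAME.fullmatch(name)
    if m is None:
        raise ValueError(f"{name!r} does not follow type-slot/pic/port")
    media = m["type"]
    slot, pic, port = int(m["slot"]), int(m["pic"]), int(m["port"])
    if pic != 0:
        raise ValueError("the PIC number is always 0 on these devices")
    if slot == 0:
        # Slot 0 is always the Switch Fabric Board with built-in GE ports.
        if media != "ge":
            raise ValueError("SFB built-in ports are Gigabit Ethernet")
        if port <= 7:
            location = "SFB built-in copper port"
        elif port <= 11:
            location = "SFB built-in fiber port"
        else:
            raise ValueError("SFB ports are numbered 0 through 11")
    elif slot in IOC_SLOTS[model]:
        if media not in IOC_MAX_PORT:
            raise ValueError(f"unknown IOC media type {media!r}")
        if port > IOC_MAX_PORT[media]:
            raise ValueError(f"{media} IOC ports end at {IOC_MAX_PORT[media]}")
        location = "IOC port"
    else:
        raise ValueError(f"slot {slot} cannot hold an IOC on {model}")
    unit = int(m["unit"]) if m["unit"] is not None else None
    return {"type": media, "slot": slot, "pic": pic, "port": port,
            "unit": unit, "location": location}


def is_valid(name, model):
    """Boolean wrapper around parse_ifname."""
    try:
        parse_ifname(name, model)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample names.
    for sample in ("ge-0/0/3", "ge-0/0/9.0", "xe-5/0/1", "ge-2/1/0"):
        print(sample, is_valid(sample, "SRX3400"), is_valid(sample, "SRX3600"))
```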
Security
■ Security zones—Security zones are the building blocks for policies; they are
logical entities to which one or more interfaces are bound. Security zones provide
a means of distinguishing groups of hosts (user systems and other hosts, such
as servers) and their resources from one another in order to apply different
security measures to them. From the perspective of security policies, traffic
enters into one security zone (to-zone) and goes out on another (from-zone). To
configure security zones, use the zones statement at the [security zones] hierarchy
level. For more information, see the JUNOS Software Security Configuration Guide.
■ Security policies—Security policies can be configured to control traffic flow from
one zone to another by defining a certain action on the kinds of traffic that are
allowed from specified sources to specified destinations at scheduled times.
When packets match a policy, the policy instructs the flow to apply different
rules for features. To configure a policy, use the policy statement at the [set
security policies] hierarchy level.
■ Firewall screens—JUNOS software for SRX-series provides various detection
methods and defense mechanisms to combat the following security breaches at
all stages of their execution:
■ SYN, UDP, and ICMP flood attacks
■ Network DoS attacks
■ Operating system-specific DoS attacks
To configure screen options, use the screen statement at the [set security screen]
hierarchy level.
■ Firewall user authentication—Firewall user authentication enables you to restrict
and permit access to protected resources behind a firewall based on a user’s
source IP address and other credentials. You may use pass-through authentication
or Web authentication to control access to the protected resources. With
pass-through authentication, a user from one zone tries to access resources from
another zone over an FTP, Telnet, or HTTP connection. With Web authentication,
a user tries to connect to an IP address on the device over an HTTP connection.
With both methods, the device forwards the user’s credentials to the server of
your choice (local, RADIUS, LDAP, or RSA SecurID) to authenticate the user and
control subsequent access requests.
To configure pass-through authentication, use the following statements:
set security policies from-zone zone-name to-zone zone-name policy policy-name then permit firewall-authentication pass-through
To configure Web authentication, use the following statements:
set security policies from-zone zone-name to-zone zone-name policy policy-name then permit firewall-authentication web-authentication
For more information, see the JUNOS Software Security Configuration Guide.
■ IPsec VPN—A virtual private network (VPN) provides a means for securely
communicating among remote computers across a public wide area network
(WAN) such as the Internet. Using the JUNOS Software VPN feature, you can
secure traffic from your local area network (LAN) to remote users (end-to-site
VPN) or between two separate LANs (site-to-site VPN). JUNOS Software uses IP
security (IPsec) to secure the VPN traffic at the IP layer, authenticating and
encrypting traffic by using phased tunnel negotiations. For more information,
see the JUNOS Software Security Configuration Guide.
■ Network Address Translation—Network Address Translation (NAT) is a method
by which IP addresses in a packet are mapped from one group to another and,
optionally, port numbers in the packet are translated into different port numbers.
NAT is described in RFC 1631 to solve IP (version 4) address depletion problems.
On SRX-series devices, JUNOS software decouples NAT configuration from
policy configuration. NAT has its own rules to regulate traffic on the SRX-series
devices.
To configure NAT, use the nat statement at the [set security] hierarchy level. For
more information, see the JUNOS Software Security Configuration Guide.
■ Static NAT—Static Network Address Translation (NAT) defines a one-to-one static
mapping from one IP subnet to another IP subnet. To configure static NAT, use
the static statement at the [edit security nat] hierarchy level. For more information,
see the JUNOS Software Security Configuration Guide.
Intrusion Detection and Prevention (IDP)
■ IDP application identification—Juniper Networks provides predefined application
signatures that detect TCP and UDP applications running on nonstandard ports.
Identifying these applications allows IDP to apply appropriate attack objects to
applications running on nonstandard ports. It also improves performance by
narrowing the scope of attack signatures for applications without decoders.
Application signatures are available as part of the security package provided by
Juniper Networks. You download predefined application signatures along with
the security package updates. Application identification is enabled by default
and is automatically turned on when you configure the default application in the
IDP policy. For more information, see the JUNOS Software Security Configuration
Guide.
■ IDP custom attacks and groups—JUNOS CLI support is available for creating
IDP custom attacks and groups. You can use the JUNOS configuration statements
to configure the required fields. For more information, see the JUNOS Software
CLI Reference.
■ IDP DiffServ marking—Configuring Differentiated Services Code Point (DSCP)
values in IDP policies provides a method of associating class-of-service (CoS)
values—thus different levels of reliability—for different types of traffic on the
network. DSCP is an integer value encoded in the 6-bit field defined in IP packet
headers. It is used to enforce CoS distinctions. CoS allows you to override the
default packet-forwarding behavior and assign service levels to specific traffic
flows.
You can configure DSCP value as an action in an IDP policy rule. Based on the
DSCP value, behavior aggregate classifiers set the forwarding class and loss
priority for the traffic, determining the forwarding treatment the traffic receives.
For more information, see the JUNOS Software Security Configuration Guide.
■ IDP J-Web support—You can configure IDP policies and request security package
updates by using Quick Configuration pages in the J-Web user interface. You can
also display IDP status and memory usage in the J-Web monitoring pages. For
more information, see the JUNOS Software Security Configuration Guide and the
JUNOS Software Administration Guide for Security Devices.
■ IDP logging—The basic JUNOS system logging continues to function after IDP
is enabled. An IDP-enabled device supports basic JUNOS system logging and
continues to record events that occur because of routine operations, such as a
user login into the configuration database. It records failure and error conditions,
such as failure to access a configuration file. In addition to the regular system
log messages, IDP generates event logs for attacks. To manage attack log volume
and message size, IDP supports log suppression.
Enabling log suppression ensures that minimal numbers of logs are generated
for the same event or attack that occurs multiple times. To configure log
suppression, use the suppression statement at the [edit security idp
sensor-configuration log] hierarchy level. For more information, see the JUNOS
Software Security Configuration Guide.
■ IDP session-limit threshold-crossing event—The number of IDP sessions per
SPU is typically 128K, except on 4G SPUs in non-combo mode, where it is set
to 256K. These numbers can be found in the IDP documentation. When the
number of IDP sessions exceeds the allowed limit, log messages are generated
indicating that the number of IDP sessions exceeded the limit. When the number
of IDP sessions drops to fewer than 5120 from the allowed high-water mark,
another log message will be sent indicating that IDP sessions have dropped below
the allowed limit.
■ IDP policies—Intrusion Detection and Prevention (IDP) policy enables you to
selectively enforce various attack detection and prevention techniques on network
traffic passing through an IDP-enabled device. It allows you to define policy rules
to match a section of traffic based on a zone, network, and application, and then
take active or passive preventive actions on that traffic.
A policy is made up of rulebases, and each rulebase contains a set of rules. You
define rule parameters, such as traffic match conditions, action, and logging
requirements and then add the rules to rulebases. You can create new IDP policies
from scratch, or start with a predefined template provided by Juniper Networks.
Juniper Networks also provides custom application objects and attack objects
that you can configure as match conditions in policies.
To configure an IDP policy, use the idp-policy statement at the [edit security idp]
hierarchy level. For more information, see the JUNOS Software Security
Configuration Guide.
■
IDP protocol detector engine—The IDP protocol detector engine contains
Application Layer protocol decoders or services. You can download the protocol
detector updates along with the signature database updates.
IDP supports 52 protocol decoders or services. Protocol decoders scan protocol
headers and message body to identify individual fields in the protocols to
determine if data conforms to the RFC. You configure protocol decoders in IDP
policy rules to specify the protocol that an attack uses to access your network.
For more information, see the JUNOS Software Security Configuration Guide.
■
IDP signature database—Signature database is one of the major components
of IDP. It contains definitions of different objects—such as attack objects,
application signatures objects, and service objects—that are used in defining IDP
policy rules. As a response to new vulnerabilities, Juniper Networks periodically
provides a file containing attack database updates on the Juniper Web site.
To protect your network from new threats, you can download signature database
updates manually or configure your device to download them automatically at
a specified interval. For more information, see the JUNOS Software Security
Configuration Guide.
■
IDP SSL Inspection—Secure Sockets Layer (SSL) is a protocol suite that consists
of different versions, ciphers, and key exchange methods. SSLv2, SSLv3, and
TLS protocols are supported. Combined with the Application Identification feature,
the SSL Inspection feature enables SRX-series devices to inspect HTTP traffic
encrypted in SSL on any TCP/UDP port. SSL inspection is disabled by default and
can be enabled by using the configuration CLI. To display all installed keys and
associated servers, use the show security idp ssl-inspection key command. This
feature is supported on SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices.
For more information, see the JUNOS Software Security Configuration Guide.
J-Web
■
J-Web user interface—A graphical user interface enables you to configure,
monitor, troubleshoot, and manage the SRX-series devices through an Internet
browser. The J-Web interface includes Quick Configuration pages to perform
basic configuration of the devices and monitoring tools to view system health,
routes, and statistics. The J-Web interface provides diagnostic tools (such as ping
and traceroute) and file utilities to manage configuration files, licenses, and
temporary files on the device. The J-Web interface also includes a Chassis View,
which provides a graphical, dynamic view of the SRX-series of devices.
■
J-Web Chassis View—The Chassis View allows the dynamic display of line cards,
link states, errors, individual Physical Interface Cards (PICs), Flexible PIC
Concentrators (FPCs), fans, power supplies, and so on. It also helps you view the
current status of the services gateway.
The Chassis View appears on the Dashboard page by default when you log in to
the services gateway.
NOTE: The Chassis View option can be enabled or disabled in the Dashboard
Preference dialog box. To access the Dashboard Preference dialog box, click the icon
on the upper-right corner of the Dashboard page and select Chassis View from the
Dashboard Preference dialog box. You can also enable Chassis View by clearing the
Internet Explorer cookies.
NOTE: To use the Chassis View, a recent version of Adobe Flash that supports
ActionScript and AJAX (version 9) must be installed.
For more details about how to use the J-Web Chassis View, see the JUNOS Software
Administration Guide.
Management and Administration
■
Chassis management—JUNOS software for SRX-series devices provides the
ability to monitor and manage select chassis components. This includes
monitoring chassis clusters, component temperature and cooling systems, chassis
firmware, and chassis location. The CLI also provides commands for bringing
most chassis components online and offline.
To bring chassis components online and offline, use the chassis statement at
the [request] hierarchy level. For more information, see the JUNOS Software
Security Configuration Guide.
NOTE: In SRX-series devices, the offline, online, and restart commands are supported
only on IOCs and are not supported on SPCs.
The chassis control daemon (chassisd) comprises the following major
components:
■
Switch Control Board (SCB)
■
Routing Engine (RE)
■
Network Processing Card (NPC)
■
Services Processing Card (SPC)
■
Input/Output Card (IOC)
■
Power Module (PWM)
■
Front Panel Display (FPD)
■
Fan Tray
■
Map Table fru
To view chassis details, use the show chassis statement.
NOTE: This feature is applicable only for SRX 3400 and SRX 3600 devices.
■
System logging—JUNOS software for SRX-series devices generates separate
system log messages (also called syslog messages) to record events that occur
on the system’s data and control planes.
The data plane logs primarily include a list of security events that the system
has handled directly inside the data plane. Because the system has already
handled these events, it does not send them on to the Routing Engine. Instead,
the system streams the logs directly to external log servers, bypassing the Routing
Engine. To view the data plane logs, use the log statement at the [security]
hierarchy level.
NOTE: In SRX-series, data plane logs and control plane logs have to be configured
separately only for SRX 3400, SRX 3600, SRX 5600, and SRX 5800.
For all other SRX-series devices, the system sends this list of control plane events
and the security events that the system has handled directly inside the data plane
on to the eventd process on the Routing Engine, which then handles the events
by using JUNOS event policies and/or by generating system log messages. You
can choose to send control plane logs to a file, user terminal, routing platform
console, or remote machine.
To generate system log messages for control plane events and for security events
generated within the data plane, use the syslog statement at the [system] hierarchy
level. For more information,
see the JUNOS Software Administration Guide for Security Devices.
■
Packet tracing—The JUNOS software for SRX-series devices trace function
provides a tool for applications to write security and security flow debugging
information to a file. The information that appears in this file is based on
configured criteria. These criteria include source port, destination port, protocol,
interface, and string matching. Use this information to analyze security application
issues. The trace function operates in a distributed manner, with each thread
writing to its own trace buffer. These trace buffers are then collected at one point,
sorted, and written to trace files. Trace messages are delivered using the
InterProcess Communications (IPC) protocol.
To configure trace options, use the traceoptions statement at the [set security]
hierarchy level. For more information, see the JUNOS Software Security
Configuration Guide.
■
Services Processing Unit (SPU) monitoring—JUNOS software for SRX-series
devices provides a new JUNOS software-based security device that uses multiple
processors to process traffic. SPU monitoring allows for:
■
CPU utilization per SPU in percentage
■
Memory utilization per SPU in percentage
These metrics provide information that can be used to prevent unexpected
outages and look for trends for capacity planning. To monitor the Flexible PIC
Concentrator (FPC) card by using the SPU unit’s CPU and memory utilization,
use the show security monitoring fpc statement.
■
Simple Network Management Protocol (SNMP)—JUNOS software for SRX-series
devices supports SNMP, which is part of the Internet protocol suite that is used
to monitor network-attached devices for conditions that warrant administrative
attention. SNMP enables the monitoring of network devices from a central
location.
The SNMP agent exchanges network management information with SNMP
manager software running on a network management system (NMS), or host.
The agent responds to requests for information and actions from the manager.
The agent also controls access to the agent’s Management Information Base
(MIB), the collection of objects that can be viewed or changed by the SNMP
manager. The SNMP manager collects information on network connectivity,
activity, and events by polling managed devices.
A MIB is a hierarchy of information used to define managed objects in a network
device. The MIB structure is based on a tree structure, which defines a grouping
of objects into related sets. Each object in the MIB is associated with an object
identifier (OID), which names the object. The “leaf” in the tree structure is the
actual managed object instance, which represents a resource, event, or activity
that occurs in your network device. MIBs are either standard or enterprise-specific.
Standard MIBs are created by the Internet Engineering Task Force (IETF) and
documented in various RFCs. Depending on the vendor, many standard MIBs
are delivered with the Network Management System (NMS) software. You can
also download the standard MIBs from the IETF Web site, http://www.ietf.org, and
compile them into your NMS, if necessary.
Enterprise-specific MIBs are developed and supported by a specific equipment
manufacturer. If your network contains devices that have enterprise-specific
MIBs, you must obtain them from the manufacturer and compile them into your
network management software. For a list of Juniper Networks enterprise-specific
supported MIBs, see “Juniper Networks Enterprise-Specific MIBs” in the JUNOS
Network Management Configuration Guide.
New Features in JUNOS Software Release 9.5 for SRX-series Services Gateways
■
Software Features
■
Hardware Features—SRX 210 Services Gateways
■
Hardware Features—SRX 240 Services Gateways
■
Hardware Features—SRX650 Services Gateways
■
Hardware Features—SRX 5600 and SRX 5800 Services Gateways
Software Features
Application Layer Gateways (ALGs)
■
DNS ALG
Now supported on SRX 210 devices.
JUNOS software for SRX-series devices provides Domain Name System (DNS)
support. The DNS ALG monitors DNS query and reply packets and closes the
session if the DNS flag indicates the packet is a reply message.
To configure the DNS ALG, use the edit security alg dns statement at the [edit
security alg] hierarchy level. For more information, see the JUNOS Software
Security Configuration Guide.
■
FTP ALG
Now supported on SRX 240 and SRX650 devices. Existing support on SRX 210,
SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices.
For information on functionality, see the “JUNOS for SRX-Series Services Gateways
Product Overview” section.
To configure the FTP ALG, use the edit security alg ftp statement at the [edit
security alg] hierarchy level. For more information, see
the JUNOS Software Security Configuration Guide.
■
H.323 ALG
Now supported on SRX 210 devices.
JUNOS software for SRX-series devices provides H.323 standard and H.323 Avaya
support. The H.323 standard is a legacy VoIP protocol defined by the International
Telecommunication Union Telecommunication Standardization Sector (ITU-T). H.323
consists of a suite of protocols (such as H.225.0 and H.245) that are used for call
signaling and call control for VoIP.
To configure the H.323 ALG, use the edit security alg h323 statement at the [edit
security alg] hierarchy level. For more information, see the JUNOS Software
Security Configuration Guide.
■
MGCP ALG
Now supported on SRX 210 devices.
JUNOS software for SRX-series devices provides Media Gateway Control Protocol
(MGCP) support. MGCP is a text-based Application Layer protocol used for call
setup and call control between the media gateway and the media gateway
controller (MGC).
To configure the MGCP ALG, use the edit security alg mgcp statement at the [edit
security alg] hierarchy level. For more information, see the JUNOS Software
Security Configuration Guide.
■
PPTP ALG
Now supported on SRX 210 devices.
JUNOS software for SRX-series devices provides Point-to-Point Tunneling Protocol
(PPTP) support. PPTP is a Layer 2 protocol that tunnels PPP data across TCP/IP
networks. The PPTP client is freely available on Windows systems and is widely
deployed for building virtual private networks (VPNs).
To configure the PPTP ALG, use the edit security alg pptp statement at the [edit
security alg] hierarchy level. For more information, see the JUNOS Software
Security Configuration Guide.
■
RPC ALG
Now supported on SRX 210 devices.
JUNOS software for SRX-series devices provides basic Remote Procedure Call
(RPC) support. RPC is a protocol that allows an application running in one address
space to access the resources of applications running in another address space
as if the resources were local to the first address space. The RPC ALG is
responsible for RPC packet processing.
To configure the RPC ALG, use the edit security alg rpc statement at the [edit
security alg] hierarchy level. For more information, see the JUNOS Software
Security Configuration Guide.
■
RSH ALG
Now supported on SRX 210 devices.
JUNOS software for SRX-series devices provides Remote Shell (RSH) support.
The RSH ALG handles TCP packets destined for port 514 and processes the RSH
port command. The RSH ALG performs NAT on the port in the port command
and opens gates as necessary.
To configure the RSH ALG, use the edit security alg rsh statement at the [edit
security alg] hierarchy level. For more information, see the JUNOS Software
Security Configuration Guide.
■
RTSP ALG
Now supported on SRX 210 devices.
JUNOS software for SRX-series devices provides Real-Time Streaming Protocol
support.
To configure the RTSP ALG, use the edit security alg rtsp statement at the [edit
security alg] hierarchy level. For more information, see the JUNOS Software
Security Configuration Guide.
■
SCCP ALG
Now supported on SRX 210 devices.
JUNOS software for SRX-series devices provides Skinny Client Control Protocol
(SCCP) support. SCCP is a Cisco proprietary protocol for call signaling. Skinny is
based on a call-agent-based call-control architecture. The control protocol uses
binary-coded frames encoded on TCP frames sent to well-known TCP port number
destinations to set up and tear down RTP media sessions. The SCCP protocol,
just as other call control protocols, negotiates media endpoint parameters,
specifically the RTP port number and the IP address of media termination by
embedding information in the control packets. The SCCP ALG parses these control
packets and facilitates media and control packets to flow through the SRX-series
devices.
To configure the SCCP ALG, use the edit security alg sccp statement at the [edit
security alg] hierarchy level. For more information, see the JUNOS Software
Security Configuration Guide.
■
SIP ALG
Now supported on SRX 210 devices.
JUNOS software for SRX-series devices provides Session Initiation Protocol (SIP)
support. SIP is an Internet Engineering Task Force (IETF)-standard protocol for
initiating, modifying, and terminating multimedia sessions over the Internet.
Such sessions might include conferencing, telephony, or multimedia, with features
such as instant messaging and application-level mobility in network environments.
To configure the SIP ALG, use the edit security alg sip statement at the [edit
security alg] hierarchy level. For more information, see the JUNOS Software
Security Configuration Guide.
■
SQLNET ALG
Now supported on SRX 210 devices.
JUNOS software for SRX-series devices provides Structured Query Language
(SQL) support. The SQLNET ALG processes SQL TNS response frames from the
server side. It parses the packet and looks for (HOST = ipaddress), (PORT = port)
patterns and performs NAT and gate opening on the client side for the TCP
data channel.
To configure the SQLNET ALG, use the edit security alg sqlnet statement at the
[edit security alg] hierarchy level. For more information, see the JUNOS Software
Security Configuration Guide.
■
TALK ALG
Now supported on SRX 210 devices.
JUNOS software for SRX-series devices provides TALK protocol support. The
TALK protocol uses UDP port 517 and port 518 for control channel connections.
The talk program consists of a server and a client. The server handles
client notifications and helps to establish talk sessions. There are two types of
talk servers: ntalk and talkd. The TALK ALG processes packets of both ntalk and
talkd formats. It also performs NAT and gate opening as necessary.
To configure the TALK ALG, use the edit security alg talk statement at the [edit
security alg] hierarchy level. For more information, see the JUNOS Software
Security Configuration Guide.
■
TFTP ALG
Now supported on SRX 240 and SRX650 devices. Existing support on SRX 210,
SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices.
For information on functionality, see the “JUNOS for SRX-Series Services Gateways
Product Overview.”
To configure the TFTP ALG, use the edit security alg tftp statement at the [edit
security alg] hierarchy level. For more information, see the JUNOS Software
Security Configuration Guide.
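The SQLNET ALG entry above describes finding (HOST = ipaddress) and (PORT = port) patterns in a server response and then performing NAT and gate opening. The following Python sketch is an added example, not Juniper's implementation: the payload, addresses, NAT table, and all function and class names are constructed for illustration, TNS framing is not modelled, and the strict rejection rules are an assumption.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# The two patterns the SQLNET ALG entry names: "(HOST = ipaddress)" and "(PORT = port)".
# Whitespace around "=" is optional and the keywords are matched case-insensitively.
HOST_RE = re.compile(rb"\(\s*HOST\s*=\s*([^()\s]+)\s*\)", re.IGNORECASE)
PORT_RE = re.compile(rb"\(\s*PORT\s*=\s*(\d{1,5})\s*\)", re.IGNORECASE)


class AlgError(ValueError):
    """The response is not safe to act on: no NAT rewrite, no gate."""


@dataclass(frozen=True)
class Gate:
    """A pinhole for exactly one expected TCP data connection."""
    client_ip: str      # only the client that received the response may use it
    advertised_ip: str  # address the client will connect to (after NAT rewrite)
    real_ip: str        # server address behind NAT
    port: int
    protocol: str = "tcp"


def process_response(payload: bytes, client_ip: str,
                     static_nat: dict[str, str]) -> tuple[bytes, Gate, int]:
    """Return (rewritten payload, gate to open, payload length delta)."""
    hosts = list(HOST_RE.finditer(payload))
    ports = list(PORT_RE.finditer(payload))
    # Assumption: anything other than exactly one HOST and one PORT is ambiguous
    # and is refused rather than guessed at.
    if len(hosts) != 1 or len(ports) != 1:
        raise AlgError("expected exactly one HOST and one PORT pattern")

    # Only a literal IPv4 address is accepted, so the gate never depends on a
    # name lookup the device would have to perform itself.
    try:
        real_ip = str(ipaddress.IPv4Address(hosts[0].group(1).decode("ascii")))
    except (ValueError, UnicodeDecodeError) as exc:
        raise AlgError("HOST is not a literal IPv4 address") from exc

    port = int(ports[0].group(1))
    if not 1 <= port <= 65535:
        raise AlgError("PORT out of range")

    # Rewrite only the address token, leaving the rest of the payload untouched.
    advertised_ip = static_nat.get(real_ip, real_ip)
    start, end = hosts[0].span(1)
    rewritten = payload[:start] + advertised_ip.encode("ascii") + payload[end:]
    gate = Gate(client_ip, advertised_ip, real_ip, port)
    return rewritten, gate, len(rewritten) - len(payload)


# Constructed sample input (not captured traffic).
SAMPLE_RESPONSE = b"(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST = 10.1.1.5)(PORT = 1526)))"
SAMPLE_NAT = {"10.1.1.5": "203.0.113.5"}  # real server address -> advertised address
SAMPLE_CLIENT = "198.51.100.20"

if __name__ == "__main__":
    new_payload, gate, delta = process_response(SAMPLE_RESPONSE, SAMPLE_CLIENT, SAMPLE_NAT)
    print(new_payload.decode())
    print(gate)
    print("length delta:", delta)
```

The non-zero length delta is why an ALG that rewrites payloads must also adjust any length fields carried in the frame and the TCP sequence numbers of the session.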
Chassis Clustering
■
Active/active chassis clustering
This feature is supported on SRX 3400, SRX 3600, SRX 5600, and SRX 5800
devices.
The data plane now supports active/active chassis clustering for these SRX-series
devices. The chassis clustering on these SRX-series devices is no longer restricted
to the creation of only one redundancy group beyond redundancy group 0. You
can now configure one or more redundancy groups numbered 1 through 128.
Multiple redundancy groups make it possible for traffic to arrive on an interface
of one redundancy group and egress on an interface that belongs to another
redundancy group. In this situation, the ingress and egress interfaces might not
be active on the same node. When this happens, the traffic is forwarded over
the fabric link to the appropriate node. SRX-series chassis clusters operate with
an active/backup control plane.
■
Control link recovery
This feature is supported on SRX 3400, SRX 3600, SRX 5600, and SRX 5800
devices.
Prior to this release, when a node was disabled due to control link failure, after
fixing the issue, you had to manually reboot the disabled node to make the
disabled node rejoin the cluster. With this release, you can specify that control
link recovery be done automatically by the system by using the set chassis cluster
control-link-recovery command (this feature is disabled by default). Once the
system determines that the control link is healthy, it issues an automatic reboot
on the disabled node. When the disabled node reboots, the node rejoins the
cluster. There is no need for any manual intervention.
■
Cold synchronization monitoring
This feature is now supported on SRX 210, SRX 240, and SRX650 devices.
Existing support on SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices.
The process of synchronizing data plane RTOs (runtime objects) on the startup
of the Services Processing Units (SPUs) or flowd is called cold sync. Chassis
clustering supports the process of monitoring the cold-sync state of all SPUs or
flowd on a node. Also, if you enable preempt, cold-sync monitoring prevents
the node from taking over mastership until the cold-sync process is completed
for all the SPUs or flowd on the node.
■
Flowd monitoring
This feature is supported on SRX 210 devices.
Chassis clustering supports the process of monitoring the health of the flowd
process. A failed flowd process causes failover of redundancy group x to the
secondary node.
■
SNMP failover traps
This feature is supported on SRX 3400, SRX 3600, SRX 5600, and SRX 5800
devices.
Chassis clustering supports SNMP traps, which are triggered whenever there is
a redundancy group failover. You can specify that a trace log be generated by
using the set chassis cluster traceoptions flag snmp command.
■
SPU monitoring
This feature is supported on SRX 3400, SRX 3600, SRX 5600, and SRX 5800
devices.
Chassis clustering supports the process of monitoring the health of the SPUs and
of the central point (CP). A single, failed SPU causes failover of redundancy group
x to the secondary node. A central point failure triggers failover to the secondary
node.
Intrusion Detection and Prevention (IDP)
■
Configuring IDP test conditions in custom anomaly attacks
This feature is supported on SRX 210, SRX 240, SRX650, SRX 3400, SRX 3600,
SRX 5600, and SRX 5800 devices.
The user can now see the supported test conditions for a protocol in the CLI.
When configuring IDP custom attacks, you can now list supported test conditions
for a specific protocol. For example, to configure test conditions for ICMP:
1.
List supported test conditions for ICMP and choose the one you want to
configure:
[edit security idp custom-attack test1 attack-type anomaly]
user@host# set test icmp?
Possible completions:
<test> Protocol anomaly condition to be checked
ADDRESSMASK_REQUEST
DIFF_CHECKSUM_IN_RESEND
DIFF_CHECKSUM_IN_RESPONSE
DIFF_LENGTH_IN_RESEND
2.
Configure the service for which you want to configure the test condition.
[edit security idp custom-attack test1 attack-type anomaly]
user@host# set service ICMP
3.
Configure the test condition (specifying the protocol name is not required):
[edit security idp custom-attack test1 attack-type anomaly]
user@host# set test ADDRESSMASK_REQUEST
Interfaces and Routing
■
Class of Service (CoS)
This feature is now supported on SRX 210, SRX 240, and SRX650 devices.
Existing support on SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices.
CoS allows you to divide traffic into classes and specify various levels of
throughput and packet loss when congestion occurs. This allows packet loss to
occur according to the rules you configure. For more information about
the JUNOS implementation of CoS and about configuring CoS, see the JUNOS
Software Interfaces and Routing Configuration Guide.
■
Configuring simple filters and policers
This feature is supported on SRX 3400 and SRX 3600 devices.
To handle oversubscribed traffic in the SRX 3400 and SRX 3600 series devices,
you can configure simple filters and policing. The simple filter functionality
comprises the following:
■
Classifying packets according to configured policies
■
Taking appropriate actions based on the results of classification
■
Intermediate System-to-Intermediate System (IS-IS)
This feature is supported on SRX 210, SRX 240, SRX650, SRX 3400, SRX 3600,
SRX 5600, and SRX 5800 devices.
IS-IS is a classless interior routing protocol developed by the International
Organization for Standardization (ISO) as part of the development of the Open
Systems Interconnection (OSI) protocol suite. Like OSPF routing, IS-IS uses hello
packets that allow network convergence to occur quickly when network changes
are detected.
For more information about the IS-IS protocol and about configuring IS-IS, see
the JUNOS Software Interfaces and Routing Configuration Guide.
■
Jumbo frame support
This feature is supported on SRX 3400, SRX 3600, SRX 5600, and SRX 5800
devices.
This release supports jumbo frames, or 9192-byte MTUs, on Gigabit Ethernet interfaces
and 10-Gigabit Ethernet interfaces. To configure jumbo frame support, see the JUNOS Software
Interfaces and Routing Configuration Guide.
■
Layer 2 bridging and transparent mode
This feature is supported on SRX 3400, SRX 3600, SRX 5600, and SRX 5800
devices.
This release provides Layer 2 bridging with transparent mode. Transparent mode
provides full security services on top of Layer 2 bridging functions. An SRX
services gateway operates in Layer 2 transparent mode when all physical
interfaces on the device are configured as Layer 2 logical interfaces. There is no
command to enable transparent mode on the device.
NOTE: You cannot define both Layer 2 and Layer 3 logical interfaces on a physical
interface.
To configure a Layer 2 logical interface, use the unit statement at the [edit
interfaces] hierarchy, and configure the logical interface with the bridge family
type. You can configure the logical interface as an access or a trunk interface.
A bridge domain is a set of logical interfaces that share the same flooding or
broadcast characteristics. You can configure a set of bridge domains that are
associated with a trunk interface. The set of bridge domains then functions as a
switch: a packet received on a trunk interface is forwarded based on the VLAN
ID (a packet is forwarded within the bridge domain that has the same VLAN ID
as the packet) and destination MAC. VLAN-based MAC learning, forwarding, and
aging are supported. To configure a bridge domain, use the [edit bridge-domains]
hierarchy to specify the VLAN ID(s) for packets that will be forwarded on the
bridge domain.
NOTE: In this release, Layer 2 bridging does not support STP. It is the user’s
responsibility to ensure that no flooding loops exist in the network topology.
You can optionally configure an integrated routing and bridging (IRB) interface
for management traffic on the device. For this release, the IRB interface does
not support traffic forwarding or routing. To configure an IRB interface, create
an irb logical interface in the [edit interfaces] hierarchy, and then reference the
IRB interface in the [edit bridge-domains] hierarchy.
When packets are forwarded through a bridge domain, security policies can be
applied between Layer 2 security zones. To create Layer 2 security zones, use
the security-zone statement at the [edit security zones] hierarchy, and specify the
interfaces that belong to the zone. (The IRB interface cannot be assigned to any
security zone.) You can configure screen options, address books, or TCP-RST for
Layer 2 security zones.
NOTE: You can configure the same screen options for a Layer 2 security zone as for
a Layer 3 security zone, with the exception of IP spoofing.
You configure a transparent mode security policy in the same way as for policies
configured for Layer 3 zones, with the following exceptions:
■
NAT is not supported
■
Layer 2 IPsec VPN is not supported
■
ALGs are not supported
■
IDP policies are not supported for Layer 2 traffic
To configure a transparent mode security policy, use the [edit security policies]
hierarchy.
NOTE: Chassis clustering of SRX devices in transparent mode is not supported in
this release.
For more information, see the JUNOS Software Interfaces and Routing Configuration
Guide.
■
3G wireless network connections
This feature is supported on SRX 210 devices.
This release allows SRX 210 devices to use 3G networks as primary or backup
WAN links. Juniper supports the following 3G wireless modem cards installed in
the ExpressCard slot of the SRX 210 services gateway:
■
Sierra Wireless AirCard Global System for Mobile communications (GSM)
High-Speed Downlink Packet Access (HSDPA) ExpressCard
■
Sierra Wireless AirCard Code-Division Multiple Access (CDMA)
1xEvolution-Data Optimized (EV-DO) rev. A ExpressCard
The physical interface cl-0/0/8 is created automatically when the 3G modem is
installed in the SRX 210 services gateway. To configure the interface, use the
set interfaces cl-0/0/8 statement at the [set interfaces] hierarchy level. To
configure the logical dialer interface, use the set interfaces dln statement at the
[set interfaces] hierarchy level. For more information, see the JUNOS Software
Interfaces and Routing Configuration Guide.
■
Multicast Interfaces
This feature is supported on SRX 3400, SRX 3600, SRX 5600, and SRX 5800
devices.
Multicast traffic streams between a single source and multiple destinations. In
Protocol Independent Multicast (PIM) sparse mode, the first-hop routing platform
encapsulates packets destined for the rendezvous point device. The packets are
encapsulated with a unicast header and are forwarded through a unicast tunnel
to the rendezvous point. The rendezvous point then de-encapsulates the packets
and transmits them through its multicast tree.
Within a device, packets are routed to the PIM interfaces pe-0/0/0 for
encapsulation and pd-0/0/0 for de-encapsulation. These interfaces are not
associated with physical network interfaces and are created internally when you
issue the set protocols pim command. You must configure PIM with the [edit
protocols pim] hierarchy to perform PIM encapsulation or de-encapsulation.
For more information about multicast protocols and configuring multicast
protocols on Juniper Networks devices, see the JUNOS Multicast Protocols
Configuration Guide.
IPsec
■
IPsec multiple flow thread architecture
This feature is now supported on SRX 210, SRX 240 and SRX650 devices. Existing
support on SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices.
These devices provide a multiple flow thread architecture that results in increased
IPsec performance. For more information, see the JUNOS Software Security
Configuration Guide.
■
Dynamic VPN
This feature is supported on SRX 210 and SRX 240 devices.
The dynamic VPN feature uses Internet Protocol Security (IPsec) technology to
create secure VPN tunnels. This feature simplifies remote access by enabling
users to establish VPN tunnels without having to manually configure VPN settings
on their PCs or laptops. Instead, the client is dynamically delivered to users from
the SRX 210 or SRX 240 devices upon successful authentication. This Layer 3
remote access client uses client-side configuration settings that it receives from
the server to create and manage a secure VPN tunnel to the server. For more
information, see the JUNOS Software Security Configuration Guide.
Management and Administration
■
Support for the TFTPBOOT installation method
This feature is supported on SRX 210 devices.
You can install the JUNOS software by using the Trivial File Transfer Protocol BOOT
(TFTPBOOT) method. During installation of the JUNOS software, the secondary
boot loader in the services gateway retrieves the JUNOS software package from
a TFTP server. The software image is then installed on the internal flash.
Installing a new image with TFTP erases any user-generated configuration on
the router, and the router comes up with the factory default configuration.
NOTE: The TFTPBOOT method can be used only on LANs.
To install the software image on the internal flash, issue the following command
at the loader prompt:
Loader > install URL
where URL is tftp://<tftp server ip>/<package name>
You can use the TFTPBOOT method in the following scenarios:
■
To bring up the SRX 210 services gateway if the standard boot process fails
■
To install the JUNOS software on the SRX 210 services gateway for the first
time
■
To start JUNOS without using the NAND flash
For more information about the other installation methods, see the JUNOS
Software Administration Guide for Security Devices.
Security
■
Unified Access Control (UAC) integration
This feature is now supported on SRX 240 and SRX650 devices. It was already
supported on SRX 210, SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices.
You can configure an SRX-series services gateway to act as a JUNOS Enforcer in
a Unified Access Control (UAC) deployment. When deployed as a JUNOS Enforcer,
the SRX-series device enforces the policies that are defined on the UAC’s Infranet
Controller. To configure the SRX-series device as a JUNOS Enforcer, enable the
application-services statement at the [edit security policies from-zone zone-name
to-zone zone-name policy match then permit] hierarchy level. Then use the
unified-access-control statement at the [edit services] hierarchy level to configure
UAC features. For more information, see the JUNOS Software Security Configuration
Guide.
■
Unified Threat Management (UTM) features
These features are supported on SRX 210, SRX 240, and SRX650 devices.
■
Antispam—E-mail spam consists of unwanted e-mail messages, usually sent
by commercial, malicious, or fraudulent entities. The antispam feature
examines transmitted e-mail messages to identify e-mail spam. When the
device detects an e-mail message deemed to be spam, it either drops the
message or tags the message header or subject field with a preprogrammed
string.
The antispam feature uses a constantly updated spam block list (SBL). Sophos
updates and maintains the IP-based SBL. The antispam feature is a separately
licensed subscription service.
To configure antispam, use the antispam statement at the [set security utm
feature-profile] hierarchy level. For more information, see the JUNOS Software
Security Configuration Guide.
■
Content filtering—Content filtering blocks or allows certain types of traffic
based on the MIME type, file extension, protocol command, and embedded
object type. Content filtering does not require a separate license.
To configure redirect content filtering, use the content-filtering statement at
the [set security utm feature-profile] hierarchy level. For more information,
see the JUNOS Software Security Configuration Guide.
■
Express antivirus—Express antivirus scanning is offered as a less
CPU-intensive alternative to the full file-based antivirus feature. The express
antivirus feature, like the full antivirus feature, scans specific Application
Layer traffic for viruses against a virus signature database. However, unlike
full antivirus, express antivirus does not reconstruct the original application
content. Rather, it just sends (streams) the received data packets, as is, to
the scan engine. With express antivirus, the virus scanning is executed by
a hardware pattern matching engine. This improves performance while
scanning is occurring, but the level of security provided is lessened. Juniper
Networks provides the scan engine. The express antivirus scanning feature
is a separately licensed subscription service.
To configure express antivirus, use the antivirus juniper-express-engine
statement at the [set security utm feature-profile] hierarchy level. For more
information, see the JUNOS Software Security Configuration Guide.
■
Full file-based antivirus—A virus is executable code that infects or attaches
itself to other executable code to reproduce itself. Some malicious viruses
erase files or lock up systems. Other viruses merely infect files and
overwhelm the target host or network with bogus data. The full file-based
antivirus feature provides file-based scanning on specific Application Layer
traffic checking for viruses against a virus signature database. It collects the
received data packets until it has reconstructed the original application
content, such as an e-mail file attachment, and then scans this content.
Kaspersky Lab provides the internal scan engine. The full file-based antivirus
scanning feature is a separately licensed subscription service.
To configure full file-based antivirus, use the antivirus kaspersky-lab-engine
statement at the [set security utm feature-profile] hierarchy level. For more
information, see the JUNOS Software Security Configuration Guide.
■
Integrated Web filtering—Web filtering lets you manage Internet usage by
preventing access to inappropriate Web content. With the integrated Web
filtering solution, the decision-making for blocking or permitting Web access
is done on the device after it identifies the category for a URL either from
user-defined categories or from a category server (Websense provides the
CPA Server). The integrated Web filtering feature is a separately licensed
subscription service.
To configure integrated Web filtering, use the web-filtering
surf-control-integrated statement at the [set security utm feature-profile]
hierarchy level. For more information, see the JUNOS Software Security
Configuration Guide.
■
Redirect Web filtering—Web filtering lets you manage Internet usage by
preventing access to inappropriate Web content. The redirect Web filtering
solution intercepts HTTP requests and forwards the server URL to an external
URL filtering server provided by Websense to determine whether to block
or permit the requested Web access. Redirect Web filtering does not require
a separate license.
To configure redirect Web filtering, use the web-filtering websense-redirect
statement at the [set security utm feature-profile] hierarchy level. For more
information, see the JUNOS Software Security Configuration Guide.
■
UTM licensing—The majority of UTM features function as a subscription
service requiring a license. You can redeem this license once you have
purchased your subscription license SKUs.
To apply your UTM license, use the system license update statement at the
[request] hierarchy level. For more information, see the JUNOS Software
Security Configuration Guide.
■
Antivirus SNMP support—SNMP support is provided for the following
antivirus functionality: scan engine monitoring, signature database update
status, and scan statistics.
For more information, see the JUNOS Network Management Guide.
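The difference between the express and full file-based antivirus modes described above can be seen in a simplified model (an added example, not Juniper's scan engine or code from these release notes). The signature, the sample messages, and all function names are constructed for illustration; the model assumes the express path matches patterns on packet bytes as received, while the full path collects the packets and decodes the MIME content before scanning.

```python
"""Simplified model of express vs. full file-based antivirus scanning.

Added illustration only: not Juniper's scan engine. The signature and the
messages are constructed, harmless test data.
"""
from email import message_from_bytes
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Constructed marker standing in for an entry in a virus signature database.
SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE-0001"


def plain_email(body: bytes) -> bytes:
    """Constructed message whose body travels unencoded (7bit)."""
    msg = MIMEText(body.decode("ascii"), "plain", "us-ascii")
    msg["Subject"] = "constructed sample: inline text"
    return msg.as_bytes()


def attachment_email(payload: bytes) -> bytes:
    """Constructed message carrying payload as a base64-encoded attachment."""
    msg = MIMEMultipart()
    msg["Subject"] = "constructed sample: attachment"
    msg.attach(MIMEText("See attachment.", "plain", "us-ascii"))
    part = MIMEApplication(payload)  # base64 transfer encoding by default
    part.add_header("Content-Disposition", "attachment", filename="sample.bin")
    msg.attach(part)
    return msg.as_bytes()


def packetize(data: bytes, size: int = 16) -> list:
    """Split an application stream into fixed-size packet payloads."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def express_scan(packets, signature: bytes = SIGNATURE) -> bool:
    """Stream model: match the pattern on packet bytes as received.

    A tail of len(signature) - 1 bytes is carried between packets so a
    pattern spanning a packet boundary still matches; nothing is decoded.
    """
    tail = b""
    for pkt in packets:
        window = tail + pkt
        if signature in window:
            return True
        tail = window[-(len(signature) - 1):]
    return False


def full_scan(packets, signature: bytes = SIGNATURE) -> bool:
    """File-based model: collect all packets, rebuild the content, then scan."""
    msg = message_from_bytes(b"".join(packets))
    for part in msg.walk():
        if part.is_multipart():
            continue
        content = part.get_payload(decode=True) or b""  # undo base64 etc.
        if signature in content:
            return True
    return False


def compare(message: bytes) -> dict:
    """Run both models over the same packetized message."""
    packets = packetize(message)
    return {"express": express_scan(packets), "full": full_scan(packets)}


if __name__ == "__main__":
    inline = plain_email(b"text " + SIGNATURE + b" text\n")
    attached = attachment_email(b"\x00\x01" + SIGNATURE + b"\x02\x03")
    print("inline text:", compare(inline))
    print("base64 attachment:", compare(attached))
```

In this model both modes flag the inline text, but only the full scan flags the base64 attachment, because the pattern never appears in the bytes on the wire.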
Hardware Features—SRX 210 Services Gateways
Hardware
JUNOS software for the SRX 210 services gateway integrates the world-class network
security and routing capabilities of Juniper Networks. JUNOS software for the SRX
210 includes a wide range of security services, including policies, screens, Network
Address Translation (NAT), and other flow-based services, that are also supported
on the other SRX-series services gateways.
The SRX 210 services gateway offers features that provide complete functionality
and flexibility for delivering secure Internet and intranet access. This services gateway
offers stable, reliable, and efficient IP routing along with WAN and LAN connectivity.
The gateway provides Internet Protocol Security (IPsec), virtual private network (VPN),
and firewall services for small and medium companies and enterprise branch and
remote offices.
The SRX 210 services gateway can be connected directly to traditional private
networks, such as leased line, Frame Relay, and MPLS networks, or the public Internet.
There are three variants of the SRX 210 services gateway:
■
Low Memory
■
High Memory
■
Power over Ethernet (PoE)
The SRX 210 services gateway has redundant and resilient hardware. The following
table provides the SRX 210 services gateway chassis specifications.
Table 3: SRX 210 Services Gateway Chassis Specifications
Description | Value
Chassis height | 1 rack unit (U)
Chassis width | 11 in. (280 mm)
Chassis depth | 7 in. (179 mm)
The following table provides information about the SRX 210 services gateway
hardware features.
Table 4: SRX 210 Services Gateway Hardware Features
Feature | Description
Gigabit Ethernet | Two ports on the front panel provide LAN and WAN connectivity to hubs, switches, local servers, and workstations with link speeds of 10/100/1000 Mbps. In the PoE version, the PoE is supported on both ports.
Fast Ethernet | Six ports on the front panel provide LAN and WAN connectivity to hubs, switches, local servers, and workstations with link speeds of 10/100 Mbps. In the PoE version, the PoE is supported on the first two Fast Ethernet ports.
Universal serial bus | Two ports on the front panel support a USB storage device that can function as a secondary boot device in the event of internal flash failure. USB ports also provide interfaces for communicating with peripherals such as USB storage devices and USB storage device adapters.
Console | One port on the front panel functions as a management port for directly logging into a device to configure it by using the CLI.
ExpressCards | One slot on the rear panel can hold a 3G wireless ExpressCard.
Mini-PIM | One slot on the front panel supports the following Mini-Physical Interface Modules (Mini-PIMs) to provide LAN and WAN functionality, along with access to the T1, E1, Gigabit Ethernet, ADSL, and Serial interfaces: T1/E1 Mini-PIM; 1-port SFP Mini-PIM; ADSL2+ Mini-PIM; Serial Mini-PIM
External power supply | The total power consumption by the three SRX 210 services gateway variants is as follows: Low Memory—35.5 W @ 12 V; High Memory—36.5 W @ 12 V; PoE—36.5 W @ 12 V, 50 W @ 48 V
Memory | Fixed Random Access: Low Memory—512 MB, High Memory—1 GB, PoE—1 GB; Boot flash—4 MB; Internal flash—1 GB
For more information, see the SRX 210 Services Gateway Hardware Guide.
Support for the 3G ExpressCard
Wireless WAN access is becoming widely available and comparable in cost to ISDN
and DSL. The SRX 210 services gateway provides support for a wireless interface
that serves both as a backup and as the primary WAN connection.
Juniper Networks supports 3G wireless modem cards that you can install into the
ExpressCard slot in SRX 210 services gateways.
The 3G ExpressCard provides the following key features:
■
Operating mode selection—You can select the operating mode you want to use
for the 3G ExpressCard. The supported operating modes are EVDO, HSDPA, and
Automatic.
■
Activation of new cards through the CLI—You can activate CDMA ExpressCards
through the JUNOS CLI.
■
Unlocking ExpressCards—You can unlock both CDMA and Global System for
Mobile (GSM) ExpressCards through the JUNOS CLI.
■
Call logging support—Call logging provides details about the calling number,
dialed number, direction and duration of the call, and traffic.
For more information, see the SRX 210 Services Gateway Hardware Guide.
Support for PoE
Power over Ethernet (PoE) is the implementation of the IEEE 802.3 AF standard,
allowing both data and electric power to pass over a copper Ethernet LAN cable.
The SRX 210 services gateway supports PoE on Gigabit Ethernet ports. The PoE ports
transfer electrical power, along with data, to remote devices over standard twisted-pair
cable in an Ethernet network. PoE ports allow you to plug in devices that require
both network connectivity and electric power, such as VOIP phones, wireless LAN
access points, and IP telephones.
You can configure the gateway to act as power sourcing equipment to supply the
power to powered devices connected on the designated ports.
The following table lists the SRX 210 services gateway PoE specifications.
Table 5: SRX 210 Services Gateway PoE Specifications
Power Management Schemes | Value
Supported standards | IEEE 802.3 AF; Legacy (pre-standards)
Supported ports | PoE is supported on the two Gigabit Ethernet ports and two Fast Ethernet ports.
Total PoE power sourcing capacity | 50 W
Per port power limit | 15.4 W
Power management modes | Static: power allocated for each interface can be configured; Class: power allocation for interfaces is decided based on the class of powered device connected
ADSL Interface Support on SRX 210
The SRX 210 services gateway provides a single-port ADSL2+ Mini-Physical Interface
Module (Mini-PIM). The ADSL2+ Mini-PIM provides a single physical interface for
ADSL network media types.
The ADSL2+ Mini-PIM supports the following operational modes:
■
ADSL mode for ANNEX-A
■
ADSL mode for ANNEX-B
■
ADSL mode for ANNEX-M
The ADSL interface provides the following key features:
■
Automatic configuration of the ADSL line after negotiation with the DSLAM,
minimizing configuration
■
Supports ADSL, ADSL2, and ADSL2+ protocols on the same interface card
■
Gasp support
■
MLPPP over two ADSL cards
■
Asynchronous Transfer Mode (ATM) Adaptation Layer 5 (AAL5) encapsulation
For more information, see the JUNOS Software Interfaces and Routing Configuration
Guide for Security Devices.
Support for the T1 and E1 Interfaces
The T1/E1 Mini-Physical Interface Module (Mini-PIM) provides the physical connection
to T1 or E1 network media types and also performs T1 or E1 framing and line-speed
signaling.
The T1 and E1 interfaces provide the following key features:
■
Integrated channel service unit (CSU) or data service unit (DSU) to eliminate the
need for a separate external device.
■
56-Kbps and 64-Kbps operating modes
■
Independent internal and external clocking option
■
Alarm reporting with a 24-hour history
■
Loopback, bit error rate test (BERT), facilities data link [FDL (T1 only)], and Long
Buildout (T1 only) diagnostics
■
Multilink Frame Relay and Multilink PPP support
■
Complete configuration and management by CLI and J-Web
For more information, see the JUNOS Software Interfaces and Routing Configuration
Guide for Security Devices.
Support for Connectivity to a Gigabit Ethernet Device or Network
The 1-Port Small Form factor Pluggable (SFP) Mini-Physical Interface Module
(Mini-PIM) provides connectivity to a single Gigabit Ethernet device or network.
The 1-Port SFP Mini-PIM provides the following key features:
■
Enables you to install and remove transceivers without powering down the device
■
Provides real-time visual status of connectivity and traffic flows
■
Provides Link Up/Down alarm
■
Supports different transceiver types
For more information, see the SRX 210 Services Gateway Hardware Guide.
Serial Mini-Physical Interface Module
Serial WAN links provide bidirectional links that require very few control signals. In
a basic serial setup, the data circuit-terminating equipment (DCE) is responsible for
establishing, maintaining, and terminating a connection. A modem is a typical DCE
device. A serial cable connects the DCE to a telephony network where, ultimately, a
link is established with data terminal equipment (DTE). DTE is typically where a link
terminates.
Key Features
■
Autoselection of operation modes based on DTE or DCE cables
■
Local and remote loopback diagnostics
■
Configurable clock rate for the transmit (TX) clock and receive (RX) clock
■
Complete configuration and management by CLI and J-Web configuration editor
Hardware Features—SRX 240 Services Gateways
Hardware
■
JUNOS software for the SRX 240 services gateway integrates the world-class
network security and routing capabilities of Juniper Networks products. JUNOS
software for the SRX 240 services gateway includes a wide range of security
services, including policies, screens, NAT, and other flow-based services that are
also supported on the other SRX-series services gateways.
The SRX 240 device offers features that provide complete functionality and
flexibility for delivering secure Internet and intranet access. The SRX 240 device
offers stable, reliable, and efficient IP routing and WAN and LAN connectivity.
The device provides IP Security (IPsec), virtual private network (VPN), and firewall
services for small and medium companies and enterprise branch and remote
offices.
The SRX 240 services gateway can be connected directly to a traditional private
network such as leased line, Frame Relay, or Multi Protocol Label Switching
(MPLS) networks as well as the public Internet.
There are three types of SRX 240 services gateways:
■
Low Memory
■
High Memory
■
PoE
Table 6 lists the hardware features supported on the SRX 240 services
gateway.
Table 6: Hardware Features of the SRX 240 Services Gateway
Features | SRX 240 Services Gateway Low Memory | SRX 240 Services Gateway High Memory | SRX 240 Services Gateway PoE
DDR Memory | 512 MB | 1 GB | 1 GB
PoE Support | No | No | Yes
Input Power | 119 W | 128 W | 317 W
AC input voltage | 100 to 240 VAC | 100 to 240 VAC | 100 to 240 VAC
The SRX 240 services gateway has redundant and resilient hardware.
Table 7 describes the SRX 240 services gateway hardware
specifications.
Table 7: Hardware Specifications of the SRX 240 Services Gateway
Description | Value
Chassis height | 1 Rack Unit (U)
Chassis width | 17.5 in (444 mm)
Chassis depth | 16 in (408.23 mm)
Maximum thermal output | SRX 240 Low Memory: AC Power: 396 BTU/hour (116W), DC Power: 338 BTU/hour (99W); SRX 240 High Memory: AC Power: 427 BTU/hour (125W), DC Power: 365 BTU/hour (107W); SRX 240 PoE: AC Power: 560 BTU/hour (164W), DC Power: 478 BTU/hour (140W)
Temperature | Normal operation ensured in temperature range of 32°F (0°C) to 104°F (40°C). Nonoperating storage temperature in shipping container: –40°F (–40°C) to 158°F (70°C)
Table 8 describes the SRX 240 services gateway hardware features.
Table 8: SRX 240 Services Gateway Hardware Features
Features | Description
Gigabit Ethernet | Sixteen ports on the front panel provide LAN and WAN connectivity to hubs, switches, local servers, and workstations with link speeds of 10/100/1000 Mbps. NOTE: On the PoE version of the SRX 240 services gateway, all 16 Gigabit Ethernet ports support PoE.
Universal Serial Bus (USB) | Two ports on the front panel support a USB storage device that can function as a secondary boot device in the event of internal flash failure. USB ports also provide interfaces for communicating with peripherals such as USB storage devices and USB storage device adapters.
Console | One port on the front panel functions as a management port for directly logging into a device to configure it using the CLI.
Mini-PIM | Four slots on the front panel support the following Mini-Physical Interface Modules (Mini-PIMs) to provide LAN and WAN functionality, along with access to the T1, E1, Gigabit Ethernet, and ADSL interfaces: T1/E1 Mini-PIM; 1-port SFP Mini-PIM; ADSL2+ Mini-PIM; Serial Mini-PIM
Power supply | 100 to 240 VAC (Integrated single AC power supply)
Memory | Fixed Random Access — 512 MB Memory (RAM); Boot flash — 4 MB; Internal flash — 1 GB
For more information, see the SRX 240 Services Gateway Hardware Guide.
Serial Mini-Physical Interface Module
Serial WAN links provide bidirectional links that require very few control signals. In
a basic serial setup, the data circuit-terminating equipment (DCE) is responsible for
establishing, maintaining, and terminating a connection. A modem is a typical DCE
device. A serial cable connects the DCE to a telephony network where, ultimately, a
link is established with data terminal equipment (DTE). DTE is typically where a link
terminates.
Key Features
■
Autoselection of operational modes based on DTE or DCE cables
■
Local and remote loopback diagnostics.
■
Configurable clock rate for transmit (TX) and receive (RX) clocks.
■
Complete configuration and management by CLI and J-Web configuration editor.
For more information, see the SRX 240 Services Gateway Hardware Guide.
Power Over Ethernet
Introduction
Power over Ethernet (PoE) is the implementation of the IEEE 802.3 AF standard,
allowing both data and electric power to pass over a copper Ethernet LAN cable.
The SRX 240 services gateway supports PoE on Gigabit Ethernet ports. The PoE ports
transfer electrical power, along with data, to remote devices over standard twisted-pair
cable in an Ethernet network. PoE ports allow you to plug in devices that require
both network connectivity and electric power, such as VOIP phones, wireless LAN
access points, and IP telephones.
You can configure the gateway to act as power sourcing equipment to supply the
power to powered devices connected on the designated ports.
SRX 240 Services Gateway PoE Specifications
Table 9 lists the SRX 240 Services Gateway PoE specifications:
Table 9: SRX 240 Services Gateway PoE Specifications
Power Management Schemes | Values
Supported standards | IEEE 802.3 AF; IEEE 802.3 AT (draft); Legacy (pre-standards)
Supported ports | Supported on all sixteen Gigabit Ethernet ports
Total PoE power sourcing capacity | 150 W
Per port power limit | 30 W
Power management modes | Static: power allocated for each interface can be configured; Class: power allocation for interfaces is decided based on the class of powered device connected
Hardware Features—SRX650 Services Gateways
Hardware
The SRX650 is a mid-range dynamic services gateway that consolidates network
infrastructure and security applications for regional offices, large branch offices, and
small to medium enterprises. The services gateway provides cost-effective, scalable
integration of routing, security, and other mid-range applications for these sites.
The SRX650 services gateway has a modular 2U chassis that fits a 19-inch rack with
a depth of approximately 18.1 inches. It contains a rear-pluggable Services and
Routing Engine (SRE) module that improves processing performance for mid-range
applications, particularly routing and firewall services.
The SRX650 services gateway provides the following features:
■
Symmetric Multiprocessing (SMP)-based data forwarding.
■
Hardware-based control and data plane separation.
■
4 on-board 10/100/1000Base-T Gigabit Ethernet ports.
■
A Services and Routing Engine with 1 GB memory configuration, which contains
the management ports (console and USB) for the services gateway.
■
Support for dual AC power supplies with a redundant configuration in the chassis
(approximately 645 W power supply is supported). The AC power supplies are
hot-swappable.
■
Support for 2 GB CompactFlash (CF) storage devices. The SRE contains a
hot-pluggable CF storage device used to upload and download files, and the
chassis contains a CF storage device used to store the operating system.
■
JUNOS support for advanced security and routing services on the SRE.
Services and Routing Engine module—The Services and Routing Engine (SRE)
module provides processing power for security services, routing protocol processes,
and other software processes that control the services gateway interfaces, some of
the chassis components, system management, and user access to the device.
The services gateway must have at least one SRE installed. You can install additional
SREs to increase processing power or to create SRE redundancy. SREs install
horizontally in the back of the chassis in slots SRE0 and SRE1/SRE1.1. An SRE weighs
3 lbs 13.6 oz (1.75 kg).
CAUTION: SREs are not Online Insertion and Removal (OIR) capable. You must
power off the services gateway before removing or inserting an SRE.
NOTE: Slot SRE0 is a full-length slot capable of holding a full-slot module such as an
SRE. The SRE1 and SRE1.1 slots are capable of holding either two half-slot modules
or one full-slot module.
If a slot is not occupied by a card, a blank panel must be installed to shield the empty
slot and to maintain proper cooling of the services gateway.
NOTE: For this release, the SRE must be installed into the lower slot (SRE0).
Gigabit-Backplane Pluggable Interface Modules—The SRX650 services gateway
supports the following Gigabit-backplane Pluggable Interface Modules (GPIMs):
■
16-Port Gigabit Ethernet XGPIM
■
16-Port Gigabit Ethernet with PoE XGPIM
■
24-Port Gigabit Ethernet XPIM
■
24-Port Gigabit Ethernet with PoE XPIM
■
Dual T1/E1 GPIM: contains 2 fixed T1/E1 ports, labeled 0 to 1, which support
framed clear channel
■
Quad T1/E1 GPIM: contains 4 fixed T1/E1 ports, labeled 0 to 3, which support
framed clear channel
A GPIM is a network interface card that installs in the front slots of the services
gateway to provide physical connections to a LAN or a WAN. The GPIM receives
incoming packets from a network and transmits outgoing packets to a network.
PIM Terminology:
■
GPIM — Gigabit-backplane PIM (GPIM) includes standard GPIMs that are
installed in a single-high, single-wide GPIM slot and have gigabit connectivity
to the system backplane.
■
XGPIM — The XGPIM can only be installed in the 20-gigabit GPIM slots (slots
2 and 6 on the front panel).
■
XPIM — The XGPIM can only be installed in the 20-gigabit GPIM slots (slots
2 and 6 on the front panel).
CAUTION: GPIMs are not Online Insertion and Removal (OIR) capable. You must
power off the services gateway before removing or inserting a GPIM. Ensure that the
GPIM is installed in the appropriate GPIM slot before powering on the services
gateway.
The services gateway GPIMs communicate with the backplane at various
performance levels and might require specific GPIM slot placement. GPIM
slots are located in the front of the chassis and can hold up to 8 standard
GPIMs. The Dual T1/E1 GPIM and Quad T1/E1 GPIM can be plugged into any
GPIM slot on the services gateway and provide the physical connection to
T1 or E1 network media types. The SRX650 services gateway chassis can
also hold GPIMs that use more than one standard slot:
■
Double-high single-wide, which uses two standard slots vertically
■
Double-high double-wide, which uses two vertical and two horizontal
slots for a total of four standard slots
NOTE: When installing the 24-Port Gigabit Ethernet XPIM, which uses four slots, you
must install it in the 20-gigabit GPIM slots 2 and 6, which refer to the bottom four
slots 1 to 4, or the top four slots 5 to 8.
The Dual T1/E1 GPIM and Quad T1/E1 GPIM provide the following common key
features for both T1 and E1 modes:
■
HDLC operating mode supports 56-Kbps and 64-Kbps
■
Independent internal and external clocking option
■
Alarm reporting with 24-hour history
■
MTU supports 9K bytes
The Dual T1/E1 GPIM and Quad T1/E1 GPIM provide the following key
features specific to either T1 or E1 modes as listed in Table 10.
Table 10: Dual T1/E1 GPIM and Quad T1/E1 Specific T1 or E1 Features
Description | T1 Mode | E1 Mode
Operation modes | Framed clear channel; Fractional operation mode supports flexible configuration for time slots (numbered 1-24) | Framed clear channel (64-Kbps); Unframed clear channel; Fractional operation mode supports flexible configuration for time slots (numbered 0-31)
Framing | Superframe (D4/SF); Extended Superframe (ESF) | G704; G704 with no CRC4; G703 Unframed
Line encoding | B8ZS; AMI | HDB3
USB Support
The following USB devices have been tested with SRX650 devices:
■
Sandisk micro (1 and 2 GB)
■
Lexar (1 and 2 GB)
NOTE: Contact a customer service representative for more information on supported
USB devices.
Power over Ethernet
Both 16-Port XGPIM and 24-Port XPIM support Power over Ethernet (PoE) if a
PoE-capable power supply and PIM module are installed in the chassis. PoE is the
implementation of the IEEE 802.3 AF standard, which allows both data and electric
power to pass over a copper Ethernet LAN cable. The active Services and Routing
Engine (SRE) manages the overall system PoE power.
The SRX650 services gateway provides PoE ports, which supply electric power over
the same ports that are used to connect network devices. PoE ports allow you to plug
in devices that require both network connectivity and electric power, such as VOIP,
IP phones, and wireless access points. You can configure the services gateway to act
as power sourcing equipment to supply the power to the GPIMs connected on the
designated PoE ports.
Table 11 lists the SRX650 Services Gateway PoE Specifications.
Table 11: SRX650 Services Gateway PoE Specifications
Power Management Schemes | Values
Supported standards | IEEE 802.3 AF; IEEE 802.3 AT; Legacy (pre-standards)
Supported slots | PoE is supported on the following front panel slots: 2; 4; 6; 8
Total PoE power sourcing capacity | 250 W with one power supply; 500 W with two power supplies
Per-port power limit | 31.2 W
Power management modes | Static: power allocated for each interface can be configured; Class: power allocation for interfaces is decided based on the class of powered device connected
For more information, see the SRX650 Services Gateway Hardware Guide.
Hardware Features—SRX 5600 and SRX 5800 Services Gateways
Flex I/O Card
This release of JUNOS supports the new SRX5K-FPC-IOC modular Flex I/O Card (IOC)
for the SRX 5600 and SRX 5800 services gateways.
Flex IOCs are IOCs that have two slots and accept port modules that add Ethernet
ports to your services gateway. A flex IOC with port modules installed in it functions
in the same way as a regular IOC, but allows greater flexibility in adding different
types of Ethernet ports to your services gateway.
Table 12 lists the Port Modules for SRX 5600 and SRX 5800 services
gateway Flex IOC.
Table 12: Port Modules for SRX 5600 and SRX 5800 Services Gateway Flex IOC
Module | Port type | Ports
SRX-IOC-16GE-TX | 10/100/1000 RJ-45 | 16
SRX-IOC-4XGE-XFP | 10 Gigabit XFP | 4
NOTE: A third port module type, the SRX-IOC-16GE-SFP, is described in the SRX
5600 Services Gateway Hardware Guide and SRX 5800 Services Gateway Hardware
Guide, but this is not available in the 9.5 release.
Related Topics
■ Known Limitations in JUNOS Software Release 9.5 for SRX-series Services Gateways on page 124
■ Issues in JUNOS Software Release 9.5 for SRX-series Services Gateways on page 129
■ Errata in Documentation for JUNOS Software Release 9.5 for SRX-series Services Gateways on page 140
■ Unsupported CLI Statements and Commands in JUNOS Software Release 9.5 for SRX-series Services Gateways on page 128
Changes In Default Behavior and Syntax
CLI
■ If more than 10 users are logged in to the router, not all of the users are displayed in the CLI.
■ CLI Commands No Longer Supported
The show dhcp relay and show dhcp server commands are no longer supported.
Flow and Processing
■ On SRX650 devices, although the physically installed DRAM is 2 GB and U-Boot detects 2 GB, JUNOS software detects only 1 GB.
■ On SRX-series devices, the factory default for the maximum number of backup configurations allowed is 5. Therefore, you can have one active configuration and a maximum of five rollback configurations. Increasing this backup configuration number will result in increased memory usage on disk and increased commit time.
To modify the factory defaults, use the following commands:
root@vidar7# set system max-configurations-on-flash number
root@vidar7# set system max-configuration-rollbacks number
Where max-configurations-on-flash indicates backup configurations to be stored in the configuration partition and max-configuration-rollbacks indicates the maximum number of backup configurations.
Interfaces and Routing
■ On SRX-series devices, we need to minimize the number of writes to the flash device to ensure that we do not hit flash issues. Disable writing the logs to the flash by default. Options can be to write to memory or to a secondary device like USB or over the network.
Intrusion Detection and Prevention (IDP)
■ Moving to compressed DFA—With compressed DFA, the application signature will have a different file name, /var/db/idpd/bins/compressed_ai.bin, instead of the current /var/db/idpd/bins/compiled_ai.bin.
■ Specifying service fields for custom attack definition in IDP—On SRX-series devices, while running commands in IDP, ensure that you provide the service field values in lowercase.
Example:
set security idp custom-attack temp severity info attack-type signature context packet direction any pattern .* protocol udp destination-port match equal value 1333
Here the protocol service field value udp is specified in lowercase.
■ The IDP ip-action statement is now supported on TCP, UDP, and ICMP flows. When the ip-action target is service, the ip-action flow is applied if the traffic matches the values specified for source port, destination port, source address and destination address. However, for ICMP flows, the destination port is 0, so that any ICMP flow matching source port, source address, and destination address would be blocked. For more information, see the JUNOS Software CLI Reference Guide.
J-Web
■ For SRX 210, SRX 240, and SRX650 devices, the LED status (Alarm, HA, 3g, Power Status, and Power) shown in the front panel of the chassis viewer will not replicate the exact status seen on the device.
Known Limitations in JUNOS Software Release 9.5 for SRX-series Services Gateways
Accounting-Options Hierarchy
■ In the CLI accounting-options hierarchy for SRX 210 and SRX 240 devices, accounting, source-class, and destination-class are not supported.
Chassis Cluster
For this release of JUNOS software, the following features are not supported when
chassis clustering is enabled on the device:
■ All packet-based protocols, such as MPLS, Connectionless Network Service (CLNS), and IP version 6 (IPv6)
■ Any function that depends on the configurable interfaces:
  ■ lsq-0/0/0—Link services Multilink Point-to-Point Protocol (MLPPP), Multilink Frame Relay (MLFR), and Compressed Real-Time Transport Protocol (CRTP)
  ■ gr-0/0/0—Generic routing encapsulation (GRE) and tunneling
  ■ ip-0/0/0—IP-over-IP (IP-IP) encapsulation
  ■ pd-0/0/0, pe-0/0/0, and mt-0/0/0—All multicast protocols
  ■ lt-0/0/0—Real-time performance monitoring (RPM)
■ WXC Integrated Services Module (WXC ISM 200)
■ Layer 2 Ethernet switching
■ ISDN BRI
■ Multicast traffic streams
■ Dial-up VPN is not supported on SRX 3400, SRX 3600, SRX 5600, and SRX 5800 chassis clusters. It is supported in standalone mode.
■ IDP feature is not supported in active/active chassis clustering.
Additional limitations include:
■ For SRX 3000 and SRX 5000 line chassis clusters, screen statistics data can be gathered on the primary device only.
■ After fabric interfaces have been configured on a chassis cluster, removing the fabric configuration on either node will cause the redundancy group 0 (RG0) secondary node to move to a disabled state. (Resetting a device to the factory default configuration removes the fabric configuration and thereby causes the RG0 secondary node to move to a disabled state.) After the fabric configuration is committed, do not reset either device to the factory default configuration.
CLI
On SRX 210 and SRX 240 devices, J-Web crashes if more than nine users log into
the router via the CLI.
The number of users allowed to access the routers is limited.
■ For SRX 210 devices: four CLI users and three J-Web users
■ For SRX 240 devices: six CLI users and five J-Web users
Flow and Processing
Maximum Concurrent ssh, telnet, and Web Sessions
■ For ssh, telnet, and Web sessions, the maximum number of concurrent sessions is as follows:
Sessions | SRX 210 Devices | SRX 240 Devices | SRX650 Devices
ssh | 3 | 5 | 5
telnet | 3 | 5 | 5
web | 3 | 5 | 5
NOTE: These defaults are provided for performance reasons.
Hardware
■ This section covers the filter and policing limitations:
The following features are not supported by simple filter on SRX 3400 and SRX 3600 devices:
  ■ Forwarding class as match condition.
The following features are not supported by policer and three-color-policer on SRX 3400 and SRX 3600 devices:
  ■ color-aware mode of a three-color-policer
  ■ filter-specific policer
  ■ forwarding class as action of a policer
  ■ logical interface policer
  ■ logical interface three-color policer
  ■ logical interface bandwidth policer
  ■ packet loss priority as action of a policer
  ■ packet loss priority as action of a three-color-policer
The following features are not supported by a firewall filter on SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices:
  ■ policer action
  ■ egress FBF
  ■ FTF
The following are the limitations of a simple filter on SRX 3400 and SRX 3600 devices:
  ■ In one Broadcom packet processor on an IOC, up to 100 logical interfaces can be applied with simple filters.
  ■ In one Broadcom packet processor on an IOC, the maximum number of terms of all simple filters is 4000.
  ■ In one Broadcom packet processor on an IOC, the maximum number of policers is 4000.
  ■ In one Broadcom packet processor on an IOC, the maximum number of three-color-policers is 2000.
  ■ The maximum burst size of a policer or three-color-policer is 16M bytes.
Interfaces and Routing
■ MAC pause frame and FCS error frame counters are not supported for the interfaces ge-0/0/0 through ge-0/0/3 on the SRX650 services gateway.
■ On SRX 240 devices, IP multicast switching is not supported, so multicast snooping is based on the corresponding IP multicast L2 address (01:00:5e:xx:xx:xx). In this case, all multicast receivers whose IP multicast addresses map to the same L2 address will receive the packets.
■ The VLAN range from 3967 to 4094 is reserved on SRX 240 and SRX650 devices, and the user is not allowed to configure VLANs from this range.
■ On SRX650 devices, the last 4 ports of 24 GE-GPIM can be used either as RJ45 or SFP ports. If both are present and providing power, the SFP media is preferred. If the SFP media is removed or the link is brought down, then the interface will switch to the RJ45 medium. This can take up to 15 seconds, during which the LED for the RJ45 port may go up and down intermittently. Similarly, when the RJ45 medium is active and an SFP link is brought up, the interface will transition to the SFP medium, and this transition could also take a few seconds.
■ The user can only use IPsec on an interface that resides in routing instance inet 0. The user is able to assign an external interface to the IKE policy if that interface is placed in a routing instance other than inet 0, but the configuration is not supported.
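The SRX 240 multicast snooping limitation above follows from the standard IPv4-to-Ethernet multicast mapping (RFC 1112), which copies only the low 23 bits of the group address into the 01:00:5e prefix. The following is an added example, not part of the release notes; the port names and group memberships are constructed. It computes the mapping and lists which ports receive traffic for groups they never joined when forwarding is keyed on the L2 address alone.

```python
"""Show why snooping on the L2 multicast address over-delivers traffic.

IPv4 multicast groups map to Ethernet addresses by copying the low 23 bits
of the group address into the fixed prefix 01:00:5e (RFC 1112), so 32
different groups share every MAC address.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict


def multicast_mac(group: str) -> str:
    """Return the Ethernet multicast MAC for an IPv4 group address."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    low23 = int(addr) & 0x7FFFFF          # the upper 9 bits are discarded
    mac = 0x01005E000000 | low23
    return ":".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -8, -8))


def unintended_deliveries(joins: dict[str, set[str]]) -> dict[str, set[str]]:
    """Given {port: joined groups}, return {group: ports that receive the
    group without having joined it} when forwarding is keyed on MAC only."""
    ports_by_mac: dict[str, set[str]] = defaultdict(set)
    for port, groups in joins.items():
        for group in groups:
            ports_by_mac[multicast_mac(group)].add(port)

    leaks: dict[str, set[str]] = {}
    all_groups = {g for groups in joins.values() for g in groups}
    for group in sorted(all_groups, key=ipaddress.IPv4Address):
        members = {p for p, groups in joins.items() if group in groups}
        extra = ports_by_mac[multicast_mac(group)] - members
        if extra:
            leaks[group] = extra
    return leaks


# Constructed sample: three access ports and the groups their hosts joined.
# 224.1.1.1, 225.1.1.1 and 239.129.1.1 all collapse to 01:00:5e:01:01:01.
SAMPLE_JOINS = {
    "ge-0/0/4": {"224.1.1.1"},
    "ge-0/0/5": {"225.1.1.1", "239.10.20.30"},
    "ge-0/0/6": {"239.129.1.1"},
}

if __name__ == "__main__":
    for group, ports in unintended_deliveries(SAMPLE_JOINS).items():
        print(f"{group} ({multicast_mac(group)}) also reaches {sorted(ports)}")
```

When planning group addresses for a segment that depends on this kind of snooping, choosing groups whose low 23 bits differ keeps each stream confined to the ports that joined it.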
Intrusion Detection and Prevention (IDP)
■ On SRX-series devices, IP actions do not work when you select a timeout value greater than 65535 in the IDP policy.
■ On SRX 210, SRX 240, and SRX650 devices, the maximum number of IDP sessions supported in 9.5 is 16K.
■ This release of JUNOS software for SRX-series devices supports all IDP policy templates except All Attacks. There is a 100-MB policy size limit, and the current IDP policy templates supported are dynamic, based on the attack signatures being added. Therefore, be aware that supported templates might eventually grow past this 100-MB policy size limit.
The following IDP policies are supported on SRX devices:
  ■ DMZ_Services
  ■ DNS_Service
  ■ File_Server
  ■ Getting_Started
  ■ IDP_Default
  ■ Recommended
  ■ Web_Server
■ By default, the detector embedded in the SRX-series devices has the SIP, SSL, SSH, and MSRPC protocol decoders disabled.
■ IDP failover is not supported in chassis clustering.
NetScreen-Remote
■ NetScreen-Remote is not supported on SRX-series devices.
System
■ On the four Gigabit Ethernet ports (ge-0/0/0 through ge-0/0/3) of an SRX650 device, if a port is linked up at 10 Mbps or 100 Mbps, it will not support jumbo frames. Frames greater than 1500 bytes will be dropped.
Related Topics
■ New Features in JUNOS Software Release 9.5 for SRX-series Services Gateways on page 98
■ Issues in JUNOS Software Release 9.5 for SRX-series Services Gateways on page 129
■ Errata in Documentation for JUNOS Software Release 9.5 for SRX-series Services Gateways on page 140
■ Unsupported CLI Statements and Commands in JUNOS Software Release 9.5 for SRX-series Services Gateways on page 128
Unsupported CLI Statements and Commands in JUNOS Software Release 9.5 for SRX-series Services Gateways
■ On SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices, the show command does not support the oam, dot1x, subscribers, link-management, and vpls options. [PR/313099]
Related Topics
■ New Features in JUNOS Software Release 9.5 for SRX-series Services Gateways on page 98
■ Known Limitations in JUNOS Software Release 9.5 for SRX-series Services Gateways on page 124
■ Issues in JUNOS Software Release 9.5 for SRX-series Services Gateways on page 129
■ Errata in Documentation for JUNOS Software Release 9.5 for SRX-series Services Gateways on page 140
Issues in JUNOS Software Release 9.5 for SRX-series Services Gateways
■ Outstanding Issues in JUNOS Software Release 9.5 for SRX-series Services Gateways on page 129
■ Resolved Issues in JUNOS Software Release 9.5 for SRX-series Services Gateways on page 139
Outstanding Issues in JUNOS Software Release 9.5 for SRX-series Services Gateways
Application Layer Gateways (ALGs)
■ On SRX 210 devices, an SCCP call cannot be set up after disabling and enabling SCCP ALG. The call does not go through. [PR/409586]
Authentication
■ After the user is authenticated, if the webauth-policy is deleted or changed and an entry exists in the firewall authentication table, then an authentication entry created as a result of webauth will be deleted only if a traffic flow session exists for that entry. Otherwise, the webauth entry will not get deleted and will only age out. This behavior will not cause a security breach. [PR/309534]
Chassis Cluster
■ Configuring an SRX-series device with set system process jsrp-service disable only on a primary node of the cluster causes the cluster to go into an incorrect state. [PR/292411]
■ The SRX-series device will crash if you use the set system processes chassis-control disable command for 4 to 5 minutes and then enable it. Do not use this command on an SRX-series device in a chassis cluster. [PR/296022]
■ On SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices, 8 queue configurations are not reflected on the chassis cluster interface. [PR/389451]
■ On SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices, iflset functionality is not supported for aggregated interfaces like reth. [PR/391377]
■ On SRX 210 devices in a chassis cluster, when you upgrade the nodes, sometimes the forwarding daemon might crash and get restarted. [PR/396728]
■ On the SRX 210 Low Memory device in a chassis cluster, the firewall filter does not work on the reth interfaces. [PR/407336]
■ On SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices, snmpwalk on jnxJsSPUMonitoringObjectsTable in a cluster from the primary node shows information for only the local SPC installed in that node. Instead, it should show information about all the SPCs in the primary and secondary nodes. [PR/408261]
■ On SRX 210 devices in a chassis cluster, the restart forwarding method is not recommended because when the control link goes through forwarding, restart forwarding causes disruption in the control traffic. [PR/408436]
■ On SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices on failover, both the primary Routing Engine and secondary Routing Engine are sending SNMP traps. Only the primary Routing Engine should send SNMP traps. [PR/417782]
■ On SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices, the queue statistics are not correct after deletion and re-creation of an IFL or creation of a new IFL. IFL statistics are not cleared for 15 minutes after chassis-control is restarted. [PR/417947]
■ On SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices in an active/active chassis cluster, when the fabric link fails and then recovers, services with a short time-to-live such as FTP ALG stop working. [PR/419095]
■ On SRX 5600 devices in a chassis cluster, replay errors are seen on peer devices. [PR/422371]
■ On SRX 210 High Memory devices in a chassis cluster, when the stress test is stopped, the primary H323 counters of Number of active calls should be 0, but 128 is incorrectly displayed. [PR/429560]
■ On SRX 5800 devices, SNMP traps might not be generated for the ineligible-primary state with the current software design. [PR/434144]
Class of Service
■ On an SRX-series device, class-of-service-based forwarding (CBF) is not working. [PR/304830]
Flow and Processing
■ On an SRX-series device, the show security flow session command currently does not display aggregate session information. Instead, it displays sessions on a per-SPU basis. [PR/264439]
■ On an SRX-series device, when traffic matches a deny policy, sessions will not be created successfully. However, sessions are still consumed, and the Unicast-sessions and Sessions-in-use fields shown by the show security flow session summary command will reflect this. [PR/284299]
■ Configuring the flow filter on SRX-series devices with the all flag might result in traces that are not related to the configured filter. As a workaround, use the flow trace flag basic with the command set security flow traceoptions flag. [PR/304083]
■ On SRX 210 and SRX 240 devices, broadcast TFTP is not supported when flow is enabled on the device. [PR/391399]
■ On SRX 240 and SRX650 devices, tagged frames on an access port with the same VLAN tag are not getting dropped. [PR/414856]
■ If an SRX 210 device receives more traffic than it can handle, Node1 either disappears or gets disabled. [PR/416087]
■ On SRX 5600 devices, when the system is in an unstable state (for example, SPU reboot), NFS might generate residual.nfs files under /var/tmp, which can occupy the disk space for a very long time. As a workaround, run the request sys storage cleanup command to clean up when the system has low disk space. [PR/420553]
■ On SRX 210 devices, dynamic VPN does not support the ability to automatically generate the routes when the RADIUS server is used to assign the IP addresses. [PR/421137]
■ On SRX650 devices, the input DA errors are not updated when packets are dropped due to MAC filtering on the following:
  ■ SRX 240
  ■ SRX 210
  ■ 16-port and 24-port GPIMs
  ■ SRX650 front-end port
This is due to MAC filtering implemented in hardware. [PR/423777]
■ On SRX 5800 devices, when VPN is not in use, the device will not generate the var/tmp/spu_kmd_init/ file, which is logged by Iked_cfg. This should not happen because it is not an error condition. As a result, disk space may be wasted over time. As a workaround, run the cp /dev/null /var/tmp/spu_kmd_init command from the shell to create this file. Also run request sys storage cleanup to clean up when the system has low disk space. [PR/425380]
■ On SRX650 devices, continuous messages are displayed from syslogd when ports are in switching mode. [PR/426815]
■ On SRX650 devices, the uplinks to the CPU can be exhausted and the system can be limited to 2.5 GB throughput traffic when the device is using similar kinds of source MAC addresses. [PR/428526]
■ On SRX 240 and SRX650 devices, CLI help for the VLAN name under Interface vlan member and protocols xstp is not displayed properly. Instead, this message appears: mgd:unable to execute /usr/bin/vlanconfiginfo: No such file or directory. [PR/429018]
■ On SRX650 devices, packet loss is observed when the device interoperates with an SSG20 with AMI line-encoding. [PR/430475]
■ On SRX 3400 devices in combo mode, the firewall authentication Age and Access time remaining are displayed incorrectly as 0 and Infinite, respectively. This does not affect aging functionality. The authentication entry is aged out after the configured timeout. [PR/434985]
■ On SRX 240 devices, when you configure the syslog hostname as 1 or 2, the device goes to the shell prompt. [PR/435570]
■ On SRX650 devices, when you run scaling scripts of the scheduler, an nsd core file is generated. For example, when you are configuring 257 schedulers, the 257th scheduler (counting from 0) is not allocated. The ID 0 is considered invalid, and only 1 through 256 are valid IDs. [PR/437064]
■ On SRX platforms running flow-based code, multiple flows with high traffic volumes to unknown destinations can cause the kernel to run out of buffer space. [PR/507137]
Hardware
■ On an SRX 210 device, the MTU size is limited to 1518 bytes for the 1-port SFP Mini-PIM. [PR/296498]
■ On SRX 210 devices, the chassis Mini-PIM LEDs do not go to the off state when the FPC is offline. [PR/299434]
■ On an SRX 210 device in a chassis cluster, when you upgrade to the 9.5 image, the interface links do not come up and are not seen in the Packet Forwarding Engine. As a workaround, you can reboot the device to bring up the interface. [PR/399564]
■ On SRX 210 devices in a chassis cluster, sometimes the reth interface MAC address might not make it to the switch filter table. This results in the dropping of traffic sent to the reth. As a workaround, restart the Packet Forwarding Engine. [PR/401139]
■ On an SRX 210 device in a chassis cluster, the fabric monitoring option is enabled by default. This can cause one of the nodes to move to a disabled state. You can disable fabric monitoring by using the following CLI command:
set chassis cluster fabric-monitoring disable
[PR/404866]
■ On SRX 3400 and SRX 3600 devices, the minor alarm is not triggered when the central point or SPU session table is full. [PR/405990]
■ On SRX 210, SRX 240, and SRX650 devices, after the device fragments packets, FTP over a GRE link might not perform properly due to packet serialization. [PR/412055]
■ On SRX 240 devices, SRX650 devices, and 16-port or 24-port GPIMs, the 1G half-duplex mode of operation is not supported in the autonegotiation mode. [PR/424008]
Infrastructure
■ On an SRX 5600 device, when snmp mib walk is running, the snmpd core file is seen after 4 to 5 hours. [PR/387117]
Interfaces and Routing
■ When the firewall and IDP policy both enable diffServ marking with a different DSCP value for the same traffic, the firewall DSCP value takes precedence and the traffic is marked using the firewall DSCP value. [PR/297437]
■ On an SRX 3400 device, the IPv6 transit counters on the reth interface show invalid value statistics. [PR/391407]
■ On SRX650 devices, when VLAN tagging is configured and traffic is sent, the VLAN tagged frame count is not shown in the output of show interfaces ge-0/0/1 media detail. [PR/397849]
■ On SRX 5600 and SRX 5800 devices, ping to far-end reth interfaces does not work for different routing instances. [PR/408500]
■ On an SRX 3600 device, there might be VPN sync issues with IPsec SA. This happens when the secondary node reboots during primary node IPsec negotiation. [PR/413727]
■ On SRX 5600 devices in a chassis cluster, the IPsec statistics counters display incorrect random numbers on the Routing Engine after a small amount of traffic is sent. [PR/415451]
■ The SRX 5600 and SRX 5800 devices might get disabled when you configure more than 1000 reth logical interfaces. [PR/417391]
■ On SRX 240 devices, drops in out-of-profile LLQ packets might be seen in the presence of data traffic even when the combined (data+LLQ) traffic does not oversubscribe the multilink bundle. [PR/417474]
■ On an SRX 5800 device, running the clear security ike sa command does not delete the IKE SA. This happens when you try to delete the IKE SA by using the clear command after loading and overwriting the configuration. As a workaround, reboot the device. [PR/420162]
■ On SRX 240 and SRX650 devices, when you are configuring the link options on an interface, only the following scenarios are supported:
  ■ Autonegotiation is enabled on both sides.
  ■ Autonegotiation is disabled on both sides (forced speed), and both sides are set to the same speed and duplex.
If one side is set to autonegotiation mode and the other side is set to forced speed, the behavior is indeterminate and not supported. [PR/423632]
■ On SRX-series devices, the RPM operation will not work for the probe-type tcp-ping when the probe is configured with the option destination-interface. [PR/424925]
■ On SRX650 devices, the following are not implemented in this release for T1/E1 GPIMs:
  ■ Line Loopback
  ■ FDL Payload Loopback
  ■ Inband Line Loopback
  ■ Inband Payload Loopback
[PR/425040]
■ On SRX650 devices, the kernel crashes when the link goes down during TFTP installation of the srxsme image. [PR/425419]
■ On SRX 3400 and SRX 3600 devices in a chassis cluster, ESP authentication errors are seen while traffic is sent through 4000 site-to-site IPsec tunnels. [PR/426073]
■ On SRX 3400 and SRX 3600 devices in a chassis cluster, Routing Engine kmd shows fewer tunnels than spu-kmd after the primary node is rebooted. [PR/426139]
■ On SRX650 devices, during CoS tests, a core file is generated at pif_ds1_bert. This causes the CT1/E1-PIM FPC to go offline when the ifinfo core file is seen. The FPC does not recover even after interface-control/chassisd is restarted. [PR/426982]
■ On SRX 3400 and SRX 3600 devices in a chassis cluster, tunnels are not evenly distributed to four kmd threads. [PR/427526]
■ On SRX650 devices, doing a redundancy group 0 failover with 1000 ifls on the reth interface causes replication errors. As a result, ksyncd generates a core file. [PR/428636]
■ On SRX 210 devices, the dialer interface goes down when the call is idle for a short interval because the Sierra ExpressCard is rejecting the redial attempts from the dialer. As a workaround, restart the flowd to restore the connection. [PR/428735]
■ On SRX 240 devices, the following issues might be encountered when 1-Port SFP Mini-PIMs are used along with T1/E1 or serial Mini-PIMs:
  ■ Device timeout messages might be seen on I2C access.
  ■ T1/E1 or serial cards might not get detected.
[PR/429906]
■ On SRX 240 devices, the Mini-PIM LEDs glow red for a short duration (1 second) when the device is powered on. [PR/429942]
■ On SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices, after you configure rpf-check, a ping to that particular interface fails. [PR/431135]
■ On SRX 240 devices, during the TFTP installation, if TFTP timeout occurs, then booting the existing kernel using the boot command might crash the kernel. As a workaround, use the reboot command from the loader prompt. [PR/431955]
■ On SRX650 devices, configuring dual and quad T1/E1 framing at the chassis level has no effect. [PR/432071]
■ On SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices, interface statistics on the st0 interface are not accurate. As a workaround, use the statistics on the security association (SA) to determine input and output bytes and packets. [PR/436857]
■ On SRX650 devices, the Q-pic-large-buffer is not active. [PR/437389]
■ On SRX 240 devices, the serial interface maximum speed in extensive output is displayed as 16384 Kbps instead of 8.0 Mbps. [PR/437530]
■ On SRX 240 devices, the Scheduler Oinker messages are seen on the console at various instances with various Mini-PIM combinations. These messages are seen during bootup, restarting fwdd, restarting chassisd, and configuration commits. [PR/437553]
■ On SRX 240 devices, the file installation fails on the right USB slot when both of the USB slots have USB keys attached. [PR/437563]
■ On SRX 240 devices, when users swap the USBs after startup, the chassis-control subsystem might not respond to any chassis-related commands. As a workaround, avoid plug and play for the right USB slot. [PR/437798]
■ On SRX 240 devices, the combinations of Mini-PIMs cause SFP-Copper links to go down in some instances during bootup, restarting fwdd, and restarting chassisd. As a workaround, reboot the device and the link will be up. [PR/437788]
■ On SRX 210 and SRX 240 devices, when autoinstallation is configured to run on a particular interface, the DHCP client is run on that interface. The device tries to get the configuration file from the TFTP server. During this process, the autoinstallation status might get into the configuration acquisition state because it cannot reach the UDP port through which the device sends read request to the TFTP server. The issue might be seen in packet mode or flow mode. [PR/438181]
■ On SRX 210 devices, the E1 Mini-PIM interface flaps and traffic does not go through the link after restarting the forwarding during transit traffic. [PR/441312]
Intrusion Detection and Prevention (IDP)
■ On SRX 5600 and SRX 5800 devices, when you downgrade to the 9.2 software image, the IDP policy compilation fails, takes an indefinite time to finish, or becomes slow due to IDP policy cache.
Workaround:
1. Stop the idpd daemon by using the set system processes idp-policy disable command and commit the configuration.
2. Delete all policy cache files in the /var/db/idpd/db folder.
3. Log on to the SRX-series as root user, and use the following UNIX commands:
rm -f /var/db/idpd/db/dfa* /var/db/idpd/db/pcre*
4. Reboot the system.
5. Enable the idpd daemon by using the delete system processes idp-policy command and commit the configuration.
6. Ensure that the cache files are regenerated and are located in the /var/db/idpd/db folder.
[PR/300428]
■ On SRX 5600 devices, the licensing service currently does not support the different traceoption flags (config, events, all) that are available through the configuration setup. The current default behavior is to trace all. This is the reason that the tracelog file will contain all log information exported by the daemon. [PR/310783]
■ On SRX-series devices, the IDP status command show security idp status displays an error message when the device is processing heavy data traffic. [PR/388048]
■ On SRX-series devices, the IDP status command show security idp status might fail when processing heavy traffic. As a result, IDP flow, session statistics, and packet statistics do not match firewall statistics. [PR/389501]
■ On SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices, HTTPS sessions with higher data transaction sizes fail due to heavy CPU usage, which results in the failure of new connections. [PR/390308]
■ The SRX 210 device supports only one IDP policy at any given time. When you make changes to the IDP policy and commit, the current policy is completely removed before the new policy becomes effective. During the update, IDP will not inspect the traffic that is passing through the device for attacks. As a result, there is no IDP policy enforcement. [PR/392421]
■ On SRX 210, SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices, in J-Web selecting Configuration > Quick Configuration > Security Policies > IDP Policies > Security Package Update > Help brings up the IDP policy help page instead of the Signature update help page. To access the corresponding help page, select: Configuration > Quick Configuration > IDP Policies > Signature/Policies Update and then click Help. [PR/409127]
■ On SRX 210 devices, during attack detection, multiple attacks get detected. This happens when the IDP policy contains rules that have the match criteria for the same attacks. Error/warning messages do not appear during policy compilation. [PR/414416]
■ On SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices, the idp-policy subsystem is not responding to management requests. Sometimes when policy changes are committed, some of the operational commands might not be successful. Until policy changes are effective, users might see errors. [PR/432026]
■ On SRX 5800 devices, IDP is not officially supported in an active/active chassis cluster configuration. The user must disable the IDP configuration when the devices are configured in an active/active chassis cluster. [PR/432252]
J-Flow
■ SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices support 4-byte autonomous system (AS) for BGP configuration. However, the J-Flow template versions 5 and 8 do not support 4-byte AS, because these J-Flow templates have 2 bytes for the SRC/DST AS field. [PR/416497]
■ On SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices, J-Flow sampling on the virtual router interface does not show the values of autonomous system (AS) and mask length values. The AS and mask length values of cflowd packets show 0 while sampling the packet on the virtual router interface. [PR/419563]
J-Web
■ On SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices, the LEDs on the Routing Engine and PICs are not shown as green when they are up and online on the J-Web Chassis View. [PR/297693]
■ On SRX-series devices, when the user adds LACP interface details, a pop-up window appears in which there are two buttons to move the interface left and right. The LACP page currently does not have images incorporated with these two buttons. [PR/305885]
■ On SRX 210 Low Memory devices, there is no maximum length limit when the user commits the hostname in CLI mode; however, only a maximum of 58 characters are displayed in the System Identification panel. [PR/390887]
■
On SRX 210, SRX 240, and SRX650 devices, in J-Web, the complete content of
the ToolTip is not displayed in the Chassis View. As a workaround, drag the
Chassis Viewer image down to see the complete ToolTip. [PR/396016]
■
On SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices, in J-Web, when you
right-click Configure Interface on an interface in Chassis View, the
Configuration>Quick Configuration>Interface page is displayed. [PR/405392]
■
On SRX-series devices, the CLI Terminal feature is not working in J-Web over
IPv6. [PR/409939]
■
On SRX-series devices, the Ajax calls need to be optimized and should be in
synchronization with the existing configuration screens (STP, GVRP, and
IGMP-Snooping). [PR/422523]
■
On SRX 210 and SRX 240 devices, when J-Web users select the tabs on the
bottom-left menu, the corresponding screen is not displayed fully, so users must
scroll the page to see all content. This issue occurs when the computer is set to
a low resolution. As a workaround, set the computer resolution at 1280 x 1024.
[PR/423555]
■
On SRX 240 devices, on the J-Web monitor interface page, it is not possible to
generate an interface graph of two interfaces that are on two different pages of
the interface summary table. [PR/429572]
Management and Administration
■
On SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices, no trap is generated
for redundancy group 0 failover. You can check on the redundancy group 0 state
only when you log in to the device. Nonavailability of such information without
login results in the failure of the snmpwalk on the backup/secondary node. As
a workaround, use a master-only IP address across the cluster. This way, you
can query a single IP address and that IP address will always be the master for
redundancy group 0. [PR/413719]
■
On an SRX 210 device with an FTP session ramp-up rate of 70, either of the
following might disable the secondary node:
■
Back-to-back redundancy group 0 failover
■
Back-to-back primary node reboot
[PR/414663]
Power over Ethernet (PoE)
■
On SRX 210 and SRX 240 devices in a chassis cluster, PoE configuration and
operational commands operate on only one chassis. The PoE interfaces of the
other chassis are not configurable and not displayed in operational command
output even though the data ports are recognized. [PR/415174]
■
On SRX 240 and SRX 210 devices, the output of the PoE operational commands
takes roughly 20 seconds to reflect a new configuration or a change in status of
the ports. [PR/419920]
■
On SRX 210 and SRX 240 devices, the deactivate poe interface all command does
not deactivate the PoE ports. Instead, the PoE feature can be turned off by using
the disable configuration option. Otherwise, the device must be rebooted for the
deactivate setting to take effect. [PR/426772]
■
On SRX 210 and SRX 240 devices, the output for the show poe telemetries
command shows the telemetry data in chronological order. This should be
changed to reverse-chronological (most recent data first). [PR/429033]
■
On SRX 210 and SRX 240 devices, the class-4 powered device does not get
powered on when PoE is configured to operate in Class management mode.
[PR/437406]
■
On SRX 210 and SRX 240 devices, the powered device takes more time than
what is specified by the standards to power off when operating under overload
conditions. [PR/437416]
■
On SRX 240 and SRX 210 devices, the last powered device will not power on if
the allocated power becomes equal to the power limit on the device. Power
allocated must always be less than the power limit. For example, on the SRX
240 device, the powered devices cannot be configured such that allocated power
becomes 150 W, even though it is possible to allocate the power up to 149.8 W.
[PR/437792]
Security
■
The SRX-series devices do not support egress filter-based forwarding (FBF).
[PR/396849]
■
On SRX 210, SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices in a chassis
cluster, if the Infranet Controller auth table mapping action is configured as
provision auth table as needed, UAC terminates the existing sessions after Routing
Engine failover. You might have to initiate new sessions. Existing sessions will
not get affected after Routing Engine failover if the Infranet Controller auth table
mapping action is configured as always provision auth table. [PR/416843]
System
■
On SRX-series devices, when the J-Web session is terminated from the CLI, error
and warning messages related to J-Web appear in the logs. [PR/311181]
Unified Threat Management (UTM)
■
Content filtering provides the ability to block protocol commands. In some cases,
blocking these commands interferes with protocol continuity, causing the session
to hang. For instance, blocking the FETCH command for the IMAP protocol causes
the client to hang. [PR/303584]
■
The express antivirus initial database download fails due to the slow start of the
router interface. To get a proper update, you can either wait until the next
auto-update or manually update the database by using the CLI. [PR/388535]
■
When the content filtering message type is set to protocol-only, customized
messages appear in the log file. [PR/403602]
■
The express antivirus feature does not send a replacement block message for
HTTP upload (POST) transactions if the current antivirus status is engine-not-ready
and the fallback setting for this state is block. An empty file is generated on the
HTTP server without any block message contained within it. [PR/412632]
■
On SRX 240 and SRX650 devices, Outlook Express is sending infected mail (with
an EICAR test file) to the mail server (directly, not through DUT). Eudora 7 is
using the IMAP protocol to download this mail (through DUT). Mail retrieval is
slow, and the EICAR test file is not detected. [PR/424797]
■
On SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices, transparent mode
does not support UTM and IDP policy. The UTM and IDP options should be hidden
from the policy application-services list. [PR/427921]
■
On SRX650 devices operating under stress conditions, the UTM subsystem file
partition might fill up faster than UTM can process and clean up existing
temporary files. In that case, the user might see error messages. As a workaround,
reboot the system. [PR/435124]
■
On SRX 240 devices, FTP download for large files (larger than 4 MB) does not
work in a two-router topology. [PR/435366]
■
On SRX 210, SRX 240, and SRX650 devices, the Websense server stops taking new
connections after HTTP stress. All new sessions get blocked. As a workaround,
reboot the Websense server. [PR/435425]
■
On SRX 240 devices, if the device is under UTM stress traffic for several hours,
users might get the following error while issuing a UTM command:
the utmd subsystem is not responding to management requests.
As a workaround, restart the utmd process. [PR/436029]
VPN
■
On an SRX-series device, the shared IKE limit does not work in remote access.
[PR/288551]
■
On SRX 210 High Memory devices, certificate-based VPN IKE negotiation fails
sometimes if the user uses the PKI wildcard as the local ID. As a workaround,
reboot the device. [PR/411398]
■
On SRX 210 and SRX 240 devices, when you uninstall Juniper Access Manager
(JAM), the client prompts for a reboot. Ignore the prompt. It is caused by a reboot
flag in some JAM files that have not been removed from your system. All the
JAM executables have been removed. [PR/428315]
Resolved Issues in JUNOS Software Release 9.5 for SRX-series Services
Gateways
The following issues from JUNOS Release 9.5 R3 have been resolved in this release.
The identifier following the description is the tracking number in our bug database.
Chassis Cluster
■
On SRX 210 devices, existing FTP data transfer failed because the primary node
of the device chassis cluster was rebooted or powered off. [PR/429296: This
issue has been resolved.]
Interfaces and Routing
■
On SRX650 devices, resource errors were seen in the show interface extensive
command output during bidirectional traffic on the CT/E1 GPIMs. [PR/430181:
This issue has been resolved.]
J-Web
■
On SRX-series devices, on the J-Web spanning-tree configuration page, the Edit
interface/msti window did not save the data before committing the configuration.
[PR/433506: This issue has been resolved.]
Power over Ethernet (PoE)
■
On SRX 240 series devices with a chassis cluster (active-active mode) and
policy-based IPsec VPN configured together, the ftp put command (in port mode)
failed after an RG2 (egress RG) manual failover. [PR/438590: This issue has been
resolved.]
Related Topics
■
New Features in JUNOS Software Release 9.5 for SRX-series Services Gateways
■
Known Limitations in JUNOS Software Release 9.5 for SRX-series Services
Gateways
■
Errata in Documentation for JUNOS Software Release 9.5 for SRX-series Services
Gateways
■
Unsupported CLI Statements and Commands in JUNOS Software Release 9.5 for
SRX-series Services Gateways
Errata in Documentation for JUNOS Software Release 9.5 for SRX-series Services Gateways
This section lists outstanding issues with the documentation.
Attack Detection and Prevention
The default parameters documented in the firewall/NAT screen configuration options
table in the JUNOS Software Security Configuration Guide and the J-Web online Help
do not match the default parameters in the CLI. The correct default parameters are:
[edit security screen ids-option untrust-screen]
tcp {
    syn-flood {
        alarm-threshold 1024;
        attack-threshold 200;
        source-threshold 1024;
        destination-threshold 2048;
        timeout 20;
    }
}
Chassis Clustering
■
The JUNOS Software Security Configuration Guide for SRX-series services gateways
contains incorrect information in the “Hardware Setup for SRX-series Chassis
Clusters” section.
The text incorrectly says that the connection that serves as the control link must
be the built-in controller port on each device. SRX 5600 and SRX 5800 devices
do not contain built-in ports. Their control ports should be on corresponding
Services Processing Cards (SPCs) in the two devices in the cluster, with a slot
numbering offset of 6 for SRX 5600 devices and 12 for SRX 5800 devices. Also,
the text incorrectly says that the fabric link connection can be a combination of
any pair of Gigabit Ethernet interfaces on the devices. The fabric link connection
can be a pair of Fast Ethernet or Gigabit Ethernet interfaces for SRX 210 devices
and a pair of Gigabit Ethernet or 10-Gigabit Ethernet interfaces for all other
SRX-series devices.
The figure showing the fabric link connection for the pair of SRX 5800 devices
incorrectly shows two-port Input/Output Cards (IOCs). The IOCs have 4 ports.
■
The “Setting the Node ID and Cluster ID” and “Active/Passive Chassis Cluster
Scenario” sections in the JUNOS Software Security Configuration Guide incorrectly
show command syntax as the following:
set chassis cluster node 0 cluster-id 1
set chassis cluster node 1 cluster-id 1 reboot
The command syntax should be as follows:
set chassis cluster cluster-id 1 node 0
set chassis cluster cluster-id 1 node 1 reboot
CLI
■
The JUNOS Software CLI Reference Guide erroneously contains some content
concerned with policy-based NAT configuration. This release supports only
rule-based NAT configuration.
■
Page 976 of the JUNOS Software CLI Reference Guide for J-series Services Routers
and SRX-series Services Gateways displays the “show security alg status” title
when it should display the “show security alg sip transactions” title. The
information for Syntax, Release Information, Description, and Options is also
incorrect. The correct information is provided below.
Syntax—show security alg sip transactions <node (node-id | all | local | primary)>
Release information—Command modified in Release 9.2 of JUNOS software;
node options added in Release 9.0 of JUNOS software.
Description—Display information about Session Initiation Protocol (SIP)
Application Layer Gateway (ALG) transactions.
This command is supported on J-series and SRX-series devices.
Options
■
none—Display all SIP ALG transactions.
■
node—(Optional) For chassis cluster configurations, display SIP transactions
on a specific node (device) in the cluster.
■
node-id—Identification number of the node. It can be 0 or 1.
■
all—Display information about all nodes.
■
local—Display information about the local node.
■
primary—Display information about the primary node.
CompactFlash Card Support
■
The JUNOS Software Administration Guide incorrectly states that JUNOS supports
a 256-MB CompactFlash card size. JUNOS supports only 512-MB and 1024-MB
CompactFlash card sizes.
Device Support
■
The “Installing Software using the TFTPBoot Method on the SRX 100/SRX 210/SRX
650 Services Gateway” section and the “Administration Features on SRX
100/210/240 Services Gateways” section in the JUNOS Software Administration
Guide incorrectly imply that the SRX100 device is supported. The SRX100 device
is not supported in this release.
DLSw
■
The JUNOS Software Interfaces and Routing Configuration Guide incorrectly states
that the data link switching (DLSw) protocol is supported in this release. DLSw
support ended in JUNOS Release 9.3.
Flow
The JUNOS Software CLI Reference and the JUNOS Software Security Configuration
Guide state that the following aggressive aging statements are supported on SRX-series
devices when in fact they are not supported on SRX 3400, 3600, 5600, and SRX
5800 devices:
■
[edit security flow aging early-ageout]
■
[edit security flow aging high-watermark]
■
[edit security flow aging low-watermark]
Installing Software Packages
■
The current SRX 210 documentation does not include the following information:
On SRX 210 devices, the /var hierarchy is hosted in a separate partition (instead
of the root partition). If JUNOS software installation fails due to insufficient space:
1.
Use the request system storage cleanup command to delete temporary files.
2.
Delete any user-created files in both the root partition and under the /var
hierarchy.
Intrusion Detection and Prevention (IDP)
■
In the JUNOS Software Security Configuration Guide, the following information in
the "Verifying the Policy Compilation and Load Status" section is incorrect:
■
The text does not indicate that the log file must be created first.
■
The path for the log file is incorrect.
Note the following correct information:
■
Create the log file first by entering set security idp traceoptions file idpd. You
can then set flags by entering set security idp traceoptions flag all.
■
The correct path for the idpd log file is /var/log, not /var/db.
J-Web
■
The J-Web Security Package Update help page does not have information about
download status.
Screens
■
The following guide contains incorrect screen configuration instructions:
■
JUNOS Software Design and Implementation Guide, “Implementing Firewall
Deployments for Branch Offices” chapter
Examples throughout this guide describe how to configure screen options using
the set security screen screen-name CLI statements. Instead, you should use the
set security screen ids-option screen-name CLI statements. All screen configuration
options are located at the [set security screen ids-option screen-name] level of the
configuration hierarchy.
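The syntax corrections in these errata (screen options under ids-option, the chassis cluster argument order, and the aggressive aging statements that SRX 3400, 3600, 5600, and 5800 devices do not support) can be checked mechanically against a saved command file. The following Python sketch is an added example, not Juniper code; the rule names, platform labels, and sample commands are constructed for illustration, and it assumes any token after set security screen other than ids-option is a screen name.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Platform labels are this example's own convention, not JUNOS identifiers.
HIGH_END_SRX = {"srx3400", "srx3600", "srx5600", "srx5800"}
# Statements the errata list as unsupported on the platforms above.
AGING_STATEMENTS = {"early-ageout", "high-watermark", "low-watermark"}
# Argument order shown incorrectly in the Security Configuration Guide.
OLD_CLUSTER = re.compile(r"set chassis cluster node (\d+) cluster-id (\d+)( reboot)?")


@dataclass
class Finding:
    line_no: int
    rule: str
    original: str
    corrected: Optional[str]  # None when the errata give no replacement


def lint_line(line_no: int, line: str, platform: str) -> Optional[Finding]:
    tokens = line.split()
    normalized = " ".join(tokens)
    if tokens[:1] != ["set"]:
        return None

    # Screen options belong under "ids-option <screen-name>".
    # Assumption: any other token after "screen" is a screen name.
    if (tokens[1:3] == ["security", "screen"] and len(tokens) > 3
            and tokens[3] != "ids-option"):
        fixed = tokens[:3] + ["ids-option"] + tokens[3:]
        return Finding(line_no, "screen-missing-ids-option",
                       normalized, " ".join(fixed))

    # cluster-id comes before node in the corrected syntax.
    match = OLD_CLUSTER.fullmatch(normalized)
    if match:
        node, cluster_id = match.group(1), match.group(2)
        reboot = match.group(3) or ""
        return Finding(line_no, "cluster-argument-order", normalized,
                       f"set chassis cluster cluster-id {cluster_id} node {node}{reboot}")

    # Aggressive aging statements are flagged only on the listed platforms.
    if (tokens[1:4] == ["security", "flow", "aging"] and len(tokens) > 4
            and tokens[4] in AGING_STATEMENTS
            and platform.lower() in HIGH_END_SRX):
        return Finding(line_no, "aging-unsupported-on-platform", normalized, None)

    return None


def lint(text: str, platform: str) -> List[Finding]:
    """Return one Finding per command that matches an erratum."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        finding = lint_line(line_no, line, platform)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample: commands written the way the uncorrected guides show them.
SAMPLE_RUNBOOK = """\
# constructed sample for illustration
set security screen untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option dmz-screen icmp ping-death
set chassis cluster node 1 cluster-id 1 reboot
set security flow aging early-ageout 2
set security zones security-zone untrust screen untrust-screen
"""

if __name__ == "__main__":
    for f in lint(SAMPLE_RUNBOOK, "srx5800"):
        print(f"line {f.line_no}: {f.rule}")
        print(f"  found:     {f.original}")
        print(f"  corrected: {f.corrected or '(no replacement; remove for this platform)'}")
```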
Related Topics
■
New Features in JUNOS Software Release 9.5 for SRX-series Services Gateways
■
Known Limitations in JUNOS Software Release 9.5 for SRX-series Services
Gateways
■
Issues in JUNOS Software Release 9.5 for SRX-series Services Gateways
■
Unsupported CLI Statements and Commands in JUNOS Software Release 9.5 for
SRX-series Services Gateways
JUNOS Software Release Notes for J-series Services Routers
■
New Features in JUNOS Software Release 9.5 for J-series Services Routers
■
Known Limitations in JUNOS Software Release 9.5 for J-series Services Routers
■
Changes in Default Behavior and Syntax
■
Issues in JUNOS Software Release 9.5 for J-series Services Routers
■
Errata in Documentation for JUNOS Software Release 9.5 for J-series Services
Routers
■
Hardware Requirements for JUNOS Software Release 9.5 for J-series Services
Routers
■
Upgrade and Downgrade Instructions for JUNOS Software Release 9.5 for J-series
Services Routers
New Features in JUNOS Software Release 9.5 for J-series Services Routers
■
JUNOS Software
JUNOS Software
Release 9.5 of JUNOS software includes the following features.
Chassis Clustering
■
Control link recovery—This feature is supported on J2320, J2350, J4350, and
J6350 Services Routers. Prior to this release, when a node was disabled due to
control link failure, after fixing the issue, you had to manually reboot the disabled
node to make the disabled node rejoin the cluster. With this release, you can
specify that control link recovery be done automatically by the system by using
the set chassis cluster control-link-recovery command (this feature is disabled by
default). Once the system determines that the control link is healthy, it issues
an automatic reboot on the disabled node. When the disabled node reboots, the
node rejoins the cluster. There is no need for any manual intervention.
■
Cold synchronization monitoring—This feature is supported on J-series Services
Routers. The process of synchronizing data-plane runtime objects (RTOs) on the
startup of the Services Processing Units (SPUs) or flowd is called cold sync. Chassis
clustering supports the process of monitoring the cold-sync state of all SPUs or
flowd on a node. Also, if you enable preempt, cold-sync monitoring prevents
the node from taking over mastership until the cold-sync process is completed
for all the SPUs or flowd on the node.
■
SNMP failover traps—This feature is supported on the J-series Services Routers.
Chassis clustering supports SNMP traps, which are triggered whenever there is
a redundancy group failover. You can specify that a trace log be generated by
using the set chassis cluster traceoptions flag snmp command.
Flow-Based Processing
J-series devices now use flow-based processing comparable to that used on SRX-series
devices. For more information, see the JUNOS Software Interfaces and Routing
Configuration Guide for Security Devices.
Intrusion Detection and Prevention (IDP)
■
Configuring IDP test conditions in custom anomaly attacks—The user can
now see the supported test conditions for a protocol in the CLI.
When configuring IDP custom attacks, you can now list supported test conditions
for a specific protocol. For example, to configure test conditions for ICMP:
1.
List supported test conditions for ICMP and choose the one you want to
configure:
[edit security idp custom-attack test1 attack-type anomaly]
user@host# set test icmp?
Possible completions:
<test> Protocol anomaly condition to be checked
ADDRESSMASK_REQUEST
DIFF_CHECKSUM_IN_RESEND
DIFF_CHECKSUM_IN_RESPONSE
DIFF_LENGTH_IN_RESEND
2.
Configure the service for which you want to configure the test condition.
[edit security idp custom-attack test1 attack-type anomaly]
user@host# set service ICMP
3.
Configure the test condition (specifying the protocol name is not required):
[edit security idp custom-attack test1 attack-type anomaly]
user@host# set test ADDRESSMASK_REQUEST
Interfaces and Routing
■
Link Fragmentation and Interleaving (LFI) over Asymmetric Digital Subscriber
Line (ADSL)—This release of JUNOS software supports link fragmentation and
interleaving (LFI) for asymmetric digital subscriber line (ADSL). LFI requires
Multilink Point-to-Point Protocol (MLPPP) on ADSL, which involves enabling the
existing CLI under the xDSL interface to support MLPPP encapsulation and the
family mlppp. MLPPP LFI is supported on xDSL Single IFL (logical interface).
■
Voice over IP joint development with Avaya phase 1 (JD1)—This feature is
now supported on J2320, J2350, J4350, and J6350 Services Routers.
J-Web
■
J-Web User Interface—IPv6 management support for J-Web is available in this
release. Users can access J-Web through the IPv6 address. The IPv6 address is
assigned to the management interface and then J-Web is accessed.
■
J-Web Monitor pages for enhanced switching—The J-Web interface now
provides Monitor pages for enhanced switching. New Monitor pages for
enhanced switching allow you to monitor information and status for the
following:
■
Internet Group Management Protocol (IGMP) snooping
■
Ethernet switching
■
J-Web Quick Configuration pages for enhanced switching—The J-Web
interface now provides Quick Configuration pages for enhanced switching.
New Quick Configuration pages for enhanced switching allow you to configure
information for the following:
■
Virtual LAN (VLAN)
■
Spanning Tree Protocol (STP)
■
Link Aggregation Control Protocol (LACP)
■
Generic Virtual Local Area Network Registration Protocol (GVRP)
■
IGMP snooping
■
Dot1X
Network Address Translation (NAT)
Network Address Translation (NAT) is a method by which IP addresses in a packet
are mapped from one group to another and, optionally, port numbers in the packet
are translated into different port numbers. NAT is described in RFC 1631 to solve IP
(version 4) address depletion problems. On J-series devices, JUNOS software decouples
NAT configuration from policy configuration. NAT now uses rules to regulate traffic
on J-series devices. NAT on J-series Services Routers is compatible with SRX-series
devices. NAT is configured in the same way as on SRX-series devices.
Unified Access Control (UAC) Integration
You can configure a J-series Services Router to act as a JUNOS Enforcer in a Unified
Access Control (UAC) deployment. When deployed as a JUNOS Enforcer, the J-series
device enforces the policies that are defined on the UAC’s Infranet Controller.
To configure the J-series device as a JUNOS Enforcer, enable the uac-policy option for
the application-services statement at the [set security policies from-zone zone-name
to-zone zone-name policy match then permit] hierarchy level. Then use the
unified-access-control statement at the [edit services] hierarchy level to configure UAC
features. For more information, see the JUNOS Software Security Configuration Guide.
Unified Threat Management (UTM)
■
Antispam—E-mail spam consists of unwanted e-mail messages, usually sent by
commercial, malicious, or fraudulent entities. The antispam feature examines
transmitted e-mail messages to identify e-mail spam. When the device detects
an e-mail message deemed to be spam, it either drops the message or tags the
message header or subject field with a preprogrammed string.
The antispam feature uses a constantly updated spam block list (SBL). Sophos
updates and maintains the IP-based SBL. The antispam feature is a separately
licensed subscription service.
To configure antispam, use the antispam statement at the [set security utm
feature-profile] hierarchy level. For more information, see the JUNOS Software
Security Configuration Guide.
■
Content filtering—Content filtering blocks or allows certain types of traffic based
on the MIME type, file extension, protocol command, and embedded object
type. Content filtering does not require a separate license.
To configure redirect content filtering, use the content-filtering statement at the
[set security utm feature-profile] hierarchy level. For more information, see the
JUNOS Software Security Configuration Guide.
■
Full file-based antivirus—A virus is executable code that infects or attaches
itself to other executable code to reproduce itself. Some malicious viruses erase
files or lock up systems. Other viruses merely infect files and overwhelm the
target host or network with bogus data. The full file-based antivirus feature
provides file-based scanning on specific Application Layer traffic checking for
viruses against a virus signature database. It collects the received data packets
until it has reconstructed the original application content, such as an e-mail file
attachment, and then scans this content. Kaspersky Lab provides the internal
scan engine. The full file-based antivirus scanning feature is a separately licensed
subscription service.
To configure full file-based antivirus, use the antivirus kaspersky-lab-engine
statement at the [set security utm feature-profile] hierarchy level. For more
information, see the JUNOS Software Security Configuration Guide.
■
Integrated Web filtering—Web filtering lets you manage Internet usage by
preventing access to inappropriate Web content. With the integrated Web filtering
solution, the decision-making for blocking or permitting Web access is done on
the device after it identifies the category for a URL either from user-defined
categories or from a category server (Websense provides the CPA Server). The
integrated Web filtering feature is a separately licensed subscription service.
To configure integrated Web filtering, use the web-filtering surf-control-integrated
statement at the [set security utm feature-profile] hierarchy level. For more
information, see the JUNOS Software Security Configuration Guide.
■
Redirect Web filtering—Web filtering lets you manage Internet usage by
preventing access to inappropriate Web content. The redirect Web filtering
solution intercepts HTTP requests and forwards the server URL to an external
URL filtering server provided by Websense to determine whether to block or
permit the requested Web access. Redirect Web filtering does not require a
separate license.
To configure redirect Web filtering, use the web-filtering websense-redirect
statement at the [set security utm feature-profile] hierarchy level. For more
information, see the JUNOS Software Security Configuration Guide.
■
UTM licensing—The majority of UTM features function as a subscription service
requiring a license. You can redeem this license once you have purchased your
subscription license SKUs.
To apply your UTM license, use the system license update statement at the
[request] hierarchy level. For more information, see the JUNOS Software Security
Configuration Guide.
■
Antivirus SNMP support—SNMP support is provided for the following antivirus
functionality: scan engine monitoring, signature database update status, and
scan statistics.
For more information, see the JUNOS Network Management Guide.
VPLS
This release supports virtual private LAN service (VPLS), an Ethernet-based
point-to-multipoint Layer 2 virtual private network (VPN), on J-series Services Routers.
VPLS allows you to connect geographically dispersed Ethernet LAN sites to each other
across a service provider's MPLS backbone.
To configure VPLS on a provider edge (PE) router to a customer edge (CE) router,
use the following statements:
■
set interfaces <name> encapsulation ethernet-vpls | extended-vlan-vpls | vlan-vpls
■
set interfaces <name> unit 0 family vpls
To create and configure a VPLS routing instance, use the following statements:
■
set routing-instances <name> instance-type vpls
■
set routing-instances <name> protocols vpls site-range <number> site <name>
site-identifier <number>
■
set routing-instances <name> protocols vpls no-tunnel-services
■
set routing-instances <name> route-distinguisher <distinguisher>
■
set routing-instances <name> vrf-target target: <target>
■
set routing-instances <name> instance-type vpls interface <interface>
NOTE: You must also configure MPLS label-switched paths (LSPs) between PE routers,
internal BGP (IBGP) sessions between PE routers, and an interior gateway protocol
(IGP) on the PE routers.
For more information, see the JUNOS Software Interfaces and Routing Configuration
Guide for Security Devices.
Related Topics
■
Known Limitations in JUNOS Software Release 9.5 for J-series Services Routers
■
Changes in Default Behavior and Syntax
■
Issues in JUNOS Software Release 9.5 for J-series Services Routers
■
Hardware Requirements for JUNOS Software Release 9.5 for J-series Services
Routers
■
Upgrade and Downgrade Instructions for JUNOS Software Release 9.5 for J-series
Services Routers
Known Limitations in JUNOS Software Release 9.5 for J-series Services Routers
Chassis Cluster
For this release of JUNOS software, the following features are not supported when
chassis clustering is enabled on the router:
■
All packet-based protocols, such as MPLS, Connectionless Network Service (CLNS),
and IP version 6 (IPv6)
■
Any function that depends on the configurable interfaces:
■
lsq-0/0/0—Link services Multilink Point-to-Point Protocol (MLPPP), Multilink
Frame Relay (MLFR), and Compressed Real-Time Transport Protocol (CRTP)
■
gr-0/0/0—Generic routing encapsulation (GRE) and tunneling
■
ip-0/0/0—IP-over-IP (IP-IP) encapsulation
■
pd-0/0/0, pe-0/0/0, and mt-0/0/0—All multicast protocols
■
lt-0/0/0—Real-time performance monitoring (RPM)
■
WXC Integrated Services Module (WXC ISM 200)
■
Layer 2 Ethernet switching
■
ISDN BRI
Additional limitations include:
■
For a J-series chassis cluster, the maximum number of redundancy groups is
equal to the number of redundant Ethernet interfaces configured by the user.
■
After fabric interfaces have been configured on a chassis cluster, removing the
fabric configuration on either node will cause the redundancy group 0 (RG0)
secondary node to move to a disabled state. (Resetting a device to the factory
default configuration removes the fabric configuration and thereby causes the
RG0 secondary node to move to a disabled state.) After the fabric configuration
is committed, do not reset either device to the factory default configuration.
■
A Fast Ethernet port from a 4-port Ethernet PIM cannot be used as a fabric link
port in a chassis cluster.
Intrusion Detection and Prevention (IDP)
■
On J-series Services Routers, IP actions do not work when users select a timeout
value greater than 65535 in IDP policy.
J-Web
■
Some J-Web pages for new features (for example, the Quick Configuration page
for the switching features on J-series Services Routers) display content in one or
more modal pop-up windows. In the modal pop-up windows, you can interact
only with the content in the window and not with the rest of the J-Web page. As
a result, online help is not available when modal pop-up windows are displayed.
You can access the online help for a feature only by clicking the Help button on
a J-Web page.
Simple Network Management Protocol (SNMP)
■
SNMP NAT related MIB is not supported in this release.
Unified Threat Management (UTM)
■
Unified Threat Management (UTM) requires 1 GB of memory. If your J2320,
J2350, or J4350 device has only 512 MB of memory, you must upgrade the
memory to 1 GB to run UTM.
Related Topics
■
New Features in JUNOS Software Release 9.5 for J-series Services Routers on
page 145
■
Changes in Default Behavior and Syntax on page 151
■
Issues in JUNOS Software Release 9.5 for J-series Services Routers on page 152
■
Hardware Requirements for JUNOS Software Release 9.5 for J-series Services
Routers on page 160
■
Upgrade and Downgrade Instructions for JUNOS Software Release 9.5 for J-series
Services Routers on page 162
■
Errata in Documentation for JUNOS Software Release 9.5 for J-series Services
Routers on page 158
Changes in Default Behavior and Syntax
The following current system behavior, configuration statement usage, and operational
mode command usage might not yet be documented in the JUNOS software
documentation:
CLI
■
CLI Commands No Longer Supported
The show dhcp relay and show dhcp server commands are no longer supported.
Configuration
■
J-series devices no longer allow a configuration in which a tunnel's source or
destination address falls under the subnet of the same logical interface’s address.
Network Address Translation (NAT)
■
J-series devices running JUNOS 9.5 now support rules-based NAT. Previously,
J-series devices supported policy-based NAT. As part of the upgrade procedure,
a migration utility explained in the JUNOS Software Migration Guide converts
any existing NAT policies to NAT rules. For more information, see the JUNOS
Software Migration Guide.
Security
■
J-series Services Routers do not support the authentication order password radius
or password ldap in the edit access profile profile-name authentication-order
command. Instead, use the order radius password or ldap password.
Related Topics
■
New Features in JUNOS Software Release 9.5 for J-series Services Routers on
page 145
■
Known Limitations in JUNOS Software Release 9.5 for J-series Services Routers
on page 150
■
Issues in JUNOS Software Release 9.5 for J-series Services Routers on page 152
■
Hardware Requirements for JUNOS Software Release 9.5 for J-series Services
Routers on page 160
■
Upgrade and Downgrade Instructions for JUNOS Software Release 9.5 for J-series
Services Routers on page 162
■
Errata in Documentation for JUNOS Software Release 9.5 for J-series Services
Routers on page 158
Issues in JUNOS Software Release 9.5 for J-series Services Routers
■
Outstanding Issues in JUNOS Software Release 9.5 for J-series Services
Routers on page 153
■
Resolved Issues in JUNOS Software Release 9.5 for J-series Services
Routers on page 157
Outstanding Issues in JUNOS Software Release 9.5 for J-series Services
Routers
Application Layer Gateways (ALGs)
■
On J2350 Services Routers, an SCCP call cannot be set up after disabling and
enabling SCCP ALG. The call does not go through. [PR/409586]
Authentication
■
In some operating systems, your attempt to log in to the router from a
management device through FTP or Telnet might fail if you type your username
and password in quick succession before the prompt is displayed. As a
workaround, type your username and password after getting the prompt.
[PR/255024]
Chassis Cluster
■
In a chassis cluster, the show interface terse command on the secondary Routing
Engine does not display the same details as that of the primary Routing Engine.
[PR/237982]
■
On J4350 Services Routers, because the clear security alg sip call command
triggers a SIP RTO to synchronize sessions in a chassis cluster, use of the
command on one node with the node-id, local, or primary option might result in
a SIP call being removed from both nodes. [PR/263976]
■
When a new redundancy group is added to a chassis cluster, the node with lower
priority might be elected as primary when the preempt option is not enabled for
the nodes in the redundancy group. [PR/265340]
■
When you commit a configuration for a node belonging to a chassis cluster, all
the redundancy groups might fail over to node 0. If graceful protocol restart is
not configured, the failover can destabilize routing protocol adjacencies and
disrupt traffic forwarding. To allow the commit operation to take place without
causing a failover, we recommend that you use the set chassis cluster
heartbeat-threshold 5 command on the cluster. [PR/265801]
■
In a chassis cluster, J-Web does not enable you to commit any configuration. We
recommend that you use the command-line interface (CLI) for configuration.
[PR/281986]
■
In a chassis cluster, a high load of SIP ALG traffic might result in some call leaks
in active resource manager groups and gates on the backup router. [PR/268613]
■
On J2300, J2320, J2350, J4350, and J6350 Services Routers, in an active/active
chassis cluster, when the fabric link fails and then recovers, services with a short
time-to-live, such as ALG FTP, stop working. [PR/419095]
■
On J4350 Services Routers in a chassis cluster, the FTP session is lost after Routing
Engine failover, although it still exists on the DUT active session. [PR/432203]
Class of Service
■
J4350 and J6350 Services Routers might not have the requisite data buffers
needed to meet expected delay-bandwidth requirements. Lack of data buffers
might degrade CoS performance with smaller-sized (500 bytes or less) packets.
[PR/73054]
■
With a CoS configuration, when you try to delete all the flow sessions using the
clear security flow session command, the WX application acceleration platform
might fail over with heavy traffic. [PR/273843]
Enhanced switching
■
If the access port is tagged with the same VLAN that is configured at the port,
the access port accepts tagged packets and determines the MAC. [PR/302635]
■
VLAN output traffic statistics are not being updated. [PR/305845]
Flow and Processing
■
In JUNOS software, the TTL value on the Internet Control Message Protocol (ICMP)
responses is set to 65. [PR/233844]
■
Even when forwarding options are set to drop packets for the ISO protocol family,
the router forms End System-to-Intermediate System (ES-IS) adjacencies and
transmits packets because ES-IS packets are Layer 2 terminating packets.
[PR/252957]
■
OSPF over a multipoint interface connected as a hub-and-spoke network does
not restart when a new path is found to the same destination. [PR/280771]
■
On J-series Services Routers, outbound filters will be applied twice for
host-generated IPv4 traffic. [PR/301199]
■
On J6350 Services Routers, when a basic SCCP call is made and the primary
node is rebooted when the call is active, call information hot sync fails. The log
on the secondary node shows that the SCCP call information is not synchronized
correctly, while the rm session will be synchronized successfully. [PR/426289]
■
On J-series Services Routers, NAT traffic that is going to the WXC ISM 200 and
returning back in clear (that is, not accelerated by the WXC ISM 200) does not
work. [PR/438152]
Infrastructure
■
On J-series Services Routers, you cannot use a USB device that provides U3
features (such as the U3 Titanium device from SanDisk Corporation) as the media
device during system boot. You must remove the U3 support before using the
device as a boot medium. For the U3 Titanium device, you can use the U3
Launchpad Removal Tool on a Windows-based system to remove the U3 features.
The tool is available for download at
http://www.sandisk.com/Retail/Default.aspx?CatID=1415. (To restore the U3 features,
use the U3 Launchpad Installer Tool accessible at
http://www.sandisk.com/Retail/Default.aspx?CatID=1411). [PR/102645]
■
If the device does not have an ARP entry for an IP address, it drops the first
packet from itself to that IP address. [PR/233867]
■
On J2320, J2350, J4350, and J6350 Services Routers, when you press the F10
key to save and exit from BIOS configuration mode, the operation might not
work as expected. As a workaround, use the Save and Exit option from the Exit
menu. This issue can be seen on the J4350 and J6350 routers with BIOS Version
080011 and on the J2320 and J2350 routers with BIOS Version 080012.
[PR/237721]
■
On J2320, J2350, J4350, and J6350 Services Routers, the Clear NVRAM option in
the BIOS configuration mode does not work as expected. This issue can be seen
on the J4350 and J6350 routers with BIOS Version 080011 and on the J2320 and
J2350 routers with BIOS Version 080012. To help mitigate this issue, note any
changes you make to the BIOS configuration so that you can revert to the default
BIOS configuration as needed. [PR/237722]
■
If you enable security trace options, the log file might not be created in the default
location at /var/log/security-trace. As a workaround, manually set the log file to
the directory /var/log/security-trace. [PR/254563]
Interfaces and Routing
■
The link status of the onboard Gigabit Ethernet interfaces (ge-0/0/0 through
ge-0/0/3) or the 1-port Gigabit Ethernet ePIM interface on J4350 and J6350
Services Routers fails when you configure these interfaces in loopback mode.
[PR/72381]
■
Asymmetric routing, such as tracing a route to a destination behind J-series
routers running JUNOS software with Virtual Router Redundancy Protocol (VRRP),
does not work. [PR/237589]
■
On J2320 Services Routers, when you enable the DHCP client, the default route
is not added to route-table. [PR/296469]
■
On J2320, J2350, J4350, and J6350 Services Routers, broadcast TFTP is not
supported when flow is enabled on the device. [PR/391399]
■
On J-series Services Routers, the RPM operation will not work for the probe-type
tcp-ping when the probe is configured with the option destination-interface.
[PR/424925]
■
J2350 Services Routers configured as a DHCP client will not receive the DNS
server IP address passed on by the DHCP server. Without a name server, license
updates and AV attack object updates will fail. [PR/428445]
■
On J2300, J2320, J2350, J4350, and J6350 Services Routers, performing a redundancy
group 0 failover with 1000 IFLs on the reth interface causes replication errors that
cause ksyncd to generate a core file. [PR/428636]
J-Web
■
On J4350 Services Routers, when the user adds LACP interface details, a pop-up
window appears in which there are two buttons to move the interface left and
right. The LACP page currently does not have images incorporated with these
two buttons. [PR/305885]
■
On J2350, J4350, and J6350 Services Routers, if the user opens J-Web using
Internet Explorer, the Configuration>Switching>LACP Sorting option for the Aggregate
Interface column will not work. [PR/421634]
■
On J-series Services Routers, the Ajax calls need to be optimized and should be
in synchronization with the existing configuration screens [STP, GVRP and
IGMP-Snooping]. [PR/422523]
■
On J2350, J4350, and J6350 Services Routers, when J-Web users select the tabs
on the bottom-left menu, the corresponding screen is not displayed fully, so
users must scroll the page to see all content. This issue occurs when the computer
is set to a low resolution. As a workaround, set the computer resolution to 1280
x 1024. [PR/423555]
Unified Access Control (UAC)
■
On J-series Services Routers, MAC address based authentication does not work
when the router is configured as UAC L2 Enforcer. [PR/431595]
Unified Threat Management (UTM)
■
On J-series Services Routers, under stress conditions, it is possible that UTM
sessions do not get cleaned up properly. The user will continue to see outstanding
UTM sessions even after traffic is stopped and flow sessions have been released.
If the number of outstanding leaked sessions exceeds desirable levels causing
UTM not to handle new traffic, the forwarding daemon will need to be restarted.
[PR/424426]
■
On J2320, J2350, J4350, and J6350 Services Routers, Outlook Express is sending
infected mail (with an EICAR test file) to a mail server (directly, not through DUT).
Eudora 7 is using the IMAP protocol to download this mail (through DUT). Mail
retrieval is slow, and the EICAR test file is not detected. [PR/424797]
■
On J2300, J2320, J2350, J4350, and J6350 Services Routers, the Websense server
stops taking new connections after HTTP stress. All new sessions get blocked. As
a workaround, reboot the Websense server. [PR/435425]
Virtual Private Network (VPN)
■
The proxy-identity statement is valid for route-based VPN configuration only.
Policy-based VPN does not support the proxy-identity statement. [PR/296468]
WXC Integrated Services Module
■
When two J-series devices with WXC Integrated Services Modules (ISM 200s)
installed are configured as peers, traceroute fails if redirect-wx is configured on
both peers. [PR/227958]
■
JUNOS software does not support policy-based VPN with WXC Integrated Services
Modules (ISM200s). [PR/281822]
Resolved Issues in JUNOS Software Release 9.5 for J-series Services
Routers
The following issues from JUNOS Release 9.5 R3 have been resolved in this release.
The identifier following the description is the tracking number in our bug database.
Flow and Processing
■
On J2350, J4350, and J6350 Services Routers, OSPF over GRE over IPsec did not
work. [PR/105279: This issue has been resolved.]
J-Web
■
On J-series Services Routers, on the J-Web spanning-tree configuration page, the
Edit interface/msti window did not save the data before committing the
configuration. [PR/433506: This issue has been resolved.]
Related Topics
■
New Features in JUNOS Software Release 9.5 for J-series Services Routers on
page 145
■
Known Limitations in JUNOS Software Release 9.5 for J-series Services Routers
on page 150
■
Changes in Default Behavior and Syntax on page 151
■
Hardware Requirements for JUNOS Software Release 9.5 for J-series Services
Routers on page 160
■
Upgrade and Downgrade Instructions for JUNOS Software Release 9.5 for J-series
Services Routers on page 162
■
Errata in Documentation for JUNOS Software Release 9.5 for J-series Services
Routers on page 158
Errata in Documentation for JUNOS Software Release 9.5 for J-series Services Routers
Chassis Clustering
■
The “Setting the Node ID and Cluster ID” and “Active/Passive Chassis Cluster
Scenario” sections in the JUNOS Software Security Configuration Guide incorrectly
show command syntax as the following:
set chassis cluster node 0 cluster-id 1
set chassis cluster node 1 cluster-id 1 reboot
The command syntax should be as follows:
set chassis cluster cluster-id 1 node 0
set chassis cluster cluster-id 1 node 1 reboot
CLI
■
Page 976 of the JUNOS Software CLI Reference Guide displays the “show security
alg status” title when it should display the “show security alg sip transactions”
title. The information for Syntax, Release Information, Description, and Options
is also incorrect. The correct information is provided below.
Syntax—show security alg sip transactions <node (node-id | all | local | primary)>
Release information—Command modified in Release 9.2 of JUNOS software;
node options added in Release 9.0 of JUNOS software.
Description—Display information about Session Initiation Protocol (SIP)
Application Layer Gateway (ALG) transactions.
This command is supported on J-series and SRX-series devices.
Options
■
none—Display all SIP ALG transactions.
■
node—(Optional) For chassis cluster configurations, display SIP transactions
on a specific node (device) in the cluster.
■
node-id—Identification number of the node. It can be 0 or 1.
■
all—Display information about all nodes.
■
local—Display information about the local node.
■
primary—Display information about the primary node.
DLSw
■
The JUNOS Software Interfaces and Routing Configuration Guide incorrectly states
that the data link switching (DLSw) protocol is supported in this release. DLSw
support ended in JUNOS Release 9.3.
Intrusion Detection and Prevention (IDP)
■
In the JUNOS Software Security Configuration Guide, the following information in
the "Verifying the Policy Compilation and Load Status" section is incorrect:
■
The text does not indicate that the log file must be created first.
■
The path for the log file is incorrect.
Note the following correct information:
■
Create the log file first by entering set security idp traceoptions file idpd. You
can then set flags by entering set security idp traceoptions flag all.
■
The correct path for the idpd log file is /var/log, not /var/db.
J-Web
■
J-Web Pages for Stateless Firewall Filters
There is no documentation describing the J-Web pages for stateless firewall filters.
To find these pages in J-Web, go to Configuration>Firewall Filters, then select IPv4
Firewall Filters or IPv6 Firewall Filters. After configuring filters, select Assign to
Interfaces to assign your configured filters to interfaces.
PIM
The J2300, J4300, and J6300 Services Router Getting Started Guide incorrectly states
that 1000Base-LH SFP (JX-SFP-1GE-LH) is not supported. This SFP is supported.
Screens
■
The following guide contains incorrect screen configuration instructions:
■
JUNOS Software Design and Implementation Guide, “Implementing Firewall
Deployments for Branch Offices” chapter
Examples throughout the guide describe how to configure screen options using
the set security screen screen-name CLI statements. Instead, you should use the
set security screen ids-option screen-name CLI statements. All screen configuration
options are located in the [set security screen ids-option screen-name] level of the
configuration hierarchy.
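The syntax corrections in these notes (screen ids-option, chassis cluster cluster-id ordering, authentication order, and the IDP ip-action timeout limit) can be checked before a commit. The following Python sketch is an added example, not Juniper code; the sample configuration is constructed, and the set-form paths used for the access profile and the IDP ip-action timeout are assumptions about how those statements appear in a set-style configuration.

```python
"""Lint a set-style JUNOS configuration against syntax notes from the 9.5 release notes."""

MAX_IP_ACTION_TIMEOUT = 65535  # IDP IP actions do not work above this timeout value

# Constructed sample input; not taken from a real device.
SAMPLE_CONFIG = """\
set chassis cluster node 0 cluster-id 1
set chassis cluster cluster-id 1 node 1 reboot
set access profile branch-users authentication-order [ password radius ]
set access profile vpn-users authentication-order ldap
set access profile vpn-users authentication-order password
set security screen untrust-screen icmp ping-death
set security screen ids-option untrust-screen tcp land
set security idp idp-policy base rulebase-ips rule r1 then ip-action timeout 70000
set security idp idp-policy base rulebase-ips rule r2 then ip-action timeout 600
"""


def lint(config_text):
    """Return sorted (line_number, rule, message) findings for a set-style config."""
    findings = []
    auth_order = {}  # profile name -> [(line_number, method), ...] in configured order

    for number, raw in enumerate(config_text.splitlines(), 1):
        # Treat "[ a b ]" list syntax as plain tokens.
        tokens = raw.replace("[", " ").replace("]", " ").split()
        if len(tokens) < 3 or tokens[0] != "set":
            continue
        path = tokens[1:]

        if path[:3] == ["chassis", "cluster", "node"] and "cluster-id" in path:
            # Errata: the documented order "node N cluster-id M" is wrong.
            findings.append((number, "cluster-syntax",
                             "use 'set chassis cluster cluster-id <id> node <n>'"))
        elif path[:2] == ["security", "screen"] and path[2] != "ids-option":
            # Errata: all screen options live under 'ids-option <screen-name>'.
            findings.append((number, "screen-syntax",
                             "use 'set security screen ids-option %s ...'" % path[2]))
        elif path[:2] == ["access", "profile"] and path[3:4] == ["authentication-order"]:
            # Collect methods; the order is judged once the whole config is read.
            for method in path[4:]:
                auth_order.setdefault(path[2], []).append((number, method))
        elif path[:3] == ["security", "idp", "idp-policy"]:
            for i in range(len(path) - 2):
                if path[i:i + 2] == ["ip-action", "timeout"] and path[i + 2].isdigit():
                    if int(path[i + 2]) > MAX_IP_ACTION_TIMEOUT:
                        findings.append((number, "idp-timeout",
                                         "ip-action timeout %s exceeds %d"
                                         % (path[i + 2], MAX_IP_ACTION_TIMEOUT)))

    # 'password' before 'radius' or 'ldap' is the unsupported order.
    for profile, entries in auth_order.items():
        methods = [method for _, method in entries]
        if "password" in methods:
            later = methods[methods.index("password") + 1:]
            if "radius" in later or "ldap" in later:
                findings.append((entries[0][0], "auth-order",
                                 "profile %s: put radius or ldap before password" % profile))

    return sorted(findings)


if __name__ == "__main__":
    for number, rule, message in lint(SAMPLE_CONFIG):
        print("line %d [%s] %s" % (number, rule, message))
```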
Related Topics
■
New Features in JUNOS Software Release 9.5 for J-series Services Routers on
page 145
■
Known Limitations in JUNOS Software Release 9.5 for J-series Services Routers
on page 150
■
Changes in Default Behavior and Syntax on page 151
■
Issues in JUNOS Software Release 9.5 for J-series Services Routers on page 152
■
Hardware Requirements for JUNOS Software Release 9.5 for J-series Services
Routers on page 160
■
Upgrade and Downgrade Instructions for JUNOS Software Release 9.5 for J-series
Services Routers on page 162
Hardware Requirements for JUNOS Software Release 9.5 for J-series Services Routers
■
Power and Heat Dissipation Requirements for J Series PIMs on page 160
■
Supported Third-Party Hardware for J Series Services Routers on page 160
■
J Series CompactFlash and Memory Requirements on page 161
Power and Heat Dissipation Requirements for J Series PIMs
On J Series Services Routers, the system monitors the PIMs and verifies that the PIMs
fall within the power and heat dissipation capacity of the chassis. If power
management is enabled and the capacity is exceeded, the system prevents one or
more of the PIMs from becoming active.
CAUTION: Disabling power management can result in hardware damage if you
overload the chassis capacities.
You can also use CLI commands to choose which PIMs are disabled. For details about
calculating the power and heat dissipation capacity of each PIM and troubleshooting
procedures, see the J-series Services Routers Hardware Guide.
Supported Third-Party Hardware for J Series Services Routers
The following third-party hardware is supported for use with J-series Services Routers
running JUNOS software.
USB Modem
■
We recommend using a U.S. Robotics USB 56K V.92 Modem, model number USR
5637.
Storage Devices
The USB slots on J-series Services Routers accept a USB storage device or USB storage
device adapter with a CompactFlash card installed, as defined in the CompactFlash
Specification published by the CompactFlash Association. When the USB device is
installed and configured, it automatically acts as a secondary boot device if the
primary CompactFlash card fails on startup. Depending on the size of the USB storage
device, you can also configure it to receive any core files generated during a router
failure. The USB device must have a storage capacity of at least 256 MB.
Table 13 on page 161 lists the USB and CompactFlash card devices supported for use
with the J-series Services Routers.
Table 13: Supported Storage Devices on the J-series Services Routers
| Manufacturer | Storage Capacity | Third-Party Part Number |
|---|---|---|
| SanDisk—Cruzer Mini 2.0 | 256 MB | SDCZ2-256-A10 |
| SanDisk | 512 MB | SDCZ3-512-A10 |
| SanDisk | 1024 MB | SDCZ7-1024-A10 |
| Kingston | 512 MB | DTI/512KR |
| Kingston | 1024 MB | DTI/1GBKR |
| SanDisk—ImageMate USB 2.0 Reader/Writer for CompactFlash Type I and II | N/A | SDDR-91-A15 |
| SanDisk CompactFlash | 512 MB | SDCFB-512-455 |
| SanDisk CompactFlash | 1 GB | SDCFB-1000.A10 |
J Series CompactFlash and Memory Requirements
Table 14 on page 161 lists the CompactFlash card and DRAM requirements for J Series
Services Routers.
Table 14: J Series CompactFlash Card and DRAM Requirements
| Model | Minimum CompactFlash Card Required | Minimum DRAM Required | Maximum DRAM Supported |
|---|---|---|---|
| J2320 | 512 MB | 512 MB | 1 GB |
| J2350 | 512 MB | 512 MB | 1 GB |
| J4350 | 512 MB | 512 MB | 2 GB |
| J6350 | 512 MB | 1 GB | 2 GB |
Related Topics
■
New Features in JUNOS Software Release 9.5 for J-series Services Routers on
page 145
■
Known Limitations in JUNOS Software Release 9.5 for J-series Services Routers
on page 150
■
Changes in Default Behavior and Syntax on page 151
■
Issues in JUNOS Software Release 9.5 for J-series Services Routers on page 152
■
Upgrade and Downgrade Instructions for JUNOS Software Release 9.5 for J-series
Services Routers on page 162
■
Errata in Documentation for JUNOS Software Release 9.5 for J-series Services
Routers on page 158
Upgrade and Downgrade Instructions for JUNOS Software Release 9.5 for J-series Services
Routers
For upgrade and download instructions for JUNOS Software Release 9.5, please see
the JUNOS Software Migration Guide.
JUNOS Software Release Notes for EX-series Switches
■
New Features in JUNOS Software for EX-series Switches, Release 9.5 on page 162
■
Changes in Default Behavior and Syntax on page 166
■
Outstanding and Resolved Issues and Upgrade/Downgrade Issues in JUNOS
Release 9.5 for EX-series Switches on page 167
■
Errata in Documentation for JUNOS Software Release 9.5 for EX-series
Switches on page 178
New Features in JUNOS Software for EX-series Switches, Release 9.5
New features in Release 9.5 of JUNOS software for EX-series switches are described
in this section.
Not all EX-series software features are supported on all EX-series platforms in the
current release. For a list of all EX-series software features and their platform support,
see EX-series Switch Software Features Overview.
New features are described on the following pages:
■
Hardware on page 163
■
Access Control and Port Security on page 164
■
Bridging, VLANs, and Spanning Trees on page 164
■
Class of Service (CoS) on page 164
■
Layer 3 Protocols on page 164
■
Management and RMON on page 165
■
MPLS on page 166
■
Virtual Chassis on page 166
Hardware
■
EX 8216 switch—The EX 8216 switch is a half-rack, midplane architecture,
modular Ethernet switch that is designed for ultra-high-density environments
such as campus aggregation, data center, or high-performance core switching
environments. EX 8216 switches provide high availability and redundancy for
all major hardware components, including Routing Engine (RE) modules, Switch
Fabric (SF) modules, fan trays (with redundant fans), and load-sharing 3000 W
AC and DC power supplies. Like other EX-series switches, EX 8216 switches
provide high performance, scalability, and carrier-class reliability.
The EX 8216 switch chassis can accommodate a variety of Ethernet interfaces,
supporting wire rate on all ports for all packet sizes. An EX 8216 switch accepts
up to 16 line cards, double the number of line cards accepted by the EX 8208
switch. It offers the benefit of having more port density per rack unit of space
than the EX 8208 switch.
The following line cards are available for all EX 8200 series switches and can be
used interchangeably between EX 8208 and EX 8216 switches. You can install
any combination of the line cards in the chassis:
■
8-port 10-Gigabit Ethernet SFP+ line card
■
48-port 10/100/1000 RJ-45 line card
■
48-port 100/1000 SFP line card
■
Four-post rack-mount kit—The four-post rack-mount kit is a separately orderable
kit for EX 3200 and EX 4200 switches. This kit allows you to mount the switch
on four posts of a four-post rack. It also provides two types of front brackets that
allow you to mount the switch on two-post or four-post racks, either flush with
the front of the rack or recessed 2 inches from the front of the rack.
■
New optical transceiver support—The SFP uplink module in EX 3200 and EX
4200 switches now supports five new optical transceivers:
■
EX-SFP-1FE-LX (100Base-LX, 10 km)
■
EX-SFP-GE10KT13R15 (1000Base-BX-U, 10 km)
■
EX-SFP-GE10KT15R13 (1000Base-BX-D, 10 km)
■
EX-SFP-GE40KT13R15 (1000Base-BX-U, 40 km)
■
EX-SFP-GE40KT15R13 (1000Base-BX-D, 40 km)
■
New optical transceiver support—The SFP+ uplink module in EX 3200 and
EX 4200 switches now supports two new optical transceivers:
■
EX-SFP-10GE-LR (10GBase-LR, 10 km)
■
EX-SFP-10GE-LRM (10GBase-LRM, 220 m)
■
New optical transceiver support—The SFP+ uplink module in EX 8200 series
switches now supports one new optical transceiver:
■
EX-SFP-10GE-LRM (10GBase-LRM, 220 m)
■
Virtual Chassis cable—The maximum length allowed for a Virtual Chassis cable
is now 5 meters.
Access Control and Port Security
■
Dynamic firewall filters—Firewall filters applied to interfaces enabled for 802.1X
or MAC RADIUS authentication are dynamically combined with the per-user
policies sent to the switch from the RADIUS server. The switch uses internal logic
to dynamically combine the interface firewall filter with the user policies from
the RADIUS server and create an individualized policy for each of the multiple
users or nonresponsive hosts that are authenticated on the interface.
Bridging, VLANs, and Spanning Trees
■
Private VLAN (PVLAN) enhancements—The following access security features
are supported on PVLANs: MAC limiting, DHCP snooping, dynamic ARP
inspection, IP source guard, and 802.1X.
Class of Service (CoS)
■
CoS rewrites—Differentiated Services code point (DSCP), IEEE 802.1p, and IP
precedence bit value rewrites are enabled on routed VLAN interfaces (RVIs) on
EX 3200 and EX 4200 switches.
■
CoS multidestination—You can use the CoS multidestination feature on EX
8200 series switches to specify the traffic class to be applied to unknown-unicast,
broadcast, and multicast traffic. Three new default classifiers are provided for
multidestination traffic: multicast expedited forwarding, multicast assured
forwarding, and multicast best-effort. A default forwarding class once configured
is applied to all interfaces on the switch. A classifier option is provided to allow
you to specify a classifier to be used for bridged registered multidestination traffic
and IP multidestination traffic on each interface.
Layer 3 Protocols
■
Multicast Source Discovery Protocol (MSDP)—You can use MSDP to connect
multiple IP version 4 Protocol Independent Multicast sparse mode (PIM SM)
domains. Each PIM SM domain uses its own independent rendezvous point and
does not have to depend on rendezvous points in other domains.
■
OSPF multitopology routing (MT-OSPF)—You can use the MT-OSPF feature to
define multiple topologies and to configure topology-specific metrics for individual
links as well as to exclude individual links from specific topologies. As a result,
you can use a single instance of OSPF to carry connectivity and IP reachability
information for different topologies. Information for different topologies is used
to calculate independent shortest-path-first (SPF) trees and routing tables.
Management and RMON
■
J-Web enhancements—The J-Web interface has the following enhancements:
■
The Ports Configuration page displays details about port role configuration.
■
The Link Aggregation Configuration page supports aggregating interfaces
with any speed setting.
■
J-Web supports IPv6 configuration on the management interface.
■
The dashboard displays 10-gigabit SFP+ ports.
■
You can configure:
■
Spanning-tree protocols
■
GVRP
■
IGMP snooping
■
Redundant trunk groups (RTGs)
■
The monitoring feature has been enhanced to support:
■
Ethernet switching
■
Spanning-tree protocols
■
GVRP
■
IGMP snooping
■
The troubleshooting feature supports setting up real-time performance
monitoring (RPM) and viewing RPM results.
■
Port mirroring:
■
Multiple VLAN support—You can configure multiple VLANs (up to 256)
including a VLAN range and private VLANs (PVLANs) as ingress input to an
analyzer in EX 3200 and EX 4200 switches or as egress input to an analyzer
in EX 8200 series switches.
■
Layer 3 interface support—You can configure Layer 3 interfaces as ingress
and egress input to an analyzer.
MPLS
■
JUNOS MPLS for EX-series switches—MPLS on EX-series switches supports
Layer 2 protocols and Layer 2 VPNs. You can configure MPLS on your switches
to increase transport efficiency in your network. MPLS services can be used to
connect various sites to a backbone network or to ensure better performance
for low-latency applications such as VoIP and other business-critical functions.
MPLS on EX-series switches supports only single-label MPLS packets and does
not support LDP-based MPLS. MPLS configurations on EX-series switches are
compatible with configurations on other Juniper Networks devices that support
MPLS and circuit cross-connect (CCC).
Virtual Chassis
■
Autoprovisioning Virtual Chassis ports (VCPs)—In an existing preprovisioned
Virtual Chassis configuration, you can use the autoprovisioning feature to
automatically configure uplink module ports as VCPs when you add switches to
that configuration.
Related Topics
■
Outstanding and Resolved Issues and Upgrade/Downgrade Issues in JUNOS
Release 9.5 for EX-series Switches on page 167
■
Changes in Default Behavior and Syntax on page 166
■
Errata in Documentation for JUNOS Software Release 9.5 for EX-series Switches
on page 178
Changes in Default Behavior and Syntax
The following current system behavior, configuration statement usage, and operational
mode command usage might not yet be documented in the JUNOS software for
EX-series switches documentation:
Class of Service
■
A new command has been introduced to change the buffering scheme:
set class-of-service shared-buffers percent value
This option gives you the flexibility of controlling the shared egressed buffer
allocation per interface. Uplink ports are not used for shared allocation.
Interfaces
■
The following counters are not supported on routed VLAN interfaces (RVIs): local
statistics, traffic statistics, and transit statistics.
Virtual Chassis
■
On EX 4200 switches, if you enter the command request chassis routing-engine
master switch and then enter the command again within 240 seconds, the switch
will display an error message saying “Command aborted. Not ready for
mastership switch, try after n seconds.”
Related Topics
■
New Features in JUNOS Software for EX-series Switches, Release 9.5 on page 162
■
Outstanding and Resolved Issues and Upgrade/Downgrade Issues in JUNOS
Release 9.5 for EX-series Switches on page 167
■
Errata in Documentation for JUNOS Software Release 9.5 for EX-series Switches
on page 178
Outstanding and Resolved Issues and Upgrade/Downgrade Issues in JUNOS Release 9.5
for EX-series Switches
Outstanding issues in the JUNOS Release 9.5R4 software for EX-series switches and
issues regarding software upgrade or downgrade are described on the following
pages. The pages also list the issues that have been resolved since the last JUNOS
Release 9.4 release:
Outstanding Issues
The following are outstanding issues in the JUNOS Release 9.5R4 software for
EX-series switches. The identifier following the description is the tracking number
in our bug database.
NOTE: The following PRs that were previously included in the JUNOS Release 9.5
release notes as outstanding issues have been removed, because these issues are
not present in JUNOS Release 9.5R4 for EX-series switches:
286600, 295588, 389276, 390812, 399331, 403842, 406032, 409321, 410947,
411660, 414110, 415772
Access Control and Port Security
■
On EX-series switches, if you configure the RADIUS server revert-interval interval
option, the switch does not attempt to reconnect to the unreachable server after
the revert interval has elapsed. [PR/304637]
■
On EX 8208 switches, the medium attachment unit (MAU) type field is empty
in the Link Layer Discovery Protocol (LLDP) protocol data unit (PDU). [PR/392043]
Bridging, VLANs, and Spanning Trees
Class of Service
■
Packets sent to the CPU are not supported for system log, log, or reject messages
on EX-series switches. [PR/399664]
■
On 48-port SFP line cards used in EX 8208 switches, do not insert a transceiver
into the first or last port on the bottom row (ports 1 and 47). Transceivers inserted
in these ports are difficult to remove. As a workaround, you can remove the
transceiver by using a small flathead screwdriver or other tool to lift the lock on
the transceiver. [PR/423694]
■
The RADIUS request sent by an EX-series switch contains both Extensible
Authentication Protocol (EAP) Identity Response and State attributes. [PR/300790]
■
On EX 8208 switches, RIP version 1 does not work properly. [PR/394905]
■
In the J-Web interface, you cannot commit some configuration changes in the
Ports Configuration and VLAN Configuration pages because of the following
limitations for port mirroring ports and port mirroring VLANs:
Hardware
Infrastructure
■
A port configured as the output port for an analyzer cannot be a member of
any VLAN other than the default VLAN.
■
A VLAN configured to receive analyzer output can be associated with only
one port.
[PR/400814]
■
After a redundant trunk group (RTG) interface switchover, MAC address aging
does not stop, even though traffic is sent continuously and switched correctly.
[PR/416739]
■
Spanning-tree, GVRP, or IGMP snooping configuration windows might load slowly
in the J-Web interface. Wait till the windows load completely before entering
information, or some information might get lost. [PR/422523]
■
In the J-Web interface on EX 8208 and EX 8216 switches, IPv6 is listed as an
option in the Management Options page in the EZSetup wizard, but it is not
supported. [PR/425959]
■
In the J-Web interface, uploading a package might not work properly if you are
using Internet Explorer version 7. [PR/424859]
■
In the J-Web interface, the Ethernet Switching monitoring page might not display
monitoring details if there are more than 13,000 MAC entries on the switch.
[PR/425693]
■
If an SRE module, RE module, SF module, line card, or Virtual Chassis member
is in offline mode, the J-Web interface might not update the dashboard image
accordingly. [PR/431441]
■
In the J-Web interface, in the Port Security Configuration page, you are required
to configure action when you configure MAC limit even though configuring an
action value is not mandatory in the CLI. [PR/434836]
■
In the J-Web interface, interfaces configured with no-flow-control might be
displayed in the Link Aggregation Configuration page. [PR/437410]
■
On routed VLAN interfaces (RVIs), the analyzer (port mirroring configuration)
might incorrectly append an 802.1q (802.1Q) header to the packets being
mirrored. As a workaround, you can configure an egress analyzer on each port
of the egress VLAN. [PR/445393]
■
If software forwarding process (sfid) usage is greater than 60 percent, there might
be packet losses in packets originating from the Routing Engine. [PR/473753]
■
When you use the show interfaces extensive command, the queued packet counter
might not get updated and might display a value of 0. [PR/263527]
■
On EX 8208 switches, after an interface is blocked by BPDU control, removing
the BPDU control configuration does not unblock the interfaces. As a workaround,
issue the clear ether bpdu-error command from the CLI. [PR/407020]
■
On EX 8208 switches, if primary and backup interfaces for link protection are
configured on a LAG interface (under the ether-options 802.3ad statement),
packets might egress on the backup interface instead of on the primary interface
when the line card is restarted or during Routing Engine switchover. As a
workaround, remove and reapply the LAG configuration. [PR/409934]
■
On EX 4200 switches, when port mirroring is configured on all interfaces, the
mirrored packets leaving a tagged interface might contain an incorrect VLAN ID.
[PR/431101]
Interfaces
Layer 3 Protocols
■
On EX 8208 switches, if Layer 3 traffic is routed with static routes and static ARP
and is egressing on a routed VLAN interface (RVI), Layer 3 traffic might be
dropped after you delete all configurations and roll back the configuration. To
recover the traffic, flap the egress physical interface. [PR/417024]
■
If a member whose MAC address is being used as a system MAC address of the
Virtual Chassis goes offline, the mac-persistence-timer parameter determines how
long the Virtual Chassis continues to use the member’s MAC address. When the
timer expires, the system MAC address of the Virtual Chassis changes and there
might be a traffic loss for some period of time until the neighbor switches update
the ARP table. As a workaround, you can clear ARP on the neighbor switches so
the ARP updates happen immediately. [PR/435084]
Virtual Chassis
Resolved Issues
Access Control and Port Security
■
When you have a port with membership in a VoIP VLAN and a guest VLAN and
configured with 802.1X authentication, traffic in the VoIP VLAN is forwarded
even after authentication has failed for the port. [PR/292268: This issue has been
resolved.]
■
On EX-series switches, the LLDP-MED voice solution might not work properly
unless the VLAN name is configured as voice. As a workaround, configure the
VLAN name as voice for LLDP-MED to propagate the VLAN ID to the phone
properly. [PR/421741: This issue has been resolved.]
■
Dynamic filters are not installed for all 802.1X clients authenticating with the
same authentication credentials and are installed only for the first client.
[PR/422919: This issue has been resolved.]
Bridging, VLANs, and Spanning Trees
■
When frames are switched from access to trunk interfaces (that is, when incoming
frames are not tagged), the priority bits in the 802.1Q header are set to 1 by
default. [PR/273079: This issue has been resolved.]
■
If you have configured VSTP on an aggregated Ethernet interface with LACP
enabled, the initial port cost value is shown as 200000000. Deactivate and
reactivate VSTP on the interface to set the port cost to the correct value (10000).
[PR/412099: This issue has been resolved.]
■
When the primary interface in a redundant trunk group (RTG) is disabled and
then enabled, the ports in the RTG do not move into appropriate states.
[PR/413089: This issue has been resolved.]
■
When a VLAN is configured in the analyzer stanza with an invalid VLAN tag, the
Ethernet switching process (eswd) will terminate abnormally. As a workaround,
correct the VLAN index being referenced. [PR/421105: This issue has been
resolved.]
■
When a gratuitous ARP message is sent to the switch, the message is ignored
by the routed VLAN interface (RVI) and the switch does not update the ARP table.
[PR/426810: This issue has been resolved.]
■
When the ethernet-switching-options secure-access-port part of the configuration
is enabled along with VSTP, under a high traffic rate, the VSTP BPDUs are sent
to the Routing Engine with an incorrect code that causes a blocking port to go
into the Forwarding state, which results in a spanning-tree loop. [PR/468095:
This issue has been resolved.]
Class of Service
■
On EX 8208 switches, when link protection is enabled on a LAG interface, the
scheduler map configured on the LAG interface will not be active after a graceful
Routing Engine switchover (GRES) or after the class-of-service process (cosd) is
restarted. As a workaround, remove and reapply the scheduler map on the LAG
interface. [PR/415476: This issue has been resolved.]
■
Interchanging routed VLAN interfaces (RVIs) between VLANs does not interchange
classifiers. Restart the class-of-service process (cosd) to interchange classifiers
and make the classification work properly. [PR/417236: This issue has been
resolved.]
■
On EX 8208 switches, when multiple forwarding classes are mapped to the same
queue, the tail-drop counters for some queues might show an incorrect value.
[PR/413673: This issue has been resolved.]
Firewall Filters
■
Policers might be shared across interfaces that are part of the same Packet
Forwarding Engine. If the same policer is applied to two interfaces on the same
Packet Forwarding Engine, then the policer is shared. If the same policer is
applied to two interfaces on different Packet Forwarding Engines, the policer is
not shared and functions as two separate policers. [PR/405111: This issue has
been resolved.]
Hardware
■
On EX 8216 switches, a fan failure trap is not generated when the fans go into
a failed state. [PR/413426: This issue has been resolved.]
■
When an EX8216 switch power cycle completes, the Last reboot reason for the
master and backup Routing Engines in the show chassis routing-engine command
output might display incorrect values. [PR/415569: This issue has been resolved.]
■
On EX 8216 switches, online insertion and removal of a Switch Fabric (SF)
module is not supported. [PR/422276: This issue has been resolved.]
■
Occasionally, on a switch with SFP FE-BX transceivers plugged into the uplink
module, the I2C bus locks up and the uplink module is unusable after running
traffic for a few hours. The system recovers after a reboot. [PR/430237: This
issue has been resolved.]
Infrastructure
■
If you reboot an EX 3200 or EX 4200 switch after you have configured the Power
over Ethernet (PoE) guard-band value, the two ports that had been shut down
because of their low priority become active again. They should have remained
shut down. [PR/285262: This issue has been resolved.]
■
In the J-Web interface, neither the Add window nor the Edit window in the Link
Aggregation Configuration page displays the interfaces for which speed is
configured explicitly. [PR/301532: This issue has been resolved.]
■
On EX 8208 switches, a 48-port RJ-45 line card configured for fixed mode
(no-auto-negotiation) does not disable interfaces when the two ends of the
connection are configured with different speeds. [PR/307834: This issue has
been resolved.]
■
On EX 8208 switches, while commits of configuration changes under the
interfaces stanza or routing-options stanza are in progress, VRRP advertisement
does not occur for a short time. This can result in a change of VRRP mastership.
[PR/310524: This issue has been resolved.]
■
On EX 8208 switches, during chassis bootup, the system log might display the
following messages:
"RT-HAL,rt_entry_add_msg_check,1116:unknown vlan index 0"
"RT-HAL,rt_msg_handler,407:route check failed"
[PR/313185, PR/313187: This issue has been resolved.]
■
On EX 8208 switches, occasionally the system log might display the following
message when the switch is receiving simultaneous traffic:
ex8200-re0 fpc7 Old expected RT_NH is NULL
[PR/314377: This issue has been resolved.]
■
In the Ports Configuration page in the J-Web interface, the default values displayed
for Speed, Duplex, and Auto Negotiation for ports with SFP or XFP transceivers
are incorrect. [PR/398858: This issue has been resolved.]
■
On EX 8208 switches, after a graceful Routing Engine switchover (GRES), the
first sample (show snmp rmon history output) shows incorrect statistics for
broadcast and multicast packets. Correct statistics are displayed after the first
sample. [PR/399317: This issue has been resolved.]
■
When you have connected a management device to an EX 8208 switch using
Telnet, issuing the show lacp statistics interfaces command might cause the CLI
to stop responding. [PR/402393: This issue has been resolved.]
■
On EX 8208 switches, the storm control configuration displays the default level
for storm control as 80 percent of the link bandwidth although the actual default
value and the maximum value for the storm control level is 50 percent of the
link bandwidth. [PR/407540: This issue has been resolved.]
■
If you configure a port mirroring session in which the output is set to a VLAN
with the input not configured, the commit will fail. As a workaround, configure
the input and then commit the configuration. [PR/407559: This issue has been
resolved.]
■
In the J-Web interface, when packets are being captured using Troubleshoot >
Packet capture, the PHP process consumes more than 90 percent of the CPU
cycles. [PR/411070: This issue has been resolved.]
■
On EX 8208 switches in some topologies with multifeature scaling, multicast
traffic to some groups might be dropped after multiple graceful Routing Engine
switchovers (GRESs). [PR/412908: This issue has been resolved.]
■
On EX 8208 switches, transitioning from a remote port mirroring configuration
to a local port mirroring configuration or the reverse does not work properly.
For example, if a remote port mirroring configuration transitions to a local port
mirroring configuration, packets are mirrored as tagged packets. As a workaround,
restart the line card. [PR/414122: This issue has been resolved.]
■
On EX 8208 switches with GRES enabled, sometimes the state of the backup
Routing Engine is shown as:
Kernel database: Connection error, Initialize error.
As a workaround, deactivate and reactivate GRES on the switch. [PR/413637:
This issue has been resolved.]
■
If the power supplied to an EX 8208 switch is insufficient, the behavior of the
switch becomes nondeterministic and affects the operation of the switch.
[PR/414718: This issue has been resolved.]
■
On EX 8208 switches, the in-band management option is not supported in the
EZSetup wizard. Use the out-of-band management option while using the EZSetup
wizard for initial configuration. [PR/414960: This issue has been resolved.]
■
On EX 8208 switches, in a scaled environment with a large number of routes
and ARP entries, OSPF adjacency links might not come up while the switch is
deleting ARP entries when there is data traffic through the interface. Stopping
data traffic on the OSPF interface resolves this condition. [PR/414998: This issue
has been resolved.]
■
On EX 8208 switches, if port mirroring is configured with a link aggregation
group (LAG) interface as the input interface, packets are not mirrored correctly
after a graceful Routing Engine switchover (GRES). As a workaround, restart the
line card. [PR/415213: This issue has been resolved.]
■
On EX-series switches, the storm control command options no-broadcast and
no-unknown-unicast do not have any effect. [PR/415542: This issue has been
resolved.]
■
On EX 8208 switches, the LCD displays FAN FAIL even though the fans are
operational and running at normal speed. [PR/415756: This issue has been
resolved.]
■
Learned MAC address entries are not flushed when the interface mode changes
for RTG interfaces. Clearing the Ethernet switching table resolves this problem.
[PR/416103: This issue has been resolved.]
■
On EX 8208 switches, after a graceful Routing Engine switchover (GRES), unicast
routed traffic might egress as untagged packets or as packets with incorrect tag
values. As a workaround, restart the egress line card. [PR/416358: This issue has
been resolved.]
■
When the MSTP topology changes in an extended VLAN topology, sometimes
sessions such as those for VRRP, BFD, and upper protocols dependent upon BFD
(such as PIM or OSPF) bounce briefly. [PR/416400: This issue has been resolved.]
■
On EX 8208 switches, when you commit some firewall filter configurations, the
following error might be displayed:
internal error: database reference has invalid type - not a container
[PR/416685: This issue has been resolved.]
■
Traffic might not be forwarded correctly in a Q-in-Q VLAN if a customer VLAN
is added and deleted. [PR/416817: This issue has been resolved.]
■
In the J-Web interface, you cannot edit the Layer 2 Uplink port role without
changing the group name of the redundant trunk group (RTG) on the Ports
Configuration page. [PR/417174: This issue has been resolved.]
■
An EX 4200 or EX 3200 switch with JUNOS Release 9.3R3 or earlier might
experience an optical interface or Virtual Chassis interface transition resulting
in a few milliseconds of traffic loss. [PR/418128: This issue has been resolved.]
■
On EX 3200 and EX 4200 switches, if you configure more than one analyzer
(port mirroring) session, an incorrect commit check error is displayed. As a
workaround, configure only one analyzer session. [PR/428689: This issue has
been resolved.]
■
In the J-Web interface, when you use the port profiles in the Ports configuration
window to configure RSTP while STP or MSTP is configured on the switch and
is in a disabled state, an error message might be displayed and the port profile
configuration might be prevented from being committed. As a workaround,
delete the disabled STP or MSTP configuration from the switch. [PR/429615:
This issue has been resolved.]
■
In the J-Web interface, when you are editing interfaces through either the Add
VLAN or Edit VLAN window in the IGMP Snooping Configuration page, the Edit
interfaces section might not display interfaces details that have not yet been
committed. [PR/432664: This issue has been resolved.]
■
In the J-Web interface, the Redundant Trunk Group Add or Edit window might
list all the trunk interfaces configured on the switch without verifying the interface
information. If a Virtual Chassis member ID is changed or a line card is moved
to a different slot, the previous interface details might also be listed. [PR/433427:
This issue has been resolved.]
■
In the J-Web interface, the Edit MSTI window in the Spanning Tree Configuration
page might not display details of an uncommitted interface configuration.
[PR/433506: This issue has been resolved.]
■
If all interfaces is configured as analyzer (port mirroring configuration) input in
the ingress or egress direction, the analyzer output interface might not be
removed from the input list of interfaces, resulting in a mirroring loop. As a
workaround, delete that particular analyzer configuration, commit the change
and reconfigure the analyzer. [PR/436304: This issue has been resolved.]
■
On EX 8200 series switches, when multiple analyzer (port mirroring configuration)
sessions refer to a VLAN in the analyzer output stanza, the VLAN is created in
the same commit cycle, and only the first analyzer will be functional in the
system. As a workaround, you can restart the Ethernet switching process (eswd)
after the commit. [PR/437098: This issue has been resolved.]
■
In the J-Web interface, if a VLAN has been configured in the interfaces stanza, an
incorrect validation message might be displayed when you are specifying an
interface for an MST instance. [PR/437448: This issue has been resolved.]
■
In rare occurrences, the hardware device routing table goes out of sync with the
software routing table, resulting in packet drops. The device routing table
is responsible for correct packet transfer between interfaces across Virtual Chassis
members. [PR/439486: This issue has been resolved.]
Interfaces
■
On EX 8208 switches with 48-port RJ-45 line cards, interface links might go
down and come back up while you are adding the interfaces to an aggregated
Ethernet interface. [PR/395936: This issue has been resolved.]
■
On EX 8208 switches, sometimes the autonegotiation status on interfaces is
shown as None, even though flow control is negotiated correctly, enabled, and
functioning. [PR/302662: This issue has been resolved.]
■
On EX 8208 switches, if an analyzer (a port mirroring configuration) is configured
to mirror traffic on both ingress and egress interfaces, traffic loss is observed on
the mirrored port. [PR/398182: This issue has been resolved.]
■
On EX 8208 switches, when a Layer 3 subinterface and an RVI are next hops
for a multicast group, modifying the subinterface configuration causes flooding
in the VLAN until the IGMP snooping table is populated. [PR/403597: This issue
has been resolved.]
■
On EX 8208 switches, if autonegotiation is enabled on an interface, the interface
might go down and come up again after a GRES. As a workaround, configure
the speed as 1 gigabit and the duplex mode as full duplex. [PR/410816: This
issue has been resolved.]
■
On EX 8208 switches, multifield classifier (MFC)-based rewrites might not work.
[PR/412106: This issue has been resolved.]
■
On EX 3200 and EX 4200 switches, ping traffic does not always go through on
an aggregated Ethernet interface. [PR/422148: This issue has been resolved.]
■
On EX 8208 switches, if a Layer 3 LAG interface is configured with VLAN tagging,
disabling one subinterface disables the aggregated Ethernet interface.
As a workaround, do the following:
1. Deactivate and activate the configuration.
2. Delete and add the LAG interface again.
3. Restart the respective line card.
[PR/413110: This issue has been resolved.]
Layer 3 Protocols
■
On EX 8208 switches, if you issue the clear pim join command multiple times in
a short time, multicast traffic fails to recover. As a workaround, restart the line
card. [PR/405899: This issue has been resolved.]
■
On EX 8208 switches, after a graceful Routing Engine switchover (GRES), under
certain circumstances, Layer 3 unicast traffic might egress with the wrong MAC
address. As a workaround, issue the clear arp command to refresh the Address
Resolution Protocol (ARP) entries. [PR/418325: This issue has been resolved.]
■
When the dates on the members of a Virtual Chassis are not synchronized, a
member switch or backup forwarding process (pfem) might not be able to connect
to the master. [PR/278784: This issue has been resolved.]
Virtual Chassis
Upgrading or Downgrading from JUNOS Release 9.4R1 for EX-series
Switches
The ARP aging time configuration in the system configuration stanza in JUNOS Release
9.4R1 is incompatible with the ARP aging time configuration in JUNOS Release 9.3R1
or earlier and JUNOS Release 9.4R2 or later. If you have configured system arp
aging-timer aging-time on EX-series switches running JUNOS Release 9.4R1 and upgrade
to JUNOS Release 9.4R2 or later or downgrade to JUNOS Release 9.3R1 or earlier,
the switch will display configuration errors on booting up after the upgrade or
downgrade. As a workaround, delete the arp aging-timer aging-time configuration in
the system configuration stanza and reapply the configuration after you complete
the upgrade or downgrade.
Upgrading from JUNOS Release 9.3R1 to Release 9.5 for EX-series Switches
If you are upgrading from JUNOS Release 9.3R1 and have voice over IP (VoIP) enabled
on a private VLAN (PVLAN), you must remove this configuration before upgrading,
to prevent upgrade problems. VoIP on PVLAN interfaces is not supported in releases
later than JUNOS Release 9.3R1.
Upgrading from JUNOS Release 9.2 to Release 9.5 for EX-series Switches
For JUNOS Release 9.3 and later for EX-series switches, during the upgrade process,
the switch performs reference checks on VLANs and interfaces in the 802.1X
configuration stanza. If there are references in the 802.1X stanza to names or tags
of VLANs that are not currently configured on the switch or to interfaces that are not
configured or do not belong to the ethernet-switching family, the upgrade will fail. In
addition, static MAC addresses on single-supplicant mode interfaces are not supported.
CAUTION: If your Release 9.2 configuration includes any of the following conditions,
revise the configuration before upgrading to Release 9.5. If you do not take these
actions, the upgrade will fail:
■
Ensure that all VLAN names and tags in the 802.1X configuration stanza are
configured on the switch and that all interfaces are configured on the switch and
assigned to the ethernet-switching family. If the VLAN or the interface is not
configured and you try to commit the configuration, the commit will fail.
■
Remove static MAC addresses on single-supplicant mode interfaces. If they exist
and you try to commit the configuration, the commit will fail.
■
In an 802.1X configuration stanza, if authentication-profile-name does not exist
and you try to commit the configuration, the commit will fail.
■
In an 802.1X configuration stanza, broadcast and multicast MAC addresses are
not allowed in a static MAC configuration. If they exist and you try to commit
the configuration, the commit will fail.
■
Support for static MAC address bypass in single or single-secure mode has been
removed. If static MAC bypass in those modes exists and you try to commit the
configuration, the commit will fail.
■
In an 802.1X configuration stanza, the switch will not accept the option vrange
as an assigned VLAN name. If it exists and you try to commit the configuration,
the commit will fail.
■
Enabling 802.1X and the port mirroring feature on the same interface is not
supported. If you enable 802.1X and port mirroring on the same interface and
then attempt to commit the configuration, the commit will fail.
■
In an 802.1X configuration stanza, if the VLAN name or tag specified under dot1x
authenticator static does not exist and you try to commit the configuration, the
commit will fail.
■
In the interfaces configuration stanza, if no-auto-negotiation is configured but
speed and link duplex settings are not configured under ether-options and you
try to commit the configuration, the commit will fail. If no-auto-negotiation is
configured under ether-options, you must configure speed and link duplex settings.
■
In the ethernet-switching-options configuration, if action is not configured for the
number of MAC addresses allowed on the interface (under secure-access-port
interface interface-name mac-limit in the CLI or in the Port Security Configuration
page in the J-Web interface), you must configure an action for the MAC address
limit before upgrading from Release 9.2 to Release 9.5. If it is not configured
and you try to commit the configuration, the commit will fail.
■
If you have configured a tagged interface on logical interface 0 (unit 0), configure
a tagged interface on a logical interface other than unit 0 before upgrading from
Release 9.2 to Release 9.5. If you have not done this and you try to commit the
configuration, the commit will fail. Beginning with JUNOS software Release 9.3
for EX-series switches, untagged packets, BPDUs (such as in LACP and STP), and
priority-tagged packets are processed on logical interface 0 and not on logical
interface 32767. In addition, if you have not configured any untagged interfaces,
the switch creates a default logical interface 0.
■
On EX 4200 switches, if you have installed advanced licenses for features such
as BGP, rename the /config/license directory to /config/.license_priv before
upgrading from Release 9.2 to Release 9.3 or later. If the switch does not have
a /config/license directory, create the /config/.license_priv directory manually
before you upgrade. If you do not rename the /config/license directory or create
the /config/.license_priv directory manually, the licenses installed will be deleted
after you upgrade from Release 9.2 to Release 9.3 or later.
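Several of the commit-failure conditions in the caution above can be checked offline before the upgrade. The following Python audit is an added example, not part of the Juniper release notes; it reads a configuration saved in display set form. The sample configuration is constructed, and the statement layouts it parses (supplicant, guest-vlan, vlan-assignment, link-mode, access profile, analyzer input) and the default of single-supplicant mode are assumptions about the Release 9.2 EX-series syntax.

```python
from collections import defaultdict

# Constructed sample in "display set" form; all names and MACs are made up.
SAMPLE_CONFIG = """\
set vlans employees vlan-id 10
set access profile corp-radius authentication-order radius
set interfaces ge-0/0/1 ether-options no-auto-negotiation
set interfaces ge-0/0/1 ether-options speed 1g
set interfaces ge-0/0/2 ether-options no-auto-negotiation
set interfaces ge-0/0/2 ether-options speed 1g
set interfaces ge-0/0/2 ether-options link-mode full-duplex
set protocols dot1x authenticator authentication-profile-name corp-radius
set protocols dot1x authenticator interface ge-0/0/3.0 supplicant single
set protocols dot1x authenticator static 01:00:5e:00:00:01 interface ge-0/0/3.0
set protocols dot1x authenticator static 00:10:94:00:00:02 interface ge-0/0/3.0
set protocols dot1x authenticator static 00:10:94:00:00:02 vlan-assignment voice
set ethernet-switching-options analyzer tap input ingress interface ge-0/0/3.0
set ethernet-switching-options secure-access-port interface ge-0/0/4.0 mac-limit 4
set ethernet-switching-options secure-access-port interface ge-0/0/5.0 mac-limit 4 action drop
"""


def after(tokens, key):
    """Return the token that follows `key`, or None if there is none."""
    if key in tokens[:-1]:
        return tokens[tokens.index(key) + 1]
    return None


def base(ifname):
    """ge-0/0/3.0 -> ge-0/0/3, so physical and logical names compare equal."""
    return ifname.split(".")[0]


def audit(config_text):
    """Return sorted (check, subject) findings for the commit-failure conditions."""
    ether = defaultdict(set)            # interface -> ether-options keywords seen
    vlan_names, vlan_tags, profiles = set(), set(), set()
    dot1x_mode, statics, mac_limit = {}, {}, {}
    mirrored, vlan_refs, auth_profile = set(), set(), None

    for line in config_text.splitlines():
        t = line.split()
        if len(t) < 3 or t[0] != "set":
            continue
        if t[1] == "vlans":
            vlan_names.add(t[2])
            if after(t, "vlan-id"):
                vlan_tags.add(after(t, "vlan-id"))
        elif t[1:3] == ["access", "profile"] and len(t) > 3:
            profiles.add(t[3])
        elif t[1] == "interfaces" and t[3:4] == ["ether-options"] and len(t) > 4:
            ether[t[2]].add(t[4])
        elif t[1:4] == ["protocols", "dot1x", "authenticator"]:
            rest = t[4:]
            if rest[:1] == ["authentication-profile-name"]:
                auth_profile = after(rest, "authentication-profile-name")
            elif rest[:1] == ["interface"] and len(rest) > 1:
                # Assumption: an interface with no explicit mode runs "single".
                dot1x_mode.setdefault(base(rest[1]), "single")
                if after(rest, "supplicant"):
                    dot1x_mode[base(rest[1])] = after(rest, "supplicant")
                if after(rest, "guest-vlan"):
                    vlan_refs.add(after(rest, "guest-vlan"))
            elif rest[:1] == ["static"] and len(rest) > 1:
                statics.setdefault(rest[1], None)
                if after(rest, "interface"):
                    statics[rest[1]] = base(after(rest, "interface"))
                if after(rest, "vlan-assignment"):
                    vlan_refs.add(after(rest, "vlan-assignment"))
        elif t[1] == "ethernet-switching-options":
            port = after(t, "interface")
            if t[2] == "analyzer" and "input" in t and port:
                mirrored.add(base(port))
            elif t[2] == "secure-access-port" and "mac-limit" in t and port:
                mac_limit[base(port)] = mac_limit.get(base(port), False) or "action" in t

    found = []
    for ifd, opts in ether.items():
        if "no-auto-negotiation" in opts and not {"speed", "link-mode"} <= opts:
            found.append(("fixed-mode-without-speed-duplex", ifd))
    found += [("mac-limit-without-action", p) for p, ok in mac_limit.items() if not ok]
    found += [("dot1x-with-port-mirroring", p) for p in dot1x_mode.keys() & mirrored]
    if auth_profile and auth_profile not in profiles:
        found.append(("undefined-authentication-profile", auth_profile))
    for mac, port in statics.items():
        if int(mac.split(":")[0], 16) & 1:          # group bit: broadcast/multicast
            found.append(("group-static-mac", mac))
        if dot1x_mode.get(port) in ("single", "single-secure"):
            found.append(("static-mac-on-single-supplicant", mac))
    for ref in vlan_refs:
        if ref not in (vlan_tags if ref.isdigit() else vlan_names):
            found.append(("undefined-vlan", ref))
    return sorted(found)


if __name__ == "__main__":
    for check, subject in audit(SAMPLE_CONFIG):
        print(f"{check:34} {subject}")
```

An empty result means none of the audited conditions were found; the tagged-interface and license-directory items in the list are not covered by this check.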
Downgrading from JUNOS Release 9.5 to Release 9.2 for EX 4200 Switches
When you downgrade a Virtual Chassis configuration from JUNOS Release 9.5 to
JUNOS Release 9.2 for EX-series switches, member switches might not retain the
mastership priorities that had been configured previously. To restore the previously
configured mastership priorities, commit the configuration by issuing the commit
command.
Related Topics
■
New Features in JUNOS Software for EX-series Switches, Release 9.5 on page 162
■
Changes in Default Behavior and Syntax on page 166
■
Errata in Documentation for JUNOS Software Release 9.5 for EX-series Switches
on page 178
Errata in Documentation for JUNOS Software Release 9.5 for EX-series Switches
Hardware
■
In JUNOS Release 9.5 for EX-series switches, statistical mirroring is supported
only in the ingress direction on EX 8208 switches.
■
The Alarm LED (labeled ALM) on EX-series switches indicates a minor alarm
(yellow or amber) when you power on a switch for the first time because no
rescue configuration is saved on the switch.
■
The J-Web Online Help for configuring MAC limit and MAC move limit features
in port security does not reflect recent changes to the default configuration values.
See the EX-series documentation topics for the most up-to-date information.
Infrastructure
Virtual Chassis
■
To form a Virtual Chassis configuration using network ports as Virtual Chassis
ports (VCPs), directly connect the network ports to each other and configure
them as VCPs.
Related Topics
■
New Features in JUNOS Software for EX-series Switches, Release 9.5 on page 162
■
Outstanding and Resolved Issues and Upgrade/Downgrade Issues in JUNOS
Release 9.5 for EX-series Switches on page 167
■
Changes in Default Behavior and Syntax on page 166
JUNOS Documentation and Release Notes
For a list of related JUNOS documentation, see
http://www.juniper.net/techpubs/software/junos/.
If the information in the latest release notes differs from the information in the
documentation, follow the JUNOS Release Notes.
To obtain the most current version of all Juniper Networks® technical documentation,
see the product documentation page on the Juniper Networks website at
http://www.juniper.net/techpubs/.
Juniper Networks supports a technical book program to publish books by Juniper
Networks engineers and subject matter experts with book publishers around the
world. These books go beyond the technical documentation to explore the nuances
of network architecture, deployment, and administration using JUNOS Software and
Juniper Networks devices. In addition, the Juniper Networks Technical Library,
published in conjunction with O'Reilly Media, explores improving network security,
reliability, and availability using JUNOS configuration techniques. All the books are
for sale at technical bookstores and book outlets around the world. The current list
can be viewed at http://www.juniper.net/books.
Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we can
improve the documentation. You can send your comments to
techpubs-comments@juniper.net, or fill out the documentation feedback form at
https://www.juniper.net/cgi-bin/docbugreport/. If you are using e-mail, be sure to include
the following information with your comments:
■
Document name
■
Document part number
■
Page number
■
Software release version
Requesting Technical Support
Technical product support is available through the Juniper Networks Technical
Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support
contract, or are covered under warranty, and need postsales technical support, you
can access our tools and resources online or open a case with JTAC.
■
JTAC policies—For a complete understanding of our JTAC procedures and policies,
review the JTAC User Guide located at
http://www.juniper.net/customers/support/downloads/710059.pdf.
■
Product warranties—For product warranty information, visit
http://www.juniper.net/support/warranty/.
■
JTAC Hours of Operation—The JTAC centers have resources available 24 hours
a day, 7 days a week, 365 days a year.
Self-Help Online Tools and Resources
For quick and easy problem resolution, Juniper Networks has designed an online
self-service portal called the Customer Support Center (CSC) that provides you with
the following features:
■
Find CSC offerings: http://www.juniper.net/customers/support/
■
Search for known bugs: http://www2.juniper.net/kb/
■
Find product documentation: http://www.juniper.net/techpubs/
■
Find solutions and answer questions using our Knowledge Base:
http://kb.juniper.net/
■
Download the latest versions of software and review release notes:
http://www.juniper.net/customers/csc/software/
■
Search technical bulletins for relevant hardware and software notifications:
https://www.juniper.net/alerts/
■
Join and participate in the Juniper Networks Community Forum:
http://www.juniper.net/company/communities/
■
Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/
To verify service entitlement by product serial number, use our Serial Number
Entitlement (SNE) Tool located at https://tools.juniper.net/SerialNumberEntitlementSearch/.
Opening a Case with JTAC
You can open a case with JTAC on the Web or by telephone.
■
Use the Case Management tool in the CSC at http://www.juniper.net/cm/.
■
Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).
For international or direct-dial options in countries without toll-free numbers, visit
us at http://www.juniper.net/support/requesting-support.html.
If you are reporting a hardware or software problem, issue the following command
from the CLI before contacting support:
user@host> request support information | save filename
To provide a core file to Juniper Networks for analysis, compress the file with the
gzip utility, rename the file to include your company name, and copy it to
ftp.juniper.net:pub/incoming. Then send the filename, along with software version
information (the output of the show version command) and the configuration, to
support@juniper.net. For documentation issues, fill out the bug report form located at
https://www.juniper.net/cgi-bin/docbugreport/.
Revision History
19 February 2010—Revision 4, JUNOS Release 9.5R4
30 October 2009—Revision 3, JUNOS Release 9.5R3
07 July 2009—Revision 2, JUNOS Release 9.5R2
26 May 2009—Revision 1, rev. 2, JUNOS Release 9.5R1
13 April 2009—Revision 1, JUNOS Release 9.5R1
Copyright © 2010, Juniper Networks, Inc. All rights reserved.
Juniper Networks, the Juniper Networks logo, JUNOS, NetScreen, ScreenOS, and Steel-Belted Radius are registered trademarks of Juniper Networks, Inc. in
the United States and other countries. JUNOSe is a trademark of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or
registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or
otherwise revise this publication without notice.
Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed
to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347,
6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.