Release Notes - Juniper Networks

Release Notes: Junos OS Release 16.1R4
for the ACX Series, EX Series, MX Series,
PTX Series, QFX Series, T Series, and
Junos Fusion
6 September 2017
Contents
Introduction
Junos OS Release Notes for ACX Series
  New and Changed Features
    Release 16.1R2 New and Changed Features
    Release 16.1R1 New and Changed Features
  Changes in Default Behavior and Syntax
    Interfaces and Chassis
    Management
    System Logging
    User Interface and Configuration
    Junos OS XML API and Scripting
  Known Behavior
  Known Issues
    Class of Service
    Firewall Filters
    Interfaces and Chassis
    Integrated Routing and Bridging
    Layer 2 Services
    MPLS Applications
    Network Management
    Statistics
    Timing and Synchronization
  Resolved Issues
  Documentation Updates
  Migration, Upgrade, and Downgrade Instructions
    Upgrade and Downgrade Support Policy for Junos OS Releases
Copyright © 2017, Juniper Networks, Inc.
  Product Compatibility
    Hardware Compatibility
Junos OS Release Notes for EX Series Switches
  New and Changed Features
    Hardware
    Authentication, Authorization, and Accounting
    Interfaces and Chassis
    Management
    Multicast
    Network Management and Monitoring
    Port Security
    Routing Policy and Firewall Filters
    Software-Defined Networking
    User Interface and Configuration
    VPNs
  Changes in Behavior and Syntax
    Authentication and Access Control
    General Routing
    Management
    Security
    User Interface and Configuration
  Known Behavior
    Authentication and Access Control
    Interfaces and Chassis
    Layer 2 Features
    Multicast
    Platform and Infrastructure
    Port Security
    Security
    Software Installation and Upgrade
    User Interface and Configuration
  Known Issues
    Authentication and Access Control
    Firewall Filters
    Interfaces and Chassis
    Layer 2 Features
    Platform and Infrastructure
    Port Security
    Software Installation and Upgrade
  Resolved Issues
    Resolved Issues: 16.1R4
    Resolved Issues: 16.1R3
  Documentation Updates
  Migration, Upgrade, and Downgrade Instructions
    Upgrade and Downgrade Support Policy for Junos OS Releases
  Product Compatibility
    Hardware Compatibility
Junos OS Release Notes for Junos Fusion Enterprise
  New and Changed Features
    Junos Fusion Enterprise
  Changes in Behavior and Syntax
    General Routing
  Known Behavior
    Junos Fusion
  Known Issues
    Authentication and Access Control
    Interfaces and Chassis
    Layer 2 Features
    Platform and Infrastructure
  Resolved Issues
    Resolved Issues: 16.1R4
    Resolved Issues: 16.1R3
  Documentation Updates
  Migration, Upgrade, and Downgrade Instructions
    Basic Procedure for Upgrading Junos OS on an Aggregation Device
    Upgrading an Aggregation Device with Redundant Routing Engines
    Preparing the Switch for Satellite Device Conversion
    Converting a Satellite Device to a Standalone Switch
    Upgrade and Downgrade Support Policy for Junos OS Releases
    Downgrading from Release 16.1
  Product Compatibility
    Hardware and Software Compatibility
Junos OS Release Notes for Junos Fusion Provider Edge
  New and Changed Features
    Hardware
    Junos Fusion
    Multicast
  Changes in Behavior and Syntax
  Known Behavior
  Known Issues
    Junos Fusion
  Resolved Issues
    Resolved Issues: 16.1R3
    Resolved Issues: 16.1R2
  Documentation Updates
  Migration, Upgrade, and Downgrade Instructions
    Basic Procedure for Upgrading an Aggregation Device
    Upgrading an Aggregation Device with Redundant Routing Engines
    Preparing the Switch for Satellite Device Conversion
    Converting a Satellite Device to a Standalone Switch
    Upgrading an Aggregation Device from Junos OS Release 14.2
    Upgrade and Downgrade Support Policy for Junos OS Releases
    Downgrading from Release 16.1
  Product Compatibility
    Hardware Compatibility
Junos OS Release Notes for MX Series 3D Universal Edge Routers and T Series Core Routers
  New and Changed Features
    Release 16.1R4 New and Changed Features
    Release 16.1R3 New and Changed Features
    Release 16.1R2 New and Changed Features
    Release 16.1R1 New and Changed Features
  Changes in Behavior and Syntax
    Authentication and Access Control
    General Routing
    Interfaces and Chassis
    Junos OS XML API and Scripting
    Layer 2 Features
    Management
    MPLS
    Network Management and Monitoring
    Operation, Administration, and Maintenance (OAM)
    Platform and Infrastructure
    Routing Policy and Firewall Filters
    Routing Protocols
    Security
    Services Applications
    Software Installation and Upgrade
    Subscriber Management and Services
    System Logging
    System Management
    User Interface and Configuration
  Known Behavior
    Forwarding and Sampling
    General Routing
    Interfaces and Chassis
    MPLS
    Network Management and Monitoring
    Routing Protocols
    Software Installation and Upgrade
    Subscriber Management and Services
    System Logging
    User Interface and Configuration
    VPNs
  Known Issues
    Class of Service (CoS)
    Forwarding and Sampling
    General Routing
    High Availability (HA) and Resiliency
    Infrastructure
    Interfaces and Chassis
    Junos Fusion Provider Edge
    Layer 2 Features
    MPLS
    Network Management and Monitoring
    Platform and Infrastructure
    Routing Protocols
    Services Applications
    Software Installation and Upgrade
    Subscriber Access Management
    VPNs
  Resolved Issues
    Resolved Issues: 16.1R4
    Interfaces and Chassis
    Layer 2 Features
    MPLS
    Multicast
    Network Management and Monitoring
    Platform and Infrastructure
    Resolved Issues: 16.1R3
    Resolved Issues: 16.1R2
    Resolved Issues: 16.1R1
  Documentation Updates
    Advanced Subscriber Management Provision Guide
    L2 VPNS Feature Guide
    Monitoring, Sampling Collection Services Interface Feature Guide
    Tunnel Encryption Services Interfaces Feature Guide
    Software Installation and Upgrade Guide
    Security Services Administration Guide
    SNMP MIBS and traps reference
    Subscriber Management Access Network Guide
    Syslog Reference Guide
    Standards Reference
    Subscriber Management Provisioning Guide
  Migration, Upgrade, and Downgrade Instructions
    Basic Procedure for Upgrading to Release 16.1
    Upgrading from Junos OS (FreeBSD 6.1) to Junos OS (FreeBSD 10.x)
    Upgrading from Junos OS (FreeBSD 6.1) to Junos OS (FreeBSD 6.1)
    Installing the Network Agent Package (Junos Telemetry Interface) in MX Series Routers
    Upgrade and Downgrade Support Policy for Junos OS Releases
    Upgrading a Router with Redundant Routing Engines
    Upgrading Juniper Network Routers Running Draft-Rosen Multicast VPN to Junos OS Release 10.1
    Downgrading from Release 16.1
  Product Compatibility
    Hardware Compatibility
Junos OS Release Notes for PTX Series Packet Transport Routers
  New and Changed Features
    Release 16.1R4 New and Changed Features
    Release 16.1R3 New and Changed Features
    Release 16.1R2 New and Changed Features
    Release 16.1R1 New and Changed Features
  Changes in Behavior and Syntax
    Hardware
    Authentication and Access Control
    Forwarding and Sampling
    Interfaces and Chassis
    Junos OS XML API and Scripting
    Management
    Routing Policy and Firewall Filters
    Routing Protocols
    Services Applications
    Software Installation and Upgrade
    System Logging
    User Interface and Configuration
  Known Behavior
    General Routing
  Known Issues
    General Routing
    Interfaces and Chassis
    Multiprotocol Label Switching (MPLS)
    Routing Protocols
  Documentation Updates
  Resolved Issues
    Resolved Issues: 16.1R4
    Resolved Issues: 16.1R3
    Resolved Issues: 16.1R2
    Resolved Issues: 16.1R1
  Migration, Upgrade, and Downgrade Instructions
    Upgrade and Downgrade Support Policy for Junos OS Releases
    Upgrading a Router with Redundant Routing Engines
    Basic Procedure for Upgrading to Release 16.1
    Installing the Network Agent Package (Junos Telemetry Interface) in PTX Series Routers
  Product Compatibility
    Hardware Compatibility
Junos OS Release Notes for the QFX Series
  New and Changed Features
    Junos OS XML API and Scripting
    MPLS
    Routing Policy and Firewall Filters
    Routing Protocols
    User Interface and Configuration
  Changes in Behavior and Syntax
    Authentication and Access Control
    General Routing
    Interfaces and Chassis
    Network Management and Monitoring
    Security
    Software Installation and Upgrade
    User Interface and Configuration
  Known Behavior
    High Availability (HA) and Resiliency
    Interfaces and Chassis
    Layer 2 Features
    Network Management and Monitoring
    Routing Protocols
    Software Installation and Upgrade
    System Management
  Known Issues
    Firewall Filters
    High Availability and Resiliency
    Infrastructure
    Interfaces and Chassis
    Multicast
    Port Security
    Software Defined Networking
    Software Installation and Upgrade
  Resolved Issues
    Resolved Issues: 16.1R4
    Resolved Issues: 16.1R3
  Documentation Updates
  Migration, Upgrade, and Downgrade Instructions
    Upgrading Software on QFX5100 Standalone Switches
    Installing the Software on QFX10002 Switches
    Performing an In-Service Software Upgrade (ISSU)
    Preparing the Switch for Software Installation
    Upgrading the Software Using ISSU
  Product Compatibility
    Hardware Compatibility
Third-Party Components
Finding More Information
Upgrading Using Unified ISSU
Compliance Advisor
Documentation Feedback
Requesting Technical Support
  Self-Help Online Tools and Resources
  Opening a Case with JTAC
Revision History
Introduction
Junos OS runs on the following Juniper Networks hardware: ACX Series, EX Series, M
Series, MX Series, PTX Series, QFabric systems, QFX Series, SRX Series, T Series, and
Junos Fusion.
These release notes accompany Junos OS Release 16.1R4 for the ACX Series, EX Series,
MX Series, PTX Series, QFX Series, T Series and Junos Fusion. They describe new and
changed features, limitations, and known and resolved problems in the hardware and
software.
Junos OS Release Notes for ACX Series
These release notes accompany Junos OS Release 16.1R4 for the ACX Series. They
describe new and changed features, limitations, and known and resolved problems in
the hardware and software.
You can also find these release notes on the Juniper Networks Junos OS Documentation
webpage, located at http://www.juniper.net/techpubs/software/junos/.
• New and Changed Features on page 8
• Changes in Default Behavior and Syntax on page 26
• Known Behavior on page 29
• Known Issues on page 29
• Resolved Issues on page 38
• Documentation Updates on page 38
• Migration, Upgrade, and Downgrade Instructions on page 39
• Product Compatibility on page 39
New and Changed Features
There are no new features and enhancements in Junos OS Release 16.1R4 for ACX Series
Universal Access Routers.
• Release 16.1R2 New and Changed Features on page 9
• Release 16.1R1 New and Changed Features on page 25
Release 16.1R2 New and Changed Features
Hardware
• ACX4000 Universal Access Router—Starting in Junos OS Release 16.1R2, Junos OS
supports the ACX4000 router. These routers enable a wide range of business and
residential applications and services, including microwave cell site aggregation, MSO
mobile backhaul service cell site deployment, and service provider or operator cell site
deployment.
The ACX4000 router supports use of either four RJ-45 ports or four Gigabit Ethernet
SFP transceivers. The ACX4000 router contains two PoE ports and four ports that
accept transceivers. The two ports labeled GE support Gigabit Ethernet SFP
transceivers. The two ports labeled XE support Gigabit Ethernet SFP transceivers and
10-Gigabit Ethernet SFP+ transceivers. The router has two dedicated slots for MICs.
For a list of the supported MICs, see the ACX4000 Universal Access Router MIC Guide.
Class of Service
• Class of service for PPP and MLPPP interfaces (ACX Series)—Starting in Junos OS
Release 16.1R2, ACX Series Universal Access Routers support class-of-service (CoS)
functionalities on PPP and MLPPP interfaces. Up to four forwarding classes and four
queues are supported per logical interface for PPP and MLPPP packets.
The following restrictions apply when you configure CoS on PPP and MLPPP interfaces
on ACX Series routers:
• For interfaces with PPP encapsulation, you can configure interfaces to support only
the IPv4, Internet Protocol Control Protocol (IPCP), PPP Challenge Handshake
Authentication Protocol (CHAP), and Password Authentication Protocol (PAP)
applications.
• Drop timeout is not supported.
• Loss of traffic occurs during a change of scheduling configuration; you cannot modify
scheduling attributes instantaneously.
• Buffer size is calculated in terms of number of packets, with 256 bytes considered
as the average packet size.
• Only two loss priority levels, namely low and high, are supported.
• Support for MLPPP encapsulation (ACX Series)—Starting in Junos OS Release 16.1R2,
you configure multilink bundles as logical units or channels on the link services interface
lsq-0/0/0. With MLPPP, multilink bundles are configured as logical units on
lsq-0/0/0—for example, lsq-0/0/0.0 and lsq-0/0/0.1. After creating multilink bundles,
you add constituent links to the bundle.
MLPPP is supported on ACX1000, ACX2000, and ACX2100 routers, and with
Channelized OC3/STM1 (Multi-Rate) MICs with SFP and 16-port Channelized E1/T1
Circuit Emulation MIC on ACX4000 routers. With multilink PPP bundles, you can use
the PPP Challenge Handshake Authentication Protocol (CHAP) and Password
Authentication Protocol (PAP) for secure transmission over the PPP interfaces.
To configure MLPPP encapsulation, include the encapsulation multilink-ppp statement
at the [edit interfaces lsq-fpc/pic/port unit logical-unit-number] hierarchy level. To
aggregate T1 links into an MLPPP bundle, include the bundle statement at the [edit
interfaces t1-fpc/pic/port unit logical-unit-number family mlppp] hierarchy level.
• Support for configuring the shared buffer size (ACX Series)—Starting in Junos OS
Release 16.1R2, ACX Series Universal Access Routers enable you to control the amount
of shared packet buffer a given queue can consume. Using this feature, you can ensure
that important queues have a higher chance of using the shared buffers than less
important queues. To achieve this, you can configure lower values for the shared-buffer
maximum CLI statement for the less important queues, and higher values for the
shared-buffer maximum CLI statement for the important queues.
You can explicitly configure the shared-buffer maximum CLI statement at the [edit
class-of-service] hierarchy level.
NOTE: The default value for shared-buffer maximum is 66%.
Firewall Filters
• Support for hierarchical policers (ACX Series)—Starting in Junos OS Release 16.1R2,
ACX Series Universal Access Routers support two-level ingress hierarchical policing.
With single-level policers, you cannot administer the method by which the
committed information rate (CIR) and the excess information rate (EIR) values specified
in the bandwidth profile are shared across different flows. For example, in a certain
network deployment, you might want an equal or even distribution of CIR across the
individual flows. In such a scenario, you cannot accomplish this requirement using
single-level policers and need to configure aggregate or hierarchical policers.
Aggregate policers operate in peak, guarantee, and hybrid modes. You can configure
an aggregate policer by including the aggregate-policer aggregate-policer-name
statement at the [edit firewall policer policer-name if-exceeding] hierarchy level. You
can specify the mode of the aggregate policer by including the aggregate-sharing-mode
[guarantee | peak | hybrid] statement at the [edit firewall policer policer-name
if-exceeding aggregate-policer aggregate-policer-name] hierarchy level.
• Enhancement to support additional firewall filter match capabilities (ACX
Series)—Starting in Junos OS Release 16.1R2, ACX Series routers support additional
match capabilities at the [edit firewall family ccc filter] and [edit firewall family inet
filter] hierarchy levels.
The existing firewalls do not support Layer 2, Layer 3, and Layer 4 fields at the [edit
firewall family ccc filter] hierarchy level. With additional matching fields, ACX Series
routers support all the available Layer 2, Layer 3, and Layer 4 fields on the
user-to-network interface side (ethernet-ccc/vlan-ccc).
At the [edit firewall family inet filter] hierarchy level, the fragment-flags match field
has been removed to accommodate the following Layer 2 and Layer 3 fields:
Table 1: Fields Added to the [edit firewall family inet filter] Hierarchy Level
Field            Description
first-fragment   Matches if packet is the first fragment
is-fragment      Matches if packet is a fragment
The scale for inet and ccc in the firewall family filter has been reduced from 250
hardware entries to 122 hardware entries.
Interfaces and Chassis
• Support for Channelized OC3/STM1 (Multi-Rate) Circuit Emulation MIC with SFP
(ACX4000)—Starting in Junos OS Release 16.1R2, ACX4000 Universal Access Routers
support the Channelized OC3/STM1 (Multi-Rate) Circuit Emulation MIC with SFP
(model number ACX-MIC-4COC3-1COC12CE).
The key features supported are:
• Structure-Agnostic TDM over Packet (SAToP)
• Pseudowire Emulation Edge to Edge (PWE3) control word for use over an MPLS
packet-switched network (PSN)
• Support for 6-port Gigabit Ethernet Copper/SFP MIC (ACX4000)—Starting in Junos
OS Release 16.1R2, ACX4000 Universal Access Routers support the 6-port Gigabit
Ethernet Copper/SFP MIC. The 6-port Gigabit Ethernet Copper/SFP MIC features six
tri-speed (10/100/1000 Mbps) Ethernet ports. Each port can be configured to operate
in either RJ-45 or SFP mode and can support PoE.
• Support for chassis management (ACX4000)—Starting in Junos OS Release 16.1R2,
ACX4000 Universal Access Routers support the following CLI operational mode
commands:
Show commands:
• show chassis alarms
• show chassis craft-interface
• show chassis environment
• show chassis environment pem
• show chassis fan
• show chassis firmware
• show chassis fpc pic-status
• show chassis hardware (clei-models | detail | extensive | models)
• show chassis mac-addresses
• show chassis pic fpc-slot fpc-slot pic-slot pic-slot
• show chassis routing-engine
Restart command:
• restart chassis-control (gracefully | immediately | soft)
Request commands:
• request chassis feb restart slot slot-number
• request chassis mic mic-slot mic-slot fpc-slot fpc-slot (offline | online)
• request chassis pic offline fpc-slot fpc-slot pic-slot pic-slot
• User-defined alarms (ACX Series)—Starting in Junos OS Release 16.1R2, on ACX Series
routers, the alarm contact port (labeled ALARM) provides four user-defined input ports
and two user-defined output ports. Whenever a system condition occurs—such as a
rise in temperature, and depending on the configuration—the input or output port is
activated.
To view the alarm relay information, issue the show chassis craft-interface command
from the Junos OS command-line interface.
• Support for Ethernet synthetic loss measurement (ACX Series)—Starting in Junos
OS Release 16.1R2, you can trigger on-demand and proactive Operations, Administration,
and Maintenance (OAM) for measurement of statistical counter values corresponding
to ingress and egress synthetic frames. Frame loss is calculated using synthetic frames
instead of data traffic. These counters maintain a count of transmitted and received
synthetic frames and frame loss between a pair of maintenance association end points
(MEPs).
The Junos OS implementation of Ethernet synthetic loss measurement (ETH-SLM) is
fully compliant with ITU-T Recommendation Y.1731. Junos OS maintains various
counters for ETH-SLM PDUs, which can be retrieved at any time for sessions that are
initiated by a certain MEP. You can clear all the ETH-SLM statistics and PDU counters.
• Support for Network Address Translation (ACX Series)—Starting in Junos OS Release
16.1R2, ACX Series Universal Access Routers support Network Address Translation
(NAT). NAT is a method for modifying or translating network address information in
packet headers. Either or both source and destination addresses in a packet may be
translated. NAT can include the translation of port numbers as well as IP addresses.
ACX Series routers support only source NAT for IPv4 packets. Static and destination
NAT types are currently not supported on the ACX Series routers.
NOTE: In ACX Series routers, NAT is supported only on the ACX1100
AC-powered router.
• Support for inline service interface (ACX Series)—Starting in Junos OS Release 16.1R2,
ACX Series Universal Access Routers support inline service interface. An inline service
interface is a virtual physical interface that resides on the Packet Forwarding Engine.
The si- interface makes it possible to provide NAT services without a special services
PIC.
To configure inline NAT, you define the service interface as type si- (service-inline)
interface. You must also reserve adequate bandwidth for the inline interface. This
enables you to configure both interface and next-hop service sets used for NAT.
NOTE: In ACX Series routers, you can configure only one inline services
physical interface as an anchor interface for NAT sessions: si-0/0/0.
• Support for IPsec (ACX Series)—Starting in Junos OS Release 16.1R2, you can configure
IPsec on ACX Series Universal Access Routers. The IPsec architecture provides a security
suite for the IP version 4 (IPv4) network layer. The suite provides functionality such as
authentication of origin, data integrity, confidentiality, replay protection, and
nonrepudiation of source. In addition to IPsec, Junos OS also supports the Internet Key
Exchange (IKE), which defines mechanisms for key generation and exchange, and
manages security associations. IPsec also defines a security association and key
management framework that can be used with any network layer protocol. The security
association specifies what protection policy to apply to traffic between two IP-layer
entities. IPsec provides secure tunnels between two peers.
NOTE: IPsec is supported only on the ACX1100 AC-powered router and is
limited to 100 Mbps maximum throughput.
• Support for ATM OAM F4 and F5 cells (ACX Series)—Starting in Junos OS Release
16.1R2, ACX Series routers provide Asynchronous Transfer Mode (ATM) support for the
following Operations, Administration, and Maintenance (OAM) fault management cell
types:
• F4 alarm indication signal (AIS) (end-to-end)
• F4 remote defect indication (RDI) (end-to-end)
• F4 loopback (end-to-end)
• F5 AIS
• F5 RDI
• F5 loopback
ATM OAM is supported on ACX1000, ACX2000, and ACX2100 routers, and on 16-port
Channelized E1/T1 Circuit Emulation MICs on ACX4000 routers.
Junos OS supports the following methods of processing OAM cells that traverse through
pseudowires with circuit cross-connect (CCC) encapsulation:
• Virtual path (VP) pseudowires (CCC encapsulation)
• Port pseudowires (CCC encapsulation)
• Virtual circuit (VC) pseudowires (CCC encapsulation)
For ATM pseudowires, the F4 flow cell is used to manage the VP level. On ACX Series
routers with ATM pseudowires (CCC encapsulation), you can configure OAM F4 cell
flows to identify and report virtual path connection (VPC) defects and failures. Junos
OS supports three types of OAM F4 cells in end-to-end F4 flows:
• Virtual path AIS
• Virtual path RDI
• Virtual path loopback
For OAM F4 and F5 cells, IP termination is not supported. Also, Junos OS does not
support segment F4 flows, VPC continuity check, or VP performance management
functions.
For OAM F4 cells, on each VP, you can configure an interval during which to transmit
loopback cells by including the oam-period statement at the [edit interfaces
interface-name atm-options vpi vpi-identifier] hierarchy level. To modify OAM liveness
values on a VP, include the oam-liveness statement at the [edit interfaces interface-name
atm-options vpi vpi-identifier] hierarchy level.
• Support for CESoPSN on Channelized OC3/STM1 (Multi-Rate) Circuit Emulation
MIC with SFP (ACX Series)—Starting in Junos OS Release 16.1R2, you can configure
structure-aware TDM CESoPSN on the Channelized OC3/STM1 (Multi-Rate) Circuit
Emulation MIC with SFP (model number: ACX-MIC-4COC3-1COC12CE) on ACX Series
routers. This rate-selectable MIC can be configured as four OC3/STM1 ports or one
OC12/STM4 port.
• Support for Point-to-Point Protocol encapsulation (ACX Series)—Starting in Junos
OS Release 16.1R2, you can configure Point-to-Point Protocol (PPP) encapsulation on
physical interfaces on ACX Series routers. PPP provides a standard method for
transporting multiprotocol datagrams over a point-to-point link. PPP uses the
High-Speed Data Link Control (HDLC) protocol for its physical interface and provides
a packet-oriented interface for the network-layer protocols.
PPP is supported on the following MICs on ACX Series routers:
• On ACX1000 routers with 8-port built-in T1/E1 TDM MICs.
• On ACX2000 and ACX2100 routers with 16-port built-in T1/E1 TDM MICs.
• On ACX4000 routers with 16-port Channelized E1/T1 Circuit Emulation MICs.
On ACX Series routers, E1, T1, and NxDS0 interfaces support PPP encapsulation.
• Support for Ethernet link aggregation (ACX Series)—Starting in Junos OS Release
16.1R2, ACX Series Universal Access Routers support Ethernet link aggregation for
Layer 2 bridging. Ethernet link aggregation is a mechanism for increasing the bandwidth
of Ethernet links linearly and improving the links' resiliency by bundling or combining
multiple full-duplex, same-speed, point-to-point Ethernet links into a single virtual
link. The virtual link interface is referred to as a link aggregation group (LAG) or an
aggregated Ethernet interface. The LAG balances traffic across the member links within
an aggregated Ethernet interface and effectively increases the uplink bandwidth.
Another advantage of link aggregation is increased availability because the LAG is
composed of multiple member links. If one member link fails, the LAG continues to
carry traffic over the remaining links.
• 16-port Channelized E1/T1 Circuit Emulation MIC (ACX4000)—Starting in Junos OS
Release 16.1R2, ACX4000 Universal Access Routers support the 16-port Channelized
E1/T1 Circuit Emulation MIC (model number ACX-MIC-16CHE1-T1-CE).
The key features supported on this MIC are:
• Structure-Agnostic TDM over Packet (SAToP)
• ATM encapsulation—Only the following ATM encapsulations are supported on this
MIC:
• ATM CCC cell relay
• ATM CCC VC multiplex
• ATM pseudowires
• ATM quality-of-service (QoS) features—traffic shaping, scheduling, and policing
• ATM Operation, Administration, and Maintenance
• ATM (IMA) protocol at the T1/E1 level with up to 16 IMA (Inverse Multiplexing for
ATM) groups. Each group can have one to eight IMA links.
• Support for PIM and IGMP in global domain (ACX Series)—Starting in Junos OS
Release 16.1R2, ACX Series Universal Access Routers support Protocol Independent
Multicast (PIM) and Internet Group Management Protocol (IGMP) messages for
multicast data delivery. ACX Series routers are used as a leaf in the multicast distribution
tree so that subscribers in the global domain can directly connect to the ACX Series
routers through IPv4 interfaces. ACX Series routers can also be used as a branch point
in the tree so that they are connected to other downstream ACX Series or MX Series
routers and send multicast data according to the membership established through
the PIM or IGMP messaging.
NOTE: ACX Series routers support only sparse mode. Dense mode on ACX
Series is supported only for control multicast groups for autodiscovery of
rendezvous point (auto-RP).
You can configure IGMP on the subscriber-facing interfaces to receive IGMP control
packets from subscribers, which in turn triggers the PIM messages to be sent out of
the network-facing interface toward the rendezvous point (RP).
NOTE: ACX Series routers do not support IPv6 interfaces for multicast
data delivery and RP functionality.
• Support for dying-gasp PDU generation (ACX Series)—Starting in Junos OS Release
16.1R2, ACX Series Universal Access Routers support the generation of dying-gasp
protocol data units (PDUs). Dying gasp refers to an unrecoverable condition such as
a power failure. In this condition, the local peer informs the remote peer about the
failure state. When the remote peer receives a dying-gasp PDU, it takes an action
corresponding to the action profile configured with the link-adjacency-loss event.
ACX Series routers can generate and receive dying-gasp packets. When LFM is
configured on an interface, a dying-gasp PDU is generated for the interface on the
following failure conditions:
• Power failure
• Packet Forwarding Engine panic or a crash
• Support for logical tunnels (ACX Series)—Starting in Junos OS Release 16.1R2, ACX
Series Universal Access Routers support logical tunnels. Logical tunnel (lt-) interfaces
provide quite different services depending on the host router. On ACX Series routers,
logical tunnel interfaces enable you to connect a bridge domain and a pseudowire.
To create tunnel interfaces, an FPC and the corresponding Packet Forwarding Engine
on an ACX Series router must be configured to be used for tunneling services at the
[edit chassis] hierarchy level. The amount of bandwidth reserved for tunnel services
must also be configured.
To create logical tunnel interfaces and the bandwidth in gigabits per second to reserve
for tunnel services, include the tunnel-services bandwidth (1g | 10g) statement at the
[edit chassis fpc slot-number pic number] hierarchy level.
• Support for PPP encapsulation on Channelized OC3/STM1 (Multi-Rate) Circuit
Emulation MIC with SFP (ACX Series)—Starting in Junos OS Release 16.1R2, on
ACX4000 routers, you can configure Point-to-Point Protocol (PPP) encapsulation on
physical interfaces on Channelized OC3/STM1 (Multi-Rate) Circuit Emulation MIC with
SFP. PPP provides a standard method for transporting multiprotocol datagrams over
a point-to-point link. PPP uses the High-Speed Data Link Control (HDLC) protocol for
its physical interfaces and provides a packet-oriented interface for the network-layer
protocols.
On ACX Series routers, E1, T1, and NxDS0 interfaces support PPP encapsulation.
IP class of service (CoS) is not supported on PPP interfaces. All the traffic is sent to
the best effort queue (queue 0) and CoS code points are not processed. Also, fixed
classifiers are not supported. PPP is supported only for IPv4 networks.
• Support for dual-rate SFP+ modules (ACX Series)—Starting in Junos OS Release
16.1R2, ACX2000, ACX2100, and ACX4000 routers support the dual-rate SFP+ optic
modules. These modules operate at either 1 Gbps or 10 Gbps speeds. When you plug
in the module to the small form-factor pluggable plus (SFP+) slot, the module can be
set at either 1 Gbps or 10 Gbps.
ACX Series routers use the 2-port 10-Gigabit Ethernet (LAN) SFP+ MIC in the following
two combinations:
• 2-port 10-Gigabit Ethernet (LAN) SFP+ uses BCM84728 PHY on ACX2100/ACX4000
routers.
• 2-port 10-Gigabit Ethernet (LAN) SFP+ uses BCM8728/8747 on ACX2000 routers.
To configure an xe port in 1-Gigabit Ethernet mode, use the set interfaces xe-x/y/z
speed 1g statement. To configure an xe port in 10-Gigabit Ethernet mode, use the set
interfaces xe-x/y/z speed 10g statement. The default speed mode is 1-Gigabit Ethernet
mode.
• Support for inverse multiplexing for ATM (IMA) on Channelized OC3/STM1
(Multi-Rate) Circuit Emulation MIC with SFP (ACX Series)—Starting in Junos OS
Release 16.1R2, you can configure inverse multiplexing for ATM (IMA) on the Channelized
OC3/STM1 (Multi-Rate) Circuit Emulation MIC with SFP (model number:
ACX-MIC-4COC3-1COC12CE) on ACX Series routers. You can configure four OC3/STM1
ports or one OC12/STM4 port on this rate-selectable MIC.
• Support for TDR for diagnosing cable faults (ACX Series)—Starting in Junos OS
Release 16.1R2, ACX Series Universal Access Routers support Time Domain
Reflectometry (TDR), which is a technology used for diagnosing copper cable states.
This technique can be used to determine whether cabling is at fault when you cannot
establish a link. TDR detects the defects by sending a signal through a cable, and
reflecting it from the end of the cable. Open circuits, short circuits, sharp bends, and
other defects in the cable reflect the signal back at different amplitudes, depending
on the severity of the defect. TDR diagnostics is supported only on copper interfaces
and not on fiber interfaces.
TDR provides the following capabilities that you can use to effectively identify and
correct cable problems:
• Display detailed information about the status of a twisted-pair cable, such as cable
pair being open or short-circuited.
• Determine the distance in meters at which an open or short circuit is detected.
• Detect whether or not the twisted pairs are swapped.
• Identify the polarity status of the twisted pair.
• Determine any downshift in the connection speed.
Installation
• Support for USB autoinstallation from XML file (ACX Series routers)—Starting in
Junos OS Release 16.1R2, ACX Series Universal Access Routers support USB
autoinstallation using the configuration file in XML format. The USB-based
autoinstallation process overrides the network-based autoinstallation process. If the
ACX Series router detects a USB Disk-on-Key device containing a valid configuration
file during autoinstallation, the router uses the configuration file on Disk-on-Key instead
of fetching the configuration from the network.
• Support for hybrid mode of autoinstallation—Starting in Junos OS Release 16.1R2,
ACX Series Universal Access Routers support hybrid mode of autoinstallation. The
autoinstallation mechanism allows the router to configure itself out-of-the-box with
no manual intervention, using the configuration available on the network, locally through
a removable media, or using a combination of both. ACX Series routers support the
retrieval of partial configuration from an external USB storage device plugged into the
router’s USB port during the autoinstallation process. In turn, this partial configuration
facilitates the network mode of autoinstallation to retrieve the complete configuration
file from the network. This method is called hybrid mode of autoinstallation.
Layer 2 Features
• Support for Layer 2 security (ACX Series)—Starting in Junos OS Release 16.1R2, ACX
Series routers support bridge family firewall filters. These family filters can be configured
at the logical interface level and can be scaled up to 124 terms for ingress traffic, and
126 terms for egress traffic.
• Support for Ethernet Local Management Interface protocol (ACX Series)—Starting
in Junos OS Release 16.1R2, the Ethernet Local Management Interface (E-LMI) protocol
on ACX Series Universal Access Routers supports Layer 2 circuit and Layer 2 VPN
Ethernet virtual connection (EVC) types.
Junos OS for ACX Series Universal Access Routers supports E-LMI only on provider
edge (PE) routers.
• Support for Layer 2 control protocols and Layer 2 protocol tunneling (ACX
Series)—Starting in Junos OS Release 16.1R2, you can configure spanning tree protocols
to prevent Layer 2 loops in a bridge domain. Layer 2 control protocols for ACX Series
Universal Access Routers include the Spanning Tree Protocol (STP), Rapid Spanning
Tree Protocol (RSTP), Multiple Spanning Tree Protocol (MSTP), VLAN Spanning Tree
Protocol (VSTP), and Link Layer Discovery Protocol (LLDP). ACX Series routers can
support up to 128 STP instances, which includes all instances of VSTP, MSTP, RSTP,
and STP.
Layer 2 protocol tunneling (L2PT) is supported on ACX Series routers. L2PT allows
Layer 2 protocol data units (PDUs) to be tunneled through a network. L2PT can be
configured on a port on a customer-edge router by using MAC rewrite configuration.
MAC rewrite is supported for STP, Cisco Discovery Protocol (CDP), VLAN Trunk Protocol
(VTP), IEEE 802.1X, IEEE 802.3ah, Ethernet Local Management Interface (E-LMI), Link
Aggregation Control Protocol (LACP), Link Layer Discovery Protocol (LLDP), Multiple
MAC Registration Protocol (MMRP), and Multiple VLAN Registration Protocol (MVRP)
packets.
• Support for Layer 2 bridging (ACX Series)—Starting in Junos OS Release 16.1R2, ACX
Series Universal Access Routers support Layer 2 bridging and Q-in-Q tunneling. A
bridge domain is created by adding a set of Layer 2 logical interfaces in a bridge domain
to represent a broadcast domain. Layer 2 logical interfaces are created by defining one
or more logical units on a physical interface with encapsulation as ethernet-bridge or
vlan-bridge. All the member ports of the bridge domain participate in Layer 2 learning
and forwarding. You can configure one or more bridge domains to perform Layer 2
bridging. You can optionally disable learning on a bridge domain.
NOTE: ACX Series routers do not support the creation of bridge domains
by using access and trunk ports.
On ACX Series routers, you can configure E-LAN and E-LINE services on bridge domains.
When you configure E-LAN and E-LINE services by using a bridge domain without a
vlan-id statement, the bridge domain should explicitly be normalized by an input VLAN
map to a service VLAN ID and TPID. Explicit normalization is required when a logical
interface’s outer VLAN ID and TPID are not the same as the service VLAN ID and TPID
of the service being configured.
• Support for IEEE 802.1ad classifier (ACX Series)—Starting in Junos OS Release 16.1R2,
ACX Series Universal Access Routers support the IEEE 802.1ad classifier. Rewrite rules
at the physical interface level support the IEEE 802.1ad bit value. The IEEE 802.1ad
classifier uses IEEE 802.1p and DEI bits together. On logical interfaces, only fixed
classifiers are supported.
You can configure either IEEE 802.1p or IEEE 802.1ad classifiers at the physical interface
level. You can define the following features:
• IEEE 802.1ad classifiers (inner or outer)
• IEEE 802.1ad rewrites (outer)
NOTE: You cannot configure both IEEE 802.1p and IEEE 802.1ad classifiers
together at the physical interface level.
ACX Series routers support the IEEE 802.1ad classifier and rewrite along with the existing
class-of-service features for Layer 2 interfaces.
• Support for OAM with Layer 2 bridging as a transport mechanism (ACX
Series)—Starting in Junos OS Release 16.1R2, ACX Series Universal Access Routers
support the following OAM features that use Layer 2 bridging as a transport
mechanism:
• IEEE 802.3ah LFM—IEEE 802.3ah link fault management (LFM) operates at the
physical interface level and the packets are sent using Layer 2 bridging as a transport
mechanism.
• Dying-gasp packets—Dying-gasp PDU generation operates at the physical interface
level. Dying-gasp packets are sent through the IEEE 802.3ah LFM-enabled interfaces.
• IEEE 802.1ag and ITU-T Y.1731 protocols on down MEPs—IEEE 802.1ag configuration
fault management (CFM) and ITU-T Y.1731 performance-monitoring OAM protocols,
which are used for end-to-end Ethernet services, are supported only on down
maintenance association end points (MEPs). The ITU-T Y.1731 protocol supports
delay measurement on down MEPs but does not support loss measurement on
down MEPs.
• Support for storm control (ACX Series)—Starting in Junos OS Release 16.1R2, storm
control is supported on ACX Series routers. Storm control is only applicable at the IFD
level for ACX Series. When a traffic storm is seen on the interface configured for storm
control, the default action is to drop the packets exceeding the configured bandwidth.
No event is generated as part of this. Storm control is not enabled on the interface by
default.
• Support for RFC 2544-based benchmarking tests (ACX Series)—Starting in Junos
OS Release 16.1R2, ACX Series Universal Access Routers support RFC 2544-based
benchmarking tests for E-LINE and E-LAN services configured using bridge domains.
RFC 2544 defines a series of tests that can be used to describe the performance
characteristics of network interconnecting devices. RFC 2544 test methodology can
be applied to a single device under test, or to a network service (set of devices working
together to provide end-to-end service). When applied to a service, the RFC 2544 test
results can characterize the service-level agreement parameters.
RFC 2544 tests are performed by transmitting test packets from a device that functions
as the generator or the initiator. These packets are sent to a device that functions as
the reflector, which receives and returns the packets back to the initiator.
ACX Series routers support RFC 2544 tests to measure throughput, latency, frame loss
rate, and back-to-back frames.
With embedded RFC 2544, an ACX Series router can be configured as an initiator and
reflector.
You can configure RFC 2544 tests on the following underlying services:
•
Between two IPv4 endpoints.
•
Between two user-to-network interfaces (UNIs) of Ethernet Virtual Connection
(EVC), Ethernet Private Line (EPL, also called E-LINE), Ethernet Virtual Private
Line (EVPL), and EVC (EPL, EVPL).
•
Support for IEEE 802.1ag and ITU-T Y.1731 OAM protocols on up MEPs (ACX
Series)—Starting in Junos OS Release 16.1R2, ACX Series Universal Access Routers
support IEEE 802.1ag connectivity fault management (CFM) and ITU-T Y.1731
performance-monitoring OAM protocols on up maintenance association end points
(MEPs). CFM OAM protocol is supported on link aggregation group (LAG) or aggregated
Ethernet (AE) interfaces. The ITU-T Y.1731 protocol supports delay measurement on
up MEPs but does not support loss measurement on up MEPs.
NOTE: ACX Series routers do not support the ITU-T Y.1731 OAM protocol
on AE interfaces.
•
Support for Ethernet alarm indication signal (ACX Series)—Starting in Junos OS
Release 16.1R2, ACX Series Universal Access Routers support the ITU-T Y.1731 Ethernet
alarm indication signal function (ETH-AIS) to provide fault management for service
providers. ETH-AIS enables you to suppress alarms when a fault condition is detected.
Using ETH-AIS, an administrator can differentiate between faults at the customer level
and faults at the provider level. When a fault condition is detected, a maintenance end
point (MEP) generates ETH-AIS packets to the configured client levels for a specified
duration until the fault condition is cleared. Any MEP configured to generate ETH-AIS
packets signals to a level higher than its own. A MEP receiving ETH-AIS recognizes that
the fault is at a lower level and then suppresses alarms at the current level that the
MEP is in.
ACX Series routers support ETH-AIS PDU generation for server MEPs on the basis of
the following defect conditions:
•
Loss of connectivity (physical link loss detection)
•
Layer 2 circuit or Layer 2 VPN down
•
Support for Ethernet ring protection switching (ACX Series)—Starting in Junos OS
Release 16.1R2, you can configure Ethernet ring protection switching (ERPS) on ACX
Series routers to achieve high reliability and network stability. The basic idea of an
Ethernet ring is to use one specific link, called the ring protection link (RPL), to protect
the whole ring. Links in the ring will never form loops that fatally affect the network
operation and services availability.
ACX Series routers support multiple Ethernet ring instances that share the physical
ring. Each instance has its own control channel and a specific data channel. Each ring
instance can take a different path to achieve load balancing in the physical ring. When
no data channel is specified, ERP operates only on the VLAN ID associated with the
control channel. G.8032 open rings are supported.
ACX Series routers do not support aggregate Ethernet–based rings.
To configure Ethernet ring protection switching, include the protection-ring statement
at the [edit protocols] hierarchy level.
•
Support for integrated routing and bridging (ACX Series)—Starting in Junos OS
Release 16.1R2, ACX Series Universal Access Routers support integrated routing and
bridging (IRB) functionality. IRB provides routing capability on a bridge domain. To
enable this functionality, you need to configure an IRB interface as a routing interface
in a bridge domain and then configure a Layer 3 protocol such as IP or ISO on the IRB
interface.
ACX Series routers support IRB for routing IPv4 packets. IPv6 and MPLS packets are
not supported.
•
Support for IGMP snooping (ACX Series)—Starting in Junos OS Release 16.1R2, ACX
Series routers support IGMP snooping functionality. IGMP snooping works by
inspecting the IGMP packets received by the switch interfaces and building a multicast
database similar to what a multicast router builds in a Layer 3 network. Using this
database, the switch can forward multicast traffic only to the downstream interfaces
of interested receivers. This technique allows more efficient use of network bandwidth,
particularly for IPTV applications. You configure IGMP snooping for each bridge on the
router.
•
Support for unicast reverse path forwarding (ACX Series)—Starting in Junos OS
Release 16.1R2, ACX Series Universal Access Routers support unicast reverse path
forwarding. For interfaces that carry IPv4 or IPv6 traffic, you can reduce the impact of
denial-of-service (DoS) attacks by configuring unicast reverse path forwarding (RPF).
Unicast RPF helps determine the source of attacks and rejects packets from unexpected
source addresses on interfaces where unicast RPF is enabled.
Reverse path forwarding is not supported on the interfaces that you configure as tunnel
sources. This limitation affects only the transit packets exiting the tunnel.
To configure unicast reverse path forwarding, issue the rpf-check statement at the
[edit interfaces interface-name unit logical-unit-number family inet] hierarchy level. RPF
fail filters are not supported on ACX Series routers. The RPF check to be used when
routing is asymmetrical is not supported.
•
Support for disabling local switching in bridge domains (ACX Series)—Starting in
Junos OS Release 16.1R2, in a bridge domain, when a frame is received from a customer
edge (CE) interface, it is flooded to the other CE interfaces and all of the provider edge
(PE) interfaces if the destination MAC address is not learned or if the frame is either
broadcast or multicast.
To prevent CE devices from communicating directly, include the no-local-switching
statement at the [edit bridge-domains bridge-domain-name] hierarchy level. Configure
the logical interfaces in the bridge domain as core-facing (PE interfaces) by including
the core-facing statement at the [edit interfaces interface-name unit logical-unit-number
family family] hierarchy level to specify that the VLAN is physically connected to a
core-facing ISP router and ensure that the network does not improperly treat the
interface as a client interface. When local switching is disabled, traffic from one CE
interface is not forwarded to another CE interface.
•
Support for hierarchical VPLS (ACX Series)—Starting in Junos OS Release 16.1R2,
hierarchical LDP-based VPLS requires a full mesh of tunnel LSPs between all the PE
routers that participate in the VPLS service. Using hierarchical connectivity reduces
signaling and replication overhead to facilitate large-scale deployments. In a typical
IPTV solution, IPTV sources are in the public domain and the subscribers are in the
private VPN domain.
For an efficient delivery of multicast data from the IPTV source to the set-top boxes
or to subscribers in the private domain using the access devices (ACX Series routers
in this case), P2MP LSPs and MVPN are necessary. Because VPLS and MVPN are not
supported on ACX routers, an alternative approach is used to achieve hierarchical VPLS
(HVPLS) capabilities. The subscriber devices are connected to a VPLS or a Layer 3
VPN domain on the ACX Series (access) router and they are configured to import the
multicast routes. The support for PIM snooping in Layer 3 interfaces, IGMP snooping
in Layer 2 networks, IRB interfaces, and logical tunnel interfaces enables HVPLS support.
Management
•
Support for real-time performance monitoring (ACX Series)—Starting in Junos OS
Release 16.1R2, ACX Universal Access Routers support real-time performance
monitoring. Real-time performance monitoring (RPM) allows you to perform
service-level monitoring. When RPM is configured on a router, the router calculates
network performance based on packet response time, jitter, and packet loss. You can
configure these values to be gathered by HTTP, Internet Control Message Protocol
(ICMP), TCP, and UDP requests. The router gathers RPM statistics by sending out
probes to a specified probe target, identified by an IP address. When the target receives
a probe, it generates responses that are received by the router. You set the probe
options in the test test-name statement at the [edit services rpm probe owner] hierarchy
level. You use the show services rpm probe-results command to view the results of the
most recent RPM probes.
NOTE: Packet Forwarding Engine timestamping is available only for ICMP
probes and for UDP probes with the destination port set to UDP_ECHO
port (7).
•
Support for Virtual Router Redundancy Protocol version 2 (ACX Series)—Starting
in Junos OS Release 16.1R2, ACX Series Universal Access Routers support Virtual
Router Redundancy Protocol (VRRP) version 2 configuration. VRRP enables hosts on
a LAN to make use of redundant routers on that LAN without requiring more than the
static configuration of a single default route on the hosts. Routers running VRRP share
the IP address corresponding to the default route configured on the hosts. At any time,
one of the routers running VRRP is the master (active) and the others are backups. If
the master fails, one of the backup routers becomes the new master router, providing
a virtual default router and enabling traffic on the LAN to be routed without relying on
a single router. Using VRRP, a backup router can take over a failed default router within
a few seconds. This is done with minimum VRRP traffic and without any interaction
with the hosts.
•
Support for DHCP client and DHCP server (ACX Series)—Starting in Junos OS Release
16.1R2, ACX Series Universal Access Routers can be enabled to function as a DHCP
client and an extended DHCP local server. An extended DHCP local server provides an
IP address and other configuration information in response to a client request in the
form of an address-lease offer. An ACX Series router configured as a DHCP client can
obtain its TCP/IP settings and the IP address from a DHCP local server.
•
Support for preserving DHCP server subscriber information (ACX Series)—Starting
in Junos OS Release 16.1R2, ACX Series Universal Access Routers preserve DHCP
server subscriber binding information. An ACX Series router functioning as a DHCP server
stores the subscriber binding information to a file, and when the router reboots, the
subscriber information is read from the file and restored.
•
Support for DHCP client, DHCP server, and DHCP relay on Aggregated Ethernet
(ACX Series)—Starting in Junos OS Release 16.1R2, ACX Series routers support DHCP
client, DHCP server, and DHCP relay configurations on Aggregated Ethernet interfaces.
•
Support for Two-Way Active Measurement Protocol (ACX Series)—Starting in Junos
OS Release 16.1R2, ACX Series Universal Access Routers support Two-Way Active
Measurement Protocol (TWAMP). TWAMP provides a method for measuring round-trip
IP performance between two devices in a network. ACX Series routers support only
the reflector side of TWAMP.
Routing
•
Support for ECMP flow-based forwarding (ACX Series)—Starting in Junos OS Release
16.1R2, ACX Series Universal Access Routers support equal-cost multipath (ECMP)
flow-based forwarding. An ECMP set is formed when the routing table contains multiple
next-hop addresses for the same destination with equal cost. If there is an ECMP set
for the active route, Junos OS uses a hash algorithm to choose one of the next-hop
addresses in the ECMP set to install in the forwarding table. You can configure Junos
OS so that multiple next-hop entries in an ECMP set are installed in the forwarding
table. On ACX Series routers, per-flow load balancing can be performed to spread
traffic across multiple paths between the routers.
ECMP flow-based forwarding is supported for IPv4, IPv6, and MPLS packets.
Security
•
Support for IP and MAC address validation (ACX Series)—Starting in Junos OS Release
16.1R2, ACX Series Universal Access Routers support IP and MAC address validation.
This feature enables the ACX Series router to validate that received packets contain
a trusted IP source and an Ethernet MAC source address. Configuring MAC address
validation can provide additional validation when subscribers access billable services.
MAC address validation provides additional security by enabling the router to drop
packets that do not match, such as packets with spoofed addresses.
•
Support for unattended boot mode (ACX Series)—Starting in Junos OS Release
16.1R2, ACX Series Universal Access Routers support unattended boot mode.
The unattended boot mode feature blocks any known method of gaining access to the router
from CPU reset until the Junos OS login prompt, thereby preventing a user from making
any unauthorized changes on the router such as viewing, modifying, or deleting
configuration information.
Subscriber Access Management
•
Support for DHCP relay agent (ACX Series)—Starting in Junos OS Release 16.1R2, you
can configure extended DHCP relay options on an ACX Series router and enable the
router to function as a DHCP relay agent. A DHCP relay agent forwards DHCP request
and reply packets between a DHCP client and a DHCP server that might or might not
reside in the same IP subnet.
To configure the DHCP relay agent on the router for IPv4 packets, include the dhcp-relay
statement at the [edit forwarding-options] hierarchy level. You can also include the
dhcp-relay statement at the [edit routing-instances routing-instance-name
forwarding-options] and the [edit routing-instances routing-instance-name protocols
vrf] hierarchy levels.
Timing and Synchronization
•
Support for PTP over Ethernet (ACX Series)—Starting in Junos OS Release 16.1R2,
Precision Time Protocol (PTP) is supported over IEEE 802.3 or Ethernet links on ACX
Series routers. This functionality is supported in compliance with the IEEE 1588-2008
specification. PTP over Ethernet enables effective implementation of packet-based
technology that enables the operator to deliver synchronization services on
packet-based mobile backhaul networks that are configured in Ethernet rings.
Deployment of PTP at every hop in an Ethernet ring using the Ethernet encapsulation
method enables robust, redundant, and high-performance topologies to be created
that enable a highly-precise time and phase synchronization to be obtained.
•
PTP slave performance metrics (ACX Series)—Starting in Junos OS Release 16.1R2,
Precision Time Protocol (PTP) slave devices are used to provide frequency and time
distribution throughout large networks. On ACX Series routers, PTP slave devices
calculate performance metrics based on standard PTP timing messages. These
performance metrics include both inbound and outbound packet delay and jitter
between the PTP slave and master. Metrics are exported every 15 minutes to Junos
Space. Performance metrics are also stored locally on the ACX Series router and can
be accessed with the show ptp performance-monitor [short-term | long-term] command.
•
Support for hybrid mode (ACX Series)—Starting in Junos OS Release 16.1R2, ACX
Series Universal Access Routers support hybrid mode, which is a combined operation
of Synchronous Ethernet and Precision Time Protocol (PTP). In hybrid mode, the
synchronous Ethernet equipment clock (EEC) on the router derives the frequency from
Synchronous Ethernet and the phase and time of day from PTP. Time synchronization
includes both phase synchronization and frequency synchronization.
Synchronous Ethernet supports hop-by-hop frequency transfer, where all interfaces
on the trail must support Synchronous Ethernet. PTP (also known as IEEE 1588v2)
synchronizes clocks between nodes in a network, thereby enabling the distribution of
an accurate clock over a packet-switched network.
To configure the router in hybrid mode, you must configure Synchronous Ethernet
options at the [edit chassis synchronization] hierarchy level and configure PTP options
at the [edit protocols ptp] hierarchy level. Configure hybrid mode options by including
the hybrid statement at the [edit protocols ptp slave] hierarchy level.
Release 16.1R1 New and Changed Features
Junos OS XML API and Scripting
•
Support for Python language for commit, event, op, and SNMP scripts (ACX
Series)—Starting in Junos OS Release 16.1R1, you can author commit, event, op, and
SNMP scripts in Python on devices that include the Python extensions package in the
software image. Creating automation scripts in Python enables you to take advantage
of Python features and libraries as well as leverage Junos PyEZ APIs supported in Junos
PyEZ Release 1.3.1 and earlier releases to perform operational and configuration tasks
on devices running Junos OS. To enable execution of Python automation scripts, which
the root user must own, configure the language python statement at the [edit system
scripts] hierarchy level, and configure the filename for the Python script under the
hierarchy level appropriate to that script type. Supported Python versions include
Python 2.7.x.
Management
•
YANG module that defines Junos OS operational commands (ACX Series)—Starting
in Junos OS Release 16.1R1, Juniper Networks provides the juniper-command YANG
module, which represents the operational command hierarchy and collective group of
modules that define the remote procedure calls (RPCs) for Junos OS operational mode
commands. You can download Juniper Networks YANG modules from the website, or
you can generate the modules by using the show system schema format yang module
juniper-command operational command on the local device. The juniper-command
module is bound to the namespace URI http://yang.juniper.net/yang/1.1/jrpc and uses
the prefix jrpc.
•
YANG module that defines CLI formatting for RPC output (ACX Series)—Starting in
Junos OS Release 16.1R1, Juniper Networks provides the junos-extension-odl YANG
module. The module contains definitions for Junos OS Output Definition Language
(ODL) statements, which determine the CLI formatting for RPC output when you
execute the operational command corresponding to that RPC in the CLI or when you
request the RPC output in text format. You can use statements in the
junos-extension-odl module in custom RPCs to convert the XML output into a more
logical and human-readable representation of the data. The junos-extension-odl module
is bound to the namespace URI http://yang.juniper.net/yang/1.1/jodl and uses the
prefix junos-odl.
Software Installation and Upgrade
•
Limited encryption Junos image (“Junos Limited”) created for customers in Armenia,
Belarus, Kazakhstan, Kyrgyzstan, and Russia (ACX1100)—Starting in Junos OS Release
16.1R1, customers in the Eurasian Customs Union (currently comprised of Armenia,
Belarus, Kazakhstan, Kyrgyzstan, and Russia) should use the “Junos Limited” image
for ACX1100 routers instead of the “Junos Worldwide” image. The “Junos Limited”
image does not have data-plane encryption and is intended only for countries in the
Eurasian Customs Union because these countries have import restrictions on software
containing data plane encryption. Unlike the “Junos Worldwide” image, the “Junos
Limited” image supports control plane encryption through Secure Shell (SSH) and
Secure Sockets Layer (SSL), thus allowing secure management of the system.
NOTE: The limited encryption Junos image (“Junos Limited”) is to be used
by customers in Armenia, Belarus, Kazakhstan, Kyrgyzstan, and Russia.
User Interface and Configuration
•
Support for JSON format for configuration data (ACX Series)–Starting in Junos OS
Release 16.1R1, you can configure devices running Junos OS using configuration data
in JavaScript Object Notation (JSON) format in addition to the existing text, Junos XML,
and Junos OS set command formats. You can load configuration data in JSON format
in the Junos OS CLI by using the load (merge | override | update) json command or from
within a NETCONF or Junos XML protocol session by using the <load-configuration
format="json"> operation. You can load JSON configuration data either from an existing
file or as a data stream. Configuration data that is provided as a data stream must be
enclosed in a <configuration-json> element.
Related Documentation
•
Changes in Default Behavior and Syntax
•
Known Behavior
•
Known Issues
•
Migration, Upgrade, and Downgrade Instructions
•
Product Compatibility
Changes in Default Behavior and Syntax
This section lists the changes in behavior of Junos OS features and changes in the syntax
of Junos OS statements and commands from Junos OS Release 16.1R4 for the ACX Series
Universal Access Routers.
•
Interfaces and Chassis
•
Management
•
System Logging
•
User Interface and Configuration
•
Junos OS XML API and Scripting
Interfaces and Chassis
•
Connectivity fault management MEPs on Layer 2 circuits and Layer 2 VPNs—On
interfaces configured on ACX Series routers, you no longer need to configure the
no-control-word statement at either the [edit protocols l2circuit neighbor neighbor-id
interface interface-name] or the [edit routing-instances routing-instance-name protocols
l2vpn] hierarchy level for Layer 2 circuits and Layer 2 VPNs over which you are running
CFM maintenance association end points (MEPs). This configuration is not needed
because ACX Series routers support the control word for CFM MEPs. The control word
is enabled by default.
•
In the output of the show interfaces command under the MAC Statistics section, any
packet whose size exceeds the configured MTU size is considered an oversized frame
and the value displayed in the Oversized frames field is incremented. The value displayed
in the Jabber frames field is incremented when a bad CRC frame size is between 1518
bytes and the configured MTU size.
•
Support for chained composite next hop in Layer 3 VPNs—Next-hop chaining (also
known as chained composite next hop) is a composition function that concatenates
the partial rewrite strings associated with individual next hops to form a larger rewrite
string that is added to a packet. To configure the router to accept up to one million
Layer 3 VPN route updates with unique inner VPN labels, include the l3vpn statement
at the [edit routing-options forwarding-table chained-composite-next-hop ingress]
hierarchy level. The l3vpn statement is disabled by default.
Management
•
Support for status deprecated statement in YANG modules (ACX Series)—Starting
in Junos OS Release 16.1R2, Juniper Networks YANG modules include the status
deprecated statement to indicate configuration statements, commands, and options
that are deprecated.
System Logging
•
Support for system log message: UI_SKIP_SYNC_OTHER_RE (ACX Series)—Starting
with Junos OS Release 16.1R1, configuration synchronization with a remote Routing
Engine is skipped when the configuration is already in sync with another Routing Engine
with database revision.
NOTE: This system log message is generated when the graceful Routing
Engine switchover feature is enabled.
This system log message reports an event, not an error, and has notice as Severity and
LOG_AUTH as Facility.
[See Understanding Graceful Routing Engine Switchover in the Junos OS.]
User Interface and Configuration
•
The output-file-name option for show system schema command is deprecated (ACX
Series)—Starting in Junos OS Release 16.1R1, the output-file-name option for the show
system schema operational command is deprecated. To direct the output to a file, use
the output-directory option and specify the directory. By default, the filename for the
output file uses the module name as the filename base and the format as the filename
extension. If you also include the module-name option in the command, the specified
module name is used for both the name of the generated module and for the filename
base for the output file.
•
New default implementation for serialization for JSON configuration data (ACX
Series)—Starting in Junos OS Release 16.1R1, the default implementation for serialization
for configuration data emitted in JavaScript Object Notation (JSON) has changed. The
new default is as defined in Internet drafts draft-ietf-netmod-yang-json-09, JSON
Encoding of Data Modeled with YANG, and draft-ietf-netmod-yang-metadata-06, Defining
and Using Metadata with YANG.
•
Integers in configuration data in JSON format are displayed without quotation marks
(ACX Series)—Starting in Junos OS Release 16.1R4, integers in Junos OS configuration
data emitted in JavaScript Object Notation (JSON) format are not enclosed in quotation
marks. Prior to Junos OS Release 16.1R4, integers in JSON configuration data were
treated as strings and enclosed in quotation marks.
Junos OS XML API and Scripting
•
Changes to Python automation script execution requirements and access privileges
(ACX Series)—Starting in Junos OS Release 16.1R3, unsigned Python commit, event,
op, and SNMP scripts must be owned by either root or a user in the Junos OS super-user
login class, and only the file owner can have write permission for the file. In Junos OS
Release 16.1R2 and earlier, unsigned Python scripts must be owned by the root user.
Furthermore, starting in Junos OS Release 16.1R3, you can execute Python automation
scripts using the access privileges of authorized users. Interactive Python scripts, such
as commit and op scripts, run with the access privileges of the user who executes the
command or operation that invokes the script. Non-interactive Python scripts, such as
event and SNMP scripts, by default, execute under the privileges of the *nix user and
group nobody. To execute the scripts under the access privileges of a specific user,
configure the python-script-user username statement at the [edit event-options
event-script file filename] hierarchy level for event scripts, or the [edit system scripts
snmp file filename] hierarchy level for SNMP scripts. In Junos OS Release 16.1R2 and
earlier, Python commit, event, op, and SNMP scripts are executed using the access
privileges of only the user and group nobody.
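The ownership and write-permission rule for unsigned Python scripts described above can be checked before a script is staged on a device. The following is an added example, not Juniper code: the function names are hypothetical, and the set of UIDs treated as members of the super-user login class is an assumption supplied by the caller, because login-class membership is defined in the Junos OS configuration rather than in the file system.

```python
import os
import stat
import tempfile

ROOT_UID = 0


def check_owner_and_mode(uid, mode, super_user_uids=()):
    """Check an (owner uid, st_mode) pair against the 16.1R3 rule.

    Rule from the release note: the file must be owned by root or by a
    user in the super-user login class, and only the owner may have
    write permission. Returns a list of findings; empty means compliant.
    """
    if not stat.S_ISREG(mode):
        # Extra precaution in this example, not a rule from the release note.
        return ["not a regular file"]
    findings = []
    # Assumption: the caller lists the UIDs of super-user class members.
    allowed = {ROOT_UID} | set(super_user_uids)
    if uid not in allowed:
        findings.append(
            "owner uid %d is neither root nor a listed super-user" % uid
        )
    if mode & stat.S_IWGRP:
        findings.append("group has write permission")
    if mode & stat.S_IWOTH:
        findings.append("others have write permission")
    return findings


def audit_unsigned_script(path, super_user_uids=()):
    """Audit a script file on disk; lstat is used so links are not followed."""
    st = os.lstat(path)
    return check_owner_and_mode(st.st_uid, st.st_mode, super_user_uids)


def demo():
    """Audit one constructed script file under three constructed modes."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample-op-script.py")  # constructed name
        with open(path, "w") as fh:
            fh.write("print('hello')\n")
        me = os.getuid()  # treat the current user as an allowed owner
        for mode in (0o644, 0o664, 0o646):
            os.chmod(path, mode)
            results[oct(mode)] = audit_unsigned_script(
                path, super_user_uids={me}
            )
    return results


if __name__ == "__main__":
    for mode, findings in demo().items():
        print(mode, findings or "ok")
```
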
Related Documentation
•
New and Changed Features
•
Known Behavior
•
Known Issues
•
Migration, Upgrade, and Downgrade Instructions
•
Product Compatibility
Known Behavior
There are no known limitations in Junos OS Release 16.1R4 for the ACX Series.
For the most complete and latest information about known Junos OS defects, use the
Juniper Networks online Junos Problem Report Search application.
Related Documentation
•
New and Changed Features
•
Changes in Default Behavior and Syntax
•
Known Issues
•
Migration, Upgrade, and Downgrade Instructions
•
Product Compatibility
Known Issues
This section lists the known issues in hardware and software in Junos OS Release 16.1R4
for the ACX Series Universal Access Routers.
For the most complete and latest information about known Junos OS defects, use the
Juniper Networks online Junos Problem Report Search application.
•
Class of Service
•
Firewall Filters
•
Interfaces and Chassis
•
Integrated Routing and Bridging
•
Layer 2 Services
•
MPLS Applications
•
Network Management
•
Statistics
•
Timing and Synchronization
Class of Service
•
When the rewrite-rules statement is configured with the dscp or the inet-precedence
options at the [edit class-of-service interfaces] hierarchy level, the expectation is that
the DiffServ code point (DSCP) or IPv4 precedence rewrite rules take effect only on
IP packets. However, in addition to the IP packets, the DSCP or IPv4 rewrite takes effect
on the IP header inside the Ethernet pseudowire payload as well. This is not applicable
for the ACX4000 router. PR664062
•
In an ACX4000 router, whenever the scheduling and shaping parameters of a port or
any of its queues are changed, the entire scheduling configuration on the port is erased
and the new configuration is applied. During the time when such a configuration change
is taking place, the traffic pattern does not adhere to user parameters. It is
recommended that scheduling configuration be completed well before live traffic
is carried. PR840313
•
The VLAN packet loss priority (PLP) is incorrectly set when untagged VLAN frames
are received on the ingress interface with DSCP or IP precedence classification enabled
and the NNI (egress) interface does not contain IEEE 802.1p rewrite rules. PR949524
CoS limitations on PPP and MLPPP interfaces
The following are the common limitations on PPP and MLPPP interfaces:
•
Traffic loss is observed when a CoS configuration is changed.
•
The scheduling and shaping feature is based on the CIR-EIR model and not on the
weighted fair queuing (WFQ) model.
•
The minimum transmit rate is 32 Kbps and the minimum supported rate difference
between transmit rate and shaping rate is 32 Kbps.
•
Buffer size is calculated based on the average packet size of 256 bytes.
•
Low and High are the only loss priority levels supported.
•
The mapping between forwarding class and queue is fixed as follows:
•
best-effort is queue 0
•
expedited-forwarding is queue 1
•
assured-forwarding is queue 2
•
network-control is queue 3
The following are the specific CoS limitations on MLPPP interfaces:
•
Percentage rate configuration is not supported for shaping and scheduling. Rate
configuration is only supported in terms of bits per second.
•
Buffer size is calculated based on a single member link (T1/E1) speed and is not based
on the number of member links in a bundle.
•
Supports only transmit-rate exact configuration without fragmentation-map. Shaping
and priority will not be supported without fragmentation-map.
•
If fragmentation-map is configured, shaping is supported on a forwarding class with
different priorities. If two or more forwarding classes are configured with the same
priority, then only transmit-rate exact is supported for the respective forwarding class.
•
Supports only one-to-one mapping between a forwarding class and a multiclass. A
forwarding class can only send traffic corresponding to one multiclass.
The following is the specific CoS limitation on PPP interfaces:
•
The distribution of excess rate between two or more queues of same priority happens
on a first-come first-served basis. The shaping rate configured on the respective queue
remains valid.
Firewall Filters
•
In ACX Series routers, the following Layer 2 control protocol packets are not matched
(with the match-all term) by using the bridge family firewall filter applied on a Layer 2
interface:
•
Slow-Protocol/LACP MAC (01:80:c2:00:00:02)
•
E-LMI MAC (01:80:c2:00:00:07)
•
IS-IS L2 MAC (01:80:c2:00:00:14/09:00:2B:00:00:14)
•
STP BPDU (01:80:c2:00:00:00)
•
VSTP BPDU (01:00:0C:CC:CC:CD)
•
LLDP/PTP (01:80:c2:00:00:0E)
When layer rewrite is configured:
•
VTP/CDP (01:00:0C:CC:CC:CC)
•
L2PT RW MAC (01:00:0C:CD:CD:D0)
•
MMRP (01:80:C2:00:00:20)
•
MVRP (01:80:C2:00:00:21)
As a workaround, to match the Layer 2 control packet flows with a bridge family filter
term, you must explicitly specify the destination MAC match (along with other MAC
matches) in the firewall filter term and in the match term. PR879105
•
In ACX Series routers, a firewall filter cannot be applied to a logical interface configured
with vlan-id-list or vlan-range. As a workaround, you can configure the interface-specific
statement, which can be applied to the bridge, inet, or mpls family firewall filter.
PR889182
•
In ACX Series routers, packet drops in the egress interface queue are also counted as
input packet rejects under the Filter statistics section in the output of the show interface
input-interfaces extensive command when the command is run on the ingress interface.
PR612441
•
When the statistics statement is configured on a logical interface—for example, [edit
interface name-X unit unit-Y ]; the (policer | count | three-color-policer) statements are
configured in a firewall filter for the family any—for example, [edit firewall family any
filter filter-XYZ term term-T then] hierarchy level; and the configured filter-XYZ is
specified in the output statement of the logical interface at the [edit interface name-X
unit unit-Y filter] hierarchy level, the counters from the configuration of another firewall
family filter on the logical interface do not work. PR678847
•
The policing rate can be incorrect if the following configurations are applied together:
•
The policer or three-color-policer statement configured in a firewall filter—for example,
filter-XYZ at the [edit firewall family any filter filter-XYZ term term-T then] hierarchy
level, and filter-XYZ is specified as an ingress or egress firewall filter on a logical
interface—for example, interface-X unit-Y at the [edit interface interface-X unit unit-Y
filter (input|output) filter-XYZ] hierarchy level.
•
The policer or three-color-policer statement configured in a firewall filter—for example,
filter-ABC at the [edit firewall family name-XX filter filter-ABC term term-T then]
hierarchy level, and filter-ABC is configured as an ingress or egress firewall filter on
a family of the same logical interface interface-X unit-Y at the [edit interface
interface-X unit unit-Y family name-XX filter (input|output) filter-ABC] hierarchy level.
NOTE: If one of these configurations is applied independently, then the
correct policer rate can be observed.
PR678950
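An audit for the Layer 2 control protocol limitation above (PR879105), as an added example that is not Juniper's code: it reads a bridge-family filter in set format and reports which of the listed control-protocol MACs no term matches explicitly. The filter name UNI-IN, the sample configuration, and the choice to ignore a zero-length prefix are assumptions made for the example.

```python
import re

# Destination MACs the release note lists as not matched by a match-all term
# in a bridge-family filter (PR879105). Values are copied from that list.
CONTROL_MACS = {
    "Slow-Protocol/LACP": ["01:80:c2:00:00:02"],
    "E-LMI": ["01:80:c2:00:00:07"],
    "IS-IS L2": ["01:80:c2:00:00:14", "09:00:2b:00:00:14"],
    "STP BPDU": ["01:80:c2:00:00:00"],
    "VSTP BPDU": ["01:00:0c:cc:cc:cd"],
    "LLDP/PTP": ["01:80:c2:00:00:0e"],
}
# Additional entries the note lists under "When layer rewrite is configured".
REWRITE_MACS = {
    "VTP/CDP": ["01:00:0c:cc:cc:cc"],
    "L2PT RW": ["01:00:0c:cd:cd:d0"],
    "MMRP": ["01:80:c2:00:00:20"],
    "MVRP": ["01:80:c2:00:00:21"],
}

MAC_RE = re.compile(r"^[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5}$")
SET_RE = re.compile(
    r"^set firewall family bridge filter (\S+) term (\S+) "
    r"from destination-mac-address (\S+)$"
)


def mac_to_int(mac):
    """Convert aa:bb:cc:dd:ee:ff to a 48-bit integer."""
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(mac.replace(":", ""), 16)


def parse_prefix(text):
    """Return (value, mask) for 'mac' or 'mac/length'."""
    mac, _, length = text.partition("/")
    bits = int(length) if length else 48
    if not 0 <= bits <= 48:
        raise ValueError(f"bad prefix length in {text!r}")
    mask = ((1 << bits) - 1) << (48 - bits)
    return mac_to_int(mac) & mask, mask


def explicit_matches(config_lines, filter_name):
    """Collect (term, value, mask) for each explicit destination-MAC match."""
    found = []
    for line in config_lines:
        m = SET_RE.match(line.strip())
        if not m or m.group(1) != filter_name:
            continue
        value, mask = parse_prefix(m.group(3))
        # Assumption: a /0 prefix is a match-all in disguise, so it is not
        # counted as the explicit match the workaround asks for.
        if mask:
            found.append((m.group(2), value, mask))
    return found


def audit_filter(config_lines, filter_name, layer_rewrite=False):
    """Return {protocol: [MACs with no explicit match]} for one filter."""
    wanted = dict(CONTROL_MACS)
    if layer_rewrite:
        wanted.update(REWRITE_MACS)
    matches = explicit_matches(config_lines, filter_name)
    gaps = {}
    for proto, macs in wanted.items():
        missing = [
            mac for mac in macs
            if not any(mac_to_int(mac) & mask == value
                       for _term, value, mask in matches)
        ]
        if missing:
            gaps[proto] = missing
    return gaps


# Constructed sample configuration (not taken from the release notes).
SAMPLE_CONFIG = """
set firewall family bridge filter UNI-IN term lacp from destination-mac-address 01:80:c2:00:00:02/48
set firewall family bridge filter UNI-IN term lacp then count lacp-frames
set firewall family bridge filter UNI-IN term lacp then accept
set firewall family bridge filter UNI-IN term ieee-low from destination-mac-address 01:80:c2:00:00:00/44
set firewall family bridge filter UNI-IN term ieee-low then count ieee-low-frames
set firewall family bridge filter UNI-IN term ieee-low then accept
set firewall family bridge filter UNI-IN term everything-else then accept
""".strip().splitlines()

if __name__ == "__main__":
    for proto, macs in audit_filter(SAMPLE_CONFIG, "UNI-IN").items():
        print(f"{proto}: no explicit destination MAC match for {', '.join(macs)}")
```

In the sample, the /44 prefix covers 01:80:c2:00:00:00 through 01:80:c2:00:00:0f, so only the IS-IS and VSTP addresses are reported as lacking an explicit term.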
Interfaces and Chassis
•
Egress maximum transmission unit (MTU) check value of an interface is different for
tagged and untagged packets. If an interface is configured with CLI MTU value as x,
then the following would be the checks depending on outgoing packet type:
•
Egress MTU value for untagged packet = x − 4
•
Egress MTU value for single-tagged packet = x
•
Egress MTU value for double-tagged packet = x + 4
NOTE: The ingress MTU check is the same for all incoming packet types.
There is no workaround available. PR891770
•
In ACX Series routers, when STP is configured on an interface, the detailed interface
traffic statistics show command output does not show statistics information but
displays the message Dropped traffic statistics due to STP State. However, the drop
counters are updated. There is no workaround available. PR810936
•
When the differential-delay number option is configured in the ima-group-option
statement at the [edit interfaces at-fpc/pic/ima-group-no] hierarchy level, with a value
less than 10, some of the member links might not come up and the group might remain
down, resulting in traffic loss. A workaround is to keep the differential delay value above
10 for all IMA bundles. PR726279
•
The ACX Series routers support logical interface statistics, but do not support the
address family statistics. PR725809
•
BERT error insertion and bit counters are not supported by the IDT82P2288 framer.
PR726894
•
All 4x supported TPIDs cannot be configured on different logical interfaces of a physical
interface. Only one TPID can be configured on all logical interfaces of a physical
interface. But different physical interfaces can have different TPIDs. As a workaround,
use TPID rewrite. PR738890
•
The ACX Series routers do not support logical interface statistics for logical interfaces
with vlan-list or vlan-range configured. PR810973
•
CFM up-MEP session (to monitor pseudowire service) does not come up when the
output VLAN map is configured as push on an AC logical interface. This is due to a
hardware limitation in the ACX4000 router. PR832503
•
For ATM interfaces with atm-ccc-cell-relay and atm-ccc-vc-mux encapsulation types
configured, and with shaping profile configured on the interfaces, traffic drop is observed
when the configured shaping profile is changed. This problem occurs with 16-port
Channelized E1/T1 Circuit Emulation MICs on ACX4000 routers. As a workaround, you
must stop the traffic on the Layer 2 circuit before changing any of the traffic shaping
profile parameters. PR817335
•
In the case of normalized bridge domain, with double-tagged aggregated Ethernet
interface as ingress, the classification based on inner tag does not work for the
ACX4000. To do classification based on inner tag, configure the bridge domain with
explicit normalization and configure input and output VLAN map to match the behavior.
PR869715
•
The MAC counter behavior of 10-Gigabit Ethernet is different compared to 1-Gigabit
Ethernet.
On 1-Gigabit Ethernet interfaces, if the packet size is greater than 1518 bytes, irrespective
of whether the packet is tagged or untagged, the Oversized counter gets incremented.
If the packet has a CRC error, then the Jabber counter gets incremented.
On 10-Gigabit Ethernet interfaces, if the packet size is greater than 1518 bytes and
the packet is untagged, then the Oversized counter gets incremented. If the packet has
a CRC error, then the Jabber counter gets incremented.
If the packet is tagged (TPID is 0x8100), then the Oversized counter is incremented
only if the packet size is greater than 1522 bytes (1518 + 4 bytes for the tag). The Jabber
counter is incremented only if the packet size is greater than 1522 bytes and the packet
has a CRC error.
The packet is considered as tagged if the outer TPID is 0x8100. Packets with other
TPIDs values (for example, 0x88a8, 0x9100, or 0x9200) are considered as untagged
for the counter. There is no workaround available. PR940569
•
Layer 2 RFC 2544 benchmarking test cannot be configured to generate dual-tagged
frames when the UNI interface is configured for the QnQ service. This occurs when the
input VLAN map push is configured on the UNI interface. There is no workaround
available. PR946832
•
After running RFC 2544 tests, PTP stops working when the tests are performed on the
same router. A workaround is to reboot FEB after running the RFC 2544 tests. PR944200
•
When an ACX1100 router with AC power is configured as PTP slave or boundary clock,
the router does not achieve PTP accuracy within the specification (1.5 us), even if the
PTP achieves the state Phase Aligned. PR942664
•
Layer 2 RFC 2544 benchmark test fails for packet sizes 9104 and 9136 when the test
bandwidth is less than 10-MB and the NNI interface link speed is 10-MB. This behavior
is also seen when the 10-MB policer or shaper is configured on the NNI interface. The
issue will not be seen if the egress queue is configured with sufficient queue buffers.
PR939622
•
Limitations on logical tunnel interfaces—The following limitations apply when you
configure logical tunnel (LT) interfaces in ACX Series Universal Access Routers:
•
ACX router supports a total of two LT interfaces in a system, one of bandwidth 1G
and another of bandwidth 10G.
•
The bandwidth configured on the LT interface is shared between upstream and
downstream traffic on that interface. The effective available bandwidth for the
service is half the configured bandwidth.
•
Supported encapsulations on LT interface are ethernet-bridge, ethernet-ccc,
vlan-bridge, and vlan-ccc.
•
Total number of LT logical interfaces supported on a router is 30.
•
If an LT interface with bandwidth 1 Gbps is configured and port-mirroring is also
configured on the router, then LT physical interface statistics may not be accurate
for that LT interface.
•
Default classifiers are not available on the LT interface if a non-Ethernet PIC is used
to create the LT interface.
•
LT interfaces do not support protocol configuration.
Integrated Routing and Bridging
The following are the limitations on integrated routing and bridging (IRB) for ACX Series
Universal Access Routers.
At the IRB device level, the following limitations apply:
•
Behavior aggregate (BA) classifiers are not supported
•
Statistics are not supported
On an IRB logical interface, the following limitations apply:
•
Statistics and Layer 2 policers are not supported
•
Only inet and iso families are supported
On an IRB logical interface family inet, the following limitations apply:
•
Policer, rpf-check, and dhcp-client are not supported
When firewall is applied on an IRB logical interface family inet, the following limitations
apply:
•
Default (global) filters are not supported
•
Supports only accept, forwarding-class, and loss-priority actions
•
Supports only input filters
Interface Limitations—IRB configuration supports a maximum of 1000 logical interfaces
on a box.
Class-of-Service Limitations—The following are CoS limitations for IRB:
•
Maximum of 16 fixed classifiers are supported. Each classifier consumes two filter
entries and is shared with RFC 2544 sessions. Total number of shared filter entries is
32.
•
Maximum of 64 multifield filter classifiers are supported. Each classifier takes two
filter entries. Total of 128 entries are shared between family inet based classifiers on
IRB and normal Layer 3 logical interfaces.
•
Maximum 24 forwarding class and loss priority combinations can be rewritten. Each
rewrite rule takes single entry from egress filters. Total of 128 entries are shared by
rewrite-rules and all other output firewall filters.
•
IRB rewrite is supported only on the ACX4000 Series router.
Firewall Limitations—The following are the firewall limitations for IRB:
•
IRB supports only family inet filters.
•
Only interface-specific and physical-interface specific filters are supported.
•
Only forwarding-class and loss-priority actions are supported, other actions are not
supported.
Layer 2 Services
Limitations on Layer 2 bridging
The following Layer 2 bridging limitations apply for ACX Series Universal Access Routers:
•
A bridge domain cannot have two or more logical interfaces that belong to the same
physical interface.
•
A bridge domain with dual VLAN ID tag is not supported.
•
The following input VLAN map functions are not supported because the bridge domain
should have a valid service VLAN ID after normalization:
•
pop-pop on double-tagged logical interface.
•
pop on a single-tagged logical interface.
•
VLAN map with VLAN ID value set to 0.
•
swap-push and pop-swap VLAN map functions are not supported.
•
The maximum number of supported input VLAN maps with TPID swap is 64.
•
MAC learning cannot be disabled at the logical interface level.
•
MAC limit per logical interface cannot be configured.
•
All STP ports on a bridge domain must belong to the same MST (multiple spanning
tree) instance.
•
If a logical interface is configured with Ethernet bridge encapsulation with push-push
as the input VLAN map, normalization does not work when single-tagged or
double-tagged frames are received on the logical port. Untagged frames received on
the logical interface are normalized and forwarded correctly.
•
On a priority-tagged logical interface with the output VLAN map function pop, egress
VLAN filter check does not work.
•
Output VLAN map function push cannot work on a dual-tagged frame egressing a
logical interface.
•
In a bridge domain configured with vlan-id statement, when a dual-tagged frame enters
a non-dual-tagged logical interface and exits a dual-tagged logical interface, the VLAN
tags are not translated correctly at egress.
Limitations on integrated routing and bridging
The following integrated routing and bridging (IRB) limitations apply for ACX Series
Universal Access Routers:
At the IRB device level, the following limitations apply:
•
Behavior aggregate (BA) classifiers are not supported
•
Statistics are not supported
On an IRB logical interface, the following limitations apply:
•
Statistics and Layer 2 policers are not supported
•
Only inet and iso families are supported
On an IRB logical interface family inet, the following limitations apply:
•
Policer, rpf-check, and dhcp-client are not supported
When firewall is applied on an IRB logical interface family inet, the following limitations
apply:
•
Default (global) filters are not supported
•
Supports only accept, forwarding-class, and loss-priority actions
•
Supports only input filters
MPLS Applications
•
The scaling numbers for pseudowires and MPLS label routes published for the ACX
Series routers are valid only when the protocols adopt graceful restart. In case of
non-graceful restart, the scaling numbers would become half of the published numbers.
PR683581
Network Management
•
In a connectivity fault management (CFM) up-mep session, when a remote-mep error
is detected, the local-mep does not set the RDI bit in the transmitted continuity check
messages (CCM). This problem is not seen in ACX4000 routers and in down-mep
sessions. There is no workaround available. PR864247
•
The ACX Series routers do not support the configuration of RPM probes to a routing
instance along with the configuration of the hardware-timestamp statement at the
[edit services rpm probe owner test test-name] hierarchy level. PR846379
Statistics
•
ACX Series routers do not support route statistics per next hop and per flow for unicast
and multicast traffic. Only interface-level statistics are supported.
•
The show multicast statistics command is not supported on ACX Series routers.
PR954273
Timing and Synchronization
•
When you use the replace pattern command to toggle from a secure slave to an
automatic slave or vice versa in the PTP configuration of a boundary clock, the external
slave goes into a freerun state. The workaround is to use the delete and set commands
instead of the replace pattern command. PR733276
•
In a boundary clock mode, if the upstream master is in ACQUIRING state, the
downstream slave toggles from ACQUIRING to FREERUN state if more than one slave
is configured. This behavior is random and intermittent. PR1210349
Related Documentation
•
New and Changed Features
•
Changes in Default Behavior and Syntax
•
Known Behavior
•
Migration, Upgrade, and Downgrade Instructions
•
Product Compatibility
Resolved Issues
This section lists the issues fixed in the Junos OS main release and the maintenance
releases.
For the most complete and latest information about known Junos OS defects, use the
Juniper Networks online Junos Problem Report Search application.
Related Documentation
•
New and Changed Features
•
Changes in Default Behavior and Syntax
•
Known Behavior
•
Known Issues
•
Documentation Updates
•
Migration, Upgrade, and Downgrade Instructions
•
Product Compatibility
Documentation Updates
Related Documentation
•
New and Changed Features
•
Changes in Default Behavior and Syntax
•
Known Behavior
•
Known Issues
•
Resolved Issues
•
Migration, Upgrade, and Downgrade Instructions
•
Product Compatibility
Migration, Upgrade, and Downgrade Instructions
This section contains the upgrade and downgrade support policy for Junos OS for the
ACX Series Universal Access Routers. Upgrading or downgrading Junos OS can take
several hours, depending on the size and configuration of the network.
For information about software installation and upgrade, see the Installation and Upgrade
Guide.
•
Upgrade and Downgrade Support Policy for Junos OS Releases
Upgrade and Downgrade Support Policy for Junos OS Releases
Support for upgrades and downgrades that span more than three Junos OS releases at
a time is not provided, except for releases that are designated as Extended End-of-Life
(EEOL) releases. EEOL releases provide direct upgrade and downgrade paths—you can
upgrade directly from one EEOL release to the next EEOL release even though EEOL
releases generally occur in increments beyond three releases.
from Junos OS Release 14.1 to Release 15.1 or from Junos OS Release 15.1 to Release 16.2.
However, you cannot upgrade directly from a non-EEOL release that is more than three
releases ahead or behind.
To upgrade or downgrade from a non-EEOL release to a release more than three releases
before or after, first upgrade to the next EEOL release and then upgrade or downgrade
from that EEOL release to your target release.
For more information about EEOL releases and to review a list of EEOL releases, see
http://www.juniper.net/support/eol/junos.html.
Related Documentation
•
New and Changed Features
•
Changes in Default Behavior and Syntax
•
Known Behavior
•
Known Issues
•
Product Compatibility
Product Compatibility
•
Hardware Compatibility
Hardware Compatibility
To obtain information about the components that are supported on the devices, and the
special compatibility guidelines with the release, see the Hardware Guide for the product.
To determine the features supported on ACX Series routers in this release, use the Juniper
Networks Feature Explorer, a Web-based application that helps you to explore and
compare Junos OS feature information to find the right software release and hardware
platform for your network. Find Feature Explorer at
http://pathfinder.juniper.net/feature-explorer/.
Related Documentation
•
New and Changed Features
•
Changes in Default Behavior and Syntax
•
Known Behavior
•
Known Issues
•
Migration, Upgrade, and Downgrade Instructions
Junos OS Release Notes for EX Series Switches
These release notes accompany Junos OS Release 16.1R4 for the EX Series. They describe
new and changed features, limitations, and known and resolved problems in the hardware
and software.
You can also find these release notes on the Juniper Networks Junos OS Documentation
webpage, located at http://www.juniper.net/techpubs/software/junos/.
•
New and Changed Features
•
Changes in Behavior and Syntax
•
Known Behavior
•
Known Issues
•
Resolved Issues
•
Documentation Updates
•
Migration, Upgrade, and Downgrade Instructions
•
Product Compatibility
New and Changed Features
This section describes the new features in Junos OS Release 16.1 for the EX Series switches.
NOTE: The following EX Series switches are supported in Release 16.1R4:
EX4300, EX4600, and EX9200.
NOTE: A new J-Web distribution model was introduced in Junos OS Release
14.1X53-D10, and that same model is supported in Release 16.1R1 and later.
The model provides two packages:
•
Platform package—Installed as part of Junos OS; provides basic
functionalities of J-Web.
•
Application package—Optionally installable package; provides complete
functionalities of J-Web.
In Junos OS Release 16.1R1, J-Web is supported on the EX4300 and EX4600
switches in both standalone and Virtual Chassis setup.
For details about the J-Web distribution model, see Release Notes: J-Web
Application Package Release 16.1A1 for EX4300 and EX4600 Switches.
•
Hardware
•
Authentication, Authorization, and Accounting
•
Interfaces and Chassis
•
Management
•
Multicast
•
Network Management and Monitoring
•
Port Security
•
Routing Policy and Firewall Filters
•
Software-Defined Networking
•
User Interface and Configuration
•
VPNs
Hardware
•
New line cards for EX9200 switches—Starting with Junos OS Release 16.1R1, EX9200
switches support the following new line cards:
EX9200-12QS line card: It is a line card with 12 Gigabit Ethernet rate-selectable ports,
each of which can house transceivers. These ports can operate at 10-Gbps, 40-Gbps,
and 100-Gbps speeds.
[See EX9200-12QS Line Card.]
EX9200-40XS line card: It is a line card with 40 10-Gigabit Ethernet ports with Media
Access Control Security (MACsec) capability, each of which can house 10-gigabit small
form-factor plus pluggable (SFP+) transceivers.
[See EX9200-40XS Line Card.]
Authentication, Authorization, and Accounting
•
Additional attributes for RADIUS accounting (EX4300)—Starting with Junos OS
Release 16.1R1, additional RADIUS accounting attributes are supported on EX4300
switches. RADIUS accounting attributes are included in Accounting Request messages
sent from a network access server (NAS) to the RADIUS accounting server. These
RADIUS accounting attributes contain user accounting information that is used for
keeping network statistics and for general network monitoring. The following additional
attributes are supported: Client-System-Name, Framed-MTU, Session-Timeout,
Acct-Authentic, NAS-Port-ID, and Filter-ID. There is no configuration required for
enabling these attributes.
[See Understanding 802.1X and RADIUS Accounting on EX Series Switches.]
•
Liveness detection for captive portal (EX4300)—Starting with Junos OS Release
16.1R1, you can configure a keep-alive timer to extend a captive portal authentication
session after the MAC table aging timer expires. The keep-alive timer starts when the
MAC address of the authenticated host ages out of the Ethernet switching table. If
traffic is received within the keep-alive period, the timer stops and the authenticated
session remains active. If there is no traffic within the keep-alive period, the
authenticated session ends, and the host must reauthenticate.
[See Understanding Authentication Session Timeout.]
Interfaces and Chassis
•
Configuration support to keep an aggregated Ethernet link in an MC-LAG up for a
peer that has limited LACP capability (EX9200)—Starting with Junos OS Release
16.1R1, you can configure an aggregated Ethernet link or an interface in an MC-LAG
topology to remain up even when the peer link or peer interface has limited Link Access
Control Protocol (LACP) capability.
To enable this feature, configure the force-up statement at the [edit interfaces
interface-name ether-options 802.3ad lacp] hierarchy level.
[See Forcing MC-LAG Links or Interfaces with Limited LACP Capability to Be Up.]
•
Configuration consistency check for multichassis link aggregation groups
(EX9200)—Starting with Junos OS Release 16.1R1, use configuration consistency
checks, which are enabled by default, to find configuration-parameter inconsistencies
between multichassis link aggregation group (MC-LAG) peers. Severe inconsistencies
prevent MC-LAG interfaces from coming up; the interfaces come up after you correct
those inconsistencies. Moderate inconsistencies generate error messages, and you
can optionally fix those inconsistencies. At each commit, the configuration on each
MC-LAG peer is checked. Use show multichassis configuration-consistency
list-of-parameters to view which parameters are checked and which parameters must
be configured identically or uniquely across MC-LAG peers. Use show multichassis
configuration-consistency redundancy-group-id redundancy-group-id (global | icl |
mc-ae-id mc-ae-id) to see the consistency status for a given mc-ae ID.
[See Understanding Multichassis Link Aggregation Group Configuration Consistency
Check.]
•
Configuration synchronization for multichassis link aggregation groups
(EX9200)—Starting with Junos OS Release 16.1R1, multichassis link aggregation group
(MC-LAG) configuration synchronization enables you to easily propagate, synchronize,
and commit configurations from one MC-LAG peer to another. Log in to either peer to
manage both, and use configuration groups to simplify the configuration process. You
can create one configuration group each for the local peer and the remote peer, and
a global configuration common to both peers.
Create conditional groups to specify when peer configurations are synchronized. Enable
peers-synchronize at the [edit system commit] hierarchy to synchronize configurations
and commits across peers by default. NETCONF over SSH provides a secure connection
between peers; Secure Copy Protocol (SCP) copies configurations securely between
them.
•
A limited encryption Junos OS image, Junos Limited, created for customers in
Armenia, Belarus, Kazakhstan, Kyrgyzstan, and Russia (EX9200)—Starting with
Junos OS Release 16.1R1, customers in the Eurasian Customs Union (comprising Armenia,
Belarus, Kazakhstan, Kyrgyzstan, and Russia) must use the limited encryption Junos
OS image, Junos Limited, instead of the Junos Worldwide image, on EX9200 switches.
The Junos Limited image does not have data-plane encryption and is intended only
for countries in the Eurasian Customs Union, because these countries have import
restrictions on software that has data-plane encryption. Unlike the Junos Worldwide
image, the Junos Limited image supports control-plane encryption through the protocols
SSH and SSL, thus enabling secure management of the system.
NOTE: Customers in Armenia, Belarus, Kazakhstan, Kyrgyzstan, and Russia
must use the limited encryption Junos Limited image. Customers in all other
countries must use the Junos image, introduced in Release 15.1R1 to replace
the Junos Domestic image.
Management
•
YANG module that defines Junos OS operational commands (EX9200)—Starting
with Junos OS Release 16.1R1, Juniper Networks provides the juniper-command YANG
module, which represents the operational command hierarchy and collective group of
modules that define the remote procedure calls (RPCs) for Junos OS operational mode
commands. You can download Juniper Networks YANG modules from the website, or
you can generate the modules by using the show system schema format yang module
juniper-command operational command on the local device. The juniper-command
module is bound to the namespace URI http://yang.juniper.net/yang/1.1/jrpc and uses
the prefix jrpc.
[See Understanding the Juniper Networks YANG Modules for Operational Commands.]
•
YANG module that defines CLI formatting for RPC output (EX9200)—Starting with
Junos OS Release 16.1R1, Juniper Networks provides the junos-extension-odl YANG
module. The module contains definitions for Junos OS Output Definition Language
(ODL) statements, which determine the CLI formatting for RPC output when you
execute the operational command corresponding to that RPC in the CLI or when you
request the RPC output in text format. You can use statements in the
junos-extension-odl module in custom RPCs to convert the XML output into a more
logical and human-readable representation of the data. The junos-extension-odl module
is bound to the namespace URI http://yang.juniper.net/yang/1.1/jodl and uses the
prefix junos-odl.
[See Understanding Junos OS YANG Extensions for Formatting RPC Output.]
Multicast
•
MLD snooping versions 1 and 2 (EX4300)—Starting with Junos OS Release 16.1R1,
EX4300 switches support Multicast Listener Discovery (MLD) snooping version 1
(MLDv1) and version 2 (MLDv2). MLD snooping constrains the flooding of IPv6 multicast
traffic on VLANs. When MLD snooping is enabled on a VLAN, an EX4300 switch
examines MLD messages between hosts and multicast routers and learns which hosts
are interested in receiving traffic for a multicast group. On the basis of what it learns,
the switch forwards multicast traffic only to those interfaces in the VLAN that are
connected to interested receivers instead of flooding the traffic to all interfaces.
•
IPv6 PIM support (EX4300)—Starting with Junos OS Release 16.1R1, EX4300 switches
support Protocol Independent Multicast (PIM) for IPv6. The EX4300 switches support
the following IPv6 PIM modes:
•
Sparse mode
•
Dense mode
•
Sparse-dense mode
•
Source-specific mode (SSM)
PIM sparse mode supports the following rendezvous point (RP) functionality:
•
Static RP addresses
•
Bootstrap routers
•
Automatic RP announcement and discovery
•
Embedded RPs
•
Anycast RP
[See PIM Overview.]
Network Management and Monitoring
•
Sampling VXLAN traffic (EX9200)—Starting with Junos OS Release 16.1R1, on EX9200
switches, you can use sFlow technology to sample 128 bytes of a VXLAN packet starting
from the outer IP header. When configuring sFlow technology, you must specify an
interface on which VXLAN packets enter or exit.
•
Ingress packets sampled before encapsulation—At this stage, sampled packets do
not have an outer IP header. Outer Layer 2, Layer 3, and VXLAN network identifier
(VNI) information are added to the packets as an sFlow extended header.
•
Ingress packets sampled before de-encapsulation—At this stage, sampled packets
have an outer IP header. An sFlow extended header is added for an inner header
offset.
•
Egress packets sampled after encapsulation—At this stage, sampled packets have
an outer IP header. An sFlow extended header is added for an inner header offset.
•
Egress packets sampled after de-encapsulation—At this stage, sampled packets
do not have an outer IP header. Outer Layer 2, Layer 3, and VNI information are added
to the packets as an sFlow extended header.
•
Support for IPv6 for sFlow Monitoring (EX9200)—Starting with Junos OS Release
16.1R1, on EX9200 switches, sFlow technology supports configuration of IPv6 addresses
in addition to the existing IPv4 address support.
Port Security
•
Media Access Control Security (MACsec) support (EX9200 switches)—Starting
with Junos OS Release 16.1R1, MACsec is supported on all SFP and SFP+ interfaces on
the EX9200-40XS line card when it is installed in an EX9200 switch. MACsec is an
industry-standard security technology that provides secure communication for all
traffic on point-to-point Ethernet links. MACsec is capable of identifying and preventing
most security threats, and can be used in combination with other security protocols
to provide end-to-end network security. MACsec can be enabled only on domestic
versions of Junos OS software. MACsec is standardized in IEEE 802.1AE.
[See Understanding Media Access Control Security (MACsec)].
•
IPv6 Router Advertisement (RA) Guard (EX4300)—Starting with Junos OS Release
16.1R1 for EX Series switches, IPv6 RA guard is supported on EX4300 switches. RA
guard protects networks against rogue RA messages generated either maliciously or
unintentionally by unauthorized or improperly configured routers connecting to the
network segment. RA guard works by validating RA messages based on whether they
meet certain criteria, which is configured on the switch as a policy. RA guard inspects
the RA message and compares the information contained in the message attributes
to the policy. Depending on the policy, RA guard either drops or forwards the RA
messages that match the conditions.
[See Understanding IPv6 Router Advertisement Guard].
•
Lightweight DHCPv6 Relay Agent (LDRA) (EX4300 and EX9200)—Starting with
Junos OS Release 16.1R3 for EX Series switches, you can configure a Lightweight
DHCPv6 Relay Agent (LDRA) to include relay-agent information in messages sent
from a DHCPv6 client to a server or to another relay agent on the same IPv6 link. When
the LDRA receives a DHCPv6 Solicit message from a client, it encapsulates that
message within a DHCPv6 Relay-Forward message, which it then forwards to the
server or to another relay agent. Before it forwards the Relay-Forward message, the
LDRA can also insert DHCPv6 options in the message. These options contain
information that the server uses to assign IP addresses, prefixes, and other configuration
parameters to the client.
[See Enabling DHCPv6 options Using a Lightweight DHCPv6 Relay Agent (LDRA)].
Routing Policy and Firewall Filters
•
Filter-based forwarding for IPv6 traffic (EX4300 switches and EX4300 Virtual
Chassis)—Starting with Junos OS Release 16.1R1, standalone EX4300 switches and
EX4300 Virtual Chassis support the use of firewall filters in conjunction with virtual
routing instances, enabling you to specify different routes for IPv6 traffic to traverse
through the network. To set up this feature, called filter-based forwarding, you specify
a firewall filter and match criteria and then specify the virtual routing instance to send
packets to.
You can use filter-based forwarding to route IPv6 traffic through a firewall or security
device before the traffic continues on its path. You can also use filter-based forwarding
to give IPv6 traffic preferential treatment or to improve load balancing of switch traffic.
•
Filtering and policing VXLAN traffic (EX9200)—Starting with Junos OS Release 16.1R1,
on EX9200 switches, you can filter and police VXLAN traffic in the following ways:
•
Per-VXLAN network identifier (VNI) filtering and policing—You can create a firewall
filter that matches the VNI of a VXLAN segment. To rate-limit traffic for the VXLAN
segment, you can specify policer as the action in the firewall filter. To rate-limit traffic
exiting the VXLAN segment, you must apply the filter to the input traffic for the
VXLAN. To rate-limit traffic entering the VXLAN segment, you must apply the filter
to the output traffic for the VXLAN.
•
Per-virtual tunneling endpoint (VTEP) filtering and policing—To perform per-VTEP
filtering, you create a firewall filter with one or more match conditions. In addition,
you can create a dynamic profile for each dynamically created VTEP interface to
filter input or output traffic. You can also create a default profile for interfaces that
are not included in a dynamic profile.
For the packets that match the per-VTEP filter, you can rate-limit the traffic for a
dynamically created VTEP interface by specifying policer as the action in the firewall
filter.
•
Filtering and policing based on outer header—You can create a firewall filter that
matches the outer IP and UDP header contents of a VXLAN packet. When configuring
this firewall filter, you must specify family inet and apply the filter to an interface on
which VXLAN packets enter or exit. For the packets that match the filter, you can
rate-limit traffic for the interface by specifying policer as the action in the firewall
filter.
Software-Defined Networking
•
Support for ping and traceroute (EX9200) in troubleshooting overlay
networks—Starting with Junos OS Release 16.1R1, EX9200 switches support overlay
ping and traceroute as troubleshooting tools for overlay networks such as Virtual
Extensible LANs (VXLANs). For ping and traceroute mechanisms to work in overlay
networks, the ping and traceroute packets, also referred to collectively as the
Operations, Administration, and Maintenance (OAM) packets, must be encapsulated
with the same tunnel headers (outer headers) as the data packets forwarded over the
overlay segment. The OAM packets then follow the same path as the data packets
for the overlay segment. If any connectivity issues arise in the overlay segment, an OAM
packet corresponding to a flow experiences the same connectivity issues as a data
packet for that flow. OAM packets can collect detailed information specific to an
overlay segment, and as a result, connectivity issues in the overlay network can be
better detected.
User Interface and Configuration
•
Support for JSON format for configuration data (EX4300, EX4600,
EX9200)–Starting with Junos OS Release 16.1, you can configure devices running Junos
OS using configuration data in JavaScript Object Notation (JSON) format in addition
to the existing text, Junos XML, and Junos OS set command formats. You can load
configuration data in JSON format in the Junos OS CLI by using the load (merge | override
| update) json command or from within a NETCONF or Junos XML protocol session by
using the <load-configuration format="json"> operation. You can load JSON
configuration data either from an existing file or as a data stream. Configuration data
that is provided as a data stream must be enclosed in a <configuration-json> element.
[See load, Defining the Format of Configuration Data to Upload in a Junos XML Protocol
Session, and Mapping Junos OS Configuration Statements to JSON.]
VPNs
•
Support for Layer 2 VPNs (EX9200)—Starting with Junos OS Release 16.1R1, EX9200
switches support Layer 2 VPNs, allowing you to securely connect geographically diverse
sites across an MPLS network. Implementing a Layer 2 VPN on the switch is similar to
using other Layer 2 technologies, such as Asynchronous Transfer Mode (ATM) or Frame
Relay. However, with Layer 2 VPNs, traffic is forwarded by the customer’s customer
edge (CE) switch to the service provider’s provider edge (PE) switch in Layer 2 format.
It is carried by MPLS over the service provider’s network and then converted back to
Layer 2 format at the receiving site. Layer 2 VPNs provide complete separation between
the service provider network and the customer network. This means that provider edge
(PE) devices and customer edge (CE) devices do not exchange routing information,
giving the customer full control over routing.
[See Layer 2 VPNs Feature Guide for EX9200 Switches.]
Related Documentation
•
Changes in Behavior and Syntax
•
Known Behavior
•
Known Issues
•
Resolved Issues
•
Documentation Updates
•
Migration, Upgrade, and Downgrade Instructions
•
Product Compatibility
Changes in Behavior and Syntax
This section lists the changes in behavior of Junos OS features and changes in the syntax
of Junos OS statements and commands from Junos OS Release 16.1R4 for the EX Series.
•
Authentication and Access Control
•
General Routing
•
Management
•
Security
•
User Interface and Configuration
Authentication and Access Control
•
Starting with Junos OS Release 16.1R1, system services ssh root-login deny-password
is the default option for controlling root login through SSH. In previous releases,
system services ssh root-login allow was the default option. You must now explicitly
configure set system services ssh root-login allow to allow users to log in to the
device as root through SSH.
General Routing
•
Enhancement to request support information command—Starting with Junos OS
Release 16.1R1, the request support information command is enhanced to capture the
following additional details:
•
file list detail /var/rundb/—Displays the size of the configuration databases.
•
show system configuration database usage—Displays the actual usage of the
configuration databases.
NOTE: This information will be displayed only if the show system
configuration database usage command is supported in the release.
•
file list detail /config/—Contains the db_ext file and shows the size of it to indicate
whether extend_size is enabled or disabled.
•
New option introduced under show | display xml | display—Starting with Junos OS
16.1R1, you can use the show | display xml | display | mark-changed statement to view
the mark-changed status of the nodes. This is useful for debugging purposes.
•
Modified output of the clear services sessions | display xml command (MX Series)—In
Junos OS Release 16.1, the output of the clear services sessions | display xml command
is modified to include the <sess-marked-for-deletion> tag instead of the <sess-removed>
tag. In releases before Junos OS Release 14.1X55-D30, the output of this command
includes the <sess-removed> tag. The replacement of the <sess-removed> tag with
the <sess-marked-for-deletion> tag establishes consistency with the output of the
clear services sessions command that includes the field Sessions marked for deletion.
Management
•
Support for status deprecated statement in YANG modules (EX Series)—Starting
with Junos OS Release 16.1R3, Juniper Networks YANG modules include the status
deprecated statement to indicate configuration statements, commands, and options
that are deprecated.
Security
•
Changes to DDoS protection protocol group and packet type support
(EX9200)—Starting with Junos OS Release 16.1, the following changes have been
made to the protocols statement at the [edit system ddos-protection] hierarchy level
and to the output of the show ddos-protection protocols command:
•
Removed the firewall-host protocol group.
•
Removed the unclassified packet type from the mcast-snoop protocol group.
•
Added the unclassified packet type to the tcp-flags protocol group.
User Interface and Configuration
•
New default implementation for serialization for JSON configuration data (EX
Series)—Starting with Junos OS Release 16.1, the default implementation for
serialization for configuration data emitted in JavaScript Object Notation (JSON) has
changed. The new default is as defined in Internet drafts
draft-ietf-netmod-yang-json-09, JSON Encoding of Data Modeled with YANG, and
draft-ietf-netmod-yang-metadata-06, Defining and Using Metadata with YANG.
[See Mapping Junos OS Configuration Statements to JSON.]
•
output-file-name option for show system schema command is deprecated (EX
Series)—Starting with Junos OS Release 16.1, the output-file-name option for the show
system schema operational command is deprecated. To direct the output to a file, use
the output-directory option and specify the directory. By default, the filename for the
output file uses the module name as the filename base and the format as the filename
extension. If you also include the module-name option in the command, the specified
module name is used for both the name of the generated module and for the filename
base for the output file.
[See show system schema.]
•
Integers in configuration data in JSON format are displayed without quotation marks
(EX Series)—Starting in Junos OS Release 16.1R4, integers in Junos OS configuration
data emitted in JavaScript Object Notation (JSON) format are not enclosed in quotation
marks. Prior to Junos OS Release 16.1R4, integers in JSON configuration data were
treated as strings and enclosed in quotation marks.
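The root-login default change under Authentication and Access Control and the integer-quoting change above both affect anyone who audits exported JSON configuration across releases. The following Python sketch is an added example, not Juniper code: the JSON layout (statement hierarchy mapped to nested objects), the connection-limit and rate-limit leaves, the sample exports, and all function names are assumptions made for illustration.

```python
import json
import re

# Constructed sample exports (not captured from a device). Assumption: the
# JSON layout mirrors the statement hierarchy system > services > ssh.
EXPORT_QUOTED_INTS = """
{"configuration": {"system": {"services": {"ssh": {
    "connection-limit": "10", "rate-limit": "5"}}}}}
"""
EXPORT_BARE_INTS = """
{"configuration": {"system": {"services": {"ssh": {
    "root-login": "allow", "connection-limit": 10, "rate-limit": 5}}}}}
"""


def parse_release(release):
    """Return (major, minor) from a release string such as '16.1R4'."""
    match = re.match(r"(\d+)\.(\d+)", release.strip())
    if match is None:
        raise ValueError(f"unrecognised release string: {release!r}")
    return int(match.group(1)), int(match.group(2))


def default_root_login(release):
    """Default per these release notes: deny-password from 16.1R1, allow before."""
    return "deny-password" if parse_release(release) >= (16, 1) else "allow"


def as_int(value):
    """Accept an integer leaf as 10 (16.1R4 and later) or "10" (earlier)."""
    if isinstance(value, bool):
        raise TypeError("boolean is not an integer leaf")
    if isinstance(value, int):
        return value
    if isinstance(value, str) and re.fullmatch(r"-?\d+", value):
        return int(value)
    raise ValueError(f"not an integer leaf: {value!r}")


def audit_ssh(export_text, release):
    """Report the effective SSH root-login setting for one exported config."""
    config = json.loads(export_text).get("configuration", {})
    ssh = config.get("system", {}).get("services", {}).get("ssh")
    if ssh is None:
        return {"ssh_configured": False}
    if not isinstance(ssh, dict):  # statement present but with no child settings
        ssh = {}
    explicit = ssh.get("root-login")
    # With no explicit statement, the release default decides the outcome.
    effective = explicit if explicit is not None else default_root_login(release)
    limits = {
        key: as_int(ssh[key])
        for key in ("connection-limit", "rate-limit")
        if key in ssh
    }
    return {
        "ssh_configured": True,
        "root_login": effective,
        "root_login_explicit": explicit is not None,
        # Only 'allow' lets root authenticate with a password over SSH.
        "root_password_login": effective == "allow",
        "limits": limits,
    }


if __name__ == "__main__":
    for release, text in (("15.1R3", EXPORT_QUOTED_INTS),
                          ("16.1R3", EXPORT_QUOTED_INTS),
                          ("16.1R4", EXPORT_BARE_INTS)):
        print(release, audit_ssh(text, release))
```

The same export with no root-login statement audits as allow on 15.1R3 and as deny-password on 16.1R3, which is the case to check before and after an upgrade.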
Related Documentation
•
New and Changed Features
•
Known Behavior
•
Known Issues
•
Resolved Issues
•
Documentation Updates
•
Migration, Upgrade, and Downgrade Instructions
•
Product Compatibility
Known Behavior
This section lists known behavior, system maximums, and limitations in hardware and
software in Junos OS Release 16.1R4 for the EX Series.
For the most complete and latest information about known Junos OS defects, use the
Juniper Networks online Junos Problem Report Search application.
•
Authentication and Access Control
•
Interfaces and Chassis
•
Layer 2 Features
•
Multicast
•
Platform and Infrastructure
•
Port Security
•
Security
•
Software Installation and Upgrade
•
User Interface and Configuration
Authentication and Access Control
•
On EX Series and QFX Series switches, RADIUS authentication might fail when the
switch receives an access-accept message containing another vendor’s vendor-specific
attribute (VSA). PR1095197
Interfaces and Chassis
•
If an Inter-Chassis Control Protocol (ICCP) interface on an EX9200 switch in an MC-LAG
active-active topology is disabled and then reenabled, traffic might be dropped for
more than 2 seconds. PR1173923
•
On EX9200 switches with MC-LAG configuration consistency check enabled and with
conflicting authentication types for VRRP groups on the peer nodes of the MC-LAG,
all mc-ae interfaces might go down even if the mc-ae interfaces are not members of
the VLAN that has the conflict. PR1085664
Layer 2 Features
•
On EX Series switches that support Enhanced Layer 2 Software (ELS), when an interface
is removed from a private VLAN (PVLAN) and then added back, the corresponding
MAC entry might not be deleted from the Ethernet table. PR1036265
•
On EX9200 switches, for a MAC limit configured with a packet action of log, a packet
drop might occur when interface-mac-limit is configured with mac-table-size on a
specific VLAN or on a global VLAN hierarchy. PR1076546
Multicast
•
On EX4600 and QFX Series switches, IGMP snooping might not be enabled after you
reboot the switch. Running a nonstop software upgrade (NSSU) on the switch might
also cause the same issue. PR1082453
Platform and Infrastructure
•
On EX4300 switches, if multicast data packets that fail an RPF check are received on
a nonshared tree, the packets might be trapped on the Routing Engine at a high rate,
causing poor PIM convergence. PR911649
•
On EX4300 switches, in egress router-based firewall filters, IPv6 Layer 4 headers
(icmp-type) might not work. PR912483
•
EX4300 switches do not support power negotiation based on LLDP-MED. Because of
this, some access points that use LLDP-MED for negotiating PoE 802.3at do not work.
PR1125374
•
Because of the factory default file that gets activated after zeroizing, an EX4300 can
contain more interfaces to cater to a 10-member Virtual Chassis default configuration,
even if the interfaces are not physically there or if there is only a standalone device.
PR1238848
Port Security
•
On EX4300 switches, if either storm-control or storm-control-profiles with
action-shutdown is configured, and if the storm-triggered traffic is control traffic such
as LACP, then the physical interface might be put into an STP blocking state rather
than turned down. Hence, valid control traffic might be trapped to the control plane
and unrelated interfaces might be set down because of an LACP timeout. PR1130099
Security
•
On EX4300 and EX4600 switches, if a remote analyzer has an output IP address that
is reachable through a route learned by BGP, the analyzer might be in a DOWN state.
PR1007963
•
On EX9200 switches, analyzer configurations with analyzer input and output stanzas
containing members of the same VLAN or the VLAN itself are not supported. With such
configurations, packets can mirror in a loop, resulting in LUCHIP errors. As a workaround,
use the mirror-once option if the input is for ingress mirroring. If it is for both ingress and
egress mirroring, configure the output interface as an access interface. PR1068405
•
On EX4600 switches, when LACP is configured together with MACsec, the links in the
bundle might not all work. Rebooting the switch might solve the problematic links but
might also create the same issue on other child interfaces. PR1093295
Software Installation and Upgrade
•
On EX4300 switches, traffic might be lost for Layer 3 protocols (such as RIP, OSPF,
BGP, and VRRP) during a nonstop system upgrade (NSSU). PR1065405
•
During a unified ISSU upgrade of an EX9200 switch, BGPv6, OSPFv6, RIPng, and
multicast traffic might be dropped for approximately 30 seconds. PR1195439
•
During a nonstop software upgrade (NSSU) on an EX4300, or an EX4600, or a QFX5100
Virtual Chassis, a traffic loop or loss might occur if the Junos OS software version that
you are upgrading from and the Junos OS software version that you are upgrading to use
different internal message formats. PR1123764
•
On an EX4300 or a QFX5100 Virtual Chassis, when you perform an NSSU, there might
be more than five seconds of traffic loss for multicast traffic. PR1125155
User Interface and Configuration
•
On EX9200 Virtual Chassis, commit errors might occur if commits are done frequently.
PR1188816
Related Documentation
•
New and Changed Features
•
Changes in Behavior and Syntax
•
Known Issues
•
Resolved Issues
•
Documentation Updates
•
Migration, Upgrade, and Downgrade Instructions
•
Product Compatibility
Known Issues
This section lists the known issues in hardware and software in Junos OS Release 16.1R4
for the EX Series.
For the most complete and latest information about known Junos OS defects, use the
Juniper Networks online Junos Problem Report Search application.
•
Authentication and Access Control
•
Firewall Filters
•
Interfaces and Chassis
•
Layer 2 Features
•
Platform and Infrastructure
•
Port Security
•
Software Installation and Upgrade
Authentication and Access Control
•
On EX4300 switches, when 802.1X single-supplicant authentication is initiated, multiple
EAP Request Id Frame Sent packets might be sent. PR1163966
•
Changing the 802.1X (dot1x) supplicant mode from single-secure to multiple on
interfaces of an EX9200-40XS line card might generate FPC core files. PR1198463
Firewall Filters
•
On an EX4300 egress VLAN-based firewall filter on a Q-in-Q interface, after a switch
reboot, firewall counters might not increment as expected. PR1165450
•
Sending line-rate traffic on 10G interfaces of an EX9200-40XS line card that has an
ingress router firewall filter configured with actions log and syslog might generate FPC
kernel core files. PR1191397
Interfaces and Chassis
•
On QFX5100 and EX4600 switches, a long ICMP delay might occur when you attempt
to ping a directly connected integrated routing and bridging (IRB) interface. PR966905
•
On EX4300 switches, after disabling MC-LAG member interfaces, more than 3 seconds
of traffic loss might occur. PR1164228
•
On an EX9200-12QS line card, interfaces with the default speed of 10G are not brought
down even when the remote end of a connection is misconfigured as 40G. PR1175918
•
Restarting an EX9200-40XS card with MC-LAG ICL, ICCP, and MC-AE interfaces
configured on different interfaces of the same EX9200-40XS card might cause the
system to shut down. PR1183135
•
On EX4300 Virtual Chassis, Layer 2 multicast might not work properly when both
Layer 2 and Layer 3 entries are present for the same group on two different integrated
routing and bridging (IRB) interfaces. PR1183531
•
Mismatches of ICL physical interface or logical interface mandatory parameters are
not detected by the MC-LAG configuration consistency check feature on EX9200
switches. PR1191197
Layer 2 Features
•
On EX4300 switches, starting with Junos OS Release 15.1R3, a pfex_junos core might
be generated when you add or delete a native VLAN configuration with
flexible-vlan-tagging. PR1089483
Platform and Infrastructure
•
On EX9200 switches, SNMP queries to retrieve jnxRpmResSumPercentLost return the
RPM/TWAMP probe loss percentage as an integer value, whereas the precise value
(including decimal points) can be retrieved through the CLI by using the show services
rpm probe-results and show services rpm twamp client probe-results commands.
PR1104897
Port Security
•
On an EX9200-6QS line card, storm control might not work for multicast traffic.
PR1191611
•
On an EX9200-40XS line card, if you toggle the MACsec encryption option multiple
times, encryption and protected MACsec statistics might be updated incorrectly. As
a workaround, restart the line card. PR1185659
Software Installation and Upgrade
•
When performing a unified ISSU (FRU upgrade) on EX9200-40T, EX9200-40F,
EX9200-40F-M, EX9200-32XS, EX9200-2C-8XS, and EX9200-4QS line cards, an
issue occurs with the buffer size in the line cards. As a result, the unified ISSU cannot
be performed on EX9200 switches with these line cards. PR1175240
•
After a unified ISSU upgrade from Junos OS Release 15.1R3 to Junos OS Release 16.1
on EX4600 and QFX5100 switches, LLDP neighbor discovery might fail. PR1187729
Related Documentation
•
New and Changed Features
•
Changes in Behavior and Syntax
•
Known Behavior
•
Resolved Issues
•
Documentation Updates
•
Migration, Upgrade, and Downgrade Instructions
•
Product Compatibility
Resolved Issues
This section lists the issues fixed in the Junos OS main release and the maintenance
releases.
For the most complete and latest information about known Junos OS defects, use the
Juniper online Junos Problem Report Search application.
•
Resolved Issues: 16.1R4
•
Resolved Issues: 16.1R3
Resolved Issues: 16.1R4
•
Authentication and Access Control
•
Firewall Filters
•
Hardware
•
High Availability (HA) and Resiliency
•
Infrastructure
•
Interfaces and Chassis
•
Multicast Protocols
•
Platform and Infrastructure
•
Virtual Chassis
Authentication and Access Control
•
On EX4300 switches, dot1x server fail might not work as expected. PR1147894
•
On EX4300 and EX9200 switches, in dot1x scenarios involving single-supplicant mode,
mac-radius and server-fail deny or no server-fail action configured, the supplicant
authentication sessions might not recover after the Quiet While timer expires after it
enters the Held state. As a workaround, disable and enable the interface to bring the
authentication session back to the Connecting state. PR1193944
•
On EX9200 Virtual Chassis, MAC address learning might fail on an authenticated
interface assigned to a voice VLAN by dynamic VLAN assignment in single-secure
mode. PR1212826
•
On EX9200 switches, a MAC address corresponding to an authenticated session (dot1x)
might age out as soon as traffic is not received from this MAC address for more than
a few seconds (approximately 10 seconds). This leads to deletion of the authenticated
session and a corresponding traffic loss. As a workaround, you can prevent the session
deletion by configuring the no-mac-table-binding statement in the dot1x configuration.
PR1233261
Firewall Filters
•
On EX4300 switches, if you configure a firewall filter on a loopback (lo0) interface to
accept BGP flow and another term with the discard action, and the switch receives
host-inbound traffic with a designated TCP port 179 to the Routing Engine, existing
BGP sessions might go down. PR1090033
•
On EX4300 switches, if you configure a firewall filter policer with action forwarding-class
on an egress filter, the software might allow the configuration to commit although that
action is not supported. PR1104868
•
On EX9200 switches, if a firewall filter that has action tcp-reset is applied to an IRB
interface, action tcp-reset does not work properly. PR1219953
•
On EX4300 switches, a firewall filter might not be programmed correctly when multiple
action modifiers (such as forwarding-class, priority, loss-priority) are performed in the
same firewall filter term. PR1203251
•
On an EX4300, if you install a firewall filter with filter-based forwarding rules to multiple
bind points, it might exhaust the available TCAM, deleting the filter from all the bind
points. As a workaround, apply the filter to the bind points with a series of commits,
applying the filter to some of the bind points with each commit. PR1214151
•
On EX4300 switches, EBGP packets with ttl=1 and non-EBGP packets with ttl=1,
whether destined for the device or even transit traffic, go to the same queue. In the
event of a heavy inflow of non-EBGP ttl=1 packets, occasionally valid EBGP packets
might be dropped, causing EBGP to flap. As a workaround, apply a firewall filter to lo0
to discard non-EBGP ttl=1 packets. PR1215863
•
On an EX4300 switch, a loopback policer might not work. PR1219946
Hardware
•
On an EX4600 switch, when you remove the 40GBASE-ER4 QSFP+ module, the show
chassis hardware command still shows that the module is inserted. PR1208805
High Availability (HA) and Resiliency
•
On an EX4300 Virtual Chassis, when a switchover with GRES enabled is performed,
this warning might appear: All Packet Forwarding Engines are not ready for RE
switchover and may be reset. PR1158881
Infrastructure
•
On EX4600 and QFX5100 switches that are configured with native-vlan-id, the switch
sends untagged traffic. But if you delete native-vlan-id, the switch keeps sending
untagged traffic. PR1186436
•
On an EX Series or QFX Series Virtual Chassis, during an upgrade, failover, or switchover
operation on the backup Routing Engine member, you might see vmcore and ksyncd
core files generated and see the log message /kernel: Nexthop index allocation failed:
regular index space exhausted. PR1212075
•
On EX4300 switches with DHCP relay configured, DHCP return packets—for example,
DHCPREPLY and DHCPOFFER—that are received across a GRE tunnel might not be
forwarded to clients, which can impact DHCP services. PR1226868
•
On EX4300 Virtual Chassis, DHCPv6 binding might not work with a lightweight DHCPv6
relay agent (LDRA) configuration. PR1227938
Interfaces and Chassis
•
On an EX4300 switch or an EX4300 Virtual Chassis that has a generic routing
encapsulation (GRE) tunnel configured on an integrated routing and bridging interface
(IRB), the associated GRE statistical counters might not be updated after the GRE
interface is deactivated and then reactivated. PR1183521
•
On EX9200 switches, the interface fxp0 might flap after certain commits; this
might disrupt normal out-of-band management. PR1213171
•
On an EX9200 switch with MC-LAG, when the enhanced-convergence statement is
enabled, and when the kernel sends a next-hop message to the Packet Forwarding
Engine, the full Layer 2 header is not sent and a packet might be generated with an
invalid source MAC address for some VLANs. PR1223662
•
On EX4600 switches, when temperatures for FPCs are polled, the temperatures might
not be polled for all SNMP members. PR1232911
Multicast Protocols
•
On EX4300 switches with IGMP snooping enabled with flexible-vlan-tagging configured
on ingress and egress interfaces for passthrough multicast traffic, IGMPv2 membership
report messages might not be forwarded from the receiver to the sender. PR1175954
•
On EX4300, EX4600, and QFX5100 switches in a Virtual Chassis configuration, IPv6
multicast packets might not be flooded in a VLAN if IGMP snooping is enabled and the
ingress interface is on a different FPC than the egress interface. PR1205416
•
On EX4300 switches and EX4300 Virtual Chassis, Hot Standby Router Protocol (HSRP)
packets might be dropped in a VLAN if IGMP snooping is configured. As a workaround,
configure the switch to flood multicast 224.0.0.2. PR1211440
Platform and Infrastructure
•
On EX9200 switches, SNMP queries to retrieve jnxRpmResSumPercentLost return the
RPM/TWAMP probe loss percentage as an integer value, whereas the precise value
(including decimal points) can be retrieved through the CLI by using the show services
rpm probe-results and show services rpm twamp client probe-results commands.
PR1104897
•
On EX4300 switches and EX4300 Virtual Chassis, PIM register messages are not
forwarded to a rendezvous point (RP) when the RP is not directly connected to the
first-hop router of the multicast source. PR1134235
•
On an EX4300 Virtual Chassis with Q-in-Q enabled, when vlan-id-list is configured on
a C-VLAN interface and, for example, if the VLAN range vlist element is in [1-3] or
[5-50], C-VLAN traffic is not sent properly across the Q-in-Q network from the C-VLAN
interface. PR1159854
•
On EX4300 switches, when xSTP is configured, if you unplug a loopback cable between
ports of different FPCs and then plug it back in, the interface might go down and a
BPDU error might be detected on this port, causing traffic to drop on another egress
port. As a workaround, clear the Ethernet-switching table. PR1160114
•
When you install an SFP in an operating EX4300 switch, the SFP might be recognized
as either unsupported or as an SFP+-10G. As a workaround, reboot the switch.
PR1202730
•
When set vlans xxx interface all is configured on EX4300, EX4600, or QFX Series
switches, the Junos device control process (dcd) might crash as this is an unsupported
configuration on these platforms. PR1221803
•
On EX4300 switches, if a Layer 3 interface receives a frame with the CFI/DEI bit set to
1, this frame might be dropped and not be processed further. PR1237945
Virtual Chassis
•
On EX4300 Virtual Chassis, a message such as /kernel: %KERN-5: tcp_timer_keep:
Dropping socket connection due to keepalive timer expiration might be seen repeatedly.
There is no service impact from the condition that causes the message (a Packet
Forwarding Engine timeout trying to connect to a daemon that is not active). As a
workaround, you can use a system-logging (syslog) filter to mask the messages.
PR1209847
Resolved Issues: 16.1R3
•
Firewall Filters
•
Interfaces and Chassis
•
Layer 2 Features
•
Network Analytics
•
Platform and Infrastructure
•
Port Security
•
Routing Protocols
Firewall Filters
•
On EX4600 switches, when traffic enters an MPLS interface and is destined to the
loopback interface in the routing instance, the firewall filter might not work properly.
PR1205626
Interfaces and Chassis
•
PoE might not work on all EX4300 ports on a mixed-mode Virtual Chassis (mixed-mode
EX4600 and EX4300 or mixed-mode QFX5100). PR1195946
Layer 2 Features
•
On EX9200, EX4300, and EX4600 switches on which any type of spanning-tree
protocol (STP, RSTP, MSTP, or VSTP) is configured, the MAC address part of the bridge
ID might be set to all zeros (for example, 4096.00:00:00:00:00:00) after you power
cycle the device without issuing the request system halt command. As a workaround,
issue the restart l2-learning command. PR1201293
•
On EX4300, EX4600, and EX9200 switches, if set protocols xstp interface all edge is
configured in combination with set protocols xstp bpdu-block-on-edge, interfaces do
not go down (transition into Disabled - Bpdu-Inconsistent) when they receive BPDUs;
they transition to nonedge. If an interface is configured specifically with set protocols
xstp interface interface-name edge, then when that interface receives a BPDU, it goes
down or transitions into Disabled - Bpdu-Inconsistent correctly. As a workaround,
configure set protocols layer2-control bpdu-block interface all. PR1210678
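A configuration audit for the condition described in PR1210678, for switches still running a release without the fix. This is an added example, not Juniper code: the function name, the result format, and the sample configurations are constructed for illustration, and it assumes the configuration is supplied in `display set` form, with xstp standing for stp, rstp, mstp, or vstp.

```python
import re

# "xstp" in the release note stands for any spanning-tree flavour.
XSTP = r"(stp|rstp|mstp|vstp)"

# set protocols <xstp> [vlan <id> ...] interface all edge
EDGE_ALL_RE = re.compile(rf"^set protocols {XSTP} (?:\S+ )*interface all edge$")
# set protocols <xstp> bpdu-block-on-edge
BLOCK_ON_EDGE_RE = re.compile(rf"^set protocols {XSTP} bpdu-block-on-edge$")
# Workaround named in the release note (trailing options are tolerated).
WORKAROUND = "set protocols layer2-control bpdu-block interface all"


def audit_bpdu_protection(config_text):
    """Flag protocols where 'interface all edge' is combined with
    'bpdu-block-on-edge', the combination in which edge ports turn
    nonedge on BPDU receipt instead of being disabled.

    Returns one dict per affected protocol; 'mitigated' is True when
    the layer2-control workaround is also present.
    Assumption: only 'set' lines are evaluated; 'deactivate' lines
    and inherited groups are not resolved.
    """
    all_edge = set()
    block_on_edge = set()
    workaround = False

    for raw in config_text.splitlines():
        line = " ".join(raw.split())  # normalise whitespace
        if line == WORKAROUND or line.startswith(WORKAROUND + " "):
            workaround = True
            continue
        match = EDGE_ALL_RE.match(line)
        if match:
            all_edge.add(match.group(1))
            continue
        match = BLOCK_ON_EDGE_RE.match(line)
        if match:
            block_on_edge.add(match.group(1))

    return [
        {"protocol": proto, "mitigated": workaround}
        for proto in sorted(all_edge & block_on_edge)
    ]


# Constructed sample configurations (not taken from a real device).
SAMPLE_AFFECTED = """
set protocols rstp interface all edge
set protocols rstp bpdu-block-on-edge
"""

SAMPLE_MITIGATED = SAMPLE_AFFECTED + (
    "set protocols layer2-control bpdu-block interface all\n"
)

# Edge set per interface: the release note says this case blocks correctly.
SAMPLE_EXPLICIT_EDGE = """
set protocols rstp interface ge-0/0/1 edge
set protocols rstp bpdu-block-on-edge
"""

if __name__ == "__main__":
    for name, cfg in [
        ("affected", SAMPLE_AFFECTED),
        ("mitigated", SAMPLE_MITIGATED),
        ("explicit edge", SAMPLE_EXPLICIT_EDGE),
    ]:
        print(name, audit_bpdu_protection(cfg))
```

A finding with `mitigated` set to False marks a configuration where BPDU blocking on edge ports is not being enforced as intended.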
Network Analytics
•
On EX4300 switches, although the network analytics feature is configured, the analytics
daemon might not run. As a result, the network analytics feature might be unable to
collect traffic and queue statistics and generate reports. PR1184720
Platform and Infrastructure
•
On EX4300 switches, if you configure a policer on the loopback filter, host-bound
traffic might drop even though the traffic does not exceed the specified limit. PR1196822
•
On EX9200 MC-LAG interfaces, broadcast, unknown unicast, and multicast (BUM)
traffic might not flood on random 10-Gigabit interfaces on an EX9200-32XS line card.
As a workaround, disable and then reenable the problem interfaces. PR1198653
•
On EX9200 switches, part of the configuration is not applied after a reboot when REST
is configured as in the following example:
services {
    ssh;
    rest {
        http {
            port 7000;
            addresses 1.1.1.1;
        }
    }
}
PR1212425
•
On EX4300 switches, if you activate DHCP security features for IPv6, a JDHCPD core
file might be generated. PR1212425
Port Security
•
On EX4300 switches, the routing table entry for an integrated routing and bridging
(IRB) interface on which a connection with a DHCPv6 server is configured might be
removed if the snooping device in the topology is configured with neighbor discovery
inspection. PR1201628
Routing Protocols
•
On EX4600 switches, the FXPC process might occasionally crash and restart, generating
a core file when an LPM route install fails. After the switch restarts, services are restored.
PR1212685
Related
Documentation
•
New and Changed Features on page 41
•
Changes in Behavior and Syntax on page 49
•
Known Behavior on page 51
•
Known Issues on page 53
•
Documentation Updates on page 61
•
Migration, Upgrade, and Downgrade Instructions on page 61
•
Product Compatibility on page 62
Documentation Updates
There are no errata or changes in Junos OS Release 16.1R4 for the EX Series switches
documentation.
Related
Documentation
•
New and Changed Features on page 41
•
Changes in Behavior and Syntax on page 49
•
Known Behavior on page 51
•
Known Issues on page 53
•
Resolved Issues on page 55
•
Migration, Upgrade, and Downgrade Instructions on page 61
•
Product Compatibility on page 62
Migration, Upgrade, and Downgrade Instructions
This section contains the upgrade and downgrade support policy for Junos OS for the
EX Series. Upgrading or downgrading Junos OS can take several hours, depending on the
size and configuration of the network. For information about software installation and
upgrade, see the Installation and Upgrade Guide.
•
Upgrade and Downgrade Support Policy for Junos OS Releases on page 61
Upgrade and Downgrade Support Policy for Junos OS Releases
Support for upgrades and downgrades that span more than three Junos OS releases at
a time is not provided, except for releases that are designated as Extended End-of-Life
(EEOL) releases. EEOL releases provide direct upgrade and downgrade paths—you can
upgrade directly from one EEOL release to the next EEOL release even though EEOL
releases generally occur in increments beyond three releases.
You can upgrade or downgrade to the EEOL release that occurs directly before or after
the currently installed EEOL release, or to two EEOL releases before or after. For example,
Junos OS Releases 14.1, 14.2, 15.1 and 16.1 are EEOL releases. You can upgrade from Junos
OS Release 14.1 to Release 15.1 or from Junos OS Release 15.1 to Release 16.2. However,
you cannot upgrade directly from a non-EEOL release that is more than three releases
ahead or behind.
To upgrade or downgrade from a non-EEOL release to a release more than three releases
before or after, first upgrade to the next EEOL release and then upgrade or downgrade
from that EEOL release to your target release.
For more information about EEOL releases and to review a list of EEOL releases, see
http://www.juniper.net/support/eol/junos.html.
Related
Documentation
•
New and Changed Features on page 41
•
Changes in Behavior and Syntax on page 49
•
Known Behavior on page 51
•
Known Issues on page 53
•
Resolved Issues on page 55
•
Documentation Updates on page 61
•
Product Compatibility on page 62
Product Compatibility
•
Hardware Compatibility on page 62
Hardware Compatibility
To obtain information about the components that are supported on the devices, and the
special compatibility guidelines with the release, see the Hardware Guide for the product.
To determine the features supported on EX Series switches in this release, use the Juniper
Networks Feature Explorer, a Web-based application that helps you to explore and
compare Junos OS feature information to find the right software release and hardware
platform for your network. Find Feature Explorer at
http://pathfinder.juniper.net/feature-explorer/.
Related
Documentation
•
New and Changed Features on page 41
•
Changes in Behavior and Syntax on page 49
•
Known Behavior on page 51
•
Known Issues on page 53
•
Resolved Issues on page 55
•
Documentation Updates on page 61
•
Migration, Upgrade, and Downgrade Instructions on page 61
Junos OS Release Notes for Junos Fusion Enterprise
These release notes accompany Junos OS Release 16.1R4 for Junos Fusion Enterprise.
Junos Fusion Enterprise is a Junos Fusion that uses EX9200 switches in the aggregation
device role. These release notes describe new and changed features, limitations, and
known problems in the hardware and software.
NOTE: For a complete list of all hardware and software requirements for a
Junos Fusion Enterprise, including which Juniper Networks devices can
function as satellite devices, see Understanding Junos Fusion Enterprise Software
and Hardware Requirements in the Junos Fusion Enterprise Feature Guide.
You can also find these release notes on the Juniper Networks Junos OS Documentation
webpage, located at http://www.juniper.net/techpubs/software/junos/.
•
New and Changed Features on page 63
•
Changes in Behavior and Syntax on page 65
•
Known Behavior on page 66
•
Known Issues on page 67
•
Resolved Issues on page 68
•
Documentation Updates on page 70
•
Migration, Upgrade, and Downgrade Instructions on page 70
•
Product Compatibility on page 77
New and Changed Features
This section describes the new features in Junos OS Release 16.1R1 through Junos OS
Release 16.1R4 for Junos Fusion Enterprise.
NOTE: For more information about the Junos Fusion Enterprise features, see
the Junos Fusion Enterprise Feature Guide.
•
Junos Fusion Enterprise
Junos Fusion Enterprise
•
Junos Fusion Enterprise support—Starting with Junos OS Release 16.1R1, Junos Fusion
Enterprise—a Junos Fusion that uses EX9200 switches in the aggregation device role—is
supported to bring the Junos Fusion technology to enterprise switching networks.
Junos Fusion Enterprise allows enterprise switching networks to combine numerous
switches into a single, port-dense device that simplifies network management because
it is managed from a single point—the EX9200 switch or switches acting in the
aggregation device role—and simplifies network topologies because the Junos Fusion
Enterprise is viewed as a single device by the larger network. Junos Fusion Enterprise
supports the 802.1BR standard.
[See Junos Fusion Enterprise Overview.]
•
Dual aggregation device support for Junos Fusion (Junos Fusion Enterprise)—Starting
in Junos OS Release 16.1R1, dual aggregation device topologies are supported in a Junos
Fusion. A Junos Fusion Enterprise dual aggregation topology provides traffic
load-balancing and redundancy to the Junos Fusion.
Junos Fusion Enterprise supports multiple aggregation devices using multichassis link
aggregation groups (MC-LAGs) and the Inter-Chassis Control Protocol (ICCP).
[See Junos Fusion Enterprise Components.]
•
Satellite device clustering support for Junos Fusion (Junos Fusion
Enterprise)—Starting in Junos OS Release 16.1R1, satellite device clustering in a Junos
Fusion is supported. Satellite device clustering allows you to connect up to 10 satellite
devices into a single cluster, and connect the satellite device cluster to the aggregation
device as a single group instead of as individual satellite devices.
Satellite device clustering is particularly useful in scenarios where optical cabling
options between buildings are limited and in scenarios where you want to preserve
optical interfaces for other purposes. If you have, for instance, two buildings that have
limited optical interfaces between each other and you want to put an aggregation
device in one building and two to ten satellite devices in the other building, you can
group the ten satellite devices into a cluster and connect the cluster to the aggregation
device with a single cable.
[See Understanding Satellite Device Clustering in a Junos Fusion.]
•
PoE for Junos Fusion (Junos Fusion Enterprise)—Starting in Junos OS Release 16.1R1,
PoE is supported on Junos Fusion Enterprise.
PoE enables electric power, along with data, to be passed over a copper Ethernet LAN
cable. Powered devices—such as VoIP telephones, wireless access points, video
cameras, and point-of-sale devices—that support PoE can receive power safely from
the same access ports that are used to connect personal computers to the network.
This reduces the amount of wiring in a network, and also eliminates the need to position
a powered device near an AC power outlet, making network design more flexible and
efficient.
In a Junos Fusion Enterprise, PoE is used to carry electric power from an extended port
on a satellite device to a connected device. An extended port is any network-facing
port on a satellite device in a Junos Fusion Enterprise. All extended ports that support
PoE on satellite devices in a Junos Fusion Enterprise support the IEEE 802.3at PoE+
standard.
Junos Fusion Enterprise is able to support PoE when the satellite device provides
PoE-capable interfaces.
[See Understanding Power over Ethernet in a Junos Fusion Enterprise.]
•
LLDP-MED with VoIP integration (Junos Fusion Enterprise)—Starting in Junos OS
Release 16.1R1, Link Layer Discovery Protocol–Media Endpoint Discovery (LLDP-MED)
with VoIP integration is available for Junos Fusion Enterprise.
LLDP-MED with VoIP integration is an extension of LLDP that is used to support device
discovery of VoIP telephones and to create location databases for these telephone
locations.
[See Understanding LLDP and LLDP-MED on a Junos Fusion Enterprise.]
Related
Documentation
•
Changes in Behavior and Syntax on page 65
•
Known Behavior on page 66
•
Known Issues on page 67
•
Resolved Issues on page 68
•
Documentation Updates on page 70
•
Migration, Upgrade, and Downgrade Instructions on page 70
•
Product Compatibility on page 77
Changes in Behavior and Syntax
This section lists the changes in behavior of Junos OS features and changes in the syntax
of Junos OS statements and commands in Junos OS Release 16.1R4 for Junos Fusion
Enterprise.
•
General Routing on page 65
General Routing
•
Enhancement to request support information command—Starting in Junos OS Release
16.1R1, the request support information command is enhanced to capture the following
additional details:
•
file list detail /var/rundb/—Displays the size of the configuration databases.
•
show system configuration database usage—Displays the actual usage of the
configuration databases.
NOTE: This information will be displayed only if the show system
configuration database usage command is supported in the release.
•
file list detail /config/—Contains the db_ext file and shows the size of it to indicate
whether extend_size is enabled or disabled.
•
New option introduced under show | display xml | display—Starting in Junos OS 16.1R1,
you can use the show | display xml | display | mark-changed statement to view the
"mark-changed" status of the nodes. This is useful for debugging purposes.
Related
Documentation
•
New and Changed Features on page 63
•
Known Behavior on page 66
•
Known Issues on page 67
•
Resolved Issues on page 68
•
Documentation Updates on page 70
•
Migration, Upgrade, and Downgrade Instructions on page 70
•
Product Compatibility on page 77
Known Behavior
This section lists known behavior, system maximums, and limitations in hardware and
software in Junos OS Release 16.1R4 for Junos Fusion Enterprise.
For the most complete and latest information about known Junos OS problems, use the
Juniper Networks online Junos Problem Report Search application.
•
Junos Fusion on page 66
Junos Fusion
•
On Junos Fusion Enterprise, PoE Simple Network Management Protocol (SNMP) traps
are not supported. PR1112613
•
In a Junos Fusion Enterprise topology with dual aggregation devices, firewall statistics
are not synced across the aggregation devices. PR1105612
•
On a Junos Fusion Enterprise that has been reconfigured from a dual aggregation device
topology to a single aggregation device topology, some satellite devices might not
return online and remain in the Present state in the show chassis satellite output
indefinitely after the reconfiguration. As a workaround, enter the restart
satellite-discovery-provisioning-process command to reboot the satellite discovery
provisioning process and return the satellite devices online. PR1182542
Related
Documentation
•
New and Changed Features on page 63
•
Changes in Behavior and Syntax on page 65
•
Known Issues on page 67
•
Resolved Issues on page 68
•
Documentation Updates on page 70
•
Migration, Upgrade, and Downgrade Instructions on page 70
•
Product Compatibility on page 77
Known Issues
This section lists the known issues in hardware and software in Junos OS Release 16.1R4
for Junos Fusion Enterprise.
For the most complete and latest information about known Junos OS defects, use the
Juniper Networks online Junos Problem Report Search application.
•
Authentication and Access Control on page 67
•
Interfaces and Chassis on page 67
•
Layer 2 Features on page 67
•
Platform and Infrastructure on page 67
Authentication and Access Control
•
On a Junos Fusion Enterprise, after you disable or deactivate LLDP, LLDP entries might
still be displayed under lldp neighbourship. PR1187968
Interfaces and Chassis
•
On a Junos Fusion Enterprise using a dual aggregation device topology, an interchassis
link (ICL) configured on an aggregated Ethernet interface cannot pass traffic between
aggregation devices. PR1090470
•
On Junos Fusion Enterprise, PoE telemetries do not work. PR1112953
•
On a Junos Fusion Enterprise, PoE configuration changes might not be reflected on
satellite devices that are not in the online state at the time of the configuration change.
PR1154486
•
On a Junos Fusion Enterprise, issues with ARP traffic might occur if the Junos Fusion
topology exceeds the documented limit of 6,000 extended port interfaces. PR1186077
Layer 2 Features
•
On a Junos Fusion Enterprise, Link Layer Discovery Protocol-Media Endpoint Discovery
(LLDP-MED) fast start does not work. PR1171899
Platform and Infrastructure
•
On a Junos Fusion Enterprise, PoE firmware upgrades for EX4300 switches acting as
satellite devices are not supported. PR1151622
•
On a Junos Fusion Enterprise that is using a 40-Gbps QSFP+ direct-attach copper
(DAC) cable to interconnect an EX4300 switch running Junos into a satellite device
cluster, the EX4300 switch running Junos may not convert into a satellite device and
is not recognized by the satellite devices in the satellite device cluster until link
autonegotiation is disabled using the set interfaces ether-options no-auto-negotiation
statement.
As a workaround, interconnect the satellite device using a standard 40-Gbps QSFP+
cable to convert the switch into a satellite device. If desired, interconnect the satellite
devices using the 40-Gbps QSFP+ direct-attach copper (DAC) cable after the EX4300
switch is converted into a satellite device. PR1198942
Related
Documentation
•
New and Changed Features on page 63
•
Changes in Behavior and Syntax on page 65
•
Known Behavior on page 66
•
Resolved Issues on page 68
•
Documentation Updates on page 70
•
Migration, Upgrade, and Downgrade Instructions on page 70
•
Product Compatibility on page 77
Resolved Issues
This section lists the issues fixed in the Junos OS main release and the maintenance
releases.
For the most complete and latest information about known Junos OS defects, use the
Juniper Networks online Junos Problem Report Search application.
•
Resolved Issues: 16.1R4 on page 68
•
Resolved Issues: 16.1R3 on page 69
Resolved Issues: 16.1R4
•
Authentication and Access Control
•
Network Management and Monitoring
•
Platform and Infrastructure
•
Power over Ethernet (PoE)
Authentication and Access Control
•
On a Junos Fusion Enterprise, LLDP might stop working if it is reenabled after being
manually disabled. PR1188254
Network Management and Monitoring
•
On a Junos Fusion Enterprise, the SNMP trap that should be sent for a satellite device
reboot event is not sent. PR1182895
Platform and Infrastructure
•
On a Junos Fusion Enterprise that has an EX9200-6QS line card installed in the
aggregation device, restarting the EX9200-6QS line card might lead to an FPC staying
in the ready state instead of returning online. PR1173958
Power over Ethernet (PoE)
•
In a Junos Fusion Enterprise that has enabled PoE for all extended ports, the show poe
interface command output displays the PoE administrative status as Enabled for
non-PoE-capable interfaces. PR1150955
Resolved Issues: 16.1R3
•
Interfaces and Chassis
•
Layer 2 Features
Interfaces and Chassis
•
On a Junos Fusion Enterprise that has rebooted a satellite device in a satellite device
cluster, traffic can be lost for several seconds after the satellite device returns to an
operational state. PR1168820
•
On a Junos Fusion Enterprise using a dual aggregation device topology, control traffic
generated by the aggregation device—with the exception of Address Resolution Protocol
(ARP) traffic—is sometimes not forwarded to the extended ports on the satellite
devices. This issue does not impact datapath traffic flows. PR1174373
Layer 2 Features
•
On a Junos Fusion Enterprise that has simultaneously deleted or deactivated LLDP
and LLDP-MED, LLDP packets continue to be forwarded. PR1136395
Related
Documentation
•
New and Changed Features on page 63
•
Changes in Behavior and Syntax on page 65
•
Known Behavior on page 66
•
Known Issues on page 67
•
Documentation Updates on page 70
•
Migration, Upgrade, and Downgrade Instructions on page 70
•
Product Compatibility on page 77
Documentation Updates
There are no errata or changes in Junos OS Release 16.1R4 for Junos Fusion Enterprise
documentation.
Related
Documentation
•
New and Changed Features on page 63
•
Changes in Behavior and Syntax on page 65
•
Known Behavior on page 66
•
Known Issues on page 67
•
Resolved Issues on page 68
•
Migration, Upgrade, and Downgrade Instructions on page 70
•
Product Compatibility on page 77
Migration, Upgrade, and Downgrade Instructions
This section contains the procedure to upgrade or downgrade Junos OS and satellite
software for a Junos Fusion Enterprise. Upgrading or downgrading Junos OS and satellite
software can take several hours, depending on the size and configuration of the Junos
Fusion Enterprise topology.
•
Basic Procedure for Upgrading Junos OS on an Aggregation Device on page 70
•
Upgrading an Aggregation Device with Redundant Routing Engines on page 72
•
Preparing the Switch for Satellite Device Conversion on page 73
•
Converting a Satellite Device to a Standalone Switch on page 74
•
Upgrade and Downgrade Support Policy for Junos OS Releases on page 76
•
Downgrading from Release 16.1 on page 77
Basic Procedure for Upgrading Junos OS on an Aggregation Device
When upgrading or downgrading Junos OS for an aggregation device, always use the
junos-install package. Use other packages (such as the jbundle package) only when so
instructed by a Juniper Networks support representative. For information about the
contents of the junos-install package and details of the installation process, see the
Installation and Upgrade Guide.
NOTE: Before upgrading, back up the file system and the currently active
Junos OS configuration so that you can recover to a known, stable
environment in case the upgrade is unsuccessful. Issue the following
command:
[email protected]> request system snapshot
The installation process rebuilds the file system and completely reinstalls
Junos OS. Configuration information from the previous software installation
is retained, but the contents of log files might be erased. Stored files on the
routing platform, such as configuration templates and shell scripts (the only
exceptions are the juniper.conf and ssh files), might be removed. To preserve
the stored files, copy them to another system before upgrading or
downgrading the routing platform. See the Junos OS Administration Library for
Routing Devices.
The download and installation process for Junos OS Release 16.1 is different from previous
Junos OS releases.
1. Using a Web browser, navigate to the Download Software URL on the Juniper Networks
webpage:
http://www.juniper.net/support/downloads/
2. Log in to the Juniper Networks authentication system using the username (generally
your e-mail address) and password supplied by Juniper Networks representatives.
3. Select By Technology > Junos Platform > Junos Fusion to find the software that you
want to download.
4. Select the release number (the number of the software version that you want to
download) from the Version drop-down list on the right of the page.
5. Select the Software tab.
6. Select the software package for the release.
7. Review and accept the End User License Agreement.
8. Download the software to a local host.
9. Copy the software to the routing platform or to your internal software distribution
site.
10. Install the new junos-install package on the aggregation device.
NOTE: We recommend that you upgrade all software packages out of
band using the console because in-band connections are lost during the
upgrade process.
Customers in the United States and Canada, use the following commands.
[email protected]> request system software add validate reboot
source/junos-install-ex92xx-x86-64-16.1R1.11.tgz
All other customers, use the following commands.
[email protected]> request system software add validate reboot
source/junos-install-ex92xx-x86-64-16.1R1.11.tgz
Replace source with one of the following values:
•
/pathname—For a software package that is installed from a local directory on the
router.
•
For software packages that are downloaded and installed from a remote location:
•
ftp://hostname/pathname
•
http://hostname/pathname
•
scp://hostname/pathname (available only for Canada and U.S. version)
The validate option validates the software package against the current configuration
as a prerequisite to adding the software package to ensure that the router reboots
successfully. This is the default behavior when the software package being added is
a different release.
Adding the reboot command reboots the router after the upgrade is validated and
installed. When the reboot is complete, the router displays the login prompt. The
loading process can take 5 to 10 minutes.
Rebooting occurs only if the upgrade is successful.
NOTE: After you install a Junos OS Release 16.1 junos-install package, you
cannot issue the request system software rollback command to return to the
previously installed software. Instead, you must issue the request system
software add validate command and specify the junos-install package that
corresponds to the previously installed software.
Upgrading an Aggregation Device with Redundant Routing Engines
If the aggregation device has two Routing Engines, perform a Junos OS installation on
each Routing Engine separately to minimize disrupting network operations as follows:
1. Disable graceful Routing Engine switchover (GRES) on the master Routing Engine
and save the configuration change to both Routing Engines.
2. Install the new Junos OS release on the backup Routing Engine while keeping the
currently running software version on the master Routing Engine.
3. After making sure that the new software version is running correctly on the backup
Routing Engine, switch over to the backup Routing Engine to activate the new software.
4. Install the new software on the original master Routing Engine that is now active as
the backup Routing Engine.
For the detailed procedure, see the Installation and Upgrade Guide.
Preparing the Switch for Satellite Device Conversion
There are multiple methods to upgrade or downgrade satellite software in your Junos
Fusion Enterprise. See Configuring or Expanding a Junos Fusion Enterprise.
For satellite device hardware and software requirements, see Understanding Junos Fusion
Enterprise Software and Hardware Requirements.
A satellite device must be running Junos OS Release 14.1X53-D35 or later before it can
be converted into a satellite device, in any context.
Use the following command to install Junos OS Release 14.1X53-D35 onto a switch before
converting it into a satellite device:
[email protected]> request system software add validate reboot
source/jinstall-ex-4300-14.1X53-D35.3-domestic-signed.tgz
When the interim installation has completed and the switch is running a version of Junos
OS that is compatible with satellite device conversion, perform the following steps:
1. Log in to the device using the console port.
2. Clear the device:
[edit]
[email protected]# request system zeroize
NOTE: The device reboots to complete the procedure for resetting the
device.
If you are not logged in to the device using the console port connection, your connection
to the device is lost after entering the request system zeroize command.
If you lose your connection to the device, log in using the console port.
3. (EX4300 switches only) After the reboot is complete, convert the built-in 40-Gbps
QSFP+ interfaces from Virtual Chassis ports (VCPs) into network ports:
[email protected]> request virtual-chassis vc-port delete pic-slot 1 port port-number
For example, to convert all four built-in 40-Gbps QSFP+ interfaces on an EX4300-24P
switch into network ports:
[email protected]> request virtual-chassis vc-port delete pic-slot 1 port 0
[email protected]> request virtual-chassis vc-port delete pic-slot 1 port 1
[email protected]> request virtual-chassis vc-port delete pic-slot 1 port 2
[email protected]> request virtual-chassis vc-port delete pic-slot 1 port 3
This step is required for the 40-Gbps QSFP+ interfaces that will be used as uplink
interfaces in a Junos Fusion topology. Built-in 40-Gbps QSFP+ interfaces on EX4300
switches are configured into VCPs by default, and the default settings are restored
after the device is reset.
After this initial preparation, you can use one of three methods to convert your switches
into satellite devices—autoconversion, manual conversion, or preconfiguration. See
Configuring or Expanding a Junos Fusion Enterprise for detailed configuration steps for
each option.
Converting a Satellite Device to a Standalone Switch
In the event that you need to convert a satellite device to a standalone device, you will
need to install a new Junos OS software package on the satellite device and remove it
from the Junos Fusion topology.
The following steps explain how to download software, remove the satellite device from
the Junos Fusion, and install the Junos OS software image on the satellite device so that
the device can operate as a standalone device.
1. Using a Web browser, navigate to the Junos OS software download URL on the Juniper
Networks webpage:
http://www.juniper.net/support/downloads
2. Log in to the Juniper Networks authentication system using the username (generally
your e-mail address) and password supplied by Juniper Networks representatives.
3. Select By Technology > Junos Platform > Junos Fusion from the pull-down menu and
select the switch platform series and model for your satellite device.
4. Select the Junos OS Release 14.1X53-D35 software image for your platform.
5. Review and accept the End User License Agreement.
6. Download the software to a local host.
Copy the software to the routing platform or to your internal software distribution
site.
7. Remove the satellite device from the automatic satellite conversion configuration.
If automatic satellite conversion is enabled for the satellite device’s member number,
remove the member number from the automatic satellite conversion configuration.
The satellite device’s member number is the same as the FPC slot ID. You can check
the automatic satellite conversion configuration by entering the show command at
the [edit chassis satellite-management auto-satellite-conversion] hierarchy level.
[edit]
[email protected]# delete chassis satellite-management auto-satellite-conversion satellite member-number
For example, to remove member number 101 from the Junos Fusion:
[edit]
[email protected]# delete chassis satellite-management auto-satellite-conversion satellite 101
8. Commit the configuration.
To commit the configuration to both Routing Engines:
[edit]
[email protected]# commit synchronize
Otherwise, commit the configuration to a single Routing Engine:
[edit]
[email protected]# commit
9. Install the Junos OS software on the satellite device to convert the device to a
standalone device.
[edit]
[email protected]> request chassis satellite install URL-to-software-package fpc-slot member-number
For example, to install a software package stored in the /var/tmp directory on the
aggregation device onto an EX4300 switch acting as the satellite device using FPC
slot 102:
[edit]
[email protected]> request chassis satellite install /var/tmp/jinstall-ex-4300-14.1X53-D35.3-domestic-signed.tgz fpc-slot 102
The satellite device stops participating in the Junos Fusion topology once the software
installation starts. The software upgrade starts after this command is entered.
10. Wait for the reboot that accompanies the software installation to complete.
11. When you are prompted to log back in to your device, uncable the device from the
Junos Fusion topology. See Removing a Transceiver from a QFX Series Device or
Removing a Transceiver, as needed. Your device has been removed from the Junos
Fusion.
NOTE: The device uses a factory default configuration after the Junos OS
installation is complete.
Upgrade and Downgrade Support Policy for Junos OS Releases
Support for upgrades and downgrades that span more than three Junos OS releases at
a time is not provided, except for releases that are designated as Extended End-of-Life
(EEOL) releases. EEOL releases provide direct upgrade and downgrade paths—you can
upgrade directly from one EEOL release to the next EEOL release even though EEOL
releases generally occur in increments beyond three releases.
You can upgrade or downgrade to the EEOL release that occurs directly before or after
the currently installed EEOL release, or to two EEOL releases before or after. For example,
Junos OS Releases 14.1, 14.2, 15.1 and 16.1 are EEOL releases. You can upgrade from Junos
OS Release 14.1 to Release 15.1 or from Junos OS Release 15.1 to Release 16.2. However,
you cannot upgrade directly from a non-EEOL release that is more than three releases
ahead or behind.
To upgrade or downgrade from a non-EEOL release to a release more than three releases
before or after, first upgrade to the next EEOL release and then upgrade or downgrade
from that EEOL release to your target release.
For more information about EEOL releases and to review a list of EEOL releases, see
http://www.juniper.net/support/eol/junos.html.
Downgrading from Release 16.1
Junos Fusion Enterprise is first supported in Junos OS Release 16.1, although you can
downgrade a standalone EX9200 switch to earlier Junos OS releases.
To downgrade from Release 16.1 to another supported release, follow the procedure for
upgrading, but replace the 16.1 junos-install package with one that corresponds to the
appropriate release.
NOTE: You cannot downgrade more than three releases. For example, if your
routing platform is running Junos OS Release 11.4, you can downgrade the
software to Release 10.4 directly, but not to Release 10.3 or earlier; as a
workaround, you can first downgrade to Release 10.4 and then downgrade
to Release 10.3.
For more information, see the Installation and Upgrade Guide.
Related Documentation
• New and Changed Features
• Changes in Behavior and Syntax
• Known Behavior
• Known Issues
• Resolved Issues
• Documentation Updates
• Product Compatibility
Product Compatibility
• Hardware and Software Compatibility
Hardware and Software Compatibility
For a complete list of all hardware and software requirements for a Junos Fusion
Enterprise, including which Juniper Networks devices can function as satellite devices,
see Understanding Junos Fusion Enterprise Software and Hardware Requirements in the
Junos Fusion Enterprise Feature Guide.
Related Documentation
• New and Changed Features
• Changes in Behavior and Syntax
• Known Behavior
• Known Issues
• Resolved Issues
• Documentation Updates
• Migration, Upgrade, and Downgrade Instructions
Junos OS Release Notes for Junos Fusion Provider Edge
These release notes accompany Junos OS Release 16.1R4 for the Junos Fusion Provider
Edge. They describe new and changed features, limitations, and known and resolved
problems in the hardware and software.
You can also find these release notes on the Juniper Networks Junos OS Documentation
webpage, located at http://www.juniper.net/techpubs/software/junos/
• New and Changed Features
• Changes in Behavior and Syntax
• Known Behavior
• Known Issues
• Resolved Issues
• Documentation Updates
• Migration, Upgrade, and Downgrade Instructions
• Product Compatibility
New and Changed Features
This section describes the new features in Junos OS Release 16.1R4 for Junos Fusion
Provider Edge.
• Hardware
• Junos Fusion
• Multicast
Hardware
• Additional MPC support—Starting with Junos OS Release 16.1R1, the following Modular
Port Concentrators (MPCs) are supported on the MX Series routers:
  • MPC7E
  • MPC8E
  • MPC9E
Junos Fusion
• Support for selective VLAN local switching—Starting in Junos OS Release 16.1R4,
Junos Fusion Provider Edge supports local switching on a service level. When you
configure selective VLAN local switching on satellite devices, the other VLANs will
continue to follow the default forwarding behavior. Use the selective-vlan-switching
option for the routing instance at the [edit forwarding-options satellite fpc slot] hierarchy
level to enable selective VLAN local switching for a particular satellite device.
• Support for an ingress policer—Starting in Junos OS Release 16.1R4, Junos Fusion
Provider Edge supports the use of an ingress policer to filter incoming traffic at the
extended port level. This feature supports a two-color policer that allows you to limit
the traffic that is received on an interface. You can configure the Layer 2 ingress policer
by using the input-policer statement at the [edit interfaces interface-name layer2-policer]
hierarchy level.
Multicast
• Egress Multicast Replication—Starting with Junos OS Release 16.1, you can enable
egress multicast replication to optimize multicast traffic in a Junos Fusion. In egress
multicast replication, multicast traffic is replicated on satellite devices, rather than on
the aggregation device. If you have a large number of multicast receivers or high
multicast bandwidth traffic, enabling egress multicast replication reduces the traffic
on cascade port interfaces and reduces the load on the aggregation device. This can
reduce the latency and jitter in packet delivery, decrease the number of problems
associated with oversubscription, and prevent a traffic storm caused by flooding of
unknown unicast packets to all interfaces.
This feature is disabled by default. To enable egress multicast replication, use the
local-replication statement at the [edit forwarding-options satellite] hierarchy level.
When you enable this feature, local replication is enabled on all satellite devices that
are connected to the aggregation device. You cannot enable local replication for just
a few selected satellite devices, specific bridge domains, or specific route prefixes.
Egress multicast replication does not take effect with the following features (Junos
Fusion replicates multicast traffic on the aggregation device and other multicast traffic
will continue to be replicated on satellite devices):
• Multicast support on pure layer 3 extended ports
• MLD snooping on an IPv6 network
Egress multicast replication is incompatible with the following features (the feature
will not work together with egress multicast replication and you must choose either
to enable egress multicast replication or to use the feature):
• VLAN tag manipulations, such as VLAN tag translations, VLAN tag stacking, and
VLAN per port policies. This can result in dropped packets caused by unexpected
VLAN tags.
• Multicast support for the extended ports on the edge side of Pseudowire connections
in VPLS networks.
• Multicast support for the extended ports on the edge side of EVPNs.
• Multicast VPN deployments.
• MPLS/BGP VPN deployments.
• Features that perform egress actions on individual extended ports, such as egress
local-port mirroring.
Use the following new operational commands to display information related to this
feature:
• show bridge flood next-hops satellite
• show bridge flood next-hops satellite nexthop-id nexthop-identifier
• show bridge flood satellite
• show bridge flood satellite bridge-domain-name domain-name
• show bridge satellite device
• show multicast ecid-mapping satellite
• show multicast next-hops satellite
• show multicast snooping next-hops satellite nexthop-id nexthop-identifier
• show multicast snooping route satellite
• show multicast snooping route satellite bridge-domain-name domain-name
• show multicast snooping route satellite group group-id
• show multicast statistics satellite
• show multicast summary satellite
Related Documentation
• Changes in Behavior and Syntax
• Known Behavior
• Known Issues
• Resolved Issues
• Documentation Updates
• Migration, Upgrade, and Downgrade Instructions
• Product Compatibility
Changes in Behavior and Syntax
There are no changes in the behavior of Junos OS features or in the syntax of Junos
OS statements and commands in Junos OS Release 16.1R4 for Junos Fusion Provider
Edge.
Related Documentation
• New and Changed Features
• Known Behavior
• Known Issues
• Resolved Issues
• Documentation Updates
• Migration, Upgrade, and Downgrade Instructions
• Product Compatibility
Known Behavior
There are no known behaviors, system maximums, or limitations in hardware and
software in Junos OS Release 16.1R4 for Junos Provider Edge.
For the most complete and latest information about known Junos OS defects, use the
Juniper Networks online Junos Problem Report Search application.
Related Documentation
• New and Changed Features
• Changes in Behavior and Syntax
• Known Issues
• Resolved Issues
• Documentation Updates
• Migration, Upgrade, and Downgrade Instructions
• Product Compatibility
Known Issues
This section lists the known issues in hardware and software in Junos OS Release 16.1R4
for Junos Fusion Provider Edge.
For the most complete and latest information about known Junos OS defects, use the
Juniper Networks online Junos Problem Report Search application.
• Junos Fusion
Junos Fusion
• On a Junos Fusion Provider Edge topology, if you configure an outgoing firewall or
policer to drop packets prior to transmission, the logical interfaces of satellite device
extended ports that appear in the output of the show interfaces extensive command
might include packets in the statistics counter that have been dropped but not
forwarded. PR1078304
• On a Junos Fusion Provider Edge topology running multicast, if you disable and reenable
a satellite device, the PIM upstream interface state might not be updated correctly.
PR1091449
Related Documentation
• New and Changed Features
• Changes in Behavior and Syntax
• Known Behavior
• Resolved Issues
• Documentation Updates
• Migration, Upgrade, and Downgrade Instructions
• Product Compatibility
Resolved Issues
There are no fixed issues in Junos OS Release 16.1R4 for Junos Fusion Provider Edge.
For the most complete and latest information about known Junos OS defects, use the
Juniper Networks online Junos Problem Report Search application.
• Resolved Issues: 16.1R3
• Resolved Issues: 16.1R2
Resolved Issues: 16.1R3
Junos Fusion
• On a Junos Fusion topology, some race conditions occur, such as a satellite route being
deleted followed quickly by the reuse of the same route. This may cause the SCPD
process to crash. PR1200120
Resolved Issues: 16.1R2
Junos Fusion
• On a Junos Fusion topology, MX Series routers send an extra VLAN tag for routing
engine (RE) packets on the extended ports with dual vlan-tag family inet option
configured. PR1184850
• On a Junos Fusion topology, the transit traffic that is received from the LAG of the
extended ports is still forwarded even when the minimum-link condition has not been
met. PR1188482
• On a Junos Fusion topology, when you issue the request chassis satellite shell command
and the output generates more than 24 kilobytes of data, the satellite discovery and
provisioning process (SDPD) might stop operating. PR1188712
• On a Junos Fusion topology, the SNMP monitoring tool does not receive any interface
statistics for the extension ports on the satellite device when there is traffic on the
extension ports and connectivity between the mib2d (Management Information Base
II Daemon) process and the spmd (Satellite Platform Management Daemon) process
is lost. PR1190655
• On a Junos Fusion topology, you cannot specify the fpc-slot option with the show
chassis environment satellite command. PR1199787
Junos Fusion
• On a Junos Fusion topology, when forwarding-options satellite local-replication is
enabled and multicast traffic is being forwarded by the satellite devices, some
configuration changes and hardware events may result in dropped multicast traffic.
PR1139592
Related Documentation
• New and Changed Features
• Changes in Behavior and Syntax
• Known Behavior
• Known Issues
• Documentation Updates
• Migration, Upgrade, and Downgrade Instructions
• Product Compatibility
Documentation Updates
There are no errata or changes in Junos OS Release 16.1R4 for Junos Fusion Provider Edge
documentation.
Related Documentation
• New and Changed Features
• Changes in Behavior and Syntax
• Known Behavior
• Known Issues
• Resolved Issues
• Migration, Upgrade, and Downgrade Instructions
• Product Compatibility
Migration, Upgrade, and Downgrade Instructions
This section contains the procedure to upgrade Junos OS, and the upgrade and downgrade
policies for Junos OS for Junos Fusion Provider Edge. Upgrading or downgrading Junos
OS can take several hours, depending on the size and configuration of the network.
• Basic Procedure for Upgrading an Aggregation Device
• Upgrading an Aggregation Device with Redundant Routing Engines
• Preparing the Switch for Satellite Device Conversion
• Converting a Satellite Device to a Standalone Switch
• Upgrading an Aggregation Device from Junos OS Release 14.2
• Upgrade and Downgrade Support Policy for Junos OS Releases
• Downgrading from Release 16.1
Basic Procedure for Upgrading an Aggregation Device
When upgrading or downgrading Junos OS, always use the jinstall package. Use other
packages (such as the jbundle package) only when so instructed by a Juniper Networks
support representative. For information about the contents of the jinstall package and
details of the installation process, see the Installation and Upgrade Guide.
NOTE: Before upgrading, back up the file system and the currently active
Junos OS configuration so that you can recover to a known, stable
environment in case the upgrade is unsuccessful. Issue the following
command:
[email protected]> request system snapshot
The installation process rebuilds the file system and completely reinstalls
Junos OS. Configuration information from the previous software installation
is retained, but the contents of log files might be erased. Stored files on the
routing platform, such as configuration templates and shell scripts (the only
exceptions are the juniper.conf and ssh files), might be removed. To preserve
the stored files, copy them to another system before upgrading or
downgrading the routing platform. See the Junos OS Administration Library for
Routing Devices.
The download and installation process for Junos OS Release 16.1R1 is different from
previous Junos OS releases.
1. Using a Web browser, navigate to the Download Software URL on the Juniper Networks
webpage:
http://www.juniper.net/support/downloads/
2. Log in to the Juniper Networks authentication system using the username (generally
your e-mail address) and password supplied by Juniper Networks representatives.
3. Select By Technology > Junos Platform > Junos Fusion to find the software that you
want to download.
4. Select the release number (the number of the software version that you want to
download) from the Version drop-down list to the right of the page.
5. Select the Software tab.
6. Select the software package for the release.
7. Review and accept the End User License Agreement.
8. Download the software to a local host.
9. Copy the software to the routing platform or to your internal software distribution
site.
10. Install the new jinstall package on the aggregation device.
NOTE: We recommend that you upgrade all software packages out of
band using the console because in-band connections are lost during the
upgrade process.
Customers in the United States and Canada, use the following commands.
• For 64-bit software:
NOTE: We highly recommend using 64-bit Junos OS software when
implementing Junos Fusion.
[email protected]> request system software add validate reboot source/jinstall64-16.1R4.9-domestic-signed.tgz
• For 32-bit software:
[email protected]> request system software add validate reboot source/jinstall-16.1R4.9-domestic-signed.tgz
All other customers, use the following commands.
• For 64-bit software:
NOTE: We highly recommend using 64-bit Junos OS software when
implementing Junos Fusion.
[email protected]> request system software add validate reboot source/jinstall64-16.1R4.9-export-signed.tgz
• For 32-bit software:
[email protected]> request system software add validate reboot source/jinstall-16.1R4.9-export-signed.tgz
Replace source with one of the following values:
• /pathname—For a software package that is installed from a local directory on the
router.
• For software packages that are downloaded and installed from a remote location:
  • ftp://hostname/pathname
  • http://hostname/pathname
  • scp://hostname/pathname (available only for Canada and U.S. version)
The validate option validates the software package against the current configuration
as a prerequisite to adding the software package to ensure that the router reboots
successfully. This is the default behavior when the software package being added is
a different release.
Adding the reboot command reboots the router after the upgrade is validated and
installed. When the reboot is complete, the router displays the login prompt. The
loading process can take 5 to 10 minutes.
Rebooting occurs only if the upgrade is successful.
NOTE: After you install a Junos OS Release 16.1R4 jinstall package, you cannot
issue the request system software rollback command to return to the previously
installed software. Instead you must issue the request system software add
validate command and specify the jinstall package that corresponds to the
previously installed software.
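A pre-install check for the source and package values used in step 10, as an added example that is not Juniper code. The filename grammar is inferred from the package names printed on this page, and plan_install, InstallPlan, and the host files.example.net are hypothetical names used only here.

```python
import re
from dataclasses import dataclass, field

# Filename grammar inferred from the package names printed on this page
# (an assumption for this example, not a Juniper specification).
PACKAGE_RE = re.compile(
    r"jinstall(?P<bits>64)?-"                    # jinstall or jinstall64
    r"(?:(?P<platform>[a-z]+-\d+)-)?"            # optional platform, e.g. ex-4300
    r"(?P<release>\d+\.\d+[A-Z]\d+(?:-D\d+)?(?:\.\d+)?)-"
    r"(?P<edition>domestic|export)"
    r"(?P<signed>-signed)?\.tgz"
)
# The only forms the page lists for "source".
REMOTE_RE = re.compile(r"(?P<scheme>ftp|http|scp)://[^/\s]+/\S*")
LOCAL_RE = re.compile(r"/\S*")


@dataclass
class InstallPlan:
    command: str
    release: str
    warnings: list = field(default_factory=list)


def classify_source(source):
    """Return 'ftp', 'http', 'scp' or 'local'; reject anything else."""
    remote = REMOTE_RE.fullmatch(source)
    if remote:
        return remote.group("scheme")
    if LOCAL_RE.fullmatch(source):
        return "local"
    raise ValueError(f"source {source!r} is not one of the forms the page lists")


def plan_install(source, package, us_or_canada):
    """Check a source/package pair against the page's rules and build the command."""
    pkg = PACKAGE_RE.fullmatch(package)
    if pkg is None:
        raise ValueError(f"unrecognized package name {package!r}")
    if not pkg.group("signed"):
        # Every package named on the page carries the -signed suffix.
        raise ValueError("package name lacks the -signed suffix")
    expected = "domestic" if us_or_canada else "export"
    if pkg.group("edition") != expected:
        raise ValueError(f"expected the {expected} package for this customer")
    scheme = classify_source(source)
    if scheme == "scp" and pkg.group("edition") != "domestic":
        raise ValueError("scp:// is available only for the Canada and U.S. version")

    warnings = []
    if scheme in ("ftp", "http"):
        warnings.append(
            f"{scheme}:// is a cleartext transfer; keep the validate option "
            "or stage the package in a local directory first"
        )
    if pkg.group("platform") is None and pkg.group("bits") is None:
        warnings.append("32-bit package; the page recommends 64-bit for Junos Fusion")

    command = (
        "request system software add validate reboot "
        f"{source.rstrip('/')}/{package}"
    )
    return InstallPlan(command, pkg.group("release"), warnings)


if __name__ == "__main__":
    # Constructed sample inputs; files.example.net is a placeholder host.
    samples = [
        ("/var/tmp", "jinstall64-16.1R4.9-domestic-signed.tgz", True),
        ("ftp://files.example.net/junos", "jinstall-16.1R4.9-export-signed.tgz", False),
        ("scp://files.example.net/junos", "jinstall64-16.1R4.9-export-signed.tgz", False),
    ]
    for source, package, us_or_canada in samples:
        try:
            plan = plan_install(source, package, us_or_canada)
            print(plan.command)
            for warning in plan.warnings:
                print("  warning:", warning)
        except ValueError as err:
            print("rejected:", err)
```
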
Upgrading an Aggregation Device with Redundant Routing Engines
If the aggregation device has two Routing Engines, perform a Junos OS installation on
each Routing Engine separately to minimize disrupting network operations as follows:
1. Disable graceful Routing Engine switchover (GRES) on the master Routing Engine
and save the configuration change to both Routing Engines.
2. Install the new Junos OS release on the backup Routing Engine while keeping the
currently running software version on the master Routing Engine.
3. After making sure that the new software version is running correctly on the backup
Routing Engine, switch over to the backup Routing Engine to activate the new software.
4. Install the new software on the original master Routing Engine that is now active as
the backup Routing Engine.
For the detailed procedure, see the Installation and Upgrade Guide.
Preparing the Switch for Satellite Device Conversion
There are multiple methods to upgrade or downgrade satellite software in your Junos
Fusion Provider Edge. See Configuring Junos Fusion Provider Edge.
For satellite device hardware and software requirements, see Understanding Junos Fusion
Software and Hardware Requirements.
A satellite device must be running Junos OS Release 14.1X53-D35 or later before it can
be converted into a satellite device, in any context.
Use the following command to install Junos OS Release 14.1X53-D35 onto a switch before
converting it into a satellite device:
[email protected]> request system software add validate reboot source/jinstall-ex-4300-14.1X53-D35.3-domestic-signed.tgz
When the interim installation has completed and the switch is running a version of Junos
OS that is compatible with satellite device conversion, perform the following steps:
1. Log in to the device using the console port.
2. Clear the device:
[edit]
[email protected]# request system zeroize
NOTE: The device reboots to complete the procedure for resetting the
device.
If you are not logged in to the device using the console port connection, your connection
to the device is lost after entering the request system zeroize command.
If you lose your connection to the device, log in using the console port.
3. (EX4300 switches only) After the reboot is complete, convert the built-in 40-Gbps
QSFP+ interfaces from Virtual Chassis ports (VCPs) into network ports:
[email protected]> request virtual-chassis vc-port delete pic-slot 1 port port-number
For example, to convert all four built-in 40-Gbps QSFP+ interfaces on an EX4300-24P
switch into network ports:
[email protected]> request virtual-chassis vc-port delete pic-slot 1 port 0
[email protected]> request virtual-chassis vc-port delete pic-slot 1 port 1
[email protected]> request virtual-chassis vc-port delete pic-slot 1 port 2
[email protected]> request virtual-chassis vc-port delete pic-slot 1 port 3
This step is required for the 40-Gbps QSFP+ interfaces that will be used as uplink
interfaces in a Junos Fusion topology. Built-in 40-Gbps QSFP+ interfaces on EX4300
switches are configured into VCPs by default, and the default settings are restored
after the device is reset.
After this initial preparation, you can use one of three methods to convert your switches
into satellite devices—autoconversion, manual conversion, and preconfiguration. See
Configuring Junos Fusion Provider Edge for detailed configuration steps for each option.
Converting a Satellite Device to a Standalone Switch
In the event that you need to convert a satellite device to a standalone device, you will
need to install a new Junos OS software package on the satellite device and remove it
from the Junos Fusion topology.
The following steps explain how to download software, remove the satellite device from
the Junos Fusion, and install the Junos OS software image on the satellite device so that
the device can operate as a standalone device.
1. Using a Web browser, navigate to the Junos OS software download URL on the Juniper
Networks webpage:
http://www.juniper.net/support/downloads
2. Log in to the Juniper Networks authentication system using the username (generally
your e-mail address) and password supplied by Juniper Networks representatives.
3. Select By Technology > Junos Platform > Junos Fusion from the pull-down menu and
select the switch platform series and model for your satellite device.
4. Select the Junos OS Release 14.1X53-D35 software image for your platform.
5. Review and accept the End User License Agreement.
6. Download the software to a local host.
Copy the software to the routing platform or to your internal software distribution
site.
7. Remove the satellite device from the automatic satellite conversion configuration.
If automatic satellite conversion is enabled for the satellite device’s member number,
remove the member number from the automatic satellite conversion configuration.
The satellite device’s member number is the same as the FPC slot ID. You can check
the automatic satellite conversion configuration by entering the show command at
the [edit chassis satellite-management auto-satellite-conversion] hierarchy level.
[edit]
[email protected]# delete chassis satellite-management auto-satellite-conversion satellite member-number
For example, to remove member number 101 from the Junos Fusion:
[edit]
[email protected]# delete chassis satellite-management auto-satellite-conversion satellite 101
8. Commit the configuration.
To commit the configuration to both Routing Engines:
[edit]
[email protected]# commit synchronize
Otherwise, commit the configuration to a single Routing Engine:
[edit]
[email protected]# commit
9. Install the Junos OS software on the satellite device to convert the device to a
standalone device.
[edit]
[email protected]> request chassis satellite install URL-to-software-package fpc-slot member-number
For example, to install a software package stored in the /var/tmp directory on the
aggregation device onto an EX4300 switch acting as the satellite device using FPC
slot 102:
[edit]
[email protected]> request chassis satellite install /var/tmp/jinstall-ex-4300-14.1X53-D35.3-domestic-signed.tgz fpc-slot 102
The satellite device stops participating in the Junos Fusion topology once the software
installation starts. The software upgrade starts after this command is entered.
10. Wait for the reboot that accompanies the software installation to complete.
11. When you are prompted to log back in to your device, uncable the device from the
Junos Fusion topology. See Removing a Transceiver from a QFX Series Device or
Removing a Transceiver, as needed. Your device has been removed from the Junos
Fusion.
NOTE: The device uses a factory default configuration after the Junos OS
installation is complete.
Upgrading an Aggregation Device from Junos OS Release 14.2
When you upgrade an aggregation device from Junos OS Release 14.2 to Junos OS Release
16.1R4, you must also upgrade your satellite device to Satellite Device Software Version
2.0R1.
Upgrade and Downgrade Support Policy for Junos OS Releases
Support for upgrades and downgrades that span more than three Junos OS releases at
a time is not provided, except for releases that are designated as Extended End-of-Life
(EEOL) releases. EEOL releases provide direct upgrade and downgrade paths—you can
upgrade directly from one EEOL release to the next EEOL release even though EEOL
releases generally occur in increments beyond three releases.
You can upgrade or downgrade to the EEOL release that occurs directly before or after
the currently installed EEOL release, or to two EEOL releases before or after. For example,
Junos OS Releases 14.1, 14.2, 15.1 and 16.1 are EEOL releases. You can upgrade from Junos
OS Release 14.1 to Release 15.1 or from Junos OS Release 15.1 to Release 16.2. However,
you cannot upgrade directly from a non-EEOL release that is more than three releases
ahead or behind.
To upgrade or downgrade from a non-EEOL release to a release more than three releases
before or after, first upgrade to the next EEOL release and then upgrade or downgrade
from that EEOL release to your target release.
For more information about EEOL releases and to review a list of EEOL releases, see
http://www.juniper.net/support/eol/junos.html.
Downgrading from Release 16.1
To downgrade from Release 16.1 to another supported release, follow the procedure for
upgrading, but replace the 16.1 jinstall package with one that corresponds to the
appropriate release.
NOTE: You cannot downgrade more than three releases. For example, if your
routing platform is running Junos OS Release 11.4, you can downgrade the
software to Release 10.4 directly, but not to Release 10.3 or earlier; as a
workaround, you can first downgrade to Release 10.4 and then downgrade
to Release 10.3.
For more information, see the Installation and Upgrade Guide.
Related Documentation
• New and Changed Features
• Changes in Behavior and Syntax
• Known Behavior
• Known Issues
• Resolved Issues
• Documentation Updates
• Product Compatibility
Product Compatibility
• Hardware Compatibility
Hardware Compatibility
To obtain information about the components that are supported on the devices, and
special compatibility guidelines with the release, see the Hardware Guides for the devices
used in your Junos Fusion Provider Edge topology.
To determine the features supported on Junos Fusion devices, use the Juniper Networks
Feature Explorer, a Web-based application that helps you to explore and compare Junos
OS feature information to find the right software release and hardware platform for your
network. Find Feature Explorer at: http://pathfinder.juniper.net/feature-explorer/.
Related Documentation
• New and Changed Features
• Changes in Behavior and Syntax
• Known Behavior
• Known Issues
• Resolved Issues
• Documentation Updates
• Migration, Upgrade, and Downgrade Instructions
Junos OS Release Notes for MX Series 3D Universal Edge Routers and T Series Core Routers
These release notes accompany Junos OS Release 16.1R4 for the MX Series and T Series.
They describe new and changed features, limitations, and known and resolved problems
in the hardware and software.
You can also find these release notes on the Juniper Networks Junos OS Documentation
webpage, located at http://www.juniper.net/techpubs/software/junos/.
•
New and Changed Features on page 93
•
Changes in Behavior and Syntax on page 187
•
Known Behavior on page 209
•
Known Issues on page 213
•
Resolved Issues on page 225
•
Documentation Updates on page 276
•
Migration, Upgrade, and Downgrade Instructions on page 280
•
Product Compatibility on page 290
New and Changed Features
This section describes the new features and enhancements to existing features in Junos
OS Release 16.1R4 for the MX Series and T Series.
•
Release 16.1R4 New and Changed Features on page 94
•
Release 16.1R3 New and Changed Features on page 117
•
Release 16.1R2 New and Changed Features on page 124
•
Release 16.1R1 New and Changed Features on page 136
Release 16.1R4 New and Changed Features
Class of Service
•
Propagating CoS shaping rate adjustments that are based on multicast traffic (MX
Series)—Starting in Junos OS Release 16.1R4, you can set up CoS shaping rate
adjustments that are based on multicast traffic to be propagated to the parent in the
scheduler hierarchy. For service providers that are using interface sets to deliver services
such as voice and data and multicast VLANs (M-VLANs) to deliver broadcast television,
you can set up CoS so that when a subscriber begins receiving multicast traffic, the
shaping rate of the subscriber interface is adjusted to account for the multicast traffic.
You can now set up the CoS multicast adjustment to be propagated from the subscriber
interface to the interface set, which is the parent in the scheduler hierarchy. This feature
prevents oversubscription of the subscriber, which can result in dropped traffic and
service disruption.
EVPN
•
VPWS service with EVPN mechanisms (MX Series)—Starting in Junos OS Release
16.1R4, Junos OS enables Ethernet VPN-virtual private wire service (EVPN-VPWS) to
present a framework for delivering point-to-point EVC (E-Line) VPWS service with
EVPN-signaling mechanisms. VPWS service with EVPN-signaling mechanisms enables
single-active and all-active multihoming capabilities and support for inter-autonomous
system (AS) options associated with BGP-signaled virtual private network service
(VPNS).
The Metro Ethernet Forum (MEF) describes two models for E-Line service, Ethernet
private line (EPL) and Ethernet virtual private line (EVPL). EPL provides a point-to-point
Ethernet virtual connection (EVC) between a pair of dedicated user-to-network
interfaces (UNIs), with transparency. EVPL differs from EPL in that it enables service
multiplexing; that is, multiple EVCs per UNI.
Associating MEF definitions with EVPN terms, the services are defined as:
•
EVPL—Service between Ethernet segment identifier (ESI) and VLAN pairs {ESI,VLAN}.
•
EPL—Service between two ESIs. For this service, the circuit maps to a whole port;
that is, all VLANs coming into a port are trunked together to the other endpoint of
the service.
The EVPN-VPWS feature enables using an autodiscovery route per ESI and an
autodiscovery route per Ethernet private instance (EVI) for E-Line service. There is no
bridging for EVPN-VPWS service. Type 2 and Type 3 routes are not required. Type 4
routes are used for designated forwarder election, as they are for EVPN
multipoint-to-multipoint EVC (E-LAN) services. However, designated forwarder election
is useful only for single-active service. For all-active service, designated forwarder
election is not required, because there is no broadcast, unknown unicast, and multicast
(BUM) traffic in VPWS.
•
EVPN MAC Pinning (MX Series)—Starting in Junos OS Release 16.1R4, Junos OS
enables MAC pinning for Ethernet VPN (EVPN), including customer edge (CE) interfaces
and EVPN over MPLS core in either all-active mode or active-standby mode.
A MAC address pinned over a CE interface in EVPN is synchronized to remote EVPN PEs
by adding the Sticky bit (in accord with RFC 7432, Section 7.7, MAC Mobility Extended
Community). On a remote EVPN PE, a MAC address received with the Sticky bit enabled
is pinned over the MPLS core. Therefore, MAC address advertisement and learning that
is conducted through the control plane is enabled according to the design of the MAC
Mobility Extended Community.
•
EVPN E-Tree (MX Series)—Starting in Junos OS Release 16.1R4, Junos OS enables
you to configure an Ethernet VPN E-Tree service.
The EVPN E-Tree feature implements E-Tree service as defined by the Metro Ethernet
Forum (MEF) in draft-sajassi-l2vpn-evpn-etree-03. The E-Tree service is a
rooted-multipoint service that is supported only with EVPN over MPLS in the core.
In an EVPN E-Tree service, each circuit attached to the service is either a root or a leaf.
The service adheres to the following forwarding rules:
•
A leaf can send or receive traffic only from a root.
•
A root can send traffic to another root or any of the leaves.
•
A leaf or root can be connected to provider edge (PE) devices in single homing mode
or multihoming mode.
•
Ethernet VPN Multihoming with Ethernet Segment Identifier Per Interface (MX
Series)—Starting in Junos OS Release 16.1R4, Junos OS enables the Ethernet VPN
(EVPN) multihoming feature, with which you can connect a customer site to two or
more provider edge (PE) devices to provide redundant connectivity. A customer edge
(CE) device can be multihomed to different PE devices or the same PE device. A
redundant PE device can provide network service to the customer site as soon as a
failure is detected. EVPN multihoming helps to maintain EVPN service and traffic
forwarding to and from the multihomed site if one of the following types of network
failure occurs:
•
PE device to CE device link failure
•
PE device failure
•
MPLS-reachability failure between the local PE device and a remote PE device
•
NSR for EVPN (MX Series)—Starting in Junos OS Release 16.1R4, Junos OS ensures
minimal loss of traffic when a Routing Engine switchover occurs with nonstop active
routing (NSR) and graceful Routing Engine switchover (GRES) enabled. The forwarding
state of the Packet Forwarding Engine remains intact during switchover. The signaling
states on the primary Routing Engine and on the standby Routing Engine are built in
parallel.
NOTE: Expect a traffic loss pertaining to a topology change if the topology
change occurs during a switchover.
EVPN reproduces dynamically generated data (such as labels and sequence numbers),
and data obtained from peers on the primary Routing Engine, on the standby Routing
Engine. EVPN also monitors BGP ingress and egress routing table messages on the
standby Routing Engine to populate its signaling plane data structures. Local MAC
addresses are obtained by the Layer 2 address learning process, which transfers the
data to the EVPN module in the route processing software. In the network layer
reachability information (NLRI) fields of its packets, BGP transfers the MAC addresses
to peers in the network.
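The Sticky bit named in the EVPN MAC Pinning item above is the low-order bit of the Flags octet in the MAC Mobility Extended Community of RFC 7432, Section 7.7. The following added example (not Juniper code) decodes that community and models, in simplified single-homed form, how a PE refuses to move a pinned MAC address; the MacTable class, its return strings, and the sample addresses are assumptions made for illustration.

```python
import struct
from dataclasses import dataclass

EVPN_TYPE = 0x06             # extended community type: EVPN
MAC_MOBILITY_SUBTYPE = 0x00  # sub-type: MAC Mobility
STICKY_FLAG = 0x01           # low-order bit of the Flags octet


@dataclass(frozen=True)
class MacMobility:
    sticky: bool
    sequence: int


def parse_mac_mobility(raw: bytes) -> MacMobility:
    """Decode one 8-octet extended community: type, sub-type, flags,
    reserved octet, 32-bit sequence number (network byte order)."""
    if len(raw) != 8:
        raise ValueError("extended community must be exactly 8 octets")
    ec_type, subtype, flags, _reserved, sequence = struct.unpack("!BBBBI", raw)
    if (ec_type, subtype) != (EVPN_TYPE, MAC_MOBILITY_SUBTYPE):
        raise ValueError("not a MAC Mobility extended community")
    return MacMobility(bool(flags & STICKY_FLAG), sequence)


@dataclass
class Entry:
    location: str   # local interface name or remote PE address
    sequence: int
    pinned: bool


class MacTable:
    """Hypothetical, simplified model of one PE's EVPN MAC table.
    Multihoming (several PEs on one Ethernet segment) is not modelled."""

    def __init__(self):
        self.entries = {}
        self.alerts = []   # operator-visible messages about refused moves

    def _refuse(self, mac, new_location):
        pinned_at = self.entries[mac].location
        self.alerts.append(f"{mac} pinned at {pinned_at}; move to {new_location} refused")
        return "rejected"

    def learn_remote(self, mac, pe, community=None):
        """Process a MAC advertisement received from remote PE `pe`."""
        mob = parse_mac_mobility(community) if community else MacMobility(False, 0)
        cur = self.entries.get(mac)
        if cur and cur.pinned and cur.location != pe:
            return self._refuse(mac, pe)
        if cur and not mob.sticky and cur.location != pe and mob.sequence <= cur.sequence:
            return "ignored"   # stale: an ordinary move needs a higher sequence number
        self.entries[mac] = Entry(pe, mob.sequence, mob.sticky)
        return "installed"

    def learn_local(self, mac, interface):
        """Process data-plane learning of `mac` on a local CE interface."""
        cur = self.entries.get(mac)
        if cur and cur.pinned and cur.location != interface:
            return self._refuse(mac, interface)
        if cur and cur.location == interface:
            return "installed"   # refresh of an existing local entry
        sequence = cur.sequence + 1 if cur else 0
        self.entries[mac] = Entry(interface, sequence, False)
        return "installed"


def demo():
    # Constructed sample communities and addresses, not captured traffic.
    sticky = bytes.fromhex("0600010000000000")      # Sticky bit set, sequence 0
    moved_seq3 = bytes.fromhex("0600000000000003")  # not sticky, sequence 3
    table = MacTable()
    mac = "00:00:5e:00:53:01"
    results = [
        table.learn_remote(mac, "192.0.2.1", sticky),      # pinned over the core
        table.learn_local(mac, "ge-0/0/1.100"),            # same MAC appears locally
        table.learn_remote(mac, "192.0.2.2", moved_seq3),  # another PE claims a move
    ]
    return results, table.alerts


if __name__ == "__main__":
    outcome, alerts = demo()
    print(outcome)
    for line in alerts:
        print(line)
```
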
General Routing
•
Enhancement to memory utilization (MX Series)—Junos OS Release 16.1R4 supports
an enhanced method for calculating the memory utilization by a Routing Engine. The
inactive memory is now considered free and is no longer included in the calculation of
memory utilization. That is, the value for used memory shown in the output of the show
chassis routing-engine command decreases, which leaves more memory available
for other processes.
High Availability and Resiliency
•
Support for unified ISSU on MX Series routers and MX Series Virtual Chassis with
MPC3E-3D-NG, MPC3E-3D-NG-Q, MPC2E-3D-NG, MPC2E-3D-NG-Q, and MPC5E
(MX240, MX480, MX960, MX2010, and MX2020)—Starting with Release 16.1R4,
Junos OS supports unified in-service software upgrade (ISSU) on MX Series routers
and MX Series Virtual Chassis with MPC3E-3D-NG, MPC3E-3D-NG-Q, MPC2E-3D-NG,
MPC2E-3D-NG-Q, and MPC5E.
Unified ISSU is supported on MPC5E with the following MICs in non-optical transport
network (non-OTN) mode:
•
3X40GE QSFPP
•
12X10GE-SFPP OTN
•
1X100GE-CFP2
•
2X10GE SFPP OTN
NOTE: Unified ISSU is not supported on MPC3E-3D-NG, MPC3E-3D-NG-Q,
MPC2E-3D-NG, and MPC2E-3D-NG-Q with the following MICs:
•
MS-MIC-16G
•
MIC-3D-8DS3-E3
•
MIC-3D-1OC192-XFP
Unified ISSU enables you to upgrade between two different Junos OS releases with
no disruption on the control plane and with minimal disruption of traffic.
Interfaces and Chassis
•
Enhancement to policer configuration—Starting in Junos OS Release 16.1R4, you can
configure the MPC to take a value in the range 0 through 5 for the policer tick byte by
using the policer-limit statement at the [edit chassis] hierarchy level. If this statement
is not configured, the policer tick byte can take values up to 7, which is the default behavior.
You can use the set chassis policer-limit command to enable this feature.
You must restart the MPC or the router for the changes to take effect.
IPv6
•
Preserving and restoring IPv6 prefixes assigned using DHCPv6 PD (MX
Series)—Starting in Junos OS Release 16.1R4, when IPv6 addresses are assigned using
DHCPv6 prefix delegation (PD), you can configure the router to preserve and restore
a subscriber's delegated prefix through multiple logins. This feature prevents an IA-PD
change, which triggers renegotiation for all hosts attached to the residential gateway.
This feature requires the use of agent circuit identifiers (ACIs) to identify subscribers.
Layer 2 VPN
•
Support for FEC 128 and FEC 129 in the same routing instance—Starting in Junos OS
Release 16.1R4, Junos OS supports forwarding equivalence class (FEC) 128 or FEC
129-based mesh groups in a FEC 129 VPN instance. You can configure a FEC 129 VPLS
instance to support both BGP autodiscovery as defined in FEC 129 as well as statically
configured LDP neighbors as defined by FEC 128. This feature allows a router to use a
common MAC table to forward traffic between a FEC 128 LDP VPLS domain and a
FEC 129 domain.
Management
•
Support for gRPC streaming for Junos Telemetry Interface firewall filter statistics
(MX Series)—Starting with Junos OS Release 16.1R4, you can use gRPC interfaces to
provision sensors to subscribe to and receive firewall filter telemetry data. If your Juniper
Networks device is running a version of Junos OS with the upgraded FreeBSD kernel,
you must download the Junos Network Agent package, which provides the interfaces
to manage gRPC subscriptions. The package is available on the All Junos Platforms
software download URL on the Juniper Networks webpage. Hierarchical policer statistics
are included in telemetry data for firewall filters. Use the
/junos/system/linecard/firewall/ path to provision a sensor for firewall filter statistics.
[See Guidelines for gRPC Sensors.]
•
Support for gRPC streaming for Junos Telemetry Interface LSP statistics (MX
Series)—Starting with Junos OS Release 16.1R4, you can use gRPC interfaces to
provision sensors to subscribe to and receive telemetry data for label-switched paths
(LSPs). If your Juniper Networks device is running a version of Junos OS with the
upgraded FreeBSD kernel, you must download the Junos Network Agent package,
which provides the interfaces to manage gRPC subscriptions. The package is available
on the All Junos Platforms software download URL on the Juniper Networks webpage.
Data is collected only for ingress LSPs, bypass LSPs, and bidirectional LSPs for
ultimate-hop popping (UHP). The router should operate in enhanced mode. You must
also configure the sensor-based-stats statement at the [edit protocols mpls] hierarchy
level. Use the /junos/services/label-switched-path/usage/ path to provision a sensor
for LSP statistics.
[See Guidelines for gRPC Sensors.]
•
Support for gRPC streaming for Junos Telemetry Interface physical interface queue
statistics (MX Series)—Starting with Junos OS Release 16.1R4, physical interface
sensors provisioned through gRPC interfaces also collect egress and ingress queue
statistics. If your Juniper Networks device is running a version of Junos OS with the
upgraded FreeBSD kernel, you must download the Junos Network Agent package,
which provides the interfaces to manage gRPC subscriptions. The package is available
on the All Junos Platforms software download URL on the Juniper Networks webpage.
On MX Series routers, queue statistics are exported by each slot on which an interface
is configured. Use the /junos/system/linecard/interface/ path to provision sensors for
physical interface statistics.
[See Guidelines for gRPC Sensors.]
Network Management and Monitoring
•
Support for kernel features on MPC7E, MPC8E, and MPC9E line cards (MX Series)—In
Junos OS Release 16.1R4, MPC7E, MPC8E, and MPC9E support the following features:
•
Addressing the IPv6 NDP DoS issue—You can address the IPv6 Neighbor Discovery
Protocol (NDP) denial-of-service (DoS) issue at the Routing Engine by using NDP
inspection or protection to prioritize NDP activities on the Routing Engine.
•
Maximum period for autogeneration of keepalives by the kernel using precision timer
feature—Precision timers in the kernel automatically generate keepalives on behalf
of BGP for a specified maximum period of time after a switchover event from standby
to master.
•
IPv6 support for traceroute with AS number lookup—IPv6 is supported for traceroute
with the as-number-lookup option. Traceroute is an application used to display a list
of routers between the device and a specified destination host.
•
Targeted aggregated Ethernet distribution—You can direct traffic through specified
links of a logical interface of an aggregate Ethernet bundle that is configured without
link protection. By configuring targeted aggregated Ethernet distribution, you can
create distribution lists consisting of specific child member links.
•
Reduction in the number of IPCs between master agent and subagent- The SNMP
GetBulk requests are converted to AgentX GetNext for the repetitions specified in
the request. This might result in several inter-process communication (IPCs) between
the master agent snmpd and subagent AgentX in proportion to the number of
max-repetitions specified in the GetBulk request. The number of IPCs between the
master agent and subagent can be reduced by translating GetBulk requests with a
high max-repetitions count to a single request between the master agent snmpd and
the subagent AgentX.
•
Layer 3 liveness detection mechanism for child links of an Ethernet LAG interface.
•
Match-string functionality for efficient syslog message filtering.
•
New indicators for the jnxLEDState MIB (MX960, MX2020, and MX2010)—In Junos
OS Release 16.1R4, MPC7E, MPC8E, and MPC9E include the following indicators for
the jnxLEDState MIB object in the jnxLEDEntry MIB table:
•
Off—Offline, not running.
•
BlinkingGreen—Entering state of OK, good, normally working.
•
Support for mplsL3VpnIfConfTable object (MX Series and T Series)—Starting in
Junos OS Release 16.1R4, support is provided for the mplsL3VpnIfConfTable object
described in RFC 4382, MPLS/BGP Layer 3 Virtual Private Network (VPN) MIB. The
mplsL3VpnIfConfTable object represents the Layer 3 VPN enabled interfaces that are
associated with a specific Virtual Routing and Forwarding (VRF) instance and shows
the bitmask values of the supported protocols. The mplsL3VpnIfConfTable object
creates entries for the interfaces that are associated with the VRF instances. If an
interface is later removed from a VRF instance, the corresponding entry in the
mplsL3VpnIfConfTable object gets deleted. To view details of the
mplsL3VpnIfConfTable object, use the show snmp mib walk mplsL3VpnIfConfTable
command.
[See SNMP MIB Explorer.]
•
Support for features on MPC7E, MPC8E, and MPC9E line cards (MX Series)—In Junos
OS Release 16.1R4, MPC7E, MPC8E, and MPC9E support the following features:
•
LDP in an IPv6 network only, and in an IPv6 or IPv4 dual-stack network.
•
The IS-IS protocol can restrict flooding of LSAs to control sharing of routes between
multiple level-2 metro ring networks.
•
For routers operating in Enhanced IP Network Services mode, you can configure a
threshold that triggers fast failover in next-generation MVPNs with hot-root standby
on the basis of aggregate flow rate.
•
Control word feature for LDP VPLS and FEC 129 VPLS.
•
You can specify route prefix priority of high or low through the existing import policy
in protocols. Through priority, you can control the order in which the routes get
updated from LDP/OSPF to RPD, and RPD to kernel.
•
RSVP with traffic engineering (RSVP-TE) protocol extensions for fast reroute (FRR)
facility protection to allow greater scalability of LSPs and faster convergence times.
•
The Junos OS implementation of MPLS RSVP-TE is scaled to enhance the usability,
visibility, configuration, and troubleshooting of label-switched paths (LSPs).
•
Tables and objects defined in RFC 5132, IP Multicast MIB, except the
ipMcastZoneTable table.
•
Agent Capabilities MIB provides information about the implementation characteristics
of an Agent subsystem in a network management system.
•
You can prioritize BGP route updates by using output queues.
•
Flow-aware transport (FAT) label for BGP-signaled pseudowires such as Layer 2
VPN and VPLS.
•
The NLRI format available for BGP VPN multicast is changing from the existing
format of SAFI 128 to SAFI 129 as defined in RFC 6514.
•
You can use the import-labeled-routes statement at the [edit routing-instances
routing-instance-name protocols vpls] hierarchy level to specify one or more nondefault
routing instances where you want MPLS pseudowire labeled routes to be leaked
from the mpls.0 path routing table in the master routing instance.
•
You can configure BGP-ORR with IS-IS as the interior gateway protocol (IGP) on a
route reflector to advertise the best path to the BGP-ORR client groups by using the
shortest IGP metric from a client's perspective, instead of the route reflector's view.
OAM
•
Support for Ethernet OAM features on MPC7E, MPC8E, and MPC9E (MX
Series)—Starting in Release 16.1R4, Junos OS supports the following Ethernet OAM
features on MPC7E, MPC8E, and MPC9E:
•
IEEE 802.3ah standard for OAM
•
IEEE 802.1ag standard for OAM
•
Technical Specification MEF-36-compliant performance monitoring
•
Configuration of multiple maintenance endpoints (MEPs) for a single combination
of maintenance association and maintenance domain IDs for interfaces belonging
to a particular VPLS service or bridge domain
Platform and Infrastructure
•
Virtual broadband network gateway support on virtual MX Series router
(vMX)—Starting in Junos OS Release 16.1R4, vMX supports most of the subscriber
management features available with Junos OS Release 16.1R4 on MX Series routers
to provide a virtual broadband network gateway on x86 servers.
Because vBNG runs on vMX, it has similar exceptions. The following subscriber
management features available on MX Series routers are not supported for vBNG:
•
High availability features such as hot-standby backup for enhanced subscriber
management and MX Series Virtual Chassis
•
CoS features such as shaping applied to an agent circuit identifier (ACI) interface
set and its members
To deploy a vBNG instance, you must purchase these licenses:
•
vMX PREMIUM application package license with 1 Gbps, 5 Gbps, 10 Gbps, or 40 Gbps
bandwidth
•
vBNG subscriber scale license with 1000, 10 thousand, 100 thousand, or 1 million
subscriber sessions for one of these tiers: Introductory, Preferred, or Elite
Routing Policy and Firewall Filter
•
Support for Packet Forwarding Engine features on MPC7E, MPC8E, and MPC9E line
cards (MX Series)—In Junos OS Release 16.1R4, MPC7E, MPC8E, and MPC9E support
the following features:
•
Protection against label spoofing or errant label injection across ASBRs—You can
use regular BGP implicit and explicit export policies to restrict VPN ASBR peer route
advertisement to a given routing instance.
•
Policer overhead adjustment at the interface level—The policer overhead
adjustment for ingress and egress policers is defined on a per IFL/direction granularity
in order to address MEF CE 2.0 requirements to the bandwidth profile.
•
Configuration support to improve MC-LAG Layer 2 and Layer 3 convergence—You
can configure multichassis link aggregation (MC-LAG) interfaces to improve Layer
2 and Layer 3 convergence time to subsecond values when a multichassis aggregated
Ethernet link goes down or comes up in a bridge domain.
•
Support for packet-marking schemes on a per-customer basis—A packet-marking
scheme, called policy map, enables you to define rewrite rules on a per-customer
basis.
•
MPLS encapsulated payload load-balancing—Configure the zero-control-word
option to indicate the start of an Ethernet frame in an MPLS Ethernet pseudowire
payload.
•
Latency fairness optimized multicast—You can reduce latency in the multicast
packet delivery by optimizing multicast packets sent to the Packet Forwarding
Engines.
Routing Protocols
•
Support for unique AS path count (MX Series)—Starting with Junos OS Release
16.1R4, you can configure a routing policy to determine the number of unique
autonomous systems (ASs) present in the AS path. The unique AS path count helps
determine whether a given AS is present in the AS path multiple times, typically as
prepended ASs. In earlier Junos releases it was not possible to implement this counting
behavior using the as-path regular expression policy. This feature permits the user to
configure a policy based on the number of AS hops between the route originator and
receiver. This feature ignores ASs in the as-path that are confederation ASs, such as
confed_seq and confed_set.
To configure AS path count, include the as-path-unique-count count (equal | orhigher |
orlower) configuration statement at the [edit policy-options policy-statement
policy_name from] hierarchy level.
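To show why a unique AS count differs from the ordinary AS path length when a path carries prepends and confederation segments, the following added example (not Juniper code) parses an AS_PATH attribute value and computes both. It assumes 4-octet AS numbers, counts each AS_SET member as its own AS, and reads equal, orhigher, and orlower as ==, >=, and <=; the function names and the sample path are constructed for illustration.

```python
import struct

# AS_PATH segment types (RFC 4271 and RFC 5065)
AS_SET, AS_SEQUENCE, AS_CONFED_SEQUENCE, AS_CONFED_SET = 1, 2, 3, 4
CONFED_SEGMENTS = {AS_CONFED_SEQUENCE, AS_CONFED_SET}


def encode_segment(seg_type, asns):
    """Build one path segment: type, AS count, then 4-octet AS numbers."""
    return struct.pack(f"!BB{len(asns)}I", seg_type, len(asns), *asns)


def parse_as_path(value: bytes):
    """Return [(segment_type, [asn, ...]), ...]; raise ValueError if malformed."""
    segments, offset = [], 0
    while offset < len(value):
        if offset + 2 > len(value):
            raise ValueError("truncated segment header")
        seg_type, count = value[offset], value[offset + 1]
        if seg_type not in (AS_SET, AS_SEQUENCE, AS_CONFED_SEQUENCE, AS_CONFED_SET):
            raise ValueError(f"unknown segment type {seg_type}")
        offset += 2
        end = offset + 4 * count
        if end > len(value):
            raise ValueError("truncated segment body")
        segments.append((seg_type, list(struct.unpack(f"!{count}I", value[offset:end]))))
        offset = end
    return segments


def path_length(segments):
    """Ordinary BGP path length: every AS_SEQUENCE entry counts (prepends
    included), an AS_SET counts once, confederation segments count zero."""
    total = 0
    for seg_type, asns in segments:
        if seg_type == AS_SEQUENCE:
            total += len(asns)
        elif seg_type == AS_SET and asns:
            total += 1
    return total


def unique_as_count(segments):
    """Number of distinct ASs, ignoring confederation segments."""
    seen = set()
    for seg_type, asns in segments:
        if seg_type not in CONFED_SEGMENTS:
            seen.update(asns)
    return len(seen)


def matches(count, threshold, mode):
    """Evaluate a comparison in the style of 'count (equal | orhigher | orlower)'."""
    if mode == "equal":
        return count == threshold
    if mode == "orhigher":
        return count >= threshold
    if mode == "orlower":
        return count <= threshold
    raise ValueError(f"unknown mode {mode!r}")


def evaluate(value, threshold, mode):
    return matches(unique_as_count(parse_as_path(value)), threshold, mode)


# Constructed sample: a confederation sequence followed by a path in which
# AS 64500 is prepended three times.
SAMPLE = (encode_segment(AS_CONFED_SEQUENCE, [65001, 65002])
          + encode_segment(AS_SEQUENCE, [64500, 64500, 64500, 64501, 64502]))

if __name__ == "__main__":
    segs = parse_as_path(SAMPLE)
    print("path length:", path_length(segs))
    print("unique AS count:", unique_as_count(segs))
    print("unique count orlower 4:", evaluate(SAMPLE, 4, "orlower"))
```
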
Services Applications
•
Support for Inline-JFlow multiple collectors on MX Series routers—Starting in Junos
OS Release 16.1R4, you can export flow records to four collectors under a family with
the same source IP address for Inline-JFlow. The Packet Forwarding Engine (PFE) can
export the flow record, flow record template, option data, and option data template
packet to all configured collectors. You can configure the multiple collectors at the
[edit forwarding-options sampling instance instance name] hierarchy level.
NOTE: You cannot change the source IP address for collectors under the
same family.
•
Support for inline TWAMP server and client on MPC7E (MX240, MX480,
MX960)—Starting in Junos OS Release 16.1R4, MX Series routers with MPC7E cards
support the inline Two-Way Active Measurement Protocol (TWAMP) control-client
and server for transmission of TWAMP IPv4 UDP probes between the session-sender
(control-client) and the session-reflector (server). The TWAMP control-client and
server can also work with a third-party server and control-client implementation.
TWAMP is an open protocol for measuring network performance between any two
devices that support TWAMP. To configure the TWAMP server, specify the logical
interface on the service PIC that provides the TWAMP service by including the
twamp-server statement at the [edit interfaces si-fpc/pic/port unit logical-unit-number
rpm] hierarchy level. To configure the TWAMP client, include the twamp-client
statement at the [edit interfaces si-fpc/pic/port unit logical-unit-number rpm] hierarchy
level.
•
Support for AMS warm standby on MS-MPC and MS-MIC (MX Series
routers)—Starting in Junos OS Release 16.1R4, one service interface can be the backup
interface for multiple service interfaces. This feature is called AMS warm standby. To
make a service interface the backup for multiple service interfaces, you configure an
AMS interface for each service interface you want to protect. Each of these AMS
interfaces has two member interfaces—a primary member interface, which is the
service interface you want to protect, and the secondary member interface, which is
the backup service interface. You can use the same secondary member interface in
multiple AMS interfaces.
To configure a warm-standby AMS interface, include the primary mams-a/b/0
statement and the secondary mams-a/b/0 statement at the [edit interfaces amsn
redundancy-options] hierarchy level.
If you use redundancy-options in an AMS interface, you cannot use
load-balancing-options in the same AMS interface.
You cannot use the same member interface in both an AMS interface that includes
load-balancing-options and an AMS interface that includes redundancy-options.
To show the state of an AMS interface configured with warm standby, issue the show
interfaces redundancy command.
To switch from the primary interface to the secondary interface, issue the request
interface switchover amsn command.
To revert to the primary interface from the secondary interface, issue the request
interface revert amsn command.
Software Installation and Upgrade
•
CFM enhancement for interoperability during unified ISSU (MX Series)—Starting in
Junos OS Release 16.1R4, Junos OS connectivity fault management (CFM) works during
a unified in-service software upgrade (ISSU) when the peer device is not a Juniper
Networks router. Interoperating with the router of another vendor, the Juniper Networks
router retains session information and continues to transmit CCM PDU (continuity
check messages) during the unified ISSU upgrade. CFM interoperability during a unified
ISSU is supported on MPC1, MPC2, MPC2-NG, MPC3-NG, MPC5, and MPC6 cards.
To provide this interoperability, enable inline (Packet Forwarding Engine) keepalives
with the hardware-assisted-keepalives statement at the [edit protocols oam ethernet
connectivity-fault-management performance-monitoring] hierarchy level. You must
also configure the continuity-check interval to 1 second with the interval statement at
the [edit protocols oam ethernet connectivity-fault-management maintenance-domain
domain-name maintenance-association ma-name continuity-check] hierarchy level.
Interoperability during unified ISSU is not supported for any other interval value.
Subscriber Management and Services
•
Subscriber management and services feature parity (MX240, MX480,
MX960)—Starting in Junos OS Release 16.1R4, the MX240, MX480, and MX960 routers
with the Routing Engine RE-S-X6-64G support all subscriber management and services
features. These services include DHCP, PPP, L2TP, VLAN, and pseudowire.
•
Subscriber termination supported in dynamic-bridged GRE tunnels (MX
Series)—Starting in Junos OS Release 16.1R4, dynamic-bridged generic routing
encapsulation (GRE) tunnels are created and terminated at the broadband network
gateway (BNG) to support the MX Series deployed as a Wi-Fi Gateway model. Dynamic
Host Configuration Protocol (DHCP) subscribers are transported through GRE tunnels
as either VLAN-tagged or untagged. Subscriber services such as authentication,
authorization, and accounting (AAA); address assignment; and class of service (CoS)
are supported for individual DHCP subscribers within the GRE tunnels.
•
Support for parameterized filters for protocol-independent packets (MX
Series)—Starting in Junos OS Release 16.1R4, you can use family any for parameterized
firewall filters in dynamic service profiles. You can also specify a precedence order for
family any filters when they are attached to a dynamic logical interface.
Parameterization enables you to create basic or boilerplate filters under a dynamic
profile and have specific values for certain attributes provided only when the dynamic
session is activated.
•
Enhancement to subscriber services (MX Series)—Starting in Junos OS Release 16.1R4,
Junos OS supports a maximum of 100 services per subscriber. However, the total
number of residential services allowed per subscriber is limited to 12. In earlier releases,
the maximum number of services allowed per subscriber is limited to 12, irrespective
of the type of service.
NOTE: If you upgrade to Junos OS Release 16.1R4 from an earlier release
through unified ISSU, the increase in the number of services applies only
to those subscriber sessions that are established after the upgrade. Existing
subscribers must log out and log in again to apply this enhancement.
•
Reporting of effective shaping rate and session rate limit from LAC to LNS in L2TP
(MX Series)—Starting in Junos OS Release 16.1R4, Junos OS reports connect speed
updates from the L2TP access concentrator (LAC) to the L2TP network server (LNS)
for class-of-service (CoS) effective shaping rates. This includes both AVP 24 (the Tx
speed) and AVP 38 (the Rx speed). These speed updates are reported in the L2TP
CSUN message.
A new Tx connect speed method, service-profile, is added to the
tx-connect-speed-method configuration statement, replacing the actual Tx connect
speed method. The service-profile method is also added to the RADIUS dictionary for
the VSA attribute Tunnel-Tx-Speed-Method (26-94). You configure service-profile as
the Tx connect speed method with the set tx-connect-speed-method service-profile
statement at the [edit services l2tp] hierarchy level.
To provide the Rx connect speed for the new service-profile method, use the set
report-ingress-shaping-rate statement at the [edit dynamic-profiles profile-name
class-of-service interfaces interface-name unit logical-unit-number] hierarchy level.
To display the configured Tx connect speed method, use the show services l2tp session
extensive command.
•
Support for parameterized filters for protocol-independent packets (MX
Series)—Starting in Junos OS Release 16.1R4, you can use family any for parameterized
firewall filters in dynamic service profiles. You can also specify a precedence order for
family any filters when they are attached to a dynamic logical interface.
Parameterization enables you to create basic or boilerplate filters under a dynamic
profile and have specific values for certain attributes provided only when the dynamic
session is activated.
•
DHCP and DHCPv6 asymmetric lease support (MX Series)—Starting in Junos OS
Release 16.1R4, you can configure a shorter lease for DHCP and DHCPv6 that overrides
the original lease configuration. The shorter lease is also known as an asymmetric
lease. When the client successfully requests a lease extension, the client renews the
short lease for the same duration. The short lease continues until the original or long
lease offered by DHCP or DHCPv6 expires. The short lease provides a means to force
a lease renewal for particular hosts or clients before the original lease expires and a
form of liveness detection. When the client is no longer using the lease, the client stops
requesting a lease renewal; this is reported to the DHCP server or DHCP relay agent as
an expiration of the short lease. In the absence of a short lease, client inactivity can be
detected only when the long lease expires. The short lease enables earlier detection
and frees up address resources earlier than is possible with the long lease.
Configure the short lease duration for DHCP or DHCPv6 globally or by group with the
following statement at any [edit...(dhcp-local-server | dhcp-relay)...overrides] hierarchy
level:
•
asymmetric-lease-time seconds, where seconds is in the range 600 through 86,400
Configure the short lease duration for DHCPv6 delegated prefix addresses globally or
by group with the following statement at any [edit...(dhcp-local-server |
dhcp-relay)...overrides] hierarchy level:
•
asymmetric-prefix-lease-time seconds, where seconds is in the range 600 through
86,400
•
Shared memory log supports filter-based debugging (MX Series)—Starting in Junos
OS Release 16.1R4, Junos OS supports filter-based debugging using the shared memory
log.
Junos OS uses a shared memory space to store log entries for subscriber service
daemons, such as jpppd, jdhcpd, jl2tpd, autoconfd, bbe-smgd, authd, cosd, and dfwd.
The shared memory log, or shmlog, output can be displayed using the show shmlog
entries logname (logname | all) <filter filter> <flag-name flag> command.
By default, shared memory logging is enabled. To disable the shmlog, at the [edit
system services subscriber-management] hierarchy level, enter the set overrides shmlog
disable; configuration statement.
By default, shmlog filtering is disabled. To enable shmlog filtering, at the [edit system
services subscriber-management overrides] hierarchy level, enter the set shmlog filtering
enable; configuration statement.
To display shmlog output for all daemon logs, use the logname all option in the show
shmlog entries command. To limit shmlog output to a specific daemon log, provide
the daemon name after the logname option followed by an asterisk. For example,
logname jpppd* or logname authd*.
To filter shmlog output, use the filter filter option in the show shmlog entries logname
all command. To display a list of valid filters, enter the command show shmlog entries
logname all ?.
Output can also be limited to shmlog entries with specific flags, such as
transmit-packets, configuration, and sessionDb, using the flag-name flag option in the
show shmlog entries logname all command. To display a list of valid flags, enter the
command show shmlog entries logname all flag-name ?.
To direct shmlog output to a file, at the [edit system services subscriber-management
overrides] hierarchy level, enter the set shmlog file <filename>; configuration statement.
To view shmlog output stored in a text file, use the command show shmlog entries
filename filename.
•
Support for ANCP-triggered dynamic VLANs (MX Series)—Starting in Junos OS
Release 16.1R4, you can configure the instantiation of autosensed dynamic VLANs for
Layer 2 wholesale services, triggered by out-of-band ANCP messages rather than by
in-band control packets. These VLANs accommodate both subscribers wholesaled
to a retailer and subscribers belonging to the wholesaler. An ANCP Port Up message
triggers VLAN instantiation and conveys several ANCP DSL attributes. During VLAN
authorization, RADIUS determines which traffic belongs to the access provider’s own
subscribers and which belongs to the wholesale customer (retail ISP) based on
identification of the subscriber’s access line by the agent remote identifier. The outer
VLAN ID provided by the access node is swapped for an inner VLAN ID to convey
wholesaled traffic to the retailer’s unique, nondefault routing instance.
The wholesaler uses Layer 2 cross-connects to implement the retail networks with 1:1
autosensed, dynamic VLANs and VLAN tag swapping. Core-facing physical interfaces
are dedicated to forwarding subscriber connections to the retailer’s router. The traffic
for an entire outer VLAN can be wholesaled this way. This direct-connect model
supports any combination of wholesaler-owned and wholesaled connections for the
entire access-facing VLAN range.
•
Enhanced performance in provisioning and deprovisioning of ESSM services (MX
Series)—Starting in Junos Release 16.1R4, you can load and commit configurations
into an ephemeral configuration database through an operation (op) script, thereby
improving the performance of provisioning and deprovisioning of ESSM services. The
total number of business services supported is increased to 100 business services per
subscriber and 8000 business services per chassis. Before you commit a configuration,
you must validate the op script because committing an invalid configuration might
result in unexpected behavior.
The ephemeral configuration database is an alternate database that provides a
configuration layer separate from both the static configuration database and the
configuration layers of other client applications. The ephemeral commit model enables
devices running Junos OS to simultaneously commit and merge changes from multiple
clients and execute the commits with significantly greater throughput than when
committing data to the static configuration database.
•
Extended support for service-accounting, service-filter-hit, and force-premium
firewall match conditions and actions (MX Series)—Starting in Junos OS Release
16.1R4, the service-filter-hit firewall match condition and the service-filter-hit,
force-premium, service-accounting, and service-accounting-deferred firewall actions
are extended to the family any filter on MX Series routers. This support is in addition
to existing support on the family inet and family inet6 filters.
•
Processing multiple activation and deactivation requests in a single CoA message
(MX Series)—Starting in Junos OS Release 16.1R4, subscriber management processes
RADIUS-initiated Change of Authorization (CoA) messages in a more efficient manner.
When receiving a CoA message that has multiple activation and deactivation requests,
the router groups the requests together, by type. The router then processes all
deactivation requests before processing the activation requests.
Processing deactivation requests first helps the router provide a consistent behavior
for activated services. For example, a particular service might be activated multiple
times, using different parameters. It is more efficient for the router to process the
deactivation requests for existing instances of the service before attempting to activate
the same service with different parameters.
In earlier releases, the router processed all activation requests first, before processing
the deactivation requests in the CoA message.
•
Captive portal content delivery (HTTP redirect) and converged services supported
on the Routing Engine (MX Series)—Starting in Junos OS Release 16.1R4, you can
configure Routing Engine-based captive portal content delivery (HTTP redirect) with
converged services. HTTP redirect and HTTP rewrite traffic are supported on the si
logical interface. The Routing Engine-based captive portal supports a walled garden
as a firewall service filter only.
•
ANCP agent adjustment of downstream data rate and overhead for SDSL, VDSL,
and VDSL2 subscriber lines (MX Series)—Starting in Junos OS Release 16.1R4, you
can configure the Access Node Control Protocol (ANCP) agent to provide two
independent, adjusted values to CoS for downstream subscriber traffic on frame mode
DSL types (SDSL, VDSL, and VDSL2), enabling CoS to more accurately adjust the
effective shaping rate for the downstream subscriber traffic. You can specify a
percentage value that is applied to the actual, unadjusted data rate received in ANCP
Port Up messages. You can also specify a number of bytes that is added to or subtracted
from the frame overhead for the traffic.
To adjust the received values, first include the qos-adjust statement at the [edit
protocols ancp] hierarchy level to enable the ANCP agent to report values to CoS. Then
include one or more of the following statements at the [edit protocols ancp qos-adjust]
hierarchy level to specify a percentage adjustment value: sdsl-overhead-adjust,
vdsl-overhead-adjust, or vdsl2-overhead-adjust. To adjust the frame overhead, include
one or more of the following statements at the same hierarchy level: sdsl-bytes,
vdsl-bytes, or vdsl2-bytes.
Use the show ancp cos command to view the adjustment configuration and the last
updated values sent to CoS. The show class-of-service interface interface-name
command displays the adjusted rate and overhead values CoS has received from the
ANCP agent.
•
Enhancement to MAC limit function (MX Series with MPCs)—Starting in Junos OS
Release 16.1R4, the handling of a burst of packets with new source MAC addresses is
improved to reduce resource use and processing time. In earlier releases, new source
MAC addresses are learned and placed in the MAC table even after the limit is exceeded.
The Routing Engine later deletes the MAC address entries that are over the limit.
Now, the learning limit configured with the interface-mac-limit statement for new
source MAC addresses is enforced at all levels: global, bridge domain, and VPLS. The
MAC table is not updated with any new addresses after the limit has been reached.
When any static MAC addresses are configured, the learning limit is the configured
limit minus the number of static addresses.
When the configured packet action is drop, all subsequent packets with new source
MAC addresses are dropped when the MAC address limit is reached. Otherwise, all
such packets are forwarded when the MAC address limit is reached.
This enhancement applies to the MAC address learning limit at all levels: global, bridge
domain, and VPLS. It does not apply to bridge domain trunk ports, because those have
no counters for the individual domains, which might have different MAC address learning
limits. The enhancement also does not apply to aggregated Ethernet interfaces or to
label-switched interfaces. In these cases, the behavior is to learn all the addresses and
later delete the excess.
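The following Python model is an added example, not Junos OS code: it runs a constructed burst of new source MAC addresses through the learning behavior described above, for interfaces where the limit is enforced at learning time and for the interface kinds that still learn every address and delete the excess later. The function names, interface-kind labels, and sample addresses are assumptions; for the learn-then-delete case the model also assumes that packets are forwarded and that the most recently learned entries are the ones deleted.

```python
from dataclasses import dataclass

# Interface kinds that, per the text above, still learn every address and
# delete the excess later. The label strings themselves are assumptions.
LEARN_THEN_DELETE = {"bridge-domain-trunk", "aggregated-ethernet", "label-switched"}


@dataclass
class Result:
    table: list      # dynamically learned MACs left in the table afterwards
    peak: int        # most learned entries held at any one time
    forwarded: int
    dropped: int


def learning_limit(configured_limit, static_macs):
    """Static MAC addresses count against the configured limit."""
    return max(configured_limit - len(set(static_macs)), 0)


def process_burst(src_macs, configured_limit, static_macs=(), drop=False,
                  kind="access"):
    """Run a sequence of source MACs through the model and return a Result."""
    limit = learning_limit(configured_limit, static_macs)
    static = set(static_macs)
    legacy = kind in LEARN_THEN_DELETE
    table, peak, forwarded, dropped = [], 0, 0, 0

    for mac in src_macs:
        if mac in static or mac in table:
            forwarded += 1                # known source, nothing to learn
        elif legacy or len(table) < limit:
            table.append(mac)             # learned (legacy: even past the limit)
            peak = max(peak, len(table))
            forwarded += 1                # assumption for the legacy case
        elif drop:
            dropped += 1                  # limit reached, packet action is drop
        else:
            forwarded += 1                # limit reached: forwarded, not learned

    if legacy:
        # Assumption: the later cleanup removes the most recently learned entries.
        table = table[:limit]
    return Result(table, peak, forwarded, dropped)


# Constructed input: ten new source MACs, then a repeat of the first one.
STATIC = ["02:00:00:00:ff:01", "02:00:00:00:ff:02"]
BURST = ["02:00:00:00:00:%02x" % i for i in range(10)]
BURST.append(BURST[0])

if __name__ == "__main__":
    for kind, drop in (("access", True), ("access", False),
                       ("aggregated-ethernet", True)):
        r = process_burst(BURST, 5, STATIC, drop=drop, kind=kind)
        print(kind, "drop" if drop else "forward",
              "table=%d peak=%d fwd=%d drop=%d"
              % (len(r.table), r.peak, r.forwarded, r.dropped))
```

With a configured limit of 5 and two static addresses, the enforced case never holds more than three learned entries, while the learn-then-delete case briefly holds all ten before trimming back to three.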
•
PIM support for enhanced subscriber management (MX Series)—Starting in Junos
OS Release 16.1R4, you can use the Protocol Independent Multicast (PIM) protocol
with enhanced subscriber management. Use the protocols pim command at the [edit
dynamic-profiles profile-name] hierarchy level to enable PIM for subscribers within the
specified profile. To selectively disable PIM for an individual subscriber, use the new
PIM-enable RADIUS VSA and set the integer value to 0.
The routing-services and protocols pim commands under the [edit dynamic-profiles
profile-name] hierarchy level are mutually exclusive and should not be configured
together in the same client dynamic profile.
•
Authenticating dynamic VLAN ranges using different profiles (MX Series)—Starting
in Junos OS Release 16.1R4, you can set up the software to authenticate and authorize
different sets of VLAN ranges on the same interface, each using a different access
profile. In earlier releases, all dynamic VLAN ranges on the same interface are
authenticated and authorized using the same access profile.
With this feature, you can have different access profiles for different types of VLANs;
for example, voice or data VLANs. If an S-VLAN being used for voice traffic goes down,
and the NASREQ server is also down, you can set up the access profile for the S-VLAN
so that it comes up without requiring authorization. At the same time, you can configure
access profiles for data VLANs that require authorization before the VLAN comes back
up.
To configure this feature, assign a different access profile to each dynamic profile
configured on a VLAN. For example:
[edit interfaces ge-1/0/0]
auto-configure {
    vlan-ranges {
        dynamic-profile svlan-profile-1 {
            accept any;
            ranges {
                101-110;
                111-120;
                121-130;
            }
            access-profile svlan-access-profile-1;
        }
        dynamic-profile vlan-profile-2 {
            accept any;
            ranges {
                201-210;
                211-220;
                221-230;
            }
            access-profile vlan-access-profile-2;
        }
    }
}
Use the following command to configure an access profile that does not require
authorization if the NASREQ is down:
set access profile svlan-access-profile svlan_access_profile_name authorization-order nasreq none
If you configure access profiles for dynamic VLANs in a dynamic profile, you must
configure an access profile in each dynamic profile configured on the VLAN.
If you configure multiple access profiles at different levels of the hierarchy, and a conflict
occurs, the router applies the access profiles based on the following precedence rules:
•
If you assign multiple access profiles, the most specific access profile assignment
takes precedence over any other access profile assignment.
•
If you assign an access profile at a new level, it takes precedence over any other
access profile assignment.
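The following Python example is added here and is not Juniper code: it parses an auto-configure stanza like the one shown earlier in this item and reports two things a reviewer would check, namely any dynamic profile left without an access profile once another one has one, and which dynamic profiles come up without authorization when NASREQ is down. The third dynamic profile (vlan-profile-3), the AUTH_ORDER mapping, and all function names are constructed for the illustration.

```python
import re

# Constructed sample: the stanza from the text plus a third, hypothetical
# dynamic profile (vlan-profile-3) that has no access-profile statement.
SAMPLE = """
auto-configure {
    vlan-ranges {
        dynamic-profile svlan-profile-1 {
            accept any;
            ranges { 101-110; 111-120; 121-130; }
            access-profile svlan-access-profile-1;
        }
        dynamic-profile vlan-profile-2 {
            accept any;
            ranges { 201-210; 211-220; 221-230; }
            access-profile vlan-access-profile-2;
        }
        dynamic-profile vlan-profile-3 {
            accept any;
            ranges { 301-310; }
        }
    }
}
"""

# Constructed: authorization order per access profile. The first follows the
# "authorization-order nasreq none" command above; the second is NASREQ only.
AUTH_ORDER = {
    "svlan-access-profile-1": ["nasreq", "none"],
    "vlan-access-profile-2": ["nasreq"],
}

def parse(text):
    """Parse brace-delimited text into (words, children); children is None for ';'."""
    tokens = iter(re.findall(r"[{};]|[^\s{};]+", text))

    def block():
        items, words = [], []
        for tok in tokens:              # shared iterator: nested calls resume it
            if tok == "{":
                items.append((words, block()))
                words = []
            elif tok == ";":
                items.append((words, None))
                words = []
            elif tok == "}":
                break
            else:
                words.append(tok)
        return items

    return block()

def child(items, name):
    """Children of the first block whose first word is name, else []."""
    for words, children in items:
        if children is not None and words[:1] == [name]:
            return children
    return []

def dynamic_profiles(text):
    """Map each dynamic profile name to its VLAN ranges and access profile."""
    profiles = {}
    for words, children in child(child(parse(text), "auto-configure"), "vlan-ranges"):
        if children is None or words[:1] != ["dynamic-profile"]:
            continue
        entry = {"ranges": [], "access_profile": None}
        for w, c in children:
            if c is None and w[:1] == ["access-profile"]:
                entry["access_profile"] = w[1]
            elif c is not None and w == ["ranges"]:
                for r, _ in c:
                    lo, _, hi = r[0].partition("-")
                    entry["ranges"].append((int(lo), int(hi or lo)))
        profiles[words[1]] = entry
    return profiles

def audit(text, auth_order):
    """Return (finding, dynamic-profile) pairs for a reviewer to look at."""
    profiles = dynamic_profiles(text)
    findings = []
    if any(p["access_profile"] for p in profiles.values()):
        findings += [("missing-access-profile", name)
                     for name, p in profiles.items() if not p["access_profile"]]
    for name, p in profiles.items():
        order = auth_order.get(p["access_profile"], [])
        if order[-1:] == ["none"]:      # comes up unauthorized if NASREQ is down
            findings.append(("no-authorization-fallback", name))
    return findings

def access_profile_for_vlan(text, vlan_id):
    """Access profile that authenticates vlan_id, or None if there is none."""
    for p in dynamic_profiles(text).values():
        if any(lo <= vlan_id <= hi for lo, hi in p["ranges"]):
            return p["access_profile"]
    return None
```

Calling audit(SAMPLE, AUTH_ORDER) flags vlan-profile-3 for the missing access profile and svlan-profile-1 for the fallback to no authorization, which is the intended behavior for the voice S-VLAN in the text but worth confirming for any other range.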
•
Broadband PCEF (MX Series)—Starting in Junos OS Release 16.1R4, Junos OS supports
broadband policy and charging enforcement function (BPCEF). BPCEF provides PCEF
functionality interacting with external PCRF and OCF resources.
To configure BPCEF:
•
Configure the BPCEF partition parameters.
•
Configure BPCEF dynamic-profile parameters.
•
Configure access profile parameters.
Use the following configuration statements at the [edit access] hierarchy level to
configure the properties for the BPCEF partition:
BPCEF {
    partition partition-name {
        diameter-instance instance-name;
        draining;
        subscription-id-type subscription-id-type;
        subscription-id-data subscription-id-data;
        ip-can-type ip-can-type;
        pcrf-dest-host pcrf-host-name;
        pcrf-dest-realm pcrf-realm-name;
        pcrf-max-outstanding pcrf-max-outstanding;
        pcrf-send-origin-state-id;
        pcrf-local-decision (allow | deny) timeout seconds;
        pcrf-report-local-rules;
        ocf-dest-host ocf-host-name;
        ocf-dest-realm ocf-realm-name;
        ocf-max-outstanding ocf-max-outstanding;
        ocf-send-origin-state-id;
        ocf-force-continue;
    }
}
Use the following configuration statements at the [edit access] hierarchy level to
configure the rules and parameters for the dynamic-profile:
BPCEF {
    global {
        service-context-id service-context id;
        rule rule-id {
            profile profile_id;
            parameter parameter-id;
            value parameter-value;
        }
        rule rule-id {
            profile profile_id;
            parameter parameter-id;
            value parameter-value;
        }
    }
}
Use the following configuration statements at the [edit access] hierarchy level to
configure the access profile parameters. Note that if the provisioning order is set to
pcrf, then the accounting order should be set to ocf. If the provisioning order is set to
ocf, then the accounting order should be set to pcrf.
profile access-profile-name {
    provisioning-order (pcrf | ocf);
    accounting-order (pcrf | ocf);
}
To display subscriber command output, use the show network-access aaa subscribers
session-id session-id detail command.
•
Targeted distribution of subscriber traffic over aggregated Ethernet—Starting in
Junos OS Release 16.1R4, for a demux configuration whose underlying interface is an
aggregated Ethernet interface, Junos OS provides targeted distribution of subscriber
traffic while also allowing subscriber traffic redundancy. This ensures equal distribution
of bandwidth and CoS resources among subscribers.
Service providers can now:
•
Provide DPC and port redundancy for subscriber traffic.
•
Apply per-subscriber hierarchical QoS and firewall filters on subscriber traffic over
LAG.
To set targeted distribution in the demux logical interfaces configuration, use the
targeted-distribution statement at the [edit interfaces demux0 unit logical-unit-number]
hierarchy level.
To schedule an automatic periodic rebalance on an aggregated Ethernet bundle, use
the rebalance-periodic start-time <hh:mm> interval <hours> option at the [edit interfaces
aenumber aggregated-ether-options targeted-options] hierarchy level.
To provide module redundancy for demux subscribers on aggregated Ethernet bundles
configured with targeted distribution, use the logical-interface-fpc-redundancy
statement at the [edit interfaces aenumber aggregated-ether-options targeted-options]
hierarchy level.
To manually rebalance the subscribers on an aggregated Ethernet bundle with targeted
distribution enabled, use the request interface rebalance <interface-name> command.
To display status information about the distribution of subscribers on different links in
an aggregated Ethernet bundle, use the show interfaces targeting aex command.
To view status information about the specified demux interface, use the show interfaces
demux0.logical-interface-number command.
To set targeted distribution in the VLAN logical interface configuration, use the
targeted-distribution statement at the [edit interfaces interface-set <interface-set name>
demux0 unit logical-unit-number] hierarchy level.
•
Dynamic subscriber and service management on statically configured interfaces
(MX Series)—Starting in Junos OS Release 16.1R4, enhanced subscriber management
supports dynamic service activation and deactivation for static subscribers. These
static subscribers work with the native Juniper Networks Session and Resource Control
(SRC), or you can configure RADIUS to activate and deactivate the services with change
of authorization (CoA) messages. Note, however, that with RADIUS, authentication
failure does not prevent the underlying interface from coming up and forwarding traffic.
Instead, it prevents the subscriber from coming up, and thus service
activation/deactivation. Authorization parameters such as IP addresses, net masks,
policy lists, and QoS are also not imposed when using RADIUS.
Use the following commands to provide administrative control of static subscribers:
•
request services static-subscribers login interface interface-name
•
request services static-subscribers logout interface interface-name
•
request services static-subscribers login group group-name
•
request services static-subscribers logout group group-name
Use the following commands to monitor static subscribers:
•
show static-subscribers
•
show static-subscribers interface interface-name
•
show static-subscribers group group-name
•
Logging and reporting function (MX Series with MS-MPC and MS-MIC)—Starting in
Junos OS Release 16.1R4, the logging and reporting function (LRF) enables you to log
data for subscriber application-aware data sessions and send that data in IP Flow
Information Export (IPFIX) protocol format to an external log collector, using
UDP-based transport. These data session logs can include subscriber information,
application information, HTTP metadata, data volume, time-of-day information, and
source and destination details. An external collector, which is not a Juniper Networks
product, can then use this data to perform analytics that provide you with insights
about subscriber and application usage.
To configure logging and reporting:
1. Install the LRF service package jservices-lrf at the [edit chassis fpc slot-number pic
pic-number service-package extension-provider package] hierarchy level on any MS-MPC
PICs and MS-MICs that perform LRF.
2. Configure an LRF profile to specify a set of logging and reporting parameters, which
includes data templates, collectors, and LRF rules. See Configuring an LRF Profile
for Subscribers.
3. Assign the LRF profile to the service set that handles application-aware policy
control.
service-set service-set-name {
    lrf-profile profile-name;
}
4. Configure activation of an LRF rule with a PCC rule. See Configuring the Activation
of an LRF Rule by a Static PCC Rule. That topic shows the pcef objects at the [edit
unified-edge pcef] hierarchy level, but for subscriber management, configure the
pcef objects at the [edit services pcef] hierarchy level.
For a description of the LRF, see the following topics:
•
Logging and Reporting Function for Subscribers
•
Log Dictionary for Template Types
•
Subscriber login session with optional services (MX Series)—Starting in Junos OS
Release 16.1R4, you can use the service-activation statement at the [edit access profile
profile-name radius options] hierarchy level to specify whether successful activation
of services referenced in the Activate-Service VSA (26-65) in the RADIUS
Access-Accept message is required or optional for subscriber login access.
When activation is required, failure for any reason causes the
Network-Family-Activate-Request for that network family to fail. If no other network
family is already active for the subscriber, then the client application logs out the
subscriber.
When activation is optional, subscribers can still log in when a service fails to activate
because of a configuration error. Failures for any other reason do not allow successful
login.
By default, activation is required for services applied with a dynamic profile and is
optional for services applied by an Extensible Subscriber Services Manager (ESSM)
operation script. In earlier releases, only the default behavior is available.
NOTE: This configuration does not apply to services activated by means
of RADIUS CoA requests, JSRC Push-Profile-Request (PPR) messages, or
subscriber secure policy.
•
Support for per-subscriber application-aware policy control (MX Series with
MS-MPCs)—Starting in Junos OS Release 16.1R4, the MS-MPC supports per-subscriber
policy control based on Layer 7 application identification information for the IP flow
(for example, YouTube) or Layer 3 and Layer 4 information for the IP flow (for example,
the source and destination IP address). Subscriber application-aware policy actions
can include:
•
Redirecting HTTP traffic to another URL or IP address
•
Setting the forwarding class
•
Setting the maximum bit rate
•
Setting the gating status to blocked or allowed
•
Setting the allowed burst size
•
Logging and reporting application-aware data sessions
To configure per-subscriber application-aware policy control or Layer 3 and Layer 4
policy control:
1. Install the jservices-mss, jservices-jdpi, and jservices-pcef service packages at the
[edit chassis fpc slot-number pic pic-number service-package extension-provider
package] hierarchy level on any MS-MPC that performs policy control.
2. Configure policy control with policy and charging control (PCC) rules and policy
and charging enforcement function (PCEF) profiles. PCC rules define the Layer 7
or Layer 3 and Layer 4 conditions to match and the actions to take on packets that
match. A PCEF profile points to a set of PCC rules to assign to a subscriber. To use
Layer 7 matching conditions, you must either install predefined application
identification signatures (see Downloading and Installing Predefined Junos OS
Application Signature Packages) or configure custom application signatures (see
Configuring Custom Application Signatures). To use Layer 3 and Layer 4 matching
conditions, configure flow descriptions. Configure PCC action profiles to specify the
actions for a PCC rule.
Configure PCC rules, PCEF profiles, flow descriptions, and PCC action profiles at
the [edit services pcef] hierarchy level.
You can find details about configuring PCC rules and PCEF profiles in the
Subscriber-Aware and Application-Aware Traffic Treatment Feature Guide. The guide
shows the pcef objects at the [edit unified-edge pcef] hierarchy level, but for
subscriber management, configure the pcef objects at the [edit services pcef]
hierarchy level. See the following topics:
•
Configuring Policy and Charging Control Rules
•
Configuring Policy and Charging Control Action Profiles
•
Configuring Service Data Flow Filters
•
Configuring a Policy and Charging Control Rulebase
•
Configuring a Policy and Charging Enforcement Function Profile for Static Policies
3. Configure a service set to identify the service interface that handles
application-aware policy control.
service-set service-set-name {
    service-set-options {
        subscriber-awareness;
    }
    application-identification-profile appid-profile-name;
    pcef-profile pcef-profile-name;
    interface-service {
        service-interface interface-name;
    }
}
The application-identification-profile and pcef-profile statements must include
names, but these names are dummy variables and are not used.
The service-interface can be an aggregated multiservices (AMS) interface (see
Configuring Aggregated Multiservices Interfaces).
4. Configure one or more dynamic profiles that specify the PCEF profile and the service
set to use.
a. In the dynamic profile at the [edit dynamic-profiles profile-name interfaces
interface-name unit logical-unit-number service pcef] hierarchy level, point to the
PCEF profile. In the client dynamic profile, you can identify the PCEF profile with
the variable $junos-pcef-profile. All of a subscriber’s dynamic profiles that include
a PCEF profile must point to the same PCEF profile.
b. Activate one or more PCC rules in the dynamic profile at the [edit dynamic-profiles
profile-name interfaces interface-name unit logical-unit-number service pcef
profile-name] hierarchy level. Activate a specific rule name with the activate
rule-name statement or activate all the rules in the PCEF profile with the
activate-all statement. In the client dynamic profile, you can identify a specific
rule name with the variable $junos-pcef-rule.
If you activate PCC rules in multiple dynamic profiles, all of those PCC rules are
applied to the subscriber.
c. In the dynamic profile at the [edit dynamic-profiles profile-name interfaces
interface-name unit logical-unit-number family family service (input | output)
service-set] hierarchy level, point to the service set. In the client dynamic profile,
you can identify the service set with a variable ($junos-input-service-set |
$junos-output-service-set | $junos-input-ipv6-service-set |
$junos-output-ipv6-service-set). You must use the same service set for both the
input and output service.
d. (Optional) In the dynamic profile at the [edit dynamic-profiles profile-name
interfaces interface-name unit logical-unit-number family family service (input |
output) service-set service-set-name service-filter] hierarchy level, point to the
service filter. In the client dynamic profile, you can identify the service filter with
a variable ($junos-input-service-filter | $junos-output-service-filter |
$junos-input-ipv6-service-filter | $junos-output-ipv6-service-filter).
Table 2 provides a list of the new predefined variables for
application-aware policy control in the dynamic profile.

Table 2: Junos OS PCEF Predefined Variables

Junos OS Predefined Variable   RADIUS Attribute   Description
$junos-pcef-profile            204                PCEF profile name.
$junos-pcef-rule               205                PCC rule name. The RADIUS server can provide multiple PCC rule names for a dynamic profile.

The following commands have been added or modified to support application-aware
policy control:
•
show services pcef subscribers—(New) Displays statistics for subscribers that are
using PCEF profiles. You can include any of the options that are available for show
subscribers (see show subscribers).
•
show services pcef pic <fpc-slot fpc-slot> <pic-slot pic-slot>—(New) Displays the
number of subscribers on each service PIC. The output is zero when a service PIC is
down or is coming up after a reboot because the information is taken from the service
PIC, and this will not match the show services pcef subscribers count, which is taken
from the Routing Engine.
•
show subscribers—(Modified) Displays additional fields that show the service set,
service filter, PCEF profile, and PCC rules for the subscriber.
•
Support for mapping VLAN session termination cause (MX Series)—Starting in Junos
OS Release 16.1R4, new internal identifiers indicate the reasons that autoconfd initiates
termination of individual VLAN out-of-band subscriber sessions. In earlier releases, the
termination cause for a VLAN session is always 6 (administrative reset) and cannot
be modified.
The session termination causes map to default code values that are reported in the
RADIUS Acct-Terminate-Cause attribute (49) in Acct-Stop messages for the service.
You can use the new vlan option with the terminate-code aaa statement at the [edit
access] hierarchy level to remap any of the new termination causes to any number in
the range 1 through 4,294,967,295.
You can use the new vlan option with the show network-access aaa terminate-code
vlan command to display only the VLAN termination causes and their current code
values.
[See VLAN Termination Causes and Code Values.]
System Management
•
Support for asynchronous batch commits (MX Series)—Starting in Junos OS Release
16.1R4, batch commit behavior is enhanced to allow asynchronous commits,
scheduling of commit jobs, and fair scheduling among jobs with different priorities.
By default, batch commit behavior is synchronous, meaning that the CLI waits until
the commit completes before displaying the command prompt. By default,
high-priority commit jobs are always processed before low-priority jobs, blocking
the completion of low-priority jobs. This default behavior is not suitable for situations
where there is a hard requirement to commit certain configurations in a predefined
time period or to see the command-prompt within a predefined time limit, especially
in a scaled environment.
Now you can configure asynchronous batch commits, which allow the CLI to display
the command prompt immediately following the commit request when the job is
added to the commit queue. Two new CLI commands are introduced to commit the
jobs asynchronously: commit asynchronous commits the low-priority jobs
asynchronously, and commit priority asynchronous commits the high-priority jobs
asynchronously. A new CLI configuration statement, commit async/asynchronous, is
introduced; it returns a job-id that you can use to monitor the status of the job
with the show commit server queue id commit-id command.
Use the commit async statement from batch configuration mode [edit batch] to
batch an asynchronous job in the commit queue as a low-priority commit job. You
can specify a high-priority asynchronous commit job with the commit priority async
statement. The commit operation proceeds in the background, depending on priority
and scheduling, and the CLI is available for further inputs.
BEST PRACTICE: We recommend that you use the and-quit option for
either asynchronous statement.
There is a schedule attached to low-priority asynchronous commits. The schedule
specifies the time duration and maximum load under which the commit server should
process the low-priority jobs. If there is no schedule specified, no schedule is used,
and the commit will proceed as a normal batch commit.
You can use the new commit-schedule-profile profile-name statement at the [edit
system commit server] hierarchy level to define one or more sets of scheduling
parameters that can be attached to low-priority commit jobs. For example, you might
configure different schedules for day versus night. An example schedule has the
following attributes:
•
start-time hh:mm—Time when the schedule starts.
•
end-time hh:mm—Time when the schedule ends.
•
interruptible—Flag indicating that any commit job in the schedule can be interrupted
by a high-priority job. If this attribute is not configured, a high-priority job must wait
for an ongoing low-priority job to finish before it can be processed; the high-priority
job is then processed ahead of any pending low-priority jobs.
•
load-average average—Preferred load-average before schedule kicks in. This is the
maximum system utilization or load average that allows the schedule to start. For
example, if you specify a load average of 0.66, the schedule is not applied unless
the system utilization is less than or equal to 0.66 (66 percent).
The commitd daemon determines when to remove from the queue and process
a job based on the priority of the job and the schedule configured on the commit
server. The schedule is checked every time a batch job is removed from the queue
and committed.
Apart from receiving system log messages, you can also use the
redirect-completion-status url statement at the [edit system commit server]
hierarchy level to post status for asynchronous commits to the URL configured.
The status includes a job ID, job status, and job cookie for the specified URL.
Release 16.1R3 New and Changed Features
General Routing
•
Support for OpenConfig—Starting in Junos OS Release 16.1R3, you can configure your
MX and PTX Series network devices by using OpenConfig data models. The data
models are written in YANG, a data modeling language that can be used to model both
configurational data as well as operational data and can be managed on the router
by using the CLI or with NETCONF.
Junos OS Release 16.1R3 supports the following OpenConfig data models:
•
Border Gateway Protocol
•
Routing Policy
•
Local Routing
•
Telemetry
•
Interface
•
MPLS
[See OpenConfig Feature Guide.]
High Availability and Resiliency
•
High availability for IPsec on MS-MPCs (MX Series)—Starting in Junos OS Release
16.1R3, you can use the new one-to-one statement at the [edit interfaces interface-name
load-balancing-options high-availability-options] hierarchy level to configure one-to-one
(1:1) redundancy between a pair of interfaces. If the active interface fails, the backup
interface takes over. The one-to-one statement configures synchronization between
the two interfaces, which creates support for IPsec connections over the redundant
interfaces.
NOTE: This feature is documented but not supported in Junos OS Release
16.1R1.
Layer 2 Features
•
Implicit maximum bandwidth for inline services for L2TP LNS (MX Series)—Starting
in Junos OS Release 16.1R3, you are no longer required to explicitly specify a bandwidth
for L2TP LNS tunnel traffic using inline services. If you do not specify a bandwidth, the
maximum bandwidth supported on the PIC is automatically available for the inline
services; inline services can use up to this maximum value. For example:
user@host# set chassis fpc 3 pic 0 inline-services
user@host# set chassis fpc 3 pic 1 inline-services
user@host> show interfaces si-3/0/0
Physical interface: si-3/0/0, Enabled, Physical link is Up
Interface index: 181, SNMP ifIndex: 561
Type: Adaptive-Services, Link-level type: Adaptive-Services,
MTU: 9192, Speed: 100000mbps
…
user@host> show interfaces si-3/1/0
Physical interface: si-3/1/0, Enabled, Physical link is Up
Interface index: 182, SNMP ifIndex: 562
Type: Adaptive-Services, Link-level type: Adaptive-Services,
MTU: 9192, Speed: 100000mbps
…
In earlier releases, you must specify a bandwidth to enable inline services by including
the bandwidth statement with the inline-services statement.
Management
•
Enhancements to the Junos Telemetry Interface (MX Series)—The Junos Telemetry
Interface enables you to export telemetry data from supported interface hardware.
Line-card sensor data, such as interface events, are sent directly to configured collection
points without requiring polling.
Starting with Junos OS Release 16.1R3, telemetry sensors for the following system
resources are now also supported:
•
CPU memory
•
BGP peers (gRPC streaming only)
•
Memory utilization for routing protocol tasks (gRPC streaming only)
•
Network processing unit (NPU) memory and memory utilization
•
Optical interfaces
•
Inline flow sampling process (UDP streaming only)
•
Chassis components
•
Aggregated Ethernet interfaces configured with LACP (gRPC streaming only)
•
ARP (gRPC streaming only)
•
Ethernet interfaces configured with LLDP (gRPC streaming only)
•
RSVP interface events (gRPC streaming only)
•
Network Discovery Protocol table state (gRPC streaming only)
•
Routing Engine internal interfaces (gRPC streaming only)
[See Junos Telemetry Interface Feature Guide.]
•
Support for adding nonnative YANG RPCs to the Junos OS schema (MX Series and
T Series)—Starting with Junos OS Release 16.1R3, you can load custom YANG RPCs
on devices running Junos OS. Creating custom RPCs enables you to precisely define
the input parameters and operations and the output fields and formatting for your
specific operational tasks on those devices. The ability to add custom RPCs to a device
is also beneficial when you want to create RPCs that are device-agnostic and
vendor-neutral. You can load YANG modules that add custom RPCs by using the
request system yang add operational command.
•
gRPC support for the Junos Telemetry Interface (MX Series)—Starting with Junos
OS Release 16.1R3, you can use a set of remote procedure call (gRPC) interfaces
to provision sensors and to subscribe to and receive telemetry data. gRPC is based on
an open source framework and provides for interoperability as well as the secure and
reliable transport of data. Use the telemetrySubscribe RPC to specify telemetry
parameters and stream data for a specified list of OpenConfig command paths.
Telemetry data is generated as Google protocol buffers (gpb) messages in a universal
key/value format. If your Juniper Networks device is running a version of Junos OS with
the upgraded FreeBSD kernel, you must download the Network Agent package, which
provides the interfaces to manage gRPC subscriptions. The package is available on
the All Junos Platforms software download URL on the Juniper Networks webpage.
On MX Series routers, supported hardware for gRPC telemetry data streaming is MPC1
through MPC9E. On PTX Series routers, supported hardware is FPC1, FPC2, and FPC3.
[See Junos Telemetry Interface Feature Guide.]
•
Junos SDK is end of life (EOL)—Starting in Junos OS Release 16.1, the Juniper Extension
Toolkit (JET) provides a rich set of APIs to program the Junos control plane. JET allows
users to build applications on top of Junos OS and, hence, replaces the legacy Junos
SDK. With the support of JET APIs in Junos OS Release 16.1R1, Junos SDK is now EOL.
Junos SDK will be supported as long as the equivalent Junos OS Release is supported.
So, a customer running Junos OS Release 14.2 can still download and use Junos SDK
until Junos OS Release 14.2 is end of support (EOS).
[For JET, see Juniper Extension Toolkit (JET). For Junos SDK downloads, see
https://www.juniper.net/support/csc/swdist-junos-sdk/.]
MPLS
•
Enhancements to MPLS RSVP-TE LSP (T Series)—The Junos OS implementation of
MPLS RSVP-TE is scaled to enhance the usability, visibility, configuration, and
troubleshooting of label-switched paths (LSPs) in Junos OS Release 16.1R2 and later
releases.
These enhancements make the RSVP-TE configuration easier by:
•
Ensuring LSP data-plane readiness during LSP resignaling (before traffic traverses
the LSP) by using the RSVP-TE LSP self-ping mechanism.
•
Removing the current hard limit of 64000 LSPs on an ingress router, thereby
enabling scaling to be constrained only by the total number of LSPs that RSVP-TE
signaling can sustain.
•
Preventing abrupt tearing down of LSPs by the ingress router because of delay in
signaling the LSP at the transit routers.
Services Applications
•
IPsec multipath forwarding with UDP encapsulation (MX Series routers with
MS-MPCs and MS-MICs)—Starting in Junos OS Release 16.1R3, you can enable the
UDP encapsulation of the IPsec encapsulated packets between peers, which appends
a UDP header after the ESP header. Doing this provides Layer 3 and 4 information to
the intermediate routers, and the IPsec packets are forwarded over multiple paths,
which increases the throughput.
[See IPsec Multipath Forwarding With UDP Encapsulation.]
Subscriber Management and Services
•
Enhanced DHCP dual-stack support (MX Series)—Starting in Junos OS Release 16.1R3,
subscriber management supports a single-session DHCP dual-stack model that
provides a more efficient configuration and management of dual-stack subscribers.
The single-session dual-stack model addresses session-related inefficiencies that
exist in the traditional dual-stack—for example, the new model requires single sessions
for authentication and accounting, as opposed to multiple sessions that are often
needed in a traditional dual-stack configuration. The single-session dual-stack model
also simplifies router configuration, reduces RADIUS message load, and improves
accounting session performance for subscriber households with dual-stack
environments.
See Single-Session DHCP Dual-Stack Overview.
•
Flat-file accounting (MX Series)—Starting in Junos OS Release 16.1R3, you can collect
accounting statistics from the Packet Forwarding Engine to be reported in an XML flat
file. Flat file accounting is typically used to record accounting statistics on logical
interfaces for Extensible Subscriber Services Manager (ESSM) business subscribers.
You can also use flat-file accounting to collect and archive accounting statistics for
wholesaler and retailer subscriber activity in a Layer 2 wholesale environment by
applying it to a core-facing physical interface. You can configure multiple accounting
profiles with different combinations of fields for specific accounting requirements, and
then assign the profiles as needed to provisioned interfaces to satisfy the accounting
requirements for each interface depending on how it is used.
BEST PRACTICE: We recommend that you use separate flat-file profiles
for Layer 2 wholesale core-facing physical interfaces and ESSM business
subscriber logical interfaces.
You can create an accounting profile template to define the flat-file attributes, such
as the statistics fields to collect, the name and format of the file, the frequency at
which the Packet Forwarding Engine is polled for statistics, and the schema version.
The file typically uses the IP Detail Record (IPDR) format; in this case, a file header
includes information, such as the name of the host where the statistics are collected,
a timestamp, a file identification number, and the name of the schema. The schema
is associated with a specific XML format and output based on the flat-file configuration
and defines the information conveyed in the file. The schema enables an external file
processor to correctly interpret the file contents.
[See Flat File Accounting Overview.]
•
Flat-file accounting options (MX Series)—Starting in Junos OS Release 16.1R3, you
can configure accounting options for flat files, which are typically used to record
accounting statistics on logical interfaces for Extensible Subscriber Services Manager
(ESSM) business subscribers.
Flat file accounting options include the size, number of files saved before overwriting,
how long backed-up files are saved, archive sites, frequency, the location where files
are saved in the event of a Routing Engine switchover, and more. You can configure
the router to save a backup copy of the accounting files to the /var/log/pfedBackup
directory.
The accounting files are transferred at regular intervals; configuring multiple archive
sites increases the likelihood of a successful transfer. If a transfer fails, all remaining
sites are tried in order until the transfer is successful or all sites have failed. If
backup-on-failure is configured, an attempt is made at the next scheduled interval to
transfer any backed-up files from /var/log/pfedBackup.
If you do not configure backup-on-failure, the file is saved on failure into the local
directory that is specified as the last site in the list of archive sites. No further attempts
are made to transfer the file. You must configure an event script or some other means
to transfer files from the local directory to a remote site.
[See Flat File Accounting Overview.]
•
Monitoring only ingress traffic for subscriber idle timeouts (MX Series)—Starting in
Junos OS Release 16.1R3, you can specify that only ingress data traffic is monitored for
subscriber idle timeout processing. If you include the client-idle-timeout-ingress-only
statement in addition to the client-idle-timeout statement at the [edit access-profile
profile-name session-options] hierarchy level, subscribers are logged out or disconnected
when no ingress traffic is received for the duration of the idle timeout period. Egress
traffic is not monitored. If you do not include the client-idle-timeout-ingress-only
statement, both ingress and egress data traffic are monitored during the timeout period
to determine whether subscribers are logged out or disconnected.
This configuration is useful in cases where the LNS sends traffic to the remote peer
even when the peer is not up, such as when the LNS does not have PPP keepalives
enabled and therefore is not aware that the peer is not up. In this situation, because
by default the LAC monitors both ingress and egress traffic, it detects the egress traffic
from the LNS and either does not log out the subscriber or delays detection of inactivity
until the egress traffic ceases. When you specify that only ingress traffic be monitored,
the LAC can detect that the peer is inactive and then initiate logout.
•
Support for maximum session limits on L2TP service interfaces (MX Series)—Starting
in Junos OS Release 16.1R3, you can include the l2tp-maximum-session number
statement at the [edit interfaces service-interface] hierarchy level to specify the
maximum number of sessions that are allowed on an individual service interface (si)
or aggregated service interface (asi). New session requests on an interface are accepted
only when the session count is less than the maximum session limit. If the limit has
been reached, subsequent requests are dropped and the LNS responds with a CDN
message (Result Code 2, Error Code 4). If a pool of interfaces is configured, interfaces
at the maximum limit are ignored in favor of an interface in the pool that has a lower
session count. For an asi interface, the configuration applies to all member interfaces;
you cannot configure the limit for individual member interfaces.
•
Enhanced load balancing on L2TP physical service interfaces (MX Series)—Starting
in Junos OS Release 16.1R3, when a service interface in a service device pool is rebooted,
sessions reconnect and new session requests are distributed based on the number of
sessions on the available interfaces in the pool. The sessions are assigned to the
interface with the fewest sessions. If more than one interface has the minimum number
of sessions, then a random selection determines which interface gets the session.
In earlier releases, session load balancing is a simple round-robin distribution among
the interfaces. Consequently, fewer sessions are assigned to a newly rebooted interface
than to the other interfaces. For example, consider a pool with two si interfaces,
si-0/0/0 and si-1/0/0. Each has 100 sessions. If si-1/0/0 reboots, it drops all 100
sessions. As the sessions reconnect, they alternate between the two interfaces so that
when all sessions have reconnected, si-0/0/0 has 150 sessions and the reconnected
si-1/0/0 interface has only 50 sessions.
Consider the same pool with the new behavior. As sessions reconnect, si-1/0/0 has
fewer sessions (0 to start) than si-0/0/0 (100). Because the interface with the fewest
sessions is selected, all sessions are assigned to si-1/0/0 until it reaches the same
count as si-0/0/0.
For asi interfaces, the interface with the lowest session count is selected from the pool
for new or reconnect session requests. When the active si interface in the asi bundle
goes down, all the active sessions on that primary interface fail over to the secondary
interface.
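The two distribution schemes described above, together with the per-interface l2tp-maximum-session limit from the preceding item, modelled as an added Python example (not Juniper code). The function names, the fixed tie-break seed and the counting of dropped requests are assumptions made for the illustration; the starting session counts are the ones used in the text.

```python
import random


def round_robin(pool, reconnects):
    """Earlier releases: hand sessions to the interfaces in turn, ignoring load."""
    counts = dict(pool)
    names = list(counts)
    for i in range(reconnects):
        counts[names[i % len(names)]] += 1
    return counts


def fewest_sessions(pool, reconnects, maximum=None, seed=0):
    """16.1R3 behavior as the text describes it.

    Each request goes to the interface with the fewest sessions; a tie is
    broken by random selection. With a maximum set, interfaces already at the
    limit are skipped, and a request is dropped when every interface is full
    (the text says the LNS then answers with a CDN message).
    Returns (final counts, number of dropped requests).
    """
    rng = random.Random(seed)  # fixed seed: an assumption, for repeatable runs
    counts = dict(pool)
    dropped = 0
    for _ in range(reconnects):
        eligible = [n for n, c in counts.items() if maximum is None or c < maximum]
        if not eligible:
            dropped += 1
            continue
        low = min(counts[n] for n in eligible)
        counts[rng.choice([n for n in eligible if counts[n] == low])] += 1
    return counts, dropped


# State from the text: si-1/0/0 has just rebooted and lost its 100 sessions.
AFTER_REBOOT = {"si-0/0/0": 100, "si-1/0/0": 0}

if __name__ == "__main__":
    print("round-robin    :", round_robin(AFTER_REBOOT, 100))
    print("fewest sessions:", fewest_sessions(AFTER_REBOOT, 100))
    # Constructed case: 150 requests against a limit of 120 per interface.
    print("with limit 120 :", fewest_sessions(AFTER_REBOOT, 150, maximum=120))
```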
•
DHCPv6 subscriber identification criteria and automatic logout (MX Series)—Starting
in Junos OS Release 16.1R3, the DHCPv6 local server and the DHCPv6 relay agent can
identify a DHCPv6 client by using the incoming-interface option in addition to the client
identifier. The incoming interface allows only one client device to connect on the
interface. If the client device changes—that is, if DHCPv6 receives a solicit message
from a client whose incoming interface matches the existing interface—DHCPv6
automatically logs out the existing client without waiting for the normal lease expiration.
It deletes the existing client binding and creates a binding for the newly connected
device.
See DHCPv6 Match Criteria for Identifying DHCPv6 Subscribers.
•
Changes to show ancp subscriber and clear ancp subscriber commands (MX
Series)—Starting in Junos OS Release 16.1R3, multiple simultaneous filtering options
are no longer allowed for the show ancp neighbor, show ancp subscriber, and clear ancp
subscriber commands. In earlier releases, you can issue commands with both the
identifier and neighbor options or both the ip-address and system-name options on the
same line. Now you can enter only one of these options at a time.
To improve consistency, the neighbor option has been replaced with ip-address for the
show ancp subscriber command, to match the show ancp neighbor, clear ancp neighbor,
and clear ancp subscriber commands. For example, to display information about
subscribers connected to a specific access node identified by its address, use the show
ancp subscriber ip-address ip-address command; in earlier releases, you use the show
ancp subscriber neighbor ip-address command.
The system-name mac-address option is now available for the show ancp subscriber
and clear ancp subscriber commands.
Release 16.1R2 New and Changed Features
High Availability and Resiliency
•
Support for unified ISSU on MX Series routers with MPC3E-3D-NG, MPC3E-3D-NG-Q,
MPC2E-3D-NG, and MPC2E-3D-NG-Q (MX240, MX480, MX960, MX2010, and
MX2020)—Starting with Release 16.1R2, Junos OS supports unified in-service software
upgrade (ISSU) on MX Series routers with MPC3E-3D-NG, MPC3E-3D-NG-Q,
MPC2E-3D-NG, and MPC2E-3D-NG-Q.
Unified ISSU enables you to upgrade between two different Junos OS releases with
no disruption on the control plane and with minimal disruption of traffic.
NOTE: Unified ISSU is not supported on MPC3E-3D-NG, MPC3E-3D-NG-Q,
MPC2E-3D-NG, and MPC2E-3D-NG-Q with the following MICs:
•
MS-MIC-16G
•
MIC-3D-8DS3-E3
•
MIC-3D-1OC192-XFP
IPv6
•
Forced IPv6 DNS server address insertion (MX Series)—Starting in Junos OS Release
16.1R2, MX Series devices can dynamically provision IPv6 DNS Server addresses for
DHCPv6 clients. The IPv6 DNS Server addresses are provided in DHCPv6 Advertise
and Reply messages, even if the Solicit message or Request message from the client
does not request the IPv6 DNS Server address.
Management
•
Support for Junos Telemetry Interface (MX Series)—Junos Telemetry Interface enables
you to export telemetry data from supported interface hardware. Line card sensor data
is sent directly to configured collection points without involving polling. Starting with
Junos OS Release 16.1R2, you can export logical interface statistics and firewall filter
statistics in addition to physical interface statistics. Junos Telemetry Interface is
supported only on MPC1 through MPC9E. All parameters are configured at the [edit
services analytics] hierarchy level.
MPLS
•
Support for LDP signaling over native IPv6 (T Series)—IPv6 connectivity often relies
on tunneling IPv6 over an IPv4 MPLS core with IPv4-signaled MPLS label-switched
paths (LSPs). To enable such tunneling, you need to configure the IPv4-signaled LSPs
statically or have them configured dynamically by provider edge routers. To overcome
these challenges, and to meet the growing demand of IPv6, Junos OS supports LDP
signaling for native IPv6.
Starting in Junos OS Release 16.1R2, LDP is supported in:
•
IPv6 network only
•
IPv6 or IPv4 dual-stack network
[See Configuring LDP Native IPv6 Support and Example: Configuring LDP Native IPv6
Support.]
Operation Administration and Management
•
Support for sender ID TLV—Starting with Junos OS Release 16.1R2, you can configure
Junos OS to send the sender ID TLV along with the packets. The sender ID TLV is an
optional TLV that is sent in continuity check messages (CCMs), loopback messages,
and Link Trace Messages (LTMs), as specified in the IEEE 802.1ag standard. The sender
ID TLV contains the chassis ID, which is the unique, CFM-based MAC address of the
device, and the management IP address, which is an IPv4 or an IPv6 address.
You can enable Junos OS to send the sender ID TLV at the global level by using the set
protocols oam ethernet connectivity-fault-management sendid-tlv and the set protocols
oam ethernet connectivity-fault-management sendid-tlv send-chassis-tlv commands.
If the sender ID TLV is configured at the global level, then the default maintenance
domain, maintenance association, and the maintenance association intermediate
point (MIP) half function inherit this configuration.
You can also configure the sender ID TLV at the following hierarchy levels:
•
Maintenance domain—At the [edit protocols oam ethernet
connectivity-fault-management maintenance-domain maintenance-domain-name
mip-half-function default] hierarchy level. Configuration performed at this level
applies to all the maintenance associations under the maintenance domain.
•
Default maintenance domain and the MIP half function—At the [edit protocols oam
ethernet connectivity-fault-management maintenance-domain
default-maintenance-domain-name mip-half-function default] hierarchy level.
•
Maintenance association—At the [edit protocols oam ethernet
connectivity-fault-management maintenance-domain maintenance-domain-name
maintenance-association maintenance-association-name continuity-check] hierarchy
level.
The sender ID TLV, if configured at the hierarchy levels mentioned above, takes
precedence over the global-level configuration.
NOTE: Sender ID TLV is supported only for 802.1ag PDUs and is not
supported for performance monitoring protocol data units (PDUs).
Platform and Infrastructure
•
Virtual MX Series router (vMX)—Starting in Junos OS Release 16.1, you can deploy
vMX routers on x86 servers. FreeBSD 10 is the underlying OS for Junos OS for vMX.
vMX supports most of the features available on MX Series routers and allows you to
leverage Junos OS to provide a quick and flexible deployment. vMX provides the
following benefits:
•
Optimizes carrier-grade routing for the x86 environment
•
Simplifies operations by consistency with MX Series routers
•
Introduces new services without reconfiguration of current infrastructure
Routing Protocols
•
Selective advertising of BGP multiple paths—Beginning with Junos OS Release 16.1R2,
you can restrict BGP add-path to advertise contributor multiple paths only. Advertising
all available multiple paths might result in a large overhead of processing on device
memory and is a scaling consideration, too. You can limit and configure up to six prefixes
that the BGP multipath algorithm selects. Selective advertising of multiple paths
facilitates Internet service providers and data centers that use route reflectors to build
in-path diversity in IBGP.
•
Support for IS-IS Flooding Groups (PTX Series)—Starting with Junos OS Release
15.1F5 and 16.1R2, you can configure flooding groups with IS-IS. This feature limits
link-state PDU (LSP) flooding over IS-IS interfaces.
A non-self-originated LSP is flooded only through the interface belonging to the
flood group that has the configured area ID in the LSP. This helps to minimize the routes
and topology information, thus ensuring optimal convergence. You can segregate both
level 1 and level 2 networks into flood groups by using area IDs as tags to identify a
flood group. Configure interfaces with specific area IDs to modify the flooding behavior
as per your requirements.
To enable an IS-IS flooding group, include the flood-group flood-group-area-ID statement
at the [edit protocols isis interface] hierarchy level.
•
BGP advertises multiple add-paths based on community value—Beginning with Junos
OS 16.1R2, you can define a policy to identify eligible multiple path prefixes based on
community values. BGP advertises these community-tagged routes in addition to the
active path to a given destination. If the community value of a route does not match
the community value defined in the policy, then BGP does not advertise that route.
This feature allows BGP to limit the number of multiple paths that are processed and
not advertise more than 20 paths to a given destination. You can limit and configure
the number of prefixes that BGP considers for multiple paths without actually knowing
the prefixes in advance. Instead, a known BGP community value determines whether
or not a prefix is advertised.
Security
•
Global configuration for flow detection and tracking (MX Series)—Starting in Junos
OS Release 16.1R2, you can configure the mode of operation for flow detection and
tracking globally for all protocol groups and packet types. In earlier releases, although
you enable flow detection and tracking globally, you can configure the behavior only
at the individual flow aggregation levels: physical interface, logical interface, or
subscriber; you cannot configure the behavior globally. The new global configuration
applies to all packet types in the traffic flow unless it is overridden by the configuration
for a protocol group or packet type at the flow aggregation levels.
To configure the global behavior for flow detection, include the flow-detection-mode
statement at the [edit system ddos-protection global] hierarchy level and specify one
of the following modes:
•
automatic—Detect flows only when the policer is being violated. This is the default
mode.
•
on—Monitor and detect all flows even when no policer is being violated.
•
off—Disable flow detection.
To configure the global behavior for how traffic in the detected flow is controlled,
include the flow-level-control statement at the [edit system ddos-protection global]
hierarchy level and specify one of the following control behaviors:
•
drop—Drop all traffic in the flow. This is the default behavior.
•
keep—Keep all traffic in the flow.
•
police—Police the traffic in the flow to within its allowed bandwidth.
Use the show ddos-protection statistics command to display the current global
configuration.
Services Applications
•
Network attack protection for MS-MPCs (MX Series)—Starting in Junos OS Release
16.1R2, the MS-MPC can detect and prevent network probing attacks, network flooding
attacks, suspicious packet pattern attacks, and header anomaly attacks. The
configuration of IDS rules for MS-MPCs differs from the configuration of IDS rules for
MS-DPCs.
Network probing attacks and network flooding attacks—Use the following hierarchy to
configure an intrusion detection service (IDS) rule and assign the IDS rule to a service
set to protect against network probing attacks and network flooding attacks. The IDS
rule has no from statement, and we recommend that you also configure a stateful
firewall rule to limit the packets that the IDS rule processes. Only the first IDS input
rule and the first IDS output rule for a service set are used, and only the first term of an
IDS rule is used. If you configure an IDS rule to protect against suspicious packet pattern
attacks (see Suspicious packet pattern attacks) in addition to network attacks, all
configuration must be in the first term of the same rule.
[edit services ids]
rule rule-name {
    match-direction (input | input-output | output);
    term term-name {
        then {
            aggregation {
                destination-prefix prefix-value;
                destination-prefix-ipv6 prefix-value;
                source-prefix prefix-value;
                source-prefix-ipv6 prefix-value;
            }
            session-limit {
                by-destination {
                    maximum number;
                    packets number;
                    rate number;
                    by-protocol {
                        tcp {
                            maximum number;
                            packets number;
                            rate number;
                        }
                        udp {
                            maximum number;
                            packets number;
                            rate number;
                        }
                        icmp {
                            maximum number;
                            packets number;
                            rate number;
                        }
                    }
                }
                by-source {
                    maximum number;
                    packets number;
                    rate number;
                    by-protocol {
                        tcp {
                            maximum number;
                            packets number;
                            rate number;
                        }
                        udp {
                            maximum number;
                            packets number;
                            rate number;
                        }
                        icmp {
                            maximum number;
                            packets number;
                            rate number;
                        }
                    }
                }
            }
        }
    }
}
[edit services]
service-set service-set-name {
    ids-rules rule-name;
}
You can configure the following IDS rule options for protecting against network probing
attacks and network flooding attacks:
•
match-direction (input | input-output | output)—Specify whether the IDS rule is applied
to input traffic, output traffic, or both.
•
aggregation—Specify a prefix length for source or destination packets for IPv4 or
IPv6. This applies session limits to an aggregation of all attacks from within a subnet
of the specified length. For example, if you configure a value of 24 for source-prefix,
then attacks from 10.1.1.2 and 10.1.1.3 are counted as attacks from the 10.1.1/24 subnet.
However, if a single host on a subnet generates a large number of network probing
or flooding attacks, the flows for the entire subnet might be stopped. For IPv4, use
a value from 1 through 32; for IPv6, use a value from 1 through 128.
•
maximum number—Specify the maximum number of concurrent sessions allowed
for a destination or source address or subnet. You can configure this value for specific
protocols for the destination or source or for the destination or source independent
of a protocol.
•
packets number—Specify the maximum packets per second allowed for a destination
or source address or subnet. You can configure this value for specific protocols for
the destination or source or for the destination or source independent of a protocol.
For TCP sessions, we recommend that you do not configure packets, or configure a
very high value.
•
rate number—Specify the maximum number of connections per second allowed for
a specific destination or source address or subnet. You can configure this value for
specific protocols for the destination or source or for the destination or source
independent of a protocol.
Configure the maximum number, packets number, or rate number at the following
hierarchies:
•
Configure the value for the destination, independent of the protocol, at the [edit
services ids rule rule-name term term-name then session-limit by-destination] hierarchy
level. This value overrides the value for a specific protocol.
•
Configure the value for the destination and for a specific protocol at the [edit services
ids rule rule-name term term-name then session-limit by-destination by-protocol (tcp
| udp | icmp)] hierarchy level.
•
Configure the value for the source, independent of the protocol, at the [edit services
ids rule rule-name term term-name then session-limit by-source] hierarchy level. This
value overrides the value for a specific protocol.
•
Configure the value for the source and for a specific protocol at the [edit services ids
rule rule-name term term-name then session-limit by-source by-protocol (tcp | udp |
icmp)] hierarchy level.
If the service set is associated with an AMS interface, the limits you configure are
applicable to each member interface.
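The aggregation caveat described above, shown as a small Python model. This is an added example, not Junos code or Juniper's implementation: it counts concurrent sessions per source aggregate as the source-prefix and by-source maximum descriptions read. The class and function names are hypothetical, the addresses and limits are constructed, and treating an unconfigured prefix as a per-address limit is an assumption.

```python
import ipaddress
from collections import defaultdict


class SourceSessionLimiter:
    """Models 'session-limit by-source maximum' with source-prefix aggregation.

    Hypothetical helper for illustration; the names are not Junos identifiers.
    Assumption: with no prefix configured, the limit applies per address
    (modelled here as /32 for IPv4 and /128 for IPv6).
    """

    def __init__(self, maximum, source_prefix=32, source_prefix_ipv6=128):
        if not 1 <= source_prefix <= 32:
            raise ValueError("IPv4 prefix length must be 1 through 32")
        if not 1 <= source_prefix_ipv6 <= 128:
            raise ValueError("IPv6 prefix length must be 1 through 128")
        self.maximum = maximum
        self.prefix = {4: source_prefix, 6: source_prefix_ipv6}
        self.active = defaultdict(int)  # aggregate subnet -> concurrent sessions

    def bucket(self, src):
        """Return the subnet that sessions from src are counted under."""
        addr = ipaddress.ip_address(src)
        return ipaddress.ip_network(f"{addr}/{self.prefix[addr.version]}", strict=False)

    def open_session(self, src):
        """Admit a new session unless the aggregate is already at maximum."""
        key = self.bucket(src)
        if self.active[key] >= self.maximum:
            return False
        self.active[key] += 1
        return True

    def close_session(self, src):
        """Release one session slot for the aggregate that src belongs to."""
        key = self.bucket(src)
        if self.active[key] > 0:
            self.active[key] -= 1


def replay(limiter, sources):
    """Open one session per entry; return admitted/denied counts per source."""
    result = {}
    for src in sources:
        counts = result.setdefault(src, {"admitted": 0, "denied": 0})
        counts["admitted" if limiter.open_session(src) else "denied"] += 1
    return result


# Constructed sample: one noisy host, one quiet neighbour in the same /24,
# and one host in a different /24.
EVENTS = ["10.1.1.2"] * 5 + ["10.1.1.3", "10.1.2.9"]

if __name__ == "__main__":
    for plen in (24, 32):
        limiter = SourceSessionLimiter(maximum=4, source_prefix=plen)
        print(f"source-prefix {plen}:", replay(limiter, EVENTS))
```

With source-prefix 24 the quiet neighbour 10.1.1.3 is denied because 10.1.1.2 has already used the budget of the shared aggregate; with a per-address limit it is admitted.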
Suspicious packet pattern attacks—Use the following hierarchy to configure an IDS rule
to protect against suspicious packet pattern attacks. The IDS rule has no from
statement, and we recommend that you also configure a stateful firewall rule to limit
the packets that the IDS rule processes. Only the first IDS input rule and the first IDS
output rule for a service set are used, and only the first term of an IDS rule is used. If
you configure an IDS rule to protect against network probing attacks and network
flooding attacks (see Network probing attacks and network flooding attacks) in addition
to suspicious pattern attacks, all configuration must be in the first term of the same
rule.
[edit services ids]
rule rule-name {
    match-direction (input | input-output | output);
    term term-name {
        then {
            allow-ip-options {
                any;
                loose-source-route;
                route-record;
                route-alert;
                security;
                stream-id;
                strict-source-route;
                timestamp;
            }
            allow-ipv6-extension-header {
                any;
                ah;
                dstopts;
                esp;
                fragment;
                hop-by-hop;
                mobility;
                routing;
            }
            tcp-syn-defense;
            tcp-syn-fragment-check;
            tcp-winnuke-check;
            icmp-fragment-check;
            icmp-large-packet-check;
            land-attack-check {
                ip-only;
                ip-port;
            }
        }
    }
}
You can configure the following IDS rule options for protecting against suspicious
packet pattern attacks:
•
match-direction (input | input-output | output)—Specify whether the IDS rule is applied
to input traffic, output traffic, or both.
•
allow-ip-options—Specify the type of IPv4 options that the packet can include. If the
packet includes an option that is not configured, the packet is blocked. If the packet
includes a configured option whose length is an illegal value, the packet is dropped.
Specifying any allows all options.
•
allow-ipv6-extension-header—Specify the type of IPv6 extension headers that the
packet can include. If the packet includes an extension header that is not configured,
the packet is blocked. If the packet includes a configured extension header whose
length is an illegal value, the packet is dropped. Specifying any allows all extension
headers.
•
tcp-syn-defense—Use to close unestablished TCP connections when the open-timeout
value at the [edit interfaces interface-name service-options] hierarchy level expires.
•
tcp-syn-fragment-check—Use to identify and drop TCP SYN packets that are IP
fragments.
•
tcp-winnuke-check—Use to identify and drop TCP segments that are destined for
port 139 and have the urgent (URG) flag set.
•
icmp-fragment-check—Use to identify and drop ICMP packets that are IP fragments.
•
icmp-large-packet-check—Use to identify and drop ICMP packets that are larger than
1024.
•
land-attack-check—Use to identify and drop SYN packets that have the same source
and destination address or port.
Header anomaly attacks—To protect against header anomaly attacks, use either of the
following methods:
•
Configure a stateful firewall rule, a NAT rule, or an IDS rule and apply it to the service
set. A header integrity check is automatically enabled.
•
If you do not apply a stateful firewall rule, NAT rule, or IDS rule to a service set, use
the following hierarchy to configure a header integrity check:
[edit services]
service-set service-set-name {
    service-set-options {
        header-integrity-check {
            enable-all;
        }
    }
}
Header integrity checks now include:
•
ICMP ping of death
•
IP unknown protocol
•
TCP no flag
•
TCP SYN FIN
•
TCP FIN no ACK
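How the suspicious packet pattern options and the TCP flag entries of the header integrity list classify traffic, as an added Python example (not Juniper code, and not how the MS-MPC implements the checks). Packet, IdsTerm and the function names are hypothetical, the sample packets are constructed, and the ip-only/ip-port semantics and the byte unit for 1024 are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

ICMP, TCP = 1, 6                               # IP protocol numbers
FIN, SYN, ACK, URG = 0x01, 0x02, 0x10, 0x20    # TCP flag bits


@dataclass
class Packet:
    """Header fields the checks look at (constructed model, not a parser)."""
    src: str
    dst: str
    proto: int
    length: int = 40          # total length; the page gives no unit, bytes assumed
    fragment: bool = False    # True when the packet is an IP fragment
    sport: int = 0
    dport: int = 0
    flags: int = 0            # TCP flags
    ip_options: tuple = ()    # names of the IPv4 options present


@dataclass
class IdsTerm:
    """Mirror of the statements under 'then' in the hierarchy on this page."""
    allow_ip_options: frozenset = frozenset()
    tcp_syn_fragment_check: bool = False
    tcp_winnuke_check: bool = False
    icmp_fragment_check: bool = False
    icmp_large_packet_check: bool = False
    land_attack_check: Optional[str] = None    # "ip-only" or "ip-port"


def pattern_violations(term, pkt):
    """Names of the configured suspicious-pattern checks that pkt fails."""
    hits = []
    allowed = term.allow_ip_options
    # An option that is not configured blocks the packet; 'any' allows all.
    if "any" not in allowed and any(o not in allowed for o in pkt.ip_options):
        hits.append("allow-ip-options")
    if pkt.proto == TCP:
        syn = bool(pkt.flags & SYN)
        if term.tcp_syn_fragment_check and syn and pkt.fragment:
            hits.append("tcp-syn-fragment-check")
        if term.tcp_winnuke_check and pkt.dport == 139 and pkt.flags & URG:
            hits.append("tcp-winnuke-check")
        if syn and pkt.src == pkt.dst:
            # Assumption: ip-only compares addresses, ip-port also compares ports.
            if term.land_attack_check == "ip-only" or (
                term.land_attack_check == "ip-port" and pkt.sport == pkt.dport
            ):
                hits.append("land-attack-check")
    elif pkt.proto == ICMP:
        if term.icmp_fragment_check and pkt.fragment:
            hits.append("icmp-fragment-check")
        if term.icmp_large_packet_check and pkt.length > 1024:
            hits.append("icmp-large-packet-check")
    return hits


def header_integrity_violations(pkt):
    """TCP flag entries of the header integrity list.

    ICMP ping of death and IP unknown protocol are not modelled here.
    """
    hits = []
    if pkt.proto != TCP:
        return hits
    if pkt.flags == 0:
        hits.append("TCP no flag")
    if pkt.flags & SYN and pkt.flags & FIN:
        hits.append("TCP SYN FIN")
    if pkt.flags & FIN and not pkt.flags & ACK:
        hits.append("TCP FIN no ACK")
    return hits


TERM = IdsTerm(
    allow_ip_options=frozenset({"timestamp"}),
    tcp_syn_fragment_check=True, tcp_winnuke_check=True,
    icmp_fragment_check=True, icmp_large_packet_check=True,
    land_attack_check="ip-port",
)

C, S = "198.51.100.7", "192.0.2.10"    # constructed client and server addresses
SAMPLES = {                            # constructed packets, one per check
    "web-syn": Packet(C, S, TCP, sport=40000, dport=443, flags=SYN),
    "winnuke": Packet(C, S, TCP, sport=40001, dport=139, flags=ACK | URG),
    "land": Packet(S, S, TCP, sport=80, dport=80, flags=SYN),
    "syn-frag": Packet(C, S, TCP, fragment=True, sport=40002, dport=80, flags=SYN),
    "big-ping": Packet(C, S, ICMP, length=1500),
    "rr-option": Packet(C, S, TCP, sport=40003, dport=22, flags=ACK,
                        ip_options=("route-record",)),
    "syn-fin": Packet(C, S, TCP, sport=40004, dport=80, flags=SYN | FIN),
}


def classify(term, samples):
    """Map each sample name to every check it fails."""
    return {n: pattern_violations(term, p) + header_integrity_violations(p)
            for n, p in samples.items()}
```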
If you want to skip IDS rule processing for some traffic, configure a stateful-firewall
rule that matches the traffic, and configure skip-ids at the [edit services stateful-firewall
rule rule-name term term-name then accept] hierarchy level.
If the service set is associated with an AMS interface, and a NAT rule and an IDS rule
are assigned to the service set, we recommend that you configure source-ip at the [edit
interfaces interface-name load-balancing-options hash-keys ingress-key] hierarchy level.
You can enable logging of IDS events at the [edit services service-set service-set-name
syslog host hostname] hierarchy level. To log header-integrity and suspicious packet
pattern packet drops, configure packet-logs. To log limit-based packet drops, configure
ids-logs.
The show services service-set statistics ids drops <interface interface-name> <service-set
service-set-name> <terse> command displays counters for IDS violations on service
sets. The interface interface-name option lists the counters for the service sets hosted
on the specified service interface. The service-set service-set-name option lists counters
for the specified service set. The terse option displays only the nonzero values.
•
Service redundancy daemon support for redundancy across multiple gateways (MX
Series with MPC)—Starting in Junos OS Release 16.1R2, you can configure redundancy
across multiple service gateways. The redundancy actions are based on the results of
monitoring system events, including:
•
Interface and link down events
•
FPC and PIC reboots
•
Routing protocol daemon (rpd) aborts and restarts
•
Peer gateway events, including requests to acquire or release mastership, or to
broadcast warnings
[See Service Redundancy Daemon Overview.]
•
Traffic Load Balancer (MX Series with MS-MPCs or MS-MICs)—Starting in Junos OS
Release 16.1R2, traffic load balancing is supported on MS-MPCs and on MS-MICs. The
Traffic Load Balancer (TLB) application distributes traffic among multiple servers in
a server group, and performs health checks to determine whether any servers should
not receive traffic. TLB supports multiple VRFs.
[See Traffic Load Balancer Overview.]
•
Support for IKE and IPsec on NAPT-44 and NAT64 (MX Series with MS-MPCs and
MS-MICs)—Starting in Junos OS Release 16.1R2, you can enable the passing of IKE
and IPsec packets through NAPT-44 and NAT64 filters between IPsec peers that are
not NAT-T compliant by using the IKE-ESP-TUNNEL-MODE-NAT-ALG application-level
gateway (ALG) on MS-MPCs and MS-MICs.
Use the following hierarchy to enable IKE-ESP-TUNNEL-MODE-NAT-ALG:
[edit applications]
application ike-esp-application-name {
    application-protocol ike-esp-nat;
    protocol udp;
    destination-port 500;
    inactivity-timeout 3600;
}
application-set ike-esp-application-set-name {
    application ike-esp-application-name;
}
[edit services nat]
pool ike-isp-nat-pool-name {
    address ip-prefix;
    port automatic;
}
rule rule-name {
    match-direction input;
    term 0 {
        from {
            source-address address;
            application-sets ike-esp-application-set-name;
        }
        then {
            translated {
                source-pool ike-isp-nat-pool-name;
                translation-type napt-44;
            }
        }
    }
}
•
Class-of-service (CoS) marking and reclassification for MS-MICs and
MS-MPCs—Starting with Junos OS Release 16.1R2, MS-MICs and MS-MPCs support
CoS configuration, which enables you to configure Differentiated Services code point
(DSCP) marking and forwarding-class assignment for packets transiting the MS-MIC
or MS-MPC. You can configure the CoS service alongside the stateful firewall and NAT
services, using a similar rule structure.
[See Configuring CoS Rules.]
•
New options to stop creating sessions for TCP non-SYN packets (MX Series with
MS-MPC or MS-DPC)—On routers with MS-MPC and MS-DPC and with stateful firewall
configured, a session is created when a packet hits the service set and matches the
stateful firewall rule even if the packet is a non-SYN packet. However, in certain
scenarios, a session must not be created if the first packet is a non-SYN packet even
if it matches the stateful firewall rule.
To ensure that a session is not created, include either the tcp-non-syn drop-flow or the
tcp-non-syn drop-flow-send-rst statement at the [edit services service-set
service-set-name service-set-options] hierarchy level. If either of the two options is
configured, and if the first packet is a TCP non-SYN packet, the packet is dropped and
a drop flow is created. If the tcp-non-syn drop-flow-send-rst statement is configured,
in addition to the creation of a drop flow, the originator of the non-SYN packet receives
a reset frame.
•
CLI command parity for carrier-grade NAT and stateful firewall (MX Series with
MS-MPC)—Starting in Junos OS Release 16.1R2, new operational commands and
configuration options provide information previously available only when using the
MS-DPC as the services PIC.
•
To display information equivalent to that provided by show services stateful-firewall
flow-analysis for the MS-DPC, use show services sessions analysis for the MS-MPC.
•
To display information equivalent to that provided by show services stateful-firewall
subscriber-analysis for the MS-DPC, use show services subscriber analysis for the
MS-MPC.
•
To drop sessions after a certain session setup rate is reached, include the new CLI
option max-session-creation-rate at the [edit services service-set service-set-name]
hierarchy level.
•
Enhancements to stateful synchronization (MS-MIC, MS-MPC)—Starting in Junos
OS Release 16.1R2, stateful synchronization for long-running flows is available for
MS-MPC services PICs. These enhancements include:
•
Automatic replication of NAT flows for all service sets: NAT44 flows are automatically
synchronized for all eligible service sets. You can selectively disable replication for
individual service sets by including the disable-replication-capability statement at
the [edit services service-set service-set-name replicate-services] hierarchy level.
•
Checkpointing of IPv4 and IPv6 stateful firewall flows and NAPT-44 with address
pooling paired (APP). To configure the timeout for checkpointing, include the
replication-threshold seconds statement at the [edit interfaces interface-name
redundancy-options] hierarchy level.
[See Configuring Inter-Chassis Stateful Synchronization for Long Lived Flows (MS-MPC,
MS-MIC).]
Subscriber Management and Services
NOTE: Although present in the code, the subscriber management features
are not supported in Junos OS Release 16.1R2. Documentation for subscriber
management features is included in the Junos OS Release 16.1 documentation
set.
•
Support for username stripping per routing instance (MX Series)—Starting in Junos
OS Release 16.1R2, you can configure a subscriber access profile so that a portion of
each subscriber login string is discarded and the remaining characters are used as a
modified username by an external AAA server for session authentication and accounting.
The modified username appears in RADIUS Access-Request, Acct-Start, and Acct-Stop
messages; RADIUS-initiated disconnect requests; and change of authorization (CoA)
requests. This username stripping configuration replaces a domain map configuration,
but can be overridden by a AAA server.
Use the following statements at the [edit access profile profile-name session-options
strip-user-name] hierarchy level to configure username stripping:
•
delimiter delimiter—Specify up to eight characters that the router uses to determine
the boundary between the new modified username and the part of the original
username that is discarded. There is no default delimiter.
•
parse-direction (left-to-right | right-to-left)—Specify the direction in which the login
string is examined until one of the configured delimiters is identified; left-to-right is
the default. The delimiter and all characters to the right of the delimiter are discarded.
For example, consider a login string of [email protected]$84 with the delimiters
configured to be /@$%#. If the parse direction is left-to-right, the @ delimiter is reached
first and the modified username is drgt21. If the parse direction is right-to-left, then the
$ delimiter is reached first and the modified username is [email protected]
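The delimiter and parse-direction rules above, as an added Python example (not Juniper code). The login string in the page's own example is obscured in this copy, so the strings below are constructed; the function names are hypothetical, and passing a login with no delimiter through unchanged is an assumption. The second function is an added audit that lists distinct logins that strip to the same modified username and would therefore look identical to the AAA server.

```python
def strip_username(login, delimiters, parse_direction="left-to-right"):
    """Return the modified username that is sent to the external AAA server.

    Assumption (not stated on the page): a login string that contains none of
    the configured delimiters is passed through unchanged.
    """
    if not 1 <= len(delimiters) <= 8:
        raise ValueError("configure one to eight delimiter characters")
    if parse_direction not in ("left-to-right", "right-to-left"):
        raise ValueError("parse-direction must be left-to-right or right-to-left")
    hits = [i for i, ch in enumerate(login) if ch in delimiters]
    if not hits:
        return login
    # The first delimiter met in the scan direction marks the cut; the
    # delimiter and every character to its right are discarded.
    cut = hits[0] if parse_direction == "left-to-right" else hits[-1]
    return login[:cut]


def colliding_logins(logins, delimiters, parse_direction="left-to-right"):
    """Group distinct login strings that strip to the same modified username."""
    groups = {}
    for login in logins:
        name = strip_username(login, delimiters, parse_direction)
        groups.setdefault(name, []).append(login)
    return {name: members for name, members in groups.items() if len(members) > 1}


# Constructed login strings; the delimiter set is the one used on the page.
DELIMS = "/@$%#"
LOGIN = "drgt21@example.com$84"
SUBSCRIBERS = [
    "drgt21@isp-a.example$84",
    "drgt21@isp-b.example$17",
    "kmo77@isp-a.example$02",
]

if __name__ == "__main__":
    for direction in ("left-to-right", "right-to-left"):
        print(direction, strip_username(LOGIN, DELIMS, direction),
              colliding_logins(SUBSCRIBERS, DELIMS, direction))
```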
BEST PRACTICE: We recommend that you do not configure username
stripping either when multiple user authentications are needed or when a
global domain map is configured for the same subscribers covered by the
AAA options configuration.
The show network-access aaa subscribers session-id id-number detail command displays
the modified username in the Session Authentication Username field. The clear
network-access aaa subscriber username username command requires you to specify
the original, unstripped username (login string). The output of the show subscribers
command displays the unstripped username, and when you issue the show subscribers
user-name username command, you must specify the unstripped username.
•
AAA option sets to authorize and configure subscribers per routing instance to
support username stripping (MX Series)—Starting in Junos OS Release 16.1R2, you
can include one or more of the following statements at the new [edit access aaa-options
aaa-options-name] hierarchy level to define a set of AAA options for a subscriber or set
of subscribers that username stripping is applied to:
•
access-profile profile-name—Specify the name of the access profile that includes
the username stripping configuration.
•
aaa-context aaa-context-name—Specify the logical-system:routing-instance that
the subscriber session uses for AAA (RADIUS) interactions like authenticating and
accounting.
•
subscriber-context subscriber-context-name—Specify the
logical-system:routing-instance in which the subscriber interface is placed.
NOTE: Only the default (master) logical system is supported.
Use the aaa-options aaa-options-name statement at the [edit dynamic-profiles
profile-name interfaces pp0 unit $junos-interface-unit ppp-options] hierarchy level to
apply the attributes to PPP subscribers tunneled from the LAC to the LNS inline service
interface.
Alternatively, use the aaa-options aaa-options-name statement at the [edit access
group-profile profile-name ppp-options] hierarchy level to apply the attributes to PPP
subscribers tunneled from LACs that are members of the user group.
Usernames are examined and modified according to the subscriber and AAA contexts
specified in the option set. In the event of a conflict between option sets configured in
both a group profile and a dynamic profile, the dynamic profile takes precedence.
Release 16.1R1 New and Changed Features
Hardware
•
New Routing Engine RE-S-X6-64G (MX240, MX480, and MX960)—Starting in Junos
OS Release 16.1, the Routing Engine RE-S-X6-64G is supported on MX240, MX480,
and MX960 routers. This Routing Engine has an increased computing capability and
scalability to support the rapid rise in the data plane capacity. The Routing Engine is
based on a modular, virtualized architecture and leverages the hardware-assisted
virtualization capabilities.
The Routing Engine has a 64-bit CPU and supports a 64-bit kernel and 64-bit
applications. With its multicore capabilities, the Routing Engine supports symmetric
multiprocessing in the Junos OS kernel and hosted applications.
NOTE: The Routing Engine RE-S-X6-64G is supported only on SCBE2, and
it is not compatible with the SCB or the SCBE.
•
New MPC variants that support higher scale and bandwidth (MX Series)—Starting
with Junos OS Release 16.1, MPC7E (Multi-Rate), MPC7E 10G, MPC8E, and MPC9E are
supported on MX Series routers. Table 3 lists the platforms that support
these MPCs.
Table 3: Supported Platforms

| MPC | Supported Platforms |
|---|---|
| MPC7E (Multi-Rate) | MX240, MX480, MX960, MX2010, and MX2020 |
| MPC7E 10G | MX240, MX480, MX960, MX2010, and MX2020 |
| MPC8E | MX2010 and MX2020 |
| MPC9E | MX2010 and MX2020 |

See MIC/MPC Compatibility for supported MICs on these MPCs.
NOTE: MPC7E (Multi-Rate) MPC is also supported in Junos OS Release
15.1F4. MPC7E 10G, MPC8E, and MPC9E MPCs are also supported in Junos
OS Release 15.1F5. To use these MPCs in these releases, you must install
Junos Continuity software. See Junos Continuity Software for more details.
Authentication, Authorization, and Accounting
•
Logging out idle root users from C shell or CLI console session (MX Series)—Starting
with Junos OS Release 16.1, idle users (including root users) are logged out of their C
shell or CLI console session after the expiry of the configured maximum idle timeout
period.
Class of Service (CoS)
•
Support for suppressing the default classifier (MX Series)—Beginning with Junos OS
Release 16.1R1, you can disable the application of the default classifier on an interface
or a routing instance to preserve the incoming classifier. This is done by applying the
no-default option at the [edit class-of-service routing-instances routing-instance-name
classifiers] hierarchy level. This is useful, for example, in a bridge domain, where the
default classifier for the interface overrides the configured classifier for the domain.
[See Applying Behavior Aggregate Classifiers to Logical Interfaces.]
•
Support for queuing features on built-in ports to provide customized traffic shaping
services (MX80, MX104)—Starting with Junos OS Release 16.1, support for hierarchical
class-of-service (HCoS) features such as per-unit scheduling and hierarchical
scheduling is extended to the built-in (fixed) ports on MX80 and MX104 routers. The
MX104 has four built-in ports: xe-2/0/0, xe-2/0/1, xe-2/0/2, and xe-2/0/3. The MX80
also has four built-in ports: xe-0/0/0, xe-0/0/1, xe-0/0/2, and xe-0/0/3. You can
enable scheduling and shaping on a logical interface and provide customized traffic
shaping services for the logical interface, and this configuration is independent of any
configuration on other logical interfaces on a given physical interface. You can configure
per-unit scheduling by including the per-unit-scheduler statement at the [edit interfaces
interface-name] hierarchy level. To configure hierarchical scheduling, include the
hierarchical-scheduler statement at the [edit interfaces interface-name] hierarchy level.
•
Timestamping of class-of-service (CoS) queues for a configured Flexible PIC
Concentrator (MX Series)—Starting in Junos OS Release 16.1, you can configure the
Packet Forwarding Engine to collect the timestamp for all inbound and outbound
queue counters for all subscribers that are configured on the Flexible PIC Concentrator
(FPC) and, when requested, also return statistics corresponding to data traffic on the
router.
To configure the timestamp for an FPC, include the packet-timestamp enable statement
at the [edit chassis fpc slot-number traffic-manager] hierarchy level.
[See Enabling a Timestamp for Ingress and Egress Queue Packets.]
•
Support for packet-marking schemes on a per-customer basis (MX
Series)—Traditionally, packet marking in the Junos OS uses the forwarding class and
loss priority determined from a BA classifier or multifield classifier. This approach does
not allow rewrite rules to be directly assigned for each customer because of the limited
number of combinations of forwarding class and loss priority.
Beginning with Junos OS Release 16.1R1, a new packet-marking scheme, called policy
map, enables you to define rewrite rules on a per-customer basis. Policy maps are
defined at the [edit class-of-service policy-map] hierarchy level and can be assigned
to a customer through a firewall action, an ingress interface, or a routing policy.
[See Assigning Rewrite Rules on a Per-Customer Basis Using Policy Maps Overview.]
•
Enhanced ingress queuing support for built-in ports (MX80, MX104)—Starting with
Junos OS Release 16.1, support for ingress queuing is extended to the built-in (fixed)
ports on MX80 and MX104 routers. The MX104 has the following four built-in ports:
xe-2/0/0, xe-2/0/1, xe-2/0/2, and xe-2/0/3. The MX80 also has four built-in ports:
xe-0/0/0, xe-0/0/1, xe-0/0/2, and xe-0/0/3. In this release, for the MX80 and MX104,
the maximum number of ports that can support ingress queuing is increased from 10
to 12. You can distribute the 12 ingress queuing ports among MIC ports and built-in
ports. Therefore, you can select a combination of ports (including MIC ports and built-in
ports) for ingress queuing. To enable ingress queuing, specify ingress-and-egress as
the value of the mode statement at the [edit chassis fpc fpc-slot-number pic
pic-slot-number traffic-manager] hierarchy level.
NOTE: The systemwide hierarchical queuing bandwidth remains the same
and is shared by built-in ports and MIC ports. Enabling ingress queuing on
built-in ports results in a Packet Forwarding Engine restart, and requires a
two-step commit operation.
In releases before Junos OS Release 16.1, ingress queuing is supported only on MIC
ports and not on built-in ports, and the maximum number of ports that support ingress
queuing is 10.
•
Hierarchical CoS support for GRE tunnel interface output queues (MX Series routers
with MPC5E)—Starting with Junos OS Release 16.1R1, you can manage output queuing
of traffic entering GRE tunnel interfaces hosted on MPC5E line cards in MX Series
routers. Support for the output-traffic-control-profile configuration statement, which
applies an output traffic scheduling and shaping profile to the interface, is extended
to GRE tunnel physical and logical interfaces. Support for the
output-traffic-control-profile-remaining configuration statement, which applies an
output traffic scheduling and shaping profile for remaining traffic to the interface, is
extended to GRE tunnel physical interfaces.
NOTE: Interface sets (sets of interfaces used to configure hierarchical CoS
schedulers on supported Ethernet interfaces) are not supported on GRE
tunnel interfaces.
[See Configuring Traffic Control Profiles for Shared Scheduling and Shaping.]
EVPNs
•
Active-active multihoming support for EVPNs (MX Series with MPCs and MICs
only)—Starting with Junos OS Release 15.1F6 and 16.1R1, the Ethernet VPN (EVPN)
solution on MX Series routers with MPC and MIC interfaces is extended to provide
multihoming functionality in the active-active redundancy mode of operation. This
feature enables load balancing of Layer 2 unicast traffic across all the multihomed
links on and toward a customer edge device.
The EVPN active-active multihoming feature provides link-level and node-level
redundancy along with effective utilization of resources.
To enable EVPN active-active multihoming, include the all-active statement at the
[edit interfaces esi] hierarchy level.
[See EVPN Multihoming Overview, and Example: Configuring EVPN Active-Active
Multihoming.]
•
Distribution of VXLAN VNIDs using EVPN (MX Series)—Starting in Release 16.2, Junos
OS enables Ethernet VPN (EVPN) with Virtual Extensible LAN (VXLAN) encapsulation
to provide Layer 2 connectivity for endpoints within a virtual network that Contrail
virtualization software creates. Endpoints in this scheme include virtual machines
(VMs) connected to a virtual server, and non-virtual bare-metal servers (BMSs)
connected to a top-of-rack (ToR) platform. An MX Series router performs as a default
gateway for non-virtual BMSs for the traffic among the endpoints that belong to
different virtual networks.
The virtual network uses two types of encapsulation:
An MX Series router supports all-active L3 gateways for redundancy and load balancing
to ensure failure protection for the default gateway.
General Routing
•
Support for fabric management on MPC7E-MRATE and MPC7E-10G MPCs (MX240,
MX480, and MX960 routers)—Fabric management is implemented on MPC7E-MRATE
and MPC7E-10G MPCs and is supported in Junos OS Release 16.1R1. The MX960 router
supports a maximum of six fabric planes (two per MX-SCBE2), and the MX240 and
MX480 routers support a maximum of eight fabric planes (four per MX-SCBE2).
NOTE: The MPC7E-MRATE and MPC7E-10G MPCs are supported only on
MX-SCBE2.
NOTE: Fabric management is supported on the MPC7E-MRATE and
MPC7E-10G MPCs in Junos OS Releases 15.1F4, 15.1F5 with respective JAM
packages, and in 15.1F6.
•
Support for virtualization on RE-S-X6-64G (MX240, MX480, MX960, MX2010, and
MX2020)—The Routing Engine RE-S-X6-64G supports virtualization for the following
platforms:
•
MX240, MX480, and MX960—Junos OS Release 15.1F3, 16.1R1, and later
•
MX2010 and MX2020—Junos OS Release 15.1F5, 16.1R2, and later
Virtualization enables the router to support multiple instances of Junos OS and other
operating systems on the same Routing Engine. However, for Junos OS Release 15.1F3,
one instance of Junos OS, which runs as a guest operating system, is launched by
default. The user needs to log in to this instance for operations and management. For
more information, see RE-MX-X6, RE-MX-X8, RE-PTX-X8 and RCBPTX with VM Host
Support.
With virtualization of the Routing Engine, Junos OS supports new request and show
commands associated with host and hypervisor processes. The commands are related
to:
•
Reboot, halt, and power management for the host
•
Software upgrade for the host
•
Disk snapshot for the host
High Availability and Resiliency
•
Support for unified in-service software upgrade (MX Series)—Starting in Release
16.1, Junos OS extends support for unified in-service software upgrade (unified ISSU)
for the following MICs:
•
Channelized OC3/STM1 (Multi-Rate) Circuit Emulation MIC with SFP
(MIC-3D-4COC3-1COC12-CE)
•
Channelized E1/T1 Circuit Emulation MIC (MIC-3D-16CHE1-T1-CE)
•
SONET/SDH OC3/STM1 (Multi-Rate) MICs with SFP (MIC-3D-4OC3OC12-1OC48)
•
SONET/SDH OC3/STM1 (Multi-Rate) MICs with SFP (MIC-3D-8OC3OC12-4OC48)
Unified ISSU is a process to upgrade the system software with minimal disruption of
transit traffic and no disruption of the control plane. You can use unified ISSU only to
upgrade to a later version of the system software. When unified ISSU completes, the
new system software state is identical to that of the system software when the system
upgrade is performed through a cold boot.
•
Support for unified in-service software upgrade on MX Series routers with MPC5E
and MPC6E (MX240, MX480, MX960, MX2010, and MX2020)—Starting with Release
15.1F2 and 16.1R1, Junos OS supports unified in-service software upgrade (unified ISSU)
on MX Series routers with MPC5E (MPC5E-40G10G, MPC5E-100G10G), MPC5EQ
(MPC5EQ-40G10G, MPC5EQ-100G10G), and MPC6E (MX2K-MPC6E). Also, in this
release, Junos OS extends support for unified ISSU on the following MICs that are
supported on MPC6E:
•
10-Gigabit Ethernet MIC with SFP+ (24 Ports)
•
10-Gigabit Ethernet OTN MIC with SFP+ (24 Ports) (non-OTN mode only)
•
100-Gigabit Ethernet MIC with CFP2 (non-OTN mode only)
•
100-Gigabit Ethernet MIC with CXP (4 Ports)
Unified ISSU is a process to upgrade the system software with minimal disruption of
transit traffic and no disruption of the control plane. You can use unified ISSU only to
upgrade to a later version of the system software. When unified ISSU completes, the
new system software state is identical to that of the system software when the system
upgrade is performed through a cold boot.
•
Configure BFD over LAG using AE interface addresses (MX Series)—Beginning with
Junos OS Release 16.1, you can configure BFD over child links of an AE or LAG bundle
using AE interface addresses also, thereby conserving routable IP addresses. In earlier
Junos releases, you could configure BFD over LAG using loopback addresses only. To
configure BFD over LAG using AE interface addresses or loopback addresses, include
the bfd-liveness-detection statement at the [edit interfaces aex
aggregated-ether-options bfd-liveness-detection] hierarchy level. Disable duplicate
address detection before configuring this feature for the IPv6 address family.
[See Understanding Independent Micro BFD Sessions for LAG.]
Interfaces and Chassis
•
Maximum generation rate for ICMP and ICMPv6 messages is configurable (MX
Series)—Starting in Junos OS Release 16.1, you can configure the maximum rate at
which ICMP and ICMPv6 messages that are not ttl-expired are generated by using the
icmp rate limit and icmp6 rate limit configuration statements at the [edit chassis]
hierarchy level.
•
Clock synchronization feature support on non-Ethernet MICs—Starting in Release
16.1R1, Junos OS extends clock synchronization support for the MIC-3D-1OC192-XFP
on the MX104 router. This feature enables the selection of the best timing source based
upon the Synchronization Status Message (SSM).
•
Support for GPS external clock interface on the MX2020 Control Board
(MX2020)—Starting with Junos OS Release 16.1, you can configure the external clock
interface on the MX2020 Control Board to select the global positioning system (GPS)
clock source as an input clock source to the centralized timing circuit. You can also
configure the external clock interface to select either the chassis clock source or a
recovered line clock source with GPS timing signals of 1 MHz, 5 MHz, or 10 MHz with
1 pulse per second (PPS) as the output clock source.
•
Support for inline Two-Way Active Measurement Protocol (TWAMP) server on
MPC5E (MX240, MX480, MX960, MX2010, and MX2020)—You can now configure
an inline TWAMP server as part of the inline services (si-) interface processing for
MPC5E interfaces. TWAMP is an open protocol for measuring network performance
between any two devices that support TWAMP. To configure the TWAMP server,
specify the logical interface on the service PIC that provides the TWAMP service by
including the twamp-server statement at the [edit interfaces si-fpc/pic/port unit
logical-unit-number family inet] hierarchy level. You can also specify the TWAMP server
properties by including the server statement at the [edit services rpm twamp] hierarchy
level.
•
Support for higher MTU size on MX Series MPCs—Starting in Junos OS Release 16.1R1,
the maximum transmission unit (MTU) size for a media or protocol is increased from
9192 to 9500 for Ethernet interfaces on the following MX Series MPCs:
•
MPC1
•
MPC2
•
MPC2E
•
MPC3E
•
MPC4E
•
MPC5E
•
MPC6E
See
http://www.juniper.net/techpubs/en_US/junos/topics/reference/configuration-statement/mtu-edit-interfaces-ni.html
•
Support to monitor physical Ethernet (10G, 40G, and 100G) links, detect link
degradation, and trigger fast-reroute to minimize packet loss (MX Series Routers
with MPC3, MPCE, and MPC4E)—Starting with Junos OS Release 16.1R1, you can
monitor the physical link degrade (indicated by bit error rate (BER) levels) and take
corrective actions when BER levels drop in the range of 10^-13 to 10^-5.
Layer 2 and Layer 3 protocols support the monitoring of a physical link degrade and
so does the Ethernet link through the Link Fault System (LFS). However, for both these
monitoring mechanisms, the BER range of 10^-13 to 10^-5 is very low. Due to its low BER
level, the physical link degrade goes undetected, causing disruption and packet loss
on an Ethernet link.
The following new configurations have been introduced at the [edit interfaces
interface-name] hierarchy level to support this feature in Junos OS:
•
To monitor physical link degrade on Ethernet interfaces, configure the
link-degrade-monitor statement.
•
To configure the BER threshold value at which the corrective action should be
triggered or cleared from an interface, use the link-degrade-monitor thresholds
(setvalue | clearvalue) statement. The value is the BER threshold value in a scientific
notation. You can configure this value in the 1E-n format, where 1 is the mantissa
(remains constant) and n is the exponent. For example, a threshold value of 1E-3
refers to the BER threshold value of 1 x 10^-3.
The supported exponent range is 1 through 16 and the default value is
•
To configure the link degrade interval value, use the link-degrade-monitor thresholds
interval value statement. The configured interval value determines the number of
consecutive link degrade events that are considered before taking any corrective
action. The supported value range for the interval is 1 through 256, and the default
interval is 10.
•
To configure link degrade warning thresholds, use the link-degrade-monitor thresholds
(warning-set value | warning-clear value) statement. The value is again specified in
the 1E-n format and the supported value range for n is 1 through 16. With this
configuration, every time the BER threshold value is reached, a system message is
logged to indicate that a link degrade has occurred (warning-set) or the link degrade
has been cleared (warning-clear) on an interface.
•
To configure the link degrade action that is taken on reaching the configured BER
threshold levels, use the link-degrade action media-based statement. A media-based
action brings down the physical interface at the local end of the interface, and stops
BER monitoring on the interface (though link fail is active at the local end and the
recovery fail is active on the remote end of the degraded link) until an autorecovery
mechanism is triggered.
•
To configure the link degrade recovery options, use the link-degrade recovery (auto
interval value | manual) statement. The recovery mechanism triggers the recovery
of a degraded link.
auto recovery is used with the media-based action when there are no Layer 2 or Layer
3 protocols configured on the interface. With the auto recovery option, you must
configure the interval in seconds, after which the system triggers the auto recovery
mechanism on a degraded link. The default interval is 1800 seconds.
The manual recovery option is configured with media-based action configuration
when Layer 2 and Layer 3 protocols are configured on an interface. To trigger manual
recovery, use the request interface link-degrade-recovery interface-name statement.
•
Support for ITU-T Y.1731 ETH-LM, ETH-SLM, and ETH-DM on aggregated Ethernet
interfaces (MX Series routers with MPCs)—Starting in Junos OS Release 16.1, you can
configure ITU-T Y.1731 standard-compliant Ethernet loss measurement (ETH-LM),
Ethernet synthetic loss measurement (ETH-SLM), and Ethernet delay measurement
(ETH-DM) capabilities on aggregated Ethernet (AE) interfaces. These performance
monitoring functionalities are supported on MX Series routers with MPCs, where the
same level of support for the Ethernet services OAM mechanisms as the level of support
on non-aggregated Ethernet interfaces is available on AE interfaces. ETH-DM is
supported on MPC3E and MPC4E modules with only software timestamping. ETH-SLM
is supported on MPC3E and MPC4E modules.
•
Optical transceiver support for MX104 —Starting with Release 16.1R1, Junos OS extends
support for the following optical transceivers on MX104 routers:
•
SFP-1FE-FX-Manufactured by Fiberxon—Supports Gigabit Ethernet MIC with SFP
(MIC-3D-20GE-SFP), Gigabit Ethernet MIC with SFP (E) (MIC-3D-20GE-SFP-E),
and Gigabit Ethernet with SFP (EH) (MIC-3D-20GE-SFP-EH)
•
SFP-1FE-FX-Manufactured by Avago—Supports Gigabit Ethernet MIC with SFP (E)
(MIC-3D-20GE-SFP-E) and Gigabit Ethernet with SFP (EH) (MIC-3D-20GE-SFP-EH),
but does not support Gigabit Ethernet MIC with SFP (MIC-3D-20GE-SFP)
•
SFP-1GE-FE-E-T
•
SFP-1GE-LH
•
SFP-1GE-LX
•
SFP-1GE-SX-ET
•
SFP-GE10KT13R14
•
SFP-GE10KT14R13
•
SFP-GE40KM
•
SFP-GE40KT13R15
•
SFP-GE40KT15R13
•
SFP-GE80KCW1470-ET
•
SFP-GE80KCW1550-ET
•
SFP-GE80KCW1610-ET
•
SFP-T-ET
•
SFP-LX-ET
•
SFPP-10GE-ER
•
SFPP-10GE-ZR
•
Increased tunnel bandwidth for inline tunnel services (MX240, MX480, MX960,
MX2010, and MX2020 routers)—Starting with Junos OS Release 16.1R1, the tunnel
bandwidth is increased for MPC7E-10G, MPC7E-MRATE, MX2K-MPC8E, and
MX2K-MPC9E. The maximum bandwidth per tunnel is 120 Gbps for MPC7E-10G,
MPC7E-MRATE, and MX2K-MPC8E, and 200 Gbps for MX2K-MPC9E. The bandwidth
command for tunnel services is enhanced to configure the tunnel bandwidth from 1
Gbps through 400 Gbps, with increments of 1 Gbps.
•
Support for Ethernet OAM on MPC7E-MRATE, MPC7E-10G, MX2K-MPC8E, and
MX2K-MPC9E (MX240, MX480, MX960, MX2010, and MX2020 routers)— Starting
in Release 16.1R1, Junos OS extends MPLS support for MPC7E-MRATE, MPC7E-10G,
MX2K-MPC8E, and MX2K-MPC9E.
•
Support for Ethernet OAM on MPC7E-MRATE, MPC7E-10G, MX2K-MPC8E, and
MX2K-MPC9E (MX240, MX480, MX960, MX2010, and MX2020 routers)— Starting
in Release 16.1R1, Junos OS extends Ethernet OAM support for MPC7E-MRATE,
MPC7E-10G, MX2K-MPC8E, and MX2K-MPC9E.
•
Support for scaling on MPC7E-MRATE, MPC7E-10G, MX2K-MPC8E, and
MX2K-MPC9E (MX240, MX480, MX960, MX2010, and MX2020 routers)—Starting
in Junos OS Release 16.1R1, MPC7E-MRATE, MPC7E-10G, MX2K-MPC8E, and
MX2K-MPC9E are supported on MX Series routers. These MPCs support scaling and
performance values that are equivalent to the scaling and performance values
supported by MPCs such as MPC6E, MPC5E, MPC2E-3D-NG/NG-Q, and
MPC2E-3D-NG/NG-Q.
•
Support for hyper mode feature on MPC7E-MRATE, MPC7E-10G, MX2K-MPC8E,
and MX2K-MPC9E (MX240, MX480, MX960, MX2010, and MX2020)—The hyper
mode feature is supported on MPC7E-MRATE, MPC7E-10G, MX2K-MPC8E, and
MX2K-MPC9E. The hyper mode feature enhances the performance and throughput
of a router by increasing the data packet processing rate and optimizes the lifetime of
a data packet.
To configure the hyper mode feature, use the hyper-mode statement at the [edit
forwarding-options] hierarchy level.
•
Support for flexible queuing on MPC7E-MRATE, MPC7E-10G, MX2K-MPC8E, and
MX2K-MPC9E (MX240, MX480, MX960, MX2010, and MX2020)— The flexible
queuing feature is supported on non-hierarchical quality-of-service (non-HQoS) MPCs
MPC7E-MRATE, MPC7E-10G, MX2K-MPC8E, and MX2K-MPC9E. By default, the
non-HQoS MPCs do not support flexible queuing. You can enable flexible queuing on
these MPCs by including the flexible-queuing-mode statement at the [edit chassis fpc]
hierarchy level. When flexible queuing is enabled, non-HQoS MPCs support a limited
queuing capability of 32,000 queues per slot, including ingress and egress.
•
Configuration support to improve convergence (MX Series)—Starting with Junos OS
Release 16.1R1, you can configure multichassis link aggregation (MC-LAG) interfaces
to improve Layer 2 and Layer 3 convergence time to subsecond values when a
multichassis aggregated Ethernet link goes down or comes up in a bridge domain.
To use this feature, ensure that the interchassis link (ICL) is configured on an aggregated
Ethernet interface. For Layer 2 convergence, configure the enhanced-convergence
statement at the [edit interfaces aeX aggregated-ether-options mc-ae] hierarchy level.
For Layer 3, configure the enhanced-convergence statement at the [edit interfaces irb
unit unit-number] hierarchy level for an integrated routing and bridging (IRB) interface.
NOTE:
•
If the enhanced-convergence feature is configured on a multichassis
aggregated Ethernet interface of a bridge domain that has an IRB
interface, the IRB interface must also be configured for the convergence
feature.
•
All multichassis aggregated Ethernet interfaces that are part of a bridge
domain must be configured for enhanced convergence in order to utilize
this feature on any of them.
•
On enabling or disabling the enhanced convergence feature, all services
get deleted and re-created.
[See Configuring Active-Active Bridging and VRRP over IRB in Multichassis Link Aggregation
on MX Series Routers, Configuring Multichassis Link Aggregation on MX Series Routers.]
•
LACP hold-up timer configuration support on LAG interfaces—Starting with Junos
OS Release 16.1R1, you can configure a Link Aggregation Control Protocol (LACP)
hold-up timer value for link aggregation group (LAG) interfaces.
You configure the hold-up timer to prevent excessive flapping of a child (member) link
of a LAG interface due to transport layer issues. With transport layer issues, it is possible
for a link to be physically up and still cause LACP state-machine flapping. LACP
state-machine flapping can adversely affect traffic on the LAG interface. To prevent
this, a hold-up timer value is configured. LACP monitors the PDUs received on the child
link for the configured time value, but does not allow the member link to transition
from the expired or defaulted state to current state. This configuration thus prevents
excessive flapping of the member link.
To configure the LACP hold-up timer for LAG interfaces, use the hold-time up timer-value
statement at the [edit interfaces ae aeX aggregated-ether-options lacp] hierarchy level.
•
Initialization delay timer feature support on LAG interfaces (MX Series)—Starting
with Junos OS Release 16.1R1, you can configure an initialization delay timer value
on link aggregation group (LAG) interfaces.
When a standby multichassis aggregated Ethernet (MC-AE) interface reboots to
come up in active-active MC-AE mode, the Link Aggregation Control Protocol (LACP)
comes up faster than the Layer 3 protocols. As soon as LACP comes up,
the interface is UP and starts receiving traffic from the neighboring interfaces. In
absence of the routing information, the traffic received on the interface is dropped,
causing traffic loss.
The initialization delay timer, when configured, delays the MC-AE node from coming
UP for a specified amount of time. This gives the Layer 3 protocols time to converge
on the interface and prevent traffic loss.
To configure the initialization delay timer on an MC-AE interface, use the
init-delay-timer statement at the [edit interfaces ae-interface-name
aggregated-ether-options mc-ae] hierarchy level.
•
Support for ARP cache protection to prevent DoS attacks (MX Series and T
Series)—Starting in Junos OS Release 16.1, you can configure an ARP cache limit for
resolved and unresolved next-hop entries in the cache. This limits the maximum number
of next hops that can be created. Configuring an ARP cache limit protects
the device from DoS attacks. You can configure the cache limit globally at the system
level or for a particular interface. To configure the cache limit at the system level,
include the arp-system-cache-limit statement at the [edit system] hierarchy level. To
configure the cache limit at an interface level, include the arp-max-cache statement
at the [edit interfaces interface-name unit interface-unit-number family inet] hierarchy
level. To configure the maximum number of unresolved next-hop entries to hold for
an interface, set the arp-new-hold-limit statement at the [edit interfaces interface-name
unit interface-unit-number family inet] hierarchy level. To view ARP cache statistics at
the system level, run the show system statistics arp command. To view the ARP cache
statistics for an interface, run the show interfaces interface-name command.
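One way to check which IPv4 logical interfaces are covered by the ARP cache limits described above, as an added example that is not Juniper's code. It assumes the configuration is available in set-command form; the sample configuration, interface names, and limit values are constructed, and the set-command spellings are derived from the hierarchy levels named above.

```python
import re

# Constructed sample configuration in "set" form. Interface names, addresses
# and limit values are illustrative assumptions, not recommended settings.
SAMPLE_CONFIG = """\
set system host-name edge1
set system arp-system-cache-limit 20000
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.1/24
set interfaces ge-0/0/0 unit 0 family inet arp-max-cache 4000
set interfaces ge-0/0/0 unit 0 family inet arp-new-hold-limit 200
set interfaces ge-0/0/1 unit 10 family inet address 198.51.100.1/24
set interfaces ge-0/0/1 unit 10 family inet arp-max-cache 4000
set interfaces ge-0/0/2 unit 0 family inet address 203.0.113.1/24
set interfaces ge-0/0/3 unit 0 family inet6 address 2001:db8::1/64
"""

SYSTEM_RE = re.compile(r"^set system arp-system-cache-limit (\d+)$")
# "family inet" must be followed by a space or end of line, so inet6 is skipped.
INET_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family inet(?: (.+))?$")
LIMIT_RE = re.compile(r"^(arp-max-cache|arp-new-hold-limit) (\d+)$")


def parse_arp_limits(config_text):
    """Return (system_limit, units); units maps (ifname, unit) to its limits."""
    system_limit = None
    units = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        m = SYSTEM_RE.match(line)
        if m:
            system_limit = int(m.group(1))
            continue
        m = INET_RE.match(line)
        if not m:
            continue
        # Any "family inet" line registers the logical interface as IPv4-enabled.
        limits = units.setdefault((m.group(1), int(m.group(2))), {})
        lm = LIMIT_RE.match(m.group(3) or "")
        if lm:
            limits[lm.group(1)] = int(lm.group(2))
    return system_limit, units


def audit_arp_limits(config_text):
    """Classify every IPv4 logical interface by the ARP cache limit covering it."""
    system_limit, units = parse_arp_limits(config_text)
    report = {}
    for (ifname, unit), limits in sorted(units.items()):
        if "arp-max-cache" in limits:
            coverage = "interface-limit"
        elif system_limit is not None:
            coverage = "system-limit-only"
        else:
            coverage = "no-configured-limit"
        report[f"{ifname}.{unit}"] = {
            "coverage": coverage,
            "arp-max-cache": limits.get("arp-max-cache"),
            # None means no explicit cap on unresolved entries for this unit.
            "arp-new-hold-limit": limits.get("arp-new-hold-limit"),
        }
    return system_limit, report


if __name__ == "__main__":
    system_limit, report = audit_arp_limits(SAMPLE_CONFIG)
    print("arp-system-cache-limit:", system_limit)
    for name, row in report.items():
        print(name, row)
```
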
•
Synchronous Ethernet support on MPC7E-MRATE, MPC7E-10G, MX2K-MPC8E, and
MX2K-MPC9E (MX240, MX480, MX960, MX2010, and MX2020)—Starting with
Junos OS Release 16.1R1, Synchronous Ethernet with Ethernet Synchronization Message
Channel is supported on MPC7E-MRATE, MPC7E-10G, MX2K-MPC8E, and
MX2K-MPC9E.
•
Disabling fabric grant bypass mode for better performance (MX2010 and
MX2020)—Fabric grant bypass mode is enabled, by default, for all MPCs on MX2010
and MX2020 routers. Disabling fabric grant bypass mode controls congestion and thus
improves system behavior and performance on MX2010 and MX2020 routers. Starting
with Junos OS Release 16.1, you can disable fabric grant bypass mode on MX2010 and
MX2020 routers by including the disable-grant-bypass configuration statement at the
[edit chassis fabric] hierarchy level.
NOTE: After disabling fabric grant bypass mode on the MX2010 and
MX2020, you must reboot the router for the changes to take effect. MPC1
(MX-MPC1-3D), MPC2 (MX-MPC2-3D), and the 16-port 10-Gigabit Ethernet
MPC (MPC-3D-16XGE-SFP) do not power on after you disable fabric grant
bypass mode and reboot the router.
•
Support for asynchronous notification on MIC-8OC3OC12-4OC48-SFP and
MIC-1OC192-HO-VC-XFP (MX240, MX480, MX960, MX2010, and MX2020
routers)—Starting in Junos OS Release 16.1R1, the asynchronous-notification command
is supported at the [edit interfaces interface-name sonet-options] hierarchy level for
the MICs MIC-8OC3OC12-4OC48-SFP and MIC-1OC192-HO-VC-XFP.
In a network comprising SONET and Ethernet interfaces connected through a TCC
circuit, if an interface goes down, you can use the asynchronous-notification command
to disable the physical interface on the remote end, thereby notifying the loss of signal
(LOS) and loss of connection.
•
Routing Engine failover detection (MX240, MX480, MX960, MX2010, and
MX2020)—Starting with Junos OS Release 16.1, you use the on-re-to-fpc-stale
configuration statement at the [edit chassis redundancy failover] hierarchy level to
instruct the backup Routing Engine to take the mastership if the em0 interface fails
on the master Routing Engine.
•
Upgrading MPC8E bandwidth from 960 Gbps to 1600 Gbps (MX2010 and
MX2020)—Starting in Junos OS Release 16.1R1, you can upgrade MPC8E to provide
an increased bandwidth of 1600 Gbps (1.6 Tbps), by using an add-on license. After
you purchase the license and perform the upgrade, MPC8E provides a bandwidth of
1.6 Tbps, which is equivalent to that of MPC9E. However, the MPC continues to be
identified as MPC8E.
NOTE: After you upgrade MPC8E to provide a bandwidth of 1.6 Tbps, the
power consumption by MPC8E increases and is equivalent to the power
that MPC9E consumes.
You upgrade the bandwidth by using the set chassis fpc slot bandwidth 1.6T command.
You can disable this feature by using the delete chassis fpc slot bandwidth 1.6T
command.
[See MPC8E on MX Series Routers Overview.]
•
Configuration support for multiple up MEPs for interfaces belonging to a single VPLS
service or a bridge domain (MX Series with MPC)—Starting with Junos OS Release
16.1R1, you can configure multiple up maintenance association endpoints (MEP) for a
single combination of maintenance association ID and maintenance domain ID for
interfaces belonging to a particular VPLS service or a bridge domain.
To configure multiple up MEPs, specify the mep mep-id statement at the [edit protocols
oam ethernet connectivity-fault-management maintenance-domain domain-name
maintenance-association ma-name] hierarchy level, when the MEP direction is configured
as direction up.
•
Starting in Junos OS Release 16.1, the show pfe statistics traffic command now displays
the following fabric statistics:
•
Fabric Input packets—Number and rate of incoming fabric packets
•
Fabric Output packets—Number and rate of outgoing fabric packets
See show pfe statistics traffic.
•
Enhancement to ambient-temperature statement (MX Series)—Starting in Junos
OS Release 16.1R1, the default ambient temperature is set at 40° C on MX480, MX960,
MX2010, and MX2020 3D Universal Edge Routers. You can override ambient
temperature by setting the temperature at 55° C or 25° C.
[edit]
user@host# set chassis ambient-temperature ?
Possible completions:
  25C                  25 degree celsius
  40C                  40 degree celsius
  55C                  55 degree celsius
[edit]
When a router restarts, the system adjusts the power allocation or the provisioned
power for the line cards on the basis of the configured ambient temperature. If enough
power is not available, a minor chassis alarm is raised. However, the chassis continues
to run with the configured ambient temperature. You can configure a new higher
ambient temperature only after you make more power available by adding new power
supply modules or by taking a few line cards offline. By using the provisioned power
that is saved by configuring a lower ambient temperature, you can bring more hardware
components online.
•
Support for fabric black-hole detection and recovery in TX Matrix Plus routers—TX
Matrix Plus routers can detect and recover from fabric faults that are not caused by
hardware failure but might be a result of a fabric black-hole condition.
To recover from a fabric black-hole condition, the routing matrix uses the following
options:
•
SIB reboot
•
FPC reboot
•
Destination reprogramming
•
Related faults recovery
You can disable the automatic recovery feature by using the auto-recovery-disable
statement at the [edit chassis fabric degraded] hierarchy level. You can configure the
FPCs to go offline when a traffic black-hole condition is detected in the routing matrix
by using the fpc-offline-on-blackholing statement at the [edit chassis fabric degraded]
hierarchy level.
You can configure the FPCs to restart when a traffic black-hole condition is detected
in the routing matrix by using the fpc-restart statement at the [edit chassis fabric
degraded] hierarchy level.
[See auto-recovery-disable and fpc-offline-on-blackholing.]
IPv4
•
IPv4 address conservation method for hosting providers (MX Series)—Starting with
Junos OS Release 14.2R4, Release 15.1R1, Release 16.1R1, and later releases, you can
configure a static route on an integrated routing and bridging (IRB) interface with or
without pinning to a specific underlying interface, thereby conserving the usage of IP
address space.
When a customer needs servers to be assigned within a block of IP addresses, several
IP addresses are consumed. These include the network and broadcast IP addresses,
the addresses for the router gateway that the servers are connected to, and the
addresses of the individual servers. When this effect is multiplied across thousands of
hosting providers, IP address space is underutilized.
This issue can be resolved by configuring the router interface with an address from the
reserved IPv4 prefix for shared address space (RFC 6598) and by using static routes
pointed at that interface. Internet Assigned Numbers Authority (IANA) has recorded
the allocation of an IPv4 /10 for use as shared address space. The shared address
space address range is 100.64.0.0/10.
This way, the router interface is allocated an IP address from the shared address space,
so it is not consuming publicly routable address space, and connectivity is handled
with static routes on the interface. The interface in the server is configured with a
publicly routable address, but the router interfaces are not. Network and broadcast
addresses are consumed out of the shared address space rather than the publicly
routable address space.
Junos OS XML API and Scripting
•
Support for Python language for commit, event, op, and SNMP scripts (MX Series
and T Series)—Starting in Junos OS Release 16.1, you can author commit, event, op,
and SNMP scripts in Python on devices that include the Python extensions package in
the software image. Creating automation scripts in Python enables you to take
advantage of Python features and libraries as well as leverage Junos PyEZ APIs
supported in Junos PyEZ Release 1.3.1 and earlier releases to perform operational and
configuration tasks on devices running Junos OS. To enable execution of Python
automation scripts, which the root user must own, configure the language python
statement at the [edit system scripts] hierarchy level, and configure the filename for
the Python script under the hierarchy level appropriate to that script type. Supported
Python versions include Python 2.7.x.
[See Understanding Python Automation Scripts for Devices Running Junos OS.]
Layer 2 Features
•
Support for MAC pinning to prevent loops (MX Series)—A MAC move occurs when
a MAC address frequently appears on a different physical interface than the one it was
learned on. Frequent MAC moves indicate the presence of loops in Layer 2 bridges and
in VPLS networks. To avoid loops, you can enable the MAC pinning feature on an
interface.
Starting in Junos OS Release 16.1, support for MAC pinning is provided to prevent loops
in Layer 2 bridges and in VPLS networks.
When you enable MAC pinning on an interface in a bridge domain or VPLS domain, a
MAC address learned over that interface cannot be relearned on any other interface
in the same bridge domain or VPLS domain until the MAC address either ages out on
the first interface or is cleared from the MAC table. If a packet with the same MAC
address arrives at any other interface in the same bridge domain, then the packet is
discarded. This action, effectively, controls MAC moves and prevents the creation of
loops in Layer 2 bridges and VPLS domains.
NOTE: If you do not specify the timeout interval for the MAC addresses by
configuring the mac-table-aging-time statement, the MAC addresses learned
over the MAC pinning interface are pinned to the interface until the default
timeout period expires.
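The MAC pinning behavior described above, as an added Python model that is not Juniper's implementation. The class and function names, the 300-second aging time, the MAC address, and the frame trace are constructed assumptions; aging is modeled as time since the address was last seen on its learned interface.

```python
class BridgeDomain:
    """Simplified model of MAC learning in one bridge domain with MAC pinning."""

    def __init__(self, aging_time, pinned_interfaces=()):
        self.aging_time = aging_time          # seconds; role of mac-table-aging-time
        self.pinned = set(pinned_interfaces)  # interfaces with MAC pinning enabled
        self.table = {}                       # mac -> [interface, last_seen]
        self.moves = 0                        # count of accepted MAC moves

    def _age_out(self, now):
        expired = [mac for mac, (_, seen) in self.table.items()
                   if now - seen >= self.aging_time]
        for mac in expired:
            del self.table[mac]

    def clear(self, mac):
        """Model clearing one address from the MAC table."""
        self.table.pop(mac, None)

    def lookup(self, mac, now):
        self._age_out(now)
        entry = self.table.get(mac)
        return entry[0] if entry else None

    def receive(self, src_mac, interface, now):
        """Process the source MAC of one frame and return what happened to it."""
        self._age_out(now)
        entry = self.table.get(src_mac)
        if entry is None:
            self.table[src_mac] = [interface, now]
            return "learned"
        if entry[0] == interface:
            entry[1] = now                    # seen again on the same interface
            return "refreshed"
        if entry[0] in self.pinned:
            # Learned over a pinned interface: no relearning elsewhere, and the
            # frame is dropped without refreshing the aging timer.
            return "discarded"
        self.table[src_mac] = [interface, now]
        self.moves += 1
        return "moved"


def replay(frames, aging_time, pinned_interfaces=()):
    """Feed (time, src_mac, interface) tuples to a fresh bridge domain."""
    bd = BridgeDomain(aging_time, pinned_interfaces)
    results = [bd.receive(mac, ifname, t) for t, mac, ifname in frames]
    return results, bd.moves


# Constructed trace: a loop makes one source MAC alternate between two ports,
# then the address reappears on the second port after the aging time has passed.
LOOP_TRACE = [
    (0, "00:00:5e:00:53:01", "ge-0/0/1"),
    (1, "00:00:5e:00:53:01", "ge-0/0/2"),
    (2, "00:00:5e:00:53:01", "ge-0/0/1"),
    (3, "00:00:5e:00:53:01", "ge-0/0/2"),
    (400, "00:00:5e:00:53:01", "ge-0/0/2"),
]

if __name__ == "__main__":
    print("no pinning:", replay(LOOP_TRACE, aging_time=300))
    print("pinned    :", replay(LOOP_TRACE, aging_time=300,
                                pinned_interfaces={"ge-0/0/1"}))
```
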
•
Enhanced convergence time required for IRB ARP resolution (MX Series)—Starting
with Junos OS Release 16.1, the convergence of IRB ARP resolution when the underlying
L2 IFL association with the MAC changes due to link failure or MAC move improves
when both enhanced-convergence and enhanced-ip chassis are configured. The show
arp and show ipv6 neighbor commands do not display the underlying IFL information
if the destination interface is IRB.
•
Support for Layer 2 port mirroring to a remote collector over a GRE Interface (MX
Series)—Starting with Junos OS Release 16.1, Layer 2 port mirroring to a remote collector
over a GRE interface is supported.
Management
•
YANG module that defines CLI formatting for RPC output (MX Series and T
Series)—Starting with Junos OS Release 16.1, Juniper Networks provides the
junos-extension-odl YANG module. The module contains definitions for Junos OS
Output Definition Language (ODL) statements, which determine the CLI formatting
for RPC output when you execute the operational command corresponding to that
RPC in the CLI or when you request the RPC output in text format. You can use
statements in the junos-extension-odl module in custom RPCs to convert the XML
output into a more logical and human-readable representation of the data. The
junos-extension-odl module is bound to the namespace URI
http://yang.juniper.net/yang/1.1/jodl and uses the prefix junos-odl.
[See Understanding Junos OS YANG Extensions for Formatting RPC Output.]
•
YANG module that defines Junos OS operational commands (MX Series and T
Series)—Starting with Junos OS Release 16.1, Juniper Networks provides the
juniper-command YANG module, which represents the operational command hierarchy
and collective group of modules that define the remote procedure calls (RPCs) for
Junos OS operational mode commands. You can download Juniper Networks YANG
modules from the website, or you can generate the modules by using the show system
schema format yang module juniper-command operational command on the local
device. The juniper-command module is bound to the namespace URI
http://yang.juniper.net/yang/1.1/jrpc and uses the prefix jrpc.
[See Understanding the Juniper Networks YANG Modules for Operational Commands.]
•
Support for adding non-native YANG modules to the Junos OS schema (MX Series
and T Series)–Starting with Junos OS Release 16.1, you can load standard (IETF,
OpenConfig) or custom YANG models on devices running Junos OS to add data models
that are not natively supported by Junos OS but can be supported by translation. Doing
this enables you to augment the configuration hierarchies with data models that are
customized for your operations. The ability to add data models to a device is also
beneficial when you want to create device- and vendor-agnostic configuration models
that enable the same configuration to be used on different devices from one or more
vendors. You can load YANG modules that add configuration hierarchies by using the
request system yang add operational command.
[See Understanding the Management of Non-Native YANG Modules on Devices Running
Junos OS.]
•
Juniper Extension Toolkit for Junos (JET for Junos) provides a modern programmatic
interface for developers of third-party applications—As of Junos OS Release 16.1, JET
for Junos, an evolution of the Junos SDK, allows customers and partners to build and
run applications either directly on Junos OS devices or off-box. These applications can
interact with Junos OS native features. A framework is provided in the Python language
for Python JET for Junos application developers. This framework allows your
applications to run directly on Junos OS devices. JET for Junos is based on Apache
Thrift; thus, it also supports multiple languages running off-box to interact with the
same JET for Junos APIs. This gives developers true flexibility to adapt Junos OS devices
to business processes.
Developers can view JET guides at Juniper Extension Toolkit, Release 1.0. For the JET
Applications Guide, see Understanding JET Interaction with Junos OS.
MPLS
•
Longest matching route for label mapping (MX Series)— Starting with Junos OS
Release 16.1, LDP uses the longest match to learn the routes aggregated or summarized
across OSPF areas or IS-IS levels in the interdomain.
•
Explicit notifications for pseudowire termination (MX Series)—Starting with Junos
OS Release 16.1R1, MX Series routers can provide notifications on the service node
when the access pseudowire goes down, and provide efficient termination capabilities
when Layer 2 and Layer 3 segments are interconnected. This feature also provides
termination of pseudowire into virtual routing and forwarding (VRF) and virtual private
LAN service (VPLS) routing instances without pseudowire redundancy, which includes:
•
Termination of an access pseudowire into VRF.
•
Termination of an access pseudowire into a VPLS instance.
[See Pseudowire Termination: Explicit Notifications for Pseudowire Down Status.]
•
Support for NIST Deterministic Random Bit Generator (DRBG) recommendations
(MX Series)—Starting with Release 16.1, Junos OS supports NIST computer security
standards recommended in Recommendation for Random Number Generation Using
Deterministic Random Bit Generators, NIST Special Publication 800-90A;
Recommendation for the Entropy Sources Used for Random Bit Generation, NIST DRAFT
Special Publication 800-90B; and Recommendation for Random Bit Generator (RBG)
Constructions, DRAFT NIST Special Publication 800-90C.
NOTE: Junos OS supports Recommendation for the Entropy Sources Used
for Random Bit Generation, NIST DRAFT Special Publication 800-90B and
Recommendation for Random Bit Generator (RBG) Constructions, DRAFT
NIST Special Publication 800-90C only when the system is operating in
Junos-FIPS mode.
•
BGP Prefix-Independent Convergence (PIC) Edge for RSVP (MX Series)—Starting
with Junos OS Release 16.1, BGP PIC Edge for RSVP enables you to implement a solution
where a protection path is calculated in advance to provide an alternative forwarding
path in case of path failure.
With BGP PIC Edge in an MPLS VPN network, IGP failure triggers a repair of the failing
entries and causes the Packet Forwarding Engine to use the pre-populated protection
path until global convergence has re-resolved the VPN routes. This feature helps to
reduce the convergence time taken to repair the remote provider edge (PE) link failure,
when compared to the traditional approach of re-resolving each prefix. The convergence
time is no longer dependent on the number of prefixes.
Earlier, this feature used LDP as the transport protocol, which is now extended to
support BGP PIC Edge with RSVP as the transport protocol. When RSVP receives a
tunnel down notification at the ingress PE router, it sends a notification to the Packet
Forwarding Engine to start making use of the tunnel to the alternate egress PE router.
The tunnel route to the alternate egress PE router is calculated and installed in advance.
[See show rsvp version.]
•
Protection against incorrect label injection across ASBRs (MX Series)—Starting in
Junos OS Release 16.1, you can use regular BGP export policies to control route
advertisement to a VPN ASBR peer in a given routing instance. This is especially useful
in the service provider context of Inter-AS VPN Option-B ASBRs because it prevents
peer ASBRs in a neighboring AS from injecting a VPN label intended for a different
peer-AS, or intra-AS PEs, into the common ASBR. The common ASBR only accepts
MPLS packets from a peer ASBR that has explicitly advertised the label to the common
ASBR.
To support this new functionality, the statement forwarding-context is introduced at
the [edit protocols bgp group] hierarchy level, and the instance type mpls-forwarding
is introduced at the [edit routing-instances] hierarchy level.
•
Support for inet and inet6 families on pseudowire subscriber logical interface (MX
Series)—Starting with Junos OS Release 16.1R1, inet and inet6 families are supported
on the services side of an MPLS pseudowire subscriber as well as non-subscriber logical
interfaces. You use family inet6 to assign an IPv6 address. You use family inet to assign
an IPv4 address. A logical interface can be configured with both an IPv4 and IPv6
address.
[See Pseudowire Subscriber Logical Interfaces Overview.]
•
Support for Inline IPFIX on pseudowire subscriber logical interface (MX
Series)—Starting with Junos OS Release 16.1R1, Inline IPFIX is supported on the services
side of an MPLS pseudowire subscriber logical interface. With Inline IPFIX you can
configure active sampling to be performed on an inline data path without the need for
a services Dense Port Concentrator (DPC). To enable this feature, define a sampling
instance with specific properties. One Flexible PIC Concentrator (FPC) can support
only one instance. For each instance, either services PIC-based sampling or inline
sampling is supported per family. As a result, a particular instance can define PIC-based
sampling for one family and inline sampling for a different family. Both IPv4 and IPv6
are supported for inline sampling.
•
RSVP scalability (MX Series and T Series)—Starting with Junos OS Release 16.1, RSVP
Traffic Engineering (TE) protocol extensions for fast reroute (FRR) facility protection
are introduced to allow greater scalability of LSPs and faster convergence times.
RSVP-TE runs in enhanced FRR profile mode by default and includes FRR extensions
as defined in RFC 2961. In mixed environments, where a subset of LSPs traverse nodes
that do not include this feature, RSVP-TE behavior is unchanged; backward compatibility
is fundamentally supported in the design.
•
Enhancements to MPLS RSVP-TE LSP (MX Series and T Series)—The Junos OS
implementation of MPLS RSVP-TE is scaled to enhance the usability, visibility,
configuration, and troubleshooting of label-switched paths (LSPs) in Junos OS Release
16.1 and later releases.
These enhancements make the RSVP-TE configuration easier at scale by:
•
Ensuring LSP data-plane readiness during LSP resignaling (before traffic
traverses the LSP) by using the RSVP-TE LSP self-ping mechanism.
•
Removing the current hard limit of 64K LSPs on an ingress router, and thereby
enabling scaling to be constrained only by the total number of LSPs RSVP-TE
signaling can sustain.
•
Preventing abrupt tearing down of LSPs by the ingress router because of delay in
signaling the LSP at the transit routers.
•
Enabling flexible view of LSP data-sets to facilitate LSP characteristic data
visualization.
•
Leaking MPLS routes to nondefault routing instances (MX Series with MPC/MIC
interfaces)—Starting in Junos OS Release 16.1, you can use the import-labeled-routes
statement to specify one or more nondefault routing instances where you want MPLS
pseudowire labeled routes to be leaked from the mpls.0 path routing table in the
master routing instance.
This capability prevents traffic loss in an L2VPN/VPLS configuration where the remote
PE router is learned from the IGP in a nondefault routing instance. Because
ingress-labeled routes are installed only in the master mpls.0 table by default, no route
is found in the routing-instance-name.mpls.0 table when L2VPN/VPLS traffic is received
on the core-facing interface, and that traffic is dropped.
•
Subnet-match authentication for LDP sessions (MX Series)—Starting in Junos OS
Release 16.1R1, support for Hashed Message Authentication Code (HMAC) and MD5
authentication for LDP sessions is extended from a per-session configuration to a
subnet-match (that is, longest-prefix-match) configuration.
This feature provides flexibility in configuring authentication for automatically targeted
LDP (TLDP) sessions, making the deployment of remote loop-free alternate (LFA)
and FEC 129 pseudowires easy.
To enable this feature, configure the session-group option at the [edit protocols ldp]
hierarchy level, and then enable the required authentication for the configured session
group.
[See Configuring the TCP MD5 Signature for LDP Sessions.]
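The subnet-match selection described in this entry, as an added Python sketch (not Juniper code): a peer address is matched to the most specific session group, and the TCP MD5 digest (RFC 2385, IPv4 only here) is verified with that group's key. The prefixes, keys, function names and the sample TCP header are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed session groups: prefix -> shared key (illustration only).
SESSION_GROUPS = {
    "10.0.0.0/8": b"core-secret",
    "10.1.0.0/16": b"region1-secret",
    "10.1.2.0/24": b"pop12-secret",
    "2001:db8::/32": b"v6-secret",
}

# Constructed 20-byte TCP header: src port 646 (LDP), dst port 50000,
# seq 1, ack 0, data offset 5 + SYN, window 65535, checksum, urgent pointer.
SAMPLE_HEADER = struct.pack("!HHIIHHHH", 646, 50000, 1, 0,
                            (5 << 12) | 0x02, 65535, 0xBEEF, 0)


def build_table(groups):
    """Parse the prefixes and order them most specific first."""
    table = [(ipaddress.ip_network(p), key) for p, key in groups.items()]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def select_group(table, peer):
    """Longest-prefix match of a peer address; None means no group applies."""
    addr = ipaddress.ip_address(peer)
    for net, key in table:
        if net.version == addr.version and addr in net:
            return net, key
    return None


def unauthenticated_peers(table, peers):
    """Peers that match no session group and so have no key to sign with."""
    return [p for p in peers if select_group(table, p) is None]


def tcp_md5_digest(src, dst, tcp_header, payload, key):
    """RFC 2385 digest for an IPv4 segment: pseudo-header, the 20-byte fixed
    TCP header with a zeroed checksum, the segment data, then the key."""
    seg_len = len(tcp_header) + len(payload)
    pseudo = (ipaddress.IPv4Address(src).packed
              + ipaddress.IPv4Address(dst).packed
              + struct.pack("!BBH", 0, 6, seg_len))
    fixed = bytearray(tcp_header[:20])
    fixed[16:18] = b"\x00\x00"          # checksum field is taken as zero
    return hashlib.md5(pseudo + bytes(fixed) + payload + key).digest()


def accept_segment(table, src, dst, tcp_header, payload, digest):
    """Receiver side: pick the sender's key by longest-prefix match and
    recompute the digest. A sender signing with a less specific group's key
    is rejected. A peer with no group is treated as a failure in this sketch
    so that the coverage gap is visible."""
    match = select_group(table, src)
    if match is None:
        return False
    expected = tcp_md5_digest(src, dst, tcp_header, payload, match[1])
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    table = build_table(SESSION_GROUPS)
    for peer in ("10.1.2.7", "10.1.9.9", "10.200.0.1", "192.0.2.1"):
        print(peer, "->", select_group(table, peer))
```

Running `unauthenticated_peers` over the list of expected targeted LDP peers is a quick way to find addresses that fall outside every configured prefix.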
•
Support for Ethernet circuit cross-connect (CCC) encapsulation on pseudowire
subscriber logical interface (MX Series)—Starting with Junos OS Release 15.1R3 and
16.1R1 and later releases, CCC encapsulation is supported on the transport side of an
MPLS pseudowire subscriber logical interface. This feature helps in migrating or
deploying seamless MPLS architectures in access networks. Customers deploying
either business edge or broadband residential edge access networks use this feature
to configure interfaces over the virtual Ethernet interface similar to what is already
available on physical Ethernet interfaces.
You can define only one transport logical interface per pseudowire subscriber logical
interface. Although the unit number can be any valid value, we recommend that unit
0 represent the transport logical interface. Two types of pseudowire signaling are
allowed: Layer 2 circuit and Layer 2 VPN.
[See Pseudowire Subscriber Logical Interfaces Overview.]
•
Support for DDoS on pseudowire subscriber logical interface (MX Series)—Starting
with Junos OS Release 15.1R3 and 16.1R1 and later releases, distributed denial-of-service
(DDoS) protection is supported on the services side of an MPLS pseudowire subscriber
logical interface. DDoS protection identifies and suppresses malicious control packets
while enabling legitimate control traffic to be processed. This protection enables the
device to continue functioning, even when attacked from multiple sources. Junos OS
DDoS protection provides a single point of protection management that enables
network administrators to customize a profile appropriate for the control traffic on
their networks.
•
Support for Policer and Filter on pseudowire subscriber logical interface (MX
Series)—Starting with Junos OS Release 15.1R3 and 16.1R1 and later releases, Policer
and Filter are supported on the services side of an MPLS pseudowire subscriber logical
interface. Policer defines a set of traffic rate limits and sets consequences for traffic
that does not conform to the configured limits. Firewall filters restrict traffic destined
for the Routing Engine based on its source, protocol, and application. Also, firewall
filters limit the traffic rate of packets destined for the Routing Engine to protect against
flood or denial-of-service (DoS) attacks.
•
Support for accurate transmit logical interface statistics on pseudowire subscriber
logical interface (MX Series)—Starting with Junos OS Release 15.1R3 and 16.1R1 and
later releases, accurate transmit statistics on logical interface are supported on the
services side of an MPLS pseudowire subscriber logical interface. These statistics report
actual transmit statistics instead of the offered load statistics given by the router for
the pseudowire subscriber service logical interfaces.
[See Pseudowire Subscriber Logical Interfaces Overview.]
•
Egress peer engineering of service labels (BGP, MPLS) and egress peer protection
for BGP-LU (MX Series)—Beginning with Junos OS Release 14.2R4, you can enable
traffic engineering of service traffic, such as MPLS LSP traffic between autonomous
systems (ASs), using BGP-labeled unicast for optimum utilization of the advertised
egress routes. You can specify one or more backup devices for the primary egress AS
boundary router. Junos OS installs the backup path in addition to the primary path in
the MPLS forwarding table, which enables MPLS fast reroute (FRR) when the primary
link fails.
•
MPLS Encapsulated Payload load-balancing (MX Series)—Starting with Junos OS
Release 16.1, you can configure the zero-control-word option to indicate the start of an
Ethernet frame in an MPLS ether-pseudowire payload. On seeing this control word (four
bytes with a numerical value of all zeros), the hash generator assumes the start of the
Ethernet frame, continues to parse the packet from there, and generates the hash. For
DPC I-chip-based cards, configure the zero-control-word option at the [edit forwarding-options
hash-key family mpls ether-pseudowire] hierarchy level, and for MPC cards, configure
the zero-control-word option at the [edit forwarding-options enhanced-hash-key family
mpls ether-pseudowire] hierarchy level.
•
LDP native IPv6 support (MX Series)—Starting with Junos OS Release 16.1, LDP is
supported in an IPv6 network only, and in an IPv6 or IPv4 dual-stack network. Configure
the address family as inet for IPv4 or inet6 for IPv6. By default, IPv6 is used as the TCP
transport for an LDP session with its peers when both IPv4 and IPv6 are enabled. The
dual-transport statement allows Junos OS LDP to establish the TCP connection over
IPv4 with IPv4 neighbors, and over IPv6 with IPv6 neighbors as a single-stack LSR. The
inet-lsr-id and inet6-lsr-id are the two LSR IDs that have to be configured to establish
an LDP session over IPv4 and IPv6 TCP transport. These two IDs should be non-zero
and must be configured with different values.
•
MPLS-TP enhancements for on-demand connectivity verification (MX
Series)—Starting with Junos OS Release 16.1, the transport profile (TP) of MPLS
supports two additional channel types for the default LSPING channel type. These
additional channel types provide on-demand connectivity verification (CV) with and
without IP/UDP encapsulation.
With this feature, the following channel types are supported in the MPLS-TP mode:
•
On-demand CV (0x0025)—This channel type is a new pseudowire channel type
and is used for on-demand CV without IP/UDP encapsulation, where IP addressing
is not available or non-IP encapsulation is preferred.
•
IPv4 (0x0021)—This channel type uses the IP/UDP encapsulation and provides
interoperability support with other vendor devices using IP addressing.
•
LSPING (0x0008)—This is the default channel type for Junos OS, and the GACH-TLV
is used along with this channel type.
As per RFC 7026, GACH-TLV is deprecated for 0x0021 and 0x0025 channel types.
To configure a channel type for MPLS-TP, include the lsping-channel-type channel-type
statement at the [edit protocols mpls label-switched-path lsp-name oam mpls-tp-mode]
and [edit protocols mpls oam mpls-tp-mode] hierarchy levels.
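The zero-control-word entry and the MPLS-TP channel type list above both depend on the first four bytes after the MPLS label stack. The following added Python sketch (not Juniper code) classifies that word: all zeros means an Ethernet frame follows, and a first nibble of 0001 is an associated channel header (RFC 5586) whose low 16 bits carry the channel type. The sample packets, label values and the choice of extracted Ethernet fields are constructed assumptions.

```python
import struct

# Channel types listed in the release note for MPLS-TP mode.
CHANNEL_TYPES = {0x0008: "LSPING", 0x0021: "IPv4", 0x0025: "On-demand CV"}


def label_entry(label, bottom, ttl=64):
    """Build one label stack entry: label(20) | TC(3) | S(1) | TTL(8)."""
    return struct.pack("!I", (label << 12) | (int(bottom) << 8) | ttl)


def pop_label_stack(packet):
    """Walk 4-byte entries up to the bottom-of-stack (S) bit.
    Returns (labels, offset of the first byte after the stack)."""
    labels, offset = [], 0
    while True:
        if offset + 4 > len(packet):
            raise ValueError("label stack truncated before the S bit")
        (entry,) = struct.unpack_from("!I", packet, offset)
        labels.append(entry >> 12)
        offset += 4
        if entry & 0x100:
            return labels, offset


def classify_payload(packet):
    """Classify what follows the label stack from its first 32-bit word."""
    labels, offset = pop_label_stack(packet)
    if offset + 4 > len(packet):
        raise ValueError("no word after the label stack")
    (word,) = struct.unpack_from("!I", packet, offset)
    body = packet[offset + 4:]
    if word == 0:
        # Zero control word: the Ethernet frame starts right after it, so
        # header fields for a hash key can be read at fixed offsets.
        if len(body) < 14:
            raise ValueError("Ethernet header truncated")
        return {"kind": "ethernet", "labels": labels,
                "dst_mac": body[0:6].hex(), "src_mac": body[6:12].hex(),
                "ethertype": struct.unpack_from("!H", body, 12)[0]}
    if word >> 28 == 0x1:
        # Associated channel header: 0001 | version | reserved | channel type
        channel = word & 0xFFFF
        return {"kind": "ach", "labels": labels,
                "version": (word >> 24) & 0xF, "channel_type": channel,
                "channel_name": CHANNEL_TYPES.get(channel)}
    # Anything else (for example a frame sent without a control word) is not
    # guessed at; without the control word the start of the frame is ambiguous.
    return {"kind": "unclassified", "labels": labels, "first_word": word}


# Constructed samples.
ETH_HEADER = bytes.fromhex("001122334455" "66778899aabb" "0800")
PW_ETH = (label_entry(299776, False) + label_entry(16, True)
          + b"\x00\x00\x00\x00" + ETH_HEADER + b"payload")
PW_CV = label_entry(16, True) + struct.pack("!I", 0x10000025)
NO_CW = label_entry(16, True) + ETH_HEADER + b"payload"

if __name__ == "__main__":
    for name, pkt in (("PW_ETH", PW_ETH), ("PW_CV", PW_CV), ("NO_CW", NO_CW)):
        print(name, classify_payload(pkt))
```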
Multicast
•
Improved multicast convergence and RPT-SPT support for BGP-MVPN (MX
Series)—Starting with Junos OS Release 16.1, support for multicast forwarding-cache
threshold is extended to rendezvous-point tree shortest-path tree (RPT-SPT) mode
for BGP-MVPN. In addition, for both Rosen and next-generation MVPNs, PE routers
across all sites should see the same set of multicast routes even if the configured
forwarding-cache limit is exceeded.
To configure a specific threshold for MVPN RPT, set one or both of the
mvpn-rpt-suppress and mvpn-rpt-reuse statements at the [edit routing-instances name
routing-options multicast forwarding-cache] or [edit logical system name
routing-instances name routing-options multicast forwarding-cache] hierarchy level.
In addition, the show multicast forwarding-cache statistics command provides
information about both the general and RPT suppression states. Likewise, a list of
suppressed customer-multicast states can be seen by running the show mvpn
suppressed general| mvpn-rpt inet| inet6 instance name summary command.
•
Improved scaling for multicast OIFs (MX Series)—Starting with Junos OS Release
16.1, for both Rosen and NGEN-MVPN, improvements have been made to increase the
number of possible outgoing interfaces (OIFs) used in virtual routing and forwarding
(VRF). Changes have also been made to improve the efficiency of PIM Join/Prune
message processing and to support the increased scaling.
These changes are implemented by default and do not need to be explicitly enabled.
The following operational commands support the increased scale:
•
show multicast next-hops terse
•
show multicast route oif-count
•
show multicast statistics interface
•
show pim join downstream-count
•
Fast-failover according to flow rate (MX Series with MPCs)—Starting in Junos OS
Release 16.1, for routers operating in Enhanced IP Network Services mode, you can
configure a threshold that triggers fast failover in NG MVPNs with hot-root standby on
the basis of aggregate flow rate. For example, fast failover (as defined in Draft Morin
L3VPN Fast Failover 05) is triggered if the flow rate of monitored multicast traffic from
the provider tunnel drops below the set threshold.
•
SAFI 129 NLRI compliance with RFC 6514 (MX Series)—Starting in Junos OS Release
16.1, the Network Layer Reachability Information (NLRI) format used for BGP VPN
multicast has changed. Now Junos OS uses Subsequent Address Family Identifier
(SAFI) 129, as defined in RFC 6514, which is length, prefix. Previous releases of Junos
OS use SAFI 128 (which is length, label, prefix).
•
Latency fairness optimized multicast (MX Series)—Starting with Junos OS Release
16.1R1, you can reduce latency in the multicast packet delivery by optimizing multicast
packets sent to the Packet Forwarding Engines. You can achieve this by enabling the
ingress or local-latency-fairness option in the multicast-replication configuration
statement at the [edit forwarding-options] hierarchy level. The multicast-replication
statement is supported only on platforms with the enhanced-ip mode enabled. This
feature is not supported in VPLS networks and Layer 2 bridging.
Network Management and Monitoring
•
Support for RFC 4878 (MX Series and T Series)—Starting with Release 16.1, Junos
OS supports IETF standard RFC 4878, Definitions and Managed Objects for Operations,
Administration, and Maintenance (OAM) Functions on Ethernet-Like Interfaces.
To enable generation of SNMP traps, dot3OamThresholdEvent and
dot3OamNonThresholdEvent, you must configure the new dot3oam-events statement
at the [edit snmp trap-groups <group-name> categories] hierarchy level.
NOTE:
•
Junos OS does not support the dot3oamFramesLostDueToOam object in
the dot3OamStatsEntry table. In addition, Junos OS does not support the
SNMP set operations for the OAM MIBs.
•
If link fault management (LFM) is configured on an aggregated Ethernet (AE) bundle,
you must perform SNMP operations individually for each interface
in the AE bundle because some OAM MIB tables are maintained only for
member interfaces in the AE bundle.
•
SNMP support to monitor the total number of subscribers per PIC and per
slot—Starting in Junos OS Release 16.1R1, you can monitor the total number of
subscribers per PIC and per slot. The MIB tables jnxSubscriberPicCountTable and
jnxSubscriberSlotCountTable are added to the Juniper Networks enterprise-specific
Subscriber MIB to support this feature. In releases earlier than Junos OS Release 16.1,
you need to use the show subscribers summary pic and show subscribers summary slot
operational commands, respectively, to display the total number of subscribers per
PIC and per slot.
•
SNMP support for the timing feature on MPC5E and MPC6E—Starting in Junos OS
Release 16.1R1, SNMP supports the timing feature on MPC5E and MPC6E. Currently,
SNMP support is limited to defect and event notifications through SNMP traps. The
enterprise-specific MIB, Timing Feature Defect/Event Notification MIB, allows you to
monitor the operation of PTP clocks within the network. The trap notifications are
disabled by default. To enable trap notifications for timing events and defects, include
the timing-event statement at the [edit snmp trap-group trap-group object categories]
hierarchy level.
•
Support for Entity State MIBs (T Series)—Starting with Junos OS Release 16.1, support
for IETF standard RFC 4268, Entity State MIB, is extended to the T Series. Junos OS
provides read-only support for the Entity State MIB.
•
IPv6 support for traceroute with AS number lookup (MX Series and T Series)—Starting
with Junos OS Release 16.1R1, IPv6 is supported for traceroute with the
as-number-lookup option. Traceroute is an application used to display a list of routers
between the device and a specified destination host. Traceroute also provides an
option to look up the autonomous system (AS) number of each intermediate hop on
the path from the host to the destination.
[See traceroute.]
•
Support for the interface-set SNMP index (MX Series)—Starting with Release 16.1,
Junos OS supports the interface-set SNMP index that provides information about
interface-set queue statistics. The following interface-set SNMP index MIBs are
introduced in the Juniper Networks enterprise-specific Class-of-Service MIB:
•
jnxCosIfTable in jnxCos MIB
•
jnxCosIfsetQstatTable in jnxCos MIB
•
SNMP support for fabric queue depth, WAN queue depth, and fabric counter (MX240,
MX480, MX960, MX2010, and MX2020)—Starting with Release 16.1, Junos OS provides
SNMP support for WAN queue depth, fabric queue depth, and fabric counter. The
following SNMP MIB tables include the associated objects:
•
jnxCosQstatTable table
•
jnxCosIngressQstatTable table
•
jnxFabricMib table
In addition, this feature supports the following traps for the Packet Forwarding Engine
resource monitoring MIBs:
•
jnxPfeMemoryTrapVars
•
jnxPfeMemoryNotifications
•
New SNMP MIB object for RADIUS accounting subscribers (MX Series)—Starting
with Release 16.1R1, Junos OS supports a new SNMP MIB object,
jnxSubscriberAccountingTotalCount, in JUNIPER-SUBSCRIBER-MIB whose object
identifier is {jnxSubscriberGeneral 7}. The jnxSubscriberAccountingTotalCount object
provides information about the total number of subscribers that have RADIUS
accounting enabled.
•
Support for Agent Capabilities MIB (MX Series)—Starting with Release 16.1, Junos
OS introduces the Agent Capabilities MIB, which provides information about the
implementation characteristics of an Agent subsystem in a network management
system. The MIB provides you details of the MIB objects and tables that are supported
by an Agent, the conformance and variance information associated with the managed
objects in the Agent, and the access level of each object. Currently, the Agent Capability
MIB is applicable only for the MPLS and multicast MIBs.
•
New indicators for the jnxLEDState MIB (MX5, MX10, MX40, MX80, MX104, and
MX240 routers)—Starting with Release 16.1, Junos OS introduces the following six
new indicators for the jnxLEDState MIB object in the jnxLEDEntry MIB table:
•
off—Offline, not running
•
blinkingGreen—Entering state of ok, good, normally working
•
blinkingYellow—Entering state of alarm, warning, marginally working
•
blinkingRed—Entering state of alert, failed, not working
•
blinkingBlue—Entering state of ok, online as an active primary
•
blinkingAmber—Entering state of offline, not running
•
Support for RFC 5132, IP Multicast MIB (MX Series and T Series)—Starting with Junos
OS Release 16.1, Junos OS supports tables and objects defined in RFC 5132, IP Multicast
MIB, except the ipMcastZoneTable table. RFC 5132, IP Multicast MIB, obsoletes RFC
2932, IPv4 Multicast Routing MIB.
Operation Administration and Management
•
Configuration support for multiple up MEPs for interfaces belonging to a single VPLS
service or a bridge domain (MX Series with MPC)—Starting with Junos OS Release
16.1R1, you can configure multiple up maintenance association endpoints (MEP) for a
single combination of maintenance association ID and maintenance domain ID for
interfaces belonging to a particular VPLS service or a bridge domain.
To configure multiple up MEPs, specify the mep mep-id statement at the [edit protocols
oam ethernet connectivity-fault-management maintenance-domain domain-name
maintenance association ma-name] hierarchy level, when the MEP direction is configured
as direction up.
•
Ethernet loss measurement counter support for each class in a multiclass
environment—Junos OS supports Ethernet loss measurement (ETH-LM) for multiclass
services. The ETH-LM feature is used by operators to collect frame loss counter values
for ingress and egress service frames. Starting with Junos OS Release 16.1R1, the ETH-LM
feature is extended to support the frame loss measurement counters for each class
of packets in a multiclass environment. Counters for each class of packets are supported
for point-to-point services only.
NOTE: ETH-LM is currently supported for VPWS services only.
ETH-LM maintains counters based on the forwarding class and loss priority of a packet.
The loss priority determines the color of a packet—for example, green indicates loss
priority low for committed information rate (CIR) and yellow indicates loss priority
medium-high for excess information rate (EIR). The color (green and yellow) counters
are maintained for each class of packets. Based on the counters supported on an
interface, you can configure accounting modes with color or without color for Ethernet
loss measurement:
•
Forwarding class-based accounting with color—In this mode, traffic is serviced based
on packet loss priority and forwarding class. Two counters—green and yellow—are
maintained for each forwarding class on each service interface. In this mode, an OAM
(operation, accounting, and maintenance) packet collects counters based on the
forwarding class.
To configure this mode of loss measurement accounting, use the
enable-multiclass-loss-measurement statement at the [set protocols oam ethernet
connectivity-fault-management performance-monitoring] hierarchy level for global
configuration or at the [set protocols oam ethernet connectivity-fault-management
performance-monitoring interface interface-name] hierarchy level for interface-level
configuration.
•
Forwarding class-based accounting without color—In this mode, traffic is serviced
based on the forwarding class only. Only one counter is maintained for each
forwarding class in each service interface.
To configure this mode of loss measurement accounting, use the
enable-multiclass-loss-measurement and colorless-loss-measurement statements
at the [set protocols oam ethernet connectivity-fault-management
performance-monitoring] hierarchy level for global configuration or at the [set
protocols oam ethernet connectivity-fault-management performance-monitoring
interface interface-name] hierarchy level for interface-level configuration.
•
Color-based accounting—In this mode, traffic is serviced based on the loss priority.
Two counters—green and yellow—are maintained for each service interface.
Color-based accounting is the default loss measurement mode and requires no
configuration.
•
Code point-based accounting (without color)—In this mode, traffic is serviced based
on the 802.1p priority bits. One counter is maintained for each code point (priority
bit) on each service interface. If there are user virtual LAN or 802.1p rewrite rules
configured, loss measurement accounting is done before applying the rewrite rules.
To configure this mode, use the code-point-based-lm-accounting statement at the
[set protocols oam ethernet connectivity-fault-management performance-monitoring]
hierarchy level for global configuration or at the [set protocols oam ethernet
connectivity-fault-management performance-monitoring interface interface-name]
hierarchy level for interface-level configuration.
NOTE: Code point-based accounting mode does not work if virtual LAN
pop or push is configured on the interface. If pop or push is configured,
the 802.1p bits are removed from the data packets. In such
cases, you can use forwarding class-based accounting if a one-to-one
mapping exists between a forwarding class and the 802.1p bits value;
otherwise, you can use the priority-based accounting mode.
•
Priority-based accounting—In this mode, four counters are maintained for each
forwarding class for each interface, with each counter corresponding to either green
or yellow colors. To configure this mode, use the priority-based-lm-accounting
statement at the [set protocols oam ethernet connectivity-fault-management
performance-monitoring] hierarchy level for global configuration or at the [set
protocols oam ethernet connectivity-fault-management performance-monitoring
interface interface-name] hierarchy level for interface-level configuration.
•
Support extended for IEEE 802.1ag Ethernet OAM (MX Series routers with MPC2E,
MPC3E, MPC5E, and MPC6)—Support for the IEEE 802.1ag standard for Operation,
Administration, and Maintenance (OAM) is now available on MX Series routers with
MPC2E, MPC3E, MPC5E, and MPC6. The IEEE 802.1ag specification provides for Ethernet
connectivity fault management (CFM), which monitors Ethernet networks that might
comprise one or more service instances for network-compromising connectivity faults.
•
Support for MEF-36-compliant performance monitoring (MX Series)—Starting in
Release 16.1R1, Junos OS supports performance monitoring that is compliant with
Technical Specification MEF 36. You can enable MEF-36-compliant performance
monitoring by configuring the measurement-interval statement at the [edit protocols
oam ethernet cfm performance-monitoring] hierarchy level.
NOTE: When MEF-36-compliant performance monitoring is enabled, an
SNMP get next request for a variable might not fetch the current value
unless an SNMP walk is performed before performing the get next request.
This limitation applies only to the current statistics for delay measurement,
loss measurement, and synthetic loss measurement.
When MEF-36-compliant performance monitoring is enabled:
•
The output for the field Current delay measurement statistics might display a
measurement interval of 0 (zero) and an incorrect timestamp until the first cycle
time has expired.
•
Supported data TLV size for performance monitoring protocol data units (PDUs) is
1386 bytes when MEF-36-compliant performance monitoring is enabled. The TLV
size is 1400 bytes in legacy mode.
•
The maximum configurable value for the lower threshold bin is 4,294,967,294.
•
Frame loss ratio (FLR) is excluded from loss measurements during a period of
unavailability for synthetic loss measurement only. For loss measurement,
FLR is included even during a period of unavailability.
•
During a period of loss of continuity (adjacency down), although SOAM PDUs are
not sent, FLR and availability calculations are not stopped. These calculations are
performed with the assumption of 100% loss.
•
The number of SOAM PDUs that are sent during the first measurement interval might
be less than expected. This is because of a delay in detecting the adjacency state
at the performance monitoring session level.
•
The number of SOAM PDUs transmitted during a measurement interval for a cycle
time of 100 ms might not be accurate. For example, in a measurement interval of
two minutes with a cycle time of 100 ms, the SOAM PDUs transmitted might be in the
range of 1198 to 2000.
Routing Policy and Firewall Filters
•
New load-balancing options using source or destination IP address only (MX
Series)–Starting in Junos OS Release 16.1, new load-balancing options based solely
on the source or destination IP address are available. Using only source IP or destination
IP as the basis for generating load-balancing hashes helps service providers to ensure
that both incoming and outgoing traffic through provider edge (PE) routers is sent
toward the content server that maintains subscriber state for a given subscriber. These
options are intended for use in deep packet inspection (DPI) networks with
per-subscriber awareness and in environments that employ transparent caching.
•
Policer overhead adjustment at the interface level (MX Series)—Starting in Junos
OS Release 16.1, policer-overhead adjustment for ingress and egress policers is defined
at per-IFL, per-direction granularity to address the MEF CE 2.0 requirements for the
bandwidth profile. The policer-overhead adjustment range is -16 bytes to +16
bytes. It is applied to all policers that take the L1/L2 packet length into account and
are exercised in the specified IFL/direction, including the corresponding IFF feature policers,
and is applied only to interface/filter-based policers.
[See Configuring the Accounting of Policer Overhead in Interface Statistics.]
•
New packet-per-second (pps)-based policer for transit and control traffic (MX
Series)–Starting in Junos OS Release 16.1, a new pps-based policer is available at the
[edit firewall policer policer-name] hierarchy level. This new policer is configured using
the if-exceeding-pps configuration statement. Compared to bandwidth-based policers,
the pps-based policer is more effective at combating low-and-slow types of DDoS
attacks. The pps-based policer can be applied in the same manner and the same
locations as bandwidth-based policers, but it cannot be used as a percentage-based
policer.
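Why a pps-based policer catches traffic that a bandwidth-based policer lets through, as an added Python simulation (not Juniper code). The single-rate token bucket is a generic model assumed here, not the Junos policer implementation, and the rates, burst sizes and traffic streams are constructed.

```python
US = 1_000_000  # microseconds per second; token counts are scaled by this


class Policer:
    """Single-rate token bucket using integer arithmetic.

    rate  - tokens added per second (bytes for bandwidth, packets for pps)
    burst - bucket depth in the same unit
    per_packet - True: every packet costs one token (pps policer)
                 False: a packet costs its length in bytes (bandwidth policer)
    """

    def __init__(self, rate, burst, per_packet):
        self.rate = rate
        self.cap = burst * US
        self.tokens = self.cap
        self.last_us = 0
        self.per_packet = per_packet

    def conforms(self, now_us, length):
        elapsed = now_us - self.last_us
        self.tokens = min(self.cap, self.tokens + elapsed * self.rate)
        self.last_us = now_us
        cost = (1 if self.per_packet else length) * US
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False  # out of profile: discarded


def stream(pps, length, seconds=1):
    """Constructed traffic: evenly spaced packets as (time_us, length)."""
    gap = US // pps
    return [(i * gap, length) for i in range(pps * seconds)]


def passed(policer, packets):
    return sum(1 for t, n in packets if policer.conforms(t, n))


def compare():
    """Run a small-packet stream and a normal stream through both policers."""
    streams = {
        # 5000 pps of 64-byte packets: only 2.56 Mbps on the wire
        "small-packet": stream(5000, 64),
        # 500 pps of 1500-byte packets: 6 Mbps of ordinary traffic
        "normal": stream(500, 1500),
    }
    results = {}
    for name, packets in streams.items():
        bandwidth = Policer(rate=1_250_000, burst=15_000, per_packet=False)  # 10 Mbps
        pps = Policer(rate=1000, burst=100, per_packet=True)                 # 1000 pps
        results[name] = {
            "offered": len(packets),
            "bandwidth": passed(bandwidth, packets),
            "pps": passed(pps, packets),
        }
    return results


if __name__ == "__main__":
    for name, row in compare().items():
        print(name, row)
```

The small-packet stream never exceeds the 10 Mbps bandwidth limit, so the bandwidth policer forwards all of it, while the pps policer holds it to roughly its configured packet rate and leaves the normal stream untouched.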
•
New route-filter-list and source-address-filter-list configuration statements (MX
Series)–Starting in Junos OS Release 16.1, the new route-filter-list and
source-address-filter-list statements provide an additional means of configuring route
filters and source address filters. Now you can configure route-filter-list or
source-address-filter-list at the [edit policy-options] hierarchy level for later use in a
policy statement. The lists are used in the same contexts as the route-filter and
source-address-filter statements. You can use the lists in multiple policy statements.
[See Understanding Route Filter and Source Address Filter Lists for Use in Routing Policy
Match Conditions.]
•
Priority for Route Prefixes in RPD Infrastructure (MX Series)—Starting in Junos OS
Release 16.1, you can specify a priority of high or low through the existing import policy
in protocols. Through priority, you can control the order in which the routes get updated
from LDP/OSPF to RPD, and RPD to kernel. In the event of a topology change, high
priority prefixes are updated in the routing table first, followed by low priority prefixes.
Routes that are not explicitly assigned a priority are treated as medium priority.
[See Example: Configuring the Priority for Route Prefixes in the rpd Infrastructure.]
•
New multifield ingress queuing classifier filter (MX Series with MPCs)–Starting in
Junos OS Release 16.1, you can apply the ingress-queuing-filter filter-name statement
at the [edit interfaces interface-name family family-name] hierarchy level for the following
protocol families: bridge, cc, inet, inet6, mpls, and vpls. The ingress-queuing-filter
statement allows you to set the forwarding class and loss priority for a packet prior to
ingress queue selection by applying a previously configured firewall filter. Multiple fields
within the packet header can be matched based on the configured protocol family
within the firewall filter.
•
Support for logical queue-depth in the Packet Forwarding Engine for IP options
packets for a given protocol (MX Series)— Starting with Junos OS Release 16.1R1, you
can configure logical queue-depth in the Packet Forwarding Engine for IP options
packets for a given protocol. The queue-depth indicates the number of IP options
packets which can be enqueued in the Packet Forwarding Engine logical queue, beyond
which it would start dropping the packets.
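The pps-based policer item above says a packet-rate limit catches attacks that a bandwidth limit misses. The following Python simulation is an added example, not Juniper code or Junos configuration: it models both policers as simple token buckets (an assumption about the mechanism), and every rate, burst size and traffic mix in it is constructed.

```python
class TokenBucket:
    """Single-rate policer model: tokens refill at `rate` per second, up to `burst`."""

    def __init__(self, rate, burst):
        self.rate = rate        # bits/s for a bandwidth policer, packets/s for a pps policer
        self.burst = burst      # bucket depth in the same unit
        self.tokens = burst     # start with a full bucket
        self.last = 0.0

    def conforms(self, now, cost):
        """Refill for the elapsed time, then try to spend `cost` tokens."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


# Hypothetical limits chosen for the illustration (not defaults of any product).
BANDWIDTH_BPS = 100_000_000   # 100 Mbit/s
BURST_BYTES = 125_000
PPS_LIMIT = 5_000             # packets per second
BURST_PACKETS = 100


def constant_stream(pps, size_bytes, seconds):
    """Constructed traffic: evenly spaced packets of a single size."""
    return [(i / pps, size_bytes) for i in range(int(pps * seconds))]


def police(stream):
    """Run the same packets through a bandwidth policer and a pps policer."""
    by_bandwidth = TokenBucket(BANDWIDTH_BPS, BURST_BYTES * 8)
    by_pps = TokenBucket(PPS_LIMIT, BURST_PACKETS)
    result = {"offered": 0, "dropped_by_bandwidth": 0, "dropped_by_pps": 0}
    for timestamp, size in stream:
        result["offered"] += 1
        if not by_bandwidth.conforms(timestamp, size * 8):   # cost is the packet length in bits
            result["dropped_by_bandwidth"] += 1
        if not by_pps.conforms(timestamp, 1):                # cost is one packet, whatever its size
            result["dropped_by_pps"] += 1
    return result


if __name__ == "__main__":
    # 64-byte packets at 20,000 pps is only about 10 Mbit/s, far below the bandwidth limit.
    print("small-packet stream:", police(constant_stream(20_000, 64, 1.0)))
    # 1500-byte packets at 4,000 pps is 48 Mbit/s and stays under both limits.
    print("bulk transfer:      ", police(constant_stream(4_000, 1500, 1.0)))
```

The small-packet stream is invisible to the bandwidth policer but loses about three quarters of its packets to the pps policer, while the bulk transfer passes both untouched.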
Routing Protocols
•
BGP flow specification for IPv6 (MX Series)—Starting with Junos OS Release 16.1,
this feature extends IPv6 support to the BGP flow specification and allows propagation
of traffic flow specification rules for IPv6 and IPv6 VPN. The BGP flow specification
automates coordination of traffic filtering rules in order to mitigate distributed
denial-of-service attacks. In earlier Junos OS releases, flow-specific rules were
propagated for IPv4 over BGP as network layer reachability information.
To enable the BGP flow specification for IPv6, include the flow statement at the [edit
routing-options] hierarchy level for global configuration or at the [edit routing-instances
routing-instance-name routing-options] hierarchy level for instance-level configuration.
[See flow-ipv6.]
•
Support for PTP over Ethernet (MX Series)—Starting in Junos OS Release 16.1R1, the
Precision Time Protocol (PTP) is supported over IEEE 802.3 or Ethernet links on MX
Series routers. This functionality is supported in compliance with the IEEE 1588-2008
specification.
For the base station vendors that support only packet interfaces by using Ethernet
encapsulation for PTP packets for time and phase synchronization, you can configure
any node (an MX Series router) that is directly connected to the base station to use
the Ethernet encapsulation method for PTP on a master port to support a packet-based
timing capability.
To configure Ethernet as the encapsulation type for transport of PTP packets on master
or slave interfaces, use the transport 802.3 statement at the [edit protocols ptp slave
interface interface-name multicast-mode] or [edit protocols ptp master interface
interface-name multicast-mode] hierarchy level.
•
Maximum period for autogeneration of keepalives by the kernel using precision timer
feature (MX Series)— Starting with Junos OS Release 16.1, precision timers in the kernel
autogenerate keepalives on behalf of BGP after a switchover event from standby to
master for a specified maximum period of time.
•
IS-IS Layer 2 mapping (MX Series and T Series)—Beginning with Junos OS Release
16.1, you can enable Layer 2 mapping of next-hop addresses using the IS-IS LAN and
point-to-point Hellos that supply all relevant Layer 2 and Layer 3 binding address
information for address resolution. The device at the receiving end can extract the
information and populate the ARP or Neighbor Discovery table even before the
installation of routes. Layer 2 mapping is a topology-driven rather than traffic-driven
next-hop resolution that minimizes traffic loss while activating an Ethernet link.
[See Layer 2 Mapping for IS-IS.]
•
IPv6 support for IS-IS BFD (MX Series and T Series)—Starting with Junos OS Release
16.1, you can configure IS-IS BFD sessions for IPv6. You can enable IS-IS BFD sessions
by including the bfd-liveness-detection statement at the [edit protocols isis interface
interface-name family inet|inet6] hierarchy level. Currently, IS-IS BFD configuration is
available at the [edit protocols isis interface interface-name] hierarchy level. At present,
BFD configuration is supported at both of these hierarchy levels.
[See bfd-liveness-detection.]
•
IS-IS FRR route convergence (MX Series)—Starting with Junos OS Release 16.1R1,
IS-IS fast reroute (FRR) route convergence enables you to restore sub-second service.
Sub-second service restoration is a key requirement for service providers on MPLS and
native IP-based networks.
There are many ways to achieve fast reroute with suboptimal next hop to reach a
destination, such as loop-free alternate (LFA) and remote loop-free alternate (RLFA).
In these cases, IGP downloads the primary and backup next hops beforehand in the
forwarding information base (FIB). The Packet Forwarding Engine does a local repair
when the primary next hop loses its reachability to a given destination. Because the
Packet Forwarding Engine already has an alternative path to reach its destination,
sub-second restoration is possible. If the destination is reachable through equal-cost
multipath (ECMP), only the primary path is downloaded to the FIB. When the bandwidth
of the ECMP links is lower than the required bandwidth for a destination, fast
convergence is not possible.
The best ECMP links are grouped as a unilist of primary next hops to reach the
destination. Suboptimal ECMP links are grouped as a unilist of backup next hops to
reach the destination. If the bandwidth of the primary next hops falls below the desired
bandwidth, the Packet Forwarding Engine does a local repair and traffic switches to
the unilist of backup next hops.
[See IS-IS Fast Reroute Route Convergence Overview.]
•
Advertising IPv4 routes over BGP IPv6 sessions (MX Series and T Series)—Beginning
with Junos OS Release 16.1, you can configure BGP to advertise IPv4 unicast reachability
with IPv4 next hop over an IPv6 BGP session. In earlier Junos OS releases, BGP could
advertise only inet6 unicast, inet6 multicast, and inet6 labeled unicast address families
over BGP IPv6 sessions. This feature allows BGP to exchange all the BGP address
families over an IPv6 BGP session.
[See Advertising IPv4 Routes over IPv6 Overview.]
•
BGP route prefix prioritization (MX Series and T Series)–Starting in Junos OS Release
16.1, you can prioritize BGP route updates using output queues. The output queues are
serviced using a token mechanism that allows you to assign routes to queues using
policies. There is an expedited queue and 16 numbered queues that range in priority
from lowest priority (1) to highest priority (16). The lowest priority queue (1) is designated
as the default queue. Routes that are not explicitly assigned to a queue by automatic
protocol determination or by user policy are placed in this queue.
•
IS-IS Purge Originator Identification TLV (MX Series)–Beginning with Junos OS Release
15.1F4, Junos OS supports RFC 6232, Purge Originator Identification TLV for IS-IS, which
defines a type, length, and value (TLV) for identifying the origin of a purge initiated by
the IS-IS protocol. You can configure this feature to add this TLV to a purge along with
the system ID of the Intermediate System (IS) that has initiated this purge. This makes
it easier to locate the origin of the purge and its cause. A new show command show
isis purge log is introduced to view the purge history and to identify the purge originator.
[See IS-IS Purge Originator Identification Overview.]
•
Weighted ECMP support for one-hop IS-IS neighbors (MX Series)—Beginning with
Junos OS Release 15.1F4, you can configure the IS-IS protocol to get the logical interface
bandwidth information associated with the gateways of equal-cost multipath (ECMP)
next hop. During per-packet load balancing, traffic distribution is based on the available
bandwidth to facilitate optimal bandwidth usage for incoming traffic on an ECMP path
of one hop distance. The Packet Forwarding Engine does not distribute the traffic
equally, but considers the balance values and distributes the traffic according to the
bandwidth availability. However, this feature is not available for ECMP paths that are
more than one hop away.
[See Weighted ECMP Traffic Distribution on One Hop IS-IS Neighbors Overview.]
•
Statements introduced to delay the DHCP-OFFER and DHCP-ADVERTISE for DHCPv4
and DHCPv6 server bindings—Starting in Junos OS 16.1R1, you can delay the
DHCP-OFFER/DHCP-ADVERTISE sent to the subscribers. This feature is applicable
only for DHCPv4 and DHCPv6 server bindings. You can configure the OFFER/ADVERTISE
delay per ACI/ARI. You can configure the delay time between 1 and 30 seconds. If you
don't configure any delay time, then the default value of 3 seconds will be used.
To configure the DHCP-OFFER delay for DHCPv4 server bindings, use the delay-offer
delay-time <time in seconds> statement at the [edit system services dhcp-local-server
overrides] hierarchy level. The delay will take effect only if at least one of the options
(option-60/option-70/option-82) is configured. To configure options, go to the [edit
system services dhcp-local-server overrides based-on] hierarchy level.
To configure the DHCP-ADVERTISE delay for DHCPv6 server bindings, use the
delay-advertise delay-time <time in seconds> statement at the [edit system services dhcp-local-server
dhcpv6 overrides] hierarchy level. The delay will take effect only if at least one of the
options (option-15/option-16/option-17/option-37) is configured. To configure options,
go to the [edit system services dhcp-local-server dhcpv6 overrides based-on] hierarchy
level.
•
Support for BGP Optimal Route Reflection (BGP-ORR) (MX Series)—Starting with
Junos OS Release 16.1R1, you can configure BGP-ORR with IS-IS as the interior gateway
protocol (IGP) on a route reflector to advertise the best path to the BGP-ORR client
groups by using the shortest IGP metric from a client's perspective, instead of the route
reflector's view.
To enable BGP-ORR, include the optimal-route-reflection statement at the [edit
protocols bgp group group-name] hierarchy level.
Client groups sharing the same or similar IGP topology can be grouped as one BGP
peer group. You can configure optimal-route-reflection to enable BGP-ORR in that BGP
peer group. You can also configure one of the client nodes as the primary node
(igp-primary) in a BGP peer group so that the IGP metric from that primary node is used
to select the best path and advertise it to the clients in the same BGP peer group.
Optionally, you can also select another client node as the backup node (igp-backup),
which is used when the primary node (igp-primary) goes down or is unreachable.
•
Flow-aware transport pseudowire for BGP L2VPN and BGP VPLS (MX Series)—
Starting with Junos OS Release 16.1, the flow-aware transport (FAT) label that is
supported for BGP-signaled pseudowires such as L2VPN and VPLS is configured only
on the label edge routers (LERs). This causes the transit routers or label-switching
routers (LSRs) to perform load balancing of MPLS packets across equal-cost multipath
(ECMP) paths or link aggregation groups (LAGs) without the need for deep packet
inspection of the payload. The FAT flow label can be used for LDP-signaled forwarding
equivalence class (FEC 128 and FEC 129) pseudowires for VPWS and VPLS pseudowires.
•
Control word feature for LDP VPLS and FEC129 VPLS (MX Series)— Starting with
Junos OS Release 16.1, the control word feature is supported for LDP VPLS and FEC129
VPLS.
•
Flow-aware transport pseudowire for BGP L2VPN and BGP VPLS (MX Series)—
Starting with Junos OS Release 16.1R1, the flow-aware transport (FAT) label is supported
for BGP-signaled pseudowires such as L2VPN and VPLS. Configuring flow-label-receive
and flow-label-transmit on the label edge routers (LERs) enables the transit routers or
label-switching routers (LSRs) to perform load balancing of MPLS packets across
equal-cost multipath (ECMP) paths or link aggregation groups (LAGs) without the
need for deep packet inspection of the payload.
Security
•
Support for IPv6 NDP DoS issue (MX Series)—Starting with Junos OS Release 16.1R1,
you can address the IPv6 Neighbor Discovery Protocol (NDP) denial-of-service (DoS)
issue at the Routing Engine.
Unlike IPv4 subnets, IPv6 subnets have large address spaces in which the majority of
addresses remain unassigned. When a network scan tool or an attacker initiates traffic to
nonexistent hosts through a router on a subnet that is directly connected to the router,
the router attempts to perform address resolution on a large number of destinations.
This condition can prevent the resolution of new neighbors, make existing neighbors
unreachable, and result in a DoS attack.
NDP inspection or protection addresses the NDP DoS issue by implementing the
prioritization of NDP activities on the Routing Engine. At the ingress router, neighbor
discovery (ND) packets are classified and handled according to a predefined priority
with multiple ingress queues. On the egress path, neighbor solicitations (NS) sent for
previously unseen hosts are handled with a lower priority by deferring the process of
next-hop creation and sending out the packet.
[See Supported IPv6 Standards.]
•
Support for mitigating potential DDoS issues with IPv6 NDP and resolve traffic (MX
Series)—Starting with Junos OS Release 16.1R1, you can resolve potential distributed
denial-of-service (DDoS) issues with the IPv6 Neighbor Discovery Protocol (NDP) and
traffic.
The fundamental challenge of IPv6 NDP DDoS is the large address space of IPv6 that
allows attackers to trigger a huge number of resolves that exhaust the router resources.
The resolution mechanism and DDoS NDP policer help mitigate the problem to some
extent.
The functionality primarily extends the flow-detection CLI and optimizes the hostbound
classification (HBC) filter to make packet-type searching faster. It also extends the
NDP DDoS protocol group to classify the NDP types. Full Ethernet or IPv6 fields support
is added by allowing destination addresses.
[See Understanding Distributed Denial-of-Service Protection with IPv6 Neighbor Discovery
Protocol.]
Services Applications
•
Data plane inline support for 6rd and 6to4 tunnels connecting IPv6 clients to IPv4
networks (MX Series with MPC5E and MPC6E)—Starting with Release 16.1R1, Junos
OS supports inline 6rd and 6to4 on MPC5E and MPC6E line cards. In releases earlier
than Junos OS Release 16.1R1, inline 6rd and 6to4 were supported on MPC3E line cards
only.
•
Support for inline MPLS Junos Traffic Vision with IPFIX and v9 (MX Series)—Starting
in Junos OS Release 15.1F2 and 16.1R1, support of the MX Series routers for the inline
Junos Traffic Vision feature is extended to the MPLS family (MPLS and MPLS-IPv4
templates) consisting of the IP Flow Information Export (IPFIX) protocol and flow
monitoring version 9 (v9). In previous releases, the inline Junos Traffic Vision feature
was supported only for IPv4, IPv6, and VPLS families. In this release, the inline Junos Traffic
Vision feature is extended to MPC5E and MPC6E for the VPLS address family.
•
Support for inline video monitoring on MPC2E-NG, MPC3E-NG, MPC5E, and MPC6E
(MX Series routers)—Starting in Junos OS Release 16.1, support for video monitoring
using media delivery indexing (MDI) criteria is expanded to include the MPC2E-NG,
MPC3E-NG, MPC5E, and MPC6E.
[See Inline Video Monitoring Overview.]
•
Support for RFC 2544-based benchmarking tests (MX Series)—Junos OS Release 16.1
extends support for the reflector function and the corresponding RFC 2544-based
benchmarking tests on MX Series routers with MPC1 (MX-MPC1-3D), MPC2
(MX-MPC2-3D), and the 16-port 10-Gigabit Ethernet MPC (MPC-3D-16XGE-SFP). The
RFC 2544 tests are performed to measure and demonstrate the service-level agreement
(SLA) parameters before activation of the service. The tests measure throughput,
latency, frame loss rate, and back-to-back frames.
RFC 2544-based benchmarking tests on MX Series routers support the following
reflection functions:
•
Ethernet pseudowire reflection (ingress and egress direction) (ELINE
service—supported for family ccc)
•
Layer 2 reflection (egress direction) (ELAN service—supported for family bridge,
vpls)
•
Layer 3 IPv4 reflection (limited support)
To run the benchmarking tests on the MX Series routers, you must configure reflection
(Layer 2 or pseudowire) on the supported MPC. To configure the reflector function on
the MPC, use the chassis fpc fpc-slot-no slamon-services rfc2544 statement at the
[edit] hierarchy level.
•
Support for RPM probes with IPv6 sources and destinations (MX Series routers with
MPCs)—Starting in Junos OS Release 16.1, the RPM client router (the router or switch
that originates the RPM probes) can send probe packets to the RPM probe server (the
device that receives the RPM probes) that contains an IPv6 address. To specify the
destination IPv6 address used for the probes, include the target (url ipv6-url | address
ipv6-address) statement at the [edit services rpm probe owner test test-name] hierarchy
level. You can also define the RPM client or the source that sends RPM probes to contain
an IPv6 address. To specify the IPv6 protocol-related settings and the source IPv6
address of the client from which the RPM probes are sent, include the inet6-options
source-address ipv6-address statement at the [edit services rpm probe owner test
test-name] hierarchy level.
•
Provide egress VLAN ID and flow direction information in sampling records (MX
Series)—Starting in Junos OS Release 16.1R1, Junos OS can include flow direction and
egress VLAN ID information in the output records when you perform inline sampling
on IPv4 or IPv6 traffic by using the IPFIX or version 9 templates. You can optionally
include VLAN IDs in both the ingress and egress directions in the flow key.
[See Configuring Flow Aggregation to Use Version 9 Flow Templates and Configuring
Flow Aggregation to Use IPFIX Flow Templates.]
•
Support for inline MPLS Junos Traffic Vision with IPFIX and v9 (MX Series)—Starting
in Junos OS Release 16.1, support for the inline Junos Traffic Vision feature on MX Series
routers is extended to the MPLS family (MPLS and MPLS-IPv4 templates), consisting
of the IP Flow Information Export (IPFIX) protocol and flow monitoring version 9 (v9).
In previous releases, the inline Junos Traffic Vision feature was supported only for IPv4,
IPv6, and VPLS families.
The inline Junos Traffic Vision feature is extended to the MPC5E and MPC6E for the VPLS
address family. Also, inline Junos Traffic Vision support using version 9 templates is
extended to the VPLS family.
•
NOTE: This feature is documented but not supported in Junos OS Release
16.1R1.
Subscriber-aware and application-aware traffic treatment (MX Series with
MS-MPC)—Although present in the code, the subscriber-aware and application-aware
traffic treatment features are not supported in Junos OS Release 16.1R1.
Subscriber-aware and application-aware traffic treatment identifies the mobile or
fixed-line subscriber and enforces traffic treatment based on policies assigned to the
subscriber. A subscriber policy can be based on Layer 7 application information for the
IP flow (for example, YouTube) or can be based on Layer 3/Layer 4 information for
the IP flow (for example, the source and destination IP address). Subscriber policy
actions can include:
•
Redirecting HTTP traffic to another URL or IP address
•
Forwarding packets to a routing instance so that packets are directed to external
service chains (predefined sequence of services)
•
Setting the forwarding class
•
Setting the maximum bit rate
•
Performing HTTP header enrichment
•
Setting the gating status to blocked or allowed
•
Exclude interfaces support in flowspec (rpd-infra) (MX Series)—Starting in Release
15.1, Junos OS excludes applying the flowspec filter to traffic received on specific
interfaces. A new term is added at the beginning of the flowspec filter that accepts
any packet received on these specific interfaces. The new term is a variable that creates
an exclusion list of terms attached to the forwarding table filter as a part of the flow
specification filter.
To exclude the flowspec filter from being applied to traffic received on specific
interfaces, you must first configure a group-id on such interfaces by including the family
inet filter group group-id statement at the [edit interfaces] hierarchy level and then
attach the flowspec filter with the interface group by including the flow interface-group
group-id exclude statement at the [edit routing-options] hierarchy level. You can
configure only one group-id per routing instance with the set routing-options flow
interface-group group-id statement.
[See Understanding BGP Flow Routes for Traffic Filtering.]
Software Installation and Upgrade
•
Validate system software against running configuration on remote host—Beginning
with Junos OS Release 16.1R1, you can use the on (host host <username username> |
routing-engine routing-engine) option with the request system software validate
package-name command to verify candidate system software against the running
configuration on the specified remote host or Routing Engine.
•
Validate system software add against running configuration on remote host or
routing engine—Beginning with Junos OS Release 16.1R1, you can use the
validate-on-host hostname and validate-on-routing-engine routing-engine options with
the request system software add package-name command to verify a candidate software
bundle against the running configuration on the specified remote host or Routing
Engine.
[See request system software add.]
•
Unified ISSU support for upgrading from FreeBSD 6.1-based Junos OS to FreeBSD
10.x-based Junos OS (MX Series)—Starting with Junos OS Release 16.1R1, you can
upgrade from a FreeBSD 6.1-based Junos OS MX Series router to a FreeBSD 10.x-based
Junos OS MX Series router by performing
unified in-service software upgrade (ISSU). A unified ISSU enables you to upgrade
between two different Junos OS releases with minimal disruption on the control plane
and with minimal disruption of traffic.
Before performing a unified ISSU from a FreeBSD 6.1-based Junos OS to an upgraded
FreeBSD 10.x-based Junos OS, the configuration must be validated on a remote host
or on a Routing Engine. The remote host or the Routing Engine must be running a Junos
OS with an upgraded FreeBSD.
[See Example: Performing a Unified ISSU and Upgrading Junos OS with Upgraded
FreeBSD.]
•
New way to provision new routers automatically (MX Series)—As of Junos OS Release
16.1, zero touch provisioning (ZTP) allows you to provision new routers in your network
automatically either by executing a script file or by loading a configuration file. In either
case, the information is detected in a file on the Dynamic Host Control Protocol (DHCP)
server. In releases earlier than Junos OS Release 16.1, automatically provisioning a new
device was available only for switches.
[See Configuring Zero Touch Provisioning.]
•
Limited encryption Junos image (“Junos Limited”) created for customers in Armenia,
Belarus, Kazakhstan, Kyrgyzstan, and Russia (MX80, MX104, MX240, MX480,
MX960, MX2010, MX2020)—Starting in Junos OS Release 16.1R1, customers in the
Eurasian Customs Union (currently comprised of Armenia, Belarus, Kazakhstan,
Kyrgyzstan, and Russia) should use the “Junos Limited” image for MX240, MX480,
MX960, MX2010, and MX2020 routers instead of the “Junos Worldwide” image. The
“Junos Limited” image does not have data-plane encryption and is intended only for
countries in the Eurasian Customs Union because these countries have import
restrictions on software containing data plane encryption. Unlike the “Junos Worldwide”
image, the “Junos Limited” image supports control plane encryption through Secure
Shell (SSH) and Secure Sockets Layer (SSL), thus allowing secure management of
the system.
NOTE: The limited encryption Junos image (“Junos Limited”) is to be used
by customers in Armenia, Belarus, Kazakhstan, Kyrgyzstan, and Russia.
Customers in all other countries should use the “Junos” image, which was
introduced in 15.1R1 to replace the “Junos Domestic” image.
•
Limited encryption Junos image (“Junos Limited”) created for customers in Armenia,
Belarus, Kazakhstan, Kyrgyzstan, and Russia (MX80 and MX104)—Starting in Junos
OS Release 16.1R1, customers in the Eurasian Customs Union (currently comprised of
Armenia, Belarus, Kazakhstan, Kyrgyzstan, and Russia) should use the “Junos Limited”
image for MX80 and MX104 routers instead of the “Junos Worldwide” image. The
“Junos Limited” image does not have data-plane encryption and is intended only for
countries in the Eurasian Customs Union because these countries have import
restrictions on software containing data plane encryption. Unlike the “Junos Worldwide”
image, the “Junos Limited” image supports control plane encryption through Secure
Shell (SSH) and Secure Sockets Layer (SSL), thus allowing secure management of
the system.
NOTE: The limited encryption Junos image (“Junos Limited”) is to be used
by customers in Armenia, Belarus, Kazakhstan, Kyrgyzstan, and Russia.
Software Defined Networking
•
Support of Internet draft draft-ietf-pce-stateful-pce-07 for the stateful PCC
implementation (MX Series and T Series)—The partial client-side implementation
of the stateful Path Computation Element (PCE) architecture is currently based on
version 2 of Internet draft draft-ietf-pce-stateful-pce. Starting with Junos OS Release
16.1, this implementation is upgraded to support version 7, as defined in Internet draft
draft-ietf-pce-stateful-pce-07.
Releases prior to 16.1 support the older version of the PCE draft, causing interoperability
issues between a Path Computation Client (PCC) running a previous release and a
stateful PCE server that adheres to Internet draft draft-ietf-pce-stateful-pce-07.
[See Example: Configuring Path Computation Element Protocol for MPLS RSVP-TE.]
•
Support for PCEP-based reporting of point-to-multipoint LSPs (MX Series and T
Series)—A stateful Path Computation Element (PCE) provides external path
computation of traffic engineered (TE) label-switched paths (LSPs) for a Path
Computation Client (PCC) in an MPLS network. After a PCEP session is established
between a PCE and a PCC, the PCC reports all the LSPs in the system to the PCE for
LSP state synchronization. Currently, this includes PCC-controlled, PCE-delegated,
and PCE-initiated point-to-point RSVP-TE LSPs. Starting with Junos OS Release 15.1F6
and 16.1R1, this capability of a PCC is extended to report point-to-multipoint RSVP-TE
LSPs as well.
By default, a PCC does not support reporting of point-to-multipoint LSPs to a PCE. To
add this capability, include the p2mp-lsp-report-capability statement at the [edit
protocols pcep pce pce-name] or [edit protocols pcep pce-group group-id] hierarchy
levels.
A PCC configured with the capability of reporting point-to-multipoint LSPs to a PCE
enables the PCE to have greater visibility of individual per-LSP, per-device bandwidth
demands in the MPLS network.
[See Support of Path Computation Element Protocol for RSVP-TE Overview and Example:
Configuring Path Computation Element Protocol with Support for PCE Controlled
Point-to-Multipoint RSVP-TE LSPs.]
•
Support for securing PCEP sessions using MD5 authentication (MX Series and T
Series)—Starting with Junos OS Release 16.1, you can secure a Path Computation
Element Protocol (PCEP) session using TCP-MD5 authentication as per RFC 5440.
To enable the MD5 security mechanism for a PCEP session, it is recommended that
you define and bind the MD5 authentication key at the [edit protocols pcep pce pce-id]
hierarchy level for a PCEP session. You can, however, also use a predefined keychain
from the [edit security authentication-key-chains key-chain] hierarchy level to secure
a PCEP session. In this case, you should bind the predefined keychain into the PCEP
session at the [edit protocols pcep pce pce-id] hierarchy level.
The following configuration is executed on the Path Computation Client (PCC) to
establish a secure PCEP session with a Path Computation Element (PCE):
•
Using MD5 authentication key:
[edit protocols pcep pce pce-id]
[email protected]# set authentication-key key
•
Using predefined authentication keychain:
[edit protocols pcep pce pce-id]
[email protected]# set authentication-key-chain key-chain
[email protected]# set authentication-algorithm md5
For secure PCEP sessions to be established successfully, the MD5 authentication
should be configured with the pre-shared authentication key on both the PCE and the
PCC. The PCE and PCC use the same key to verify the authenticity of each segment
sent on the TCP connection of the PCEP session.
This feature protects the communication between a PCE and PCC over a PCEP session,
which might otherwise be subject to an attack that can disrupt network services.
You can view the authentication keychain used by a PCEP session by executing the
show path-computation-client status and show protocols pcep commands.
[See Support of Path Computation Element Protocol for RSVP-TE Overview.]
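The PCEP item above says the PCE and PCC use the same key to verify each segment on the TCP connection. The following Python sketch is an added example, not Juniper code: it computes and checks the TCP MD5 signature option as RFC 2385 defines it for IPv4, and the addresses, ports, sequence numbers and key are constructed sample values.

```python
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6
OPT_EOL, OPT_NOP, OPT_MD5SIG = 0, 1, 19   # TCP option kinds; 19 is the RFC 2385 signature
MD5SIG_LEN = 18                            # kind + length + 16-byte digest

# Constructed sample values (documentation addresses, made-up key).
PCC_IP, PCE_IP = "192.0.2.1", "192.0.2.2"
PCEP_PORT = 4189                           # registered TCP port for PCEP
SHARED_KEY = b"constructed-shared-key"
PCEP_KEEPALIVE = bytes.fromhex("20020004")  # version 1, type 2 (Keepalive), length 4


def fixed_header(sport, dport, seq, ack, flags, window, header_len):
    """20-byte fixed TCP header; checksum and urgent pointer are left at zero."""
    off_flags = ((header_len // 4) << 12) | flags
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, window, 0, 0)


def md5_digest(src_ip, dst_ip, header20, payload, key):
    """MD5 over pseudo-header, fixed header with zero checksum, segment data, then key."""
    header_len = (header20[12] >> 4) * 4
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, TCP_PROTO, header_len + len(payload)))
    zeroed = header20[:16] + b"\x00\x00" + header20[18:20]   # checksum field forced to zero
    return hashlib.md5(pseudo + zeroed + payload + key).digest()


def sign_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload, key):
    """Sender side: build a segment that carries the MD5 signature option."""
    header_len = 20 + 2 + MD5SIG_LEN       # fixed header, two NOPs of padding, option: 40 bytes
    header20 = fixed_header(sport, dport, seq, ack, flags, 65535, header_len)
    digest = md5_digest(src_ip, dst_ip, header20, payload, key)
    options = bytes([OPT_NOP, OPT_NOP, OPT_MD5SIG, MD5SIG_LEN]) + digest
    return header20 + options + payload


def find_md5_option(options):
    """Walk the TCP options and return the 16-byte digest, or None if absent or malformed."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            break
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            break
        if kind == OPT_MD5SIG and length == MD5SIG_LEN:
            return options[i + 2:i + length]
        i += length
    return None


def verify_segment(src_ip, dst_ip, segment, key):
    """Receiver side: accept only a segment whose digest matches the locally configured key."""
    if len(segment) < 20:
        return False
    header20 = segment[:20]
    header_len = (header20[12] >> 4) * 4
    if header_len < 20 or header_len > len(segment):
        return False
    received = find_md5_option(segment[20:header_len])
    if received is None:                   # unsigned segments are dropped when a key is set
        return False
    expected = md5_digest(src_ip, dst_ip, header20, segment[header_len:], key)
    return hmac.compare_digest(received, expected)


if __name__ == "__main__":
    seg = sign_segment(PCC_IP, PCE_IP, 49152, PCEP_PORT, 1000, 2000, 0x018,
                       PCEP_KEEPALIVE, SHARED_KEY)
    print("same key on both ends:", verify_segment(PCC_IP, PCE_IP, seg, SHARED_KEY))
    print("mismatched key:       ", verify_segment(PCC_IP, PCE_IP, seg, b"other-key"))
```

A key mismatch between PCE and PCC shows up as silently discarded segments, so the session never establishes. RFC 2385 has since been obsoleted by the TCP Authentication Option (RFC 5925).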
Subscriber Management and Services
NOTE: Although present in the code, the subscriber management features
are not supported in Junos OS Release 16.1R1. Documentation for subscriber
management features is included in the Junos OS Release 16.1 documentation
set.
•
Wildcard domain map (MX Series)—Starting in Junos OS Release 16.1R1, you can
configure a wildcard domain map that is used by subscribers when there is no exact
match to the subscriber’s domain name, but there is a partial match. For example, if
you create a wildcard domain map with the name xyz*.com, subscribers with the
domain names xyz-eastern.com and xyz-northern.com are both mapped to that wildcard
domain when there is no exact match for the subscriber’s domain name.
To configure a wildcard domain map, you include the asterisk wildcard character in
the map domain-map-name statement at the [edit access domain] hierarchy level.
Wildcard domain mapping is also useful to provide a partial match when subscriber
management derives subscriber usernames from the DHCPv4 Agent Remote ID (option
82 suboption 2) or the DHCPv6 Remote-ID (option 37). For example, a username might
be EricSmith#premiumTier1#314159265#0000 (where the # character is the delimiter).
For domain mapping for this subscriber, you might create the wildcard domain map,
domain map premiumTier1*.
[See Configuring a Wildcard Domain Map.]
•
DHCP-initiated service change based on client Remote ID (MX Series)—Starting in
Junos OS Release 16.1R1, DHCP local server enables you to update a client’s current
service based on the client’s remote ID. DHCP-initiated service updates are particularly
useful in dual-stack environments and other networks that do not include RADIUS
support.
When a DHCP client is initially established, DHCP preserves the client’s incoming remote
ID in the DHCP client database. You can configure DHCP local server to compare the
client’s initial remote ID to the remote ID that the server subsequently receives in DHCP
Renew or Rebind messages. If DHCP local server detects a mismatch between the two
remote IDs, the server tears down the existing binding, which initiates a client reconnect
sequence. The service change is encoded within the new remote ID string, and is
activated when the client reconnects.
DHCP local server receives the remote ID in option 82, suboption 2 for DHCPv4 clients,
and in DHCPv6 option 37 for DHCPv6 clients.
To configure DHCP local server to support the remote ID service change feature, use
the remote-id-mismatch disconnect statement at the [edit system services
dhcp-local-server] hierarchy level. You can configure support globally or for a specific
group.
[See DHCP-Initiated Service Change Based on Remote ID.]
•
New support for Framed-IP-Netmask for access-internal routes (MX Series)—Starting
in Junos OS Release 16.1, the mask value returned by RADIUS in the Framed-IP-Netmask
attribute during PPP negotiation is considered for application to the access-internal
route for the subscriber session. In earlier releases, the attribute mask is ignored and
a /32 netmask is always applied, with the consequence that the address is set to the
value of the Framed-IP-Address attribute returned by RADIUS.
Now, when the SDB_FRAMED_PROTOCOL attribute is equal to
AUTHD_FRAMED_PROTOCOL_PPP, the value of SDB_USER_IP_MASK is set to
255.255.255.255 by default. This value is overridden by the Framed-IP-Netmask value,
if present.
When the SDB_FRAMED_PROTOCOL attribute is equal to
AUTHD_FRAMED_PROTOCOL_PPP, the show subscribers command now displays the
actual value of Framed-IP-Netmask in the IP Netmask field. Otherwise, the field displays
the default value of 255.255.255.255.
•
Disabling DHCP snooping filters for DHCP traffic that can be directly forwarded (MX
Series)—Starting in Junos OS Release 16.1, you can disable DHCP snooping filters for
an address family in the routing context in which snooping is configured.
When you first enable DHCP snooping, all DHCP traffic is snooped by default and only
DHCP packets associated with subscribers (or their creation) will be handled; all other
DHCP packets will be discarded. You can optionally modify this dropping behavior
based on the type of interface: configured interfaces, non-configured interfaces, or all
interfaces. All snooped DHCP traffic is still forwarded to the routing plane in the routing
instance, and in some cases, this results in excessive DHCP traffic being sent to the
routing plane for snooping. The no-snoop statement disables snooping filters for DHCP
traffic that can be forwarded directly from the hardware control plane, such as Layer
3 unicast traffic with a valid route, preventing that DHCP traffic from being forwarded
to the slower routing plane of the routing instance.
[See DHCP Snooping Support.]
•
Changes to AAA accounting statistics counters (MX Series)—Starting in Junos OS
Release 16.1, 17 new statistics counters have been added to the output of the show
network-access aaa statistics accounting detail command to report accounting
information that is backed up when RADIUS accounting servers are unreachable and
RADIUS backup accounting options are configured.
In earlier releases, the general statistics counters display aggregate values for original
accounting events plus backup events. Now the Accounting response success,
Accounting retransmissions, and Requests received counters no longer include requests
that are sent to the backup accounting mechanism.
Two non-backup statistics counters have also been added, Accounting request failures
and Accounting request success.
The Timed out requests counter has been renamed to Accounting request timeouts.
[See show network-access aaa statistics.]
•
New option for service type added to test aaa commands (MX Series)—Starting in
Junos OS Release 16.1, you can include the service-type option with the test aaa ppp
user and test aaa dhcp user commands to test the AAA configuration of a subscriber.
You can use this option to distinguish a test session from an actual subscriber session.
The option specifies a value for the Service-Type RADIUS attribute [6] in the test
Access-Request message; when you do not include this option, the test uses a service
type of Framed. You can specify a number in the range 1 through 255, or you can specify
a string that corresponds to an RFC-defined service type. When the Service-Type
RADIUS attribute [6] is received in an Access-Accept message, it overrides the value
inserted in the Access-Request message by this command.
[See test aaa dhcp user and test aaa ppp user.]
•
New predefined variable for dynamic underlying interfaces (MX Series)—Starting in
Junos OS Release 16.1, you can use the Juniper Networks predefined variable,
$junos-underlying-ifd-name, to reference the underlying physical interface when you
configure CoS properties for an underlying logical interface in a dynamic profile. The
new variable is useful when the $junos-interface-ifd-name variable already references
a different physical interface, such as in configurations with stacked logical interfaces.
For example, in a PPPoE session where the PPP logical interface is stacked over a
demux VLAN logical interface, $junos-interface-ifd-name is set to the pp0 physical
interface. In this case you can specify the $junos-underlying-ifd-name predefined
variable with the interfaces statement at the [edit dynamic-profiles profile-name
class-of-service] hierarchy level to reference the underlying physical interface.
•
Support for service session termination causes (MX Series)—Starting in Junos OS
Release 16.1, new internal identifiers are available that identify the reasons that authd
initiates termination of individual service sessions. In earlier releases, the termination
cause for a service session is the same as that for the parent subscriber session.
The service termination causes map to default code values that are reported in the
RADIUS Acct-Terminate-Cause attribute (49) in Acct-Stop messages for the service.
You can use the new service-shutdown option with the terminate-code aaa statement
at the [edit access] hierarchy level to remap any of the new termination causes to any
number in the range 1 through 4,294,967,295:
•
network-logout—Termination was initiated by deactivation of one family for a
dual-stack subscriber, typically triggered by termination of the corresponding Layer
3 access protocol. Default code value is 6.
•
remote-reset—Termination was initiated by an external authority, such as a RADIUS
CoA service-deactivation. Default code value is 10.
•
subscriber-logout—Overrides the default inheritance of the subscriber session value
with a different value when you map it to a different value. Default code value is 1,
meaning that it inherits the terminate cause from the parent subscriber session.
•
time-limit—Service time limit was reached. Default code value is 5.
•
volume-limit—Service traffic volume limit was reached. Default code value is 10.
The show network-access aaa terminate-code aaa detail command displays the new
termination causes and their current code values.
[See Understanding Session Termination Causes and RADIUS Termination Cause Codes.]
•
Support for a static unnumbered interface with $junos-routing-instance (MX
Series)—Starting in Junos OS Release 16.1, you can configure a static logical interface
as the unnumbered interface in a dynamic profile that includes dynamic routing instance
assignment by means of the $junos-routing-instance predefined variable.
NOTE: This configuration fails commit if you also configure a preferred
source address, either statically with the preferred-source-address statement
or dynamically with the $junos-preferred-source-address predefined variable
for IPv4 (family inet) addresses or the $junos-preferred-source-ipv6-address
predefined variable for IPv6 (family inet6) addresses.
NOTE: The static interface must belong to the routing instance; otherwise
the profile instantiation fails.
In earlier releases, when the dynamic profile includes the $junos-routing-instance
predefined variable, you must do both of the following; otherwise, the commit fails:
•
Use the $junos-loopback-interface-address predefined variable to dynamically assign
an address to the unnumbered interface. You cannot configure a static interface
address.
•
Use the $junos-preferred-source-address or $junos-preferred-source-ipv6-address
predefined variable to dynamically assign a secondary IP address to the unnumbered
interface. You cannot configure a static preferred source address.
[See Configuring an Unnumbered Interface.]
•
Logical interface option for show ptp port command (MX Series)—Starting in Junos
OS Release 16.1, you can display PTP port information for a specific logical interface
by using the ifl logical-interface-name option with the show ptp port command:
user@host> show ptp port ifl ge-1/0/5.0
PTP port-data:
Local Interface    : ge-1/0/5.0
Local Address      : 2001:db8:00:05:85:73:b0:aa
Remote Address     : 2001:db8:01:80:c2:00:00:0e
Clock Stream       : 0
Clock Identity     : 2001:db8::85:ff:fe:73:b7:d0
Port State         : Master
Delay Req Interval : -4
Announce Interval  : 1
Announce Timeout   : 3
Sync Interval      : -6
Delay Mechanism    : End-to-end
Port Number        : 1
Operating Mode     : Master only
•
Enhancements to test aaa statements for VLAN-OOB subscribers (MX
Series)—Starting in Junos OS Release 16.1, you can use the no-address-request option
with the test aaa dhcp user and test aaa ppp user statements for testing subscribers in
a Layer 2 scenario where no address allocation request is required.
The output of these two statements now displays two additional user attributes.
Dynamic Profile is the name of the profile received in the Client-Profile-Name VSA
(26-174). Routing Instance is the name of the routing instance conveyed by the
Virtual-Router VSA (26-1). The existing Virtual Router Name attribute is the locally
configured name of the logical system.
[See Testing a Subscriber AAA Configuration.]
•
New predefined variable to group subscribers on a physical interface (MX
Series)—Starting in Junos OS Release 16.1, you can specify the new Juniper Networks
predefined variable, $junos-phy-ifd-interface-set-name, with the interface-set
statement at the [edit dynamic-profiles profile-name interfaces] hierarchy level to
configure an interface set associated with the underlying physical interface in a dynamic
profile. This predefined variable enables you to group all the subscribers on a specific
physical interface so that you can apply services to the entire group of subscribers.
Another use case is optimizing CoS level 2 node resources by grouping residential
subscribers into an interface set associated with the physical interface in a topology
where residential and business subscribers share the interface, enabling the use of
CoS level 2 nodes for the interface set rather than for each residential interface.
[See CoS for Interface Sets of Subscribers Overview.]
•
New predefined variables and Juniper Networks VSAs for family any interface filters
(MX Series)—Starting in Junos OS Release 16.1R1, you can use the
$junos-input-interface-filter and $junos-output-interface-filter predefined variables
to attach a filter to a dynamic interface created for family any. The filter names are
derived from the Juniper Networks VSAs, Input-Interface-Filter (26-191), and
Output-Interface-filter (26-192). These VSAs are conveyed in the following RADIUS
messages: Access-Request, Acct-Start, Acct-Stop, and Acct-Interim-Interval. You can
specify the variables as the filter names with input and output statements at the [edit
dynamic-profiles profile-name interfaces interface-name unit logical-interface-number
filter] hierarchy level.
[See Juniper Networks VSAs Supported by the AAA Service Framework.]
•
Configuring default values for routing instances (MX Series)—Starting in Junos OS
Release 16.1, you can define a default value for the Juniper Networks predefined variable,
$junos-routing-instance. This value is used in the event RADIUS does not supply a
value for $junos-routing-instance. To configure a default value, use the
predefined-variable-defaults statement at the [edit dynamic-profiles] hierarchy level.
For example, to set the default value to RI-default:
[edit dynamic-profiles profile-name]
user@host# set predefined-variable-defaults routing-instance RI-default
•
Address-assignment pool hold-down (MX Series)—Starting in Junos OS Release 16.1,
you can place an active address-assignment pool in a hold-down state. When a pool
is in the hold-down state, no additional addresses are allocated from that pool.
However, the hold-down state does not affect any existing subscribers that are using
addresses previously assigned from the pool.
As the existing subscribers disconnect, their IP addresses are marked as free in the
pool, but the addresses are not reallocated because of the pool’s hold-down state.
Eventually, when all subscribers have disconnected and their addresses are returned
to the pool, the pool becomes inactive. When the pool is in the inactive state, you can
safely perform maintenance on the pool (such as adding, changing, or deleting
addresses) without affecting any active subscribers.
[See Configuring Address-Assignment Pool Hold Down.]
•
Support for subscriber management and services feature parity (MX104)—Starting
in Release 16.1, the MX104 supports all subscriber management and services features
that are supported on the MX240, MX480, and MX960 routers as of Junos OS Release
14.1R1. Previously, the MX104 matched feature support with the MX80 as of Junos OS
Release 13.3R1.
•
PPPoE-over-ATM support and other enhancements to PPPoE subscriber session
lockout (MX Series)—Starting in Junos OS Release 16.1, PPPoE subscriber session
lockout supports PPPoE-over-ATM subscriber interfaces and also adds the following
enhancements:
•
Persistence of the lockout condition after automatic removal of dynamic VLAN or
VLAN demultiplexing (demux) subscriber interfaces.
•
Termination of the lockout condition after administratively clearing the lockout or
resetting the interface module.
•
Ability to clear the lockout condition or display information about the lockout status
by specifying encapsulation type identifier characteristics when no underlying
interface exists for the subscriber session:
•
VLAN identifiers (device name, S-VLAN ID, and VLAN ID) in the clear pppoe lockout
vlan-identifier and show pppoe lockout vlan-identifier commands
•
ATM identifiers (device name, VPI, and VCI) in the clear pppoe lockout atm-identifier
and show pppoe lockout atm-identifier commands
[See PPPoE Subscriber Session Lockout Overview.]
•
New reject action for a LAC receiving change requests from the LNS (MX
Series)—Starting in Junos OS Release 16.1, you can configure the LAC to reject change
requests received in SCCRP messages from the LNS. During tunnel establishment, the
LNS might include a request for the LAC to change the destination IP address, UDP
port, or both, that it uses to communicate with the LNS. When a LAC that is configured
to reject these requests receives one, it sends a StopCCN message to the original
address or port and then terminates the connection to that LNS. This reject option is
in addition to the previously available accept and ignore options.
[See Configuring How the LAC Responds to Address and Port Changes Requested by the
LNS.]
•
Enhanced subscriber management support for Ethernet OAM on S-VLANs with
associated C-VLANs and subscriber interfaces (MX Series routers with
MPCs/MICs)—This feature is supported in Junos OS Release 16.1 with no changes from
the original 13.2R1 implementation. As such, when Ethernet IEEE 802.1ag Operation,
Administration, and Maintenance (OAM) connectivity fault management (CFM) is
configured on a static single-tagged service VLAN (S-VLAN) logical interface on a
Gigabit Ethernet, 10-Gigabit Ethernet, or Aggregated Ethernet physical interface, you
can configure the router to propagate the OAM state of the S-VLAN to the associated
dynamic or static double-tagged customer VLAN (C-VLAN) logical interfaces. If the
CFM continuity check protocol detects that the OAM state of the S-VLAN is down, you
can configure the underlying physical interface to bring down all associated C-VLANs
on the interface with the same S-VLAN (outer) tag as the S-VLAN interface. In addition,
the router brings down all DHCP, IP demultiplexing (IP demux), and PPPoE logical
subscriber interfaces configured on top of the C-VLAN. Propagation of the S-VLAN
OAM state to associated C-VLANs ensures that when the OAM state of the S-VLAN
link is down, the associated C-VLANs and all subscriber interfaces on top of the
C-VLANs go down as well.
To enable propagation of the S-VLAN OAM state to associated C-VLAN logical
interfaces, use the oam-on-svlan option when you configure a Gigabit Ethernet (ge),
10-Gigabit Ethernet (xe), or Aggregated Ethernet (ae) interface.
Ethernet OAM support for S-VLANs and associated C-VLANs is not currently supported
for use with dynamic profiles, S-VLAN trunk interfaces, or C-VLAN trunk interfaces.
•
Support for manual targeting—Starting in Junos OS Release 16.1R1, service providers
can configure manual targeting, assigning specific member links as primary and backup
links per subscriber so that all traffic goes through those links. Manual targeting
enhances the distribution of targeted VLANs or subscribers across member links of an
aggregated Ethernet bundle by making it bandwidth-aware.
You configure the targeting options by including the targeted-options statement at the
[edit interfaces aex aggregated-ether-options] hierarchy level.
You can select the targeting type for an aggregated Ethernet bundle as manual or auto
at the [edit interfaces aex aggregated-ether-options targeted-options] hierarchy level.
When you configure manual targeting, you must always configure a primary link.
Configuring a backup link is optional. You specify the primary and backup links for a
subscriber in the individual interface configuration.
If the aggregated Ethernet bundle is configured for manual targeting, then all the
subscribers in that bundle can be optionally configured for manual targeting, but none
of them can be configured for autotargeting (targeted distribution). That is, you cannot
have a configuration that contains a mix of manual targeting and autotargeting among
subscribers. If the aggregated Ethernet bundle is not configured for manual targeting,
then you can optionally configure autotargeting for all the subscribers, but you cannot
configure manual targeting for any of them. Manual targeting and autotargeting are
supported only on static interfaces.
•
Grouping of subscribers with similar bandwidth usage—Junos OS Release 16.1R1
supports grouping of subscribers with similar bandwidth usage and ensures even
distribution of subscribers in each group across the member links of an aggregated
Ethernet bundle. Service providers can group together subscribers with similar
bandwidth usage and optionally assign a group name. Subscribers that are configured
for targeted distribution without a group name are added to the default group and
distributed evenly across member links. Grouping of subscribers is supported only for
static subscribers.
You can specify the group name by including the group statement at the [edit interfaces
interface-name unit logical-unit-number targeted-options] hierarchy level.
•
Configurable session limits for L2TP (MX Series)—Starting in Junos OS Release 16.1,
you can configure a limit on the maximum number of L2TP sessions allowed for the
chassis, for all tunnels, for a tunnel-group, for a client group, and for a client. When the
session limit is reached, no new sessions can be established until the number of current
sessions drops below the configured limit. One use of this feature is to control the
number of sessions from an enterprise customer that is connected over LACs in multiple
locations. These configured session limits have no effect on the maximum supported
chassis limits that are imposed through the Juniper Networks license.
[See Limiting the Number of L2TP Sessions Allowed by the LAC or LNS.]
•
Ensuring IPCP negotiation for IPv4 DNS addresses (MX Series)—Starting in Junos
OS Release 16.1, the router can prompt customer premises equipment (CPE) to
negotiate both primary and secondary IPv4 DNS addresses during IPCP negotiation.
This feature is useful when the CPE fails to send DNS address options in the IPCP
configure request message, or when the options are sent but rejected. In earlier releases,
either situation results in no DNS address negotiation even though IPv4 DNS addresses
are available on the router. This DNS option enables the router to control IPv4 DNS
address provisioning for dynamic and static, terminated PPPoE and LNS subscribers.
[See Ensuring IPCP Negotiation for Primary and Secondary DNS Addresses.]
•
Filters for duplicate RADIUS accounting interim reports (MX Series)—Starting in
Junos OS Release 16.1, you can specify which accounting servers receive the RADIUS
accounting interim reports when RADIUS accounting duplicate reporting is active.
Subscriber management supports the following filtering for RADIUS accounting
duplicate reporting:
•
Duplicated accounting interim messages—The accounting messages are sent only
to RADIUS accounting servers in the subscriber’s access profile.
•
Original accounting interim messages—The accounting messages are sent only to
servers in a duplication access profile other than the subscriber’s access profile.
•
Excluded RADIUS attributes—RADIUS attributes in accounting messages are filtered
based on the exclude statement configuration.
The exclude statement supports new attributes.
[See Understanding RADIUS Accounting Duplicate Reporting.]
•
Multiple DHCPv6 IA_NA and IA_PD requests (MX Series)—Starting in Junos OS Release
16.1, DHCPv6 relay agent supports multiple DHCPv6 IA_NA or IA_PD requests within
the same Solicit message, up to a maximum of eight requests. This support enables
each negotiated lease to have its own lease expiration time and also allows one lease
to expire without tearing down any other active leases. The multiple IA address support
also enables customers to delegate multiple address blocks to a CPE router, which
simplifies flow classification and service monetization.
In Junos OS releases before Release 16.1, the router supports one IA_NA request or one
IA_PD request, or a combination of one of each type of request.
[See Multiple DHCPv6 IA_NA and IA_PD Requests Per Client Interface.]
•
New VSAs for IPv4 and IPv6 link addresses of first DHCP relay into RADIUS Auth
and Accounting Messages (MX Series)—Starting in Junos OS Release 16.1, two new
VSAs, DHCP-First-Relay-IPv4-Address and DHCP-First-Relay-IPv6-Address, are available
for configuration of a RADIUS server. The values of these new VSAs are the link address
of the first relay of a DHCPv4 or DHCPv6 client/server binding. These new VSAs are
sent to RADIUS as part of Access-Request, Accounting-Start, Accounting-Interim, and
Accounting-Stop Messages. These VSAs enable RADIUS to identify clients uniquely
for your business purposes, such as keeping track of your billing clients.
[See Juniper Networks VSAs Supported by the AAA Service Framework.]
•
Five-level hierarchical CoS (MX240, MX480, MX960, and MX2020 Series)—Starting
in Junos OS Release 16.1, the Broadband Network Gateway (BNG) supports five-level
hierarchical CoS (HCoS) in dynamic configurations. It allows you to differentiate and
shape traffic at the following levels:
•
Level 1—Physical interface (port level)
•
Level 2—Interface set, for example, S-VLAN (access node)
•
Level 3—Customer VLAN (C-VLAN)
•
Level 4—Session logical interface (ppp or dhcp)
•
Level 5—Service queues (up to 8)
The use cases that five-level HCoS supports include:
•
Residential and business traffic on the same access node (if business interfaces are
dynamic).
•
Multiple retail ISPs on the same access node.
•
Multiple subscriber sessions for a household on the same C-VLAN.
This feature is not supported on agent circuit identifier (ACI) sets or aggregated Ethernet
(AE) interfaces.
[See Understanding Hierarchical CoS for Subscriber Interfaces.]
•
Support for IP reassembly on an L2TP connection (MX Series routers with
MPC5E)—Starting in Junos OS Release 16.1, you can configure the service interfaces
on MX Series routers with MPC5E to support IP packet reassembly on a Layer 2
Tunneling Protocol (L2TP) connection. The IP packet is fragmented over an L2TP
connection when the packet size exceeds the maximum transmission unit (MTU)
defined for the connection. Depending on the direction of the traffic flow, the
fragmentation can occur either at the L2TP access concentrator (LAC) or at the L2TP
network server (LNS), and reassembly occurs at the peer interface. (In an L2TP
connection, a LAC is a peer interface for the LNS and vice versa.)
You can configure the service interfaces on the LAC or on the LNS to reassemble the
fragmented packets before they can be further processed on the network. On a router
running Junos OS, a service set is used to define the reassembly rules on the service
interface. The service set is then assigned to the L2TP service at the [edit services l2tp]
hierarchy level to configure IP reassembly for L2TP fragments.
[See IP Packet Fragment Reassembly for L2TP Overview.]
•
Diameter Network Access Server Requirements (NASREQ) authentication and
authorization (MX Series)—Starting in Junos OS Release 16.1, Junos OS supports the
Diameter-based Network Access Server Requirements (NASREQ) protocol for
authentication and authorization at login. NASREQ is described in RFC 7155. Junos OS
supports the following NASREQ protocol exchanges:
•
AA-Request/Answer—The authentication/authorization request at login.
•
Session-Termination-Request/Answer—Notification that the subscriber’s session
has been terminated.
•
Abort-Session-Request/Answer—Request to terminate the subscriber’s session
from a NASREQ server.
[See Diameter Network Access Server Requirements (NASREQ).]
•
Communicating with RADIUS servers over IPv6 (MX Series)—Starting in Junos OS
Release 16.1, subscriber management supports RADIUS connectivity over IPv6, in
addition to IPv4 connectivity. This support enables you to specify the IPv6 addresses
of your targeted RADIUS servers, and also enables you to specify IPv6 addresses for
the source address configuration of your RADIUS servers.
Also in Release 16.1, the AAA process now supports the NAS-IPv6-Address RADIUS
attribute (attribute 95), which identifies the IPv6 address of the NAS that requests
subscriber authentication.
[See Configuring Router or Switch Interaction with RADIUS Servers.]
•
Limiting the subscriber sessions per aggregated Ethernet or Packet Forwarding
Engine bundle (MX Series)—Starting in Junos OS Release 16.1, you can restrict the
number of Point-to-Point Protocol over Ethernet (PPPoE) subscriber sessions per
aggregated Ethernet or Packet Forwarding Engine bundle by using the existing PPPoE
Service-Name table. You can modify the existing PPPoE Service-Name table by
changing its default configuration to eliminate the default empty Service-Name entry
in the Service-Name table.
In earlier releases, each PPPoE service name table in the service (PPPoE) configuration
statement included one empty service entry by default.
•
Support for unlocking destinations during LAC tunnel selection (MX Series)—Starting
in Junos OS Release 16.1, the tunnel selection process for a subscriber login enables
the LAC to cycle through the tunnel preference levels until it establishes a session to
a destination or has attempted to contact every valid destination but failed.
In earlier releases, if the LAC reaches the lowest level and all valid destinations at that
level are locked, it selects the destination with the shortest remaining lockout time,
removes the lockout, and attempts to connect to that destination. If it fails, it does not
cycle back through the preference levels.
You can use the new clear services l2tp destination lockout command to manually clear
all locked destinations or only locked destinations that match the specified local or
remote gateway address.
[See LAC Tunnel Selection Overview.]
•
Support for DHCPv6 duplicate client DUIDs (MX Series)—Starting in Junos OS Release
16.1, you can configure DHCPv6 relay agent and DHCPv6 local server to support DHCP
clients that have the same DHCP unique identifier (DUID) when the DHCPv6 requests
are received on different underlying interfaces.
Typically, the router treats a request from a duplicate client as a renegotiation, and
replaces the existing client entry with a new entry. However, in some cases, the duplicate
request is from a different client, and replacement is not desired. When you enable
duplicate client support, the router uses the underlying interfaces to differentiate
between two clients with the same DUID, enabling both clients to be granted leases.
The router retains the existing client entry, and creates a new entry for the duplicate
client.
[See DHCPv6 Duplicate Client DUIDs.]
•
Improved multicast convergence and RPT-SPT support for BGP-MVPN (MX
Series)—Starting with Junos OS Release 16.1, support for multicast forwarding-cache
threshold is extended to rendezvous-point tree shortest-path tree (RPT-SPT) mode
for BGP-MVPN. In addition, for both Rosen and next-generation MVPNs, PE routers
across all sites should see the same set of multicast routes even if the configured
forwarding-cache limit is exceeded.
To configure a specific threshold for MVPN RPT, set one or both of the
mvpn-rpt-suppress and mvpn-rpt-reuse statements at the [edit routing-instances name
routing-options multicast forwarding-cache] or [edit logical-systems name
routing-instances name routing-options multicast forwarding-cache] hierarchy level.
In addition, the show multicast forwarding-cache statistics command provides
information about both the general and RPT-suppression states. Likewise, a list of
suppressed customer-multicast states can be seen by running the show mvpn
suppressed general|mvpn-rpt inet|inet6 instance name summary command.
System Logging
•
System log messages to indicate checksum errors on the DDR3 interface—Starting
in Junos OS Release 13.3 R9, two new system log messages,
XMCHIP_CMERROR_DDRIF_INT_REG_CHKSUM_ERR_MINOR and
XMCHIP_CMERROR_DDRIF_INT_REG_CHKSUM_ERR_MAJOR, are added to indicate
memory-related problems on the interfaces to the double data rate type 3 (DDR3)
memory. These error messages indicate that an FPC has detected a checksum error,
which is causing packet drops.
The following error threshold values classify the error as a major error or a minor error:
•
Minor error—6-254 errors per second
•
Major error—255 and more errors per second
•
New configuration statement for filtering text substring in system log messages
(MX Series and T Series)—Starting with Junos OS Release 16.1, a new configuration
statement, match-string <string-name>, helps you display specified text substrings in
the system log messages when using the show system syslog statement. The
match-string <string-name> configuration statement can be configured at the following
hierarchy levels:
•
edit system syslog file <file-name>
•
edit system syslog host <host-name>
•
edit system syslog user <user-name>
This statement can be configured along with the match <string-name> configuration
statement. In addition, it reduces the CPU usage while filtering the text substring in the
system log messages.
[See match-string.]
System Management
•
Statement introduced to deny hidden commands—Starting in Release 16.1, Junos OS
allows users to deny hidden commands to all users except root. To deny hidden
commands to all users except root, use the set system no-hidden-commands statement
at the [edit] hierarchy level.
Timing and Synchronization
•
Support for PTP over IPv6/UDP encapsulation (MX240, MX480, and
MX960)—Starting with Junos OS Release 16.1, Precision Time Protocol (PTP) is
supported over IPv6/UDP encapsulation on MX240, MX480, and MX960 routers. This
functionality is supported in compliance with PTP over IPv6/UDP encapsulation defined
in Annex E of the 1588 standard.
NOTE: In earlier Junos releases, PTP is supported over IPv4/UDP
encapsulation.
User Interface and Configuration
•
Support for JSON format for configuration data (MX Series and T Series)–Starting
with Junos OS Release 16.1, you can configure devices running Junos OS using
configuration data in JavaScript Object Notation (JSON) format in addition to the
existing text, Junos XML, and Junos OS set command formats. You can load
configuration data in JSON format in the Junos OS CLI by using the load (merge | override
| update) json command or from within a NETCONF or Junos XML protocol session by
using the <load-configuration format="json"> operation. You can load JSON
configuration data either from an existing file or as a data stream. Configuration data
that is provided as a data stream must be enclosed in a <configuration-json> element.
[See load, Defining the Format of Configuration Data to Upload in a Junos XML Protocol
Session, and Mapping Junos OS Configuration Statements to JSON.]
•
Extend the Junos CLI command set with custom scripts (MX Series)–Starting with
Junos OS Release 16.1, you can configure devices running Junos OS to allow your custom
scripts to be invoked in the Junos OS CLI or from within a NETCONF or Junos XML
protocol session. The custom script can be written in either SLAX or Python. Configure
your custom script to act as a native command using YANG's RPC keyword extension.
Its location in the command schema is specified in a YANG module.
[See Junos Automation Scripting Overview, Using Juniper Networks YANG Modules.]
Virtual Chassis
•
MX Series Virtual Chassis support for L2TP LNS (MX Series)—Starting in Junos OS
Release 16.1, MX Series Virtual Chassis configurations support L2TP LNS functionality.
[See L2TP for Subscriber Access Overview.]
•
MX Series Virtual Chassis commit time improvements (MX Series with
MPCs/MICs)—Starting in Junos OS Release 16.1, the commit process for MX Series
Virtual Chassis is optimized to provide faster commit times. No additional configuration
is required to take advantage of the improved commit times. You can use the commit
| display detail command to monitor the steps of the new commit process.
•
MX Series Virtual Chassis support for MX240 and MX480 member routers in a VC
containing MX2010 or MX2020 member routers (MX Series with
MPCs/MICs)—Starting in Junos OS Release 16.1, you can configure an MX240 router or
MX480 router as a member router in an MX Series Virtual Chassis that contains an
MX2010 or MX2020 member router. In earlier releases, MX2010 routers and MX2020
routers could only interoperate with MX960 routers.
The following member router combinations are introduced in Junos OS Release 15.2
for a two-member Virtual Chassis configuration:
•
MX240 router and MX2010 router
•
MX240 router and MX2020 router
•
MX480 router and MX2010 router
•
MX480 router and MX2020 router
•
MX Series Virtual Chassis Unified ISSU support for MPC6E line cards (MX Series
Virtual Chassis)—Starting in Junos OS Release 16.1R2, MPC6E line cards support
Unified ISSU in MX Series Virtual Chassis environments.
VPNs
•
Redundant virtual tunnels on MPCs (MX Series)—In multicast Layer 3 VPNs, virtual
tunnel (VT) interfaces are needed to facilitate virtual routing and forwarding (VRF)
table lookup based on MPLS labels. Beginning with Junos OS Release 16.1, support for
redundant VTs at the Packet Forwarding Engine level is provided to improve resiliency
in delivering multicast traffic.
[See Redundant Virtual Tunnels Providing Resiliency in Delivering Multicast Traffic
Overview.]
•
MVPN source-active upstream multicast hop selection and redundant source
improvements (MX Series)–Starting in Junos OS Release 16.1, you can use new
configuration statements available at the [edit protocols mvpn] hierarchy level to
influence the source-active upstream multicast hop selection process. You can use
the umh-selection-additional-input statement to influence the upstream multicast hop
selection by making the MVPN consider a combination of route preference and RSVP
tunnel status. You can use the source-redundancy statement so that the MVPN acts
on all redundant sources sending to a specific group address as the same source.
•
Support for common Public Key Infrastructure (PKI) functionality (MX
Series)—Starting in Junos OS Release 16.1R3, MX Series devices support the following
common PKI functionalities:
•
Certificate chaining—Certificate-based authentication is an authentication method
supported on MX Series devices during IKE negotiation. In large networks, multiple
certificate authorities (CAs) can issue end entity (EE) certificates to their respective
end devices. It is common to have separate CAs for individual locations, departments,
and organizations. With a single-level hierarchy for certificate-based authentication,
all EE certificates in the network must be signed by the same CA. All firewall devices
must have the same CA certificate enrolled for peer certificate validation. The
certificate payload sent during IKE negotiation only contains EE certificates.
In Junos OS Release 16.1R3, the certificate payload sent during IKE negotiation can
contain a chain of EE and CA certificates. A certificate chain is the list of certificates
required to certify the subject in the EE certificate. The certificate chain includes the
EE certificate, intermediate CA certificates, and the root CA certificate. CA certificates
can be enrolled using the Simple Certificate Enrollment Process (SCEP) or loaded
manually. There is no new CLI configuration statement or command for certificate
chains; however, every end device must be configured with a CA profile for each CA
in the certificate chain.
The network administrator needs to ensure that all peers participating in IKE
negotiation have at least one common trusted CA in their respective certificate
chains. The common trusted CA does not have to be the root CA. The number of
certificates in the chain, including certificates for EEs and the topmost CA in the
chain, cannot exceed 10.
•
Online Certificate Status Protocol (OCSP)—OCSP checks the revocation status
of X.509 certificates. Requests are sent to the OCSP server(s) configured in a CA
profile with the ocsp url statement at the [edit security pki ca-profile profile-name
revocation-check] hierarchy level. The use-ocsp option must also be configured. If
there is no response from the OCSP server, the request is then sent to the location
specified in the certificate's AuthorityInfoAccess extension.
•
Digital certificate validation—The PKI daemon on MX Series devices performs X.509
certificate policy, path, key usage, and distinguished name validation, as specified
in RFC 5280, Internet X.509 Public Key Infrastructure Certificate and Certificate
Revocation List (CRL) Profile.
•
New configuration statement to manage VCCV BFD session state (MX
Series)—Starting with Junos OS Release 16.1, the ping-multiplier statement is introduced
to delay the virtual circuit connectivity verification (VCCV) Bidirectional Forwarding
Detection (BFD) session from going down by the specified number of LSP ping packets.
The VCCV BFD session is signaled down only after the specified number of LSP ping
packets are lost. This feature is supported for Layer 2 Circuit, Layer 2 VPN, and VPLS
technologies.
To configure the LSP ping multiplier feature, include the ping-multiplier
number-of-packets statement at the [edit protocols l2circuit neighbor neighbor-address
interface interface-name oam], [edit routing-instances routing-instances-name protocols
l2vpn oam], and [edit routing-instances routing-instances-name protocols vpls oam]
hierarchy levels for Layer 2 circuit, Layer 2 VPN, and VPLS, respectively.
Related Documentation
•
Changes in Behavior and Syntax
•
Known Behavior
•
Known Issues
•
Resolved Issues
•
Documentation Updates
•
Migration, Upgrade, and Downgrade Instructions
•
Product Compatibility
Changes in Behavior and Syntax
This section lists the changes in behavior of Junos OS features and changes in the syntax
of Junos OS statements and commands from Junos OS Release 16.1R4 for MX Series
and T Series.
•
Authentication and Access Control
•
General Routing
•
Interfaces and Chassis
•
Junos OS XML API and Scripting
•
Layer 2 Features
•
Management
•
MPLS
•
Network Management and Monitoring
•
Operation, Administration, and Maintenance (OAM)
•
Platform and Infrastructure
•
Routing Policy and Firewall Filters
•
Routing Protocols
•
Security
•
Services Applications
•
Software Installation and Upgrade
•
Subscriber Management and Services
•
System Logging
•
System Management
•
User Interface and Configuration
Authentication and Access Control
•
Change in range of client alive messages for SSH—Starting with Junos OS Release
16.1R1, you can configure 0 through 255 as the range for configuring the number of client
alive messages that can be sent without sshd receiving any messages back from the
client. In releases before Junos OS Release 16.1R1, the range for configuring client alive
messages is 1 through 255.
[See client-alive-count-max.]
•
Starting in Junos OS Release 16.1R1, deny-password is the default option for the
system services ssh root-login statement, which controls root login through SSH. In
previous releases, allow was the default option. You must now explicitly configure
the set system services ssh root-login allow option to allow users to log in to the
device as root through SSH.
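The default change above can be audited across a fleet that mixes releases. The following is an added example, not Juniper code: it derives the effective root-login setting from a release string and configuration lines in set format. The function names and the sample inventory are constructed, and comparing only the major.minor prefix of the release is an assumption that fits the 16.1R1 boundary the page names.

```python
import re

# Per the release note: "allow" was the default before Junos OS Release 16.1R1,
# and "deny-password" is the default from 16.1R1 onward.
NEW_DEFAULT_FROM = (16, 1)
VALID_VALUES = {"allow", "deny", "deny-password"}

_RELEASE_RE = re.compile(r"^\s*(\d+)\.(\d+)")
_SSH_RE = re.compile(r"^set\s+system\s+services\s+ssh(\s|$)")
_STMT_RE = re.compile(
    r"^(set|delete|deactivate)\s+system\s+services\s+ssh\s+root-login(?:\s+(\S+))?$"
)


def default_root_login(release):
    """Return the release default, comparing only the major.minor prefix."""
    m = _RELEASE_RE.match(release)
    if m is None:
        raise ValueError(f"unrecognized release string: {release!r}")
    family = (int(m.group(1)), int(m.group(2)))
    return "deny-password" if family >= NEW_DEFAULT_FROM else "allow"


def effective_root_login(release, set_lines):
    """Return (value, source) for a device's SSH root-login behaviour.

    set_lines is assumed to be set-format configuration text. Only the exact
    root-login statement is tracked; a deactivated parent stanza is out of scope.
    """
    ssh_configured = False
    explicit = None
    for raw in set_lines:
        line = raw.strip()
        if _SSH_RE.match(line):
            ssh_configured = True
        m = _STMT_RE.match(line)
        if m is None:
            continue
        verb, value = m.groups()
        if verb in ("delete", "deactivate"):
            explicit = None          # statement no longer applies; default rules
        elif value in VALID_VALUES:
            explicit = value         # the last explicit statement wins
        else:
            raise ValueError(f"unexpected root-login value in: {raw!r}")
    if not ssh_configured:
        return "disabled", "ssh not configured"
    if explicit is not None:
        return explicit, "explicit"
    return default_root_login(release), "release default"


def audit_fleet(devices):
    """List (hostname, release, source) for devices whose effective setting is allow."""
    findings = []
    for hostname, release, set_lines in devices:
        value, source = effective_root_login(release, set_lines)
        if value == "allow":
            findings.append((hostname, release, source))
    return findings


# Constructed sample inventory (hostnames and configurations are made up).
SAMPLE_FLEET = [
    ("mx-edge-1", "15.1R4", ["set system host-name mx-edge-1",
                             "set system services ssh protocol-version v2"]),
    ("mx-edge-2", "16.1R4", ["set system services ssh root-login allow"]),
    ("mx-core-1", "16.1R4", ["set system services ssh"]),
    ("t-core-2", "14.2R7", ["set system services ssh root-login deny"]),
    ("mx-agg-3", "16.1R3", ["set system services ssh root-login allow",
                            "deactivate system services ssh root-login"]),
]

if __name__ == "__main__":
    for finding in audit_fleet(SAMPLE_FLEET):
        print(finding)
```

A device upgraded from an earlier release to 16.1R1 or later with no explicit statement moves from allow to deny-password, which is why the source of each value is reported alongside it.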
General Routing
•
New option introduced under show | display xml | display—Starting in Junos OS 16.1R1,
you can use the show | display xml | display | mark-changed statement to view the
"mark-changed" status of the nodes. This is useful for debugging purposes.
•
Enhancement to request support information command—Starting in Junos OS Release
16.1R1, the request support information command is enhanced to capture the following
additional details:
•
file list detail /var/rundb/—Displays the size of configuration databases.
•
show system configuration database usage—Displays the actual usage of configuration
database.
NOTE: This information will be displayed only if the show system
configuration database usage command is supported in the release.
•
file list detail /config/—Contains the db_ext file and shows the size of it to indicate
whether extend_size is enabled or disabled.
•
Modified output of the clear services sessions | display xml command (MX Series)—In
Junos OS Release 16.1, the output of the clear services sessions | display xml command
is modified to include the <sess-marked-for-deletion> tag instead of the <sess-removed>
tag. In releases before Junos OS Release 14.1X55-D30, the output of this command
includes the <sess-removed> tag. The replacement of the <sess-removed> tag with
the <sess-marked-for-deletion> tag aims at establishing consistency with the output
of the clear services sessions command that includes the field Sessions marked for
deletion.
•
For the routing command, starting in Junos 15.1F3, 15.1R2, 15.1R3, and 15.2R1, 64-bit
mode is enabled by default on systems that support it and which have at least 16 GB
of RAM.
•
The as-path-ignore command is supported for routing instances starting with Junos
OS Release 14.1R8, 14.2R7, 15.1R4, 15.1F6, and 16.1R1.
Interfaces and Chassis
•
Change in enforcement of vtmapping restriction for Channelized OC3/STM1
(Multi-Rate) Circuit Emulation MIC with SFP (H)—Starting with Junos OS Release
16.1, a commit error occurs when you include the vtmapping statement under the [edit
interfaces interface-name sonet-options] hierarchy for cau4 interfaces on the Channelized
OC3/STM1 (Multi-Rate) Circuit Emulation MIC with SFP (H). Prior to Junos OS Release
16.1R1, a commit error was not displayed when this restriction was violated.
•
Starting in Junos OS Release 16.1R4, the show interfaces queue remaining-traffic
command now displays egress remaining queue statistics on the aggregated Ethernet
interfaces on the MX Series routers.
•
Support for automatic enabling of flow control for MACsec (MX Series)—Starting
in Junos OS Release 16.1R2, when Media Access Control Security (MACsec) is enabled
on an interface, the interface flow control capability is enabled by default, regardless
of the configuration that you set using the (flow-control | no-flow-control) statement
at the [edit interfaces interface-name gigether-options] hierarchy level. When MACsec
is disabled, interface flow control is restored to the configuration that you set using
the flow-control statement at the [edit interfaces] hierarchy level. When MACsec is
enabled, additional header bytes are added to the packet by the MACsec PHY. With
line rate traffic, when MACsec is enabled and flow control is disabled, the pause frames
sent by the MACsec PHY are terminated by the MIC’s MAC (enhanced 20-port Gigabit
Ethernet MICs on MX Series routers) and not transferred to the Packet Forwarding
Engine, causing framing errors. Therefore, when MACsec is enabled on an interface,
flow control is also automatically enabled on such an interface.
•
Starting in Junos OS Release 16.1, the show pfe statistics traffic command now displays
the following fabric statistics:
•
Fabric Input packets—Number and rate of incoming fabric packets
•
Fabric Output packets—Number and rate of outgoing fabric packets
[See show pfe statistics traffic.]
Junos OS XML API and Scripting
•
Support for a configuration revision identifier to enable the NMS to determine
synchronization status of devices (MX Series and T Series)—Starting in Junos OS
Release 16.1, a configuration revision identifier string, the <commit-revision-information>
tag, is supported within the <commit-results> tag. The configuration revision identifier
is used to determine whether the configuration settings on devices being managed by
a network management server (NMS) application are in synchronization (sync) with the
CLI of devices running Junos OS. In a real-world network deployment, out-of-band
configuration commits might occur on a device, such as during a maintenance window
for support operations. In such cases, the NMS application queries Junos OS to retrieve
the latest revision number and compares it against the revision number stored locally
to validate whether it is out-of-sync or in-sync with the device to detect the out-of-band
commits.
•
Changes to Python automation script execution requirements and access privileges
(MX Series and T Series)—Starting in Junos OS Release 16.1R3, unsigned Python
commit, event, op, and SNMP scripts must be owned by either the root user or a user
in the Junos OS super-user login class, and only the file owner can have write permission
for the file. In Junos OS Release 16.1R2 and earlier releases, unsigned Python scripts
must be owned by the root user.
Furthermore, starting in Junos OS Release 16.1R3, you can execute Python automation
scripts using the access privileges of authorized users. Interactive Python scripts, such
as commit and op scripts, run with the access privileges of the user who executes the
command or operation that invokes the script. Noninteractive Python scripts, such as
event and SNMP scripts, by default, execute under the privileges of the *nix user and
group nobody. To execute the scripts under the access privileges of a specific user,
configure the python-script-user username statement at the [edit event-options
event-script file filename] hierarchy level for event scripts, or the [edit system scripts
snmp file filename] hierarchy level for SNMP scripts. In Junos OS Release 16.1R2 and
earlier releases, Python commit, event, op, and SNMP scripts are executed using the
access privileges of only the user and group nobody.
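The ownership and write-permission rule for unsigned Python scripts can be verified wherever the script files are stored. The following is an added example, not Juniper code: the function names, the directory, and the file names are constructed, and the set of allowed owner UIDs (root plus the accounts in the super-user login class) is an assumption that the operator must supply.

```python
import os
import stat
import tempfile


def check_unsigned_script(path, allowed_uids):
    """Return a list of problems; an empty list means the file meets the rule.

    Rule from the release note: the owner must be root or a user in the
    super-user login class, and only the file owner may have write permission.
    """
    st = os.lstat(path)  # lstat, so a symlink is reported rather than followed
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file"]
    problems = []
    if st.st_uid not in allowed_uids:
        problems.append(f"owner uid {st.st_uid} is not an allowed owner")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        mode = stat.S_IMODE(st.st_mode)
        problems.append(f"mode {mode:04o} grants write access beyond the owner")
    return problems


def scan_script_dir(directory, allowed_uids):
    """Check every .py file in a directory; returns {file name: [problems]}."""
    report = {}
    for name in sorted(os.listdir(directory)):
        if name.endswith(".py"):
            path = os.path.join(directory, name)
            report[name] = check_unsigned_script(path, allowed_uids)
    return report


def demo():
    """Scan constructed sample files, once with the current user allowed as
    owner and once with a different UID allowed, and return both reports."""
    me = os.getuid()
    samples = (
        ("ok_op.py", 0o644),           # owner-only write: passes the mode check
        ("group_w_event.py", 0o664),   # group-writable: rejected
        ("world_w_snmp.py", 0o646),    # world-writable: rejected
    )
    with tempfile.TemporaryDirectory() as d:
        for name, mode in samples:
            path = os.path.join(d, name)
            with open(path, "w") as fh:
                fh.write("print('constructed sample')\n")
            os.chmod(path, mode)
        # A symlink named like a script must not be accepted as one.
        os.symlink(os.path.join(d, "ok_op.py"), os.path.join(d, "link_commit.py"))
        owned = scan_script_dir(d, allowed_uids={me})
        foreign = scan_script_dir(d, allowed_uids={me + 1})
    return owned, foreign


if __name__ == "__main__":
    owned_report, foreign_report = demo()
    for label, report in (("owner allowed", owned_report),
                          ("owner not allowed", foreign_report)):
        print(label)
        for name, problems in report.items():
            print(f"  {name}: {'OK' if not problems else '; '.join(problems)}")
```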
Layer 2 Features
•
Discrepancy in the reported BUM traffic—There is a discrepancy in the amount of
BUM traffic reported on the aggregated Ethernet (AE) link between a designated
forwarder (DF) and non-DF router. In an active-active configuration, the interface on
the router in a DF role reports receiving twice as many packets as was sent from the
interface of the router in a non-DF role.
•
Option to display the age of a single MAC entry—Beginning with Junos OS Release
16.1, a new option age is added to the command show vpls mac-table to display the
age of a single MAC address for a given VPLS instance. For GE interfaces, age displays
the MAC address aging time for a given VPLS instance. For AE interfaces, the age is
reported for a given VPLS instance, separately for all the line cards.
[See show vpls mac-table.]
•
Option to display the age of a single MAC entry—Beginning with Junos OS Release
16.1, a new option age is added to the command show bridge mac-table to display the
age of a single MAC address for a given bridge. For GE interfaces, age displays the MAC
address aging time for a given bridge instance. For AE interfaces, the age is reported
for a given bridge instance, separately for all the line cards.
[See show bridge mac-table.]
•
Option to display the age of a single MAC entry—Beginning with Junos OS Release
16.1, a new option age is added to the command show evpn mac-table to display the
age of a single MAC address for a given EVPN instance.
[See show evpn mac-table.]
•
Support for configuring MAC move parameters globally (MX Series)—Starting in
Junos OS Release 16.1, you can configure parameters for media access control (MAC)
address move reporting by including the global-mac-move statement and its
substatements at the [edit protocols l2-learning] hierarchy level. When a MAC address
appears on a different physical interface or within a different unit of the same physical
interface and this behavior occurs frequently, it is considered a MAC move. You can
configure the router to report a MAC address move based on the following parameters:
the number of times a MAC address move occurs, a specified period of time over which
the MAC address move occurs, and the specified number of times a MAC address move
occurs in one second.
Management
•
Support for status deprecated statement in YANG modules (MX Series and T
Series)—Starting with Junos OS Release 16.1R2, Juniper Networks YANG modules
include the status deprecated statement to indicate configuration statements,
commands, and options that are deprecated.
•
XPath expressions for specific YANG keywords disabled during commit operations
(MX Series and T Series)—Starting in Junos OS Release 16.1R2, XPath expression
evaluations for the following YANG keywords are disabled by default during commit
operations: leafref, must, and when. Prior to Junos OS Release 16.1R2, Junos OS
evaluates the constraints for these keywords, which can result in longer commit times.
MPLS
•
LSPs displayed in lexicographic order (MX Series)—Starting with Junos OS Release
16.1, the LSPs are displayed in lexicographic order in the output of the show mpls lsp
command. In earlier releases, this command displayed the LSPs in the order in which
they were configured.
•
Inline BFD support on IRB interfaces (MX Series routers with MPCs or MICs)—Starting
with Junos OS Release 16.1, the inline BFD sessions transmitted or received from FPC
hardware are supported on integrated routing and bridging (IRB) interfaces. This
enhancement is available only on MX Series routers with MPCs/MICs that have
configured the enhanced-ip option.
•
Point-to-multipoint LSP ping echo reply ignored on Juniper side in Cisco-Juniper
interoperability (MX Series and T Series)—Currently, in a Juniper-Cisco interoperation
network scenario, a point-to-multipoint LSP ping echo reply message from a Cisco
device in a different IGP area is dropped on the Juniper device when the source address
of the reply message is an interface address other than the loopback address or router
ID.
Starting with Junos OS Release 14.2R6, 15.1R4, 16.1, and later releases, such
point-to-multipoint LSP ping echo reply messages are accepted by the Juniper device
and the messages get logged as uncorrelated responses.
Network Management and Monitoring
•
Updated unified container set in enterprise-specific Chassis MIB (MX Series)—Starting
with Junos OS Release 16.1, the Juniper Networks enterprise-specific Chassis MIB
(jnxBoxAnatomy) provides a unified container set that represents all supported MX
Series chassis types when MX Series Virtual Chassis mode is active.
•
New lease query and bulk lease query definitions for the DHCP MIB (MX
Series)—Starting in Junos OS Release 16.1R1, the DHCP MIB, jnx-jdhcp.mib, now includes
the following definitions to collect statistics for DHCP lease query and bulk lease query
messages for DHCP local server and DHCP relay:
In jnxJdhcpLocalServerStatistics:
jnxJdhcpLocalServerLeaseQueryReceived
jnxJdhcpLocalServerBulkLeaseQueryReceived
jnxJdhcpLocalServerLeaseActiveSent
jnxJdhcpLocalServerLeaseUnknownSent
jnxJdhcpLocalServerLeaseUnAssignedSent
jnxJdhcpLocalServerLeaseQueryDoneSent
In jnxJdhcpRelayStatistics:
jnxJdhcpRelayLeaseQuerySent
jnxJdhcpRelayBulkLeaseQuerySent
jnxJdhcpRelayLeaseActiveReceived
jnxJdhcpRelayLeaseUnknownReceived
jnxJdhcpRelayLeaseUnAssignedReceived
jnxJdhcpRelayLeaseQueryDoneReceived
•
SNMP proxy feature (MX Series)—Starting with Junos OS Release 16.1, you must
configure the interface <interface-name> statement at the [edit snmp] hierarchy level for
the proxy SNMP agent. Earlier, configuring an interface for the proxy SNMP agent was not
mandatory.
•
MIB object ifOutErrors to display four types of errors—Starting in Junos OS Release
16.1, the MIB object ifOutErrors, which used to display only the errors on a particular
interface, will now display the sum of the following four types of errors to match the
CLI output of the command show interfaces interface_name extensive:
•
oerrors
•
oqdrops
•
oresourcerrors
•
bo_tx_drops
Previously, SNMP ifOutErrors always showed as zero.
•
Change in the output of snmp mib walk of the jnxVpnIfStatus MIB object (MX
Series)—Starting with Junos OS Release 16.1R1, the show snmp mib walk jnxVpnIfStatus
command provides information for all interfaces, except the Juniper Networks specific
dynamic interfaces.
•
MIB buffer overruns counted only under ifOutDiscards (MX Series)—The change
made through PR 1140400 introduced a CVBC in which qdrops (buffer overruns) were counted
under ifOutErrors along with ifOutDiscards. This is contrary to RFC 2863, under which buffer
overruns should be counted only under ifOutDiscards and not under ifOutErrors. In
Junos OS Release 16.1R4, this is now fixed.
•
Juniper MIBs Loading Errors Fixed (MX Series)—In Junos OS Release 16.1R3, duplicated
entries and errors while loading MIBs on ManageEngine MIB browser are fixed for the
following MIB files:
•
jnx-chas-defines.mib
•
jnx-gen-set.mib
•
jnx-ifotn.mib
•
jnx-optics.mib
[See MIB Explorer.]
Operation, Administration, and Maintenance (OAM)
•
Change in behavior of the Ethernet OAM CFM process (MX Series)—Starting in Junos
OS Release 16.1R1, when you deactivate the connectivity fault management (CFM)
protocol, the CFM process (cfmd) stops. When you activate CFM protocol, cfmd starts.
In releases before Junos OS Release 16.1R1, when you deactivate the CFM protocol, the
CFM process continues to run.
•
Support for damping connectivity fault management (CFM) performance monitoring
traps and notifications to prevent congestion (MX Series routers)—Starting with
Junos OS Release 16.1R4, you can dampen the performance monitoring
threshold-crossing traps and notifications that are generated every time a
threshold-crossing event occurs to prevent congestion of the network management
system (NMS). Damping limits the number of jnxSoamPmThresholdCrossingAlarm
traps sent to the NMS by summarizing the flap occurrences over a period of time, known
as the flap trap timer, and sends a single jnxSoamPmThresholdFlapAlarm notification
to the NMS. You can configure the duration of the flap trap timer to any value from 1
through 360 seconds.
The jnxSoamPmThresholdFlapAlarm notification is generated and sent when the
following conditions are met:
•
At least one flap has occurred when the flap timer has expired.
•
You changed the value of the flap trap timer, which caused the timer to stop.
To enable damping at the global level, for the iterator, use the following command:
set protocols oam ethernet cfm performance-monitoring sla-iterator-profiles profile-name
flap-trap-monitor.
To enable damping at the threshold type of an iterator—for instance,
avg-fdv-twoway-threshold—use the following command: set protocols oam ethernet
cfm performance-monitoring sla-iterator-profiles profile-name avg-fdv-twoway-threshold
flap-trap-monitor.
To disable damping at the global level, for the iterator, use the following command:
delete protocols oam ethernet cfm performance-monitoring sla-iterator-profiles
profile-name flap-trap-monitor.
To disable damping at the threshold type of an iterator—for instance,
avg-fd-twoway-threshold—use the following command: delete protocols oam ethernet
cfm performance-monitoring sla-iterator-profiles profile-name avg-fd-twoway-threshold
flap-trap-monitor.
Platform and Infrastructure
•
The length of TACACS messages allowed on JUNOS devices has been increased from
8150 to 65535 bytes. PR1147015
Routing Policy and Firewall Filters
•
New policy actions to set and modify AIGP attribute (MX Series and T
Series)—Beginning with Junos OS 16.1, a new policy action metric-aigp is added to
configure the accumulated interior gateway protocol (AIGP) metric value as the IGP
metric, and aigp-adjust is introduced to modify the configured AIGP attribute, at the
[edit policy-options policy-statement policy-name term term-name then] and
[edit policy-options policy-statement policy-name then] hierarchy levels. You can make
minor adjustments on the AIGP from another AS or for scaling from one IGP domain to
another.
[See aigp-adjust.]
Routing Protocols
•
New option to configure the bandwidth-based metric (MX Series)—Beginning with
Junos OS Release 16.1, you can configure the delay time that IS-IS takes before
replacing the metric with a new metric value when the bundle changes from a worse
metric to a better metric. The new configuration option interface-group-holddown-delay
is available at the [edit protocols isis interface interface-name] hierarchy level.
A new show command show isis interface-group displays the status information for
the specified interface group.
[See show isis interface-group.]
•
New option to configure IPv6 router advertisement preference (MX Series)—Beginning
with Junos OS Release 16.1, you can configure preference for routers, which is
communicated to IPv6 hosts through router advertisements. A new configuration
statement preference is introduced at the [edit protocols router-advertisement interface
interface-name] hierarchy level.
[See preference.]
•
Change in command output for system statistics for IP and IP6—Beginning with
Junos OS Release 16.1, the output of show system statistics ip and show system statistics
ip6 operational commands is modified. The output now displays the field fragment
sessions dropped (queue overflow) for IP instead of fragments dropped (queue overflow),
and fragment sessions dropped (queue overflow) for IP6, instead of fragments that
exceeded limit.
•
Support for generate route with table next-hop (MX Series)—Starting with Junos OS
Release 15.1R3, the generate route with table next-hop feature is supported.
Generated routes are used as the route of last resort. A packet is forwarded to the
route of last resort when the routing tables have no information about how to reach
that packet’s destination.
A generated route becomes active when it has one or more contributing routes. A
contributing route is an active route that is a more specific match for the generated
destination.
A route can contribute only to a single generated route. However, an active generated
route can recursively contribute to a less specific matching generated route.
NOTE: The generate route pointing to table next-hop feature is platform
independent as long as the Packet Forwarding Engine of the platform
supports table next-hop.
•
Support of sham-links on default instances—Starting with Junos OS Release 16.1,
OSPF sham-links are supported on default instances. The cost of the sham-link is
dynamically set to the aigp-metric of the BGP route if no metric is configured on the
sham-link by the user.
•
New option to delay BGP route advertisements (MX Series)—Beginning with Junos
OS Release 15.1F6, you can delay BGP route updates to peers until the forwarding
table is synchronized. This is to avoid premature route advertisements that might result
in traffic loss. A new configuration statement delay-route-advertisements is available
at the [edit routing-instances routing-instance-name protocols bgp group group-name
family inet unicast] hierarchy level. You can configure both minimum and maximum
delay periods to suit your network requirements.
[See delay-route-advertisements.]
•
Contradictory configuration options not allowed—Beginning with Junos OS Release
15.1R4, you cannot configure both resolve and retain options for a statically configured
route at the [edit routing-options] hierarchy level because they behave contradictorily.
Resolved next hops cannot be retained; therefore, you can configure only one of these
options at a time.
•
Support for BGP flow specification for IPv6 on MPC7 line cards—Starting with Junos
OS Release 16.1R2, the BGP flow specification for IPv6 feature is supported on MPC7
line cards. BGP flow specification automates coordination of traffic filtering rules in
order to mitigate distributed denial-of-service attacks.
•
Change in default behavior of router capability (MX Series and PTX Series)—In Junos
OS Releases 15.1F7, 16.1R4, 16.2R2, 16.1X65, and 17.1R1 and later releases, the router capability
TLV distribution flag (S-bit), which controls IS-IS advertisements, is reset so that
the segment routing capable sub-TLV is propagated throughout the IS-IS level and
not advertised across IS-IS level boundaries.
Security
•
Changes to DDoS protection protocol group and packet type support (MX
Series)—Starting in Junos OS Release 16.1, the following changes have been made to
the protocols statement at the [edit system ddos-protection] hierarchy level and to
the output of the show ddos-protection protocols command:
•
Removed the firewall-host protocol group.
•
Removed the unclassified packet type from the mcast-snoop protocol group.
•
Added the unclassified packet type to the tcp-flags protocol group.
•
Changes to distributed denial of service (DDoS) protection protocol groups and
packet types (MX Series, T4000 with FPC5)—Starting in Junos OS Release 16.1, the
following syntax changes have been made:
•
The mlp protocol group has been modified as follows to provide DDoS protection
with full control of the bandwidth:
•
The aging-exc, packets, and vxlan packet types have been removed from the mlp
protocol group.
•
The add, delete, and lookup packet types have been added to the mlp protocol
group. These packets correspond to the MAC learning command codes.
•
The keepalive protocol group has been renamed to tunnel-ka.
•
The firewall-host protocol group and the mcast-copy packet type in the unclassified
protocol groups have been removed from the CLI. They are now classified by the
internal host-bound classification engine on the line card.
•
Changes to distributed denial of service (DDoS) protection default values for MLP
packets (MX Series, T4000 with FPC5)—Starting in Junos OS Release 16.1, the
following default bandwidth (pps) and burst (packets) values apply for MLP packets
by line card:

Policer        MPC1, MPC2, MPC5, and MPC6    MPC3, MPC4, and FPC5
               Bandwidth    Burst            Bandwidth    Burst
aggregate      10,000       20,000           5000         10,000
add            4096         8192             2048         4096
delete         4096         8192             2048         4096
lookup         1024         2048             512          1024
unclassified   1024         1024             512          512
•
Changes to distributed denial of service (DDoS) protection flow detection defaults
(MX Series, T4000 with FPC5)—Starting in Junos OS Release 16.1, flow detection
defaults to disabled for the following protocol groups and packet type, because they
do not have typical Ethernet, IP, or IPv6 headers. Global flow detection does not enable
flow detection for these groups and the packet type.
•
Protocol groups: fab-probe, frame-relay, inline-ka, isis, jfm, mlp, pfe-alive, pos, services.
•
Packet type: unclassified in the ip-opt protocol group.
•
Changes to show ddos-protection protocols command output (MX Series, T4000
with FPC5)—Starting in Junos OS Release 16.1, when you disable DDoS protection
policers on the Routing Engine or on an FPC for a specific packet type, an asterisk is
displayed next to that field in the CLI output. For example, if you issue the following
statements:
user@host# set system ddos-protection protocols mlp lookup disable-routing-engine
user@host# set system ddos-protection protocols mlp lookup fpc 1 disable-fpc
the fields are marked as in the following sample output:
user@host> show ddos-protection protocols mlp lookup
Currently tracked flows: 0, Total detected flows: 0
* = User configured value
Protocol Group: MLP
  Packet type: lookup (MLP lookup request)
    Individual policer configuration:
      Bandwidth:        1024 pps
      ...
    Routing Engine information:
      Bandwidth: 1024 pps, Burst: 2048 packets, disabled*
      Policer is never violated
      Received:  0                   Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 0 pps
        Dropped by aggregate policer: 0
    FPC slot 1 information:
      Bandwidth: 100% (1024 pps), Burst: 100% (2048 packets), disabled*
      Policer is never violated
      Received:  0                   Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 0 pps
        Dropped by aggregate policer: 0
        Dropped by flow suppression:  0
Services Applications
•
Support for RPM probes for IPv4 and IPv6 sources and targets (TX Matrix
Plus)—Starting with Junos OS Release 16.1, you can configure the TXP-T1600,
TXP-T1600-3D, TXP-T4000-3D, or TXP-Mixed-LCC-3D router as the real-time
performance monitoring (RPM) client router (the router or switch that originates the
RPM probes) to send probe packets to the RPM probe server (the device that receives
the RPM probes) that contains an IPv4 or IPv6 address. RPM enables you to configure
active probes to track and monitor traffic. The support for configuring RPM probes and
RPM clients on TX Matrix Plus routers is in addition to the support for RPM that existed
on M Series, MX Series, T1600, and T4000 routers in previous releases.
•
Class pcp-logs and alg-logs are not configured for ms-interface (MX Series)—Starting
with Junos OS Release 16.1R1, for multiservices (ms-) interfaces, you cannot configure
system logging for PCP and ALGs by including the pcp-logs and alg-logs statements
at the [edit services service-set service-set-name syslog host hostname class] hierarchy
level. An error message is displayed if you attempt to commit a configuration that
contains the pcp-logs and alg-logs options to define system logging for PCP and ALGs
for ms- interfaces.
•
Support for configuring maximum number of measured video flows—Starting in
Junos OS Release 16.1, you can configure the maximum number of video flows that
can be measured at a time. To configure the maximum number of flows measured,
include the flow-table-size max-flows statement at the [edit chassis fpc slot
inline-video-monitoring] hierarchy level.
[See Configuring Inline Video Monitoring.]
•
Anycast address 0/0 must not be accepted in the from-clause of Detnat rule (MX
Series)—Starting with Junos OS Release 16.1R1, for multiservices (ms-) interfaces,
anycast configuration is not allowed as the source-address when translation type is
deterministic NAT.
•
Disabling NAT-traversal for IPsec-protected packets (MX Series)—Starting in Junos
OS release 16.1R1, you can include the disable-natt statement at the [edit services
ipsec-vpn] hierarchy level to disable NAT-traversal (NAT-T) on MX Series routers.
When you disable NAT-T, the NAT-T functionality is globally switched off. Also, even
when a NAT device is present between the two IPsec gateways, only Encapsulating
Security Payload (ESP) is used when you disable NAT-T. When NAT-T is configured,
IPsec traffic is encapsulated using the UDP header, and port information is provided
for the NAT devices. By default, Junos OS detects whether either one of the IPsec
tunnels is behind a NAT device and automatically switches to using NAT-T for the
protected traffic. However, in certain cases, NAT-T support on MX Series routers might
not work as desired. Also, you might require NAT-traversal to be disabled if you are
aware that the network uses IPsec-aware NAT. In such cases, you can disable NAT-T.
•
Exclude interfaces support in flowspec (rpd-infra) (MX Series)—Starting in Junos OS
Release 16.1, you can exclude the flowspec filter from being applied to traffic received on specific
interfaces. A new term is added at the beginning of the flowspec filter that accepts
any packet received on these specific interfaces. The new term is a variable that creates
an exclusion list of terms attached to the forwarding table filter as a part of the flow
specification filter.
To exclude the flowspec filter from being applied to traffic received on specific
interfaces, you must first configure a group-id on such interfaces by including the family
inet filter group group-id statement at the [edit interfaces] hierarchy level, and then
attach the flowspec filter with the interface group by including the flow interface-group
group-id exclude statement at the [edit routing-options] hierarchy level. You can
configure only one group-id per routing instance with the set routing-options flow
interface-group group-id statement.
•
Forwarding class and DSCP configuration for sampled packets (MX Series)—Starting
with Junos OS Release 16.1R1, you can configure the forwarding class and the
Differentiated Services Code Point (DSCP) mapping that is applied to exported packets
for inline active flow monitoring. Configure forwarding-class class-name and dscp
dscp-value at the [edit forwarding-options sampling instance instance-name family (inet
| inet6) output flow-server hostname] hierarchy level.
The dscp-value range is 0 through 63 (the default is 0). When the same flow-server is
configured under both the inet and inet6 families in a sampling instance, use the same
dscp value for both flow-server appearances.
The dscp-value is overwritten by the CoS DSCP value if you configure dscp at the [edit
class-of-service] hierarchy level.
•
Support for deterministic NAPT (MX Series)—You can configure deterministic port
block allocation for Network Address Port Translation (NAPT) on MX Series routers
with MS-MPCs or MS-MICs. By configuring deterministic NAPT, you ensure that
translation of the internal host IP address (private IP to public IP and vice versa) is deterministic,
thus eliminating the need for address translation logging for each connection. To use
deterministic port block allocation, you must specify deterministic-napt44 as the
translation type in your NAT rule.
•
Deprecated security idp statements (MX Series)—The [edit security idp] configuration
statements are deprecated for the MX Series for Junos OS Release 16.1R3 and earlier.
•
Change in the default behavior for memory utilization—Starting in Junos OS Release
16.1R1, by default, the software allocates 1024 (1K) entries for IPv4 flow tables. To
allocate fifteen units of 256,000 (256K) IPv4 flow tables, which is the former default
value, enter this configuration from the [edit] hierarchy level:
[edit]
user@host# set chassis fpc slot-number inline-services flow-table-size ipv4-flow-table-size 15
NOTE: Including this statement might result in an FPC restart. Therefore,
it is recommended that you make this configuration change only during a
maintenance window to prevent disruption of network operations.
Software Installation and Upgrade
•
Asia/Kolkata option replaces Asia/Calcutta option in time-zone
statement—Beginning with Junos OS Release 16.1, the time-zone statement has
replaced the Asia/Calcutta option with Asia/Kolkata.
•
request system software add command options updated (MX Series and T
Series)—As of Junos OS Release 16.1, the upgrade-with-config-format option in the
request system software add command is removed. The upgrade-with-config option
applies to the file indicated. Specify .text or .xml. The upgrade-with-config option does
not accept files with the extension .txt.
Subscriber Management and Services
NOTE: Although present in the code, the subscriber management features
are not supported in Junos OS Release 16.1R2. Documentation for subscriber
management features is included in the Junos OS Release 16.1 documentation
set.
•
Including termination reason for user logout events (MX Series)—Starting in Junos
OS Release 16.1, when you enable the user-access flag at the [edit system processes
general-authentication-service traceoptions] hierarchy level, the system log messages
generated for authd include a termination reason for user logout events. In earlier
releases, the log does not report any termination reasons.
Sample output before the behavior change:
Aug 2 15:10:28.181293 UserAccess:[email protected] session-id:19 state:log-out ge-1/1/0.100:100-1
Sample output after the behavior change:
Aug 6 21:15:55.106031 UserAccess:[email protected] session-id:3 state:log-out ge-1/2/0.1:1 reason: ppp lcp-peer-terminate-term-req
Aug 6 21:16:42.654181 UserAccess:[email protected] session-id:4 state:log-out ge-1/2/0.1:1 reason: ppp lower-interface-down
Aug 6 21:17:43.991585 UserAccess:[email protected] session-id:5 state:log-out ge-1/2/0.1:1 reason: aaa shutdown-session-timeout
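One way to consume the termination reason when reviewing authd traces, as an added example that is not part of the release notes or of Juniper's tooling. The field layout is assumed from the sample output above, and the user names, sample lines, and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample trace lines (user names are made up). The first line uses
# the older layout without a reason; the last record is wrapped across two
# lines, as can happen when trace output is copied from a terminal or document.
SAMPLE_LOG = """\
Aug  2 15:10:28.181293 UserAccess:alice@example.net session-id:19 state:log-out ge-1/1/0.100:100-1
Aug  6 21:15:55.106031 UserAccess:bob@example.net session-id:3 state:log-out ge-1/2/0.1:1 reason: ppp lcp-peer-terminate-term-req
Aug  6 21:16:42.654181 UserAccess:carol@example.net session-id:4 state:log-out ge-1/2/0.1:1 reason: ppp lower-interface-down
Aug  6 21:17:43.991585 UserAccess:dave@example.net session-id:5
state:log-out ge-1/2/0.1:1 reason: aaa shutdown-session-timeout
"""

# Layout assumed from the samples: "Mon D HH:MM:SS.usec UserAccess:<user>
# session-id:<n> state:log-out <interface> [reason: <component> <cause>]".
TIMESTAMP = r"[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\.\d+"
RECORD_START = re.compile("^" + TIMESTAMP + r"(?:\s|$)")
LOGOUT = re.compile(
    "^(?P<ts>" + TIMESTAMP + r")\s+"
    r"UserAccess:(?P<user>\S+)\s+"
    r"session-id:(?P<sid>\d+)\s+"
    r"state:log-out\s+"
    r"(?P<interface>\S+)"
    r"(?:\s+reason:\s+(?P<reason>.+?))?\s*$"
)


def join_wrapped(text):
    """Re-join wrapped records: a line that does not begin with a
    timestamp is treated as the continuation of the previous record."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_logouts(text):
    """Return one dict per log-out record; 'reason' is None when the
    record carries no termination reason (older layout)."""
    events = []
    for record in join_wrapped(text):
        m = LOGOUT.match(record)
        if not m:
            continue  # not a UserAccess log-out record
        reason = m.group("reason")
        events.append({
            "timestamp": m.group("ts"),
            "user": m.group("user"),
            "session_id": int(m.group("sid")),
            "interface": m.group("interface"),
            # First token of the reason names the reporting component
            # ("ppp", "aaa" in the samples).
            "component": reason.split(None, 1)[0] if reason else None,
            "reason": reason,
        })
    return events


def reason_counts(events):
    """Tally termination reasons so unusual spikes stand out."""
    return Counter(e["reason"] or "<no reason logged>" for e in events)


def sessions_without_reason(events):
    """Session IDs whose log-out record has no reason field."""
    return [e["session_id"] for e in events if e["reason"] is None]


if __name__ == "__main__":
    parsed = parse_logouts(SAMPLE_LOG)
    for reason, count in reason_counts(parsed).most_common():
        print(f"{count:3d}  {reason}")
    print("no reason:", sessions_without_reason(parsed))
```

Records without a reason field indicate traces collected before the behavior change, so a mixed result is a quick way to spot devices that have not yet been upgraded.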
•
Change in support for L2TP statistics-related commands (MX Series)—Starting in
Junos OS Release 16.1, statistics-related show services l2tp commands cannot be
issued in parallel with clear services l2tp commands from separate terminals. In earlier
releases, you can issue these show and clear commands in parallel. Now, when any of
these clear commands is running, you must press Ctrl+c to make the clear command
run in the background before issuing any of these show commands.
NOTE: You cannot run multiple clear services l2tp commands from separate
terminals. This behavior is unchanged.
[See clear services l2tp destination, clear services l2tp session, and clear services l2tp
tunnel.]
•
Support for longer CHAP challenge local names (MX Series)—Starting in Junos OS
Release 16.1, the supported length of the CHAP local name is increased to 32 characters.
In earlier releases, only 8 characters are supported even though the CLI allows you to
enter a longer name. You can configure the name with the local-name statement at
the [edit dynamic-profiles profile-name interfaces pp0 unit “$junos-interface-unit”
ppp-options] or [edit dynamic-profiles profile-name interfaces
"$junos-interface-ifd-name" unit “$junos-interface-unit” ppp-options] hierarchy level.
The maximum length of the local name for PAP authentication remains unchanged
at 8 characters.
[See Configuring the PPP Challenge Handshake Authentication Protocol.]
•
Local DNS configurations available when authentication order is set to none (MX
Series)—Starting in Junos OS Release 16.1, subscribers get the DNS server addresses
when both of the following are true:
•
The authentication order is set to none at the [edit access profile profile-name
authentication-order] hierarchy level.
•
A DNS server address is configured locally in the access profile with the
domain-name-server, domain-name-server-inet, or domain-name-server-inet6
statement at the [edit access profile profile-name] hierarchy level.
In earlier releases, subscribers get an IP address in this situation, but not the DNS server
addresses.
•
Increased maximum limits for accounting and authentication retries and timeouts
(MX Series)—Starting in Junos OS Release 16.1, you can configure a maximum of 100
retry attempts for RADIUS accounting (accounting-retry statement) or authentication
(retry statement). In earlier releases, the maximum value is 30 retries. You can also
configure a maximum timeout of 1000 seconds for RADIUS accounting
(accounting-timeout statement) or authentication (timeout statement). In earlier
releases the maximum timeout is 90 seconds.
NOTE: The maximum retry duration (the number of retries times the length
of the timeout) cannot exceed 2700 seconds. An error message is displayed
if you configure a longer duration.
[See Configuring Router or Switch Interaction with RADIUS Servers.]
•
Change in Routing Engine-based CPCD (MX Series)—Starting in Junos OS Release
16.1, you must specify a URL with the redirect statement. You must also specify
destination-address address with the rewrite statement. In earlier releases, you can
successfully commit the configuration without these options.
•
Change in displayed value of LCP State field for tunneled subscriber sessions (MX
Series)—Starting in Junos OS Release 16.1, when a subscriber session has been tunneled
from the LAC to the LNS, the LCP State field displayed by the show interfaces pp0.unit
command has a value of Stopped, which correctly reflects the actual state of the LCP
negotiation (because at this stage LCP is terminated at the LNS).
In earlier releases, this field incorrectly shows a value of Opened, reflecting the state
of LCP negotiation before tunneling started. In earlier releases, you must issue the show
ppp interface.unit command to display the correct LCP state.
•
Improved result code reporting in stopCCN and CDN messages (MX Series)—Starting
in Junos OS Release 16.1, the LAC provides more accurate result codes and always
includes error messages in the Result-Error Code AVP (1) included in the stopCCN and
CDN messages that it sends to the LNS. Packet captures display the relevant
information in the Result code, Error code, and Error Message fields of the AVP.
In earlier releases, the result code does not provide sufficient information about the
cause of the event, and the error message is omitted for some result codes.
•
Improved show interfaces interface-set command output (MX Series)—Starting in
Junos OS Release 16.1R3, the output of the show interfaces interface-set command
can now display mixed-protocol member interfaces when interface-sets are configured
in the dynamic profile using the predefined variable,
$junos-phy-ifd-interface-set-name.
This display enhancement is necessary for a heterogeneous topology where both
residential PPPoE subscribers and wholesaled (L2BSA) subscribers share the same
access-facing physical interface. In earlier releases, the command output displays
member interfaces only of the same type; for example, either PPPoE or L2BSA.
•
Syntax change for the show ancp neighbor command (MX Series)—Starting in Junos
OS 16.1, to specify a neighbor for display, the show ancp neighbor command allows you
to enter either an IP address or a MAC address for the neighbor:
show ancp neighbor <brief | detail> <ip-address ip-address | system-name mac-address>
In earlier releases, the CLI permitted you to enter both an IP address and a MAC
address to specify a neighbor.
•
Changes to show ancp subscriber and clear ancp subscriber commands (MX
Series)—Starting in Junos OS Release 16.1, multiple simultaneous filtering options are
no longer allowed for the show ancp neighbor, show ancp subscriber, and clear ancp
subscriber commands. In earlier releases, you can issue commands with both the
identifier and neighbor options or both the ip-address and system-name options on the
same line. Now you can enter only one of these options at a time.
To improve consistency, the neighbor option has been replaced with ip-address for the
show ancp subscriber command, to match the show ancp neighbor, clear ancp neighbor,
and clear ancp subscriber commands. For example, to display information about
subscribers connected to a specific access node identified by its address, use the show
ancp subscriber ip-address ip-address command; in earlier releases you use the show
ancp subscriber neighbor ip-address command.
The system-name mac-address option is now available for the show ancp subscriber
and clear ancp subscriber commands.
•
Enhancements to test aaa statements for VLAN-OOB subscribers (MX
Series)—Starting in Junos OS Release 16.1, you can use the no-address-request option
with the test aaa dhcp user and test aaa ppp user statements for testing subscribers in
a Layer 2 scenario where no address allocation request is required.
The output of these two statements now displays two additional user attributes.
Dynamic Profile is the name of the profile received in the Client-Profile-Name VSA
(26-174). Routing Instance is the name of the routing instance conveyed by the
Virtual-Router VSA (26-1). The existing Virtual Router Name attribute is the locally
configured name of the logical system.
[See Testing a Subscriber AAA Configuration.]
•
Subscriber secure policies and service change of authorization requests (MX
Series)—Starting in Junos OS Release 16.1, a subscriber secure policy cannot be
instantiated by a CoA that includes any other subscriber service activation or
deactivation. Use a separate CoA to apply a subscriber secure policy.
•
Change to test aaa commands (MX Series)—Starting in Junos OS Release 16.1R2, the
following changes have been made to the test aaa ppp user, test aaa dhcp user, and
test aaa authd-lite user commands:
•
Attributes not supported by Junos OS no longer appear in the output.
•
The Virtual Router Name and Routing Instance fields have been combined into the
new Virtual Router Name (LS:RI) field. The value of this field matches the Juniper
Networks Virtual-Router VSA (26-1), if present; otherwise the field displays
default:default.
•
The value for any attribute that is not received (except for 26-1), or set locally, is
displayed as <not set>.
•
The Redirect VR Name field has been renamed to Redirect VR Name (LS:RI).
•
In the CLI output header section, the Attributes area has been renamed to User
Attributes.
•
Supported attributes now always appear in the display, even when their values are
not set.
•
The IGMP field has been renamed to IGMP Enable.
•
The IGMP Immediate Leave and the MLD Immediate Leave default values have
changed from disabled to <not set>.
•
The Chargeable user identity value has changed from an integer to a string.
•
The Virtual Router Name field has been added to the display for the DHCP client.
•
Change to using the UID as part of a variable expression (MX Series)—Starting in
Junos OS Release 16.1, you cannot use the UID (the unique identifier of variables defined
in dynamic profiles) as part of a variable expression, because the hierarchy of evaluation
is as follows:
•
The user variable expressions are first evaluated for the UIDs to be resolved.
•
If the expression contains UIDs, it might result in unpredictable results.
Using a variable expression with a UID now results in a commit check failure.
•
Change to the show network-access aaa commands (MX Series)—Starting in Junos
OS Release 16.1, the outputs from the show network-access aaa statistics authentication
detail command and the show network-access aaa radius-servers detail command
have changed as follows:
•
The Accounting request timeouts field displayed by the show network-access aaa
statistics authentication detail command has been renamed to Timed out requests.
•
The Round Trip Time field of the show network-access aaa radius-servers detail
command has been renamed to Last Round Trip Time.
•
Subscriber management support for rpd in 64-bit mode (MX Series)—Starting in
Junos OS Release 16.1, subscriber management is now supported when the routing
protocol daemon (rpd) is running in 64-bit mode. In earlier releases, subscriber
management support required rpd to run in 32-bit mode.
•
Extended range for RADIUS request rate (MX Series)—Starting in Junos OS Release
16.1, the range for the request-rate statement at the [edit access radius-options]
hierarchy level has been extended to 100 through 4000 requests per second. In earlier
releases, the range is 500 through 4000 requests per second. The default value is
unchanged at 500 requests per second.
•
Variable substitution change of authorization (CoA) behavior now the same as
service activation CoA—Starting with Junos OS Release 16.1R2, variable substitution
change of authorization (CoA) now behaves the same as service activation CoA.
Variable substitution CoA, however, only occurs after the login, the authentication
phase, and the service activation phase have occurred.
The authentication phase occurs at login.
The service activation phase occurs:
•
During login with the reception of an Access-Accept message from the RADIUS
server in response to an Access-Request message
•
After login, when a CoA request message is sent from the RADIUS server
NOTE: Service activation is independent of variable substitution CoA. While
service activation can occur at login, it can also occur afterward, with or
without variable substitution CoA, in any order, and can occur multiple
times.
In both cases, the Access-Accept and CoA-Request messages sent from the RADIUS
server contain the name of a service profile configured in the router that is to be applied
to the client.
A variable substitution CoA is processed in the same way as a service profile CoA with
respect to the Class of Service (CoS) Adjustment Control Profile when the overhead
accounting mode, or bytes, or both, are not provided in the variable substitution CoA,
and differ from those specified in the client profile. If the overhead accounting mode
or bytes, or both, are not specified, these values come from the client profile; otherwise
the defaults (which are typically Frame Mode and 0 bytes, respectively) are used.
The entire client profile is modified, if not replaced, with service activation. In the case
of a variable substitution CoA, only specified variables in the existing client profile are
modified. With this change, if the shaping rate is specified in the variable substitution
CoA, but the overhead accounting mode, bytes, or both are not specified, the unspecified
values come from the last configured values (sourced from the TCP, whether explicitly
defined, or populated from a RADIUS server) in the client profile. The unspecified values
do not come from the adjusting application (ANCP, PPPOE, or DHCP) values in the
client profile, which may be presently applied. The overhead accounting mode, bytes,
or both are now modified if left unspecified in a variable substitution CoA that modifies
the shaping rate. This has always been the case for service activation, but now a variable
modification CoA also correctly handles this case.
•
L2TP statistics now included in the output of the show system subscriber-management
statistics command—Starting in Junos OS Release 16.1, a new option displays the L2TP
plugin statistics in the output of the show system subscriber-management statistics
command.
The possible completions for the show system subscriber-management statistics
command are:
•
<[Enter]> executes this command
•
all—Displays all statistics
•
dhcp—Displays the DHCP statistics
•
dvlan—Displays the DVLAN statistics
•
l2tp—Displays the L2TP statistics
•
ppp—Displays the PPP statistics
•
pppoe—Displays the PPPoE statistics
•
|—Pipes through a command
•
Error messages generated for L2TP access concentrator (LAC) logins can be
prevented from appearing in the syslogs—Starting with Junos OS Release 16.1, setting
the syslogs log level to WARNING or higher prevents error messages generated for
Layer 2 Tunneling Protocol (L2TP) subscribers from appearing in the syslogs. The
syslogs are L2TP packet statistics counters (Rx/Tx) that are displayed every minute.
If no packets are received or L2TP is not configured, these messages do not appear in
the syslogs.
In earlier releases, the severity of the log level was ERROR, which now has changed to
NOTICE. The error messages are filtered out if the log level is set to WARNING or higher
(ERROR, CRITICAL, ALERT, or EMERGENCY). Setting the log level to NOTICE or lower
(INFORMATIONAL or DEBUG) allows the error messages to appear in the syslogs.
•
VLAN demux interfaces over pseudowire interfaces (MX Series)—Starting in Junos
OS Release 16.1, VLAN demux interfaces are supported over pseudowire subscriber
logical interfaces.
•
Configuring a pseudowire subscriber interface for a logical tunnel (MX
Series)—Starting in Junos OS release 16.1R2, you can configure a pseudowire subscriber
interface and anchor it to a logical tunnel interface without explicitly specifying the
tunnel bandwidth. In earlier releases, if you do not explicitly specify the tunnel
bandwidth, or the tunnel bandwidth is anything other than 1G or 10G, the pseudowire
interface is not created.
•
Automatic limit set for transmit window size (MX Series)—Starting in Junos OS
Release 16.1R2, when the LAC receives a receive window size of more than 128 in the
Start-Control-Connection-Reply (SCCRP) message, it sets the transmit window size
to 128 and logs an Error level syslog message.
In earlier releases, the LAC accepts any value sent in the Receive Window Size
attribute-value pair (AVP 10) from an L2TP peer. Some implementations send a receive
window size as large as 65530. Accepting such a large value causes issues in the L2TP
congestion/flow control and slow start. The router may run out of buffers because it
can support only up to a maximum of 60,000 tunnels.
•
Change in range for PPP keepalive interval (MX Series)—Starting in Junos OS Release
16.1R3, you can configure the PPP keepalive interval for subscriber services in the range
1 second through 600 seconds. Subscriber PPP keepalives are handled by the Packet
Forwarding Engine. If you configure a value greater than 600 seconds, the number is
accepted by the CLI, but the Packet Forwarding Engine limits the interval to 600
seconds. The interval is configured in a PPP dynamic profile with the interval statement
at the [edit dynamic-profiles profile-name interfaces pp0 unit $junos-interface-unit
keepalives] hierarchy level.
In earlier Junos OS 16.1x releases, the range is from 1 second through 60 seconds. The
Packet Forwarding Engine limits any higher configured value to an interval of 60
seconds.
PPP keepalives for nonsubscriber services are handled by the Routing Engine with an
interval range from 1 second through 32,767 seconds.
•
New option to display all pending accounting stops (MX Series)—Starting in Junos
OS Release 16.1R4, the brief option is added to the show accounting
pending-accounting-stops command. This option displays the current count of pending
RADIUS Acct-Stop messages for subscribers, services, and total combined value:
user@host> show accounting pending-accounting-stops brief
Total pending accounting stops: 4
Subscriber pending accounting stops: 2
Service pending accounting stops: 2
•
DNS servers displayed by the show subscribers extensive command (MX
Series)—Starting in Junos OS Release 16.1R4, the display of DHCP domain name servers
(DNS) by the show subscribers extensive command has changed. When DNS addresses
are configured at multiple levels, the command displays only the preferred address
according to this order of precedence: RADIUS > access profile > global access. The
command does not display DNS addresses configured as DHCP local pool attributes.
DNS addresses from RADIUS appear in the following fields: Primary DNS Address,
Secondary DNS Address, IPv6 Primary DNS Address, IPv6 Secondary DNS Address.
DNS addresses from the access profile or the global access configuration appear in
the following fields: Domain name server inet, Domain name server inet6.
In earlier releases, the command displays only DHCP DNS addresses provided by
RADIUS.
•
Traffic shaping and L2TP tunnel switches (MX Series)—Starting in Junos OS Release
16.1R4, when a dynamic profile attaches a statically configured firewall filter to an L2TP
tunnel switch (LTS) session, the filter polices traffic from the LTS (acting as a LAC)
to the ultimate endpoint LNS, in addition to the previously supported traffic from the
LAC to the LTS (acting as an LNS). In previous releases, the firewall filter applied to
only the traffic from the LAC to the LTS.
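As an added illustration of the "Automatic limit set for transmit window size" item above (example code written for this page, not Juniper's implementation): the Python sketch below walks the AVPs of an SCCRP body in the RFC 2661 layout and applies the 128 cap to the peer's Receive Window Size (AVP 10). The function names, the rejection of a zero or hidden value, and the sample bytes are assumptions of the example.

```python
import logging
import struct

log = logging.getLogger("l2tp.sketch")

MAX_TX_WINDOW = 128           # cap described in the release-note item
DEFAULT_TX_WINDOW = 4         # RFC 2661: assumed when the peer sends no AVP 10
AVP_MESSAGE_TYPE = 0
AVP_RECEIVE_WINDOW_SIZE = 10
MSG_TYPE_SCCRP = 2


def build_avp(attr_type, value, mandatory=True):
    """Encode one IETF (vendor ID 0) AVP; used only to construct the sample."""
    flags_len = (0x8000 if mandatory else 0) | (6 + len(value))
    return struct.pack("!HHH", flags_len, 0, attr_type) + value


def iter_avps(body):
    """Yield (vendor_id, attr_type, hidden, value) for each AVP in a message body."""
    offset = 0
    while offset < len(body):
        if len(body) - offset < 6:
            raise ValueError("truncated AVP header at offset %d" % offset)
        flags_len, vendor_id, attr_type = struct.unpack_from("!HHH", body, offset)
        length = flags_len & 0x03FF           # low 10 bits: total AVP length
        hidden = bool(flags_len & 0x4000)     # H bit
        if length < 6 or offset + length > len(body):
            raise ValueError("bad AVP length %d at offset %d" % (length, offset))
        yield vendor_id, attr_type, hidden, body[offset + 6:offset + length]
        offset += length


def transmit_window_from_sccrp(body):
    """Return the transmit window to use after receiving this SCCRP body."""
    avps = list(iter_avps(body))
    sccrp = struct.pack("!H", MSG_TYPE_SCCRP)
    if not avps or avps[0][:2] != (0, AVP_MESSAGE_TYPE) or avps[0][3] != sccrp:
        raise ValueError("not an SCCRP: Message Type AVP must come first")

    advertised = DEFAULT_TX_WINDOW
    for vendor_id, attr_type, hidden, value in avps[1:]:
        if vendor_id != 0 or attr_type != AVP_RECEIVE_WINDOW_SIZE:
            continue
        # Sketch choice: hidden AVPs are not decoded here, and a zero window
        # would stall the control channel, so both are rejected.
        if hidden or len(value) != 2:
            raise ValueError("malformed Receive Window Size AVP")
        (advertised,) = struct.unpack("!H", value)
        if advertised == 0:
            raise ValueError("Receive Window Size of 0")

    if advertised > MAX_TX_WINDOW:
        # The peer-supplied value is untrusted input: never size local
        # buffers from it directly.
        log.error("peer advertised receive window %d; transmit window limited to %d",
                  advertised, MAX_TX_WINDOW)
        return MAX_TX_WINDOW
    return advertised


# Constructed sample: an SCCRP body advertising a receive window of 65530.
SAMPLE_SCCRP = (
    build_avp(AVP_MESSAGE_TYPE, struct.pack("!H", MSG_TYPE_SCCRP))
    + build_avp(AVP_RECEIVE_WINDOW_SIZE, struct.pack("!H", 65530))
)

if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print(transmit_window_from_sccrp(SAMPLE_SCCRP))
```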
System Logging
•
Support for system log message: UI_SKIP_SYNC_OTHER_RE (MX Series)—Starting
with Junos OS Release 16.1R1, configuration synchronization with a remote Routing
Engine is skipped when the configuration is already in sync with another Routing Engine
with database revision.
NOTE: This system log message is generated when the graceful Routing
Engine switchover feature is enabled.
This system log message reports an event, not an error, and has notice as Severity and
LOG_AUTH as Facility.
[See Understanding Graceful Routing Engine Switchover in the Junos OS.]
System Management
•
Change to process health monitor process (MX Series)—Starting in Junos OS Release
15.1R2, the process health monitor process (pmond) is enabled by default on the
Routing Engines of MX Series routers, even if no service interfaces are configured. To
disable the pmond process, include the disable statement at the [edit system processes
process-monitor] hierarchy level.
[See process-monitor.]
•
New option to suppress ARP response from kernel to non-subscribers—Beginning
with Junos OS Release 13.3R9, you can suppress the ARP response from the kernel
when there is an ARP request for a loopback interface from non-subscribers. To drop
ARP requests from non-subscribers, include the non-subscriber-no-response statement
at the [edit system arp] hierarchy level.
[See non-subscriber-no-response.]
User Interface and Configuration
•
New default implementation for serialization for JSON configuration data (MX Series
and T Series)—Starting with Junos OS Release 16.1, the default implementation for
serialization for configuration data emitted in JavaScript Object Notation (JSON) has
changed. The new default is as defined in Internet drafts
draft-ietf-netmod-yang-json-09, JSON Encoding of Data Modeled with YANG, and
draft-ietf-netmod-yang-metadata-06, Defining and Using Metadata with YANG.
[See Mapping Junos OS Configuration Statements to JSON.]
•
output-file-name option for show system schema command is deprecated (MX Series
and T Series)—Starting with Junos OS Release 16.1, the output-file-name option for
the show system schema operational command is deprecated. To direct the output to
a file, use the output-directory option and specify the directory. By default, the filename
for the output file uses the module name as the filename base and the format as the
filename extension. If you also include the module-name option in the command, the
specified module name is used for both the name of the generated module and for
the filename base for the output file.
[See show system schema.]
•
Enhanced output regarding per-CPU usage introduced in Junos OS Release 16.1R3 for
Junos OS with upgraded FreeBSD (MX Series, QFX Series, EX9200, PTX5000)—A
new field in the output of the show system processes extensive command gives the
breakdown of the percent usage on a per-CPU basis into the following categories: %
user, % nice, % system, % interrupt, % idle. This field shows up in the second frame
of output. To see which platforms run Junos OS with upgraded FreeBSD, see
Understanding Junos OS with Upgraded FreeBSD.
•
SLAX scripts included as part of the Junos OS image (MX Series)—Starting in Junos
OS Release 16.1R4, the Stylesheet Language Alternative Syntax (SLAX) scripts
services-oids-ev-policy.slax, services-oids.slax, and utils.slax are included as part of the
Junos OS image and automatically copied to the required location on the router when
you install Junos OS.
•
Integers in configuration data in JSON format are displayed without quotation marks
(MX Series and T Series)—Starting in Junos OS Release 16.1R4, integers in Junos OS
configuration data emitted in JavaScript Object Notation (JSON) format are not
enclosed in quotation marks. Prior to Junos OS Release 16.1R4, integers in JSON
configuration data were treated as strings and enclosed in quotation marks.
Related Documentation
•
New and Changed Features
•
Known Behavior
•
Known Issues
•
Resolved Issues
•
Documentation Updates
•
Migration, Upgrade, and Downgrade Instructions
•
Product Compatibility
Known Behavior
This section contains the known behavior, system maximums, and limitations in hardware
and software in Junos OS Release 16.1R4 for MX Series and T Series.
For the most complete and latest information about known Junos OS defects, use the
Juniper Networks online Junos Problem Report Search application.
•
Forwarding and Sampling
•
General Routing
•
Interfaces and Chassis
•
MPLS
•
Network Management and Monitoring
•
Routing Protocols
•
Software Installation and Upgrade
•
Subscriber Management and Services
•
System Logging
•
User Interface and Configuration
•
VPNs
Forwarding and Sampling
•
On MX Series routers, starting with Junos OS Release 15.1R5, 16.1R3, or later, a new
mechanism is added to the Packet Forwarding Engine to improve forwarding
performance. A noticeable effect of the mechanism is a periodic increase in CPU
utilization.
General Routing
•
Jitter transfer might fail on MX104 router with non-Ethernet MICs—Jitter transfer
might fail on MX104 routers with MIC-3D-1OC192-XFP. This is due to a hardware
limitation and there is no workaround.
•
The date and time zones are synchronized from the admin guest Junos OS to the host OS
on the MX240, MX480, MX960, MX2010, and MX2020 routers, and both use the same time
zones. Therefore, there is no difference in the timestamp in system log files of Junos
OS and the host OS.
•
The temperature conditions of the Routing Engine FRU for RE-MX-X8 are now displayed
correctly. The show chassis zones command now displays the accurate temperature
conditions.
Interfaces and Chassis
•
Reordering of MAC addresses after a Routing Engine switchover—In Junos OS Release
14.2 and later, if you configure multiple aggregated Ethernet interfaces, the MAC address
of the aggregated Ethernet interfaces displayed in the show interfaces ae number
command output might get reordered after a Routing Engine switchover or restart.
As a workaround, you can configure static MAC addresses for aggregated Ethernet
interfaces. Any external dependency, such as filtering of the MAC addresses that are
assigned before the reboot, becomes invalid if the MAC address changes.
MPLS
•
Removal of SRLG details from the SRLG table only on the next reoptimization of
the LSP—If an SRLG is associated with a link used by an ingress LSP in the router, then
on deleting the SRLG configuration from that router, the SRLG gets removed from the
SRLG table only on the next reoptimization of the LSP. Until then, the output displays
Unknown-XXX instead of the SRLG name and a nonzero srlg-cost of that SRLG for the
run show mpls srlg command.
•
The configuration flow-label-transmit and flow-label-receive statements are not
supported in OAM CFM session over L2Circuit.
•
Non-compliance with RFC 6424 causes MPLS LDP traceroute loop—Use of the
traceroute mpls ldp command on devices that do not support RFC 6424, Mechanism
for Performing Label Switched Path Ping (LSP Ping) over MPLS Tunnels, results in a
loop. As a workaround, use the pipe-mode option with the traceroute mpls ldp
command to avoid loops. This can cause some of the intermediate nodes to return a
non-compliant probe status, which is acceptable.
[See traceroute mpls ldp.]
Network Management and Monitoring
•
SNMP— The configuration flow-label-transmit and flow-label-receive statements are
not supported in OAM CFM session over L2Circuit.
•
Configuration recommendation for use with the Junos Space Network Management
Platform (MX Series)—Starting in Junos OS 16.1R3, we recommend that you use the
following configuration for an encryption cipher on any router or switch used with the
Junos Space Network Management Platform. The recommended configuration enables
the Junos Space Network Management Platform to more easily discover the device.
Other configurations may result in a failed SSH negotiation.
[email protected]# set system services ssh ciphers "[email protected]"
[email protected]# set system services ssh ciphers aes256-ctr
[email protected]# set system services ssh ciphers aes192-ctr
[email protected]# set system services ssh ciphers aes128-ctr
[email protected]# set system services ssh ciphers "[email protected]"
[email protected]# set system services ssh ciphers "[email protected]"
[email protected]# set system services ssh ciphers 3des-cbc
[email protected]# set system services ssh ciphers blowfish-cbc
[email protected]# set system services ssh key-exchange curve25519-sha256
[email protected]# set system services ssh key-exchange ecdh-sha2-nistp256
[email protected]# set system services ssh key-exchange ecdh-sha2-nistp384
[email protected]# set system services ssh key-exchange ecdh-sha2-nistp521
[email protected]# set system services ssh key-exchange dh-group14-sha1
[email protected]# set system services ssh key-exchange dh-group1-sha1
[email protected]# set system services ssh key-exchange group-exchange-sha2
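An added example, not part of the Juniper release notes: a Python check that reads set system services ssh statements like the ones above and reports which configured ciphers and key-exchange methods a local policy classes as legacy, so they can be tracked as interoperability exceptions. The legacy list, the user@host# prompt and the function name are assumptions; the sample input is constructed from the legible statements above.

```python
import re

# Assumption of this example (a local policy, not a Juniper list):
# algorithms kept only for interoperability, with the reason.
LEGACY = {
    ("ciphers", "3des-cbc"): "64-bit block cipher in CBC mode",
    ("ciphers", "blowfish-cbc"): "64-bit block cipher in CBC mode",
    ("key-exchange", "dh-group14-sha1"): "SHA-1 exchange hash",
    ("key-exchange", "dh-group1-sha1"): "1024-bit Diffie-Hellman group, SHA-1",
}

# Optional CLI prompt, then the statement, then one (optionally quoted) value.
SET_LINE = re.compile(
    r'^(?:[^#>]*[#>]\s*)?set system services ssh '
    r'(ciphers|key-exchange)\s+"?([^"\s]+)"?\s*$'
)

# Constructed sample input.
SAMPLE_CONFIG = """\
user@host# set system services ssh ciphers aes256-ctr
user@host# set system services ssh ciphers aes192-ctr
user@host# set system services ssh ciphers aes128-ctr
user@host# set system services ssh ciphers 3des-cbc
user@host# set system services ssh ciphers blowfish-cbc
user@host# set system services ssh key-exchange curve25519-sha256
user@host# set system services ssh key-exchange ecdh-sha2-nistp256
user@host# set system services ssh key-exchange ecdh-sha2-nistp384
user@host# set system services ssh key-exchange ecdh-sha2-nistp521
user@host# set system services ssh key-exchange dh-group14-sha1
user@host# set system services ssh key-exchange dh-group1-sha1
user@host# set system services ssh key-exchange group-exchange-sha2
"""


def audit_ssh_algorithms(text):
    """Group configured SSH algorithms and flag the ones listed in LEGACY.

    Returns a dict with:
      configured - {"ciphers": [...], "key-exchange": [...]} in input order
      findings   - [(statement, algorithm, reason), ...]
      unparsed   - lines that are not a recognizable ssh set statement
    """
    configured = {"ciphers": [], "key-exchange": []}
    findings = []
    unparsed = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = SET_LINE.match(line)
        if match is None:
            # Keep what could not be read so it is reviewed by hand
            # instead of being silently treated as compliant.
            unparsed.append(line)
            continue
        statement, algorithm = match.groups()
        if algorithm in configured[statement]:
            continue  # duplicate statement
        configured[statement].append(algorithm)
        reason = LEGACY.get((statement, algorithm))
        if reason:
            findings.append((statement, algorithm, reason))
    return {"configured": configured, "findings": findings, "unparsed": unparsed}


if __name__ == "__main__":
    report = audit_ssh_algorithms(SAMPLE_CONFIG)
    for statement, algorithm, reason in report["findings"]:
        print("%-12s %-16s %s" % (statement, algorithm, reason))
    for line in report["unparsed"]:
        print("review manually:", line)
```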
Routing Protocols
•
BGP advertises inactive routes when advertise-inactive statement is not
configured—When BGP advertises a network layer reachability information (NLRI)
with a label, and the advertised route resides in an xxx.xxx.3 routing table such as inet.3,
Junos OS automatically advertises such inactive routes even if you have not configured
the advertise-inactive statement.
Software Installation and Upgrade
•
Option upgrade-with-config Accepts Only Configuration Files with Extension .text
or .xml (MX Series and T Series)—In the request system software add command, the
upgrade-with-config option does not apply the configuration if the configuration file
has the extension .txt. This option accepts only files with the extension .text or .xml.
Subscriber Management and Services
•
On MX Series routers, when you configure the subscriber-awareness statement on a
service set by committing the set services service-set service-set-name
service-set-options subscriber-awareness statement, service sessions fail to be created.
To avoid this issue, on MX Series routers that support the Service Control Gateway
solution, ensure that the Junos OS Mobility package software is installed on the router.
The Service Control Gateway solution is supported only in 14.1X55 releases. For Junos OS
Releases 14.2, 15.1, and 16.1, ensure that the subscriber-awareness statement is not set.
•
Enhanced subscriber management performance and scale (MX Series)—Starting in
Junos OS Release 16.1, subscriber management supports a denser subscriber scale per
platform, per line card, and per port. It also provides improved performance of call
setup rates. These enhancements are available through a software upgrade, which
retains feature parity with existing broadband edge implementations, except as noted
for “enhanced subscriber management” in these release notes. New hardware is not
required.
The increased scale and faster setup rates apply to PPP client scaling, PPP LAC
sessions, LAC and termination and aggregation (PTA) combinations, and PPP client
scaling over LNS on the PPP interface for IPv4, IPv6, and concurrent sessions. It also
applies to DHCP client scaling stateless address autoconfiguration (SLAAC), IPv6 over
Ethernet, and DHCPv4 clients.
•
Dynamic provisioning in Layer 2 wholesaling (MX Series)—Starting with Release
15.1R3, Junos OS does not support dynamic VLAN mapping into VPLS instances. (You
can still configure static VLAN interface mapping to VPLS instances.) By extension,
dynamic provisioning for Layer 2 wholesaling is also not supported in this release.
The following example shows the statements that are not currently available
(encapsulation vlan-vpls and family vpls at the [edit dynamic interfaces] hierarchy level):
interfaces {
    "$junos-interface-ifd-name" {
        unit "$junos-interface-unit" {
            encapsulation vlan-vpls;
            vlan-id "$junos-vlan-id";
            family vpls;
        }
    }
}
System Logging
•
On MX Series routers, when you configure a rate limit for system log messages by
setting the message-rate-limit statement for a multiservices interface, ensure that the
syslog host option for that interface is configured. This configuration ensures that the
system log statistics reflect the rate limit set for the interface.
User Interface and Configuration
•
Modification to configurable link degrade threshold values (MX Series)—Starting
with Junos OS Release 15.1F7 and 16.1R1, the values of the user-configurable link degrade
thresholds must be configured according to the following guidelines:
•
set threshold value must be greater than warning set threshold value
•
set threshold value must be greater than clear threshold value
•
warning set threshold value must be greater than warning clear threshold value
If the threshold values are not configured as per these guidelines, the configuration
fails and a Commit Error message is displayed.
VPNs
•
Default export EVPN policy has been removed (MX Series)—Starting in Junos OS
Release 16.1R2 and forward, the hidden default EVPN export policy statement
(evpn-pplb) has been removed. To enable and configure load balance per packet for
EVPN, use the existing policy statements:
•
set routing-options forwarding-table export evpn-pplb
•
set policy-options policy-statement evpn-pplb from protocol evpn
•
set policy-options policy-statement evpn-pplb then load-balance per-packet
NOTE: To support EVPN multihoming, you must configure the load-balance
per-packet statement.
Related Documentation
•
New and Changed Features
•
Changes in Behavior and Syntax
•
Known Issues
•
Resolved Issues
•
Documentation Updates
•
Migration, Upgrade, and Downgrade Instructions
•
Product Compatibility
Known Issues
This section lists the known issues in hardware and software in Junos OS Release 16.1R4
for MX Series and T Series.
For the most complete and latest information about known Junos OS defects, use the
Juniper Networks online Junos Problem Report Search application.
•
Class of Service (CoS)
•
Forwarding and Sampling
•
General Routing
•
High Availability (HA) and Resiliency
•
Infrastructure
•
Interfaces and Chassis
•
Junos Fusion Provider Edge
•
Layer 2 Features
•
MPLS
•
Network Management and Monitoring
•
Platform and Infrastructure
•
Routing Protocols
•
Services Applications
•
Software Installation and Upgrade
•
Subscriber Access Management
•
VPNs
Class of Service (CoS)
•
In rare cases, CoS-related queue statistics polling with multiple object identifier (OID)
packing or multiple SNMP clients polling on the same interface simultaneously can
cause cosd to generate a core file and restart. The cosd restart does not impact any
CoS services. PR1199687
Forwarding and Sampling
•
When a policing filter is applied to an active LSP carrying traffic, the LSP resignals and
drops traffic for approximately 2 seconds. It can take up to 30 seconds for the LSP to
come up under the following conditions:
- Creation of the policing filter and application of the same to the LSP through
configuration occurs in the same commit sequence.
- Load override of a configuration file that has a policing filter and policing filter
application to the LSP is followed by a commit.
PR1160669
•
The counter values received through SNMP are sometimes incorrect when you
configure firewall filters for IPv6 flow routes. PR1189258
•
The "default-arp-policer" is applied to every relevant logical interface to rate-limit the
ARP traffic. You can disable the "default-arp-policer" by running the command set
firewall disable-arp-policer. Note that improper application leads to the Routing Engine
getting overloaded with ARP traffic leading to a typical DoS scenario. The issue is that
even after disabling the "default-arp-policer", it still affects IFL in some scenarios, such
as after DUT reboot or when a new IFL is created. The issue is fixed in this PR so that
wherever set firewall disable-arp-policer is configured, in all scenarios
"default-arp-policer" will not get applied to IFL. PR1198107
•
Root cause of the problem: As per the investigation from RPD, what we have is an
interface for a direct route starting in ifdown condition. The remote side is then
brought up, so I/F goes to ifup. Since it is a direct route, rpd does not install the
route or nexthop. It receives that info from the kernel, and just updates a nexthop in
rpd local storage. Route and nexthop for the interface are taken care of in the kernel.
There is no route change in rpd. route_record depends on route flash to find out about
updates. That is the architecture. Since there is no route change, there is no route
flash, so route_record is blissfully unaware. In order to change this, we would need to
decide that we want a route flash for this case. Currently, for direct and local
routes / nexthops, these are "do not care" in rpd, as far as route updates go. We just
update our nexthop info, without marking for any other notifications. To change this,
we would need to find the correct place to decide we need to flash the route, and at
the same time, make sure we do not do any harm to anything else. That is what I am
currently working on finding. A complication for the solution is a change that was done
for PR 1002287, where if the NOTINSTALL flag is set, do not send the update to srrd.
That flag is set for direct and local routes. Incidentally, this is day-one operation. If the
interface is up at startup, it should all work correctly.
Why is the Packet Forwarding Engine depending on rpd / srrd to get the info for
sampling when it is already there in the forwarding table? FIB table can provide
OIF/GW only. SRC_MASK, DST_MASK, SRC_AS and DST_AS are not available in PFE
FIB Table. So SRRD connection is required. Listening to both SRRD and FIB table, and
consolidating information will complicate implementation. Scanning entire FIB Table
just for the few such routes will have performance impact and will complicate present
implementation. This is day 1 implementation for SRRD/Sampled.
Workarounds: There are two possible workarounds:
a) A workaround would be to have the far end interface up when the DUT interface is
brought up. In the case where that is not happening, a recovery would be to disable the
DUT interface, then enable it again. At that point, everything should be initially
brought up in the state we are looking for.
b) Enable the nexthop-learning configuration statement. Please refer to the
documentation on the working of this configuration statement before enabling.
PR1224105
•
MX Series platforms send Session-Interim Accounting messages every 10 minutes,
even though ACCT-Interim-Interval (85) = 0. PR1244393
General Routing
•
EVPN uses several different subtypes of routes within the EVPN address family which
are advertised through the control plane between Provider Edges using BGP.
Multihoming Provider Edges use Ethernet segment (ES) routes to advertise the fact
that the Provider Edges are connected to a given multihomed segment. All other
multihoming Provider Edges attached to the same multihomed segment import those
ES routes, and combined with their own local state, elect a single designated forwarder
(DF) for each EVPN instance that is part of the multihomed segment. When a new
Provider Edge is added to an existing EVPN, the new Provider Edge needs to download
the full set of EVPN routes advertised by the other existing Provider Edges. In cases of
high MAC scaling, it is possible that remote Provider Edges will generate and send BGP
updates for MAC routes (or other EVPN route types) before generating and sending
the ES routes. If the time taken by the original multihoming Provider Edge(s) to send
the ES routes is longer than the DF election hold timer on the new Provider Edge, the
new Provider Edge and an existing multihoming Provider Edge might both consider
themselves to be the DF for the same EVPN ES simultaneously. In this situation,
broadcast traffic could be flooded by both Provider Edges. Additionally, in the case of
single-active multihoming, transient/spurious MAC moves could happen between the
two Provider Edges both considering themselves to be the DF, causing unnecessary
BGP update churn and slowing convergence. PR968428
•
A PE device running EVPN IRB with an IGP configured in a VRF associated with the
EVPN instance will be unable to establish an IGP adjacency with a CE device attached
to a remote PE device. The IGP instance running in the VRF on the PE device might be
able to discover the IGP instance running on the remote CE through broadcast or
multicast traffic, but will be unable to send unicast traffic directly to the remote CE
device. PR977945
•
In a provider backbone bridging (PBB) EVPN scenario, after configuration changes of
the EVPN routing-instance, a rare race condition might occur — an internal reference
count might unexpectedly become zero when some deletions are yet to be processed.
As a result, L2ald crashes. L2ald runs on the Routing Engine to mainly manage MAC
learning, aging, removal, and so on. The crash of L2ald might impact MAC learning
related features during the crash. The impact might last around 3–4 seconds.
PR1015297
•
There are some configuration related functions in the routing protocol process (rpd)
and L2cpd that use special memory APIs called lite pools. These pools when reset
were not freeing control information related to these pools, thereby resulting in a leak.
This is not a day one issue. This PR impacts all daemons using LIBJTASK (including
rpd) on all platforms, provided memory lite pools are used by those daemons. PR1071191
•
For Junos OS Release 13.3R5, 14.1R1, and later, the MX-VC inter-chassis TCP control
flows are changed to VC high priority, so high volume of VC inter-chassis TCP control
flow might impact VC stability and responsiveness to external protocol events. Now
with the fix, the priority of VC inter-chassis TCP control flow has been reverted.
PR1074760
•
On XL-based cards such as MPC or IOC3, PPE thread timeout errors are triggered when
the FPC allocates illegal memory space for the forwarding state of routing operations.
In certain cases, this results in packet loss depending on the number of packets using
this forwarding state. PR1100357
•
In some scenarios, upon executing the show services sessions or show services sessions
extensive command, the CLI might collect information about the sessions as and when
the packets for that particular session are being processed. Under these circumstances,
the frame count and byte count of both the forward and reverse flow in a session show
zero for a few seconds. After a few seconds, once the processing of the packet is
complete, the frame count and byte count show proper values. PR1110303
•
vMX: Information leak vulnerability (CVE-2016-4924); Refer to
https://kb.juniper.net/JSA10766 for more information. PR1129051
•
In case of IPsec if the member interface indicates that mams-x/y/z is part of the ams
bundle in one-to-one mode, the same interface should not be used for IPsec or any
other services. PR1134645
•
When successive back-to-back commits are performed on a scaled configuration,
there could be a timeout or a delay in completing the commit check operation.
PR1139206
•
MPC7E/MPC8E/MPC9E control traffic is backed up and affected during large-scale
IS-IS convergence, causing LACP timeout and flapping. In addition, the entire system
might be unstable and other protocols like IS-IS or LDP might also flap. PR1154404
•
The process agentd and g_down might consume more CPU when using Junos Traffic
Vision without set system processes SDN-Telemetry disable configured. PR1155350
•
On MS-MIC, starting from Junos OS Release 15.1R3 and later, the J-Flow/Sampling
scaling is coming down to 12.5 million active flows. PR1163976
•
With an MX Series platform acting as TWAMP client and a vMX platform acting as
TWAMP server setup, probe packet loss is seen at the TWAMP server, for example, on
vMX with Junos OS Release 15.1F5. When the TWAMP target interface address is
configured as a media interface (-ge/-xe), probe packets are dropped at the vMX
because of endian conversion of the UDP checksum (vMX is a little-endian platform and
MX is a big-endian platform) in the probe packet. This issue was seen earlier in Junos
OS Release 15.1F4 but was resolved through PR1125516. However, due to a merge issue
the fix was overwritten and this issue resurfaced. Also, when the TWAMP target interface
address is configured as an si- interface, probe packet loss is seen, but this time not
because of a UDP checksum error. Here, the issue appears because of a looping issue, and
packets after getting processed at LU (timestamped at LU) are not able to go out of
the media interface. Sometimes enabling some debug logs at the Packet Forwarding
Engine and changing TWAMP probe packet size resolves the issue (but not always).
PR1164093
•
The cosd, dcd, or rpd might generate core files during subscriber management
deployment using dynamic profiles and RADIUS authentication. PR1168327
•
When using MS-MPC or MS-MIC service cards, a single pool cannot be used in different
service-sets. Separate pools with different names would then need to be used.
Additionally, pools created automatically by a source-prefix or destination-prefix
statement will not work if the same source-prefix or destination-prefix statement
appears in a different service-set. PR1175664
•
Changing "inline-services flow-table-size" might cause memory-related errors to be
logged until the FPC is rebooted. PR1176186
•
Some older Routing Engines (RE-2000) have insufficient storage on CF to hold a
complete recovery snapshot for Junos OS Release 16.1 and later. In such cases, a
minimal recovery snapshot will be created. This minimal recovery snapshot does not
include any linecard software. Once the Routing Engine has been recovered, if the
management Ethernet interface is connected, the full Junos OS bundle can be
downloaded and added or can be fetched to the other Routing Engine and then
transferred to the recovered Routing Engine. PR1178536
•
Changes are needed to support dedicated users for control and multicast traffic. This
prevents unicast traffic from being hashed to users doing ucode processing. On the
Junos OS side, this PR introduces the new CLI command set chassis fpc X performance-mode
num-of-ucode-workers Y. PR1178811
•
The cfm interface will not come up on an interface for an FPC that restarted. PR1180681
•
The Chef client is not able to create an XE interface by means of the netdev_interface.
Chef for Junos supports additional resources to enable easier configuration of
networking devices. These are available in the form of netdev-resources. The
netdev-resource developed for interface configuration has a limitation to configure
the XE interface. Netdev-interface resource assumes that speed is a configurable
parameter that is supported on a GE interface but not on an XE interface. Hence
netdev-interface resource cannot be used to configure an XE interface due to this
limitation. This limitation is applicable to packages chef-11.10.4_1.1.*.tgz
chef-11.10.4_2.0_*.tgz in all platforms {i386/x86-32/powerpc}. PR1181475
•
On MX2010/2020 routers with SFB2 and empty fabric slots, a system defect that
fetches wrong fabric info might cause MPC7E/8E/9E to not be able to come online.
PR1182404
•
CGNAT NAT mappings and ports are not cleared after SIP session timeouts for the
SIP spoofed traffic and SIP scaled traffic, and very few ports are for the scaled traffic
of 10,000-20,000 SIP sessions. PR1187965
•
AMS soft failover using the request interface load-balancing switchover mams-x/x/x
command does not work. PR1194094
•
It is possible to see a bbe-smgd core file on the standby after a Packet Forwarding
Engine restart with certain specific configurations, if new renews or logins take place
before the states for the Packet Forwarding Engine have been restored completely.
Because the core is on the standby, no disruption in service is expected and the system
recovers from this condition. PR1194144
•
Line card crashes during internal testing. The line card is busy looping/not yielding to
other threads, so chassisD sends an NMI and the line card crashes. This was observed
only once and could not be reproduced. PR1194692
•
When multicast-only fast reroute (MoFRR) is activated, multicast source route flapping
leads to a 100 percent drop of the corresponding multicast traffic. PR1194730
•
A few sessions are always dropped during session setup with IPsec. This issue is seen
in sessions exceeding 1M. PR1204566
•
Changing members from an AMS bundle impacts traffic and SAs. To avoid this issue,
you should reboot members after new members are added to an existing AMS bundle.
PR1205932
•
When trying to scale total numbers of subscribers on a chassis beyond 375,000 with
4 MPC5E-Q cards in an MX480/MX960 chassis, the clients might get rejected as a
result of memory threshold being exceeded. The resource monitoring output shows
an incorrect value for expansion memory. The system will still allow 128,000 subscribers
to be scaled on a single MPC5 card. PR1210122
•
In certain cases, the subscriber created on the MS-MPC will not be cleared even though
all the sessions associated with that subscriber are cleared. Any new sessions for that
subscriber will go through the session creation based on the rules configured and the
subscriber will be reused. No new sessions will be automatically allowed because of
the existing subscriber. PR1210820
•
Major errors might be seen on MPC3/FPC3 with 1X100 and 5x100 DWDM MIC/PIC.
[email protected]> show chassis alarms no-forwarding
1 alarms currently active
Alarm time               Class  Description
<timestamp>              Major  FPC 3 Major Errors
The following messages are seen in the logs:
fpc3 Cmerror Op Sub Set: 5-port 100G DWDM MIC/PIC : 5-port 100G DWDM MIC/PIC(3/0) link 0 : DSP loss of lock
fpc3 Cmerror Op Sub Set: 5-port 100G DWDM MIC/PIC : 5-port 100G DWDM MIC/PIC(3/0) link 0 : DFE tuning failed
alarmd[16241]: Alarm set: FPC color=RED, class=CHASSIS, reason=FPC 3 Major Errors
craftd[15906]: Major alarm set, FPC 3 Major Errors.
PR1212089
•
The PIC gets rebooted without generating a core file, even though a core file on flow
control is configured. PR1217167
•
Kernel crash and router reboot might happen when committing RLT configuration.
PR1218326
•
This syslog message was added to track an ACX PTP GPS related issue. It got merged
to the mainline branch, so this PR removed this debug code from the mainline branch.
It has no functional impact, so it can be safely ignored.
*** messages ***
Oct 6 15:28:08.282 MX2K fpc12 clksync_ptp_gps_init: PR-1106344 : setting g_gps_recv to NULL.
Oct 6 15:28:08.282 MX2K fpc12 PR-1106344 g_gps_recv tracking
Oct 6 15:28:08.282 MX2K fpc12 Frame 0: sp = 0xdeb6bf58, pc = 0x8cfbc93
Oct 6 15:28:08.282 MX2K fpc12 Frame 1: sp = 0xdeb6bf78, pc = 0xa15f5d4
Oct 6 15:28:08.282 MX2K fpc12 Frame 2: sp = 0xdeb6bfa8, pc = 0x8cfe0ce
Oct 6 15:28:08.282 MX2K fpc12 Frame 3: sp = 0xdeb6bfc8, pc = 0xa1486f1
Oct 6 15:28:08.283 MX2K fpc12 Frame 4: sp = 0xdeb6bff8, pc = 0x8155e76
Oct 6 15:28:08.283 MX2K fpc12 Frame 5: sp = 0xdeb38fd8, pc = 0xa14aec5
Oct 6 15:28:08.283 MX2K fpc12 Frame 6: sp = 0xdeb38ff8, pc = 0x8155e76
Oct 6 15:28:08.283 MX2K fpc12 Frame 7: sp = 0xff880dc8, pc = 0xa14cbca
Oct 6 15:28:08.283 MX2K fpc12 Frame 8: sp = 0xff880de8, pc = 0xa153565
Oct 6 15:28:08.283 MX2K fpc12 Frame 9: sp = 0xff880e08, pc = 0x8068193
Oct 6 15:28:08.284 MX2K fpc12 Frame 10: sp = 0xff880e28, pc = 0xf74806d3
PR1220507
•
Multicast processing is processor intensive on vMX because flow cache is not supported.
Ucode workers are hyper-threaded, so they are sharing a physical core. PR1221036
•
There is no unified ISSU from Junos OS Release 15.1 and earlier releases to Junos OS
Release 16.2R1. PR1222540
•
When you subscribe for /interfaces path, the NA creates sensors in the Packet
Forwarding Engine and receives all statistics data from the Packet Forwarding Engine
for the physical and logical interfaces. It converts the statistics data to OC key value
pairs. There are issues during this conversion and hence the reset. PR1226358
•
The subscriber's traffic volume accounting statistics remain unchanged post-ISSU on
MXVC platform until the pre-ISSU value is exceeded. This is a day-1 issue seen on
MXVC after Junos OS Release 14.1. PR1230524
•
The wrong PE device is being attached to an ESI when the router receives two copies
of the same AD/ESI route (for example, one through eBGP and another one received
from an iBGP neighbor). This causes a partial traffic black hole and stale MAC entries.
You can confirm the issue by checking the members of the ESI:
[email protected]> show evpn instance extensive
...
Number of ethernet segments: 5
ESI: 00:13:78:00:00:00:00:00:00:01
Status: Resolved
Number of remote PEs connected: 3
Remote PE        MAC label  Aliasing label  Mode
87.233.39.102    0          0               all-active
87.233.39.1      200        0               all-active <<<< this PE is not part of the ESI
87.233.39.101    200        0               all-active
PR1231402
•
In a subscriber management environment, Junos OS broadband network gateway
(BNG) does not send an ICMPv6 packet too big notification (type 2 code 0) when it
receives a packet bigger than the MTU of a subscriber interface from the core in an
IPv6 tunneling scenario. This issue occurs toward subscriber interfaces only; static IPv6
interfaces are not affected. PR1232266
•
To distinguish between flow and kernel IFL for VLAN-OOB subscribers, use the option
"ifl-arch-type":
router> show interfaces ge-1/0/3.3221225476 ifl-arch-type ?
Possible completions:
  flow     Display flow ifls
  rtsock   Display rtsock ifls
PR1236713
•
When the IPv4 or IPv6 address configured as "local-gateway" for the IPsec VPN service
is not actually assigned to any interface in UP state (that is, it is not present as a
local/direct route in the routing table), the system still sends ISAKMP packets for IKE
exchange. As a source address for these packets, an address of the outgoing interface
should be selected. PR1238112
•
Routes learned over EBGP multipath peering might not get installed in the forwarding
table, resulting in a traffic black hole for the affected destinations. This will
only happen if, in addition to EBGP multipath, a multihop configuration statement is
enabled for that peering and a Unicast Reverse Path Forwarding (uRPF) check is
enabled over the involved interfaces. Corresponding routes would end up stuck in the
KRT queue and related KRT log messages containing error code EINVAL -- Bad
parameter in request would be seen in the logs. PR1241501
•
The mobiled daemon is not supported in MX-VC environment yet. Hence BNG advanced
services functionality will not work in MX-VC mode. PR1241857
•
The CLI command show ancp subscriber should display the ANCP actual net data rate
downstream value from the DSL access line. Sometimes it might only display the ANCP
adjusted CoS value. PR1243349
High Availability (HA) and Resiliency
•
There was no intent for this feature to be provided in Junos OS Release 16.1R1. The first
"R" release supporting this feature is Junos OS Release 16.2R1. PR1186982
Infrastructure
•
The issue is seen only on T1600/T640/T320 when the Routing Engine type is
RE-A-2000, which has only 1 Gb of RAM. In addition, the image size was increased for
the images for Junos OS Release 15.1F6.2 and later. Both these factors are causing the
used space on the partition /dev/ad0s1a to be exceeded and hence the reserved space
for root is getting occupied. As a result, a negative value is seen in the available column.
RE 2000 is not supported for these platforms with Junos OS Release 15.1F6.2+ or
16.1R1+ images. Additionally, due to low memory, upgrade or downgrade from Junos
OS Release 15.1F6 or 16.1R2 to any other build fails. Upgrade or downgrade works only
if you force the option. PR1191244
•
Unable to execute the show log user command because the FreeBSD last utility does not
exist in the FreeBSD 10.x-based Junos OS package. PR1221581
Interfaces and Chassis
•
When you change the configuration to reuse a virtual IP address on an interface as an
interface address, you must delete the configuration, do a commit, and then add the
interface address configuration in the following commit. PR1191371
•
It has been observed that there could be a 200-300ms deviation in the Event-Timestamp
and Acct-Delay-Time attribute-value pairs (AVPs) of the RADIUS Accounting Stop
message for IPv6 PPPoE subscribers. PR1232944
•
Users appear in show network-access aaa subscribers but do not appear in show
subscribers and cannot be cleared. PR1237204
•
If there is an IFL set configuration present, the following issue might be seen with the
windsurf card interfaces:
- After unified ISSU from FreeBSD 6.1-based Junos OS to Junos OS Release 15.1F throttle,
interfaces of the windsurf card stay down. When the card is restarted, it goes to ready
state.
- After unified ISSU from FreeBSD 6.1-based Junos OS to 16.1 throttle, windsurf card
interfaces stay down but the neo card goes to ready state.
PR1242627
•
If there is an IFL set configuration present, the following issue might be seen. After
unified ISSU from FreeBSD 6.1-based Junos OS to Junos OS Release 15.1F throttle,
interfaces of the windsurf card stay down. When the card is restarted, it goes to ready
state. After ISSU from FreeBSD 6.1-based Junos OS to Junos OS Release 16.1 throttle,
windsurf card interfaces stay down but the neo card goes to ready state. This issue is seen
if unified ISSU is done from Junos OS Release 14.2 to Junos OS Release 15.1 and later
releases with a static interface set. Before performing a unified ISSU upgrade to Junos
OS Release 15.1 or later, static interface sets have to be disabled. The interface sets
that have been disabled can be enabled after the upgrade. PR1252360
Junos Fusion Provider Edge
•
In a Junos Fusion setup, log capture does not work when you issue the CLI command
request support information. PR1220575
Layer 2 Features
•
When an MX Series router functions as a DHCP local server, the configuration used to
deactivate the local server is invalid and could cause the server to be halted. However,
the subscriber entries remain active and stranded. This in turn prevents deactivating
all dynamic-profiles prior to the upgrade to enable the dynamic-profile versioning
feature, and subscribers cannot be pinged. PR935931
•
After Routing Engine switchover as part of GRES, sometimes a momentary flood of
data frames is seen, caused by a delay in reconvergence of the xSTP (VSTP, MSTP,
RSTP) topology. PR1064225
•
When "input-vlan-map" with "push" operation is enabled for dual-tagged interfaces
in "enhanced-ip" mode, there is a probability that the broadcast, unknown unicast,
and multicast (BUM) traffic might be blackholed on some of the child interfaces of
the egress Aggregated Ethernet (AE) interfaces or on some of the equal-cost multipath
(ECMP) core-links. PR1078617
•
IPv4 and IPv6 long Virtual Router Redundancy Protocol (VRRP) convergence delay
and unexpected packet loss might happen when MAC move for the IRB interface occurs
(for example, when flapping the Layer 2 interface that is the under-interface of IRB on
master VRRP). PR1116757
•
When GRES is enabled, after Routing Engine switchover, the local MAC address is not
learned anymore from the local CE device in VPLS instance due to spanning-tree
"discarding" in the kernel table. PR1205373
•
This issue occurs when you request two addresses in the DHCPv6 Solicit, an IA_NA
and an IA_PD. The server is configured to respond with an IA_PD from a local address
pool. The IA_NA was assigned with RA and no address pool for IA_NA is configured at
the server. Per RFC, the status codes returned in DHCPv6 Advertise/Reply PDUs from
the server when an IA_NA address cannot be assigned, must be NO_ADDRS_AVAIL.
The behavior was correct in Junos OS Release 14.1X45-D50. However, a regression
caused this status code to be changed to NO_BINDING instead of NO_ADDRS_AVAIL,
in Junos OS Release 15.1. The CPE in question was likely not interpreting the NO_BINDING
status code as a failure from the server to assign an IA_NA address. As part of this fix,
the status code is modified to respond with Advertise/Reply PDUs with the IA_NA
status code of NO_ADDRS_AVAIL. PR1224212
MPLS
•
In a BGP Prefix-Independent Convergence (PIC) edge scenario, when the ingress route
(the primary route) fails, because LDP failed to send the session down event to the
Packet Forwarding Engine correctly, the Packet Forwarding Engine might still use the
primary path to forward traffic until (in some cases, 3-5 seconds for 30,000 prefixes)
the global convergence is completed by the interior gateway protocol (IGP). In addition,
the issue might also be seen when the delay-delete configuration statement is
configured. In this scenario, the session down event might get sent to the Packet
Forwarding Engine correctly. However, due to local reversion, the primary path might
also be chosen as forwarding path when it is deleted. PR1097642
•
When graceful Routing Engine switchover (GRES) is done between the master and
backup Routing Engines of different memory capabilities (such that one has only
enough memory to run routing protocol process (rpd) in 32-bit mode while the other
is capable of 64-bit mode), rpd might crash on the new master Routing Engine. This
issue might be seen when using Junos OS Release 13.3 and later releases with the
configuration statement auto-64-bit configured, or when using Junos OS Release 15.1
and later releases (even without the configuration statement). As a workaround, this
issue can be avoided by the CLI command set system processes routing force-32-bit.
PR1141728
•
When configuring CCC remote-interface switch or LSP-switch, self-ping should be
disabled on the LSPs referred to in the CCC configuration by configuring the following:
[edit protocols mpls label-switched-path lsp1]
+ no-self-ping;
If you do not use this command, the LSPs will not complete MBB (make before break).
PR1181407
•
When any configuration change is done, even if it is unrelated to the LSP, it results in
an MBB the next time the LSP does path computation. PR1186801
•
The rsvp-lsp-enh-lp-upstream-status is taking more time for synchronization in the
backup Routing Engine on egress. PR1242324
Network Management and Monitoring
•
On MX Series platforms, BNG responds to SNMP bulk get requests for some of the
OIDs incorrectly. But these OIDs can be fetched correctly by using snmp-get requests.
PR1242940
Platform and Infrastructure
•
In a dual Routing Engine scenario, the backup Routing Engine does not sync up the
configuration change while deleting an inactivated interface from the master. So after
the operation, the inactivated interface still exists on the backup Routing Engine.
PR991081
•
On T Series platforms, occasionally, when reloading the chassis that has SONET Clock
Generators (SCGs) equipped, because of the timing issue, the No CG online RED alarm
might be displayed on the LCD panel and not cleared, even though the SCGs are coming
up later and this alarm should be cleared. PR991533
•
When TCP authentication is enabled on a TCP session, the TCP session might not use
the selective acknowledgement (SACK) TCP extensions. PR1024798
•
On MX Series routers with MPCs, when the feature flow-control is disabled (enabled
by default) by using the no-flow-control configuration statement (for example, under
the gigether-options hierarchy), after bringing up or rebooting the MPC, because status
of the hardware might not be updated correctly, the flow control on that MAC might
remain enabled. PR1045052
•
In configurations with IRB interfaces, during times of interface deletion, such as an FPC
reboot, the Packet Forwarding Engine might log errors stating
nh_ucast_change:291Referenced l2ifl not found. This condition should be transient, with
the system reconverging on the expected state. PR1054798
•
A parity error might be seen in the pre-classifier engine. There is currently no mechanism
to detect these errors and the packets will be silently discarded. You might see an
increased amount of "Input DA rejects" on the interface. PR1059137
•
In a multicast environment, a memory leak might be seen on certain MPCs after adding,
deleting, and changing multicast groups repeatedly. PR1160909
•
If the operator wants to deactivate the global DDoS parameters (in order to keep only
the protocol-specific DDoS configuration statements for flow detection), we
recommend that you use the following two commands:
deactivate system ddos-protection global flow-detection-mode
deactivate system ddos-protection global flow-level-control
Note that if you only use deactivate system ddos-protection global,
flow detection will be disabled completely because this command also deactivates
the master flow-detection configuration statement under it. PR1182078
•
Multicast traffic might get dropped when the STP port role is changed. As a workaround,
toggle the IGMP snooping membership. PR1193325
•
The DDoS MTU-exceeded exception is detected on the egress side, and there is not
enough information available to create physical interface flows. As a result, physical
interface flows cannot be created for MTU-exceeded packet-type. Hence it is expected
that physical interface level flow detection does not happen with any combination of
flow-level detection or control for [edit system ddos-protection protocols exceptions
mtu-exceeded]. PR1196738
•
Because of an issue related to the ephemeral database, rpd might crash if the
ephemeral database is enabled. PR1214298
•
During EVPL stress (login/out/login) for 161_x60.0 with 8,000 ESSM services
configuration statement, dexp core is seen. PR1228136
•
The scale-subscriber license count might increase to an invalid license state with
L2TP/LTS clients. This issue occurs because the l2tpd daemon does not go through
proper state transition on L2TP/LTS clients logout; hence license count is not updated.
The fix should ensure license count is updated on logout regardless of daemon going
through proper state transition or not. PR1233298
•
Replacing MPC6E with ADC-based cards causes failure in internal link training. As a
result of this failure, the ADC-based line card will not boot up normally. PR1235861
Routing Protocols
•
Applying add-path to BGP groups with both IPv4 and IPv6 neighbors causes multiple
update groups, as opposed to just one update group per BGP group configuration as
is seen when add-path is not configured. PR1144136
•
If an IPv6 default route is configured, after issuing the offline/online FPC command, the
IPv6 default route might not be seen in the IS-IS route table, and this might cause IPv6
traffic loss. PR1159482
•
In MC-LAG scenario with IGMP snooping configuration, when one link of MC-LAG is
disabled, the IGMP report packet cannot be transferred correctly. It might cause impact
for multiple traffic for IGMP report failing. PR1183532
•
PIM NSR design:
- With GRES and NSR enabled, the master Routing Engine replicates kernel states and
protocol states on the backup Routing Engine.
- Kernel state (ifstates) replication and protocol state replication are independent
processes.
- ksyncd takes care of ifstates replication.
- RPD infra takes care of the replication (mirror) connection between the two Routing
Engines.
- NSR-supported protocols have their own mechanism to replicate their database using
the mirror connection.
- As per the PIM/MVPN NSR design, the backup Routing Engine walks through the
replication database (RDB) with a "consume & delete" action; that is, once a PIM/MVPN
state is processed on the backup, the associated RDB is deleted.
- If "kernel replication" is restarted, which leads to interface delete/add on the
backup Routing Engine, PIM states on the backup go out of sync. That's a caveat.
A "kernel replication" restart leads to interface delete/add on the backup Routing Engine
only:
- PIM/MVPN does not have an RDB on the backup Routing Engine, so:
  - On interface delete, it deletes the relevant PIM state.
  - Once the interface is added by the kernel, PIM has no state to consume.
- There is no change on the master Routing Engine to re-initiate the protocol replication.
The PIM/MVPN "out of sync" issue can be seen with the following events:
- Manually "restart kernel-replication": PIM out of sync
- ksyncd cored and restarted: PIM out of sync
- ksyncd restarted as a workaround for kernel replication issues: PIM out of sync
PR1224155
Services Applications
•
In an L2TP scenario, when the LNS is flooded by high rate L2TP messages from LAC,
the CPU on the Routing Engine might be too busy to bring up new sessions. PR990081
•
When polling to jnxNatSrcNumPortInuse via SNMP MIB get, information might not be
displayed correctly. PR1100696
•
In Junos OS Release 13.3 and later, when configuring a /31 subnet address under a NAT
pool, the adaptive services daemon (SPD) will continuously crash. PR1103237
•
It is not recommended to configure ms- interface when an AMS bundle in one-to-one
mode has the same member interface. PR1209660
•
When executing the show services l2tp tunnel extensive command, the output of the
"Up time" and "Idle time" fields might be incomplete, as in the following:
[email protected]> show services l2tp tunnel extensive
Waiting for statistics...
<snip>
Create time: Thu Feb 2 16:26:21 2017, Up time: 00: Idle time: 00:
<snip>
PR1251456
Software Installation and Upgrade
•
Because of increases in software requirements and hardware limitations of older
hardware, USB installation images might not work correctly on platforms with RE-A-2000
or their variants. Using these types of USB install images results in the Routing Engines
going into a boot loop. PR1196232
Subscriber Access Management
•
In a subscriber management environment, after performing the graceful Routing Engine
switchover (GRES), if the Routing Engine switchover happens before the Acct-Start
response is received, and the timeout on service session happens before timeout on
subscriber session, the authentication process (authd) might crash. PR1074011
•
If RADIUS returns some syntactically incorrect variables inside ERX-Service-Activate
VSA and the dynamic-profile optional-at-login configuration statement is enabled in
the access profile, this service might be incorrectly activated for the subscriber.
PR1233299
VPNs
•
In the Layer 2 circuit environment, when the l2ckt configuration includes the
backup-neighbor statement, the flow label operation is blocked at the configuration
level. PR1056777
Related Documentation
•
New and Changed Features
•
Changes in Behavior and Syntax
•
Known Behavior
•
Resolved Issues
•
Documentation Updates
•
Migration, Upgrade, and Downgrade Instructions
•
Product Compatibility
Resolved Issues
This section lists the issues fixed in the Junos OS main release and the maintenance
releases for MX Series and T Series.
For the most complete and latest information about known Junos OS defects, use the
Juniper Networks online Junos Problem Report Search application.
•
Resolved Issues: 16.1R4
•
Interfaces and Chassis
•
Layer 2 Features
•
MPLS
•
Multicast
•
Network Management and Monitoring
•
Platform and Infrastructure
•
Resolved Issues: 16.1R3
•
Resolved Issues: 16.1R2
•
Resolved Issues: 16.1R1
Resolved Issues: 16.1R4
Class of Service (CoS)
•
When the "chained-composite-next-hop" is enabled for Layer 3 VPN routes, MPLS
CoS rewrite rules attached to the core-facing interface for "protocol
mpls-inet-both-non-vpn" are applied not only to non-VPN traffic (which is the correct
behavior) but also to Layer 3 VPN traffic. That is, both MPLS and IP headers in Layer
3 VPN traffic receive CoS rewrite. PR1062648
•
In phase 1 of v44, extended ports do not support SNMP-based CoS statistics. Polling an
EP port for CoS statistics can trigger a cosd core. PR1205512
•
The following error log message might be seen with hierarchical CoS and strict-high
scheduling configured:
Dec 27 11:08:02.293 mand-re0 fpc1 cos_check_temporal_buffer_status: IFD ge-1/2/1 IFL 358: Delay buffer computation incorrect.
If hierarchical scheduler is configured for an IFD and if guaranteed rate is
not set for an IFL under this IFD, then the temporal buffer configured The display of
the error message is valid when the guaranteed rate is '0', but it is not valid when the
guaranteed rate is disabled. PR1238719
Forwarding and Sampling
•
If a two-color policer is configured on a Trio-based card, more traffic than the limited
traffic might be passed when the packet size is less than 128 bytes. PR1207810
•
PFED cores on both Routing Engines after a commit of a huge configuration statement
change. PR1220653
•
Bandwidth-percent policer does not work on ps interface, which will result in commit
error. PR1225977
•
Firewall filter family "any" with shared-bandwidth-policer on an MC-AE interface does
not reconfigure bandwidth or carve up the policer when standby becomes active after
A/S switchover; it drops all packets. PR1232607
•
On MX/EX device with ipv4-flow-table-size or ipv6-flow-table-size configuration
statement, if sampling instance is not defined under chassis hierarchy (sampling
instance is not associated to FPC), after rebooting the device, the "ipv4-flow-table-size"
or "ipv6-flow-table-size" does not propagate to FPC. PR1234905
•
When the following configuration statements are applied to the accounting options file
configuration, it is expected that upon the Routing Engine switchover, the local backup
statistics files from the /var/log/pfedBackup/ directory will be moved from the old master
Routing Engine to the new master Routing Engine. But in this case, this does not happen.
set accounting-options file <filename> push-backup-to-master
set accounting-options file <filename> backup-on-failure master-only
PR1236618
•
J-Flow version 9 cannot get TCP flag information from IPv6 fragment packets. However,
it can get other information, such as source and destination port information. It can get
sampling information partially from the TCP header in IPv6 fragment packets. PR1239817
•
On MX Series platforms, after GRES (done for SSD upgrade) or a configuration
change that leads to a pfed core/restart, the MX Series platforms might send
5 AcctInterim updates for every single session. PR1249770
General Routing
•
This is a timing issue. After deleting and reconfiguring a VRF instance or changing
route-distinguisher in VRF instance while rpf-check is enabled, rpd process might crash.
The routing protocols are impacted and traffic disruption will be seen due to loss of
routing information. PR911547
•
A wrong byte count was seen in the IPFIX exported statistics packets for MPLS flows. This
issue has now been addressed. PR1067084
•
On a Junos Fusion Provider Edge topology, if there are power failures or the power is
not connected to a power supply on a satellite device, the "jnxPowerSupplyFailure"
traps are not generated by the aggregation device. For example, if there are two Power
Entry Modules (PEMs) inserted on the satellite device and one PEM is not powered on,
the aggregation device does not generate a trap for the PEM without power. PR1140097
•
If an AE interface without LACP enabled has at least 2 member links, and one
member link is on a MIC-3D-4XGE-XFP that is in an MPC3E-NG or MPC2E-NG, then when the
link comes up from down status, there might be 400-900ms of traffic loss. This is
because there is a window between the physical link getting activated and the XM stream
getting created. This window of time might reach 700ms; all the traffic entering
during this period is black holed. PR1167231
•
If the MIC-3D-4XGE-XFP is used with MPC2E-3D-NG or MPC3E-3D-NG, the interfaces
on the MIC-3D-4XGE-XFP connected to a DWDM device might flap continuously.
PR1180890
•
AMS redundant interfaces are not listed under possible-completions of operational
commands. PR1185710
•
Nexthop attribute in a framed route is not applicable anymore. Since subscriber IP
address is used as the nexthop in all cases, there is no need to have an additional
attribute for nexthop for framed routes. PR1186046
•
FRU model numbers might be missing or incorrect, as follows:
740-013110 PDM-MX960
740-057995 FFANTRAY-MX960-HC-S
750-033205 MX-MPC3E-3D (incorrect)
750-038493 MX-MPC2E-3D-Q
750-044130 MX2K-MPC6E
750-045372 MX-MPC3E-3D
750-046005 MPC5EQ-100G10G
750-046532 MIC6-10G
750-049457 MIC6-100G-CFP2
750-054563 MPC5E-40G10G
750-054902 MPC3E-3D-NG
750-054903 MPC2E-3D-NG-Q
750-055976 SCBE2-MX-S
all CFP, CFP2, QSFPP, QSFP28 optics
all MX2000 FRUs
all MPC7E, MPC8E, MPC9E, SFB2 FRUs
Note that show chassis hardware models displays correct information, but optics are
missing from that output. PR1186245
•
When VC-Heartbeat is configured, the MX Series Virtual Chassis split detection
feature should cause the backup chassis to enter line card isolation mode, powering
off all FPCs to force external gear to re-route traffic. A race condition in the mechanism
can cause the backup chassis to also become protocol master and leave its line cards
in an operational state, which is undesirable. This PR fixes that condition. PR1187567
•
As described in RFC7130, when LACP is used and considers the member link to be ready
to forward traffic, the member link MUST NOT be used by the load balancer until all
the micro-BFD sessions of the particular member link are in Up state. PR1192161
•
Configuring an RLT interface and rebooting the router shows the RLT interface down.
The show l2circuit connection command shows an MTU mismatch as the immediate cause.
For example, the problem may be seen with the following configuration:
show configuration interfaces rlt0
redundancy-group {
    member-interface lt-4/0/0;
    member-interface lt-4/2/0;
}
unit 0 {
    encapsulation vlan-ccc;
    vlan-id 600;
    peer-unit 1;
    family ccc;
}
unit 1 {
    encapsulation vlan;
    vlan-id 600;
    peer-unit 0;
    family inet {
        address 70.70.70.1/24;
    }
}
PR1192932
•
Due to a bug in the schema in Junos OS 14.1Rx and 15.1rx releases, administrators are not
able to push MPLS configurations that include loose strict tags to devices. PR1193599
•
MAC routes received from the control plane are not installed in the EVPN mac-table. PR1193754
•
With GRES (graceful-switchover) and nonstop-bridging configured in Juniper devices
with dual Routing Engines, the backup Routing Engine might run into high CPU usage
due to abnormally high CPU utilization by firewall daemon. The abnormally high CPU
usage might impact the functions that backup Routing Engine works for. PR1193891
•
If a fragmented ICMP request from subscribers is sent to a device, the device
responds to the ICMP request only for the first packet, which causes the ping to fail. And
if a ping is initiated from a device to subscribers with a size greater than the negotiated
MRU, the device cannot fragment the packet, which also causes the ping to fail. PR1195031
•
With an MPC8/9 MRATE MIC, if an optics module (QSFP28-100GBASE-LR4) is plugged in, bit
errors might be seen. PR1200010
•
When performing unified in-service software upgrade (ISSU) on MX Series routers, the
MPC might crash during the field-replaceable unit (FRU) upgrade process. PR1200690
•
When multiple unnumbered interfaces are configured under OSPF, the routing table is not
updated if some of the unnumbered interfaces go down while other unnumbered
interfaces are still active. PR1202795
•
A dynamic tunnel times out every 15 minutes by default, and then retries to create
another tunnel. This happens if the route obtained from IGP is non-forwarding. This
fix allows stable and persistent dynamic tunnels even for non-forwarding routes.
PR1202926
•
Problem: In the case of a local source with ASM MoFRR enabled, the default MDT
traffic loops back to the originating router on the MoFRR backup interface, thereby
causing continuous IIF_mismatches. MoFRR behavior after the fix: With the current MoFRR
code, because the source is local, the SPT bit is set by default; hence we send an
(S,G,rpt) PRUNE out of the MoFRR active interface, but we don't send an (S,G,rpt) PRUNE
out of the MoFRR backup interface (missing code). With the new fix, we will have an
(S,G,rpt) PRUNE sent over the MoFRR backup path also (if there is already an (S,G,rpt)
PRUNE going out of the MoFRR active path) in order to avoid IIF_mismatches. PR1206121
•
The l2ald might thrash when the targeted-broadcast is configured on EVPN irb.
PR1206979
•
Analysis:
- When an egress Packet Forwarding Engine (NG-MPC3E) is oversubscribed, it applies flow
control to the ingress Packet Forwarding Engine (MPC7E).
- The fabric delay buffer memory utilization on the ingress Packet Forwarding Engine
(MPC7E) went up due to the flow control from the egress Packet Forwarding Engine.
- The default WRED drop profile for the low priority fabric queues was not aggressively
dropping the low priority traffic.
Solution:
- Have separate default WRED drop profiles for low and high priority fabric queues.
- Set up the default WRED drop profile for the low priority queues to drop the traffic
more aggressively so that high priority traffic can be protected.
PR1207417
•
VC link "last flapped" timestamp is reset to "Never" on the new backup Routing Engine
after MX VC global GRES switchover. PR1208294
•
This is a rare race condition in which multiple interrupts are not handled properly on
MX Series platforms with MPC7E/MPC8E/MPC9E and PTX platforms with
FPC3-PTX-U2/FPC3-PTX-U3, which could lead to a core dump. It is hard to reproduce.
The interrupt code is optimized to avoid the unnecessary call to prevent the issue.
PR1208536
•
When using the "show chassis hardware detail" command in Junos 15.1 or above to
display chassis components, the Compact Flash and Hard Disk serial numbers may
be truncated to 15 characters. PR1209181
•
The logic to calculate the IPsec phase2 soft lifetime has been changed in 14.2R6,
resulting in an interop issue in certain scenarios. A hidden configuration statement is
provided as part of this PR which will revert the soft lifetime logic to the one used in
11.4 release. PR1209883
•
BGP PIC Installs multiple MPLS LSP next hops as Active instead of Standby in Packet
Forwarding Engine. This can cause a routing loop. PR1209907
•
On MX Series platforms, if any inline feature is configured (e.g. inline BFD, CFM, PPP,
etc.), the FPC might crash and core files are generated. PR1210060
•
The Periodic Packet Manager (ppman) based sessions (such as CFM sessions) might
flap when an offline/online operation is executed on a MIC-3D-20GE-SFP (model number)
MIC inserted into MPC2E-NG/MPC3E-NG. This is because the TNPC-CM thread hogs the CPU
for ~450 ms when the MIC-3D-20GE-SFP MIC offline/online is executed. PR1211702
•
On SRX Series devices, when an ARP entry is learned through an AE interface and a route
points to that ARP next hop, the ARP entry might not expire even though the ARP IP is
no longer reachable. This issue occurs because the route next hop on the AE interface
gets stuck in unicast state even if the remote end is not reachable, and the RPD never
learns that the ARP entry is invalid. With this fix, the route next hop on the AE
interface can be shown in 'hold' state when the remote end is not reachable. PR1211757
•
The MS-MPC/MS-MIC service cards might encounter a core when using certain ALGs
or the EIM (Endpoint-independent mapping) / EIF (Endpoint-independent filtering)
feature due to a bad mapping in memory. PR1213161
•
FPC Major alarm and "MQSS overflow" error messages might be reported on MPC9E
running at line rate with small packet sizes, which causes no traffic loss. PR1213391
•
MS-MPC/MS-MIC might crash when large fragmented (larger than 2048 bytes) traffic
hits the pinhole opened by an ALG. PR1214134
•
The AE IFL targeted distribution feature now provides 4 levels of prioritization. Refer
to the document attached in the PR for more details. PR1214725
•
MX-VC: All VCP interfaces experience tail drops as a result of a configuration conflict.
It is a good idea to reference the documentation and customize the CoS associated with
VCP interfaces. In this scenario, the customer has configured a corresponding xe-n/n/n
interface with just a description to denote that the port is dedicated to VCP. The
problem is that the resource calculation is impacted and reports smaller queue-depth
maximum values when both the network interface xe-n/n/n and vcp-n/n/n are defined. The
issue is more likely to occur with dynamic modification (add/delete) of VCP interfaces
with a corresponding network interface xe-n/n/n configured.
> show interfaces queue vcp-5/3/0 | match max
Maximum : 32768
Maximum : 32768
Maximum : 32768
Maximum : 32768
PR1215108
•
If a zero-length interface name comes into the SDB database, a forced rpd crash is seen
on detection of a zero-length memory allocation in the SDB database. PR1215438
•
On MX Series Trinity platforms running Release 15.1R3 onwards, if a DHCPv4 or DHCPv6
subscriber is configured and the subscriber joins more than 29 multicast groups, the
line card might crash. PR1215729
•
Incorrect source MAC used for PPPoE after underlying AE is changed. PR1215870
•
When the AMS interface is configured in warm-standby mode and a failover occurs, a
percentage of the traffic might fail to get NAT. The issue is that after the failover
the internal mappings driving traffic back to the service PIC might fail. PR1216030
•
When VPLS instances are configured for the first time or when a system with VPLS
instances is rebooted, RPD consumes high CPU (100%) for a period of time (10-20 mins).
The installation of other routes might be deferred and traffic will be lost, and
many other RPD services might also slow down or be unavailable. PR1216332
•
Due to a software issue, replacing an MQ FPC (MPC Type 1, 2, MPC 3D 16x10GE) with
an XM one (MPC Type 3, 4, 5, 6, 2E-NG, 3E-NG) might cause all other MQ-based cards
to report "FI Cell underflow at the state stage". This causes packets to be dropped.
PR1219444
•
If RS/RA messages are received through an ICL-enabled (MC-AE) IFL, packet loss
is seen and lasts for a while. PR1219569
•
On M/MX/T Series, when the VRRP delegate-processing ae-irb feature is enabled, VRRP and
BFD might flap. PR1219882
•
Taking the master CB/Routing Engine offline or performing OIR could bring the PCIe link
between SFB2 and the CB down during link reset. As a result, some SFBs could go into
check status, followed by fabric healing. With the fix, the software retries 5 times,
which can help the link come up gracefully. When the issue happens, the following
chassis alarm could be seen: "Minor Check plane <idx> Fabric Chip", where <idx> is the
SFB slot number. PR1219890
•
When fpc-pfe-liveness-check is configured, Packet Forwarding Engine liveness detection
might incorrectly report a Packet Forwarding Engine failure event under a severe
interface congestion situation. PR1220740
•
On MX Series Virtual Chassis, partial or complete traffic loss for streams via
AE interfaces might be observed in certain scenarios. For example, if VCP ports were
deconfigured and reconfigured, then two consecutive global GRES switchovers
were performed and the MPC hosting AE child links was reloaded, traffic loss would be
observed after the MPC boots up due to incorrect programming of the AE interface on its
Packet Forwarding Engine. PR1220934
•
When an MX Series router has macsec configured under security with the include-sci
option, and the interface where macsec is configured receives traffic with IMIX
packet sizes, framing errors might be reported in the interface statistics. PR1221099
•
On MX Series platforms with "pppoe dynamic-profile and service-name-table xx"
configured, after a prefix or any interface configuration is configured and committed,
the output of "show pppoe service-name-tables xx" displays "Service Name Table not
found: xx". PR1221278
•
Continuous error messages are seen. PR1221340
•
PPPoE/DHCP subscribers fail to bind due to
ProcessPADIFailedUiflNotActive/SML_CLIENT_DELETE_SDB_ADD_FAILED errors. It is
seen during inflight tests. PR1221690
•
After Junos OS Release 15.1, the behavior of storage device enumeration at kernel level
has changed. Device enumeration in legacy Junos OS releases (pre 15.1) shows
CF and Disk as ad0 and ad1 respectively. Device enumeration after Junos OS Release 15.1
shows CF and Disk as ad1 and ad0 instead in the output of show chassis hardware.
This might be inconsistent with other output, such as show system
boot-messages and show log messages. PR1222330
•
During CoA request there are no changes on schedulers. Requests are received
successfully, but no changes from CoS side. PR1222553
•
On a setup with the IRB configuration statement and non-enhanced-ip mode, when actions
are performed that result in the underlying AE interface of the IRB going down, the
backup Routing Engine might experience a 'panic' and hence reboot. The panic is due to
not being able to allocate the next-hop index that the master Routing Engine has asked
for. Since the panic and reboot happen on the backup Routing Engine, routing,
forwarding, and other functionality are not affected. Some examples of triggers are
continuous child link flaps of the AE, back-to-back commits of different IRB
configuration statements, or activating/deactivating the bridge family on the
underlying interface. PR1222582
•
Due to a defect related to auto-negotiation in a Packet Forwarding Engine driver, making
any configuration change to interface in MIC "3D 20x 1GE(LAN)-E,SFP" might lead to
interface flapping. PR1222658
•
In an enhanced subscriber management environment ("set system services
subscriber-management enable"), when the 'remove-when-no-subscribers'
configuration statement is configured in the auto-configure stanza, if the last
subscriber logs out, which triggers the dynamic VLAN IFL removal, and in close proximity
a new subscriber logs in before the IFL is set to inactive, the dynamic profile deletion
might fail. This results in login failures for subsequent subscribers. This is a
timing issue. PR1222829
•
"unnumbered-address" under dynamic profile showing wrong value. PR1222975
•
The problem of the tunnel stream getting misconfigured for LT interfaces is due to
internal programming, which has been corrected to evaluate multiple LT interfaces for
the FPC and PIC slot combination. PR1223087
•
On rare occasions, offlining a MIC-3D-16CHE1-T1-CE MIC can cause a FPC core. This
is very unlikely in general and chances of it happening are very low. There is no
workaround for this except to upgrade to an image with this fix present. PR1223277
•
After the backup Routing Engine is replaced, the new backup Routing Engine cannot
synchronize with the master Routing Engine if 'dynamic-profile-options versioning' is
configured. This is because the code checks if any dynamic profile is configured before
enabling dynamic-profile-options versioning. If so, it throws a commit error. But there
is no need to check when the Routing Engine is in backup state. PR1234453
•
In an MX Series Virtual Chassis with a subscriber management environment, the
bbe-smgd process might leak memory on the backup Routing Engine when running
continuous subscriber login/logout loop tests. It seems memory utilization increases
with each login/logout loop until it reaches 809MB, and it does not increase beyond
that. PR1223625
•
No optic lane diag exported for XFP optic in both CLI and snmp. PR1223742
•
In a PPPoE subscriber scenario, after the demux underlying interface AEx is changed to
AEy, the source MAC used for the PPPoE handshake is still the old AEx interface's MAC.
This causes PPPoE clients to fail as the PADR packets from the client are dropped due to
the MAC address mismatch. PR1224190
•
When you receive alignment errors on a 10GE port you may see MAC control frames
counter with a huge value. PR1224632
•
The normal discard count in 'show pfe statistics traffic' increases continuously without
any user traffic, because internal control traffic that is expected to be dropped
silently is unexpectedly counted as 'normal discard'. There is no impact on user traffic
with this issue. PR1227162
•
On an MX2020 router, when all the SFBs are yanked out, there is no available fabric in
the system, but the FPCs remain in online state. There is no problem in offlining these
SFB/SFB2s. PR1227342
•
On MX Series platforms, executing the "show chassis ucode-rebalance" command without a
specific FPC slot number might cause chassisd to crash.
PR1227445
•
Need to document that scripts no longer need to be installed using a separate package
as was the case with 14.1X55-D35 PR1228324
•
Flowstat reply has incorrect DL type. For example, for the flow rule below, the flowstat
reply shows DL type as 0xcc88 instead of 0x88cc:
[email protected]> show openflow flows detail
Flow name: flow-65536
Table ID: 1
Flow ID: 65536
Priority: 32768
Idle timeout(in sec):0
Hard timeout(in sec): 0
Cookie: 1
Match:
Input port: wildcard
Ethernet src addr: wildcard
Ethernet dst addr: wildcard
Input vlan id: 50
Input VLAN priority: wildcard
Ether type: 0x88cc
IP ToS: wildcard
IP protocol: wildcard
IPv4 src addr: NA
IPv4 dst addr: NA
IPv6 src addr: NA
IPv6 dst addr: NA
ICMPv4 type: wildcard
ICMPv4 code: wildcard
Source port: wildcard
Destination port: wildcard
Action: Output port CONTROLLER,
[email protected]>
PR1228383
•
After a Routing Engine switchover or OIR is performed, the stout MPC (MPC7/8/9)
could go into wedge status, and traffic forwarding would then be impacted. PR1228767
•
The Routing Engine CPU uses the chassis temperature to decide fan speed instead of the
Routing Engine CPU temperature. This has been fixed to use the real Routing Engine CPU
temperature to decide the temperature threshold. PR1230109
•
The Random Load Balancing feature does not function; all traffic goes to one of the
loadshared egress links instead of being shared across all the links. PR1230272
•
The ICMP identifier is not translated back to the expected value during traceroute for
TTL exceeded packets on NAT using Multiservice MPC. This occurs for ICMP ID >255 and
causes all hops (except the first and last) to appear as "*". PR1231868
•
Some pfe statistics counters do not work in MPC7/8/9:
1. Fabric Input/Output pps counters do not work in "show pfe statistics traffic".
2. Output and Fabric Input/Output counters do not work in "show pfe statistics traffic
detail".
Example:
----------------------------------------------------------------------
[email protected]> show pfe statistics traffic fpc 1 | match pps
Packet Forwarding Engine traffic statistics:
Input packets: 112980131493 1672233 pps
Output packets: 112980107498 1790272 pps
Fabric Input : 0 0 pps <<<<<<
Fabric Output : 0 0 pps <<<<<<
[email protected]> show pfe statistics traffic detail fpc 1 | match "pps|fpc|pfe"
Packet Forwarding Engine Details:
fpc: 1 pfe: 0
Packet Forwarding Engine traffic statistics:
Input packets: 56677058489 832899 pps
Output packets: 0 0 pps <<<<<<
Fabric Input : 0 0 pps <<<<<<
Fabric Output : 0 0 pps <<<<<<
----------------------------------------------------------------------
PR1232540
•
On an XQ-based line card, in rare conditions, if the FPC is taken offline and brought
online or a link flaps, some error messages might be seen. PR1232686
•
Bug is fixed. No behavior change from customer point of view. PR1233307
•
When port mirroring is set on an MX Series router, LSP ping might fail and IP packets
with options are not mirrored due to an unexpected echo reply from the DUT:
<----------------------------- echo request
-----------------------------> echo reply
[R1]------------[DUT]--------------[R2]
A | -----------> echo reply (unexpected behavior)
| mirror
PR1234006
•
RPC call syntax of some of the ANCP related show commands like show ancp subscriber
neighbor, show ancp subscriber ip-address and show ancp subscriber identifier has
changed. PR1234711
•
MX MPC7 and above might receive noise on the FPC console port and interpret it as
valid signals. This might cause login failures on the console port, core dumps, or even
reloads. This PR covers MX Series MPCs/MICs; PR/1224820 covers PTX FPC3. PR1234712
•
Starting a session with a dynamic-profile service using the service volume, I see that
volumes are checked every 10 minutes instead of every 5 minutes as implemented in
14.1X50. PR1234887
•
VLNS(VBNG) - Commit generated a "warning: requires 'l2tp-inline-lns' license" but
valid license is installed PR1235697
•
The CLI commands show route forwarding-table all and show system commit are being
taken by RSI twice. PR1236180
•
When PIC-based MPLS jflow is configured and MPLS packets are being sampled at
egress (to be sent to the service PIC), because of this issue the sampled packets do
not reach the service PIC, which results in no MPLS jflow flows being created. PR1236892
•
The show ancp neighbor ip-address <> detail command shows the auto-configure interface
state as disabled, even though the neighbor maps to an auto-configure interface.
PR1237107
•
When the interface configured under "router-advertisement" physically comes up for
the first time, the rpd might repeatedly send the router-advertisement, which might
result in as high as 100% Routing Engine CPU usage. PR1237894
•
BNG generates rpd core krt_q_flush_status_async. PR1238333
•
After the number of licenses for the scale-subscriber feature was exceeded, the customer
encountered the following endless logs on the backup Routing Engine every 10 seconds:
Dec 12 13:22:41 antelope-re0 license-check[4900]: RE protocol backup state = 0
Dec 12 13:22:42 antelope-re0 license-check[4900]: Empty license directory copied from the master
Dec 12 13:22:51 antelope-re0 license-check[4900]: RE protocol backup state = 0
Dec 12 13:22:52 antelope-re0 license-check[4900]: Empty license directory copied from the master
backup Routing Engine: has all licenses in state permanent
master Routing Engine: shows the license with the expiry date
The log messages disappear after the master switchover. When mastership is changed back,
the above messages start again. These messages do not appear on the master Routing
Engine, which has the expiry date set, regardless of the mastership state. PR1238615
•
MX Series platforms send accounting interim without the update-interval configuration
statement. PR1239273
•
In a BGP-PIC scenario, a change in the IGP topology, for example a link failure in the
IGP path, causes traffic outage for certain prefixes. The reason for this is that the unilist
Next-hops for these prefixes are in a broken state. PR1239357
•
During scaled subscriber setup it could happen that the lowest dynamic-profile cos
service rate is applied to other sessions. PR1241201
•
The PTP clock class changes are delayed. When PTP fails and the system goes into
holdover, it will send clock class 6 for the next 10-15 minutes. The same behavior
occurs when the system goes from holdover into state "locked": it will send clock class
248 for the next 10-15 minutes. PR1241211
•
In some specific cases, untagged bridged traffic might not be mirrored on the second
port of the mirrored group. If untagged bridged traffic is to be mirrored/sent on two
different interfaces of the mirrored group, in some specific cases traffic might be
mirrored/sent only on one of the mirrored interfaces/ports. PR1241403
•
Changes in the CLI and XML RPC for show ancp subscriber identifier ... and show ancp
subscriber ip-address ... caused the removal of the "detail" and "brief" options for
these commands. PR1242360
•
Auto route insertion (ARI) IPv6 routes installed for IPSec dynamic endpoints might
disappear from the routing-table after performing a graceful routing-engine switchover
(GRES) with Nonstop Active Routing (NSR) enabled. The issue is triggered for IPv6
ARI routes with masks of /98 or longer. PR1242503
•
1. Do we have figures in terms of supported IPv6 and IPv4 route scale for MS-MIC with
Netflow configuration, so we can tell the customer?
2M cumulative is the route scale supported with Netflow. This includes all IPv4, IPv6
and MPLS routes in the system.
2. What will be the impact on MS-MIC if we exceed the route scale limit?
From the MIC perspective, we can't accommodate the additional routes, and the JFlow
feature or Netflow feature (configured on the MIC) will report wrong information to the
collector.
3. Why do we see an issue with MS-MIC after increasing route scale without any relevant
configuration?
Currently, for supporting the JFlow feature (whenever configured), MS-MIC listens on
routes and stores them locally irrespective of JFlow being configured. The supported
scale is just 2M and the current scale tested is 5M. We do not have space for
accommodating more routes (according to the current design with the current flow
scale number we published for JFlow service). PR1243581
•
In certain scenarios output of "show ancp subscriber detail" command may omit many
TLVs including mandatory Actual Net Data Upstream and Actual Net Data Downstream
TLVs. PR1252747
High Availability (HA) and Resiliency
•
On all platforms, if running unified ISSU, connection might be broken between master
Routing Engine and backup Routing Engine. PR1234196
Infrastructure
•
During the upgrade harmless "invalid SMART checksum logs" might be seen. This PR
will suppress unnecessary "invalid SMART checksum logs". PR1222105
•
Polling SNMP QOS queue stats along with IFD stats might result in flat values for QOS
queue stat. The flat values could give a false impression that spikes are happening in
the queues. This PR is addressing the problem. PR1226781
Interfaces and Chassis
•
In the hsl2 toolkit, there is a process which periodically checks the ASICs which
communicate through it. Due to a bug in the toolkit code, the process used to devalidate
the very ASIC that it used to process, which causes the crash. PR1180010
•
In very rare conditions, the FPC might crash when the CLI command "request chassis mic
offline fpc-slot <fpc-slot> mic-slot <mic-slot>" or "request chassis pic offline fpc-slot
<fpc-slot> pic-slot <pic-slot>" is executed. This is due to a software defect in which
the SFP diagnostics polling function tries to access an SFP data structure that has
already been destroyed by the MIC/PIC offline. PR1204485
•
If the version-3 configuration statement is not configured, the show vrrp
detail|extensive|interface command displays VRRP-Version as 2 for the inet6 address
family. VRRP IPv6 never supported VRRP version 2; it was always version 3. This issue is
cosmetic and has no actual impact on VRRP IPv6 functionality. The VRRP packets generated
for the inet6 address family are VRRP version 3. PR1206212
•
When VRRP is configured on an IRB interface with a scaling configuration (300k lines),
in a corner case, handles might not be released appropriately after their use is over.
As a result, a memory leak in vrrpd might be seen after a configuration commit.
PR1208038
•
Access-internal route not installed for Dual Stack subscriber terminated in VRF at LNS
with on-demand-ip-address PR1214337
•
In a PPP subscriber scenario, if the jpppd process receives a reply message attribute
from the radius or tacplus server containing the % character, it might cause the jpppd
process to crash and cause the PPP user to go offline. PR1216169
•
Dcd can not start after router reboot due to non-existing IFL referenced in
'demux-options underlying-interface' PR1216811
•
Unified ISSU will not work from Junos OS 15.1R to later images (like 15.1F, 16.1R2, ...),
when the router is equipped with QSFP/CXP/CFP2 optics on
MPC3E/MPC4E/MPC5E/MPC6E/MPC 3D 16x10GE cards. This is because a dark window
issue is fixed for SFPP/QSFP/CXP/CFP2 optics in 16.1 and 15.1F, which makes the Junos
OS 15.1R image unified ISSU incompatible with later images. Doing unified ISSU on the
incompatible image from 15.1R to later versions might result in the line card crash as a
side effect. PR1216924
•
On Junos OS Release 14.2 and later releases, if asymmetric-hold-time,
delegate-processing and preempt hold-time is configured, when neighbor's interface
comes up again, "asymmetric-hold-time" feature cannot be used as expected.
PR1219757
•
PPPoE tunneled subscriber (L2TP) might get stuck in terminating state if radius sends
Framed-IP-Address and Framed-IP-Netmask via access-accept in LAC PR1228802
•
A configuration change in which the underlying physical interface of a static VLAN demux
interface is changed to one with lower bandwidth (e.g. from xe to ge) can fail with
the following error: "error: Bandwidth on IFL demux0.7000 cannot be greater than that
of its IFD". For example:
[email protected]# show | compare
[edit interfaces demux0 unit 7000 demux-options]
- underlying-interface xe-0/1/0;
+ underlying-interface ge-0/3/9;
[email protected]# commit
re0:
error: Bandwidth on IFL demux0.7000 cannot be greater than that of its IFD
error: DCD Configuration check FAILED.
error: configuration check-out failed
PR1232598
•
There is no trap for dot1agCfmMepHighestPrDefect with value 0 reported when CFM
session recovers from any other failed state. PR1232947
•
On an MX Series platform acting as a broadband network gateway (BNG), in a
Point-to-Point Protocol (PPP) scenario, when the Internet Protocol Control Protocol
(IPCP) or Internet Protocol version 6 Control Protocol (IPv6CP) is used for negotiation,
if the router receives a Configure-Request packet from the client, the MX BNG sends its
Configure-Request packet but does not send the Configure-Ack packet if it has not
received the Configure-Ack responding to the Configure-Request packet it sent. This
behavior does not follow RFC 1661, which demands that both actions,
Send-Configure-Request (i.e. ConfReq from MX Series platforms to client) and
Send-Configure-Ack (i.e. ConfAck from MX Series platforms to client), be conducted on
the router without any significant delay. PR1234004
•
Under a particular condition in configuring interfaces which have units, commit operation
fails with error message. PR1234050
•
On an MX Series platform acting as a broadband network gateway (BNG), in a
Point-to-Point Protocol (PPP) scenario, when the Internet Protocol Control Protocol
(IPCP) and Internet Protocol version 6 Control Protocol (IPv6CP) are used for
negotiation and IPv6CP is negotiated first, if the router receives an IPCP
Configure-Request packet from the client, the MX BNG sends its Configure-Request packet
but does not send the Configure-Ack packet if it has not received the Configure-Ack
responding to the Configure-Request packet it sent. This behavior does not follow
RFC 1661, which demands that both actions, Send-Configure-Request (i.e. ConfReq from MX
Series to client) and Send-Configure-Ack (i.e. ConfAck from MX Series to client), be
conducted on the router without any significant delay. PR1235261
Layer 2 Features
•
When MSTP is configured under a routing instance, both the primary and standby VPLS
pseudowires are stuck in ST state due to a bug in the software. That has been fixed
and now the PW status is set correctly. PR1206106
•
On MX Series platforms, if chassis-level configuration is used to take an FPC offline
after detecting major errors, the FPC is taken offline. But if a configuration commit is
performed after the FPC is taken offline, the FPC is brought back online. PR1218304
•
In a DHCP relay environment, when delay-authentication and proxy mode are configured
at the same time, jdhcpd might core due to a NULL session ID. PR1219958
•
During the unified ISSU process, if the first unified ISSU is aborted for some reason,
an internal timer is not cleaned up and a new lacpd is forked. This causes the second
unified ISSU on the backup Routing Engine to be aborted in the daemon prepare phase,
and it does not proceed further. PR1225523
•
MX Series platforms do not include Delegated-IPv6-Prefix in accounting interim.
PR1231665
•
The DHCPv6 renegotiation-lockout configuration statement range has been expanded to
4-600 seconds, which enables the customer to reduce the MX BNG wait time for responding
to DHCPv6 Solicit retransmission messages according to their requirements. PR1234009
•
This issue can be seen if the CPE initiates a DHCPv6 Solicit with the IA_NA, IA-PD, and
Rapid-Commit options: the MX Series platform sends the DHCPv6 Advertise with the
Rapid commit flag even though the Rapid-commit configuration statement is not enabled
on the MX Series platform. PR1235578
MPLS
•
User is allowed to configure both "load-balance-label-capability" and
"no-load-balance-label-capability" together. This is incorrect and confusing. PR1126439
•
When the RSVP-TE protocol is used to establish LSPs, make-before-break (MBB) might not
quit and start afresh when there is a failure on PSB2 (RSVP Path State Block for the
new LSP) in some cases where PathErr is not seen. (For example, for a PSB2 that is
already up with PathErr processing for it already in place, no PathErr is seen owing to
local-reversion and a quick flap.) As a result, no rerouting happens even if the TE
metric cost is raised. This issue is more likely to occur only when there is a
non-default optimize switchover delay. PR1205996
•
Due to an imperfect fix for a compatibility issue between 64-bit RPD and 32-bit client
applications (such as "mpls ping", "monitor label-switched-path", "monitor static-lsp",
etc.) on 15.1F5-S3/15.1F6/14.2R7/15.1R4/16.1R1, the function of monitoring signaled or
static LSPs is broken on either 64-bit or 32-bit RPD. The other 32-bit client
applications (such as "mpls ping", etc.) are not impacted. PR1213722
•
In scaled environment, when there are many Unicast NHs which are related to the
same transport LSP (e.g., same RSVP or LDP label), MPLS traffic statistics collection
may take too much CPU time in kernel mode. This can in turn lead to various system
impacting events, like scheduler slips of various processes and losing connection
towards the backup Routing Engine and FPCs. PR1214961
•
If the link/node failure that triggered a bypass persists for a long time, and there are
LSPs that do not get globally repaired, multiple stale LSP entries are showing down
and listed multiple times in the MPLS LSP. PR1222179
•
In a multi-instance RSVP scenario, we support MPLS in the VRF routing instance, but
we still do not support the Connections protocol inside the VRF routing instance. So
when we are adding any interface under MPLS inside the VRF routing instance, then it
should affect the Connections protocol inside the main instance. When we added the
CE-facing interface under MPLS in the VRF instance, it deleted the Patricia that held
the CCC information, because we do not have CCC information inside the VRF instance.
To resolve this issue, we have added a check: before acting on the Connections
protocol, we check whether the instance passed is the master instance, and if it is
not the master instance, we do not trigger the functionality related to CCC.
PR1222570
•
In a VPLS environment, if the routing instance is deleted, in rare conditions the rpd
process might crash. The routing protocols are impacted and traffic disruption is seen
due to loss of routing information. This is a timing issue and hard to reproduce.
PR1223514
•
In impacted Junos releases, LDP will import the metric for all IS-IS routes that have tags
without the configuration statement track-igp-metric. Versions 14.1R3, 14.2R1, and later are
impacted by this issue. For example, the route below has a tag and its LDP metric is the same
as the IGP metric:
MX> show route 20.20.20.20/32
inet.0: 17696 destinations, 17696 routes (17695 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both
20.20.20.20/32 *[IS-IS/18] 3d 03:36:14, metric 11, tag 80
    to 10.10.1.1 via xe-0/0/2.0
    to 10.11.1.1 via xe-0/0/3.0
  > to 10.13.1.1 via xe-2/1/2.0
    to 10.14.1.1 via xe-2/1/3.0
inet.3: 13418 destinations, 13418 routes (13418 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
20.20.20.20/32 *[LDP/9] 00:58:01, metric 11, tag 80
    to 10.10.1.1 via xe-0/0/2.0, Push 533376
    to 10.11.1.1 via xe-0/0/3.0, Push 533376
    to 10.13.1.1 via xe-2/1/2.0, Push 533376
  > to 10.14.1.1 via xe-2/1/3.0, Push 533376
The route below does not have a tag and has the default LDP metric:
MX> show route 10.10.10.10/32
inet.0: 17695 destinations, 17695 routes (17694 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both
10.10.10.10/32 *[IS-IS/18] 3d 03:35:23, metric 22
    to 10.1.1.1 via xe-0/0/0.0
    to 10.10.1.1 via xe-0/0/2.0
    to 10.11.1.1 via xe-0/0/3.0
    to 10.12.1.1 via xe-2/0/0.0
  > to 10.13.1.1 via xe-2/1/2.0
    to 10.14.1.1 via xe-2/1/3.0
inet.3: 13417 destinations, 13417 routes (13417 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
10.10.10.10/32 *[LDP/9] 00:57:10, metric 1
    to 10.1.1.1 via xe-0/0/0.0, Push 593760
    to 10.10.1.1 via xe-0/0/2.0, Push 556161
    to 10.11.1.1 via xe-0/0/3.0, Push 556161
    to 10.12.1.1 via xe-2/0/0.0, Push 593760
    to 10.13.1.1 via xe-2/1/2.0, Push 556161
  > to 10.14.1.1 via xe-2/1/3.0, Push 556161
PR1225592
Multicast
•
RPD creates an indirect next hop when a multicast route (S,G) needs to be installed
when listeners show their interest in S,G traffic. The kernel then creates a composite
NH. In this case, it appears to be a P2MP MCNH that gets created. When any member
interface is not a Packet Forwarding Engine specific interface (e.g., Vt, LSI, IRB, or any
other pseudo interface), the kernel throws a message indicating that FMBB cannot be
supported. These messages are harmless and do not have any impact. PR1230465
Network Management and Monitoring
•
Duplicated entries and error while loading MIBs on ManageEngine MIB Browser are
fixed for the below MIB files.
- jnx-chas-defines.mib
- jnx-gen-set.mib
- jnx-ifotn.mib
- jnx-optics.mib
PR1216567
•
On Junos OS Releases prior to 15.1R6 and 16.1R4, Digital Optical Monitoring (DOM) MIB
jnxDomCurrentTable for 1G SFP interface does not return any value. PR1218134
•
In MX Series platforms subscriber management environment, sometimes BNG responds
to the snmp get requests with Error: status=5 / vb_index=0 for some of the interface
related mibs. PR1218206
•
The reason for this new PR (1227121) is that the fix for PR-1126532 was accidentally
reverted while committing code under another PR-1209561. Hence, the external content
for this PR is the same as: https://gnats.juniper.net/web/default/1126432#external_tab
PR1227121
•
JUNIPER-SMI-MIB in MIB-Packet juniper-mibs-16.1X60-D30.4-signed.tgz has some
syntactical errors. PR1239539
Platform and Infrastructure
•
SNMP queries to retrieve jnxRpmResSumPercentLost will return the RPM/TWAMP
probe loss percentage as an integer value whereas the precise value (including decimal
points) can be retrieved through the CLI by using the following commands:
show services rpm probe-results
show services rpm twamp client probe-results
PR1104897
•
If you configure micro-bfd on an aggregate interface while using native-vlan, and native-vlan
is configured on one of the logical interfaces, then ARP resolution fails for that IFL.
PR1172229
•
The issue happens after GRES. If a commit is performed on the new master during the
configuration statement sync from the old master, the commit might fail. PR1179324
•
IPv6 now defaults to a probe type of ICMP. Prior to this a probe type had to be explicitly
specified. This change brings functional parity between IPv4 and IPv6 probe types
with regard to a default probe. PR1183196
•
On MX2K, the 'commit full' operation, or committing configuration under the 'system'
stanza (such as root-authentication and fxp0 interfaces), can cause a transient Fan check
Major alarm and Fan full speed. The Fan Tray spins at full speed for a while, then goes
back to normal and the alarm clears. The Fan check alarm and corresponding snmp
trap are temporary, and they can be safely ignored.
[email protected]> show chassis alarms
2 alarms currently active
Alarm time               Class  Description
2016-05-17 19:49:57 JST  Major  Fan Tray X Failure
2016-05-17 19:49:57 JST  Major  Fan Tray Y Failure
[email protected]> show chassis environment
Class Item                Status  Measurement
Fans  Fan Tray X Fan 1    Check
      Fan Tray X Fan 2    Check
      Fan Tray X Fan 3    Check
      Fan Tray X Fan 4    Check
      Fan Tray X Fan 5    Check
      Fan Tray X Fan 6    Check
      Fan Tray Y Fan 1    Check
      Fan Tray Y Fan 2    Check
      Fan Tray Y Fan 3    Check
      Fan Tray Y Fan 4    Check
      Fan Tray Y Fan 5    Check
      Fan Tray Y Fan 6    Check
When MPC9E is installed in MX2K, the fans usually run at around 6K rpm, and fan
speed control is frequently performed by the Junos software. In this situation, when all
daemons are re-evaluated (by commit full or a configuration statement change under the
system stanza), a software bug causes the fan status to be checked within a very
short period, and the Junos software then concludes that the fan is faulty because the fan
speed has not yet reached the target speed at the time of the check. After the fan alarm
is detected, the fans are expected to start working at full speed to cool the system
components. The fan status check logic is fixed by this PR: the fan status is checked
after the fan speed has stabilized, so this transient fan alarm is no longer seen. PR1185304
•
The issue occurs if there is at least one python event-script configured with a policy defined
in the configuration statement DB. Some policies without a script action also hit
the same warning.
#commit full
Jun 10 13:24:44 re0: [edit event-options] 'policy DOM-SIGNAL-CHECK' warning: Policy 'DOM-SIGNAL-CHECK' is defined in both Junos OS configuration database and event script, ignoring the one defined in event script
PR1190964
•
In a very rare scenario, during TAC accounting configuration change, auditd daemon
crashes due to a race condition between auditd and its sigalarm handler. PR1191527
•
Customer can now set the max-datasize configuration statement for JET scripts to
up to 3 GB. PR1193948
•
The junos:key attribute, which is emitted in the XML format of the configuration, will not be
emitted in the JSON format of the configuration. PR1195928
•
On Junos OS platforms with configuration statement "delta-export" enabled, the
delta-export database might not get correctly reinitialized upon one of the following
conditions:
1. delta-export is enabled for first time (delta-export is enabled in just this commit)
2. load override (delta-export is enabled in the configuration statement)
3. commit full (delta-export is enabled in the configuration statement)
Due to this, there is a mismatch between databases in further commits. As a result, the
configuration on the backup Routing Engine will be corrupted. PR1199895
•
After system boot up or after PSM reset, the "PSM INP1 circuit Failure" error
message might be seen. PR1203005
•
If Inline JFlow is configured in scaled scenarios, the Inline JFlow Sampler route database
takes a very long time to converge. PR1206061
•
On MX Series platforms that have both DPC/E and MX Series with MPCs/MICs line cards
installed, when DPC/E detects a remote destination error toward an MX Series with MPCs/MICs
Packet Forwarding Engine, unexpected fabric drops happen. PR1214461
•
In large scale configurations or environment with high rates of churn, the FPC ASIC
memory will become "fragmented" over time. It is possible in an extreme case that
memory of a particular size will become exhausted and due to the fragmentation, the
available memory will not fulfill the pending allocation. PR1216300
•
On MX2K, MIC output is seen when there is no MIC in MPC under "show chassis hardware
detail". Steps to reproduce the issue:
1. offline MPC
2. physically remove MPC
3. physically remove MIC from the MPC
4. reinsert MPC
5. online MPC
[email protected]> show chassis hardware detail |find fpc
FPC 0 REV 68 750-044130 ABDxxx79 MPC6E 3D
CPU REV 12 711-045719 ABDxxx35 RMPC PMB
MIC 0 REV 14 750-049457 ABCxxx22 2X100GE CFP2 OTN >>>>>>>> No MIC inside
MIC 1 REV 26 750-046532 ABCxxx53 24X10GE SFPP >>>>>>>>>>No MIC inside
XLM 0 REV 13 711-046638 ABDxxx59 MPC6E XL
XLM 1 REV 13 711-046638 ABDxxx87 MPC6E XL
PR1216413
•
This rmopd core file was created by the NULL pointer in SW function. PR1217140
•
For Junos OS devices supporting FreeBSD10 and with Junos release 16.1R2, 16.1x60-D30
or 16.1x60-D35, when ephemeral database is in use and "persist-groups-inheritance"
configuration statement is configured, daemons (for example, bbe-smgd, l2ald, ccmd,
dcd, but not limited to these) might crash after deletion of configuration from either ephemeral
database or normal static configuration database. PR1217362
•
Trio-based linecards might crash after firewall filter configuration change is committed.
PR1220185
•
Under certain conditions, a sync-other-re editing configuration warning might be displayed
after reboot:
[email protected]> configure exclusive
warning: uncommitted changes will be discarded on exit
Entering configuration mode
Users currently editing the configuration:
  sync-other-re (pid 9220) on since 2016-10-03 00:16:36 PDT, idle 2d 05:47
  sync-other-re (pid 9282) on since 2016-10-03 00:16:40 PDT, idle 2d 05:47
  sync-other-re (pid 9333) on since 2016-10-03 00:16:49 PDT, idle 2d 05:47
  sync-other-re (pid 9383) on since 2016-10-03 00:16:59 PDT, idle 2d 05:46
  sync-other-re (pid 9433) on since 2016-10-03 00:17:07 PDT, idle 2d 05:46
PR1221723
•
When any MPC line card is taken offline, it goes through all offline flows and the connection
is cleaned up, but at the end of the offline flow, powering off the line card is somehow
delayed. The chasd powers off the MPC by writing the respective power registers through I2cs,
but the hardware does not actually power off. As a consequence, because the MPC is still
powered on but the connection is down, it tries to reconnect and then starts to come up
automatically within 10 secs. This occurs sometimes (not all the time). PR1222071
•
NTP peers failed to synchronize in symmetric active mode when there is significant
downtime of one peer (e.g., due to power maintenance, HW or SW upgrades).
PR1222544
•
When IPv6 traffic learned on an L2/bridge interface has to traverse the MPLS core,
random packets may get classified incorrectly by the fabric, which leads to packet
loss. The fix for this PR ensures that such packets are flagged appropriately and
handled correctly in the fabric. PR1223566
•
Nexthop used for Routing Engine generated TCP traffic might differ from the one used
for Routing Engine generated non-TCP traffic if the prefix is not subjected to 'then
load-balanced per-packet' action and is pointing to an indirect nexthop resolved via
unilist nexthop (ECMP). Before the fix for PR1193697 this leads to non-TCP traffic
generated from Routing Engine taking one unicast next-hop while TCP traffic generated
from Routing Engine is load-balanced across different next-hops. After the fix for
PR1193697 this behaviour might lead to non-TCP host outbound traffic taking one
unicast next-hop, while TCP host outbound traffic takes another. PR1229409
•
Firewall filter index mapping gets incorrect after Routing Engine switchover, due to the
contents of "/var/etc/filters/filter-define.conf" getting wrongly changed after Routing
Engine switchover. PR1230954
•
The apply-path change bit does not seem to get applied when prefix-list is modified
and the DFWD daemon which waits for the policy-options does not get notified. And
the apply-path function is broken. PR1232299
•
Incoming interface index could not be used as a load balancing input factor under
family multiservice if the traffic payload is non-Ethernet frame. PR1232943
•
If openconfig package is installed on the device, when user tries to configure sensor
from CLI or netconf with an erroneous path, mgd process might slip into endless loop
and consume 100% CPU. PR1233178
•
Login for flow-tap DTCP-over-SSH service fails when SSH key-based authentication
is configured for the flow-tap user. When such a login attempt is performed, depending
on the Junos version, ssh-relay process might crash or the following log message might
be printed:
dfcd[21043]: DFCD_DTCP_USER_NOT_AUTHORIZED: Unauthorized user ft-user tried to log in for flow-tap service
The following configuration will cause the login for the flow-tap-dtcp service to fail:
system {
    login {
        class ft-class {
            permissions [ flow-tap flow-tap-control flow-tap-operation ];
        }
        user ft-user {
            uid 2012;
            class ft-class;
            authentication {
                ssh-rsa " ssh-rsa "
Interfaces and Chassis
•
In the hsl2 toolkit, there is a process which periodically checks the ASICs that
communicate through it. Due to a bug in the toolkit code, the process used invalidates
the ASIC and a crash occurs. PR1180010
•
In very rare conditions, FPC might crash when CLI command "request chassis mic
offline fpc-slot <fpc-slot> mic-slot <mic-slot>" or "request chassis pic offline fpc-slot
<fpc-slot> pic-slot <pic-slot>" is executed. This is due to a software defect that SFP
diagnostics polling function tries to access already destroyed SFP data structure by
MIC/PIC offline. PR1204485
•
If the version-3 configuration statement is not configured, the show vrrp
detail|extensive|interface command displays VRRP-Version as 2 for the inet6 address family.
VRRP for IPv6 never supported VRRP version 2; it was always version 3. This issue is
cosmetic and has no impact on VRRP IPv6 functionality. The VRRP packets generated
for inet6 address family are of VRRP version 3. PR1206212
•
When VRRP is configured on IRB interface with scaling configuration (300,000 lines),
in a corner case, handles might not be released appropriately after their use is over. As
a result, memory leak on vrrpd might be seen after configuration commit. PR1208038
•
Access-internal route not installed for Dual Stack subscriber terminated in VRF at LNS
with on-demand-ip-address. PR1214337
•
In a PPP subscriber scenario, if the jpppd process receives a reply message attribute
from the RADIUS or tacplus server with a character of %, it might cause the jpppd
process to crash and cause the PPP user to go offline. PR1216169
•
The dcd cannot start after router reboot due to a nonexistent IFL referenced in
demux-options underlying-interface. PR1216811
•
Unified ISSU will not work from Junos OS Release 15.1R to later images (for example,
15.1F and 16.1R2), when the router is equipped with QSFP/CXP/CFP2 optics on
MPC3E/MPC4E/MPC5E/MPC6E/MPC 3D 16x10GE cards. This issue occurs because
a dark window issue is fixed for SFPP/QSFP/CXP/CFP2 optics in the Junos OS Release
16.1 and 15.1F images, which makes the Junos OS 15.1R image incompatible with later
images. Doing unified ISSU on the incompatible image from Junos OS 15.1R to later
versions might result in a line card crash. PR1216924
•
On Junos OS Release 14.2 and later releases, if asymmetric-hold-time,
delegate-processing, and preempt hold-time are configured, when a neighbor's interface
comes up again, the "asymmetric-hold-time" feature cannot be used as expected.
PR1219757
•
PPPoE tunneled subscriber (L2TP) might get stuck in terminating state if RADIUS
sends Framed-IP-Address and Framed-IP-Netmask via access-accept in LAC.
PR1228802
•
A configuration change in which the underlying physical interface of a static VLAN
demultiplexing (demux) interface is changed to one with a lower bandwidth (for
example, from xe to ge) can fail. PR1232598
•
There is no trap for dot1agCfmMepHighestPrDefect with value 0 reported when CFM
session recovers from any other failed state. PR1232947
•
On an MX Series platform acting as broadband network gateway (BNG), in
Point-to-Point Protocol (PPP) scenario, when using the Internet Protocol Control
Protocol (IPCP) or Internet Protocol version 6 Control Protocol (IPv6CP) for negotiation,
if the router receives a Configure-Request packet from client, MX Series BNG sends
the Configure-Request packet, but does not send Configure-Ack packet, in case it does
not receive the Configure-Ack that is responding to the Configure-Request packet it
sent. The behavior does not follow RFC 1661, which demands that both actions
Send-Configure-Request (that is, ConfReq from MX Series to client) and
Send-Configure-Ack (that is ConfAck from MX Series to client) must be conducted on
the router without any significant delay. PR1234004
•
Under a particular condition in configuring interfaces that have units, commit operation
fails with error message. PR1234050
•
On an MX Series platform acting as broadband network gateway (BNG), in
Point-to-Point Protocol (PPP) scenario, when using the Internet Protocol Control
Protocol (IPCP) and Internet Protocol version 6 Control Protocol (IPv6CP) for
negotiation and IPv6CP is negotiated first, if the router receives an IPCP
Configure-Request packet from client, MX Series BNG sends the Configure-Request
packet, but does not send Configure-Ack packet in case it does not receive the
Configure-Ack that is responding to the Configure-Request packet it sent. The behavior
does not follow RFC 1661, which demands that both actions Send-Configure-Request
(that is, ConfReq from MX Series to client) and Send-Configure-Ack (that is, ConfAck
from MX Series to client) must be conducted on the router without any significant
delay. PR1235261
Layer 2 Features
•
When MSTP is configured under routing-instance, both the primary and standby VPLS
pseudowires are stuck in ST state due to a bug in the software. PR1206106
•
On MX Series platforms, if a chassis-level configuration is used to offline FPC after
detecting major errors, FPC will be offlined. But if committing configuration is performed
after offlining FPC, FPC will be brought online back again. PR1218304
•
In a DHCP relay environment, when delay-authentication and proxy mode are configured
at the same time, jdhcpd might generate a core file because of a NULL session ID.
PR1219958
•
During unified ISSU process, if the first unified ISSU is aborted for some reason, an
internal timer will not be cleaned up, and the new lacpd will be forked up. In this case,
the second unified ISSU in the backup Routing Engine is aborted in daemon prepare
phase. It will not proceed further. PR1225523
•
MX Series platform is not including Delegated-IPv6-Prefix in accounting interim.
PR1231665
•
This issue can be seen if the CPE is initiating DHCPv6-Solicit with IA_NA, IA-PD and
Rapid-Commit Option, but MX Series platforms will send the DHCPv6 Advertise with
Rapid commit flag even though the Rapid-commit configuration statement is not
enabled on MX Series platforms. PR1235578
MPLS
•
User is allowed to configure both "load-balance-label-capability" and
"no-load-balance-label-capability" together. This is incorrect and confusing. PR1126439
•
When using RSVP-TE protocol to establish LSPs, make before break (MBB) might not
quit and start again when there is a failure on PSB2 (RSVP Path State Block for new
LSP) in some cases where PathErr is not seen. (For example, for a PSB2 that is already
up and there is PathErr processing for it in place already, in this case, no PathErr is seen
owing to local-reversion and a quick flap.) As a result, no rerouting happens even if the
TE metric cost is raised. This issue has more chances of occurring only when there is
non-default optimize switchover delay. PR1205996
•
Due to an imperfect fix for a compatibility issue between 64-bit routing protocol process
(rpd) and 32-bit client applications (such as "mpls ping", "monitor
label-switched-path", "monitor static-lsp", etc) on the Junos OS Release
15.1F5-S3/15.1F6/14.2R7/15.1R4/16.1R1, the function of monitoring signaled or static
LSP is broken on either 64-bit or 32-bit rpd. However, the other 32-bit client applications
(such as "mpls ping") are not impacted. PR1213722
•
In a scaled environment, when there are many Unicast NHs that are related to the
same transport LSP (for example, the same RSVP or LDP label), MPLS traffic statistics
collection might take too much CPU time in kernel mode. This can in turn lead to various
system impacting events, like scheduler slips of various processes and losing connection
with the backup Routing Engine and FPCs. PR1214961
•
If the link/node failure that triggered a bypass persists for a long time, and there are
LSPs that do not get globally repaired, multiple stale LSP entries are showing down
and listing multiple times in the MPLS LSP. PR1222179
•
This issue occurs in a multi-instance RSVP scenario, where MPLS is supported in the VRF
routing-instance but the Connections protocol is not supported inside the VRF routing
instance. When you add any interface under MPLS inside the VRF routing-instance, it
should affect the Connections protocol inside the main instance. When the CE-facing
interface was added under MPLS in the VRF instance, the Patricia with CCC information
was deleted (because the CCC information was not inside the VRF instance). To resolve
this issue, a check was added: before acting on the Connections protocol, the instance
passed is checked to determine whether it is the master instance. If it is not the
master instance, the functionality related to CCC is not triggered. PR1222570
•
In VPLS environment, if you delete the routing-instance, in a rare condition, the rpd
process might crash. The routing protocols are impacted and traffic disruption will be
seen due to loss of routing information. This is a timing issue and hard to reproduce.
PR1223514
•
In impacted Junos OS releases LDP will import metrics for all IS-IS routes that have
tags without the configuration statement track-igp-metric. Junos OS Releases 14.1R3,
14.2R1, and later are impacted by this issue. PR1225592
Multicast
•
The routing protocol process (RPD) creates an indirect next hop when a multicast
route (S,G) needs to be installed when listeners show their interest to S,G traffic. Kernel
would then create a composite NH. In this case this appears to be P2MP MCNH that
gets created. When any member interface is not a Packet Forwarding Engine specific
interface (for example, Vt, LSI, IRB or any other pseudointerfaces), the kernel throws
a message indicating that FMBB cannot be supported. These messages are harmless
and do not have any impact. PR1230465
Network Management and Monitoring
•
Duplicated entries and error while loading MIBs on ManageEngine MIB Browser are
fixed for the below MIB files.
- jnx-chas-defines.mib
- jnx-gen-set.mib
- jnx-ifotn.mib
- jnx-optics.mib
PR1216567
•
On Junos OS Releases prior to 15.1R6 and 16.1R4, Digital Optical Monitoring (DOM) MIB
jnxDomCurrentTable for 1G SFP interface does not return any value. PR1218134
•
In MX Series platforms subscriber management environment, sometimes BNG responds
to the snmp get requests with Error: status=5 / vb_index=0 for some of the interface
related MIBs. PR1218206
•
JUNIPER-SMI-MIB in MIB-Packet juniper-mibs-16.1X60-D30.4-signed.tgz has some
syntactical errors. PR1239539
Platform and Infrastructure
•
SNMP queries to retrieve jnxRpmResSumPercentLost will return the RPM/TWAMP
probe loss percentage as an integer value whereas the precise value (including decimal
points) can be retrieved through the CLI by using the following commands:
show services rpm probe-results
show services rpm twamp client probe-results
PR1104897
•
If you configure micro-bfd on an aggregate interface while using native-vlan, and
native-vlan is configured on one of the logical interfaces, then ARP resolution fails
for that IFL. PR1172229
•
The issue happens after GRES. If a commit is performed on the new master Routing Engine
during the configuration statement sync from the old master, the commit might fail.
PR1179324
•
IPv6 now defaults to a probe type of ICMP. Prior to this a probe type had to be explicitly
specified. This change brings functional parity between IPv4 and IPv6 probe types
with regard to a default probe. PR1183196
•
On MX2K, the 'commit full' operation, or committing configuration under the 'system'
stanza (such as root-authentication and fxp0 interfaces), can cause a transient Fan
check Major alarm and Fan full speed. The Fan Tray spins at full speed for a while, then
goes back to normal and the alarm clears. The Fan check alarm and corresponding
snmp trap are temporary, and they can be safely ignored.
[email protected]> show chassis alarms
2 alarms currently active
Alarm time               Class  Description
2016-05-17 19:49:57 JST  Major  Fan Tray X Failure
2016-05-17 19:49:57 JST  Major  Fan Tray Y Failure
[email protected]> show chassis environment
Class Item                Status  Measurement
Fans  Fan Tray X Fan 1    Check
      Fan Tray X Fan 2    Check
      Fan Tray X Fan 3    Check
      Fan Tray X Fan 4    Check
      Fan Tray X Fan 5    Check
      Fan Tray X Fan 6    Check
      Fan Tray Y Fan 1    Check
      Fan Tray Y Fan 2    Check
      Fan Tray Y Fan 3    Check
      Fan Tray Y Fan 4    Check
      Fan Tray Y Fan 5    Check
      Fan Tray Y Fan 6    Check
When MPC9E is installed in MX2K, the fans usually run at around 6K rpm, and fan
speed control is frequently performed by the Junos software. In this situation, when all
daemons are re-evaluated (by commit full or a configuration statement change under the
system stanza), a software bug causes the fan status to be checked within a very
short period, and the Junos OS software then concludes that the fan is faulty because the
fan speed has not yet reached the target speed at the time of the check. After the fan
alarm is detected, the fans are expected to start working at full speed to cool the system
components. The fan status check logic is fixed by this PR: the fan status is checked
after the fan speed has stabilized, so this transient fan alarm is no longer seen. PR1185304
•
The issue occurs if there is at least one python event-script configured with a policy defined
in the configuration statement database. There are also some policies without a script action
that receive the same warning. #commit full Jun 10 13:24:44 re0: [edit event-options]
'policy DOM-SIGNAL-CHECK' warning: Policy 'DOM-SIGNAL-CHECK'. The warning is
defined in both the Junos OS configuration database and the event script. PR1190964
•
In a very rare scenario, during TAC accounting configuration change, auditd daemon
crashes due to a race condition between auditd and its sigalarm handler. PR1191527
•
Customer can now set the max-datasize configuration statement for JET scripts to up
to 3 GB. PR1193948
•
The junos:key attribute that is emitted in the XML format of configuration will not be
emitted in the JSON format of configuration. PR1195928
•
On Junos OS platforms with configuration statement "delta-export" enabled, the
delta-export database might not get correctly reinitialized upon one of the following
conditions:
1. delta-export is enabled for first time (delta-export is enabled in just this commit)
2. load override (delta-export is enabled in the configuration statement)
3. commit full (delta-export is enabled in the configuration statement)
Due to this, there is a mismatch between databases in further commits. As a result, the
configuration on the backup Routing Engine will be corrupted. PR1199895
•
After system start up or after PSM reset you might see "PSM INP1 circuit Failure" error
message. PR1203005
•
If inline J-Flow is configured in scaled scenarios, the Inline JFlow Sampler route database
takes a very long time to converge. PR1206061
•
On MX Series platforms that have both DPC/E and MX Series with MPCs/MICs line cards
installed, when DPC/E detects a remote destination error toward an MX Series with MPCs/MICs
Packet Forwarding Engine, unexpected fabric drops happen. PR1214461
•
In large scale configurations or environment with high rates of churn, the FPC ASIC
memory will become "fragmented" over time. It is possible in an extreme case that
memory of a particular size will become exhausted and due to the fragmentation, the
available memory will not fulfill the pending allocation. PR1216300
•
On MX2K, MIC output is seen when there is no MIC in MPC under "show chassis hardware
detail". Steps to reproduce the issue:
1. offline MPC
2. physically remove MPC
3. physically remove MIC from the MPC
4. reinsert MPC
5. online MPC
[email protected]> show chassis hardware detail |find fpc
FPC 0 REV 68 750-044130 ABDxxx79 MPC6E 3D
CPU REV 12 711-045719 ABDxxx35 RMPC PMB
MIC 0 REV 14 750-049457 ABCxxx22 2X100GE CFP2 OTN >>>>>>>> No MIC inside
MIC 1 REV 26 750-046532 ABCxxx53 24X10GE SFPP >>>>>>>>>>No MIC inside
XLM 0 REV 13 711-046638 ABDxxx59 MPC6E XL
XLM 1 REV 13 711-046638 ABDxxx87 MPC6E XL PR1216413
•
This rmopd core file was caused by the NULL pointer in SW function. PR1217140
•
For Junos OS devices supporting FreeBSD10 and with Junos OS Release 16.1R2,
16.1x60-D30 or 16.1x60-D35, when ephemeral database is in use and
"persist-groups-inheritance" configuration statement is configured, daemons (for
example, bbe-smgd, l2ald, ccmd, dcd, but not limited to these) might crash after deletion of
configuration from either ephemeral database or normal static configuration database.
PR1217362
•
MX Series with MPCs/MICs based linecards might crash after firewall filter configuration
change is committed. PR1220185
•
Under certain conditions, a sync-other-re editing configuration warning might be displayed
after reboot:
[email protected]> configure exclusive
warning: uncommitted changes will be discarded on exit
Entering configuration mode
Users currently editing the configuration:
  sync-other-re (pid 9220) on since 2016-10-03 00:16:36 PDT, idle 2d 05:47
  sync-other-re (pid 9282) on since 2016-10-03 00:16:40 PDT, idle 2d 05:47
  sync-other-re (pid 9333) on since 2016-10-03 00:16:49 PDT, idle 2d 05:47
  sync-other-re (pid 9383) on since 2016-10-03 00:16:59 PDT, idle 2d 05:46
  sync-other-re (pid 9433) on since 2016-10-03 00:17:07 PDT, idle 2d 05:46
PR1221723
•
When any MPC line card is taken offline, it goes through all offline flows and the connection
is cleaned up, but at the end of the offline flow, powering off the line card is somehow
delayed. The chasd powers off the MPC by writing the respective power registers through I2cs,
but the hardware does not actually power off. As a consequence, because the MPC is still
powered on but the connection is down, it tries to reconnect and then starts to come up
automatically within 10 secs. This occurs sometimes (not all the time). PR1222071
•
NTP peers failed to synchronize in symmetric active mode when there is significant
downtime of one peer (for example, due to power maintenance, or HW or SW
upgrades). PR1222544
Copyright © 2017, Juniper Networks, Inc.
•
When IPv6 traffic is learned on an L2/bridge interface and has to traverse the MPLS
core, random packets might get classified incorrectly by the fabric, which leads to
packet loss. PR1223566
•
The next hop used for Routing Engine generated TCP traffic might differ from the one used
for Routing Engine generated non-TCP traffic if the prefix is not subjected to the 'then
load-balanced per-packet' action and is pointing to an indirect next hop resolved via
a unilist next hop equal cost multipath (ECMP). Before the fix for PR1193697, this leads
to non-TCP traffic generated from the Routing Engine taking one unicast next hop while
TCP traffic generated from the Routing Engine is load-balanced across different next hops.
After the fix for PR1193697, this behavior might lead to non-TCP host outbound traffic
taking one unicast next hop, while TCP host outbound traffic takes another. PR1229409
•
Firewall filter index mapping gets incorrect after Routing Engine switchover, due to the
contents of "/var/etc/filters/filter-define.conf" getting incorrectly changed after Routing
Engine switchover. PR1230954
•
The apply-path change bit does not seem to get applied when prefix-list is modified
and the dfwd process which waits for the policy-options does not get notified. In
addition, the apply-path function is broken. PR1232299
•
Incoming interface index could not be used as a load-balancing input factor under
family multiservice if the traffic payload is non-Ethernet frame. PR1232943
•
If the openconfig package is installed on the device, when you try to configure a sensor
from the CLI or netconf with an erroneous path, the mgd process might enter an endless
loop and consume 100% CPU. PR1233178
•
Login for flow-tap DTCP-over-SSH service fails when SSH key-based authentication
is configured for the flow-tap user. When such a login attempt is performed, depending
on the Junos OS version, ssh-relay process might crash or the following log message
might be printed:
    dfcd[21043]: DFCD_DTCP_USER_NOT_AUTHORIZED: Unauthorized user ft-user tried to log in for flow-tap service
The following configuration will cause the login for the flow-tap-dtcp service to fail:
    system {
        login {
            class ft-class {
                permissions [ flow-tap flow-tap-control flow-tap-operation ];
            }
            user ft-user {
                uid 2012;
                class ft-class;
                authentication {
                    ssh-rsa " ssh-rsa "
Resolved Issues:16.1R3
Forwarding and Sampling
•
The changes to srrd (sampling route reflector daemon - new architecture for sampling)
process between 14.2R5.8 and 14.2R6.5 severely reduce MX80 series available memory
and therefore RIB/FIB scaling. PR1187721
•
On MX Series platforms with "Enhanced Subscriber Management" mode, if default
forwarding-classes are referenced by subscriber filters, committing configuration
changes after GRES fails. PR1214040
General Routing
•
On MX Series platforms, the MS-MPC crash might occur. The exact trigger of the issue
is unknown; normally, this issue might happen over long hours (for example, within a
week) of traffic run (for example, running HTTP/HTTPS/DNS/RTSP/TFP/FTP traffic
profile). Coredumps might point to - Program terminated with signal 4, Illegal instruction
PR1124466
•
On rare occasions the transport daemon may generate a core dump after a configuration
change. PR1164377
•
When a CFM down-mep is configured on a STP-blocked interface which is housed on
a DPCE card, flooding of traffic in the local L2 broadcast network might happen, leading
to side-effects such as flapping of OSPF sessions, BFD sessions, or similar. PR1174175
•
This is a display issue and does not affect power functionality. A fix has been
added to the commands show chassis power and show chassis environment pem for the
case when one of the DC PEM circuit breakers has tripped. PR1177536
•
If "router-advertisement" protocol is configured in client ppp profile, unsolicited RA
might be sent before the IPv6CP Configuration ACK is received. PR1179066
•
On MX240/MX480/MX960/MX2010/MX2020 platforms, in rare cases, MPC4 line
card might never come back online after rebooting the chassis by "request system
reboot both-routing-engine" command. PR1190418
•
On MX series with MPC3/MPC4/MPC5/MPC6, the VSC8248 firmware on the MPC
crashes occasionally. This PR enhances the existing VSC8248 PHY firmware crash
detection and recovery, helping recover from a few corner cases where the existing
Junos OS workaround does not work. PR1192914
•
Configuring an RLT interface and rebooting the router shows the RLT interface down.
The show l2circuit connection shows an mtu mismatch as the immediate cause. For
example, the problem may be seen with the following configuration:
    show configuration interfaces rlt0
    redundancy-group {
        member-interface lt-4/0/0;
        member-interface lt-4/2/0;
    }
    unit 0 {
        encapsulation vlan-ccc;
        vlan-id 600;
        peer-unit 1;
        family ccc;
    }
    unit 1 {
        encapsulation vlan;
        vlan-id 600;
        peer-unit 0;
        family inet {
            address 70.70.70.1/24;
        }
    }
PR1192932
•
In an inline BFD or distributed BFD (in Packet Forwarding Engine) scenario, Packet
Forwarding Engine fast reroute is no longer invoked if the remote peer signals a BFD
ADMINDOWN message to the local node, and convergence time is then based on
protocol signaling. PR1196243
•
With MPC-NG or MPC5E hardware, the range of the queue weights on an interface is
from 0 to 124. As every queue has to have an integer value of queue weight, it might
be impossible to assign the weights in exact proportions to the configured transmit-rate
percentage. Therefore, when a physical interface operates in a PIR-only mode, this
might cause imprecise scheduling results. PR1200013
•
MS-MPC/MS-MIC: MSPMAND cores when an encrypted packet is received outside the
range of the replay-window size. The issue might occur under peak loads, where encrypted
packets are received out of order due to drops in the network. PR1200739
•
Dynamic firewall filter programs incorrect match prefix on the Packet Forwarding Engine.
PR1204291
•
On MX240/MX480/MX960 platform with RE-S-2000, the Hard-Drive information on
RE is missing in "show chassis hardware detail" output after upgrading to Junos 15.1
and later. This is just a display issue and this has no impact on any functionality.
PR1205004
•
J-UKERN.mpc0 core after filter configuration change on vMX. PR1205325
•
SMID daemon has stopped responding to the management requests after a jl2tpd
(L2TP daemon) crash on a production MX960 BNG.
•
When PCEP is enabled and LSPs are undergoing changes, like make before break
(MBB) for rerouting, the rpd has to send those updates to PCE. However, when the
PCEP session to PCE goes down, these updates are cancelled, but the rpd fails to
completely reclaim the memory allocated for these updates. This causes rpd memory
usage to increase every time the connection to PCE goes down while LSPs are
simultaneously going through MBB changes. This issue will be especially noticeable
when connectivity to PCE goes UP and DOWN continuously. If the connection is in
steady state, either UP or DOWN, then the memory leak will not happen. PR1206324
•
Analysis:
- When an egress Packet Forwarding Engine (NG-MPC3E) is oversubscribed, it applies
flow control to the ingress Packet Forwarding Engine (MPC7E).
- The fabric delay buffer memory utilization on the ingress Packet Forwarding Engine
(MPC7E) went up due to the flow control from the egress Packet Forwarding Engine.
- The default WRED drop profile for the low priority fabric queues was not aggressively
dropping the low priority traffic.
Solution:
- Have separate default WRED drop profiles for low and high priority fabric queues.
- Set up the default WRED drop profile for the low priority queues to drop the traffic
more aggressively so that high priority traffic can be protected.
PR1207417
•
RLT interface configuration not supported. PR1207982
•
In a rare race condition, multiple interrupts are not handled properly on MX platforms
with MPC7E/MPC8E/MPC9E and PTX platforms with FPC3-PTX-U2/FPC3-PTX-U3,
which leads to a core dump. The issue is hard to reproduce. The interrupt code is
optimized to avoid the unnecessary call and prevent the issue. PR1208536
•
The cpcdd daemon might core and restart on the subscriber scenario with CPCD
(captive-portal-content-delivery) service configured. PR1208577
•
On MX Series platform with "subscriber-management" enabled, if route-suppression
is configured for access/access-internal routes as well as destination L2 address
suppression is configured for the subscriber, wrong destination MAC would be generated
for the subscriber. PR1209430
•
The logic to calculate the IPsec phase2 soft lifetime has been changed in 14.2R6,
resulting in an interop issue in certain scenarios. A hidden configuration statement is
provided as part of this PR which will revert the soft lifetime logic to the one used in
11.4 release. PR1209883
•
During GRES or unified ISSU, the BFD protocol state of a child ifd may not get replicated
on the backup Routing Engine until bfd starts running on the new Active Routing Engine.
PR1211015
•
On MX Series routers, when configuring the dynamic access routes for subscribers
based on the Framed-Route RADIUS attribute, the route will be created on the device;
however, it will be installed as an access-internal route instead of an access route if
it has a /32 mask length. PR1211281
•
Inline J-Flow - Sequence number in flow data template is always set to zero on MPC5E
and above line card type PR1211520
•
Change the text for 'Illegal IP protocol number' by removing 0 and 255, since they are
not considered illegal per the standards. For IPv4, drop packets where the protocol
number is > 142, and update the counter 'Illegal IP protocol number'. PR1211785
•
[Diagram: T4000 with aggregated Ethernet bundles ae12, ae4, and ae2]
In the T4000, AE4 and AE2 both have Type 4 FPCs. When these two FPCs are alone in the
VPLS instance, the VRRP status stays as Master/Backup in the CE routers. But when the
AE12 bundle is added under the same VPLS instance, the VRRP status in both CEs becomes
Master/Master. One CE sends the VRRP advertisement packets with a TTL value of 255,
and the other CE receives the VRRP packets, but with the TTL value showing as 0. This
happens when an AE bundle that has a Type 5 FPC is added under a VPLS instance that
already has Type 4 FPCs. PR1212796
•
Inline J-Flow service will not work after unified ISSU on MPC5E and above type line
cards. PR1214842
•
This issue happens only with RLT configuration and only on 16.1 and beyond. PR1216991
Infrastructure
•
The gstatd process for the 64-bit Junos image does not reach the correct path in the
code, and as a result the gstatd process fails to start. PR1074084
•
From Junos OS Release 15.1 and later, a smartd error message for Unigen SSDs may be
seen. Smartd reads SSD attributes and checks 197-current-uncorrectable and
198-offline-uncorrectable by default. For Unigen, attribute 198 is not
Offline-Uncorrectable; it is 'Total Count of Read Sectors'. Because it is a total read
count, attribute 198 always carries a value, and smartd reports it as 'Offline
Uncorrectable Error'. PR1187389
•
This patch fixes a problem seen on MX80 platforms: when the Routing Engine
memory utilization is high (for example, 95%), the kernel can crash. Now, on MX5, MX10,
MX40, and MX80 routers, the router will restart. This restart can manifest in one of two
ways:
- A kernel core is generated after restart;
- The watchdog restart is triggered and no kernel core is generated;
In both cases the system will restart. PR1099998
Interfaces and Chassis
•
In the hsl2 toolkit, there is a process which periodically checks the ASICs which
communicate through it. Due to a bug in the toolkit code, the process used to invalidate
the very ASIC that it was processing, which caused the crash. PR1180010
•
IP traffic forwarding stops within VRF L3VPN after an MX-VC reboot. PR1203887
•
In very rare cases, the MPC might crash with a core dump when the CLI command
request chassis mic offline fpc-slot <fpc-slot> mic-slot <mic-slot> is executed,
due to a software bug in which the SFP diagnostics polling function tries to access an
SFP data structure already destroyed by the MIC offline operation. With the fix, the
software checks whether the SFP data is valid before accessing it. PR1204485
•
When configuring "vlan-tags" for any interface, if the interface configuration is changed
continually, the dcd process might leak memory. If the memory is exhausted, the dcd
process might crash. PR1207233
•
The command show interfaces terse routing-instance all has wrong display format
when there are multiple addresses. PR1207272
•
If the configuration is scaled so that the inner list has more than 4K VLANs, the
commit operations for the VLAN configuration might fail. PR1207939
•
The interface fxp0 might flap upon some specific commits, which might impact the normal
operation of out-of-band management. PR1213171
•
During L2TP session establishment on MX LAC, if CPE attempts to negotiate MRU
higher than 1492 bytes, spurious MRU of 1492 bytes is included into the Last Received
ConfReq AVP in ICCN packet. PR1215062
MPLS
•
With a high degree of aggregation and a large number of next hops for the same route,
ldp may spend too much CPU updating routes due to topology changes. This may
result in scheduler slip and ldp session timing out. PR1192950
•
In an L3VPN with chained-composite-next-hop scenario, when receiving a TTL expired
packet, the device transmits an ICMP error message in an MPLS header, but the route
next hop for this ICMP error packet is discard, so one error message is logged.
PR1194446
•
After MBB, new LSP will not have "explicit route". This behavior happens under
MPLS-TP BFD environment. You can confirm this behavior in BFD packets drop pattern
and link down pattern. Both patterns will indicate the same behavior. PR1207039
•
This behavior is specific to Release 16.1. When an ingress-side link fails and the LSP
uses the bypass path, the LSR (DUT) cannot send the proper "RSVP RRO" even if the
egress-side topology changes. Refer to the following example.
--- example ---
1. This is the initial state. LSP of RRO has Link A and B IP address.

              bypass                  bypass
              Link C                  Link D
        +--------------------+ +------------------+
        |                    | |                  |
  [Ingress LER]            [ LSR ]            [ Egress LER]
        |                    | |                  |
        +--------------------+ +------------------+
              Link A                  Link B
            strict path             strict path

2. Link A is down. LSP of RRO has Link B and C IP address because LSR sends out RSVP
RESV including proper RRO to Ingress LER.

              bypass       RSVP RESV       bypass
              Link C        <-----+        Link D
        +--------------------+    |    +------------------+
        |                    |    |    |                  |
  [Ingress LER]               [ LSR ]               [ Egress LER]
        |                    |         |                  |
        +--------- X --------+         +------------------+
              Link A                         Link B
            strict path                    strict path

3. Link B is down. LSP of RRO has Link B and C IP address because LSR does not send out
RSVP RESV including proper RRO to Ingress LER. (wrong)

              bypass       RSVP RESV       bypass
              Link C        <-----+        Link D
        +--------------------+    |    +------------------+
        |                    |    |    |                  |
  [Ingress LER]               [ LSR ]               [ Egress LER]
        |                    |         |                  |
        +--------- X --------+         +-------- X -------+
              Link A                         Link B
            strict path                    strict path

PR1207862
•
With two Routing Engines and ldp export policy or l2-smart-policy configured, rpd on
the backup Routing Engine may crash when ldp is trying to delete a filtered label binding.
PR1211194
Network Management and Monitoring
•
A trailing newline was erroneously added to the $$.message variable. This had
undesirable effects for some use cases when using the 'event-options policy <> then
execute-commands commands <>' stanza. The fix escapes any newline characters, which
mitigates the issue. PR1200820
•
RLI-24802 introduced in 16.1R1 caused some issues with snmp get-bulk. These changes
are reverted from 16.1R2. PR1209561
Platform and Infrastructure
•
"show interfaces mac-database mac-address <mac-addr> <intf-name> " does not
display any mac-specific traffic statistics data on Stout Line cards and also VMX for
mac-learning enabled interfaces mapped to inet family PR1012046
•
On MX2K, the 'commit full' operation, or committing configuration under the 'system'
stanza (such as root-authentication and fxp0 interfaces), can cause a transient Fan check
Major alarm and Fan full speed. The Fan Tray spins at full speed for a while, then goes
back to normal and the alarm clears. The Fan check alarm and corresponding snmp
trap are temporary, and they can be safely ignored.
    [email protected]> show chassis alarms
    2 alarms currently active
    Alarm time               Class  Description
    2016-05-17 19:49:57 JST  Major  Fan Tray X Failure
    2016-05-17 19:49:57 JST  Major  Fan Tray Y Failure

    [email protected]> show chassis environment
    Class Item                           Status     Measurement
    Fans  Fan Tray X Fan 1               Check
          Fan Tray X Fan 2               Check
          Fan Tray X Fan 3               Check
          Fan Tray X Fan 4               Check
          Fan Tray X Fan 5               Check
          Fan Tray X Fan 6               Check
          Fan Tray Y Fan 1               Check
          Fan Tray Y Fan 2               Check
          Fan Tray Y Fan 3               Check
          Fan Tray Y Fan 4               Check
          Fan Tray Y Fan 5               Check
          Fan Tray Y Fan 6               Check
When MPC9E is installed in MX2K, the fans usually stay at around 6K rpm, and the fan
speed control is frequently done by the Junos software. In this situation, when all
daemons are re-evaluated (by commit full or a configuration change under the system
stanza), the software bug causes the fan status to be checked within a very short period.
The Junos software then recognizes the fan as faulty because the fan speed has
not yet reached the target speed when the fan status is checked within that short period.
After the fan alarm is detected, the fans are expected to start working at full speed
to cool the system components. The fan status check logic is fixed by this PR. The fan
status is checked after the fan speed is stabilized, hence this transient
fan alarm is no longer seen. PR1185304
•
A customer has reported that if you mistakenly configure a static flow route at the
wrong hierarchy in the configuration of an MX80 or MX104, a core dump occurs
upon commit. This does not happen on other MX Series platforms. PR1187469
•
In a very rare scenario, during TAC accounting configuration change, auditd daemon
crashes due to a race condition between auditd and its sigalarm handler. PR1191527
•
On MX Series with MQCHIP linecard (Trio linecard) with traffic-control-profile, if the
overhead-accounting is configured with negative values, it might not work. The shape
function will be affected. PR1195866
•
When checking the default configuration for groups junos-defaults, no information is
shown. PR1201380
•
The unsupported CLI commands in MX Series Platforms "show ddos-protection
protocols proto-802-1x / oam-cfm / multihop-bfd / iso-tcc / mld / martian-address
/ ldp-hello / arp-snoop / ethernet-tcc / all-fiber-channel-enode / bridge-control ..."
are made hidden/removed starting 16.1R3. PR1201459
•
When a Netconf '<get-route-information>' RPC is executed for all routes via an ssh
transport session and the session is terminated before all the route information is
retrieved, the MGD process and RPD daemon will cause high CPU utilization for an
extended period of time. Examples of issues caused by this high CPU utilization for an
extended period are as follows:
- BGP neighbors' holddown timers expire and the neighbors become ACTIVE
- OSPF adjacencies reset during database exchange
- OSPF LSA retransmission events on neighboring nodes due to missing ACKs
- LDP sessions time out
- Non-distributed BFD sessions are reset due to missing keepalives
PR1203612
•
This fix optimizes the communication between SRRD and its clients. Previous behavior
of the SRRD daemon:
1. The daemon sends routes for 10 seconds per client. If the socket is full and is not
writable, it waits for the buffer to become writable using the select call.
2. The daemon moves on to the next client and repeats step 1, and comes back to the
first client once done with all the clients for 10 seconds each.
3. When there are no more routes to send, it just moves on to the next client and doesn't
wait for the interval of 10 seconds to expire.
The fix is to optimize the way the SRRD daemon uses the interval per client. The interval
duration per client and the buffer sizes used by the socket in the SRRD daemon are
tweaked. PR1206061
•
When "commit confirmed" is used after performing some changes, and an empty
commit is performed to confirm the changes, the processes related to the previous
changes are notified again, which is unnecessary. It might cause session/protocol flap.
PR1208230
•
A fusion setup can experience a leak of NH memory when MAC moves result in updated
next hops. You must restart the MPC to regain the memory. PR1208514
•
Workaround: Deactivate and activate the Inline J-Flow sampling instance.
How to avoid:
1. Don't make any Inline J-Flow specific configuration changes when the service is not in
steady state.
2. Configuration changes should be done in two steps:
a) First configure the J-Flow related configuration except the Flow Table size.
b) Flow table size should be changed in a separate commit from the rest of the J-Flow
configuration.
PR1210899
•
Several files are copied between Routing Engines during 'ffp synchronize' phase of the
commit (for example, /var/etc/mobile_aaa_ne.id, /var/etc/mobile_aaa_radius.id, etc).
These files are copied even if there was no corresponding change in the configuration
thus unnecessarily increasing commit time. PR1210986
•
If a unicast or multicast source sends a fragmented packet (a packet which exceeds
the MTU of its outgoing interface) to the router and it needs to resolve the destination
route, then only the first fragment of the packet is sent when the route is resolved.
PR1212191
•
For Junos devices supporting FreeBSD10 and with Junos release 16.1R2, 16.1x60-D30
or 16.1x60-D35, when ephemeral database is in use and "persist-groups-inheritance"
configuration statement is configured, daemons (for example, bbe-smgd, l2ald, ccmd,
dcd but not limited) might crash after deletion of configuration from either ephemeral
database or normal static configuration database. PR1217362
Routing Policy and Firewall Filters
•
From Junos OS Release 15.1, a memory leak on policy_object might be observed if
policy configuration is added and deleted at high frequency. Not all policies leak
memory; only a container policy referred to in a policy statement hits this issue:
the "from" in the policy invokes terms that are defined in policy-options, for example,
community, as-path, prefix-list. This is the configuration example:
    set policy-options prefix-list pl
    set policy-options policy-statement from prefix-list pl
PR1202297
Routing Protocols
•
When a bgp peer has a hold time of zero configured the peer will not reach
establishment. PR1138690
•
If we have post-policy BMP configured & import policy rejects the route making it
hidden, we will still periodically send this Unreachable Prefix to the BMP station.
    May 17 15:45:05.047931 bmp_send_rm_msg called, found post-policy prefix 101.66.66.66/32, peer 10.0.1.1 (External AS 65101), station BMP_STATION_2
    May 17 15:45:05.047943 import policy rejected post-policy prefix 101.66.66.66/32, peer 10.0.1.1 (External AS 65101), station BMP_STATION_2
    May 17 15:45:05.047986 generating post-policy delete for prefix 101.66.66.66/32, peer 10.0.1.1 (External AS 65101), station BMP_STATION_2
    May 17 15:45:05.048001 BMP: type 0 (RM), len 76, ver 3, post-policy, for Peer 10.0.1.1, station BMP_STATION_2
    May 17 15:45:05.048018 Peer AS: 65101 Peer BGP Id: 10.0.1.1 Time: 1463492684:0 (May 17 13:44:44)
    May 17 15:45:05.048027 Update: message type 2 (Update) length 28
    May 17 15:45:05.048034 Update: Unreachable prefix data length 5
    May 17 15:45:05.048047 Update: 101.66.66.66/32
PR1184344
•
The VRF related routes which are leaked to the global inet.0 table and advertised by
the access routers are not being advertised to global inet.0 table on the core. PR1200883
•
When a BGP route is resolved using a secondary OSPF route that is exported from one
routing-instance to another routing-instance, rpd might restart unexpectedly if the BGP
route is being withdrawn while the OSPF route is deleted.
PR1206640
•
If BGP and NSR are configured, then performing GRES might cause BGP to be stuck in the
NSR replication state. PR1210781
•
If a NSR enabled router is providing graceful restart support for a restarting peer, and
the standby is unconfigured, then rpd may core on the standby during the shutdown.
PR1212683
•
EBGP peer may remain "Idle" at NSR backup-Routing Engine, after Interface-down
event. PR1215855
•
When using 64-bit RPD (routing protocol process), if either OSPFv2 or OSPFv3 is
configured, the device may not correctly handle received LSAs having the LS sequence
number set to MaxSequenceNumber (0x7fffffff) in LS Updates and may discard those
LSAs without acknowledging them, because it considers that a newer copy is present in
the OSPF database. The issue surfaced because a particular vendor OSPF
implementation was setting the LSA's LS sequence number to MaxSequenceNumber
in addition to setting the LSA's age to MaxAge (3600) when prematurely aging an LSA
(which is not correct according to Section 14.1 of RFC 2328). PR1217373
•
When doing multiple back-to-back GRES switchovers, the BGP peerings may drop after
3 or more switchovers. PR1224330
Services Applications
•
The issue happens in specific corner cases, and an acceptable workaround is available:
if the complete subscriber is brought down and brought back up again, family bring-up
will work. PR1190939
•
On MX Series with L2TP configured, for some reason the L2TP packet in ICRQ
retransmission message is set to incorrect value, and this causes frequent L2TP session
flaps. PR1206542
•
On MX Series routers with subscriber management feature enabled used as a LAC
(L2TP Access Concentrator), a small amount of memory is leaked by the jl2tpd process
on the backup Routing Engine when subscriber sessions are logged out. PR1208111
•
L2TP subscribers on LNS might get stuck in Terminated state. PR1215941
Subscriber Access Management
•
Subscribers cannot pass authentication if RADIUS returns attribute
22 (Framed-Route) with "0.0.0.0/0". PR1208637
•
On MX Series routers with subscriber management feature enabled, after GRES
switchover the "show network-access aaa statistics radius" CLI command displays only
zeros and "clear network-access aaa statistics radius" does not clear statistics as it
should. It is a cosmetic issue and communication with the RADIUS server works fine;
the only impact is that the affected CLI commands do not work as expected. PR1208735
•
Commit error: "Radius-Flow-Tap LSRI" "is in use by subscriber, cannot be removed
from the configuration" might be seen after two consecutive GRES switchovers if a
subscriber with lawful intercept mirroring enabled was logged in before the switchovers.
PR1210943
User Interface and Configuration
•
Configuration database is locked by "root" user when trying to commit vpls circuit
configurations in "configuration exclusive" mode. PR1208390
•
If a user enters configuration mode with the "configure exclusive" command, and the
configuration is automatically rolled back because the commit was not confirmed, the
user can still make configuration changes with the "replace pattern" command, but the
subsequent commit fails with "error: access has been revoked". After exiting
configuration mode, the user fails to enter configuration mode using "configure
exclusive" with "error: configuration database modified". PR1210942
•
When persist-groups-inheritance is configured and you issue a rollback you may see
that the configuration is not propagated properly after a commit. PR1214743
VPNs
•
In BGP VPLS environment, sometimes we receive routes from BGP with invalid next-hop
related information. In such scenarios, VPLS should treat them as bad routes and not
send them to rpd infra for route resolution. Due to a software defect, the bad routes
are passed to the route resolver, which might lead to rpd process crash. The routing
protocols are impacted and traffic disruption will be seen due to loss of routing
information. PR1192963
•
In MVPN mode SPT-only, the first multicast packet is lost when the source is directly
connected to the PE. PR1204425
Resolved Issues:16.1R2
Class of Service (CoS)
•
Logical interfaces bound to a routing-instance classifier are not seen under the
classifier index inside the CFEB. The cause of this issue was a missing else
statement, which led to data getting overwritten in the LSI scenario. This has
been corrected. PR1200785
Forwarding and Sampling
•
Commit gives error as follows when apply-groups is configured under bridge domain.
error: Check-out failed for Firewall process (/usr/sbin/dfwd) without details. PR1166537
•
SRRD (Sampling Route-Record Daemon) process does not delete routes when the
DELETE is received from RPD in few configuration cases. This results in build-up of
memory in SRRD daemon and once SRRD reaches the limit, it crashes and restarts
itself. This happens only when one certain family is not configured on all of the FPC
clients (e.g., FPC with inline J-Flow enabled or PIC with PIC-based sampling enabled
is one client). For example, only IPv4 family is configured in all the clients, and IPv6
and MPLS families are not configured for sampling in any of the clients. PR1180158
•
Starting with Junos OS Release 14.2R1, FPC offline could trigger Sampling Route Record
(SRRD) daemon restart. PR1191010
General Routing
•
When a ps interface is configured with a logical tunnel (lt) interface as its anchor
interface, without explicit tunnel-bandwidth configuration (under the 'chassis fpc pic
tunnel-services' configuration hierarchy), the ps interface is created only in the kernel,
but not on the Packet Forwarding Engine. In order to have the ps interface in the Packet
Forwarding Engine, an explicit tunnel-bandwidth configuration is required. PR 1042737
removes this restriction, and a ps interface may be anchored to an lt interface without
explicit tunnel-bandwidth configured. PR1042737
•
During initial ramp-up of an IPsec session, a race condition could crash mspmand in rare
circumstances. PR1116487
•
On MX Series platforms with MS-MPC/MS-MIC in use, due to some reason if the NAT
session is freed/removed but without removing timer wheel entry, then it might cause
MS-MPC/MS-MIC crash. It is a timing issue where just before invoking the timer wheel
callback the NAT session extension got freed/removed. PR1117662
•
The jsscd might crash in a static-subscribers scaling environment (e.g., 112K total
subscribers, 77K dhcp subscribers, 3K static-subscribers, 32K dynamic vlans). When
this issue occurs, the subscribers might be lost.
    [email protected]_RE0> show system core-dumps
    -rw-rw---- 1 root field 8088852 Jan 1 11:11 /var/tmp/jsscd.core-tarball.0.tgz
PR1133780
•
On MX Series platforms, the "Max Power Consumption" of MPC Type 1 3D (model
number: MX-MPC1-3D) would exceed the default value due to software issue. For
example, the value might be shown as 368 Watts instead of 239 Watts when "max
ambient temperature" is 55 degree Celsius. PR1137925
•
OLD: set applications application my-ike-alg44 child-session-timeout 240
NEW: set applications application my-ike-alg44 child-inactivity-timeout 240
The inactivity timeout of IKE ALG child sessions (ESP sessions) can be configured with
this option. The option name is changed for better representation (the functionality is
not changed). PR1153045
•
In the sampling feature, certain scenarios force the sampled packet to be handled in
interrupt context, which might corrupt the BMEB packet context and lead to BMEB FDB
corruption. PR1156464
•
The default per-packet load balancing (PPLB) export policy created for Ethernet VPN
(EVPN) has been removed from Junos OS. It was used to enable per-packet load
balancing for EVPN routes on certain MX Series platforms, but not all. Per-packet
load balancing now needs to be configured explicitly. PR1162433
•
The ICMP time exceeded error packet is not generated on an IPsec router on the decap
side. The problem is fixed for MS-MPC/MIC and works fine if the session is there. There
is no other way to return the time exceeded message over a tunnel. There is no plan
to fix this for MS-DPC. PR1163472
•
When using qsfp28 optics on the 100G Gladiator PTX FPC card, the Tx laser disabled alarm
is not on after disabling the interface. This has already been fixed in 15.1F6. One of
the functions was set with an incorrect value, which caused this problem when scanning
Tx disable alarms.
Laser bias current low alarm : On
Laser bias current high warning : Off
Laser bias current low warning : On
Laser receiver power high alarm : Off
Laser receiver power low alarm : Off
Laser receiver power high warning : Off
Laser receiver power low warning : Off
Tx loss of signal functionality alarm : Off
Rx loss of signal alarm : Off
Tx laser disabled alarm : Off <<<<<
Lane 3
Laser bias current : 0.000 mA
Laser output power : 0.000 mW / - Inf dBm
Laser receiver power : 1.091 mW / 0.38 dBm
Laser bias current high alarm : Off
Laser bias current low alarm : On
Laser bias current high warning : Off
Laser bias current low warning : On
Laser receiver power high alarm : Off
Laser receiver power low alarm : Off
Laser receiver power high warning : Off
Laser receiver power low warning : Off
Tx loss of signal functionality alarm : Off
Rx loss of signal alarm : Off
Tx laser disabled alarm : Off <<<<<
[edit]
[email protected]#
PR1164163
•
With Junos OS Release 15.1 and later, on MS-MPC or MS-PIC, OSPF adjacency may
fail to establish when there is no static route pointing to service PIC. PR1164517
•
On MS-MPC/MS-DPC platforms, if stateful-firewall is configured, it should not create
a session when first packet is a TCP NON-SYN packet, even if it matches the
stateful-firewall rule. PR1166500
•
Sampled continues logging events in the trace option file after the trace option for
sampled is deactivated. This can be hit if there is no configuration under
'forwarding-options sampling' but other configuration for sampled is present (e.g.,
port-mirroring). PR1168666
•
When MS-MPC is used, if any bridging domain related configuration exists (e.g., "family
bridge", "vlan-bridge", "family evpn", etc.), in some cases the MS-MPC might crash
continuously, and traffic loss might occur as a result. PR1169508
•
When upgrading Junos OS software on RE1, if at the time, RE1 is the "master Routing
Engine", both Routing Engines will be in "backup" state, resulting in losing remote
connectivity, and all interfaces. Only "console" access will be available at this time.
PR1172729
•
When upgrading or rebooting the router, the following logs might be seen in Junos OS
Release 15.1F5. There is no impact and they can be ignored. This is because agentd
tries to read the forwarding class entries too early at system boot time, when they are
not yet created. This has been fixed.
<..>
FILE SYSTEM CLEAN; SKIPPING CHECKS
clean, 9762157 free (813 frags, 1220168 blocks, 0.0% fragmentation)
tunefs: soft updates remains unchanged as disabled
chown: wheel: Invalid argument
Creating initial configuration...agent for all the telemetry sensors: COSD_CONF_OPEN_FAILURE: Unable to open: /var/etc/cosd.conf, using default CoS forwarding classes, do 'commit full' in cli to avoid this message
agent for all the telemetry sensors: COSD_CONF_OPEN_FAILURE: Unable to open: /var/etc/cosd.conf, using default CoS forwarding classes, do 'commit full' in CLI to avoid this message
mgd: commit complete.
PR1173137
•
In a Virtual Tunnel (vt) environment with forwarding-class, when the customer uses an
AE interface to terminate subscribers on the box and the AE interface has members
on two different FPCs, the mirrored traffic does not go to the correct forwarding class
as expected, due to a software defect. The issue is also seen when the terminated
subscribers and the vt tunnel hosted interface are on two different FPCs (non-AE case).
PR1174257
•
The statistics of dropped packets only indicates the number of packets dropped by
policer. The packets indicate only the number of packets forwarded and does not
include dropped packets. PR1177353
•
MTU discovery may not work due to a lack of VRF info on the egress card for BBE
subscriber traffic. PR1177381
•
CGNAT-NAT64: A few port leaks are observed for the EIM/EIF IPv4 traffic (2M sessions)
from the public side. PR1177679
•
destination-prefix-list support is added for NAT rules with twice-napt-44 translation.
Customers can define a prefix list and match it in the NAT rule while using
twice-napt-44. PR1177732
•
Under excessive SIB yanking, the interface might become wedged, causing a permanent
drop. The workaround is to restart the related FPC. PR1177753
•
A micro BFD session sourced from an interface's L3 address works even when the
interface is not assigned the related UBFD address. PR1180109
•
With point-to-point interfaces and unnumbered interfaces, an rpd crash might be seen
in corner cases on configuration changes. This PR provides a potential fix to avoid
the crash. PR1181332
•
Ping fail in lt interface ip after Load baseline configuration & Rollback to mvng. PR1181517
•
Fragmented ALG control traffic is not supported on the MS-MPC. PR1182910
•
With NAT translation-type napt-44, a few sessions get stuck after the service-set or
the corresponding applications are deactivated/activated a few times with traffic
running. The same symptom is seen when deactivating/activating the service-set with
traffic running and with the 'deterministic-napt44' translation type as well. PR1183193
•
CGNAT pool stats for "Available address" are shown incorrectly for the destination pool.
Available address is shown as zero even though destination NAT IPs are available. PR1183538
•
DA MAC filter is missing on Child link of AE after FPC restart. PR1184310
•
With BGP add-path and consistent-hash enabled, when a BGP learnt route prefix with
multiple paths (next-hop) is installed in the forwarding-table, all the next-hops should
be reachable/resolvable at the time of installing the route in the forwarding-table.
However, there might be a chance that any of the next-hops are not resolvable at that
time, which will lead to incorrect Packet Forwarding Engine route programming. In this
case, traffic forwarded to this prefix will be affected. PR1184504
•
When an IPv4 firewall filter has 2625/32 destination in the prefix-list, the filter
attached to the subscriber interface is found broken. PR1184543
•
Syslog error "rt_nh_topo_handler: Rcvd NH delete before RT delete" might be seen for
some IPv6 configurations which can be ignored. This does not cause any traffic loss
or other undesirable behaviors. PR1184561
•
Starting with Junos OS Release 15.1F5, the splitting of destination NAT pools across
AMS members will be prevented. Currently with AMS interfaces, dnat44 pools do not
get split. However, all twice-NAT destination pools are split. This is not needed and
this change makes it so (source pools are split or/and hashing is based on source so
there is never any chance of conflict). PR1184749
•
Continuous reporting of the following messages might be noticed sometimes while
bringing up all IFD/IFL/IFF states at once.
Apr 1 11:16:05 mx2020-1 dot1xd[16641]: %-: task_receive_packet_internal: knl Ifstate packet from zero-len socket 8 truncated
Apr 1 11:16:05 mx2020-1 dot1xd[16641]: %-: Free allocated bufp:(a433004) buflen:(16384)task_receive_packet_internal: knl Ifstate packet from zero-len socket 8 truncated
Apr 1 11:16:05 mx2020-1 dot1xd[16641]: %-: task_receive_packet_internal: knl Ifstate packet from zero-len socket 8 truncated
Apr 1 11:16:05 mx2020-1 dot1xd[16641]: %-: task_receive_packet_internal: knl Ifstate packet from zero-len socket 8 truncated
Apr 1 11:16:05 mx2020-1 dot1xd[16641]: %-: Free allocated bufp:(a433004) buflen:(16384)task_receive_packet_internal: knl Ifstate packet from zero-len socket 8 truncated
Apr 1 11:16:05 mx2020-1 dot1xd[16641]: %-: task_receive_packet_internal: knl Ifstate packet from zero-len socket 8 truncated
During syncing of ifstate, dot1xd tries to read all the ifd/ifl/iff state at once. In a
scaled scenario the size of this information will be very high. It may exceed the
daemon rlimit / memory availability. PR1184948
•
In an IPv6 environment, if a link-local neighbor entry is added on a subscriber
interface, a new lo0 address is then added, and the neighbor entry and the subscriber
interface are then deleted, the next-hop information is not cleaned up properly due to
a software defect, and the rpd process might crash. The routing protocols are impacted
and traffic disruption will be seen due to loss of routing information. PR1185482
•
When ams-interface is configured in warm-standby mode without adding any members,
configuration commit will lead to rdd core. PR1185702
•
ksyncd crash might be seen with GRES due to kernel replication error. PR1186317
•
ICMP pings destined to VRRP VIP address beyond 166 bytes are dropped as "my-mac
check failed" on MPC7E/8E/9E. PR1186537
•
MPC-7/8/9 : Business Edge: Getting syslog messages "trinity_insert_ifl_channel:6449
ifl 495 chan_index 495 NOENT" and "jnh_ifl_topo_handler_pfe(11591): ifl=495 err=1
updating channel table nexthop". PR1186645
•
Junos OS might improperly bind Packet Forwarding Engine ukernel application sockets
after unified ISSU due to a bug in IP->TNP fallback logic. Because of that bug, threads
running on the ukernel that rely on UDP sockets can experience connectivity issues
with the host, which in turn can lead to various problems. For instance, SNTP (simple
network time protocol) client might fail to synchronize time, which in turn might lead
to other problems such as failure in adjacency formation for HMAC authenticated
protocols. PR1188087
•
By default SNMP will cache SNMP values for 5 seconds. Sometimes kernel will cache
these values for longer duration. This PR will correct the caching behavior. PR1188116
•
A bug got introduced in Junos OS releases 15.1R4 and 15.1F6 due to which MS-MIC may
crash if dynamic routing protocols are configured over IPSec with MS-MIC. This crash
is limited to Junos OS releases 15.1R4 or 15.1F6 only. PR1188275
•
The command "request system reboot both-routing-engines local" on VC-Mm reboots
only one Routing Engine on an MX-VC. With this fix, it reboots both Routing Engines
of the local chassis. In addition, this fix removes the "set virtual-chassis member <n>
role line-card" configuration option on an MX-VC, because this option is not supported
on MX-VC as designed. PR1188383
•
On MX Series routers, a vulnerability in IPv6 processing has been discovered that may
allow a specially crafted IPv6 Neighbor Discovery (ND) packet to be accepted by the
router rather than discarded. The crafted packet, destined to the router, will then be
processed by the Routing Engine. A malicious network-based packet flood, sourced
from beyond the local broadcast domain, can cause the Routing Engine CPU to spike,
or cause the DDoS protection ARP protocol group policer to engage. When this happens,
the DDoS policer may start dropping legitimate IPv6 neighbors as legitimate ND times
out. Refer to JSA10749 for more information. PR1188939
•
On MX Series platforms, while using routing-instance for EVPN, and trace options is
configured under global "protocols evpn", configuration of "vtep-source-interface"
under global "switch-options" would be rejected. PR1189235
•
Ingress queuing configuration on MPC2ENG is leading to host loopback wedge due to
some bug in the code specific to MPC2ENG; there is a mis-programming in the Junos
OS code for the lookup chip for this type of card. PR1189800
•
SSH keys are not preserved across upgrade. PR1190852
•
In rare cases, a logical IRB interface (irb.x) might refer to a wrong MAC address when
sending a unicast IPv6 neighbor solicitation (NS) (a packet type of the IPv6 Neighbor
Discovery Protocol) to verify the reachability of a neighbor. NS messages with a
wrong source MAC address result in the neighbor discarding the packet, and the IPv6
neighborship goes to an unreachable state. Note:
- Neighbor Solicitations are multicast when the node (host or router) needs to resolve
an address and unicast when the node seeks to verify the reachability of a neighbor.
- For the first release of IRB supported product, please refer to this.
PR1191086
•
When LFM session is configured with timeout of 300 ms or less, it might flap during
another MPC's offline sequence. PR1191546
•
If a message received from LLDP neighbor contains "Port Id" TLV which has "Interface
alias" subtype and is longer than 34 bytes, subsequent running of "show lldp neighbors"
might lead to l2cpd crash. PR1192871
•
From Junos OS Release 15.1F5 or 16.1R1 and later, when the forwarding-table export
policy is configured with install next-hop, route resolution might be incorrect when the
forwarding next-hop of the dependent route changes. This might cause an incorrect LSP
or even an incorrect entropy label to be installed for forwarding, which results in
packet loss. PR1193731
•
During the unified ISSU from Junos OS Release 15.1 (or previous release) to Junos OS
Release 16.1R1 on TX platforms, Packet Forwarding Engines will get rebooted. This
might cause traffic loss during unified ISSU. PR1194032
•
In port mirroring, IPv4 inbound traffic may not get mirrored to the 10G analyzer
interface on certain interface types. PR1194139
•
PTP support on MPC2E-NG and MPC3E-NG is not working in Junos OS Release 16.1R1.
The issue arose because an incorrect branch sync removed the support checks for these
MPCs. There is no workaround for this. PR1194734
•
Two issues are addressed in this PR: (1) In some situations, the backup Routing Engine
may not be able to setup the subscriber correctly when a multicast service is activated
for a subscriber. The core in backup will be seen when this subscriber logs out and the
system reuses a kernel resource for some other future multicast service. (2) When
variables are used in a service profile for the igmp/mld stanza, the variable values sent
from the AAA server are not applied correctly for the IGMP/MLD service other than the
first subscriber. PR1195504
•
In TX Matrix, if there are any FPC Type 4-ES line cards, which are unsupported for TX,
the system will go to the db prompt. PR1196484
•
Distributed BFD session using inline-redirection on MX-VC might not work if the ANCHOR
Packet Forwarding Engine is not within the same chassis member as the interface
where the BFD packet is received from peer device. PR1197634
•
L2VPN or L2Circuit services along with lengthy interface descriptions might lead to a
memory leak in a variable-sized malloc block, which in turn results in an RPD crash due
to "out of memory". PR1198165
•
Problem:
The following continuous error messages are generated during 2X100GE CFP2 OTN MIC
online on MX2K. This error message means PCI control signal communication failure
between the Packet Forwarding Engine on MPC6E and the PMC Sierra OTN framer (pm544x)
on MIC 2X100GE CFP2 OTN.
*** messages ***
Jul 25 17:39:04.807 2016 MX2K : %PFE-3: fpc0 cmic_pm544x_hires_periodic: error getting counters
Jul 25 17:39:04.893 2016 MX2K : %PFE-3: fpc0 Failed in function pm544x_manage_link:2616
Jul 25 17:39:05.267 2016 MX2K : %PFE-3: fpc0 Failed in function pm544x_link_status:2449
Jul 25 17:39:05.267 2016 MX2K : %PFE-3: fpc0 cmic_pm544x_hires_periodic: error getting counters
Jul 25 17:39:05.267 2016 MX2K : %PFE-3: fpc0 Failed in function pm544x_manage_link:2616
Jul 25 17:39:05.267 2016 MX2K : %PFE-3: fpc0 Failed in function pm544x_link_status:2449
Jul 25 17:39:05.321 2016 MX2K : %PFE-3: fpc0 cmic_pm544x_hires_periodic: error getting counters
Jul 25 17:39:05.408 2016 MX2K : %PFE-3: fpc0 Failed in function pm544x_manage_link:2616
Jul 25 17:39:05.486 2016 MX2K : %PFE-3: fpc0 Failed in function pm544x_link_status:2449
Root cause:
The bug was in converting the 32-bit PCI shared address to a 64-bit address. When the
MSB of the 32-bit address was set, the conversion was buggy because it typecast the
address to signed long int, which resulted in extending the sign bit into the first 32
bits of the converted 64-bit address. The first 32 bits of the converted address are
expected to be zero, as our memory is only 32-bit addressable.
Problem appearance on customer deployments:
1. The issue is seen only when there is a large number of next hops in the Packet
Forwarding Engine due to the Packet Forwarding Engine anchor feature before the MIC is
brought online.
2. If the MIC came online without hitting this issue, there is no chance of hitting it
later, because the bug was in the PCI shared memory allocation, which happens only
during MIC online.
3. This issue started showing after the Packet Forwarding Engine anchoring feature,
which delayed the MIC online until the next hops are synced to the Packet Forwarding
Engine. As a result, the MIC comes online very late and the shared memory allocation
comes from the higher RAM addresses, which the PMC vendor code porting layer fails to
handle.
After the fix from this PR, this issue should not be hit. PR1198295
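The sign-extension root cause described in PR1198295 can be reproduced in a few lines of C. This is an added example, not Juniper or PMC vendor code: the function names and the sample addresses are constructed for illustration, and int32_t stands in for "signed long int" on a 32-bit target so the result is the same on a 64-bit build host.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t (*widen_fn)(uint32_t);

/* Buggy widening: the 32-bit address passes through a signed 32-bit type
 * before being widened, so bit 31 is copied into bits 32..63. */
uint64_t widen_buggy(uint32_t addr32)
{
    int32_t as_signed = (int32_t)addr32;  /* negative when the MSB is set */
    return (uint64_t)(int64_t)as_signed;  /* sign extension happens here */
}

/* Fixed widening: stay unsigned, so the upper 32 bits are zero-filled. */
uint64_t widen_fixed(uint32_t addr32)
{
    return (uint64_t)addr32;
}

/* Check a porting layer can apply before handing an address to hardware:
 * on a 32-bit addressable system the upper 32 bits must be zero. */
int is_32bit_addressable(uint64_t addr64)
{
    return (addr64 >> 32) == 0;
}

/* Count the addresses that a widening function maps outside the 32-bit space. */
size_t count_unaddressable(const uint32_t *addrs, size_t n, widen_fn widen)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++) {
        if (!is_32bit_addressable(widen(addrs[i])))
            bad++;
    }
    return bad;
}

/* Constructed sample: allocations made early land low in RAM, allocations
 * made late (the delayed MIC online case) land at or above 0x80000000. */
const uint32_t SAMPLE_ADDRS[] = {
    0x00100000u, 0x1F400000u, 0x7FFFFFFFu,  /* MSB clear: both versions agree */
    0x80000000u, 0x9F400000u, 0xFFFFF000u   /* MSB set: buggy version corrupts */
};
#define SAMPLE_COUNT (sizeof SAMPLE_ADDRS / sizeof SAMPLE_ADDRS[0])

int main(void)
{
    printf("%-12s %-20s %-20s\n", "32-bit", "buggy 64-bit", "fixed 64-bit");
    for (size_t i = 0; i < SAMPLE_COUNT; i++) {
        printf("0x%08" PRIX32 "   0x%016" PRIX64 "   0x%016" PRIX64 "\n",
               SAMPLE_ADDRS[i],
               widen_buggy(SAMPLE_ADDRS[i]),
               widen_fixed(SAMPLE_ADDRS[i]));
    }
    printf("unaddressable: buggy=%zu fixed=%zu\n",
           count_unaddressable(SAMPLE_ADDRS, SAMPLE_COUNT, widen_buggy),
           count_unaddressable(SAMPLE_ADDRS, SAMPLE_COUNT, widen_fixed));
    return 0;
}
```

The low addresses behave identically in both versions, which matches the note that a MIC brought online early never hits the problem.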
•
GUMEM errors for the same address may continually be logged if a parity error occurs
in a locked location in GUMEM. These messages should not be impacting. The Parity
error in the locked location can be cleared by rebooting the FPC. PR1200503
•
When ppm deviation exceeds 10 ppm, do not display off-frequency if the clock source
is still being locked. Display as 'in-use#' instead. This indicates that it is still locked to
the source, although the clock has considerably large ppm deviation. PR1202327
•
PPE traps may occur when enabling Lawful Intercept on Subscriber interfaces.
PR1204804
High Availability (HA) and Resiliency
•
In a PPP environment with access-internal and multiple routing instances, after the
rpd process is restarted, the access-internal route might disappear. PR1174171
Infrastructure
•
With Junos OS Release 13.3 using Ericsson/Juniper EPG platforms, some session PIC
C-PIC cards might experience kernel vmcores, followed by reboot (failover to spare
C-PICs) due to soft-update BSD enabled in some partitions of the Routing Engine.
PR1174607
•
The statistics info of em0 is 0 when checking by SNMP or CLI show command.
PR1188103
Interfaces and Chassis
•
In a VPLS scenario the flood NH for the default mesh group might not be programmed
properly. A complete black-holing for the VPLS instance would be seen as a
consequence. PR1166960
•
In previous releases, only IEEE classification is supported for CFM OAM packets. With
this fix, an 802.1AD-based filter is supported for CFM OAM packets. When linktrace and
loopback requests are received on MX Series, the 802.1p bits are used to determine the
forwarding class and queue for the response or for the linktrace request forwarded to
the next router. This causes these PDUs to be put in the wrong queue when
input-vlan-map pop is present, because the received PDU does not carry 802.1p bits.
With this fix, the incoming forwarding class is used to determine the 802.1p priority
and the outgoing forwarding class and queue for newly generated responses or linktrace
requests. PR1175951
•
On a dual Routing Engine system, if the master Routing Engine is running Junos OS
Releases 13.3R9/14.1R7/14.2R5/15.1R3/15.2IB or later and the backup Routing Engine is
running a Junos OS Release prior to 13.3R9/14.1R7/14.2R5/15.1R3/15.2IB, a major alarm
is raised. This is cosmetic and can be safely ignored. Please upgrade the backup Routing
Engine to the same release as the master Routing Engine to avoid the issue.
[email protected]> show system alarms
2 alarms currently active
Alarm time Class Description
2016-xx-xx xx:xx:xx UTC Major PEM 1 Not OK
2016-yy-yy yy:yy:yy UTC Major Host 1 failed to mount /var off HDD, emergency /var created <<<<<
PR1177571
•
CFM enhanced-iterator functionality will be affected with scale if "deactivate protocol
oam" is done with working configurations. The workaround is to do the following steps
in the given order:
1. "deactivate protocols oam ethernet connectivity-fault-management
performance-monitoring enhanced-sla-iterator"
2. "deactivate protocol oam"
When the commits are done in the above order, the problem will not be seen. PR1185842
•
When there is a configuration change to OAM CFM, a cfmd memory leak is observed,
which sometimes might also trigger a cfmd crash. The following messages are
observed: /kernel: Process (44128,cfmd) has exceeded 85% of RLIMIT_DATA: used
378212 KB Max 393216 KB. PR1186694
•
The jpppd might crash with a core dump due to memory heap violation associated
with processing MLPPP requests. PR1187558
•
If "filter" configuration statement is present in PPPoE traceoptions configuration, the
resulting log file will contain only part of messages about establishment of the
interesting PPPoE session, but will contain information related to other sessions
established at the moment. PR1187845
•
In OAM CFM (connectivity-fault-management) scenario on AE interfaces with
maintenance-domain level (for example: 3) configuration, when sending OAM CFM
LBM messages with level which is smaller than configured level to ingress interface of
VPWS with QinQ encapsulation, they are not dropped by ingress PE. PR1191818
•
FPC might crash if the packet passed by PFEMAN to PPMAN has incorrect length.
PR1195703
•
MAC addresses are incorrectly assigned to interfaces by the MX-VC SCC (global)
chassisd daemon, leading to duplicate addresses for adjacent FPCs. PR1202022
Layer 2 Features
•
The command "set chassis aggregated-devices ethernet lacp system-priority 1" is not
getting applied to the ae0. This global system-priority value should be applied to all
AE interfaces. This issue might affect determining which links between LACP partner
devices are active and which are in standby for each LACP group. PR1185447
•
In DHCP environment, if the interface is deleted and recreated in single commit, the
duplicate DHCP subscriber is not getting bound. PR1188026
•
A new static MAC is configured under AE interface, but the MAC of the LACP PDUs
sent out is not changed. PR1204895
MPLS
•
When OSPF LFA is enabled and there is available backup path, after clearing the LDP
session to the primary path or backup path, in a very rare condition, the LDP session
on this router might flap multiple times. PR1119700
•
Because Junos OS Release 15.1 enables the rpcbind process in FreeBSD by default, port
646 might be grabbed by rpcbind on startup, which causes LDP sessions to fail to come
up. PR1167786
•
An RSVP-signaled P2MP LSP with at least one sub-LSP in a down state might
not get re-optimized in the event of a transit core link going down. If there are no
sub-LSPs in a down state at the time of re-optimization, then this issue won't be seen.
This can cause traffic drops over the traffic-carrying sub-LSPs that are unable
to get re-optimized. PR1174679
•
When RSVP LSPs are signaled with loose hops in their explicit path (or no explicit path
at all), then the new default RSVP refresh interval of 20 minutes may sometimes
interfere with reacting to route changes in the network. A Junos OS LSP ingress router
will signal loose hops when configured with an explicit path that contains loose hops
and when also configured with the "no-cspf" option for the LSP. PR1186210
•
From Junos OS Release 16.1R1 with LDP egress protection in stub-alias mode, traffic
loss occurs when the interface between the protector egress node and the primary
egress node goes down. PR1190983
•
Packets will be out-of-order if they are Routing Engine generated and go over
unilist/ECMP. PR1193697
•
Changing the configuration under both [ protocols pcep ] and [ protocols mpls
lsp-external-controller ] might trigger RPD to crash due to a race condition. PR1194068
•
When LDP is deactivated, there may still be route entries left in the LDP shadow routing
table. RPD will generate a core file due to stranded route entries in the LDP routing
table. PR1196405
•
If RSVP link-protection optimize-timer is enabled, RPD memory might leak in "TED
cross-connect" when a bypass LSP is being optimized. PR1198775
•
This behavior is seen with the "teardown" feature for MPLS-TP BFD. When a firewall
filter is set to drop MPLS-TP BFD packets, the LSP behaves unexpectedly: the LSP goes
down after "teardown" and does not come back "up" even if the firewall filter setting
is removed. This behavior is seen in the 16.1X70-D10 branch only. PR1199957
Network Management and Monitoring
•
When mib-process disconnects from SNMP master-agent, it was not cleaning up the
firewall-mib related data structures. This was causing crash of mib-process in the
async stats response handling path. PR1098782
•
Traps are sent as AgentX messages of type AGENTX_MSG_NOTIFY from the subagent to the
master agent. The subagent expects a response in the form of an acknowledgement from
snmpd after sending these AGENTX_MSG_NOTIFY messages upstream. If an ACK is
not received from snmpd within 1 second (the current timeout value), the subagent
resends the trap. After a router reboot or GRES, a lot of upstream communication is
triggered from the subagent to snmpd (traps/MIB registration messages); at such times
snmpd may not be able to send the downstream ACK within the 1-second period. This may
trigger the subagent to resend the trap, which is seen as a duplicate trap on the
NMS. As a fix, the timeout value has been increased from 1 second to 5 seconds in the
subagent. PR1164848
•
The PR fixes the output of the CLI command when snmp notify-filter is configured with
wildcard characters.
Example Configuration:
set snmp v3 notify-filter nf1 oid .1.*.6 include
set snmp v3 notify-filter nf1 oid 1.2.3.4.5 mask 1.0.0.1.1
set snmp v3 notify-filter nf1 oid 1.2.3.4.5 include
OLD OUTPUT:
[email protected]_re0> show snmp v3
Local engine ID: 80 00 0a 4c 01 80 dd 8f 78
Engine boots: 33
Engine time: 9 seconds
Max msg size: 65507 bytes
Engine ID: local
    User      Auth/Priv   Storage       Status
    abhinav   none/none   nonvolatile   active
Group name   Security   Security   Storage       Status
             model      name       type
myGroup      usm        abhinav    nonvolatile   active
Access control:
Group     Context   Security      Read   Write   Notify
          prefix    model/level   view   view    view
myGroup             usm/none      iso    iso     iso
SNMP Target:
Address       Address         Port   Parameters    Storage       Status
name                                 name          type
trapReceive   172.29.237.94   162    trapReceive   nonvolatile   active
Parameters       Security   Security      Notify   Storage       Status
name             name       model/level   filter   type
trapReceiversP   abhinav    usm/none      nf1      nonvolatile   active
SNMP Notify:
Notify   Tag             Type   Storage       Status
name                            type
n1       trapReceivers   trap   nonvolatile   active
Filter   Subtree     Filter    Storage       Status
name                 type      type
nf1      1.2.3.4.5   include   nonvolatile   active   <<<<< Issue
nf1      1.42.6      include   nonvolatile   active   <<<< Issue
NEW OUTPUT:
[email protected]_re0> show snmp v3
Local engine ID: 80 00 0a 4c 01 80 dd 8f 78
Engine boots: 32
Engine time: 2850 seconds
Max msg size: 65507 bytes
Engine ID: local
    User      Auth/Priv   Storage       Status
    abhinav   none/none   nonvolatile   active
Group name   Security   Security   Storage       Status
             model      name       type
myGroup      usm        abhinav    nonvolatile   active
Access control:
Group     Context   Security      Read   Write   Notify
          prefix    model/level   view   view    view
myGroup             usm/none      iso    iso     iso
SNMP Target:
Address       Address         Port   Parameters    Storage       Status
name                                 name          type
trapReceive   172.29.237.94   162    trapReceive   nonvolatile   active
Parameters       Security   Security      Notify   Storage       Status
name             name       model/level   filter   type
trapReceiversP   abhinav    usm/none      nf1      nonvolatile   active
SNMP Notify:
Notify   Tag             Type   Storage       Status
name                            type
n1       trapReceivers   trap   nonvolatile   active
Filter   Subtree     Filter    Storage       Status
name                 type      type
nf1      1.*.*.4.5   include   nonvolatile   active   <<< Fixed
nf1      1.*.6       include   nonvolatile   active   <<< Fixed
PR1185143
•
In some cases the output of a "show version detail" command may pause and take
over one minute to finish. Note that trying to abort with Ctrl-C does not shorten the
delay to regain the CLI prompt. PR1196129
Platform and Infrastructure
•
The GNU debugger, gdb, can be exploited in a way that may allow execution of arbitrary
unsigned binary applications. PR968335
•
In software versions that contain PR 1136360's code changes on MX-VC systems,
when J-Flow is not configured and equal-cost multipath (ECMP) load-balanced routes
occur, the linecards may stop forwarding packets after logging any of the errors below,
prior to a possible linecard restart or offline:
- PPE Thread Timeout Traps
- PPE Sync XTXN Err Trap
- Uninitialized EDMEM Read Error.
- LUCHIP FATAL ERROR pio_read_u64() failed
(A possible workaround is to configure J-Flow and restart all linecards.)
In software versions that do not contain the PR 1136360 solution, on MX Series
Virtual Chassis (MX-VC) with "virtual-chassis locality-bias" configured, when equal-cost
multipath (ECMP) load-balancing is occurring in the VC system, multicast streams
and flooded Layer 2 streams may be duplicated or lost. Disabling "virtual-chassis
locality-bias" from the configuration will eliminate the problem. PR1104096
•
The kernel might crash when deactivating or deleting a static route that is configured
to point to an unnumbered interface-name as qualified-next-hop. PR1118681
•
On MX Series with the MPC6E linecard, MPC6 has only 2 PICs (PIC number 0/1). If an si
interface is configured with a PIC number beyond this range (PIC number 2) on MPC6E,
the MPC6E might crash, and traffic forwarding might be affected. PR1160367
•
In a CoS environment with shaping-rate configured under an interface, if that CoS
interface flaps, the shaping-rate function does not take effect. As a workaround,
deactivate/activate the interfaces to avoid the issue. PR1163147
•
"show arp" command cannot get complete results and reports "error: could not find
interface entry for given index". PR1174150
•
On MX2020/2010, chassisd file rotation on commit check will cause the trace file to
be stuck and no other operational chassisd events will be logged until chassisd restart.
PR1177625
•
We have observed that on 32-bit images with a scaled configuration, route-table memory
usage is higher, leading to veto logic. We suggest using 64-bit images for scaled
configurations. PR1179029
•
When graceful Routing Engine switchover (GRES) is configured, ksyncd crashes
on the backup Routing Engine if a VPN static route has a network address as a next hop.
As a result, the backup Routing Engine is not ready for graceful switchover.
PR1179192
•
In an IPv6 sampling environment, if IPv6 routes flap frequently, in rare conditions, due
to a software defect, freeing a route node does not delete it from the radix node, so the
Packet Forwarding Engine might crash. This is a corner case and is hard to reproduce. PR1179776
•
If IGMP snooping is configured on the system and VPLS instances have no active physical
interfaces, multicast traffic arriving from the core might be sent to the Routing Engine.
Host queues become congested, which may cause protocol instability. PR1183382
•
This issue exists in Junos OS Release 16.1R1 release and no other previous release has
this issue. We have fixed this issue in Junos OS Release 16.1R2 and subsequent releases.
PR1187331
•
When the Access-Accept response from the RADIUS server contains the Class attribute, a
.class file is created. Normally the .class file is deleted in the success scenario after
the user logs in and reads the attributes. However, in error scenarios where the login fails,
or the login succeeds but fails to read the user attributes, the .class file is not deleted.
As a result, .class files remain in the /tmp folder. As multiple .class files accumulate in
the /tmp folder, the /tmp folder runs out of inodes. PR1187477
•
Over a period of time in the network, stale AS paths might be seen in the sampler
database of JNH memory. Because JNH memory is very limited and is used by all the
modules in the Packet Forwarding Engine, these stale AS paths waste JNH memory.
PR1189689
•
VPLS: FPC CPU goes high for several minutes when MAC/ARP entries are learnt via lsi
interfaces. The FPC CPU goes high during the learning phase, and the issue can be seen with
various triggers that result in MAC/ARP re-learning, e.g. mac flush, FPC reboot, or link flap
resulting in mac flush. For agent smith cards (MPC 3D 16x 10GE), the CPU may remain high
for up to 30 minutes on learning/re-learning of 10k arp/mac via irb lsi interfaces. The problem
is only seen if there are ARPs learnt in bulk over irb lsi interfaces. PR1192338
•
Insertion of an offlined MPC6E into the MX2K chassis can cause the FPC Temp sensor
to detect transient "WARM TEMP" condition, and the chassis FAN in the same zone
goes to high speed.
*** messages ***
Jul 12 18:10:17.698 MX2K-re0 chassisd[xxxx]: CHASSISD_SNMP_TRAP7: SNMP trap generated: FRU insertion (jnxFruContentsIndex 7, jnxFruL1Index 3, jnxFruL2Index 0, jnxFruL3Index 0, jnxFruName FPC: MPC6E 3D @ 2/*/*, jnxFruType 3, jnxFruSlot 2)
MX2K-re0> show chassis zones |refresh 2
---(refreshed at 2016-07-12 18:10:18 JST)---
ZONE 0 Status
  Driving FRU        FPC 2
  Temperature        63 degrees C / 145 degrees F
  Condition          WARM TEMP  <------------------------ Warm temp is detected
  Num Fans Missing   0
  Num Fans Failed    0
  Fan Duty Cycle     27
ZONE 1 Status
  Driving FRU        SFB 5 SFB-XF2-Zone1
  Temperature        59 degrees C / 138 degrees F
  Condition          OK
  Num Fans Missing   0
  Num Fans Failed    0
  Fan Duty Cycle     27
---(refreshed at 2016-07-12 18:10:20 JST)---
ZONE 0 Status
  Driving FRU        FPC 2
  Temperature        63 degrees C / 145 degrees F
  Condition          WARM TEMP  <------------------------ Warm temp is detected
  Num Fans Missing   0
  Num Fans Failed    0
  Fan Duty Cycle     27
ZONE 1 Status
  Driving FRU        SFB 5 SFB-XF2-Zone1
  Temperature        59 degrees C / 138 degrees F
  Condition          OK
  Num Fans Missing   0
  Num Fans Failed    0
  Fan Duty Cycle     27
---(refreshed at 2016-07-12 18:10:22 JST)---
ZONE 0 Status
  Driving FRU        FPC 2
  Temperature        63 degrees C / 145 degrees F
  Condition          OK
  Num Fans Missing   0
  Num Fans Failed    0
  Fan Duty Cycle     27
ZONE 1 Status
  Driving FRU        SFB 5 SFB-XF2-Zone1
  Temperature        59 degrees C / 138 degrees F
  Condition          OK
  Num Fans Missing   0
  Num Fans Failed    0
  Fan Duty Cycle     27
Jul 12 18:10:27.489 MX2K-re0 chassisd[xxxx]: Fan Tray 0: zone 0 fan_speed current 27% target 50% raising ratio 0.80 (linear) FPC 2 temp 72 last 72 WTC 55 WT 60 high limit 75 i2c_ratio 0.80
Jul 12 18:10:27.490 MX2K-re0 chassisd[xxxx]: Fan Tray 0: set fan_speed to 50% cfg_speed 50% (linear)
Jul 12 18:10:27.492 MX2K-re0 chassisd[xxxx]: Fan Tray 1: zone 0 fan_speed current 27% target 50% raising ratio 0.80 (linear) FPC 2 temp 72 last 72 WTC 55 WT 60 high limit 75 i2c_ratio 0.80
Jul 12 18:10:27.492 MX2K-re0 chassisd[xxxx]: Fan Tray 1: set fan_speed to 50% cfg_speed 50% (linear)
Jul 12 18:10:47.517 MX2K-re0 chassisd[xxxx]: Fan Tray 0: zone 0 fan_speed current 50% target 27% falling ratio 0.00 (linear) SFB 2 SFB-XF0-Zone0 temp 63 last 63 WTC 70 WT 75 high limit 90 i2c_ratio -0.60
Jul 12 18:10:47.517 MX2K-re0 chassisd[xxxx]: Fan Tray 0: set fan_speed to 27% cfg_speed 27% (linear)
Jul 12 18:10:47.519 MX2K-re0 chassisd[xxxx]: Fan Tray 1: zone 0 fan_speed current 50% target 27% falling ratio 0.00 (linear) SFB 2 SFB-XF0-Zone0 temp 63 last 63 WTC 70 WT 75 high limit 90 i2c_ratio -0.60
Jul 12 18:10:47.520 MX2K-re0 chassisd[xxxx]: Fan Tray 1: set fan_speed to 27% cfg_speed 27% (linear)
PR1193273
•
A rare VMCORE can occur when the process limit is breached because too many
RSHD child processes are created. PR1193792
•
When a Netconf '<get route information>' RPC is executed for all routes via an ssh
transport session and the session is terminated before all the route information is
retrieved, the MGD process and RPD daemon will cause high CPU utilization for an
extended period of time. Examples of issues caused by this high CPU utilization for an
extended period are as follows:
- BGP neighbors' holddown timers expire and the neighbors become ACTIVE
- OSPF adjacencies reset during database exchange
- OSPF LSA retransmission events on neighboring nodes due to missing ACKs
- LDP sessions time out
- Non-distributed BFD sessions being reset due to missing keepalives
PR1203612
•
From Junos OS Release 15.1F2/14.2R4, validating configuration fails if commit scripts
are used during software upgrade. PR1204881
Routing Protocols
•
When a BGP speaker has multiple peers configured in a BGP group, and it receives
a route from one peer and re-advertises the route to another peer within the same group,
the MIB object "jnxBgpM2PrefixOutPrefixes" for the peers in the same group reports the
total number of advertised prefixes in the group. The MIB value "jnxBgpM2PrefixOutPrefixes"
is defined on a per-peer basis, but it behaves as if it were on a per-group basis. As a
workaround, get the number of advertised prefixes from the CLI command "show bgp neighbor"
instead. PR1116382
•
On Junos-based products, changes in a routing-instance, such as changing the
route-distinguisher or routing-option settings, might in some corner cases lead to an rpd
crash. As a workaround, always deactivate the part of the routing-instance that is to be
changed before committing the changes. PR1134511
•
When a BGP peer has a hold time of zero configured, the peer will not reach
establishment. PR1138690
•
With SRLG (Shared Risk Link Group) enabled, under corner conditions, after executing
the command "clear isis database", the rpd might crash because the IS-IS database tree
gets corrupted. PR1152940
•
Symptoms: With NSR enabled, rpd may core on the standby Routing Engine when
operations like RD modify or RD delete/RD operations are done (not always observed).
Impact: There is no impact on traffic or other functionality. The core occurs only once
on the standby Routing Engine. The standby Routing Engine recovers completely, with all
replication done fully post core. PR1162665
•
After Routing Engine switchover, a race condition could result in a RIB not registering
for route flash. As a result, there may be stale entries seen when routes are withdrawn.
This is a rare race condition. PR1170572
•
When a route is received from different eBGP neighbors and all BGP selection criteria
match for this specific route, path selection ends up using the router ID. Because this is
an eBGP route, BGP uses the active route as the preferred one. If this specific route then
flaps in sequence from the non-preferred to the preferred path, RPD runs path
selection. During RPD path selection, a core file might be generated. This issue has no
operational impact, and a workaround is available to avoid this issue. PR1180307
•
Please refer to the following topology. When the opposite router's interface "A" is
brought down by "disable/deactivate/delete" configuration, BFD timeout detection might be
delayed for a long time.
Topology
             +-----+
             | DUT |     OSPF
             |     |-------------+
             +-----+             |
      A         |                |
      |         |                |
      |         |            +------+
  OSPF(p2p)     |            |  R2  |
     bfd        |            |      |
      |         |            +------+
      |         |                |
      V intf A  |                |
             +-----+             |
             | R1  |-------------+
             |     |     OSPF
             +-----+
PR1183353
•
Any configuration change can cause deletion of a firewall filter created for a routing
instance if the flowspec routes in that instance are imported using rib-group, and there
is no "inet-vpn flow" address family configured and the routing instance does not have
any BGP group configured with "inet flow" address family. PR1185954
•
In an RSVP LSP scenario with IS-IS configured, a memory leak might happen in rpd
and the Packet Forwarding Engine after LSP re-optimization, and this might cause an FPC
crash. PR1187395
•
The rpd might crash when printing the socket address of type inet6 flow address family
while the buffer is not sufficient to print decimal number. PR1188502
•
A route which has an IPv6 next hop which is resolved recursively over other routes may
fail to resolve successfully. This problem could happen because the route resolver may
incorrectly use the IPv4 family resolution tree to resolve the next hop rather than the
correct IPv6 resolution tree. As a result no route covering the IPv6 next hop address
can be located so the route with the IPv6 next hop remains unresolved and unusable.
PR1192591
•
The rpd might crash while receiving BGP IPv6 flow routes with prefix-offset and adding
them for validation. PR1192875
•
On executing "show task replication" command, IS-IS could be shown as "Complete"
if IS-IS is not configured on the device. If IS-IS is configured, the replication will be
shown correctly (NotStarted/InProgress/Complete). No other functionality is impacted.
PR1199596
•
Here are the results when L1 is disabled for Lo0:
{master}[edit]
user@host# run show isis interface
IS-IS interface database:
Interface   L CirID Level 1 DR   Level 2 DR   L1/L2 Metric
lo0.0       3   0x1 Disabled     Passive      0/0
Here are the results when L2 is disabled for Lo0:
{master}
user@host> show isis interface
IS-IS interface database:
Interface   L CirID Level 1 DR   Level 2 DR   L1/L2 Metric
lo0.0       3   0x1 Passive      Disabled     0/0
PR1202216
•
With nonstop-routing enabled, all running protocols are replicated; this includes PIM
and NG-MVPN. If NSR is disabled only under PIM with "set protocol pim nonstop-routing
disabled", this removes both PIM and NG-MVPN from the replicated list. Adding PIM
NSR again with "delete protocol pim nonstop-routing disabled" does not work as expected,
and PIM is not added. PR1203943
Services Applications
•
On MX Series platforms, when using MS-MPC, the "idpd_err.date" error message is
filling var/log. Please refer to KB30743 for details. PR1151945
•
During a "commit synchronize" operation, when the commit is executed on the backup Routing
Engine, the system idles for 10 seconds after the following operation (can be observed
with "commit synchronize | display detail"):
2016-07-07 10:30:04 CEST: Spawning IPSec Key Management daemon to check new configuration
This slows down the whole commit process by exactly 10 seconds. The issue can only be seen
when IPSec is configured and, therefore, the IPSec Key Management daemon (kmd) is running
(needed by configuration). PR1185504
•
When using MS-DPC under heavy load (e.g., with about 7m flows) in a deterministic NAT
and port block allocation (PBA) scenario, in rare conditions an MS-DPC
crash may occur due to a memory issue. PR1186391
•
Attempting to ping a subscriber address from the L2TP LNS CLI will fail. PR1187449
•
When using NAT on the MX Series, the FTP ALG fails to translate the PORT command
when the FTP client using Active Mode requests AUTH(SSL-TLS) and the FTP server
does not use AUTH. PR1194510
•
When MS-PIC is running on T640/T1600/T4000, the maximum number of service
sets is wrongly limited to 4000, instead of 12000. This might have an impact in a scaled
service (ipsec, etc) environment. PR1195088
•
After upgrading M Series router (LNS) to 15.1R4.6, it was observed that L2TP sessions
are not coming up due to PPP CHAP authentication failure. L2TP control messages
are sent/received and tunnel id is obtained. PPP LCP is also successful. During PPP
CHAP phase, only Challenge and Response messages are present and then L2TP CDN
is initiated. PR1201733
•
NAT service route is available in route table even after disabling Service Interface.
PR1203147
Subscriber Access Management
•
In a DHCP relay scenario, a DHCP relay binding might get stuck in the
"RELEASE(RELAY_STATE_WAIT_AUTH_REQ_RELEASE" state because the LOGOUT
Request is not processed correctly by the authentication manager process (authd) if there
were multiple attempts to activate Lawful Intercept (LI) for this DHCP subscriber using
RADIUS change of authorization (CoA) packets in quick succession. PR1179199
•
If the "test aaa ppp" command is aborted with Ctrl-C, then due to a software defect, when
the subscriber logs out, the system does not wait for the logout response and the subscriber
is immediately removed. Because of this, the dfwd daemon is not able to clear filters in time,
which results in stale entries. The stale information might affect subscriber login and logout.
PR1180352
•
authd core at /src/junos/bsd/gnu/include/c++/4.2.1/bits/stl_list.h PR1189020
•
When destination-override is used (user@host# set system tracing destination-override
syslog host <host ip>), the user access events are not sent to the external syslog server.
PR1192160
•
On MX Series platforms, when using RADIUS dynamic requests for subscriber access
management, if the device detects that a CoA-Request it received is the same as the
one currently being processed, the router wrongly sends a CoA-NAK packet with the
incorrect code 122 (invalid request) back to the RADIUS server before sending the CoA-ACK
packet in response to the original CoA-Request that was being processed. In this case
the router should ignore all RADIUS CoA-Request retries and respond only to the original
CoA-Request packet. PR1198691
•
The service-accounting name in the RADIUS accounting record is incorrect if the service
is activated by SRC. PR1206868
VPNs
•
After a GRES with NSR enabled, in NG-MVPN scenario, on the new backup Routing
Engine RPD is consuming more than 90% CPU. This issue happens rarely and it is not
reproducible. PR1189623
•
With MVPN and NSR enabled, high CPU on the backup Routing Engine might be seen.
MVPN on the backup Routing Engine re-queues c-mcast events for flows because it is unable
to find phantom routes from the master Routing Engine. However, because the routes do not
arrive from the master Routing Engine, the backup Routing Engine keeps trying, causing high
CPU triggered by RPD processing. PR1200867
Resolved Issues: 16.1R1
•
Forwarding and Sampling
•
General Routing
•
Interfaces and Chassis
•
MPLS
•
Platform and Infrastructure
•
Routing Protocols
Forwarding and Sampling
•
If bandwidth-percent based policer is applied on aggregated Ethernet (AE) bundle
without the "shared-bandwidth-policer" configuration statement, traffic will hit policer
even if the traffic is not exceeding the configured bandwidth. As a workaround, configure
the "shared-bandwidth-policer" configuration statement under the policer. PR1125071
•
The SRRD daemon does not delete routes when the DELETE is received from RPD in a few
configuration cases. This results in a build-up of memory in the SRRD daemon, and once
SRRD reaches the limit, it crashes and restarts itself. This happens only when none of
the SRRD clients (FPCs in the Inline J-Flow case and PICs in PIC-based sampling) are
interested in one or more families. For example, only the IPv4 family is configured in all
the clients, and the IPv6 and MPLS families are not configured for sampling in any of the
clients. PR1180158
General Routing
•
On MX Series routers with MPC3E, MPC4E, MPC5E, MPC6E, Junos OS does not support
short (sub-second) interface hold-time down configuration. A hidden configuration
statement is introduced to ignore the DFE tuning state during the hold-down timer period.
This configuration statement allows a sub-second hold-down timer on MPC3E, MPC4E,
MPC5E, MPC6E:
set interfaces <intf name> hold-time up <U ms> down <D ms> alternative
The configuration statement is not supported on 'MPC5E 3D Q
2CGE+4XGE' and 'MIC6 2X100GE CFP2 OTN', and we recommend configuring hold-time
down to be more than 3 seconds for these two cards. PR1012365
•
During initial ramp-up of an IPsec session, a race condition could crash mspmand in rare
circumstances. PR1116487
•
On MX Series routers containing multiple Packet Forwarding Engines such as
MX240/MX480/MX960/MX2010/MX2020, with MPC3E/MPC4E/MPC5E/MPC6E
cards, if the routers have GRE decap, then certain packet sizes coming via these line
cards, at very high rate can cause these line cards to exhibit a lockup, and one or more
of their Packet Forwarding Engines corrupt traffic toward the router fabric. PR1117665
•
On dual Routing Engine MX Series platforms, the "xe" interfaces of any of the line cards
below may flap during in-service software upgrade (ISSU) due to missing support. The
flapping may not happen every time, and the probability of occurrence increases
if more SFP+ (e.g., SFP+-10G-SR) are connected on the FPC. The affected
line cards are:
* MIC3-3D-10XGE-SFPP
* MPC4E-3D-32XGE-SFPP, MPC4E-3D-2CGE-8XGE
* MPC5E-40G10G, MPC5EQ-40G10G
* MX2K-MIC6-24XE, MX2K-MIC6-24XE-OTN.
PR1118379
•
On MX Series platforms, the MS-MPC crash might occur. The exact trigger of the issue
is unknown; normally, this issue might happen over long hours (e.g., within a week) of
traffic run (e.g., running HTTP/HTTPS/DNS/RTSP/TFP/FTP traffic profile). PR1124466
•
In an IGMP oversubscriber environment with the configuration statement
"remove-when-no-subscribers" configured, after performing graceful Routing Engine
switchover, subscribers with multicast joins cannot re-login when the subscriber logs
out before it sends an IGMP leave in the new master. PR1136646
•
With Junos OS Release 15.1 and later, on MS-MPC or MS-PIC, OSPF adjacency may
fail to establish when there is no static route pointing to service PIC. PR1164517
•
When upgrading Junos software on Routing Engine1, if Routing Engine1 is the
"master Routing Engine" at that time, both Routing Engines will be in "backup" state,
resulting in loss of remote connectivity and of all interfaces. Only "console" access will
be available at this time. PR1172729
•
ICMP pings destined to VRRP VIP address beyond 166 bytes are dropped as "my-mac
check failed" on MPC7E/8E/9E. PR1186537
•
On MX Series router, while using routing-instance for EVPN, and traceoptions is
configured under global "protocols evpn", configuration of "vtep-source-interface"
under global "switch-options" would be rejected. PR1189235
Interfaces and Chassis
•
The CHAP local-name defaults to 8 characters. It should be 32. PR996760
MPLS
•
When OSPF LFA is enabled and there is an available backup path, after clearing the
LDP session to the primary path or backup path, in a very rare condition, the LDP session
on this router might flap multiple times. PR1119700
Platform and Infrastructure
•
When a common scheduler is shared by multiple scheduler maps that apply to
different VLANs of an aggregated Ethernet (AE) interface, if the configuration statement
"member-link-scheduler" is configured at "scale", for some VLANs, the scheduler
parameters are wrongly scaled among AE member links. As a workaround,
explicitly configure different schedulers under the scheduler maps. PR1107013
•
We have observed that on 32-bit images with a scaled configuration, route-table memory
usage is higher, leading to veto logic. We suggest using 64-bit images for scaled
configurations. PR1179029
Routing Protocols
•
In an RSVP LSP scenario with IS-IS configured, a memory leak might happen in rpd
and the Packet Forwarding Engine after LSP re-optimization, and this might cause an FPC
crash. PR1187395
•
During the testing of 16.1B1, a customer found rpd coring during BGP flow route updates.
This PR has now been fixed in the June 15th build of 16.1 and also in 16.1R1. PR1188502
•
During 16.1B1 testing, a customer reported that they experience an rpd core while
receiving certain combinations of BGP flow routes. This issue is fixed in 16.1R1.
PR1192875
Related Documentation
•
New and Changed Features
•
Changes in Behavior and Syntax
•
Known Behavior
•
Known Issues
•
Documentation Updates
•
Migration, Upgrade, and Downgrade Instructions
•
Product Compatibility
Documentation Updates
This section lists the errata and changes in Junos OS Release 16.1R4 documentation for
MX Series and T Series.
•
Advanced Subscriber Management Provision Guide
•
L2 VPNS Feature Guide
•
Monitoring, Sampling Collection Services Interface Feature Guide
•
Tunnel Encryption Services Interfaces Feature Guide
•
Software Installation and Upgrade Guide
•
Security Services Administration Guide
•
SNMP MIBS and traps reference
•
Subscriber Management Access Network Guide
•
Syslog Reference Guide
•
Standards Reference
•
Subscriber Management Provisioning Guide
Advanced Subscriber Management Provision Guide
•
The “Example: Configuring HTTP Redirect Services on the Routing Engine” topic shows
an incorrectly formatted redirect URL, http://www.example.com?=%dest-url%. The
correct format is http://www.example.com/url=%dest-url%.
L2 VPNS Feature Guide
•
The control-word (EVPN) topic was erroneously included in this guide in the Junos OS
16.1R1 release. The control-word statement is not supported for EVPN. The topic and
references to it have been removed from the documentation.
Monitoring, Sampling Collection Services Interface Feature Guide
•
The topics “Real-Time Performance Monitoring Services Overview” and “Configuring
RPM Probes” failed to state that RPM is not supported on logical systems.
•
The following topics should state that the test-interval statement at the [edit services
rpm probe owner test test-name] hierarchy level has a range from 0 through 86400
seconds, and that a value of 0 seconds causes the RPM test to stop after one iteration:
•
“Configuring RPM Probes”
•
“test-interval”
•
“Configuring BGP Neighbor Discovery Through RPM”
Tunnel Encryption Services Interfaces Feature Guide
•
The topic “Configuring Tunnel Interfaces on MX Series Routers” incorrectly states that
bandwidth rates of 20 gigabits per second and 40 gigabits per second require use of
a 100-Gigabit Ethernet Modular Port Concentrator and 100-Gigabit CFP MIC. The
MPC4E, MPC5E, and MPC6E also support 20 and 40 gigabits per second.
Software Installation and Upgrade Guide
•
Licensing enhancements—Starting with Junos OS Release 15.1, licensing enhancements
on switches and routers enable you to configure and delete license keys in a Junos OS
CLI configuration file. The license keys are validated and installed after a successful
commit of the configuration file. If a license key is invalid, the commit fails and issues
an error message. You can configure individual license keys or multiple license keys by
issuing Junos OS CLI commands or by loading the license key configuration contained
in a file. All installed license keys are stored in the /config/license/ directory. For
document updates, see the following topics:
•
license
•
Adding New Licenses (CLI Procedure)
•
Deleting a License (CLI Procedure)
Security Services Administration Guide
•
The “Distributed Denial-of-Service (DDoS) Protection Overview” topic has been updated
to describe the built-in login overload protection mechanism that is available on MX
Series routers.
The login overload protection mechanism (also called a load-throttling mechanism)
monitors the incoming subscriber login packets and admits only what the system is
capable of handling in accordance with the prevailing load on the system. Packets in
excess of what the system can handle are discarded. By shedding this excess load, the
system is able to maintain optimal performance and prevent any degradation of
login-completion rate under overload conditions. This mechanism uses minimal
resources and is enabled by default; no user configuration is required.
The protection provided by this mechanism is secondary to what distributed
denial-of-service (DDoS) protection provides as a first level of defense against high
rates of incoming packets. DDoS protection operates on the Packet Forwarding Engine
and protects against all packet types of all protocols. In contrast, the login overload
protection mechanism is located on the Routing Engine and specifically operates only
on incoming connection-initiation packets such as DHCPv4 DHCPDISCOVER, DHCPv6
SOLICIT, and PPPoE PADI packets.
•
The “protocols (DDoS)” and “show ddos-protection protocols” topics have been
updated to report changes in syntax for the MLP protocol group. The aging-exc, packets,
and vxlan packet types have been removed from the MLP protocol group. The add,
delete, and lookup packet types have been added to the MLP protocol group. The
keepalive protocol group has been renamed to tunnel-ka. The firewall-host protocol
group and the mcast-copy packet type in the unclassified protocol groups have been
removed from the CLI. Additionally, in the “show ddos-protection protocols” topic, the
descriptions for the global, Routing Engine, and FPC policer states have been expanded
and clarified.
The “DDoS Protection Flow Detection Overview” and “Enabling Flow Detection for All
Protocol Groups and Packet Types” topics now include a note about protocol groups
and a packet type for which you cannot globally enable flow detection.
SNMP MIBS and traps reference
•
SNMP MIBs and Traps Reference deprecation—Starting in Junos OS Release 16.1, the
SNMP MIBs and Traps Reference has been deprecated. To access information about
SNMP MIB objects, tables, and notifications, use the SNMP MIB Explorer. For an overview
of the MIBs supported on Junos OS, see the Network Management Administration Guide.
Subscriber Management Access Network Guide
•
The “Configuring a Pseudowire Subscriber Logical Interface Device” and “anchor-point
(Pseudowire Subscriber Interfaces)” topics have been updated to state that you cannot
dynamically change an anchor point that has active pseudowire devices stacked above
it. Both topics describe the steps to follow when you must change such an anchor
point.
•
The following topics have been updated to reflect a change in recommendation for
use of the access-internal statement: “Access and Access-Internal Routes for Subscriber
Management,” “Configuring Dynamic Access Routes for Subscriber Management,”
“Configuring Dynamic Access-Internal Routes for DHCP Subscriber Management,”
“Configuring Dynamic Access-Internal Routes for PPP Subscriber Management,”
“access (Dynamic Access Routes),” and “access-internal (Dynamic Access-Internal
Routes).”
We recommend that you use only access routes for framed route support. We
recommend that you do not use access-internal routes. If the RADIUS Framed-Route
attribute (22) or Framed-IPv6-Route attribute (99) does not specify the next-hop
gateway—as is common—the variable representing the next-hop,
$junos-framed-route-nexthop, is automatically resolved. If you configure the
access-internal statement in the dynamic profile, it is ignored.
Syslog Reference Guide
•
System Log Messages Reference deprecation—Starting in Junos OS Release 16.1, the
System Log Messages Reference has been deprecated. To access information about
system log messages, use the System Log Explorer or continue to use the CLI by
executing the help syslog <tag> command, where the tag is the unique identifier of
the error message. For an overview of system log messages, see System Log Messages
Configuration Guide.
Standards Reference
•
The Supported Network Management Standards topic incorrectly states that Junos OS
supports mplsL3VpnIfConfTable as part of compliance with RFC 4382, MPLS/BGP
Layer 3 Virtual Private Network (VPN) MIB. Junos OS does not support this table.
Subscriber Management Provisioning Guide
•
The following topics indicate that you can configure an MX Series router to maintain
a DHCP subscriber in the event the subscriber interface is deleted:
•
“Subscriber Binding Retention During Interface Delete Events”
•
“Configuring the Router to Maintain DHCP Subscribers During Interface Delete Events”
•
“Verifying and Managing the DHCP Maintain Subscribers Feature”
•
“interface-delete (Subscriber Management or DHCP Client Management)”
•
“maintain-subscriber”
•
“subscriber-management (Subscriber Management)”
This feature is not supported on MX Series routers running Junos OS Release 15.1R4 or
later with enhanced subscriber management enabled.
Related Documentation
•
New and Changed Features
•
Changes in Behavior and Syntax
•
Known Behavior
•
Known Issues
•
Resolved Issues
•
Migration, Upgrade, and Downgrade Instructions
•
Product Compatibility
Migration, Upgrade, and Downgrade Instructions
This section contains the procedure to upgrade Junos OS, and the upgrade and downgrade
policies for Junos OS for the MX Series and T Series. Upgrading or downgrading Junos
OS can take several minutes, depending on the size and configuration of the network.
Starting with Junos OS Release 15.1, in some of the devices, FreeBSD 10.x is the underlying
OS for Junos OS instead of FreeBSD 6.1. This feature includes a simplified package naming
system that drops the domestic and world-wide naming convention. However, in some
of the routers, FreeBSD 6.1 remains the underlying OS for Junos OS. For more details
about FreeBSD 10.x, see Understanding Junos OS with Upgraded FreeBSD.
NOTE: In Junos OS Release 15.1, Junos OS (FreeBSD 10.x) is not available to
customers in Belarus, Kazakhstan, and Russia. Customers in these countries
need to use the existing Junos OS (FreeBSD 6.1).
The following table shows detailed information about which Junos OS can be used on
which products:
Platform                              FreeBSD 6.1-based Junos OS    FreeBSD 10.x-based Junos OS
MX80, MX104                           YES                           NO
MX240, MX480, MX960, MX2010, MX2020   NO                            YES
•
Basic Procedure for Upgrading to Release 16.1
•
Upgrading from Junos OS (FreeBSD 6.1) to Junos OS (FreeBSD 10.x)
•
Upgrading from Junos OS (FreeBSD 6.1) to Junos OS (FreeBSD 6.1)
•
Installing the Network Agent Package (Junos Telemetry Interface) in MX Series Routers
•
Upgrade and Downgrade Support Policy for Junos OS Releases
•
Upgrading a Router with Redundant Routing Engines
•
Upgrading Juniper Network Routers Running Draft-Rosen Multicast VPN to Junos OS
Release 10.1
•
Downgrading from Release 16.1
Basic Procedure for Upgrading to Release 16.1
When upgrading or downgrading Junos OS, always use the jinstall package. Use other
packages (such as the jbundle package) only when so instructed by a Juniper Networks
support representative. For information about the contents of the jinstall package and
details of the installation process, see the Installation and Upgrade Guide and Upgrading
Junos OS with Upgraded FreeBSD.
NOTE: Before upgrading, back up the file system and the currently active
Junos OS configuration so that you can recover to a known, stable
environment in case the upgrade is unsuccessful. Issue the following
command:
user@host> request system snapshot
The installation process rebuilds the file system and completely reinstalls
Junos OS. Configuration information from the previous software installation
is retained, but the contents of log files might be erased. Stored files on the
routing platform, such as configuration templates and shell scripts (the only
exceptions are the juniper.conf and ssh files) might be removed. To preserve
the stored files, copy them to another system before upgrading or
downgrading the routing platform. For more information, see the Junos OS
Administration Library for Routing Devices.
Upgrading from Junos OS (FreeBSD 6.1) to Junos OS (FreeBSD 10.x)
Products impacted: MX240, MX480, MX960, MX2010, and MX2020.
NOTE: This section does not apply to customers in Belarus, Kazakhstan, and
Russia. Customers in these countries need to refer to the next section.
To download and install from Junos OS (FreeBSD 6.1) to Junos OS (FreeBSD 10.x):
1. Using a Web browser, navigate to the All Junos Platforms software download URL
on the Juniper Networks webpage:
http://www.juniper.net/support/downloads/
2. Select the name of the Junos OS platform for the software that you want to download.
3. Select the release number (the number of the software version that you want to
download) from the Release drop-down list to the right of the Download Software
page.
4. Select the Software tab.
5. In the Install Package section of the Software tab, select the software package for
the release.
6. Log in to the Juniper Networks authentication system using the username (generally
your e-mail address) and password supplied by a Juniper Networks representative.
7. Review and accept the End User License Agreement.
8. Download the software to a local host.
9. Copy the software to the routing platform or to your internal software distribution
site.
10. Install the new jinstall package on the routing platform.
NOTE: We recommend that you upgrade all software packages out of
band using the console because in-band connections are lost during the
upgrade process.
• For 32-bit Routing Engine version:
user@host> request system software add no-validate reboot source/junos-install-mx-x86-32-16.1R4.9-signed.tgz
• For 64-bit Routing Engine version:
user@host> request system software add no-validate reboot source/junos-install-mx-x86-64-16.1R4.9-signed.tgz
Replace source with one of the following values:
• /pathname—For a software package that is installed from a local directory on the
router.
• For software packages that are downloaded and installed from a remote location:
  • ftp://hostname/pathname
  • http://hostname/pathname
  • scp://hostname/pathname (available only for Canada and U.S. version)
Do not use the validate option while upgrading from Junos OS (FreeBSD 6.1) to Junos
OS (FreeBSD 10.x). This is because programs in the junos-upgrade-x package are
built based on FreeBSD 10.x, and Junos OS (FreeBSD 6.1) would not be able to run
these programs. You must use the no-validate option. The no-validate statement
disables the validation procedure and allows you to use an import policy instead.
Use the reboot command to reboot the router after the upgrade is validated and
installed. When the reboot is complete, the router displays the login prompt. The
loading process can take 5 to 10 minutes.
Rebooting occurs only if the upgrade is successful.
NOTE: You need to install the Junos OS software package and host software
package on the routers with the RE-MX-X6 and RE-MX-X8 Routing Engines.
For upgrading the host OS on these routers with VM Host support, use the
junos-vmhost-install-x.tgz image and specify the name of the regular package
in the request vmhost software add command. For more information, see the VM
Host Installation topic in the Installation and Upgrade Guide.
NOTE: After you install a Junos OS Release 16.1 jinstall package, you cannot
issue the request system software rollback command to return to the previously
installed Junos OS (FreeBSD 6.1) software. Instead, you must issue the request
system software add no-validate command and specify the jinstall package
that corresponds to the previously installed software.
NOTE: A few of the existing request system commands are not supported on
routers with the RE-MX-X6 and RE-MX-X8 Routing Engines. See the VM Host
Software Administrative Commands in the Installation and Upgrade Guide.
Upgrading from Junos OS (FreeBSD 6.1) to Junos OS (FreeBSD 6.1)
Products impacted: All T Series routers, MX80, and MX104.
NOTE: Customers in Belarus, Kazakhstan, and Russia must use the following
procedure for all MX Series routers running Junos OS Release 16.1.
To download and install from Junos OS (FreeBSD 6.1) to Junos OS (FreeBSD 6.1):
1. Using a Web browser, navigate to the All Junos Platforms software download URL
on the Juniper Networks webpage:
http://www.juniper.net/support/downloads/
2. Select the name of the Junos OS platform for the software that you want to download.
3. Select the release number (the number of the software version that you want to
download) from the All Junos Platforms Release drop-down list to the right of the
Download Software page.
4. Select the Software tab.
5. In the Install Package section of the Software tab, select the software package for
the release.
6. Log in to the Juniper Networks authentication system using the username (generally
your e-mail address) and password supplied by a Juniper Networks representative.
7. Review and accept the End User License Agreement.
8. Download the software to a local host.
9. Copy the software to the routing platform or to your internal software distribution
site.
10. Install the new jinstall package on the routing platform.
NOTE: We recommend that you upgrade all software packages out of
band using the console because in-band connections are lost during the
upgrade process.
• Customers in the United States and Canada, use the following command:
user@host> request system software add validate reboot source/jinstall-16.1R2.9-domestic-signed.tgz
• All other customers, use the following command:
user@host> request system software add validate reboot source/jinstall-16.1R2.9-export-signed.tgz
Replace source with one of the following values:
• /pathname—For a software package that is installed from a local directory on the
router.
• For software packages that are downloaded and installed from a remote location:
  • ftp://hostname/pathname
  • http://hostname/pathname
  • scp://hostname/pathname (available only for Canada and U.S. version)
The validate option validates the software package against the current configuration
as a prerequisite to adding the software package to ensure that the router reboots
successfully. This is the default behavior when the software package being added is
a different release.
Use the reboot command to reboot the router after the upgrade is validated and
installed. When the reboot is complete, the router displays the login prompt. The
loading process can take 5 to 10 minutes.
Rebooting occurs only if the upgrade is successful.
NOTE: After you install a Junos OS Release 16.1 jinstall package, you cannot
issue the request system software rollback command to return to the previously
installed software. Instead, you must issue the request system software add
validate command and specify the jinstall package that corresponds to the
previously installed software.
Installing the Network Agent Package (Junos Telemetry Interface) in MX Series
Routers
NOTE: This section is applicable only to MX Series routers.
Starting with Junos OS Release 16.1R4, the Network Agent software package provides a
framework to support OpenConfig and gRPC for the Junos Telemetry Interface. The
Network Agent package functions as a gRPC server that terminates the OpenConfig
remote procedure call (RPC) interfaces and streams the telemetry data according to
the OpenConfig specification. The Network Agent package, which runs on the Routing
Engine, implements local statistics collection and reports data to active telemetry stream
subscribers.
Network Agent is available as a separate package only for Junos OS with Upgraded
FreeBSD. For other versions of Junos OS, Network Agent functionality is embedded in
the software.
The Network Agent for Junos OS software package has the following naming conventions:
• Package Name—This is Network-Agent.
• Architecture—This field indicates the CPU architecture of the platforms, such as x86.
• Application Binary Interface (ABI)—This field indicates the “word length” of the CPU
architecture. Values include 32 for 32-bit architectures and 64 for 64-bit architectures.
• Release—This field indicates the Junos OS release number, such as 16.1R4.16.
• Package release and spin number—This field indicates the package version and spin
number, such as C1.1.
All Network Agent packages are in tarred and gzipped (.tgz) format.
NOTE: Each version of the Network Agent package is supported on a single
release of Junos OS only. The Junos OS version supported is identified by the
Junos OS release number included in the Network Agent package name.
Examples of valid Network Agent package names include the following:
• network-agent-x86-64-16.1R4.16-C1.0.tgz
• network-agent-x86-32-16.1R4.12-C1.1.tgz
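The naming convention and the single-release rule above can be checked before a package is copied to a device. The following Python sketch is an added example, not Juniper code; the function names, the "Junos:" line in the constructed show version sample, and the Routing Engine word length supplied by the caller are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List

# Field order from the naming convention above:
#   <package name>-<architecture>-<ABI>-<Junos OS release>-<package release and spin>.tgz
# The release pattern covers the form shown on the page (for example 16.1R4.16).
PACKAGE_RE = re.compile(
    r"^(?i:network-agent)"
    r"-(?P<arch>[a-z0-9]+)"
    r"-(?P<abi>32|64)"
    r"-(?P<release>\d+\.\d+[A-Z]\d+\.\d+)"
    r"-(?P<spin>C\d+\.\d+)"
    r"\.tgz$"
)

# Constructed sample of "show version" output (assumed layout, not captured from a device).
SAMPLE_SHOW_VERSION = """\
Hostname: mx-lab
Model: mx960
Junos: 16.1R4.16
"""


@dataclass(frozen=True)
class AgentPackage:
    arch: str
    abi: int
    junos_release: str
    spin: str


def parse_agent_package(source: str) -> AgentPackage:
    """Parse a package file name; accepts a bare name, a /pathname or a URL."""
    filename = source.rsplit("/", 1)[-1]
    match = PACKAGE_RE.match(filename)
    if match is None:
        raise ValueError(f"not a Network Agent package name: {filename!r}")
    return AgentPackage(
        arch=match["arch"],
        abi=int(match["abi"]),
        junos_release=match["release"],
        spin=match["spin"],
    )


def installed_release(show_version: str) -> str:
    """Return the value of the 'Junos:' line from show version output."""
    for line in show_version.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "Junos" and value.strip():
            return value.strip()
    raise ValueError("no 'Junos:' line found in show version output")


def preinstall_findings(source: str, show_version: str, re_word_length: int) -> List[str]:
    """List reasons not to install; an empty list means the name checks pass."""
    try:
        pkg = parse_agent_package(source)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    running = installed_release(show_version)
    # Each package version is supported on a single Junos OS release only.
    if pkg.junos_release != running:
        findings.append(
            f"package built for Junos OS {pkg.junos_release}, device runs {running}"
        )
    # The ABI field must match the word length of the Routing Engine.
    if pkg.abi != re_word_length:
        findings.append(
            f"package ABI is {pkg.abi}-bit, Routing Engine is {re_word_length}-bit"
        )
    return findings


if __name__ == "__main__":
    for name in (
        "network-agent-x86-64-16.1R4.16-C1.0.tgz",
        "/var/tmp/network-agent-x86-32-16.1R4.12-C1.1.tgz",
    ):
        print(name, "->", preinstall_findings(name, SAMPLE_SHOW_VERSION, 64) or "OK")
```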
Before you begin:
• Install Junos OS Release 16.1R4 or later.
• Install the OpenConfig for Junos OS module. For more information, see Installing the
OpenConfig Package.
• Install Secure Sockets Layer (SSL) certificates of authentication on your Juniper
Networks device.
NOTE: Only server-based SSL authentication is supported. Client-based
authentication is not supported.
To download and install the Network Agent package:
1. Using a Web browser, navigate to the All Junos Platforms software download URL
on the Juniper Networks webpage: http://www.juniper.net/support/downloads/.
2. Select the name of the Junos OS platform for the software that you want to download.
3. Select the release number (the number of the software version that you want to
download) from the Release drop-down list to the right of the Download Software
page.
4. Select the Software tab.
5. In the Tools section of the Software tab, select the Junos Network Agent package for
the release.
6. Log in to the Juniper Networks authentication system by using the username (generally
your e-mail address) and password supplied by a Juniper Networks representative.
7. Download the software to a local host.
8. Copy the software to your Juniper Networks device or to your internal software
distribution site.
9. Install the new network-telemetry package on the device by issuing the request system
software add package-name command from operational mode.
For example:
user@host> request system software add network-telemetry-x86-64-16.1R4.16-C1.0.tgz
NOTE: The command uses the validate option by default. This option
validates the software package against the current configuration as a
prerequisite to adding the software package to ensure that the device
reboots successfully. This is the default behavior when the software
package being added is a different release.
Replace source with one of the following values:
• /pathname—For a software package that is installed from a local directory on the
device.
• For software packages that are downloaded and installed from a remote location:
  • ftp://hostname/pathname
  • http://hostname/pathname
  • scp://hostname/pathname (available only for Canada and U.S. version)
10. Issue the show version command to verify that the Network Agent package was
successfully installed.
Upgrade and Downgrade Support Policy for Junos OS Releases
Support for upgrades and downgrades that span more than three Junos OS releases at
a time is not provided, except for releases that are designated as Extended End-of-Life
(EEOL) releases. EEOL releases provide direct upgrade and downgrade paths—you can
upgrade directly from one EEOL release to the next EEOL release even though EEOL
releases generally occur in increments beyond three releases.
You can upgrade or downgrade to the EEOL release that occurs directly before or after
the currently installed EEOL release, or to two EEOL releases before or after. For example,
Junos OS Releases 14.1, 14.2, 15.1 and 16.1 are EEOL releases. You can upgrade from Junos
OS Release 14.1 to Release 15.1 or from Junos OS Release 15.1 to Release 16.2. However,
you cannot upgrade directly from a non-EEOL release that is more than three releases
ahead or behind.
To upgrade or downgrade from a non-EEOL release to a release more than three releases
before or after, first upgrade to the next EEOL release and then upgrade or downgrade
from that EEOL release to your target release.
For more information about EEOL releases and to review a list of EEOL releases, see
http://www.juniper.net/support/eol/junos.html.
Upgrading a Router with Redundant Routing Engines
If the router has two Routing Engines, perform the following Junos OS installation on
each Routing Engine separately to avoid disrupting network operation:
1. Disable graceful Routing Engine switchover (GRES) on the master Routing Engine,
and save the configuration change to both Routing Engines.
2. Install the new Junos OS release on the backup Routing Engine while keeping the
currently running software version on the master Routing Engine.
3. After making sure that the new software version is running correctly on the backup
Routing Engine, switch over to the backup Routing Engine to activate the new software.
4. Install the new software on the original master Routing Engine that is now active as
the backup Routing Engine.
For the detailed procedure, see the Installation and Upgrade Guide.
Upgrading Juniper Network Routers Running Draft-Rosen Multicast VPN to Junos
OS Release 10.1
In releases prior to Junos OS Release 10.1, the draft-rosen multicast VPN feature
implements the unicast lo0.x address configured within that instance as the source
address used to establish PIM neighbors and create the multicast tunnel. In this mode,
the multicast VPN loopback address is used for reverse path forwarding (RPF) route
resolution to create the reverse path tree (RPT), or multicast tunnel. The multicast VPN
loopback address is also used as the source address in outgoing PIM control messages.
In Junos OS Release 10.1 and later, you can use the router’s main instance loopback
(lo0.0) address (rather than the multicast VPN loopback address) to establish the PIM
state for the multicast VPN. We strongly recommend that you perform the following
procedure when upgrading to Junos OS Release 10.1 if your draft-rosen multicast VPN
network includes both Juniper Network routers and other vendors’ routers functioning
as provider edge (PE) routers. Doing so preserves multicast VPN connectivity throughout
the upgrade process.
Because Junos OS Release 10.1 supports using the router’s main instance loopback (lo0.0)
address, it is no longer necessary for the multicast VPN loopback address to match the
main instance loopback address lo0.0 to maintain interoperability.
NOTE: You might want to maintain a multicast VPN instance lo0.x address
to use for protocol peering (such as IBGP sessions), or as a stable router
identifier, or to support the PIM bootstrap server function within the VPN
instance.
Complete the following steps when upgrading routers in your draft-rosen multicast VPN
network to Junos OS Release 10.1 if you want to configure the router’s main instance
loopback address for draft-rosen multicast VPN:
1. Upgrade all M7i and M10i routers to Junos OS Release 10.1 before you configure the
loopback address for draft-rosen Multicast VPN.
NOTE: Do not configure the new feature until all the M7i and M10i routers
in the network have been upgraded to Junos OS Release 10.1.
2. After you have upgraded all routers, configure each router’s main instance loopback
address as the source address for multicast interfaces.
Include the default-vpn-source interface-name loopback-interface-name statement
at the [edit protocols pim] hierarchy level.
3. After you have configured the router’s main loopback address on each PE router,
delete the multicast VPN loopback address (lo0.x) from all routers.
We also recommend that you remove the multicast VPN loopback address from all
PE routers from other vendors. In Junos OS releases prior to 10.1, to ensure
interoperability with other vendors’ routers in a draft-rosen multicast VPN network,
you had to perform additional configuration. Remove that configuration from both
the Juniper Networks routers and the other vendors’ routers. This configuration should
be on Juniper Networks routers and on the other vendors’ routers where you configured
the lo0.mvpn address in each VRF instance as the same address as the main loopback
(lo0.0) address.
This configuration is not required when you upgrade to Junos OS Release 10.1 and use
the main loopback address as the source address for multicast interfaces.
NOTE: To maintain a loopback address for a specific instance, configure
a loopback address value that does not match the main instance address
(lo0.0).
For more information about configuring the draft-rosen Multicast VPN feature, see the
Multicast Protocols Feature Guide for Routing Devices.
Downgrading from Release 16.1
To downgrade from Release 16.1 to another supported release, follow the procedure for
upgrading, but replace the 16.1 jinstall package with one that corresponds to the
appropriate release.
NOTE: You cannot downgrade more than three releases. For example, if your
routing platform is running Junos OS Release 11.4, you can downgrade the
software to Release 10.4 directly, but not to Release 10.3 or earlier; as a
workaround, you can first downgrade to Release 10.4 and then downgrade
to Release 10.3.
For more information, see the Installation and Upgrade Guide.
Related Documentation
• New and Changed Features on page 93
• Changes in Behavior and Syntax on page 187
• Known Behavior on page 209
• Known Issues on page 213
• Resolved Issues on page 225
• Documentation Updates on page 276
• Product Compatibility on page 290
Product Compatibility
• Hardware Compatibility on page 290
Hardware Compatibility
To obtain information about the components that are supported on the devices, and
special compatibility guidelines with the release, see the Hardware Guide and the Interface
Module Reference for the product.
To determine the features supported on MX Series and T Series devices in this release,
use the Juniper Networks Feature Explorer, a Web-based application that helps you to
explore and compare Junos OS feature information to find the right software release and
hardware platform for your network. Find Feature Explorer at:
http://pathfinder.juniper.net/feature-explorer/
Hardware Compatibility Tool
For a hardware compatibility matrix for optical interfaces and transceivers supported
across all platforms, see the Hardware Compatibility tool.
Related Documentation
• New and Changed Features on page 93
• Changes in Behavior and Syntax on page 187
• Known Behavior on page 209
• Known Issues on page 213
• Resolved Issues on page 225
• Documentation Updates on page 276
• Migration, Upgrade, and Downgrade Instructions on page 280
Junos OS Release Notes for PTX Series Packet Transport Routers
These release notes accompany Junos OS Release 16.1R4 for the PTX Series. They
describe new and changed features, limitations, and known and resolved problems in
the hardware and software.
You can also find these release notes on the Juniper Networks Junos OS Documentation
webpage, located at http://www.juniper.net/techpubs/software/junos/.
• New and Changed Features on page 292
• Changes in Behavior and Syntax on page 312
• Known Behavior on page 317
• Known Issues on page 318
• Documentation Updates on page 321
• Resolved Issues on page 322
• Migration, Upgrade, and Downgrade Instructions on page 328
• Product Compatibility on page 335
New and Changed Features
This section describes the new features and enhancements to existing features in Junos
OS Release 16.1R4 for the PTX Series.
• Release 16.1R4 New and Changed Features on page 292
• Release 16.1R3 New and Changed Features on page 294
• Release 16.1R2 New and Changed Features on page 297
• Release 16.1R1 New and Changed Features on page 304
Release 16.1R4 New and Changed Features
Hardware
• New Routing and Control Board RCB-PTX-X6-32G (PTX3000)—Starting in Junos
OS Release 16.1R4, the Routing and Control Board (RCB) is supported on PTX3000
routers. The RCB combines the functionality of a Routing Engine, Control Board, and
Centralized Clock Generator (CCG) in a single FRU. Although the functionality is
combined in a single FRU, you must install an RCB companion card in the RE0 and RE1
slots adjacent to each RCB to enable the RCBs to communicate through the backplane.
Management
• Support for gRPC streaming for Junos Telemetry Interface firewall filter statistics
(PTX Series)—Starting with Junos OS Release 16.1R4, you can use gRPC (an open
source remote procedure call) interfaces to provision sensors to subscribe to and
receive firewall filter telemetry data. If your Juniper Networks device is running a version
of Junos OS with the upgraded FreeBSD kernel, you must download the Junos Network
Agent package, which provides the interfaces to manage gRPC subscriptions. The
package is available on the All Junos Platforms software download URL on the Juniper
Networks webpage. Traffic-class counter statistics are included in telemetry data for
firewall filters. Use the /junos/system/linecard/firewall/ path to provision a sensor for
firewall filter statistics.
[See Guidelines for gRPC Sensors.]
• Support for gRPC streaming for Junos Telemetry Interface LSP statistics (PTX
Series)—Starting with Junos OS Release 16.1R4, you can use gRPC (an open source
remote procedure call) interfaces to provision sensors to subscribe to and receive
telemetry data for label-switched paths (LSPs). If your Juniper Networks device is
running a version of Junos OS with the upgraded FreeBSD kernel, you must download
the Junos Network Agent package, which provides the interfaces to manage gRPC
subscriptions. The package is available on the All Junos Platforms software download
URL on the Juniper Networks webpage. Data is collected only for ingress LSPs. You
must also configure the sensor-based-stats statement at the [edit protocols mpls]
hierarchy level. Use the /junos/services/label-switched-path/usage/ path to provision
a sensor for LSP statistics.
[See Guidelines for gRPC Sensors.]
• Support for gRPC streaming for Junos Telemetry Interface physical interface queue
statistics (PTX Series)—Starting with Junos OS Release 16.1R4, you can use gRPC (an
open source remote procedure call) interfaces to provision sensors to collect egress
and ingress physical interface queue statistics. If your Juniper Networks device is running
a version of Junos OS with the upgraded FreeBSD kernel, you must download the Junos
Network Agent package, which provides the interfaces to manage gRPC subscriptions.
The package is available on the All Junos Platforms software download URL on the
Juniper Networks webpage. On PTX Series routers, queue statistics are exported by
each line card. Use the /junos/system/linecard/interface/ path to provision sensors
for physical interface statistics.
[See Guidelines for gRPC Sensors.]
Routing Protocols
• Support for unique AS path count (PTX Series)—Starting with Junos OS Release
16.1R4, you can configure a routing policy to determine the number of unique
autonomous systems (ASs) present in the AS path. The unique AS path count helps
determine whether a given AS is present in the AS path multiple times, typically as
prepended ASs. In earlier Junos releases it was not possible to implement this counting
behavior using the as-path regular expression policy. This feature permits the user to
configure a policy based on the number of AS hops between the route originator and
receiver. This feature ignores ASs in the as-path that are confederation ASs, such as
confed_seq and confed_set.
To configure AS path count, include the as-path-unique-count count (equal | orhigher |
orlower) configuration statement at the [edit policy-options policy-statement
policy_name from] hierarchy level.
Release 16.1R3 New and Changed Features
General Routing
• Support for OpenConfig—Starting in Junos OS Release 16.1R3, you can configure your
MX and PTX Series network devices by using OpenConfig data models. The data
models are written in YANG, a data modeling language that can be used to model both
configurational data as well as operational data and can be managed on the router
by using the CLI or with NETCONF.
Junos OS Release 16.1R3 supports the following OpenConfig data models:
• Border Gateway Protocol
• Routing Policy
• Local Routing
• Telemetry
• Interface
• MPLS
[See OpenConfig Feature Guide.]
Hardware
• P3-10-U-QSFP28 PIC (PTX3000)—Starting in Junos OS Release 16.1R3, the
P3-10-U-QSFP28 is supported on PTX3000 routers that have third-generation FPCs
installed. The P3-10-U-QSFP28 PIC has ten ports that are configurable as 10-Gigabit
Ethernet, 40-Gigabit Ethernet, and 100-Gigabit Ethernet ports. The interface speeds
are configured by port group—ports 0 through 4 and ports 5 through 9. To configure
the port speed, use the following command:
[edit chassis]
user@host# set fpc slot-number pic pic-number port port-number port-speed (10G | 40G | 100G)
[See the PTX Series Interface Module Reference.]
Interfaces and Chassis
• Unified ISSU support for P2-10G-40G-QSFPP PIC and P2-100GE-OTN PIC
(PTX5000)—In Junos OS Release 16.1R3, unified in-service software upgrade (unified
ISSU) is supported on the P2-10G-40G-QSFPP PIC and the P2-100GE-OTN PIC on
the FPC2-PTX-P1A FPC in PTX5000 routers. Unified ISSU enables you to upgrade
from an earlier Junos OS release to a later one with no disruption on the control plane
and with minimal disruption of traffic.
• Synchronous Ethernet clock synchronization on third-generation FPCs
(PTX3000)—Starting in Junos OS Release 16.1R3, Synchronous Ethernet clock
synchronization is supported on third-generation FPCs (FPC3-SFF-PTX-U0 and
FPC3-SFF-PTX-U1) on the PTX3000.
Management
• Enhancements to the Junos Telemetry Interface (PTX Series)—The Junos Telemetry
Interface enables you to export telemetry data from supported interface hardware.
Line-card sensor data, such as interface events, are sent directly to configured collection
points without requiring polling. Starting with Junos OS Release 16.1R3, supported
hardware includes FPC1 and FPC2. Previously, only FPC3 was supported.
Additionally, telemetry sensors for the following system resources are also supported:
• CPU memory
• BGP peers (gRPC streaming only)
• Memory utilization for routing protocol tasks (gRPC streaming only)
• Network processing unit (NPU) memory and memory utilization
• Optical interfaces
• Inline flow sampling process (UDP streaming only)
• Chassis components
• Aggregated Ethernet interfaces configured with LACP (gRPC streaming only)
• ARP (gRPC streaming only)
• Ethernet interfaces configured with LLDP (gRPC streaming only)
• RSVP interface events (gRPC streaming only)
• Network Discovery Protocol table state (gRPC streaming only)
• Routing Engine internal interfaces (gRPC streaming only)
[See Junos Telemetry Interface Feature Guide.]
• gRPC support for the Junos Telemetry Interface (PTX Series)—Starting with Junos
OS Release 16.1R3, you can use a set of gRPC interfaces to provision sensors and to
subscribe to and receive telemetry data. gRPC is based on an open source framework
and provides for interoperability as well as the secure and reliable transport of data.
Use the telemetrySubscribe RPC to specify telemetry parameters and stream data for
a specified list of OpenConfig command paths. Telemetry data is generated as Google
protocol buffers (gpb) messages in a universal key/value format. If your Juniper
Networks device is running a version of Junos OS with the upgraded FreeBSD kernel,
you must download the Junos Network Agent package, which provides the interfaces
to manage gRPC subscriptions. The package is available on the All Junos Platforms
software download URL on the Juniper Networks webpage. On MX Series routers,
supported hardware for gRPC telemetry data streaming is MPC1 through MPC9E. On
PTX Series routers, supported hardware is FPC1, FPC2, and FPC3.
[See Junos Telemetry Interface Feature Guide.]
MPLS
• Support for IS-IS segment routing (PTX5000)—In Junos OS Release 16.1R3, IS-IS
segment routing support is enabled through MPLS. Currently, label advertisements
are supported for IS-IS only. IS-IS creates an adjacency segment per adjacency, per
level, and per address family (one each for IPv4 and IPv6). Junos OS IS-IS
implementation allocates node segment label blocks in accordance with the IS-IS
protocol extensions for supporting segment routing node segments and provides a
mechanism to the network operator to provision an IPv4 or IPv6 address family node
segment index. To configure segment routing, use the following configuration
statements at the [edit protocols isis] hierarchy level:
•
no-advertise-adjacency-segment—Disable advertising of the adjacency segment on
all levels for a specific interface.
•
node-segment—Enable source packet routing at all levels.
•
source-packet-routing—Enable the source packet routing feature.
•
use-source-packet-routing—Enable the use of source packet routing node segment
labels for computing backup paths for normal IPv4 or IPv6 IS-IS prefixes and primary
IS-IS source packet routing node segments.
•
Egress peer engineering of service labels (BGP, MPLS) and egress peer protection
for BGP-LU (PTX5000)—Starting in Junos OS Release 16.1R3 for PTX5000, you can
enable traffic engineering of service traffic, such as MPLS LSP traffic between
autonomous systems (ASs), using BGP labeled unicast for optimum utilization of the
advertised egress routes. You can specify one or more backup devices for the primary
egress AS boundary router. Junos OS installs the backup path in addition to the primary
path in the MPLS forwarding table, which enables MPLS fast reroute (FRR) when the
primary link fails. It provides support for the FRR protection backup scheme to do an
IP lookup to determine a new egress interface.
•
Support for IPv6 tunneling over an MPLS-based IPv4 network (PTX3000 and
PTX5000)—Starting in Junos OS Release 16.1R3, IPv6 tunneling over an MPLS-based
IPv4 network using IPv6 Provider Edge (6PE) is supported on PTX3000 and PTX5000
routers that have third-generation FPCs installed.
Security
•
Secure Boot (PTX3000)—Junos OS Release 16.1R3 introduces a significant system
security enhancement: Secure Boot. The Secure Boot implementation is based on the
UEFI 2.4 standard. The BIOS has been hardened and serves as a core root of trust. The
BIOS updates, the bootloader, and the kernel are cryptographically protected. No
action is required to implement Secure Boot.
VPNs
•
Support for Layer 3 VPN (PTX3000 and PTX5000)—Starting in Junos OS Release
16.1R3, Layer 3 VPN is supported on PTX3000 and PTX5000 routers that have
third-generation FPCs installed.
NOTE: Layer 3 VPN is supported only when the enhanced-mode statement
is configured at the [edit chassis network-services] hierarchy level.
Release 16.1R2 New and Changed Features
Hardware
•
Upgrading to third-generation FPCs and SIBs in an operational router
(PTX3000)—Starting in Junos OS Release 16.1R2, you can upgrade to third-generation
FPCs (FPC3-SFF-PTX-U0 and FPC3-SFF-PTX-U1) and SIB3-SFF-PTX SIBs in an
operational PTX3000.
•
New Horizontal Fan Tray FAN3-PTX-H (PTX5000)—Starting in Junos OS Release
16.1R2, the FAN3-PTX-H horizontal fan tray is supported on PTX5000 routers.
•
Third-generation FPCs (PTX3000)—Starting in Junos OS Release 16.1R2,
third-generation FPCs are supported on PTX3000 routers. FPC3-SFF-PTX-U1 FPCs
(model numbers FPC3-SFF-PTX-U1-L and FPC3-SFF-PTX-U1-R) support 1.0 Tbps of
throughput. FPC3-SFF-PTX-U0 FPCs (model numbers FPC3-SFF-PTX-U0-L and
FPC3-SFF-PTX-U0-R) support 500 Gbps of throughput.
Third-generation FPCs (FPC3-SFF-PTX-U0 and FPC3-SFF-PTX-U1) are supported
only in a PTX3000 with SIB3-SFF-PTX SIBs. Third-generation FPCs and
FPC-SFF-PTX-P1-A first-generation FPCs can interoperate with each other in the same
system.
Some features provided by these third-generation FPCs can be accessed only when
the enhanced-mode statement is configured at the [edit chassis network-services]
hierarchy level. These features include the following:
•
Filter-based generic routing encapsulation (GRE) for IPv4 and IPv6 tunneling.
•
promote gre-key statement for configuring gre-key as one of the matches in a filter.
•
gtp-tunnel-endpoint-identifier statement for including hash calculation for IPv4 or
IPv6 packets in the GPRS tunneling protocol–tunnel endpoint identifier (GTP-TEID)
field hash calculations.
•
Wider configuration range for Bidirectional Forwarding Detection (BFD) protocol
intervals.
•
Support for Layer 3 VPNs. The vrf-table-label statement is supported.
•
Support for destination class usage (DCU) and source class usage (SCU) accounting.
•
Support for up to two million routes in the forwarding table.
•
SIB3-SFF-PTX SIBs (PTX3000)—Starting in Junos OS Release 16.1R2, SIB3-SFF-PTX
SIBs are supported on PTX3000 routers. The SIB3-SFF-PTX SIBs are required with
third-generation FPCs (FPC3-SFF-PTX-U0 and FPC3-SFF-PTX-U1). The SIB3-SFF-PTX
SIBs also support FPC-SFF-PTX-P1-A first-generation FPCs—third-generation FPCs
and FPC-SFF-PTX-P1-A first-generation FPCs can interoperate with each other in the
same system.
•
P3-24-U-QSFP28 PIC supported on third-generation FPC (PTX3000)—Starting in
Junos OS Release 16.1R2, the P3-24-U-QSFP28 PIC is supported on FPC3-SFF-PTX-U1
FPCs on the PTX3000. The P3-24-U-QSFP28 PIC has 24 ports configurable as either
10-Gigabit Ethernet ports or 40-Gigabit Ethernet ports. To configure the port speed,
use the following command:
[edit chassis]
user@host# set fpc slot-number pic pic-number port port-number port-speed (10G | 40G)
[See the PTX Series Interface Module Reference.]
•
New FPCs FPC3-PTX-U1-L, FPC3-PTX-U1-R, FPC3-PTX-U2-L, FPC3-PTX-U2-R,
FPC3-PTX-U3-L, and FPC3-PTX-U3-R (PTX5000)—Starting in Junos OS Release
16.1R2, the FPC3-PTX-U1-L, FPC3-PTX-U1-R, FPC3-PTX-U2-L, FPC3-PTX-U2-R,
FPC3-PTX-U3-L, and FPC3-PTX-U3-R FPCs are supported on PTX5000 routers. The
FPCs provide the following throughput:
•
FPC3-PTX-U1-L and FPC3-PTX-U1-R—1.0 Tbps
•
FPC3-PTX-U2-L and FPC3-PTX-U2-R—2.0 Tbps
•
FPC3-PTX-U3-L and FPC3-PTX-U3-R—3.0 Tbps
When installing these third generation FPCs on the PTX5000 chassis, you must also
install the following hardware:
•
New SIB SIB3-PTX5K
•
New horizontal fan tray FAN3-PTX-H
Some new features provided by these third-generation FPCs can be accessed only
when the enhanced-mode statement is configured at the [edit chassis network-services]
hierarchy level.
Some of the new features include the following:
•
Filter-based generic routing encapsulation (GRE) for IPV4 and IPV6 tunneling uses
firewall filters to provide decapsulation of GRE traffic. The filter-based GRE
decapsulation will also support routing-instance as an action.
•
promote gre-key statement for configuring gre-key as one of the matches in a filter.
•
gtp-tunnel-endpoint-identifier statement for including hash calculation for IPv4 or
IPv6 packets in the GPRS tunneling protocol–tunnel endpoint identifier (GTP-TEID)
field hash calculations.
•
Longer configuration ranges for Bidirectional Forwarding Detection (BFD) protocol
intervals.
•
Enhanced support for up to two million routes per chassis.
•
New SIB SIB3-PTX5K (PTX5000)—Starting in Junos OS Release 16.1R2, the
SIB3-PTX5K SIB is supported on PTX5000 routers.
•
New PIC P3-24-U-QSFP28 (PTX5000)—Starting in Junos OS Release 16.1R2, the
P3-24-U-QSFP28 PIC is supported on PTX5000 routers. The P3-24-U-QSFP28 PIC
has 24 ports configurable as either 10-Gigabit Ethernet ports or 40-Gigabit Ethernet
ports.
To install the P3-24-U-QSFP28 PIC, you must have a third-generation FPC installed
on your system.
•
Upgrade of FPCs in an operational PTX5000—Starting in Junos OS Release 16.1R2,
you can upgrade the first-generation FPCs or second-generation FPCs to
third-generation FPCs in an operational PTX5000.
You may need to upgrade the following components before you can upgrade the FPCs
in a PTX5000:
•
SIBs
•
Fan tray
•
Power distribution unit
•
Power supply module
•
Midplane
[See the PTX5000 Packet Transport Router Hardware Guide]
•
The P1-PTX-24-10G-W-SFPP PIC is supported on third-generation FPCs
(PTX5000)—Starting in Junos OS Release 16.1R2, the P1-PTX-24-10G-W-SFPP PIC
is supported on PTX Series routers that have third-generation FPCs installed.
•
New P3-15-U-QSFP28 PIC (PTX5000)—Starting in Junos OS Release 16.1R2, the PIC
P3-15-U-QSFP28 is supported on PTX5000 routers that have third-generation FPCs
installed.
NOTE: To install the P3-15-U-QSFP28 PIC, you must have a
third-generation FPC installed on your system.
Following is the available port configuration for each FPC:
•
FPC3-PTX-U1-L and FPC3-PTX-U1-R—10 ports configurable as 10-Gigabit
Ethernet ports (using a 4x breakout cable), 40-Gigabit Ethernet ports,
or 100-Gigabit Ethernet ports.
•
FPC3-PTX-U2-L and FPC3-PTX-U2-R—10 ports configurable as
10-Gigabit Ethernet ports (using a 4x breakout cable), 40-Gigabit
Ethernet ports, or 100-Gigabit Ethernet ports.
•
FPC3-PTX-U3-L and FPC3-PTX-U3-R—15 ports configurable as
10-Gigabit Ethernet ports (using a 4x breakout cable), 40-Gigabit
Ethernet ports, or 100-Gigabit Ethernet ports.
•
The ability for third-generation FPCs to interoperate with first-generation and
second-generation FPCs (PTX5000)—Starting in Junos OS Release 16.1R2, when
third-generation FPCs are installed on a chassis with first-generation and
second-generation FPCs, the FPCs can interoperate with each other.
NOTE: For the third-generation FPCs to interoperate with the previous
FPCs, the enhanced-mode statement cannot be configured on the chassis.
Also, the third-generation FPCs can only provide the same functionality as
the first-generation and second-generation FPCs. Any advanced features
that third-generation FPCs may provide are disabled.
•
The P2-10G-40G-QSFPP PIC is supported on third-generation FPCs
(PTX5000)—Starting in Junos OS Release 16.1R2, the P2-10G-40G-QSFPP PIC is
supported on PTX Series routers that have third-generation FPCs installed.
•
The P2-100GE-OTN PIC is supported on third-generation FPCs (PTX5000)—Starting
in Junos OS Release 16.1R2, the P2-100GE-OTN PIC is supported on PTX Series routers
that have third-generation FPCs installed.
•
P1-PTX-24-10G-W-SFPP, P2-10G-40G-QSFPP, and P2-100GE-OTN PICs supported
on third-generation FPCs (PTX3000)—Starting in Junos OS Release 16.1R2, the
P1-PTX-24-10G-W-SFPP, P2-10G-40G-QSFPP, and P2-100GE-OTN PICs are supported
on third-generation FPCs (FPC3-SFF-PTX-U0 and FPC3-SFF-PTX-U1) on the PTX3000.
(See the PTX Series Interface Module Reference.)
Interfaces and Chassis
•
Support for different Ethernet rates in aggregated Ethernet interfaces
(PTX5000)—Starting in Junos OS Release 16.1R2, the mixed statement is supported
for the link-speed configuration statement on aggregated Ethernet interfaces. The
mixed configuration statement is configured at the [edit interfaces interface-name
aggregated-ether-options link-speed (speed | mixed)] hierarchy level.
•
Support for unicast RPF (PTX Series)—Starting in Junos OS Release 16.1R2, you can
configure unicast reverse path forwarding (RPF) to reduce the impact of denial of
service (DoS) attacks on PTX Series routers that have third-generation FPCs installed.
NOTE: Unicast RPF is supported only when the enhanced-mode statement
is configured at the [edit chassis network-services] hierarchy level.
•
Support for DCU and SCU accounting (PTX3000 and PTX5000)—Starting in Junos
OS Release 16.1R2, destination class usage (DCU) and source class usage (SCU)
accounting are supported on PTX3000 and PTX5000 routers that have third-generation
FPCs installed.
NOTE: DCU and SCU accounting are supported only when the
enhanced-mode statement is configured at the [edit chassis
network-services] hierarchy level.
•
Support for configuring the LED on a port to flash (PTX5000)—Starting in Junos OS
Release 16.1R2, the led-beacon command causes the LED for the specified port to flash
green. This enables you to physically locate a specific optic port on the PIC. The
led-beacon configuration statement is configured at the [edit interfaces interface-name
(with port number)] hierarchy level.
•
Support for configuring interface loopback (PTX5000)—Starting in Junos OS Release
16.1R2, the loopback (local | remote) configuration statement is used to specify whether
local or remote loopback is enabled. Specifying this information enables you to test
the transceiver cable connection from the far end to the retimer interface without
changing the cable. The loopback (local | remote) configuration statement is configured
at the [edit interfaces interface-name gigether-options] hierarchy level.
•
Support for configuring port speed (PTX3000)—Starting in Junos OS Release 16.1R2,
the port speed configuration statement is used to configure the port speed on PICs
that support multiple port speeds. The port-speed (10G | 40G | 100G) configuration
statement is configured at the [edit chassis fpc slot-number pic pic-number port
port-number] hierarchy level.
•
Support for configuring interface loopback (PTX3000)—Starting in Junos OS Release
16.1R2, the loopback (local | remote) configuration statement is used to specify whether
local or remote loopback is enabled. Specifying this information enables you to test
the transceiver cable connection from the far end to the retimer interface without
changing the cable. The loopback (local | remote) statement is configured at the [edit
interfaces interface-name gigether-options] hierarchy level.
•
Support for configuring the LED on a port to flash (PTX3000)—Starting in Junos OS
Release 16.1R2, the led-beacon command causes the LED for the specified port to flash
green. When the LED lights green, you can physically locate a specific optic port on the
PIC. You configure the led-beacon statement at the [edit interfaces interface-name
(with port number)] hierarchy level.
Management
•
Support for the Junos Telemetry Interface (PTX Series)—Junos Telemetry Interface
enables you to export telemetry data from supported interface hardware. Only FPC3
is supported. Line card sensor data for physical and logical interfaces and firewall
filters, including traffic-class counters, is sent directly to configured collection points
without involving polling. All parameters are configured at the [edit services analytics]
hierarchy level.
MPLS
•
MPLS inter-AS link protection (PTX Series)—Starting in Junos OS Release 16.1R2,
MPLS inter-AS link protection is supported. Link protection is essential in an MPLS
network to ensure traffic restoration in case of an interface failure. The ingress router
will then choose an alternate link through another interface to send traffic to its
destination.
For an MPLS inter-AS environment, link protection can be enabled when labeled-unicast
is used to send traffic between autonomous systems (ASs). To configure link protection
on an interface, the protection statement is introduced at the [edit protocols bgp group
group-name family inet labeled-unicast] hierarchy level.
•
Egress peer engineering of service labels (BGP, MPLS) and egress peer protection
for BGP-LU (PTX3000)—Starting in Junos OS Release 16.1R2, you can enable traffic
engineering of service traffic, such as MPLS LSP traffic between autonomous systems
(ASs), using BGP labeled unicast for optimum utilization of the advertised egress
routes. You can specify one or more backup devices for the primary egress AS boundary
router. Junos OS installs the backup path in addition to the primary path in the MPLS
forwarding table, which enables MPLS fast reroute (FRR) when the primary link fails.
It provides support for the FRR protection backup scheme to do an IP lookup to
determine a new egress interface.
Routing Policy and Firewall Filters
•
Support for filter-based generic routing encapsulation (GRE) for IPV4 and IPV6
tunneling (PTX Series with third-generation FPCs)—Starting in Junos OS Release
16.1R2, filter-based generic routing encapsulation (GRE) for IPV4 and IPV6 tunneling
uses firewall filters to provide decapsulation of GRE traffic. The filter-based GRE
decapsulation also supports routing-instance as an action.
NOTE: Configuring filter-based generic routing encapsulation (GRE) for
IPV4 and IPV6 tunneling is supported only when the enhanced-mode
statement is configured at the [edit chassis network-services] hierarchy
level.
•
Support for configuring the GTP-TEID field for GTP traffic (PTX3000 and
PTX5000)—Starting in Junos OS Release 16.1R2, the gtp-tunnel-endpoint-identifier
statement is supported to configure the hash calculation of IPv4 or IPv6 packets that
are included in the GPRS tunneling protocol–tunnel endpoint identifier (GTP-TEID)
field hash calculations. The gtp-tunnel-endpoint-identifier configuration statement is
configured at the [edit forwarding-options hash-key family inet layer-4] or [edit
forwarding-options hash-key family inet6 layer-4] hierarchy level.
•
Support for firewall feature matching on gre-key (PTX3000 and PTX5000)—Starting
in Junos OS Release 16.1R2, the promote gre-key statement is supported to configure
gre-key as one of the matches in a filter. When promote gre-key is configured and
gre-key is used in any of the terms in a filter, the entire filter is compiled in a way that
optimizes its performance for gre-key matching. The promote gre-key configuration
statement is configured at the [edit firewall family family-name filter filter-name]
hierarchy level.
NOTE: Gre-key matching in a firewall filter configuration is allowed only if
promote gre-key is also configured. If a filter has gre-key matches, but does
not have promote gre-key configured, the commit will fail.
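A pre-commit audit for two constraints stated in these notes, as an added example (not Juniper code): a filter that matches on gre-key must also configure promote gre-key, and unicast RPF, DCU/SCU accounting, and vrf-table-label depend on enhanced-mode. The sample configuration is constructed, and the exact placement of `rpf-check`, the accounting statements, `vrf-table-label`, and `from gre-key` in set-format lines is assumed from standard Junos syntax.

```python
"""Audit a Junos set-format configuration against two rules from the
release notes above. Added example; statement placement is assumed."""

# Constructed sample configuration (not taken from the release notes).
SAMPLE_CONFIG = """\
set chassis network-services enhanced-mode
set interfaces et-0/0/0 unit 0 family inet rpf-check
set firewall family inet filter GRE-IN promote gre-key
set firewall family inet filter GRE-IN term t1 from gre-key 100
set firewall family inet filter GRE-IN term t1 then accept
set firewall family inet filter GRE-LEGACY term t1 from gre-key 200
set firewall family inet filter GRE-LEGACY term t1 then discard
"""

ENHANCED_MODE = ["chassis", "network-services", "enhanced-mode"]

# (feature name, top-level hierarchy, keywords that reveal the feature).
# The notes tie each feature to enhanced-mode; the hierarchy is an assumption.
ENHANCED_MODE_FEATURES = (
    ("unicast RPF", "interfaces", {"rpf-check"}),
    ("DCU/SCU accounting", "interfaces",
     {"destination-class-usage", "source-class-usage"}),
    ("Layer 3 VPN vrf-table-label", "routing-instances", {"vrf-table-label"}),
)


def parse_set_lines(text):
    """Return the tokens of every 'set' statement; other lines are ignored."""
    statements = []
    for raw in text.splitlines():
        tokens = raw.split()
        if len(tokens) > 1 and tokens[0] == "set":
            statements.append(tokens[1:])
    return statements


def audit(text):
    """Return a sorted list of (rule, subject) findings."""
    statements = parse_set_lines(text)
    enhanced = ENHANCED_MODE in statements
    promoted, gre_key_filters, findings = set(), set(), set()

    for tokens in statements:
        # firewall family <family> filter <name> ...
        if (len(tokens) >= 7 and tokens[:2] == ["firewall", "family"]
                and tokens[3] == "filter"):
            filt = tokens[2] + "/" + tokens[4]
            rest = tokens[5:]
            if rest == ["promote", "gre-key"]:
                promoted.add(filt)
            elif rest[0] == "term" and rest[2:4] == ["from", "gre-key"]:
                gre_key_filters.add(filt)

        # Features the notes say are supported only with enhanced-mode.
        if not enhanced:
            for name, top, keywords in ENHANCED_MODE_FEATURES:
                if tokens[0] == top and keywords & set(tokens[1:]):
                    findings.add(("needs-enhanced-mode", name))

    # Per the NOTE above, such a filter makes the commit fail.
    for filt in gre_key_filters - promoted:
        findings.add(("gre-key-without-promote", filt))
    return sorted(findings)


if __name__ == "__main__":
    for rule, subject in audit(SAMPLE_CONFIG):
        print(rule, subject)
```
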
Routing Protocols
•
Support for IS-IS Flooding Groups (PTX Series)—Starting with Junos OS Release
15.1F5 and 16.1R2, you can configure flooding groups with IS-IS. This feature limits
Link State PDU (LSP) flooding over IS-IS interfaces.
A non self-originated LSP will be flooded only through the interface belonging to the
flood group that has the configured area ID in the LSP. It helps to minimize the routes
and topology information, thus ensuring optimal convergence. You can segregate both
level 1 and level 2 networks into flood groups by using area IDs as tags to identify a
flood group. Configure interfaces with specific area IDs to modify the flooding behavior
as per your requirements.
To enable an IS-IS flooding group, include the flood-group flood-group-area-ID statement
at the [edit protocols isis interface] hierarchy level.
•
Support for Bidirectional Forwarding Detection protocol intervals (PTX3000 and
PTX5000)—Starting in Junos OS Release 16.1R2, longer configuration ranges for
Bidirectional Forwarding Detection (BFD) protocol intervals are supported on PTX
Series routers that have third-generation FPCs installed.
NOTE: The longer configuration ranges are supported only when the
enhanced-mode statement is configured at the [edit chassis
network-services] hierarchy level.
Services Applications
•
Support for inline-jflow (PTX Series routers with third-generation FPCs)—Starting
in Junos OS Release 16.1R2, you can use inline-jflow’s export capabilities with IP Flow
Information Export (IPFIX) to define a flow record template suitable for IPv4 or IPv6
traffic on PTX Series routers that have third-generation FPCs installed.
Release 16.1R1 New and Changed Features
Hardware
•
New Routing Engine RE-PTX-X8-64G (PTX5000)—Starting in Junos OS Release
16.1, the Routing Engine RE-PTX-X8-64G is supported on PTX5000 routers. This
Routing Engine has an increased computing capability and scalability to support the
rapid rise in the data plane capacity. The Routing Engine is based on a modular
virtualized architecture and leverages the hardware-assisted virtualization capabilities.
The Routing Engine has a 64-bit CPU and supports a 64-bit kernel and 64-bit
applications. With its multicore capabilities, the Routing Engine supports symmetric
multiprocessing in the Junos OS kernel and hosted applications.
NOTE: The Routing Engine RE-PTX-X8-64G is supported only on the new
Control Board CB2-PTX.
•
New Control Board support (PTX5000)—Starting with Release 16.1, Junos OS supports
the Routing Engine RE-PTX-X8-64G with an enhanced Control Board (CB) on PTX5000
routers. The CB supports chassis management and 16 additional 10-Gigabit Ethernet
ports with small form-factor pluggable plus (SFP+) transceivers on the front panel of
the router to support multichassis applications.
The enhanced CB consists of the following components:
•
Ethernet switch used for intermodule communication
•
PCI Express bus to connect to the Routing Engine
•
PCI Express switch to connect to the SIBs
•
Switch Processor Mezzanine Board (SPMB)
•
High capacity single-phase AC PDU (PTX5000)—In Junos OS Release 16.1, a
single-phase AC power distribution unit (PDU)—PDU2-PTX-AC-SP—is introduced to
provide power to the PTX5000 chassis. The PDU provides a single-phase AC input
connection from the customer’s AC source, an I/O interface to the power supply
modules (PSMs), and a DC power connection to the system midplane. The PDU is
powered by either eight 30-A or eight 20-A single-phase sources. Each of the eight
PSMs connected to the AC PDU receives single-phase input.
Class of Service (CoS)
•
Support for shaping of the traffic exiting a physical interface (PTX Series)—Beginning
with Junos OS Release 16.1R1, you can shape the output traffic of an FPC1 or FPC2
physical interface on a PTX Series packet transport router so that the interface transmits
less traffic than it is physically capable of carrying. Shaping on a PTX Series packet
transport router interface has a minimum rate of 1 Gbps and an incremental granularity
of 0.1 percent of the physical interface speed after that (for example, 10 Mbps
increments on a 10 Gbps interface). You can shape the output traffic of a physical
interface by including the shaping-rate statement at the [edit class-of-service interfaces
interface-name] or [edit class-of-service traffic-control-profiles profile-name] hierarchy
level and applying the traffic control profile to an interface.
[See shaping-rate (Applying to an Interface).]
General Routing
•
Support for virtualization on RE-PTX-X8-64G (PTX5000)—Starting with Junos OS
Release 15.1F3 and 16.1R1 the Routing Engine RE-PTX-X8-64G for PTX5000 supports
virtualization.
Virtualization enables the router to support multiple instances of Junos OS and other
operating systems on the same Routing Engine. However, for Junos OS Release 15.1F3,
one instance of Junos OS, which runs as a guest operating system, is launched by
default. The user needs to log in to this instance for operations and management. For
information, see RE-MX-X6, RE-MX-X8, RE-PTX-X8 and RCBPTX with VM Host Support.
With virtualization of the Routing Engine, Junos OS supports new request and show
commands associated with host and hypervisor processes. The commands are related
to:
•
Reboot, halt, and power management for the host
•
Software upgrade for the host
•
Disk snapshot for the host
Junos OS XML API and Scripting
•
Support for Python language for commit, event, op, and SNMP scripts (PTX
Series)—Starting in Junos OS Release 16.1, you can author commit, event, op, and
SNMP scripts in Python on devices that include the Python extensions package in the
software image. Creating automation scripts in Python enables you to take advantage
of Python features and libraries, as well as leverage Junos PyEZ APIs supported in Junos
PyEZ Release 1.3.1 and earlier releases, to perform operational and configuration tasks
on devices running Junos OS. To enable execution of Python automation scripts, which
the root user must own, configure the language python statement at the [edit system
scripts] hierarchy level, and configure the filename for the Python script under the
hierarchy level appropriate to that script type. Supported Python versions include
Python 2.7.x.
[See Understanding Python Automation Scripts for Devices Running Junos OS.]
Management
•
YANG module that defines CLI formatting for RPC output (PTX Series)—Starting
with Junos OS Release 16.1, Juniper Networks provides the junos-extension-odl YANG
module. The module contains definitions for Junos OS Output Definition Language
(ODL) statements, which determine the CLI formatting for RPC output when you
execute the operational command corresponding to that RPC in the CLI or when you
request the RPC output in text format. You can use statements in the
junos-extension-odl module in custom RPCs to convert the XML output into a more
logical and human-readable representation of the data. The junos-extension-odl module
is bound to the namespace URI http://yang.juniper.net/yang/1.1/jodl and uses the
prefix junos-odl.
[See Understanding Junos OS YANG Extensions for Formatting RPC Output.]
•
YANG module that defines Junos OS operational commands (PTX Series)—Starting
with Junos OS Release 16.1, Juniper Networks provides the juniper-command YANG
module, which represents the operational command hierarchy and collective group of
modules that define the remote procedure calls (RPCs) for Junos OS operational mode
commands. You can download Juniper Networks YANG modules from the website, or
you can generate the modules by using the show system schema format yang module
juniper-command operational command on the local device. The juniper-command
module is bound to the namespace URI http://yang.juniper.net/yang/1.1/jrpc and uses
the prefix jrpc.
[See Understanding the Juniper Networks YANG Modules for Operational Commands.]
MPLS
•
Explicit notifications for pseudowire termination (PTX Series routers)—Starting in
Junos OS Release 15.2, this feature enables you to provide notifications on the service
node when the access pseudowire goes down and provide efficient termination
capabilities, when Layer 2 and Layer 3 segments are interconnected. This also provides
termination of pseudowire into VRF and VPLS routing instance without pseudowire
redundancy, which includes:
•
Termination of access pseudowire into virtual routing and forwarding (VRF)
•
Termination of access pseudowire into virtual private LAN service (VPLS) instance
•
Packet Forwarding Engine fast reroute for P2MP link-protection (PTX Series)—
Starting with Junos OS Release 16.1, fast reroute (FRR) is enabled within the Packet
Forwarding Engine on detection of link failure of the primary path of a
point-to-multipoint (P2MP) sub-LSP, thereby reducing traffic loss. This support is
provided for FPC1 and FPC2 of PTX Series routers.
•
RSVP scalability (PTX Series)—Starting with Junos OS Release 16.1, RSVP traffic
engineering (RSVP-TE) protocol extensions for fast reroute (FRR) facility protection
are introduced to allow greater scalability of LSPs and faster convergence times.
RSVP-TE runs in enhanced FRR profile mode by default and includes FRR extensions
as defined in RFC 2961. In mixed environments, where a subset of LSPs traverse nodes
that do not include this feature, RSVP-TE behavior is unchanged—backward
compatibility is fundamentally supported in the design.
•
Fast branch updates to existing point-to-multipoint LSPs (PTX Series with
first-generation and second-generation FPCs)—Beginning with Junos OS Release
16.1, fast branch updates, also known as fast make-before-break (MBB), is supported
by default on PTX Series routers. This feature allows changes to existing
point-to-multipoint LSPs by performing incremental additions to the existing binary
replication tree. Because the original binary tree is intact, no traffic loss is expected
over the existing branches.
•
For point-to-multipoint LSPs, protect the Packet Forwarding Engine from bandwidth
saturation (PTX Series with first-generation and second-generation FPCs)—When
a Packet Forwarding Engine does not need to replicate traffic, the Packet Forwarding
Engine's bandwidth is less likely to become saturated. When you include the
no-mcast-replication statement at the [edit chassis fpc slot-number pic slot-number
port port-number] hierarchy level, the Packet Forwarding Engine is forced to be a leaf
node in the multicast binary tree. Leaf nodes, unlike branch nodes, do not replicate
traffic in the process of forwarding traffic. Because leaf nodes have no children, they
do not need to replicate traffic, and therefore they are less likely to become saturated
with traffic.
•
Support for MPLS Transport Profile (PTX Series with first generation and second
generation FPCs)—The MPLS Transport Profile (MPLS-TP) introduces new capabilities
for Operations, Administration, and Management (OAM) when MPLS is used for
transport services and transport network operations. These capabilities include a
generic mechanism to send OAM messages. This mechanism contains two main
components:
Generic Alert Label (GAL)—A special label that enables an exception mechanism that
informs the egress label-switching router (LSR) that a packet it receives on an LSP
belongs to an associated control channel or the control plane.
Generic Associated Control Channel Header (G-Ach)—A special header field that
identifies the type of payload contained in the MPLS label-switched paths (LSPs).
G-Ach has the same format as a pseudowire associated control channel header.
For more information about MPLS-TP, see RFC 5654, Requirements of an MPLS
Transport Profile. For more information about GAL and G-Ach, see RFC 5586, MPLS
Generic Associated Channel.
The following capabilities are supported in the Junos OS implementation of MPLS-TP:
•
MPLS-TP OAM can send and receive packets with GAL and G-Ach, without IP
encapsulation.
•
Two unidirectional RSVP LSPs between a pair of routers can be associated with
each other to create an associated bidirectional LSP for binding a path for the GAL
and G-Ach OAM messages. The associated bidirectional LSP model is supported
only for associating the primary paths. A single Bidirectional Forwarding Detection
(BFD) session is established for the associated bidirectional LSP.
The current Junos OS implementation of MPLS-TP does not support:
•
P2MP RSVP LSPs and BGP LSPs
•
Loss Measurement (LM) and Delay Measurement (DM)
[See Configuring the MPLS Transport Profile for OAM.]
•
MPLS-TP enhancements for on-demand connectivity verification (PTX Series with
FPC1 and FPC2 interfaces)—Starting with Junos OS Release 16.1, the MPLS Transport
Profile supports two additional channel types for the default LSPING channel type.
These additional channel types provide on-demand connectivity verification (CV) with
and without IP/UDP encapsulation.
With this feature, the following channel types are supported in the MPLS-TP mode:
•
On-demand CV (0x0025)—This channel type is a new pseudowire channel type
and is used for on-demand CV without IP/UDP encapsulation, where IP addressing
is not available or non-IP encapsulation is preferred.
•
IPv4 (0x0021)—This channel type uses the IP/UDP encapsulation and provides
interoperability support with other vendor devices using IP addressing.
•
LSPING (0x0008)—This is the default channel type for Junos OS, and the GACH-TLV
is used along with this channel type.
As per RFC 7026, GACH-TLV is deprecated for 0x0021 and 0x0025 channel types.
To configure a channel type for MPLS-TP, include the lsping-channel-type channel-type
statement at the [edit protocols mpls label-switched-path lsp-name oam mpls-tp-mode]
and [edit protocols mpls oam mpls-tp-mode] hierarchy levels.
Network Management and Monitoring
•
Support for RFC 4878 (PTX Series)—Starting with Release 16.1, Junos OS supports
IETF standard RFC 4878, Definitions and Managed Objects for Operations, Administration,
and Maintenance (OAM) Functions on Ethernet-Like Interfaces.
To enable generation of SNMP traps, dot3OamThresholdEvent and
dot3OamNonThresholdEvent, you must configure the new dot3oam-events statement
at the [edit snmp trap-groups <group-name> categories] hierarchy level.
NOTE:
• Junos OS does not support the dot3oamFramesLostDueToOam object in
the dot3OamStatsEntry table. In addition, Junos OS does not support the
SNMP set operations for the OAM MIBs.
• On an aggregated Ethernet bundle, if link fault management (LFM) is
configured, you must perform SNMP operations individually for each
interface in the Aggregated Ethernet bundle because most of the OAM
MIB tables are maintained only for member interfaces in the Aggregated
Ethernet bundle.
•
Support for Entity State MIBs (PTX Series)—Starting with Junos OS Release 16.1,
support for IETF standard RFC 4268, Entity State MIB, is extended to the PTX Series.
Junos OS provides only read-only support to Entity State MIBs.
[See SNMP MIB Explorer.]
•
Support for RFC 5132, IP Multicast MIB (PTX Series)—Starting with Junos OS Release
16.1, Junos OS supports tables and objects defined in RFC 5132, IP Multicast MIB, except
the ipMcastZoneTable table. RFC 5132, IP Multicast MIB, obsoletes RFC 2932, IPv4
Multicast Routing MIB.
•
SNMP MIB support for Ethernet OAM (PTX3000 and PTX5000)—SNMP MIB support
is enabled for Ethernet OAM on PTX3000 and PTX5000 routers. See Standard SNMP
MIBs Supported by Junos OS to view the standard MIBs (in IEEE 802.1ag, Connectivity
Fault Management and IEEE 802.1ap, Management Information Base (MIB) definitions
for VLAN Bridges) that are supported for Ethernet OAM.
•
New indicators for the jnxLEDState MIB (PTX 3000)—Starting with Release 16.1,
Junos OS introduces the following six new indicators for the jnxLEDState MIB object
in the jnxLEDEntry MIB table:
•
off—Offline, not running
•
blinkingGreen—Entering state of ok, good, normally working
•
blinkingYellow—Entering state of alarm, warning, marginally working
•
blinkingRed—Entering state of alert, failed, not working
•
blinkingBlue—Entering state of ok, online as an active primary
•
blinkingAmber—Entering state of offline, not running
•
Support for Agent Capabilities MIB (PTX Series)—Starting with Release 16.1, Junos
OS introduces the Agent Capabilities MIB, which provides information about the
implementation characteristics of an Agent subsystem in a network management
system. The MIB provides you details of the MIB objects and tables that are supported
by an Agent, the conformance and variance information associated with the managed
objects in the Agent, and the access level of each object. Currently, the Agent Capabilities
MIB is applicable only to the MPLS and multicast MIBs.
Routing Protocols
•
IS-IS purge originator identification TLV (PTX Series)—Beginning with Release 15.1F4,
Junos OS supports RFC 6232, Purge Originator Identification TLV for IS-IS, which defines
a type, length, and value (TLV) for identifying the origin of a purge initiated by the IS-IS
protocol. You can configure this feature to add this TLV to a purge, along with the
system ID of the Intermediate System (IS) that has initiated this purge. This makes it
easier to locate the origin of the purge and its cause.
[See IS-IS Purge Originator Identification Overview.]
•
LDP native IPv6 support (PTX Series)—Starting with Junos OS Release 16.1, LDP is
supported in an IPv6-only network and in an IPv6 and IPv4 dual-stack network. Configure
the address family as inet for IPv4 or inet6 for IPv6. By default, IPv6 is used as the TCP
transport for an LDP session with its peers when both IPv4 and IPv6 are enabled. The
dual-transport statement allows Junos OS LDP to establish the TCP connection over
IPv4 with IPv4 neighbors, and over IPv6 with IPv6 neighbors as a single-stack LSR.
inet-lsr-id and inet6-lsr-id are the two LSR IDs that have to be configured to establish
an LDP session over IPv4 and IPv6 TCP transport. These two IDs must be nonzero and
must be configured with different values.
System Logging
•
New configuration statement for filtering text string in system log messages (PTX
Series)—Starting with Junos OS Release 16.1, a new configuration statement,
match-string <string-name>, helps you display specified text strings in the system log
messages when using the show system syslog statement. The match-string
<string-name> configuration statement can be configured at the following hierarchy
levels:
•
edit system syslog file <file-name>
•
edit system syslog host <host-name>
•
edit system syslog user <user-name>
This statement can be configured along with the match <string-name> configuration
statement. The configuration reduces the CPU usage when the text string is filtered in
the system log messages.
[See match-string.]
User Interface and Configuration
•
Support for JSON format for configuration data (PTX Series)–Starting with Junos
OS Release 16.1, you can configure devices running Junos OS using configuration data
in JavaScript Object Notation (JSON) format in addition to the existing text, Junos XML,
and Junos OS set command formats. You can load configuration data in JSON format
in the Junos OS CLI by using the load (merge | override | update) json command or from
within a NETCONF or Junos XML protocol session by using the <load-configuration
format="json"> operation. You can load JSON configuration data either from an existing
file or as a data stream. Configuration data that is provided as a data stream must be
enclosed in a <configuration-json> element.
[See load, Defining the Format of Configuration Data to Upload in a Junos XML Protocol
Session, and Mapping Junos OS Configuration Statements to JSON.]
VPNs
•
New configuration statement to manage VCCV BFD session state (PTX
Series)—Starting with Junos OS Release 16.1, the ping-multiplier statement is introduced
to delay the virtual circuit connectivity verification (VCCV) Bidirectional Forwarding
Detection (BFD) session from going down by the specified number of LSP ping packets.
The VCCV BFD session is signaled down only after the specified number of LSP ping
packets are lost. This feature is supported for Layer 2 circuit, Layer 2 VPN, and VPLS
technologies.
To configure the LSP ping multiplier feature, include the ping-multiplier
number-of-packets statement at the [edit protocols l2circuit neighbor neighbor-address
interface interface-name oam], [edit routing-instances routing-instances-name protocols
l2vpn oam], and [edit routing-instances routing-instances-name protocols vpls oam]
hierarchy levels for Layer 2 circuit, Layer 2 VPN, and VPLS, respectively.
Related Documentation
•
Changes in Behavior and Syntax
•
Known Behavior
•
Known Issues
•
Resolved Issues
•
Documentation Updates
•
Migration, Upgrade, and Downgrade Instructions
•
Product Compatibility
Changes in Behavior and Syntax
This section lists the changes in behavior of Junos OS features and changes in the syntax
of Junos OS statements and commands in Junos OS Release 16.1R4 for the PTX Series.
•
Hardware
•
Authentication and Access Control
•
Forwarding and Sampling
•
Interfaces and Chassis
•
Junos OS XML API and Scripting
•
Management
•
Routing Policy and Firewall Filters
•
Routing Protocols
•
Services Applications
•
Software Installation and Upgrade
•
System Logging
•
User Interface and Configuration
Hardware
•
Powering on offline FPCs (PTX5000)—Beginning in Junos OS Release 16.1, offline
FPCs do not come online during reboots or other power management events. To bring
such an FPC online:
1. Delete the fpc fpc-slot power off statement from the [edit chassis] hierarchy level,
if that statement is configured, and commit the configuration.
2. Either issue the request chassis fpc online slot fpc-slot operational-mode CLI
command or press and hold the FPC ONLINE/OFFLINE button for about 5 seconds
until the green OK LED next to the button lights steadily.
Authentication and Access Control
•
Starting in Junos OS Release 16.1R1, deny-password is the default option for the system
services ssh root-login statement, which configures root login through SSH to control
user access. In previous releases, system services ssh root-login allow was the default
option. You must now explicitly configure the set system services ssh root-login allow
option to allow users to log in to the device as root through SSH.
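The following added example (not Juniper code) audits a device configuration in set format before an upgrade and reports whether the effective root-login value changes because of the new default. The sample configurations are constructed, the function names are hypothetical, and the release comparison assumes that any release string numbered 16.1 or higher counts as 16.1R1 or later.

```python
import re

# Matches an explicit root-login statement in "set" format configuration.
ROOT_LOGIN_RE = re.compile(
    r"^\s*set\s+system\s+services\s+ssh\s+root-login\s+(\S+)\s*$"
)

# Constructed sample configurations (not taken from a real device).
CONSTRUCTED_IMPLICIT = """\
set system host-name lab-ptx-1
set system services ssh protocol-version v2
"""
CONSTRUCTED_EXPLICIT = """\
set system host-name lab-ptx-2
set system services ssh root-login allow
"""


def release_key(release):
    """Return (major, minor) for a release string such as '15.1F4' or '16.1R4'."""
    m = re.match(r"(\d+)\.(\d+)", release.strip())
    if not m:
        raise ValueError(f"unrecognised release string: {release!r}")
    return int(m.group(1)), int(m.group(2))


def default_root_login(release):
    """Default per the release note: deny-password from 16.1R1, allow before.

    Assumption: every release numbered 16.1 or higher is 16.1R1 or later.
    """
    return "deny-password" if release_key(release) >= (16, 1) else "allow"


def effective_root_login(set_config, release):
    """Return (value, is_explicit) for the root-login setting."""
    explicit = None
    for line in set_config.splitlines():
        m = ROOT_LOGIN_RE.match(line)
        if m:
            explicit = m.group(1)  # a later set statement replaces an earlier one
    if explicit is not None:
        return explicit, True
    return default_root_login(release), False


def upgrade_findings(set_config, current_release, target_release):
    """List what an operator should review before moving between releases."""
    findings = []
    before, explicit = effective_root_login(set_config, current_release)
    after, _ = effective_root_login(set_config, target_release)
    if not explicit and before != after:
        findings.append(
            "root-login is not configured: effective value changes from "
            f"'{before}' to '{after}' after the upgrade"
        )
    if explicit and after == "allow":
        findings.append(
            "root-login allow is explicitly configured: root SSH login stays enabled"
        )
    return findings


if __name__ == "__main__":
    samples = (("implicit", CONSTRUCTED_IMPLICIT), ("explicit", CONSTRUCTED_EXPLICIT))
    for name, cfg in samples:
        for finding in upgrade_findings(cfg, "15.1F4", "16.1R4"):
            print(f"{name}: {finding}")
```

A device that relied on the old implicit default is the case to catch: it has no root-login line to search for, so only the comparison of effective values reveals the change.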
Forwarding and Sampling
•
Deprecation of disable option (PTX3000)—Beginning in Junos OS Release 16.1, the
disable option has been deprecated at the [forwarding-options sampling instance
instance-name family (inet | inet6 | mpls)] hierarchy level on PTX3000 routers. When
configured, the option does not take effect, so packets continue to be sampled. Instead
of the disable option, use the deactivate forwarding-options sampling instance
instance-name family (inet | inet6 | mpls) command to prevent sampling.
[See disable (Forwarding Options).]
Interfaces and Chassis
•
Modified the default temperature threshold for FPC-SFF-PTX-P1-A (PTX Series)—In
Junos OS Release 16.1R1 and later, the default temperature threshold value for
FPC-SFF-PTX-P1-A is decreased to prevent yellow alarm, as shown in the following
example:
user@host> show chassis temperature-thresholds
                     Fan speed       Yellow alarm       Red alarm      Fire Shutdown
                    (degrees C)      (degrees C)       (degrees C)      (degrees C)
Item               Normal   High   Normal  Bad fan   Normal  Bad fan      Normal
FPC 0 PMB CPU          80     90       95       85      105       95         115
FPC 0 Exhaust          75     85       95       85      105       95         115
FPC 0 Intake           80     90       95       85      105       95         115
FPC 0 TL0              75     85       95       85      105       95         115
FPC 0 TQ0              75     85       95       85      105       95         115
FPC 0 TL1              75     85       95       85      105       95         115
FPC 0 TQ1              75     85       95       85      105       95         115
A yellow alarm is raised whenever the component temperature crosses the configured
temperature threshold value.
•
Message now displayed when SIB autohealing is complete (PTX3000 and
PTX5000)—Starting in Junos OS Release 16.1R4 and later, the show chassis fabric
errors autoheal command displays a message similar to the following output when
SIB autohealing is complete:
user@host> show chassis fabric errors autoheal
Mar 30 01:43:00
Error log of first 100 errors
Time
2016-03-29 23:46:23 PDT    Req: sib 0
2016-03-29 23:46:23 PDT    Action: SIB 0 (autohealing)
2016-03-29 23:54:52 PDT    Completed: SIB 0 (autoheal)
Junos OS XML API and Scripting
•
Changes to Python automation script execution requirements and access privileges
(PTX Series)—Starting in Junos OS Release 16.1R3, unsigned Python commit, event,
op, and SNMP scripts must be owned by either the root user or a user in the Junos OS
super-user login class, and only the file owner can have write permission for the file. In
Junos OS Release 16.1R2 and earlier releases, unsigned Python scripts must be owned
by the root user.
Furthermore, starting in Junos OS Release 16.1R3, you can execute Python automation
scripts using the access privileges of authorized users. Interactive Python scripts, such
as commit and op scripts, run with the access privileges of the user who executes the
command or operation that invokes the script. Noninteractive Python scripts, such as
event and SNMP scripts, by default, execute under the privileges of the *nix user and
group nobody. To execute the scripts under the access privileges of a specific user,
configure the python-script-user username statement at the [edit event-options
event-script file filename] hierarchy level for event scripts, or the [edit system scripts
snmp file filename] hierarchy level for SNMP scripts. In Junos OS Release 16.1R2 and
earlier releases, Python commit, event, op, and SNMP scripts are executed using the
access privileges of only the user and group nobody.
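The following added example (not Juniper code) checks script files against the 16.1R3 rule described above: the owner must be root or a super-user class account, and only the owner may have write permission. The function names and the allowed_owner_uids parameter are assumptions of this example; the caller supplies the UIDs of accounts known to be in the super-user login class, because file metadata alone does not show a user's login class.

```python
import os
import stat
import tempfile


def audit_unsigned_script(path, allowed_owner_uids=frozenset({0})):
    """Return the ownership and permission violations for one unsigned script.

    allowed_owner_uids is an assumption of this example: uid 0 (root) plus the
    uids of accounts the operator knows to be in the super-user login class.
    """
    st = os.stat(path)
    problems = []
    if st.st_uid not in allowed_owner_uids:
        problems.append(f"owner uid {st.st_uid} is not root or an approved super-user")
    # Only the file owner can have write permission.
    if st.st_mode & stat.S_IWGRP:
        problems.append("group has write permission")
    if st.st_mode & stat.S_IWOTH:
        problems.append("others have write permission")
    return problems


def audit_script_dir(directory, allowed_owner_uids=frozenset({0})):
    """Audit every *.py file in a directory; return {filename: [violations]}.

    Files that satisfy the rule are left out of the report.
    """
    report = {}
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        if name.endswith(".py") and os.path.isfile(full):
            problems = audit_unsigned_script(full, allowed_owner_uids)
            if problems:
                report[name] = problems
    return report


if __name__ == "__main__":
    # Constructed demonstration: build a scratch directory with one compliant
    # and one group-writable script, owned by the current user.
    with tempfile.TemporaryDirectory() as scratch:
        for name, mode in (("good_op.py", 0o644), ("loose_event.py", 0o664)):
            path = os.path.join(scratch, name)
            with open(path, "w") as handle:
                handle.write("# constructed sample script\n")
            os.chmod(path, mode)
        current_user = frozenset({os.getuid()})
        for name, problems in audit_script_dir(scratch, current_user).items():
            print(f"{name}: {'; '.join(problems)}")
```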
Management
•
Support for status deprecated statement in YANG modules (PTX Series)—Starting
with Junos OS Release 16.1R2, Juniper Networks YANG modules include the status
deprecated statement to indicate configuration statements, commands, and options
that are deprecated.
Routing Policy and Firewall Filters
•
Support for logical queue-depth in the Packet Forwarding Engine for IP options
packets for a given protocol (PTX Series)— Starting with Junos OS Release 16.1R1,
you can configure logical queue-depth in the Packet Forwarding Engine for IP options
packets for a given protocol. The queue-depth indicates the number of IP options
packets which can be enqueued in the Packet Forwarding Engine logical queue, beyond
which it would start dropping the packets.
Routing Protocols
•
BGP advertises inactive routes when advertise-inactive statement is not
configured—When BGP advertises a network layer reachability information (NLRI)
with a label, and the advertised route resides in an xxx.xxx.3 routing table such as inet.3,
Junos OS automatically advertises such inactive routes even if you have not configured
the advertise-inactive statement.
•
Change in default behavior of router capability (MX Series and PTX Series)—Starting
in Junos OS Releases 15.1F7, 16.1R4, 16.2R2, 16.1X65, and 17.1R1, and later, the router
capability type, length, and value (TLV) distribution flag (S-bit) that controls IS-IS
advertisements is reset so that the segment routing capable sub-TLV is propagated
throughout the IS-IS level and not advertised across IS-IS level boundaries.
Services Applications
•
Forwarding class and DSCP configuration for sampled packets (PTX Series)—Starting
with Junos OS Release 16.1R1, you can configure the forwarding class and the
Differentiated Services Code Point (DSCP) mapping that is applied to exported packets
for inline active flow monitoring. Configure forwarding-class class-name and dscp
dscp-value at the [edit forwarding-options sampling instance instance-name family (inet
| inet6) output flow-server hostname] hierarchy level.
The dscp-value range is 0 through 63 (the default is 0). When the same flow-server is
configured under both the inet and inet6 families in a sampling instance, use the same
dscp value for both flow-server appearances.
The dscp-value is overwritten by the CoS DSCP value if you configure dscp at the [edit
class-of-service] hierarchy level.
Software Installation and Upgrade
•
request system software add command options updated (PTX Series)—As of Junos
OS Release 16.1, the upgrade-with-config-format option in the request system software
add command is removed. The upgrade-with-config option applies to the file indicated.
Specify .text or .xml. The upgrade-with-config option does not accept files with the
extension .txt.
System Logging
•
Support for system log message: UI_SKIP_SYNC_OTHER_RE (PTX Series)—Starting
with Junos OS Release 16.1R1, configuration synchronization with a remote Routing
Engine is skipped when the configuration is already in sync with another Routing Engine
with database revision.
NOTE: This system log message is generated when the graceful Routing
Engine switchover feature is enabled.
This system log message reports an event, not an error, and has notice as Severity and
LOG_AUTH as Facility.
User Interface and Configuration
•
output-file-name option for show system schema command is deprecated (PTX
Series)—Starting with Junos OS Release 16.1, the output-file-name option for the show
system schema operational command is deprecated. To direct the output to a file, use
the output-directory option and specify the directory. By default, the filename for the
output file uses the module name as the filename base and the format as the filename
extension. If you also include the module-name option in the command, the specified
module name is used for both the name of the generated module and for the filename
base for the output file.
[See show system schema.]
•
New default implementation for serialization for JSON configuration data (PTX
Series)—Starting with Junos OS Release 16.1, the default implementation for
serialization for configuration data emitted in JavaScript Object Notation (JSON) has
changed. The new default is as defined in Internet drafts
draft-ietf-netmod-yang-json-09, JSON Encoding of Data Modeled with YANG, and
draft-ietf-netmod-yang-metadata-06, Defining and Using Metadata with YANG.
[See Mapping Junos OS Configuration Statements to JSON.]
•
Integers in configuration data in JSON format are displayed without quotation marks
(PTX Series)—Starting in Junos OS Release 16.1R4, integers in Junos OS configuration
data emitted in JavaScript Object Notation (JSON) format are not enclosed in quotation
marks. Prior to Junos OS Release 16.1R4, integers in JSON configuration data were
treated as strings and enclosed in quotation marks.
Related Documentation
•
New and Changed Features
•
Known Behavior
•
Known Issues
•
Resolved Issues
•
Documentation Updates
•
Migration, Upgrade, and Downgrade Instructions
•
Product Compatibility
Known Behavior
This section contains the known behavior, system maximums, and limitations in hardware
and software in Junos OS Release 16.1R4 for PTX Series.
For the most complete and latest information about known Junos OS defects, use the
Juniper Networks online Junos Problem Report Search application.
•
General Routing
General Routing
•
The temperature conditions of the Routing Engine FRU for RE-PTX-X8 are now
displayed correctly. The show chassis zones command now displays the accurate
temperature conditions.
•
The date and time zones are synchronized from the admin guest Junos OS to host OS
on the PTX5000 router and use the same time zones. Therefore, there is no difference
in the timestamp in system log files of Junos OS and the host OS.
Related Documentation
•
New and Changed Features
•
Changes in Behavior and Syntax
•
Known Issues
•
Resolved Issues
•
Documentation Updates
•
Migration, Upgrade, and Downgrade Instructions
•
Product Compatibility
Known Issues
This section lists the known issues in hardware and software in Junos OS Release 16.1R4
for the PTX Series.
For the most complete and latest information about known Junos OS defects, use the
Juniper Networks online Junos Problem Report Search application.
•
General Routing
•
Interfaces and Chassis
•
Multiprotocol Label Switching (MPLS)
•
Routing Protocols
General Routing
•
On PTX Series platforms with PIM configured and traffic flows, the following harmless
error messages might be seen continuously upon restarting routing or clearing a PIM
join:
[LOG: Err] jbwy_fw_plct_free_cntr : 1117 Not able to find the cntr from list
[LOG: Err] bwy_rt_free_stats_counters: jbwy_fw_plct_free_cntr failed 7
[LOG: Err] jbwy_fw_plct_free_cntr : 1117 Not able to find the cntr from list
[LOG: Err] bwy_rt_free_stats_counters: jbwy_fw_plct_free_cntr failed 7
[LOG: Err] bwy_rt_cntr_stats_alloc: counter allocation failed for prefix 225.0.1.1.11.1.1.2/64 for sgiif status 7
PR1004510
•
On PTX Series platforms, if there are scaling configurations on a single interface (for
example, 5,000 routes and each of them has 64 ECMP paths configured) and an L2
rewrite profile is applied for the interface, then the FPC might crash when deactivating
and then activating the CoS configuration of the interface. PR1096958
•
PTX 100GbE-LR4 interfaces might flap when the reference clock switches over from
"line clock" to "holdover" initiated by offlining the PIC, where the "line clock" sources
reside. When the PTX Series line card uses "line clock" sources and when it does not
have any external clocks from BITS-a or BITS-b, offlining the PIC, which is recovering
clock from line, brings "line clock" down and the reference clock is switched from "line
clock" to "holdover". This reference clock transition might cause a large clock
phase-shift in the 100GbE-LR4 CFP modules. This phase-shift might cause the output
optical pulse waveform distortion on the 100GbE-LR4 interfaces. Hence, it results in
interface flap. This issue cannot be fixed by software because of hardware limitations.
PR1130403
•
Under certain conditions in a PTX Series platform with a non-next generation Routing
Engine (RE), the master RE might fail to relinquish the mastership upon Control Board
(CB) internal switch failure. PR1132557
•
On PTX Series platforms with FPC3, the octets of IPv4 source and destination addresses
in the firewall log are listed in reverse; this might affect troubleshooting. The IPv6 log
works fine. This is a minor issue, and there is no other service impact. PR1141495
•
On PTX10008 switches, when you disable one Layer 3 ECMP member link, IPv6 traffic
loss might occur for more than 10 seconds. PR1144847
•
On a PTX5000, after plugging a QSFP28 PIC (15x100GE/15x40GE/60x10GE QSFP+
PIC) into an FPC-P1, you might see 100% CPU usage on the FPC. PR1158640
•
When all of the following conditions are met, forwarding traffic disruption for 2 to 5
minutes might be observed on a PTX5000 dual Routing Engine system:
- GRES (Graceful Routing Engine Switchover) attribute is configured.
- Two Routing Engines are functional and the router is forwarding traffic as expected.
- No software notification for Routing Engine switchover is issued.
- A Routing Engine that is running as the master Routing Engine is unmounted from the
chassis by manually pulling the Routing Engine board from the chassis Routing Engine slot.
- The second Routing Engine detects this and takes control of the chassis as the new
master Routing Engine.
This is due to a delay in software on the Packet Forwarding Engines in trying to establish
a software connection with the new master Routing Engine that is still installed on the
chassis. As a result, the Packet Forwarding Engines might reboot, which causes forwarding
traffic disruption for 2 to 5 minutes. Traffic forwarding recovers when the Packet
Forwarding Engine software boots up and establishes a software connection with the new
master Routing Engine. PR1165925
•
While upgrading from 15.1F-based images to 16.x and later images, or downgrading
from 16.x+ images to 15.1F-based images, if the validate option is enabled, there might
be a chassisd crash and upgrade or downgrade will fail. This issue should not be seen
if both the base and target images are from the 15.1F train or the 16.x and later train.
PR1171652
•
During a GRES, SIB 8 is getting offline or online. This problem is seen only in the Junos
OS Release 16.1X70-D10 branch. It is not observed in Release 16.1 or 15.1F. PR1194995
•
For a large payload size, export will happen only if the ingress and egress MTU of all
devices in the route are set larger than the actual packet size (payload size + header
size) until the packet gets fragmented. PR1200107
•
On PTX Series routers, when a SIB is ungracefully removed while traffic is flowing
through it, some fabric traffic will get dropped and alarms will occur. The alarm can
be seen in the show chassis alarms output. It would appear as FPC <X> Major Errors PE Error code: 0x2101aa.
The alarm should get cleared when the SIB offline is completed.
The error history or state can be seen under the show chassis fpc errors (Major:
Occurred/Cleared columns). For example, see the following:
user@host> show chassis fpc errors
FPC  Level  Occurred  Cleared  Threshold  Action-Taken  Action
7    Minor  0         0        10         0             LOG|
     Major  13        13       1          28            GET STATE|ALARM|
     Fatal  0         0        1          0             DISABLE PFE
Pfe-State: pfe-0 -ENABLED | pfe-1 -ENABLED | pfe-2 -ENABLED | pfe-3 -ENABLED | pfe-4 -ENABLED | pfe-5 -ENABLED |
PR1202020
•
Major errors might be seen on MPC3/FPC3 with 1X100 and 5x100 DWDM MIC/PIC.
user@host> show chassis alarms no-forwarding
1 alarms currently active
Alarm time Class Description
<timestamp> Major FPC 3 Major Errors
The following messages are seen in the logs:
fpc3 Cmerror Op Sub Set: 5-port 100G DWDM MIC/PIC : 5-port 100G DWDM MIC/PIC(3/0) link 0 : DSP loss of lock
fpc3 Cmerror Op Sub Set: 5-port 100G DWDM MIC/PIC : 5-port 100G DWDM MIC/PIC(3/0) link 0 : DFE tuning failed
alarmd[16241]: Alarm set: FPC color=RED, class=CHASSIS, reason=FPC 3 Major Errors
craftd[15906]: Major alarm set, FPC 3 Major Errors
PR1212089
•
In a PTX Series router, the CoS classifier is always based on the outermost IP header. In
this case, the GRE encapsulation IP header has only one DSCP value (zero), and hence
the classification will be only forwarding class zero (which is best-effort). PR1228331
•
This is a day-one behavior. When traffic flows from multiple ingress PFEs to a single
egress PFE and the scheduler assignment has an extreme rate distribution (a very high
rate for one queue compared to the others), the queue configured with the high rate might
not get its full share of the configured Tx-rate. This is due to the small size of the OQB
on the GS scheduler (an ASIC property). Achieving the configured rate might require
assigning higher credits to GS, which requires more fine-tuning and a complete regression
test. Supporting such an unrealistic corner case requires more soaking time, so this
behavior is release-noted for 17.1R1. PR1241291
Interfaces and Chassis
•
The first byte of the trail trace identifier (TTI) SAPI/DAPI is fixed as all zeros as per the
G.709 recommendations. But in the current Junos OS implementation, the first byte
of SAPI/DAPI is encoded with whatever value is configured, and there is no way to
set it to "0". PR1176036
Multiprotocol Label Switching (MPLS)
•
Old mbb instance not getting deleted for ~10 mins after an mbb switch over with
'optimize-adaptive-teardown p2p' command configured PR1172763
Routing Protocols
•
When there are two paths for the same route, the route gets pointed to a unilist next
hop which in turn gets pointed to two separate unicast next hops. The route is
determined by OSPF and you have BFD enabled on one of the paths, which runs through
an l2circuit path. When the link on the l2circuit gets cut, the link flap is informed by BFD
as well as through OSPF LSAs. Ideally the BFD should inform the link down event before
the OSPF LSA. But in the current situation, the OSPF LSAs update the event a second
before BFD. For this reason, you do get the route to be pointing to a new unilist next
hop with the weights swapped. But the unicast next hop for which the L3 link is down,
gets added to the unilist next hop, the BFD assumes the link to be up, and hence updates
the weights inappropriately and hence we do see traffic loss. Once the BFD link down
event is processed at OSPF protocol level, the route points to only unicast next hop
and hence you do see traffic flowing through the currently active link. The traffic outage
would be hardly for less than a second during FRR. Also, this can be avoided if the BFD
keepalive intervals are maintained around 50 ms with a multiplier of 3 as opposed to
100 ms with a multiplier of 3. PR1119253
•
If an IPv6 default route is configured, after issuing the offline or online FPC command,
the IPv6 default route might not be seen in the IS-IS route table, and this might cause
IPv6 traffic loss. PR1159482
Related Documentation
•
New and Changed Features
•
Changes in Behavior and Syntax
•
Known Behavior
•
Resolved Issues
•
Documentation Updates
•
Migration, Upgrade, and Downgrade Instructions
•
Product Compatibility
Documentation Updates
There are no errata or changes in Junos OS Release 16.1R4 for PTX Series.
Related Documentation
•
New and Changed Features
•
Changes in Behavior and Syntax
•
Known Behavior
•
Known Issues
•
Resolved Issues
•
Migration, Upgrade, and Downgrade Instructions
•
Product Compatibility
Resolved Issues
This section lists the issues fixed in the Junos OS main release and the maintenance
releases. The identifier following the description is the tracking number in the Juniper
Networks Problem Report (PR) tracking system.
•
Resolved Issues:16.1R4
•
Resolved Issues:16.1R3
•
Resolved Issues:16.1R2
•
Resolved Issues:16.1R1
Resolved Issues:16.1R4
General Routing
•
The OK LED on the Control Board (CB) does not light up in the following scenarios:
1. You insert only one RE/CB on the router and power on. Only the Master LED is glowing, but
not the OK LED.
2. The test is done with either RE/CB on slot 0 or slot 1, leaving the
other slot empty.
3. When both slots have the RE/CB inserted, the problem is not seen.
Master and OK LED light up on the master CB, and the backup CB has the OK LED lit
up.
Engineering is debugging this cosmetic issue. PR1115148
•
The clear services accounting flow command should not be used in Junos OS Release
15.1F4 or 15.1F5 on inline J-flow on PTX5000 routers. This command is specific to J-flow
and is not supported in these releases. PR1117181
•
A rare race condition in which multiple interrupts are not handled properly on MX
platform with MPC7E/MPC8E/MPC9E and PTX platform with
FPC3-PTX-U2/FPC3-PTX-U3 could lead to a core file. It is hard to reproduce.
The interrupt code is optimized to avoid the unnecessary call to prevent the issue.
PR1208536
•
Power budget values for PTX5000 chassis, FPC, and PICs have been revised. For
routers operating on limited power, this can change the point where alarms for
power-over-budget or insufficient power are raised or cleared. PR1216404
•
The options accepted for "set chassis fpc <n> license-mode" configuration of PTX
FPC3 are changed to "IR" and "R". PR1221096
•
A higher number of QoS drops may be seen during large micro-bursts of traffic on the
low priority queues on PTX FPC3 than FPC1 or FPC2. This is due to the delay bandwidth
buffer being reduced to ~64ms on the PTX FPC type 3 versus ~200ms on PTX FPC
type 1 or 2. PR1223440
•
PTX FPC3 might receive noise on the FPC console port and interpret it as valid signals.
This might cause login failures on the console port, core files, or even reloads. PR1224820
•
When a PTX Series router has inline J-flow configured, and the interfaces where
sampling is configured are receiving TCP traffic, "DMA - memory map failed" error
messages might be reported by the FPC3-PTX-U2 card. PR1227687
•
In a third-generation PTX3000 system (PTX3K + FPC3 + SIB3), due to a timing issue,
the 10x100GE PIC might not come online upon an FPC restart and will remain offline with
the "FPC X PIC 0 Failure" message seen in alarms. The user needs to manually bring the
PIC online for recovery. This issue is fixed in 15.1F6-S3, 16.1R3-S1, 16.1R4, 16.2R2, and
subsequent releases. PR1236048
Class of Service (CoS)
•
The following error log message might be seen with hierarchical CoS and strict-high
scheduling configured:
Dec 27 11:08:02.293 mand-re0 fpc1 cos_check_temporal_buffer_status: IFD ge-1/2/1 IFL 358: Delay buffer computation incorrect.
If hierarchical scheduler is configured for an IFD and if guaranteed rate is
not set for an IFL under this IFD, then the temporal buffer configured The display of the
error message is valid when the guaranteed rate is '0', but it is not valid when the
guaranteed rate is disabled. PR1238719
Platform and Infrastructure
•
In a very rare scenario, during a TAC accounting configuration change, the auditd process
crashes due to a race condition between auditd and its sigalarm handler. PR1191527
•
A MIB file was updated to use official names of released products only. No queryable
objects were changed. PR1219906
Routing Protocols
•
If labels change frequently, the stale label deletion is postponed, which can potentially
exhaust the label space. PR1211010
•
On all platforms, if MPLS goes down due to a link flap or an FPC reboot or restart, an
rpd core could be seen. PR1228388
Resolved Issues: 16.1R3
General Routing
•
On PTX Series platforms with FPC type 1 and FPC type 2, a problem with the ASIC in
the FPC might cause the FPC to be disconnected from the Routing Engine.
PR1207153
•
A vulnerability in IPv6 processing has been discovered that might allow a specially
crafted IPv6 Neighbor Discovery (ND) packet to be accepted by the router rather than
discarded. The crafted packet, destined to the router, will then be processed by the
Routing Engine. A malicious network-based packet flood, sourced from beyond the
local broadcast domain, can cause the Routing Engine CPU to spike, or cause the DDoS
protection ARP protocol group policer to engage. When this happens, the DDoS policer
might start dropping legitimate IPv6 neighbors as the legitimate ND times out. Refer
to JSA10749 for more information. PR1207527
•
On PTX Series routers, when an FPC 1 or 2 is restarted, CoS profiles can be applied
incorrectly to certain VOQs. This can lead to RED drops on those VOQs for traffic that
enters the router on the restarted FPC. PR1211509
•
In some conditions where the fan tray is not properly seated in PTX Series routers, the
present PIN from the fan tray might not be detected, and the Fan tray is declared Absent
in the output of the command show chassis environment. However, the alarm for this
condition is not raised under show chassis alarms if the alarm is to be raised during a
system reboot. PR1216335
•
Power budget values for PTX 5000 chassis, FPC, and PICs have been revised. For
routers operating on limited power, this can change the point where alarms for
power-over-budget or insufficient power are raised or cleared. PR1216404
Infrastructure and Platform
•
Unified ISSU will fail when trying to upgrade from 15.1F6 to 16.1 images and
higher. PR1187779
MPLS
•
After MBB, the new LSP does not have an explicit route. This behavior happens in the
MPLS-TP BFD environment. You can confirm this behavior in BFD packets’ drop pattern
and link down pattern. Both patterns indicate the same behavior. PR1207039
•
This behavior is specific to Junos OS Release 16.1. When an ingress-side link fails and
the LSP uses a bypass path, the LSR (DUT) cannot send the proper "RSVP RRO" even if the
egress-side topology changes. See the following example.
--- example ---
1. This is the initial state. The LSP's RRO has the Link A and Link B IP addresses.

              bypass                  bypass
              Link C                  Link D
      +--------------------+   +------------------+
      |                    |   |                  |
[Ingress LER]             [ LSR ]           [ Egress LER]
      |                    |   |                  |
      +--------------------+   +------------------+
              Link A                  Link B
           strict path             strict path

2. Link A is down. The LSP's RRO has the Link B and Link C IP addresses because the LSR
sends out an RSVP RESV including the proper RRO to the Ingress LER.

              bypass   RSVP RESV      bypass
              Link C   <-----+        Link D
      +--------------------+ | +------------------+
      |                    | | |                  |
[Ingress LER]             [ LSR ]           [ Egress LER]
      |                    |   |                  |
      +--------- X --------+   +------------------+
              Link A                  Link B
           strict path             strict path

3. Link B is down. The LSP's RRO has the Link B and Link C IP addresses because the LSR
does not send out an RSVP RESV including the proper RRO to the Ingress LER. (wrong)

              bypass   RSVP RESV      bypass
              Link C   <-----+        Link D
      +--------------------+ | +------------------+
      |                    | | |                  |
[Ingress LER]             [ LSR ]           [ Egress LER]
      |                    |   |                  |
      +--------- X --------+   +-------- X -------+
              Link A                  Link B
           strict path             strict path

PR1207862
Platform and Infrastructure
•
In a very rare scenario, during TAC accounting configuration change, the auditd daemon
crashes because of a race condition between auditd and its sigalarm handler. PR1191527
•
On PTX Series platforms with [chassis network-services enhanced-mode] configured,
the default policy junos-ptx-series-default is not loaded correctly in case of some
configuring operations, which causes BGP routes not to be installed in the forwarding
table as expected. To avoid this issue, reboot the router after any configuring operations
on network-services. PR1204827
User Interface and Configuration
•
When persist-groups-inheritance is configured and you issue a rollback, you might see
that the configuration is not propagated properly after a commit. PR1214743
Resolved Issues: 16.1R2
Forwarding and Sampling
•
SRRD (Sampling Route-Record Daemon) process does not delete routes when the
DELETE is received from RPD in a few configuration cases. This results in a build-up of
memory in the SRRD daemon, and once SRRD reaches the limit, it crashes and restarts
itself. This happens only when one certain family is not configured on all of the FPC
clients (e.g., FPC with inline J-Flow enabled or PIC with PIC-based sampling enabled
is one client). For example, only IPv4 family is configured in all the clients, and IPv6
and MPLS families are not configured for sampling in any of the clients. PR1180158
General Routing
•
On PTX Series platforms, when IPv6 routes at scale (for example, 2M) point to a single
next hop on FPC3, taking down the interface or taking offline the PIC that hosts the
port related to that next hop would crash the FPC. PR1129183
•
Link fault signaling messages are not logged on Gladiator FPCs on PTX Series platforms.
PR1132114
•
Due to incorrect implementation in the code, power consumption was not fetched
properly for the SIBs when using PTX PDU2. It has been fixed in 15.1R4, 15.1F6, 16.1.
user@host> show chassis power detail | match SIB
SIB 0 0 -------------------------->> No value
SIB 1 0 -------------------------->> No value
SIB 2 0 -------------------------->> No value
SIB 3 0 -------------------------->> No value
SIB 4 0 -------------------------->> No value
SIB 5 0 -------------------------->> No value
SIB 6 0 -------------------------->> No value
SIB 7 0 -------------------------->> No value
SIB 8 0 -------------------------->> No value
PR1156265
•
After FPC3 boots up on a PTX Series platform, the internal link communication between
some chips on the FPC might fail to establish and trigger a "Host Loopback Wedge"
error message. PR1171101
•
When upgrading or rebooting the router, the following logs might be seen in Junos OS
Release 15.1F5. There is no impact and they can be ignored. This is due to the fact that
agentd is trying to read the forwarding class entries at system boot time too early,
when they are not yet created. This has been fixed.
<..>
FILE SYSTEM CLEAN; SKIPPING CHECKS
clean, 9762157 free (813 frags, 1220168 blocks, 0.0% fragmentation)
tunefs: soft updates remains unchanged as disabled
chown: wheel: Invalid argument
Creating initial configuration...agent for all the telemetry sensors: COSD_CONF_OPEN_FAILURE: Unable to open: /var/etc/cosd.conf, using default CoS forwarding classes, do 'commit full' in CLI to avoid this message
agent for all the telemetry sensors: COSD_CONF_OPEN_FAILURE: Unable to open: /var/etc/cosd.conf, using default CoS forwarding classes, do 'commit full' in CLI to avoid this message
mgd: commit complete
PR1173137
•
In very rare cases, multiple Routing Engine switchovers may result in an SNGPMB crash.
PR1176094
•
When running interfaces on a QSFP28 PIC on PTX Series platforms in 40G or 100G mode,
some of the interfaces on the QSFP28 PIC may not come up after a system reboot.
This issue does not impact interfaces running in 10G mode. PR1176641
•
On PTX Series platforms with an FPC3 card, after a soft restart of the SIBs (through GRES,
or by performing "restart chassis-control immediately" if on the same Routing Engine)
followed by taking any SIB offline and online, traffic loss will be observed. PR1177652
•
Under excessive SIB yanking, an interface might become WEDGED, causing a permanent drop.
The workaround is to restart the related FPC. PR1177753
•
Running "show t6e-pic 0 avago" for a 15x100G QSFP28 PIC on the FPC vty crashes the FPC
with a ukern core. PR1181402
•
For FPC3 on PTX Series platforms, in rare scenarios, while restarting FPC, a PIC index
mismatch issue might result in FPC crash if it is configured with inline-JFlow. PR1183215
•
FPC might generate a core file dump when issuing clear threads and show threads
simultaneously. PR1184113
•
By default, SNMP caches SNMP values for 5 seconds. Sometimes the kernel caches
these values for a longer duration. This PR corrects the caching behavior. PR1188116
•
FPC might crash when framing wan-phy is configured for an et- interface of PIC
P1-PTX-24-10G-W-SFPP (10-Gigabit Ethernet LAN/WAN OTN PIC with SFP+).
PR1191224
•
In rare cases with Junos OS Release 15.1F5-S2, the Gladiator FPC may crash due to a
large number of route updates/deletes. PR1191982
•
SIB Link errors will be seen during GRES, when mixed FPC types are present with EIP
mode enabled. PR1192348
•
On PTX Series platforms, the SNMP trap jnxFruRemoval(CB) is generated when Bits
external clock is down/up, although "External Source Lock Acquired" message is
logged. The SNMP trap jnxFruRemoval(CB) is incorrect with Bits external clock
down/up. The problem is that "jnxFruRemoval" is used when the CB is not removed.
When the trap of "external clock acquired" is generated, the right SNMP trap is: Name:
"jnxExtSrcLockAcquired" OID: "1.3.6.1.4.1.2636.4.2.5". However, SNMP trap was
incorrectly reported as: Name: "jnxFruRemoval" OID: "1.3.6.1.4.1.2636.4.1.5". PR1195686
•
On PTX Series platforms with FPC3, if inline J-Flow is enabled with high scale of IPv4
and IPv6 routes and aggressive route flapping, it might trigger multi-service crash and
FPC reboot. PR1196793
•
When inline sampling is configured on a third-generation FPC on PTX Series platforms, a
debug message is logged without a debug command being turned on. PR1197695
•
The power usage for FPC type 3 units reported by the command "show chassis power
detail" is 5.8% higher than the correct figure. PR1205682
Infrastructure
•
When the kernel tries to collect statistics from a faulty FPC, it might trigger a kernel panic
due to an invalid response from the faulty FPC. There is no workaround. PR1185013
Interfaces and Chassis
•
When the speed of QSFP28-100GBASE-LR4/QSFP+-40G-LPBK PICs was configured at the chassis
hierarchy, DCD did not read the speed specified in (set chassis fpc <fpc> pic <pic> port
<port> speed <speed>). As a result, when IFDs created using this configuration
were added to an AE bundle along with IFDs of any other kind of PIC, DCD gave a
commit error. DCD was able to read the speed of the other IFDs in the AE bundle but was
not able to read the speed of the IFDs on the QSFP28 PIC, and hence complained about a
speed mismatch. Commit error: Interface ae0 with child links of mixed speed but link-speed
mixed is not configured. PR1167780
MPLS
•
Changing the configuration under both [ protocols pcep ] and [ protocols mpls
lsp-external-controller ] might trigger RPD to crash due to a race condition. PR1194068
•
This behavior occurs after the "setup-protection" feature takes effect. If packets with an
MPLS label stack are sent to an LSP that uses the "setup-protection" feature, the TTLs of
the top and bypass MPLS labels are rewritten with the TTL of the second MPLS label. If the
second (inner) MPLS label TTL is small, the packet is lost unexpectedly. This behavior is
specific to PTX Series platforms. PR1196064
•
This behavior is seen with the "teardown" feature for MPLS-TP BFD.
When a firewall filter is set to drop MPLS-TP BFD packets, the LSP behaves
unexpectedly: the LSP goes down after "teardown" and does not come back
up even if the firewall filter setting is removed. This behavior is seen in the 16.1X70-D10
branch only. PR1199957
Platform and Infrastructure
•
Over a period of time in the network, stale AS paths might be seen in the sampler
database in JNH memory. Because JNH memory is very limited and is used by all the
modules in the Packet Forwarding Engine, these stale AS paths waste JNH memory.
PR1189689
Routing Protocols
•
With SRLG (Shared Risk Link Group) enabled, under corner conditions, after the
"clear IS-IS database" command is executed, RPD might crash because the IS-IS database
tree gets corrupted. PR1152940
Resolved Issues: 16.1R1
Forwarding and Sampling
•
SRRD (Sampling Route-Record Daemon) process does not delete routes when the
DELETE is received from RPD in a few configuration cases. This results in a buildup of
memory in the SRRD daemon, and once SRRD reaches the limit, it crashes and restarts
itself. This happens only when one certain family is not configured on all of the FPC
clients (e.g., FPC with inline J-Flow enabled or PIC with PIC-based sampling enabled
is one client). For example, only IPv4 family is configured in all the clients and IPv6 and
MPLS families are not configured for sampling in any of the clients. PR1180158
Related Documentation
•
New and Changed Features
•
Changes in Behavior and Syntax
•
Known Behavior
•
Known Issues
•
Documentation Updates
•
Migration, Upgrade, and Downgrade Instructions
•
Product Compatibility
Migration, Upgrade, and Downgrade Instructions
This section contains the procedure to upgrade Junos OS, and the upgrade and downgrade
policies for Junos OS for the PTX Series. Upgrading or downgrading Junos OS can take
several hours, depending on the size and configuration of the network.
•
Upgrade and Downgrade Support Policy for Junos OS Releases
•
Upgrading a Router with Redundant Routing Engines
•
Basic Procedure for Upgrading to Release 16.1
•
Installing the Network Agent Package (Junos Telemetry Interface) in PTX Series
Routers
Upgrade and Downgrade Support Policy for Junos OS Releases
Support for upgrades and downgrades that span more than three Junos OS releases at
a time is not provided, except for releases that are designated as Extended End-of-Life
(EEOL) releases. EEOL releases provide direct upgrade and downgrade paths—you can
upgrade directly from one EEOL release to the next EEOL release even though EEOL
releases generally occur in increments beyond three releases.
You can upgrade or downgrade to the EEOL release that occurs directly before or after
the currently installed EEOL release, or to two EEOL releases before or after. For example,
Junos OS Releases 14.1, 14.2, 15.1 and 16.1 are EEOL releases. You can upgrade from Junos
OS Release 14.1 to Release 15.1 or from Junos OS Release 15.1 to Release 16.2. However,
you cannot upgrade directly from a non-EEOL release that is more than three releases
ahead or behind.
To upgrade or downgrade from a non-EEOL release to a release more than three releases
before or after, first upgrade to the next EEOL release and then upgrade or downgrade
from that EEOL release to your target release.
For more information on EEOL releases and to review a list of EEOL releases, see
http://www.juniper.net/support/eol/junos.html.
Upgrading a Router with Redundant Routing Engines
If the router has two Routing Engines, perform a Junos OS installation on each Routing
Engine separately to avoid disrupting network operation as follows:
1. Disable graceful Routing Engine switchover (GRES) on the master Routing Engine
and save the configuration change to both Routing Engines.
2. Install the new Junos OS release on the backup Routing Engine while keeping the
currently running software version on the master Routing Engine.
3. After making sure that the new software version is running correctly on the backup
Routing Engine, switch over to the backup Routing Engine to activate the new software.
4. Install the new software on the original master Routing Engine that is now active as
the backup Routing Engine.
For the detailed procedure, see the Installation and Upgrade Guide.
Basic Procedure for Upgrading to Release 16.1
When upgrading or downgrading Junos OS, use the jinstall package. For information
about the contents of the jinstall package and details of the installation process, see the
Installation and Upgrade Guide. Use other packages, such as the jbundle package, only
when so instructed by a Juniper Networks support representative.
NOTE: Back up the file system and the currently active Junos OS configuration
before upgrading Junos OS. This allows you to recover to a known, stable
environment if the upgrade is unsuccessful. Issue the following command:
user@host> request system snapshot
NOTE: The installation process rebuilds the file system and completely
reinstalls Junos OS. Configuration information from the previous software
installation is retained, but the contents of log files might be erased. Stored
files on the router, such as configuration templates and shell scripts (the only
exceptions are the juniper.conf and ssh files), might be removed. To preserve
the stored files, copy them to another system before upgrading or
downgrading the routing platform. For more information, see the Junos OS
Administration Library for Routing Devices.
NOTE: We recommend that you upgrade all software packages out of band
using the console because in-band connections are lost during the upgrade
process.
The download and installation process for Junos OS Release 16.1R2 is different from
previous Junos OS releases.
1. Using a Web browser, navigate to the All Junos Platforms software download URL
on the Juniper Networks webpage:
http://www.juniper.net/support/downloads/
2. Select the name of the Junos OS platform for the software that you want to download.
3. Select the release number (the number of the software version that you want to
download) from the Release drop-down list to the right of the Download Software
page.
4. Select the Software tab.
5. In the Install Package section of the Software tab, select the software package for
the release.
6. Log in to the Juniper Networks authentication system using the username (generally
your e-mail address) and password supplied by Juniper Networks representatives.
7. Review and accept the End User License Agreement.
8. Download the software to a local host.
9. Copy the software to the routing platform or to your internal software distribution
site.
10. Install the new jinstall package on the router.
NOTE: After you install a Junos OS Release 16.1R2 jinstall package, you
cannot issue the request system software rollback command to return to
the previously installed software. Instead you must issue the request
system software add validate command and specify the jinstall package
that corresponds to the previously installed software.
Customers in the United States and Canada, use the following command:
user@host> request system software add validate reboot source/jinstall-16.1R.9-domestic-signed.tgz
All other customers, use the following command:
user@host> request system software add validate reboot source/jinstall-16.1R.9-export-signed.tgz
Replace the source with one of the following values:
•
/pathname—For a software package that is installed from a local directory on the
router.
•
For software packages that are downloaded and installed from a remote location:
•
ftp://hostname/pathname
•
http://hostname/pathname
•
scp://hostname/pathname (available only for Canada and U.S. version)
The validate option validates the software package against the current configuration
as a prerequisite to adding the software package to ensure that the router reboots
successfully. This is the default behavior when the software package being added is
a different release.
Adding the reboot command reboots the router after the upgrade is validated and
installed. When the reboot is complete, the router displays the login prompt. The
loading process can take 5 to 10 minutes.
Rebooting occurs only if the upgrade is successful.
NOTE: You need to install the Junos OS software package and host software
package on the routers with the RE-PTX-X8 Routing Engine. For upgrading
the host and Junos OS on this router with VM host support, use the
junos-vmhost-install-x.tgz image and specify the name of the regular package
in the request vmhost software add command. For more information, see the VM
Host Installation topic in the Installation and Upgrade Guide.
NOTE: After you install a Junos OS Release 16.1 jinstall package, you cannot
issue the request system software rollback command to return to the previously
installed software. Instead you must issue the request system software add
validate command and specify the jinstall package that corresponds to the
previously installed software.
NOTE: A few of the existing request system commands are not supported on
routers with RE-PTX-X8 Routing Engines. See the VM Host Software
Administrative Commands in the Installation and Upgrade Guide.
Installing the Network Agent Package (Junos Telemetry Interface) in PTX Series
Routers
NOTE: This section is applicable only to PTX5000.
Starting with Junos OS Release 16.1R4, the Network Agent software package provides a
framework to support OpenConfig and gRPC for the Junos Telemetry Interface. The
Network Agent package functions as a gRPC server that terminates the OpenConfig
remote procedure call (RPC) interfaces and streams the telemetry data according to
the OpenConfig specification. The Network Agent package, which runs on the Routing
Engine, implements local statistics collection and reports data to active telemetry stream
subscribers.
Network Agent is available as a separate package only for Junos OS with Upgraded
FreeBSD. For other versions of Junos OS, Network Agent functionality is embedded in
the software.
The Network Agent for Junos OS software package has the following naming conventions:
•
Package Name—This is Network-Agent.
•
Architecture—This field indicates the CPU architecture of the platforms, such as x86.
•
Application Binary Interface (ABI)—This field indicates the “word length” of the CPU
architecture. Values include 32 for 32-bit architectures and 64 for 64-bit architectures.
•
Release—This field indicates the Junos OS release number, such as 16.1R4.16.
•
Package release and spin number—This field indicates the package version and spin
number, such as C1.1.
All Network Agent packages are in tarred and gzipped (.tgz) format.
NOTE: Each version of the Network Agent package is supported on a single
release of Junos OS only. The Junos OS version supported is identified by the
Junos OS release number included in the Network Agent package name.
Examples of valid Network Agent package names include the following:
•
network-agent-x86-64-16.1R4.16-C1.0.tgz
•
network-agent-x86-32-16.1R4.12-C1.1.tgz
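A pre-install check built on the naming convention above, as an added example that is not Juniper's code: it parses a package name into its fields and reports why a package should not be installed on a given device. The function names, the device_abi comparison, the /var/tmp sample path, and the assumption that the running release is supplied in the same form as it appears in the package name are illustrative.

```python
import re
from typing import List, NamedTuple


class NetworkAgentPackage(NamedTuple):
    architecture: str     # CPU architecture field, e.g. "x86"
    abi: int              # word length of the architecture: 32 or 64
    junos_release: str    # Junos OS release the package is built for
    package_release: str  # package release and spin number, e.g. "C1.1"


# network-agent-<architecture>-<ABI>-<Junos OS release>-<package release>.tgz
# Assumption: the release and spin fields look like the two example names on
# this page (16.1R4.16 and C1.0). Other release styles are rejected, not guessed.
_NAME = re.compile(
    r"(?i:network-agent)-"
    r"(?P<arch>[A-Za-z0-9]+)-"
    r"(?P<abi>32|64)-"
    r"(?P<release>\d+\.\d+R\d+(?:\.\d+)?)-"
    r"(?P<pkg>C\d+\.\d+)"
    r"\.tgz"
)


def parse_package_name(source: str) -> NetworkAgentPackage:
    """Parse a bare package name, a local path, or an ftp/http/scp URL."""
    filename = source.rsplit("/", 1)[-1]
    match = _NAME.fullmatch(filename)
    if match is None:
        raise ValueError(f"not a Network Agent package name: {filename!r}")
    return NetworkAgentPackage(
        architecture=match["arch"],
        abi=int(match["abi"]),
        junos_release=match["release"],
        package_release=match["pkg"],
    )


def preinstall_check(source: str, running_release: str, device_abi: int) -> List[str]:
    """Return the reasons not to install; an empty list means no objection."""
    try:
        pkg = parse_package_name(source)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    # Each Network Agent package is supported on a single Junos OS release,
    # identified by the release number embedded in the package name.
    if pkg.junos_release != running_release:
        problems.append(
            f"package is built for Junos OS {pkg.junos_release}, "
            f"device runs {running_release}"
        )
    # Assumption: the operator knows the device word length and passes it in.
    if pkg.abi != device_abi:
        problems.append(f"package ABI is {pkg.abi}-bit, device is {device_abi}-bit")
    return problems


if __name__ == "__main__":
    # Constructed inputs: the two example names from this page plus one
    # malformed name, checked against a hypothetical 64-bit device.
    for candidate in (
        "/var/tmp/network-agent-x86-64-16.1R4.16-C1.0.tgz",
        "ftp://hostname/pathname/network-agent-x86-32-16.1R4.12-C1.1.tgz",
        "network-agent-x86-64-16.1R4.16.tgz",
    ):
        issues = preinstall_check(candidate, "16.1R4.16", 64)
        print(candidate, "->", issues or "ok")
```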
Before you begin:
•
Install Junos OS Release 16.1R4 or later.
•
Install the OpenConfig for Junos OS module. For more information, see Installing the
OpenConfig Package.
•
Install Secure Sockets Layer (SSL) certificates of authentication on your Juniper
Networks device.
NOTE: Only server-based SSL authentication is supported. Client-based
authentication is not supported.
To download and install the Network Agent package:
1. Using a Web browser, navigate to the All Junos Platforms software download URL
on the Juniper Networks webpage: http://www.juniper.net/support/downloads/.
2. Select the name of the Junos OS platform for the software that you want to download.
3. Select the release number (the number of the software version that you want to
download) from the Release drop-down list to the right of the Download Software
page.
4. Select the Software tab.
5. In the Tools section of the Software tab, select the Junos Telemetry Interface Network
Agent package for the release.
6. Log in to the Juniper Networks authentication system using the username (generally
your e-mail address) and password supplied by a Juniper Networks representative.
7. Download the software to a local host.
8. Copy the software to the Juniper Networks device or to your internal software distribution
site.
9. Install the new network-telemetry package on the device by issuing the request system
software add package-name command from operational mode.
For example:
user@host> request system software add source-network-telemety-x86-64-16.1R4.16-C1.0.tgz
NOTE: The command uses the validate option by default. This option
validates the software package against the current configuration as a
prerequisite to adding the software package to ensure that the device
reboots successfully. This is the default behavior when the software
package being added is a different release.
Replace source with one of the following values:
•
/pathname—For a software package that is installed from a local directory on the
device.
•
For software packages that are downloaded and installed from a remote location:
•
ftp://hostname/pathname
•
http://hostname/pathname
•
scp://hostname/pathname (available only for Canada and U.S. version)
10. Issue the show version command to verify that the Network Agent package was
successfully installed.
Related Documentation
•
New and Changed Features
•
Changes in Behavior and Syntax
•
Known Behavior
•
Known Issues
•
Resolved Issues
•
Documentation Updates
•
Product Compatibility
Product Compatibility
•
Hardware Compatibility
Hardware Compatibility
To obtain information about the components that are supported on the devices, and
special compatibility guidelines with the release, see the Hardware Guide and the Interface
Module Reference for the product.
To determine the features supported on PTX Series devices in this release, use the Juniper
Networks Feature Explorer, a Web-based application that helps you to explore and
compare Junos OS feature information to find the right software release and hardware
platform for your network. Find Feature Explorer at:
http://pathfinder.juniper.net/feature-explorer/
Related Documentation
•
New and Changed Features
•
Changes in Behavior and Syntax
•
Known Behavior
•
Known Issues
•
Resolved Issues
•
Documentation Updates
•
Migration, Upgrade, and Downgrade Instructions
Junos OS Release Notes for the QFX Series
These release notes accompany Junos OS Release 16.1R4 for the QFX Series. They
describe new and changed features, limitations, and known and resolved problems in
the hardware and software.
You can also find these release notes on the Juniper Networks Junos OS Documentation
webpage, located at http://www.juniper.net/techpubs/software/junos/.
•
New and Changed Features
•
Changes in Behavior and Syntax
•
Known Behavior
•
Known Issues
•
Resolved Issues
•
Documentation Updates
•
Migration, Upgrade, and Downgrade Instructions
•
Product Compatibility
New and Changed Features
This section describes the new features for the QFX Series switches in Junos OS Release
16.1.
NOTE: Junos OS Release 16.1R4 supports QFX5100 switches.
NOTE: Juniper Networks does not recommend using Junos OS Release
16.1Rx with QFX10002 switches.
•
Junos OS XML API and Scripting
•
MPLS
•
Routing Policy and Firewall Filters
•
Routing Protocols
•
User Interface and Configuration
Junos OS XML API and Scripting
•
Support for Python language for commit, event, op, and SNMP scripts (QFX5100,
QFX10002)—Starting in Junos OS Release 16.1, you can author commit, event, op, and
SNMP scripts in Python on devices that include the Python extensions package in the
software image. Creating automation scripts in Python enables you to take advantage
of Python features and libraries, as well as leverage Junos PyEZ APIs supported in Junos
PyEZ Release 1.3.1 and earlier releases to perform operational and configuration tasks
on devices running Junos OS. To enable execution of Python automation scripts, which
the root user must own, configure the language python statement at the [edit system
scripts] hierarchy level, and configure the filename for the Python script under the
hierarchy level appropriate to that script type. Supported Python versions include
Python 2.7.x.
[See Understanding Python Automation Scripts for Devices Running Junos OS.]
MPLS
•
Support for the Path Computation Element Protocol (QFX10000 switches)—Starting
with Junos OS Release 16.1R3, QFX10000 switches support the Path Computation
Element Protocol (PCEP). A Path Computation Element (PCE) is an entity (component,
application, or network node) that is capable of computing a network path or route
based on a network graph and applying computational constraints. A Path Computation
Client (PCC) is any client application requesting a path computation to be performed
by a PCE. PCEP is a TCP-based protocol defined by the IETF PCE Working Group, and
it defines a set of messages and objects used to manage PCEP sessions and to request
and send paths for multidomain traffic engineered LSPs (TE LSPs). It provides a
mechanism for a PCE to perform path computation for a PCC’s external LSPs. The
PCEP interactions include LSP status reports sent by the PCC to the PCE, and PCE
updates for the external LSPs.
[See PCEP Overview.]
Routing Policy and Firewall Filters
•
Support for flexible-match-mask match condition (QFX5100 switches)—Starting
with Junos OS Release 16.1, QFX5100 switch firewall filters support the
flexible-match-mask match condition. The match condition can be enabled for both
inet and Ethernet-switching families.
Routing Protocols
•
BGP link state distribution (QFX Series)—Junos OS Release 16.1 introduces a new
mechanism to distribute topology information across multiple areas and autonomous
systems (ASs) by extending the BGP protocol to carry link state information. Earlier,
this information was acquired using an IGP, which has scaling limitations when it comes
to distributing a large database. Using BGP provides a policy-controlled and scalable
means of distributing the multiarea and multi-AS topology information. This information
is used for computing paths for MPLS LSPs spanning multiple domains, such as
interarea TE LSPs, and enables external path computing entities, such as ALTO and
PCE, to acquire network topology.
•
Support for unique AS path count (QFX Series)—Starting with Junos OS Release
16.1R4, you can configure a routing policy to determine the number of unique
autonomous systems (ASs) present in the AS path. The unique AS path count helps
determine whether a given AS is present in the AS path multiple times, typically as
prepended ASs. In earlier Junos releases it was not possible to implement this counting
behavior using the as-path regular expression policy. This feature permits the user to
configure a policy based on the number of AS hops between the route originator and
receiver. This feature ignores ASs in the as-path that are confederation ASs, such as
confed_seq and confed_set.
To configure AS path count, include the as-path-unique-count count (equal | orhigher |
orlower) configuration statement at the [edit policy-options policy-statement
policy_name from] hierarchy level.
User Interface and Configuration
•
Support for JSON format for configuration data (QFX5100, QFX10002)–Starting
with Junos OS Release 16.1, you can configure devices running Junos OS using
configuration data in JavaScript Object Notation (JSON) format in addition to the
existing text, Junos XML, and Junos OS set command formats. You can load
configuration data in JSON format in the Junos OS CLI by using the load (merge | override
| update) json command or from within a NETCONF or Junos XML protocol session by
using the <load-configuration format="json"> operation. You can load JSON
configuration data either from an existing file or as a data stream. Configuration data
that is provided as a data stream must be enclosed in a <configuration-json> element.
[See load, Defining the Format of Configuration Data to Upload in a Junos XML Protocol
Session, and Mapping Junos OS Configuration Statements to JSON.]
Related Documentation
•
Changes in Behavior and Syntax
•
Known Behavior
•
Known Issues
•
Resolved Issues
•
Documentation Updates
•
Migration, Upgrade, and Downgrade Instructions
•
Product Compatibility
Changes in Behavior and Syntax
This section lists the changes in behavior of Junos OS features and changes in the syntax
of Junos OS statements and commands from Junos OS Release 16.1R4 for the QFX Series.
•
Authentication and Access Control
•
General Routing
•
Interfaces and Chassis
•
Network Management and Monitoring
•
Security
•
Software Installation and Upgrade
•
User Interface and Configuration
Authentication and Access Control
•
Starting in Junos OS Release 16.1R1, deny-password is the default option for the system
services ssh root-login statement, which controls root login through SSH. In previous
releases, allow was the default option. You must now explicitly configure the set system
services ssh root-login allow option to allow users to log in to the device as root
through SSH.
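An added example (not from the Juniper release notes): a Python check that derives the effective SSH root-login mode from a device's release and its set-format configuration, using the default change described above, and lists devices whose behavior changes on upgrade. The inventory, host names, and function names are constructed for illustration; releases are compared by major.minor only, which is an assumption.

```python
import re

# The page states the default changed in Junos OS Release 16.1R1.
# Assumption: releases are compared by major.minor family only.
DEFAULT_CHANGE_FAMILY = (16, 1)

# set-format statements. allow and deny-password are named on the page;
# deny is the third value the root-login statement accepts.
ROOT_LOGIN_RE = re.compile(
    r"^\s*set\s+system\s+services\s+ssh\s+root-login\s+"
    r"(allow|deny-password|deny)\s*$"
)
# Any statement under "system services ssh" means the SSH service is configured.
SSH_SERVICE_RE = re.compile(r"^\s*set\s+system\s+services\s+ssh(\s|$)")


def release_family(version):
    """Return (major, minor) from strings such as '16.1R4' or '14.1X53-D35'."""
    match = re.match(r"\s*(\d+)\.(\d+)", version)
    if match is None:
        raise ValueError("unrecognized Junos release string: %r" % (version,))
    return int(match.group(1)), int(match.group(2))


def default_root_login(version):
    """Default root-login option for a release, per the release note."""
    if release_family(version) >= DEFAULT_CHANGE_FAMILY:
        return "deny-password"
    return "allow"


def effective_root_login(version, set_lines):
    """Return (mode, explicit); mode is None when SSH is not configured."""
    ssh_configured = False
    explicit = None
    for line in set_lines:
        if SSH_SERVICE_RE.match(line):
            ssh_configured = True
        match = ROOT_LOGIN_RE.match(line)
        if match:
            explicit = match.group(1)  # single-valued: the last statement wins
    if not ssh_configured:
        return None, False
    if explicit is not None:
        return explicit, True
    return default_root_login(version), False


def audit(inventory):
    """List hosts where root can log in over SSH with a password."""
    findings = []
    for host, version, set_lines in inventory:
        mode, explicit = effective_root_login(version, set_lines)
        if mode == "allow":
            findings.append((host, "explicit" if explicit else "release default"))
    return findings


def changed_by_upgrade(inventory, target_version):
    """List hosts whose effective mode differs after moving to target_version."""
    changed = []
    for host, version, set_lines in inventory:
        before, _ = effective_root_login(version, set_lines)
        after, _ = effective_root_login(target_version, set_lines)
        if before != after:
            changed.append((host, before, after))
    return changed


# Constructed sample inventory: (host, release, set-format configuration lines).
INVENTORY = [
    ("sw1", "15.1R3", ["set system host-name sw1", "set system services ssh"]),
    ("sw2", "16.1R4", ["set system services ssh protocol-version v2"]),
    ("sw3", "16.1R4", ["set system services ssh root-login allow"]),
    ("sw4", "14.1X53-D35", ["set system services netconf ssh"]),
]

if __name__ == "__main__":
    for host, source in audit(INVENTORY):
        print("%s: root password login over SSH permitted (%s)" % (host, source))
    for host, before, after in changed_by_upgrade(INVENTORY, "16.1R4"):
        print("%s: upgrade changes root-login from %s to %s" % (host, before, after))
```

Hosts reported by changed_by_upgrade are the ones where root password logins over SSH stop working after the upgrade unless another access path is in place.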
General Routing
•
Enhancement to request support information command—Starting in Junos OS Release
16.1R1, the request support information command is enhanced to capture the following
additional details:
•
file list detail /var/rundb/—Displays the size of the configuration databases.
•
show system configuration database usage—Displays the actual usage of the
configuration databases.
NOTE: This information will be displayed only if the show system
configuration database usage command is supported in the release.
•
file list detail /config/—Contains the db_ext file and shows the size of it to indicate
whether extend_size is enabled or disabled.
•
New option introduced under show | display xml | display—Starting in Junos OS 16.1R1,
you can use the show | display xml | display | mark-changed statement to view the
"mark-changed" status of the nodes. This is useful for debugging purposes.
•
Modified output of the clear services sessions | display xml command (QFX
Series)—In Junos OS Release 16.1, the output of the clear services sessions | display
xml command is modified to include the <sess-marked-for-deletion> tag instead of
the <sess-removed> tag. In releases before Junos OS Release 14.1X55-D30, the output
of this command includes the <sess-removed> tag. The replacement of the
<sess-removed> tag with the <sess-marked-for-deletion> tag aims at establishing
consistency with the output of the clear services sessions command that includes the
field Sessions marked for deletion.
Interfaces and Chassis
•
Configuring unified forwarding table profiles (EX4600 Virtual Chassis, QFX5100
Virtual Chassis, and QFX Series Virtual Chassis Fabric)—Starting in Junos OS Release
16.1R3, Packet Forwarding Engines on switches in a Virtual Chassis or Virtual Chassis
Fabric (VCF) do not automatically restart upon configuring and committing a unified
forwarding table profile change using the set chassis forwarding-options statement.
Instead, a message is displayed at the CLI prompt and logged in the switch’s system
log, prompting you to reboot the Virtual Chassis or VCF for the change to take effect.
This change avoids Virtual Chassis or VCF instability that might occur with these
switches if the profile update propagates to member switches and otherwise causes
multiple Packet Forwarding Engines to automatically restart at the same time. This
behavior change does not apply to other switch types or to EX4600 and QFX5100
switches not in a Virtual Chassis or VCF; in those cases, the switch continues to restart
automatically when a unified forwarding table profile change is committed.
We recommend that you plan to make profile changes in a Virtual Chassis or VCF
comprising these switches only when you can perform a Virtual Chassis or VCF system
reboot shortly after committing the configuration update, to avoid instability if one or
more member switches restart unexpectedly with the new configuration (while the
remaining members are still running the old configuration).
[See Configuring the Unified Routing Table and forwarding-options (chassis).]
•
New vc-path command display for Virtual Chassis Fabric (VCF)—Starting in Junos
OS Release 16.1R3, the output from the show virtual-chassis vc-path command displays
additional fields when showing the forwarding path from a source interface to a
destination interface in a Virtual Chassis Fabric (VCF), including details of multiple
possible next hops. The vc-path command display for a forwarding path in a Virtual
Chassis remains unchanged.
[See show virtual-chassis vc-path.]
Network Management and Monitoring
•
Cloud Analytics Engine disabled in Junos OS by default (QFX Series)—Starting in
Junos OS Release 16.1R4, Cloud Analytics Engine is disabled by default in Junos OS.
Probe processing is enabled automatically when you configure any supported Cloud
Analytics Engine configuration statement at the [edit system services cloud-analytics]
hierarchy level. In releases prior to Junos OS Release 16.1R4, Cloud Analytics Engine is
enabled by default, and no configuration steps are required for Junos OS to process
and respond to probes.
[See Configuring Cloud Analytics Engine on Devices.]
Security
•
Changes to DDoS protection packet type support (QFX Series)—Starting in Junos
OS Release 16.1, the unclassified packet type in the mcast-snoop protocol group has
been removed from the protocols statement at the [edit system ddos-protection]
hierarchy level and from the output of the show ddos-protection protocols command.
Software Installation and Upgrade
•
request system software add command options updated (QFX Series)—As of Junos
OS Release 16.1, the upgrade-with-config-format option in the request system software
add command is removed. The upgrade-with-config option applies to the file indicated.
Specify .text or .xml. The upgrade-with-config option does not accept files with the
extension .txt.
User Interface and Configuration
•
output-file-name option for show system schema command is deprecated (QFX5100,
QFX10002)—Starting with Junos OS Release 16.1, the output-file-name option for the
show system schema operational command is deprecated. To direct the output to a
file, use the output-directory option and specify the directory. By default, the filename
for the output file uses the module name as the filename base and the format as the
filename extension. If you also include the module-name option in the command, the
specified module name is used for both the name of the generated module and for
the filename base for the output file.
[See show system schema.]
•
New default implementation for serialization for JSON configuration data (QFX5100,
QFX10002)—Starting with Junos OS Release 16.1, the default implementation for
serialization for configuration data emitted in JavaScript Object Notation (JSON) has
changed. The new default is as defined in Internet drafts
draft-ietf-netmod-yang-json-09, JSON Encoding of Data Modeled with YANG, and
draft-ietf-netmod-yang-metadata-06, Defining and Using Metadata with YANG.
[See Mapping Junos OS Configuration Statements to JSON.]
•
Integers in configuration data in JSON format are displayed without quotation marks
(QFX Series)—Starting in Junos OS Release 16.1R4, integers in Junos OS configuration
data emitted in JavaScript Object Notation (JSON) format are not enclosed in quotation
marks. Prior to Junos OS Release 16.1R4, integers in JSON configuration data were
treated as strings and enclosed in quotation marks.
Related Documentation
•
New and Changed Features
•
Known Behavior
•
Known Issues
•
Resolved Issues
•
Documentation Updates
•
Migration, Upgrade, and Downgrade Instructions
•
Product Compatibility
Known Behavior
This section lists known behavior, system maximums, and limitations in hardware and
software in Junos OS Release 16.1R4 for the QFX Series.
For the most complete and latest information about known Junos OS problems, use the
Juniper Networks online Junos Problem Report Search application.
•
High Availability (HA) and Resiliency
•
Interfaces and Chassis
•
Layer 2 Features
•
Network Management and Monitoring
•
Routing Protocols
•
Software Installation and Upgrade
•
System Management
High Availability (HA) and Resiliency
•
In a QFX5100 Virtual Chassis or Virtual Chassis Fabric, an NSSU to Junos OS Release
14.1X53-D35 might cause a traffic loss of a few seconds for BUM traffic. PR1128208
Interfaces and Chassis
•
On QFX10002 switches, if you connect 100G optical transceivers (for example,
JNP-QSFP-100G-SR4 and JNP-QSFP-100G-LR4) and add the chassis configuration
for all 100G ports in a single commit, some of the 100G subinterfaces might not be
created. As a workaround, configure the 100G optical transceivers first, then connect
the transceivers. PR1130642
•
On a QFX5100 or an EX4600 switch, high ICMP delays are experienced when pinging
directly connected integrated routing and bridging (IRB) interfaces. This is due to a
hardware limitation. Transit traffic is not affected. PR1164135
Layer 2 Features
•
On QFX5100 Virtual Chassis interfaces on which the flexible-vlan-tagging statement
is specified, STP, RSTP, MSTP, and VSTP are not supported. PR1075230
Network Management and Monitoring
•
On a QFX10002 switch, when a new interface is added to an existing link aggregation
group (LAG) interface that acts as an input analyzer interface, traffic sent to the added
interface might not be mirrored. As a restoration workaround, delete and reconfigure the
port mirroring configuration. PR1057527
Routing Protocols
•
On QFX5100 switches, when parity errors occur on interfaces, they might affect the
memory management unit (MMU) memories. MMU counters can be corrupted, the
interface buffers might be stuck, and there might be interface flaps and traffic loss on
the affected ports. As a workaround (restoration only), reboot the system. PR1169700
Software Installation and Upgrade
•
During a nonstop software upgrade (NSSU) on an EX4300, an EX4600, or a QFX5100
Virtual Chassis, a traffic loop or loss might occur if the Junos OS software version that
you are upgrading and the Junos OS software version that you are upgrading to use
different internal message formats. PR1123764
•
On an EX4300 or a QFX5100 Virtual Chassis, when you perform an NSSU, there might
be up to five seconds of traffic loss for multicast traffic. PR1125155
System Management
Related
Documentation
344
•
On QFX5100 switches, the amount of time that it takes for Zero Touch Provisioning to
complete might be lengthy because TFTP might take a long time to fetch required
data. PR980530
•
New and Changed Features on page 337
•
Changes in Behavior and Syntax on page 340
•
Known Issues on page 345
•
Resolved Issues on page 346
•
Documentation Updates on page 353
•
Migration, Upgrade, and Downgrade Instructions on page 353
•
Product Compatibility on page 358
Copyright © 2017, Juniper Networks, Inc.
Known Issues
Known Issues
This section lists the known issues in hardware and software for the QFX Series switches
in Junos OS Release 16.1R4.
For the most complete and latest information about known Junos OS problems, use the
Juniper Networks online Junos Problem Report Search application.
•
Firewall Filters
•
High Availability and Resiliency
•
Infrastructure
•
Interfaces and Chassis
•
Multicast
•
Port Security
•
Software Defined Networking
•
Software Installation and Upgrade
Firewall Filters
•
On QFX5100 Virtual Chassis, a user-defined filter might not work because it is not
getting programmed in the Packet Forwarding Engine. PR1175121
High Availability and Resiliency
•
On QFX5100 switches, after disabling MC-LAG member interfaces, more than 3 seconds
of traffic loss might occur. PR1164228
Infrastructure
•
On QFX5100 Virtual Chassis, DHCP binding might not work on DHCPv6 clients with
option-18 enabled. PR1226321
Interfaces and Chassis
•
After deactivating interfaces on a QFX5100 switch that is configured as a primary
neighbor of a provider edge router, the backup Layer 2 circuit might not get activated
as expected. PR1198191
•
On a QFX5100 switch, with a fully meshed MC-LAG topology configured, sometimes
there is more traffic loss when the ICL interface goes down and then comes back up
compared with when you have Junos OS Release 14.1X53-D35 software installed. This
issue does not affect MC-LAG functionality. PR1209322
•
On QFX5100 Virtual Chassis, traffic loss might occur while you are adding or deleting
a trunk member from local minimum links. PR1226488
•
On QFX5100 Virtual Chassis, traffic might be lost on an IPv6 PVLAN over IRB after
addition or deletion of child interfaces from a LAG. PR1226494
Multicast
•
On QFX10002 switches, when IGMPv2 and IGMPv3 receivers for the same multicast
group are in a VLAN, multicast traffic might not flow to any or a few of the IGMPv2
receivers. PR1190736
Port Security
•
On QFX5100 Virtual Chassis, the DHCP snooping database might be cleared if you
change the configuration of the LACP mode from fast to slow. PR1191404
Software Defined Networking
•
Deleted VLAN configurations provided by an OVSDB controller might be erroneously
retained by QFX5100 switches. PR1176592
•
On QFX5100 switches, OVSDB traffic might be dropped after Layer 2 learning is
restarted. PR1177012
Software Installation and Upgrade
•
After a unified ISSU upgrade from Junos OS Release 15.1R3 to Junos OS Release 16.1
on QFX5100 switches, LLDP neighbor discovery might fail. PR1187729
Related Documentation
•
New and Changed Features
•
Changes in Behavior and Syntax
•
Known Behavior
•
Resolved Issues
•
Documentation Updates
•
Migration, Upgrade, and Downgrade Instructions
•
Product Compatibility
Resolved Issues
This section lists the issues fixed in the Junos OS main release and the maintenance
releases.
For the most complete and latest information about known Junos OS defects, use the
Juniper online Junos Problem Report Search application.
•
Resolved Issues: 16.1R4
•
Resolved Issues: 16.1R3
Resolved Issues: 16.1R4
•
Authentication and Access Control
•
Firewall Filters
•
High Availability (HA) and Resiliency
•
Infrastructure
•
Interfaces and Chassis
•
Layer 3 Features
•
MPLS
•
Multicast Protocols
•
Network Management and Monitoring
•
Platform and Infrastructure
•
Routing Protocols
•
Virtual Chassis and Virtual Chassis Fabric (VCF)
Authentication and Access Control
•
On QFX Series switches, LLDP does not work on management and internal Ethernet
(em) interfaces. PR1224832
Firewall Filters
•
On QFX5100 switches, when you apply an IPv6 firewall filter, the system might crash
with a PFE panic. PR1234729
•
On QFX5100 and EX4600 switches, during a nonstop software upgrade (NSSU), if an
aggregated Ethernet (AE) interface is configured with multiple subinterfaces across
multiple Flexible PIC Concentrators (FPCs), the AE interface might go down. PR1227522
High Availability (HA) and Resiliency
•
On QFX5100 and EX4600 switches, during a nonstop software upgrade (NSSU), if an
aggregated Ethernet (AE) interface is configured with multiple subinterfaces across
multiple Flexible PIC Concentrators (FPCs), the AE interface might go down. PR1227522
Infrastructure
•
On QFX Series switches, when a neighbor device sends a flood of Link Layer Discovery
Protocol (LLDP) traffic that is larger than 1,000 pps to the QFX Series switch, Link
Aggregation Control Protocol (LACP) flaps might be seen on unrelated interfaces.
PR1058565
•
The Packet Forwarding Engine manager daemon (FXPC) might crash on a QFX5100
switch if multiple processes attempt to access the Ethernet-switching table or database
at the same time. PR1146937
•
On QFX10000 switches, DHCP relay does not forward VXLAN encapsulated DHCP
packets. PR1209499
•
On QFX5100 switches, an fxpc process might generate a core file. PR1231071
Interfaces and Chassis
•
On QFX10000 switches, in a multichassis link aggregation group (MC-LAG)
configuration, the all option at the [edit protocols igmp-snooping vlan] hierarchy level
does not work. As a workaround, enable IGMP snooping on a per-VLAN basis on each
of the MC-LAG peers. PR1180494
•
On QFX10000 switches, the commit error Too many VLAN-IDs on interface will be seen
when more than 1025 subinterfaces are added to a LAG interface. PR1186556
•
On QFX10000 switches, show command outputs might display an increase in CRC
errors on 100-gigabit interfaces with 100-gigabit LR4 optics used when receiving traffic.
This issue is not seen with SR4 optics. PR1195623
•
On QFX10000 switches, output from the show interfaces interface-name extensive
command does not display PCS statistics. PR1211160
•
On QFX5100 switches, if you configure an aggregated Ethernet (AE) interface in a
VLAN associated with a VNI, the AE interface might stop forwarding traffic, and even
after you delete the VXLAN configuration, the problem persists. PR1213701
•
On QFX10000 switches, the kernel might fail to allocate IFBD tokens, with the error
message IFBD hw token couldn't be allocated for <interface>. Even if there are enough
IFBD tokens, you might be unable to assign some VLANs to the related interfaces.
PR1227947
•
On QFX Series switches, in rare cases, the Link Up or Down notification from the Packet
Forwarding Engine to the Routing Engine might need a bit of time, so the PFE-side
interface and remote device interface show Admin UP and Link UP, but the CLI might
show the interface in Admin Down and Link Down. When this issue happens, it might last
about 30 seconds. PR1227947
Layer 3 Features
•
On a QFX5100 switch with VRF enabled, route leaking from the default routing table
(inet.0 or inet6.0) to VRF might not work as expected. PR1210620
MPLS
•
On QFX10008 switches, when MPLS automatic bandwidth allocation is configured
for an LSP, disabling the configuration might generate an RPD core file. PR1152449
•
With 100 or more Layer 2 circuit configurations in standby mode on a QFX5100 switch,
the Layer 2 circuits might go down after you issue the restart routing operational mode
command. PR1169575
•
On EX Series and QFX Series switches, if you change a Layer 2 circuit configuration
from Ethernet CCC encapsulation to VLAN CCC encapsulation, traffic losses might
occur at the pseudowire tunnel initiation point. PR1222888
Multicast Protocols
•
On QFX10000 switches, multicast-router-interface election on Layer 2 IGMP snooping
VLANs might not work for PIM packets. As a workaround, enable an IRB interface on
the VLAN. PR1206041
•
If a QFX5100 switch or VCF is configured with IGMP snooping but not with any
PIM-related configuration, a mcsnoopd memory leak might occur when the device
receives PIM Hello packets that need to be forwarded further. When PIM hellos are
arriving on the device, 12 bytes are allocated for every PIM hello packet, increasing the
amount of memory consumed by the mcsnoopd process. As a workaround, either
restart the mcsnoopd process or apply a firewall filter that discards PIM packets on
the loopback (lo0) interface of the device in the input direction. PR1209773
•
QFX Series switches with no Precision Time Protocol (PTP) configuration do not form
an (S, G) multicast route when receiving PTP multicast traffic with UDP port 319 or
320, and the switch drops this PTP multicast traffic. PR1222172
Network Management and Monitoring
•
On QFX10000 switches, egress sFlow sampling is supported on only 8 ports out of
every 12 ports on 40G linecards and on only 8 ports out of every 48 ports on 10G
linecards. There is no such limitation on ingress sFlow sampling. PR1202870
•
On QFX5100 switches, in Junos OS releases prior to 15.1R6 and 16.1R4, Digital Optical
Monitoring (DOM) MIB jnxDomCurrentTable for the 1G SFP interface does not return
any value. PR1218134
•
On QFX10000 switches, IPv6 MIB statistics for jnxIpv6IfInOctets and jnxIpv6IfOutOctets
for an aggregated Ethernet (AE) bundle show double the count that is shown in CLI
output. PR1230923
Platform and Infrastructure
•
On QFX10002 switches, an FPC might not start and ports might not be seen after the
system with an unsupported configuration is rebooted. PR1216717
•
On QFX10002 switches, the ZTP factory-default configuration may not work on non-flex
images. As a workaround, use the image that includes “-flex-” in the image name.
PR1219875
•
On a QFX5100 switch, Gratuitous Address Resolution Protocol (GARP) reply packets
are not updating the Address Resolution Protocol (ARP) table. GARP request packets,
however, are updating the ARP table as expected. PR1246988
Routing Protocols
•
On QFX5100 switches, when resilient hashing is enabled on ECMP paths, flows on
other paths should not be rehashed when one path goes down, but for host routes
(/32 routes), rehashing might happen in some cases. PR1137998
Virtual Chassis and Virtual Chassis Fabric (VCF)
•
On a Virtual Chassis Fabric, you might see an error such as MMU ERR Type: 1B error,
Addr: 0x001052cf, module: 42, which indicates that there was an ECC error in the PFE
MMU counter memory. ECC errors are corrected by the hardware without software
intervention and are corrected only when a packet hits that memory. Reading an
ECC-errored entry always generates an interrupt; however, the error will only be
corrected when the packet hits the memory. Because this is a counter memory, the
counter thread reads this memory continuously, and hence you see continuous error
messages. PR1198162
•
In a QFX5100 Virtual Chassis or Virtual Chassis Fabric (VCF), if the master Routing
Engine crashes when Nonstop Routing (NSR) is configured and the [edit system]
switchover-on-routing-crash statement is set, the Virtual Chassis or VCF fails to perform
the switchover to the backup Routing Engine. The switchover-on-routing-crash
statement helps to prevent loss of traffic during a Routing Engine switchover when
NSR is enabled by switching immediately over to the backup Routing Engine. PR1220811
•
On EX Series or QFX Series Virtual Chassis, if new members are not zeroized prior to
being added to the Virtual Chassis, and then one of the new members splits from the
Virtual Chassis, then whenever you run "commit" or "commit check", the commit might
hang for a long time and then report a timeout error on the FPC that split from the
Virtual Chassis. PR1211753
Resolved Issues: 16.1R3
•
Authentication and Access Control
•
Class of Service (CoS)
•
High Availability (HA) and Resiliency
•
Interfaces and Chassis
•
IP Address Management
•
Layer 2 Features
•
MPLS
•
Network Analytics
•
Network Management and Monitoring
•
Platform and Infrastructure
•
Routing Protocols
•
Virtual Chassis and Virtual Chassis Fabric
Authentication and Access Control
•
On QFX5100 switches, 802.1X authentication might not work after the dot1x protocol
is restarted. PR1197446
Class of Service (CoS)
•
On QFX5100 switches, in an ETS configuration, if transmit-rate is configured at
queue-level, the guaranteed rate should be configured at the TCP level. If not, commit
does not fail, but a syslog message is logged regarding the configuration failure. The
configuration is not pushed to the kernel/PFE. In a Virtual Chassis, when a member
joins, because the configuration check is already done on the master, the configuration
is sent to members. Because the guaranteed rate is configured as 0, the logic to
calculate the transmit-rate fails. PR1195948
High Availability (HA) and Resiliency
•
On QFX5100 Virtual Chassis, sometimes IRB interfaces flap after a GRES. PR1198522
•
On QFX10000 switches, VRRP might be preempted in case of a priority tie, but
functionality is not impacted. PR1204969
Interfaces and Chassis
•
On QFX10000 switches, when the ARP scale exceeds 40K per Packet Forwarding
Engine (approximately 64K entries), the traffic might drop after the ARP ages out.
PR1129763
•
On QFX10000 switches, if there is a high rate of traffic or a large scale of multicast join
packets are received by an analyzer input port, a sampled process might crash.
PR1156548
•
On QFX5100 Virtual Chassis, DHCPv6 binding might fail if the server and the client are
in different virtual routing and forwarding (VRF) instances. PR1167693
•
Layer 2 circuits on QFX5100 switches might not come up if 100 or more Layer 2 circuit
connections are configured in no-standby mode. PR1169659
•
On QFX Series switches, a Packet Forwarding Engine (PFE) or device-control process
(dcd) restart might result in traffic loss. PR1188120
•
A QFX5100 Virtual Chassis might not be reachable over the management interface for
about a minute when the routing process restarts. PR1193925
•
PoE might not work on all EX4300 ports on a mixed-mode Virtual Chassis (mixed-mode
EX4600 and EX4300 or mixed-mode QFX5100 and EX4300). PR1195946
•
On QFX10002 switches, when GRE is configured over OSPF, traffic might not get
switched through GRE tunnel interfaces. PR1200951
IP Address Management
•
On QFX5100 switches, a long ICMP delay might occur when attempting to ping a
directly connected integrated routing and bridging (IRB) interface. PR966905
Layer 2 Features
•
On QFX10002 switches, MAC addresses associated with a VLAN might be inadvertently
deleted if the VLAN is configured as a native VLAN and is associated with an MC-LAG
interface. PR1193881
•
On QFX5100 and QFX10000 platforms, when any type of spanning tree (STP, RSTP,
MSTP, or VSTP) is configured, the MAC address part of the bridge ID might be set to
all zeros (for example, 4096.00:00:00:00:00:00) after you power cycle the device
without issuing the request system halt command. As a workaround, issue the restart
l2-learning command. PR1201293
•
On QFX5100 and QFX10002 switches, if set protocols xstp interface all edge is configured
in combination with set protocols xstp bpdu-block-on-edge, interfaces do not go down
(transition to Disabled - Bpdu-Inconsistent) when they receive BPDUs; they transition
to nonedge. If an interface is configured specifically with set protocols xstp interface
interface-name edge, then when that interface receives a BPDU, it goes down or
transitions into Disabled - Bpdu-Inconsistent correctly. As a workaround, configure set
protocols layer2-control bpdu-block interface all. PR1210678
MPLS
•
On QFX10000 switches, when the Layer 2 CCC MPLS frames MTU is higher than that
of the egress MPLS interface MTU, the frames are still forwarded instead of dropped.
PR1190025
•
QFX5100 switches might fail to forward traffic from MPLS to the IPv4 ECMP next-hop
address. PR1212519
Network Analytics
•
Even when the network analytics feature is configured on a QFX5100 switch, the
analytics daemon might not run. As a result, the network analytics feature might
be unable to collect traffic and queue statistics and generate reports. PR1165768
Network Management and Monitoring
•
On QFX10002 switches, if a port receives packets with CRC errors, we see FPC Major
Errors id=150995048 reason=150994944. These are seen initially when sFlow is
enabled on that port or if sFlow was already configured and the first CRC error packet
is received on that port. There is no functionality impact. PR1185812
Platform and Infrastructure
•
On QFX5100 and QFX10002 switches, Rx power low warning set messages might be
logged continuously for channelization ports that are in the DOWN state with snmpwalk
running in the background. PR1204988
Routing Protocols
•
On a QFX10002 switch that functions as a peer in a multicast group, multicast traffic
entering a Layer 3 VLAN-tagged interface might be inadvertently dropped. PR1198502
•
On QFX5100 switches, port-range-optimize (both source and destination) might fail
to be programmed into the hardware for an inet output filter. PR1211576
•
On QFX5100 switches, in rare cases, the FXPC process might crash and restart with a
core file generated upon LPM route install failure. After the switch restarts, services
are restored. PR1212685
Virtual Chassis and Virtual Chassis Fabric
•
On a non-mixed QFX5100 Virtual Chassis Fabric (VCF) or Virtual Chassis, LACP might
flap when the switch in the master Routing Engine role is rebooted using the CLI or
because of a power cycle. This issue is not experienced after a Routing Engine
switchover. As a workaround, configure a slow LACP timeout. PR1034377
Related
Documentation
•
New and Changed Features on page 337
•
Changes in Behavior and Syntax on page 340
•
Known Behavior on page 343
•
Known Issues on page 345
•
Documentation Updates on page 353
•
Migration, Upgrade, and Downgrade Instructions on page 353
•
Product Compatibility on page 358
Documentation Updates
There are no documentation errata or changes for the QFX Series switches in Junos OS
Release 16.1R4.
Related
Documentation
•
New and Changed Features on page 337
•
Changes in Behavior and Syntax on page 340
•
Known Behavior on page 343
•
Known Issues on page 345
•
Resolved Issues on page 55
•
Migration, Upgrade, and Downgrade Instructions on page 353
•
Product Compatibility on page 358
Migration, Upgrade, and Downgrade Instructions
This section contains the procedure to upgrade Junos OS, and the upgrade and downgrade
policies for Junos OS. Upgrading or downgrading Junos OS can take several hours,
depending on the size and configuration of the network.
•
Upgrading Software on QFX5100 Standalone Switches on page 353
•
Installing the Software on QFX10002 Switches on page 355
•
Performing an In-Service Software Upgrade (ISSU) on page 355
•
Preparing the Switch for Software Installation on page 355
•
Upgrading the Software Using ISSU on page 356
Upgrading Software on QFX5100 Standalone Switches
When upgrading or downgrading Junos OS, always use the jinstall package. Use other
packages (such as the jbundle package) only when so instructed by a Juniper Networks
support representative. For information about the contents of the jinstall package and
details of the installation process, see the Junos OS Installation and Upgrade Guide and
Junos OS Basics in the QFX Series documentation.
If you are not familiar with the download and installation process, follow these steps:
1. In a browser, go to http://www.juniper.net/support/downloads/junos.html .
The Junos Platforms Download Software page appears.
2. In the QFX Series section of the Junos Platforms Download Software page, select the
QFX Series platform for which you want to download the software.
3. Select 16.1 in the Release pull-down list to the right of the Software tab on the
Download Software page.
4. In the Install Package section of the Software tab, select the QFX Series Install Package
for the 16.1 release.
An Alert box appears.
5. In the Alert box, click the link to the PSN document for details about the software,
and click the link to download it.
A login screen appears.
6. Log in to the Juniper Networks authentication system using the username (generally
your e-mail address) and password supplied by Juniper Networks representatives.
7. Download the software to a local host.
8. Copy the software to the device or to your internal software distribution site.
9. Install the new jinstall package on the device.
NOTE: We recommend that you upgrade all software packages out of
band using the console, because in-band connections are lost during the
upgrade process.
Customers in the United States and Canada use the following command:
user@host> request system software add source/jinstall-qfx-5-16.1-R4.10-domestic-signed.tgz reboot
Replace source with one of the following values:
•
/pathname—For a software package that is installed from a local directory on the
switch.
•
For software packages that are downloaded and installed from a remote location:
•
ftp://hostname/pathname
•
http://hostname/pathname
•
scp://hostname/pathname (available only for Canada and U.S. version)
Adding the reboot command reboots the switch after the upgrade is installed. When
the reboot is complete, the switch displays the login prompt. The loading process can
take 5 to 10 minutes.
Rebooting occurs only if the upgrade is successful.
NOTE: After you install a Junos OS Release 16.1 jinstall package, you can issue
the request system software rollback command to return to the previously
installed software.
Installing the Software on QFX10002 Switches
NOTE: On the switch, use the force-host option to force-install the latest
version of the Host OS. However, by default, if the Host OS version is different
from the one that is already installed on the switch, the latest version is
installed without using the force-host option.
If the installation package resides locally on the switch, execute the request system
software add <pathname><source> reboot command.
For example:
user@host> request system software add /var/tmp/jinstall-qfx-10-f-flex-16.1R4.10-domestic.tgz reboot
If the Install Package resides remotely from the switch, execute the request system
software add <pathname><source> reboot command.
For example:
user@host> request system software add ftp://ftpserver/directory/jinstall-qfx-10-f-flex-16.1R4.10-domestic.tgz reboot
After the reboot has finished, verify that the new version of software has been properly
installed by executing the show version command.
user@host> show version
Performing an In-Service Software Upgrade (ISSU)
You can use unified ISSU to upgrade the software running on the switch with minimal
traffic disruption during the upgrade.
NOTE: Unified ISSU is supported in Junos OS Release 13.2X51-D15 and later.
Perform the following tasks:
•
Preparing the Switch for Software Installation on page 355
•
Upgrading the Software Using ISSU on page 356
Preparing the Switch for Software Installation
Before you begin software installation using unified ISSU:
•
Ensure that nonstop active routing (NSR), nonstop bridging (NSB), and graceful Routing
Engine switchover (GRES) are enabled. NSB and GRES enable NSB-supported Layer
2 protocols to synchronize protocol information between the master and backup
Routing Engines.
To verify that nonstop active routing is enabled:
NOTE: If nonstop active routing is enabled, then graceful Routing Engine
switchover is enabled.
user@host> show task replication
Stateful Replication: Enabled
RE mode: Master
If nonstop active routing is not enabled (Stateful Replication is Disabled), see Configuring
Nonstop Active Routing on Switches for information about how to enable it.
•
Enable nonstop bridging (NSB). See Configuring Nonstop Bridging on Switches (CLI
Procedure) for information on how to enable it.
•
(Optional) Back up the system software—Junos OS, the active configuration, and log
files—on the switch to an external storage device with the request system snapshot
command.
Upgrading the Software Using ISSU
This procedure describes how to upgrade the software running on a standalone switch.
To upgrade the switch using unified ISSU:
1. Download the software package by following the procedure in the Downloading
Software Files with a Browser section in Upgrading Software.
2. Copy the software package or packages to the switch. We recommend that you copy
the file to the /var/tmp directory.
3. Log in to the console connection. Using a console connection allows you to monitor
the progress of the upgrade.
4. Start the ISSU:
•
On the switch, enter:
user@host> request system software in-service-upgrade /var/tmp/package-name.tgz
where package-name.tgz is, for example, jinstall-132_x51_vjunos.domestic.tgz.
NOTE: During the upgrade, you cannot access the Junos OS CLI.
The switch displays status messages similar to the following messages as the upgrade
executes:
warning: Do NOT use /user during ISSU. Changes to /user during ISSU may get
lost!
ISSU: Validating Image
ISSU: Preparing Backup RE
Prepare for ISSU
ISSU: Backup RE Prepare Done
Extracting jinstall-qfx-5-13.2X51-D15.4-domestic ...
Install jinstall-qfx-5-13.2X51-D15.4-domestic completed
Spawning the backup RE
Spawn backup RE, index 0 successful
GRES in progress
GRES done in 0 seconds
Waiting for backup RE switchover ready
GRES operational
Copying home directories
Copying home directories successful
Initiating Chassis In-Service-Upgrade
Chassis ISSU Started
ISSU: Preparing Daemons
ISSU: Daemons Ready for ISSU
ISSU: Starting Upgrade for FRUs
ISSU: FPC Warm Booting
ISSU: FPC Warm Booted
ISSU: Preparing for Switchover
ISSU: Ready for Switchover
Checking In-Service-Upgrade status
Item           Status                  Reason
FPC 0          Online (ISSU)
Send ISSU done to chassisd on backup RE
Chassis ISSU Completed
ISSU: IDLE
Initiate em0 device handoff
NOTE: A unified ISSU might stop, instead of abort, if the FPC is at the
warm boot stage. Also, any links that go down and up will not be detected
during a warm boot of the Packet Forwarding Engine (PFE).
NOTE: If the unified ISSU process stops, you can look at the log files to
diagnose the problem. The log files are located at /var/log/vjunos-log.tgz.
5. Log in after the reboot of the switch completes. To verify that the software has been
upgraded, enter the following command:
user@host> show version
6. To ensure that the resilient dual-root partitions feature operates correctly, copy the
new Junos OS image into the alternate root partitions of all of the switches:
user@host> request system snapshot slice alternate
Resilient dual-root partitions allow the switch to boot transparently from the alternate
root partition if the system fails to boot from the primary root partition.
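The readiness check and the console status messages in the ISSU procedure above lend themselves to an automated check. The following Python code is an added example, not part of the Juniper documentation; it assumes the show task replication output and the console transcript have been captured as text, and the sample inputs are constructed from the messages quoted above.

```python
# Milestones, in order, taken from the status messages quoted in the procedure.
MILESTONES = [
    "ISSU: Validating Image",
    "ISSU: Backup RE Prepare Done",
    "GRES operational",
    "Chassis ISSU Started",
    "ISSU: FPC Warm Booting",
    "ISSU: FPC Warm Booted",
    "ISSU: Ready for Switchover",
    "Chassis ISSU Completed",
]

# Constructed sample inputs.
REPLICATION_OK = "Stateful Replication: Enabled\nRE mode: Master\n"
TRANSCRIPT_STOPPED = """\
ISSU: Validating Image
ISSU: Preparing Backup RE
ISSU: Backup RE Prepare Done
GRES operational
Chassis ISSU Started
ISSU: Preparing Daemons
ISSU: Daemons Ready for ISSU
ISSU: Starting Upgrade for FRUs
ISSU: FPC Warm Booting
"""
TRANSCRIPT_DONE = TRANSCRIPT_STOPPED + """\
ISSU: FPC Warm Booted
ISSU: Preparing for Switchover
ISSU: Ready for Switchover
Chassis ISSU Completed
ISSU: IDLE
"""


def replication_ready(output):
    """True when the output matches the state shown in the procedure:
    Stateful Replication enabled, seen from the master Routing Engine."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return (fields.get("Stateful Replication") == "Enabled"
            and fields.get("RE mode") == "Master")


def issu_progress(transcript):
    """Summarise how far a captured ISSU console transcript got."""
    lines = {line.strip() for line in transcript.splitlines()}
    reached = [m for m in MILESTONES if m in lines]
    last = reached[-1] if reached else None
    return {
        "last": last,
        "completed": "Chassis ISSU Completed" in lines,
        # The procedure notes ISSU might stop, not abort, at FPC warm boot;
        # in that case inspect /var/log/vjunos-log.tgz.
        "stopped_in_warm_boot": last == "ISSU: FPC Warm Booting",
        "missing": [m for m in MILESTONES if m not in lines],
    }


if __name__ == "__main__":
    print(replication_ready(REPLICATION_OK))
    print(issu_progress(TRANSCRIPT_STOPPED))
```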
Related
Documentation
•
New and Changed Features on page 337
•
Changes in Behavior and Syntax on page 340
•
Known Behavior on page 343
•
Known Issues on page 345
•
Resolved Issues on page 346
•
Documentation Updates on page 353
•
Product Compatibility on page 358
Product Compatibility
•
Hardware Compatibility on page 358
Hardware Compatibility
To obtain information about the components that are supported on the devices and the
special compatibility guidelines with the release, see the Hardware Guide for the product.
To determine the features supported on QFX Series switches in this release, use the
Juniper Networks Feature Explorer, a Web-based application that helps you to explore
and compare Junos OS feature information to find the right software release and hardware
platform for your network. Find Feature Explorer at:
http://pathfinder.juniper.net/feature-explorer/
Related
Documentation
•
New and Changed Features on page 337
•
Changes in Behavior and Syntax on page 340
•
Known Behavior on page 343
•
Known Issues on page 345
•
Resolved Issues on page 346
•
Documentation Updates on page 353
•
Migration, Upgrade, and Downgrade Instructions on page 353
Third-Party Components
This product includes third-party components. To obtain a complete list of third-party
components, see Overview for Routing Devices.
For a list of open source attributes for this Junos OS release, see Open Source: Source
Files and Attributions.
Finding More Information
For the latest, most complete information about known and resolved issues with Junos
OS, see the Juniper Networks Problem Report Search application at:
http://prsearch.juniper.net .
Juniper Networks Feature Explorer is a Web-based application that helps you to explore
and compare Junos OS feature information to find the correct software release and
hardware platform for your network. Find Feature Explorer at:
http://pathfinder.juniper.net/feature-explorer/.
Juniper Networks Content Explorer is a Web-based application that helps you explore
Juniper Networks technical documentation by product, task, and software release, and
download documentation in PDF format. Find Content Explorer at:
http://www.juniper.net/techpubs/content-applications/content-explorer/.
Upgrading Using Unified ISSU
Unified in-service software upgrade (ISSU) enables you to upgrade between two different
Junos OS releases with no disruption on the control plane and with minimal disruption
of traffic. Unified in-service software upgrade is only supported by dual Routing Engine
platforms. In addition, graceful Routing Engine switchover (GRES) and nonstop active
routing (NSR) must be enabled. For additional information about using unified in-service
software upgrade, see the High Availability Feature Guide for Routing Devices.
For information about ISSU support across platforms and Junos OS releases, see the
In-Service Software Upgrade (ISSU) web application.
Compliance Advisor
For regulatory compliance information about Common Criteria, FIPS, Homologation, RoHS2,
and USGv6 for Juniper Networks products, see the Juniper Networks Compliance Advisor.
Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we can
improve the documentation. You can send your comments to
techpubs-comments@juniper.net, or fill out the documentation feedback form at
https://www.juniper.net/cgi-bin/docbugreport/. If you are using e-mail, be sure to include
the following information with your comments:
•
Document or topic name
•
URL or page number
•
Software release version (if applicable)
Requesting Technical Support
Technical product support is available through the Juniper Networks Technical Assistance
Center (JTAC). If you are a customer with an active J-Care or JNASC support contract,
or are covered under warranty, and need post sales technical support, you can access
our tools and resources online or open a case with JTAC.
Technical product support is available through the Juniper Networks Technical Assistance
Center (JTAC). If you are a customer with an active J-Care or Partner Support Service
support contract, or are covered under warranty, and need post-sales technical support,
you can access our tools and resources online or open a case with JTAC.
•
JTAC policies—For a complete understanding of our JTAC procedures and policies,
review the JTAC User Guide located at
http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.
•
Product warranties—For product warranty information, visit
http://www.juniper.net/support/warranty/.
•
JTAC hours of operation—The JTAC centers have resources available 24 hours a day,
7 days a week, 365 days a year.
Self-Help Online Tools and Resources
For quick and easy problem resolution, Juniper Networks has designed an online
self-service portal called the Customer Support Center (CSC) that provides you with the
following features:
•
Find CSC offerings: http://www.juniper.net/customers/support/
•
Search for known bugs: http://www2.juniper.net/kb/
•
Find product documentation: http://www.juniper.net/techpubs/
•
Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
•
Download the latest versions of software and review release notes:
http://www.juniper.net/customers/csc/software/
•
Search technical bulletins for relevant hardware and software notifications:
http://kb.juniper.net/InfoCenter/
•
Join and participate in the Juniper Networks Community Forum:
http://www.juniper.net/company/communities/
•
Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/
To verify service entitlement by product serial number, use our Serial Number Entitlement
(SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/
Opening a Case with JTAC
You can open a case with JTAC on the Web or by telephone.
•
Use the Case Management tool in the CSC at http://www.juniper.net/cm/.
•
Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).
For international or direct-dial options in countries without toll-free numbers, visit us at
http://www.juniper.net/support/requesting-support.html.
If you are reporting a hardware or software problem, issue the following command from
the CLI before contacting support:
user@host> request support information | save filename
To provide a core file to Juniper Networks for analysis, compress the file with the gzip
utility, rename the file to include your company name, and copy it to
ftp.juniper.net/pub/incoming. Then send the filename, along with software version
information (the output of the show version command) and the configuration, to
support@juniper.net. For documentation issues, fill out the bug report form located at
http://www.juniper.net/techpubs/feedback/.
Revision History
6 September 2017—Revision 9, Junos OS Release 16.1R4– ACX Series, MX Series, PTX
Series, QFX Series, T Series, and Junos Fusion.
1 August 2017—Revision 8, Junos OS Release 16.1R4– ACX Series, MX Series, PTX Series,
QFX Series, T Series, and Junos Fusion.
6 July 2017—Revision 7, Junos OS Release 16.1R4– ACX Series, MX Series, PTX Series,
QFX Series, T Series, and Junos Fusion.
8 June 2017—Revision 6, Junos OS Release 16.1R4– ACX Series, MX Series, PTX Series,
QFX Series, T Series, and Junos Fusion.
13 April 2017—Revision 5, Junos OS Release 16.1R4– ACX Series, MX Series, PTX Series,
QFX Series, T Series, and Junos Fusion.
14 March 2017—Revision 4, Junos OS Release 16.1R4– ACX Series, MX Series, PTX Series,
QFX Series, T Series, and Junos Fusion.
7 March 2017—Revision 3, Junos OS Release 16.1R4– ACX Series, MX Series, PTX Series,
QFX Series, T Series, and Junos Fusion.
3 March 2017—Revision 2, Junos OS Release 16.1R4– ACX Series, MX Series, PTX Series,
QFX Series, T Series, and Junos Fusion.
28 February 2017—Revision 1, Junos OS Release 16.1R4– ACX Series, MX Series, PTX
Series, QFX Series, T Series, and Junos Fusion.
22 December 2016—Revision 6, Junos OS Release 16.1R3– ACX Series, MX Series, PTX
Series, QFX Series, T Series, and Junos Fusion.
8 December 2016—Revision 5, Junos OS Release 16.1R3– ACX Series, MX Series, PTX
Series, QFX Series, T Series, and Junos Fusion.
2 December 2016—Revision 4, Junos OS Release 16.1R3– ACX Series, MX Series, PTX
Series, QFX Series, T Series, and Junos Fusion.
1 December 2016—Revision 3, Junos OS Release 16.1R3– ACX Series, MX Series, PTX
Series, QFX Series, T Series, and Junos Fusion.
17 November 2016—Revision 2, Junos OS Release 16.1R3– ACX Series, MX Series, PTX
Series, QFX Series, T Series, and Junos Fusion.
10 November 2016—Revision 1, Junos OS Release 16.1R3– ACX Series, MX Series, PTX
Series, QFX Series, T Series, and Junos Fusion.
7 October 2016—Revision 4, Junos OS Release 16.1R2– ACX Series, MX Series, PTX Series,
T Series, and Junos Fusion.
30 September 2016—Revision 3, Junos OS Release 16.1R2– ACX Series, MX Series, PTX
Series, T Series, and Junos Fusion.
26 September 2016—Revision 2, Junos OS Release 16.1R2– ACX Series, MX Series, PTX
Series, T Series, and Junos Fusion.
23 September 2016—Revision 1, Junos OS Release 16.1R2– ACX Series, MX Series, PTX
Series, T Series, and Junos Fusion.
1 September 2016—Revision 7, Junos OS Release 16.1R1– EX Series, MX Series, PTX Series,
QFX Series, T Series, and Junos Fusion.
25 August 2016—Revision 6, Junos OS Release 16.1R1– EX Series, MX Series, PTX Series,
QFX Series, T Series, and Junos Fusion.
19 August 2016—Revision 5, Junos OS Release 16.1R1– EX Series, MX Series, PTX Series,
QFX Series, T Series, and Junos Fusion.
11 August 2016—Revision 4, Junos OS Release 16.1R1– EX Series, MX Series, PTX Series,
QFX Series, T Series, and Junos Fusion.
4 August 2016—Revision 3, Junos OS Release 16.1R1– EX Series, MX Series, PTX Series,
QFX Series, T Series, and Junos Fusion.
28 July 2016—Revision 2, Junos OS Release 16.1R1– EX Series, MX Series, PTX Series, QFX
Series, T Series, and Junos Fusion.
29 June 2016—Revision 1, Junos OS Release 16.1R1– MX Series, and Junos Fusion.
Copyright © 2017, Juniper Networks, Inc. All rights reserved.
Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United
States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other
trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify,
transfer, or otherwise revise this publication without notice.